Home 
The final week of August 2025 witnessed a convergence of sophisticated supply chain attacks, critical infrastructure targeting, and state-sponsored campaigns that collectively demonstrated the accelerating sophistication and impact of modern cyber threats. The most significant developments include the first-ever AI-assisted supply chain attack through the Nx build platform compromise, the widespread Salesloft Drift OAuth token breach affecting hundreds of organizations including Zscaler, and critical infrastructure ransomware attacks against Nevada state government and Pennsylvania’s Attorney General Office.
The period was marked by the exploitation of CVE-2025-48384, a critical Git vulnerability actively exploited for remote code execution, and the emergence of Silver Fox APT’s advanced driver exploitation techniques to bypass Windows 10/11 security protections. Concurrently, UNC6395’s systematic exploitation of Salesforce instances through compromised Drift OAuth tokens affected over 700 organizations, representing one of the largest SaaS supply chain attacks to date.
Critical government infrastructure faced unprecedented disruption with Nevada’s statewide ransomware attack forcing the closure of all DMV offices and state services for over a week, while Pennsylvania’s Attorney General Office remained offline following a ransomware incident that disrupted court proceedings and law enforcement operations.
>>Outpace Attackers With AI-Based Automated Penetration Testing
New Hacking Techniques
AI-Assisted Supply Chain Reconnaissance
The s1ngularity attack on Nx represents the first documented case of threat actors weaponizing AI CLI tools for credential harvesting. Malicious code specifically targeted Anthropic Claude, Amazon Q, and Google Gemini command-line interfaces to enumerate secrets and accelerate reconnaissance on infected developer workstations.
OAuth Token Persistence Through Drift Integration
UNC6395 demonstrated advanced techniques for maintaining persistent access to Salesforce environments through compromised third-party OAuth tokens. The campaign involved systematic SOQL query execution, selective data exfiltration based on reconnaissance results, and deletion of query jobs to evade detection while maintaining audit log evidence.
Signature-Preserving Driver Modification
Silver Fox APT evolved their driver exploitation techniques by modifying a single byte in the unauthenticated timestamp field of Microsoft-signed drivers. This technique preserves the digital signature validity while generating new file hashes to bypass blocklist protections.
Critical CVEs and Attack Vectors
CVE-2025-48384: Git Arbitrary File Write Vulnerability
Discovery Date: July 8, 2025
Active Exploitation Confirmed: August 26, 2025
CVSS Score: 8.1 (High)
Overview
A critical vulnerability in Git allowing arbitrary file write operations through malicious .gitmodules files, leading to remote code execution when repositories are cloned with the –recursive flag on Unix-like systems.
Technical Deep Dive
The vulnerability exploits a mismatch in how Git handles carriage return (CR) characters when reading versus writing configuration values. Attackers craft malicious .gitmodules files containing submodule paths ending in CR characters. Git’s configuration parser strips these characters on read but preserves them on write, enabling malicious redirection of submodule contents to arbitrary filesystem locations.
When combined with symlinks pointing to submodule hooks directories and executable post-checkout hooks, the vulnerability enables immediate code execution upon repository cloning. The attack is particularly effective against developers using git clone –recursive, a common pattern in software development workflows.
Impact/Risk
- CISA addition to Known Exploited Vulnerabilities catalog with mandatory federal patching deadline
- Affects all major Unix-like development environments including macOS and Linux
- GitHub Desktop for macOS vulnerable due to default recursive cloning behavior
- Public proof-of-concept exploits available, lowering exploitation barriers
Takeaway for CISOs
Immediately patch all Git installations to versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, or 2.50.1. Implement repository validation policies for CI/CD systems and developer workstations. Monitor for unexpected file creation in startup directories and system locations. Consider restricting recursive repository clones in sensitive environments until patching is complete.
Advanced Persistent Threat Activity
UNC6395: Salesloft Drift OAuth Campaign
Active Period: August 8–18, 2025
Attribution: Chinese-nexus threat actor
Scope: 700+ organizations affected
Overview
UNC6395 conducted a systematic data theft campaign exploiting compromised OAuth tokens from the Salesloft Drift integration with Salesforce, targeting AWS credentials, Snowflake tokens, and sensitive business data across hundreds of corporate environments.
Technical Deep Dive
The campaign leveraged compromised OAuth and refresh tokens associated with Salesloft Drift’s Salesforce integration to execute targeted SOQL queries across critical Salesforce objects including Users, Accounts, Opportunities, and Cases. Attackers demonstrated operational security awareness by conducting reconnaissance queries to assess data volumes before selective exfiltration and systematically deleting query jobs to obscure activity.
The attack extended beyond Salesforce, with stolen OAuth tokens used to access Google Workspace accounts through Drift Email integrations, enabling corporate email access and further credential harvesting. Attack infrastructure utilized Tor exit nodes and VPS providers for data exfiltration while employing suspicious User-Agent strings for authentication.
Impact/Risk
- Over 700 organizations affected including major enterprises like Zscaler
- Systematic credential harvesting enabling downstream attacks
- Complete Salesforce AppExchange removal of Drift application pending investigation
- Widespread OAuth token revocation disrupting legitimate business operations
Takeaway for CISOs
Immediately audit all third-party SaaS integrations and OAuth permissions. Implement continuous monitoring for unusual SOQL query patterns and data export activities. Establish OAuth token rotation policies and monitor for suspicious authentication patterns from VPS or Tor infrastructure. Review and minimize application permissions following the principle of least privilege.
Silver Fox APT: Driver-Based Defense Evasion
Active Period: Ongoing through August 2025
Attribution: China-linked APT group
Primary Target: Windows 10/11 enterprise environments
Overview
Silver Fox APT has evolved sophisticated driver exploitation techniques using Microsoft-signed but vulnerable drivers to bypass endpoint detection and response (EDR) solutions, culminating in ValleyRAT backdoor deployment across fully updated Windows systems.
Technical Deep Dive
The campaign employs a dual-driver strategy combining legacy Zemana Anti-Malware drivers for older systems with previously undetected WatchDog Antimalware drivers (amsdk.sys version 1.0.600) for Windows 10/11 environments. Both drivers enable arbitrary process termination, including protected processes, allowing complete disabling of security solutions before malware deployment.
The group’s all-in-one loaders integrate anti-analysis features, embedded vulnerable drivers, hardcoded security process termination lists, and ValleyRAT downloader components. Following vendor patching, Silver Fox adapted by modifying a single byte in driver timestamp fields to generate new hashes while preserving valid Microsoft signatures, effectively bypassing hash-based detection mechanisms.
Impact/Risk
- Successful bypass of Windows 10/11 protected process mechanisms
- Deployment of comprehensive surveillance capabilities via ValleyRAT
- Rapid adaptation to security patches and countermeasures
- Targeting of security solutions popular in East Asian markets
Takeaway for CISOs
Apply the latest Microsoft Vulnerable Driver Blocklist and implement behavior-based driver monitoring. Deploy YARA rules for detecting vulnerable driver abuse and establish kernel-level security monitoring. Implement application control policies preventing execution from temporary directories and monitor for unusual driver loading activities.
Critical Infrastructure Impact
Nevada Statewide Ransomware Attack
Discovery Date: August 24, 2025
Duration: Ongoing (Week 2+)
Impact: Complete state government service disruption
Nevada experienced an unprecedented statewide ransomware attack that forced the closure of all Department of Motor Vehicles offices, disabled government websites and phone systems, and disrupted critical administrative functions across state agencies. The attack represents the first known complete shutdown of state government services due to ransomware.
Pennsylvania Attorney General Ransomware
Discovery Date: August 18, 2025
Duration: Ongoing recovery efforts
Impact: Court case disruptions and law enforcement impairment
The Pennsylvania Attorney General’s Office suffered a ransomware attack that disabled email systems, phone lines, and the agency website, forcing courts to issue time extensions for criminal and civil cases while law enforcement operations continued through alternative channels.
Supply Chain Security Evolution
s1ngularity: First AI-Assisted Supply Chain Attack
Attack Date: August 26, 2025
Target: Nx build platform (4+ million weekly downloads)
Duration: 5 hours of active compromise
The compromise of the Nx build system represents a watershed moment in supply chain security, marking the first documented case where attackers weaponized AI development tools for reconnaissance and data exfiltration. The attack harvested developer credentials, cryptocurrency wallets, and sensitive environment variables while attempting to enlist locally installed AI CLI tools to accelerate the discovery process.
Operational Security Implications
The convergence of AI-assisted attacks, OAuth token abuse, and driver-level evasion techniques demonstrates threat actors’ rapid adoption of emerging technologies and attack surfaces. The systematic targeting of SaaS integrations through Drift’s OAuth tokens highlights the cascading risks of third-party application trust relationships, while the Nx compromise illustrates how AI tools in developer environments create new reconnaissance capabilities for attackers.
The complete disruption of Nevada’s state government services and Pennsylvania’s law enforcement operations underscores the critical infrastructure impact of modern ransomware campaigns, particularly when targeting fundamental administrative systems that underpin government operations.
Outpace Attackers With AI-Based Automate Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management
