For the latest discoveries in cyber research for the week of 25th August, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- US pharmaceutical company Inotiv has experienced a ransomware attack that resulted in the unauthorized access and encryption of certain systems and data. The Qilin ransomware gang claimed responsibility and alleged the theft of approximately 162,000 files totaling 176GB.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Qilin.*)
- Belgian telecommunications company Orange Belgium has experienced a cyber attack that resulted in the compromise of data from 850,000 customer accounts. Exposed information includes names, phone numbers, SIM card numbers and PUK codes.
- Australian Internet and mobile provider iiNet’s network has been breached in a cyber attack. Threat actors exfiltrated personal data of more than 200,000 customers of the company. According to reports, access was gained using an employee’s stolen credentials.
- The Business Council of New York State (BCNYS) has disclosed a data breach that resulted in the theft of personal, financial, and health information belonging to over 47,000 individuals from an attack that occurred in February. The compromised data includes full names, Social Security numbers, dates of birth, state identification numbers, financial and payment card information, taxpayer identification numbers, electronic signature information, and sensitive health records.
- Bragg Gaming Group has confirmed a cyber attack that resulted in a compromise of its internal IT systems. The company states that no customer or personally identifiable data was accessed or leaked; the impact was reportedly limited, with no disruption to gaming services or loss of account access, and no financial or personal data exposure has been detected.
- US healthcare company DaVita has confirmed a cyber attack that occurred earlier this year and resulted in the theft of sensitive personal and health information belonging to nearly 2.7 million individuals. The information includes names, addresses, dates of birth, Social Security numbers, health insurance details, treatment information, and dialysis lab test results.
- Global hardware company Data I/O has suffered a ransomware attack that resulted in outages of critical operational systems, including those used for shipping, manufacturing, production, and support functions. The attack has substantially impacted the company’s business operations.
- Russian investment and analytics platform Investment Projects has suffered a cyber attack. The attack resulted in the platform being taken offline and the partial destruction of its infrastructure. The pro-Ukrainian hacker group, Cyber Anarchy Squad, claimed responsibility for the attack, saying that it had accessed internal databases and employee documents, and leaked stolen files.
VULNERABILITIES AND PATCHES
- Apple issued a patch for a zero-day vulnerability (CVE-2025-43300) in Apple’s Image I/O framework affecting iOS, iPadOS, and macOS Sequoia, Sonoma, and Ventura. The vulnerability is an out-of-bounds write that may result in memory corruption or remote code execution. The flaw has been exploited in highly targeted, sophisticated attacks against specific individuals, and it impacts a broad range of iPhone, iPad, and Mac models, both old and new. The vulnerability is triggered by processing malicious image files.
- Security researchers have discovered a high-severity buffer overflow vulnerability (tracked as CVE-2025-9363) in the portTriggerManageRule function of Linksys RE-series models. The remotely exploitable vulnerability (CVSSv3 score: 8.8) allows attackers to overwrite the stack by manipulating the triggerRuleName or schedule parameters, and a proof-of-concept exploit has already been publicly disclosed.
- Google has released a security patch for Chrome that addresses the high-severity vulnerability CVE-2025-9132, an out-of-bounds write issue which could be exploited remotely using crafted HTML pages. The vulnerability was discovered by Big Sleep, an AI agent developed by Google DeepMind.
THREAT INTELLIGENCE REPORTS
- Security researchers have released a report detailing a series of coordinated campaigns attributed to UAC-0057 (aka GhostWriter). These campaigns delivered weaponized XLS spreadsheets with obfuscated VBA macros targeting Ukraine and Poland in mid-2025. The infection chain used compressed archives containing decoy documents and leveraged MacroPack-obfuscated macros to drop and load highly specific first-stage DLL implants.
- Cisco has issued a report detailing the activity of the Russia-affiliated APT group Static Tundra. The group was observed exploiting the seven-year-old vulnerability CVE-2018-0171 in Cisco IOS Smart Install to compromise unpatched and end-of-life network devices globally. The group employs techniques such as SYNful Knock firmware implants, targeting the telecom, education, and manufacturing sectors, specifically in Ukraine and its allies.
- Researchers detailed a campaign by North Korean APT group Kimsuky targeting embassies and diplomatic missions in South Korea and globally. The campaign used spear-phishing emails with contextual diplomatic lures to deliver XenoRAT via malicious LNK files and PowerShell scripts, leveraging GitHub and cloud platforms for command-and-control and data exfiltration.
- Researchers have uncovered a stealthy Linux malware delivery technique. It relies on a spam email containing a RAR archive whose filename embeds a Bash payload, which triggers code execution when the filename is handled by unsanitized shell scripts or commands. The infection chain uses command injection in common scripting patterns to launch a Base64-encoded downloader, which fetches and silently executes a Go-based VShell backdoor.
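A defensive check for the filename-based injection described above, added here as an example that is not code from the bulletin or the researchers' report: it flags archive names carrying shell metacharacters or long Base64-looking runs, and walks a directory with a quoted glob so names are only ever treated as data, never re-parsed by the shell. The sample file names it creates are constructed.

```shell
#!/bin/sh
# Added example (not from the bulletin): flag suspicious archive names and
# show the safe iteration pattern that avoids shell re-parsing of file names.

NL=$(printf '\n.'); NL=${NL%.}   # a literal newline for use in the case pattern

# Returns 0 for a plain-looking name, 1 if it contains shell metacharacters
# (; | & $ backtick newline) or a 40+ character Base64-alphabet run, neither
# of which belongs in a legitimate archive name.
suspicious_name() {
  case $1 in
    *';'*|*'|'*|*'&'*|*'$'*|*'`'*|*"$NL"*) return 1 ;;
  esac
  if printf '%s' "$1" | grep -Eq '[A-Za-z0-9+/]{40,}={0,2}'; then
    return 1
  fi
  return 0
}

# Walks one directory with a quoted glob (never `for f in $(ls)` and never
# eval on the name), so the file name cannot become part of a command, and
# prints each flagged name on its own line.
scan_dir() {
  dir=$1
  for path in "$dir"/*; do
    [ -f "$path" ] || continue
    name=${path##*/}
    suspicious_name "$name" || printf '%s\n' "$name"
  done
}

# Builds a constructed sample directory and returns the count of flagged names.
demo() {
  tmp=$(mktemp -d)
  : > "$tmp/quarterly_report.rar"                 # benign
  : > "$tmp/photos 2025.rar"                      # benign, spaces are fine
  : > "$tmp/invoice;echo injected.rar"            # metacharacter in name
  : > "$tmp/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv.rar"  # Base64-like
  scan_dir "$tmp" | wc -l | tr -d ' '
  rm -rf "$tmp"
}
```

Run `demo` to see the two constructed names that get flagged; in practice scan_dir would point at the mail attachment or download directory before any extraction script touches it.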