Weekly Summary Cyberattacks Sept 04-10
Behind the Mask of Madgicx Plus: A Chrome Extension Campaign Targeting Meta Advertisers
A malicious Chrome extension campaign specifically targeting Meta (Facebook/Instagram) advertisers was uncovered. The campaign, which had previously been tracked in earlier forms by DomainTools, has evolved into a new lure branded as "Madgicx Plus," a fake AI-powered advertising optimization platform. Promoted as a tool to enhance campaign management and ROI, the extension instead functions as dual-purpose malware capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts. Threat actors are impersonating Madgicx, a legitimate advertising technology company, to gain credibility with unsuspecting victims.
Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data
Dozens of previously unreported domains linked to Salt Typhoon, a Chinese state-sponsored Advanced Persistent Threat (APT) group, as well as related infrastructure tied to UNC4841 were disclosed. In total, Silent Push compiled 45 confirmed domains and multiple low-density IP addresses used by these groups, some of which are still active as of 2025. Several of these IPs later resolved to sinkholes controlled by researchers or law enforcement, confirming active disruption attempts against the threat actor. While some infrastructure now appears parked or inactive, researchers caution that Chinese APTs are known for long-term operations and may reuse domains or tactics in future campaigns. Silent Push advises organizations—particularly those in telecommunications, government, and critical infrastructure sectors—to retroactively check DNS and network logs for the identified domains and IP addresses over the past five years. The company warns that all domains linked to Salt Typhoon and UNC4841 represent a significant risk and urges defenders to adopt proactive threat hunting to detect pre-weaponized infrastructure.
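The retroactive log check Silent Push recommends, as an added example that is not Silent Push's own tooling: the script scans DNS resolver logs for queries to a listed domain (or any subdomain of one) and for answers that resolve to a listed IP. The indicator set, log format and log lines are constructed placeholders, since this summary does not reproduce the published domains.

```python
# Added example, not Silent Push's tooling: hunt historical DNS logs for
# known attacker domains (exact or subdomain) and resolved IPs.
import re

# Constructed placeholder indicators, NOT the real Salt Typhoon/UNC4841 IOCs.
IOC_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
IOC_IPS = {"203.0.113.10", "198.51.100.22"}  # documentation ranges

# Constructed resolver log, format: "<ts> <client> <qname> <qtype> <answer>"
SAMPLE_LOGS = """\
2021-03-02T10:11:12Z 10.1.4.7 www.company.example A 192.0.2.5
2022-07-19T04:05:06Z 10.1.4.9 CDN.c2-placeholder.example. A 203.0.113.10
2023-11-30T23:59:59Z 10.1.9.2 mail.partner.example A 192.0.2.77
2024-01-15T08:00:00Z 10.1.4.7 legit.example A 198.51.100.22
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def normalize_domain(name):
    # DNS names are case-insensitive and often logged with a trailing dot.
    return name.rstrip(".").lower()

def domain_match(qname, iocs=IOC_DOMAINS):
    """Return the indicator that qname equals or sits under, else None."""
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def hunt(lines):
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort a long hunt
        ts, client, qname, _qtype, answer = m.groups()
        ind = domain_match(qname)
        if ind:
            reason = "domain:" + ind
        elif answer in IOC_IPS:  # answer may also be a CNAME or NXDOMAIN
            reason = "ip:" + answer
        else:
            continue
        hits.append({"ts": ts, "client": client, "qname": qname, "reason": reason})
    return hits
```

A hit whose answer is an address that later became a research or law-enforcement sinkhole still shows the client resolved the attacker domain at that time, so triage it by timestamp rather than discarding it.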
LockBit Ransomware Group Unveils Version 5.0 on Its Sixth Anniversary
LockBit has announced the release of LockBit 5.0, signaling a potential resurgence following its disruption during Operation Cronos. Operation Cronos, a multinational law enforcement effort in February 2024, had successfully seized key infrastructure and management panels, exposing affiliates and leading many to believe that the group's influence would decline irreversibly. Despite this, LockBit 5.0 was revealed on onion networks and underground forums, presenting a rebranded, modular ransomware platform with faster encryption and improved evasion techniques. The affiliate program has also been refreshed, offering new incentives to cybercriminal partners, which suggests the group aims to rapidly regain traction across the ransomware ecosystem.
Operation BarrelFire: NoisyBear Targets Entities Linked to Kazakhstan's Oil & Gas Sector
Seqrite Labs' APT-Team has uncovered an ongoing cyber espionage campaign, dubbed Operation BarrelFire, carried out by a threat group known as NoisyBear. Since April 2025, this actor has been targeting Kazakhstan's oil and gas sector, particularly employees of state-owned energy company KazMunaiGas (KMG). The attackers leveraged spear-phishing techniques, using a compromised business e-mail from KMG's finance department to distribute malicious ZIP archives. These archives contained decoy documents impersonating internal HR communications, along with a malicious shortcut file named "График зарплат.lnk" ("Salary Schedule.lnk"). When executed, this shortcut triggered a multistage infection chain beginning with the download of batch scripts, followed by obfuscated PowerShell loaders referred to as DOWNSHELL, which ultimately deployed a malicious DLL implant.
Streameast, World's Largest Illegal Sports Streaming Platform, Shut Down
Streameast — the world's largest illegal sports streaming platform — has been shut down following a year-long investigation led by the Alliance for Creativity and Entertainment (ACE) in cooperation with Egyptian law enforcement. The network consisted of 80 unauthorized domains that generated 1.6 billion visits in the past year, offering free access to global sports competitions, including the Premier League, Champions League, NFL, NBA, MLB, boxing, MMA, and Formula 1. Average monthly traffic reached 136 million visits, primarily from the U.S., Canada, the U.K., the Philippines, and Germany. On August 24, authorities conducted a raid in El-Sheikh Zaid, Egypt, arresting two men on suspicion of copyright infringement. Seized items included laptops, smartphones, cash, credit cards, and evidence linking the operation to a UAE shell company used to launder £4.9 million ($6.2 million) in advertising revenue since 2010, along with £150,000 ($200,000) in cryptocurrency.