San Mateo, CA, September 1, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Researchers spot first AI-driven ransomware
ESET researchers have identified a ransomware called PrompLock, the world’s first generative AI-powered ransomware. Not yet seen in real-world attacks, PrompLock is written in Golang with Windows and Linux variants already submitted to VirusTotal. Unlike traditional ransomware, it leverages OpenAI’s gpt-oss:20b through the Ollama API to generate malicious Lua scripts on the fly. These scripts, capable of running cross-platform, can enumerate files, exfiltrate sensitive data, and encrypt targets using the SPECK 128-bit algorithm. The design employs an “internal proxy” tactic to tunnel connections to a remote server hosting the model, a method known for its persistence and evasion capabilities. ESET researchers say features like file destruction appear unfinished, suggesting that they are based on an early proof-of-concept rather than an operational threat. Read more.
Salt Typhoon hack traced to Chinese firms
Three Chinese companies secretly aided Beijing in Salt Typhoon’s hack of global telecom providers, U.S. and allied governments said. A joint 37-page report from the FBI, NSA, CISA, and 12 partner nations detailed how the campaign also targeted government, transportation, military, and lodging networks in 80 countries, hacking more than 200 companies. Analysts say what makes the revelation striking is that the three firms, Beijing Huanyu Tianqiong, Sichuan Zhixin Ruijie, and Sichuan Juxinhe, appear to be legitimate businesses as opposed to intelligence fronts. This means that “the MSS [Ministry of State Security] effectively used three private companies working in collaboration to hit some of the most important collection targets on the planet,” said Dakota Cary, a China analyst at SentinelOne. The U.S. sanctioned one of them earlier this year, but the others had not been publicly linked until now. Salt Typhoon’s breach of major carriers in Washington, D.C. alone exposed over a million individuals, with officials warning the hackers could still regain access. Read more.
Salesforce hit by credential theft campaign
Salesforce customers are facing a “widespread data theft campaign” after attackers systematically targeted numerous Salesforce instances between August 8 and August 18, exfiltrating data and specifically searching for sensitive credentials, including AWS keys, passwords, and Snowflake tokens. Salesloft revoked all Drift–Salesforce connections, requiring admins to reauthenticate, while Salesforce removed Drift from its AppExchange during the investigation. Google urged all Drift users to assume compromise and immediately rotate credentials, revoke API keys, and audit logs. Cory Michal, CSO of AppOmni, believes a nation-state actor is responsible because the hackers “demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and even attempting to cover their tracks by deleting jobs. The combination of scale, focus, and tradecraft makes this campaign stand out.” Read more.
Citrix flaw exploited in active attacks
Citrix has disclosed three new vulnerabilities in its NetScaler ADC and Gateway products, including a zero-day flaw (CVE-2025-7775) that attackers are already exploiting. The memory overflow bug, rated 9.2 in severity, allows remote attackers to hijack or crash vulnerable systems without authentication, particularly those configured for VPN, remote access, IPv6 traffic, or specific content routing. Two additional flaws, CVE-2025-7776 (CVSS 8.8) and CVE-2025-8424 (CVSS 8.7), could enable denial-of-service conditions or improper access to sensitive data. Security researchers note the flaws affect components similar to those targeted in last year’s widely exploited “CitrixBleed” vulnerabilities, though they are unrelated. Experts warn that the risk is heightened because many organizations continue to run unsupported NetScaler versions, with Tenable estimating that nearly 20% of exposed devices fall into this category. Analysts caution that these outdated systems represent “ticking time bombs.” Read more.
Whistleblower warns SSA data put at risk
A whistleblower complaint filed by SSA Chief Data Officer Charles Borges has alleged that Department of Government Efficiency (DOGE) officials created a vulnerable cloud environment containing a full copy of the Social Security Administration’s NUMIDENT database, potentially exposing the personal information of over 300 million Americans. The complaint accuses SSA CIO Aram Moghaddassi and others of granting themselves permission to copy sensitive records, including names, addresses, dates of birth, parents’ information, and Social Security numbers, without verified oversight. “Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital healthcare and food benefits, and the government may be responsible for re-issuing every American a new Social Security Number at great cost,” the complaint warned. Borges argued that the arrangement amounted to mismanagement and a threat to public safety, citing the absence of audits and unchecked DOGE control of the system. Read more.
Anthropic blocks hackers abusing Claude AI
Anthropic said it blocked hackers attempting to misuse its Claude AI system to generate phishing emails, write malicious code, and evade safety controls, raising concerns about criminals exploiting AI to supercharge cyberattacks. While no technical indicators were shared, Anthropic stated that it banned the accounts involved, tightened its safeguards, and will continue publishing similar findings to promote transparency. Backed by Amazon and Google, the firm faces scrutiny alongside OpenAI and Microsoft, as experts warn AI can make scams more realistic and accelerate hacking efforts. Security researchers caution that risks will escalate as models grow more powerful, unless companies and governments strengthen defenses. Anthropic emphasized that it conducts regular testing, outside reviews, and maintains strict safety practices to counter evolving threats. Read more.
SHAMOS malware spread through macOS ads
A new malvertising campaign has targeted macOS users with a variant of the Atomic macOS Stealer (AMOS), dubbed SHAMOS, between June and August 2025. Victims were lured to fake macOS help sites that instructed them to run a single-line installation command, bypassing Gatekeeper checks and directly installing a Mach-O executable. CrowdStrike reported blocking attempted compromises at more than 300 customer environments, attributing the campaign to the malware-as-a-service group Cookie Spider. The sites spread globally through Google search results, although none targeted Russia, reflecting forum rules that barred attacks on domestic users. The malicious script captured passwords before delivering SHAMOS. Read more.
Interpol operation seizes $485M in cybercrime
Interpol’s “Operation Serengeti 2.0” has led to the arrest of 1,209 suspected cybercriminals across 18 African nations, the U.K., and nine security organizations, officials announced Friday. The coordinated effort dismantled 11,432 pieces of malicious infrastructure, recovered $97.4 million, and identified nearly 88,000 victims, with financial losses tied to suspects estimated at $485 million. Authorities in Zambia shut down an online fraud scheme that affected 65,000 victims, while Angola dismantled 25 illicit cryptocurrency mining centers run by Chinese nationals, seizing $37 million in assets. Investigators also disrupted ransomware networks tied to Bl00dy, RansomHub, a human trafficking operation, and a multimillion-dollar inheritance scam. Interpol praised the operation as evidence of growing international cooperation against cybercrime. Read more.
Hidden prompts turn AI tools into weapons
Researchers have uncovered a new evolution of the ClickFix social engineering tactic, which utilizes “invisible prompt injection” to hijack AI summarization systems in email clients, browser extensions, and productivity platforms. The method conceals malicious instructions in HTML by utilizing CSS tricks, such as zero-width characters, white-on-white text, tiny fonts, or off-screen positioning. Attackers then repeat these payloads in bulk to dominate the AI’s context window and force it to echo attacker-controlled ransomware steps instead of legitimate summaries. Tests showed that poisoned content could weaponize popular summarizers into unwitting delivery systems, with outputs including Base64-encoded commands that simulate ransomware. Because users trust AI-generated digests, attackers can scale this technique across poisoned web pages, blogs, and forums. Read more.
Farmers Insurance breach affects 1M+ people
Farmers Insurance confirmed a major data breach affecting over 1.07 million individuals after a third-party vendor reported suspicious database activity on May 29, 2025. The insurer learned of the breach the following day and verified by July 24 that personal information had been compromised. Stolen data includes names, addresses, contact details, dates of birth, Social Security and driver’s license numbers, as well as sensitive insurance, claim, and financial records. The incident was disclosed to state attorneys general in California, Maine, and Massachusetts on Aug. 22, with customer notifications issued the same day. Farmers is providing two years of free Cyberscout credit monitoring and urges customers to stay vigilant, review their financial accounts, and consider setting up fraud alerts or credit freezes. Read more.
More cybersecurity news
- Last week’s news
- More cybersecurity news
- All articles sponsored by NetworkTigers
About NetworkTigers
NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
