EvilAI Malware Impersonating AI Tools to Target Manufacturing & Retail and Hospitality Organizations

Summary A highly capable threat campaign, codenamed EvilAI by Trend Micro, is using seemingly legitimate, digitally signed AI-enhanced productivity software, such as PDF editors, to secretly deliver various malware strains globally. These applications, which appear functional, serve as initial access conduits to perform reconnaissance, exfiltrate browser data, and prepare systems for secondary payloads. The campaign has…

Read More

CISA and NCSC Release Directives to Address Multiple Cisco Platforms Exploited by Threat Actors

Context CISA has released Emergency Directive 25-03 in response to an advanced threat actor actively exploiting zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) devices. This alert comes as the United Kingdom National Cyber Security Centre releases a parallel advisory warning of active exploitation. This persistent threat utilizes new malware strains, RayInitiator and LINE VIPER, to maintain control and…

Read More

Salesloft Drift AI Abused for Further Attacks on Salesforce Environments for Major Cyber Security Firms

Executive Summary A widespread, opportunistic data theft campaign against Salesforce, attributed to the group UNC6395, has expanded in scope beyond initial reports. The attacks leverage compromised OAuth tokens from Salesloft Drift, an AI chat agent, to gain unauthorized access to customer instances of various services, including Salesforce and Google Workspace. Cybersecurity firms Zscaler and Palo Alto Networks have publicly confirmed impact,…

Read More

Colt Technology Services Attack Claimed by Warlock Ransomware, Data Up for Sale

Executive Summary UK-based telecom provider Colt Technology Services has been battling a cyberattack since August 12, 2025, which disrupted several of its support and online platforms for days. Initially described as a “technical issue,” the company later confirmed it was a cyber incident and that customer data was stolen. The WarLock ransomware group has claimed responsibility,…

Read More

QuirkyLoader Delivers Infostealers and RATs to Multiple Global Entities

Executive Summary Since November 2024, IBM X-Force has been tracking QuirkyLoader, a new malware loader actively used to deliver a variety of well-known payloads, including keyloggers and Remote Access Trojans (RATs). This multi-stage infection begins with a malicious email attachment that exploits dynamic-link library (DLL) side-loading to execute a hidden malicious DLL. The loader, consistently written…

Read More