In today’s cybersecurity news…
Fintech foils bank heist
Cybercriminals attempted to steal $130 million by breaching Sinqia S.A., the Brazilian arm of fintech firm Evertec, in a short-lived cyber-attack on Brazil’s Pix real-time payments system. The breach was detected on August 29, when stolen credentials belonging to an IT vendor were used to attempt unauthorized business-to-business transfers. Sinqia immediately halted Pix transactions and brought in cybersecurity forensics teams. Part of the stolen funds has already been recovered, and regulators have revoked Sinqia’s access to Pix. No customer data appears to be affected, but the full financial and reputational impact is still under review.
NotDoor backdoor
Security researchers say Russia’s state-backed hacking group APT28 has rolled out a new tool called NotDoor that lets them secretly spy through Microsoft Outlook. The malware first has to be planted on a victim’s computer, but instead of running constantly, it sits dormant until it sees a special trigger email containing a keyword such as “Daily Report.” That message silently activates the backdoor, which then steals data, runs commands, and erases its tracks. Analysts say APT28 uses this trick because it makes the malware stealthier, easier to control, and harder to detect than a backdoor that’s always on. They called it NotDoor because the word “Nothing” appears in the code. And not because it’s not a door. Because it’s totally a door. A backdoor.
Salesloft-Drift impact continues drifting
The body count from the Salesloft Drift supply-chain breach, which gave attackers access to Salesforce instances, keeps rising. Cloudflare has now confirmed attackers accessed its Salesforce support cases and extracted 104 API tokens, all of which have since been rotated. Palo Alto Networks has disclosed it was also affected, alongside Zscaler, after OAuth tokens stolen from Drift were used to break into Salesforce instances between August 8 and 18. With three major security firms already on the roster, investigators warn more names could surface as the full extent of the compromise comes into focus.
This is why we can’t have nice things
HexStrike AI, an AI-driven offensive security framework meant for red teams, has been leveraged by threat actors to exploit newly disclosed vulnerabilities at high speed, sometimes within ten minutes. By orchestrating more than 150 security tools through AI agents, it scans, crafts, and delivers exploits on its own. Its built-in retry logic allows exploit attempts to continue until one succeeds, massively improving attacker success rates. Threat actors are also using the tool to flag vulnerable systems for resale to other criminals. The tool has already been used to exploit Citrix NetScaler zero-days and n-days.
Huge thanks to our sponsor, ThreatLocker

A bear, a kraken and a yeti walk into a breach…
The U.S. State Department has announced a reward of up to $10 million for information on three Russian intelligence officers accused of hacking U.S. critical infrastructure. The operatives are Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, all part of the FSB’s Center 16, also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, and Koala Team. Between 2012 and 2017, they allegedly carried out attacks on the Nuclear Regulatory Commission, Wolf Creek Nuclear Operating Corporation, and hundreds of foreign energy companies across 135 countries. More recently, the group has been linked to exploiting Cisco router flaws against U.S. networks. Tips can be submitted anonymously through the Rewards for Justice Tor channel.
Phishing diplomats
An Iranian state-sponsored group known as Homeland Justice has carried out a global phishing blitz against embassies, consulates, and international organizations across Europe, Africa, Asia, and the Americas. Using over 100 hijacked email accounts, including one belonging to Oman’s foreign ministry in Paris, they sent fake Word documents that lured officials into enabling malicious macros. Once triggered, the malware installed itself for persistence, phoned home to a command server, and collected system data. Security researchers say the operation is espionage, not crime-for-profit, and attribute it to Iran’s Ministry of Intelligence.
Spies worldwide may have to delay their travel
Law enforcement agencies in the U.S. and the Netherlands have seized VerifTools, an online marketplace that sold counterfeit driver’s licenses, passports, and bank documents for as little as $9 to help criminals dodge “Know Your Customer” checks. Investigators say the site raked in $6.4 million since 2022 before the FBI and Dutch police pulled down its domains and more than two dozen servers. But in a twist that feels on brand, the operators have already relaunched the service under a new domain, giving the fake identity ring a fresh identity of its own.
120 Android security flaws patched
Google’s September 2025 Android update fixes a whopping 120 vulnerabilities, including two zero-day flaws that are already being used in targeted attacks. One affects the Android kernel and could grant full device control, while the other hits the Android Runtime and lets attackers escalate privileges; neither requires any user action. The updates are being rolled out in two stages (Sept 1 and Sept 5 patch levels), giving device makers flexibility in deploying fixes across different hardware. Google urges users and partners to apply the latest patch levels without delay.