Welcome to the September 2025 edition of the ConnectWise Cyber Research Unit™ (CRU) Monthly Threat Brief. This report provides a comprehensive look at the most significant cybersecurity developments impacting the IT services and SMB landscape. We break down the month’s top stories, critical vulnerabilities, and prevalent malware families to help you stay informed and prepared in an evolving threat environment. We have also begun adding descriptions of all the new detection signatures added to the ConnectWise SIEM™.
Top stories for September 2025
A new wave of Trojan horse malware is disguising itself as legitimate, fully functional applications, ranging from PDF editors to AI-powered assistants. Unlike crude fake installers, these apps work as promised, making users less likely to suspect anything malicious. Recent examples include AppSuite PDF Editor, which delivered the TamperedChef credential stealer via a hidden updater; ManualFinder, which leveraged Windows scheduled tasks and common binaries such as node.exe to blend in with normal system activity; and JustAskJacky, an AI assistant that quietly maintained persistence through command-and-control communications. These campaigns were backed by heavy investment in Google Ads, signed installers, and realistic branding, indicating a sophisticated and well-funded operation.
For managed service providers (MSPs), this trend underscores the limitations of traditional defenses, such as signature-based antivirus and basic user training. Because these apps appear professional and even helpful, detection must rely on behavioral analysis, such as monitoring for unexpected Run keys, abnormal access to DPAPI-protected data, or browsers being forcibly closed. Credential theft and cookie hijacking remain the attackers’ primary goals, enabling them to bypass MFA and access sensitive accounts. As adversaries continue to professionalize their malware distribution tactics, proactive threat hunting, advanced monitoring, and up-to-date intelligence will be critical to staying ahead.
FileFix attacks are an evolution of ClickFix techniques, tricking users into pasting malicious PowerShell commands into Windows File Explorer’s address bar instead of the Run dialog. Recent campaigns have moved far beyond proof-of-concept demos, using fake Facebook security alerts to lure victims into pasting “file paths” that actually execute hidden commands. To disguise the activity, attackers concatenate fake paths inside PowerShell comments, showing only benign-looking text in File Explorer while the malicious code runs in the background. The latest campaign, observed in August 2025, has a global footprint and uses phishing pages translated into multiple languages.
The operation further increases stealth through steganography, embedding second-stage PowerShell scripts and encrypted executables inside seemingly harmless JPG images hosted on legitimate platforms, such as BitBucket. Once executed, a go-based loader avoids sandbox detection and ultimately deploys StealC v2, an advanced info-stealer that targets cryptocurrency wallets, browsers, messaging apps, and cloud credentials.
For MSPs, these attacks demonstrate how social engineering is expanding beyond suspicious downloads and email attachments. Security awareness training must now cover unexpected use of trusted system utilities, such as File Explorer, while technical defenses should include monitoring for unusual PowerShell execution paths and image-based payload delivery.
SonicWall disclosed that attackers brute-forced access to its MySonicWall cloud-backup service, retrieving firewall configuration files for fewer than 5% of devices. While credentials inside the backups were encrypted, the files contained valuable metadata such as VPN endpoints, host mappings, admin usernames, enabled services, and firewall rules—information that can materially shorten an attacker’s path to follow-on compromise. SonicWall emphasized that this was not a ransomware incident or mass leak, but a targeted campaign that could enable phishing, VPN abuse, or exploitation of exposed services. Both SonicWall and national CERTs are urging impacted organizations to assume compromise and immediately rotate all referenced credentials, review configurations, and apply hardening steps.
For MSPs, this incident highlights how appliance configuration leaks can amplify risk, especially when combined with unpatched vulnerabilities. Even organizations not directly flagged as impacted should confirm whether backups exist, audit their enabled services, and consider staggering credential rotation. Affected clients should be prioritized based on backup flags, exposed services, such as SSL VPN, open management ports, and firmware patch status. SonicWall has provided a remediation playbook and online tool to guide rotation and service reviews. Since attackers may chain this metadata with other exploits, MSPs should treat flagged backups as compromised, accelerate patching, and document all remediation steps while maintaining clear communication with clients.
A new self-propagating worm, dubbed Shai-Hulud, has infected the npm ecosystem by compromising popular packages, including @ctrl/tinycolor (over 2M weekly downloads). The malware leverages npm’s post-install scripts to execute automatically during package installation, scanning local and CI/CD environments for secrets such as npm tokens, GitHub keys, AWS/GCP metadata credentials, and other service tokens. Harvested credentials are exfiltrated to attacker-controlled GitHub repositories, and when new npm tokens are discovered, the worm autonomously publishes malicious versions of any packages accessible to the compromised account. This creates an exponential spread mechanism rarely seen in supply chain attacks, allowing a single compromised maintainer to cascade the infection across the ecosystem.
For MSPs and small and midsized business (SMB) clients, the threat goes beyond poisoned dependencies; it represents a direct risk to development and production infrastructure. Compromised build systems can leak cloud credentials, enabling lateral access into customer environments. Mitigation requires both hygiene and visibility: enforce MFA on npm and GitHub accounts, rotate tokens and scope them narrowly, audit developer/CI systems for rogue publishes or workflows, and pin dependencies with lockfiles and integrity checks to prevent silent updates. Since the worm abuses trusted developer workflows, monitoring for anomalous publish activity and unexpected PowerShell or workflow executions is critical. This incident underscores how deeply intertwined supply chain security, credential hygiene, and CI/CD hardening have become.
Top vulnerabilities in September 2025
CVE-2023-52271 is a flaw in the Topaz Antifraud driver (specifically `wsftprm.sys` version 2.0.0.0) that allows a low-privileged user to invoke a vulnerable IOCTL to kill any process, including Protected Process Light (PPL) processes such as Microsoft Defender. Because this capability bypasses standard process protections, it enables attackers to disable or meddle with security agents at the kernel level.
In August 2025, the CRU observed threat actors using this vulnerability to deploy the crypto-miner XMRig, notably by deploying the vulnerable driver themselves using a technique known as bring‑your‑own‑vulnerable‑driver (BYOVD) to environments that did not already have it. In that attack, the adversary loaded the driver to gain kernel privileges and then invoked the IOCTL to disrupt security agents, easing ransomware deployment. Organizations should treat any unexpected or user‑mode termination of security services as a high‑fidelity alert, validate that systems do not have wsftprm.sys (or other unknown drivers) loaded, monitor for attempts to invoke IOCTL 0x22201C (and similar suspicious kernel calls), and apply vendor mitigations or blockloading policies to prevent BYOVD abuse.
CVE-2025-4632 is a critical path traversal vulnerability in Samsung MagicINFO 9 Server versions prior to 21.1052. This flaw allows unauthenticated attackers to write arbitrary files to system directories, potentially leading to remote code execution. The vulnerability was actively exploited in the wild following the release of a proof-of-concept exploit in April 2025. Attackers leveraged this flaw to deploy the Mirai botnet, among other malicious activities.
In September 2025, the CRU observed this vulnerability being exploited to deploy XMRig. Threat actors targeted Samsung MagicINFO 9 Server instances to gain unauthorized access and deploy malicious payloads. Organizations using affected versions are strongly advised to upgrade to version 21.1052 or later to mitigate this risk.
Top malware in September 2025
The Diamond Model
This section leverages the Diamond Model of Intrusion Analysis to structure the examination of recent malware activity, providing a clear analytical framework that links adversary, capabilities, infrastructure, and victimology. By applying the Diamond Model, we can better contextualize malicious behavior, identify patterns across campaigns, and highlight the relationships between threat actors, tools, and targeted entities.
KongTuke
KongTuke is a traffic distribution system (TDS) that adversaries abuse to funnel users through a chain of redirects and social engineering lures, ultimately delivering malware. Originally surfacing around 2024, KongTuke campaigns use compromised WordPress sites injected with JavaScript to present deceptive pages, such as fake CAPTCHA checks or browser updates, that entice visitors to run payloads. Over time, the lures have matured, adopting “paste-and-run” tactics, such as ClickFix and FileFix, which instruct users to copy malicious PowerShell commands into Windows utilities (Run dialog or File Explorer) to bypass conventional download protections.
Recent intelligence shows KongTuke playing a key role in distributing new variants of the Interlock RAT. In mid-2025, campaigns associated with the LandUpdate808 cluster (another alias linked to KongTuke) shifted from ClickFix to FileFix lures and began deploying a PHP-based RAT variant, sometimes followed by a Node.js version. The RAT conducts system reconnaissance, privilege checking, persistence via registry run keys, and communication via obscured C2 channels such as Cloudflare Tunnels.
Aliases
