Daily Briefing for 08.27.25

At a glance.

• Spearphishing campaign targets US manufacturing companies.
• Citrix patches critical NetScaler zero-day.
• Blind Eagle targets Colombian government entities.
• US, Japan, and South Korea discuss ways to combat the DPRK's IT worker schemes.

Spearphishing campaign targets US manufacturing companies.

Check Point warns of a sophisticated phishing campaign targeting "supply chain–critical manufacturing companies" in the United States. The attackers initiate communication via the targeted entity's public contact form, then "maintain credible, business-oriented email conversations with the victim for weeks before delivering a malicious ZIP payload." The malicious attachment poses as an NDA form, and contains a malicious .lnk file that triggers a PowerShell-based loader to install a custom malware strain dubbed "MixShell."

The researchers note, "The majority of the targeted companies are in industrial manufacturing, including machinery, metalwork, component production, and engineered systems. Other affected industries include hardware & semiconductors, consumer goods & services, and biotech & pharmaceuticals. This distribution suggests that the attacker seeks entry points across wealthy operational and supply chain-critical industries instead of focusing on a specific vertical."

Citrix patches critical NetScaler zero-day.

Citrix yesterday issued patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway, including an actively exploited zero-day that can lead to remote code execution, BleepingComputer reports. The zero-day (CVE-2025-7775) is a memory overflow vulnerability that can lead to remote code execution. The flaw was assigned a CVSS score of 9.2.

Citrix said in a blog post, "As of August 26, 2025 Cloud Software Group has reason to believe that exploits of CVE-2025-7775 on unmitigated appliances have been observed, and strongly recommends customers to upgrade their NetScaler firmware to the versions containing the fix as there are no mitigations available to protect against a potential exploit."

Blind Eagle targets Colombian government entities.

Recorded Future has published a report on activity by TAG-144 (also known as "Blind Eagle") targeting local, municipal, and federal entities within the Colombian government. Blind Eagle is a suspected South American threat actor that conducts cybercrime alongside espionage. Recorded Future notes, "Initial access typically occurs through spearphishing campaigns impersonating local government agencies, most notably Colombian authorities. These campaigns leverage themes such as debt collection and judicial notifications to lure victims into opening malicious documents...TAG-144 employs geo-fencing and other detection evasion measures that block access from outside Colombia or Ecuador, redirecting outsiders to official government websites."

US, Japan, and South Korea discuss ways to combat the DPRK's IT worker schemes.

The US State Department worked with the Ministries of Foreign Affairs in Japan and South Korea, as well as Mandiant, to organize a forum in Tokyo yesterday to explore strategies for fighting North Korea's fraudulent IT worker operations, the Record reports. The US State Department said in a press release that the forum had "over 130 attendees representing the trilateral governments and relevant industry partners including, freelance work platforms, payment service providers, cryptocurrency companies, AI industries, and other Web3 technology companies." The department added that the "event provided a forum for public and private sectors to bolster their collective defenses against deceptive North Korean IT worker tactics."