The CyberWire Daily Podcast 9.18.25
Ep 2395 | 9.18.25

Brute force break-in.

Transcript

SonicWall confirms a breach in its cloud backup platform. Google patches a high-severity zero-day in Chrome. Updates on the Shai-Hulud worm. Chinese phishing emails impersonate the chair of the House China Committee. The UK’s NCA takes the reins of the Five Eyes Law Enforcement Group. RevengeHotels uses AI to deliver VenomRAT to Windows systems. A major VC shares details of a recent ransomware attack. A lawsuit targets automated license plate readers. Our guest is Brock Lupton, Product Strategist at Maltego, discussing the human side of intelligence work. From mic check to malware, a crypto phishing story.

Today is Thursday September 18th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

SonicWall confirms a breach in its cloud backup platform.

SonicWall has confirmed a breach in its MySonicWall cloud backup platform. Attackers launched brute-force attacks against its API service, gaining access to firewall configuration files.

Those files may include network maps, VPN credentials, API keys, encrypted passwords, and firewall rules. While SonicWall says fewer than 5% of firewalls are affected, it hasn’t shared exact numbers.

If you use SonicWall with cloud backup, check your MySonicWall account. If your devices are flagged, you need to reset all passwords, keys, and shared secrets—not just on your firewall, but also with ISPs, Dynamic DNS providers, VPN peers, and LDAP or RADIUS servers.

SonicWall has shut down the attack vector and is working with law enforcement.

Google patches a high-severity zero-day in Chrome.

Google has issued emergency patches for CVE-2025-10585, a high-severity zero-day in Chrome’s V8 JavaScript engine. It’s the sixth exploited zero-day fixed in Chrome this year. Google confirmed the flaw has a public exploit, a strong sign of active abuse, often linked to state-backed spyware campaigns targeting high-risk individuals. The issue was reported by Google’s Threat Analysis Group and patched within a day. Users are urged to update Chrome immediately.

Updates on the Shai-Hulud worm.

Yesterday we shared news of a new self-replicating worm, dubbed “Shai-Hulud,” that has compromised over 180 packages, including the popular @ctrl/tinycolor library. The malware spreads automatically by stealing developer credentials, publishing malicious code to npm, and creating GitHub repos that expose stolen secrets. Harvested data includes API keys, cloud credentials (AWS, Azure, GCP), GitHub tokens, and SSH keys, potentially enabling ransomware, cryptomining, and cloud data theft.

Analysis from Palo Alto Networks’ Unit 42 indicates a large language model (LLM) likely helped generate the malicious bash script, based on unusual comments and emojis in the code. The worm currently targets Linux and macOS systems. Developers are urged to rotate all credentials, audit dependencies, review GitHub accounts, and enforce MFA immediately. This incident highlights the escalating risk of AI-assisted malware and the growing speed of CI/CD-driven supply chain compromises across open-source ecosystems.

Chinese phishing emails impersonate the chair of the House China Committee.

Proofpoint has uncovered a new Chinese state-aligned cyber campaign targeting U.S. government agencies, think tanks, law firms, and academics focused on trade policy. The activity is attributed to TA415 (APT41, Wicked Panda, Brass Typhoon). Attackers used phishing emails themed around U.S.-China economic relations, sometimes impersonating Rep. John Moolenaar, chair of the House China Committee. The emails invited recipients to closed-door briefings, with malicious attachments delivering a Python loader called WhirlCoil.

Instead of noisy malware, the group leaned on Visual Studio Code Remote Tunnels and legitimate cloud services like Google Sheets and Zoho WorkDrive for persistence and command-and-control. The campaigns ran during summer trade negotiations, suggesting a clear intelligence-gathering motive. The findings echo a recent congressional advisory about ongoing Chinese phishing operations. Together, they highlight Beijing’s continued push for insights into U.S.-China economic strategy and its willingness to use stealthy, creative methods.

The UK’s NCA takes the reins of the Five Eyes Law Enforcement Group.

The UK’s National Crime Agency (NCA) will chair the Five Eyes Law Enforcement Group (FELEG) for the first time since 2015, pledging to use the alliance to disrupt cybercrime, money laundering, and online child sexual abuse. FELEG unites major policing bodies, including the FBI, DEA, AFP, RCMP, and New Zealand Police. A key target is “The Com,” a loosely connected network of online groups spreading violent, extremist, and child abuse material, often run by young men on gaming platforms and messaging apps. These groups are also tied to major cybercrime outfits like Scattered Spider, ShinyHunters, and Lapsus$, linked to high-profile data thefts and extortion campaigns against global retailers and fashion brands. NCA director Graeme Biggar stressed that international cooperation is vital as criminals exploit new technologies, highlighting successes such as the LockBit ransomware takedown as proof of what joint action can achieve.

RevengeHotels uses AI to deliver VenomRAT to Windows systems.

RevengeHotels (TA558) is using AI-generated loader scripts plus JavaScript and PowerShell downloaders to deliver VenomRAT to Windows systems. Targets include hotel reservation and HR inboxes, lured with overdue-invoice or job-application links that redirect to fake document portals. Visiting the site auto-downloads an AI-crafted WScript JS that drops a PowerShell loader, leading to VenomRAT execution. The RAT hardens itself (EnableProtection), kills debuggers and forensic tools, drops a VBS for persistence, elevates to SeDebugPrivilege, spreads via removable media, and erases Windows event logs.

A major VC shares details of a recent ransomware attack.

Insight Partners, a major venture capital firm, disclosed more details of a 2024 ransomware attack affecting over 12,600 individuals. The breach began in October 2024 but was only detected on January 16, 2025, when attackers exfiltrated data and encrypted servers after a social engineering attack. Stolen information may include banking, tax, employee, and limited partner data. Victims face risks of identity theft and are offered free protection services. Experts warn VC firms are prime targets due to their sensitive financial and portfolio data.

A lawsuit targets automated license plate readers.

A lawsuit in Norfolk, Virginia, has revealed the extent of surveillance by Flock Safety’s license plate readers (ALPRs). Between February and July 2025, 176 cameras tracked retired veteran Lee Schmidt 526 times—about four times daily—and co-plaintiff Crystal Arrington 849 times, averaging six logs a day. Norfolk struck a $2.2 million deal with Flock, whose ALPR network spans 5,000 police agencies, 1,000 businesses, and homeowners’ associations nationwide. The plaintiffs, backed by the Institute for Justice, argue warrantless tracking violates the Fourth Amendment and are seeking to disable Norfolk’s system. Flock, however, cites case law supporting ALPR use as public, point-in-time photography. Civil liberties advocates warn the technology amounts to mass surveillance, with potential risks if data is shared across jurisdictions or accessed by federal agencies such as ICE.

From mic check to malware, a crypto phishing story.

In a story that hits uncomfortably close to home, it seems cybercriminals have decided that if you can’t get on a podcast, you might as well pretend to host one. A new phishing campaign is making the rounds in the crypto world, with attackers impersonating the popular Empire podcast to lure developers and influencers into “exclusive interviews.” The pitch arrives via DMs, complete with fake flattery and calendar invites. But instead of market insights, the victims are nudged toward convincing lookalikes of platforms like Streamyard or Huddle, where they’re told to download a desktop client. Spoiler: it’s not a client—it’s AMOS Stealer, neatly wrapped in a DMG file.

Once installed, the malware dutifully rifles through credentials, cookies, and crypto wallets, handing them over to cybercriminals for resale. This scheme follows hot on the heels of August’s fake CoinMarketCap journalist stunt, proving scammers are nothing if not creative. The moral? Not every podcast invitation is worth accepting—especially if it comes with a download link.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.