August 18, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 – Intro
00:38 [PATCHING] Microsoft Patch Tuesday Addresses 118 Issues, 0 Zero-Days
Microsoft has fixed 118 vulnerabilities in August’s patch cycle and Microsoft Edge releases.
03:22 [SUPPLY CHAIN] Binarly Finds XZ Utils Backdoor Still Present in 35 Docker Images
Over a year after the XZ Utils backdoor (CVE-2024-3094) was disclosed in March 2024, Binarly researchers identified 35 Docker Hub images still containing the malicious code. The set includes 12 base Debian images and 23 derivative builds, creating transitive infection risks across container environments.
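One defender-side check for the transitive risk described above, as an added example rather than Binarly's or Kroll's tooling: it flags the xz/liblzma versions that shipped the CVE-2024-3094 backdoor (upstream 5.6.0 and 5.6.1, which the briefing does not list) and walks a constructed dpkg-style package listing of the kind one would capture from inside a container image.

```shell
#!/bin/sh
# Added example: flag xz/liblzma package versions that carry the CVE-2024-3094 backdoor.
# The backdoor shipped in upstream xz 5.6.0 and 5.6.1. Debian-style versions look like
# "5.6.1-1" or "5.6.0-0.2", so compare on the upstream part before any "-" or "+".

# Returns 0 (true) if the given version string is one of the backdoored releases.
xz_is_backdoored() {
    upstream=$(printf '%s' "$1" | sed 's/[-+].*$//')
    case "$upstream" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "package version" pairs on stdin, as produced by
#   dpkg-query -W -f '${Package} ${Version}\n'
# inside an image, and prints each affected xz/liblzma package with its version.
find_backdoored_xz() {
    while read -r pkg ver; do
        case "$pkg" in
            xz-utils|liblzma5|liblzma-dev|xz-libs|xz)
                if xz_is_backdoored "$ver"; then
                    printf '%s %s\n' "$pkg" "$ver"
                fi ;;
        esac
    done
}

# Constructed sample listing standing in for output captured from a container image.
SAMPLE_LISTING='bash 5.2.15-2+b2
liblzma5 5.6.1-1
xz-utils 5.4.5-0.3
libc6 2.36-9+deb12u7'

# Demo helper: number of affected packages found in the sample listing.
count_backdoored() {
    printf '%s\n' "$SAMPLE_LISTING" | find_backdoored_xz | wc -l | tr -d ' '
}
```

Run the listing step against each image layer or base image in the build chain, since a clean derivative image can still inherit an affected liblzma5 from its base.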
04:27 KTA487 (Aka "Curly COMrades") Targeting Judicial, Governmental and Energy Sectors
Bitdefender Labs released a report on a new threat group, "Curly COMrades", that Kroll will track as KTA487. Bitdefender believes KTA487 aligns with Russian interests, targeting judicial, governmental and energy organizations in Georgia and Moldova.
05:25 Collaboration between ShinyHunters, Scattered Spider and LAPSUS$
Key Takeaways:
- A cybercrime group collaboration featuring SHINYHUNTERS, SCATTEREDSPIDER and LAPSUS$ (under "scattered lapsu$ hunters" on Telegram) is developing ShinySp1d3r ransomware-as-a-service and mirroring sophisticated social engineering tactics for data extortion.
- SCATTEREDSPIDER is a notorious, decentralized collective of young English-speaking cybercriminals known for highly targeted vishing, social engineering and help desk impersonation to bypass MFA and gain initial access for data theft and extortion.
- Tactical convergence between SHINYHUNTERS and SCATTEREDSPIDER, evidenced by shared phishing infrastructure, Okta/Salesforce SSO impersonation and synchronized targeting of the retail, insurance and aviation sectors, suggests their collaboration has been ongoing for over a year.
06:40 CHARON Ransomware
Key Takeaways:
- Kroll has recently observed an increase in the use of MESHAGENT as a remote management tool by threat actors. MESHAGENT is a lightweight remote management agent and part of the publicly
- CHARON is a new ransomware family employing advanced persistent threat (APT)-level evasion tactics, notably DLL sideloading and process injection, to target Middle Eastern public sector and aviation entities.
- The campaign is highly targeted, evidenced by customized ransom notes naming victim organizations, and exhibits technical overlaps with the China-linked Earth Baxia hacking group, though definitive attribution is unclear.
- CHARON performs disruptive actions like disabling security services and deleting backups, underscoring a concerning trend of ransomware operators adopting sophisticated nation-state-level techniques, posing an elevated risk to organizations.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
#krollcyber #threatintelligence #cyberthreats