September 15, 2025 Cyber Threat Intelligence Briefing

Sep 15, 2025

This week’s briefing covers:

00:00 – Intro

00:45 [PATCHING] Microsoft Patch Tuesday Addresses 90 Issues, Two Zero-Days
Microsoft has fixed 181 vulnerabilities in September’s patch cycle and Microsoft Edge releases.

02:07 [CAMPAIGN] New Russian Speaking Threat Group Targeting Energy Sector
Seqrite Labs has documented a recent spear-phishing campaign it attributes to a new threat actor that Kroll is tracking as KTA496 and Seqrite Labs named NOISY BEAR. The actor targeted oil and gas energy sectors in Central Asia, specifically Kazakhstan.

03:35 [CAMPAIGN] iCloud Calendar Invites Abused to Send Callback Phishing Scheme
Bleeping Computer investigated the abuse of Apple’s iCloud calendar invites to perpetrate a callback phishing scheme. The invites typically appear as fake purchase notifications, a common phishing lure.

04:50 [VULNERABILITY] Multiple Critical Flaws in SAP NetWeaver and S/4HANA
SAP released security updates to address multiple vulnerabilities in its products, including several critical flaws in SAP NetWeaver and a high-severity issue in SAP S/4HANA. These vulnerabilities allow attackers to execute operating system commands, upload arbitrary files and access/modify sensitive information without proper authorization.

06:43 [CAMPAIGN] Kroll Domain Spoofing Awareness
Kroll Threat Intelligence (TI) has identified several domains that appear to use Kroll-related terminology, likely to trick victims through social engineering campaigns.

07:36 [THREAT ACTOR ACTIVITY] Salesloft Compromise Update
Following on from the Kroll TI update last week, Salesloft has provided an update on its ongoing investigation into the compromise of its platform. The update notes that from March to June 2025, the actor accessed the Salesloft GitHub account, where they proceeded to download content and add a user account.

09:03 [CAMPAIGN] Popular NPM Packages Affected by Supply Chain Attack
Kroll TI recently published an article on a phishing campaign that targeted code repository developers for both the JavaScript “NPM” repository and Python's “PyPI.” Last week, a series of 18 highly popular packages, with a total download count of approximately 2 billion downloads per week, were affected in the same manner.

11:03 [RANSOMWARE] Who is KTA500/The GENTLEMEN Ransomware Group?
KTA500 emerged as a significant threat in August 2025, quickly establishing a formidable presence across the global threat landscape. This previously undocumented group demonstrates advanced capabilities through the systematic compromise of enterprise environments in 17 countries, across sectors including manufacturing, construction, healthcare and insurance, with a particular focus on Thailand and the U.S.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
