September 8, 2025 Cyber Threat Intelligence Briefing

Sep 8, 2025

This week’s briefing covers:

00:00 – Intro

00:36 [THREAT ACTOR ACTIVITY] Attack on Salesloft Drift Leads to Third Party Compromises of User Data
In August 2025, the Salesloft Drift integration platform was compromised by the threat actor KTA223 (aka UNC6395, ShinyHunters), resulting in the theft of OAuth and refresh tokens.

03:05 [THREAT ACTOR ACTIVITY] Actors Utilize Open-Source Incident Response Tool Velociraptor to Deploy Visual Studio Code Tunnel
Sophos identified a threat actor using the incident response tool Velociraptor to download Visual Studio Code (VS Code) via an encoded PowerShell command. The actors then ran VS Code as a service.

04:38 [MALWARE] ClickFix Generator Provides Insight into Lure Generation
Kroll TI has discovered a ClickFix tool hosted on a live webpage that generates source code an actor could potentially use on a malicious or compromised domain to lure victims into running code.

07:51 [VULNERABILITY] Apple ImageIO and WhatsApp iOS Vulnerabilities

09:34 [AI] "Vibe Hacking" Coding Agents Evolve AI-Assisted Cybercrime
Key Takeaways

  • AI agents automate sophisticated cyberattacks, enabling single actors to conduct large-scale data extortion operations.
  • AI lowers the barrier for cybercriminals, allowing individuals with limited technical expertise to execute complex operations like malware development.
  • Generative AI is integrated across all stages of cybercrime, from profiling victims and analyzing data to creating false identities and crafting ransom demands.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
