AI Spreads Malware, Diplomats Phished Globally, GhostRedirector Exploits Servers – Cybersecurity News [September 01, 2025]

by | Sep 8, 2025 | Announcements

cybersecurity news

AI Spreads Malware, Diplomats Phished Globally, GhostRedirector Exploits Servers – Cybersecurity News [September 01, 2025]

by DuoCircle

This week brought a wave of innovative and large-scale cyberattacks. Scammers abused social media ads with AI features to push harmful links, with hundreds of accounts posting thousands of scams. More than 100 compromised government email accounts were used in a global phishing campaign against embassies and international organisations. At least 65 servers were hijacked to manipulate Google search rankings, while new backdoors turned email into a data theft tool. Attackers also exploited a Microsoft-signed driver to shut down security defences and install malware. These incidents highlight how quickly trusted platforms and tools can be weaponized, emphasizing the critical need for robust email security measures.

 

Malvertisers are Exploiting Social Media AI to Spread Harmful Links

Cyberattackers have found a clever way to bypass advertisements safety checks on social media by tricking the platform’s own AI assistants. It’s a method called Grokking, and it lets attackers hide malicious links where automated scanners cannot see them. They then prompt the AI to publicly share those hidden links under popular posts, making them visible to millions.

Here’s how it works. The campaign often starts with promoted video ads, using adult content to draw people in. Instead of placing links in the ad copy, the attackers hide them in metadata fields. They then reply to their own posts, asking the AI assistant to “find” and display the hidden link. Since the link now seems to come from a trusted AI account, it gains credibility and reaches millions of users. Clicking these links sends victims through questionable ad networks that ultimately deliver fake CAPTCHA checks, information-stealing malware, or other scams.

Researchers say hundreds of accounts are involved, each posting thousands of times before suspension. This activity demonstrates how attackers are increasingly exploiting AI features within mainstream platforms to amplify malicious campaigns at scale.

 

attackers

 

Diplomatic Entities Targeted in Global Spear-Phishing Campaign

A huge coordinated spear-phishing campaign has been uncovered, targeting embassies, consulates, and international organisations across the globe. The attackers sent out fake diplomatic emails carrying malicious Microsoft Word documents. Once a victim opened a file, they were prompted to enable macros, which would then trigger malware. What makes this malware so dangerous is that it was designed to hook into the system, connect with a remote server, and steal sensitive information.

What makes this campaign so concerning is the sheer scale it’s operating on and how believable it seems on the surface. The attackers used at least 104 compromised email accounts belonging to government officials to send the messages. For instance, attackers intruded on the official mailbox of a major European foreign ministry and leveraged the account to broadcast emails that appeared fully legitimate to the recipient’s eyes. The emails were written to sound like they were coming from officials and needed to be addressed immediately. They often mentioned recent geopolitical developments to convince delegates to open the attached files, which gave the malware an easy way to spread. Experts see this as just one part of a much larger espionage campaign, very similar to past attacks that have also targeted diplomatic groups.

 

malware

 

GhostRedirector Threat Group Exploits Windows Servers for SEO Fraud

A new threat group, which researchers are calling GhostRedirector, has popped up recently and has already compromised at least 65 Windows servers across several regions. These attackers are using a C++ backdoor named Rungan along with an IIS module called Gamshen. It seems their main goal is to manipulate Google search results to promote gambling sites using some pretty shady SEO practices. They usually get their foot in the door through SQL injection flaws, then use PowerShell to download more tools.

Once inside, Rungan gives them the power to create user accounts and run commands. Meanwhile, Gamshen works in the background to alter web responses specifically for Google’s crawlers, which inflates the ranking of the target sites. This campaign has hit a wide range of victims, including organizations in education, healthcare, tech, and retail. Researchers believe with medium confidence that GhostRedirector has ties to Southeast Asian countries, pointing to things like code artifacts and language markers. This whole operation highlights a growing trend of attackers abusing IIS modules for long-term access and fraudulent SEO schemes.

 

APT28 Group Deploys Outlook Backdoor “NotDoor” in NATO-Linked Attack

Researchers have spotted a new backdoor called NotDoor being used in attacks against organisations in NATO countries. This tricky malware is an Outlook macro that watches incoming emails for certain trigger words. When it finds one, it allows attackers to steal data, upload files, and run commands all through the email system. This shows how hackers are now using Outlook as a secret channel for communication and delivering malware.

 

email system

 

The backdoor gets installed using a technique that involves Microsoft’s OneDrive executable, which helps it bypass macro security and get itself set up. Once it’s active, NotDoor sticks around on the system, processes commands it receives in emails, and sends stolen files back to the attackers as encrypted attachments. It’s a serious threat because it’s part of a bigger trend where hackers use trusted platforms like Microsoft Dev Tunnels and Telegram to hide their activity and stay under the radar. This makes detection much harder, as the malicious traffic blends in with normal business operations. Researchers warn that such abuse of widely trusted tools highlights the growing sophistication of cyberattacks and the shrinking window for defenders to respond.

 

Silver Fox Exploits Vulnerable Drivers to Deliver a Powerful Spyware

Researchers have linked a hacking group known as Silver Fox to a crafty attack that exploits a vulnerable driver from WatchDog Anti-malware. The driver, amsdk.sys, was actually signed by Microsoft, so it wasn’t blocklisted. This gave the attackers a perfect opportunity to turn off security software and deploy their own malicious software. The campaign cleverly uses two different sets of drivers, an older one for Windows 7 and the WatchDog driver for Windows 10 and 11. Once it’s running, the malware gets past defenses and installs ValleyRAT, a powerful tool used for spying and fraud.

 

Malicious Software

 

Also known as SwimSnake, the Silver Fox group has been around since 2022 and mainly goes after South Asian users. They use fake apps, fake installers, and phishing scams about finance and taxes to lure people in. The group even has specialised teams focused on different user bases, like businesses and social media users, all to steal credentials and make a profit through fraud. Security researchers note that the group frequently updates its malware and evasion tactics, showing a high level of organisation and persistence.

Pin It on Pinterest

Share This