
Threat Intel Update
Recent cybersecurity incidents highlight how attackers are using increasingly sophisticated techniques against business platforms and trusted services. Threat actors are hijacking Meta Business accounts through malicious browser extensions, spreading cross-platform malware such as CHILLYHELL and ZynorRAT, and misusing legitimate tools like Docker APIs and iCloud Calendar.
These campaigns underscore a growing trend: adversaries are leveraging trusted infrastructure to evade detection and bypass traditional security defenses.
Cybersecurity News
- Fake Browser Extensions Target Meta Business Accounts – Cybercriminals are distributing bogus extensions such as SocialMetrics Pro and Madgicx Plus to compromise Meta Business accounts. Once installed, these tools harvest Facebook session cookies, login credentials, and user data through deceptive ads and websites, putting advertisers at risk of account takeover and fraud. The Hacker News
- New Docker Malware Hijacks Exposed APIs to Build Botnet Infrastructure – A newly discovered Docker malware strain is exploiting exposed APIs to seize control of vulnerable systems. The malware installs persistence mechanisms, blocks competing threats, and scans for additional unprotected Docker servers, pointing to a coordinated effort to establish large-scale botnet infrastructure. Hackread
- 45 Previously Unknown Domains Reveal Ongoing Salt Typhoon Cyber Espionage – Threat researchers have identified 45 domains connected to the China-linked Salt Typhoon cyber espionage group, some active since May 2020. The discovered infrastructure overlaps with UNC4841 and has been used to target telecom providers through tactics like fraudulent email registrations. The Hacker News
- Salesloft Drift Breach Linked to GitHub Compromise and Stolen OAuth Tokens – A recent breach at Salesloft Drift stemmed from a GitHub compromise, allowing attackers to steal OAuth tokens and access Salesforce customer data. Several companies, including Zscaler and Cloudflare, were affected. Mandiant’s investigation confirmed the breach has been contained. Hackread
- iCloud Calendar Exploited to Send Phishing Emails from Apple Servers – Cybercriminals are abusing iCloud Calendar invites to deliver phishing messages from Apple’s own servers, often masquerading as fake PayPal payment notifications. By embedding scam text in calendar invites, attackers bypass spam filters and trick recipients into calling fraudulent support numbers. BleepingComputer