
Weekly Digest Week 36 – 2025

Publication date

05.09.2025

Featured Story

Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries

A new Microsoft Outlook backdoor called NotDoor has been attributed to the Russian state-sponsored hacking group tracked as APT28. It has been used in attacks targeting multiple companies across different sectors in NATO member countries.

NotDoor is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word. When detected, it enables attackers to exfiltrate data, upload files, and execute commands on the victim’s computer. The malware is deployed via Microsoft’s OneDrive executable using DLL side-loading, which installs the VBA backdoor and disables macro security protections.

The malware supports four commands: cmd and cmdno for executing commands, dwn to exfiltrate files, and upl to drop files to the victim’s computer.

SOC Analysis: This campaign demonstrates nation-state actors leveraging trusted business applications as persistent command and control infrastructure. Organizations should implement comprehensive macro security controls and monitor Outlook VBA activities across enterprise environments.
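The backdoor described above needs an Outlook VBA project that loads at startup and a macro security level that lets it run. The following PowerShell audit function is an added example (not code from the digest or from any vendor report) that checks a host for those two conditions plus the presence of the Outlook VBA project file; it assumes Office version 16.0 (Outlook 2016/2019/Microsoft 365), which is passed as a parameter so it can be adjusted.

```powershell
# Added example: audit one Windows host for the preconditions of a persistent
# Outlook VBA backdoor. Run in the context of the user whose profile you audit.
function Test-OutlookVbaPosture {
    param([string]$OfficeVersion = '16.0')   # assumption: Office 2016+ registry layout
    $findings = @()

    # Outlook keeps its single VBA project in this file. On hosts where nobody
    # writes Outlook macros, its existence alone deserves a look.
    $otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
    if (Test-Path $otm) {
        $item = Get-Item $otm
        $findings += [pscustomobject]@{
            Check  = 'VbaProject.OTM present'
            Value  = "$($item.Length) bytes, modified $($item.LastWriteTime)"
            Status = 'Review'
        }
    }

    # Macro security level: 1 = all macros run without warning, 4 = all disabled.
    $secKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
    $level  = (Get-ItemProperty -Path $secKey -Name 'Level' -ErrorAction SilentlyContinue).Level
    if ($level -eq 1) {
        $findings += [pscustomobject]@{
            Check  = 'Outlook macro security Level'
            Value  = $level
            Status = 'Weak (all macros enabled)'
        }
    }

    # LoadMacroProviderOnBoot = 1 makes Outlook load the VBA project at startup,
    # which is what a macro backdoor relies on to survive restarts.
    $olKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook"
    $boot  = (Get-ItemProperty -Path $olKey -Name 'LoadMacroProviderOnBoot' -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
    if ($boot -eq 1) {
        $findings += [pscustomobject]@{
            Check  = 'LoadMacroProviderOnBoot'
            Value  = $boot
            Status = 'Suspicious (VBA auto-loads at startup)'
        }
    }

    if ($findings.Count -eq 0) {
        $findings += [pscustomobject]@{ Check = 'Outlook VBA posture'; Value = '-'; Status = 'OK' }
    }
    return $findings
}

Test-OutlookVbaPosture | Format-Table -AutoSize
```

Collecting this output centrally (for example through an EDR script job) turns the one-off check into the fleet-wide Outlook VBA monitoring the analysis above recommends.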

Other Stories

Android Security Alert: Google Patches 120 Flaws, Including Two Zero-Days Under Attack

Google released September 2025 Android security patches fixing 120 vulnerabilities, including two zero-days (CVE-2025-38352 and CVE-2025-48543) actively exploited in targeted attacks. Both flaws allow privilege escalation without user interaction or additional permissions.

One of the two flaws, in the Linux kernel, was discovered by Google’s Threat Analysis Group, which suggests it may have been used in spyware campaigns.

SOC Analysis: Organizations should prioritize Android security patch deployment across corporate mobile device fleets and review BYOD security policies. This highlights the importance of maintaining current patch levels on mobile devices, especially for personal devices accessing corporate resources.

Threat Actors Weaponize HexStrike AI to Exploit Citrix Flaws Within a Week of Disclosure

Cybercriminals are using HexStrike AI (a legitimate penetration testing tool) to automatically exploit Citrix vulnerabilities within a week of disclosure. The tool integrates with 150+ security tools and automates vulnerability discovery and exploit development.

Darknet forums show criminals exploiting recent Citrix flaws and selling vulnerable NetScaler instances, shrinking the window between disclosure and exploitation.

SOC Analysis: This incident highlights how security automation platforms can be adapted for offensive purposes. Organizations should shorten patch deployment cycles as AI-powered tools accelerate exploitation timelines.

The CCB warns about an ongoing campaign distributing trojanized PDF applications

The CCB warns organisations about a malicious campaign delivering trojanized PDF editors or product manuals. Once installed, this malware can steal credentials and turn Windows devices into proxies. Several incidents have already been reported, and the CCB is treating this campaign as high risk.

SOC Analysis: This campaign demonstrates sophisticated threat actors leveraging legitimate business requirements as attack vectors. Organizations should enforce strict software installation controls to prevent unauthorized applications.
