Cyber Security Weekly Briefing, 20-26 September
LLM-powered malware: new threat capable of generating malicious code in real time
SentinelLABS warns that LLM-powered malware represents a growing challenge, as it can generate malicious code at runtime, making it difficult to detect with static signatures. To address this, researchers focused on two unavoidable artifacts: embedded API keys and embedded prompts, leading to the discovery of previously unpublished samples, including MalTerminal, possibly the first malware of its kind.
Cases such as PromptLock and LameHug/PROMPTSTEAL already demonstrated the use of LLMs to generate commands, exfiltrate data and increase persistence through multiple keys. While these capabilities make the malware more adaptable, its reliance on prompts and credentials also makes it fragile. The research also identified LLM-based offensive tools, such as vulnerability generators or intrusion agents.
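The two artifacts the research relied on, embedded API keys and embedded prompts, can be hunted for directly. The following scanner is an added example, not SentinelLABS' tooling; the key and endpoint patterns and the prompt phrases it looks for are assumptions about common formats, and the sample binary is constructed.

```python
import re

# Added example (not SentinelLABS' tooling): look for the two artifacts
# LLM-powered malware cannot avoid embedding, an API key and a prompt.
# Patterns are assumptions about common key/endpoint formats.
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")                      # printable runs
KEY_RE = re.compile(rb"\bsk-(?:ant-)?[A-Za-z0-9_-]{20,}")        # 'sk-' style keys
ENDPOINT_RE = re.compile(rb"https://api\.(?:openai|anthropic)\.com/v\d/[A-Za-z/]+")
# Phrases typical of instructions written for a model rather than for a user.
PROMPT_MARKERS = (b"you are a", b"respond only with", b"return only",
                  b"do not explain", b"output valid json", b"as an expert")

def mask(secret: bytes) -> str:
    """Never echo a full key into a report; keep prefix and tail only."""
    text = secret.decode("ascii", "replace")
    return text[:7] + "..." + text[-4:]

def scan_bytes(data: bytes) -> dict:
    """Return key/endpoint/prompt hits. A file is 'suspicious' only when a
    credential (or API endpoint) and a prompt-like string co-occur, mirroring
    the two-artifact approach instead of alerting on either alone."""
    strings = STRING_RE.findall(data)
    keys = [mask(m.group(0)) for s in strings for m in KEY_RE.finditer(s)]
    endpoints = [m.group(0).decode() for s in strings for m in ENDPOINT_RE.finditer(s)]
    prompts = [s.decode("ascii", "replace") for s in strings
               if any(marker in s.lower() for marker in PROMPT_MARKERS)]
    suspicious = bool(keys or endpoints) and bool(prompts)
    return {"keys": keys, "endpoints": endpoints, "prompts": prompts,
            "suspicious": suspicious}

def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())

# Constructed sample: a fake ELF-like blob with a bogus key, an API endpoint
# and a model instruction, plus a benign PE-like blob for comparison.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
          + b"sk-EXAMPLEKEY000000000000000000000\x00"
          + b"https://api.openai.com/v1/chat/completions\x00"
          + b"You are a helpful assistant. Return only a PowerShell script.\x00"
          + b"\x90" * 8)
BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\x00" * 2

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))
    print(scan_bytes(BENIGN))
```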
The EU Cybersecurity Agency confirmed that the incident at European airports was a ransomware attack
A cyberattack against Collins Aerospace, a subsidiary of RTX and provider of check-in and boarding software, has caused delays at European airports including Heathrow, Brussels, Berlin and Dublin. The EU Cybersecurity Agency confirmed that it was a ransomware attack that affected the Muse system, forcing manual passenger processing.
While Heathrow said most flights are operating normally, Brussels canceled dozens of operations and other terminals are experiencing delays. Collins is working on updates to restore service, but has not yet guaranteed full system security. Authorities do not rule out that state actors are behind the attack, although sophisticated private groups are also being considered. The European Commission said there is no indication of a widespread attack.
Meanwhile, airlines such as IAG, EasyJet and Wizz Air recorded stock market declines following the incident.
Third patch released for critical flaw in SolarWinds Web Help Desk
SolarWinds has released a third patch to fix a critical unauthenticated remote code execution (RCE) vulnerability in its Web Help Desk (WHD) product, identified as CVE-2025-26399 (CVSSv3 score of 9.8 according to the manufacturer). This flaw affects version 12.8.7 and stems from insecure deserialization in the AjaxProxy component.
This is a bypass of previous patches (CVE-2024-28986 and CVE-2024-28988, both with a CVSSv3 score of 9.8 according to SolarWinds), all of which are related to previous versions of WHD (12.8.3 and earlier). The vulnerability was reported by Trend Micro Zero Day Initiative (ZDI) and, although no public exploits have been detected, CISA had already warned about the active use of the original flaw in attacks.
SolarWinds has published a hotfix available on its customer portal, which requires replacing several specific JAR files on the affected system.
UNC5221 deploys BRICKSTORM in persistent attacks against critical sectors in the U.S.
Google Threat Intelligence and Mandiant have detected new operations linked to BRICKSTORM malware, a backdoor used to maintain persistent access in organizations in the legal, technology, BPO and SaaS sectors in the U.S. Since March 2025, the actor attributed to UNC5221, with a possible China nexus, has exploited zero-day vulnerabilities in perimeter devices to deploy BRICKSTORM in environments where EDR tools have no visibility.
Research shows that intruders have managed to remain undetected for an average of 393 days, employing lateral movement techniques, credential theft and exfiltration of critical emails and files. In several cases they compromised VMware vCenter and cloned sensitive virtual machines such as domain controllers or credential managers. In addition, they have deployed variants such as BRICKSTEAL and SLAYSTYLE, which allow intercepting credentials and executing commands.
Mandiant highlights the sophistication and adaptability of the actor, which even removed traces during active investigations.
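Cloning of domain controllers or credential managers from vCenter is one of the few observable steps in a campaign that otherwise sits where EDR has no visibility. The hunt below is an added example, not Mandiant's detection content; it assumes vCenter events already exported to dicts with the field names shown, assumes the sensitive-VM naming patterns and approved automation account, and uses constructed events.

```python
import re

# Added hunting example (not Mandiant's detections). Field names, the
# sensitive-VM naming patterns and the approved account are assumptions.
# Names that suggest a domain controller, PKI or credential store.
SENSITIVE_VM_RE = re.compile(
    r"(?:^|[-_ .])(?:dc|ad|vault|pam|pki|ca|secret)\d*(?:$|[-_ .])", re.I)
# Automation accounts expected to clone such VMs (e.g. backup jobs).
APPROVED_CLONERS = {"VSPHERE.LOCAL\\backup-svc"}

def is_sensitive_vm(name: str) -> bool:
    return bool(SENSITIVE_VM_RE.search(name))

def hunt_clones(events: list[dict]) -> list[dict]:
    """Flag VmClonedEvent records where a sensitive-looking source VM was
    cloned by an account outside the approved set. Both conditions must hold:
    a high-value target cloned by an unexpected actor."""
    findings = []
    for ev in events:
        if ev.get("type") != "VmClonedEvent":
            continue
        sensitive = is_sensitive_vm(ev["source_vm"])
        unexpected = ev["user"] not in APPROVED_CLONERS
        if sensitive and unexpected:
            findings.append({**ev, "reason": "sensitive VM cloned by non-approved account"})
    return findings

# Constructed events: two suspicious clones, one approved backup clone,
# one benign clone and one unrelated event type.
EVENTS = [
    {"time": "2025-06-02T03:14:00Z", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\Administrator", "source_vm": "corp-dc01", "dest_vm": "corp-dc01-clone"},
    {"time": "2025-06-02T03:20:00Z", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\Administrator", "source_vm": "pam-vault-prod", "dest_vm": "tmp-vm-7"},
    {"time": "2025-06-02T09:00:00Z", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\backup-svc", "source_vm": "corp-dc02", "dest_vm": "corp-dc02-bkp"},
    {"time": "2025-06-02T10:00:00Z", "type": "VmClonedEvent",
     "user": "VSPHERE.LOCAL\\Administrator", "source_vm": "web-frontend-03", "dest_vm": "web-frontend-04"},
    {"time": "2025-06-02T10:05:00Z", "type": "VmPoweredOnEvent",
     "user": "VSPHERE.LOCAL\\Administrator", "source_vm": "corp-dc01", "dest_vm": ""},
]

if __name__ == "__main__":
    for finding in hunt_clones(EVENTS):
        print(finding["time"], finding["user"], finding["source_vm"], "->", finding["reason"])
```

Off-hours timing and a clone destination that is later powered on and never registered in the CMDB are worth layering on top of this base rule.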
Analysis of Operation Rewrite, an SEO poisoning campaign
In March 2025, Palo Alto Networks' Unit 42 discovered the SEO poisoning campaign “Operation Rewrite,” attributed with high confidence to Chinese-speaking threat actors under the name CL-UNK-1037, moderately linked to Group 9, described by ESET, and weakly linked to the DragonRank campaign. Operation Rewrite employs BadIIS malware, a malicious native IIS module that intercepts web traffic on compromised legitimate servers to redirect users to fraudulent sites for profit.
The campaign focused on East Asia and Southeast Asia, manipulating search results through keyword injection and 302 redirects. The attackers also managed to compromise multiple servers, exfiltrate source code, deploy additional variants of BadIIS, and expand their malicious infrastructure. The consequences include loss of reputation for legitimate domains, theft of sensitive data, and expansion of control over critical systems.
Unit 42 recommends that security teams strengthen their detection and hunting capabilities using the provided indicators of compromise.
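A native IIS module that serves keyword-stuffed pages to crawlers while bouncing search-referred visitors with a 302 leaves a characteristic split in the server's own logs. The detector below is an added example, not Unit 42's tooling or indicators; it parses IIS W3C log text, assumes the crawler and search-engine patterns shown, and runs on constructed log lines.

```python
import re
from collections import defaultdict

# Added hunting example (not Unit 42's tooling or IoCs). Crawler and
# search-referer patterns are assumptions; the log excerpt is constructed.
CRAWLER_RE = re.compile(r"googlebot|bingbot|baiduspider|yandexbot", re.I)
SEARCH_REFERER_RE = re.compile(r"https?://(?:www\.)?(?:google|bing|baidu|yahoo)\.", re.I)

def parse_w3c(text: str) -> list[dict]:
    """Parse IIS W3C extended log text using its own #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_cloaked_paths(rows: list[dict]) -> dict[str, dict]:
    """Per URI path, count crawler requests answered 200 and search-referred
    visitor requests answered 302; report paths showing both behaviours."""
    per_path = defaultdict(lambda: {"crawler_200": 0, "search_302": 0})
    for r in rows:
        stats = per_path[r["cs-uri-stem"]]
        ua, ref, status = r["cs(User-Agent)"], r["cs(Referer)"], r["sc-status"]
        if CRAWLER_RE.search(ua) and status == "200":
            stats["crawler_200"] += 1
        elif SEARCH_REFERER_RE.search(ref) and status == "302":
            stats["search_302"] += 1
    return {p: s for p, s in per_path.items() if s["crawler_200"] and s["search_302"]}

# Constructed log excerpt (documentation IP ranges; '+' replaces spaces as IIS does).
LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status
2025-03-10 08:00:01 10.0.0.5 GET /news/index.html - 443 192.0.2.10 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
2025-03-10 08:00:09 10.0.0.5 GET /news/index.html - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 302
2025-03-10 08:01:15 10.0.0.5 GET /news/index.html - 443 198.51.100.3 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-03-10 08:02:00 10.0.0.5 GET /about.html - 443 192.0.2.10 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
2025-03-10 08:02:30 10.0.0.5 GET /about.html - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 200
"""

if __name__ == "__main__":
    for path, stats in find_cloaked_paths(parse_w3c(LOG)).items():
        print(f"possible cloaking on {path}: {stats}")
```

Pair this log review with an inventory of native modules loaded by IIS (for example `appcmd list modules`) compared against a known-good baseline, since BadIIS runs as one of them.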
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →