Content
01. News Bites
- Scattered Spider resurfaces with fresh attacks on financial sector
- SlopAds ad fraud campaign hits 2.3 billion daily requests before takedown
- Microsoft and Cloudflare dismantle RaccoonO365 phishing-as-a-service network
- SonicWall urges firewall credential resets after breach
- Google patches sixth Chrome zero-day of 2025 exploited in the wild
02. Conclusion
Scattered Spider resurfaces with fresh attacks on financial sector
Cyber security researchers have linked a new wave of attacks on financial services to Scattered Spider, undermining the group’s claims of going “dark.” According to researchers, the collective has shifted focus to the financial sector, using lookalike domains and targeting a major U.S. bank. The attackers gained entry by socially engineering an executive’s account and resetting their Azure Active Directory password. They then moved laterally through Citrix and VPN environments, compromised VMware ESXi, escalated privileges in Azure, and attempted to exfiltrate data from Snowflake and AWS. Experts warn the activity signals a tactical retreat rather than retirement. Scattered Spider, tied to ShinyHunters and LAPSUS$, is known for extortion and data theft campaigns. Analysts caution organisations not to be complacent, as criminal groups frequently rebrand or regroup under new identities. The episode highlights the need for continued vigilance against evolving social engineering and credential-based attacks in critical industries.
SlopAds ad fraud campaign hits 2.3 billion daily requests before takedown
A vast Android ad fraud operation named “SlopAds” has been dismantled after 224 malicious apps on Google Play generated over 2.3 billion ad requests per day. Researchers at HUMAN uncovered the campaign, which used obfuscation and steganography to hide its activity from Google’s security measures. Downloaded more than 38 million times across 228 countries, SlopAds primarily targeted users in the U.S. (30%), India (10%), and Brazil (7%).
The apps behaved normally if installed directly, but when downloaded via the attackers’ ad campaigns, they fetched an encrypted configuration to deploy the “FatModule” malware. This module, hidden inside PNG images, used covert WebViews to mimic real user interactions, generating billions of fake ad impressions and clicks. Google has removed the identified apps and updated Play Protect, but HUMAN warns the group behind SlopAds may adapt and relaunch similar schemes in the future, underlining the scale and resilience of mobile ad fraud.
Microsoft and Cloudflare dismantle RaccoonO365 phishing-as-a-service network
Microsoft and Cloudflare have jointly disrupted a large-scale Phishing-as-a-Service (PhaaS) operation known as RaccoonO365, which facilitated the theft of thousands of Microsoft 365 credentials. In September 2025, Microsoft’s Digital Crimes Unit, working with Cloudflare’s Cloudforce One and Trust and Safety teams, seized 338 websites and Worker accounts linked to the scheme.
Tracked by Microsoft as Storm-2246, the group stole at least 5,000 Microsoft credentials from 94 countries since July 2024, using phishing kits featuring CAPTCHA pages and anti-bot tactics to appear legitimate. A tax-themed campaign in April 2025 alone targeted more than 2,300 U.S. organisations, including 20 healthcare providers. Stolen credentials and cookies from OneDrive, SharePoint, and email accounts were then used for financial fraud, extortion, and as initial access for further attacks.
RaccoonO365 operated a subscription model via a private Telegram channel, charging between $355 and $999 in cryptocurrency. Microsoft has identified the group’s leader, Nigerian programmer Joshua Ogundipe, and referred the case to international law enforcement.
SonicWall urges firewall credential resets after breach
SonicWall has warned customers to reset all firewall-related credentials following a security breach that exposed configuration backup files from certain MySonicWall accounts. The company says attackers accessed less than 5% of its firewall backup files through brute-force attacks on its cloud API service. Although the stolen files contained encrypted passwords, they also held information that could make exploitation of affected firewalls easier.
SonicWall has issued detailed guidance for administrators to minimise risk, including disabling or restricting WAN access before resetting all credentials, API keys, and authentication tokens tied to users, VPN accounts, and services. The company emphasised that passwords and keys configured in SonicOS may also need updating with ISPs, VPN peers, or authentication servers.
The firm says there is no evidence of the files being leaked online and stresses the incident was not a ransomware attack. Customers are urged to follow the Essential Credential Reset bulletin to secure their environments promptly.
Google patches sixth Chrome zero-day of 2025 exploited in the wild
Google has released emergency security updates for its Chrome browser to address four vulnerabilities, including CVE-2025-10585 – a zero-day flaw already exploited in active attacks. The issue, described as a type confusion bug in Chrome’s V8 JavaScript and WebAssembly engine, can enable attackers to execute arbitrary code or crash programmes by manipulating memory in unexpected ways.
Google’s Threat Analysis Group discovered and reported the flaw on 16 September 2025 but has withheld further details to prevent copycat exploitation until users have patched their browsers. CVE-2025-10585 marks the sixth Chrome zero-day disclosed or exploited this year.
Users are urged to update Chrome immediately to version 140.0.7339.185/.186 on Windows and macOS, or 140.0.7339.185 on Linux via More > Help > About Google Chrome > Relaunch. Other Chromium-based browsers, including Edge, Brave, Opera, and Vivaldi, should also apply updates as they are released to mitigate the risk of attack.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.