Cyber Briefing: 2025.09.11
EggStreme APT hits Philippine military, RatOn Android RAT spreads, SAP NetWeaver flaw patched, DDoS floods IoT, Vienna breached, GitHub-Salesloft hack, Ukraine warns, DOJ charges ransomware admin.
👉 What's trending in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. EggStreme Malware Targets Philippine Military
Bitdefender has discovered EggStreme, a fileless malware from a China-based advanced persistent threat (APT) group that's been targeting military organizations in the Philippines and across the Asia-Pacific region. This sophisticated threat framework uses multiple components to steal data, perform reconnaissance, and maintain a persistent presence in a victim's network.
2. RatOn Malware Hits Android Banking
A new Android malware, RatOn, has evolved from a simple NFC relay tool into a highly sophisticated remote access trojan. It combines traditional overlay attacks, automated money transfers, and NFC relay functionality, making it a uniquely dangerous threat that targets cryptocurrency wallets and bank applications.
3. SAP Patches Critical NetWeaver Flaw
SAP has released a new security bulletin addressing 21 new vulnerabilities in its products, including three critical issues affecting the widely used SAP NetWeaver software. These critical flaws could allow attackers to execute arbitrary code, upload malicious files, or gain unauthorized access to sensitive data, with one vulnerability scoring a maximum 10 out of 10 on the CVSS severity scale.
💥 Cyber Incidents
4. DDoS Defender Hit by Massive Attack
In a massive distributed denial-of-service (DDoS) attack, a European mitigation service provider was targeted by a flood of 1.5 billion packets per second, an assault successfully fended off by the company FastNetMon. The attack originated from thousands of compromised IoT devices and MikroTik routers, highlighting the growing threat of weaponized consumer hardware.
5. Vienna VA Reports Data Breach Leak
Vienna, Virginia recently disclosed a data breach affecting its residents that leaked sensitive information including Social Security numbers, financial data, and passport numbers. A group known as Cephalus claimed responsibility for the attack, but Vienna officials have not confirmed the claim or provided additional details on the incident.
6. GitHub Hack Triggers Salesloft Breach
A new investigation has revealed that the data breach at Salesloft, which impacted its Drift application, originated from a compromised GitHub account. The threat actor, tracked as UNC6395, was able to access the account for several months, leading to a supply chain breach that has affected at least 22 companies.
📢 Cyber News
7. Ukraine Cyber Chief on Russian Tactics
When Oleksandr Potii became the head of Ukraine’s cybersecurity agency, his responsibilities grew from a few policy areas to more than a dozen, including protecting critical infrastructure and coordinating cyberdefense during wartime. Potii, the third person to lead the State Service of Special Communications and Information Protection (SSSCIP) since Russia's 2022 invasion, believes Russia's technical capabilities are strong and should not be underestimated.
8. US Charges Admin of Major Ransomware
The U.S. Department of Justice has charged Ukrainian national Volodymyr Viktorovich Tymoshchuk, also known as "deadforz," for his involvement as an administrator in multiple major ransomware operations. Tymoshchuk is accused of being a key figure in the LockerGoga, MegaCortex, and Nefilim ransomware attacks, which compromised hundreds of companies and caused millions of dollars in damages worldwide.
9. Kosovo Hacker Admits BlackDB Crimes
A Kosovar national, Liridon Masurica, has admitted guilt to running BlackDB.cc, a major cybercrime marketplace that operated for seven years. Masurica, who was extradited to the U.S. from Kosovo, pleaded guilty to charges related to the sale of compromised accounts, stolen credit card data, and personal information, which was used by other criminals for fraud and identity theft.
📈 Cyber Stocks
On Thursday, September 11, 2025, cybersecurity stocks moved slightly lower as investors weighed mixed inflation data, shifting rate-cut expectations, and continued valuation concerns.
Radware (RDWR) closed at $25.72, holding mostly flat but under modest pressure as investors await clearer signals on how upcoming inflation readings might affect its cloud-security outlook.
Rapid7 (RPD) dropped to $19.47, declining sharply amid valuation concerns and adverse reactions to macroeconomic data that suggest rate cuts may be pushed back.
Check Point Software Technologies (CHKP) settled at $194.24, slipping as upside from its solid earnings faces headwinds from broader tech weak-spots and cautious sentiment across cybersecurity.
SentinelOne (S) ended at $17.84, edging down as uncertainty over growth pacing and profitability tempers enthusiasm despite its strong product positioning.
Palo Alto Networks (PANW) closed at $197.33, nearly flat but slightly lower, as investors balance the company’s strength in platform security with fears that high multiples may no longer be fully justified under slowing economic conditions.
💡 Cyber Tip
📱 RatOn Malware Hits Android Banking and Crypto Apps
A new Android malware called RatOn has evolved from a simple NFC relay tool into a full-fledged remote access trojan. It combines overlay attacks, automated money transfers, and NFC relay functionality, giving attackers the ability to hijack banking apps and cryptocurrency wallets. Distributed through fake apps on the Play Store, such as “TikTok 18+,” RatOn tricks users into granting dangerous permissions, installs in multiple stages, and deploys a malicious NFC relay tool. It can steal credentials, capture PINs and seed phrases, and even lock devices with fake ransomware screens to pressure victims into exposing their accounts.
✅ What you should do
Download apps only from official and verified sources
Avoid installing cracked or adult-themed versions of popular apps
Check and limit app permissions, especially accessibility and device admin rights
Use mobile security solutions that detect trojans and info stealers
Reset your device and secure wallets if you suspect compromise
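The permission check above can be made concrete for a fleet or a single handset. The following script is an added example, not part of the briefing or of any vendor's tooling: it parses the Android `enabled_accessibility_services` secure setting (a colon-separated list of `package/class` component names, as printed by `adb shell settings get secure enabled_accessibility_services`) and reports any enabled accessibility service whose package is not on an allowlist you maintain. The allowlist and the sample setting value are constructed for this example; the `adb` helper is only used when you point the script at a real device.

```python
"""Flag enabled Android accessibility services that are not on an allowlist.

The `enabled_accessibility_services` secure setting is a colon-separated list
of ComponentName strings ("package/class" or "package/.RelativeClass"), e.g.
    adb shell settings get secure enabled_accessibility_services
A device with none enabled prints "null" or an empty string.
All sample values in this file are constructed for the example.
"""
import subprocess

# Constructed allowlist (hypothetical): services you deliberately enabled,
# such as a screen reader. Anything else should be reviewed.
ALLOWED_PACKAGES = {
    "com.android.talkback",
    "com.google.android.marvin.talkback",
}

# Constructed sample: one legitimate screen reader plus a sideloaded app
# (placeholder package name) that has obtained accessibility access.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.OverlayService"
)


def parse_component_names(setting):
    """Split the raw setting into (package, fully qualified class) tuples."""
    if setting is None:
        return []
    setting = setting.strip()
    if setting in ("", "null"):
        return []
    components = []
    for entry in setting.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # Android allows a shorthand ".Class" relative to the package name.
        if cls.startswith("."):
            cls = pkg + cls
        components.append((pkg, cls))
    return components


def unexpected_services(setting, allowed=ALLOWED_PACKAGES):
    """Return 'package/class' strings for enabled services outside the allowlist."""
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_component_names(setting)
        if pkg not in allowed
    ]


def read_setting_from_device():
    """Query a USB-attached device over adb (not invoked by the demo below)."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Swap SAMPLE_SETTING for read_setting_from_device() to check a real phone.
    for svc in unexpected_services(SAMPLE_SETTING):
        print("review accessibility access granted to:", svc)
```

Run as-is, the script reports the constructed `com.example.sideloaded` service; a service you recognise can be added to `ALLOWED_PACKAGES`, and anything you do not recognise is a candidate for revoking the accessibility grant and uninstalling the app.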
🔒 Why this matters
RatOn is a multi-functional threat built from scratch, capable of draining bank accounts, stealing crypto, and acting like ransomware. Its combination of advanced fraud techniques makes it a serious risk to Android users worldwide.
📚 Cyber Book
Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals by Bart R. McDonough
That concludes today’s briefing. You can check the top headlines here!
Copyright © 2025 CyberMaterial. All Rights Reserved.