Byer-Nichols Threat Brief August 31 2025
Digital Rage

Season: 2 | Episode: 36

Published: September 3, 2025

By: Byer Co

This cybersecurity threat brief from Byer-Nichols provides an overview of the cyber threat landscape for the latter half of August 2025. It highlights the emergence of AI-powered malware like PromptLock and an increase in threats targeting macOS and Linux systems. The brief details top ransomware variants, with Qilin maintaining its lead, and identifies the manufacturing and financial services sectors as the most impacted, primarily in the USA. Furthermore, it discusses trending adversaries, including nation-state actors like APT36, and lists actively exploited vulnerabilities, noting a concerning number of Citrix-related exploits and a critical Apple vulnerability. Finally, the report outlines trending malware such as the new 4L4MD4R ransomware and the persistent XZ backdoor, alongside key cybersecurity news stories. https://jbyer.com/blog/byer-nichols-brief-august-31

Link: Byer-Nichols Threat Brief August 31 2025

Keywords: CyberSecurity News, Cybersecurity marketing, cybersecurity report

Episode Transcript

00:00:00 - 00:00:06
Welcome back to Digital Rage. I am Jeff the producer here at Byer Company. Today we have
00:00:06 - 00:00:11
the Byer-Nichols Cybersecurity Brief for the second half of August and the top story is
00:00:11 - 00:00:17
PromptLock, a malware that uses generative AI to analyze files on a victim's system to
00:00:17 - 00:00:24
attack vulnerabilities. Also, more attacks are targeting Linux and macOS systems that traditionally
00:00:24 - 00:00:32
were rarely targeted. So let's get into the details. Welcome to the deep dive.
00:00:32 - 00:00:37
You know, in today's world there's just so much information flying around, especially
00:00:37 - 00:00:42
in cybersecurity, right? It changes so fast. Keeping up feels, well, honestly it feels like
00:00:42 - 00:00:46
trying to drink from a fire hose sometimes. So our mission today, we want to give you
00:00:46 - 00:00:53
a bit of a shortcut. We've dug into the Byer-Nichols Threat Brief 0-0-0-0-25-0-2. It's
00:00:53 - 00:00:57
pretty dense stuff, and we've pulled out what we think are the most crucial bits, the insights
00:00:57 - 00:01:01
you actually need. The goal here is to get you up to speed, maybe show you a few surprising
00:01:01 - 00:01:06
things without burying you in technical jargon. Exactly. And this brief, it's specific.
00:01:06 - 00:01:12
It covers cybersecurity data just from August 15 to the 31st, 2025. So it's a really fresh
00:01:12 - 00:01:16
snapshot of what's happening now. We're talking emerging malware, who's getting targeted
00:01:16 - 00:01:20
industries, countries, you name it. We'll connect the dots for you, look for patterns and
00:01:20 - 00:01:25
really talk about what it all means for your defenses. Okay, let's unpack this then. Straight
00:01:25 - 00:01:29
into one of the biggest things in the executive summary, this emergence of malware that actually
00:01:29 - 00:01:35
uses generative AI. Specifically, the brief calls out PromptLock. ESET found this one
00:01:35 - 00:01:39
recently. And it's not just another piece of malware, it feels like a real shift. Yeah,
00:01:39 - 00:01:45
PromptLock uses GenAI, like, on the victim system. Right. It analyzes files. Then it makes
00:01:45 - 00:01:50
these intelligent decisions, should I encrypt this for ransomware or maybe steal it? I mean,
00:01:50 - 00:01:54
think about that. It's way beyond the static stuff we're used to. It can figure out what you
00:01:54 - 00:01:59
value. What's truly striking here is that adaptive nature. It's dynamic. This isn't just,
00:01:59 - 00:02:03
you know, throwing a fixed script at a wall and seeing what sticks. PromptLock, analyzing
00:02:03 - 00:02:07
and then deciding that completely shifts the defensive game. We have to move from just
00:02:07 - 00:02:12
reacting to known bad files, those signatures, right, to actually anticipating attacks that
00:02:12 - 00:02:18
are context-aware, that adapt on the fly. It really demands a more proactive, almost
00:02:18 - 00:02:22
intelligent defense from our side too. That's a huge shift. Does this mean our traditional defenses
00:02:22 - 00:02:28
like signature-based detection, they're just done? Absolutely. Well, not entirely obsolete.
00:02:28 - 00:02:33
I wouldn't say that. They still catch the easier stuff, the known threats, but for
00:02:33 - 00:02:38
things like PromptLock, yeah, our focus has got to shift more toward behavioral analysis,
00:02:38 - 00:02:43
using AI ourselves for anomaly detection, getting real time threat intel. It's becoming
00:02:43 - 00:02:46
more about understanding the intent and the context, not just recognizing a known piece
00:02:46 - 00:02:50
of code. Okay. So AI threats are one big thing,
00:02:50 - 00:02:55
but it's not the only shift, right? The brief also highlights this broader attack surface,
00:02:55 - 00:03:01
specifically more malware hitting macOS and Linux. The brief reports that half, fully half, of the trending
00:03:01 - 00:03:05
malware variants in this period. Yeah. Targeted those platforms. That's, well, that's
00:03:05 - 00:03:08
a big number. Challenges some old assumptions, doesn't it? It really does. And it raises an
00:03:08 - 00:03:12
important question, you know, especially for anyone maybe feeling a bit safer on a Mac
00:03:12 - 00:03:17
or Linux machine. For a long time, the perception was, oh, they're less vulnerable, or at least
00:03:17 - 00:03:22
less targeted by the big campaigns, but this data, it's a firm reminder, you need solid
00:03:22 - 00:03:29
endpoint protection, good detection capabilities, no matter what OS you're running, Windows, Mac,
00:03:29 - 00:03:35
Linux, doesn't matter. That idea of security through obscurity, it's definitely gone. If
00:03:35 - 00:03:39
you're on Apple or Linux, you are absolutely a target now. Okay. So we understand the threats
00:03:39 - 00:03:44
are evolving, becoming smarter, hitting more platforms, but let's, let's follow the money.
00:03:44 - 00:03:48
Where's the impact really felt? Let's look at the top ransomware groups active in late August.
00:03:48 - 00:03:54
So Qilin is still up there, 20% share, pretty dominant, but Akira is climbing fast, over 14%,
00:03:54 - 00:03:59
and Sinobi too, around 7%. The brief mentions Akira's getting traction with these more sophisticated
00:03:59 - 00:04:02
supply chain attacks, makes them harder to trace. And then you've got Warlock. They only showed
00:04:02 - 00:04:09
up publicly in June 2025, but they quickly made a mark by going after just one thing, unpatched
00:04:09 - 00:04:14
Microsoft SharePoint servers. Very specific. Yeah. And that's crucial, isn't it? The rise of newer
00:04:14 - 00:04:19
groups like Warlock, focusing laser-like on specific vulnerabilities. It just highlights this
00:04:19 - 00:04:24
constant cat and mouse game. They are actively scanning for known weaknesses. If you haven't
00:04:24 - 00:04:29
patched that SharePoint server, you're basically putting out a welcome mat for these agile new
00:04:29 - 00:04:33
groups. It's not just about what ransomware exists, but how they're finding their way in.
00:04:33 - 00:04:37
Unpatched systems are key. So who's getting hit by these groups? Let's look at the victim
00:04:37 - 00:04:44
sector. Big changes here. Manufacturing actually jumped to number one, over 16%, and financial services
00:04:44 - 00:04:49
right behind it, also over 16%. They moved up too. These are often critical sectors right now.
00:04:49 - 00:04:54
Top targets. Absolutely. And construction, retail, they slipped down a bit. Technology stayed
00:04:54 - 00:04:59
at number five. And location-wise, the USA is still the main target, way out in front at nearly
00:04:59 - 00:05:04
60%. Yeah. Followed by the UK and Germany, much smaller percentages, though. But here's the
00:05:04 - 00:05:13
stat that really jumped out at me. Victim organization size. Get this. A massive 84.25% of victims are
00:05:13 - 00:05:20
small businesses, defined as 500 employees or fewer. 84%, that's overwhelming. It really is
00:05:20 - 00:05:26
overwhelming and incredibly insightful. Why target SMBs so heavily? Well, several possibilities,
00:05:26 - 00:05:31
right? Maybe they're seen as having weaker defenses, perhaps less budget for dedicated
00:05:31 - 00:05:36
security teams, you know, or, and this is key, they could just be an easier way into the supply
00:05:36 - 00:05:42
chain of larger companies they work with. Whatever the reason, that stat just hammers home:
00:05:42 - 00:05:46
cybersecurity is not just a big company problem anymore. If you're a small business, you are
00:05:46 - 00:05:51
absolutely a high-value target, period. Okay. So beyond ransomware, the brief also digs
00:05:51 - 00:05:56
into specific adversary groups. The more sophisticated actors. Let's zoom in on one example
00:05:56 - 00:06:03
of suspected nation state activity, APT36, believed to be a Pakistani cyber espionage group,
00:06:03 - 00:06:07
and their target, Indian defense personnel. The brief describes this really clever phishing
00:06:07 - 00:06:12
campaign they ran. They send emails with malicious PDFs. Okay, it's standard enough. But
00:06:12 - 00:06:16
the PDF has this blurred background and a button made to look exactly like the login
00:06:16 - 00:06:21
for India's National Informatics Centre, the NIC, which is like the main government IT body
00:06:21 - 00:06:27
there handling critical stuff. Exactly. So if the target clicks that button, boom, redirected
00:06:27 - 00:06:34
to a URL, downloads a ZIP file pretending to be a legit app, but the real goal, steal credentials,
00:06:34 - 00:06:37
get persistence in defense networks. It just shows the level of craft, doesn't it? And
00:06:37 - 00:06:42
the social engineering involved, it's not just about code, it's about deception. Making
00:06:42 - 00:06:47
something look incredibly real to trick someone really underscores how vital critical
00:06:47 - 00:06:51
thinking is when you get any email, especially official looking ones. And you know, just
00:06:51 - 00:06:56
to be clear, like the brief, we're focusing on the methods here. The TTPs, tactics, techniques,
00:06:56 - 00:07:00
procedures. We're reporting impartially on how these attacks work, not getting into
00:07:00 - 00:07:04
the geopolitics behind them. Right. And the brief also quickly mentions Salt Typhoon
00:07:04 - 00:07:10
and Silk Typhoon, both suspected nation state espionage groups potentially linked to China's
00:07:10 - 00:07:15
Ministry of State Security, the MSS. Yeah. And it connects back to what the brief notes,
00:07:15 - 00:07:20
how these cyber activities often mirror real world tensions and rivalries. These examples
00:07:20 - 00:07:26
just highlight how persistent and targeted espionage campaigns are. And the need for incredibly
00:07:26 - 00:07:30
high security awareness, especially in government, defense, that kind of sensitive sector. These
00:07:30 - 00:07:36
groups don't give up. Okay, let's switch gears a bit to the technical side. The weaknesses
00:07:36 - 00:07:43
attackers are actually using because the brief flags a particularly high number of trending
00:07:43 - 00:07:47
and actively exploited vulnerabilities, CVEs, during this period. It's a good reminder
00:07:47 - 00:07:51
that old flaws, they don't just disappear. Attackers love them. Still finding gold in those
00:07:51 - 00:07:56
old hills, huh? Totally. Like, we're still seeing old D-Link vulnerabilities exploited,
00:07:56 - 00:08:00
remote code execution, stuff like that, things from years ago, but still hitting devices
00:08:00 - 00:08:05
that never got patched. More recently, though, vulnerabilities in Fortinet FortiSIEM,
00:08:05 - 00:08:09
Microsoft Exchange, big enterprise systems. Yeah, compromising those can give attackers
00:08:09 - 00:08:14
wide access across the network. Serious stuff. But the brief highlights three Citrix flaws
00:08:14 - 00:08:20
as being of particular concern, two were from 2024, one from 2025, and then there's this
00:08:20 - 00:08:27
one, CVE-2025-43300. It's an out-of-bounds write issue, basically letting an attacker
00:08:27 - 00:08:33
write data where they shouldn't potentially running code. And it impacts iOS, iPad OS,
00:08:33 - 00:08:37
and macOS. Broad Apple impact. Apple themselves apparently think it may have been exploited
00:08:37 - 00:08:42
in a sophisticated attack against specifically targeted individuals. Wow. Okay, so that's
00:08:42 - 00:08:47
a pretty serious warning for Apple users, even those locked-down systems aren't impenetrable.
00:08:47 - 00:08:52
So what's the big takeaway from all this vulnerability talk? It just reinforces, yet again, how
00:08:52 - 00:08:56
absolutely critical it is to keep everything patched and updated. Your servers, your laptops,
00:08:56 - 00:09:00
yeah, but also your phones, your tablets, everything. The fact that vulnerabilities from like
00:09:00 - 00:09:04
2020 are still actively used, it shows the scale of the patching challenge. Attackers
00:09:04 - 00:09:09
will always take the easiest path in and an unpatched system is practically an open door.
00:09:09 - 00:09:14
Definitely. And moving from the flaws to the actual malicious code, the brief also lists
00:09:14 - 00:09:18
several trending malware families, new ones, and some making a comeback, a real mix.
00:09:18 - 00:09:24
A rogues' gallery, you might say. Yeah, like EDRKillShifter, this is nasty. It's an evolution
00:09:24 - 00:09:28
of some RansomHub malware built specifically to disable endpoint detection and response
00:09:28 - 00:09:33
tools, basically trying to blind your security systems so they can operate freely.
00:09:33 - 00:09:38
Sneaky, turning off the cameras before the robbery. Exactly. Then there's Plague. This one targets
00:09:38 - 00:09:44
Linux. It disguises itself as a PAM module, a pluggable authentication module. That's deep
00:09:44 - 00:09:48
in the Linux authentication system. Wow, embedding itself in the login process. That makes
00:09:48 - 00:09:51
it incredibly hard to spot, let alone remove.
00:09:51 - 00:09:55
For sure. And remember the XZ backdoor scare. Oh, yeah, the supply chain nightmare.
00:09:55 - 00:10:00
Well, it's resurfaced. Researchers found dozens of Docker Hub container images,
00:10:00 - 00:10:05
prebuilt software packages that had infected versions of the XZ Utils compression tool baked
00:10:05 - 00:10:11
right in. So developers could be pulling down these images and unknowingly compromising
00:10:11 - 00:10:15
their own systems or applications. What's really striking across all these examples,
00:10:15 - 00:10:20
though, is the sheer diversity. You've got ransomware, sophisticated evasion tools like
00:10:20 - 00:10:25
EDRKillShifter, deep backdoors like Plague on Linux, espionage tools, mobile malware,
00:10:25 - 00:10:30
SparkKitty mentioned in the brief, supply chain threats like XZ. It hits everything from
00:10:30 - 00:10:35
servers to phones to development environments. It just paints a picture of a really complex,
00:10:35 - 00:10:41
multifaceted threat landscape, not just one type of enemy. Absolutely. Okay. So to round
00:10:41 - 00:10:45
things out, let's quickly touch on some of the top news headlines the brief summarized.
00:10:45 - 00:10:48
These give us that wider context of what's happening in the cyber world. Yeah, the bigger
00:10:48 - 00:10:52
picture stuff. Right. So things like critical zero-day bugs found in CyberArk and HashiCorp
00:10:52 - 00:10:57
password vaults. That's huge for enterprise security, keys-to-the-kingdom stuff.
00:10:57 - 00:11:02
Yeah, certainly concerning. On the flip side, some good news. Over $300 million in cybercrime
00:11:02 - 00:11:07
crypto seized by law enforcement, a significant win. Nice to see some clawing back of
00:11:07 - 00:11:14
illicit gains. And then this potentially game-changing discovery, a new Shade BIOS technique.
00:11:14 - 00:11:20
The report says it beats every kind of security. Whoa. Okay. That sounds fundamental. A
00:11:20 - 00:11:24
hardware-level threat. We'll need to watch that space for sure. And other things, like new Ghost
00:11:24 - 00:11:30
Calls using Zoom and Teams for command and control. SonicWall urging users to disable SSL VPN.
00:11:30 - 00:11:36
The list goes on. If you connect all these dots, these headlines, they really paint this picture
00:11:36 - 00:11:41
of constant rapid innovation on both sides, right? Offense and defense. The stakes are just
00:11:41 - 00:11:47
incredibly high, for businesses, for us as individuals, for nations. It's this complex, always shifting
00:11:47 - 00:11:52
battleground. It's not static. It's always evolving, demands constant vigilance. So after all
00:11:52 - 00:11:56
that, what does this deep dive mean for you? Let's recap quickly. We saw the rise of intelligent
00:11:56 - 00:12:01
adaptive threats like GenAI malware, PromptLock being a prime example. We saw that all
00:12:01 - 00:12:06
operating systems, Mac and Linux included, are vulnerable and targeted. We saw that small businesses
00:12:06 - 00:12:11
are bearing the brunt of attacks, a massive percentage. Yeah, over 84%, still staggering.
00:12:11 - 00:12:17
And we saw the persistent threat from sophisticated nation state actors alongside the constant
00:12:17 - 00:12:22
need to patch old flaws and watch out for diverse new malware. Honestly, just doing what you
00:12:22 - 00:12:27
did today, staying informed, listening to this, it's a really vital first step. This landscape
00:12:27 - 00:12:32
changes so fast. Proactive knowledge is absolutely key. It really is. And maybe that leaves us with
00:12:32 - 00:12:37
a final thought for you to chew on. Given this increasing sophistication, we're seeing AI
00:12:37 - 00:12:43
malware like PromptLock that learns, targeted exploits hitting even supposedly secure systems
00:12:43 - 00:12:50
like Apple devices. How do our security strategies, both personal and for organizations, need to adapt?
00:12:50 - 00:12:53
What new capabilities should you be looking for in your defenses to counter threats that
00:12:53 - 00:12:58
learn, adapt and target with this kind of precision? Something to think about as these threats
00:12:58 - 00:13:02
inevitably keep evolving. Great point. Thank you for joining us on this deep dive today.
00:13:02 - 00:13:07
Stay curious, stay informed, and keep protecting your digital life. We'll catch you next time.
00:13:07 - 00:13:13
Reach out to us at jbyer.com for comments and questions. Follow us at Byer Company on social
00:13:13 - 00:13:17
media. And if you'd be so kind, please rate and review us in your podcast app.
00:13:17 - 00:13:19
[Music]