Byer-Nichols Threat Brief September 15 2025
Digital Rage

Season: 2 | Episode: 38

Published: September 18, 2025

By: Byer Co

This threat brief from Byer-Nichols Cybersecurity details the cybersecurity landscape from September 1-15, 2025, highlighting an increase in compromised consumer devices from vendors like TP-Link and SonicWall. It identifies Qilin as the top ransomware, though its activity is declining, and notes the emergence of new groups such as The Gentlemen. The report also discusses trending adversaries like APT28 and Mustang Panda, along with actively exploited vulnerabilities, particularly those affecting end-of-life TP-Link devices and a significant WhatsApp zero-click vulnerability. Additionally, it outlines trending malware like Brokewell and RatOn, which target Android users, and summarizes major cybersecurity news during the period.

Link: Byer-Nichols Threat Brief September 15 2025

Episode Transcript

00:00:00 - 00:00:04
Welcome back to Digital Rage. I'm Jeff, the producer here at Byer Company.
00:00:04 - 00:00:08
Today we have the Byer-Nichols Cybersecurity brief for the first half of September,
00:00:08 - 00:00:12
highlighting an increase in compromised consumer devices from vendors like
00:00:12 - 00:00:18
TP-Link and SonicWall. A significant WhatsApp zero-click vulnerability and
00:00:18 - 00:00:23
Qilin is still the top ransomware. Let's listen.
00:00:23 - 00:00:26
Welcome curious minds to another deep dive.
00:00:26 - 00:00:31
Great to be diving in. Today we're tearing into the latest
00:00:31 - 00:00:35
cybersecurity intelligence. We've got the Byer-Nichols threat brief,
00:00:35 - 00:00:40
the one covering September 1st to 15th, 2025. Yep, fresh off the digital press.
00:00:40 - 00:00:45
And our mission, well it's the same as always, sift through this, pull out the really
00:00:45 - 00:00:49
important stuff, connect those dots and give you that shortcut to being
00:00:49 - 00:00:53
genuinely informed about the digital threats that are
00:00:53 - 00:00:57
well shaping things right now. And it's a fascinating snapshot this time.
00:00:57 - 00:01:00
It is isn't it? And maybe a little alarming in places,
00:01:00 - 00:01:03
looking at what attackers are actually getting up to. What really jumps out I
00:01:03 - 00:01:08
think from this brief is just how dynamic and frankly agile cyber threats are
00:01:08 - 00:01:13
becoming. We're not just tracking say new tools or new attacker names.
00:01:13 - 00:01:17
We're seeing these fundamental shifts in who's being targeted and maybe even more
00:01:17 - 00:01:21
importantly how they're being targeted. Right. This period, this first half of
00:01:21 - 00:01:25
September, it gives a really revealing look into that constant evolution.
00:01:25 - 00:01:29
It just underscores why vigilance isn't, you know, just a good idea.
00:01:29 - 00:01:32
Absolutely necessary. Okay, so let's pull back that curtain then.
00:01:32 - 00:01:35
The executive summary kicks things off with some pretty stark
00:01:35 - 00:01:41
observations. What's really grabbing your attention as a new or maybe escalating concern,
00:01:41 - 00:01:44
especially for, you know, the everyday person listening?
00:01:44 - 00:01:49
Well, the brief really puts a spotlight on quite a disturbing rise in
00:01:49 - 00:01:53
attackers managing to compromise devices from vendors like SonicWall.
00:01:53 - 00:01:58
And maybe more surprisingly for some, TP-Link. TP-Link, like home routers?
00:01:58 - 00:02:02
Exactly. And that's the crucial insight here. Many of these aren't big corporate
00:02:02 - 00:02:06
firewalls. They're consumer grade devices. Your home router, maybe a Wi-Fi
00:02:06 - 00:02:10
extender. And the big implication, these compromises can just sit there
00:02:10 - 00:02:14
totally undetected for months. Maybe forever. Your personal network essentially
00:02:14 - 00:02:19
becomes an unwitting launch pad for attackers. Wow. It makes you ask, doesn't it?
00:02:19 - 00:02:22
When was the last time you even thought about the security of your home router after
00:02:22 - 00:02:26
that initial setup? That's yeah, that's a huge shift from what I think most people picture.
00:02:26 - 00:02:30
We tend to think, you know, of corporations, government agencies getting hit.
00:02:30 - 00:02:35
Sophisticated targets. But you're saying our home networks, the actual backbone of our daily digital
00:02:35 - 00:02:41
lives, they're becoming a really significant and maybe a softer target. What makes them so
00:02:41 - 00:02:47
vulnerable right now specifically? Precisely. The report is very explicit about significant
00:02:47 - 00:02:52
activity around three specific CVEs, common vulnerabilities and exposures impacting
00:02:52 - 00:02:57
certain TP-Link devices. And here's the kicker. They've reached end of life.
00:02:57 - 00:03:04
Ah, okay, end of life. Yeah, we're talking CVE-2020-24363 for the TL-WA855RE
00:03:04 - 00:03:13
extender, CVE-2023-50224 for the popular TL-WA841N router and CVE-2025-9377,
00:03:13 - 00:03:17
which hits multiple TP-Link router models. Got it. And the critical point isn't just that
00:03:17 - 00:03:20
these flaws exist. It's that because they're end of life, the manufacturer isn't releasing
00:03:20 - 00:03:26
security updates anymore. So no patches coming? Exactly. A patch might exist for one specific old
00:03:26 - 00:03:32
flaw, but the core firmware isn't maintained. So you get this ever growing list of potential
00:03:32 - 00:03:37
backdoors. It's like, like having a house with broken windows, but the landlord's just stopped
00:03:37 - 00:03:42
doing any repairs at all. Right. So the advice isn't even patch it. It's replace it. These obsolete
00:03:42 - 00:03:49
devices are kind of ticking time bombs in potentially millions of homes. So for us, just trying to stay safe
00:03:49 - 00:03:54
online, it means we've got to look beyond our laptops and phones. We need to literally
00:03:54 - 00:03:59
audit the hardware connecting us to the internet. Is there anything else broadening this threat landscape?
00:03:59 - 00:04:05
Yeah, this trend of wider targeting goes beyond just the hardware. We're also seeing a noticeable
00:04:05 - 00:04:11
uptick in activity from two specific Android malware variants. Okay. And if you step back and
00:04:11 - 00:04:15
look at the global pattern, there's a definite shift in victim geography too. India and South Korea,
00:04:15 - 00:04:20
for instance, are now showing up in the top five victim locations for ransomware attacks. Really,
00:04:20 - 00:04:26
that's new. It is. And it's not just a slight expansion. It suggests attackers are actively diversifying
00:04:26 - 00:04:32
where they focus, maybe looking for new targets, potentially less hardened ones. Outside those,
00:04:32 - 00:04:37
traditionally dominant regions like the US or Western Europe. Okay. Now here's where things get
00:04:37 - 00:04:43
really interesting, I thought the ransomware scene. It's really getting a shake up, isn't it?
00:04:43 - 00:04:48
Qilin, which has been such a dominant player. Yeah, consistently. It's actually seeing its
00:04:48 - 00:04:55
percentage decrease steadily. Yeah. So if Qilin's maybe losing a bit of ground, who's actually
00:04:55 - 00:05:01
stepping into that spotlight? Who's changing the game? The report paints a really clear picture here.
00:05:01 - 00:05:05
You're right. Qilin still holds the top spot overall for this period, but its share of
00:05:05 - 00:05:10
attacks has definitely dropped. Akira is the only other group from the previous top five that's still,
00:05:10 - 00:05:15
you know, really relevant. They actually moved up a rank, but the big story, the sudden emergence
00:05:15 - 00:05:23
of three entirely new actors making their debut in the top five. Three new ones, wow. Yeah. The Gentlemen,
00:05:23 - 00:05:29
Play, and INC Ransom. These groups aren't just like bubbling under. They're rapidly asserting
00:05:29 - 00:05:34
themselves. The Gentlemen. That sounds less like hackers and more like, I don't know, something out
00:05:34 - 00:05:40
of a spy movie. What makes this particular group stand out? What are their methods? Well, The Gentlemen,
00:05:40 - 00:05:46
a group we genuinely hadn't documented before, they stand out because the report notes their use of
00:05:46 - 00:05:52
highly tailored tools to bypass enterprise endpoint protection. Highly tailored. So this isn't just
00:05:52 - 00:05:57
about finding an existing vulnerability and exploiting it with an off the shelf tool. It suggests a
00:05:57 - 00:06:02
level of bespoke development, maybe deep reconnaissance before the attack. Right, custom work.
00:06:02 - 00:06:07
Exactly. It's like they're crafting custom keys for specific locks, not just trying a bunch of master
00:06:07 - 00:06:13
keys. That level of sophistication, the resources involved, the patience, it kind of blurs the lines
00:06:13 - 00:06:18
between purely criminal groups and maybe something more strategic. It makes them a really significant
00:06:18 - 00:06:24
and frankly, alarming new threat for organizations to watch. Okay. So we've covered who's attacking
00:06:24 - 00:06:29
how new players like The Gentlemen are emerging. But who are they actually going after? Let's dig into
00:06:29 - 00:06:36
the victim sector, geography, company size. What's the data telling us there? The victim sector data
00:06:36 - 00:06:42
shows a fairly consistent pattern, but with some interesting nuances. Manufacturing, technology,
00:06:42 - 00:06:48
still leading the pack. Surprise there? Not really, given their IP and supply chain value. But interestingly,
00:06:48 - 00:06:54
construction has climbed up to third place this period. Construction? It could be several reasons,
00:06:54 - 00:07:00
maybe less mature security postures, valuable project data, disruption potential. It's definitely
00:07:00 - 00:07:05
a sector to watch. Retail and financial services, they round out the top five, still consistently high
00:07:05 - 00:07:09
value targets. And geographically, you mentioned the US is still taking the brunt. Oh yeah, heavily.
00:07:09 - 00:07:16
Over 53% of attacks still hit US-based organizations. Wow. But as we touched on, the really notable change
00:07:16 - 00:07:22
is seeing South Korea and India pop up in the top five victim locations for the first time. South
00:07:22 - 00:07:29
Korea is over 4%, India nearly 3%. This isn't just a minor blip. It really signifies a deliberate
00:07:29 - 00:07:35
expansion of targeting. Attackers are actively seeking out new territories or perhaps finding new
00:07:35 - 00:07:40
ways into these rapidly digitalizing economies. This raises a really important question, probably for
00:07:40 - 00:07:46
a lot of our listeners. Does the data show whether it's the big Fortune 500 companies or smaller
00:07:46 - 00:07:51
businesses suffering more? Who's actually feeling the most pain here? And the data on this is, well,
00:07:51 - 00:07:58
it's stark. There's no ambiguity. Small businesses. And they define that as 500 employees or less.
00:07:58 - 00:08:07
They account for a staggering 84.07% of all victims. 84%. 84%. Mid-market organizations, they're next
00:08:07 - 00:08:13
at nearly 14%. Large enterprises, a tiny fraction, just over 2%. That's incredible. It really underscores
00:08:13 - 00:08:18
that it's often the smaller organizations. The ones typically with fewer dedicated cybersecurity
00:08:18 - 00:08:23
resources, maybe less expertise. They're the ones bearing the overwhelming brunt of these attacks.
00:08:23 - 00:08:28
It's not about being too small to be noticed. It's often about being seen as, well, easier prey.
00:08:28 - 00:08:32
Okay, shifting gears slightly. Beyond the purely criminal gangs, the brief also gets into some
00:08:32 - 00:08:38
trending adversaries that sound a bit more cloak and dagger, more sophisticated, often state
00:08:38 - 00:08:43
sponsored actors. Can you shed some light on these threats? Absolutely. What's quite illuminating here
00:08:43 - 00:08:50
is the sort of resurgence or continued high activity of known APT groups, advanced persistent threats.
00:08:50 - 00:08:56
Right. Specifically, APT29 and APT28, maybe better known as Cozy Bear and Fancy Bear.
00:08:56 - 00:09:01
Both Russian state-sponsored groups heavily involved in espionage. They're definitely active.
00:09:01 - 00:09:07
Still busy. Very. And APT28, Fancy Bear, has specifically been observed using a new Microsoft
00:09:07 - 00:09:13
Outlook backdoor. They're calling it NotDoor. A new backdoor for Outlook, given how central email
00:09:13 - 00:09:18
is. That sounds particularly nasty. It's incredibly insidious. Yeah. Because Outlook is the
00:09:18 - 00:09:22
communication hub for countless organizations, government included. It's a potent tool for
00:09:22 - 00:09:27
intelligence gathering if you can get inside it undetected. Are other state-backed players making noise?
00:09:27 - 00:09:34
Oh, yes. Not to be outdone, the Chinese group, known as Mustang Panda, has been noted for its
00:09:34 - 00:09:40
exploits. Specifically, they targeted a Philippine military company in what looks like a focused
00:09:40 - 00:09:46
espionage campaign. And this group, Mustang Panda, also ties into some of the newer malware we're
00:09:46 - 00:09:51
seeing. Like the SnakeDisk USB worm. SnakeDisk. Yeah. It works with another piece called the
00:09:51 - 00:09:57
TONESHELL backdoor. And interestingly, SnakeDisk apparently limits its execution just to
00:09:57 - 00:10:03
devices with Thailand-based IP addresses. Then it drops another payload, the Yokai backdoor.
00:10:03 - 00:10:08
Wow. That's incredibly specific targeting, geographically limited. Exactly. It demonstrates
00:10:08 - 00:10:13
meticulous planning, very clear strategic objectives. These aren't just random smash and grab attacks.
00:10:13 - 00:10:17
So definitely not opportunistic. These are well-resourced, carefully orchestrated campaigns.
00:10:17 - 00:10:21
What about WhiteCobra? They were also mentioned. WhiteCobra is another interesting one. They were
00:10:21 - 00:10:27
responsible for planting 24 malicious extensions across the VS Code and Open VSX marketplaces.
00:10:27 - 00:10:32
Ah, targeting developers. Precisely. For anyone listening who works in development,
00:10:32 - 00:10:36
this highlights that growing threat to the software supply chain itself.
00:10:36 - 00:10:42
The tools, the components developers rely on every single day. Right. By compromising those
00:10:42 - 00:10:48
development environments, attackers can potentially inject malicious code into countless projects downstream.
00:10:48 - 00:10:51
It creates this huge ripple effect of vulnerabilities. It's like,
00:10:51 - 00:10:58
contaminating the flour before thousands of loaves of bread are baked. Yeah, that's a scary prospect.
00:10:58 - 00:11:04
Let's zero in now on some specific vulnerabilities and malware variants making waves right now.
00:11:04 - 00:11:08
One really caught my eye and involves a super popular messaging app. Pretty much everyone uses it.
00:11:08 - 00:11:14
Ah, you must be talking about CVE-2025-55177, the WhatsApp one. That's the one.
00:11:14 - 00:11:19
And it's frankly terrifying. It's a zero-click vulnerability affecting WhatsApp on both iOS and macOS.
00:11:19 - 00:11:24
Zero-click. Explain that again. It means the attacker can trigger the vulnerability and potentially
00:11:24 - 00:11:29
execute code or process content from some arbitrary URL on your device without you doing anything.
00:11:29 - 00:11:33
No clicking a link, no opening a message, no interaction needed from the user at all.
00:11:33 - 00:11:37
And there's even evidence it's already being exploited out there in the wild.
00:11:37 - 00:11:42
Which raises that critical point again. Are you diligently keeping all your apps,
00:11:42 - 00:11:47
especially communication apps like WhatsApp, updated to the absolute latest version?
00:11:47 - 00:11:51
Because that's often your first line of defense. Zero-click is definitely nightmare fuel. It just
00:11:51 - 00:11:57
removes the user entirely from the equation. What other active and dangerous malware should we
00:11:57 - 00:12:02
be aware of from this report? Well, there's also Brokewell. It's an infostealer specifically going
00:12:02 - 00:12:06
after Android users. How does it spread? Attackers are being pretty clever, actually. They're using
00:12:06 - 00:12:13
Meta's ad platforms, Facebook, Instagram ads to trick people into installing fake versions of
00:12:13 - 00:12:18
the TradingView app. Oh, the trading app. Okay. Yeah. Once you install the fake app, Brokewell gets
00:12:18 - 00:12:23
deployed. And it's designed to capture credentials, intercept your multifactor authentication codes,
00:12:23 - 00:12:27
text messages, and even try to drain cryptocurrency wallets if you have them.
00:12:27 - 00:12:34
Ouch. Any others? There's another Android banking Trojan called RatOn. It's also quite sophisticated.
00:12:34 - 00:12:41
It combines RAT capabilities, remote access Trojan, with an NFC relay feature. NFC. Like Tap to
00:12:41 - 00:12:48
Pay. Sort of. It seems designed for crypto wallet account takeover and automating money transfers.
00:12:48 - 00:12:53
The report mentions it particularly targeting a specific bank's application in the Czech Republic.
00:12:53 - 00:12:58
Again, quite targeted. It really sounds like good old-fashioned social engineering, just
00:12:58 - 00:13:04
tricking users. It's still incredibly effective, even when paired with these advanced malware types.
00:13:04 - 00:13:07
Oh, absolutely. Social engineering never goes out of style, unfortunately.
00:13:07 - 00:13:14
StealC is another textbook example mentioned. It's described as a very sophisticated campaign using
00:13:14 - 00:13:19
a convincing, multilingual phishing website. How does it usually start? Often with an email,
00:13:19 - 00:13:24
a very convincing one. Warning the victim that their Facebook account is at risk of suspension because
00:13:24 - 00:13:28
of some policy violation. It preys perfectly on that fear of losing access to your social media,
00:13:28 - 00:13:34
your online identity. Classic fear tactic. Exactly. And we're also seeing older threats being sort of
00:13:34 - 00:13:41
rebooted. HybridPetya. Petya. Like the infamous wiper malware. A direct copy of the original Petya/NotPetya
00:13:41 - 00:13:46
wiper. Yeah. But it's been updated. Now it's capable of compromising UEFI-based systems.
00:13:47 - 00:13:53
UEFI. That's the basic boot up software on modern computers, right? That's right. The foundational
00:13:53 - 00:13:59
stuff that starts your computer before Windows or macOS even loads. And this new HybridPetya can
00:13:59 - 00:14:06
apparently bypass UEFI secure boot, at least on some older systems, using a specific vulnerability.
00:14:06 - 00:14:16
CVE-2024-7344. So they're reviving old destructive malware, but weaponizing it with new tricks to
00:14:16 - 00:14:21
hit deeper system levels. Precisely. Shows that attackers are constantly recycling and refining their
00:14:21 - 00:14:26
tools. Nothing ever truly goes away. Okay, let's turn to the top news headlines from this period.
00:14:26 - 00:14:30
It's pretty clear cyber threats aren't just hiding in the shadows. They are dominating public
00:14:30 - 00:14:34
discussion. What were some of the biggest stories that really reinforced what we've been talking
00:14:34 - 00:14:39
about that showcased this evolving landscape? The headlines really do vividly underscore this
00:14:39 - 00:14:43
acceleration, especially the role of AI in cybercrime now. AI. Yeah, that's popping up everywhere. We
00:14:43 - 00:14:49
saw reports of AI-powered malware like this s1ngularity attack that apparently hit over 2,000 GitHub
00:14:49 - 00:14:55
accounts. And perhaps even more concerning, this tool called HexStrike AI is reportedly being used by
00:14:55 - 00:15:03
hackers to rapidly exploit n-day flaws. N-day, meaning flaws that are known, but maybe not widely
00:15:03 - 00:15:08
patched yet. Exactly. Vulnerabilities that have been discovered, maybe a patch is available, maybe not,
00:15:08 - 00:15:13
but systems haven't been updated yet. This tool uses AI to weaponize those known flaws
00:15:13 - 00:15:19
incredibly quickly. It's not just AI assisting defense anymore. It's AI becoming a potent,
00:15:19 - 00:15:24
almost autonomous weapon for attackers. It dramatically increases the speed and scale of potential
00:15:24 - 00:15:30
compromises. That feels like a genuine game changer, fundamentally altering attack speed and scale.
00:15:30 - 00:15:34
And we also saw massive supply chain attacks making headlines, which ties back to what you said about
00:15:34 - 00:15:39
WhiteCobra earlier. Precisely. There is that story about hackers hijacking npm packages. These are
00:15:39 - 00:15:44
widely used software components in web development packages that collectively get 2 billion weekly
00:15:44 - 00:15:50
downloads. 2 billion. Wow. Yeah. It just shows how compromising one single point in that software
00:15:50 - 00:15:56
ecosystem can have these incredibly widespread devastating effects downstream. Similarly,
00:15:56 - 00:16:02
there was the GhostAction GitHub supply chain attack, which stole over 3,300 secrets, things like
00:16:02 - 00:16:07
API keys, passwords, again targeting the fundamental building blocks of software development.
00:16:08 - 00:16:13
These attacks are so insidious because they leveraged the trust we place in the shared code repositories
00:16:13 - 00:16:18
and tools. And just to highlight the scale of other threats, Cloudflare reported blocking the
00:16:18 - 00:16:24
largest ever recorded DDoS attack during this period, 11.5 terabits per second. Terabits, that's
00:16:24 - 00:16:29
astronomical. It's hard to even comprehend that scale. It's enough traffic to basically cripple
00:16:29 - 00:16:34
internet access for a small country all aimed at one target. It just speaks to the sheer destructive
00:16:34 - 00:16:40
power these denial of service threats now wield. Wow. Okay. That was a truly expansive and maybe
00:16:40 - 00:16:46
slightly sobering look into a rapidly evolving digital world. We've covered vulnerable home devices,
00:16:46 - 00:16:51
state-sponsored espionage, the alarming rise of AI in cybercrime. The landscape is incredibly
00:16:51 - 00:16:56
dynamic. So for you, our listener tuning in, what's the most critical takeaway from this deep dive
00:16:56 - 00:17:01
into the Byer-Nichols threat brief? You know, if you zoom out, what this brief really highlights, I think,
00:17:01 - 00:17:07
is the relentless broadening of the threat landscape. It's just not enough anymore to focus solely
00:17:07 - 00:17:13
on securing, say, corporate networks. We have to be thinking critically about securing our
00:17:13 - 00:17:18
personal devices, understanding the increasing sophistication of social engineering, recognizing
00:17:18 - 00:17:23
the systemic risk that comes from these supply chain attacks. And the fact that small businesses
00:17:23 - 00:17:30
are overwhelmingly targeted, combined with the common neglect of consumer grade devices,
00:17:30 - 00:17:35
like routers, that really pinpoints where many of the most significant yet often overlooked
00:17:35 - 00:17:40
risks actually reside. It's where individual awareness can genuinely make a difference.
00:17:40 - 00:17:44
So what does this all mean for you? Just navigating your own digital life day to day. It really
00:17:44 - 00:17:50
means proactive awareness is your absolute best defense. It really is. Keep those devices updated.
00:17:50 - 00:17:55
Your phone, your laptop, your router, keep the apps updated too. Seriously, consider replacing
00:17:55 - 00:17:59
any hardware that you know has reached end of life, especially network gear. Don't just leave it
00:17:59 - 00:18:06
plugged in. Exactly. And always, always, apply that healthy dose of skepticism to unexpected emails,
00:18:06 - 00:18:12
messages, pop-ups, especially anything designed to create urgency or fear. Question it first.
00:18:12 - 00:18:17
And maybe just for a final provocative thought to leave people with. Go for it.
00:18:17 - 00:18:22
Given this increasing sophistication we see, AI-powered threats, state-sponsored actors,
00:18:22 - 00:18:27
and this widespread targeting of consumer devices that are often vulnerable because they're
00:18:27 - 00:18:33
end of life. How much ethical or even practical responsibility should hardware and software
00:18:33 - 00:18:38
vendors actually bear for the long-term security of those products, especially when they continue
00:18:38 - 00:18:43
to operate in our interconnected world and become easy entry points for attackers long after the
00:18:43 - 00:18:47
official support ends. That's a really good question. Where does that responsibility truly lie?
00:18:47 - 00:18:52
Something to ponder, I think, as we all continue trying to build and secure our digital future.
00:18:54 - 00:18:59
Reach out to us at jbuyer.com for comments and questions. Follow us at Byer Company on social media,
00:18:59 - 00:19:05
and if you'd be so kind, please rate and review us in your podcast app.