Good Morning Security Gang!
I’ve got my double espresso in hand, and today we’re covering some of the most significant developments in cyber—from the discovery of the first AI-powered ransomware to fresh supply chain attacks, Iranian tankers being knocked offline, and new critical vulnerabilities in Git, Citrix, and Docker. Plus, we’ll touch on North Korea’s IT worker scam fueling its missile program, Google’s long-overdue Android fixes, and a sophisticated new social engineering campaign targeting manufacturers.
Let’s jump right in.
🤖 First AI-Powered Ransomware – “PromptLock”
ESET researchers discovered PromptLock, the first proof-of-concept AI-powered ransomware. Written in Go, it uses OpenAI’s gpt-oss-20b open-weight model to generate Lua scripts for tasks like file inspection, data exfiltration, and encryption.
"Today you're safe, right? So let's just say today you're safe. Tomorrow? That's a whole different story, right? Eventually the threat actors will figure it out; eventually it'll run; they'll find a way to get these APIs running where they don't need an Ollama server for it." James Azar
Both Windows and Linux variants exist. Right now, it requires heavy resources and hasn’t been deployed in the wild—but as I said on the show: “Today you’re safe, tomorrow is a whole different story.” Once adversaries optimize it, we could see self-prompting ransomware with logic trees and adaptive kill chains.
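The action item that follows from this story is to test detection against script-generating malware before it is optimized. The example below is added here and is not ESET’s code or anything from the PromptLock sample: it is a hunting heuristic written for this post that keys off the two behaviours the story describes, a process that talks to a locally reachable Ollama-served model and then writes or spawns Lua. The event schema, the default Ollama port (11434), the allowlist paths and the five-minute window are all this example’s assumptions, and the telemetry is constructed.

```python
import json
from collections import defaultdict

OLLAMA_API_PORT = 11434   # Ollama's default listening port (assumption for this example)
WINDOW_SECONDS = 300      # how long after a model call we still tie script activity to it
LUA_INTERPRETERS = {"lua", "lua5.3", "lua5.4", "luajit", "lua.exe"}
# Hypothetical allowlist of images expected to talk to the model API (e.g. the server itself).
ALLOWLISTED_IMAGES = {"/usr/local/bin/ollama", "C:\\Program Files\\Ollama\\ollama.exe"}

# Constructed endpoint telemetry in a Sysmon/eBPF-like shape (this example's own schema).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"ts": 100, "event": "process_create", "pid": 4242, "parent_pid": 1, "image": "/tmp/.cache/updater", "cmdline": "./updater"}
{"ts": 101, "event": "network_connect", "pid": 4242, "image": "/tmp/.cache/updater", "dst": "127.0.0.1", "dport": 11434}
{"ts": 130, "event": "file_create", "pid": 4242, "image": "/tmp/.cache/updater", "path": "/tmp/.cache/scan_7f.lua"}
{"ts": 131, "event": "process_create", "pid": 4300, "parent_pid": 4242, "image": "/usr/bin/lua5.4", "cmdline": "lua5.4 /tmp/.cache/scan_7f.lua"}
{"ts": 200, "event": "network_connect", "pid": 5555, "image": "/usr/bin/python3", "dst": "127.0.0.1", "dport": 11434}
{"ts": 300, "event": "process_create", "pid": 6000, "parent_pid": 1, "image": "/usr/bin/lua5.4", "cmdline": "lua5.4 build.lua"}
""".strip().splitlines()]


def basename(path: str) -> str:
    """Last path component, tolerant of both '/' and '\\' separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt_llm_scripting(events):
    """Return alerts for processes that call the local model API and then produce Lua.

    A model call alone (a developer using the API) or Lua alone (a build script)
    does not fire; only the sequence within WINDOW_SECONDS does.
    """
    model_calls = {}          # pid -> ts of its most recent model API connection
    alerts = []

    def check(pid, ts, what):
        called_at = model_calls.get(pid)
        if called_at is not None and 0 <= ts - called_at <= WINDOW_SECONDS:
            alerts.append({"pid": pid, "seconds_after_model_call": ts - called_at, "reason": what})

    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["event"]
        if kind == "network_connect" and e.get("dport") == OLLAMA_API_PORT:
            if e["image"] not in ALLOWLISTED_IMAGES:
                model_calls[e["pid"]] = e["ts"]
        elif kind == "file_create" and e["path"].lower().endswith(".lua"):
            check(e["pid"], e["ts"], f"wrote Lua script {e['path']}")
        elif kind == "process_create" and basename(e["image"]) in LUA_INTERPRETERS:
            # The interpreter is a child; the suspicious actor is the parent that called the model.
            check(e.get("parent_pid"), e["ts"], f"spawned Lua interpreter: {e['cmdline']}")
    return alerts


if __name__ == "__main__":
    for alert in hunt_llm_scripting(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the rule fires twice for pid 4242 (the Lua file write and the interpreter spawn) and stays quiet for the developer’s Python process and the stand-alone Lua build job. Tuning is the usual work: widen `LUA_INTERPRETERS` if your fleet uses other script engines, and replace the window and allowlist with values from your own baseline.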
🛠 SalesLoft Breach Leads to Salesforce Compromise
SalesLoft disclosed a supply chain breach involving its Drift Salesforce integration. Attackers stole OAuth and refresh tokens, pivoting into customer Salesforce instances to exfiltrate AWS keys, passwords, and Snowflake tokens. This clarifies that many recent Salesforce data theft incidents were not platform failures but fourth-party supply chain compromises. SalesLoft revoked all Drift tokens and requires customers to reauthenticate. Admins should rotate credentials and scan Salesforce objects for leaked secrets.
“Trends matter. Supply chain and insider compromises aren’t outliers anymore—they’re the rule.” James Azar
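The remediation step in this story, scanning Salesforce objects for secrets that were pasted into cases, chats or notes, is worth automating, because the attackers were hunting exactly those strings. The scanner below is an added example written for this post, not SalesLoft’s, Salesforce’s or anyone’s published tooling: it runs over a CSV export (the field names and the sample records are constructed) and flags the secret types the story names, AWS access keys, passwords and Snowflake tokens. The regexes are this example’s own heuristics and the Snowflake token prefix is an assumption; the previews are redacted so findings can go straight into a ticket.

```python
import csv
import io
import re
from dataclasses import dataclass

# Heuristic patterns for the secret types named in the breach coverage.
# These are this example's own regexes, not a vendor-published ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
    # Assumed shape of a Snowflake session token ("ver:1-hint:<id>-<base64>").
    "snowflake_token": re.compile(r"\bver:1-hint:[0-9A-Za-z]+-[A-Za-z0-9+/=]{8,}"),
    "generic_secret": re.compile(r"(?i)\b(secret|api[_-]?key|token)\s*[:=]\s*[A-Za-z0-9+/_\-]{16,}"),
}

# Constructed sample: a CSV export of Case records with hypothetical field names.
# Every value is a fabricated test string, not a real credential.
SAMPLE_CASE_EXPORT = """Id,Subject,Description
5001x000001,Login issue,"Customer cannot log in, reset sent"
5001x000002,Deploy failure,"Used key AKIAIOSFODNN7EXAMPLE and secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
5001x000003,DB access,"password=Sup3rS3cret! for the staging warehouse"
5001x000004,Snowflake creds,"token: ver:1-hint:abc-ETMsDgAAAZ9 (pasted from support chat)"
"""


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    preview: str  # redacted snippet, safe to put in a ticket


def redact(value: str) -> str:
    """Keep the first 4 characters so an admin can locate the value; mask the rest."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_records(records, id_field="Id"):
    """Return a Finding for each secret-like string in any text field of each record."""
    findings = []
    for rec in records:
        rid = rec.get(id_field, "<no-id>")
        for field, value in rec.items():
            if field == id_field or not value:
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(value):
                    findings.append(Finding(rid, field, kind, redact(m.group(0))))
    return findings


def scan_csv_export(csv_text: str, id_field="Id"):
    """Scan a Salesforce-style CSV export (one object type per file)."""
    return scan_records(csv.DictReader(io.StringIO(csv_text)), id_field)


if __name__ == "__main__":
    for f in scan_csv_export(SAMPLE_CASE_EXPORT):
        print(f"{f.record_id} {f.field}: {f.kind} -> {f.preview}")
```

On the constructed export this reports three records (an AWS key, a password assignment and a Snowflake token) and ignores the benign case. Point `scan_csv_export` at Data Loader or Bulk API exports of the objects an integration could read (Case, Contact, Account, Opportunity, chat transcripts), and treat every hit as a credential to rotate, not just a record to clean up.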
🚢 Iran Tanker Fleet Hacked – 60 Vessels Disrupted
Hackers from Lab Dookhtegan (“Sewn Lips”) claimed responsibility for disabling communications on 60 Iranian tankers and cargo ships, disrupting the state-owned National Iranian Tanker Company and IRISL. By gaining root access to satellite communication systems, they cut ships off from ports and shore. While not officially attributed to Israel, this mirrors March’s attack on 116 vessels. Maritime cyber remains one of Iran’s biggest Achilles’ heels.
🇮🇷 Iranian Cyber Blowback – Australia Braces
After expelling Iran’s ambassador, Australia is bracing for Iranian hacktivist retaliation. Google’s TAG warns of likely DDoS, website defacement, and data leaks aimed at pushing propaganda rather than causing material damage. Organizations are advised to rehearse playbooks and harden public-facing assets now.
🇰🇵 North Korean IT Worker Scam Exposed
The U.S., Japan, and South Korea convened in Tokyo to combat North Korea’s IT worker infiltration campaign. Using stolen IDs, North Koreans embedded in Western firms (often via China or Russia) have helped the Lazarus Group steal hundreds of millions from crypto platforms, funneling funds to WMD programs. The scheme dates back years and shows how insider placement is as valuable as malware.
📱 Google Adds Developer Verification for Android Apps
Starting in 2026, all Android apps (including sideloaded ones) must come from verified developers. This aims to combat the epidemic of sideloaded malware: Google found 50x more malware in apps installed from outside the Play Store. Developers will need identity verification, including D-U-N-S numbers. It’s a long-overdue move, but whether it’s enforced effectively remains to be seen.
🏭 Sophisticated “MixShell” Campaign Targets Manufacturers
Check Point Research uncovered a new campaign delivering MixShell in-memory malware through “Contact Us” forms on websites instead of email. Threat actors engage victims in weeks of professional exchanges, even using fake NDAs, before sending a weaponized ZIP. Targets include U.S. industrial, semiconductor, and biotech firms, with additional hits in Japan, Singapore, and Switzerland. This is social engineering at its most convincing.
🛠 Vulnerabilities – Git, Citrix, Docker
Git (CVE-2025-48384): Under active exploitation on macOS/Linux, allowing arbitrary file writes. Patch immediately.
Citrix (CVE-2025-57775): Zero-day in NetScaler ADC & Gateway, CVSS 9.2, now patched.
Docker Desktop (CVE-2025-9074): Container escape flaw impacting Mac/Windows, CVSS 9.3. Patched in v4.44.3.
🧠 James Azar’s CISO Take
Today’s episode underlines two themes: AI’s weaponization and the supply chain crisis. PromptLock proves adversaries are already experimenting with AI-driven malware, and SalesLoft shows how fourth-party integrations can create cascading exposures. This isn’t a Salesforce story—it’s a trust and governance story. As CISOs, we must inventory dependencies beyond tier-1 vendors and enforce least-privilege integrations.
The other thread is geopolitics meeting enterprise risk. Iran’s maritime disruptions, North Korea’s IT worker infiltration, and Australia bracing for Iranian retaliation all show how cyber is a frontline weapon of statecraft. At the same time, attackers are perfecting long-game social engineering like MixShell. Our role isn’t just patching—it’s anticipating how adversaries blend geopolitical intent with technical compromise paths.
✅ Action Items
🤖 Track AI-powered malware trends; test detection against adaptive scripts.
🔐 Rotate Salesforce/Drift tokens, audit secrets, and reauthenticate integrations.
📡 Patch Git (CVE-2025-48384), Citrix (CVE-2025-57775), and Docker Desktop (CVE-2025-9074).
🚢 Monitor maritime/ICS exposure if tied to energy or shipping sectors.
🇰🇵 Train HR and procurement teams to spot fraudulent IT worker hires.
📱 Prepare Android device management policies for 2026 developer verification rollout.
🏭 Harden inbound “Contact Us” workflows against social engineering malware delivery.
Thank you for reading this and Stay Cyber Safe!
🚀 About The CyberHub Podcast
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast live Monday through Thursday at 9AM EST for the latest news on YouTube.