SparTech Software CyberPulse – Your quick strike cyber update for September 22, 2025 5:03 AM

Scattered Spider Resurfaces with Targeted Attacks on Financial Sector

In early September 2025, the threat actor known as Scattered Spider, previously believed to have retired, resurfaced with a sophisticated campaign targeting several major entities in the financial sector. This resurgence marks a notable escalation in the group’s operational scope, employing advanced malware, social engineering, and supply-chain infiltration techniques.

Technical Profile of the Campaign

The new attack series attributed to Scattered Spider leveraged multi-stage phishing schemes to compromise employee email accounts at large banking institutions. Attackers used these footholds to further distribute weaponized documents exploiting unpatched zero-days in widely used productivity suites. These exploited vulnerabilities provided persistent access, which was then leveraged to install remote access trojans (RATs) and credential harvesting tools on critical banking infrastructure.

Malware and Exploit Analysis

For lateral movement and data exfiltration, the group deployed a customized variant of the Cobalt Strike framework, modified to evade endpoint detection and response (EDR) solutions. For initial reconnaissance and network mapping, living-off-the-land binaries (LOLBins) were frequently used, with added obfuscation layers on the PowerShell and WMI scripts that drove them. Exfiltrated data included large volumes of customer records and transaction logs, indicating a dual motive of financial theft and cyber-espionage.

Remediation and Sector Response

Major targeted organizations activated incident response and forensic investigation protocols. These included account resets, segmented network lockdowns, and the deployment of updated threat intelligence indicators. Financial sector security teams are widely sharing IOCs (indicators of compromise) and have escalated user training on phishing prevention, specifically targeting the sophisticated tactics observed in this campaign.

Supply-Chain Attack Impacts npm Package ‘Nx,’ Exposes Sensitive Files Globally

In September 2025, a significant supply-chain attack targeting the ‘Nx’ package on the npm ecosystem resulted in the unauthorized exposure of nearly 20,000 sensitive files from projects and organizations worldwide. This breach highlights ongoing risks around open-source software dependencies and package ecosystem trust.

Attack Vector and Exploit Mechanism

The attacker was able to publish a malicious update of the Nx package to npm, which, on installation, executed post-install scripts to harvest environment variables, configuration files, and access tokens from development environments. These files were silently exfiltrated to a remote server controlled by the attackers. The affected organizations ranged from small web development firms to Fortune 500 software teams.

Indicators and Forensic Footprint

Forensic review revealed that the update contained heavily obfuscated JavaScript code designed to avoid traditional static analysis. Notably, attackers exploited a lack of multi-factor authentication enforcement for several high-profile npm publisher accounts, allowing unauthorized package updates to be pushed and widely adopted before detection.

Mitigation Efforts

The Nx package maintainers, in collaboration with npm security, rapidly revoked the compromised versions and issued urgent advisories. Organizations impacted have been urged to rotate credentials, invalidate tokens, and perform a full review of recent codebase exposure points. Increased scrutiny of package publisher access controls and automated analysis of new package versions are being discussed as preventative actions.
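The attack mechanism described above relies on npm running a package's install-time lifecycle scripts automatically, and the mitigation section recommends reviewing exposure points. The following audit script is an added example, not code from SparTech, the Nx project, or npm: it inventories every package in a dependency tree that runs code at install time and reports any that are not on a reviewed allowlist. The sample manifests, package names, and versions are constructed for offline demonstration, and the `load_node_modules` walker assumes the standard `node_modules/<name>/package.json` (or `node_modules/@scope/<name>/package.json`) layout.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts."""
import json
from pathlib import Path

# npm runs these hooks automatically during `npm install`; a compromised
# package can use any of them to execute code on the developer's machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample manifests (hypothetical packages, not real ones).
SAMPLE_MANIFESTS = {
    "good-lib": {"name": "good-lib", "version": "1.0.0",
                 "scripts": {"test": "jest"}},
    "native-addon": {"name": "native-addon", "version": "2.3.1",
                     "scripts": {"install": "node-gyp rebuild"}},
    "suspicious-pkg": {"name": "suspicious-pkg", "version": "0.0.9",
                       "scripts": {"postinstall": "node ./setup.js"}},
}


def install_hooks(manifest):
    """Return {hook: command} for every install-time hook the manifest defines."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_manifests(manifests, allowlist=frozenset()):
    """Return (name, version, hook, command) tuples for packages that execute
    code at install time and whose exact name@version has not been reviewed."""
    findings = []
    for manifest in manifests:
        name = manifest.get("name", "<unnamed>")
        version = manifest.get("version", "?")
        if f"{name}@{version}" in allowlist:
            continue
        for hook, command in install_hooks(manifest).items():
            findings.append((name, version, hook, command))
    return findings


def load_node_modules(root):
    """Yield the package.json of each package installed under node_modules.

    Only manifests that sit at a package root are considered, i.e. whose
    parent directory is directly under node_modules or under a scoped
    @org directory within node_modules.
    """
    for pkg_json in Path(root).rglob("package.json"):
        pkg_dir = pkg_json.parent
        is_root = pkg_dir.parent.name == "node_modules" or (
            pkg_dir.parent.name.startswith("@")
            and pkg_dir.parent.parent.name == "node_modules"
        )
        if not is_root:
            continue
        try:
            yield json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash


if __name__ == "__main__":
    import sys
    # Usage: python audit_install_scripts.py [path/to/node_modules]
    manifests = (load_node_modules(sys.argv[1]) if len(sys.argv) > 1
                 else SAMPLE_MANIFESTS.values())
    for name, version, hook, command in audit_manifests(manifests):
        print(f"{name}@{version}: {hook} -> {command}")
```

Running the script against a real tree gives a reviewable list of every package that gets code execution at install time; packages with a legitimate build step (native add-ons, for example) can be pinned into the allowlist by exact version so that a newly published version with a new hook is flagged again. Independently of the audit, npm's `ignore-scripts` setting (in `.npmrc`, or `npm install --ignore-scripts` on the command line) stops lifecycle scripts from running at all, which removes this execution vector for CI runners and developer machines that do not need it.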

TransUnion Data Breach Affects 4.4 Million Individuals

Consumer credit reporting agency TransUnion reported a breach in September 2025 impacting 4.4 million customers. The attackers gained unauthorized access to sensitive consumer data, raising concerns about the efficacy of authentication safeguards and incident detection speed in high-value financial repositories.

Discovery and Scope

The breach was identified following irregular system traffic patterns, which post-incident analysis attributed to a compromised third-party vendor’s credentials. Attackers accessed names, addresses, social security numbers, credit histories, and limited financial account data.

Technical Root Cause Analysis

The compromise began with privilege escalation of a vendor account that was not isolated by sufficient network segmentation. Adversaries bypassed multi-factor authentication protections using a combination of phishing and social engineering, then moved laterally into more sensitive segments. TransUnion reports that no evidence suggests ongoing attacker presence post-discovery.

Response Measures and Consumer Protections

The company immediately engaged digital forensics experts, notified authorities, and provided affected individuals with identity theft protection and credit monitoring services. Security enhancements, including improved vendor management practices and more robust credential monitoring, are underway.

Attackers Abuse Velociraptor Incident Response Tool for Malicious Activity

Threat actors have begun exploiting Velociraptor, an open-source digital forensics and incident response (DFIR) tool, for malicious purposes. This represents a growing trend of attackers leveraging legitimate security utilities to evade detection and maintain persistent access within target networks.

Technique and Tactics

By deploying modified Velociraptor agents to compromised hosts, attackers leveraged its capability for file collection, process inspection, and lateral movement mapping. The abused tool enabled remote command execution and data exfiltration while blending into sanctioned IT and security operations traffic. Custom plugins were also implemented to bypass typical usage telemetry and alerting.

Detection and Defense Strategies

Security teams are being advised to conduct detailed inventories of approved security tools and hunt proactively for anomalous use or unauthorized Velociraptor agent deployment. Advanced endpoint analytics and network traffic analysis are now recommended to distinguish legitimate DFIR activity from attacker abuse.
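The hunting advice above comes down to comparing what is actually running against the approved-tool inventory. The script below is an added example, not code from SparTech or the Velociraptor project: it reads endpoint process/network events and flags any Velociraptor agent whose binary hash, install path, or server endpoint does not match the inventory. The event schema (one JSON object per line with `image`, `sha256`, `orig_name`, `dest` fields, modelled loosely on Sysmon-style fields such as OriginalFileName), the approved hashes, the frontend address, and the sample events are all constructed placeholders; a real deployment would export the same fields from its EDR or SIEM.

```python
"""Hunt for Velociraptor agents that are not part of the approved deployment."""
import json

# Constructed approved-tool inventory (placeholder values, not real hashes).
APPROVED_AGENT_HASHES = {"sha256:PLACEHOLDER_APPROVED_BUILD_1"}
APPROVED_FRONTENDS = {"dfir-frontend.corp.example:8000"}
APPROVED_INSTALL_DIRS = ("c:\\program files\\velociraptor\\",)

# Constructed sample telemetry, one JSON record per line. The second record
# is a renamed binary whose PE original file name still says velociraptor.exe.
SAMPLE_EVENTS = r"""
{"host":"ws-101","image":"C:\\Program Files\\Velociraptor\\velociraptor.exe","sha256":"sha256:PLACEHOLDER_APPROVED_BUILD_1","dest":"dfir-frontend.corp.example:8000","user":"SYSTEM"}
{"host":"ws-233","image":"C:\\Users\\Public\\svchost_update.exe","orig_name":"velociraptor.exe","sha256":"sha256:PLACEHOLDER_UNKNOWN_BUILD","dest":"203.0.113.45:443","user":"jdoe"}
{"host":"ws-301","image":"C:\\Program Files\\Velociraptor\\velociraptor.exe","sha256":"sha256:PLACEHOLDER_APPROVED_BUILD_1","dest":"198.51.100.7:8000","user":"SYSTEM"}
{"host":"ws-410","image":"C:\\Windows\\System32\\notepad.exe","sha256":"sha256:PLACEHOLDER_NOTEPAD","dest":"","user":"jdoe"}
"""


def is_velociraptor(event):
    """Match on the on-disk name or the PE original file name, so a renamed
    copy of the agent is still recognised."""
    names = (event.get("image", ""), event.get("orig_name", ""))
    return any("velociraptor" in name.lower() for name in names)


def check_event(event):
    """Return the list of reasons this agent event deviates from the inventory
    (empty list means it matches the approved deployment)."""
    reasons = []
    if event.get("sha256") not in APPROVED_AGENT_HASHES:
        reasons.append("unknown agent build")
    image = event.get("image", "").lower()
    if not image.startswith(APPROVED_INSTALL_DIRS):
        reasons.append("runs from unexpected path")
    dest = event.get("dest")
    if dest and dest not in APPROVED_FRONTENDS:
        reasons.append("connects to unapproved server")
    return reasons


def hunt(events_text):
    """Parse newline-delimited JSON events and return findings for every
    Velociraptor process that fails one or more inventory checks."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_velociraptor(event):
            continue
        reasons = check_event(event)
        if reasons:
            findings.append({"host": event.get("host", "?"),
                             "image": event.get("image", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['image']} -> "
              f"{', '.join(finding['reasons'])}")
```

On the sample data the hunt reports ws-233 (renamed binary, unknown build, unexpected path, unapproved server) and ws-301 (approved build but talking to a server that is not the organisation's frontend), while the legitimate agent on ws-101 and the unrelated process on ws-410 produce nothing. The server-endpoint check is what separates an attacker's re-pointed agent from the sanctioned deployment even when the binary itself is the genuine, approved build.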

Major Data Breach at Kering, Parent Company of Multiple Luxury Brands

Kering S.A., parent company of luxury fashion houses including Gucci, Balenciaga, and Yves Saint Laurent, confirmed a significant data breach in September 2025. The incident resulted in customer information exposure and heightened concerns about targeted attacks against high-profile retail organizations.

Attack Attribution and Methods

The breach is believed to be the work of the hacking group ShinyHunters, known for targeting valuable consumer data. Attackers gained access through a vulnerable customer relationship management web application, exploiting a zero-day vulnerability to gain administrative privileges and extract data.

Data Compromised

Compromised information includes customer names, contact details, home addresses, and records of purchase values. There is no current evidence of payment card or authentication credential theft, but the scale and sensitivity of the exposed records have triggered a global notification campaign.

Remediation Efforts

Kering’s security team has addressed the web application vulnerability, increased monitoring of suspicious user activity, and is coordinating with international regulators. Affected customers are being offered complimentary identity and fraud monitoring.
