Malware Activity
The Rise of AI-Powered Ransomware and Cybersecurity Challenges
Recent reports reveal the emergence of PromptLock, an advanced, AI-driven ransomware that intelligently targets and encrypts valuable data while exfiltrating sensitive information to maximize damage and ransom potential. Developed in Golang and utilizing the DeepAI gpt-oss:20b model via the Ollama API, PromptLock generates dynamic, evasive Lua scripts capable of cross-platform operation. It has been found to target a range of systems including industrial control environments. Its sophisticated use of encryption and real-time payload generation exemplifies a significant evolution in cybercriminal tactics, complicating detection efforts and emphasizing the need for stronger cybersecurity defenses. While currently believed to be a proof-of-concept, PromptLock demonstrates how AI can facilitate adaptable and evasive malware, raising concerns about future threats. This development underscores the critical importance for organizations to enhance their security measures against increasingly autonomous and intelligent cyber threats, as well as the broader vulnerabilities introduced by AI systems themselves. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Experimental PromptLock Ransomware Uses AI to Encrypt Steal Data article
- TheHackerNews: Someone Created First AI Powered article
Threat Actor Activity
CISA Joint Advisory: Chinese-linked APT Salt Typhoon Hacking Campaign Hits 600 Organizations Worldwide
The China-linked advanced persistent threat (APT) group known as Salt Typhoon has been actively conducting cyber-espionage campaigns targeting global critical infrastructure sectors, including telecommunications, government, transportation, lodging, and military networks. The group exploits known vulnerabilities in network devices, such as Cisco IOS and Palo Alto Networks, to gain access and establish persistent presence in target environments. These vulnerabilities include CVE-2024-21887, CVE-2024-3400, CVE-2023-20273, CVE-2023-20198, and CVE-2018-0171. Salt Typhoon's operations have been linked to three (3) Chinese technology firms—Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.—which provide cyber products and services to China's intelligence services. The data obtained through these intrusions enable Chinese intelligence to track target communications and movements globally. The campaign has targeted over 600 organizations, including major U.S. carriers like AT&T and Verizon, and entities in eighty (80) countries. The group uses compromised devices to pivot into other networks, modifying configurations and employing tools like JumbledPath for traffic monitoring. A joint advisory from intelligence and cybersecurity agencies in thirteen (13) countries emphasizes the importance of patching known vulnerabilities and strengthening security protocols to mitigate the threat. Organizations are urged to monitor for unauthorized changes and disable unused services to prevent further exploits. CTIX Analysts recommend organizations familiarize themselves with the mitigations listed in the CISA Joint Advisory linked below.
- CISA: Joint Salt Typhoon Advisory
- Bleeping Computer: Salt Typhoon Article
- The Record: Salt Typhoon Article
- The Hacker News: Salt Typhoon Article
Vulnerabilities
FreePBX Zero-Day Exploited in Active Attacks Against Exposed Systems
The Sangoma FreePBX Security Team has issued urgent warnings about a critical zero-day vulnerability in the Endpoint Manager module affecting FreePBX versions 16 and 17, which is being actively exploited against systems with Administrator Control Panels (ACP) exposed to the internet. Since at least August 21, 2025, attackers have leveraged the flaw to achieve unauthenticated remote code execution (RCE) and privilege escalation, allowing arbitrary command execution under the web server or Asterisk user, installation of persistent backdoors, deployment of cleanup scripts, and exfiltration of call detail records. Multiple organizations have reported server compromises impacting thousands of SIP extensions and hundreds of trunks, with observed indicators of compromise including modified configuration files, the presence of a ".clean.sh" script, suspicious POST requests to "modular.php", unauthorized ampuser entries in databases, and unusual extension 9998 call activity. While Sangoma has released an EDGE update for testing and promised a stable fix within days, it stresses that the patch only protects future installations and cannot clean already compromised systems. CTIX analysts strongly advise any affected readers to immediately restrict ACP access to trusted networks or VPNs, verify systems for compromise, rotate all credentials, restore from pre-attack backups, and rebuild on patched versions once the stable release is available. A formal CVE and post-mortem report are expected following the conclusion of Sangoma's ongoing investigation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
