Satellite FW, Attacks on European airports, Game was malware, Self-propagating malware

Notable news for the week of September 14-20, 2025. This week, your editor is Koichi from F5 Security Incident Response Team. In this edition, I have security news about a satellite firewall, attacks on European airports, a verified game that turned out to be malware, and self-propagating malware.

We at F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

 

Satellite (Great) Internet Firewall

According to a post by Human Rights in China on 20 September, China successfully launched three satellites on 5 September, including a prototype of the world's first ‘Satellite Internet Firewall’, and placed them into orbit. According to the Beijing University of Posts and Telecommunications, which developed it, the ‘Satellite Internet Firewall’ is a security solution integrating a multi-dimensional rule engine, AI-based anomaly detection, and onboard active inspection. Its architecture is designed to coordinate protection of both the physical and network layers of space communications. The university announced, "This marks a historic step forward for China in the field of satellite internet security, achieving for the first time a technological breakthrough in the coordinated protection of the physical and network layers of satellite internet, providing a solid technical foundation for the security assurance of China’s satellite internet.”

This is not the first satellite launched into orbit for cybersecurity purposes (Moonlighter is the first one as far as I know), but it is the first firewall satellite. How it will be operated remains to be seen, pending announcements from the Chinese authorities.

Source: China Launches First-Generation 'Satellite Internet Firewall' Security Payload

 

Cyber attacks on European airports

On September 20th, the systems handling check-in and boarding at major European airports, including London Heathrow, Brussels Airport in Belgium, and Berlin Airport in Germany, suffered a cyber attack. Check-in and boarding procedures were delayed, leading to numerous flight delays and cancellations. The impact is thought to have affected at least tens of thousands of people. On the other hand, Frankfurt Airport, Germany's largest airport, was not affected. The airport authorities and Collins Aerospace confirmed that these system failures were caused by a cyber attack.

The MUSE software from Collins Aerospace, which supplies systems to airports around the world, was the target of this cyber attack. RTX, the parent company of Collins Aerospace, acknowledged that some airports were experiencing ‘cyber-related disruptions’ to the software, but explained that ‘the impact is limited to online check-in and baggage drop-off’ and that face-to-face check-in could mitigate the impact. It was not known who was behind the attack. RTX said it was working to fix the problem as quickly as possible. However, according to many websites covering hacking, Collins Aerospace was hit by ransomware in 2023, and many people have speculated that the earlier attack was connected to this latest one.

Source: European airports snarled by cyberattack, disruption to stretch into Sunday
Source: Disruption continues at Heathrow, Brussels and Berlin airports after cyber-attack

 

A verified game ... was malware

A game verified on Steam was actually crypto-stealing malware.

Steam is a platform primarily distributing commercial PC games. Games sold there undergo prior review by Steam to verify their quality and security (I believe).

A Latvian-based streamer battling cancer was raising funds towards a $55,000 target to pay for his cancer treatment. One of the viewers of his livestream suggested trying “BlockBlasters”, a game available on Steam, to attract more donations. After the streamer downloaded and launched the game, over $32,000 in donations for his cancer treatment vanished from his cryptocurrency wallet within minutes. As this occurred during his livestream, numerous viewers witnessed the theft in real time. The shocking footage rapidly spread across social media, revealing the presence of malware embedded within “BlockBlasters” and its impact on the entire PC game market.

An investigation by cryptocurrency security experts revealed that 261 Steam accounts had been affected, with total losses reaching $150,000. 'BlockBlasters' appeared to be a standard 2D action game. This free game, developed by Genesis Interactive, launched on Steam on 31st July 2025. Initially, it did not seem to have any problems, received positive reviews, and was even marked “Verified” by Steam as compatible with the Steam Deck handheld console (which I also use), so people assumed Steam had verified that the game had no security issues.

For approximately one month, “BlockBlasters” was played as a normal game. However, an update released on 31st August secretly embedded malware designed to steal users' cryptocurrency. The malware continued its activities undetected thereafter, and in September 2025 the theft occurred.

Source: Steam BlockBlasters game drained $32K in crypto

Source: BlockBlasters: Infected Steam game downloads malware disguised as patch

Source: Steam Game Update Reportedly Distributed Malware And Stole Money From Cancer Victim

 

Self-propagating supply chain attack

On September 15, 2025, the cyber-security firm StepSecurity reported that the popular NPM package “@ctrl/tinycolor,” downloaded over 2 million times weekly, had been compromised along with over 40 other packages (they later updated the count to over 500 packages).

This supply chain attack worm was named “Shai-Hulud” (Is the name derived from the sandworms in Dune?). Shai-Hulud has self-propagating capabilities: it automatically spreads the infection to other packages managed by the maintainer of the compromised package. It also harvests cloud service credentials and tries to maintain access by planting backdoors in GitHub Actions, which can threaten entire software systems. Collected credentials are packaged in JSON format and uploaded to a publicly accessible GitHub repository named “Shai-Hulud,” delivering them to the attackers.

StepSecurity published IoCs for the worm and the immediate actions required to prevent damage from Shai-Hulud. Those are:

  • Identify and remove compromised packages
  • Clean Infected Repositories
  • Rotate All Credentials Immediately
  • Audit Cloud Infrastructure for Compromise
  • Monitor for Active Exploitation
  • Implement Security Controls

Source: Self-propagating supply chain attack hits 187 npm packages

Source: ctrl/tinycolor and 40+ NPM Packages Compromised - StepSecurity

Published Sep 24, 2025
Version 1.0