Get caught up on the latest technology and startup news from the past week. Here are the most popular stories on GeekWire for the week of Jan. 18, 2026.
Internal emails, texts, slide decks, and deposition testimony show how Microsoft went from being sidelined at OpenAI’s founding to wielding decisive influence over the AI lab that launched the generative AI era — and how that power is now being tested as OpenAI emerges as a platform company with leverage of its own. … Read More
A longtime leader for Fulfillment by Amazon retires and offers parting thoughts, while former executives with Oracle, Microsoft and LevelTen take new roles. … Read More
Seattle’s ORCA transit system is rolling out an upgrade that will let riders pay fares by tapping their credit card or smartphone — no dedicated ORCA card required. … Read More
A weekend vibe-coding project by the startup leader and former Amazon Worldwide Consumer CEO sparked debate over the speed, scalability, and real‑world value of increasingly popular AI development workflows. … Read More
The heaviest hit facility is the Reality Labs office in Redmond, followed by the Spring District office in Bellevue, according to a state filing. … Read More
Seattle startup Emerald Battery Labs raised just under $1.1 million in a pre-seed round to continue scaling its sodium-ion battery technology. … Read More
Amazon Quick Suite has a new vice president, Chronus named a CEO, Supio added to its C-suite, and REI got an AI lead, among other Seattle area tech moves. … Read More
Microsoft CEO Satya Nadella riffed on some famous lines from tech leaders past this week in an appearance at the World Economic Forum in Davos, Switzerland, and offered up his own trippy candidate to join the canon of computing metaphors. Read More… Read More
The Good | Authorities Expose RaaS Leaders, Prosecute Identity Hackers & Tighten EU Cybersecurity Rules
Law enforcement in Ukraine and Germany have moved to dismantle Black Basta ransomware gang, confirming its leader and placing him on Europol and Interpol wanted lists. Identified as Oleg Evgenievich Nefedov, the Russian national is also known online as kurva, Washington, and S.Jimmi.
Police have also arrested two alleged Black Basta affiliates accused of breaching networks, cracking credentials, escalating privileges, and preparing ransomware attacks.
Investigators link Nefedov in a secondary role associated with the now-defunct Conti syndicate, confirming Black Basta’s evolution into a major ransomware-as-a-service (RaaS) operation responsible for hundreds of extortion incidents since 2022.
Police raid residence of suspected affiliates (Source: cyberpolice.gov.ua)
In the United States, Nicholas Moore, has pleaded guilty to breaching electronic filing systems tied to the Supreme Court of the United States, AmeriCorps, and the Department of Veterans Affairs. Prosecutors note that he repeatedly accessed the Supreme Court’s restricted system in 2023 using stolen credentials. He also breached AmeriCorps and veterans’ accounts, stealing and leaking sensitive personal and health data. Moore took to Instagram under the account @ihackedthegovernment to post screenshots of his victims’ information. He has since confessed to one count of computer fraud, punishable by one year in prison and a $100,000 fine.
New cybersecurity legislation proposed by the European Commission mandates the removal of high-risk suppliers from telecom networks and shoring up defenses against state-backed and criminal cyber threats targeting critical infrastructure. The plan builds on shortcomings in the EU’s voluntary 5G Security Toolbox, originally designed to limit member’s reliance on high-risk vendors. It also grants the Commission authority to coordinate EU-wide risk assessments across 18 critical sectors, strengthens ICT supply chain security, and streamlines voluntary certification schemes to improve resilience and technological sovereignty.
The Bad | Contagious Interview Attackers Leverage Visual Studio Code to Deploy Backdoors
DPRK-linked threat actors behind the ongoing Contagious Interview campaign are evolving their tactics by using malicious Microsoft Visual Studio Code projects to deliver backdoors.
In new research, the attackers are seen masquerading as recruiters conducting job assessments, instructing targets to clone repositories from platforms like GitHub and open them in VS Code. Once opened, specially crafted task configuration files automatically execute, fetching obfuscated JavaScript payloads hosted on Vercel domains and deploying multi-stage malware.
After the user grants trust in VS Code, its tasks.json file can automatically run embedded commands (Source: Jamf)
This novel technique, first seen last month, leverages VS Code’s runOn: folderOpen feature to trigger execution whenever a project is accessed. Earlier variants delivered the BeaverTail and InvisibleFerret implants, while newer versions disguise droppers as benign spell-check dictionaries to achieve remote code execution.
As part of the final payload, the backdoor logic establishes a continuous execution loop to harvest basic host information and fingerprints systems before executing attacker-supplied code. In some cases, additional scripts are downloaded minutes later to beacon frequently to a remote server, run further commands, and erase traces of activity. Researchers note that parts of the malware may be AI-assisted due to its code structure and inline comments.
Targets are typically software engineers, especially those working in the cryptocurrency, blockchain, and fintech sectors, where access to source code, credentials, and digital assets is valuable. Parallel research shows similar abuse of VS Code tasks to deploy backdoors, cryptominers, and credential-stealing modules via multiple fallback methods.
DPRK-based threat actors are rapidly experimenting with various delivery methods to increase the success of their attacks. Developers can counter the threat by continuing to scrutinize third-party repositories, carefully review task configurations, and install only trusted dependencies.
The Ugly | Attackers Target Misconfigured Training Apps to Access Cloud Environments
Threat actors are targeting misconfigured web applications like DVWA and OWASP Juice Shop to infiltrate cloud environments of Fortune 500 companies and their security vendors.
These intentionally vulnerable apps, designed for security training and internal testing, are exposed publicly and tied to privileged cloud accounts, creating a perfect storm of risks advantageous to attackers. Researchers have found nearly 2000 live, exposed apps, many linked to overly permissive identity access management (IAM) roles on AWS, GCP, and Azure, often using default credentials.
Attackers are leveraging the apps to deploy crypto miners, webshells, and persistence mechanisms. About 20% of found DVMA instances contain malicious artifacts, including XMRig cryptocurrency miners and a self-restoring watchdog.sh script that downloads additional AES-256-encrypted tools and removes competing miners.
PHP webshells like filemanager.php are also being deployed, allowing file operations and command execution, sometimes with indicators hinting at the operators’ origin.
XMRig mining Monero to xmr[.]kryptex[.]network resulting in the attacker keeping 100% of the proceeds (Source: Pentera)These exposed credentials could provide attackers full access to S3 buckets, GCS, and Azure Blob Storage, meaning attackers have read and write permissions to Secrets Manager, can interact with container registries, and obtain admin cloud privileges.
With these attacks active in the wild, organizations are urged to take steps to minimize their risk profile. Key defenses include maintaining a resource inventory, isolating test environments, and enforcing least-privilege IAM roles. By also replacing default credentials and automating resource expiration, organizations can eliminate systemic blind spots in non-production systems.
This week Jonathan chats with Nicholas Adams about OpenRiak! Why is there a Riak and an OpenRiak, which side of the CAP theorem does OpenRiak land on, and why is it so blazingly fast for some operations? Listen to find out!
Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.
Get caught up on the latest technology and startup news from the past week. Here are the most popular stories on GeekWire for the week of Jan. 11, 2026.
More than 150 techies packed the house at a Claude Code meetup event in Seattle on Thursday evening, eager to trade use cases and share how they’re using Anthropic’s fast-growing technology. … Read More
The tech giant’s new “community first” initiative includes pledges to pay full power costs, reject local tax breaks, and replenish more water than it uses — a response to growing backlash against AI infrastructure expansion. … Read More
Microsoft is supporting a Washington state bill to open up underused commercial land for housing, asserting that the larger crisis is solvable only if lawmakers unlock land faster, streamline permitting, and treat housing as a connected system rather than a series of one-off projects. … Read More
Seattle’s commercial real estate market continues to struggle amid remote work and broader pressures including tech layoffs and companies using AI to operate with leaner teams. … Read More
Kelman joined Redfin in 2005, a year after it launched, and helped guide the company from a small Seattle startup into a nationally known real estate brokerage and technology platform. … Read More
The division — which employs roughly 15,000 people — has a strong presence in the Seattle area and is responsible for the company’s “metaverse” technologies that work in conjunction with augmented and virtual reality. … Read More
The e-commerce giant plans to test a new big-box retail concept outside Chicago that mirrors the scale of a Walmart superstore, while layering in Amazon-style technology that blends in-store shopping with app-based ordering. … Read More
The Good | Authorities Arrest 34 in Black Axe Cyber Fraud Crackdown
Spanish police have arrested 34 suspects tied to a cyber fraud network allegedly linked to the Black Axe group, following a joint operation with Europol. After raids across four cities, authorities seized €66,400 in cash, vehicles, devices, and froze €119,350 held in bank accounts.
Investigators say the Nigeria-led ring ran man-in-the-middle (MitM) and business email compromise (BEC) scams, causing over $6 million in losses total. So far, four suspected leaders of the network have been jailed pre-trial as the probe continues into Europe-wide money mule networks.
In other news this week, the latest iteration of BreachForums has suffered another data breach after a MyBB users database was leaked online. This occurred after a site named after the ShinyHunters extortion gang released a 7Zip archive exposing over 323,000 user records and the forum’s PGP private key. While most IP addresses mapped to local loopback values, more than 70,000 resolved to public addresses valuable to cybersecurity researchers and law enforcement.
In Amsterdam, the nation’s Court of Appeal has sentenced a Dutch national to seven years for computer hacking and attempted extortion with evidence stemming from Sky ECC, an end-to-end encrypted chat service that Europol dismantled in 2021. Though one cocaine import charge was dropped, judges upheld the convictions tied to hacking port logistics systems in Rotterdam, Barendrecht, and Antwerp.
The individual was found using malware-laced USB sticks, which then enabled covert drug imports, data theft, and malware re-sale between 2020 and 2021.
The Bad | Researchers Expose ‘Reprompt’ Attack That Could Hijack Microsoft Copilot Sessions
Security researchers have disclosed a novel attack technique dubbed ‘Reprompt’ that could enable attackers to silently hijack a user’s Microsoft Copilot session and exfiltrate sensitive data with a single click. The method abuses how Copilot processes URL parameters, enabling malicious prompts to be injected directly through a legitimate Copilot link.
Reprompt works by embedding hidden instructions in the “q” parameter of a Copilot URL. Should a victim click the link, Copilot automatically executes the malicious prompt within the user’s authenticated session. That session remains active even after the Copilot tab is closed, meaning attackers could continue issuing follow-up commands without further user interaction. Since no plugins, malware, or visible prompts are required, the activity is effectively invisible.
To bypass Copilot’s safeguards, the researchers combined three techniques: parameter-to-prompt (P2) injection, a double-request trick that exploits guardrails applying only to the initial request, and a chain-request model where Copilot dynamically fetches new instructions from an attacker-controlled server.
Combined, these techniques could enable continuous, stealthy data exfiltration, while client-side, legacy security tools would be unable to determine what information was being stolen.
Double request to bypass safeguards (Source: Varonis)
Reprompt only impacts Copilot Personal; those using Microsoft 365 Copilot are not impacted due to additional controls such as auditing, DLP, and administrative restrictions. Varonis disclosed the issue to Microsoft on August 31, 2025 and the vulnerability was addressed in this month’s Patch Tuesday. Currently, there are no reports of in-the-wild exploitation.
The findings, however, are indicative of the risks posed by LLMs and AI assistants. They underscore the need for security teams to understand the attack surface these tools present as their use in enterprise environments continues to proliferate.
The Ugly | Charity-Themed ‘PluggyApe’ Malware Targets Ukrainian Defense Forces
Ukraine’s CERT-UA has reported a charity-themed cyber espionage campaign targeting officials within the country’s Defense Forces between October and December 2025. The activity is attributed with medium confidence to a Russian-aligned threat group tracked as Laundry Bear (aka Void Blizzard or UAC‑0190), a cluster previously linked to the 2024 breach of Dutch police systems.
These attacks have been observed relying heavily on tailored social engineering tactics delivered via Signal and WhatsApp. Targets receive instant messages, often from compromised or spoofed Ukrainian phone numbers, directing them to fake charity websites where they are urged to download password-protected archives.
These archives contain malicious executables disguised as documents, including PIF files built with PyInstaller, which ultimately deploys a Python-based backdoor called ‘PluggyApe’. Once installed, PluggyApe profiles the infected system, assigns a unique victim identifier, and establishes persistence through Windows Registry changes. The malware supports remote command execution and data exfiltration, communicating over WebSocket or MQTT.
Examples of malicious lures (Source: CERT-UA)
Later versions of PluggyApe, observed from December 2025 onward, introduced stronger obfuscation, additional anti-analysis checks, and more resilient command-and-control (C2) mechanisms. Instead of hardcoding C2 infrastructure, the malware dynamically retrieves server addresses from public paste services such as rentry[.]co and pastebin[.com], encoded in Base64, allowing operators to rapidly rotate infrastructure.
CERT-UA emphasized that mobile devices and messaging platforms have become primary attack vectors due to weaker monitoring and widespread trust. Compounding this is the attackers’ demonstrated knowledge of their targets and use of the Ukrainian language, audio, and video communication to increase credibility.
Alongside this campaign, CERT-UA also reports additional activity from other threat clusters targeting Ukrainian defense forces, local governments, and educational institutions using phishing, stealer malware, and open-source backdoors – all pointing to sustained and evolving cyber pressure facing Ukraine’s public sector.
This week Jonathan and Randal chat with Jose Valim about Elixir! What led Jose to create this unique programming language? What do we mean that it’s a functional language with immutability?
Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.
Get caught up on the latest technology and startup news from the past week. Here are the most popular stories on GeekWire for the week of Jan. 4, 2026.
Steven Maheshwary, a former generative AI leader at Amazon, is now a go-to-market lead in strategic partnerships at Anthropic, the AI giant behind Claude and backed by Amazon. … Read More
An AWS VP is switching roles; Seattle gets a new economic development lead; a Microsoft Teams VP departs; and more in the latest tech moves. … Read More
Amazon’s Ring is taking its home-security technology into the parking lot with a $5,000 solar-powered surveillance trailer aimed at construction sites, retail centers, and outdoor events — a move that puts the doorbell maker into more direct competition with commercial security providers. … Read More
Microsoft Research leader Desney Tan is leaving the company after 21 years, closing a career that spanned breakthrough work in human-computer interaction, health “moonshots,” and products including Xbox Kinect and Microsoft Band. … Read More
A former Expedia Group employee who secretly recorded women by hiding spy cameras throughout the company’s Seattle headquarters — including in bathrooms — was sentenced Friday to four years in prison. … Read More
— Karthik Ramakrishnan, who spent the past 14 years at Amazon where he helped develop the company’s AI strategy, has taken a VP role within the Data Cloud organization at Google Cloud. … Read More
The Good | U.K. Government Resets Public-Sector Cybersecurity With £210M Action Plan
The United Kingdom has unveiled a sweeping reset of its public-sector cybersecurity strategy, committing more than £210 million ($283 million) to shore up defenses across government departments and essential services. This investment is part of the new Government Cyber Action Plan, which marks a clear departure from years of fragmented oversight and outdated, legacy technology.
The new Government Cyber Action Plan sets a clear path to strengthen cyber security and boost resilience across the public sector.
The core of the plan is a centralized Government Cyber Unit, tasked with coordinating risk management, setting mandatory security standards, and leading incident response. Digital Government Minister Ian Murray framed the shift as urgent, warning that cyberattacks can take critical public services offline within minutes. Recent incidents like ransomware-driven NHS disruptions and the compromise of Ministry of Defence payroll systems all show that these risks are recurring realities rather than theoretical threats.
The action plan introduces stricter accountability for senior leaders, enhanced visibility into cyber risks, and more robust, centrally coordinated incident response exercises. Strategic government suppliers will also face tougher contractual cybersecurity requirements as concerns over supply chain vulnerabilities grow.
While challenges still remain, this new strategy signals a long-overdue cultural and structural shift. If matched with sustained investment and accountability, it could finally place the U.K. public sector on a more resilient and security-first footing in the face of accelerating cyber threats.
The Bad | China-Linked UAT-7290 Expands Linux-Based Espionage Beyond South Asian Telcos
UAT-7290, a China-linked threat actor, has expanded its cyber espionage operations beyond its focus on South Asian telecommunications firms to include organizations across Southeastern Europe. Active since at least 2022, the group is known for its extensive reconnaissance, network penetration techniques, and heavy reliance on Linux-based malware to compromise public-facing infrastructure.
Cyber researchers assess that UAT-7290 conducts extensive technical profiling of targets before exploiting exposed edge network devices. The actor primarily leverages one-day exploits and targeted SSH brute force attacks, often relying on publicly available proof of concept (PoC) exploit code rather than developing their own. Once initial access is achieved, the group escalates privileges and deploys a modular malware ecosystem tailored for persistence and lateral movement.
UAT-7290’s core tooling centers on Linux implants, beginning with the RushDrop (ChronosRAT) initial dropper, which initiates the infection chain and deploys additional components such as DriveSwitch and the SilentRaid (MystRodX) backdoor. SilentRaid enables long-term access through a plugin-based architecture that supports remote shell access, port forwarding, file operations, and credential-related data collection. While Linux remains the primary focus, the group has occasionally deployed Windows malware – tools commonly shared among China-aligned threat actors.
UAT-7290 is also known for playing a secondary role as an initial access provider. It converts compromised devices into Operational Relay Boxes (ORBs), infrastructure that can later be reused by other Chinese espionage groups, using the Bulbature backdoor.
The tooling and infrastructure overlaps with clusters such as APT10 and Moshen Dragon, reinforcing assessments that UAT-7290 is both an espionage operator and a strategic enabler within the broader Chinese cyber ecosystem.
A series of critical vulnerabilities were recently disclosed in the open-source workflow automation platform n8n, allowing unauthenticated attackers to achieve remote code execution (RCE), perform arbitrary commands, and execute untrusted code leading to full compromise.
Beginning with CVE-2025-68668 dubbed ‘N8scape’, this critical flaw (CVSS 9.9) involves a sandbox bypass in the Python Code Node using Pyodide. It works by affecting n8n versions prior to 2.0.0 and allows users with workflow permissions to execute arbitrary OS commands with the same privileges as the n8n service. With version 2.0.0, a task runner-based native Python implementation that improves security isolation was made default thus addressing the issue.
Shortly afterward, n8n disclosed an even more severe issue tracked as CVE-2026-21877, a CVSS 10.0 vulnerability enabling authenticated remote code execution under certain conditions. Affecting both self-hosted and n8n cloud deployments, the flaw could allow untrusted code execution, eventually leading to compromise of the entire instance. Although the critical flaw is patched in version 1.121.3, administrators are advised to apply the updates quickly, especially given a growing pattern of critical RCE-class vulnerabilities in the platform.
The third and latest disclosure this week, codenamed ‘Ni8mare’ and tracked as CVE-2026-21858 (CVSS 10.0), is a critical flaw that allows complete takeover of affected instances. Exploiting a content-type confusion issue in n8n’s webhook and form handling, attackers can read arbitrary files, extract credentials and encryption keys, forge admin sessions, and ultimately achieve RCE. Researchers noted that a compromised n8n instance becomes a single point of failure due to centralized storage of API keys, OAuth tokens, and infrastructure credentials, making it a veritable data trove for threat actors.
Invoking the content-type-confusion bug (Source: Cyera)
At the time of writing, reports from attack surface management vendors are observing over 26,000 exposed n8n instances online, emphasizing the need for timely patching, controlled exposure, and strict access management.
Get caught up on the latest technology and startup news from the past week. Here are the most popular stories on GeekWire for the week of Dec. 28, 2025.
Angelina “Angy” Smith, who has been chief financial officer at the company since April, assumed the leadership position earlier this month, becoming Rad’s fourth CEO in three years. … Read More
Seattle-area venture capitalists polled by GeekWire say there are clear signs of excess in early-stage AI startups, but they largely reject the idea of a catastrophic bubble and argue the technology is already delivering real value. … Read More
This week on the GeekWire Podcast: The FCC’s decision to add foreign-made drones to its national security “Covered List” could upend the U.S. … Read More
SmarTek21 has sued TGP GP Management, accusing the New York-based advisor of flawed due diligence in a $5.2 million acquisition that has since required repeated cash infusions. … Read More
The Good | Authorities Crackdown on BlackCat and Coinbase Malicious Insiders & Malware Operators
Two former employees from Sygnia and DigitalMint have pleaded guilty for participating in ransomware attacks linking them to the BlackCat (ALPHV, AlphaVM) operation. Ryan Goldberg and Kevin Martin admitted to conspiring to extort U.S. organizations, abusing the same security expertise they once used to defend cyber victims. Working with a third accomplice, they breached multiple companies nationwide and shared roughly 20% of ransom proceeds for access to BlackCat’s infrastructure. Prosecutors say they demanded between $300,000 and $10 million per victim.
Alternative to insider risk at the highest technical levels, similar threats are emerging from much lower in the access chain, too. Indian authorities arrested a former customer support agent for aiding threat actors in the May data breach at Coinbase, a popular cryptoexchange with more arrests are expected. The incident exposed data from roughly 69,500 users after bribed staff at outsourcing partner, TaskUs, enabled access. This news follows charges against Ronald Spektor, accused of stealing $16 million by impersonating Coinbase, highlighting ongoing insider and social engineering risks.
We have zero tolerance for bad behavior and will continue to work with law enforcement to bring bad actors to justice.
Thanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested. Another one down and more still to come.
Beyond insider abuse, attackers are also exploiting everyday user behavior to siphon funds at massive scale. A Lithuanian national was arrested for allegedly infecting 2.8 million systems with clipboard-stealing malware disguised as KMSAuto, an illegal Windows and Office software activator. The suspect used clipper malware to swap cryptocurrency addresses and divert funds to attacker-controlled ones. Korean National Police Agency says the campaign ran from 2020 to 2023, with a total of KRW 1.7 billion ($1.2M) stolen across thousands of transactions. Authorities warn that pirated software is often a key component in how attackers spread malware.
The Bad | Chinese-Based Attackers Deploy Stealthy Kernel‑Mode ‘ToneShell’ Backdoor
Security researchers have uncovered a significantly more stealthy variant of the ToneShell backdoor, a tool long associated with Chinese state-sponsored cyberespionage activity, now delivered via a kernel‑mode loader for the first time. New analysis links the campaign to G0129 (aka Bronze President, TEMP.Hex, Hive0154), a threat actor known for targeting government agencies, NGOs, and think tanks.
The activity, observed since at least February, primarily targets government organizations across Asia, particularly in Myanmar and Thailand. Investigators have found evidence that some victims had previously been compromised by earlier ToneShell variants, PlugX malware, or the ToneDisk USB worm, indicating long‑term persistence across multiple intrusion waves.
What sets this campaign apart is its use of a malicious kernel‑mode mini‑filter driver, ProjectConfiguration.sys, signed with a stolen or leaked digital certificate originally issued to Guangzhou Kingteller Technology Co., Ltd and valid between 2012 to 2015. Operating deep within the Windows kernel, the driver acts as a rootkit: evading static analysis by resolving kernel APIs at runtime, blocking file deletion and registry access, protecting injected processes, and deliberately interfering with Microsoft Defender by manipulating the WdFilter driver’s load order.
The driver ultimately injects two user‑mode payloads, including the updated ToneShell backdoor, which now features enhanced stealth capabilities. Changes also include a simplified host‑ID scheme, network traffic obfuscation using fake TLS headers, and remote administration capabilities such as file transfer and interactive shell access. Communication occurs over TCP port 443 to an attacker‑controlled infrastructure.
ToneShell injection workflow (Source: Securelist)
Researchers note this marks a clear evolution in G0129’s tactics, prioritizing kernel‑level persistence and evasion. As the payload operates almost entirely in memory, memory forensics becomes a critical detection method, alongside monitoring for indicators of compromise tied to the malicious driver and injected shellcode.
The Ugly | Hackers Steal $7M via Compromised Trust Wallet Chrome Extension
After a compromised update to the Trust Wallet Chrome extension went live over the holidays, approximately $7 million has been stolen from nearly 3,000 cryptocurrency wallets. The malicious version 2.68.0 contained a hidden JavaScript file called 4482.js that silently exfiltrated sensitive wallet data, including seed phrases, to an external server, api.metrics-trustwallet[.]com. Users immediately reported funds disappearing after simple wallet authorizations, prompting Trust Wallet to investigate and release a patched version 2.69. CEO Eowyn Chen confirmed the hack and assured users that the company would reimburse affected wallets.
Investigations indicate that attackers likely exploited a leaked Chrome Web Store API key to publish the malicious extension, bypassing Trust Wallet’s standard release procedures. In parallel, threat actors launched a phishing campaign using a Trust Wallet-branded site, fix-trustwallet[.]com, claiming to provide a “vulnerability fix”. Users who entered their seed phrases on the site immediately lost access to their wallets. WHOIS records suggest the phishing domain may be linked to the same actors behind the malicious extension.
Phishing site asking for wallet seed phrases (Source: BleepingComputer)
Trust Wallet, a non-custodial cryptocurrency wallet acquired by Binance in 2018, emphasized that mobile-only users and other browser extension versions were not affected. The company has begun reimbursing victims after verifying wallet ownership, transaction hashes, and affected addresses, while warning users not to share private keys or seed phrases.
Security researchers noted the incident highlights significant risks in browser-based wallets and supply chain attacks, as malicious updates can gain privileged access to funds. Trust Wallet has suspended compromised API keys, reported the malicious domains to registrars, and continues monitoring for scams. Users are strongly advised to immediately update to version 2.69, only use official channels, and verify all communications to protect their crypto assets.
Get caught up on the latest technology and startup news from the past week. Here are the most popular stories on GeekWire for the week of Dec. 21, 2025.
A divided federal appeals court ruled that the University of Washington violated a computer science professor’s First Amendment rights by investigating and warning him over a parody land acknowledgment in a course syllabus, saying student discomfort does not justify retaliation against protected academic speech. … Read More
Matheus Gonçalves built his site as a one-stop status page for anxious skiers and snowboarders looking for updates on when the ski resort and U.S. … Read More
One of Jeff Bezos’ longtime collaborators in the commercial space industry is now one of his high-level executives, potentially ratcheting up competition with SpaceX. … Read More
Space startup’s CEO talks about putting tens of thousands of satellites in orbit to serve as networked data centers — an effort that could become a multibillion-dollar business. … Read More
The Seattle Seahawks gave blind and low-vision fans a new way to follow game action this season as one of several teams testing a device from Seattle startup OneCourt. … Read More
It’s that time of year where we re-visit the wins and challenges from 2025 in our special year-end edition of The Good, The Bad and the Ugly. Here are the biggest stories that defined the best, the worst, and the ugliest cybersecurity moments from this past year.
The Best
2025 has been a year of remarkable victories for law enforcement agencies worldwide, highlighting the power of cross-border coordination. From high-profile arrests to major asset seizures, authorities have steadily dismantled the infrastructure supporting criminal and state-aligned cyber actors.
In the last two weeks, Eurojust led a takedown of Ukrainian call centers defrauding Europeans of €10M and law enforcement seizing servers from E-Note crypto exchange laundering $70M through ransomware and account takeovers. Similarly, the arrest of Ukrainian national Victoria Dubranova for aiding Russian state-backed hacktivists, alongside Spanish authorities capturing a 19-year-old selling 64M stolen records, underscores the growing international effort to hold cybercriminals accountable.
Significant infrastructure disruptions further amplify these successes. Convictions of cybercriminals targeting sensitive systems, such as the prison sentence for the “evil twin” WiFi hacker and seizure of the Cryptomixer crypto mixer with €1.3B laundered since 2016, are tangible results in stopping large-scale fraud. Law enforcement groups also took on multifaceted approaches, combining legal action, sanctions, and operational disruption to arrest Russian and DPRK-related cybercriminals and place sanctions on bulletproof hosting providers and foreign actors.
Our joint guidance on bulletproof hosting providers highlights best practices to mitigate potential cybercriminal activity, including recommended actions that ISPs can implement to decrease the usefulness of BPH infrastructure. Learn more https://t.co/cGQpuLpBPPpic.twitter.com/tM55acfuQv
International coordination has also been key this year. Interpol’s massive operations across Africa, including Operation Serengeti 2.0 and Operation Red Card, led to the arrests of thousands of suspects and the seizure of tens of millions in stolen assets. Europol dismantled SIMCARTEL, a global SIM-box fraud network, seizing servers, SIM cards, crypto, and luxury vehicles, while coordinated actions targeted Diskstation ransomware gangs and hacktivist infrastructures. In parallel, DOJ and CISA-led operations disrupted high-value schemes, including Prince Group’s $15B romance scam and multiple ransomware networks, while releasing decryptors for Phobos and 8Base victims to provide tangible relief. Law enforcement also extended their reach to regulatory and infrastructure initiatives as well, introducing the Cyber Trust Mark certification for IoT devices and HIPAA encryption and MFA updates to ensure cyber safety from the top down.
Source: Group-IB
On the cybersecurity innovation front, CISA’s launch of Thorium, an open-source platform to help government agencies automate forensic investigations, and AI-enabled threat detection systems have allowed authorities to act on incidents more rapidly, from ransomware affiliate seizures to monitoring AI misuse.
The Worst
State-sponsored crime, supply chain abuse, and emerging malware strains have collectively challenged defenders worldwide.
North Korea’s DPRK-linked hackers were prolific throughout 2025, stealing over $2B in cryptocurrency, blending traditional heists with espionage campaigns like Operation Contagious Interview targeting remote workers. Similarly, Iranian-linked UNK_SmudgedSerpent and China-linked TA415 campaigns leveraged phishing, fake platforms, and developer tooling to compromise high-value targets, from policy experts to enterprise networks.
2025 saw developer platforms, open-source ecosystems, and smart contracts become prime targets for threat actors. VS Code extensions like Bitcoin Black and Codo AI exfiltrated credentials from crypto wallets, while NPM packages such as XORIndex and os-info-checker-es6 delivered multi-stage payloads. Novel malware families including SleepyDuck RAT and Betruger backdoors emerged, masquerading as popular extensions on the Open VSX open-source registry and supporting ransomware campaigns, respectively. Even AI-powered attacks emerged, with AkiraBot, Gamma AI phishing, and social engineering campaigns bypassing CAPTCHAs and traditional defenses to exploit SMBs and enterprise targets.
State-aligned and nation-state threat actors also pursued espionage alongside financial crime. Fake job schemes and AI/crypto talent lures enabled targeted malware deployment, while advanced persistent threats like UNC3886 delivered stealthy backdoors to corporate and diplomatic networks. Malicious actors increasingly weaponized cloud services, messaging platforms, and developer tools, blurring the line between operational convenience and attack vectors.
Error message with ClickFix message (Source: Validin)
The Ugliest
The “Ugly” dimension of 2025 was defined by AI-assisted attacks, zero-day exploitation, and ransomware industrialization, which amplified the scale and complexity of cybercrime. Large ransomware operations like CyberVolk resurfaced with AI-driven VolkLocker, automating negotiation, phishing, and multilingual attacks while leveraging Telegram for orchestration. AI also enhanced the capabilities of smaller, fragmented ransomware crews, allowing rapid targeting and payload deployment, though operational flaws sometimes limited effectiveness.
Zero-day vulnerabilities were actively exploited across critical infrastructure and enterprise platforms. React2Shell in React/Next.js, Triofox (CVE-2025-12480), Oracle E-Business Suite (CVE-2025-61884), and ToolShell in SharePoint permitted full system compromise, highlighting that popular frameworks and business-critical software remain high-value targets. Cloud and AI services were similarly exploited; EchoLeak and Google Gemini LLM prompt injections enabled exfiltration of sensitive information without user interaction. Attackers in all these cases demonstrated a capacity to combine stealth, automation, and sophisticated payloads for maximum disruption.
2025 also saw cyber espionage intertwined with physical and geopolitical threats. Iranian-backed Crimson Sandstorm leveraged cyber reconnaissance to support missile strikes, while Chinese and DPRK actors continue to target aid operations, humanitarian NGOs, and government infrastructure, often exploiting IoT, industrial control systems, or open-source software to do so. In cross-border campaigns, long-dwell malware like BRICKSTORM and protocol-level exploits such as MadeYouReset created cascading impacts across critical networks and infrastructure.
PhantomCaptcha infection paths
The risk factor in many attacks this year were amplified by third-party risks. Breaches of Discord vendors, Mixpanel, and GitHub Actions exposed vast quantities of PII and credentials, enabling subsequent ransomware, phishing, or espionage campaigns. The combination of AI, automation, and high-impact vulnerabilities exemplifies a cybercrime industrial complex, where opportunistic and state-aligned actors scale operations with unprecedented speed and sophistication.
Conclusion
As 2025 draws to a close, one thing is clear: Cybersecurity has become more interconnected, more consequential, and more dependent on collective responsibility than ever before. From supply chain fragility and identity-based intrusion to the continued convergence of cybercrime and geopolitics, the challenges ahead demand deeper collaboration, stronger accountability, and a more deliberate approach to trust across the digital ecosystem.
From all of us here at SentinelOne, we wish you a happy, healthy, and secure New Year 2026!
Get caught up on the latest technology and startup news from the past week. Here are the most popular stories on GeekWire for the week of Dec. 14, 2025.
Starbucks has named longtime Amazon executive Anand Varadarajan as its new chief technology officer, tapping a veteran of the tech giant’s grocery and supply chain operations as the coffee chain pushes to modernize technology in its stores. … Read More
Amazon filed a new layoff notice covering 84 Washington employees, but the cuts are unrelated to its October job reductions — stemming instead from a new state disclosure law. … Read More
A key Google partner is starting to display home listing details directly in search results, prompting some industry experts and analysts to question what impact the feature could have on the traffic — and financials — of major portal players like Zillow, Realtor.com and others. … Read More
The filing revealed new details of the privately held company’s ownership structure and financial predicament — including a steady decline in revenue, and liabilities more than double its assets. … Read More
The Microsoft executive behind the company’s recent push into books and print magazines is turning the page on a 28-year career, departing for a chief communications role at Cisco. … Read More
Amazon has quietly started rolling out Alexa.com, bringing its AI-powered Alexa+ assistant to the desktop browser for the first time and completing a long-missing piece of its consumer AI strategy. … Read More
Lisa Qian is Seattle’s first AI Officer; Microsoft recruit AI media leader Julia Beizer from Bloomberg; and DexCare names Rakshay Jain as chief product officer. … Read More
Since launching its flagship product earlier this year, the Seattle startup quickly went “viral,” sold out its first two production runs and built a near-six-figure waitlist. … Read More
The Good | Authorities Dismantle Global Fraud Ring and Crypto Laundering Network
Eurojust officials have dismantled a transnational fraud ring running call centers in Ukraine that scammed European victims out of more than €10 million.
In collaboration with authorities from the Czech Republic, Latvia, Lithuania, and Ukraine, police arrested 12 suspects and conducted 72 searches across three Ukrainian cities, seizing vehicles, weapons, cash, computers, a polygraph machine, and forged IDs.
The network operated multiple call centers employing around 100 people and targeted more than 400 known victims. Scammers impersonated bank employees and police, claimed accounts were compromised, and coerced victims into transferring funds to “safe” accounts. Others used remote access software to steal credentials or collect cash in person.
Further seizures this week targeted the E-Note cryptocurrency exchange, dismantling its servers and domains after determining the service was used to launder more than $70 million in illicit funds. According to the DoJ, the proceeds stemmed largely from ransomware operations and account takeover attacks, routed through a global network of money mules.
The takedown was led by the FBI with support from German and Finnish authorities and Michigan State Police, with investigators confiscating multiple domains, mobile applications, backend servers, and customer databases containing transaction records.
Prosecutors have also unsealed an indictment against alleged operator Mykhalio Petrovich Chudnovets and are charging him with money laundering conspiracy. While no arrests have been made, Chudnovets faces up to 20 years in prison. Authorities say seized records may support further identifications and follow-on enforcement actions.
The Bad | North Korean Hackers Drive Record $2B Crypto Theft Surge in 2025
DPRK-linked threat actors drove a record surge in global cryptocurrency theft this year, claiming at least $2.02 billion of the $3.4 billion+ stolen worldwide between January and early December.
A new report delves into the 51% year-over-year increase, which marks the most severe year on record for DPRK-linked crypto crime while accounting for roughly 76% of all service compromises. Cumulatively, North Korean actors are now estimated to have stolen at least $6.75 billion in cryptocurrency.
Source: Chainalysis
A single incident, attributed to the TraderTraitor cluster, dominated the year: the February breach of Bybit that resulted in losses of approximately $1.5 billion. Beyond Bybit, DPRK-linked actors are also suspected in the theft of $36 million from South Korea’s most popular cryptocurrency exchange, Upbit.
These operations roll up into what is widely referred to as the Lazarus Group, a long-running threat actor tied to Pyongyang’s Reconnaissance General Bureau (RBG), which has historically blended large-scale crypto heists with espionage campaigns such as Contagious Interview, a campaign using fake recruitment-themed lures to deliver malware and harvest job applicant’s data.
The growing scale of DPRK-linked crypto theft shows the profitability of high-value, state-backed operations, also incentivizing other actors to adopt similar tactics, including advanced laundering schemes, affiliate-based attacks, and cross-border exploitation.
For the broader ecosystem, North Korean threat operations continue to both normalize large-scale crypto heists and accelerate the professionalization of illicit networks, complicating attribution and straining global law enforcement resources.
The Ugly | Threat Actors Upscaling Abilities with Widespread Adoption of LLMs
Ransomware operations are undergoing a rapid, dangerous transformation not through novel “super-hacks” but via the industrialized efficiency of Large Language Models (LLMs). A new report by SentinelLABS assesses that LLMs have become a critical operational accelerator, compressing the ransomware lifecycle and dramatically lowering the barrier to entry for novice cybercriminals.
The researchers say that threat actors are now automating reconnaissance, generating localized phishing lures, and triaging massive datasets across language barriers with unprecedented speed and accuracy with the help of LLMs. Ransomware-as-a-Service operators are already claiming to offer AI-assisted tools to affiliates to increase attack productivity.
Global RaaS offering Ai-Assisted Chat
SentinelLABS says attackers are successfully evading commercial guardrails through “prompt smuggling”, a process by which malicious requests are broken down into innocent-looking pieces across multiple chats. The outputs are then stitched together offline to build working attack tools.
The researchers predict that top-tier actors will go further, likely migrating to self-hosted, open-source models like Ollama to entirely avoid provider guardrails. This evolution would allow criminals to operate without telemetry or censorship, effectively weaponizing unrestricted AI.
Real-world campaigns already illustrate this escalation. Anthropic has reported on tools like Claude Code being used to automate entire extortion chains, from technical reconnaissance to calculating optimal ransom demands. In other instances, malware such as QUIETVAULT has been seen hijacking a victim’s own locally installed LLMs to intelligently hunt for crypto-wallets and sensitive files.
While the report adds to the general industry concern around the use of AI by threat actors, it also debunks one of the wider myths in common circulation. The risk from today’s LLMs, the researchers say, isn’t superintelligent malware or novel attack vectors, it’s the more mundane industrialization of extortion with smarter target selection, tailored demands, and faster operational tempo, factors that increasingly complicate attribution and challenge defenders to adapt to a significantly higher-volume threat landscape.
Get caught up on the latest technology and startup news from the past week. Here are the most popular stories on GeekWire for the week of Dec. 7, 2025.
A core group of early Microsoft developers and business leaders reunited this week, 40 years after releasing Windows 1.0, sharing previously untold stories and reflecting on a landmark project that set the stage for a global computing revolution. … Read More
Thirty years after Bill Gates declared Microsoft was going “all-in” on the internet, echoes of that moment are resurfacing in the company’s sweeping AI push. … Read More
Trevor Noah joined a 5th grade computer science class in Bellevue for Code.org’s Hour of AI, a Microsoft-supported initiative, learning alongside students and sharing why he believes kids have an edge over adults in the age of AI. … Read More
Ridwell, the Seattle startup that collects plastic and other hard-to-recycle items from consumers, keeps growing its footprint across the U.S. … Read More
Microsoft has released one of its most detailed looks yet at how people use Copilot — and the results suggest the AI assistant takes on different roles depending on time of day and the device being used. … Read More
Tech and cancer researchers are publicly releasing an AI tool that can perform sophisticated tumor analysis in a fraction of the time and cost of existing methods. … Read More
The Good | U.S. & Spanish Officials Crack Down on Hacktivist & Identity Theft Activities
U.S. officials have charged Ukrainian national Victoria Dubranova for allegedly supporting Russian state-backed hacktivist groups in global critical infrastructure attacks. Extradited earlier this year, Dubranova faces trials in February and April 2026 tied to her suspected involvement in NoName057(16) and CyberArmyofRussia_Reborn (CARR), respectively.
GOT HER: A pro-Russian UKR hacker, Victoria Dubranova, has been arrested in a MASSIVE 99-count indictment for GRU-backed attacks on US water systems and food plants. She’s been extradited — and now there’s a $10M bounty on her GRU bosses! https://t.co/i31z4aXPMFpic.twitter.com/AAKeGQWx0K
The indictment states that NoName057(16) operated as a state-sanctioned effort involving multiple threat actors and a government-created IT center. Their tooling includes a custom DDoS called ‘DDoSia’ used to launch attacks against government and financial agencies as well as critical transportation.
Prosecutors say Russia’s military intelligence service funded and directed CARR, a hacktivist group with over 75,000 Telegram followers and a long record of attacks. Damage to U.S. water systems, an ammonia leak at a Los Angeles facility, and targeting of nuclear and election infrastructure are all attributed to CARR. Dubranova faces up to 27 years on CARR-related charges and 5 years on NoName charges. Multi-million dollar rewards are in place for information on either threat group.
In Spain, authorities have arrested a 19-year-old hacker for the alleged theft and sale of 64 million records stolen from nine organizations. The suspect faces charges including cybercrime, unauthorized access, and privacy violations.
The investigation first started in June after breaches at the unnamed firms were reported. Police later confirmed that the suspect possessed millions of stolen records containing full names, addresses, emails, phone numbers, DNI numbers, and IBAN codes. He reportedly tried to sell the data on multiple forums using six accounts and five pseudonyms.
While officers have seized cryptocurrency wallets containing proceeds from the alleged sales, the total number of individuals affected remains unclear. Given the scale of the crime, Spanish authorities emphasize the seriousness of attempting to monetize stolen personal information.
The Bad | Malicious VS Code Extensions Deploy Stealthy Infostealer Malware
Two malicious Visual Studio Code extensions, Bitcoin Black and Codo AI, were recently discovered on Microsoft’s VS Code Marketplace, infecting developers with information-stealing malware. Each disguised as a harmless color theme and an AI coding assistant, the extensions were published under the alias ‘BigBlack’. While download counts are still low at the time of this writing, both packages point to a clear intent to compromise developer environments.
Researchers note that earlier versions of Bitcoin Black used a PowerShell script to fetch a password-protected payload, briefly flashing a visible window that could alert users. The latest version now has a hidden batch script that quietly downloads a DLL and executable via curl, significantly reducing detection risk. Meanwhile, Codo AI delivers legitimate code-completion via ChatGPT or DeepSeek but embeds a malicious payload alongside these features.
Both extensions deploy the Lightshot screenshot tool paired with a malicious DLL that uses DLL hijacking to load an infostealer called runtime.exe. Once executed, the malware creates a directory under %APPDATA%\Local\ and begins exfiltrating sensitive data from system details and clipboard content to WiFi passwords, screenshots, installed software lists, and running processes. Finally, it launches Chrome and Edge in headless mode to extract cookies and hijack active sessions, targeting several crypto wallets including Phantom, MetaMask, and Exodus.
VirusTotal report for Lightshot.dll (Source: Koi.ai)
Microsoft has since removed both extensions from the Marketplace and the malicious DLL is already flagged by 29 of 72 antivirus engines on VirusTotal. Developers are advised to install extensions only from trusted publishers and stay alert to atypical extension behavior.
The Ugly | CyberVolk Resurfaces With New Telegram-Powered RaaS ‘VolkLocker’
CyberVolk, a pro-Russia hacktivist persona first identified in late 2024, resurfaced this August with a revamped ransomware-as-a-service (RaaS) offering known as VolkLocker (CyberVolk 2.x). SentinelLABS reported this week that the group has pivoted to using Telegram for both automation and customer interaction; however, operations are being undercut by payloads that retain artifacts, allowing victims to recover their files.
VolkLocker is written in Golang and supports both Windows and Linux. Payloads are distributed largely unprotected, with RaaS operators instructed to use UPX for packing. Builders must supply key configuration values including a Bitcoin address, Telegram bot token ID, encryption deadline, file extension, and more.
On execution, the ransomware attempts privilege escalation via the “ms-settings” UAC bypass, performs system and VM checks, and enumerates drives for encryption. A dynamic HTML ransom note then displays a 48-hour countdown, while a separate enforcement timer corrupts the system if deadlines or decryption attempts fail.
Telegram serves as the backbone of the RaaS, offering operators an administrative panel, victim enumeration, broadcast messaging, and optional extensions such as RAT and keylogger control. Recent ads show CyberVolk expanding into standalone tooling with tiered pricing models.
Decryption triggered via backed-up key file
The encryption routine uses AES-256 in GCM mode with a hardcoded master key. Crucially, the key is written in plaintext to a file in %TEMP%, alongside the victim’s unique identifier and the attacker’s Bitcoin address – an apparent leftover test artifact that allows victims to decrypt their own files.
Despite repeated account bans on Telegram, CyberVolk continues to evolve its services. The plaintext key flaw, however, reveals quality-control issues that limit the real-world impact of VolkLocker as-is. SentinelOne’s Singularity Platform detects and blocks behaviors and payloads linked to CyberVolk.
Get caught up on the latest technology and startup news from the past week. Here are the most popular stories on GeekWire for the week of Nov. 30, 2025.
After 10 years, clean energy startup Modern Hydrogen has laid off most of its employees due to funding changes and is undergoing a “broader restructuring effort.” … Read More
The Washington-based company backed by Bill Gates and NVIDIA could be the first to deploy a utility-scale, next-generation reactor in America. … Read More
The announcement confirms reporting by GeekWire last week that revealed Amazon was building out a new rapid-delivery hub at a former Amazon Fresh Pickup site in Seattle’s Ballard neighborhood. … Read More
Does everyone in Seattle hate AI? That’s one of the surprising topics to arise this week in response to a spicy blog post penned by a former Microsoft engineer. … Read More
Yoodli is on a roll. The Seattle startup, which sells AI-powered software to help people practice real-world conversations such as sales calls and feedback sessions, announced a $40 million Series B round on Tuesday to fuel growth. … Read More
Microsoft’s shareholder meeting Friday morning highlighted a sharp divide: executives promoting a “planet-scale” AI future while investors voiced concerns about censorship, bias, privacy, and geopolitical entanglements. … Read More
The Good | Authorities Jail WiFi Hacker, Seize €1.3B Crypto Mixer & Charge Two Malicious Insiders
An Australian national has received just over seven years in prison for running “evil twin” WiFi networks on various flights and airports to steal travelers’ data. Using a ‘WiFi Pineapple’ device as an access point, he cloned legitimate airport SSIDs. Users were then redirected to phishing sites where he harvested their credentials, which were exploited to access women’s accounts and obtain intimate content. Investigators found thousands of images, stolen credentials, and fraudulent WiFi pages. The individual has since pleaded guilty to multiple cybercrime, theft, and evidence-destruction charges.
In Europe, Swiss and German authorities have dismantled the Cryptomixer service, which allegedly laundered over €1.3 billion in Bitcoin since 2016. As part of Operation Olympia, officials seized three servers, 12 TB of data, Tor .onion domains, and €24 million in Bitcoin, with support from Europol and Eurojust. Cryptomixer, accessible on both the clear and dark web as a hybrid mixing service, obscured blockchain transactions for ransomware operators, dark markets, and a variety of criminal groups.
U.S. prosecutors have charged Virginia twin brothers for allegedly conspiring to steal sensitive government data and destroy databases after being fired as federal contractors. Previously sentenced in 2015 for unauthorized access to State Department systems, they returned to contracting roles before facing these latest indictments for fraud, identity theft, and record destruction. The Justice Department says one brother deleted 96 government databases in February 2025, stole IRS and EEOC data, and abused AI for guidance on how to hide evidence. Both men now face lengthy federal penalties if convicted.
The Bad | Investigation Exposes Contagious Interview Remote Worker & Identity Theft Scheme
In a collaborative investigation, researchers have exposed a persistent North Korean infiltration scheme linked to Operation Contagious Interview (aka UNC5267). The researchers observed in real time adversary operators using sandboxed laptops, revealing tactics designed to embed North Korean IT workers in Western companies, especially those within STEM and finance industries.
For the first time ever, we recorded DPRK’s Famous Chollima full attack cycle: interviews, internal chats, every tool they use and every single click they made. Get ready for tons of raw footage.
The operation began when a researcher posed as a U.S. developer targeted by a Contagious Interview recruiter. The attacker attempted to hire the fake developer, requesting full access to their SSN, ID, Gmail, LinkedIn, and 24/7 laptop availability. Virtual machines mimicking real developer laptops where deployed, allowing the researchers to monitor every action without alerting the operators.
The sandbox sessions showed a lightweight but effective toolkit focused on identity theft and remote access rather than malware deployment. Operators were also seen using AI-driven job tools to auto-fill applications and generate interview answers, browser-based OTP generators to bypass MFA, and Google Remote Desktop for persistent control. Reconnaissance commands validated the environment, while connections routed through Astrill VPN matched known Contagious Interview infrastructure. In one session, an operator explicitly requested ID, SSN, and banking details, confirming the goal of full identity and workstation takeover.
The investigation highlights remote hiring as a quiet yet reliable entry point for identity-based attacks. Once inside, attackers can access sensitive dashboards, critical business data, and manager-level accounts. Companies can reduce risk by raising internal awareness and providing safe channels for employees to report suspicious requests, helping prevent infiltration before it escalates into internal compromise.
The Ugly | Researchers Warn of Critical React2Shell RCE Vulnerability in React and Next.js
A critical remote code execution (RCE) vulnerability, dubbed ‘React2Shell’, affecting React Server Components (RSC) and Next.js, is allowing unauthenticated attackers to perform server-side code via malicious HTTP requests.
Discovered by Lachlan Davidson, the flaw stems from insecure deserialization in the RSC ‘Flight’ protocol and impacts packages including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Versions affected include React 19.0 to 19.2.0 and Next.js experimental canary releases 14.3.0 to 16.x below patched versions. Exploitation is highly reliable, even in default deployments, and a single request can compromise the full Node.js process.
The flaw is being tracked as CVE-2025-55182. The technically correct CVE-2025-66478 has now been marked as a duplicate.
The vulnerability exists because RSC payloads are deserialized without proper validation, exposing server functions to attacker-controlled inputs. Modern frameworks often enable RSC by default, leaving developers unknowingly exposed. Fixes are available in React React 19.0, 19.1.0, 19.1.1, and 19.2.0, and Next.js 15.0.5–16.0.7. Administrators are urged to audit environments and update affected packages immediately.
Security researchers warn that cloud environments and server-side applications using default React or Next.js builds are particularly at risk. Exploitation could allow attackers to gain full control over servers, access sensitive data, and compromise application functionality. Reports have already emerged of China-nexus threat groups “racing to weaponize” the flaw.
China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)
December 4, 2025, Amazon Web Services
aws.amazon.com/blogs/securi…
@awscloud.bsky.social
Companies are advised to review deployments, restrict unnecessary server-side exposure, and monitor logs for anomalous RSC requests. Securing default configurations, validating deserialized input, and maintaining a regular patch management schedule can prevent attackers from exploiting framework-level vulnerabilities in production applications. SentinelOne’s blog post on the React2Shell RCE flaw can be found here.
The Good | Poland Detains Russian Hacker Amid Rising Moscow-Linked Sabotage
Poland’s Central Bureau for Combating Cybercrime (CBZC) has arrested a Russian national in Kraków on suspicion of breaching the IT systems of local companies, marking the latest incident tied to what Warsaw describes as Russia’s expanding sabotage and espionage campaign across Europe. According to Polish Interior Minister Marcin Kierwiński, the suspect allegedly compromised corporate-level security defenses to access and manipulate company databases in ways that could have disrupted operations and endangered customers.
Investigators say the man illegally entered Poland in 2022 and later obtained refugee status. He was detained on November 16 by Polish authorities and has since been interrogated, charged, and placed in three months of pre-trial custody. Authorities also believe he may be connected to additional cyberattacks affecting firms in Poland and other EU states, and they are still determining the full scope of the damage.
The arrest comes amid heightened concern over Russian hybrid warfare since Moscow’s invasion of Ukraine in 2022. Poland has linked recent incidents, including sabotage of a railway line and a fire at a major shopping mall, to Russian intelligence activities. The country has shut down all Russian consulates following the events.
EU officials warn that cyberattacks against regional companies and institutions have surged, with many attributed to GRU-backed actors. Other recent disruptions have included payment service outages and leaks of customer data from Polish firms. In response, Polish Digital Affairs Minister Krzysztof Gawkowski plans to invest a record €930 million on bolstering the county’s cybersecurity, underscoring what authorities describe as the urgent need for stronger corporate defenses and deeper international cooperation against increasingly aggressive cyber threats.
The Bad | FBI Warns of Banking Fraud & Account Takeover Schemes Ahead of Holidays
The FBI has issued a PSA about a sharp rise in account takeover (ATO) fraud, with cybercriminals impersonating financial institutions to steal more than $262 million since January 2025. The agency’s Internet Crime Complaint Center (IC3) has received over 5,100 reports this year from victims across individuals, businesses, and organizations across every sector.
The schemes start off with deceiving victims through texts, calls, and emails, posing as bank staff or customer support. They trick targets into revealing their login credentials, multi-factor authentication (MFA) codes, or one-time passcodes (OTPs). Criminals have also been luring victims onto phishing websites engineered to mimic legitimate banking or payroll sites, sometimes boosted through SEO poisoning to appear at the top of search results.
Once inside the victim’s account, fraudsters reset passwords, lock out the rightful owners, and quickly transfer funds into crypto-linked accounts, which makes recovery extremely difficult. Some victims report being manipulated with fabricated claims of fraudulent purchases, or even firearm transactions to incite panic, before being redirected to a second scammer impersonating law enforcement.
As we enter the holiday season, the FBI urges consumers and organizations to monitor their accounts closely, use strong unique passwords, enable MFA, verify URLs, and avoid visiting personal banking sites through search engine results. Victims should immediately contact their financial institutions to request recalls and provide indemnification documents, and then file detailed reports with IC3.
Officials and security experts stress that most ATO cases stem from compromised credentials. Stronger identity verification such as passwordless authentication and enabling manual verification steps remain basic security hygiene necessary for reducing these types of attacks.
The Ugly | OpenAI Alerts API Users After Mixpanel Breach Exposes Limited Data
OpenAI is alerting some ChatGPT API customers that limited personally identifiable information (PII) was exposed after its third-party analytics provider, Mixpanel, was breached. The compromise, stemming from an smishing campaign detected on November 8, affected “limited analytics data related to some users of the API”, but did not compromise ChatGPT or other OpenAI products.
While OpenAI confirmed that sensitive information such as credentials, API keys, requests, and usage data, payment and chat details, or government IDs remained secure, the exposed data may include usernames, email addresses, approximate user location, browser and operating system details, referring websites, and account or organization IDs.
OpenAI said users do not need to reset passwords or regenerate API keys. Some users have reported that CoinTracker, a cryptocurrency tracking platform, may also have been affected, with limited device metadata and transaction counts exposed.
OpenAI has begun an investigation, removed Mixpanel from production services, and is notifying affected users directly. The company warns that the leaked data could be used for phishing or social engineering attacks and advises users to verify any messages claiming to relate to the incident, enable MFA, and to never share account credentials via email, text, or chat.
Mixpanel, in turn, has responded to the incident by securing accounts, revoking active sessions, rotating compromised credentials, blocking the threat actor’s IPs, resetting employee passwords, and implementing new controls to prevent future incidents. The analytics firm also reached out to all impacted customers directly.
The incident highlights the risks posed by third-party service providers and the importance of awareness against phishing, even when no core systems or highly sensitive information are directly compromised.
The Good | Courts Prosecute DPRK Fraud, Ransomware Hosting & Crypto Mixer Ops
Five people have pleaded guilty to helping the DPRK run illicit revenue schemes involving remote IT worker fraud and cryptocurrency theft. The group enabled North Korean operatives to obtain U.S. jobs using false or stolen identities, generating over $2.2 million while impacting 136 companies. The DOJ is also seeking forfeiture of $15 million tied to APT38 cyber-heists. The defendants, Oleksandr Didenko, Erick Prince, Audricus Phagnasay, Jason Salazar, and Alexander Travis, admitted to stealing U.S. identities for overseas workers and laundering stolen funds.
In the U.S., U.K., and Australia, authorities have issued a coordinated sanction against Russian bulletproof hosting (BPH) providers that enable ransomware groups by leasing servers to support malware delivery, phishing attacks, and illicit content hosting. To help cybercriminals evade capture, BPH services ignore abuse reports and law enforcement takedowns. OFAC has sanctioned Media Land, its sister companies, and three executives all tied to LockBit, BlackSuit, Play, and other threat groups. Five Eyes agencies also released guidance to help ISPs detect and block malicious infrastructure used by BPH services.
Our joint guidance on bulletproof hosting providers highlights best practices to mitigate potential cybercriminal activity, including recommended actions that ISPs can implement to decrease the usefulness of BPH infrastructure. Learn more https://t.co/cGQpuLpBPPpic.twitter.com/tM55acfuQv
The founders of Samourai Wallet, a cryptocurrency mixing service, have been sentenced to prison for laundering over $237 million. Operating since 2015, Samourai used its ‘Whirlpool’ mixing system and ‘Ricochet’ multi-hop transactions to obscure Bitcoin flows. These features made tracing more difficult and enabled criminals involved in darknet markets, drug trafficking, and cybercrime to launder more than $2 billion. Authorities seized the platform, including its servers, domains, and mobile app, while the founders agreed to forfeit all traceable proceeds. CEO Keonne Rodriguez has received five years, while CTO William Lonergan Hill received four along with supervised release. The pair were ordered to pay fines of $250,000 each.
The Bad | DPRK Actors Build Fake Job Platform to Lure AI Talent & Push Malware
As part of their ongoing and evolving Contagious Interview campaign, DPRK-based threat actors have created a fake job platform designed to compromise legitimate job seekers, particularly in the AI research, software development, and cryptocurrency verticals. While earlier fraudulent IT-worker schemes relied on targeting individuals through phishing on social media platforms, the latest tactic weaponizes a fully functional hiring pipeline.
Researchers discovered the latest lure – a Next.js-based job portal hosted at lenvny[.]com, complete with dozens of fabricated AI and crypto-industry job listings. The listings mimic branding from major tech companies and feature a polished UI and full recruitment workflow that mirrors modern hiring systems, encouraging applicants to submit resumes and professional links before prompting them to record a video introduction.
This final step triggers the DPRK-favored ClickFix technique: When applicants copy the fake interview instructions, a hidden clipboard hijacker swaps their text with a multi-stage malware command. When pasted into a terminal, it downloads and executes staged payloads under the guise of a “driver update”, ultimately launching a VBScript-based loader. This design blends seamlessly with typical remote-work interview processes and dramatically increases the likelihood of accidental execution.
Error message with ClickFix message (Source: Validin)
The platform also performs strategic filtering, attracting AI and crypto professionals specifically as their skills, network access, and workstation devices tend to align with DPRK’s intelligence and financial priorities including model-training infrastructure to crypto exchange systems. The campaign reflects significant maturation in DPRK social engineering tradecraft, pairing high-fidelity UI design with covert malware delivery. Job seekers are advised to verify domains, avoid off-platform hiring systems, and execute any requested code only in sandboxed environments.
The Ugly | Iran-Backed Actors Weaponize Cyber Recon to Power Real-World Attacks
Iranian-linked threat actors are using cyber operations to support real-world military activity, a pattern described by researchers as “cyber-enabled kinetic targeting”.
In the past, conventional security models separated cyber and physical domains – delineations that are proving artificial in today’s socioeconomic and political climate. Now, these are not just cyber incidents that cause physical impact, but rather coordinated campaigns upon which digital operations are built to advance military objectives.
One example involves Crimson Sandstorm (aka Tortoiseshell and TA456), a group tied to Iran’s Islamic Revolutionary Guard Corps (IRGC). Between December 2021 and January 2024, the group probed a ship’s Automatic Identification System (AIS) before expanding their operations to other maritime platforms. On January 27, 2024, the group searched for AIS location data on one particular shipping vessel. Days later, that same ship was targeted in an unsuccessful missile strike by Iranian-backed Houthi forces, which have mounted repeated missile attacks on commercial shipping in the Red Sea amid the Israel–Hamas conflict.
A second case highlights Mango Sandstorm (aka Seedworm and TA450), a group affiliated with Iran’s Ministry of Intelligence and Security (MOIS). In May, the group set up infrastructure for cyber operations and gained access to compromised CCTV feeds in Jerusalem to gather real-time visual intelligence. Just a month later, the Israel National Cyber Directorate confirmed Iranian attempts to access cameras during large-scale attacks, reportedly to get feedback on where the missiles hit and improve precision. Both highlighted cases show the attackers’ reliance on routing traffic through anonymizing VPNs to prevent attribution.
The divide between digital intrusions and physical warfare continues to blur. With nation state groups leveraging cyber reconnaissance as a precursor for physical attacks, it is likely we will continue to see significant developments in this kind of hybrid warfare.
Login
