Category: Cybersecurity

  • A New Maturity Model for Browser Security: Closing the Last-Mile Risk


    Despite years of investment in Zero Trust, SSE, and endpoint protection, many enterprises are still leaving one critical layer exposed: the browser.

    It’s where 85% of modern work now happens. It’s also where copy/paste actions, unsanctioned GenAI usage, rogue extensions, and personal devices create a risk surface that most security stacks weren’t designed to handle. For security leaders who know this blind spot exists but lack a roadmap to fix it, a new framework may help.

    The Secure Enterprise Browser Maturity Guide: Safeguarding the Last Mile of Enterprise Risk, authored by cybersecurity researcher Francis Odum, offers a pragmatic model to help CISOs and security teams assess, prioritize, and operationalize browser-layer security. It introduces a clear progression from basic visibility to real-time enforcement and ecosystem integration, built around real-world threats, organizational realities, and evolving user behavior.

    Why the Browser Has Become the Security Blind Spot

    Over the past three years, the browser has quietly evolved into the new endpoint of the enterprise. Cloud-first architectures, hybrid work, and the explosive growth of SaaS apps have made it the primary interface between users and data.

    • 85% of the workday now happens inside the browser
    • 90% of companies allow access to corporate apps from BYOD devices
    • 95% report experiencing browser-based cyber incidents
    • 98% have seen BYOD policy violations

    And while most security programs have hardened identity layers, firewalls, and email defenses, the browser remains largely ungoverned. It’s where sensitive data is copied, uploaded, pasted, and sometimes leaked, with little or no monitoring.

    Traditional Tools Weren’t Built for This Layer

    The guide breaks down why existing controls struggle to close the gap:

    • DLP scans files and email, but misses in-browser copy/paste and form inputs.
    • CASB protects sanctioned apps, but not unsanctioned GenAI tools or personal cloud drives.
    • SWGs block known bad domains, but not dynamic, legitimate sites running malicious scripts.
    • EDR watches the OS, not the browser’s DOM.

    This reflects what is described as the “last mile” of enterprise IT, the final stretch of the data path where users interact with content and attackers exploit the seams.

    GenAI Changed the Game

    A core theme of the guide is how browser-based GenAI usage has exposed a new class of invisible risk. Users routinely paste proprietary code, business plans, and customer records into LLMs with no audit trail.

    • 65% of enterprises admit they have no control over what data goes into GenAI tools
    • Prompts are effectively unsanctioned API calls
    • Traditional DLP, CASB, and EDR tools offer no insight into these flows

    The browser is often the only enforcement point that sees the prompt before it leaves the user’s screen.

    The Secure Enterprise Browser Maturity Model


    To move from reactive response to structured control, the guide introduces a three-stage maturity model for browser-layer security:

    Stage 1: Visibility

    “You can’t protect what you can’t see.”

    Organizations at this stage begin by illuminating browser usage across devices, especially unmanaged ones.

    • Inventory browsers and versions across endpoints
    • Capture telemetry: uploads, downloads, extension installs, session times
    • Detect anomalies (e.g., off-hours SharePoint access, unusual copy/paste behavior)
    • Identify shadow SaaS and GenAI usage without blocking it yet

    Quick wins here include audit-mode browser extensions, logging from SWGs, and flagging outdated or unmanaged browsers.

    Stage 2: Control & Enforcement

    Once visibility is in place, teams begin actively managing risk within the browser:

    • Enforce identity-bound sessions (e.g., block personal Gmail login from corp session)
    • Control uploads/downloads to/from sanctioned apps
    • Block or restrict unvetted browser extensions
    • Inspect browser copy/paste actions using DLP classifiers
    • Display just-in-time warnings (e.g., “You’re about to paste PII into ChatGPT”)

    This stage is about precision: applying the right policies in real-time, without breaking user workflows.
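As an added example (it is not code from the guide or from any vendor's product), here is a minimal version of the Stage 2 paste inspection listed above and of the GenAI prompt control discussed earlier: classify clipboard text with a few DLP detectors, then allow, warn, or block depending on where the paste is going. The host lists, the detector set and the allow/warn/block policy are assumptions chosen for illustration; in a real deployment this logic runs in a browser extension's paste handler and the resulting event is shipped to the SIEM.

```python
import re

# Constructed policy for illustration; host names and data classes are assumptions.
SANCTIONED_HOSTS = {"sharepoint.corp.example", "jira.corp.example"}
GENAI_HOSTS = {"chatgpt.com", "chat.openai.com", "gemini.google.com", "claude.ai"}

# Detectors: (label, regex). The SSN pattern rejects impossible area/group/serial
# values; the card pattern is deliberately loose and is tightened by Luhn below.
DETECTORS = [
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("pan", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
    ("aws_access_key", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from the loose card-number regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive-data labels found in pasted text."""
    labels = set()
    for label, rx in DETECTORS:
        for m in rx.finditer(text):
            if label == "pan" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # 13-19 digits that fail Luhn are not a card number
            labels.add(label)
    return labels


def decide_paste(text: str, destination_host: str) -> tuple:
    """Policy decision for one paste event: (action, labels).

    allow - nothing sensitive, or a sanctioned corporate destination (logged only)
    warn  - sensitive data going to an unknown site: show a just-in-time prompt
    block - credentials or card data going to a GenAI tool: stop it on the page
    """
    labels = classify(text)
    if not labels or destination_host in SANCTIONED_HOSTS:
        return ("allow", labels)
    if destination_host in GENAI_HOSTS and labels & {"pan", "aws_access_key"}:
        return ("block", labels)
    return ("warn", labels)


def paste_event(user: str, destination_host: str, text: str) -> dict:
    """Telemetry record for the SIEM; never carries the pasted content itself."""
    action, labels = decide_paste(text, destination_host)
    return {"user": user, "host": destination_host, "action": action,
            "labels": sorted(labels), "chars": len(text)}


if __name__ == "__main__":
    print(paste_event("alice", "chatgpt.com", "Customer SSN 123-45-6789"))
```

The Luhn step matters more than it looks: any 13 to 19 digit run (phone numbers, ticket IDs) would otherwise trip the card detector and train users to click through the warning.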

    Stage 3: Integration & Usability

    At full maturity, browser-layer telemetry becomes part of the larger security ecosystem:

    • Events stream into SIEM/XDR alongside network and endpoint data
    • Risk scores influence IAM and ZTNA decisions
    • Browser posture is integrated with DLP classifications and compliance workflows
    • Dual browsing modes (work vs. personal) preserve privacy while enforcing policy
    • Controls extend to contractors, third parties, and BYOD—at scale

    In this phase, security becomes invisible but impactful, reducing friction for users and mean-time-to-response for the SOC.

    A Strategic Roadmap, Not Just a Diagnosis

    The guide doesn’t just diagnose the problem, it helps security leaders build an actionable plan:

    • Use the browser security checklist to benchmark current maturity
    • Identify fast, low-friction wins in Stage 1 (e.g., telemetry, extension audits)
    • Define a control policy roadmap (start with GenAI usage and risky extensions)
    • Align telemetry and risk scoring with existing detection and response pipelines
    • Educate users with inline guidance instead of blanket blocks

    It also includes practical insights on governance, change management, and rollout sequencing for global teams.


    Why This Guide Matters

    What makes this model especially timely is that it doesn’t call for a rip-and-replace of existing tools. Instead, it complements Zero Trust and SSE strategies by closing the final gap where humans interact with data.

Security architecture has evolved to protect where data lives. But to protect where data moves (copy, paste, prompt, upload), we need to rethink the last mile.

    The Secure Enterprise Browser Maturity Guide is available now for security leaders ready to take structured, actionable steps to protect their most overlooked layer. Download the full guide and benchmark your browser-layer maturity.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • OneClik Red Team Campaign Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors


    Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft’s ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas sectors.

    “The campaign exhibits characteristics aligned with Chinese-affiliated threat actors, though attribution remains cautious,” Trellix researchers Nico Paulo Yturriaga and Pham Duy Phuc said in a technical write-up.

    “Its methods reflect a broader shift toward ‘living-off-the-land’ tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms.”

    The phishing attacks, in a nutshell, make use of a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon that’s designed to communicate with attacker-controlled infrastructure that’s obscured using Amazon Web Services (AWS) cloud services.

    ClickOnce is offered by Microsoft as a way to install and update Windows-based applications with minimal user interaction. It was introduced in .NET Framework 2.0. However, the technology can be an attractive means for threat actors looking to execute their malicious payloads without raising any red flags.


    As noted in the MITRE ATT&CK framework, ClickOnce applications can be used to run malicious code through a trusted Windows binary, “dfsvc.exe,” that’s responsible for installing, launching, and updating the apps. The apps are launched as a child process of “dfsvc.exe.”

    “Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install,” MITRE explains. “As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.”

    Trellix said the attack chains begin with phishing emails containing a link to a fake hardware analysis website that serves as a conduit for delivering a ClickOnce application, which, in turn, runs an executable using dfsvc.exe.

The executable is a ClickOnce loader that is hijacked through AppDomainManager injection, a .NET technique in which the application's configuration points the runtime at an attacker-controlled assembly that is loaded before the program's own code runs; the injected code ultimately decrypts shellcode in memory to load the RunnerBeacon backdoor.
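The two ClickOnce facts above (applications run as children of dfsvc.exe; AppDomainManager injection redirects a .NET program's startup into an attacker-supplied assembly) translate directly into detection logic. The following is an added example, not Trellix's tooling and not an indicator from the campaign: it triages constructed process-creation records for dfsvc.exe children and scans a constructed .exe.config for the runtime/appDomainManagerAssembly and appDomainManagerType settings that the injection technique relies on. File names, paths and assembly names are invented for illustration; only dfsvc.exe, the per-user Apps\2.0 deployment cache and the config element names are real.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Binaries a ClickOnce application should never need to spawn.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                   "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation records (Sysmon Event ID 1 fields, trimmed).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Apps\2.0\K1A2B3C4\HwAnalyzer.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def triage_event(ev: dict):
    """Return (severity, reason) for a dfsvc.exe child, or None if it is not one."""
    if _basename(ev.get("ParentImage", "")) != "dfsvc.exe":
        return None
    image = ev.get("Image", "")
    name = _basename(image)
    if name in LOLBIN_CHILDREN:
        return ("high", f"dfsvc.exe spawned living-off-the-land binary {name}")
    # Legitimate ClickOnce apps run from the per-user deployment cache.
    if "\\apps\\2.0\\" not in image.lower():
        return ("high", f"dfsvc.exe spawned {name} outside the ClickOnce cache")
    # Expected location, but still worth a record: a malicious ClickOnce app starts here too.
    return ("medium", f"ClickOnce application {name} launched from the deployment cache")


def triage(events: list) -> list:
    """Collect (image, severity, reason) for every record that matched."""
    findings = []
    for ev in events:
        hit = triage_event(ev)
        if hit is not None:
            findings.append((ev["Image"], hit[0], hit[1]))
    return findings


# Constructed .NET application config files for the second check.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="HwAnalyzerHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HwAnalyzerHelper.Manager" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""


def appdomainmanager_indicators(config_xml: str) -> dict:
    """Return the runtime/appDomainManager* settings present in an app .config.

    A non-empty result means the CLR will load the named assembly and instantiate
    the named AppDomainManager type before the application's Main runs. The same
    redirection can be set per process through the APPDOMAIN_MANAGER_ASM and
    APPDOMAIN_MANAGER_TYPE environment variables, which a config scan cannot see.
    """
    root = ET.fromstring(config_xml)
    found = {}
    for runtime in root.iter("runtime"):
        for tag in ("appDomainManagerAssembly", "appDomainManagerType"):
            el = runtime.find(tag)
            if el is not None:
                found[tag] = el.get("value", "")
    return found


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
    print(appdomainmanager_indicators(SUSPICIOUS_CONFIG))
```

Because every legitimate ClickOnce application is also a dfsvc.exe child, the cache-location finding is a medium-severity record to enrich with signer and publisher data rather than an alert on its own; the high-severity cases (shell or script hosts, or an image outside the cache) are the ones to page on.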

The Golang implant can communicate with a command-and-control (C2) server over HTTP(S), WebSockets, raw TCP, and SMB named pipes, allowing it to perform file operations, enumerate and terminate running processes, execute shell commands, escalate privileges using token theft and impersonation, and achieve lateral movement.

    Additionally, the backdoor incorporates anti-analysis features to evade detection, and supports network operations like port scanning, port forwarding, and SOCKS5 protocol to facilitate proxy and routing features.

    “RunnerBeacon’s design closely parallels known Go-based Cobalt Strike beacons (e.g. the Geacon/Geacon plus/Geacon Pro family),” the researchers said.

    “Like Geacon, the set of commands (shell, process enumeration, file I/O, proxying, etc.) and use of cross-protocol C2 are very similar. These structural and functional similarities suggest RunnerBeacon may be an evolved fork or a privately modified variant of Geacon, tailored for stealthier, and cloud-friendly operations.”

Three different variants of OneClik have been observed in March 2025 alone: v1a, BPI-MDM, and v1d, with each iteration demonstrating progressively improved capabilities to fly under the radar. That said, a variant of RunnerBeacon was already identified in September 2023 at an oil and gas company in the Middle East.

Although techniques like AppDomainManager injection have been used by China- and North Korea-linked threat actors in the past, the activity has not been formally attributed to any known threat actor or group. Trellix told The Hacker News that it did not have any more details to share on the scale of these attacks and the regions that have been targeted.

    The development comes as QiAnXin detailed a campaign mounted by a threat actor it tracks as APT-Q-14 that has also employed ClickOnce apps to propagate malware by exploiting a zero-day cross-site scripting (XSS) flaw in the web version of an unnamed email platform. The vulnerability, it said, has since been patched.

The XSS flaw is triggered automatically when a victim opens a phishing email, causing the download of the ClickOnce app. “The body of the phishing email comes from Yahoo News, which coincides with the victim industry,” QiAnXin noted.

    The intrusion sequence serves a mailbox instruction manual as a decoy, while a malicious trojan is stealthily installed on the Windows host to collect and exfiltrate system information to a C2 server and receive unknown next-stage payloads.


    The Chinese cybersecurity company said APT-Q-14 also focuses on zero-day vulnerabilities in email software for the Android platform.

    APT-Q-14 has been described by QiAnXin as originating from Northeast Asia and having overlaps with other clusters dubbed APT-Q-12 (aka Pseudo Hunter) and APT-Q-15, which are assessed to be sub-groups within a South Korea-aligned threat group known as DarkHotel (aka APT-C-06).

    Earlier this week, Beijing-based 360 Threat Intelligence Center disclosed DarkHotel’s use of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate Microsoft Defender Antivirus and deploy malware as part of a phishing attack that delivered fake MSI installation packages in February 2025.

    The malware is engineered to establish communication with a remote server to download, decrypt, and execute unspecified shellcode.

    “In general, the [hacking group’s] tactics have tended to be ‘simple’ in recent years: Different from the previous use of heavy-weight vulnerabilities, it has adopted flexible and novel delivery methods and attack techniques,” the company said. “In terms of attack targets, APT-C-06 still focuses on North Korean-related traders, and the number of targets attacked in the same period is greater.”



    Source: thehackernews.com…

  • U.S. Arrests Facilitator in North Korean IT Worker Scheme; Seizes 29 Domains and Raids 21 Laptop Farms

    The U.S. Department of Justice (DoJ) on Monday announced sweeping actions targeting the North Korean information technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

    The coordinated action saw searches of 21 known or suspected “laptop farms” between June 10 and 17, 2025 across 14 states in the U.S. that were put to use by North Korean IT workers to remotely connect to victim networks via company-provided laptop computers.

    “The North Korean actors were assisted by individuals in the United States, China, United Arab Emirates, and Taiwan, and successfully obtained employment with more than 100 U.S. companies,” the DoJ said.

The North Korean IT worker scheme has become one of the crucial cogs in the Democratic People’s Republic of Korea (DPRK) revenue generation machine, bypassing international sanctions. The fraudulent operation, described by cybersecurity company DTEX as a state-sponsored crime syndicate, involves North Korean actors obtaining employment with U.S. companies as remote IT workers, using a mix of stolen and fictitious identities.

    Once they land a job, the IT workers receive regular salary payments and gain access to proprietary employer information, including export controlled U.S. military technology and virtual currency. In one incident, the IT workers are alleged to have secured jobs at an unnamed Atlanta-based blockchain research and development company and stole over $900,000 in digital assets.

    North Korean IT workers are a serious threat because not only do they generate illegal revenues for the Hermit Kingdom through “legitimate” work, but they also weaponize their insider access to harvest sensitive data, steal funds, and even extort their employers in exchange for not publicly disclosing their data.

    “These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Department’s National Security Division.

    Last month, the DoJ said it had filed a civil forfeiture complaint in the U.S. District Court for the District of Columbia that targeted over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets linked to the global IT worker scheme.


    “North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft,” said Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division. “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime.”

Chief among the actions announced Monday is the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey, who has been accused of perpetrating a multi-year fraud scheme in collusion with co-conspirators to get remote IT work with U.S. companies, ultimately generating more than $5 million in revenue.

    Other individuals who participated in the scheme include six Chinese and two Taiwanese nationals –

    • Jing Bin Huang (靖斌 黄)
    • Baoyu Zhou (周宝玉)
    • Tong Yuze (佟雨泽)
    • Yongzhe Xu (徐勇哲 and يونجزهي أكسو)
    • Ziyou Yuan (زيو)
    • Zhenbang Zhou (周震邦)
    • Mengting Liu (劉 孟婷), and
    • Enchia Liu (刘恩)

    According to the indictment, the defendants and other co-conspirators compromised the identities of more than 80 U.S. individuals to obtain remote jobs at more than 100 U.S. companies between 2021 and October 2024. The overseas IT workers are believed to have been assisted by U.S.-based facilitators, Kejia “Tony” Wang, Zhenxing “Danny” Wang, and at least four others, with Kejia Wang even traveling to China in 2023 to meet overseas co-conspirators and IT workers and discuss the scheme.

To trick the companies into thinking that the remote workers are based in the U.S., Wang et al. received and hosted the company-issued laptops at their residences, and enabled the North Korean threat actors to connect to these devices using KVM (short for “keyboard-video-mouse”) switches like PiKVM or TinyPilot.
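One detection that follows from the laptop-farm setup described above (an added heuristic, not something from the DoJ filings or DTEX): company laptops hosted at one residence all reach the corporate VPN or identity provider from the same residential IP address, so a single source IP carrying sign-ins from several unrelated employees, each on their own corporate device, deserves a look. The sign-in records below are constructed, the office egress range and the threshold of three distinct users are assumptions, and a real deployment would add ISP/residential lookups and HR location data before acting on a hit.

```python
import ipaddress
from collections import defaultdict

# Assumed corporate egress ranges (offices, VPN concentrators) where many users
# behind one IP is normal. 192.0.2.0/24 is a documentation range used as a stand-in.
CORPORATE_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]
MIN_USERS_PER_IP = 3  # assumption: two employees at one home (e.g. a couple) is common

# Constructed IdP sign-in records: (timestamp, user, source_ip, device_id).
SAMPLE_SIGNINS = [
    ("2025-06-10T13:02:11Z", "r.miller", "203.0.113.7",  "LT-1042"),
    ("2025-06-10T13:05:40Z", "s.patel",  "203.0.113.7",  "LT-2210"),
    ("2025-06-10T14:11:03Z", "k.nguyen", "203.0.113.7",  "LT-0871"),
    ("2025-06-11T02:47:19Z", "j.ortega", "203.0.113.7",  "LT-3305"),
    ("2025-06-10T09:00:02Z", "a.lee",    "198.51.100.5", "LT-5001"),
    ("2025-06-10T09:01:55Z", "b.lee",    "198.51.100.5", "LT-5002"),
    ("2025-06-10T08:30:00Z", "c.jones",  "192.0.2.15",   "LT-6001"),
    ("2025-06-10T08:31:00Z", "d.kim",    "192.0.2.15",   "LT-6002"),
    ("2025-06-10T08:32:00Z", "e.shah",   "192.0.2.15",   "LT-6003"),
    ("2025-06-10T08:33:00Z", "f.brown",  "192.0.2.15",   "LT-6004"),
]


def is_corporate_egress(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_EGRESS)


def cluster_by_ip(signins) -> dict:
    """Map source IP -> {"users": set of accounts, "devices": set of device IDs}."""
    clusters = defaultdict(lambda: {"users": set(), "devices": set()})
    for _ts, user, ip, device in signins:
        clusters[ip]["users"].add(user)
        clusters[ip]["devices"].add(device)
    return clusters


def suspected_laptop_farms(signins, min_users: int = MIN_USERS_PER_IP) -> list:
    """Return [(ip, sorted users, device count)] for non-corporate IPs shared by
    at least `min_users` distinct accounts, each signing in from its own device."""
    hits = []
    for ip, c in cluster_by_ip(signins).items():
        if is_corporate_egress(ip):
            continue
        if len(c["users"]) >= min_users and len(c["devices"]) >= min_users:
            hits.append((ip, sorted(c["users"]), len(c["devices"])))
    return sorted(hits)


if __name__ == "__main__":
    for ip, users, n_dev in suspected_laptop_farms(SAMPLE_SIGNINS):
        print(f"{ip}: {len(users)} accounts on {n_dev} devices -> {', '.join(users)}")
```

The device-count condition is what separates a farm from a shared office or a home with two employees: one person hopping between two accounts on one laptop never reaches the threshold, while four issued laptops behind one residential IP do.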

    “Kejia Wang and Zhenxing Wang also created shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses,” the DoJ said. “Kejia Wang and Zhenxing Wang established these and other financial accounts to receive money from victimized U.S. companies, much of which was subsequently transferred to overseas co‑conspirators.”

    In return for providing these services, Wang and his co-conspirators are estimated to have received no less than $696,000 from the IT workers.

    Separately, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주), and Chang Nam Il (창남일), with stealing more than $900,000 from the blockchain company located in Atlanta.

    Court documents allege that the defendants traveled to the United Arab Emirates on North Korean documents in October 2019 and worked together as a team. Sometime between December 2020 and May 2021, Kim Kwang Jin and Jong Pong Ju were hired as developers by the blockchain company and a Serbian virtual token company, respectively. Then, acting on the recommendation of Jong Pong Ju, the Serbian company hired Chang Nam Il.

    After Kim Kwang Jin and Jong Pong Ju gained their employers’ trust and were assigned projects that granted them access to the firm’s virtual currency assets, the threat actors proceeded to steal the assets in February and March 2022, in one case altering the source code associated with two of the company’s smart contracts.

    The stolen proceeds were then laundered using a cryptocurrency mixer service known as Tornado Cash and eventually transferred to virtual currency exchange accounts controlled by Kang Tae Bok and Chang Nam Il. These accounts, the DoJ said, were opened using fraudulent Malaysian identification documents.

    “These arrests are a powerful reminder that the threats posed by DPRK IT workers extend beyond revenue generation,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News in a statement. “Once inside, they can conduct malicious activity from within trusted networks, posing serious risks to national security and companies worldwide.”

    “The U.S. government’s actions […] are absolutely top notch and a critical step in disrupting this threat. DPRK actors are increasingly utilizing front companies and trusted third parties to slip past traditional hiring safeguards, including observed instances of those in sensitive sectors like government and the defense industrial base. Organizations must look beyond their applicant portals and reassess trust across their entire talent pipeline because the threat is adapting as we are.”

    Microsoft Suspends 3,000 Email Accounts Tied to IT Workers

    Microsoft, which has been tracking the IT worker threat under the moniker Jasper Sleet (previously Storm-0287) since 2020, said it has suspended 3,000 known Outlook/Hotmail accounts created by the threat actors as part of its broader efforts to disrupt North Korean cyber operations. The activity cluster is also tracked as Nickel Tapestry, Wagemole, and UNC5267.

    The worker fraud scheme starts with setting up identities such that they match the geolocation of their target organizations, after which they are digitally fleshed out through social media profiles and fabricated portfolios on developer-oriented platforms like GitHub to give the personas a veneer of legitimacy.


    The tech giant called out the IT workers’ exploitation of artificial intelligence (AI) tools to enhance images and change voices in order to boost the credibility of their job profiles and appear more authentic to employers. The IT workers have also been found to set up fake profiles on LinkedIn to communicate with recruiters and apply for jobs.

    “These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities,” the Microsoft Threat Intelligence team said.

    Another noteworthy tactic embraced by Jasper Sleet revolves around posting facilitator job ads under the guise of remote job partnerships to help IT workers secure employment, pass identity checks, and work remotely. As the relationship with the facilitators grows, they may also be tasked with creating a bank account for the IT workers, or purchasing mobile phone numbers or SIM cards.

    Furthermore, the witting accomplices are responsible for validating the IT workers’ bogus identities during the employment verification process using online background check service providers. The submitted documents include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident identification cards.

    As a way to counter the threat, Microsoft said it has developed a custom machine learning solution powered by proprietary threat intelligence that can surface suspicious accounts exhibiting behaviors that align with known DPRK tradecraft for follow-on actions.

    “North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries,” Redmond said. “In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees.”



    Source: thehackernews.com…

  • Google Patches Critical Zero-Day Flaw in Chrome’s V8 Engine After Active Exploitation

Jul 01, 2025 | Ravie Lakshmanan | Vulnerability / Browser Security

    Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild.

The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine.

    “Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page,” according to a description of the bug on the NIST’s National Vulnerability Database (NVD).

    Type confusion vulnerabilities can have severe consequences as they can be exploited to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.

    Zero-day bugs like this are especially risky because attackers often start using them before a fix is available. In real-world attacks, these flaws can let hackers install spyware, launch drive-by downloads, or quietly run harmful code — sometimes just by getting someone to open a malicious website.

    Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 25, 2025, indicating that it may have been weaponized in highly targeted attacks.

    The involvement of Google’s Threat Analysis Group often signals that an exploit may be linked to targeted attacks — possibly involving nation-state actors or surveillance operations. TAG typically investigates serious threats like phishing campaigns, zero-click exploits, or attempts to bypass browser sandboxing.

    The tech giant also noted that the issue was mitigated the next day by means of a configuration change that was pushed out to the Stable channel across all platforms. For everyday users, that means the threat may not be widespread yet, but it’s still urgent to patch — especially if you’re in roles handling sensitive or high-value data.


    Google has not released any additional details about the vulnerability and who may have exploited it, but acknowledged that “an exploit for CVE-2025-6554 exists in the wild.”

    CVE-2025-6554 is the fourth zero-day vulnerability in Chrome to be addressed by Google since the start of the year after CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419. However, it bears noting that there is no clarity on whether CVE-2025-4664 has been abused in a malicious context.

To safeguard against potential threats, users are advised to update Chrome to version 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.

If you’re unsure whether your browser is up to date, open the Chrome menu and choose Help > About Google Chrome (or visit chrome://settings/help); the page checks for and applies the latest update automatically. For businesses and IT teams managing multiple endpoints, enabling automatic patch management and monitoring browser version compliance is critical.
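For the version-compliance check the paragraph above calls for, here is an added example (not Google's tooling) that compares a constructed endpoint inventory against the fixed builds listed above. The point it makes is that version strings must be compared numerically, field by field: compared as text, 138.0.7204.100 sorts before 138.0.7204.96 and a patched machine would be reported as vulnerable. Platform names and inventory records are assumptions.

```python
# First fixed Chrome build per platform, from the advisory text above
# (Windows also ships .97 and macOS .93; the lower build is the floor).
FIXED_VERSIONS = {
    "windows": "138.0.7204.96",
    "macos": "138.0.7204.92",
    "linux": "138.0.7204.96",
}


def parse_version(version: str) -> tuple:
    """'138.0.7204.96' -> (138, 0, 7204, 96); numeric fields so 100 > 96."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"malformed version string: {version!r}") from exc


def is_patched(platform: str, version: str) -> bool:
    """True if `version` is at or above the first fixed build for `platform`."""
    floor = FIXED_VERSIONS.get(platform.lower())
    if floor is None:
        raise KeyError(f"no fixed version known for platform {platform!r}")
    return parse_version(version) >= parse_version(floor)


# Constructed inventory: (hostname, browser, platform, version).
SAMPLE_INVENTORY = [
    ("fin-ws-01", "chrome", "windows", "138.0.7204.49"),
    ("fin-ws-02", "chrome", "windows", "138.0.7204.100"),
    ("dev-mbp-07", "chrome", "macos", "138.0.7204.93"),
    ("ops-lx-03", "chrome", "linux", "137.0.7151.119"),
    ("hr-ws-11", "edge", "windows", "138.0.3351.65"),
]


def compliance_report(inventory) -> dict:
    """Split the inventory into patched / vulnerable / needs_manual_check.

    Chromium-based browsers other than Chrome (Edge, Brave, Opera, Vivaldi)
    pick up the fix on their own release schedule, so they are listed for a
    separate check rather than judged against the Chrome floors.
    """
    report = {"patched": [], "vulnerable": [], "needs_manual_check": []}
    for host, browser, platform, version in inventory:
        if browser != "chrome":
            report["needs_manual_check"].append(host)
        elif is_patched(platform, version):
            report["patched"].append(host)
        else:
            report["vulnerable"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in compliance_report(SAMPLE_INVENTORY).items():
        print(f"{bucket:20s} {', '.join(hosts) or '-'}")
```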

    Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.



    Source: thehackernews.com…

  • U.S. Arrests Key Facilitator in North Korean IT Worker Scheme, Seizes $7.74 Million

    U.S. Arrests Key Facilitator in North Korean IT Worker Scheme, Seizes $7.74 Million

    The U.S. Department of Justice (DoJ) on Monday announced sweeping actions targeting the North Korean information technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

    The coordinated action saw searches of 21 known or suspected “laptop farms” across 14 states in the U.S. that were put to use by North Korean IT workers to remotely connect to victim networks via company-provided laptop computers.

    “The North Korean actors were assisted by individuals in the United States, China, United Arab Emirates, and Taiwan, and successfully obtained employment with more than 100 U.S. companies,” the DoJ said.

    The North Korean IT worker scheme has become one of the crucial cogs in the Democratic People’s Republic of North Korea (DPRK) revenue generation machine in a manner that bypasses international sanctions. The fraudulent operation, described by cybersecurity company DTEX as a state-sponsored crime syndicate, involves North Korean actors obtaining employment with U.S. companies as remote IT workers, using a mix of stolen and fictitious identities.

    Once they land a job, the IT workers receive regular salary payments and gain access to proprietary employer information, including export controlled U.S. military technology and virtual currency. In one incident, the IT workers are alleged to have secured jobs at an unnamed Atlanta-based blockchain research and development company and stole over $900,000 in digital assets.

    North Korean IT workers are a serious threat because not only do they generate illegal revenues for the Hermit Kingdom through “legitimate” work, but they also weaponize their insider access to harvest sensitive data, steal funds, and even extort their employers in exchange for not publicly disclosing their data.

    “These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Department’s National Security Division.

    Last month, the DoJ said it had filed a civil forfeiture complaint in federal court that targeted over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets linked to the global IT worker scheme.

    Cybersecurity

    “North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft,” said Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division. “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime.”

    Chief among the actions announced Monday includes the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey, who has been accused of perpetrating a multi-year fraud scheme in collusion with co-conspirators to get remote IT work with U.S. companies, ultimately generating more than $5 million in revenue.

    Other individuals who participated in the scheme include six Chinese and two Taiwanese nationals –

    • Jing Bin Huang (靖斌 黄)
    • Baoyu Zhou (周宝玉)
    • Tong Yuze (佟雨泽)
    • Yongzhe Xu (徐勇哲 andيونجزهي أكسو)
    • Ziyou Yuan (زيو)
    • Zhenbang Zhou (周震邦)
    • Mengting Liu (劉 孟婷), and
    • Enchia Liu (刘恩)

    According to the indictment, the defendants and other co-conspirators compromised the identities of more than 80 U.S. individuals to obtain remote jobs at more than 100 U.S. companies between 2021 and October 2024. The overseas IT workers are believed to have been assisted by U.S.-based facilitators, Kejia “Tony” Wang, Zhenxing “Danny” Wang, and at least four others, with Kejia Wang even traveling to China in 2023 to meet overseas co-conspirators and IT workers and discuss the scheme.

    To trick the companies into thinking that the remote workers are based in the U.S., Wang et al received and hosted the company-issued laptops at their residences, and enabled the North Korean threat actors to connect to these devices using KVM (short for “keyboard-video-mouse”) switches like PiKVM or TinyPilot.

    “Kejia Wang and Zhenxing Wang also created shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses,” the DoJ said. “Kejia Wang and Zhenxing Wang established these and other financial accounts to receive money from victimized U.S. companies, much of which was subsequently transferred to overseas co‑conspirators.”

    In return for providing these services, Wang and his co-conspirators are estimated to have received no less than $696,000 from the IT workers.

    Separately, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주), and Chang Nam Il (창남일), with stealing more than $900,000 from a blockchain company located in Atlanta.

    Court documents allege that the defendants traveled to the United Arab Emirates on North Korean documents in October 2019 and worked together as a team. Sometime between December 2020 and May 2021, Kim Kwang Jin and Jong Pong Ju were hired as developers by the blockchain company and a Serbian virtual token company, respectively. Then, acting on the recommendation of Jong Pong Ju, the Serbian company hired Chang Nam Il.

    After Kim Kwang Jin and Jong Pong Ju gained their employers’ trust and were assigned projects that granted them access to the firm’s virtual currency assets, the threat actors proceeded to steal the assets in February and March 2022, in one case altering the source code associated with two of the company’s smart contracts.

    The stolen proceeds were then laundered using a cryptocurrency mixer and eventually transferred to virtual currency exchange accounts controlled by Kang Tae Bok and Chang Nam Il. These accounts, the DoJ said, were opened using fraudulent Malaysian identification documents.

    “These arrests are a powerful reminder that the threats posed by DPRK IT workers extend beyond revenue generation,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News in a statement. “Once inside, they can conduct malicious activity from within trusted networks, posing serious risks to national security and companies worldwide.”

    “The U.S. government’s actions […] are absolutely top notch and a critical step in disrupting this threat. DPRK actors are increasingly utilizing front companies and trusted third parties to slip past traditional hiring safeguards, including observed instances of those in sensitive sectors like government and the defense industrial base. Organizations must look beyond their applicant portals and reassess trust across their entire talent pipeline because the threat is adapting as we are.”

    Microsoft Suspends 3,000 Email Accounts Tied to IT Workers

    Microsoft, which has been tracking the IT worker threat under the moniker Jasper Sleet (previously Storm-0287) since 2020, said it has suspended 3,000 known Outlook/Hotmail accounts created by the threat actors as part of its broader efforts to disrupt North Korean cyber operations. The activity cluster is also tracked as Nickel Tapestry, Wagemole, and UNC5267.

    The worker fraud scheme starts with setting up identities that match the geolocation of the target organizations; these are then fleshed out with social media profiles and fabricated portfolios on developer-oriented platforms like GitHub to give the personas a veneer of legitimacy.


    The tech giant called out the IT workers’ exploitation of artificial intelligence (AI) tools to enhance images and change voices in order to boost the credibility of their job profiles and appear more authentic to employers. The IT workers have also been found to set up fake profiles on LinkedIn to communicate with recruiters and apply for jobs.

    “These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities,” the Microsoft Threat Intelligence team said.

    Another noteworthy tactic embraced by Jasper Sleet revolves around posting facilitator job ads under the guise of remote job partnerships to help IT workers secure employment, pass identity checks, and work remotely. As the relationship with the facilitators grows, they may also be tasked with creating a bank account for the IT workers, or purchasing mobile phone numbers or SIM cards.

    Furthermore, the witting accomplices are responsible for validating the IT workers’ bogus identities during the employment verification process using online background check service providers. The submitted documents include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident identification cards.

    As a way to counter the threat, Microsoft said it has developed a custom machine-learning solution powered by proprietary threat intelligence that can surface suspicious accounts exhibiting behaviors that align with known DPRK tradecraft for follow-on actions.

    “North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries,” Redmond said. “In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees.”

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Microsoft Removes Password Management from Authenticator App Starting August 2025

    Jul 01, 2025 | Ravie Lakshmanan | Mobile Security / Privacy


    Microsoft has said that it’s ending support for passwords in its Authenticator app starting August 1, 2025.

    The changes, the company said, are part of its efforts to streamline autofill in the two-factor authentication (2FA) app.

    “Starting July 2025, the autofill feature in Authenticator will stop working, and from August 2025, passwords will no longer be accessible in Authenticator,” Microsoft said in a support document for Microsoft Authenticator.

    It’s worth noting that Microsoft already removed the ability to add or import new passwords in the app as of last month. However, saving passwords through autofill will continue to work in July.

    That said, the feature isn’t being completely eliminated. Instead, the saved passwords and addresses will now be synced with users’ Microsoft accounts, allowing them to be accessed via the Edge web browser by setting it as the default autofill provider.


    “After August 2025, your saved passwords will no longer be accessible in Authenticator and any generated passwords not saved will be deleted,” Redmond said.

    Another key aspect to note is that the changes do not apply to passkeys. Users who have enabled passkeys for their Microsoft accounts must keep Authenticator enabled as their passkey provider; disabling Authenticator will also disable those passkeys.

    Users who already use a different password manager solution such as Apple iCloud Keychain or Google Password Manager can set it as their default autofill provider on their mobile devices. Users can also export their passwords from the Authenticator app and then import them into their chosen service.



    Source: thehackernews.com…

  • U.S. Agencies Warn of Rising Iranian Cyberattacks on Defense, OT Networks, and Critical Infrastructure

    Jun 30, 2025 | Ravie Lakshmanan | Cyber Attack / Critical Infrastructure


    U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber-attacks from Iranian state-sponsored or affiliated threat actors.

    “Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events,” the agencies said.

    “These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices.”

    There is currently no evidence of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) noted.

    Emphasizing the need for “increased vigilance,” the agencies singled out Defense Industrial Base (DIB) companies, specifically those with ties to Israeli research and defense firms, as being at an elevated risk. U.S. and Israeli entities may also be exposed to distributed denial-of-service (DDoS) attacks and ransomware campaigns, they added.

    Attackers often start with reconnaissance tools like Shodan to find vulnerable internet-facing devices, especially in industrial control system (ICS) environments. Once inside, they can exploit weak segmentation or misconfigured firewalls to move laterally across networks. Iranian groups have previously used remote access tools (RATs), keyloggers, legitimate admin utilities like PsExec, and credential-dumping tools like Mimikatz to escalate access, often without tripping basic endpoint defenses.

    Based on prior campaigns, attacks mounted by Iranian threat actors leverage techniques like automated password guessing, password hash cracking, and default manufacturer passwords to gain access to internet-exposed devices. They have also been found to employ system engineering and diagnostic tools to breach operational technology (OT) networks.


    The development comes days after the Department of Homeland Security (DHS) released a bulletin, urging U.S. organizations to be on the lookout for possible “low-level cyber attacks” by pro-Iranian hacktivists amid the ongoing geopolitical tensions between Iran and Israel.

    Last week, Check Point revealed that the Iranian nation-state hacking group tracked as APT35 targeted journalists, high-profile cyber security experts, and computer science professors in Israel as part of a spear-phishing campaign designed to capture their Google account credentials using bogus Gmail login pages or Google Meet invitations.

    As mitigations, organizations are advised to follow the below steps –

    • Identify and disconnect OT and ICS assets from the public internet
    • Ensure devices and accounts are protected with strong, unique passwords, replace weak or default passwords, and enforce multi-factor authentication (MFA)
    • Implement phishing-resistant MFA for accessing OT networks from any other network
    • Ensure systems are running the latest software patches to protect against known security vulnerabilities
    • Monitor user access logs for remote access to the OT network
    • Establish OT processes that prevent unauthorized changes, loss of view, or loss of control
    • Adopt full system and data backups to facilitate recovery

    For organizations wondering where to start, a practical approach is to first review your external attack surface—what systems are exposed, which ports are open, and whether any outdated services are still running. Tools like CISA’s Cyber Hygiene program or open-source scanners such as Nmap can help identify risks before attackers do. Aligning your defenses with the MITRE ATT&CK framework also makes it easier to prioritize protections based on real-world tactics used by threat actors.
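    The first mitigation above, identifying OT and ICS assets that answer from the public internet, is the one an external Nmap scan feeds directly. The script below is an added example, not code from the advisory, the agencies, or The Hacker News: it parses the XML that `nmap -oX` writes and reports hosts that are open on the standard ports of common industrial protocols (Modbus/TCP 502, Siemens S7 102, DNP3 20000, EtherNet/IP 44818, BACnet/IP 47808/udp, OPC UA 4840) or on password-only remote access (Telnet, RDP, VNC) that the advisory's phishing-resistant MFA guidance is meant to replace. The embedded scan output, its TEST-NET-3 addresses, and the banner strings are constructed for illustration.

```python
"""Flag internet-exposed OT/ICS services and legacy remote access in Nmap XML.

Added example for the advisory's "identify and disconnect" step; not code from
CISA, FBI, DC3, NSA or The Hacker News. Reads `nmap -oX` output for an external
scan and reports hosts answering on standard industrial-protocol ports or on
Telnet/RDP/VNC. The sample scan and its addresses are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Standard ports for common industrial protocols (vendor/IANA defaults).
ICS_PORTS = {
    (102, "tcp"): "Siemens S7comm (ISO-TSAP)",
    (502, "tcp"): "Modbus/TCP",
    (4840, "tcp"): "OPC UA",
    (20000, "tcp"): "DNP3",
    (44818, "tcp"): "EtherNet/IP",
    (47808, "udp"): "BACnet/IP",
}

# Password-only remote access that should not face the internet on an
# OT-adjacent host; the advisory asks for phishing-resistant MFA instead.
LEGACY_REMOTE = {
    (23, "tcp"): "Telnet",
    (3389, "tcp"): "RDP",
    (5900, "tcp"): "VNC",
}

# Nmap marks unanswered UDP probes "open|filtered"; treat those as exposed
# rather than dropping them, since many ICS stacks ignore malformed datagrams.
OPEN_STATES = {"open", "open|filtered"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    category: str  # "ics-protocol" or "legacy-remote-access"
    detail: str


def find_exposures(nmap_xml: str) -> list[Finding]:
    """Walk every <host>/<port> pair in the scan and return what is exposed."""
    root = ET.fromstring(nmap_xml)
    findings: list[Finding] = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "?")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") not in OPEN_STATES:
                continue
            key = (int(port.get("portid", "0")), port.get("protocol", "tcp"))
            svc = port.find("service")
            banner = ""
            if svc is not None:
                banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            if key in ICS_PORTS:
                detail = ICS_PORTS[key] + (f" ({banner})" if banner else "")
                findings.append(Finding(addr, key[0], key[1], "ics-protocol", detail))
            elif key in LEGACY_REMOTE:
                findings.append(Finding(addr, key[0], key[1], "legacy-remote-access", LEGACY_REMOTE[key]))
    return findings


def hosts_to_disconnect(findings: list[Finding]) -> list[str]:
    """Hosts speaking an ICS protocol to the internet: candidates for the
    disconnect step, ahead of any patching or MFA work."""
    return sorted({f.host for f in findings if f.category == "ics-protocol"})


# Constructed scan output (TEST-NET-3 addresses), standing in for
# `nmap -sS -sU -sV -oX - <external range>`.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" version="7.94">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap" product="Modbus"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="203.0.113.12" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="47808"><state state="open|filtered"/><service name="bacnet"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
    </ports>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    found = find_exposures(SAMPLE_NMAP_XML)
    for f in found:
        print(f"{f.host}:{f.port}/{f.proto:<4} {f.category:<22} {f.detail}")
    print("disconnect first:", ", ".join(hosts_to_disconnect(found)))
```

    Run against a real scan by reading the `-oX` file into `find_exposures`. The SSH and HTTPS listeners are deliberately not flagged: the goal is the short list of hosts that must come off the internet or behind MFA now, not a dump of every open port. Filtered ports are ignored, and UDP "open|filtered" results are kept because ICS devices commonly stay silent to probes while still accepting traffic.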

    “Despite a declared ceasefire and ongoing negotiations towards a permanent solution, Iranian-affiliated cyber actors and hacktivist groups may still conduct malicious cyber activity,” the agencies said.



    Source: thehackernews.com…

  • Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects


    Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world.

    The operation, the agency said, was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. Europol said the investigation into the syndicate started in 2023.

    In addition, the five alleged suspects behind the cryptocurrency scam were arrested on June 25, 2025. Three of the arrests took place in the Canary Islands, while two others were apprehended from Madrid.

    “To carry out their fraudulent activities, the leaders of the criminal network allegedly used a net of associates spread around the world to raise funds through cash withdrawals, bank transfers, and crypto-transfers,” Europol said.

    These types of scams often follow a pattern known as “pig butchering,” where scammers slowly build trust with victims over weeks or months—often through dating apps or friendly chats—before convincing them to invest in fake crypto platforms. Behind the scenes, fraudsters use social engineering tricks, like fake trading dashboards and scripted conversations, to keep the illusion going. Once money is deposited, it’s moved across multiple accounts in a process called layering, making it harder for authorities to trace.

    The cybercriminals are believed to have set up a corporate and banking network based in Hong Kong, with the illicitly obtained funds routed through a maze of payment gateways and user accounts in the names of different people and in different exchanges.


    The development comes shortly after the U.S. Department of Justice (DoJ) filed a civil forfeiture complaint seeking to recover over $225 million in cryptocurrency linked to cryptocurrency confidence (aka romance baiting) scams running out of Vietnam and the Philippines.

    Europol described the “scale, variety, sophistication, and reach” of these online fraud schemes as “unprecedented,” and said they are on track to surpass serious and organized crime, thanks to the increased adoption of artificial intelligence (AI) technologies.

    “The integration of generative artificial intelligence by transnational criminal groups involved in cyber-enabled fraud is a complex and alarming trend observed in Southeast Asia, and one that represents a powerful force multiplier for criminal activities,” said UNODC Regional Analyst, John Wojcik, late last year.

    According to a report from INTERPOL last week, cybercrime reports account for more than 30% of all reported crimes in Western and Eastern Africa. This included online scams, ransomware, business email compromise (BEC), and digital sextortion.

    “Cybercrime continues to outpace the legal systems designed to stop it,” INTERPOL said, adding, “75% of countries surveyed said their legal frameworks and prosecution capacity needed improvement.”

    Part of what makes this kind of fraud so hard to fight is how criminals exploit legal loopholes and fragmented international laws. Many scammers now use synthetic identities—fake personas built with stolen or AI-generated data—to register accounts or rent bank access. They also recruit financial mules to move money, often without them realizing they’re part of a crime.

    To staff such investment fraud schemes, unwitting people from Asia and Africa are lured to Southeast Asia with promises of lucrative jobs and then forcibly detained inside “scam compounds” run by transnational organized crime groups originating from China.

    As many as 53 scam compounds have been identified in Cambodia, per Amnesty International, where the non-profit said “human rights abuses have taken place or continue to occur, including human trafficking, torture and other ill-treatment, forced labour, child labour, deprivation of liberty and slavery.”

    Many of the people forced into these scam compounds were originally promised tech or sales jobs abroad. Once they arrive, their passports are taken and they’re forced to scam others under threats of violence or debt.

    Last year, the United States Institute of Peace revealed that the return on cyber scamming is estimated to exceed $12.5 billion annually in Cambodia, which amounts to half the country’s formal gross domestic product (GDP).


    The findings highlight the enormity and scale of the problem, which typically involves building trust with prospective victims on social media and online dating apps before coaxing them to invest their funds in a bogus cryptocurrency platform.

    The illegal operation has had such an impact that the Indian Embassy in Cambodia has a prominent warning on its website urging citizens to be vigilant against falling into the hands of human traffickers under the pretext of high-paying jobs, stating job seekers are coerced to undertake online financial scams and other illegal activities.

    Adding more context to the criminal activity is a recent report from ProPublica that Chinese-language Telegram channels and groups are advertising to scammers the ability to rent U.S. bank accounts at Bank of America, Chase, Citibank, and PNC, which the scammers then use to launder the proceeds. Telegram has begun to take action on some of these channels.

    Meta is said to have detected and taken down no less than seven million Facebook accounts associated with scam centers in Asia and the Middle East since the start of 2024, per a statement shared by the company to the investigative journalism organization.



    Source: thehackernews.com…

  • Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks

    Jun 30, 2025 | Ravie Lakshmanan | Cybercrime / Vulnerability


    The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66.

    Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its initial attack vector and installs off-the-shelf remote access trojans (RATs).

    Many threat actors rely on bulletproof hosting providers like Proton66 because these services intentionally ignore abuse reports and legal takedown requests. This makes it easier for attackers to run phishing sites, command-and-control servers, and malware delivery systems without interruption.

    The cybersecurity company said it identified a set of domains with a similar naming pattern (e.g., gfast.duckdns[.]org, njfast.duckdns[.]org) beginning in August 2024, all of which resolved to the same IP address (“45.135.232[.]38”) that’s associated with Proton66.

    The use of dynamic DNS services like DuckDNS also plays a key role in these operations. Instead of registering new domains each time, attackers rotate subdomains tied to a single IP address — making detection harder for defenders.
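    The pattern described above (several throwaway dynamic-DNS subdomains, one hosting IP) is something a resolver log can surface on its own. The script below is an added example, not Trustwave's or The Hacker News' code: it groups dynamic-DNS lookups by the address they resolve to and alerts on any IP that hosts several such names, sits on an infrastructure watchlist, or carries the `*fast` label pattern generalized from the report's gfast/njfast examples. The DuckDNS apex and the Proton66 address come from the report; the other dynamic-DNS apexes, the log line format, and the sample log lines are assumptions constructed for illustration.

```python
"""Cluster dynamic-DNS lookups by resolved IP to surface subdomain rotation.

Added example, not code from Trustwave SpiderLabs or The Hacker News. Runs
over resolver log lines in a constructed "<ts> <client> <qname> A <answer>"
format. DuckDNS and the Proton66 IP are from the report; the other apexes,
the log format and the sample log are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Dynamic-DNS apexes to watch. DuckDNS is named in the report; the rest are assumed.
DYNAMIC_DNS_APEXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")

# First-label pattern generalised from the report's gfast / njfast examples.
SUSPICIOUS_LABELS = (re.compile(r"^[a-z]{1,3}fast$"),)

# Hosting infrastructure watchlist; this address is the Proton66 IP in the report.
WATCHLIST_IPS = {"45.135.232.38"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>[A-Za-z0-9.-]+)\s+A\s+"
    r"(?P<answer>\d{1,3}(?:\.\d{1,3}){3})$"
)


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    qname: str
    answer: str


@dataclass(frozen=True)
class Alert:
    ip: str
    names: tuple[str, ...]
    reasons: tuple[str, ...]


def parse_line(line: str) -> Optional[DnsRecord]:
    """Return a record for a well-formed A-record log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Normalise case and trailing dot so GFAST.duckdns.org. == gfast.duckdns.org
    return DnsRecord(m["ts"], m["client"], m["qname"].lower().rstrip("."), m["answer"])


def is_dynamic_dns(qname: str) -> bool:
    return any(qname == apex or qname.endswith("." + apex) for apex in DYNAMIC_DNS_APEXES)


def has_suspicious_label(qname: str) -> bool:
    label = qname.split(".", 1)[0]
    return any(p.match(label) for p in SUSPICIOUS_LABELS)


def detect(lines: Iterable[str], min_names: int = 2) -> list[Alert]:
    """Group dynamic-DNS names by resolved IP and alert on any IP that hosts
    several of them, is on the watchlist, or carries the known label pattern.
    A single home-camera hostname on its own IP produces no alert."""
    names_by_ip: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dynamic_dns(rec.qname):
            continue
        names_by_ip[rec.answer].add(rec.qname)

    alerts: list[Alert] = []
    for ip, names in sorted(names_by_ip.items()):
        reasons = []
        if len(names) >= min_names:
            reasons.append(f"{len(names)} dynamic-DNS names resolve to one IP")
        if ip in WATCHLIST_IPS:
            reasons.append("resolved IP is on the infrastructure watchlist")
        if any(has_suspicious_label(n) for n in names):
            reasons.append("subdomain matches the *fast naming pattern")
        if reasons:
            alerts.append(Alert(ip, tuple(sorted(names)), tuple(reasons)))
    return alerts


# Constructed resolver log: two workstations hitting the rotated subdomains,
# one benign DuckDNS name, and one malformed line to exercise the parser.
SAMPLE_LOG = """\
2024-08-14T10:01:22Z 10.0.5.21 gfast.duckdns.org A 45.135.232.38
2024-08-14T10:03:09Z 10.0.5.21 www.vendor.example A 198.51.100.7
2024-08-14T11:47:51Z 10.0.7.4 njfast.duckdns.org A 45.135.232.38
2024-08-15T08:12:00Z 10.0.5.21 myhomecam.duckdns.org A 198.51.100.77
2024-08-15T09:31:00Z 10.0.9.9 GFAST.duckdns.org. A 45.135.232.38
this line is not a DNS record
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a.ip, ", ".join(a.names))
        for r in a.reasons:
            print("   -", r)
```

    The IP-centred grouping is the point: a blocklist of the two DuckDNS names would be stale as soon as the operator registered the next subdomain, whereas the shared hosting address and the label pattern survive the rotation. Adjust `min_names` upward in environments where staff legitimately use dynamic DNS for home devices, and feed the `WATCHLIST_IPS` set from your threat-intelligence source rather than hard-coding it.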


    “The domains in question were used to host a variety of malicious content, including phishing pages and VBS scripts that serve as the initial stage of malware deployment,” security researcher Serhii Melnyk said. “These scripts act as loaders for second-stage tools, which, in this campaign, are limited to publicly available and often open-source RATs.”

    While Visual Basic Script (VBS) might seem outdated, it’s still a go-to tool for initial access due to its compatibility with Windows systems and ability to run silently in the background. Attackers use it to download malware loaders, bypass antivirus tools, and blend into normal user activity. These lightweight scripts are often the first step in multi-stage attacks, which later deploy remote access trojans (RATs), data stealers, or keyloggers.

    The phishing pages have been found to impersonate legitimate Colombian banks and financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda. Blind Eagle, also known as AguilaCiega, APT-C-36, and APT-Q-98, is known for its targeting of entities in South America, particularly Colombia and Ecuador.

    The deceptive sites are engineered to harvest user credentials and other sensitive information. The VBS payloads hosted on the infrastructure come fitted with capabilities to retrieve encrypted executable files from a remote server, essentially acting as a loader for commodity RATs like AsyncRAT or Remcos RAT.

    Furthermore, an analysis of the VBS code has revealed overlaps with Vbs-Crypter, a tool linked to a subscription-based crypter service called Crypters and Tools that’s used to obfuscate and pack VBS payloads with an aim to avoid detection.

    Trustwave said it also discovered a botnet panel that allows users to “control infected machines, retrieve exfiltrated data, and interact with infected endpoints through a broad set of capabilities typically found in commodity RAT management suites.”


    The disclosure comes as Darktrace revealed details of a Blind Eagle campaign that has been targeting Colombian organizations since November 2024 by exploiting a now-patched Windows flaw (CVE-2024-43451) to download and execute the next-stage payload, a behavior that was first documented by Check Point in March 2025.

    “The persistence of Blind Eagle and ability to adapt its tactics, even after patches were released, and the speed at which the group were able to continue using pre-established TTPs highlights that timely vulnerability management and patch application, while essential, is not a standalone defense,” the company said.



    Source: thehackernews.com…

  • ⚡ Weekly Recap: Airline Hacks, Citrix 0-Day, Outlook Malware, Banking Trojans and more

    Jun 30, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    Ever wonder what happens when attackers don’t break the rules—they just follow them better than we do? When systems work exactly as they’re built to, but that “by design” behavior quietly opens the door to risk?

    This week brings stories that make you stop and rethink what’s truly under control. It’s not always about a broken firewall or missed patch—it’s about the small choices, default settings, and shortcuts that feel harmless until they’re not.

    The real surprise? Sometimes the threat doesn’t come from outside—it’s baked right into how things are set up. Dive in to see what’s quietly shaping today’s security challenges.

    ⚡ Threat of the Week

    FBI Warns of Scattered Spider Attacks on Airlines — The U.S. Federal Bureau of Investigation (FBI) has warned of a new set of attacks mounted by the notorious cybercrime group Scattered Spider targeting the airline sector using sophisticated social engineering techniques to obtain initial access. Cybersecurity vendors Palo Alto Networks Unit 42 and Google Mandiant have also issued similar alerts, urging organizations to be on alert and apply necessary mitigations, including strong authentication, segregation of identities, and enforcing rigorous identity controls for password resets and multi-factor authentication (MFA) registration, to harden their environments against the tactics used by the threat actor.

    🔔 Top News

    • LapDogs ORB Network Compromised Over 1,000 SOHO Devices — A China-linked APT has built an operational relay box (ORB) network called LapDogs comprising over 1,000 backdoored routers for espionage purposes. The digital break-ins began no later than September 2023 and have expanded ever since. The campaign mostly targets end-of-life routers, IoT devices, internet-connected security cameras, virtual servers, and other small office/home office (SOHO) devices. Five geographic regions — the US (352 victims), Japan (256 victims), South Korea (226 victims), Taiwan (80 victims), and Hong Kong (37 victims) — make up about 90% of the entire ORB network. The attacks leverage known security flaws in Linux-based devices to drop a backdoor called ShortLeash. The purpose of the malware itself is not known, although it has been found to share similarities with another malware sample used by UAT-5918. It’s suspected that the devices are being gradually, but steadily, compromised as part of methodical and small-scale efforts across the world to gain long-term access to networks.
    • Iranian Hacking Group Targets Israeli Cybersecurity Experts — APT35, an Iranian state-sponsored hacking group associated with the Islamic Revolutionary Guard Corps (IRGC) has been linked to a spear-phishing campaign targeting journalists, high-profile cyber security experts, and computer science professors in Israel that seeks to redirect them to bogus phishing pages that are capable of harvesting their Google account credentials. The attacks, which take place via emails and WhatsApp messages, leverage fake Gmail login pages or Google Meet invitations to harvest their credentials. The development comes amid geopolitical tensions between Iran and Israel, which has also led to a spike in hacktivist activity in the region. “There are about 170 hacker groups attacking Israel, with about 1,345 cyber attacks on Israel, including about 447 cyber attacks launched against Israel after the conflict broke out,” NSFOCUS said in a report published last week. “The number of hacker groups attacking Iran reached about 55, and the number of cyber attacks on Iran reached about 155, of which about 20 were launched against Iran after the conflict broke out.”
    • Citrix Patches Actively Exploited 0-Day — Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-6543 (CVSS score: 9.2), is a memory overflow bug that could result in unintended control flow and denial-of-service. It’s currently not known how the vulnerability is being exploited in the wild. The exploitation of CVE-2025-6543 coincides with reports that another critical security vulnerability in NetScaler ADC (CVE-2025-5777, CVSS score: 9.3) is also being weaponized in real-world attacks post public-disclosure.
    • U.S. House Bans WhatsApp Use in Government Devices — The U.S. House of Representatives has formally banned congressional staff members from using WhatsApp on government-issued devices, citing security concerns. According to the House Chief Administrative Officer (CAO), the decision was taken based on a lack of transparency in how WhatsApp protects user data, the absence of stored data encryption, and potential security risks. WhatsApp has rejected these concerns, stating messages are end-to-end encrypted by default, and that it offers a “higher level” of security than other apps.
    • New Tool to Neutralize Cryptomining Botnets — Akamai has proposed a novel mechanism to defang cryptomining botnets using XMRogue, a proof-of-concept (PoC) tool that lets defenders stop miners’ proxy servers from using compromised endpoints for illicit mining purposes. In cases where a mining proxy is not used, the approach uses a script to send more than 1,000 simultaneous login requests using the attacker’s wallet, which will force the pool to temporarily ban the wallet. That said, it’s worth noting that these methods don’t necessarily remove the malicious code from the systems as it’s just a way to disable the mining infrastructure.

    ‎️‍🔥 Trending CVEs

    Hackers are quick to jump on newly discovered software flaws—sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

    This week’s list includes — CVE-2025-49825 (Teleport), CVE-2025-6218 (WinRAR), CVE-2025-49144 (Notepad++), CVE-2025-27387 (OPPO ColorOS), CVE-2025-2171, CVE-2025-2172 (Aviatrix Controller), CVE-2025-52562 (ConvoyPanel), CVE-2025-27915 (Zimbra Classic Web Client), CVE-2025-48703 (CentOS Web Panel), CVE-2025-23264, CVE-2025-23265 (NVIDIA Megatron LM), CVE-2025-36537 (TeamViewer), CVE-2025-4563 (Kubernetes), CVE-2025-2135 (Kibana), CVE-2025-3509 (GitHub), CVE-2025-36004 (IBM i), CVE-2025-49853 (ControlID iDSecure), CVE-2025-37101 (HPE OneView for VMware vCenter), CVE-2025-3699 (Mitsubishi Electric), CVE-2025-6709 (MongoDB), CVE-2025-1533, CVE-2025-3464 (ASUS Armoury Crate), and an unpatched flaw affecting Kerio Control.

    📰 Around the Cyber World

    • Security Flaws Affect 100s of Printers and Scanners — Eight security vulnerabilities have been disclosed in multifunction printers (MFP) from Brother Industries, Ltd, that affect 742 models across 4 vendors, including FUJIFILM Business Innovation, Ricoh, Toshiba Tec Corporation, and Konica Minolta. “Some or all of these vulnerabilities have been identified as affecting 689 models across Brother’s range of printer, scanner, and label maker devices,” Rapid7 said. “Additionally, 46 printer models from FUJIFILM Business Innovation, 5 printer models from Ricoh, and 2 printer models from Toshiba Tec Corporation are affected by some or all of these vulnerabilities.” The most severe of the flaws is CVE-2024-51978 (CVSS score: 9.8), a critical bug that lets a remote unauthenticated attacker generate the target device’s default administrator password from its serial number; the serial number itself can be leaked by chaining the attack with CVE-2024-51977 (CVSS score: 5.3). Having the admin password enables an attacker to reconfigure the device or abuse functionality intended for authenticated users.
    • French Police Reportedly Arrest BreachForums Admins — French authorities have arrested five high-ranking members of BreachForums, a notorious online hub that specializes in selling stolen data and cybercriminal tools. This included forum users ShinyHunters, Hollow, Noct, and Depressed. A fifth suspect is said to have been apprehended by French police officials in February 2025. He went by the pseudonym IntelBroker (aka Kyle Northern), who has now been identified as a 25-year-old British man named Kai West. The latest iteration of BreachForums is currently offline. According to the U.S. Department of Justice (DoJ), West’s real-world identity was exposed after undercover Federal Bureau of Investigation (FBI) agents purchased a stolen API key that granted illicit access to one victim’s website, and traced the Bitcoin wallet’s address back to him. West has been charged with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, accessing a protected computer to obtain information, and wire fraud. In total, he faces up to 50 years in prison. “Kai West, an alleged serial hacker, is charged for a nefarious, years-long scheme to steal victim’s [sic] data and sell it for millions in illicit funds, causing more than $25 million in damages worldwide,” said FBI Assistant Director in Charge Christopher G. Raia. The U.S. is seeking his extradition.
    • Canada Orders Hikvision to Close its Canadian Operations — Canada’s government has ordered Chinese CCTV systems vendor Hikvision to cease all its operations in the country and shut down its Canadian business following a national security review. “The government has determined that Hikvision Canada Inc.’s continued operations in Canada would be injurious to Canada’s national security,” according to a statement released by Mélanie Joly, Canada’s Minister of Industry. “This determination is the result of a multi-step review that assessed information and evidence provided by Canada’s security and intelligence community.” In addition, the order prohibits the purchase or use of Hikvision products in government departments, agencies, and crown corporations. Hikvision called the allegations “unfounded” and that the decision “lacks a factual basis, procedural fairness, and transparency.”
    • U.K. NCSC Details “Authentic Antics” Malware — The National Cyber Security Centre (NCSC) is calling attention to a new malware it calls Authentic Antics that runs within the Microsoft Outlook process, displaying periodic malicious login prompts to steal credentials and OAuth 2.0 tokens in an attempt to gain unauthorized access to victim email accounts. “The stolen credential and token data is then exfiltrated by authenticating to the victim’s Outlook on the web account via the Outlook web API, with the freshly stolen token, to send an email to an actor-controlled email address,” the NCSC said. “The emails will not show in the victim’s sent folder.”
    • Microsoft Wants to Avoid Another CrowdStrike-like Outage — Microsoft said it’s planning to deliver a private preview of the Windows endpoint security platform to select endpoint security partners, including Bitdefender, CrowdStrike, ESET, SentinelOne, Trellix, Trend Micro, and WithSecure, that will allow them to build their anti-malware solutions to run outside the Windows kernel and in the user mode, just as other regular applications. “This means security products like anti-virus and endpoint protection solutions can run in user mode just as apps do,” Microsoft said. “This change will help security developers provide a high level of reliability and easier recovery resulting in less impact on Windows devices in the event of unexpected issues.” The change, first announced in November 2024, comes nearly a year after a faulty CrowdStrike update took down 8.5 million Windows-based machines around the world. In tandem, Microsoft said it’s also giving Blue Screen of Death (BSoD) a big visual makeover nearly 40 years after its debut in Windows, turning it black and listing the stop code and faulty system driver behind the crash in an attempt to give more clarity.
    • Noyb Accuses Bumble of Violating E.U. GDPR — Bumble’s partnership with OpenAI for its Bumble for Friends feature violates Europe’s General Data Protection Regulation, according to a complaint from Austrian privacy non-profit noyb. “Powered by OpenAI’s ChatGPT, the feature is designed to help you start a conversation by providing an AI-generated message,” noyb said. “In order to do this, your personal profile information is fed into the AI system without Bumble ever obtaining your consent. Although the company repeatedly shows you a banner designed to nudge you into clicking ‘Okay,’ which suggests that it relies on user consent, it actually claims to have a so-called ‘legitimate interest’ to use data.” Noyb said the “Okay” option gives users a false sense of control over their data, when it claims to have a legitimate interest in sending user data to OpenAI.
    • Jitter-Trap Turns Evasion into Detection — Cybersecurity researchers at Varonis have designed a clever new technique called Jitter-Trap that aims to detect post-exploitation and command-and-control (C2) communication stemming from the use of red teaming frameworks like Cobalt Strike, Sliver, Empire, Mythic, and Havoc, which are often adopted by threat actors in cyber attacks to maintain access, execute commands, move laterally, and exfiltrate data while evading detection. These tools are known to employ a parameter called “sleep” that defines how often the beacon communicates with its operator (i.e., the C2 server). One obfuscation method used to cloak this periodic beaconing activity is “jitter,” which adds a small amount of randomness to the communication pattern so that it does not stand out as regular. “The jitter property for sleep-time between requests exists to create light randomness with the intent to look natural and like real traffic caused by users,” Varonis said. Jitter-Trap demonstrates how that very pattern of randomness can be leveraged by defenders to determine whether such traffic exists in the first place, effectively turning attackers’ own tactics against them.
    • REvil Members Released in Russia — Four members of the REvil ransomware group, Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev, have been found guilty in Russia of financial fraud and cybercrimes and were sentenced to five years in prison, but were ultimately released after a court determined that their sentence would amount to time already served while awaiting trial. This amounts to less than three years in detention. It’s worth noting that they were arrested in early 2022 on charges relating to trafficking stolen payment data and using malicious software to commit carding fraud. Other members of the crew, Daniil Puzyrevsky, Ruslan Khansvyarov, Aleksey Malozemov, and Artem Zayets, were jailed for four-and-a-half to six years in October 2024. Another REvil member, Yaroslav Vasinskyi, was arrested in 2021 at the Polish border and extradited to the U.S. a year later. In May 2024, he was sentenced to almost 14 years in prison and ordered to return $16 million to his various victims. It is uncommon for Russia to prosecute its own hackers. In April 2022, Russia said the U.S. had unilaterally shut down communication channels with Russia on cybersecurity and withdrawn from the negotiation process regarding the REvil gang.
    • Malicious Python Package Shuts Down Windows Systems — A malicious Python package named psslib has been detected in the Python Package Index (PyPI) repository masquerading as a password security utility since November 2018, quietly attracting over 3,700 downloads to date. The package is a typosquat of the legitimate passlib library and is capable of immediately shutting down Windows systems when users enter a password that does not match the value set by the package’s developer. The library also incorporates the ability to invoke a system reboot without warning or consent. The discovery comes as two “protestware” packages with hidden functionality have been flagged in the npm registry. The packages (@link-loom/ui-sdk and @link-loom-react-sdk) specifically target Russian-language users visiting Russian or Belarusian domains (.ru, .su, and .by) in a web browser, blocking mouse-based interaction on the web page and indefinitely playing the Ukrainian anthem on a loop. That said, the attack ensures that only repeat visitors to the sites are targeted, meaning it’s triggered only when the target visits the websites more than once.
    • Tudou Guarantee Takes Lead After HuiOne Shutdown — An illicit Telegram marketplace called Tudou Guarantee has emerged as the main winner following the closure of HuiOne Guarantee last month. The latest findings show that it’s business as usual for Chinese-language black markets in the wake of Telegram’s takedown of the two biggest of those bazaars, HuiOne Guarantee and Xinbi Guarantee. Both the services are estimated to have enabled a staggering $35 billion in transactions. Blockchain intelligence firm Elliptic said it’s tracking more than thirty highly-active guarantee markets. “Most notably, Tudou Guarantee has seen users more than double – and cryptocurrency inflows are now approximately equal to those seen for HuiOne Guarantee prior to its shutdown,” the company said. “Many of the merchants operating on Tudou are the same ones that previously sold through HuiOne Guarantee, offering stolen data, money laundering services and other products needed by scammers.” The shift is also significant in light of the fact that HuiOne Guarantee is a major shareholder in Tudou Guarantee. It acquired a 30% stake in December 2024. “These scammers have inflicted misery on millions of victims around the world, stealing billions of dollars. Unless these marketplaces are actively pursued, they will continue to flourish,” Elliptic’s Tom Robinson was quoted as saying to WIRED.
    • South Korea Targeted by MeshAgent and SuperShell — Windows and Linux servers in South Korea are being targeted by Chinese-speaking threat actors to drop web shells like SuperShell and remote desktop software such as MeshAgent to establish persistent access and install additional payloads. The IP address used to stage the payloads has also been found to include WogRAT (short for “WingsOfGod”), a backdoor that can collect system information and execute arbitrary commands issued by a remote server. The exact initial access vector used in the attacks is unknown, according to AhnLab. “The attacker seems to target not only Windows but also Linux, attempting to take control of the network where the infected system belongs by moving from the initial penetration phase to the lateral movement phase,” the cybersecurity company said. “While the ultimate goal is unknown, the attacker may steal sensitive information or infect the network with ransomware if they successfully take control of the organization’s network.”
    • AndroxGh0st Malware Evolves to Add New Flaws — The threat actors behind the AndroxGh0st malware have been found leveraging compromised websites associated with the University of California, San Diego, and an unnamed Jamaican events aggregator platform for C2 purposes. Attacks mounted by the Python-based cloud attack tool are known to leverage a wide range of known security flaws, including those affecting Apache Struts, Apache Shiro, FasterXML, Lantronix PremierWave, Popup Maker WordPress plugin, and Spring Framework, to obtain initial access and drop the malware. “The botnet exploits popular platforms (e.g., Apache Shiro, Spring framework, WordPress) and IoT devices (Lantronix), enabling remote code execution, sensitive data theft, and cryptomining,” CloudSEK said.
    • Phishing Campaign Leverages CapCut Lures — A new phishing campaign is employing fake CapCut invoice lures to trick recipients into clicking on bogus links that mimic Apple account login pages and prompt them to enter their financial information to receive a refund. In reality, the attack is designed to stealthily siphon their credentials and credit card details to an external server. “As CapCut continues to dominate the short-form video editing scene, cybercriminals are seizing the opportunity to exploit its popularity,” Cofense said.
    • Dutch Police Contact 126 Individuals in Connection with Cracked.io — Dutch police have identified and contacted 126 individuals who held accounts on the Cracked.io hacking forum. Authorities filed criminal cases against eight suspects and warned the remaining individuals against engaging in further criminal activity. The youngest person contacted by authorities was 11 years old. Law enforcement agencies from the U.S. and Europe seized Cracked and Nulled earlier this January. Prior to the takedown, the forum had more than 4.7 million users and was known for selling hacking services, stolen data, and malware.
    • Vulnerabilities in Airoha SoCs — Cybersecurity researchers have discovered three flaws in devices that incorporate Airoha Systems on a Chip (SoCs) that could be weaponized to take over susceptible products without requiring any authentication or pairing, and on certain phones, even eavesdrop on conversations and extract call history and stored contacts. “Any vulnerable device can be compromised if the attacker is in Bluetooth range,” the researchers said. The vulnerabilities, assigned the CVE identifiers CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702, relate to missing authentication for GATT Services, missing authentication for Bluetooth BR/EDR, and an unspecified vulnerability in a custom protocol that allows for manipulating the device. The Bluetooth chipset, according to cybersecurity company ERNW, is used in headsets, earbuds, dongles, speakers, and wireless microphones. “Some vendors are not even aware that they are using an Airoha SoC,” ERNW noted. “They have outsourced parts of the development of their device, such as the Bluetooth module.”
    • Operation Overload Uses API to Amplify Pro-Russian Propaganda — A Russian disinformation operation known as Operation Overload has adopted artificial intelligence (AI) to generate Russian propaganda and spread it across Telegram, X, BlueSky, and TikTok. The activity involves AI-generated or deceptively edited content, often impersonating journalists, public figures, and respected institutions, to interfere with the political discourse in Ukraine, France, Germany, Poland, Moldova, and the United States. “While anti-Ukrainian narratives continue to dominate, election interference stands out as a prominent theme,” CheckFirst said.
    • Crypto Drainer Scam Impersonates Tax Authorities — A new phishing campaign dubbed Declaration Trap has been observed targeting cryptocurrency users by impersonating European tax authorities, specifically Dutch agencies Belastingdienst and MijnOverheid. In these attacks, prospective victims are lured via email messages to phishing sites that harvest personal information and run crypto drainer phishing kits to siphon seed phrases, and perform unauthorized withdrawals by sending malicious transaction signing requests. “The victim’s journey begins with an email that appears to come from Belastingdienst or MijnOverheid and tells the recipient they need to complete a special declaration form for their crypto assets due to new tax regulations introduced in 2025,” Group-IB said. “Scammers use pressure tactics: they set short deadlines for completing the form and threaten victims with fines if they don’t comply.” The disclosure comes as IBM X-Force detailed a phishing campaign that’s targeting financial institutions across the world with weaponized Scalable Vector Graphics (SVG) files embedded with JavaScript to steal credentials and drop remote access trojans (RATs). “When executed, the SVG-embedded JavaScript drops a ZIP archive containing a JavaScript file that is used to download a Java-based loader,” IBM said. “If Java is present, it deploys modular malware including Blue Banana RAT, SambaSpy, and SessionBot.”
    • Hive0131 Campaign Delivers DCRat in Colombia — In a new phishing campaign detected in early May 2025, the threat actor tracked as Hive0131 targeted users in Colombia with bogus notifications about criminal proceedings to initiate an attack chain that ultimately delivered the modular DCRat malware to harvest files, keystrokes, and audio and video recordings. “Hive0131 is a financially motivated group likely originating from South America that routinely conducts campaigns largely in Latin America (LATAM) to deliver a wide array of commodity payloads,” IBM X-Force said. “The current campaigns imitate official correspondence and contain either an embedded link or a PDF lure with an embedded link. Clicking on the embedded link will initiate the infection chain to execute the banking trojan ‘DCRat’ in memory.” The attacks, which have also been found to either contain a PDF lure with a link to a TinyURL or an embedded link to a Google Docs location, are characterized by the use of an obfuscated .NET loader dubbed VMDetectLoader that’s used to download and execute DCRat.
    • CISA and NSA Call for Adoption of Memory-Safe Languages — The U.S. Cybersecurity and Infrastructure Security Agency, along with the National Security Agency (NSA), issued guidance on adopting memory-safe languages (MSLs) such as Rust to mitigate memory-related vulnerabilities in software. MSLs offer built-in mechanisms such as bounds checking, memory management, data race prevention, and runtime safety checks to protect against memory bugs. “Achieving better memory safety demands language-level protections, library support, robust tooling, and developer training,” the agencies said. “MSLs offer built-in safeguards that shift safety burdens from developers to the language and the development environment. By integrating safety mechanisms directly at the language level, MSLs enhance security outcomes and reduce reliance on after-the-fact analysis tools.” However, the report also points out the challenges with adopting MSLs due to legacy systems and tightly coupled code, performance overhead, and the availability (or lack thereof) of tools and libraries available for an MSL.
    • New SmartAttack Technique Uses Smartwatches to Steal Air-Gapped Data — A new side-channel attack dubbed SmartAttack has demonstrated the use of smartwatches as receivers for ultrasonic covert communication in air-gapped environments. The approach, according to Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel, utilizes the built-in microphones of smartwatches to capture covert signals in real-time within the ultrasonic frequency range of 18-22 kHz. As with other attacks of this kind, the threat model presupposes that the attacker has already infiltrated the air-gapped system and implanted malware that operates stealthily, transmitting information using the infected machine’s speakers in a frequency range that’s inaudible to humans. On the other end, the attack also requires the threat actor to compromise the smartwatch of an individual with access to the secured environment, and deploy malware capable of receiving the covert ultrasonic communication, decoding it, reconstructing it, and forwarding it to the attacker’s infrastructure. In an experimental setup, SmartAttack can be used to transmit data through ultrasonic signals over distances of more than 6 meters, with data rates of up to 50 bits per second. Dr. Guri, who disclosed RAMBO and PIXHELL attacks last year to exfiltrate data from air-gapped systems, said the findings highlight the “security risks posed by smartwatches in high-security environments.” Possible mitigations include prohibiting smartwatches and similar audio-capable wearables when entering secure environments, deploying ultrasonic monitoring systems to identify unauthorized transmissions, deploying ultrasonic jammers, and physically removing or disabling audio hardware components.
    • Google Adds New Security Feature to Tackle XSS Attacks — Google has added a new security feature to the Chrome browser that automatically escapes “<” and “>” characters inside HTML attributes. The new feature is designed to prevent cross-site scripting attacks that rely on slipping in malicious code inside HTML code. The feature shipped with the stable version of Chrome 138 released on June 24, 2025. “It’s possible that a sanitizer may have a DOM tree it considers safe; however, after re-parsing, this DOM tree will be materially different, resulting in an XSS,” Google’s Michał Bentkowski said. This type of XSS attack is called mutation XSS (mXSS).
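The Jitter-Trap item above explains that jittered sleep times produce a tell of their own. The following is an added example (not Varonis’s code or the Jitter-Trap tool) showing the defender’s side of that idea: it assumes the beacon draws each gap uniformly from [sleep × (1 − jitter), sleep], groups constructed connection-log lines by source/destination pair, and flags pairs whose inter-request gaps are confined to a narrow band with a flat histogram, which organic, bursty user traffic does not produce. The log format, IP addresses, and thresholds are assumptions for the demo.

```python
"""Jitter-Trap style detection of jittered C2 beaconing in connection logs.

Added example, not Varonis's code. Assumption: a beacon with sleep S and
jitter J waits a random time drawn uniformly from [S*(1-J), S] between
check-ins, so its gaps fall in a narrow band with a flat distribution.
Human-driven traffic is bursty: many sub-second gaps plus a heavy tail.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Pair = Tuple[str, str]


def make_log(start: float, src: str, dst: str, gaps: List[float]) -> List[str]:
    """Build constructed log lines '<epoch seconds> <src> <dst>' from gaps."""
    t, lines = start, [f"{start:.3f} {src} {dst}"]
    for g in gaps:
        t += g
        lines.append(f"{t:.3f} {src} {dst}")
    return lines


def parse_log(lines: List[str]) -> Dict[Pair, List[float]]:
    """Group request timestamps by (src, dst) pair."""
    per_pair: Dict[Pair, List[float]] = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        per_pair[(src, dst)].append(float(ts))
    return per_pair


def analyze_gaps(gaps: List[float], min_samples: int = 8,
                 max_jitter: float = 0.6, bins: int = 4) -> dict:
    """Classify one pair's inter-request gaps.

    jitter_estimate = 1 - min/max is the share of the sleep that the
    randomisation can shave off; beacons keep it modest, bursty traffic
    pushes it towards 1. A flat histogram over [min, max] is the jitter tell.
    """
    n = len(gaps)
    if n < min_samples:
        return {"verdict": "insufficient data", "samples": n}
    lo, hi = min(gaps), max(gaps)
    if hi - lo < 1e-6:  # identical gaps: classic un-jittered beacon or cron job
        return {"verdict": "periodic (no jitter)", "samples": n, "sleep_estimate": hi}
    jitter = 1.0 - lo / hi
    counts = [0] * bins  # equal-width histogram over [lo, hi]
    for g in gaps:
        counts[min(int((g - lo) / (hi - lo) * bins), bins - 1)] += 1
    flat = all(c >= 0.4 * (n / bins) for c in counts)  # no starved bin
    verdict = "jittered beacon" if jitter <= max_jitter and flat else "irregular"
    return {"verdict": verdict, "samples": n, "sleep_estimate": hi,
            "jitter_estimate": round(jitter, 3), "bin_counts": counts}


def detect(lines: List[str]) -> Dict[Pair, dict]:
    """Run the gap analysis for every (src, dst) pair in the log."""
    results = {}
    for pair, ts in parse_log(lines).items():
        ts = sorted(ts)
        results[pair] = analyze_gaps([b - a for a, b in zip(ts, ts[1:])])
    return results


# Constructed samples: a 60 s sleep / 20 % jitter beacon, a browsing session,
# and an exactly periodic 64 s poller. Addresses are documentation ranges.
BEACON_GAPS = [48.3, 59.1, 52.7, 55.4, 49.8, 57.9, 51.2, 58.6,
               53.5, 50.4, 56.3, 49.1, 54.8, 59.7, 52.0, 57.1]
HUMAN_GAPS = [0.4, 0.7, 1.2, 0.3, 45.0, 0.5, 0.9, 120.0, 0.2, 0.6, 300.0, 0.8, 2.1, 0.3]
PERIODIC_GAPS = [64.0] * 10
SAMPLE_LOG = (make_log(1_700_000_000.0, "10.0.0.5", "203.0.113.7", BEACON_GAPS)
              + make_log(1_700_000_003.0, "10.0.0.9", "198.51.100.20", HUMAN_GAPS)
              + make_log(1_700_000_010.0, "10.0.0.5", "192.0.2.123", PERIODIC_GAPS))

if __name__ == "__main__":
    for pair, result in detect(SAMPLE_LOG).items():
        print(pair, result)
```

In production the same histogram test would run per pair over a sliding window of proxy or NetFlow records, with the thresholds tuned against known-good periodic traffic such as update checks.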

    🎥 Cybersecurity Webinars

    • Designing Identity for Trust at Scale—With Privacy, AI, and Seamless Logins in Mind In today’s AI-powered world, customer identity is all about trust. This webinar unpacks insights from the Auth0 2025 Trends Report—covering how users react to AI, rising privacy expectations, and the latest identity threats. Whether you’re building login flows or trust strategies, you’ll get clear, practical advice to stay ahead.
    • Stop Pip Installing and Praying: Secure Your Python Supply Chain in 2025 The Python ecosystem in 2025 is under attack—from repo jacking and typosquatting to hidden flaws in common container images. If you’re still “pip installing and hoping,” it’s time to rethink. Join security experts as they unpack real threats, explain tools like CVE, Sigstore, and SLSA, and share how PyPI is responding. Whether you’re using YOLO models or managing production apps, you’ll get clear, practical steps to secure your Python supply chain today.

    🔧 Cybersecurity Tools

    • RIFT Microsoft has open-sourced RIFT, a tool that helps analysts spot attacker-written code in complex Rust malware. As Rust becomes more popular among threat actors, malware is getting harder to analyze. RIFT cuts through the noise by using automated signature matching and binary diffing to highlight only the custom code—saving time and improving detection.

    Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

    🔒 Tip of the Week

    Beyond Defaults: Mastering Windows Hardening ➝ Default Windows settings are built for ease, not security. That’s fine for casual use—but if you care about protecting your data, business, or even just your privacy, it’s time to go beyond the basics.

    The good news? You don’t need to be a sysadmin to lock down your system. Tools like HardeningKitty, CIS-CAT Lite, and Microsoft’s Security Compliance Toolkit do the heavy lifting for you. They scan your system and tell you exactly what to fix—like disabling outdated protocols (SMBv1, NetBIOS), hardening Office macros, or turning off risky Windows features you don’t even use.

    If that sounds a bit much, don’t worry—there are one-click apps too. ConfigureDefender lets you max out Microsoft Defender’s protection (including turning on hidden advanced rules). WPD and O&O ShutUp10++ help you cut Windows tracking, bloatware, and junk settings in minutes. Think of them as the “Privacy + Security” switches Microsoft should’ve given you by default.

    Want to get serious? Start with CIS-CAT Lite to see where your system stands, then run HardeningKitty to close the gaps. These aren’t just checkboxes—you’re cutting off real-world attack paths like phishing payloads, document-based malware, and lateral movement across networks.

    Bottom line: You don’t have to “just use Windows as it is.” You can make it work for you, not against you—without breaking anything. Small changes, big impact.

    Conclusion

    It’s easy to get caught up in the technical details, but at the end of the day, it’s about making smart decisions with the tools and time we have. No one can fix everything at once—but knowing where the cracks are is half the battle. Whether it’s a quick configuration check or a deeper policy rethink, small steps add up.

    Take a few minutes to scan the highlights and see where your team might need a second look.



    Source: thehackernews.com…