Category: Cybersecurity

Cybersecurity researchers have shed light on a new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP that has targeted a wide range of sectors in Australia, Brazil, Europe, and the United States since its emergence in early June 2025.

GLOBAL GROUP was “promoted on the Ramp4u forum by the threat actor known as ‘$$$,’” EclecticIQ researcher Arda Büyükkaya said. “The same actor controls the BlackLock RaaS and previously managed Mamona ransomware operations.”

It’s believed that GLOBAL GROUP is a rebranding of BlackLock after the latter’s data leak site was defaced by the DragonForce ransomware cartel back in March. It’s worth mentioning that BlackLock in itself is a rebrand of another RaaS scheme known as Eldorado.

The financially motivated group has been found to lean heavily on initial access brokers (IABs) to deploy the ransomware by weaponizing access to vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks. Also put to use are brute-force utilities for Microsoft Outlook and RDWeb portals.

$$$ has acquired Remote Desktop Protocol (RDP) or web shell access to corporate networks, such as those related to law firms, as a way to deploy post-exploitation tools, conduct lateral movement, siphon data, and deploy the ransomware.

Outsourcing the infiltration phase to other threat actors, who supply pre-compromised entry points into enterprise networks, allows affiliates to expend their efforts on payload delivery, extortion, and negotiation rather than network penetration.

The RaaS platform comes with a negotiation portal and an affiliate panel, the latter of which allows cybercriminals to manage victims, build ransomware payloads for VMware ESXi, NAS, BSD, and Windows, and monitor operations. In a bid to entice more affiliates, the threat actors promise a revenue-sharing model of 85%.

“GLOBAL GROUP’s ransom negotiation panel features an automated system powered by AI-driven chatbots,” the Dutch security company said. “This enables non-English-speaking affiliates to engage victims more effectively.”

As of July 14, 2025, the RaaS group has claimed 17 victims in Australia, Brazil, Europe, and the United States, spanning healthcare, oil-and-gas equipment fabrication, industrial machinery and precision engineering, automotive repair, accident-recovery services, and large-scale business process outsourcing (BPO).

The links to BlackLock and Mamona stem from the use of the same Russian VPS provider IpServer and source code similarities with Mamona. Specifically, GLOBAL GROUP is said to be an evolution of Mamona with added features to enable domain-wide ransomware installation. What’s more, the malware is also written in Go, just like BlackLock.

“The creation of GLOBAL GROUP by BlackLock’s administrator is a deliberate strategy to modernize operations, expand revenue streams, and stay competitive in the ransomware market,” Büyükkaya said. “This new brand integrates AI-powered negotiation, mobile-friendly panels, and customizable payload builders, appealing to a broader pool of affiliates.”

The disclosure comes as the Qilin ransomware group emerged as the most active RaaS operation in June 2025, accounting for 81 victims. Other major players include Akira (34), Play (30), SafePay (27), and DragonForce (25).

“SafePay saw the steepest decline at 62.5%, suggesting a major pullback,” cybersecurity company CYFIRMA said. “DragonForce emerged rapidly, with attacks spiking by 212.5%.”

In all, the total number of ransomware victims has dropped from 545 in May to 463 in June 2025, a 15% decline. February tops this year’s list with 956 victims.

“Despite the decline in numbers, geopolitical tensions and high-profile cyber attacks highlight growing instability, potentially heightening the risk of cyber threats,” NCC Group noted late last month.

According to data gathered by Optiv’s Global Threat Intelligence Center (gTIC), 314 ransomware victims were listed on 74 unique data leak sites in Q1 2025, representing a 213% increase in the number of victims. A total of 56 variants were observed in Q1 2024.

“Ransomware operators continued to use tried-and-true methods to gain initial access to victims – social engineering/phishing, exploitation of software vulnerabilities, compromising exposed and insecure software, supply-chain attacks and leveraging the initial access broker (IAB) community,” Optiv researcher Emily Lee said.

Cybersecurity researchers have charted the evolution of a widely used remote access trojan called AsyncRAT, which was first released on GitHub in January 2019 and has since served as the foundation for several other variants.

“AsyncRAT has cemented its place as a cornerstone of modern malware and as a pervasive threat that has evolved into a sprawling network of forks and variants,” ESET researcher Nikola Knežević said in a report shared with The Hacker News.

“While its capabilities are not that impressive on their own, it is the open-source nature of AsyncRAT that has truly amplified its impact. Its plug-in-based architecture and ease of modification have sparked the proliferation of many forks, pushing the boundaries even further”

While AsyncRAT’s evolution highlights its technical adaptability, its real-world impact stems from how it’s deployed in opportunistic phishing campaigns and bundled with loaders like GuLoader or SmokeLoader. These delivery methods enable rapid distribution through cracked software, malicious ads, or fake updates—targeting users in both corporate and consumer environments. Without early detection, AsyncRAT often acts as a staging tool for follow-on payloads like ransomware or credential stealers.

First published on GitHub by NYAN CAT, the C#-based malware is equipped to capture screenshots, log keystrokes, steal credentials, and allow attackers to commandeer infected systems stealthily, exfiltrate data, and execute malicious instructions.

The modular tool’s simplicity and open-source nature, coupled with its modular architecture and enhanced stealth features, has not only made it very adaptable and harder to detect, but also an attractive option for threat actors, as evidenced by the myriad campaigns distributing the threat over the years.

The Slovak cybersecurity company said the “groundwork” for AsyncRAT was laid earlier by another open-source RAT known as Quasar RAT (aka CinaRAT or Yggdrasil) that has been available on GitHub since 2015. Although both the malware strains are coded in C#, the wide-ranging differences between them suggest that AsyncRAT was much more than a fork: It was a major rewrite.

The two pieces of malware are united by the use of the same custom cryptography classes used to decrypt the malware configuration settings. Since the release of AsyncRAT, the malware has spawned diverse variants, including DCRat (aka DarkCrystal RAT) and Venom RAT.

DCRat marks a significant improvement over AsyncRAT, packing in evasion techniques to fly under the radar and augmenting its capabilities to gather webcam data, microphone recordings, and Discord tokens, alongside even a module to encrypt files.

“DCRat also implements evasion techniques like AMSI and ETW patching, which work by disabling security features that detect and log malicious behavior,” ESET said. “Addi5onally, it features an anti-process system whereby processes whose names match those in a denylist are terminated.”

Venom RAT, on the other hand, is said to have been inspired by DCRat, while also packing in enough unique features of its own.

“While they indeed belong to the Quasar RAT family, they are still different RATs,” Rapid7 researcher Anna Širokova noted in an analysis of AsyncRAT and Venom RAT in November 2024. “Venom RAT presents more advanced evasion techniques, making it a more sophisticated threat.”

ESET said it also identified lesser-known variants of AsyncRAT, such as NonEuclid RAT, which incorporates plugins to brute-force SSH and FTP credentials, collect geolocation, act as a clipper by substituting clipboard data with the attacker’s cryptocurrency wallet addresses, and even spread the malware by compromising portable executable files with an arbitrary payload.

JasonRAT, for its part, introduces bespoke changes of its own, such as the ability to target systems based on country. Likewise, XieBroRAT features a browser credential stealer and a plugin to interact with Cobalt Strike servers via a reverse connection. It’s also adapted for the Chinese market.

“AsyncRAT’s rise and its subsequent forks highlight the inherent risks of open-source malware frameworks,” ESET said. “All of these forks not only extend AsyncRAT’s technical capabilities but also demonstrate how quickly and creatively threat actors can adapt and repurpose open-source code.”

“The widespread availability of such frameworks significantly lowers the barrier to entry for aspiring cybercriminals, enabling even novices to deploy sophisticated malware with minimal effort. This democratization of malware development – especially considering the rising popularity of LLMs and potential to misuse their capabilities – further accelerates the creation and customization of malicious tools, contributing to a rapidly expanding and increasingly complex threat landscape.”

This shift has also fueled the rise of malware-as-a-service (MaaS), where preconfigured AsyncRAT builders and plug-and-play modules are sold openly on Telegram and dark web forums. The growing overlap between open-source malware, penetration testing tools, and commercial remote access frameworks complicates attribution and defense.

For security teams, this means greater focus on behavioral detection, command-and-control (C2) analysis, and understanding how fileless persistence, clipboard hijacking, and credential theft converge in modern malware campaigns.

Jul 15, 2025The Hacker NewsAutomation / Risk Management

AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere; often with a high-privilege API key, OAuth token, or service account that defenders can’t easily see. These “invisible” non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers.

Astrix’s Field CTO Jonathan Sander put it bluntly in a recent Hacker News webinar:

“One dangerous habit we’ve had for a long time is trusting application logic to act as the guardrails. That doesn’t work when your AI agent is powered by LLMs that don’t stop and think when they’re about to do something wrong. They just do it.”

Why AI Agents Redefine Identity Risk

1. Autonomy changes everything: An AI agent can chain multiple API calls and modify data without a human in the loop. If the underlying credential is exposed or overprivileged, each additional action amplifies the blast radius.
2. LLMs behave unpredictably: Traditional code follows deterministic rules; large language models operate on probability. That means you cannot guarantee how or where an agent will use the access you grant it.
3. Existing IAM tools were built for humans: Most identity governance platforms focus on employees, not tokens. They lack the context to map which NHIs belong to which agents, who owns them, and what those identities can actually touch.

Treat AI Agents Like First-Class (Non-Human) Users

Successful security programs already apply “human-grade” controls like birth, life, and retirement to service accounts and machine credentials. Extending the same discipline to AI agents delivers quick wins without blocking business innovation.

Secure AI Agent Access

Enterprises shouldn’t have to choose between security and agility.

Astrix makes it easy to protect innovation without slowing it down, delivering all essential controls in one intuitive platform:

1. Discovery and Governance

Automatically discover and map all AI agents, including external and homegrown agents, with context into their associated NHIs, permissions, owners, and accessed environments. Prioritize remediation efforts based on automated risk scoring based on agent exposure levels and configuration weaknesses.

2. Lifecycle management

Manage AI agents and the NHIs they rely on from provisioning to decommissioning through automated ownership, policy enforcement, and streamlined remediation processes, without the manual overhead.

3. Threat detection & response

Continuously monitor AI agent activity to detect deviations, out-of-scope actions, and abnormal behaviors, while automating remediation with real-time alerts, workflows, and investigation guides.

The Instant Impact: From Risk to ROI in 30 Days

Within the first month of deploying Astrix, our customers consistently report three transformative business wins within the first month of deployment:

• Reduced risk, zero blind spots

  Automated discovery and a single source of truth for every AI agent, NHI, and secret reveal unauthorized third-party connections, over-entitled tokens, and policy violations the moment they appear. Short-lived, least-privileged identities prevent credential sprawl before it starts.

  “Astrix gave us full visibility into high-risk NHIs and helped us take action without slowing down the business.” – Albert Attias, Senior Director at Workday. Read Workday’s success story here.

• Audit-ready compliance, on demand

  Meet compliance requirements with scoped permissions, time-boxed access, and per-agent audit trails. Events are stamped at creation, giving security teams instant proof of ownership for regulatory frameworks such as NIST, PCI, and SOX, turning board-ready reports into a click-through exercise.

  “With Astrix, we gained visibility into over 900 non-human identities and automated ownership tracking, making audit prep a non-issue” – Brandon Wagner, Head of Information Security at Mercury. Read Mercury’s success story here.

• Productivity increased, not undermined

  Automated remediation enables engineers to integrate new AI workflows without waiting on manual reviews, while security gains real-time alerts for any deviation from policy. The result: faster releases, fewer fire drills, and a measurable boost to innovation velocity.

  “The time to value was much faster than other tools. What could have taken hours or days was compressed significantly with Astrix” – Carl Siva, CISO at Boomi. Read Boomi’s success story here.

The Bottom Line

AI agents unlock historic productivity, yet they also magnify the identity problem security teams have wrestled with for years. By treating every agent as an NHI, applying least privilege from day one, and leaning on automation for continuous enforcement, you can help your business embrace AI safely, instead of cleaning up the breach after attackers exploit a forgotten API key.

Ready to see your invisible identities? Visit astrix.security and schedule a live demo to map every AI agent and NHI in minutes.

Jul 15, 2025Ravie LakshmananCyber Espionage / Threat Intelligence

Governmental organizations in Southeast Asia are the target of a new campaign that aims to collect sensitive information by means of a previously undocumented Windows backdoor dubbed HazyBeacon.

The activity is being tracked by Palo Alto Networks Unit 42 under the moniker CL-STA-1020, where “CL” stands for “cluster” and “STA” refers to “state-backed motivation.”

“The threat actors behind this cluster of activity have been collecting sensitive information from government agencies, including information about recent tariffs and trade disputes,” security researcher Lior Rochberger said in a Monday analysis.

Southeast Asia has increasingly become a focal point for cyber espionage due to its role in sensitive trade negotiations, military modernization, and strategic alignment in the U.S.–China power dynamic. Targeting government agencies in this region can provide valuable intelligence on foreign policy direction, infrastructure planning, and internal regulatory shifts that influence regional and global markets.

The exact initial access vector used to deliver the malware is currently not known, although evidence shows the use of DLL side-loading techniques to deploy it on compromised hosts. Specifically, it involves planting a malicious version of a DLL called “mscorsvc.dll” along with the legitimate Windows executable, “mscorsvw.exe.”

Once the binary is launched, the DLL proceeds to establish communication with an attacker-controlled URL that allows it to execute arbitrary commands and download additional payloads. Persistence is achieved by means of a service that ensures the DLL is launched even after a reboot of the system.

HazyBeacon is notable for the fact that it leverages Amazon Web Services (AWS) Lambda URLs for command-and-control (C2) purposes, demonstrating threat actors’ continued abuse of legitimate services to fly under the radar and escape detection.

“AWS Lambda URLs are a feature of AWS Lambda that allows users to invoke serverless functions directly over HTTPS,” Rochberger explained. “This technique uses legitimate cloud functionality to hide in plain sight, creating a reliable, scalable and difficult-to-detect communication channel.”

Defenders should pay attention to outbound traffic to rarely used cloud endpoints like *.lambda-url.*.amazonaws.com, especially when initiated by unusual binaries or system services. While AWS usage itself isn’t suspicious, context-aware baselining—such as correlating process origins, parent-child execution chains, and endpoint behavior—can help distinguish legitimate activity from malware leveraging cloud-native evasion.

Downloaded among the payloads is a file collector module that’s responsible for harvesting files matching a specific set of extensions (e.g., doc, docx, xls, xlsx, and pdf) and within a time range. This includes attempts to search for files related to the recent tariff measures imposed by the United States.

The threat actor has also been found to employ other services like Google Drive and Dropbox as exfiltration channels so as to blend in with normal network traffic and transmit the gathered data. In the incident analyzed by Unit 42, attempts to upload the files to the cloud storage services are said to have been blocked.

In the final stage, the attackers run cleanup commands to avoid leaving traces of their activity, deleting all the archives of staged files and other payloads downloaded during the attack.

“The threat actors used HazyBeacon as the main tool for maintaining a foothold and collecting sensitive information from the affected governmental entities,” Rochberger said. “This campaign highlights how attackers continue to find new ways to abuse legitimate, trusted cloud services.”

HazyBeacon reflects a broader trend of advanced persistent threats using trusted platforms as covert channels—a tactic often referred to as “living off trusted services” (LOTS). As part of this cloud-based malware cluster, similar techniques have been observed in threats using Google Workspace, Microsoft Teams, or Dropbox APIs to evade detection and facilitate persistent access.

Jul 15, 2025Ravie LakshmananMalware / Web Security

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks.

The packages, per Socket, have attracted more than 17,000 downloads, and incorporate a previously undocumented version of a malware loader codenamed XORIndex. The activity is an expansion of an attack wave spotted last month that involved the distribution of 35 npm packages that deployed another loader referred to as HexEval.

“The Contagious Interview operation continues to follow a whack-a-mole dynamic, where defenders detect and report malicious packages, and North Korean threat actors quickly respond by uploading new variants using the same, similar, or slightly evolved playbooks,” Socket researcher Kirill Boychenko said.

Contagious Interview is the name assigned to a long-running campaign that seeks to entice developers into downloading and executing an open-source project as part of a purported coding assignment. First publicly disclosed in late 2023, the threat cluster is also tracked as DeceptiveDevelopment, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

The activity is believed to be complementary to Pyongyang’s infamous remote information technology (IT) worker scheme, adopting the strategy of targeting developers already employed in companies of interest rather than applying for a job.

The attack chains using malicious npm packages are fairly straightforward in that they serve as a conduit for a known JavaScript loader and stealer called BeaverTail, which is subsequently used to extract data from web browsers and cryptocurrency wallets, as well as deploy a Python backdoor referred to as InvisibleFerret.

“The two campaigns now operate in parallel. XORIndex has accumulated over 9,000 downloads in a short window (June to July 2025), while HexEval continues at a steady pace, with more than 8,000 additional downloads across the newly discovered packages,” Boychenko said.

The XORIndex Loader, like HexEval, profiles the compromised machine and uses endpoints associated with hard-coded command-and-control (C2) infrastructure to obtain the external IP address of the host. The collected information is then beaconed to a remote server, after which BeaverTail is launched.

Further analysis of these packages has uncovered a steady evolution of the loader, progressing from a bare-bones prototype to a sophisticated, stealthier malware. Early iterations have been found to lack in obfuscation and reconnaissance capabilities, while keeping their core functionality intact, with second and third-generation versions introducing rudimentary system reconnaissance capabilities.

“Contagious Interview threat actors will continue to diversify their malware portfolio, rotating through new npm maintainer aliases, reusing loaders such as HexEval Loader and malware families like BeaverTail and InvisibleFerret, and actively deploying newly observed variants including XORIndex Loader,” Boychenko said.

Jul 14, 2025The Hacker NewsSecrets Management / SaaS Security

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems

Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom.

This isn’t just about poor hygiene; it’s a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it’s essential.

Below, we look at the risk profile of exposed credentials and secrets in public and private code repositories, how this attack vector has been used in the past, and what you can do to minimize your exposure.

The Git Repo Threat Landscape

The threat landscape surrounding Git repositories is expanding rapidly, driven by a number of causes:

• Growing complexity of DevOps practices
• Widespread reliance on public version control platforms like GitHub
• Human error and all the misconfigurations that entail: from poorly applied access controls to forgotten test environments pushed to production

It’s no surprise that as development velocity increases, so does the opportunity for attackers to weaponize exposed code repositories. GitHub alone reported over 39 million leaked secrets in 2024—a 67% increase from the year before. These included cloud credentials, API tokens, and SSH keys. Most of these exposures originate from:

• Personal developer accounts
• Abandoned or forked projects
• Misconfigured or unaudited repositories

For attackers, these aren’t just mistakes, they’re entry points. Exposed Git repos offer a direct, low-friction pathway into internal systems and developer environments. What starts as a small oversight can escalate into a full-blown compromise, often without triggering any alerts.

How Do Attackers Leverage Exposed Git Repositories?

Public tools and scanners make it trivial to harvest secrets from exposed Git repositories, and attackers know how to pivot quickly from exposed code to compromised infrastructure.

Once inside a repository, attackers look for:

• Secrets and credentials: API keys, authentication tokens, and passwords. Often hidden in plain sight within config files or commit history.
• Infrastructure intel: Details about Internal systems such as hostnames, IPs, ports, or architectural diagrams.
• Business logic: Source code that can reveal vulnerabilities in authentication, session handling, or API access.

These insights are then weaponized for:

• Initial access: Attackers use valid credentials to authenticate into:
  • Cloud environments — e.g., AWS IAM roles via exposed access keys, Azure Service Principals
  • Databases — e.g., MongoDB, PostgreSQL, MySQL using hardcoded connection strings
  • SaaS platforms — leveraging API tokens found in config files or commit history
• Lateral movement: Once inside, attackers pivot further by:
  • Enumerating internal APIs using exposed OpenAPI/Swagger specs
  • Accessing CI/CD pipelines using leaked tokens from GitHub Actions, GitLab CI, or Jenkins
  • Using misconfigured permissions to move across internal services or cloud accounts
• Persistence and exfiltration: To maintain access and extract data over time, they:
  • Create new IAM users or SSH keys to stay embedded
  • Deploy malicious Lambda functions or containers to blend in with normal workloads
  • Exfiltrate data from S3 buckets, Azure Blob Storage, or logging platforms like CloudWatch and Log Analytics

A single leaked AWS key can expose an entire cloud footprint. A forgotten .git/config file or stale commit may still contain live credentials.

These exposures often bypass traditional perimeter defenses entirely. We’ve seen attackers pivot from exposed Git repositories → to developer laptops → to internal networks. This threat isn’t theoretical, it’s a kill chain we’ve validated in live production environments using Pentera.

Recommended Mitigation Strategies

Reducing exposure risk starts with the basics. While no single control can eliminate Git-based attacks, the following practices help reduce the likelihood of secrets leaking – and limit the impact when they do.

1. Secrets Management

• Store secrets outside your codebase using dedicated secret management solutions like HashiCorp Vault (open source), AWS Secrets Manager, or Azure Key Vault. These tools provide secure storage, fine-grained access control, and audit logging.
• Avoid hardcoding secrets in source files or configuration files. Instead, inject secrets at runtime via environment variables or secure APIs.
• Automate secret rotation to reduce the window of exposure.

2. Code Hygiene

• Enforce strict .gitignore policies to exclude files that may contain sensitive information, such as .env, config.yaml, or credentials.json.
• Integrate scanning tools like Gitleaks, Talisman, and git-secrets into developer workflows and CI/CD pipelines to catch secrets before they’re committed.

3. Access Controls

• Enforce the principle of least privilege across all Git repositories. Developers, CI/CD tools, and third-party integrations should only have the access they need – no more.
• Use short-lived tokens or time-bound credentials wherever possible.
• Enforce multi-factor authentication (MFA) and single sign-on (SSO) on Git platforms.
• Regularly audit user and machine access logs to identify excessive privileges or suspicious behavior.

Find Exposed Git Data Before Attackers Do

Exposed Git repositories are not an edge-case risk, but a mainstream attack vector especially in fast-moving DevOps environments. While secret scanners and hygiene practices are essential, they often fall short of providing the full picture. Attackers aren’t just reading your code; they’re using it as a map to walk right into your infrastructure.

Yet, even teams using best practices are left blind to one critical question: could an attacker actually use this exposure to break in? Securing your repositories requires more than just static checks. It calls for continuous validation, proactive remediation, and an adversary’s mindset. As compliance mandates tighten and attack surfaces expand, organizations must treat code exposure as a core part of their security strategy and not as an afterthought.

To learn more about how your team can do this, join the webinar They’re Out to Git You on July 23rd, 2025

Jul 14, 2025Ravie LakshmananMalware / Web Security

Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix.

“Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters,” The DFIR Report said in a technical analysis published today in collaboration with Proofpoint.

“The campaign begins with compromised websites injected with a single-line script hidden in the page’s HTML, often unbeknownst to site owners or visitors.”

The JavaScript code acts as a traffic distribution system (TDS), using IP filtering techniques to redirect users to fake CAPTCHA verification pages that leverage ClickFix to entice them into running a PowerShell script that leads to the deployment of NodeSnake (aka Interlock RAT).

The use of NodeSnake by Interlock was previously documented by Quorum Cyber as part of cyber attacks targeting local government and higher education organizations in the United Kingdom in January and March 2025. The malware facilitates persistent access, system reconnaissance, and remote command execution capabilities.

While the name of the malware is a reference to its Node.js foundations, new campaigns observed last month have led to the distribution of a PHP variant by means FileFix. The activity is assessed to be opportunistic in nature, aiming for a broad range of industries.

“This updated delivery mechanism has been observed deploying the PHP variant of the Interlock RAT, which in certain cases has then led to the deployment of the Node.js variant of the Interlock RAT,” the researchers said.

FileFix is an evolution of ClickFix that takes advantage of the Windows operating system’s ability to instruct victims into copying and executing commands using the File Explorer’s address bar feature. It was first detailed as a proof-of-concept (PoC) last month by security researcher mrd0x.

Once installed, the RAT malware carries out reconnaissance of the infected host and exfiltrate system information in JSON format. It also checks its own privileges to determine if it’s being run as USER, ADMIN, or SYSTEM, and establishes contact with a remote server to download and run EXE or DLL payloads.

Persistence on the machine is accomplished via Windows Registry changes, while the Remote Desktop Protocol (RDP) is used to enable lateral movement.

A noteworthy feature of the trojan is its abuse of Cloudflare Tunnel subdomains to obscure the true location of the command-and-control (C2) server. The malware further embeds hard-coded IP addresses as a fallback mechanism so as to ensure that the communication remains intact even if the Cloudflare Tunnel is taken down.

“This discovery highlights the continued evolution of the Interlock group’s tooling and their operational sophistication,” the researchers said. “While the Node.js variant of Interlock RAT was known for its use of Node.js, this variant leverages PHP, a common web scripting language, to gain and maintain access to victim networks.”

In cybersecurity, precision matters—and there’s little room for error. A small mistake, missed setting, or quiet misconfiguration can quickly lead to much bigger problems. The signs we’re seeing this week highlight deeper issues behind what might look like routine incidents: outdated tools, slow response to risks, and the ongoing gap between compliance and real security.

For anyone responsible for protecting systems, the key isn’t just reacting to alerts—it’s recognizing the larger patterns and hidden weak spots they reveal.

Here’s a breakdown of what’s unfolding across the cybersecurity world this week.

⚡ Threat of the Week

NCA Arrests for Alleged Scattered Spider Members — The U.K. National Crime Agency (NCA) announced that four people have been arrested in connection with cyber attacks targeting major retailers Marks & Spencer, Co-op, and Harrods. The arrested individuals include two men aged 19, a third aged 17, and a 20-year-old woman. They were apprehended in the West Midlands and London on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. They are believed to be associated with the notorious cybercrime group known as Scattered Spider, an offshoot of a loose-knit collective called The Com, which is responsible for a vast catalog of crimes, including social engineering, phishing, SIM swapping, extortion, sextortion, swatting, kidnapping, and murder.

🔔 Top News

• PerfektBlue Bluetooth Flaws Expose Millions of Vehicles to Remote Attacks — Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from Mercedes-Benz, Volkswagen, and Skoda. “PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),” PCA Cyber Security said. Volkswagen said the identified issues exclusively concern Bluetooth and that neither is vehicle safety nor integrity affected. It also noted that exploitation of the vulnerabilities is only possible when several conditions are met simultaneously.
• North Korean Hacker Behind Fraudulent IT Worker Scheme Sanctioned — The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Tuesday sanctioned a member of a North Korean hacking group called Andariel for their role in the infamous remote information technology (IT) worker scheme. Song Kum Hyok, 38, is alleged to have enabled the fraudulent operation by using foreign-hired IT workers to seek remote employment with U.S. companies and planning to split income with them. The sanctions mark the first time a threat actor linked to Andariel, a sub-cluster within the Lazarus Group, has been tied to the IT worker scheme. “While the Treasury’s announcement marks a formal public association of the Andariel (APT45) hacking group with North Korea’s remote IT worker operation, the connection reflects a much broader and long-running pattern,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News.
• Chinese Hacker Arrested for Silk Typhoon Attacks — A Chinese national has been arrested in Milan, Italy, for his alleged links to a state-sponsored hacking group known as Silk Typhoon and for carrying out cyber attacks against American organizations and government agencies. Xu Zewei, 33, has been accused of being involved in the U.S. computer intrusions between February 2020 and June 2021, including a mass attack spree that leveraged then-zero-day flaws in Microsoft Exchange Server, a cluster of activity the Windows maker designed as Hafnium. Xu, alongside co-defendant and Chinese national Zhang Yu, are believed to have undertaken the attacks based on directions issued by the Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB).
• Threat Weaponize Leaked Version of Shellter to Distributed Stealers — Hackers are exploiting a popular red teaming tool called Shellter to distribute stealer malware and remote access trojans. The campaigns are believed to have started in April 2025, around the same time a company that procured a licensed version of the software leaked a copy on cybercrime forums. “Although the Shellter Project is a victim in this case through intellectual property loss and future development time, other participants in the security space must now contend with real threats wielding more capable tools,” Elastic Security Labs said.
• Fortinet Patches Critical SQL Injection Flaw — Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. According to watchTowr Labs, the problem is rooted in the fact that a Bearer token Authorization header in a specially crafted HTTP request is passed directly to an SQL database query without adequate sanitization to make sure that it’s not harmful and does not include any malicious code. The disclosure comes as Sonar detailed multiple vulnerabilities in Fortinet’s FortiClient (CVE-2025-25251, CVE-2025-31365, CVE-2025-22855, CVE-2025-22859, and CVE-2025-31366) that, when chained together, grants an attacker complete organizational control with minimal user interaction. CVE-2025-22859 “enables an authenticated attacker to upload a stored XSS payload to a Linux-based EMS server,” security researcher Yaniv Nizry said. “Exploiting this vulnerability, an attacker can manipulate an EMS user into clicking a malicious link, forcing all registered endpoints to switch connection to a malicious EMS server without any interaction from the clients. This makes them susceptible to arbitrary code execution.”

‎️‍🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week’s list includes — CVE-2025-47227, CVE-2025-47228 (ScriptCase), CVE-2025-24269, CVE-2025-24235 (SMBClient), CVE-2025-30012, CVE-2025-42963, CVE-2025-42964, CVE-2025-42966, and CVE-2025-42980 (SAP), CVE-2025-52488 (DNN), CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, CVE-2025-6243 (Ruckus Wireless), CVE-2025-52434, CVE-2025-52520, CVE-2025-53506 (Apache Tomcat), CVE-2025-6948 (GitLab CE/EE), CVE-2025-0141 (Palo Alto Networks GlobalProtect App), CVE-2025-6691 (SureForms plugin), CVE-2025-7206 (D-Link DIR-825), CVE-2025-32353, CVE-2025-32874 (Kaseya RapidFire Tools Network Detective), CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, CVE-2025-7029 (Gigabyte UEFI), CVE-2025-1727 (End-of-Train and Head-of-Train devices), and a critical double free vulnerability in the Linux kernel’s pipapo set module.

📰 Around the Cyber World

• Atomic Stealer Gets a Backdoor Feature — The macOS information stealer known as Atomic Stealer (aka AMOS) has been updated with an embedded backdoor to obtain persistent access to compromised systems. The new component allows executing arbitrary remote commands, gaining full user-level access, and even surviving reboots, allowing attackers to maintain control over infected hosts indefinitely. According to Moonlock Lab, campaigns distributing Atomic have recently shifted from broad distribution channels like cracked software sites to targeted phishing aimed at cryptocurrency owners and using staged job interview invitations to infect freelancers. The United States, France, Italy, the United Kingdom, and Canada are among the most affected by the stealer malware. It is only the second known case of backdoor deployment at a global scale targeting macOS users, after North Korea. “The upgrade to AMOS represents a significant escalation in both capability and intent, whether the changes were made by the original malware authors or by someone else modifying the code,” the company said. “It’s clear that the Russia-affiliated authors of Atomic macOS Stealer are following in the footsteps of North Korean attack groups.”

• Call of Duty Makers Takes Game Offline After Reports of RCE Exploit — The makers of Call of Duty: World War 2 announced that the PC version of the game has been taken offline following “reports of an issue.” The issue appears to be a security problem, specifically a remote code execution (RCE) vulnerability in the popular video game that could allow an attacker to take over others’ PCs during live multi-player matches. The RCE exploit has been found to be abused to open command prompts on victim PCs, send mocking messages via Notepad, and forcibly shut down players’ computers, among others. Activision has not officially commented on the issue, but it’s said to be working to remediate the bug.
• BaitTrap Uses Over 17K Sites to Push Scams — A network of more than 17,000 websites is mimicking trusted brands, including CNN, BBC and CNBC, to redirect visitors to online scams. The BaitTrap network uses Google and Meta ads, social media posts, and YouTube videos to lure victims. The bogus sites typically collect personal information and attempt to hijack online crypto accounts. They target audiences in more than 50 countries all over the globe. The sites publish fake stories featuring prominent public figures, including national leaders and central bank governors, and falsely link those figures to “fabricated investment schemes in order to build trust and get engagement from victims.”
• Dutch Police Arrest 5 Phishing Gang Members — Dutch police have arrested five members of a phishing gang that operated out of the city of Lelystad. Four of the group’s members are teenagers aged 14 to 17. Authorities said the suspects used QR codes sent via email to collect login credentials for local banks. In a related law enforcement development, Nepalese authorities have apprehended 52 people for allegedly running online dating and crypto investment scams. The group ran a call center and a dating app called METOO to lure young Nepali women and facilitate fraudulent online transactions. Six of the detained suspects are Chinese and are believed to have managed the operation.
• German Court Orders Meta to Pay €5K Over GDPR Violation — A German court has ruled that Meta must pay €5,000 ($5,900) to a German Facebook user who sued the platform for embedding its Pixel tracking technology in third-party websites. The ruling could open the door to large fines down the road over data privacy violations relating to similar tracking tools. The Regional Court of Leipzig in Germany ruled that Meta tracking pixels and software development kits embedded in countless websites and apps collect users’ data without their consent and violate the continent’s General Data Protection Regulation (GDPR). “Every user is individually identifiable to Meta at all times as soon as they visit the third-party websites or use an app, even if they have not logged in via the Instagram and Facebook account,” the court said.
• LFI Flaw in Microsoft Export to PDF Feature — A Local File Inclusion (LFI) vulnerability has been disclosed in Microsoft 365’s Export to PDF functionality, potentially allowing attackers to access sensitive internal data when converting HTML documents to PDF. The vulnerability, reported by security researcher Gianluca Baldi, was subsequently patched by Microsoft, earning them a $3,000 bounty reward. “It turned out there was an undocumented behavior that allowed converting from HTML to PDF files,” Baldi said. “By embedding specific tags (<embed>, <object>, and <iframe>) into the HTML content, an attacker could force the inclusion of local files from the server’s file system into the resulting PDF—even files located outside the server’s root directory.”
• Unpatched Flaws in Ruckus Wireless — Multiple unpatched security flaws have been disclosed (CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, and CVE-2025-6243) in Ruckus Wireless management products Virtual SmartZone (vSZ) and Network Director (RND) could be exploited by an attacker to leak sensitive information and compromise the wireless environment. The flaws include authentication bypass, hard-coded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. “An attacker with network access to Ruckus Wireless vSZ can exploit CVE-2025-44954 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment,” CERT/CC said. “Furthermore, multiple vulnerabilities can be chained to create chained attacks that can allow the attacker to combine attacks to bypass any security controls that prevent only specific attacks.” Noam Moshe of Claroty Team82 has been credited with discovering and reporting the issues. In the absence of patches, users are advised to limit access to trusted users and their authenticated clients to manage the infrastructure via a secure protocol like HTTPS or SSH.
• Security Flaws in Gigabyte UEFI — Multiple security flaws have been disclosed in UEFI modules present in Gigabyte firmware (CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7029) that an attacker could exploit to elevate privileges and execute arbitrary code in the System Management Mode (SMM) environment of a UEFI-supported processor. “An attacker with local or remote administrative privileges may exploit these vulnerabilities to execute arbitrary code in System Management Mode (Ring -2), bypassing OS-level protections,” CERT/CC said. “These vulnerabilities can be triggered via SMI handlers from within the operating system, or in certain cases, during early boot phases, sleep states, or recovery modes – before the OS fully loads.” Successful exploitation of the vulnerabilities can disable UEFI security mechanisms such as Secure Boot and Intel BootGuard, facilitating stealthy firmware implants and persistent control over the system. The flaws were discovered and reported by Binarly.
• Android did not have a patch for the first time in July 2025 in a Decade — Google announced that no security patches have been released for Android and Pixel devices for the month of July 2025, ending a decade-long streak of security updates. This is the first month no security updates have been released since Google started rolling out monthly Android fixes in August 2015.
• Indonesia Extradites Russian National for Selling Personal Data on Telegram — Indonesia has extradited a Russian citizen named Alexander Zverev for allegedly running a Telegram channel that sold personal data obtained from law enforcement databases. Russian authorities claimed that Zverev operated an unnamed criminal network between 2018 and 2021 that profited from selling sensitive personal information sourced from databases belonging to Russia’s Interior Ministry (MVD), Federal Security Service (FSB), and mobile phone operators. Subscribers of the Telegram channel could allegedly purchase details about Russian citizens, including private information. Authorities have not disclosed the name of the channel or whether it is currently operational.
• Law Enforcement Catches Up on Ransomware Actors — The Brussels criminal court sentenced the Russian developer of Crylock ransomware to seven years in prison for masterminding the malware’s deployment on thousands of computers. His former co-conspirator, a female involved in advertising Crylock and negotiating with the victims, was sentenced to five years. More than €60 million (~$70 million) in cryptocurrency representing illegal proceeds from the ransomware operation have been seized by law enforcement. The development came as French authorities arrested a 26-year-old Russian basketball player for his alleged role in ransomware attacks. Daniil Kasatkin was arrested on June 21, 2025, at the Charles de Gaulle Airport in Paris at the request of U.S. authorities. It’s alleged that Kasatkin helped an unnamed ransomware gang negotiate ransoms. Kasatkin’s lawyer denied the charges and claimed his client had no technical skills. “He bought a second-hand computer. He did absolutely nothing. He’s shocked,” his lawyer, Frédéric Bélot, told AFP. “He’s useless with computers and can’t even install an application. He didn’t touch anything on the computer: it was either hacked, or the hacker sold it to him to act under the cover of another person.” He’s currently being held pending extradition to the U.S. The ransomware group Kasatkin was allegedly involved with has not been named, but is said to have attacked roughly 900 companies. The U.S. Federal Bureau of Investigation (FBI) said recently that it’s aware of 900 organizations hit by the Play ransomware group.
• RansomedVC Returns After Hiatus; Leaks Medusa Data — The RansomedVC ransomware group has returned after a two-year absence and leaked the internal chat transcripts of the Medusa ransomware group from December 11, 2022, to March 2023. RansomedVC claimed Medusa’s admin “seems completely absent and unresponsive to the needs of his members” and indicated that they may either be trying an exit scam or might have been compromised by law enforcement. “From the transcript and analyzing previous events, the group is mainly focused on targeting Fortinet Access as an SQLi Vulnerability was exploited by the group in 2024 and the current leaked chat that mentions ‘Forti’ also underlines its importance which dates back to 2023,” security researcher Rakesh Krishnan said. The development coincides with the emergence of new players, including BERT. Another ransomware group, SafePay, which emerged last year has since evolved to become “one of the most active and dangerous actors,” mainly targeting managed service providers (MSPs) and small-to-midsize businesses (SMBs). “The group uses classic but effective techniques: RDP- and VPN-based intrusion, credential theft, privilege escalation and living-off-the-land binaries to quietly move through victim networks, exfiltrate sensitive data and then encrypt files,” Acronis said. Ransomware assaults on businesses around the world have increased by 213% in the first quarter of 2025, with 2,314 victims reported over 74 distinct data breach sites, compared to just 1,086 in the first quarter of 2024.
• Disgruntled IT Worker Jailed for Cyber Attack — Mohammed Umar Taj, 31, of Hyrst Garth, Batley, U.K., was sentenced to seven months and 14 days in prison for unlawfully accessing his former employer’s premises, altering login credentials, and changing access credentials and multi-factor authentication configuration to disrupt the company’s operations. He was suspended from work in July 2022.
• Hacker Behind GMX Exchange Returns Assets — An unknown hacker behind the $42 million theft from decentralized exchange GMX has returned the stolen assets in return for a $5 million bug bounty. The development happened after GMX promised not to pursue charges if the hacker returned the funds. In a post-mortem report, the company said it has addressed the root cause in a subsequent update. “Based on a review of the incident by contributors, auditors and security researchers, the root cause of the exploit is a reentrancy attack,” it said. “By utilizing this reentrancy and bypassing the average short price calculations, the attacker was able to open positions and manipulate the average short price for BTC downwards from the initial value of $109,505.77 to $1,913.70.”
• Flaws in Thermomix TM5 Appliance — A security analysis of Thermomix TM5’s has uncovered several weaknesses that could render the kitchen appliance susceptible to firmware downgrade attacks (limited to versions prior to 2.14. Version 2.14) and secure boot bypass, allowing an attacker to gain persistence. “This vulnerability can be chained with the firmware downgrade vulnerability to gain arbitrary code execution and apply a controlled firmware update file without messing up with the NAND flash,” Synacktiv said. “By exploiting these flaws, one can alter the firmware version block to bypass anti-downgrade protections, downgrade the firmware, and potentially execute arbitrary code.”
• API Client Security Risks Detailed — An analysis of API clients like Postman, Insomnia, Bruno, and Hoppscotch has uncovered potential vulnerabilities within their JavaScript sandboxing implementations that could be exploited to achieve code execution. “Running untrusted code without any isolation is, of course, a bad idea, but it is also problematic to use seemingly working solutions such as Node.js’s built-in vm module or the third-party vm2 package,” Sonar researchers Oskar Zeino-Mahmalat and Paul Gerste said. “These are known to have bypasses that let malicious code escape the sandbox and get access to system resources.”
• Ubuntu Turns Off Intel GPU Security Mitigations — Ubuntu has disabled a security feature that protected Intel GPUs against Spectre side-channel attacks. Canonical said it now uses kernel-level protections, making it no longer necessary to have those safeguards. Ubuntu developers can expect the operating system to see a 20% in improvement in performance following the update. “After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level,” Ubuntu maintainers said. “At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.”
• Botnet Engages in Web Scraping — A new botnet comprising more than 3,600 unique IP addresses has been observed involved in web scraping activity at least since April 19, 2025. The majority of the botnet’s infected hosts are located in Taiwan, Japan, Bulgaria, and France, GreyNoise said, with targeted systems predominantly located in the United States and United Kingdom. “The dominance of Taiwanese IP space could suggest: A common technology or service deployed widely in Taiwan has been compromised, or that local exposure to a shared vulnerability is driving the clustering,” the threat intelligence firm said.
• Czechia Becomes the Latest Country to Issue Warning About DeepSeek — Czechia’s cybersecurity agency, the National Cyber and Information Security Agency (NÚKIB), issued a formal warning detailing the national security risks posed by the use of software provided by Chinese artificial intelligence company DeepSeek. “The primary security concerns stem from insufficient protection of data transmission and handling, from the collection of data types which, in greater volume, may lead to user deanonymization, and lastly, from the legal and political environment of the People’s Republic of China to which the company DeepSeek is fully subject,” NÚKIB said. To that end, the government has banned the use of DeepSeek on state-owned devices, urging the public to be mindful of the information shared with the platform. However, NÚKIB noted that the decision does not apply to open-source large language models (LLMs) developed by the company DeepSeek, provided that their source code is made available for review and can be deployed locally without any contact with servers associated with DeepSeek or its related entities. Several other nations, including Canada, Germany, Italy, the Netherlands, South Korea, and Taiwan, have issued similar warnings.
• TikTok Comes Under E.U. Radar Again — Ireland’s Data Protection Commission (DPC) said it’s opening a probe into TikTok over the transfer of user data in the European Union to servers located in China. “The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers [under GDPR],” the DPC said. The development comes a little more than two months after the DPC fined TikTok €530 million ($620 million) for infringing data protection regulations in the region by transferring European users’ data to China and for allowing TikTok’s China-based staff access European user data. TikTok, which is owned by China’s ByteDance, has been the subject of intense scrutiny on both sides of the Atlantic over how it handles personal user information amid concerns that it poses a national security risk. As per stringent data protection laws in the region, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection. TikTok is also facing the heat in the United Kingdom after the First-tier Tribunal ruled that the Information Commissioner’s Office (ICO), the British data regulator, has the power to issue a monetary penalty notice (MPN) to TikTok. The ICO fined TikTok £12.7 million in 2023, but the company argued that “its processing was for artistic purposes, so the ‘special purposes’ provisions applied.”
• Google Details Advanced Protection in Android — Back in May 2025, Google launched Advanced Protection, a security feature that “ensures all of Android’s highest security features are enabled and are seamlessly working together to safeguard you against online attacks, harmful apps, and data risks.” Similar to Lockdown Mode in Apple iOS, iPadOS, and macOS devices, Advanced Protection aims to provide improved guardrails for journalists and other high-risk targets. In Google Chrome, this includes always using secure connections, full site isolation on mobile devices with 4GB+ RAM to keep malicious sites away from legitimate sites, and disabling JavaScript optimizations.
• SatanLock Announces Abrupt Shutdown — SatanLock, a newer ransomware group on the threat landscape, has announced that it will be shutting down. The exact reasons behind the sudden move is unclear. The group first emerged in early April, and published 67 victims within a span of a month. However, Check Point found that 65% of these victims had already been listed by other ransomware groups.
• Russia Rejects Law to Legalize White-Hat Hacking — Russia’s State Duma has rejected legislation that would have legalized ethical hacking, citing national security concerns. Politicians expressed worries that finding vulnerabilities found in software made by companies headquartered in hostile countries would require sharing them, which, in turn, could lead to those nations abusing the defects for strategic gain, local media reported.
• GitHub Repos Used to Distribute Malware as Free VPN — Threat actors have been observed using GitHub as a mechanism for staging stealer malware like Lumma by disguising it as ‘Free VPN for PC and Minecraft Skin Changer. “The analysis of the ‘Free-VPN-For-PC’ sample revealed that, behind its seemingly legitimate facade, it functions as a sophisticated malware dropper designed to implant the Lumma Stealer,” CYFIRMA said. “Disguised as a helpful tool, the dropper uses multiple layers of obfuscation, in-memory execution, and process injection to evade detection. The same malware was also repackaged under the name ‘Minecraft Skin,’ indicating a broader social engineering tactic targeting different user interests.”
• NFC-Enabled Fraud Targets Philippines’ Financial Sector — Chinese mobile malware syndicates that rely on NFC relay attacks have now spread to the Philippines, Resecurity revealed. “Major underground shops managed by Chinese cybercriminals list the Philippines as one of the most impacted areas, based on the volume of compromised credit cards (CCs),” the company said. Some of the other top regions targeted by Chinese cybercriminals include Australia, Taiwan, Malaysia, New Zealand, Singapore, Thailand, Hong Kong, Korea, and Indonesia. These groups, active on Telegram, enable fraudsters to acquire compromised cards and also check whether they are valid or not, using micro-charges performed via fraudulent merchants set up by Chinese cybercriminals. Attackers can then use tools like Z-NFC, X-NFC, SuperCard X, Track2NFC to clone stolen card data and perform unauthorized transactions using NFC-enabled devices.
• GitPhish Tool to Automate GitHub Device Code Phishing — Cybersecurity researchers have demonstrated a novel initial access vector that leverages the OAuth 2.0 Device Authorization Grant flow to compromise an organization’s GitHub repositories and software supply chain. Called Device Code Phishing, the technique employs social engineering ploys to trick targets into entering an eight-digit device code by clicking on an attacker-provided link, potentially leading to complete compromise of organizational GitHub repositories and software supply chains. It’s worth noting that device code phishing has been utilized by suspected Russian threat actors to gain access to Microsoft accounts. “We designed GitPhish explicitly for security teams looking to conduct assessments and build detection capabilities around Device Code Phishing in GitHub,” Praetorian said. “Red teamers can simulate realistic attack scenarios to test organizational resilience, while detection engineers can validate their ability to identify suspicious OAuth flows, unusual GitHub authentication patterns, and potential social engineering attempts.”
• Malicious Browser Extensions Galore — A set of 18 malicious extensions with 2.3 million downloads in Google’s Chrome Web Store and Microsoft Edge Addons have been found to incorporate features to track users’ site visits, steal browser activity, and redirect to potentially unsafe sites. These add-ons pose as productivity and entertainment tools across diverse categories, including color pickers, emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters and YouTube unblockers. While they offer the advertised functionality, they provide the perfect cover to conceal their browser surveillance and hijacking capabilities. The activity has been codenamed RedDirection by Koi Security. What makes the campaign concerning is that the extensions started off as benign tools, with the malicious code introduced at a later time via updates, in some cases after years. Last month, LayerX revealed that it had identified a network of malicious “sleeper agent” extensions that are likely being set up as a stepping stone for future activity. These extensions were identified as being installed nearly 1.5 million times. One of the extensions that’s common to both these clusters is “Volume Max — Ultimate Sound Booster” (extension ID: mgbhdehiapbjamfgekfpebmhmnmcmemg). The disclosure coincides with another campaign uncovered by Secure Annex dubbed Mellow Drama, which has transformed hundreds of extensions incorporating a Mellowtel library into a distributed web scraping network. The extensions have been collectively installed nearly 1 million times. “We discovered a new monetization library developed by Mellowtel that pays extension developers in exchange for the ‘unused bandwidth’ of users who have an extension installed,” John Tuckner said. The library has been traced back to an individual named Arslan Ali, who is also the founder of a company called Olostep that claims to offer the “world’s Most Reliable and Cost-effective Web Scraping API.” It’s believed that scraping requests from Olostep are distributed to any of the active extensions that are running the Mellowtel library. Mellowtel has since responded, stating it does not collect or sell users’ personal data. “Instead of collecting users’ data, tracking them across the web, and showing them ads non-stop, we are building a monetization engine for developers based on bandwidth/resource sharing,” Ali said.

🎥 Cybersecurity Webinars

• Stop ‘Pip Install and Pray’: How to Secure Your Python Supply Chain in 2025 – Repojacking, typosquatting, and poisoned containers are turning trusted tools into attack vectors. Whether you’re managing infrastructure or writing code, securing your Python environment is no longer optional. Learn how to take control before attackers do.
• From Login Fatigue to AI Fatigue: Securing Identity in 2025 – AI is streamlining logins—but it’s also raising alarm bells. Customers are growing wary of how their data is used, and trust is becoming harder to earn. This webinar reveals how leading brands are rebuilding digital trust while staying secure and user-friendly.
• From Copilots to Attack Bots: Securing the AI Identity Layer – As AI copilots and agents go mainstream, attackers are using the same tools to bypass logins, impersonate users, and exploit APIs. In this webinar, Okta reveals how to outpace AI threats by making identity your first—and last—line of defense.

🔧 Cybersecurity Tools

• BitChat – It is a tool that lets you chat without the internet, servers, or even phone numbers—just Bluetooth. It builds a local mesh network between nearby devices, enabling fully offline communication. Public group chats are secure and ready to use. Private messages and channels are still under development and haven’t been externally reviewed, so they’re not recommended for sensitive conversations just yet.
• GitPhish – It is a tool for testing GitHub’s device login flow in a security research setting. It helps stimulate phishing-style attacks by creating fake login pages, capturing tokens, and tracking activity. Built for ethical testing, it includes a dashboard, automated deployments, and logging—all meant for use in safe, authorized environments only.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Map Known Vulnerabilities Automatically Across Your Stack — Manually checking for CVEs is slow, incomplete, and easy to get wrong. Instead, use automated tools that correlate software versions with known vulnerabilities across your entire environment—both internal and internet-facing.

Start with Nmap and tools like CVEScannerV2 or Vulners NSE to scan live services for exposed software versions and match them to CVE databases. For deeper insights:

• Use tools like Nuclei (customizable vulnerability templates), Trivy (container + system CVEs), and Grype (SBOM-based scanning).
• Monitor third-party components with OSV-Scanner or Dependency-Track if you’re building software.
• Set up scheduled scans and use tools that integrate with ticketing systems to ensure teams actually act on the findings.

Finally, filter out noise—not every CVE is worth patching. Focus on CVEs with public exploits, high CVSS scores, and exposure to users or attackers.

Pro tip: Always validate findings with real-world exploitability, not just version matches.

Conclusion

What stands out this week isn’t just the scale of incidents—it’s how familiar tools, platforms, and even browser extensions are being quietly turned against us. From red teaming software reappearing as malware loaders to code libraries enabling stealth attacks, the line between legitimate use and exploitation keeps getting harder to see. When trusted environments become part of the attack chain, security teams must look beyond patching and start questioning assumptions about what’s safe by default.

Staying ahead means paying just as much attention to what’s already inside the gates as what’s trying to break in.

Jul 14, 2025Ravie LakshmananCybercrime / Law Enforcement

India’s Central Bureau of Investigation (CBI) has announced that it has taken steps to dismantle what it said was a transnational cybercrime syndicate that carried out “sophisticated” tech support scams targeting citizens of Australia and the United Kingdom.

The fraudulent scheme is estimated to have led to losses worth more than £390,000 ($525,000) in the United Kingdom alone.

The law enforcement effort, which was carried out on July 7, 2025, as part of Operation Chakra V, involved searches at three locations in Noida, one of which was a fully functional fraudulent call center operating from the Noida Special Economic Zone.

Evidence gathered by the CBI revealed that the call center, named FirstIdea, made use of advanced calling infrastructure and malicious scripts to facilitate cross-border anonymity and victim targeting at scale. A total of two arrests have been made, including a key operative partner of FirstIdea.

“The operation was meticulously timed with the time zones of the victims, resulting in the detection of live scam calls in progress during the raids,” the CBI said in a press statement.

The syndicate, the agency added, masqueraded as technical support staff of reputed multinational companies, including Microsoft with an intent to cheat foreign nationals by falsely claiming that their devices were compromised and extort money from them to address non-existent technical problems.

The U.K. National Crime Agency (NCA) said the arrest and disruption was the result of 18 months of “groundbreaking collaboration” between CBI, NCA, the U.S. Federal Bureau of Investigation (FBI), and Microsoft to identify the organized crime group and target the IT infrastructure used.

More than 100 people in the United Kingdom are said to have fallen prey to the tech support scam, which involved the threat actors using spoofed phone numbers and Voice Over Internet Protocol (VoIP) to route calls through multiple servers in several countries.

“More than 100 U.K. victims had been contacted by a group offering to fix their computers for a fee, following a screen pop up that suggested their device was infected or had been hacked,” the NCA noted. “In reality, the fraudsters were posing as employees of Microsoft, offering software solutions to an attack that had never taken place.”

The development comes as Nikkei Asia revealed that the number of scam centers used to pull off crypto scams in eastern Myanmar is continuing to expand at a rapid pace despite a crackdown earlier this February, with at least 16 suspected scam sites being documented and construction ongoing at eight of them.

Jul 14, 2025Ravie LakshmananMobile Security / Vulnerability

Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks.

The issues impact the Kigen eUICC card. According to the Irish company’s website, more than two billion SIMs in IoT devices have been enabled as of December 2020.

The findings come from Security Explorations, a research lab of AG Security Research company. Kigen awarded the company a $30,000 bounty for their report.

An eSIM, or embedded SIM, is a digital SIM card that’s embedded directly into a device as software installed onto an Embedded Universal Integrated Circuit Card (eUICC) chip.

eSIMs allow users to activate a cellular plan from a carrier without the need for a physical SIM card. eUICC software offers the ability to change operator profiles, remote provisioning, and management of SIM profiles.

“The eUICC card makes it possible to install the so-called eSIM profiles into the target chip,” Security Explorations said. “eSIM profiles are software representations of mobile subscriptions.”

According to an advisory released by Kigen, the vulnerability is rooted in the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, which is said to be used in eSIM products for radio compliance testing.

Specifically, the shortcoming allows for the installation of non-verified, and potentially malicious applets. GSMA TS.48 v7.0, released last month, mitigates the problem by restricting the use of the test profile. All other versions of the TS.48 specification have been deprecated.

“Successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys,” Kigen said. “This enables the attacker to install a malicious JavaCard applet.”

Furthermore, the vulnerability could facilitate the extraction of the Kigen eUICC identity certificate, thereby making it possible to download arbitrary profiles from mobile network operators (MNOs) in cleartext, access MNO secrets, and tamper with profiles and put them into an arbitrary eUICC without being flagged by MNO.

Security Explorations said the findings build upon its own prior research from 2019, which found multiple security vulnerabilities in Oracle Java Card that could pave the way for the deployment of a persistent backdoor in the card. One of the flaws also impacted Gemalto SIM, which relies on the Java Card technology.

These security defects can be exploited to “break memory safety of the underlying Java Card VM” and gain full access to the card’s memory, break the applet firewall, and potentially even achieve native code execution.

However, Oracle downplayed the potential impact and indicated that the “security concerns” did not affect their production of Java Card VM. Security Explorations said these “concerns” have now been proven to be “real bugs.”

The attacks might sound prohibitive to execute, but, to the contrary, they are well within the reach of capable nation-state groups. They could allow the attackers to compromise an eSIM card and deploy a stealthy backdoor, effectively intercepting all communications.

“The downloaded profile can be potentially modified in such a way, so that the operator loses control over the profile (no ability for remote control / no ability to disable/invalidate it, etc.), the operator can be provided with a completely false view of the profile state or all of its activity can be subject to monitoring,” the company added.

“In our opinion, the ability for a single broken eUICC / single eUICC GSMA cert theft to peek into (download in plaintext) eSIMs of arbitrary MNO constitutes a significant eSIM architecture weak point.”