2025-10-25 AI创业新闻
Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation
The threat actors behind a large-scale, ongoing smishing campaign have been attributed to more than 194,000 malicious domains since January 1, 2024, targeting a broad range of services across the world, according to new findings from Palo Alto Networks Unit 42. “Although these domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the attack infrastructure is primarily hosted on popular U.S. cloud services,” security researchers Reethika Ramesh, Zhanhao Chen, Daiping Liu, Chi-Wei Liu, Shehroze Farooqi, and Moe Ghasemisharif said . The activity has been attributed to a China-linked group known as the Smishing Triad , which is known to flood mobile devices with fraudulent toll violation and package misdelivery notices to trick users into taking immediate action and providing sensitive information.
These campaigns have proven to be lucrative, allowing the threat actors to make more than $1 billion over the last three years, according to a recent report from The Wall Street Journal. In a report published earlier this week, Fortra said phishing kits associated with the Smishing Triad are being used to increasingly target brokerage accounts to obtain banking credentials and authentication codes, with attacks targeting these accounts witnessing a fivefold jump in the second quarter of 2025 compared to the same period last year. “Once compromised, attackers manipulate stock market prices using ‘ramp and dump’ tactics,” security researcher Alexis Ober said . “These methods leave almost no paper trail, further heightening the financial risks that arise from this threat.” The adversarial collective is said to have evolved from a dedicated phishing kit purveyor into a “highly active community” that brings together disparate threat actors, each of whom plays a crucial role in the phishing-as-a-service (PhaaS) ecosystem.
This includes phishing kit developers, data brokers (who sell target phone numbers), domain sellers (who register disposable domains for hosting the phishing sites), hosting providers (who provide servers), spammers (who deliver the messages to victims at scale), liveness scanners (who validate phone numbers), and blocklist scanners (who check the phishing domains against known blocklists for rotation). The PhaaS ecosystem of the Smishing Triad Unit 42’s analysis has revealed that nearly 93,200 of the 136,933 root domains (68.06%) are registered under Dominet (HK) Limited, a registrar based in Hong Kong. Domains with the prefix “com” account for a significant majority, although there has been an increase in the registration of “gov” domains in the past three months. Of the identified domains, 39,964 (29.19%) were active for two days or less, 71.3% of them were active for less than a week, 82.6% of them were active for two weeks or less, and less than 6% had a lifespan beyond the first three months of their registration.
“This rapid churn clearly demonstrates that the campaign’s strategy relies on a continuous cycle of newly registered domains to evade detection,” the cybersecurity company noted, adding the 194,345 fully qualified domain names (FQDNs) used in the resolve to as many as 43,494 unique IP addresses, most of which are in the U.S. and hosted on Cloudflare ( AS13335 ). Some of the other salient aspects of the infrastructure analysis are below - The U.S. Postal Service (USPS) is the single most impersonated service with 28,045 FQDNs.
Campaigns using toll services lures are the most impersonated category, with about 90,000 dedicated phishing FQDNs. The attack infrastructure for domains generating the largest volume of traffic is located in the U.S., followed by China and Singapore. The campaigns have mimicked banks, cryptocurrency exchanges, mail and delivery services, police forces, state-owned enterprises, electronic tolls, carpooling applications, hospitality services, social media, and e-commerce platforms in Russia, Poland, and Lithuania. In phishing campaigns impersonating government services, users are often redirected to landing pages that claim unpaid toll and other service charges, in some cases even leveraging ClickFix lures to trick them into running malicious code under the pretext of completing a CAPTCHA check.
“The smishing campaign impersonating U.S. toll services is not isolated,” Unit 42 said. “It is instead a large-scale campaign with global reach, impersonating many services across different sectors. The threat is highly decentralized.
Attackers are registering and churning through thousands of domains daily.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation
Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with a proof-of-concept (Poc) exploit publicly available and has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH, have been acknowledged for discovering and reporting the bug. The shortcoming concerns a case of deserialization of untrusted data in WSUS that allows an unauthorized attacker to execute code over a network.
It’s worth noting that the vulnerability does not impact Windows servers that do not have the WSUS Server Role enabled. In a hypothetical attack scenario, a remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a “legacy serialization mechanism,” leading to remote code execution. According to HawkTrace security researcher Batuhan Er , the issue “arises from the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint, where encrypted cookie data is decrypted using AES-128-CBC and subsequently deserialized through BinaryFormatter without proper type validation, enabling remote code execution with SYSTEM privileges.” It’s worth noting that Microsoft itself previously recommended developers to stop using BinaryFormatter for deserialization, owing to the fact that the method is not safe when used with untrusted input. An implementation of BinaryFormatter was subsequently removed from .NET 9 in August 2024.
.NET executable deployed via CVE‑2025‑59287 “To comprehensively address CVE-2025-59287, Microsoft has released an out of band security update for the following supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition (Server Core installation), and Windows Server 2025,” Redmond said in an update. Once the patch is installed, it’s advised to perform a system reboot for the update to take effect. If applying the out-of-band is not an option, users can take any of the following actions to protect against the flaw - Disable WSUS Server Role in the server (if enabled) Block inbound traffic to Ports 8530 and 8531 on the host firewall “Do NOT undo either of these workarounds until after you have installed the update,” Microsoft warned. The development comes as the Dutch National Cyber Security Centre (NCSC) said it learned from a “trusted partner that abuse of CVE-2025-59287 was observed on October 24, 2025.” Eye Security, which notified NCSC-NL of the in-the-wild exploitation, said it first observed the vulnerability being abused at 06:55 a.m.
UTC to drop a Base64-encoded payload targeting an unnamed customer. The payload, a .NET executable, “takes the value ‘aaaa’ request header and runs it directly using cmd.exe.” “This is the payload that is being sent to servers, which uses the request header with the name ‘aaaa’ as a source for the command that is to be executed,” Piet Kerkhofs, CTO of Eye Security, told The Hacker News. “This avoids commands appearing directly in the log.” Asked if the exploitation could have occurred earlier than today, Kerkhofs pointed out that the “PoC by HawkTrace was released two days ago, and it can use a standard ysoserial .NET payload, so yes, the pieces for exploitation were there.” When reached for comment, a Microsoft spokesperson told the publication that “We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected.
The company also emphasized that the issue does not affect servers that don’t have WSUS Server Role enabled and has recommended impacted customers to follow the guidance on its CVE page . Given the availability of a PoC exploit and detected exploitation activity, it’s essential that users apply the patch as soon as possible to mitigate the threat. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the flaw to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring federal agencies to remediate it by November 14, 2025.
(The story was updated after publication with additional insights from Eye Security and a response from Microsoft.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign
A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT . The activity, observed in August and September 2025 by Sekoia, has been attributed to Transparent Tribe (aka APT36), a state-sponsored hacking group known to be active since at least 2013. It also builds upon a prior campaign disclosed by CYFIRMA in August 2025. The attack chains involve sending phishing emails containing a ZIP file attachment, or in some cases, a link pointing to an archive hosted on legitimate cloud services like Google Drive.
Present within the ZIP file is a malicious Desktop file embedding commands to display a decoy PDF (“CDS_Directive_Armed_Forces.pdf”) using Mozilla Firefox while simultaneously executing the main payload. Both the artifacts are pulled from an external server “modgovindia[.]com” and executed. Like before, the campaign is designed to target BOSS (Bharat Operating System Solutions) Linux systems, with the remote access trojan capable of establishing command-and-control (C2) using WebSockets. The malware supports four different methods for persistence, including creating a systemd service, setting up a cron job, adding the malware to the Linux autostart directory (“$HOME/.config/autostart”), and configuring .bashrc to launch the trojan by means of a shell script written to the “$HOME/.config/system-backup/” directory.
DeskRAT supports five different commands - ping , to send a JSON message with the current timestamp, along with “pong” to the C2 server heartbeat , to send a JSON message containing heartbeat_response and a timestamp browse_files , to send directory listings start_collection , to search and send files matching a predefined set of extensions and which are below 100 MB in size upload_execute , to drop an additional Python, shell, or desktop payload and execute it “DeskRAT’s C2 servers are named as stealth servers,” the French cybersecurity company said. “In this context, a stealth server refers to a name server that does not appear in any publicly visible NS records for the associated domain.” “While the initial campaigns leveraged legitimate cloud storage platforms such as Google Drive to distribute malicious payloads, TransparentTribe has now transitioned to using dedicated staging servers.” The findings follow a report from QiAnXin XLab, which detailed the campaign’s targeting of Windows endpoints with a Golang backdoor it tracks as StealthServer through phishing emails containing booby-trapped Desktop file attachments, suggesting a cross-platform focus. It’s worth noting that StealthServer for Windows comes in three variants - StealthServer Windows-V1 (Observed in July 2025), which employs several anti-analysis and anti-debug techniques to avoid detection; establishes persistence using scheduled tasks, a PowerShell script added to the Windows Startup folder, and Windows Registry changes; and uses TCP to communicate with the C2 server in order to enumerate files and upload/download specific files StealthServer Windows-V2 (Observed in late August 2025), which adds new anti‑debug checks for tools like OllyDbg, x64dbg, and IDA, while keeping the functionality intact StealthServer Windows-V3 (Observed in late August 2025), which uses WebSocket for communication and has the same functionality as DeskRAT XLab said it also observed two Linux variants of StealthServer, one of which is DeskRAT with support for an extra command called “welcome.” The second Linux version, on the other hand, uses HTTP for C2 communications instead of WebSocket. It features three commands - browse , to enumerate files under a specified directory upload , to upload a specified file execute , to execute a bash command It also recursively searches for files matching a set of extensions right from the root directory (“/”) and then transmits them as it encounters them in an encrypted format via a HTTP POST request to “modgovindia[.]space:4000.” This indicates the Linux variant could have been an earlier iteration of DeskRAT, since the latter features a dedicated “start_collection” command to exfiltrate files.
“The group’s operations are frequent and characterized by a wide variety of tools, numerous variants, and a high delivery cadence,” QiAnXin XLab said. Attacks from Other South and East Asian Threat Clusters The development comes amid the discovery of various campaigns orchestrated by South Asia-focused threat actors in recent weeks - A phishing campaign undertaken by Bitter APT targeting government, electric power, and military sectors in China and Pakistan with malicious Microsoft Excel attachments or RAR archives that exploit CVE-2025-8088 to ultimately drop a C# implant named “cayote.log” that can gather system information and run arbitrary executables received from an attacker-controlled server. A new wave of targeted activity undertaken by SideWinder targeting the maritime sector and other verticals in Pakistan, Sri Lanka, Bangladesh, Nepal, and Myanmar with credential-harvesting portals and weaponized lure documents that deliver multi-platform malware as part of a “concentrated” campaign codenamed Operation SouthNet. An attack campaign undertaken by a Vietnam-aligned hacking group known as OceanLotus (aka APT-Q-31) that delivers the Havoc post-exploitation framework in attacks targeting enterprises and government departments in China and neighboring Southeast Asian countries.
An attack campaign undertaken by Mysterious Elephant (aka APT-K-47) in early 2025 that uses a combination of exploit kits, phishing emails, and malicious documents to gain initial access to target government entities and foreign affairs sectors in Pakistan, Afghanistan, Bangladesh, Nepal, India, and Sri Lanka using a PowerShell script that drops BabShell (a C++ reverse shell), which then launches MemLoader HidenDesk (a loader that executes a Remcos RAT payload in memory) and MemLoader Edge (another malicious loader that embeds VRat, a variant of the open-source RAT vxRat). Notably, these intrusions have also focused on exfiltrating WhatsApp communications from compromised hosts using a number of modules – viz., Uplo Exfiltrator and Stom Exfiltrator – that are devoted to capturing various files exchanged through the popular messaging platform. Another tool used by the threat actor is ChromeStealer Exfiltrator, which, as the name implies, is capable of harvesting cookies, tokens, and other sensitive information from Google Chrome, as well as siphon files related to WhatsApp. The disclosure paints a picture of a hacking group that has evolved beyond relying on tools from other threat actors into a sophisticated threat operation, wielding its own arsenal of custom malware.
The adversary is known to share tactical overlaps with Origami Elephant , Confucius , and SideWinder, all of which are assessed to be operating with Indian interests in mind. “Mysterious Elephant is a highly sophisticated and active Advanced Persistent Threat group that poses a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region,” Kaspesky said. “The use of custom-made and open-source tools, such as BabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced malware.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
The Cybersecurity Perception Gap: Why Executives and Practitioners See Risk Differently
Does your organization suffer from a cybersecurity perception gap? Findings from the Bitdefender 2025 Cybersecurity Assessment suggest the answer is probably “yes” — and many leaders may not even realize it. This disconnect matters. Small differences in perception today can evolve into major blind spots tomorrow.
After all, perception influences what organizations prioritize, where they allocate resources, and how they respond in critical moments. Confidence at the Top, Caution on the Ground Bitdefender’s latest assessment surveyed 1,200 cybersecurity and IT professionals , and at first glance, the results suggest optimism. An impressive 93% say they are “somewhat” or “very confident” in their ability to manage cyber risk as the attack surface expands. But dig deeper, and the optimism begins to split.
Nearly half ( 45% ) of C-level respondents — including CISOs and CIOs — describe themselves as “very confident” in their organization’s readiness. Yet among mid-level managers, that number drops sharply to just 19% . Executives, it seems, are more than twice as likely as operational teams to feel assured about their cybersecurity posture. When leadership overestimates readiness, it can lead to underinvestment in people, processes, and technology.
But perhaps it’s not about who’s right — rather, it’s about how differently each group views the same landscape. Why the Cybersecurity Perception Gap Exists In a recent conversation with several Bitdefender cybersecurity experts, we explored what drives this perception gap — and why it persists across so many organizations. Sean Nikkel , Team Lead at the Bitdefender Cyber Intelligence Fusion Cell , says it’s no surprise that front-line professionals tend to have lower confidence in their organization’s cyber resilience. They’re the ones confronting risks up close.
“Think about what happens after a merger or acquisition,” Nikkel explains. “Whatever risk the acquired company carried, you now inherit. You can go from 100% green to yellow overnight — legacy systems, forgotten shadow IT, outdated processes. Those details are often invisible to leadership but painfully clear to security teams.” Martin Zugec , Bitdefender Technical Solutions Director, agrees.
“In my investigations, I often see a completely different version of cybersecurity than what’s being discussed online,” he says. “There’s a gap between perception and reality — and that gap seems to be widening.” For Nick Jackson , Bitdefender’s Director of Cybersecurity Services, the issue often comes down to communication . “Mid-level managers handle much of the operational load, while CISOs and C-level leaders focus on strategic planning,” he notes. “Without strong reporting and collaboration, those worlds can drift apart.” How to Close the Perception Gap Bridging this divide isn’t just about improving communication — it’s a strategic imperative.
Jackson, who helps organizations align through the Bitdefender Security Advisory , says the solution starts with mutual understanding. “When both sides understand each other’s perspectives — the executive’s focus on risk appetite and business priorities, and the manager’s daily reality of operational threats — they can make smarter, faster decisions,” Jackson explains. Better alignment helps everyone. Mid-level managers gain insight into why the company might accept certain risks or limit spending in specific areas.
Meanwhile, executives gain a clearer view of the on-the-ground challenges that create those concerns in the first place. Ultimately, cybersecurity success depends on shared visibility and trust. Closing the perception gap builds a culture where executives and practitioners move in sync — aligning strategy with reality to strengthen the entire organization. Learn More About the C-Level vs.
Frontline Divide The perception gap identified in the Bitdefender 2025 Cybersecurity Assessment reaches beyond readiness, revealing differing cybersecurity priorities for 2025 and contrasting views on the global skills shortage. To explore the full findings, download the complete Bitdefender 2025 Cybersecurity Assessment Report and gain a data-driven view of what’s shaping cybersecurity strategy in the year ahead. Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation
A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads. Active since 2021, the network has published more than 3,000 malicious videos to date, with the volume of such videos tripling since the start of the year. It has been codenamed the YouTube Ghost Network by Check Point. Google has since stepped in to remove a majority of these videos.
The campaign leverages hacked accounts and replaces their content with “malicious” videos that are centred around pirated software and Roblox game cheats to infect unsuspecting users searching for them with stealer malware. Some of these videos have racked up hundreds of thousands of views, ranging from 147,000 to 293,000. “This operation took advantage of trust signals, including views, likes, and comments, to make malicious content seem safe,” Eli Smadja, security research group manager at Check Point, said. “What looks like a helpful tutorial can actually be a polished cyber trap.
The scale, modularity, and sophistication of this network make it a blueprint for how threat actors now weaponize engagement tools to spread malware.” The use of YouTube for malware distribution is not a new phenomenon. For years, threat actors have been observed hijacking legitimate channels or using newly created accounts to publish tutorial-style videos with descriptions pointing to malicious links that, when clicked, lead to malware. These attacks are part of a broader trend where attackers repurpose legitimate platforms for nefarious purposes, turning them into an effective avenue for malware distribution. While some of the campaigns have abused legitimate ad networks, such as those associated with search engines like Google or Bing, others have capitalized on GitHub as a delivery vehicle, as in the case of the Stargazers Ghost Network .
One of the main reasons why Ghost Networks has taken off in a big way is that they can not only be used to amplify the perceived legitimacy of the links shared, but also maintain operational continuity even when the accounts are banned or taken down by the platform owners, thanks to their role-based structure. “These accounts take advantage of various platform features, such as videos, descriptions, posts (a lesser-known YouTube feature similar to Facebook post), and comments to promote malicious content and distribute malware, while creating a false sense of trust,” security researcher Antonis Terefos said. “The majority of the network consists of compromised YouTube accounts, which, once added, are assigned specific operational roles. This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation.” There are three specific types of accounts - Video-accounts, which upload phishing videos and provide descriptions containing links to download the advertised software (alternatively, the links are shared as a pinned comment or provided directly in the video as part of the installation process) Post-accounts, which are responsible for publishing community messages and posts containing links to external sites Interact-accounts, which like and post encouraging comments to give the videos a veneer of trust and credibility The links direct users to a wide range of services like MediaFire, Dropbox, or Google Drive, or phishing pages hosted on Google Sites, Blogger, and Telegraph that, in turn, incorporate links to download the supposed software.
In many of these cases, the links are concealed using URL shorteners to mask the true destination. Some of the malware families distributed via the YouTube Ghost Network include Lumma Stealer , Rhadamanthys Stealer , StealC Stealer , RedLine Stealer , Phemedrone Stealer , and other Node.js-based loaders and downloaders - A channel named @Sound_Writer (9,690 subscribers), which has been compromised for over a year to upload cryptocurrency software videos to deploy Rhadamanthys A channel named @Afonesio1 (129,000 subscribers), which was compromised on December 3, 2024, and January 5, 2025, to upload a video advertising a cracked version of Adobe Photoshop to distribute an MSI installer that deploys Hijack Loader , which then delivers Rhadamanthys “The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses,” Check Point said. “Adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks.” “These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Widespread Supply Chain Attack
Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks. The sophisticated threat, codenamed GlassWorm by Koi Security, is the second such supply chain attack to hit the DevOps space within a span of a month after the Shai-Hulud worm that targeted the npm ecosystem in mid-September 2025. What makes the attack stand out is the use of the Solana blockchain for command-and-control (C2), making the infrastructure resilient to takedown efforts. It also uses Google Calendar as a C2 fallback mechanism.
Another novel aspect is that the GlassWorm campaign relies on “invisible Unicode characters that make malicious code literally disappear from code editors,” Idan Dardikman said in a technical report. “The attacker used Unicode variation selectors – special characters that are part of the Unicode specification but don’t produce any visual output.” The end goal of the attack is to harvest npm, Open VSX, GitHub, and Git credentials, drain funds from 49 different cryptocurrency wallet extensions, deploy SOCKS proxy servers to turn developer machines into conduits for criminal activities, install hidden VNC (HVNC) servers for remote access, and weaponize the stolen credentials to compromise additional packages and extensions for further propagation. The names of the infected extensions, 13 of them on Open VSX and one on the Microsoft Extension Marketplace, are listed below. These extensions have been downloaded about 35,800 times.
The first wave of infections took place on October 17, 2025. It’s currently not known how these extensions were hijacked. codejoy.codejoy-vscode-extension 1.8.3 and 1.8.4 l-igh-t.vscode-theme-seti-folder 1.2.3 kleinesfilmroellchen.serenity-dsl-syntaxhighlight 0.3.2 JScearcy.rust-doc-viewer 4.2.1 SIRILMP.dark-theme-sm 3.11.4 CodeInKlingon.git-worktree-menu 1.0.9 and 1.0.91 ginfuru.better-nunjucks 0.3.2 ellacrity.recoil 0.7.4 grrrck.positron-plus-1-e 0.0.71 jeronimoekerdt.color-picker-universal 2.8.91 srcery-colors.srcery-colors 0.3.9 sissel.shopify-liquid 4.0.1 TretinV3.forts-api-extention 0.3.1 cline-ai-main.cline-ai-agent 3.1.3 (Microsoft Extension Marketplace) The malicious code concealed within the extensions is designed to search for transactions associated with an attacker-controlled wallet on the Solana blockchain, and if found, it proceeds to extract a Base64-encoded string from the memo field that decodes to the C2 server (“217.69.3[.]218” or “199.247.10[.]166”) used for retrieving the next-stage payload. The payload is an information stealer that captures credentials, authentication tokens, and cryptocurrency wallet data, and reaches out to a Google Calendar event to parse another Base64-encoded string and contact the same server to obtain a payload codenamed Zombi.
The data is exfiltrated to a remote endpoint (“140.82.52[.]31:80”) managed by the threat actor. Written in JavaScript, the Zombi module essentially turns a GlassWorm infection into a full-fledged compromise by dropping a SOCKS proxy, WebRTC modules for peer-to-peer communication, BitTorrent’s Distributed Hash Table (DHT) for decentralized command distribution, and HVNC for remote control. The problem is compounded by the fact that VS Code extensions are configured to auto-update, allowing the threat actors to push the malicious code automatically without requiring any user interaction. “This isn’t a one-off supply chain attack,” Dardikman said.
“It’s a worm designed to spread through the developer ecosystem like wildfire.” “Attackers have figured out how to make supply chain malware self-sustaining. They’re not just compromising individual packages anymore – they’re building worms that can spread autonomously through the entire software development ecosystem.” The development comes as the use of blockchain for staging malicious payloads has witnessed a surge due to its pseudonymity and flexibility, with even threat actors from North Korea leveraging the technique to orchestrate their espionage and financially motivated campaigns. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets
Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job . “Some of these [companies] are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program,” ESET security researchers Peter Kálnai and Alexis Rapin said in a report shared with The Hacker News. It’s assessed that the end goal of the campaign is to plunder proprietary information and manufacturing know-how using malware families such as ScoringMathTea and MISTPEN. The Slovak cybersecurity company said it observed the campaign starting in late March 2025.
Some of the targeted entities include a metal engineering company in Southeastern Europe, a manufacturer of aircraft components in Central Europe, and a defense company in Central Europe. While ScoringMathTea (aka ForestTiger ) was previously observed by ESET in early 2023 in connection with cyber attacks targeting an Indian technology company and a defense contractor in Poland, MISTPEN was documented by Google Mandiant in September 2024 as part of intrusions aimed at companies in the energy and aerospace verticals. The first appearance of ScoringMathTea dates back to October 2022. Operation Dream Job, first exposed by Israeli cybersecurity company ClearSky in 2020, is a persistent attack campaign mounted by a prolific North Korean hacking group dubbed Lazarus Group, which is also tracked as APT-Q-1, Black Artemis, Diamond Sleet (formerly Zinc), Hidden Cobra, TEMP.Hermit, and UNC2970.
The hacking group is believed to be operational since at least 2009. In these attacks, the threat actors leverage social engineering lures akin to Contagious Interview to approach prospective targets with lucrative job opportunities and trick them into infecting their systems with malware. The campaign also exhibits overlaps with clusters tracked as DeathNote , NukeSped , Operation In(ter)ception, and Operation North Star . “The dominant theme is a lucrative but faux job offer with a side of malware: the target receives a decoy document with a job description and a trojanized PDF reader to open it,” ESET researchers said.
The attack chain leads to the execution of a binary, which is responsible for sideloading a malicious DLL that drops ScoringMathTea as well as a sophisticated downloader codenamed BinMergeLoader, which functions similarly to MISTPEN and uses Microsoft Graph API and tokens to fetch additional payloads. Alternate infection sequences have been found to leverage an unknown dropper to deliver two interim payloads, the first of which loads the latter, ultimately resulting in the deployment of ScoringMathTea, an advanced RAT that supports around 40 commands to take complete control over the compromised machines. “For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications,” ESET said. “This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Secure AI at Scale and Speed — Learn the Framework in this Free Webinar
AI is everywhere—and your company wants in. Faster products, smarter systems, fewer bottlenecks. But if you’re in security, that excitement often comes with a sinking feeling. Because while everyone else is racing ahead, you’re left trying to manage a growing web of AI agents you didn’t create, can’t fully see, and weren’t designed to control.
Join our upcoming webinar and learn how to make AI security work with you, not against you . The Quiet Crisis No One Talks About Did you know most companies now have 100 AI agents for every one human employee? Even more shocking? 99% of those AI identities are completely unmanaged.
No oversight. No lifecycle controls. And every one of them could be a backdoor waiting to happen. It’s not your fault.
Traditional tools weren’t built for this new AI world. But the risks are real—and growing. Let’s Change That. Together.
In our free webinar, “ Turning Controls into Accelerators of AI Adoption ,” we’ll help you flip the script. This isn’t about slowing the business down. It’s about giving you a real strategy to move faster—safely. Here’s what we’ll cover: Stop firefighting: Learn how to set up security by design, not as an afterthought.
Take control: Discover how to govern AI agents that behave like users—but multiply like machines. Be the enabler: Show leadership how security can accelerate AI adoption, not block it. Curious yet? Don’t miss out.
This isn’t fluff or theory. You’ll get: A practical framework to gain visibility and stay ahead of risk Ways to prevent credential sprawl and privilege abuse from Day One A strategy to align with business goals while protecting what matters Whether you’re an engineer, architect, or CISO, if you’ve felt like you’re stuck in reactive mode—you’re exactly who this is for. This is your moment to turn control into confidence. Register Today .
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ThreatsDay Bulletin: $176M Crypto Fine, Hacking Formula 1, Chromium Vulns, AI Hijack & More
Criminals don’t need to be clever all the time; they just follow the easiest path in: trick users, exploit stale components, or abuse trusted systems like OAuth and package registries. If your stack or habits make any of those easy, you’re already a target. This week’s ThreatsDay highlights show exactly how those weak points are being exploited — from overlooked misconfigurations to sophisticated new attack chains that turn ordinary tools into powerful entry points. Lumma Stealer Stumbles After Doxxing Drama Decline in Lumma Stealer Activity After Doxxing Campaign The activity of the Lumma Stealer (aka Water Kurita) information stealer has witnessed a “sudden drop” since last months after the identities of five alleged core group members were exposed as part of what’s said to be an aggressive underground exposure campaign dubbed Lumma Rats since late August 2025.
The targeted individuals are affiliated with the malware’s development and administration, with their personally identifiable information (PII), financial records, passwords, and social media profiles leaked on a dedicated website. Since then, Lumma Stealer’s Telegram accounts were reportedly compromised on September 17, further hampering their ability to communicate with customers and coordinate operations. These actions have led customers to pivot to other stealers like Vidar and StealC. It’s believed the doxxing campaign is driven by internal rivalries.
“The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients,” Trend Micro said . “The campaign’s consistency and depth suggest insider knowledge or access to compromised accounts and databases.” While Lumma Stealer faced a setback earlier this year after its infrastructure was taken in a coordinated law enforcement effort, it quickly resurfaced and resumed its operations. Viewed in that light, the latest development could threaten its commercial viability and hurt customer trust. The development coincides with the emergence of Vidar Stealer 2.0, which has been completely rewritten from scratch using C, along with supporting multi-threaded architecture for faster, more efficient data exfiltration and improved evasion capabilities.
It also incorporates advanced credential extraction methods to bypass Google Chrome’s app-bound encryption protections by means of memory injection techniques, and boasts of an automatic polymorphic builder to generate samples with distinct binary signatures, making static detection methods more challenging. “The new version of Vidar employs heavy use of control flow flattening, implementing complex switch-case structures with numeric state machines that can make reverse engineering more difficult,” Trend Micro said . Fake ads exploit trust in authorities Singapore Targeted by Large-Scale Investment Fraud A large-scale scam operation has misappropriated the images and likenesses of Singapore government officials to deceive Singapore citizens and residents into engaging with a fraudulent investment platform. “The scam campaign relies on paid Google Ads, intermediary redirect websites designed to conceal fraudulent and malicious activity, and highly convincing fake web pages,” Group-IB said .
“Victims were ultimately directed to a forex investment platform registered in Mauritius, operating under a seemingly legitimate legal entity with an official investment license. This structure created an illusion of compliance while enabling cross-border fraudulent activity.” On these scam platforms, victims are urged to fill in their personal information, after which they are aggressively pursued via phone calls to deposit substantial sums of money. In all, 28 verified advertiser accounts were used by the scammers to run malicious Google Ads campaigns. The ad distribution was managed primarily through verified advertiser accounts registered to individuals residing in Bulgaria, Romania, Latvia, Argentina, and Kazakhstan.
These ads were configured such that they were only served to people searching or browsing from Singapore IP addresses. To enhance the scam’s legitimacy, the threat actors created 119 malicious domains that impersonated legitimate and reputable mainstream news outlets like CNA and Yahoo! News. Rogue developer poisons open-source supply chain Malicious npm Package Drops AdaptixC2 Cybersecurity researchers have discovered a malicious npm package named “https-proxy-utils” that’s designed to download and execute a payload from an external server (cloudcenter[.]top) containing the AdaptixC2 post-exploitation framework by means of a post-install script.
It’s capable of targeting Windows, Linux, and macOS systems, employing OS-specific techniques to load and launch the implant. Once deployed, the agent can be used to remotely control the machine, execute commands, and achieve persistence. According to data from ReversingLabs, the package was uploaded to npm by a user named “bestdev123” on July 28, 2025. It has 57 recorded downloads.
The package is no longer available on the npm registry. While attackers abusing security tools for nefarious purposes is not a new phenomenon, coupling it with rogue packages on open-source repositories exposes users to supply chain risks. “This malicious package emphasizes once more that developers must exercise extreme caution when choosing what to install and depend on, as the supply chain landscape is filled with thousands of packages—often with deceptively similar names—making it far from straightforward to distinguish legitimate components from malicious impostors.” Henrik Plate, cybersecurity expert at Endor Labs, said. “In addition, they should consider disabling post-installation hooks, to prevent malware from being executed upon installation, e.g., by using npm’s –ignore-scripts option, or by using pnpm, which started to disable the use of lifecycle scripts by default.” Crypto gateway hit with record penalties Cryptomus Fined $176 Million in Canada Financial regulators in Canada issued $176 million in fines against Xeltox Enterprises Ltd.
(aka Cryptomus and Certa Payments Ltd.), a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites peddling cybercrime services, according to security journalist Brian Krebs. FINTRAC said the service “failed to submit suspicious transaction reports for transactions where there were reasonable grounds to suspect that they were related to the laundering of proceeds connected to trafficking in child sexual abuse material, fraud, ransomware payments, and sanctions evasion.” The agency said it found 1,068 instances where Cryptomus did not submit reports for July 2024 transactions involving known darknet markets and virtual currency wallets with ties to criminal activity. Starlink crackdown hits Southeast Asian scam hubs SpaceX Disables Starlink Devices Linked to Scam Factories as SE Asian Nations Ramp Up Pressure SpaceX said it has disabled more than 2,500 Starlink devices connected to scam compounds in Myanmar . It’s currently not clear when the devices were taken offline.
The development comes close on the heels of ongoing actions to crack down on online scam centers, with Myanmar’s military junta conducting raids on a scam hotspot in a rebel-held region of eastern Myanmar, detaining more than 2,000 people and seizing dozens of Starlink satellite internet devices at KK Park, a sprawling cybercrime hub to the south of Myawaddy. In February 2025, the Thai government cut off power supply to three areas in Myanmar, Myawaddy, Payathonzu, and Tachileik, which have become havens for criminal syndicates who have coerced hundreds of thousands of people in Southeast Asia and elsewhere into helping run online scams, including false romantic ploys, bogus investment opportunities, and illegal gambling schemes. These operations have been massively successful, ensnaring hundreds of thousands of workers and raking in tens of billions of dollars every year from victims, per estimates from the United Nations. The scam centers emerged out of Cambodia, Thailand, and Myanmar since the COVID-19 pandemic, but have since spread to other parts of the world such as Africa.
Workers at the “labor camps” are often recruited and trafficked under the promise of well-paid jobs and then held captive with threats of violence. In recent months, law enforcement authorities have stepped up their efforts , arresting hundreds of suspects across Asia and deporting several of them. According to the Global New Light of Myanmar , a total of 9,551 foreign nationals who illegally entered Myanmar have been arrested between January 30 and October 19, 2025, with 9,337 deported to their respective countries. Earlier this week, South Korean police officials formally arrested 50 South Koreans repatriated from Cambodia on accusations they worked for online scam organizations in the Southeast Asian country.
Cambodia and South Korea recently agreed to partner in combating online scams following the death of a South Korean student who was reportedly forced to work in a scam center in Cambodia. The death of the 22-year-old has also prompted South Korea, which is reportedly readying sanctions against the groups operating in Cambodia, to issue a “code black” travel ban to parts of the country, citing recent increases in cases of detention and “fraudulent employment.” More than 1,000 South Koreans are believed to be among around 200,000 people of various nationalities working in Cambodia’s scam industry. Predictable IDs expose AI chat sessions to hijack Security Flaw in Oat++ MCP A security flaw in the Oat++ implementation of Anthropic’s Model Context Protocol (MCP) could allow attackers to predict or capture session IDs from active AI conversations, hijack MCP sessions, and inject malicious responses via the oatpp-mcp server. The vulnerability, dubbed Prompt Hijacking, is being tracked as CVE-2025-6515 (CVSS score: 6.8).
While the generated session ID used with Server-Sent Events ( SSE ) transports is designed to route responses from the MCP server to the client and distinguish between different MCP client sessions, the attack takes advantage of the fact that SSE does not require session IDs to be unique and cryptographically secure (a requirement enforced in the newer Streamable HTTP specification) to allow a threat actor in possession of a valid session ID to send malicious requests to the MCP server, allowing them to hijack the responses and relay a poisoned response back to the client. “Once a session ID is reused, the attacker can send POST requests using the hijacked ID, for example – Requesting tools, triggering prompts, or injecting commands, and the server will forward the relevant responses to the victim’s active GET connection in addition to the responses generated for the victim’s original requests,” JFrog said . OAuth abuse turns cloud access into a stealth backdoor Threat Actors Use Malicious OAuth Apps for Persistence Proofpoint has developed an automated toolkit named Fassa (short for “Future Account Super Secret Access”), which demonstrates methods by which threat actors establish persistent access through malicious OAuth applications. The tool has not been made publicly available.
“The strategic value of this approach lies in its persistence mechanism: even if the compromised user’s credentials are reset or multifactor authentication is enforced, the malicious OAuth applications maintain their authorized access,” the enterprise security company said. “This creates a resilient backdoor that can remain undetected within the environment indefinitely, unless specifically identified and remediated.” In one real-world attack observed by Proofpoint, threat actors have been found to take control of Microsoft accounts using an adversary-in-the-middle (AiTM) phishing kit known as Tycoon, and then created malicious mailbox rules and registered a second-party (aka internal) OAuth application named “test” to enable persistent access to the victim’s mailbox even after the password is reset. Admin bug exposes Formula 1 driver data Hacking Formula 1 Cybersecurity researchers Gal Nagli, Ian Carroll, and Sam Curry have disclosed a severe vulnerability in a critical Driver Categorisation portal (“driverscategorisation.fia[.]com”) managed by the International Automobile Federation (FIA) that could make it possible to access the sensitive data associated with every Formula 1 (F1) driver, including passport, driver’s license, and personal information. While the portal allows any individual to open an account, along with providing supporting documents, the researchers found that sending a specially crafted request where they assume the role of an “ADMIN” is enough to trick the system into actually assigning administrative privileges to a newly created account, using which an attacker could access detailed driver profiles.
Following responsible disclosure on June 3, 2025, a comprehensive fix for the bug was rolled out on June 10. “[The vulnerability is] called ‘Mass Assignment’ – a classic web / api security flaw,” Nagli said . “In simple terms: The server trusted whatever we sent it, without checking if we were ALLOWED to change those fields.” AI-driven agents boost cyber threat response Google Debuts New Agentic Platform for Threat Analysis and Response Google has launched a comprehensive agentic platform with the goal of accelerating threat analysis and response. The platform, available in preview for Google Threat Intelligence Enterprise and Enterprise+ customers, provides users with a set of specialized agents for cyber threat intelligence (CTI) and malware analysis.
“When you ask a question, the platform intelligently selects the best agent and tools to craft your answer, scouring everything from the open web and OSINT to the deep and dark web and our own curated threat reports,” Google said . In the event the query is about a malicious file, it routes the task to its malware analyst agent to provide the “most precise and relevant information.” The tech giant said the platform is designed to uncover hidden connections that exist between threat actors, vulnerabilities, malware families, and campaigns by tapping into Google Threat Intelligence’s comprehensive security dataset. SVG email bait leads to fake Microsoft logins New Tykit Phishing Kit Analyzed A new phishing kit named Tykit is being used to serve fake Microsoft 365 login pages to which users are redirected to via email messages containing SVG files as attachments. Once opened, the SVG file executes a “trampoline” JavaScript code to take the victim to the phishing page, but not before completing a Cloudflare Turnstile security check.
“It’s worth noting that the client-side code includes basic anti-debugging measures, for example, it blocks key combinations that open DevTools and disables the context menu,” ANY.RUN said . Once the credentials are entered, the user is redirected to the legitimate page to avoid raising any suspicion. Misconfigured build path exposed thousands of AI servers Security Flaw in Smithery.ai GitGuardian said it has uncovered a path traversal vulnerability in Smithery.ai that provided unauthorized access to thousands of MCP servers and their associated credentials, leading to a major supply chain risk. The problem has to do with the fact that the smithery.yaml configuration file used to build a server in Docker contains an improperly controlled property called dockerBuildPath, which allows any arbitrary path to be specified.
“A simple configuration bug allowed attackers to access sensitive files on the registry’s infrastructure, leading to the theft of overprivileged administrative credentials,” GitGuardian said . “These stolen credentials provided access to over 3,000 hosted AI servers, enabling the theft of API keys and secrets from potentially thousands of customers across hundreds of services.” The issue has since been addressed, and there is no evidence it was exploited in the wild. Prompt injection escalates to remote code execution From Prompt Injection to RCE in AI Agents Researchers have found that it’s possible to bypass the human approval step required when running sensitive system commands using modern artificial intelligence (AI) agents. According to Trail of Bits, this bypass can be achieved through argument injection attacks that exploit pre-approved commands, allowing an attacker to achieve remote code execution (RCE).
To counter these risks, it’s recommended to sandbox agent operations from the host system, reduce safe command allowlists, and use safe command execution methods that prevent shell interpretation. Unsafe deserialization opens door to remote code execution Security Flaw in python-socketio A security vulnerability in the python-socketio library ( CVE-2025-61765 , CVSS score: 6.4) could permit attackers to execute arbitrary Python code through malicious pickle deserialization in scenarios where they have already gained access to the message queue that the servers use for internal communications. “The pickle module is designed for serializing and deserializing trusted Python objects,” BlueRock said . “It was never intended to be a secure format for communicating between systems that don’t implicitly trust each other.
Yet, the python-socketio client managers indiscriminately unpickle every message received from the shared message broker.” As a result, a threat actor with access to the message queue can send a specially crafted pickle payload that gets executed once it’s deserialized. The issue has been addressed in version 5.14.0 of the library. Outdated Electron cores expose AI IDEs to old Chromium flaws Cursor, Windsurf IDEs Susceptible to 94+ N-Day Chromium Bugs AI-powered coding tools like Cursor and Windsurf have been found vulnerable to more than 94 known and patched security issues in the Chromium browser and the V8 JavaScript engine, putting over 1.8 million developers at risk, according to OX Security. The problem is that both the development environments are built on old versions of Visual Studio Code that are bundled with an Electron application runtime that points to outdated versions of the open-source Chromium browser and Google’s V8 engine.
“This is a classic supply chain attack waiting to happen,” the cybersecurity company said . “Cursor and Windsurf must prioritize upstream security updates. Until they do, 1.8 million developers remain exposed to attacks that could compromise not just their machines, but the entire software supply chain they’re part of.” Bogus Chrome installer delivers kernel-aware RAT Chinese Users Targeted with Fake Chrome Installer to Drop ValleyRAT Cybersecurity researchers have discovered a new attack chain that leverages bogus installers for Google Chrome as a lure to drop a remote access trojan called ValleyRAT as part of a multi-stage process. The binary is designed to drop an intermediate payload that scans for antivirus products primarily used in China and uses a kernel driver to terminate the associated processes so as to evade detection.
ValleyRAT is launched by means of a DLL downloader that retrieves the malware from an external server (“202.95.11[.]152”). Also called Winos 4.0, the malware is linked to a Chinese cybercrime group known as Silver Fox. “Our analysis revealed Chinese language strings within the binary, including the internal DLL name, and identified that the targeted security solutions are products from Chinese vendors,” Cyderes researcher Rahul Ramesh said . “This indicates the attackers have knowledge of the regional software environment and suggests the campaign is tailored to target victims in China.” It’s worth noting that similar fake installers for Chrome have been used to distribute Gh0st RAT in the past.
Hidden Unicode fools app identity checks New Loophole Allows for Microsoft App Impersonation Varonis has disclosed details of a loophole that allows attackers to impersonate Microsoft applications by creating malicious apps with deceptive names such as “Azure Portal” or “Azure SQL Database” with hidden Unicode characters, effectively bypassing safeguards put in place to prevent the use of reserved names . This includes inserting “0x34f” between the application name such as “Az$([char]0x34f)ur$([char]0x34f)e Po$([char]0x34f)rtal.” This technique, codenamed Azure App-Mirage by Varonis, could then be combined with approaches like device code phishing to trick users into sharing authentication codes and gain unauthorized access to their accounts. Microsoft has since rolled out fixes to plug the issue. No binaries — attackers use SQL to ransom data Exploiting Databases for Malware-less Ransomware Threat actors have been observed exploiting weaknesses in internet-facing database servers and abusing legitimate commands to steal, encrypt, or destroy data and demand payment in exchange for returning the files or keeping them private.
This is part of an ongoing trend where attackers are increasingly going malware-less, instead resorting to living-off-the-land techniques to blend in with normal activity and achieve their goals. “Attackers connect remotely to these servers, copy the data to another location, wipe the database, and then leave behind a ransom note stored in the database itself,” cloud security firm Wiz said . “This approach bypasses many conventional detection methods because no malicious binary is ever dropped; the damage is done entirely with normal database commands.” Some of the most targeted database servers in ransomware attacks include MongoDB, PostgreSQL, MySQL, Amazon Aurora MySQL, and MariaDB. CSS tricks bury malicious prompts in plain sight Abuse of CSS for Hidden Text Salting Attackers are increasingly employing Cascading Style Sheets’ (CSS) text, visibility and display properties, and sizing properties to insert hidden text (paragraphs and comments) and characters into emails in what’s seen as a way to slip past spam filters and enterprise security defenses.
“There is widespread use of hidden text salting in malicious emails to bypass detection,” Cisco Talos researcher Omid Mirzaei said . “Attackers embed hidden salt in the preheader, header, attachments, and body — using characters, paragraphs, and comments — by manipulating text, visibility, and sizing properties.” The cybersecurity company also noted that hidden content is more commonly found in spam and other email threats than in legitimate emails. This creates a challenge for security solutions that rely on a large language model (LLM) to classify incoming messages, as a threat actor can conceal hidden prompts to influence the outcome. Covert network tracks 14,000 phones across continents Altamides for Stealth Phone Tracking A phone-tracking and surveillance platform named Altamides from a little-known European-led company in Indonesia called First Wap has been used to secretly track the movements of more than 14,000 phone numbers.
It’s run by European founders. According to an investigation published by Mother Jones, the platform was used to track political figures, famous executives, journalists, and activists. It exploited vulnerabilities in the Signaling System No. 7 (SS7) telecommunications protocol to zero in on an individual’s location using only their phone number.
The development comes a little over a month after Amnesty International revealed that Pakistan is spying on millions of its citizens using a phone-tapping system and a Chinese-built internet firewall that censors social media. “Pakistan’s Web Monitoring System [WMS] and Lawful Intercept Management System [LIMS] operate like watchtowers, constantly snooping on the lives of ordinary citizens,” Agnès Callamard, Secretary General at Amnesty International, said . “In Pakistan, your texts, emails, calls, and internet access are all under scrutiny. But people have no idea of this constant surveillance, and its incredible reach.
This dystopian reality is extremely dangerous because it operates in the shadows, severely restricting freedom of expression and access to information.” It has been found that a German company, Utimaco, and an Emirati company, Datafusion, supplied most of the technology that enables LIMS to operate in Pakistan. While the first iteration of WMS was installed in 2018 using technology provided by Sandvine, it has since been replaced by advanced technology from China’s Geedge Networks in 2023. This is assessed to be a commercialized version of China’s Great Firewall. These findings also dovetail with a report from the Associated Press, which found U.S.
tech companies designed and marketed systems that became the foundation for China’s surveillance state. “While the flood of American technology slowed considerably starting in 2019 after outrage and sanctions over atrocities in Xinjiang, it laid the foundation for China’s surveillance apparatus that Chinese companies have since built on and in some cases replaced,” the report said . Every one of these incidents tells the same story: attackers don’t break in — they log in, inject, or hijack what’s already trusted. The difference between surviving and becoming a headline is how fast you patch, isolate, and verify.
Stay sharp, review your defenses, and keep watching ThreatsDay — because next week’s breaches are already being written in today’s overlooked bugs. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Why Organizations Are Abandoning Static Secrets for Managed Identities
As machine identities explode across cloud environments, enterprises report dramatic productivity gains from eliminating static credentials. And only legacy systems remain the weak link. For decades, organizations have relied on static secrets, such as API keys, passwords, and tokens, as unique identifiers for workloads. While this approach provides clear traceability, it creates what security researchers describe as an “operational nightmare” of manual lifecycle management, rotation schedules, and constant credential leakage risks.
This challenge has traditionally driven organizations toward centralized secret management solutions like HashiCorp Vault or CyberArk, which provide universal brokers for secrets across platforms. However, these approaches perpetuate the fundamental problem: the proliferation of static secrets requiring careful management and rotation. “Having a workload in Azure that needs to read data from AWS S3 is not ideal from a security perspective,” explains one DevOps engineer managing a multicloud environment. “Cross-cloud authentication and authorization complexity make it hard to set this up securely, especially if we choose to simply configure the Azure workload with AWS access keys.” The Business Case for Change Enterprise case studies document that organizations implementing managed identities report a 95% reduction in time spent managing credentials per application component, along with a 75% reduction in time spent learning platform-specific authentication mechanisms, resulting in hundreds of saved hours annually.
But how to approach the transition, and what prevents us from entirely eliminating static secrets? Platform-Native Solutions Managed identities represent a paradigm shift from the traditional “what you have” model to a “who you are” approach. Rather than embedding static credentials into applications, modern platforms now provide identity services that issue short-lived, automatically rotated credentials to authenticated workloads. The transformation spans major cloud providers: Amazon Web Services pioneered automated credential provisioning through IAM Roles , where applications receive temporary access permissions automatically without storing static keys Microsoft Azure offers Managed Identities that allow applications to authenticate to services like Key Vault and Storage without developers having to manage connection strings or passwords Google Cloud Platform provides Service Accounts with cross-cloud capabilities, enabling applications to authenticate across different cloud environments seamlessly GitHub and GitLab have introduced automated authentication for development pipelines, eliminating the need to store cloud access credentials in development tools The Hybrid Reality However, the reality is more nuanced.
Security experts emphasize that managed identities don’t solve every authentication challenge. Third-party APIs still require API keys, legacy systems often can’t integrate with modern identity providers, and cross-organizational authentication may still require shared secrets. “Using a secret manager dramatically improves the security posture of systems that rely on shared secrets, but heavy use perpetuates the use of shared secrets rather than using strong identities,” according to identity security researchers. The goal isn’t to eliminate secret managers entirely, but to dramatically reduce their scope.
Smart organizations are strategically reducing their secret footprint by 70-80% through managed identities, then using robust secret management for remaining use cases, creating resilient architectures that leverage the best of both worlds. The Non-Human Identity Discovery Challenge Most organizations don’t have visibility into their current credential landscape. IT teams often discover hundreds or thousands of API keys, passwords, and access tokens scattered across their infrastructure, with unclear ownership and usage patterns. “You can’t replace what you can’t see,” explains Gaetan Ferry, a security researcher at GitGuardian.
“Before implementing modern identity systems, organizations need to understand exactly what credentials exist and how they’re being used.” GitGuardian’s NHI (Non-Human Identity) Security platform addresses this discovery challenge by providing comprehensive visibility into existing secret landscapes before managed identity implementation. The platform discovers hidden API keys, passwords, and machine identities across entire infrastructures, enabling organizations to: Map dependencies between services and credentials Identify migration candidates ready for managed identity transformation Assess risks associated with current secret usage Plan strategic migrations rather than blind transformations Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
‘Jingle Thief’ Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards
Cybersecurity researchers have shed light on a cybercriminal group called Jingle Thief that has been observed targeting cloud environments associated with organizations in the retail and consumer services sectors for gift card fraud. “Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards,” Palo Alto Networks Unit 42 researchers Stav Setty and Shachar Roitman said in a Wednesday analysis. “Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards.” The end goal of these efforts is to leverage the issued gift cards for monetary gain by likely reselling them on gray markets. Gift cards make for a lucrative choice as they can be easily redeemed with minimal personal information and are difficult to trace, making it harder for defenders to investigate the fraud.
The name Jingle Thief is a nod to the threat actor’s pattern of conducting gift card fraud coinciding with festive seasons and holiday periods. The cybersecurity company is tracking the activity under the moniker CL‑CRI‑1032, where “CL” stands for cluster and “CRI” refers to criminal motivation. The threat cluster has been attributed with moderate confidence to criminal groups tracked as Atlas Lion and Storm-0539 , with Microsoft describing it as a financially motivated crew originating from Morocco. It’s believed to be active since at least late 2021.
Jingle Thief’s ability to maintain footholds within compromised organizations for extended periods, in some cases for over a year, makes it a dangerous group. During the time it spends with the environments, the threat actor conducts extensive reconnaissance to map the cloud environment, moves laterally across the cloud, and takes steps to sidestep detection. Unit 42 said it observed the hacking group launching a wave of coordinated attacks targeting various global enterprises in April and May 2025, using phishing attacks to obtain credentials necessary to breach victims’ cloud infrastructure. In one campaign, the attackers are said to have maintained access for about 10 months and broken into 60 user accounts within a single organization.
“They exploit cloud-based infrastructure to impersonate legitimate users, gain unauthorized access to sensitive data, and carry out gift card fraud at scale,” the researchers noted. The attacks often involve attempts to access gift‑card issuance applications to issue high‑value cards across different programs, while simultaneously ensuring these actions leave minimal logs and forensic trails. Jingle Thief phishing attack chain across Microsoft 365 They are also highly targeted and tailored to each victim, with the threat actors carrying out reconnaissance before sending persuasive phishing login pages via email or SMS that can fool victims and trick them into entering their Microsoft 365 credentials. As soon as the credentials are harvested, the attackers waste no time logging into the environment and carry out a second round of reconnaissance, this time targeting the victim’s SharePoint and OneDrive for information related to business operations, financial processes, and IT workflows.
This includes searching for gift card issuance workflows, VPN configurations and access guides, spreadsheets or internal systems used to issue or track gift cards, and other key details related to virtual machines and Citrix environments. In the next phase, the threat actors have been found to leverage the compromised account to send phishing emails internally within the organization to broaden their foothold. These messages often mimic IT service notifications or ticketing updates by making use of information gleaned from internal documentation or previous communications. Furthermore, Jingle Thief is known to create inbox rules to automatically forward emails from hacked accounts to addresses under their control, and then cover up traces of the activity by moving the sent emails immediately to Deleted Items.
In some cases, the threat actor has also been observed registering rogue authenticator apps to bypass multi-factor authentication (MFA) protections and even enrolling their devices in Entra ID so as to maintain access even after victims’ passwords are reset or the session tokens are revoked. Besides their exclusive focus on cloud services rather than endpoint compromise, another aspect that makes Jingle Thief’s campaigns noteworthy is their propensity for identity misuse over deploying custom malware, thereby minimizing the chances of detection. “Gift card fraud combines stealth, speed and scalability, especially when paired with access to cloud environments where issuance workflows reside,” Unit 42 said. “This discreet approach helps evade detection while laying the groundwork for future fraud.” “To exploit these systems, the threat actors need access to internal documentation and communications.
They can secure this by stealing credentials and maintaining a quiet, persistent presence within Microsoft 365 environments of targeted organizations that provide gift card services.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw
E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be abused to take over customer accounts in Adobe Commerce through the Commerce REST API. Also known as SessionReaper, it was addressed by Adobe last month. A security researcher who goes by the name Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236.
The Dutch company said that 62% of Magento stores remain vulnerable to the security flaw six weeks after public disclosure, urging website administrators to apply the patches as soon as possible before broader exploitation activity picks up. Adobe has since revised its advisory to confirm reports of in-the-wild exploitation of CVE-2025-54236. The attacks have originated from the following IP addresses, with unknown threat actors leveraging the flaw to drop PHP webshells or probe phpinfo to extract PHP configuration information. 34.227.25[.]4 44.212.43[.]34 54.205.171[.]35 155.117.84[.]134 159.89.12[.]166 “PHP backdoors are uploaded via ‘/customer/address_file/upload’ as a fake session,” Sansec said .
The development comes as Searchlight Cyber published a detailed technical analysis of CVE-2025-54236, describing it as a nested deserialization flaw that enables remote code execution. It’s worth noting that CVE-2025-54236 is the second deserialization vulnerability impacting Adobe Commerce and Magento platforms in as many years. In July 2024, another critical flaw dubbed CosmicSting ( CVE-2024-34102 , CVSS score: 9.8) was subjected to widespread exploitation. With proof-of-concept (PoC) exploits and additional specifics now entering public domains, it’s imperative that users move quickly to apply the fixes.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.