⚡ Weekly Recap — SharePoint Breach, Spyware, IoT Hijacks, DPRK Fraud, Crypto Drains and More

⚡ Weekly Recap — SharePoint Breach, Spyware, IoT Hijacks, DPRK Fraud, Crypto Drains and More

Some risks don't breach the perimeter—they arrive through signed software, clean resumes, or sanctioned vendors still hiding in plain sight.

This week, the clearest threats weren't the loudest—they were the most legitimate-looking. In an environment where identity, trust, and tooling are all interlinked, the strongest attack path is often the one that looks like it belongs. Security teams are now challenged to defend systems not just from intrusions—but from trust itself being turned into a weapon.

⚡ Threat of the Week

Microsoft SharePoint Attacks Traced to China — The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread a week after the discovery of the zero-day exploits, with more than 400 organizations globally compromised. The attacks have been attributed to two known Chinese hacking groups tracked as Linen Typhoon (aka APT27), Violet Typhoon (aka APT31), and a suspected China-based threat actor codenamed Storm-2603 that has leveraged the access to deploy Warlock ransomware. The attacks leverage CVE-2025-49706, a spoofing flaw, and CVE-2025-49704, a remote code execution bug, collectively called ToolShell. Bloomberg reported that Microsoft is investigating whether a leak from Microsoft Active Protections Program (MAPP), which provides early access to vulnerability information to security software providers, may have led to the zero-day exploitation. China has denied allegations it was behind the campaign.

Flare Customers Saw 321% ROI, Says Forrester Consulting Total Economic Impact™ (TEI) Study

A new Forrester Consulting study commissioned by Flare shows how Flare's threat exposure management platform delivered 321% ROI, cut manual work by 75%, and paid for itself in under 6 months for a composite organization representative of interviewed customers. Get the full business case.

Read the Study ➝

🔔 Top News

• U.S. Treasury Sanctions N. Korean Company for IT Worker Scheme — The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned a North Korean front company and three associated individuals for their involvement in the fraudulent remote information technology (IT) worker scheme designed to generate illicit revenues for Pyongyang. In a related move, Christina Marie Chapman, a laptop farmer in Arizona responsible for facilitating the scheme, was sentenced to jail for eight-and-a-half years, after raising $17 million in illicit funds for the regime. In these schemes, IT workers from North Korea use well-crafted, carefully curated portfolios, complete with full social media profiles, AI-enhanced photos and deepfakes, and stolen identities to pass background checks and land jobs at various U.S. companies. Once hired, they take the help of facilitators to receive company-issued laptops and other equipment, which they can then connect to remotely, thereby giving the impression that they are within the country where the company is located. The ongoing efforts operate with the twin goals of generating revenue for the Hermit Kingdom's nuclear program and other efforts via regular salaries, as well as gaining a foothold inside corporate networks for the purpose of planting malware for stealing secrets and extorting their employers. "DPRK's cyber operations challenge the traditional nation-state playbook – merging cryptocurrency theft, espionage, and nuclear ambition within a self-funded system driven by profit, loyalty, and survival," said Sue Gordon, a member of DTEX's Advisory Board and former principal deputy director of U.S. National Intelligence. "Recognizing it as a family-run mafia syndicate unblurs the lines between cybercrime and statecraft. This report pulls back the curtain on their inner workings and psychology, revealing how deeply embedded they already are within our workforce – providing the context needed to anticipate their next move."
• Soco404 and Koske Target Misconfigured Cloud Instances to Drop Miners — Two different malware campaigns have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners. These activity clusters have been codenamed Soco404 and Koske. While Soco404 targets both Linux and Windows systems to deploy platform-specific malware, Koske is a Linux-focused threat. There is also evidence to suggest that Koske has been developed using a large language model (LLM), given the presence of well-structured comments, best-practice logic flow with defensive scripting habits, and synthetic panda-related imagery to host the miner payload.
• XSS Forum Taken Down and Suspected Admin Arrested — Law enforcement notched a significant victory against the cybercrime economy with the disruption of the notorious forum XSS and the arrest of its suspected administrator. That said, it's important to note that takedowns of similar forums have proved short-lived, and threat actors often move to new platforms or other alternatives, such as Telegram channels. The development comes as LeakZone, a self-styled "leaking and cracking forum" where users advertise and share breached databases, stolen credentials, and pirated software, was caught leaking the IP addresses of its logged-in users to the open web.
• Coyote Trojan Exploits Windows UI Automation — The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information. Coyote, which is known to target Brazilian users, comes with capabilities to log keystrokes, capture screenshots, and serve overlays on top of login pages associated with financial enterprises. Akamai's analysis found that the malware invokes the GetForegroundWindow() Windows API in order to extract the active window's title and compare it against a hard-coded list of web addresses belonging to targeted banks and cryptocurrency exchanges. "If no match is found Coyote will then use UIA to parse through the UI child elements of the window in an attempt to identify browser tabs or address bars," Akamai said. "The content of these UI elements will then be cross-referenced with the same list of addresses from the first comparison."
• Cisco Confirms Active Exploits Targeting ISE — Cisco has warned that a set of security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) have come under active exploitation in the wild. The flaws, CVE-2025-20281, CVE-2025-20337, and CVE-2025-20282, allow an attacker to execute arbitrary code on the underlying operating system as root or upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. The network equipment vendor did not disclose which vulnerabilities have been weaponized in real-world attacks, the identity of the threat actors exploiting them, or the scale of the activity.

‎️‍🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it's a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week's high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week's list includes — CVE-2025-54068 (Laravel Livewire Framework), CVE-2025-34300 (Lighthouse Studio), CVE-2025-6704, CVE-2025-7624 (Sophos Firewall), CVE-2025-40599 (SonicWall SMA 100 Series), CVE-2025-49656, CVE-2025-50151 (Apache Jena), CVE-2025-22230, CVE-2025-22247 (Broadcom VMware Tools), CVE-2025-7783 (form-data), CVE-2025-34140, CVE-2025-34141, CVE-2025-34142, CVE-2025-34143 (Hexagon ETQ Reliance), CVE-2025-8069 (AWS Client VPN for Windows), CVE-2025-7723, CVE-2025-7724 (TP-Link VIGI NVR), CVE-2025-7742 (LG Innotek LNV5110R), CVE-2025-24000 (Post SMTP), CVE-2025-52449, CVE-2025-52452, CVE-2025-52453, CVE-2025-52454, CVE-2025-52455 (Salesforce Tableau Server), and CVE-2025-6241 (SysTrack).

📰 Around the Cyber World

• Google Removes 1000s of YouTube Channels Tied to Influence Ops — Google removed nearly 11,000 YouTube channels and other accounts tied to state-linked propaganda campaigns from China, Russia and more in the second quarter of 2025. It removed over 2,000 removed channels linked to Russia, including 20 YouTube channels, 4 Ads accounts, and 1 Blogger blog associated with RT, a Russian state-controlled media outlet. The takedown also included more than 7,700 YouTube channels linked to China, which shared content in Chinese and English that promoted the People's Republic of China, supported President Xi Jinping and commented on U.S. foreign affairs.
• Surveillance Company Bypasses SS7 Safeguards — An unnamed surveillance company has been using a new attack technique to bypass the Signaling System 7 (SS7) protocol's protections and trick telecommunications companies into disclosing the location of their users. The attack method, likely used since the fourth quarter of 2024, hinges on Transaction Capabilities Application Part (TCAP) manipulation through SS7 commands that have been encoded in such a manner that their contents are not parsed by the protection systems or firewalls at the target network. "We don't have any information on how successful this attack method has been worldwide, as its success is vendor/software specific, rather than being a general protocol vulnerability, but its use as part of a suite indicates that it has had some value," Enea researchers Cathal Mc Daid and Martin Gallagher said.
• Number of Phishing Sites Aimed at Telegram Spikes — A new report has found that the number of phishing sites aimed at Telegram users increased to 12,500 in the second quarter of 2025. In one variant of the scheme, fraudsters create a phishing page that simulates the login page associated with Telegram or Fragment, a platform on the TON blockchain that allows users to buy and sell unique Telegram usernames and virtual phone numbers. Should victims enter their credentials and the confirmation codes, the accounts are hijacked by the attackers. The second scenario entails the attacker approaching a victim to purchase a rare digital gift from them in Telegram for a large amount. "As payment, the fraudster sends fake tokens," BI.ZONE said. "At first glance, they are indistinguishable from the real ones, but they have no real value. After the transfer, the victim is left without a gift and with a fake digital currency." In a related report, Palo Alto Networks Unit 42 said it identified 54,446 domains hosting phishing sites in a campaign impersonating Telegram dubbed telegram_acc_hijack. "These pages collect Telegram login credentials submitted and real-time one-time passcodes (OTPs) to hijack user accounts," the company added.
• Former NCA Employee Sentenced to 5.5 Years in Prison — A former officer with the U.K. National Crime Agency (NCA) was sentenced to five-and-a-half years in prison after stealing a chunk of the Bitcoin seized by the agency as part of a law enforcement operation targeting the now-defunct illicit dark web marketplace Silk Road. Paul Chowles, 42, was identified as the culprit after authorities recovered his iPhone, which linked him to an account used to transfer Bitcoin as well as relevant browser search history relating to a cryptocurrency exchange service. "Within the NCA, Paul Chowles was regarded as someone who was competent, technically minded and very aware of the dark web and cryptocurrencies," Alex Johnson, Specialist Prosecutor with the Crown Prosecution Service's Special Crime Division, said. "He took advantage of his position working on this investigation by lining his own pockets while devising a plan that he believed would ensure that suspicion would never fall upon him. Once he had stolen the cryptocurrency, Paul Chowles sought to muddy the waters and cover his tracks by transferring the Bitcoin into mixing services to help hide the trail of money."
• U.K. Sanctions 3 Russian GRU Units for Sustained Cyber Attacks — The U.K. sanctioned three units of the Russian military intelligence agency (GRU) and 18 military intelligence officers for "conducting a sustained campaign of malicious cyber activity over many years" with an aim to "sow chaos, division and disorder in Ukraine and across the world." The sanctions cover Unit 26165 (linked to APT28), Unit 29155 (linked to Cadet Blizzard), and Unit 74455 (linked to Sandworm), as well as African Initiative, a "social media content mill established and funded by Russia and employing Russian intelligence officers to conduct information operations in West Africa."
• U.K. Floats Ransomware Payments Ban for Public Bodies — The U.K. government has proposed new legislation that would ban public sector organizations and critical national infrastructure from paying criminal operators behind ransomware attacks, as well as enforce mandatory reporting requirements for all victims to inform law enforcement of attacks. "Public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, would be banned from paying ransom demands to criminals under the measure," the government said. "The ban would target the business model that fuels cyber criminals' activities and makes the vital services the public rely on a less attractive target for ransomware groups." Businesses that do not fall under the ambit of the law would be required to notify the government of any intent to pay a ransom. A failure to download patches to address widely exploited vulnerabilities could lead to daily fines of £100,000 or 10 percent of turnover should a digital break-in occur.
• Thought Lumma Was Out of Commission? Think Again! — The Lumma Stealer operations have recovered following a law enforcement takedown of its infrastructure earlier this year, with the malware being distributed through more discreet channels and stealthier evasion tactics. "Lumma's infrastructure began ramping up again within weeks of the takedown," Trend Micro said. "This rapid recovery highlights the group's resilience and adaptability in the face of disruption." A notable shift is the reduction in volume of domains using Cloudflare's services to obfuscate their malicious domains and make detection more challenging, instead shifting to Russian alternatives like Selectel. "This strategic pivot suggests a move towards providers that might be perceived as less responsive to law enforcement requests, further complicating efforts to track and disrupt their activities," the company added. Lumma Stealer is known for its diverse and evolving delivery methods, leveraging social media posts, GitHub, ClickFix, and fake sites distributing cracks and key generators, as initial access methods. The resurgence of Lumma is par for the course with modern cybercriminal operations that often can quickly resume activity even after significant law enforcement disruptions. In a statement shared with The Hacker News, ESET confirmed the resurgence of Lumma Stealer and that the current activity has approached levels similar to those before the law enforcement action. "Lumma Stealer operators continue to register dozens of new domains weekly – activity that didn't stop even after the disruption – but switched to primarily resolving them at nameservers located in Russia," Jakub Tománek, ESET malware analyst, said. "The codebase itself has shown minimal changes since the takedown attempt. This indicates the group's primary focus has been on restoring operations rather than innovating their 'product' and introducing new features."
• U.S. Government Warns of Interlock Ransomware — The U.S. government has warned of Interlock ransomware attacks targeting businesses, critical infrastructure, and other organizations in North America and Europe since late September 2024. The attacks, designed to target both Windows and Linux systems, employ drive-by downloads from compromised legitimate websites or ClickFix- and FileFix-style lures to drop payloads for initial access. "Actors then use various methods for discovery, credential access, and lateral movement to spread to other systems on the network," the U.S. government said. "Interlock actors employ a double extortion model in which actors encrypt systems after exfiltrating data, which increases pressure on victims to pay the ransom to both get their data decrypted and prevent it from being leaked." Also part of the threat actor's tooling are Cobalt Strike and a custom remote access trojan called NodeSnake RAT, and information stealers like Lumma Stealer and Berserk Stealer to harvest credentials for lateral movement and privilege escalation.
• Apple Notifies Iranians of Spyware Attacks — Apple notified more than a dozen Iranians in recent months that their iPhones had been targeted with government spyware, according to a digital rights and security organization called Miaan Group. This included individuals who have a long history of political activism. Also notified by Apple were dissidents and a technology worker. It's unclear which spyware maker is behind these attacks. The attacks mark the first known example of advanced mercenary tools being used both inside Iran and against Iranians living abroad.
• Linux Servers Targeted by SVF Bot — Poorly managed Linux servers are being targeted by a campaign that delivers a Python-based malware called SVF Bot that enlists infected machines in a botnet that can conduct distributed denial-of-service (DDoS) attacks. "When the SVF Bot is executed, it can authenticate with the Discord server using the following Bot Token and then operate according to the threat actor's commands," ASEC said. "Most of the supported commands are for DDoS attacks, with L7 HTTP Flood and L4 UDP Flood being the main types supported."
• Turkish Companies Targeted by Snake Keylogger — Turkish organizations are the target of a new phishing campaign that delivers an information stealer called Snake Keylogger. The activity, primarily singling out defense and aerospace sectors, involves distributing bogus email messages that impersonate Turkish Aerospace Industries (TUSAŞ) in an attempt to trick victims into opening malicious files under the guise of contractual documents. "Once executed, the malware employs advanced persistence mechanisms – including PowerShell commands to evade Windows Defender and scheduled tasks for auto-execution – to harvest sensitive data, such as credentials, cookies, and financial information, from a wide range of browsers and email clients," Malwation said.
• Former Engineer Pleads Guilty to Trade Theft — A Santa Clara County man and former engineer at a Southern California company pleaded guilty to stealing trade secret technologies developed for use by the U.S. government to detect nuclear missile launches, track ballistic and hypersonic missiles, and to allow U.S. fighter planes to detect and evade heat-seeking missiles. Chenguang Gong, 59, of San Jose, pleaded guilty to one count of theft of trade secrets. He remains free on a $1.75 million bond. Gong – a dual citizen of the United States and China – transferred more than 3,600 files from a Los Angeles-area research and development company where he worked to personal storage devices during his brief tenure with the company last year. The victim company hired Gong in January 2023 as an application-specific integrated circuit design manager. He was terminated three months later. Gong, who was arrested and charged in February, is scheduled for sentencing on September 29, 2025. He faces up to 10 years in prison.
• FBI Issues Warning About The Com — The Federal Bureau of Investigation (FBI) is warning the public about an online group called In Real Life (IRL) Com that provides violence-as-a-service (VaaS), including shootings, kidnappings, armed robbery, stabbings, physical assault, and bricking. "Services are posted online with a price breakdown for each act of violence," the FBI said. "Groups offering VaaS advertise contracts on social media platforms to solicit individuals willing to conduct the act of violence for monetary compensation." The threat group is also said to advertise swat-for-hire services via communication applications and social media platforms. IRL Com is assessed to be one of three subsets of The Com (short for The Community), a growing online collective comprising primarily of thousands of English-speaking individuals, many of whom are minors, and engage in a wide range of criminal endeavors. The other two offshoots are Hacker Com, which is linked to DDoS and ransomware-as-a-service (RaaS) groups, and Extortion Com, which primarily involves the exploitation of children. Notably, the Com encompasses threat clusters tracked as LAPSUS$ and Scattered Spider. A similar warning was issued by the U.K. National Crime Agency (NCA) earlier this March, calling attention to The Com's trend of recruiting teenage boys to commit a range of criminal acts, from cyber fraud and ransomware to child sexual abuse.
• Organized Crime Group Behind Large-Scale Fraud Disrupted — A highly organised criminal group involved in large-scale fraud in Western Europe was dismantled in a coordinated operation led by authorities from Romania and the United Kingdom. "The gang had travelled from Romania to several Western European countries, mainly the UK, and withdrew large sums of money from ATM machines," Europol said. "They later laundered the proceeds by investing in real estate, companies, vacations, and luxury products, including cars and jewelry." The operation has led to two arrests, 18 house searches, and the seizure of real estate, luxury cars, electronic devices, and cash. The attackers committed what has been described as Transaction Reversal Fraud (TRF), in which the screen of an ATM is removed and a bank card is inserted to request funds. The transactions were canceled (or reversed) before the funds were dispensed, allowing them to reach inside the ATM and take the cash before it was retracted. The gang is estimated to have plundered about €580,000 (about $681,000) using this method. "The perpetrators were also involved in other criminal activities, including skimming, forging electronic means of payment and transport cards, and conducting bin attacks — a type of card fraud carried out using software designed to identify card numbers and generate illicit income through fraudulent payments," Europol added. The development came as a 21-year-old U.K. student, Ollie Holman, who designed and distributed 1,052 phishing kits linked to £100 million (approximately $134 million) worth of fraud, was jailed for seven years. It is estimated that Holman received £300,000 from selling the kits between 2021 and 2023. The phishing kits were sold via Telegram. Holman previously pleaded guilty to seven counts, including encouraging or assisting the commission of an offence, making or supplying articles for use in fraud, and transferring, acquiring, and possessing criminal property, per the Crown Prosecution Service.
• Endgame Gear Acknowledges Supply Chain Attack — Gaming peripheral manufacturer Endgame Gear confirmed that unidentified threat actors compromised its official software distribution system to spread dangerous Xred malware to unsuspecting customers for nearly two weeks via the OP1w 4k v2 product page. The security breach occurred between June 26 and July 9, 2025. The company stated that "access to our file servers was not compromised, and no customer data was accessible or affected on our servers at any time," and that "This issue was isolated to the OP1w 4k v2 product page download only."
• New Campaign Targeted Crypto Users Since March 2024 — A new sophisticated and evasive malware campaign has managed to stay unnoticed and target cryptocurrency users globally since March 2024. Dubbed WEEVILPROXY, the activity leverages Facebook advertisement campaigns masquerading as well-known cryptocurrency-related software and platforms, such as Binance, Bybit, Kraken, Revolut, TradingView, and others, to trick users into downloading fake installers that ultimately drop information stealers and cryptocurrency drainers. "We have also observed the threat actor propagate ads through Google Display Network since April-May 2025, which are displayed throughout the internet in the form of images/videos," WithSecure said. "These ads appear geographically bound as well, for instance, we have observed such ads specifically targeting the Philippines, Malaysia, Thailand, Vietnam, Bangladesh, and Pakistan."
• VMDetector Loader Delivers Formbook Malware — A new variant of the VMDetector Loader malware has been found embedded within the "pixel data" of a seemingly benign JPG image that's delivered via phishing emails to ultimately deploy an information stealer called Formbook. The JPG image is retrieved from archive.org by means of Visual Basic Scripts present within zipped archives that are sent as attachments to the email messages.
• Threat Actors Use mount Binary in Hikvision Attacks — Attacks in the wild exploiting CVE-2021-36260, a command injection bug affecting Hikvision cameras, have been uncovered, leveraging the flaw to mount a remote NFS share and execute a file off of it. "The attacker tells mount to make the remote NFS share, /srv/nfs/shared, on 87.121.84[.]34 available locally as the directory ./b," VulnCheck said.
• How Windows Drivers Can Be Weaponized? — In a new detailed analysis, Security Joes has highlighted the threat posed by kernel-mode attacks and how attacks abusing vulnerable drivers, called the Bring Your Own Vulnerable Driver (BYOVD) technique, can be used by attackers to exploit signed-but-flawed drivers to bypass kernel protections. "Because drivers run in kernel mode, they possess high privileges and unrestricted access to system resources," the company said. "This makes them a high-value target for attackers aiming to escalate privileges, disable security mechanisms such as EDR callbacks, and achieve full control over the system."
• Organizations' Attack Surface Increases — Organizations have created more entry points for attackers. That's according to a report from ReliaQuest, which found a 27% increase in exposed ports between the second half of 2024 and the first half of 2025, a 35% increase in exposed operational technology (OT), and a surge in vulnerabilities in public-facing systems, such as PHP and WordPress. "Vulnerabilities in public-facing assets more than doubled, rising from 3 per organization in the second half of 2024 to 7 in the first half of 2025," the company said. "From late 2024 to early 2025, the number of exposed access keys for organizations in our customer base doubled, creating twice the opportunity for attackers to slip in unnoticed."
• Iranian Bank Pasargad Targeted During June Conflict — The Iranian bank known as Pasargad was targeted as part of a cyber attack during the Iran-Israel war in June 2025, impacting access to crucial services. A suspected Israeli operation called Predatory Sparrow claimed responsibility for the attack on another Iranian bank Sepah and the country's largest cryptocurrency exchange, Nobitex.
• CrowdStrike Outage Impacted Over 750 U.S. Hospitals — A new study undertaken by a group of academics from the University of California, San Diego, found that 759 U.S. hospitals experienced IT outages last July due to a faulty CrowdStrike update. "A total of 1098 distinct network services with outages were identified, of which 631 (57.5%) were unable to be classified, 239 (21.8%) were direct patient-facing services, 169 (15.4%) were operationally relevant services, and 58 (5.3%) were research-related services," the study said.
• North Korean Actors Employ NVIDIA Lures — The North Korean threat actors behind the Contagious Interview (aka DeceptiveDevelopment) campaign are leveraging ClickFix-style lures to trick unsuspecting job seekers into downloading a supposed NVIDIA-related update to address camera or microphone issues when attempting to provide a video assessment. The attack leads to the execution of a Visual Basic Script that launches a Python payload called PylangGhost that steals credentials and enables remote access via MeshAgent.
• ACRStealer Variant Distributed in New Attacks — Threat actors are propagating a new variant of ACRStealer that incorporates new features aimed at detection evasion and analysis obstruction. "The modified ACRStealer uses the Heaven's Gate to disrupt detection and analysis," AhnLab said. "Heaven's Gate is a technique used to execute x64 code in WoW64 processes and is widely used for analysis evasion and detection avoidance." The new version has been rebranded as Amatera Stealer, per Proofpoint. It's offered for sale for $199 per month to $1,499 per year.
• Aeza Group Shifts Infrastructure After U.S. Sanctions — Earlier this month, the U.S. Treasury Department imposed sanctions against Russia-based bulletproof hosting (BPH) service provider Aeza Group for assisting threat actors in their malicious activities, such as ransomware, data theft, and darknet drug trafficking. Silent Push, in a new analysis, said IP ranges from Aeza's AS210644 began migrating to AS211522, a new autonomous system operated by Hypercore Ltd., starting July 20, 2025, in an attempt to evade sanctions enforcement and operate under new infrastructure.
• Request for Quote Scams Demonstrate Sophistication — Cybersecurity researchers are calling attention to a widespread Request for Quote (RFQ) scam that employs common Net financing options (Net 15, 30, 45) to steal a variety of high-value electronics and goods. "In RFQ campaigns, the actor reaches out to a business to ask for quotes for various products or services," Proofpoint said. "The quotes they receive can be used to make very convincing lures to send malware, phishing links, and even additional business email compromise (BEC) and social engineering fraud." Besides using vendor-supplied financing and stolen identities of real employees to steal physical goods, these scams utilize email and legitimate online quote request forms to reach potential victims.
• Fake Games Distribute Stealer Malware — A new malware campaign is distributing fake installers for indie game titles such as Baruda Quest, Warstorm Fire, and Dire Talon, promoting them via fraudulent websites, YouTube channels, and Discord, to trick unwitting users into infecting their machines with stealers like Leet Stealer, RMC Stealer (a modified version of Leet Stealer), and Sniffer Stealer. The origins of Leet and RMC malware families can be traced back to Fewer Stealer, suggesting a shared lineage. It's believed that the campaign originally targeted Brazil, before expanding worldwide.
• U.S. FCC Wants to Ban Companies from Using Chinese Equipment When Laying Submarine Cables — The U.S. Federal Communications Commission said it plans to issue new rules that would ban Chinese technology from U.S. submarine cables in order to protect underwater telecommunications infrastructure from foreign adversary threats. "We have seen submarine cable infrastructure threatened in recent years by foreign adversaries, like China," FCC Chairman Brendan Carr said. "We are therefore taking action here to guard our submarine cables against foreign adversary ownership, and access as well as cyber and physical threats." In a recent report, Recorded Future said the risk environment for submarine cables has "escalated" and that the "threat of state-sponsored malicious activity targeting submarine cable infrastructure is likely to rise further amid heightened geopolitical tensions." The cybersecurity company also cited a lack of redundancy, a lack of diversity of cable routes, and limited repair capacity as some of the key factors that raise the risk of severe impact caused by damage to submarine cables.
• China Warns Citizens of Backdoored Devices and Supply Chain Threats — China's Ministry of State Security (MSS) has issued an advisory, warning of backdoors in devices and supply chain attacks on software. The security agency said such threats not only risk personal privacy and theft of corporate secrets, but also affect national security. "Potential technical backdoor security risks can also be reduced by strengthening technical protection measures, such as formulating patch strategies, regularly updating operating systems, regularly checking device logs, and monitoring abnormal traffic," MSS said, urging organizations to avoid foreign software and instead adopt domestic operating systems. In a separate bulletin, the MSS also alleged that overseas spy intelligence agencies may set up backdoors in its ocean observation sensors to steal data.
• NyashTeam Hacking Group Infrastructure Disrupted — Russia-based cybersecurity company F6 said it dismantled a network of domains operated by a relatively unknown hacking crew known as NyashTeam, which sells two different remote access trojans known as DCRat (DarkCrystal RAT) and WebRAT through Telegram bots and websites under the malware-as-a-service (MaaS) model. The malware is distributed using YouTube and GitHub by passing them off as game cheats or pirated software. The group is also believed to provide hosting services for cybercriminal infrastructure and support customers through plugins, guides, and data processing tools, appealing to both novice hackers and experienced cybercriminals alike.
• RenderShock Attack Technique Detailed — Cybersecurity researchers have detailed a zero-click attack strategy called RenderShock that leverages trusted operating system behaviors to conduct reconnaissance and deliver payloads without requiring any user interaction. "By embedding malicious logic in metadata, preview triggers, and document formats, RenderShock capitalizes on system convenience as an unguarded attack vector," CYFIRMA said. "Modern enterprise systems are built for convenience, automatically previewing, indexing, synchronizing, and rendering files across endpoints, cloud platforms, and productivity suites. These systems often process files without explicit user action, trusting that the rendering process is safe. RenderShock exploits these passive execution surfaces: trusted components that parse untrusted files silently in the background."

🎥 Cybersecurity Webinars

• AI Is Breaking Trust—Here's How to Save It Before It's Too Late — Discover how customers are reacting to AI-driven digital experiences in 2025. The Auth0 CIAM Trends Report reveals rising identity threats, new trust expectations, and the hidden costs of broken logins. Join this webinar to learn how AI can be your biggest asset—or your biggest risk.
• Python Devs: Your Pip Install Could Be a Malware Bomb — In 2025, Python's supply chain is under siege — from typosquats to hijacked AI libraries. One wrong pip install could inject malware straight into production. This session shows how to secure your builds with tools like Sigstore, SLSA, and hardened containers. Stop hoping your packages are clean — start verifying.

🔧 Cybersecurity Tools

• Vendetect – It is an open-source tool designed to detect copied or vendored code across repositories — even when the code has been modified. Built for real-world security and compliance needs, it uses semantic fingerprinting and version control analysis to identify where code was copied from, including the exact source commit. Unlike academic plagiarism tools, Vendetect is optimized for software engineering environments: it catches renamed functions, stripped comments, and altered formatting, and helps trace untracked dependencies, license violations, and inherited vulnerabilities often found during security assessments.
• Telegram Channel Scraper – It is a Python-based tool designed for advanced monitoring and data collection from public Telegram channels. It uses the Telethon library to scrape messages and media, storing everything in optimized SQLite databases. Built for efficiency and scale, it supports real-time scraping, parallel media downloads, and batch data exports. This makes it useful for researchers, analysts, and security teams who need structured access to Telegram content for investigation or archiving — without depending on manual scraping or third-party platforms.

Disclaimer: These newly released tools are for educational use only and haven't been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Don't Trust Your Browser Blindly — Most people think of their browser as just a tool to get online — but in reality, it's one of the most exposed parts of your device. Behind the scenes, your browser quietly stores names, emails, companies, and sometimes even payment info. This data often lives in plain, unencrypted files that are easy to extract if someone gains local access — even briefly.

For example, in Chrome or Edge, personal autofill details are stored in a file called Web Data, which is a basic SQLite database anyone with access can read. This means that if your machine is compromised — even by a simple script — your personal or even work identity can be quietly stolen. Red teamers and attackers love this kind of recon gold.

It doesn't stop there. Browsers also keep session cookies, local storage, and site databases that often don't get wiped, even after logout. This data can allow attackers to hijack your logged-in sessions or extract sensitive info stored by web apps — including company tools. Even browser extensions, if malicious or hijacked, can quietly spy on your activity or inject bad code into pages you trust.

Another weak spot? Browser extensions. Even legitimate-looking add-ons can have wide permissions — letting them read what you type, track your browsing, or inject scripts. If a trusted extension gets compromised in an update, it can silently become a data theft tool. This happens more often than people think.

Here's how to reduce the risk:

• Clear autofill, cookies, and site data regularly
• Disable autofill entirely on workstations
• Limit extensions — audit them using tools like CRXcavator or Extension Police
• Use DB Browser for SQLite to inspect stored files (Web Data, Cookies)
• Use tools like BleachBit to securely wipe traces

Browsers are essentially lightweight application platforms. If you're not auditing how they store data and who can access it, you're leaving a major gap open — especially on shared or endpoint-exposed machines.

Conclusion

This week's signals are less a conclusion and more a provocation: What else might we be misclassifying? What familiar data could become meaningful under a different lens? If the adversary thinks in systems, not symptoms, our defenses must evolve accordingly.

Sometimes, the best response isn't a patch—it's a perspective shift. There's value in looking twice where others have stopped looking altogether.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

________________________________________________________________________________________________________________________________
Original Article Published at The Hackers News
________________________________________________________________________________________________________________________________