⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior.

Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert.

Here's how that false sense of security was broken again this week.

⚡ Threat of the Week

Newly Patched Critical Microsoft WSUS Flaw Comes Under Attack — Microsoft released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability that has since come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. According to Eye Security and Huntress, the security flaw is being weaponized to drop a .NET executable and Base64-encoded PowerShell payload to run arbitrary commands on infected hosts.

CISO Best Practices Cheat Sheet: Cloud Edition

This guide is for CISOs and cloud security leaders who want to move beyond fire drills and dashboards. Whether you're inheriting a cloud program, scaling to multi-cloud maturity, or aligning with board priorities, this cheat sheet helps you cut through the noise, focus on measurable outcomes, and lead with clarity – all with practical frameworks and 90-day actionable steps.

Get the Cheat Sheet ➝

🔔 Top News

• YouTube Ghost Network Delivers Stealer Malware — A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads. Active since 2021, the network has published more than 3,000 malicious videos to date, with the volume of such videos tripling since the start of the year. The campaign leverages hacked accounts and replaces their content with "malicious" videos that are centred around pirated software and Roblox game cheats to infect unsuspecting users searching for them with stealer malware. Some of the videos have amassed hundreds of thousands of views.
• N. Korea's Dream Job Campaign Targets Defense Sector — Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job. In the observed activity, the Lazarus group sends malware-laced emails purporting to be from recruiters at top companies, ultimately tricking recipients into infecting their own machines with malware such as ScoringMathTea. ESET noted that the attacks singled out companies that supply military equipment, some of which are currently deployed in Ukraine. One of the targeted companies is involved in the production of at least two unmanned aerial vehicles currently used in Ukraine.
• MuddyWater Targets 100+ Organisations in Global Espionage Campaign — The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities. The end goal of the campaign is to infiltrate high-value targets and facilitate intelligence gathering using a backdoor called Phoenix that's distributed via spear-phishing emails. MuddyWater, also called Boggy Serpens, Cobalt Ulster, Earth Vetala, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, TEMP.Zagros, and Yellow Nix, is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS).
• Meta Launches New Tools to Protect WhatsApp and Messenger Users from Scams — Meta said it is launching new tools to protect Messenger and WhatsApp users from potential scams. This includes introducing new warnings on WhatsApp when users attempt to share their screen with an unknown contact during a video call. On Messenger, users can opt to enable a setting called "Scam detection" by navigating to Privacy & safety settings. Once it's turned on, users are alerted when they receive a potentially suspicious message from an unknown connection that may contain signs of a scam. The social media giant also said it detected and disrupted close to 8 million accounts on Facebook and Instagram since the start of the year that are associated with criminal scam centers targeting people, including the elderly, across the world through messaging, dating apps, social media, crypto, and other apps. According to Graphika, the illicit money-making schemes target older adults and victims of previous scams. "The scammers use major social media platforms to attract their targets, then redirect them to fraudulent websites or private messages to divulge financial details or sensitive personal data," it said. "The operations follow a recurring pattern we've seen across our scams work: build trust, usher victims off-platform, and extract personal or financial data through registration for non-existent relief programs or submission of complaint forms based on organizational trust."
• Jingle Thief Strikes Cloud for Gift Card Fraud — A cybercriminal group called Jingle Thief has been observed targeting cloud environments associated with organizations in the retail and consumer services sectors for gift card fraud. "Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards," Palo Alto Networks Unit 42 said. "Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards." The end goal of these efforts is to leverage the issued gift cards for monetary gain by likely reselling them on gray markets.

‎️‍🔥 Trending CVEs

Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week's most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.

This week's list includes — CVE-2025-54957 (Dolby Unified Decoder), CVE-2025-6950, CVE-2025-6893 (Moxa), CVE-2025-36727, CVE-2025-36728 (SimpleHelp), CVE-2025-8078, CVE-2025-9133 (Zyxel), CVE-2025-61932 (Lanscope Endpoint Manager), CVE-2025-61928 (Better Auth), CVE-2025-57738 (Apache Syncope), CVE-2025-40778, CVE-2025-40780, CVE-2025-8677 (BIND 9), CVE-2025-11411 (Unbound), CVE-2025-61865 (I-O DATA NarSuS App), CVE-2025-53072, CVE-2025-62481 (Oracle E-Business Suite), CVE-2025-11702, CVE-2025-10497, CVE-2025-11447 (GitLab), CVE-2025-22167 (Atlassian Jira), CVE-2025-54918 (Microsoft), and CVE-2025-52882 (Claude Code for Visual Studio Code).

📰 Around the Cyber World

• Apple's iOS 26 Deletes Spyware Evidence — Apple's latest mobile operating system update, iOS 26, has made a notable change to a log file named "shutdown.log" that stores evidence of past spyware infections. According to iPhone forensics and investigations firm iVerify, the company is now rewriting the file after every device reboot, instead of appending new data at the end. While it's not clear if this is an intentional design decision or an inadvertent bug, iVerify said "this automatic overwriting, while potentially intended for system hygiene or performance, effectively sanitizes the very forensic artifact that has been instrumental in identifying these sophisticated threats."
• Google Details Information Ops Targeting Poland — Google said it observed multiple instances of pro-Russia information operations (IO) actors promoting narratives related to the reported incursion of Russian drones into Polish airspace that occurred in September 2025. "The identified IO activity, which mobilized in response to this event and the ensuing political and security developments, appeared consistent with previously observed instances of pro-Russia IO targeting Poland—and more broadly the NATO Alliance and the West," the company said. The messaging involved denying Russia's culpability, blaming the West, undermining domestic support for the government, and undercutting Polish domestic support for its government's foreign policy position towards Ukraine. The activity has been attributed to three clusters tracked as Portal Kombat (aka Pravda Network), Doppelganger, and an online publication named Niezależny Dziennik Polityczny. NDP is assessed to be a significant amplifier within the Polish information space of pro-Russia disinformation surrounding Russia's ongoing invasion of Ukraine.
• RedTiger-based infostealer Used to Steal Discord Accounts — Threat actors have been observed exploiting an open-source, Python-based red-teaming tool called RedTiger in attacks targeting gamers and Discord accounts. "The RedTiger infostealer targets various types of sensitive information, with a primary focus on Discord accounts," Netskope said. "The infostealer injects a custom JavaScript into Discord's client index.js file (discord_desktop_core) to monitor and intercept Discord traffic. Additionally, it collects browser-stored data (including payment information), game-related files, cryptocurrency wallet data, and screenshots from the host system. It can also spy through the victim's webcam and overload storage devices by mass-spawning processes and creating files." Additionally, the tool facilitates what's called mass file and process spamming, creating 100 files with random file extensions and launching 100 threads to kick off 400 total processes simultaneously, effectively overloading the system resources and hindering analysis efforts. The campaign is another example of threat actors exploiting any legitimate platform to gain false legitimacy and bypass protections. The development comes as gamers have also been the target of another multi-function Python RAT that leverages the Telegram Bot API as a command and control (C2) channel, allowing attackers to exfiltrate stolen data and remotely interact with victim machines. The malware, which masquerades as legitimate Minecraft software "Nursultan Client," can capture screenshots, take photos from a user's webcam, steal Discord authentication tokens, and open arbitrary URLs on the victim's machine.
• UNC6229 Uses Fake Job Postings to Spread RATs — A financially motivated threat cluster operating out of Vietnam has leveraged fake job postings on legitimate platforms like LinkedIn (or their own fake job posting websites such as staffvirtual[.]website) to target individuals in the digital advertising and marketing sectors with malware and phishing kits with the ultimate aim of compromising high-value corporate accounts and hijack digital advertising accounts. Google, which disclosed details of the "persistent and targeted" campaign, is tracking it as UNC6229. "The effectiveness of this campaign hinges on a classic social engineering tactic where the victim initiates the first contact. UNC6229 creates fake company profiles, often masquerading as digital media agencies, on legitimate job platforms," it noted. "They post attractive, often remote, job openings that appeal to their target demographic." Once the victim submits the application, the threat actor contacts the applicant via email to deceive them into opening malicious ZIP attachments, leading to remote access trojans or clicking on phishing links that capture their corporate credentials. Another aspect that makes this campaign noteworthy is that the victims are more likely to trust the email messages, since they are in response to a self-initiated action, establishing a "foundation of trust."
• XWorm 6.0 Detailed — The threat actors behind XWorm have unleashed a new version (version 6.0) of the malware with improved process protection and anti-analysis capabilities. "This latest version includes additional features for maintaining persistence and evading analysis," Netskope said. "The loader includes new Antimalware Scan Interface (AMSI)-bypass functionality using in-memory modification of CLR.DLL to avoid detection." The infection chain begins with a Visual Basic Script likely distributed via social engineering, which sets up persistence and proceeds to drop a PowerShell loader responsible for fetching the XWorm 6.0 payload from a public GitHub repository. One of the new features is its ability to prevent process termination by marking itself as a critical process and terminating itself when it detects execution on Windows XP. "This change may be an effort to prevent researchers or analysts from running the payload in a sandbox or legacy analysis environment," the company added.
• Spike in Attacks Abusing Microsoft 365 Direct Send — Cisco Talos said it has observed increased activity by malicious actors leveraging Microsoft 365 Exchange Online Direct Send as part of phishing campaigns and business email compromise (BEC) attacks. It described the feature abuse as an opportunistic exploitation of a trusted pathway as it bypasses DKIM, SPF, and DMARC protections. "Direct Send preserves business workflows by allowing messages from these appliances to bypass more rigorous authentication and security checks," security researcher Adam Katz said. "Adversaries emulate device or application traffic and send unauthenticated messages that appear to originate from internal accounts and trusted systems."
• CoPhish Attack Steals OAuth Tokens via Copilot Studio Agents — Cybersecurity researchers found a way by which a Copilot Studio agent's "Login" settings can be used to redirect a user to any URL, resulting in an OAuth consent attack, which makes use of malicious third-party Entra ID applications to seize control of victim accounts. Copilot Studio agents are chatbots hosted on copilotstudio.microsoft[.]com. "This increases the attack's legitimacy by redirecting the user from copilotstudio.microsoft.com," Datadog said. The attack technique has been codenamed CoPhish. It essentially involves configuring an agent's sign-in process with a malicious OAuth application and modifying the agent to send the resulting user token issued by Entra ID to access the application to a URL under their control. Thus, when the attacker sends a malicious CoPilot Studio agent link to a victim via phishing emails and they attempt to access it, they are prompted to login to the service, at which point they are redirected to a malicious OAuth application for consent. "The malicious agent does not need to be registered in the target environment: in other words, an attacker can create an agent in their own environment to target users," Datadog added. It should be noted that the redirect action when the victim user clicks on the Login button can be configured to redirect to any malicious URL, and the application consent workflow URL is just one possibility for the threat actor.
• Abuse of AzureHound in the Wild — Multiple threat actors such as Curious Serpens (Peach Sandstorm), Void Blizzard, and Storm-0501 have leveraged a Go-based open-source data collection tool called AzureHound in their attacks. "Threat actors misuse this tool to enumerate Azure resources and map potential attack paths, enabling further malicious operations," Palo Alto Networks Unit 42 said. "Collecting internal Azure information helps threat actors uncover misconfigurations and indirect privilege escalation opportunities that might not be obvious without this full view of the target Azure environment. Threat actors also run the tool after obtaining initial access to the victim environment, downloading and running AzureHound on assets to which they have gained access."
• Modified Telegram Android App Delivers Baohuo Backdoor — A modified version of the Telegram messaging app for Android, named Telegram X, is being used to deliver a new backdoor called Baohuo, while remaining functional. Once launched, it connects to a Redis database for command-and-control (C2) and receives instructions to execute them on the compromised device. "In addition to being able to steal confidential data, including user logins and passwords, as well as chat histories, this malware has a number of unique features," Doctor Web said. "For example, to prevent itself from being detected and to cover up the fact that an account has been compromised, Baohuo can conceal connections from third-party devices in the list of active Telegram sessions. Moreover, it can add and remove the user from Telegram channels and also join and leave chats on behalf of the victim, also concealing these actions." The backdoor has infected more than 58,000 Android-based smartphones, tablets, TV box sets, and even cars to date since it began to be distributed in mid-2024 via in-app ads in mobile apps that trick users into installing the malicious APK from an external site that mimics an app marketplace. The rogue Android app has also been detected on legitimate third-party app catalogs like APKPure, ApkSum, and AndroidP. Some of the countries with the largest number of infections include Colombia, Brazil, Egypt, Algeria, Iraq, Russia, India, Bangladesh, Pakistan, Indonesia, and the Philippines.
• Windows Disables File Explorer Previews for Security — Microsoft has disabled File Explorer previews for files downloaded from the internet (i.e., those that are marked with Mark of the Web). The change was rolled out for security reasons during this month's Patch Tuesday updates. "This change mitigates a vulnerability where NTLM hash leakage might occur if users preview files containing HTML tags (such as <link>, <src>, and so forth) referencing external paths. Attackers could exploit this preview feature to capture sensitive credentials," Microsoft said. Once the latest updates are installed, the File Explorer preview pane will display the following message: "The file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents." To remove the block, users are required to right-click on the downloaded file, select Properties, and then Unblock. It's believed that the change is also designed to tackle CVE-2025-59214, a File Explorer spoofing issue that could be exploited to leak sensitive information over the network. CVE-2025-59214 is a bypass for CVE-2025-50154, which in turn is a bypass for CVE-2025-24054, a zero-click NTLM credential leakage vulnerability that came under active exploitation in the wild earlier this year.
• Phishing Campaigns Employ New Evasion Tactics — Kaspersky has warned that threat actors are increasingly employing diverse evasion techniques in their phishing campaigns and websites. "In email, these techniques include PDF documents containing QR codes, which are not as easily detected as standard hyperlinks," the Russian company said. "Another measure is password protection of attachments. In some instances, the password arrives in a separate email, adding another layer of difficulty to automated analysis. Attackers are protecting their web pages with CAPTCHAs, and they may even use more than one verification page."
• Fraudulent Perplexity Comet Browser Domains Found — BforeAI said it has observed over 40 fraudulent domains promoting Perplexity's AI-powered Comet browser, with bad actors also publishing copycat apps on Apple App Store and Google Play Store. "The timing of domain registrations closely follows Comet's launch timeline, indicating opportunistic cybercriminals monitoring for emerging technology trends," BforeAI said. "The use of international registrars, privacy protection services, and parking pages suggests coordination among threat actors."
• LockBit 5.0 Claims New Victims — LockBit, which recently resurfaced with a new version (codenamed "ChuongDong") following being disrupted in early 2024, is already extorting new victims, claiming over a dozen victims across Western Europe, the Americas, and Asia, affecting both Windows and Linux systems. Half of them have been infected by the newly released LockBit 5.0 variant, and the rest by LockBit Black. The development is a "clear sign that LockBit's infrastructure and affiliate network are once again active," Check Point said. The latest version introduces multi-platform support, stronger evasion, faster encryption, and randomized 16-character file extensions to evade detection. "To join, affiliates must deposit roughly $500 in Bitcoin for access to the control panel and encryptors, a model aimed at maintaining exclusivity and vetting participants," the company said. "Updated ransom notes now identify themselves as LockBit 5.0 and include personalized negotiation links granting victims a 30-day deadline before stolen data is published."
• Data Collection Consent Changes for New Firefox Extensions — Starting November 3, Mozilla will require all Firefox extensions to specifically declare in the manifest.json file if they collect and transmit personal data to third parties. This information is expected to be integrated into Firefox permission prompts when users attempt to install the browser add-on on the addons.mozilla.org page. "This will apply to new extensions only, and not new versions of existing extensions," Mozilla said. "Extensions that do not collect or transmit any personal data are required to specify this by setting the none required data collection permission in this property."
• Hackers Target WordPress Websites by Exploiting Outdated Plugins — A mass-exploitation campaign is targeting WordPress sites with GutenKit and Hunk Companion plugins vulnerable to known security flaws such as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972 to take over sites for malicious ends. "These vulnerabilities make it possible for unauthenticated threat actors to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution," Wordfence said. The exploitation activity is assessed to have commenced on October 8, 2025. Over 8,755,000 exploit attempts targeting these vulnerabilities have been blocked. In some of the incidents, the attack leads to the download of a ZIP archive hosted on GitHub that can automatically log in an attacker as an administrator and run scripts to upload and download arbitrary files. It also drops a PHP payload that comes with mass defacement, file management, network-sniffing capabilities, and installing further malware via a terminal. In scenarios where a full admin backdoor cannot be obtained, the attackers have been found to install a vulnerable "wp-query-console" to achieve unauthenticated remote code execution. The disclosure comes as the WordPress security company detailed how threat actors craft malware that uses variable functions and cookies for obfuscation.
• Unusual Phishing Attack Bypasses SEGs Using JavaScript — A "cunning new phishing attack" is bypassing Secure Email Gateways (SEGs) by making use of a phishing script with random domain selection and dynamic server-driven page replacement to steal credentials. The threat was first detected in February 2025 and remains ongoing. The campaign involves distributing phishing emails containing HTML attachments that contain an embedded URL leading to the fake landing page, or through emails with embedded links that spoof enterprise collaboration platforms like DocuSign, Microsoft OneDrive, Google Docs, and Adobe Sign. "In the tactic, the script picks a random .org domain from a hardcoded, predefined list," Cofense said. "The .org domains on the list appear to be dynamically generated in bulk without using words, likely in an attempt to bypass block lists or AI/ML tools designed to block domains based on certain word structures. The script then generates a dynamic UUID (Universal Unique Identifier), which can be used to track victims and serve as a campaign identifier, suggesting that this script may be part of a package that can be reused in different campaigns, potentially with different spoofed brands on credential phishing pages." The script is configured to send an HTTP(s) POST request to the random server, causing it to respond back with a dynamically generated login form based on the victim's context.
• Russia Plans China-Like Bug Disclosure Law — According to RBC, Russia is reportedly preparing a new bill that would require security researchers, security firms, and other white-hat hackers to report all vulnerabilities to the Federal Security Service (FSB), the country's principal security agency. This is similar to the legislation that was passed by China in July 2021. Security researchers who fail to report vulnerabilities to the FAB will face criminal charges for "unlawful transfer of vulnerabilities." The possibility of the creation of a register of white-hat hackers is also being discussed, the Russian media publication said. It should be noted that the use of zero-days by Chinese nation-state hacking groups has surged since the law went into effect. "Chinese threat activity groups have shifted heavily toward the exploitation of public-facing appliances since at least 2021," Recorded Future said in a November 2023 report. "Over 85% of known zero-day vulnerabilities exploited by Chinese state-sponsored groups during this subsequent period were in public-facing appliances such as firewalls, enterprise VPN products, hypervisors, load balancers, and email security products." In an analysis published in June 2025, the Atlantic Council said "China's 2021 Vulnerability Disclosure Law forces engagement with the overall offensive pipeline," adding "China uses its [Capture the Flag] and regulatory ecosystem to solicit bugs informally from hackers for national security use, [and] its major technology companies are strategic allies in sourcing exploits."
• Dozens of Nations Sign U.N. Cybercrime Treaty — As many as 72 countries have agreed to fight cybercrime, including by sharing data and mutually extraditing suspected criminals, under a new United Nations treaty, despite warnings over privacy and security by Big Tech and rights groups. The United Nations Convention against Cybercrime was adopted by the General Assembly of the United Nations on 24 December 2024. INTERPOL said "the Convention provides an enhanced legal and operational foundation for coordinated global action against cybercrime." In a statement on its website, the Human Rights Watch and other signatories said the treaty "obligates states to establish broad electronic surveillance powers to investigate and cooperate on a wide range of crimes, including those that don't involve information and communication systems" and does so without "adequate human rights safeguards." The U.N. Office on Drugs and Crime (UNODC) has defended the Convention, arguing the need for improved cooperation to tackle transnational crimes and protect children against online child grooming.
• New Caminho Loader Spotted in the Wild — A new Brazilian-origin Loader-as-a-Service (LaaS) operation called Caminho has been observed employing Least Significant Bit (LSB) steganography to conceal .NET payloads within image files hosted on legitimate platforms. "Active since at least March 2025, with a significant operational evolution in June 2025, the campaign has delivered a variety of malware and infostealers such as Remcos RAT, XWorm, and Katz Stealer to victims within multiple industries across South America, Africa, and Eastern Europe," Arctic Wolf said. "Extensive Portuguese-language code throughout all samples supports our high-confidence attribution of this operation to a Brazilian origin." Attack chains distributing the loader involve using spear-phishing emails with archived JavaScript (JS) or Visual Basic Script files using business-themed social engineering lures that, when launched, activate a multi-stage infection. This includes downloading an obfuscated PowerShell payload from Pastebin-style services, which then downloads steganographic images hosted on the Internet Archive (archive[.]org). The PowerShell script also extracts the loader from the image and launches it directly in memory. The loader ultimately retrieves and injects the final malware into the calc.exe address space without writing artifacts to disk. Persistence is established through scheduled tasks that re-execute the infection chain.
• F5 Breach Began in Late 2023 — The recently disclosed security breach at F5 began in late 2023, much earlier than previously thought, per a report from Bloomberg. The hack came to light in August 2025, indicating the hackers managed to stay undetected for nearly two years. "The attackers penetrated F5's computer systems by exploiting software from the company that had been left vulnerable and exposed to the internet," the report said, adding the company's own staff failed to follow the cybersecurity guidelines it provides customers. It's believed that Chinese state-sponsored actors are behind the attack, although a Chinese official has called the accusations "groundless."
• Multiple Flaws in EfficientLab WorkExaminer Professional — Several vulnerabilities (CVE-2025-10639, CVE-2025-10640, and CVE-2025-10641) have been discovered in EfficientLab's WorkExaminer Professional employee monitoring software, including ones that can allow an attacker on the network to take control of the system and collect screenshots or keystrokes. "An attacker can also exploit missing server-side authentication checks to get unauthenticated administrative access to the WorkExaminer Professional server and therefore the server configuration and data," SEC Consult said. "In addition, all data between console, monitoring client, and server is transmitted unencrypted. An attacker with access to the wire can therefore monitor all transmitted sensitive data." The issues remain unpatched.
• U.S. Accuses Former Government Contractor of Selling Secrets to Russia — The U.S. Justice Department has unveiled charges against Peter Williams, a former executive of Trenchant, the cyber unit of defense contractor L3Harris, for allegedly stealing trade secrets and selling them to a buyer in Russia for $1.3 million. The court documents allege Williams allegedly stole seven trade secrets from two companies between April 2022 and in or about June 2025, and an additional eighth trade secret between June and August 6, 2025. The names of the companies were not disclosed, nor was any information provided regarding the identity of the buyer. Prosecutors are also seeking to forfeit Williams' property in Washington, D.C., as well as multiple luxury watches, handbags, and jewelry derived from proceeds traceable to the offense. The charges come as Trenchant is in the midst of investigating a leak of its hacking tools, TechCrunch reported.
• How Threat Actors are Abusing Azure Blob Storage — Microsoft has detailed the various ways threat actors are leveraging Azure Blob Storage, its object data service, at various stages of the attack cycle, owing to its critical role in storing and managing massive amounts of unstructured data. "Threat actors are actively seeking opportunities to compromise environments that host downloadable media or maintain large-scale data repositories, leveraging the flexibility and scale of Blob Storage to target a broad spectrum of organizations," the company said.
• Vault Viper Shares Links to SE Asian Scam Operations — A custom web browser under the name Universe Browser is being distributed by a "white label" iGaming (aka online gambling) software supplier that has ties to a cluster of cyber-enabled gambling and fraud platforms operated by criminal syndicates based in Cambodia, according to a report from Infoblox. The browser, available for Android, iOS, and Windows, is advertised as "privacy-friendly" and offers the ability to bypass censorship in countries where online gambling is prohibited. In reality, the browser "routes all connections through servers in China and covertly installs several programs that run silently in the background." While there is no evidence that the program has been used for malicious purposes, it bears all the hallmarks typically associated with a remote access trojan, including keylogging, extracting the user's current location, launching surreptitious connections, and modifying device network configurations. "Universe Browser has been modified to remove many functionalities that allow users to interact with the pages they visit or inspect what the browser is doing," the company added. "The right-click settings access and developer tools, for instance, have all been removed, while the browser itself is run with several flags disabling major security features, including sandboxing, and the support of insecure SSL protocols." The threat actor behind the operation is Baoying Group (寶盈集團) and BBIN, which have been given the moniker Vault Viper. Some aspects of the Universe Browser were previously documented by the UNODC. "While technical analysis is ongoing, preliminary examination reveals that U Browser not only enables involuntary, systematic screenshots to be taken on the infected device but also contains other hidden functionality allowing the software to capture keystrokes and clipboard contents – features consistent with malware evoking remote access trojans and various cryptocurrency and infostealers," UNODC noted. Baoying Group has maintained a large operational base in the Philippines since 2006, Infoblox said, but conceals the full extent of its activities through an "intricate web of companies and shell structures registered in dozens of countries in Asia, Europe, Latin America, and the Pacific Islands." The investigation has led to the discovery of no less than 1,000 unique name servers hosting thousands of active websites dedicated to illegal online gambling, including several known to be operated by criminal groups engaged in large-scale cyber-enabled fraud, money laundering, and other crimes.

🎥 Cybersecurity Webinars

• Learn How to Secure AI Agents Without Slowing Innovation — Accelerate AI adoption without sacrificing control. Govern AI identities, stop privilege abuse, and make security a business enabler.
• Discover How Leading Companies Harness AI for Smarter GRC — See how enterprises use AI to streamline compliance, reduce manual effort, and stay ahead of regulatory demands.
• Stop Drowning in Vulnerability Lists: Discover Dynamic Attack Surface Reduction — Static defenses overwhelm teams with vuln lists. Learn how automation and context-driven reduction close real risks faster.

🔧 Cybersecurity Tools

• FlareProx — It is a lightweight tool that uses Cloudflare Workers to spin up HTTP proxy endpoints in seconds. It lets you route traffic to any URL while masking your IP through Cloudflare's global network. Ideal for developers and security teams who need quick IP rotation, API testing, or simple redirection without servers. Supports all HTTP methods and includes a free tier with 100k requests per day.
• Rayhunter — Rayhunter is an open-source tool from the EFF that detects fake cell towers (IMSI catchers or Stingrays) used for phone surveillance. It runs on a cheap Orbic mobile hotspot, monitors cell network traffic, and alerts users when suspicious activity is found—like forced 2G downgrades or unusual ID requests. Simple to install and use, Rayhunter helps journalists, activists, and researchers spot cellular spying in real time.

Disclaimer: These tools are for educational and research use only. They haven't been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

🔒 Tip of the Week

Validate Dependencies at the Source — Not Just the Package — Developers tend to trust package managers more than they should — and attackers count on it. Every major ecosystem, from npm to PyPI, has been hit by supply-chain attacks using fake packages or hijacked maintainer accounts to slip in hidden malware. Installing from a public registry doesn't mean you're getting the same code that's on GitHub — it just means you're downloading what someone uploaded.

Real security starts at the source. Use Sigstore Cosign to verify signed images and artifacts, and osv-scanner to check dependencies against vulnerability data from OSV.dev. For npm, add lockfile-lint to restrict downloads to trusted registries and enable audit signatures. Always pin exact versions and include checksum validation for anything fetched remotely.

Whenever possible, host verified dependencies in your own mirror — tools like Verdaccio, Artifactory, or Nexus keep builds from pulling directly from the internet. Integrate these checks into CI/CD so pipelines automatically scan dependencies, verify signatures, and fail if trust breaks.

Bottom line: don't trust what you can install — trust what you can verify. In today's supply chain, the real risk isn't your code — it's everything your code depends on. Build a clear chain of trust, and you turn that weak link into your strongest defense.

Conclusion

The stories change every week, but the message stays the same: cybersecurity isn't a one-time task — it's a habit. Keep your systems updated, question what feels too familiar, and remember: in today's digital world, trust is something you prove, not assume.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

________________________________________________________________________________________________________________________________
Original Article Published at The Hackers News
________________________________________________________________________________________________________________________________