#LazarusGroup

2026-02-14

Morning, cyber pros! ☕ It's been a slightly quieter 24 hours, but we've still got some critical updates to chew on, from a dominant threat actor exploiting Ivanti RCEs to North Korean fake recruiters and a low-tech crypto phishing scam. Let's dive in:

Ivanti RCE Exploitation Dominance ⚠️
- A single threat actor, using bulletproof infrastructure from IP 193.24.123.42, is behind 83% of recent active exploitation attempts targeting two critical Ivanti EPMM RCE vulnerabilities (CVE-2026-21962 and CVE-2026-24061).
- This IP address is not widely published in IOC lists, meaning many defenders might be missing the primary source of these automated attacks, which also target Oracle WebLogic and GNU Inetutils Telnetd.
- Ivanti has released hotfixes and recommends using specific RPM packages or, for the most conservative approach, rebuilding EPMM instances and migrating data until full patches are available in Q1.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Lazarus Group's Fake Job Scams 🕵️
- North Korean threat actors, likely the Lazarus Group, are targeting JavaScript and Python developers with fake job offers that include malicious coding challenges.
- These challenges trick developers into installing compromised packages from npm and PyPI (dubbed 'Graphalgo'), which then deploy a sophisticated Remote Access Trojan (RAT) capable of exfiltrating files and checking for MetaMask installations.
- Developers who may have installed packages like 'bigmathutils' or those with 'graph' or 'big' in their name from suspicious sources should immediately rotate all credentials, tokens, and consider a full OS reinstall.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Crypto Wallet Phishing via Snail Mail ✉️
- Threat actors are employing a rare physical phishing tactic, sending fake letters impersonating Trezor and Ledger to trick hardware wallet users into revealing their recovery phrases.
- The letters create urgency, claiming mandatory "Authentication Checks" or "Transaction Checks" and directing users to scan QR codes that lead to sophisticated phishing websites designed to steal 12-, 20-, or 24-word seed phrases.
- Remember: reputable hardware wallet manufacturers will NEVER ask you to enter your recovery phrase on a website or computer; it should only be entered directly on the device itself during restoration.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

#CyberSecurity #ThreatIntelligence #Vulnerability #RCE #Ivanti #LazarusGroup #APT #Malware #RAT #Phishing #SocialEngineering #CryptoSecurity #InfoSec #IncidentResponse
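An added example, not from the digest or from Ivanti: a small Python triage script that parses web-server access logs in the common "combined" format and flags requests from the address named in the Ivanti item above, then summarises count, first/last seen and the paths each matching source requested. The log lines, paths and user agents are constructed for the demo; the IOC list accepts bare addresses or CIDR blocks so further infrastructure can be appended as it is published.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Combined-log-format line: client IP, identd, user, [timestamp], "METHOD PATH PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The address reported in the digest above. Further entries (bare IPs or CIDRs) can be appended.
IOC_ENTRIES = ["193.24.123.42"]

# Constructed sample log for the demo; paths and user agents are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2026:08:01:12 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
193.24.123.42 - - [14/Feb/2026:08:02:45 +0000] "POST /api/v1/session HTTP/1.1" 500 312 "-" "python-requests/2.31"
198.51.100.9 - - [14/Feb/2026:08:03:01 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0"
193.24.123.42 - - [14/Feb/2026:08:03:19 +0000] "GET /admin/ HTTP/1.1" 403 120 "-" "python-requests/2.31"
this line is not in combined log format and is skipped
"""


def load_iocs(entries):
    """Turn a mix of bare IPs and CIDR strings into network objects (a bare IP becomes a /32)."""
    return [ip_network(e, strict=False) for e in entries]


def is_ioc(ip_str, networks):
    """True if the address falls inside any IOC network; strings that are not IPs never match."""
    try:
        addr = ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_ioc_hits(log_text, networks):
    """Return the parsed records whose client IP matches an IOC, tagged with the 1-based line number."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is not None and is_ioc(rec["ip"], networks):
            rec["lineno"] = lineno
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-IP request count, first/last seen and the distinct paths requested."""
    out = {}
    for h in hits:
        s = out.setdefault(h["ip"], {"count": 0, "first_seen": h["ts"], "last_seen": h["ts"], "paths": set()})
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], h["ts"])
        s["last_seen"] = max(s["last_seen"], h["ts"])
        s["paths"].add(h["path"])
    for s in out.values():
        s["paths"] = sorted(s["paths"])
    return out


if __name__ == "__main__":
    for ip, s in summarize(find_ioc_hits(SAMPLE_LOG, load_iocs(IOC_ENTRIES))).items():
        print(f"{ip}: {s['count']} requests, {s['first_seen']} .. {s['last_seen']}, paths={s['paths']}")
```

Run it against the real access logs of the reverse proxy or appliance that fronts EPMM; a hit only tells you the source touched the host, so the matching lines still need to be read for what was requested and what status came back.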

2026-02-14

The “Graphalgo” campaign represents a modular software supply-chain intrusion targeting developers directly.

Per ReversingLabs findings:
• 192 malicious npm/PyPI packages
• Delayed payload activation (post-version change)
• GitHub repos clean — malicious logic introduced via dependency chain
• RAT variants in JS, Python, VBS
• MetaMask wallet targeting
• Token-protected C2 channels
• GMT+9 commit indicators

Attribution aligns with historical tradecraft associated with Lazarus Group:
• Crypto-focused targeting
• Recruitment vector infection
• Patience-based staged activation

This is a direct developer-layer attack bypassing enterprise perimeter defenses.

Source: bleepingcomputer.com/news/secu

Are dependency registries the new primary attack surface?
Engage below.

Follow @technadu for advanced threat analysis.

#ThreatIntel #SupplyChainSecurity #MalwareAnalysis #RAT #OpenSourceSecurity #DevSecOps #LazarusGroup #PackageSecurity #AppSec #BlueTeam #CyberThreats #IoC #Infosec
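An added example, not from either post above nor from ReversingLabs' tooling, covering the triage step the first digest recommends (look for installed packages named 'bigmathutils' or containing 'graph' or 'big') and the install-time activation the second post describes. It reads the JSON output of `pip list --format=json` and `npm ls --all --json`, flags package names, and separately reports npm lifecycle scripts that run during installation, since that is where a trojanized package usually executes. The tool output and the npm package names below are constructed for the demo; only 'bigmathutils' comes from the digest.

```python
import json
from typing import Optional

# Package name called out in the digest above.
KNOWN_BAD = {"bigmathutils"}
# Substrings the digest says to look for. Substring matches are noisy (plenty of
# legitimate packages contain "graph"), so they are reported for triage, not as compromise.
SUSPECT_SUBSTRINGS = ("graph", "big")
# npm lifecycle scripts that run at install time (documented npm hooks).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample tool output for the demo; the npm package names are made up.
PIP_LIST_JSON = json.dumps([
    {"name": "requests", "version": "2.32.3"},
    {"name": "bigmathutils", "version": "0.1.4"},
    {"name": "numpy", "version": "2.1.0"},
])
NPM_LS_JSON = json.dumps({
    "name": "app",
    "dependencies": {
        "express": {"version": "4.19.2"},
        "graph-layout-utils": {
            "version": "1.0.2",
            "dependencies": {"biginteger-fast": {"version": "0.3.0"}},
        },
    },
})
# Constructed package.json of one installed dependency, with a postinstall hook.
SAMPLE_PACKAGE_JSON = {
    "name": "graph-layout-utils",
    "version": "1.0.2",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
}


def names_from_pip_list(pip_json: str) -> set:
    """Package names from `pip list --format=json` (a list of {name, version} objects)."""
    return {entry["name"].lower() for entry in json.loads(pip_json)}


def names_from_npm_ls(npm_json: str) -> set:
    """Package names from `npm ls --all --json`, walking the nested dependency tree."""
    found = set()

    def walk(node):
        for name, child in node.get("dependencies", {}).items():
            found.add(name.lower())
            walk(child)

    walk(json.loads(npm_json))
    return found


def classify(name: str) -> Optional[str]:
    """'known-bad' for names from the report, 'name-pattern' for substring hits, None otherwise."""
    if name in KNOWN_BAD:
        return "known-bad"
    if any(s in name for s in SUSPECT_SUBSTRINGS):
        return "name-pattern"
    return None


def audit_names(names) -> list:
    """Sorted list of {package, reason} for every name that classify() flags."""
    return [{"package": n, "reason": classify(n)} for n in sorted(names) if classify(n)]


def install_hooks(package_json: dict) -> list:
    """Lifecycle scripts in a dependency's own package.json that run at install time."""
    scripts = package_json.get("scripts", {})
    return [hook for hook in INSTALL_HOOKS if hook in scripts]


if __name__ == "__main__":
    print("pip:", audit_names(names_from_pip_list(PIP_LIST_JSON)))
    print("npm:", audit_names(names_from_npm_ls(NPM_LS_JSON)))
    print("install hooks in", SAMPLE_PACKAGE_JSON["name"], "->", install_hooks(SAMPLE_PACKAGE_JSON))
```

A 'name-pattern' hit is a prompt to check where the package came from and what its install scripts do, not proof of infection; a 'known-bad' hit on a developer machine is the case where the digest's advice (rotate every credential and token, consider reinstalling the OS) applies.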

Fake job recruiters hide malware in developer coding challenges
CyberNetsecIO (netsecio)
2026-01-23

📰 North Korean Hackers Lure Developers with Fake Job Interviews, Backdoor macOS via VS Code

North Korean hackers' 'Contagious Interview' campaign targets macOS developers using malicious VS Code projects on GitHub. Fake job offers lead to backdoors via trusted IDE features. 👨‍💻⚠️

🔗 cyber.netsecops.io/articles/no

2025-12-01

Alright cyber pros, it's been a pretty packed 24 hours! We've got major data breaches impacting millions, new insights into nation-state tactics, a huge takedown of a crypto mixer, and a stark warning about the security implications of agentic AI browsers. Let's dive in:

Major Data Breaches Unfold ⚠️
- South Korean e-commerce giant Coupang, often dubbed the "Amazon of Korea," confirmed a data breach impacting 33.7 million customers, over half the country's population. Exposed data includes names, emails, phone numbers, addresses, and order history, with local reports suggesting a former Chinese employee used unrevoked access tokens.
- The French Football Federation (FFF) also reported a breach of its member management software via a compromised account, exposing personal details like names, gender, DOB, nationality, and contact info for an undisclosed number of its 2.2 million members.
- The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, pushing a malicious update that included a hidden library for device fingerprinting and remote configuration. Users are urged to revert to older, safe builds and reset Google account passwords.

🗞️ The Record | therecord.media/coupang-south-
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Nation-State Actors Evolve Tactics 🕵🏼
- North Korea's Lazarus Group is accused by South Korean officials of stealing $30 million from the Upbit cryptocurrency exchange, using tactics similar to a 2019 attack. The group allegedly impersonated administrators to transfer funds, prompting Upbit to suspend services and move assets to cold storage.
- The Tomiris APT, linked to Kazakhstan-based Storm-0473, is increasingly leveraging public services like Telegram and Discord for command-and-control (C2) in attacks targeting government entities and foreign ministries across Central Asia and Russia. This shift aims to blend malicious traffic with legitimate activity, making detection harder.
- Leaked documents, analysed by Iranian opposition activist Nariman Gharib, allegedly link Iran's "Charming Kitten" (APT35) to assassination operations, suggesting compromised airline, hotel, and medical databases are used to locate regime enemies.

🗞️ The Record | therecord.media/officials-accu
📰 The Hacker News | thehackernews.com/2025/12/tomi
🕵🏼 The Register | go.theregister.com/feed/www.th

Malicious Browser Extensions Run Rampant 🛡️
- A seven-year-long "ShadyPanda" campaign infected over 4.3 million Chrome and Edge users through 145 seemingly legitimate browser extensions that later pushed malware-laden updates. These extensions evolved from affiliate fraud and search hijacking to deploying remote code execution (RCE) backdoors and spyware.
- The RCE backdoor checks for new instructions hourly, executing arbitrary JavaScript with full browser API access, while spyware components exfiltrate extensive user data including browsing history, keystrokes, and sensitive identifiers to Chinese servers.
- Despite Google removing some, several extensions with millions of installs remain active on the Microsoft Edge Add-ons platform, highlighting a critical gap in ongoing marketplace security reviews post-approval.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

AI Browsers: A New Security Nightmare 🧠
- The emergence of "agentic" AI browsers, like OpenAI's ChatGPT Atlas, is transforming browsers from passive tools into autonomous AI agents that can perform actions on behalf of users.
- These agents require maximum privileges, including access to session cookies, credentials, and payment details, creating an unprecedented attack surface and bypassing traditional "human-in-the-loop" safeguards and MFA.
- Prompt injection is a significant risk, where hidden text can command the AI to exfiltrate data, and traditional security tools often miss these threats due to a "session gap" where actions occur locally within the browser.

📰 The Hacker News | thehackernews.com/2025/12/webi

Data Privacy Under Scrutiny 🔒
- Switzerland's data protection officers (Privatim) have advised public bodies to avoid hyperscale clouds and SaaS, specifically Microsoft 365, for sensitive data due to a lack of true end-to-end encryption, exposure to the US CLOUD Act, and providers' ability to unilaterally change terms.
- Exercise-tracking app Strava is updating its terms of service to require users to accept all risks associated with geolocation features, following past incidents where user data revealed sensitive locations like military bases.
- Edtech provider Illuminate Education settled with the FTC over a 2021 data breach affecting 10.1 million students, with allegations of poor security practices, deceptive claims, and delayed breach notifications (up to two years for some).

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/illuminate-edu

Regulatory Actions and Government Directives 📜
- Singapore's Ministry of Home Affairs has issued directives to Google and Apple, requiring them to prevent fake government messages and spoofed sender names on iMessage and Google Messages, with significant fines for non-compliance.
- Russia's Roskomnadzor has imposed "restrictive measures" on WhatsApp, citing violations of Russian law and its alleged use for terrorism, crime, and espionage, urging users to switch to domestic alternatives and threatening a full block.
- The Israel Defense Forces (IDF) is reportedly banning Android smartphones for top brass, standardising on iOS devices to reduce exposure to surveillance via social media apps.

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/russia-whatsap
🕵🏼 The Register | go.theregister.com/feed/www.th

Law Enforcement Strikes Back 🚨
- A major cryptocurrency mixing service, Cryptomixer, was taken down by Swiss and German law enforcement in "Operation Olympia," seizing three servers, its domain, and €24-29 million in Bitcoin. The service allegedly laundered over €1.3 billion for cybercriminals since 2016.
- South Korean police arrested four individuals for compromising over 120,000 IP cameras, with some suspects creating and selling sexually exploitative videos from intimate locations by exploiting weak passwords.
- In Australia, a man was jailed for over seven years for using "evil twin" Wi-Fi traps at airports and on flights to steal credentials and intimate material, while in the UK, a man received a 6.5-year sentence for operating a dark web drug empire.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/cryptomixer-se
🤫 CyberScoop | cyberscoop.com/cryptomixer-tak
🕵🏼 The Register | go.theregister.com/feed/www.th

Developer Secrets Exposed 🔑
- A security engineer scanned 5.6 million public GitLab repositories and discovered 17,000 verified live secrets, including over 5,000 Google Cloud credentials, 2,000+ MongoDB credentials, and numerous OpenAI, AWS, and Telegram bot tokens.
- The scan, costing about $770 and completed in 24 hours, found GitLab had a 35% higher density of leaked secrets per repository compared to Bitbucket, highlighting a pervasive issue of exposed credentials in public code.

🕵🏼 The Register | go.theregister.com/feed/www.th

Teen Cybercrime: Just a Phase? 📊
- A Dutch government report suggests that most adolescent cybercriminals tend to desist from offending by the age of 20, similar to other types of youth crime.
- The study indicates that only about four percent of those who start a "black hat" career maintain it into adulthood, often driven by technological curiosity and skill-building rather than financial gain.
- The report highlights the challenge of quantifying the specific social cost of cybercrime due to a lack of longitudinal data and its rapidly evolving nature, though overall adolescent crime costs the Netherlands €10.3 billion annually.

🕵🏼 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #DataBreach #APT #LazarusGroup #Tomiris #ShadyPanda #Malware #BrowserExtensions #RCE #AI #AgenticAI #DataPrivacy #RegulatoryCompliance #LawEnforcement #CryptoMixer #Cybercrime #InfoSec #IncidentResponse
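An added example, not from the digest or from the researcher's own scanner, showing the kind of check behind the "Developer Secrets Exposed" item: a Python scanner that runs documented token shapes (AWS access key IDs, Google API keys, Telegram bot tokens, MongoDB connection strings; the OpenAI shape is an approximation and an assumption on my part) over file contents, drops low-entropy placeholders, and reports line numbers with redacted previews. The config fragment it scans is constructed; the AWS value is the example key from AWS's own documentation and the rest are made up. It finds candidates only; confirming that a candidate is live means calling the provider, which this block deliberately does not do.

```python
import math
import re

# Candidate token shapes. AWS, Google, Telegram and MongoDB follow the providers'
# documented formats; the OpenAI shape is an approximation (assumption).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}"),
    "openai_api_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}"),
    "mongodb_uri": re.compile(r"mongodb(?:\+srv)?://[^\s'\"]+:[^\s'\"]+@[^\s'\"]+"),
}
# Matches below this Shannon entropy (bits per character) are treated as placeholders.
MIN_ENTROPY = 3.0

# Constructed config fragment for the demo; every value below is made up or a vendor doc example.
SAMPLE = """\
# constructed config fragment for the demo; every value below is made up
AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
PLACEHOLDER_KEY="AKIAXXXXXXXXXXXXXXXX"
GOOGLE_API_KEY=AIza0123456789abcdefghijklmnopqrstuvwxy
TELEGRAM_TOKEN=123456789:AAHabcdefghijklmnopqrstuvwxyz012345
OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL
MONGO_URL=mongodb+srv://appuser:S3cretPass@cluster0.example.mongodb.net/prod
"""


def shannon_entropy(s):
    """Bits per character; repeated filler such as XXXXXXXX scores low, real key material scores high."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep enough to locate the secret in the file, never the whole value."""
    return value[:6] + "..." + value[-2:]


def scan_text(text):
    """Return {kind, line, preview} for every high-entropy pattern match, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0)
                if shannon_entropy(value) < MIN_ENTROPY:
                    continue  # template placeholder, e.g. AKIAXXXXXXXXXXXXXXXX
                findings.append({"kind": kind, "line": lineno, "preview": redact(value)})
    return findings


def summarize(findings):
    """Count of findings per secret kind."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['preview']}")
    print(summarize(scan_text(SAMPLE)))
```

The entropy gate is a heuristic: it removes obvious placeholders from templates and READMEs, but it is not a substitute for verifying each candidate against the provider and rotating anything that turns out to be live.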

⚯ Michel de Cryptadamus ⚯ (cryptadamist@universeodon.com)
2025-11-03

One of the largest crypto #defi protocols, #Balancer, is currently being robbed: $88 million stolen and counting. It will probably turn out to be #NorthKorea (because it's almost always North Korea), but TBD.

One of the fun things about crypto is that when someone robs a bank you can watch the getaway car drive away just by clicking on some links in a blockchain explorer.

[edit] Details of the bug that was exploited, if you're into that kind of thing: x.com/moo9000/status/198526273

[edit] It ended up being a ~$130 million heist.

#DPRK #hack #hacking #infosec #threatintel #cybersecurity #cryptocurrency #crypto #ethereum #LazarusGroup

UPDATE: The attack is ongoing. The estimated loss is ~$88M on multiple chains.

Quoted post from PeckShieldAlert (@PeckShieldAlert, 38m earlier):
#PeckShieldAlert @balancer has been drained ~$70.8M worth of cryptos, including 6,851.12 $osETH (~$27M), 6,587.44 $WETH (~$24.5M) & 4,259.84 $wstETH (~$19.3M)
2025-10-24

Alright team, it's been a pretty active 24 hours! We've got a mix of ongoing breaches, some serious nation-state activity, critical vulnerabilities under active exploitation, and a look at how we need to adapt our defensive strategies. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- Toys R Us Canada confirmed a data breach where customer names, addresses, phone numbers, and emails were stolen and dumped online. While no passwords or credit card details were involved, this PII is ripe for follow-up phishing or identity fraud.
- Russia's food safety agency, Rosselkhoznadzor, was hit by a DDoS attack that severely disrupted food shipments across the country by taking down critical electronic certification systems. This highlights the real-world impact of attacks on essential services.
- Amazon's recent 14-hour AWS outage in the US-EAST-1 region was caused by a latent race condition in DynamoDB's DNS management system, which accidentally deleted IP addresses for the service's regional endpoint, causing cascading failures.
- LastPass users are being targeted by the CryptoChameleon phishing group (UNC5356) using fake death claims to trick individuals into initiating the inheritance process and entering their master passwords or passkeys on fraudulent sites.
- A former general manager of US defence contractor L3Harris's cyber arm, Peter Williams, has been charged with selling seven trade secrets, potentially including offensive cyber capabilities, to a Russian buyer for $1.3 million, underscoring the persistent insider threat.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/russia-food-sa
🤖 Bleeping Computer | bleepingcomputer.com/news/tech
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

Vulnerabilities Under Active Exploitation & Zero-Days 🛡️

- Microsoft has released emergency out-of-band patches for a critical Windows Server Update Service (WSUS) RCE flaw (CVE-2025-59287) that is now under active exploitation. This vulnerability allows unauthenticated attackers to execute code with SYSTEM privileges and is potentially wormable. Patch immediately if you have the WSUS Server Role enabled.
- Pwn2Own Ireland 2025 saw security researchers exploit 73 zero-day vulnerabilities across various devices, including smartphones, NAS, and smart home tech, earning over $1 million. This highlights the ongoing discovery of critical flaws before they hit the wild.
- HP pulled a faulty OneAgent software update (v1.2.50.9581) for Windows 11 AI PCs that mistakenly deleted Microsoft Entra ID "MS-Organization-Access" certificates, disconnecting devices from cloud environments. Affected devices require a manual recovery process.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🚨 The Hacker News | thehackernews.com/2025/10/micr
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/micr

New Threat Research on Threat Actors, Malware, and Tradecraft 🕵🏼

- North Korea's Lazarus Group (Operation DreamJob) is actively targeting European companies involved in drone development and military equipment manufacturing. They use fake job offers with trojanized PDFs to deploy the ScoringMathTea RAT, aiming to steal UAV manufacturing know-how.
- Iran's MuddyWater (APT34) has breached over 100 government entities, embassies, ministries, and telecom providers across the Middle East and North Africa. The campaign uses compromised enterprise mailboxes and NordVPN to send phishing emails with weaponised Word attachments that deploy the "Phoenix" backdoor.
- Check Point uncovered a "YouTube Ghost Network" that has published over 3,000 malicious videos since 2021, using hacked accounts to distribute infostealer malware (Lumma, Rhadamanthys, StealC, RedLine, Phemedrone) disguised as pirated software and game cheats.
- The "Smishing Triad," a China-linked group, is behind a massive global smishing campaign involving over 194,000 malicious domains since January 2024. They impersonate various services (USPS, toll services, banks) to steal credentials, with some attacks targeting brokerage accounts for "ramp and dump" stock manipulation.
- A researcher demonstrated an "indirect prompt injection" attack on Microsoft 365 Copilot, using Mermaid diagrams to trick the AI into exfiltrating sensitive tenant data like emails. Microsoft has patched the vulnerability, though it was deemed out-of-scope for a bug bounty.

🤫 CyberScoop | cyberscoop.com/north-korea-laz
🗞️ The Record | therecord.media/north-korea-ha
🕵🏼 The Register | go.theregister.com/feed/www.th
🚨 The Hacker News | thehackernews.com/2025/10/3000
🚨 The Hacker News | thehackernews.com/2025/10/smis
🕵🏼 The Register | go.theregister.com/feed/www.th

Threat Landscape Commentary 🌍

- An op-ed highlights that nation-state actors like Salt Typhoon are shifting attacks to network perimeters, exploiting old, unpatched, or end-of-life devices (routers, VPNs, firewalls) as endpoints become harder targets. It stresses the need for proactive cyber resilience, rigorous asset management, and assuming breach.
- US National Cyber Director Sean Cairncross emphasised the need for the US to counter China's "surveillance state export" and promote a "clean American tech stack" globally. He criticised China's cyber behaviour, particularly targeting critical infrastructure, and called for strategic stability in the cyber domain.

🤫 CyberScoop | cyberscoop.com/proactive-cyber
🤫 CyberScoop | cyberscoop.com/national-cyber-

Data Privacy 🔒

- Mozilla will require Firefox extension developers to disclose their data collection and sharing practices in the manifest.json file, starting November 3, 2025, for new extensions and by H1 2026 for all. This aims to provide users with clear transparency and control over their data.

🤖 Bleeping Computer | bleepingcomputer.com/news/soft

Regulatory Issues or Changes ⚖️

- The International Counter Ransomware Initiative (CRI), now with 61 member countries, has issued new guidance stressing the importance of improving software supply chain resilience against ransomware. This follows significant supply chain attacks and aims to promote better cyber hygiene and risk assessment practices.

🗞️ The Record | therecord.media/counter-ransom

#CyberSecurity #ThreatIntelligence #IncidentResponse #Vulnerabilities #ZeroDay #RCE #APT #NationState #Phishing #Malware #DataBreach #SupplyChainSecurity #DataPrivacy #AWS #WSUS #LastPass #LazarusGroup #MuddyWater #Smishing

2025-10-24

Lazarus Group targets Europe’s UAV defense sector using fake job offers in Operation DreamJob.
🎯 Main payload: ScoringMathTea RAT
🎯 Goal: Drone tech & design theft via espionage.
technadu.com/lazarus-group-tar

#CyberSecurity #LazarusGroup #APT #OperationDreamJob #DroneSecurity

Lazarus Group Targets UAV Sector in Cyberespionage Operation DreamJob Focusing on Drones
2025-10-23

North Korea’s Lazarus Group is playing a dangerous game—posing as recruiters to breach European defense firms. How far will fake job offers push their cyber espionage mission?

thedefendopsdiaries.com/north-

#lazarusgroup
#operationdreamjob
#cyberespionage
#defensesecurity
#uavtechnology

2025-09-21

It's been a bit quiet over the last 24 hours, but we've still got a couple of critical updates to cover, including a significant vulnerability in Microsoft Entra ID and evolving tactics from DPRK threat actors. Let's dive in:

Global Admin Access in Microsoft Entra ID ⚠️

- A critical vulnerability (CVE-2025-55241) in Microsoft Entra ID (formerly Azure AD) could have allowed an attacker to gain Global Administrator privileges in *any* company's tenant.
- The flaw stemmed from a combination of undocumented, unsigned "actor tokens" and a vulnerability in the deprecated Azure AD Graph API, enabling impersonation and bypassing Conditional Access policies.
- Crucially, exploitation left virtually no trace in the victim tenant's logs, making detection extremely difficult. Microsoft has since patched the issue and is working to remove the underlying legacy components.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

DPRK Hackers Evolve Tactics with ClickFix and AI 📰

- North Korean threat actors, a subset of the Lazarus Group, are refining their "Contagious Interview" campaigns, now using "ClickFix" social engineering to deliver BeaverTail info-stealer and InvisibleFerret backdoor.
- A notable shift in targeting sees them focusing on marketing and trader roles in cryptocurrency and retail sectors, moving beyond their traditional software developer targets, and delivering malware as compiled binaries for multiple OS.
- These groups are actively monitoring cyber threat intelligence platforms to improve their operational resilience, with other DPRK groups like Kimsuky also leveraging GitHub for C2 and even ChatGPT to forge deepfake military IDs for spear-phishing.

📰 The Hacker News | thehackernews.com/2025/09/dprk

#CyberSecurity #Vulnerability #Microsoft #EntraID #AzureAD #ThreatIntelligence #DPRK #NorthKorea #LazarusGroup #Malware #BeaverTail #InvisibleFerret #SocialEngineering #ClickFix #APT #InfoSec #CyberAttack

2025-09-08

✨ Beware of Fake Interviews!
📝 The Lazarus Group, famous for its cyber tactics, is using fake job interviews to spread malware. Find out how this deceptive strategy works and how you can protect yourself from cyber attacks. Don't fall into this trap! Click to learn more and stay safe!

inkdesign.com.br/lazarus-group

Anonymous 🐈️🐾☕🍵🏴🇵🇸 (youranonriots@kolektiva.social)
2025-09-03

North Korea’s #LazarusGroup just pulled off a bold new hack.

They posed as coworkers on Telegram, set up fake Calendly sites—and cycled through three custom RATs to compromise a DeFi employee’s system.

The scariest part? One tool may have exploited a Chrome zero-day.
#northkorea #ZeroDayAttacks
thehackernews.com/2025/09/laza

2025-09-02

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got a flurry of supply chain breaches, some critical zero-days, new nation-state malware, and a few reminders about basic security hygiene. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

- Luxury car manufacturer JLR has confirmed a cyber incident "severely disrupted" its global IT systems, impacting both production and retail operations.
- The company proactively shut down systems to mitigate impact, with no evidence of customer data theft reported yet, but significant operational downtime.
- This follows a trend of UK companies facing cyber incidents, highlighting the need for robust incident response and resilience planning.

🗞️ The Record | therecord.media/jaguar-land-ro
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Pennsylvania AG Office Ransomware Attack 🏛️

- The Office of the Pennsylvania Attorney General confirmed a ransomware attack caused a two-week service outage, with the office refusing to pay the ransom.
- While systems are being restored, the incident led to court extensions for cases, though criminal prosecutions are not expected to be impacted.
- This marks the third ransomware attack on a Pennsylvania state entity, underscoring the persistent threat to government services and the importance of robust backups and recovery plans.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/pennsylvania-a

Salesloft Drift Supply Chain Attacks Continue 🔗

- Palo Alto Networks, Zscaler, and Cloudflare are the latest victims in the ongoing Salesloft Drift supply chain attacks, where stolen OAuth tokens from Drift's Salesforce integration led to data exfiltration.
- Attackers gained access to Salesforce instances, primarily exfiltrating customer business contact information, company attributes, and basic support case details, with Cloudflare specifically warning about potential exposure of API tokens and sensitive info shared in support tickets.
- Organisations using Drift integrations should immediately revoke and rotate all associated OAuth tokens and API keys, and meticulously audit Salesforce login histories and API access logs from early August for suspicious activity.

🕵🏼 The Register | go.theregister.com/feed/www.th
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

Europe Blames Russia for GPS Jamming 🛰️

- A plane carrying European Commission president Ursula von der Leyen was forced to use manual navigation after GPS jamming, which Bulgarian authorities and the EC attribute to Russia.
- This incident highlights a growing trend of GPS interference, particularly on Europe's Eastern flank, impacting air, maritime, and transport economies.
- The EU is working on an action plan to mitigate future attacks, including increasing low Earth orbit satellites and enhancing interference detection, but these are long-term solutions.

🕵🏼 The Register | go.theregister.com/feed/www.th

New Threat Research 🔬

Lazarus Group Expands Malware Arsenal 🇰🇵

- North Korea's Lazarus Group is deploying three new cross-platform RATs – PondRAT, ThemeForestRAT, and RemotePE – in social engineering campaigns targeting the DeFi sector.
- The attack chain involves impersonating employees, using fake meeting sites, and deploying a loader (PerfhLoader) for initial access, potentially leveraging a Chrome zero-day.
- PondRAT is a basic RAT for file operations and shellcode, ThemeForestRAT offers more functionality and stealth, while RemotePE is a sophisticated RAT reserved for high-value targets, showcasing the group's evolving tradecraft.

📰 The Hacker News | thehackernews.com/2025/09/laza

Ukrainian Network FDN3 Launches Brute-Force Campaigns 🇺🇦

- A Ukrainian IP network, FDN3 (AS211736), along with associated networks (VAIZ-AS, ERISHENNYA-ASN, TK-NET), has been flagged for massive brute-force and password spraying attacks on SSL VPN and RDP devices.
- These networks frequently exchange IPv4 prefixes to evade blocklisting and are linked to bulletproof hosting services, including those associated with Ecatel's owners and Russian company Alex Host LLC.
- The activity, peaking in July 2025, highlights the use of such infrastructure by RaaS groups for initial access, urging defenders to secure RDP and SSL VPN endpoints against common credential attacks.

📰 The Hacker News | thehackernews.com/2025/09/ukra

Vulnerabilities & Exploitation 🛡️

WhatsApp & Apple Zero-Day Under Attack 📱

- WhatsApp and Apple have patched a zero-day vulnerability (CVE-2025-55177 in WhatsApp, CVE-2025-43300 in Apple OS) believed to be used in highly targeted, sophisticated attacks.
- The WhatsApp flaw involved "incomplete authorization of linked device synchronization messages," which could trigger content processing from arbitrary URLs.
- Apple's CVE-2025-43300 was an "out-of-bounds write issue" affecting iOS, iPadOS, and macOS, with both companies confirming active exploitation against specific individuals. Update your devices immediately!

🗞️ The Record | therecord.media/whatsapp-apple

Frostbyte10 Bugs in Copeland Controllers 🧊

- Ten vulnerabilities, dubbed Frostbyte10, have been discovered in Copeland E2 and E3 controllers, used in thousands of refrigeration systems at major grocery chains and cold storage facilities.
- Three critical bugs could allow unauthenticated remote code execution with root privileges, potentially enabling manipulation of temperatures, food spoilage, and supply chain disruption.
- Copeland has issued firmware updates (E3 version 2.31F01) to fix these flaws, and CISA is urging immediate patching, especially for E2 controllers which are end-of-life.

🕵🏼 The Register | go.theregister.com/feed/www.th

Exposed Ollama Servers Pose AI Risk 🤖

- Cisco Talos researchers found over 1,100 Ollama servers, used for running large language models locally, exposed to the public internet, with 20% actively hosting models susceptible to unauthorised access.
- These exposed servers could be exploited for resource exhaustion, denial of service, lateral movement, or even unauthorised model uploads and configuration manipulation.
- The findings highlight a widespread neglect of fundamental security practices in AI system deployments, urging better access control, authentication, and network isolation.

🕵🏼 The Register | go.theregister.com/feed/www.th

Data Privacy 🔒

Disney Fined $10M for Children's Data Collection 👶

- Disney has agreed to pay $10 million to settle FTC allegations that it unlawfully collected personal data from children watching YouTube videos without parental consent.
- The company allegedly failed to label a "significant number" of its YouTube videos as "Made for Kids," allowing targeted advertising based on collected data, violating the COPPA Rule.
- The settlement mandates changes to Disney's video designation practices and pushes YouTube to implement age assurance technologies, reinforcing the importance of child online privacy.

🗞️ The Record | therecord.media/disney-settles

Regulatory & Oversight ⚖️

Commercial Surveillanceware Industry Thrives Amidst Weak Oversight 🕵️‍♀️

- The commercial surveillanceware industry is experiencing significant growth and rising prices, with vendors charging millions for hacking services, despite government protestations and sanctions.
- Governments and companies are widely abusing these tools, targeting activists, journalists, and political figures, and there's evidence of surveillanceware techniques bleeding into criminal malware.
- The lack of effective political and regulatory safeguards, coupled with vendors' adeptness at covering tracks through corporate renamings and shell firms, leaves targets more exposed than ever.

🕵🏼 The Register | go.theregister.com/feed/www.th

Government Staffing & Programs 🏛️

Nicholas Andersen Appointed CISA Cybersecurity EAD 🇺🇸

- Nicholas Andersen has been appointed as the Executive Assistant Director for Cybersecurity at CISA, a key leadership role focused on protecting federal civilian agency networks and critical infrastructure.
- Andersen, a veteran of the first Trump administration, previously served at the Department of Energy and most recently as President and COO of Invictus International Consulting.
- His appointment comes amidst significant changes at CISA, including job cuts and funding reductions, with Andersen previously advocating for streamlining the agency.

🤫 CyberScoop | cyberscoop.com/cisa-nicholas-a
🗞️ The Record | therecord.media/andersen-leade

Moscow Hires Former School System Hackers 🇷🇺

- Moscow authorities have reportedly hired "three or four young people" who previously successfully hacked the capital's digital education platform, Moscow Electronic School (MES).
- These individuals are now working on the educational platform and other city services, a move that is not unprecedented in Russia, where the FSB has also appointed former hackers.
- This practice raises questions about the ethics and implications of governments recruiting individuals with a history of cybercrime, potentially normalising such activities.

🗞️ The Record | therecord.media/moscow-hires-h

Everything Else 💡

Varonis Acquires AI Email Security Firm SlashNext 🤝

- Varonis has acquired SlashNext, an AI-driven email security company, for up to $150 million, integrating its data-centric security with SlashNext's phishing and social engineering detection.
- SlashNext's technology uses predictive AI models, computer vision, and natural language processing to block threats across email and collaboration platforms like Slack and Microsoft Teams.
- This acquisition reflects the increasing role of AI in both cyber attacks and defence, aiming to enhance real-time data threat detection and incident response capabilities.

🤫 CyberScoop | cyberscoop.com/varonis-slashne

Google Debunks Widespread Gmail Password Reset Rumours ❌

- Google has clarified that it did not issue a broad warning for all 2.5 billion Gmail users to reset their passwords, debunking widely reported misinformation.
- The company stated that claims of a major Gmail security issue are "entirely false" and that Gmail's security defences block over 99.9% of phishing and malware attacks.
- This incident highlights the prevalence of unverified cybersecurity stories and the importance of relying on official sources for accurate information.

🤖 Bleeping Computer | bleepingcomputer.com/news/tech

#CyberSecurity #ThreatIntelligence #Ransomware #SupplyChainAttack #ZeroDay #Vulnerability #APT #LazarusGroup #DataBreach #InfoSec #AI #DataPrivacy #GovernmentCyber #GPSJamming #IncidentResponse

Dosier33 (dosier33)
2025-08-29

🔎 Lazarus Group: North Korea's ghost cyber army.

From the attacks on Sony and the WannaCry ransomware to multimillion-dollar heists from banks and cryptocurrency platforms, this group shows that digital warfare is already here.

Watch the full video
rumble.com/v6y8jry-lazarus-gro

⚯ Michel de Cryptadamus ⚯ (cryptadamist@universeodon.com)
2025-08-28

Someone asked if I knew how much money North Korea has managed to extract from the #crypto industry (a lot of which we can be pretty sure ends up facilitating the nuclear weapons program). I ended up writing a long enough reply that I figured a couple of people here might be interested in reading it.

substack.com/@cryptadamus/note

#dprk #moneylaundering #uniswap #defi #cryptocurrency #bitcoin #NorthKorea #KimJongUn #LazarusGroup

Dosier33 (dosier33)
2025-08-28

Lazarus doesn't rest: a new hit on the Lykke exchange.

Every time news like this comes out I'm reminded that understanding how these groups operate is key to not going in blind in the crypto world.

🔗 okx.com/fr/learn/lykke-hack-la

