CyberSecurity news


info@thehackernews.com (The@The Hacker News //
A concerning trend has emerged on TikTok where cybercriminals are exploiting the platform's widespread reach through AI-generated videos to distribute malware. These deceptive videos lure users into executing malicious PowerShell commands under the guise of providing instructions for software activation or unlocking premium features for applications like Windows, Microsoft Office, Spotify, and CapCut. Trend Micro researchers discovered that these videos, often featuring AI-generated voices and visuals, instruct viewers to run specific commands that ultimately download and install information-stealing malware such as Vidar and StealC.

One notable example highlighted by researchers involves a TikTok video claiming to offer instant Spotify enhancements, which amassed nearly half a million views along with a significant number of likes and comments. However, instead of delivering the promised benefits, the command provided in the video downloads a remote script that installs Vidar or StealC malware, executing it as a hidden process with elevated system privileges. These infostealers are designed to harvest sensitive information, including credentials, browser sessions, and cryptocurrency wallets, posing a substantial risk to unsuspecting users who fall victim to this social-engineering attack.

Security experts warn that these attacks are leveraging the "ClickFix" technique and using AI to generate convincing "how-to" videos. By exploiting the trust users place in video tutorials and the desire for free software or features, cybercriminals are effectively tricking individuals into infecting their own systems. Once active, the malware connects to command-and-control (C&C) servers to exfiltrate stolen data. Vidar employs stealthy tactics, utilizing platforms like Steam and Telegram as Dead Drop Resolvers to hide C&C details, while StealC uses direct IP connections. Users are urged to exercise caution and verify the legitimacy of instructions before running any commands provided in online videos.

References :
  • CyberInsider: AI-Generated Videos on TikTok Push Vidar and StealC Infostealers
  • Virus Bulletin: Trend Micro researcher Junestherry Dela Cruz describes a TikTok campaign that uses possibly AI-generated videos to lure victims into executing PowerShell commands that lead to Vidar and StealC information stealers.
  • BleepingComputer: TikTok videos now push infostealer malware in ClickFix attacks
  • Help Net Security: TikTok videos + ClickFix tactic = Malware infection
  • bsky.app: Cybercriminals are using TikTok videos to trick users into infecting themselves with Vidar and StealC information-stealing malware in ClickFix attacks.
  • The Hacker News: The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector.
  • securityonline.info: Trend Micro reveals a growing threat on TikTok, where AI-generated videos deceive users into running malicious PowerShell commands
  • Thomas Fox-Brewster: Forbes discusses AI TikTok Videos Promising Free Spotify And Windows Subscriptions Trick Users Into Installing Malware Instead.
  • www.scworld.com: Infostealer deployed via TikTok videos
  • TARNKAPPE.INFO: ClickFix malware via TikTok: cybercriminals are launching new waves of attacks using viral TikTok videos as a Trojan horse.
  • bsky.app: BleepingComputer reports Cybercriminals are using TikTok videos to trick users into infecting themselves with Vidar and StealC information-stealing malware in ClickFix attacks.
  • www.sentinelone.com: SentinelOne's Mary Braden Murphy shows how ClickFix is weaponizing verification fatigue to deliver RATs & infostealers. Tricking victims into infecting themselves in this manner has proven highly effective, with threat actors increasingly folding this technique into their playbook.
  • The DefendOps Diaries: Unmasking ClickFix: The New Cyber Threat on TikTok
  • securityaffairs.com: Fake software activation videos on TikTok spread Vidar, StealC.
  • The Hacker News: Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique
  • ciso2ciso.com: Fake software activation videos on TikTok spread Vidar, StealC – Source: securityaffairs.com
  • www.techradar.com: Cybercriminals are using AI to generate convincing "how-to" videos.
  • PCMag UK security: Warning: AI-Generated TikTok Videos Want to Trick You Into Installing Malware
  • Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
  • Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake “AI video generator” websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • cloud.google.com: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake “AI video generator” websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • hackread.com: Mandiant Threat Defense uncovers a campaign where Vietnam-based group UNC6032 tricks users with malicious social media ads for…
  • Malwarebytes: Cybercriminals are using text-to-video-AI tools to lure victims to fake websites that deliver malware like infostealers and Trojans.

Pierluigi Paganini@securityaffairs.com //
GreyNoise researchers have uncovered a significant and stealthy campaign exploiting ASUS routers, leading to the formation of a new botnet dubbed "AyySSHush". This long-running operation has compromised thousands of ASUS routers, with numbers steadily increasing. The attackers are gaining unauthorized, persistent access to the devices, effectively establishing a distributed network of backdoors, potentially laying the foundation for a future, larger botnet.

This attack is achieved through a sophisticated, multi-step exploitation chain, showcasing advanced knowledge of ASUS systems. Initial access is gained through brute-force login attempts and previously undocumented authentication bypasses. Attackers then exploit CVE-2023-39780, a command injection vulnerability, to execute system commands. This allows them to enable SSH access on a custom port and insert an attacker-controlled SSH public key, granting persistent remote access.

The AyySSHush botnet's stealth is enhanced by disabling router logging to evade detection and avoiding the installation of any malware. Crucially, the backdoor is stored in non-volatile memory (NVRAM), ensuring it survives both firmware upgrades and reboots. As of late May 2025, data confirmed that over 9,000 ASUS routers had been compromised. This campaign highlights the critical need for prompt patching of router vulnerabilities to prevent exploitation and botnet recruitment.

References :
  • cyberinsider.com: A campaign targeting nearly 9,000 ASUS routers globally has given attackers persistent, undetectable access, likely to build a botnet network for future operations.
  • The GreyNoise Blog: GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
  • Blog: ASUS routers exposed to the public Internet are being compromised, with backdoors being installed. Here's how to find impacted assets on your network.
  • www.scworld.com: ASUS router backdoors affect 9K devices, persist after firmware updates
  • securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet
  • bsky.app: Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco
  • securityaffairs.com: New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.
  • CyberInsider: 9,000 ASUS Routers Compromised in Stealthy Backdoor Campaign
  • BleepingComputer: Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor
  • www.techradar.com: Thousands of Asus routers hacked to create a major botnet planting damaging malware.
  • The Register - Security: 8,000+ Asus routers popped in 'advanced' mystery botnet plot
  • PCMag UK security: Cybercriminals Hack Asus Routers: Here's How to Check If They Got Into Yours
  • eSecurity Planet: Over 9,000 Routers Hijacked: ASUS Users Caught in Ongoing Cyber Operation
  • www.itpro.com: Asus routers at risk from backdoor vulnerability
  • www.csoonline.com: New botnet hijacks AI-powered security tool on Asus routers
  • www.esecurityplanet.com: Over 9,000 ASUS routers were hacked in a stealth cyberattack exploiting CVE-2023-39780.
  • cyble.com: Researchers disclosed that attackers have exploited this vulnerability in a widespread and stealthy botnet campaign, compromising over 9,000 ASUS routers and enabling persistent, unauthorized access to the affected devices.
  • hothardware.com: Heads up if you have an Asus router in your home or office, as there's a backdoor exploit doing the rounds affecting 9,000 devices and counting.
  • techvro.com: GreyNoise has exposed the AyySSHush botnet infecting over 9,000 ASUS routers, urging owners to factory reset devices as firmware updates alone won’t remove the hidden backdoor.
  • Techzine Global: New botnet creates permanent backdoors in ASUS routers
  • securityonline.info: AyySSHush: New Stealthy Botnet Backdoors ASUS Routers, Persists Through Firmware Updates
  • securityonline.info: SecurityOnline: AyySSHush: New Stealthy Botnet Backdoors ASUS Routers, Persists Through Firmware Updates
  • Catalin Cimpanu: AyySSHush botnet infects 9k ASUS routers

@www.bleepingcomputer.com //
The DragonForce ransomware group has been actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) software, to target managed service providers (MSPs) and their customers. This attack serves as a stark reminder of the supply chain risks inherent in relying on third-party software, particularly RMM tools which, if compromised, can grant attackers widespread access to numerous client systems. Sophos researchers uncovered that the DragonForce operator chained three specific SimpleHelp flaws, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to breach an MSP. This breach resulted in data theft and the subsequent deployment of ransomware across the MSP's customer endpoints, causing significant disruption and potential financial losses.

The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches.

The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities.

References :
  • Sophos News: Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
  • bsky.app: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • securityaffairs.com: Sophos researchers reported that a DragonForce ransomware operator exploited three chained vulnerabilities in SimpleHelp software to attack a managed service provider. SimpleHelp is a remote support and access software designed for IT professionals and support teams. It provides a streamlined way for IT teams to manage and monitor remote systems, making it a valuable tool for MSPs. However, the vulnerabilities exploited by DragonForce highlight the importance of keeping RMM software patched and up to date, as these tools can become attack vectors for ransomware and other threats.
  • www.bleepingcomputer.com: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • BleepingComputer: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
  • BleepingComputer: DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
  • The Register - Security: Updated DragonForce ransomware infected a managed service provider, and its customers, after attackers exploited security flaws in remote monitoring and management tool SimpleHelp.…
  • www.helpnetsecurity.com: Attackers hit MSP, use its RMM software to deliver ransomware to clients
  • Help Net Security: Attackers hit MSP, use its RMM software to deliver ransomware to clients
  • www.techradar.com: DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs
  • ciso2ciso.com: DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware – Source: go.theregister.com
  • Anonymous: The ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data
  • MicroScope: Sophos warns MSPs over DragonForce threat
  • Daily CyberSecurity: Details of RMM tool abused to spread DragonForce.
  • MSSP feed for Latest: The bad actors exploited flaws in SimpleHelp's software to compromise the MSP and attack clients.
  • thehackernews.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints
  • Tech Monitor: DragonForce exploits SimpleHelp in MSP breach
  • www.bleepingcomputer.com: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
  • ciso2ciso.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints – Source:thehackernews.com
  • Security Risk Advisors: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP
  • www.sentinelone.com: Robbinhood operator pleads guilty, PumaBot hits IoT via SSH brute-force attacks, and DragonForce expands RMM exploits via an affiliate model.
  • news.sophos.com: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP

djohnson@CyberScoop //
A Vietnam-based cybercriminal group, identified as UNC6032, is exploiting the public's fascination with AI to distribute malware. The group has been actively using malicious advertisements on platforms like Facebook and LinkedIn since mid-2024, luring users with promises of access to popular prompt-to-video AI generation tools such as Luma AI, Canva Dream Lab, and Kling AI. These ads direct victims to fake websites mimicking legitimate dashboards, where they are tricked into downloading ZIP files containing infostealers and backdoors.

The multi-stage attack involves sophisticated social engineering techniques. The initial ZIP file contains an executable disguised as a harmless video file using Braille characters to hide the ".exe" extension. Once executed, this binary, named STARKVEIL and written in Rust, unpacks legitimate binaries and malicious DLLs to the "C:\winsystem\" folder. It then prompts the user to re-launch the program after displaying a fake error message. On the second run, STARKVEIL deploys a Python loader called COILHATCH, which decrypts and side-loads further malicious payloads.
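The filename trick described above can be checked for before an archive is opened. This is an added example, not code from Mandiant or from the original page: it scans ZIP member names for an executable extension hidden behind Braille or other invisible characters, and it also flags a decoy media extension as a generalization. The function names, the extension lists and the sample archive are assumptions constructed for illustration.

```python
import io
import os
import unicodedata
import zipfile

# Assumed, non-exhaustive lists chosen for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".pdf", ".jpg", ".png"}

# Constructed sample name: a "video" whose real extension is pushed out of
# view by 30 BRAILLE PATTERN BLANK characters (U+2800).
DISGUISED_SAMPLE = "Generated_video.mp4" + "\u2800" * 30 + ".exe"


def is_padding(ch):
    """True for characters that render as blank space but are not U+0020."""
    if 0x2800 <= ord(ch) <= 0x28FF:  # Unicode Braille Patterns block
        return True
    # Format characters (zero-width, direction overrides) and exotic spaces.
    return ch != " " and unicodedata.category(ch) in ("Cf", "Zs")


def disguise_reasons(member_name):
    """Explain why an archive member looks like a disguised executable.

    Returns an empty list for non-executables and for executables that
    make no attempt to hide their extension.
    """
    base = member_name.rsplit("/", 1)[-1]
    padding = [ch for ch in base if is_padding(ch)]
    visible = "".join(ch for ch in base if not is_padding(ch))
    stem, ext = os.path.splitext(visible)
    if ext.lower() not in EXECUTABLE_EXTS:
        return []
    reasons = []
    if padding:
        reasons.append("%d invisible/Braille characters in name" % len(padding))
    if os.path.splitext(stem.rstrip())[1].lower() in DECOY_EXTS:
        reasons.append("decoy extension before %s" % ext.lower())
    return reasons


def scan_zip(data):
    """Map each suspicious member name in a ZIP (bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = disguise_reasons(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Build a constructed in-memory archive with harmless placeholder data."""
    names = ["readme.txt", "clip.mp4", "setup.exe", DISGUISED_SAMPLE]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        # ascii() makes the hidden characters visible as \u2800 escapes.
        print(ascii(name), "->", "; ".join(reasons))
```
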

This campaign has impacted a wide range of industries and geographic areas, with the United States being the most frequently targeted. The malware steals sensitive data, including login credentials, cookies, credit card information, and Facebook data, and establishes persistent access to compromised systems. UNC6032 constantly refreshes domains to evade detection, and while Meta has removed many of these malicious ads, users are urged to exercise caution and verify the legitimacy of AI tools before using them.

References :
  • Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
  • The Register - Security: GO The Register reports that miscreants are using text-to-AI-video tools and Facebook ads to distribute malware and steal credentials.
  • PCMag UK security: Warning AI-Generated TikTok Videos Want to Trick You Into Installing Malware
  • cloud.google.com: Google's Threat Intelligence Unit, Mandiant, reported that social media platforms are being used to distribute malware-laden ads impersonating legitimate AI video generator tools.
  • Malwarebytes: Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
  • hackread.com: Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
  • www.techradar.com: Millions of users could fall for fake Facebook ad for a text-to-AI-video tool that is just malware
  • CyberInsider: CyberInsider: Cybercriminals Use Fake AI Video Tools to Deliver Infostealers
  • Metacurity: Metacurity for a concise rundown of the most critical developments you should know, including UNC6032 uses prompt-to-video AI tools to lure malware victims
  • PCMag UK security: Cybercriminals have been posting Facebook ads for fake AI video generators to distribute malware, Google’s threat intelligence unit Mandiant .
  • Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake “AI video generator” websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • hackread.com: Fake ChatGPT and InVideo AI Downloads Deliver Ransomware
  • PCMag Middle East ai: Be Careful With Facebook Ads for AI Video Generators: They Could Be Malware
  • Threat Intelligence: Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
  • ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
  • aboutdfir.com: Google warns of Vietnam-based hackers using bogus AI video generators to spread malware
  • BleepingComputer: Cybercriminals exploit AI hype to spread ransomware, malware
  • www.pcrisk.com: Novel infostealer with Vietnamese attribution
  • ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools – Source:thehackernews.com
  • securityonline.info: Warning: Fake AI Tools Spread CyberLock Ransomware and Numero Destructive Malware
  • Vulnerable U: Fake AI Video Generators Deliver Rust-Based Malware via Malicious Ads Analysis of UNC6032’s Facebook and LinkedIn ad blitz shows social-engineered ZIPs leading to multi-stage Python and DLL side-loading toolkits
  • oodaloop.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
  • OODAloop: Artificial intelligence tools are being used by cybercriminals to target users and propagate threats. The CyberLock and Lucky_Gh0$t ransomware families are some of the threats involved in the operations. The cybercriminals are using fake installers for popular AI tools like OpenAI’s ChatGPT and InVideoAI to lure in their victims.
  • bsky.app: LinkedIn is littered with links to lurking infostealers, disguised as AI video tools Deceptive ads for AI video tools posted on LinkedIn and Facebook are directing unsuspecting users to fraudulent websites, mimicking legitimate AI tools such as Luma AI, Canva Dream Lab, and Kling AI.
  • BGR: AI products that sound too good to be true might be malware in disguise
  • Security Risk Advisors: Cisco Talos Uncovers Multiple Malware Families Disguised as Legitimate AI Tool Installers
  • blog.talosintelligence.com: Cisco Talos discovers malware campaign exploiting #AI tool installers. #CyberLock #ransomware #Lucky_Gh0$t & new "Numero" malware disguised as legitimate AI installers.

Pierluigi Paganini@Security Affairs //
A new botnet, dubbed PumaBot, is actively targeting Linux-based IoT devices, posing a significant security risk. This Go-based malware is designed to steal SSH credentials through brute-force attacks, allowing it to spread malicious payloads and illicitly mine cryptocurrency. Unlike other botnets that perform broad internet scans, PumaBot employs a more targeted approach by retrieving lists of IP addresses from its command-and-control (C2) server, enabling it to focus its attacks on specific devices. This approach, coupled with its ability to impersonate legitimate system files, makes PumaBot a stealthy and dangerous threat to embedded Linux systems.

The attack begins with PumaBot attempting to brute-force SSH credentials on targeted devices, aiming to gain unauthorized access. Once inside, it establishes persistence using systemd service files, ensuring it survives reboots and remains active on the compromised device. To further mask its activities, PumaBot disguises itself as a legitimate Redis system file, attempting to blend in with normal system processes. After successfully gaining access to an infected system, it collects and exfiltrates basic system information to the C2 server, where it can receive commands to carry out its malicious objectives.

The primary goal of PumaBot appears to be cryptocurrency mining, as evidenced by the presence of "xmrig" and "networkxm" commands within its code. These commands suggest that compromised devices are being leveraged to generate illicit cryptocurrency gains for the botnet operators. Security experts also observed that the botnet performs checks to avoid honeypots and, curiously, looks for the string "Pumatronix," a surveillance and traffic camera manufacturer, hinting at a targeted or exclusionary approach. The discovery highlights the ongoing need for robust security measures for IoT devices, as they continue to be attractive targets for botnet recruitment and malicious activities.

References :
  • ciso2ciso.com: New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto – Source:thehackernews.com
  • Anonymous: New PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and mine crypto.
  • securityaffairs.com: New PumaBot targets Linux IoT surveillance devices
  • The Hacker News: New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto
  • BleepingComputer: A newly discovered Go-based Linux botnet malware named PumaBot is brute-forcing SSH credentials on embedded IoT devices to deploy malicious payloads.
  • gbhackers.com: New PumaBot Hijacks IoT Devices via SSH Brute-Force for Persistent Access
  • www.csoonline.com: Novel PumaBot slips into IoT surveillance with stealthy SSH break-ins
  • www.sentinelone.com: PumaBot hits IoT via SSH brute-force attacks, and DragonForce expands RMM exploits via an affiliate model.
  • securityonline.info: PumaBot: New Stealthy Linux Botnet Evades Detection, Targets IoT Devices

Pierluigi Paganini@Security Affairs //
Victoria's Secret has shut down its website and disabled some in-store services following a cybersecurity incident. The lingerie retailer's online presence was temporarily halted during the Memorial Day Weekend, a peak holiday shopping period. While physical Victoria's Secret and PINK retail stores remain open, the company has taken steps to address the issue and has engaged third-party experts to restore operations. The company does not know when operations will be back up and running.

The incident has disrupted online returns, fulfillment of recent orders, and the redemption of direct mail coupons, prompting the company to extend its U.S. return window by 30 days and extend expired coupon redemption windows. Victoria's Secret customers have expressed frustration with the lack of updates and difficulty contacting representatives through chat, email, or phone. The company is working to fulfill orders placed before Monday.

The cyberattack on Victoria's Secret is part of a disturbing trend targeting global retailers, with recent breaches at Dior, Adidas, Harrods, Co-op, and Marks & Spencer. Experts such as Darren Guccione, CEO of Keeper Security, warn that this may signal that cybercrime groups are now actively targeting U.S. companies. Security professionals urge retailers to adopt proactive strategies like Privileged Access Management (PAM) and multi-factor authentication, while consumers are advised to use password managers and dark web monitoring services to protect themselves.

References :
  • cyberinsider.com: Victoria’s Secret Shuts Down Website and Store Systems Following Cyberattack
  • securityaffairs.com: Victoria’s Secret’s website offline following a cyberattack
  • Davey Winder: Victoria’s Secret Lingerie Site Down — Security Incident Cited
  • SecureWorld News: Victoria's Secret Latest Victim of Cyberattacks
  • Graham Cluley: Victoria's Secret has reportedly suffered a major IT outage due to a cybersecurity "incident."
  • www.cybersecuritydive.com: Victoria's Secret shuts down website in response to security incident
  • techcrunch.com: Victoria’s Secret hit by outages as it battles security incident
  • thecyberexpress.com: Victoria’s Secret Website Down After Security Incident
  • The Record: The Victoria's Secret site now features a brief message to customers explaining that the retailer is "taking steps to address a security incident."

Zack Whittaker@techcrunch.com //
Data broker giant LexisNexis has disclosed a significant data breach affecting over 364,000 individuals. The breach targeted LexisNexis Risk Solutions (LNRS), a unit specializing in "know your customer," risk assessment, due diligence, and law enforcement assistance. An unauthorized party gained access to a third-party software development platform utilized by LNRS, resulting in the theft of sensitive personal data.

The intrusion, which occurred on December 25, 2024, was detected by LexisNexis on April 1, 2025. Initial reports indicate that the stolen data includes names, phone numbers, home addresses, email addresses, Social Security numbers, driver's license numbers, and dates of birth. While LexisNexis asserts that its own systems and infrastructure were not compromised, the breach raises concerns about the security of data entrusted to third-party vendors. The company stated that "No financial, credit card, or other sensitive personal information was accessed".

LexisNexis is notifying affected individuals and relevant regulators about the breach. The company also reported the incident to law enforcement. They are offering affected individuals 24 months of identity protection and credit monitoring through Experian. The incident highlights the vulnerability of personal data within the data broker industry and comes shortly after the scrapping of a Biden-era rule intended to restrict data brokers from selling Americans’ sensitive information.

References :
  • The Register - Software: Attack on LexisNexis Risk Solutions exposes data on 300k +
  • Zack Whittaker: New, by me: Data broker giant LexisNexis has revealed that its risk solutions unit (think "know your customer," risk assessing, due diligence, and law enforcement assistance) was breached, affecting the personal data and Social Security numbers of at least 364,000 people.
  • techcrunch.com: Data broker giant LexisNexis says breach exposed personal information of over 364,000 people
  • www.itpro.com: Breach at data analytics firm impacts 364,000 people
  • www.techradar.com: Over 364,000 people have personal info leaked following hack on data broker LexisNexis
  • ciso2ciso.com: Attack on LexisNexis Risk Solutions exposes data on 300k + – Source: go.theregister.com

@www.qualys.com //
Two new information disclosure vulnerabilities have been identified in Linux systems, specifically affecting Ubuntu, Red Hat Enterprise Linux, and Fedora distributions. These flaws reside in the core dump handlers 'apport' (CVE-2025-5054) and 'systemd-coredump' (CVE-2025-4598). The vulnerabilities are characterized as race condition bugs, which could be exploited by a local attacker to gain unauthorized access to sensitive information. Successful exploitation could lead to the exposure of critical data, including password hashes, through the manipulation of core dumps generated during system crashes.

Qualys Threat Research Unit (TRU) discovered that Apport incorrectly handled metadata when processing application crashes. This allows an attacker to induce a crash in a privileged process and quickly replace it with another process with the same process ID inside a mount and pid namespace. Apport will then attempt to forward the core dump, potentially containing sensitive information from the original privileged process, into the namespace. Similarly, systemd-coredump has a race condition that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the core dump of the original privileged process.

Both vulnerabilities have been assigned a CVSS score of 4.7, indicating a medium severity level. Red Hat has rated CVE-2025-4598 as Moderate due to the high complexity involved in successfully exploiting the flaw. To mitigate the risk, users can disable core dump generation for SUID binaries by running the command "echo 0 > /proc/sys/fs/suid_dumpable" as root. Canonical has released updates for the apport package for all affected Ubuntu releases, addressing CVE-2025-5054, and users are advised to update their systems as soon as possible.
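To see whether a host is in the configuration the mitigation above addresses, the two relevant kernel settings can be read directly. This is an added example, not code from Qualys, Canonical or Red Hat: it reports the `fs.suid_dumpable` value and which core dump handler `kernel.core_pattern` pipes to. It does not check package versions, and the function names, the sample patterns and the drop-in file name are assumptions constructed for illustration.

```python
import os

# Handlers named in the advisory and the CVE reported against each.
HANDLER_CVES = {
    "apport": "CVE-2025-5054",
    "systemd-coredump": "CVE-2025-4598",
}

# Constructed sample core_pattern values in the style each handler installs.
APPORT_PATTERN = "|/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E"
SYSTEMD_PATTERN = "|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h"

# "echo 0 > /proc/sys/fs/suid_dumpable" is lost at reboot. A sysctl.d drop-in
# with this content keeps it; the file name is a hypothetical choice.
SYSCTL_DROPIN_PATH = "/etc/sysctl.d/60-suid-dumpable.conf"
SYSCTL_DROPIN_TEXT = "fs.suid_dumpable = 0\n"


def _read(path):
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


def identify_handler(core_pattern):
    """Classify core_pattern as 'file', a known handler, or 'other-pipe'."""
    if not core_pattern.startswith("|"):
        return "file"  # the kernel writes the core file itself
    parts = core_pattern[1:].split()
    if not parts:
        return "other-pipe"
    name = os.path.basename(parts[0])
    return name if name in HANDLER_CVES else "other-pipe"


def audit(proc_sys="/proc/sys"):
    """Summarise the SUID core dump configuration found under proc_sys."""
    suid_dumpable = int(_read(os.path.join(proc_sys, "fs", "suid_dumpable")))
    pattern = _read(os.path.join(proc_sys, "kernel", "core_pattern"))
    handler = identify_handler(pattern)
    cve = HANDLER_CVES.get(handler)
    return {
        "suid_dumpable": suid_dumpable,
        "handler": handler,
        "relevant_cve": cve,
        # 0 means SUID processes never dump core: the mitigation is applied.
        "suid_dumps_enabled": suid_dumpable != 0,
        # Affected handler plus SUID dumps on: patch or apply the mitigation.
        "needs_attention": cve is not None and suid_dumpable != 0,
    }


def write_fake_proc(root, suid_dumpable, core_pattern):
    """Create a constructed /proc/sys look-alike so audit() runs anywhere."""
    for sub, name, value in (
        ("fs", "suid_dumpable", str(suid_dumpable)),
        ("kernel", "core_pattern", core_pattern),
    ):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "w", encoding="ascii") as fh:
            fh.write(value + "\n")


if __name__ == "__main__":
    if os.path.exists("/proc/sys/fs/suid_dumpable"):
        report = audit()
        print(report)
        if report["needs_attention"]:
            print("Update the handler package, or persist the mitigation in",
                  SYSCTL_DROPIN_PATH, "with:", SYSCTL_DROPIN_TEXT.strip())
    else:
        print("No /proc/sys here; call audit() on a write_fake_proc() tree.")
```
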

References :
  • securityaffairs.com: Two Linux flaws can lead to the disclosure of sensitive data
  • The Hacker News: New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora
  • Ubuntu security notices: USN-7545-1: Apport vulnerability Qualys discovered that Apport incorrectly handled metadata when processing application crashes.
  • Open Source Security: Local information disclosure in apport and systemd-coredump
  • Planet Ubuntu: Ubuntu Blog: Apport local information disclosure vulnerability fixes available
  • ciso2ciso.com: Two Linux flaws can lead to the disclosure of sensitive data – Source: securityaffairs.com – Author: Pierluigi Paganini
  • www.qualys.com: Qualys discovers local information disclosure vulnerabilities in apport and systemd-coredump

@therecord.media //
MathWorks, the company behind the popular MATLAB software used by over five million people worldwide, has confirmed a ransomware attack that began on May 18, 2025. The attack disrupted online applications and internal systems, impacting licensing and access for users globally. The company has notified federal law enforcement and is working with cybersecurity experts to restore affected systems.

Commercial customers and STEM students have been significantly impacted by the prolonged outage. An IT manager at an engineering firm reported difficulties acquiring new licenses, hindering ongoing projects. Students also faced challenges, particularly with assessment tools like MATLAB Grader and Cody, which were only recently partially restored. Some frustrated users admitted to pirating the software due to the lack of access to the services they had paid for.

MathWorks has been issuing updates on its status page, initially citing technical issues before confirming the ransomware attack on May 26. While many systems are being brought back online, full recovery is still underway. The company has not yet disclosed details about the ransomware group responsible, whether a ransom was paid, or if data was exfiltrated.

References :
  • The Dysruption Hub: MathWorks confirms ransomware attack disrupted MATLAB services starting May 18, impacting licensing and access for users worldwide.
  • The Register - Software: Commercial customers, STEM students all feeling the pain after mega outage of engineering data-analysis tool Software biz MathWorks is cleaning up a ransomware attack more than a week after it took down MATLAB, its flagship product used by more than five million people worldwide.
  • therecord.media: MathWorks — developer of MATLAB — has updated customers after initially reporting outages on May 18, confirming a ransomware attack that took down online applications and internal systems used by staff.
  • The Record: MathWorks — developer of MATLAB — has updated customers after initially reporting outages on May 18, confirming a ransomware attack that took down online applications and internal systems used by staff.
  • securebulletin.com: When the world’s engineers, scientists, and students logged in to MATLAB on May 18, 2025, many were met with silence—a digital void where powerful tools once lived.
  • bsky.app: MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage.
  • www.bleepingcomputer.com: MathWorks Blames Ransomware Attack for Ongoing Outages - BleepingComputer
  • BleepingComputer: MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage.
  • Doug Levin: Doug Levin: MathWorks experienced a ransomware attack.
  • Secure Bulletin: Ransomware attack in MathWorks outage that paralyzed MATLAB
  • DataBreaches.Net: MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Blog: Confirmed: MathWorks outage due to ransomware attack
  • Catalin Cimpanu: MATLAB maker hit by ransomware

CyberNewswire@hackread.com //
SquareX has released new threat research highlighting a sophisticated Fullscreen Browser-in-the-Middle (BitM) attack that targets Apple Safari users. This attack exploits a flaw in the browser's Fullscreen API, allowing attackers to create a convincing fullscreen window that mimics a legitimate login page. By using a remote browser, victims are tricked into interacting with an attacker-controlled browser via a pop-up window, divulging credentials and other sensitive information, thinking they are using a regular browser window. Mandiant has highlighted the increasing use of BitM attacks to steal credentials and gain unauthorized access to enterprise SaaS apps.

The Safari-specific implementation flaw uses the Fullscreen API to create a BitM window in fullscreen mode, concealing the suspicious URL from the parent window. Safari users are particularly vulnerable due to the lack of clear visual indicators when entering fullscreen mode, making it difficult to distinguish between a legitimate page and a fake one. Attackers can easily embed a fake login button within the pop-up window that triggers the Fullscreen API upon being clicked. The current Fullscreen API requires user interaction to trigger fullscreen mode, but it does not specify the type of interaction required.

SquareX disclosed this vulnerability to Apple, but they were informed that there is no plan to address the issue. According to SquareX researchers, the Fullscreen BitM attack highlights architectural and design flaws in browser APIs, specifically the Fullscreen API. They emphasized that users could unknowingly click on a fake button and trigger a fullscreen BitM window, especially in Safari, where the lack of clear fullscreen mode cues allows threat actors to steal user credentials stealthily. This exploit renders existing security solutions obsolete when it comes to detecting this type of BitM attack.

References :
  • hackernoon.com: Fullscreen BitM Attack Discovered By SquareX Exploits Browser Fullscreen APIs To Steal Credentials
  • cyberinsider.com: Apple Safari Users Vulnerable to Stealthy Browser Attacks
  • BleepingComputer: Apple Safari exposes users to fullscreen browser-in-the-middle attacks
  • CyberInsider: Apple Safari Users Vulnerable to Stealthy Browser Attacks
  • Daily CyberSecurity: Fullscreen BitM Attack Discovered by SquareX Exploits Browser Fullscreen APIs to Steal Credentials in Safari
  • hackread.com: Fullscreen BitM Attack Discovered by SquareX Exploits Browser Fullscreen APIs to Steal Credentials in Safari
  • www.scworld.com: Apple's Safari web browser was discovered to have a Fullscreen API security issue, which could be abused to enable fullscreen browser-in-the-middle intrusions concealing the address bar of the parent window, reports BleepingComputer.

Pierluigi Paganini@Security Affairs //
The Czech Republic has formally accused China of orchestrating a "malicious cyber campaign" targeting an unclassified communication network within its Ministry of Foreign Affairs. The attacks, attributed to the China-linked APT31 hacking group, are believed to have been ongoing since 2022. This action represents a significant escalation in tensions between the two nations regarding cyber espionage. In response to the detected activity, the Czech government summoned the Chinese ambassador to express its strong condemnation of these hostile actions and to convey the damaging impact on bilateral relations. The European Union has voiced its solidarity with Prague following this announcement, further highlighting the international implications of the cyberattack.

The Czech government, in a formal statement, identified the People's Republic of China as responsible for the cyber campaign. The government believes with a high degree of certainty that APT31, also known as Judgement Panda, Bronze Vinewood or RedBravo, a cyber-espionage group linked to China's Ministry of State Security, was behind the attacks. This group has a history of targeting government and defense supply chains. Czech authorities said the malicious activity “affected an institution designated as Czech critical infrastructure,” and targeted one of the Ministry of Foreign Affairs’ unclassified networks.

The Czech Republic asserts that the cyberattacks violate responsible state behavior in cyberspace, as endorsed by members of the United Nations, and undermine the credibility of China. The government is demanding that China adhere to these norms and refrain from similar activities in the future. The Czech Foreign Affairs Minister stated that the attribution was intended to expose China, “which has long been working to undermine our resilience and democracy”. The detection of the attackers during the operation allowed for the implementation of a new communication system for the ministry, significantly strengthening its security.

References :
  • Lukasz Olejnik: The Czech Republic has accused China of a "malicious cyber campaign" targeting an unclassified communication network at its Foreign Affairs Ministry since 2022, summoning the Chinese ambassador in protest. The EU expressed solidarity with Prague following the announcement.
  • securityaffairs.com: Czech Republic accuses China’s APT31 of a cyberattack on its Foreign Ministry
  • BleepingComputer: Czechia blames China for Ministry of Foreign Affairs cyberattack
  • bsky.app: The Czech Republic says the Chinese-backed APT31 hacking group was behind cyberattacks targeting the country's Ministry of Foreign Affairs and critical infrastructure organizations.
  • The Hacker News: The Czech Republic on Wednesday formally accused a threat actor associated with the People's Republic of China (PRC) of targeting its Ministry of Foreign Affairs.
  • therecord.media: Czech authorities said they assessed with “a high degree of certainty” that a Chinese cyber-espionage group known as APT31, tried to hack into a government network.
  • mzv.gov.cz: Statement by the Government of the Czech Republic.

Mandvi@Cyber Security News //
The Interlock ransomware group is actively deploying a new, sophisticated remote access trojan (RAT) known as NodeSnake in attacks targeting corporate networks. Security researchers have observed this campaign, revealing that Interlock is leveraging NodeSnake as a key component of its attack toolkit to maintain persistent access and enhance its post-exploitation capabilities. NodeSnake, written in Golang, allows the attackers to bypass common detection mechanisms and exfiltrate sensitive data, ensuring continued access even if ransomware binaries are detected and removed.

Two UK-based universities and local government entities have fallen victim to NodeSnake within the past few months. Analysis by cybersecurity firm Quorum Cyber has uncovered two new variants of the RAT, strongly attributing them to the Interlock ransomware group. The timing and shared code elements between the incidents suggest a coordinated campaign by the same threat actor, signalling a shift in targets for the group.

NodeSnake is a type of Remote Access Trojan (RAT). RATs are dangerous because they allow attackers to take control of infected computers from afar. Attackers can access files, watch what users are doing, change computer settings, and steal or delete important information remotely, while the RAT stays hidden in the system and can introduce other harmful programs. The two NodeSnake variants are from the same family, with the newer one showing significant improvements. This RAT expands the group’s capabilities for reconnaissance, lateral movement, and data exfiltration, facilitating ransomware deployment.

References :
  • Cyber Security News: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.
  • gbhackers.com: Interlock Ransomware Uses NodeSnake RAT for Persistent Access to Corporate Networks. Two UK-based universities have fallen victim to a sophisticated Remote Access Trojan (RAT) dubbed NodeSnake within the past two months.
  • hackread.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks Quorum Cyber identifies two new NodeSnake RAT variants, strongly attributed to Interlock ransomware, impacting UK higher education and local government.
  • BleepingComputer: Interlock ransomware gang deploys new NodeSnake RAT on universities
  • ciso2ciso.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks – Source:hackread.com Source: hackread.com – Author: Deeba Ahmed.
  • cyberpress.org: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.
  • bsky.app: "We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks. Learn more about what you need to know about Interlock in my article on the Tripwire blog. #cybersecurity #ransomware #clickfix
  • Graham Cluley: "We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks.

@securityonline.info //
Elastic Security Labs has identified a new information stealer called EDDIESTEALER, a Rust-based malware distributed through fake CAPTCHA campaigns. These campaigns trick users into executing malicious PowerShell scripts, which then deploy the infostealer onto their systems. EDDIESTEALER is hosted on multiple adversary-controlled web properties and employs the ClickFix social engineering tactic, luring unsuspecting individuals with the promise of CAPTCHA verification. The malware aims to harvest sensitive data, including credentials, browser information, and cryptocurrency wallet details.

This attack chain begins with threat actors compromising legitimate websites, injecting malicious JavaScript payloads that present bogus CAPTCHA check pages. Users are instructed to copy and paste a PowerShell command into their Windows terminal as verification, which retrieves and executes a JavaScript file called gverify.js. This script, in turn, fetches the EDDIESTEALER binary from a remote server, saving it in the downloads folder with a pseudorandom filename. The malware dynamically retrieves configuration data from a command-and-control server, allowing it to adapt its behavior and target specific programs.

EDDIESTEALER is designed to gather system metadata and siphon data of interest from infected hosts, including cryptocurrency wallets, web browsers, password managers, FTP clients, and messaging apps like Telegram. The malware incorporates string encryption, a custom WinAPI lookup mechanism, and a mutex to prevent multiple instances from running. It also includes anti-sandbox checks and a self-deletion technique using NTFS Alternate Data Streams to evade detection. The dynamic C2 tasking gives attackers flexibility, highlighting the ongoing threat of ClickFix campaigns and the increasing use of Rust in malware development.

References :
  • Virus Bulletin: Elastic Security Labs has uncovered a novel Rust-based infostealer distributed via Fake CAPTCHA campaigns that trick users into executing a malicious PowerShell script. EDDIESTEALER is hosted on multiple adversary-controlled web properties.
  • The Hacker News: New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data
  • www.scworld.com: ClickFix used to spread novel Rust-based infostealer
  • Anonymous: “Prove you're not a robot” — turns into full system breach! Hackers are using fake CAPTCHA checks to deploy a stealthy new Rust malware, EDDIESTEALER, via ClickFix—a social engineering trick abusing PowerShell on Windows
  • securityonline.info: EDDIESTEALER: New Rust Infostealer Uses Fake CAPTCHAs to Hijack Crypto Wallets & Data
  • malware.news: Cybersecurity researchers have identified a sophisticated malware campaign utilizing deceptive CAPTCHA interfaces to distribute EddieStealer, a Rust-based information stealing malware that targets sensitive user data across multiple platforms.

Cynthia B@Metacurity //
The U.S. Treasury Department has sanctioned Funnull Technology Inc., a Philippines-based company, for providing infrastructure that facilitated "pig butchering" scams, a type of cryptocurrency investment fraud that has cost Americans over $200 million. The Treasury’s Office of Foreign Assets Control (OFAC) took action on May 29, 2025, targeting Funnull and its administrator, Liu Lizhi. The FBI has also issued an advisory warning against Funnull, highlighting its role as a major distributor of online scams. Funnull is accused of enabling cybercriminals by purchasing IP addresses in bulk from major cloud service providers and then selling them to operators of fraudulent investment platforms.

The sanctions follow an FBI investigation that linked Funnull to the majority of virtual currency investment scam websites reported to them. The agency stated that Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses for U.S. victims, with average individual losses exceeding $150,000. These scams typically involve perpetrators posing as romantic partners or friends online to gain victims’ trust, then convincing them to invest in virtual currency on platforms that ultimately prove to be fraudulent. Scammers often demand additional "taxes" on purported crypto earnings before allowing victims to withdraw their funds, which never happens.

Security firm Silent Push had previously identified Funnull as a criminal content delivery network (CDN) routing traffic through U.S.-based cloud providers before redirecting users to malicious websites. Their October 2024 research exposed a sprawling cluster of domains, dubbed "Triad Nexus," routed through Funnull's CDNs, revealing how cybercriminals leverage credible cloud providers for malicious activities through what they termed "infrastructure laundering." The FBI observed patterns of IP address activity on Funnull infrastructure between October 2023 and April 2025, including the simultaneous migration of hundreds of domains to other IP addresses, further complicating efforts to track and combat the scams.

References :
  • krebsonsecurity.com: U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Threats | CyberScoop: Treasury sanctions crypto scam facilitator that allegedly stole $200M from US victims
  • Metacurity: US sanctions Filipino firm for pig butchering scams that cost Americans $200 million
  • DataBreaches.Net: U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • www.chainalysis.com: Chainalysis: OFAC Sanctions Funnull Technology Inc. for Supporting Pig Butchering Scams
  • www.silentpush.com: U.S. Treasury Sanctions FUNNULL CDN, FBI Issues Advisory Warning Against Major Cyber Scam Facilitator

@WhatIs //
A cyberattack struck Covenant Health on Monday, May 26, 2025, disrupting operations at St. Joseph Hospitals in Bangor, Maine, and Nashua, New Hampshire, as well as St. Mary’s Health System and Community Clinics in Lewiston, Maine. The healthcare provider, a Catholic-based nonprofit serving New England and parts of Pennsylvania, was forced to shut down all data systems across its hospitals, clinics, and provider practices as a protective measure against the "cyber incident initiated by an outside group." This action has impacted access to electronic records, appointment scheduling, and internal communications, leading to connectivity issues throughout the organization.

The cyberattack has led to significant operational disruptions at the affected facilities. In both Bangor and Nashua, ambulance services have been diverted, and diagnostic scans have been redirected to other locations. Patients have reported difficulties in refilling prescriptions, and outpatient lab services at St. Joseph Hospital in Nashua are now only available on the main hospital campus with a physical order in hand. Staff are working under modified procedures to maintain patient care amidst the system outages. The hospitals have posted notices on their websites acknowledging the disruptions and assuring the public that teams are working to restore full services as quickly as possible.

Covenant Health spokesperson Karen Sullivan confirmed that cybersecurity experts have been engaged to investigate the breach and assist in restoring system functionality. While a timeline for full restoration has not been provided, the organization emphasizes that patient care remains a priority. Cybersecurity analysts are warning that medical institutions are increasingly vulnerable to cyberattacks due to the high value of patient data on illicit markets, stressing the urgent need for enhanced digital defenses across the healthcare sector. The incident is currently under investigation, and updates will be provided as more information becomes available.

References :
  • DataBreaches.Net: Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • The Dysruption Hub: Cyberattack Disrupts Operations at St. Joseph Hospitals in Maine and New Hampshire
  • WhatIs: Covenant Health cyberattack disrupts New England hospitals

info@thehackernews.com (The@The Hacker News //
A new Windows Remote Access Trojan (RAT) has been discovered that employs a novel technique to evade detection. The malware corrupts its own DOS and PE headers, making it significantly more difficult for security tools to analyze and reconstruct the malicious code. This method obstructs forensic analysis and allows the RAT to operate stealthily on compromised Windows machines for extended periods, in some cases for weeks, before being detected. The FortiGuard Incident Response Team conducted a detailed investigation into this malware.

The Fortinet team managed to obtain a memory dump of the live malware process (dllhost.exe process PID 8200) and a complete 33GB memory dump of the compromised system. By meticulously replicating the compromised environment, they were able to revive the dumped malware in a controlled setting. This allowed them to observe its operations and communication patterns. The researchers had to manually identify the malware's entry point, allocate memory, and resolve API addresses through debugging, address relocation, and parameter adjustments to emulate the malware's behaviour in a lab setting.

Once operational, the malware was found to communicate with a command-and-control (C2) server at rushpapers[.]com over port 443, utilizing TLS encryption. Fortinet analysts identified the malware's use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic, along with an additional layer of custom encryption. Analysis confirms that the malware is a RAT, allowing attackers to capture screenshots, manipulate system services, and establish connections with other clients.

References :
  • ciso2ciso.com: New Malware Spotted Corrupts Its Own Headers to Block Analysis – Source:hackread.com
  • hackread.com: New Windows Malware Spotted Corrupts Its Own Headers to Block Analysis
  • The Hacker News: New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers
  • ciso2ciso.com: The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks.

@www.trustwave.com //
Trustwave researchers have uncovered a large-scale phishing campaign where the Dadsec hacker group is exploiting the Tycoon2FA infrastructure to steal Office365 credentials. The Dadsec group, also known as Storm-1575, operates a Phishing-as-a-Service (PhaaS) platform and has been leveraging Tycoon2FA to target Microsoft 365 users since at least September 2023. This campaign demonstrates an evolution in phishing tactics, blending advanced evasion techniques with shared infrastructure, indicating a coordinated PhaaS ecosystem.

Recent investigations reveal a technical and operational overlap between Dadsec and Tycoon2FA, suggesting a convergence of methods. These campaigns typically lure victims with fake shared documents or urgent notifications that redirect them to carefully crafted phishing sites mimicking Microsoft's Office365 login page. The attacks employ advanced adversary-in-the-middle (AiTM) techniques, enabling attackers to intercept authentication flows, capture credentials, and bypass multi-factor authentication (MFA) protections by stealing session cookies.

Detailed analysis reveals that domains used in both Dadsec and Tycoon2FA campaigns consistently employ infrastructure traceable to shared Autonomous System Numbers, notably AS19871. These domains, often featuring randomized alphanumeric strings and common top-level domains such as .RU, host custom PHP scripts like "res444.php," "cllascio.php," and ".000.php" integral to payload delivery. The Tycoon2FA kit is believed to be a direct evolution or clone of Dadsec, demonstrating a high degree of technical sophistication, using layered obfuscation and Cloudflare Turnstile integration.

References :
  • cyberpress.org: Dadsec Hackers Exploit Tycoon2FA Infrastructure to Harvest Office365 Credentials
  • gbhackers.com: Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials
  • SpiderLabs Blog: PhaaS the Secrets: The Hidden Ties Between Tycoon2FA and Dadsec's Operations

@securityonline.info //
Multiple local vulnerabilities have been discovered in the Kea DHCP server suite, impacting default installations on Linux and BSD distributions. A report by the SUSE Security Team highlighted these flaws during a routine code review, before the system was due to ship in their products. Among the issues is a critical local root exploit that allows an unprivileged user to inject a hook library, leading to arbitrary code execution with root privileges. Other vulnerabilities include the ability to overwrite configuration files via the config-write command, as well as hash denial-of-service issues.

The set-config REST API command presents a significant security risk, as it grants complete control over the configuration of the kea-ctrl-agent and individual Kea services. This control allows for a trivial local privilege escalation by configuring a hook library accessible to an unprivileged user. The vulnerabilities were found in Kea release 2.6.1, but it is believed that older releases are also affected. The report also details seven security issues including local-privilege-escalation and arbitrary file overwrite vulnerabilities.

The Internet Systems Consortium (ISC) has addressed these vulnerabilities by releasing security fixes in all currently supported release series of Kea: 2.4.2, 2.6.3, and 2.7.9. These updates were made available on May 28, 2025, and users are strongly advised to update their Kea DHCP server installations immediately. CVE numbers CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 have been assigned to the vulnerabilities, with some CVEs covering multiple security flaws.


Editor-In-Chief, BitDegree@bitdegree.org //
The BitMEX cryptocurrency exchange has successfully thwarted an intrusion attempt orchestrated by the Lazarus Group, a notorious hacking organization with ties to North Korea. The exchange's security team detected the attack, preventing any compromise of their systems. In a significant countermove, BitMEX's security team managed to access one of the Lazarus Group's servers, providing valuable insights into their operations and tactics.

Researchers at BitMEX uncovered critical missteps made by the Lazarus Group during their campaigns, including exposed IP addresses and an accessible database. One key finding involved a rare slip-up where a hacker inadvertently revealed their real IP address, which was traced to Jiaxing, China. This location is near Shanghai and represents a notable lapse in security for the typically secretive group. BitMEX also blocked a phishing attempt linked to the Lazarus Group, where attackers posed as NFT partners on LinkedIn to trick one of its employees.

The Lazarus Group's attack strategy often begins with relatively unsophisticated methods like phishing to gain initial access to targeted systems. In this case, the attackers invited a BitMEX employee to a private GitHub repository containing code for a fake Next.js/React website. The goal was to make the victim run the project, which included malicious code, on their computer. BitMEX emphasized that the "Lazarus Group" comprises multiple hacking teams under the control of the North Korean government, responsible for stealing significant sums of money through various cyberattacks.

References :
  • blog.bitmex.com: The BitMEX cryptocurrency exchange says it detected and stopped an intrusion attempt from North Korean hacking group Lazarus. BitMEX's security team gained access to one of the group's servers and traced one of its operators to Jiaxing, China.
  • bsky.app: The BitMEX cryptocurrency exchange says it detected and stopped an intrusion attempt from North Korean hacking group Lazarus.
  • DataBreaches.Net: Researchers at crypto exchange BitMEX on Friday said that they had uncovered several critical missteps that North Korean state-sponsored hacker group Lazarus had made during its campaigns. Those lapses included exposed IP addresses, an accessible Supabase database, and tracking algorithms.
  • Catalin Cimpanu: BitMEX cryptocurrency exchange says it detected and stopped an intrusion attempt from North Korean hacking group Lazarus. BitMEX's security team gained access to one of the group's servers and traced one of its operators to Jiaxing, China.
  • www.bitdegree.org: BitMEX has blocked a phishing attempt linked to the Lazarus Group, a hacking operation with ties to North Korea.
  • Metacurity: German police ID Trickbot's "Stern," BitMEX thwarts Lazarus Group attack, Shin Bet thwarted 85 Iranian cyberattacks aimed at civilians, Vibe coding app Lovable failed to fix critical flaw, China's quantum satellite Micius has a security flaw, Russia's Unit 29155 has a hacker team, much more

@blog.checkpoint.com //
Microsoft has revealed that Lumma Stealer malware has infected over 394,000 Windows computers across the globe. This data-stealing malware has been actively employed by financially motivated threat actors targeting various industries. Microsoft Threat Intelligence has been tracking the growth and increasing sophistication of Lumma Stealer for over a year, highlighting its persistent threat in the cyber landscape. The malware is designed to harvest sensitive information from infected systems, posing a significant risk to users and organizations alike.

Microsoft, in collaboration with industry partners and international law enforcement, has taken action to disrupt the infrastructure supporting Lumma Stealer. However, the developers behind the malware are reportedly making significant efforts to restore servers and bring the operation back online, indicating the tenacity of the threat. Despite these efforts, security researchers note that the Lumma Stealer operation has suffered reputational damage, potentially making it harder to regain trust among cybercriminals.

In related news, a new Rust-based information stealer called EDDIESTEALER is actively spreading through fake CAPTCHA campaigns, using the ClickFix social engineering tactic to trick users into running malicious PowerShell scripts. EDDIESTEALER targets crypto wallets, browser data, and credentials, demonstrating a continued trend of malware developers utilizing Rust for its enhanced stealth and stability. These developments underscore the importance of vigilance and robust cybersecurity practices to protect against evolving malware threats.

References:
  • www.microsoft.com: Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
  • Catalin Cimpanu: Mastodon: The developers of the Lumma Stealer malware are making significant efforts to restore servers and return online.

@www.microsoft.com //
References: www.microsoft.com
Microsoft is aggressively integrating artificial intelligence across its products and services, striving to revolutionize the user experience. The company is focused on developing agentic systems that can work independently, proactively identify problems, suggest solutions, and maintain context across interactions. Microsoft envisions a future where AI agents will augment and amplify organizational capabilities, leading to significant transformations in various fields. To facilitate secure and flexible interactions, Microsoft is employing Model Context Protocol (MCP) to enable AI models to interact with external services.

As AI agents become more sophisticated and integrated into business processes, Microsoft recognizes the importance of evolving identity standards. The company is actively working on robust mechanisms to ensure agents can securely access data and act across connected systems, including APIs, code repositories, and enterprise systems. Microsoft emphasizes that industry collaboration on identity standards is crucial for the safe and effective deployment of AI agents.

To aid organizations in safely adopting AI, Microsoft Deputy CISO Yonatan Zunger shares guidance for efficient implementation and defense against evolving identity attack techniques. Microsoft CVP Charles Lamanna offers an AI adoption playbook, emphasizing the importance of "customer obsession" and "extreme ownership" for both startups and large enterprises navigating the age of AI. Lamanna suggests focusing on a few high-impact AI projects instead of spreading resources thinly across numerous pilots.


@cyberinsider.com //
Mozilla has released Firefox 139 to address a critical security vulnerability within the libvpx video codec encoder. This flaw, identified as a double-free vulnerability, could potentially lead to memory corruption and allow for arbitrary code execution on affected systems. Security experts are urging users to update to the latest version of Firefox immediately to mitigate the risk.

The vulnerability is particularly concerning because it can be exploited with zero interaction, meaning that an attacker could potentially execute malicious code without any user action beyond normal browsing activity. This underscores the importance of applying the patch as soon as possible to prevent potential compromise. The update aims to protect users from remote code execution attacks that could exploit the flaw in the libvpx codec.

The cybersecurity community has highlighted the importance of prioritizing critical patches such as this one to defend against exploitation. This vulnerability demonstrates the persistent threat landscape and the need for constant vigilance in maintaining secure systems. By updating to Firefox 139, users can ensure they are protected against this potentially severe vulnerability.

References:
  • cyberinsider.com: Mozilla Patches Critical libvpx Double-Free Vulnerability in Firefox 139
  • securityonline.info: Firefox Alert: Zero-Interaction Exploit in libvpx Allows Arbitrary Code Execution