Power doesn’t just disappear in one big breach. It slips away in the small stuff—a patch that’s missed, a setting that’s wrong, a system no one is watching. Security usually doesn’t fail all at once; it breaks slowly, then suddenly. Staying safe isn’t about knowing everything—it’s about acting fast and clear before problems pile up. Clarity keeps control. Hesitation creates risk.
Here are this week’s signals—each one pointing to where action matters most.
⚡ Threat of the Week
Ghost Tap NFC-Based Mobile Fraud Takes Off — A new Android trojan called PhantomCard has become the latest malware to abuse near-field communication (NFC) to conduct relay attacks for facilitating fraudulent transactions in attacks targeting banking customers in Brazil. In these attacks, users who end up installing the malicious apps are instructed to place their credit/debit card on the back of the phone to begin the verification process, only for the card data to be sent to an attacker-controlled NFC relay server. The stolen card details are passed on to money mules who link the information to contactless payment systems like Apple Pay or Google Pay in person to obtain physical goods.
🔔 Top News
- Two N-able N-central Flaws Exploited in the Wild — Two security flaws impacting N-able N-central have come under active exploitation in the wild. The flaws, CVE-2025-8875 and CVE-2025-8876, allow command execution and command injection, respectively. The issues have been addressed in N-central versions 2025.3.1 and 2024.6 HF2 released on August 13, 2025. N-able is also urging customers to make sure that multi-factor authentication (MFA) is enabled, particularly for admin accounts.
- New ‘Curly COMrades’ APT Targets Georgia and Moldova — A previously undocumented threat actor dubbed Curly COMrades has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign designed to facilitate long-term access to target networks. The activity, tracked by the Romanian cybersecurity company since mid-2024, has singled out judicial and government bodies in Georgia, as well as an energy distribution company in Moldova. Curly COMrades is assessed to be operating with goals that are aligned with Russia’s geopolitical strategy. It gets its name from its heavy reliance on the curl utility for command-and-control (C2) and data transfer, and from its hijacking of Component Object Model (COM) objects. Persistent access to the infected endpoints is accomplished by means of a bespoke backdoor called MucorAgent.
- XZ Utils Backdoor Found in Dozens of Docker Hub Images — Several Docker images built around the time of the XZ Utils compromise contain the backdoor, and some of them are still available via the container image library Docker Hub. Binarly said it identified 35 Debian images on Docker Hub that embedded the backdoor: 12 first-order images and 23 second-order images built on top of them. The main takeaway is that users should only rely on up-to-date images. The findings are a sign that traces of the supply chain threat remain more than a year after the incident came to light.
- U.S. Expands Sanctions on Garantex — The U.S. Treasury Department sanctioned Russian cryptocurrency exchange Garantex, its successor Grinex, and related affiliates as part of continued efforts by the government to halt the flow of ransomware proceeds facilitated by the platforms. Garantex is estimated to have processed more than $100 million in transactions linked to illicit activities since 2019. “Digital assets play a crucial role in global innovation and economic development, and the United States will not tolerate abuse of this industry to support cybercrime and sanctions evasion,” the Treasury Department said.
- EncryptHub Continues to Exploit Windows Flaw for Stealer Attacks — The Russia-aligned threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads, including a stealer called Fickle Stealer. The campaign combines social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger the infection routine via a rogue Microsoft Console (MSC) file.
- ShinyHunters and Scattered Spider Join Forces — ShinyHunters and Scattered Spider appear to be working together to carry out financially motivated attacks, including those targeting Salesforce customers. This includes the adoption of tactics that mirror those of Scattered Spider, such as highly targeted vishing (aka voice phishing) and social engineering attacks, leveraging apps that masquerade as legitimate tools, employing Okta-themed phishing pages to trick victims into entering credentials during vishing, and VPN obfuscation for data exfiltration.
🔥 Trending CVEs
Hackers don’t wait—they strike within hours of a flaw being exposed. A missed patch, a hidden bug, or even a single overlooked CVE is enough to hand them the keys. What starts as “just one gap” can escalate into disruption, theft, or compromise before defenders even realize it’s happening. Below are this week’s high-risk vulnerabilities. Review them, patch quickly, and stay ahead before someone else makes the first move.
This week’s list includes — CVE-2025-20265 (Cisco Secure Firewall Management Center), CVE-2025-8671 (HTTP/2), CVE-2025-8875, CVE-2025-8876 (N-able N-central), CVE-2025-25256 (Fortinet FortiSIEM), CVE-2025-53779 (Microsoft Windows), CVE-2025-49457 (Zoom Clients for Windows), CVE-2025-8355, CVE-2025-8356 (Xerox FreeFlow Core), CVE-2024-42512, CVE-2024-42513, CVE-2025-1468 (OPC UA .NET Standard Stack), CVE-2025-42950, CVE-2025-42957 (SAP), CVE-2025-54472 (Apache bRPC), CVE-2025-5456, CVE-2025-5462 (Ivanti Connect Secure), CVE-2025-53652 (Jenkins), CVE-2025-49090, CVE-2025-54315 (Matrix), CVE-2025-52970 (Fortinet FortiWeb), CVE-2025-7384 (Database for Contact Form 7, WPforms, Elementor forms plugin), CVE-2025-53773 (GitHub Copilot), CVE-2025-6186, CVE-2025-7739, CVE-2025-7734 (GitLab), CVE-2025-8341 (Grafana Infinity Datasource Plugin), CVE-2025-47227, CVE-2025-47228 (ScriptCase), CVE-2025-30404, CVE-2025-30405, CVE-2025-54949, CVE-2025-54950, CVE-2025-54951, CVE-2025-54952 (Meta ExecuTorch), CVE-2025-55154, and CVE-2025-55004 (ImageMagick).
📰 Around the Cyber World
- Flaws in ZTNA Software — Cybersecurity researchers have discovered multiple security flaws impacting Zero Trust Network Access (ZTNA) solutions from Zscaler (CVE-2025-54982), Netskope, and Check Point Perimeter 81 that could be abused by attackers to escalate privileges on end-user devices and to completely bypass authentication, granting access to internal resources as any user. The findings follow the discovery of critical weaknesses in Cato Networks’ Cato client, including one that could allow an attacker to gain full administrative control of a user’s device simply by having the user visit a malicious web page.
- Google Addresses Promptware Attack — Google has remediated a serious security issue that allowed maliciously crafted Google Calendar invites to remotely take over Gemini agents running on the target’s device, leak sensitive user data, and hijack control of smart home systems. The targeted promptware attack is initiated simply by an attacker sending the victim a Google Calendar invite whose title contains an indirect prompt injection. When Google’s flagship AI chatbot is asked to summarize its upcoming calendar events, those dormant instructions are triggered, causing havoc in the physical environment, such as remotely controlling a victim’s home appliances. The attacks employ an approach called delayed automatic tool invocation to get around Google’s existing safety measures. They also demonstrate a potential side effect of Gemini’s broad permissions to take actions across the Google ecosystem. “As a result, we were able to hijack the application context, invoke its integrated agents, and exploit their permissions to perform a shocking range of malicious activities — including identifying the victim’s location, recording the victim, and even making changes within the victim’s physical environment.” The approach shows that Promptware, a variant of EchoLeak, is capable of performing both inter-agent lateral movement, by triggering malicious activity between different Gemini agents, and inter-app lateral movement, by escaping the boundaries of Gemini and leveraging applications installed on a victim’s smartphone, to perform malicious activities with real-world consequences. The promptware attacks further show that Gemini can be made to send spam links, generate vulgar content, open the Zoom app and start a call, steal email and meeting details from a web browser, and download a file from a smartphone’s web browser. Google has since rolled out fixes like security thought reinforcement to address the issues.
Indirect prompt injections are a more serious AI threat, as the malicious prompt is inserted by an outside source, either embedded within a web page or as white-on-white text in an email that is invisible to the naked eye but can be parsed by AI systems. Addressing prompt injections is a hard problem, since the methods by which LLMs can be tricked are continually evolving while the attack surface is simultaneously getting more complex.
- Matter Adds New Security Features — Matter, a unifying, IP-based connectivity protocol and technical standard for smart home and IoT devices, has received numerous security enhancements in version 1.4.2, including (1) Wi-Fi Only Commissioning, which enables devices to be onboarded to Matter ecosystems over Wi-Fi without requiring Bluetooth Low Energy (LE) radios, (2) Vendor ID (VID) Verification, which allows controllers to cryptographically verify that the Admins installed on a device are genuinely from the vendors they claim, (3) Access Restriction Lists (ARLs), which provide a mechanism to restrict access to sensitive settings and data to only trusted, verified Controllers, and (4) Certificate Revocation Lists (CRLs), which add support for revoking unused or compromised Device Attestation Certificates.
- Smart Buses Can Be Remotely Hacked — Cybersecurity researchers have discovered that Taiwanese smart buses that incorporate various systems to improve safety, efficiency, and passenger experience, such as Advanced Public Transportation Services (APTS) and Advanced Driver Assistance Systems (ADAS), can be remotely hacked. The research showed that it is possible to easily bypass the on-board router’s authentication and gain unauthorized access to its administration interface, and then take over the APTS and ADAS functionality due to a lack of network segmentation. This enables an attacker to leverage the remote access to track the vehicle’s movements, manipulate controls, or access the camera. The vulnerabilities impact routers from BEC Technologies, which are commonly installed on smart buses in Taiwan.
- Cmimai Stealer Spotted in the Wild — A new Visual Basic Script (VBS) stealer malware called Cmimai Stealer has been observed in the wild since June 2025, employing capabilities to harvest a wide range of information from infected hosts and exfiltrating the data using a Discord webhook. “It is lightweight and lacks advanced features like persistence on system restart, encrypted communication, and credential theft; perhaps by design,” K7 Security said. “Although it is collecting browser data and screenshots, making us classify it as an Infostealer, it can be used for the dual purpose as a Stealer and also as a second-stage reconnaissance tool used for strategizing further future attacks.”
- Windows Hello or Windows Hell No? — Cybersecurity researchers have presented a novel attack targeting Windows Hello for Business (WHfB) that leverages the storage subsystem of the biometric unit in order to conduct bypass attacks. Essentially, the attack can facilitate biometric injection from another computer that would compromise biometric authentication, granting access to any face or fingerprint submitted. ERNW Research demonstrated that a local admin, or someone who has access to their credentials via malware or other means, can inject biometric information into a computer that would allow it to recognize any face or fingerprint. While the biometric templates are “encrypted,” a local administrator can exchange biometric features in the database, allowing authentication as any user already enrolled in the targeted system, including the possibility to make a lateral movement by usurping a domain administrator. Microsoft’s Enhanced Sign-in Security (ESS), which operates at a higher hypervisor virtual trust level (VTL1), blocks this line of attack.
- Securam Prologic Lock Flaws Disclosed — Researchers James Rowley and Mark Omo managed to discover a “backdoor” intended to let authorized locksmiths open Securam Prologic locks used in Liberty Safe and seven other brands. In addition, they discovered a way for a hacker to exploit that backdoor—intended to be accessible only with the manufacturer’s help—to open a safe on their own in seconds, as well as found another security vulnerability in many newer versions of Securam’s locks that would allow a bad actor to insert a tool into a hidden port in the lock and instantly obtain a safe’s unlock code, WIRED reported. Securam is expected to fix the issues in future models of the ProLogic lock.
- UAC Bypass via eudcedit.exe — An inventive User Account Control (UAC) bypass method exploits Windows’ built-in Private Character Editor (“eudcedit.exe”), allowing attackers to gain elevated privileges without user consent. The technique once again highlights how legitimate Windows utilities can be weaponized to circumvent critical security mechanisms. “If eudcedit.exe is executed under a user context that already belongs to the Administrators group, and UAC is configured permissively (e.g., ‘Elevate without prompting’), Windows will launch it immediately with high integrity, without showing a UAC dialog,” security researcher Matan Bahar said.
- Information Leak in Multi-User Linux Environments — New research has demonstrated how basic Linux commands like “ps auxww” can be weaponized to extract database credentials, API keys, and administrative passwords in multi-user Linux environments, “without ever escalating privileges or exploiting a single bug,” according to Ionut Cernica.
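A defender-side audit of the exposure described above, added here as an example (it is not code from the cited research or the original post): it parses `ps auxww` output, a constructed sample in this case, and reports every process whose command line carries a credential, masking the value so the report itself does not leak it.

```python
import os
import re
import subprocess

# Constructed sample of `ps auxww` output (not from the cited research). The COMMAND
# column is everything after the tenth whitespace-separated field.
SAMPLE_PS_OUTPUT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   10:01   0:02 /sbin/init
app        812  0.3  1.2 512000 98000 ?        Sl   10:05   1:10 /usr/bin/python3 worker.py --db-url postgres://app:Hunter2@db.internal:5432/prod
dba        944  0.1  0.5 220000 40000 pts/0    S+   10:07   0:00 mysql -u root -pS3cretRootPw -h db.internal
ci        1021  0.0  0.3 180000 25000 ?        S    10:09   0:00 curl -H Authorization: Bearer eyJhbGciOi.example.token https://api.internal/deploy
web       1210  0.0  0.4 300000 35000 ?        S    10:11   0:00 env DB_PASSWORD=Winter2025! gunicorn app:app
ops       1302  0.0  0.2 150000 20000 ?        S    10:12   0:00 /usr/bin/ssh -i /home/ops/.ssh/id_ed25519 bastion
backup    1410  0.0  0.3 200000 30000 ?        S    10:13   0:00 /usr/bin/mysqldump --user=backup --password=Bkp2025pw --all-databases
"""

# Each rule: (label, compiled regex whose group 1 is the secret value).
# The mysql "-pPASSWORD" shorthand is checked separately because "-p" means a port for ssh.
GENERIC_RULES = [
    ("option value",
     re.compile(r"(?i)(?<!\S)--?(?:password|passwd|pwd|token|api[-_]?key|access[-_]?key|secret)(?:=|\s+)(\S+)")),
    ("URL-embedded credential",
     re.compile(r"\w+://[^\s/:@]+:([^\s@]+)@")),
    ("bearer token",
     re.compile(r"(?i)\bBearer\s+(\S+)")),
    ("VAR=value assignment",
     re.compile(r"(?<!\S)[A-Z][A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|KEY)=(\S+)")),
]
MYSQL_CLIENTS = {"mysql", "mysqldump", "mysqladmin", "mariadb"}
MYSQL_INLINE_PW = re.compile(r"(?<=\s)-p(\S+)")


def mask(secret):
    """Keep two characters so an operator can recognise the value without logging it."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 4 else "****"


def find_exposed_secrets(ps_text):
    """One finding per credential visible in a process's argv, which any local user can read."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue  # header line or truncated row
        user, pid, argv = fields[0], int(fields[1]), fields[10]
        rules = list(GENERIC_RULES)
        if os.path.basename(argv.split()[0]) in MYSQL_CLIENTS:
            rules.append(("mysql -p shorthand", MYSQL_INLINE_PW))
        for label, rx in rules:
            for m in rx.finditer(argv):
                findings.append({"user": user, "pid": pid, "kind": label, "masked": mask(m.group(1))})
    return findings


def scan_live_host():
    """Audit the current host during a hardening review; fix hits by moving secrets to
    owner-only config files or the process environment, which ps does not display."""
    out = subprocess.run(["ps", "auxww"], capture_output=True, text=True, check=True).stdout
    return find_exposed_secrets(out)


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_PS_OUTPUT):
        print(f"{f['user']:<8} pid={f['pid']:<6} {f['kind']}: {f['masked']}")
```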
- Privacy Leaks Via Siri — Privacy issues have been uncovered in Apple Siri, finding the chat assistant transmits metadata about installed and active open apps, as well as audio playback metadata (e.g., recording names) without the user’s ability to control these privacy settings or their consent. What’s more, messages dictated via Siri to apps like iMessage and WhatsApp are sent to Apple’s servers, along with the recipient phone number and other identifiers. The issues have been codenamed AppleStorm by Lumia Security. Apple said the behavior stemmed from third-party services’ use of SiriKit, its extension system for integrating external apps with Siri.
- OAuth Apps as a Privilege Escalation Tool — Malicious OAuth applications could be used to escalate privileges or move laterally within a target environment. That’s according to findings from Praetorian, which has open-sourced a red teaming tool called OAuthSeeker that performs phishing attacks using malicious OAuth applications to compromise user identities within Microsoft Azure and Office365. “It is possible for external verified or internal unverified applications to request user_impersonation privileges within Microsoft Azure, which then allows the attacker to impersonate the user to cloud computing resources within Microsoft Azure, such as accessing compute infrastructure, such as virtual machines,” Praetorian said. “Operators can leverage OAuthSeeker for both gaining initial access into an environment, for lateral movement after obtaining initial access, and for persistence purposes after compromising an account leveraging other methods.”
- Fake Minecraft Setup Leads to NjRAT — A new malware campaign has been observed using fake Minecraft installers or mods to distribute a remote access trojan called NjRAT. “It is written in .NET and allows attackers to fully control infected machines remotely, making it one of the most popular and persistent malware families used in cyber espionage, cybercrime, and surveillance operations,” Point Wild said. The disclosure comes as the cybersecurity company detailed the inner workings of another RAT called Sakula RAT that has been employed in targeted intrusions since at least 2012. Besides harvesting sensitive data, the malware can connect to a command-and-control (C2) server to receive instructions from the attacker to run arbitrary commands and download additional payloads.
- Israel Targeted by PowerShell RAT Using ClickFix — Speaking of RATs, multiple Israeli organizations have been targeted by spear-phishing attacks that direct users to fake landing pages mimicking Microsoft Teams invites, while using ClickFix-like lures to trick recipients into launching PowerShell commands under the guise of joining the conversation. The command initiates the retrieval and execution of a secondary PowerShell script from the attacker’s server, which, in turn, acts as a loader for a PowerShell remote access trojan that can run PowerShell commands from the C2 and run more malware. “The adversary leveraged compromised internal email infrastructure to distribute phishing messages across the regional business landscape,” Fortinet said. “The attacker systematically compromised multiple Israeli companies over several consecutive days, using each breached environment as a launchpad to target additional organizations in the region. This tactic closely mirrors MuddyWater’s typical approach to lateral expansion.” The absence of remote monitoring and management (RMM) tools, a hallmark of MuddyWater’s attacks, indicates a tactical deviation. The disclosure came as Profero said it cracked the encryption of the DarkBit (aka Storm-1084) ransomware gang’s encryptors, allowing victims to recover files for free without paying a ransom. DarkBit is assessed to share overlaps with MuddyWater. The decrypter exploits a weak key generation algorithm used by the DarkBit group to brute-force the decryption key.
- Kimsuky Allegedly Suffers Data Breach — The North Korean state-sponsored hackers known as Kimsuky have reportedly suffered a data breach after a pair of hackers, named Saber and cyb0rg, stole the group’s data and leaked it publicly online. “Kimsuky, you are not a hacker. You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda,” the hackers remarked in an analysis published in the latest issue of Phrack magazine. “You steal from others and favour your own. You value yourself above the others: You are morally perverted.” Among the leaked data are Kimsuky’s backend, exposing hacking tools, email addresses, internal manuals, and passwords that could provide insight into unknown campaigns and undocumented compromises. Saber and cyb0rg claim to have found evidence of Kimsuky compromising several South Korean government networks and companies. The files also include the group’s Android Toybox modifications and use of exploits like Bushfire. Another program is a Loadable Kernel Module (LKM) style rootkit with the ability to hide from detection and operate on any network port. “The main purpose of the rootkit is to create a persistent and stealthy backdoor,” Sandfly Security said. “The backdoor is activated when a special magic packet is received, combined with a correct password to initiate an SSL connection. The backdoor can be activated on any port. This is important to understand because a firewall alone may not protect the target system. If the magic packet is able to hit the victim, then the backdoor may be activated.” The tranche of data is said to have originated from a virtual workstation and virtual private server (VPS) used by the threat actor. That said, indications are that the dumps may have originated from a likely Chinese actor who has knowledge of Kimsuky’s tradecraft.
- 2 Founders of Samourai Wallet Plead Guilty to Money Laundering — Two senior executives and founders of the Samourai Wallet cryptocurrency mixer have pleaded guilty to charges involving washing more than $200 million worth of crypto assets from criminal proceeds and concealing the nature of illicit transactions using services like Whirlpool and Ricochet. Samourai CEO Keonne Rodriguez and CTO William Lonergan Hill were arrested last year after the U.S. Federal Bureau of Investigation (FBI) took down their service. As part of their plea agreements, Rodriguez and Hill have also agreed to forfeit $237,832,360.55. “The defendants created and operated a cryptocurrency mixing service that they knew enabled criminals to wash millions in dirty money, including proceeds from cryptocurrency thefts, drug trafficking operations, and fraud schemes,” the U.S. Department of Justice (DoJ) said. “They did not just facilitate this illicit movement of money, but also encouraged it.”
- Tornado Cash Founder Convicted of Operating a Money Transmitting Business — Roman Storm, a co-founder of the cryptocurrency mixing service Tornado Cash, was found guilty of conspiring to operate an unlicensed money-transmitting business. However, the jury failed to reach a verdict on the more significant charges of conspiracy to commit money laundering and to violate sanctions. “Roman Storm and Tornado Cash provided a service for North Korean hackers and other criminals to move and hide more than $1 billion of dirty money,” the DoJ said. Storm is set to be sentenced later this year and faces a maximum prison sentence of five years. The development came as the U.S. Treasury Department dropped its appeal against a court ruling that forced it to lift sanctions against Tornado Cash last month. Tornado Cash was delisted from the Specially Designated Nationals and Blocked Persons (SDN) list earlier this March. The service was sanctioned in 2022 for its alleged links to cybercriminals and for having “repeatedly failed to impose effective controls” to prevent money laundering.
- India’s UPI to Stop P2P Money Requests to Tackle Fraud — The National Payments Corporation of India (NPCI) announced it will discontinue the person-to-person (P2P) Collect Request feature from the country’s instant payment system, Unified Payments Interface (UPI), starting October 1, 2025, aiming to strengthen security and prevent payment-related fraud. The feature allows users to request money from another individual via UPI, but has been misused by fraudsters by sending fake money transfer requests that can be inadvertently approved by a simple tap, thereby tricking unwitting users into authorizing payments. The change, however, does not apply to merchants.
- Microsoft Plans to Block Dangerous File Types in Teams — Microsoft revealed it’s planning to block dangerous file types and malicious URLs in Teams chats and channels. “Microsoft Teams now blocks messages containing weaponizable file types, such as executables, in chats and channels, increasing protection against malware and other file-based attacks,” the company said. “Microsoft Teams can now detect and warn users on malicious URLs sent in Teams chat and channels, increasing protection against malware attacks.” Separately, the tech giant said it’s also integrating Teams with Defender for Office 365 Tenant Allow/Block List to allow administrators to centrally manage blocked external domains in Teams.
- USB Worm Delivers Crypto Miner — A USB-based worm is being used to deliver the XMRig cryptocurrency miner as part of a global campaign targeting financial, education, healthcare, manufacturing, telecom, and oil and gas sectors in Australia, India, the U.S., and other countries. “The infection starts with execution of a VB script file from a USB drive (using a file name that starts with x and random 6 digits) from a folder named ‘rootdir’,” CyberProof said. The attack chain subsequently leverages DLL side-loading techniques to launch a malicious DLL that’s responsible for starting the mining process. In a related development, Russian companies have become the target of the Kinsing (aka H2Miner and Resourceful Wolf) cryptojacking group as part of large-scale attacks that brute-force SSH instances or scan internet-exposed servers for known vulnerabilities (e.g., CVE-2017-9841) in order to drop the Monero cryptocurrency miner.
- SMM Flaws in AMI Aptio UEFI Firmware — System Management Mode (SMM) memory corruption vulnerabilities (CVE-2025-33043) have been identified in UEFI modules present in AMI Aptio UEFI firmware that could be exploited by an attacker to elevate privileges and execute arbitrary code in the highly privileged SMM environment. “This could bypass certain firmware-level protections, such as those protecting the SPI flash memory, and enable persistent modifications to the firmware that operate independently of the OS,” CERT Coordination Center (CERT/CC) said.
- Former Intel Engineer Sentenced to 2 Years of Probation for Stealing Trade Secrets — An engineer who stole trade secrets from Intel and shared them with his new employer, Microsoft, was sentenced to two years of probation and ordered to pay a fine of more than $34,000. Varun Gupta was employed at Intel from July 2010 to January 2020, when he secured his new job at Microsoft. Gupta pleaded guilty to possessing trade secrets back in February 2025. “Between February and July 2020, while employed by the company in Washington, Gupta possessed and accessed his previous employer’s trade secrets and proprietary information without authorization,” the Justice Department noted at the time. “Gupta accessed information related to customized product design and pricing for significant purchases of computer processors, which Gupta used, as a representative of the Washington company, during head-to-head negotiations with his previous employer.” He was sued by Intel in early 2021.
- GitHub Repositories Deliver Stealer Malware — GitHub repositories disguised as legitimate projects, including game cheats, software cracks, and automation tools, have been used to distribute a malware loader called SmartLoader. It’s believed that users searching for such tools on search engines are the target of the campaign. The loader acts as a conduit for the Rhadamanthys information stealer malware, which is retrieved from a remote server. Users who search for tools to download YouTube videos for free have also been found to be served fake sites like YTMP4, where those who enter a video URL are displayed a “Download Now” button that drops DigitalPulse proxyware on the victim’s host by means of an executable hosted on GitHub. In a separate campaign, Facebook ads are being used to redirect users to fake landing pages that aim to deceive users into installing phony versions of cryptocurrency exchange apps like Binance that contain malware. The activity overlaps with a threat cluster dubbed WEEVILPROXY.
- Phishing Attacks Use Personalized Subject Lines and Links — Phishing attacks have been observed crafting personalized subject lines, attachment names, and embedded links to create a sense of familiarity or urgency and increase the likelihood that recipients engage with the email messages. “This strategy is not limited to the subject line; it is often extended to the email attachments, links, and message body,” Cofense said. “By including customized elements, attackers aim to increase the likelihood of a successful compromise.” These subject customization campaigns, bearing Travel Assistance, Response, Finance, Taxes, and Notification-themed emails, have been found to deliver remote access trojans and information stealers. Finance-themed campaigns predominantly deliver jRAT, a cross-platform Remote Access Trojan written in Java that enables multi-operating system compatibility, whereas response-themed emails frequently serve PikaBot malware.
- Google pKVM Achieves SESIP Level 5 Certification — Google announced that its protected Kernel-based Virtual Machine (pKVM) for Android has achieved SESIP Level 5 certification, the highest security assurance level for IoT and mobile platforms. “This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar,” Google said. “This includes vital features, such as on-device AI workloads that can operate on ultra-personalized data, with the highest assurances of privacy and integrity.”
- 81% of Organizations Knowingly Ship Vulnerable Code — While 98% of organizations experienced breaches due to vulnerable code, 81% knowingly shipped that code, often to meet business goals. “Under pressure to deliver, teams are treating patch-later practices as acceptable risk, embedding insecurity into the SDLC,” Checkmarx said in its Future of AppSec report. The report is based on a survey of 1,500 application security leaders. Half of the respondents already use AI security code assistants, and 34% admitted that more than 60% of their code is generated using artificial intelligence (AI) tools.
- Pakistani Entities Targeted by Blue Locker Ransomware — Pakistan’s National Cyber Emergency Response Team (NCERT) issued an alert warning of Blue Locker ransomware attacks targeting the oil and gas sector. The ransomware, believed to be connected to the Shinra malware family, is distributed via a PowerShell-based loader that attempts to disable security defenses, escalate privileges, and launch its main payload. Phishing emails, malicious attachments, drive-by downloads, and insecure remote access are some of the initial access routes used by the threat actors behind the operation. “The motive behind these events may vary, but it is unlikely that a traditional cybercriminal organization is responsible; instead, it is more probable that a nation-state group is attacking critical infrastructure,” Resecurity said. “Very often, advanced actors operate under the guise of cybercrime to blur attribution and avoid geopolitical context.” The disclosure came as Huntress detailed a KawaLocker (aka KAWA4096) ransomware incident that involved the attackers accessing a victim’s endpoint via Remote Desktop Protocol (RDP) using a compromised account, followed by disabling security tools using kernel drivers and then dropping the locker.
- Phishing Campaign Uses “ん” as a URL Forward Slash — A Booking.com-themed phishing campaign has been observed using the Unicode character “ん” in URLs as a substitute for forward slashes when rendered in a web browser to trick unsuspecting users into running malicious MSI installers that are likely capable of delivering additional malware.
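The trick works because “ん” is just another hostname character to a URL parser, so everything the victim reads as a path is still part of the attacker’s host. The checker below is an added example (not code from the campaign report) that shows how a URL really parses versus how it is read, using a constructed sample with the placeholder domain attacker-cdn.test; the other three slash look-alikes in the set are an addition beyond the one character the campaign used.

```python
import unicodedata
from urllib.parse import urlsplit

# Code points that read like "/" but are plain hostname characters to a URL parser.
# U+3093 is the one the campaign used; the other three are added here as further
# slash look-alikes a defender would also want flagged.
SLASH_LOOKALIKES = {"\u3093", "\u2044", "\u2215", "\uff0f"}


def inspect_url(url):
    """Describe how a URL's host really parses versus how a victim reads it."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # urlsplit itself rejects netlocs whose NFKC form gains a delimiter (e.g. U+FF0F -> "/").
        return {"url": url, "verdict": "rejected", "reason": str(exc)}
    host = parts.hostname or ""
    hits = [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(host) if c in SLASH_LOOKALIKES or ord(c) > 0x7F]
    # The brand the victim "sees" is the text before the first fake separator;
    # the domain that actually resolves is the last two labels of the real host.
    cut = min((i for i, c in enumerate(host) if c in SLASH_LOOKALIKES), default=len(host))
    labels = host.split(".")
    try:
        punycode = host.encode("idna").decode("ascii")  # what DNS will be asked for
    except UnicodeError:
        punycode = None
    return {
        "url": url,
        "real_host": host,
        "apparent_host": host[:cut],
        "registrable_tail": ".".join(labels[-2:]),
        "non_ascii": hits,
        "punycode": punycode,
        "verdict": "suspicious" if hits else "clean",
    }


# Constructed sample in the campaign's style; "attacker-cdn.test" is a placeholder domain.
SAMPLE_URL = "https://admin.example.com\u3093login\u3093confirm.attacker-cdn.test/"

if __name__ == "__main__":
    for key, val in inspect_url(SAMPLE_URL).items():
        print(f"{key:>16}: {val}")
```

Mail and proxy filters can apply the same rule: any non-ASCII code point in the host label of a link, or a host whose apparent brand differs from its registrable tail, warrants a block or a rewrite.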
- Threat Actors Sell Access to Compromised Law Enforcement Accounts — A flourishing underground economy is enabling unauthorized access to hacked government and law enforcement accounts. These accounts are either compromised through phishing or through information-stealing infections. A single account is available for as little as $40.
- Chrome Tests Blocking Fingerprinting in Incognito Mode — Google’s Chrome team said it’s testing a Script Blocking feature that’s aimed at thwarting scripts engaging in known, prevalent techniques for browser re-identification using browser APIs to extract additional information about the user’s browser or device characteristics. The feature is expected to be shipped in version 140.
- Norway Says Russian Hackers Sabotaged Dam — The Norwegian Police Security Service (PST) said pro-Russian hackers likely sabotaged a dam in the country’s southwest in April 2025. This is the first time officials have publicly linked the incident to Russia. “The aim of this type of operation is to influence and to cause fear and chaos among the general population,” PST said. Exactly who is behind it is presently unknown.
- NIST Finalizes Lightweight Cryptography Standard to Secure IoT Devices — The U.S. National Institute of Standards and Technology (NIST) has completed work on the Ascon cryptographic standard. The standard contains four cryptographic algorithms (ASCON-128 AEAD, ASCON-Hash 256, ASCON-XOF 128, and ASCON-CXOF 128) designed to be used on low-memory IoT devices, as well as RFID tags and medical implants. The agency has been working on the standard since 2023.
- Chinese AI Firm Runs Propaganda Campaigns — The Chinese government is enlisting the help of domestic AI companies to monitor and manipulate public opinion on social media through sophisticated propaganda campaigns. One such company, named GoLaxy, has run influence operations targeting Hong Kong and Taiwan with the help of AI tools. Founded in 2010, it has also used a tool named GoPro to build psychological and data profiles of at least 117 sitting U.S. lawmakers and more than 2,000 other American political and thought leaders. GoLaxy is also believed to be tracking thousands of right-wing influencers and journalists. The company has since attempted to scrub its digital footprint, albeit unsuccessfully. In a statement to The New York Times, GoLaxy said its products are mainly based on open-source data.
🎥 Cybersecurity Webinars
- 5 Hidden Risks in Your Code-to-Cloud Pipeline—And How to Fix Them Fast: Security gaps don’t start in the cloud—they begin in your code. Join us to discover how code-to-cloud visibility unites developers, DevOps, and security teams with one shared map of risk. Learn how to cut noise, speed remediation, and protect your business-critical applications before attackers find the weak link.
- How to Detect the Silent AI Threats Hiding in Your Systems: AI is no longer just a tool—it can act like a rogue insider hiding in plain sight. Join our webinar, Shadow Agents and Silent Threats, to uncover how AI is reshaping identity risks, why traditional defenses aren’t enough, and what you can do now to stay ahead of invisible threats.
- How to Stop Rogue AI Agents Before They Hijack Your Identities and Data: AI Agents are multiplying inside your business faster than most teams can track—slipping into workflows, cloud platforms, and identities without warning. In this exclusive panel, security experts will uncover where Shadow AI hides, the risks they pose, and the practical steps you can take right now to regain control—without slowing innovation.
🔧 Cybersecurity Tools
- Buttercup: It is a Cyber Reasoning System (CRS) built to automatically find and fix vulnerabilities in open-source software. Developed by Trail of Bits for DARPA’s AIxCC program, it combines fuzzing, program analysis, and AI-driven patching to discover security flaws and generate repairs. Designed to work with OSS-Fuzz compatible C and Java projects, Buttercup integrates multiple components—like an orchestrator, fuzzer, and patcher—into a workflow that can test, monitor, and secure code at scale.
- Beelzebub: It is an open-source honeypot framework that provides a controlled environment for studying cyber attacks. It combines low-code configuration with AI-driven simulation to mimic high-interaction systems while maintaining a safer, low-interaction core. Supporting multiple protocols like SSH, HTTP, and TCP, as well as monitoring through Prometheus and ELK integration, Beelzebub helps researchers and defenders observe attacker behavior, test defenses, and analyze emerging threats.
- ExtensionHound: It is a forensic analysis tool designed to trace Chrome extensions’ DNS activity. By correlating network requests with specific extensions, it overcomes Chrome’s default process-level attribution barrier, making it possible to identify which extension generated suspicious queries. With optional integrations for domain reputation (VirusTotal), extension details (Secure Annex), and YARA-based signature detection, ExtensionHound provides investigators with clearer visibility into extension behavior across Windows, macOS, and Linux environments.
Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.
🔒 Tip of the Week
Clipboard Permissions — A Hidden Data Leak Waiting to Happen — Most people think of their clipboard as a harmless convenience — copy some text, paste it where you need it, done. But in modern browsers like Chrome, the clipboard is a shared space between your computer and any website you grant permission to. Once allowed, a site can read whatever is currently in your clipboard — not just what you copied from that site, but from anywhere: your password manager, a PDF, a corporate document, or even secure notes.
The danger isn’t just “technical paranoia” — clipboard access is a known target for attackers because the clipboard crosses the boundary between the browser sandbox and every other application on the machine. If you’ve allowed a site to read your clipboard:
- It can read sensitive data from other apps — (e.g., passwords, personal IDs, bank info) if that data is in your clipboard while the site is open.
- It can read more than what you paste — once permission is granted, a site can read your clipboard whenever its tab has focus; no click, paste, or other interaction is required, and it sees data copied from anywhere, not just from that site.
- It’s silent — there’s no pop-up or alert for each read. You won’t know it’s happening.
For example, say you allow design-tool[.]com to read your clipboard because you want to paste an image directly into the site. Later in the day, you copy:
- A password from your password manager,
- A confidential client email snippet,
- Or a crypto wallet address.
While you’re still working in design-tool[.]com, its code could (maliciously or due to a compromise) send each clipboard read to a remote server — without you ever pressing “paste.”
Unlike a file download or an active microphone, which Chrome surfaces with a visible indicator, a clipboard read shows nothing, and the permission is per-site and persistent. Once allowed, the site can read at will (whenever its tab is focused) until you manually revoke the permission.
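To make the mechanism concrete, here is an added example, not code from the newsletter, of what a page can do once Chrome has granted it clipboard-read. The page-side functions use the real `navigator.permissions` and `navigator.clipboard` APIs, so in a browser you can paste them into the DevTools console on a site to see that site's permission state; the `fakeNavigator` helper is a constructed stand-in so the same logic runs offline under Node. The clipboard contents and event wiring are assumptions for the demonstration.

```javascript
// Added example (not from the newsletter): what a page can do with the
// clipboard-read permission. Runs in a browser console against the real
// navigator, or under Node against the constructed fakeNavigator() below.

// Permission name Chromium uses for reading. Firefox rejects this query
// name with a TypeError, which is why the call is wrapped.
async function clipboardReadState(permissions) {
  try {
    const status = await permissions.query({ name: 'clipboard-read' });
    return status.state; // 'granted' | 'prompt' | 'denied'
  } catch (err) {
    return 'unsupported';
  }
}

// Reads the clipboard only when the permission is already granted, so this
// never triggers the prompt. Nothing here is tied to a paste event or a click:
// in Chrome the only other condition is that the document is focused
// (readText() otherwise rejects with NotAllowedError, "Document is not focused").
async function readIfAlreadyGranted(nav) {
  const state = await clipboardReadState(nav.permissions);
  if (state !== 'granted') return { state, text: null };
  const text = await nav.clipboard.readText();
  return { state, text };
}

// The pattern a page would use to harvest values over time: re-read whenever
// the tab regains focus and keep every distinct value seen. A hostile page
// would forward these to a server; here they are only collected.
// addListener is injected (window.addEventListener in a browser).
function watchClipboard(nav, addListener) {
  const seen = [];
  addListener('focus', async () => {
    const { text } = await readIfAlreadyGranted(nav);
    if (text !== null && !seen.includes(text)) seen.push(text);
  });
  return seen;
}

// Constructed fake navigator so the functions above can run under Node.
function fakeNavigator(state, contents) {
  let reads = 0;
  return {
    permissions: { query: async () => ({ state }) },
    clipboard: { readText: async () => { reads += 1; return contents; } },
    readCount: () => reads, // how many times the page actually read the clipboard
  };
}

// In a browser: report this site's clipboard-read state. (Node 21+ also has a
// global navigator, but without clipboard/permissions, so the guard skips it.)
if (typeof navigator !== 'undefined' && navigator.clipboard && navigator.permissions) {
  readIfAlreadyGranted(navigator).then((r) => console.log('clipboard-read:', r.state));
}
```

Note what the code does not need: no `paste` event, no user gesture, and no per-read prompt. The `fakeNavigator` read counter is the point of the demonstration: with state `granted`, every focus event produces another silent read; with state `prompt` or `denied`, the page gets nothing unless it asks.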
What You Can Do
- Grant Access Only When Needed: Go to chrome://settings/content/clipboard, keep the default “ask” behavior so Chrome prompts before any site reads, and review the list of allowed sites there for any you no longer need.
- Revoke Access After Use: Click the site information icon (the tune or lock icon) next to the address bar → Site settings → Clipboard → Block.
- Use Separate Profiles: Keep clipboard-trusted sites in a dedicated Chrome profile; close it when not in use.
- Avoid Copying Sensitive Data While a Site is Open: If you must copy sensitive info, close the tab for any site with clipboard permissions first.
Clipboard access is like giving a stranger a window into your desk — you may only want them to look once, but if you leave the window open, they can keep peeking without asking. Treat clipboard permissions as carefully as camera or microphone access.
Conclusion
The pace isn’t slowing down, and the risks aren’t waiting. Every delay, every blind spot, becomes an opening someone else is ready to use. What’s urgent isn’t just patching or reacting—it’s staying one step ahead.