ThreatsDay Bulletin: MS Teams Hack, MFA Hijacking, $2B Crypto Heist, Apple Siri Probe & More

News Room | Published 9 October 2025 (last updated 2025/10/09 at 10:21 AM)

Oct 09, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface.

This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help preserve trust in an increasingly intelligent threat landscape.

  1. How Threat Actors Abuse Microsoft Teams

    Microsoft detailed the ways threat actors abuse its Teams chat software at different stages of the attack chain, including to support financial theft through extortion, social engineering, or technical means. “Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as part of extortion and ransomware payment pressure tactics,” the company said. “After gaining control of MFA through social engineering password resets, they sign in to Teams to identify sensitive information supporting their financially motivated operations.” As mitigations, organizations are advised to strengthen identity protection, harden endpoint security, and secure Teams clients and apps.

  2. LNK Files Used in New Malware Campaign

    A campaign that packages passport- or payment-themed ZIP archives with malicious Windows shortcut (.LNK) files has been found to deliver a PowerShell dropper that drops a DLL implant on compromised hosts. The ZIP archives are distributed via phishing emails. “Execution of the staged payload launches the DLL implant with rundll32.exe using the JMB export and establishes command and control to faw3[.]com,” Blackpoint Cyber said. “The PowerShell dropper uses simple but effective evasion, including building keywords like Start-Process and rundll32.exe from byte arrays, suppressing progress output, clearing the console, and changing server file names based on common antivirus processes. Once active, the implant runs under the user context and can enable remote tasking, host reconnaissance, and delivery of follow-on payloads while blending into normal Windows activity.”
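
The byte-array trick quoted above is easy to spot once the arrays are decoded. The following Python script is an added example (not Blackpoint Cyber's tooling; the PowerShell sample inside it is constructed for the demonstration): it decodes every numeric array in a script, checks whether the result spells a sensitive keyword such as Start-Process or rundll32.exe, and records the secondary signals the report lists (suppressed progress output, cleared console).

```python
"""Triage helper for PowerShell droppers that assemble keywords from numeric
arrays.  Added example, not Blackpoint Cyber's tooling; the sample script below
is constructed for the demonstration."""
import re
from typing import Dict, List

# Keywords that are suspicious when rebuilt at runtime instead of written literally.
SENSITIVE_KEYWORDS = (
    "start-process", "rundll32.exe", "invoke-expression",
    "downloadstring", "frombase64string", "new-object",
)

# Four or more comma-separated 1-3 digit numbers, e.g. 83,116,97,114 (byte/char arrays).
NUMERIC_ARRAY = re.compile(r"(?<![\w.])(\d{1,3}(?:\s*,\s*\d{1,3}){3,})(?![\w.])")

# Secondary evasion signals named in the report: silenced progress bars, cleared console.
SECONDARY_SIGNALS = {
    "progress_suppressed": re.compile(
        r"\$ProgressPreference\s*=\s*['\"]SilentlyContinue['\"]", re.I),
    "console_cleared": re.compile(r"\b(?:Clear-Host|cls)\b", re.I),
}


def decode_numeric_arrays(script: str) -> List[str]:
    """Decode every numeric array whose values are all printable ASCII."""
    decoded = []
    for match in NUMERIC_ARRAY.finditer(script):
        values = [int(v) for v in re.split(r"\s*,\s*", match.group(1))]
        if all(32 <= v < 127 for v in values):
            decoded.append("".join(chr(v) for v in values))
    return decoded


def analyze_script(script: str) -> Dict[str, object]:
    """Return decoded strings, rebuilt sensitive keywords, secondary signals and a verdict."""
    strings = decode_numeric_arrays(script)
    rebuilt = sorted({kw for s in strings for kw in SENSITIVE_KEYWORDS if kw in s.lower()})
    signals = [name for name, rx in SECONDARY_SIGNALS.items() if rx.search(script)]
    # One rebuilt keyword is enough to escalate; secondary signals alone are not.
    score = 3 * len(rebuilt) + len(signals)
    return {
        "decoded_strings": strings,
        "rebuilt_keywords": rebuilt,
        "signals": signals,
        "suspicious": score >= 3,
    }


# Constructed sample: rebuilds "Start-Process" and "rundll32.exe" from arrays,
# silences progress output and clears the console, as the dropper is reported to do.
SAMPLE_SCRIPT = r"""
$ProgressPreference = 'SilentlyContinue'
Clear-Host
$sp = [string]::Join('', [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115))
$rd = [System.Text.Encoding]::ASCII.GetString([byte[]](114,117,110,100,108,108,51,50,46,101,120,101))
$ver = 10,0,19045,0
"""
# The last line is a version-like array, not byte values, and stays undecoded.

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_script(SAMPLE_SCRIPT), indent=2))
```

Run it on quarantined script text (for example, the contents of a PowerShell ScriptBlock log event) rather than on live payloads; the decoder only reconstructs strings, it never evaluates anything from the script.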

  3. Israel Likely Behind an AI Disinfo Campaign Targeting Iran

    The Citizen Lab said a coordinated Israeli-backed network of around 50 social media accounts on X pushed anti-government propaganda using deepfakes and other AI-generated content to Iranians with the goal of fomenting revolt among the country’s people and overthrowing the Iranian regime. The campaign has been codenamed PRISONBREAK. These accounts were created in 2023 but remained largely dormant until January 2025. “While organic engagement with PRISONBREAK’s content appears to be limited, some of the posts achieved tens of thousands of views. The operation seeded such posts to large public communities on X, and possibly also paid for their promotion,” the non-profit said. It’s assessed that the campaign is the work of an unidentified agency of the Israeli government, or a sub-contractor working under its close supervision.

  4. Opposition to E.U. Chat Control

    The president of the Signal Foundation said the end-to-end encrypted messaging app will leave the European Union market rather than comply with a potential new regulation known as Chat Control. Chat Control, first introduced in 2022, would require service providers, including end-to-end encrypted platforms like Signal, to scan all platform communications and files to screen for “abusive material” before a message is sent. “Under the guise of protecting children, the latest Chat Control proposals would require mass scanning of every message, photo, and video on a person’s device, assessing these via a government-mandated database or AI model to determine whether they are permissible content or not,” Signal Foundation President Meredith Whittaker said. “What they propose is in effect a mass surveillance free-for-all, opening up everyone’s intimate and confidential communications, whether government officials, military, investigative journalists, or activists.” CryptPad, Element, and Tuta are among more than 40 other E.U. tech companies that have signed an open letter against the Chat Control proposal. Meanwhile, German officials said they will vote against the proposal, signaling that the bloc will not have the votes to move forward with the controversial measure.

  5. Autodesk Revit Crash to RCE

    New research has found that it’s possible to turn an Autodesk Revit file parsing crash (CVE-2025-5037) into a code execution exploit that is fully reliable even on the latest Windows x64 platform. “This RCE is unusually impactful due to the Axis cloud misconfiguration that could have resulted in automatic exploitation during normal usage of the affected products,” Trend Micro Zero Day Initiative researcher Simon Zuckerbraun said.

  6. France Opens Probe into Apple Siri Voice Recordings

    France said it’s opening an investigation into Apple over the company’s collection of Siri voice recordings. The Paris public prosecutor said the probe is in response to a whistleblower complaint. Apple subcontractor Thomas Le Bonniec said Siri conversations contained intimate moments or sensitive data that could easily deanonymize and identify users. “Apple has never used Siri data to create marketing profiles, has never made it available for advertising, and has never sold it to anyone for any reason whatsoever,” the company said in a statement shared with Politico. Earlier this January, Apple said it would not keep “audio recordings of interactions with Siri, unless the user explicitly agrees.”

  7. North Korea Linked to $2B Theft in 2025

    North Korean hackers have stolen an estimated $2 billion worth of cryptocurrency assets in 2025, marking the largest annual total on record. A large chunk of the theft came from the Bybit hack in February, when the threat actors stole about $1.46 billion. Other thefts publicly attributed to North Korea in 2025 include those suffered by LND.fi, WOO X, and Seedify. However, it’s suspected that the actual figure may be even higher. “The 2025 total already dwarfs previous years and is almost triple last year’s tally, underscoring the growing scale of North Korea’s dependence on cyber-enabled theft to fund its regime,” Elliptic said. A notable shift observed this year is the increasing targeting of high-net-worth individuals. “As crypto prices have risen, individuals have become increasingly attractive targets, often lacking the security measures employed by businesses,” the company added. “Some of these individuals are also targeted due to their association with businesses holding large amounts of cryptoassets, which the hackers are looking to steal.”

    The development comes as Fortune reported that the North Korean fraudulent IT worker scheme has funneled up to $1 billion into the regime’s nuclear program in the past five years, making it a lucrative revenue-generating stream. North Korean actors well-versed in IT have been observed stealing identities, falsifying their résumés, and deceiving their way into highly paid remote tech jobs in the U.S., Europe, Australia, and Saudi Arabia, using artificial intelligence to fabricate work and disguise their faces and identities. According to the latest statistics from Okta, one in two targets were not tech firms, and one in four targets were not U.S.-based companies, indicating that any company recruiting remote talent could be at risk.

    Besides a “marked” increase in attempts to gain employment at AI companies or in AI-focused roles, other sectors prominently targeted by North Korea included finance, healthcare, public administration, and professional services. The identity services provider said it has tracked over 130 identities operated by facilitators and workers, which can be linked to over 6,500 initial job interviews across more than 5,000 distinct companies up until mid-2025. “Years of sustained activity against a broad range of U.S. industries have allowed Democratic People’s Republic of Korea-aligned facilitators and workers to refine their infiltration methods,” Okta said. “They are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.” Once hired, North Korean IT workers request payment in stablecoins, likely due to their consistent value as well as their popularity with OTC traders who can facilitate the off-ramp from cryptocurrency to fiat, Chainalysis noted. The salaries are then transferred through various money laundering techniques, such as chain-hopping, token swapping, bridge protocols, and consolidation addresses, to complicate the tracing of funds.

  8. Security Flaws in YoLink Smart Hub

    Security vulnerabilities have been discovered in the YoLink Smart Hub (v0382), the gateway device that manages all YoLink locks, sensors, plugs, and other IoT products, which could be exploited to achieve authorization bypass and allow attackers to remotely control other users’ devices, and access Wi-Fi credentials and device IDs in plaintext. To make matters worse, the use of long-lived session tokens allows ongoing unauthorized access. The vulnerabilities relate to insufficient authorization controls (CVE-2025-59449 and CVE-2025-59452), insecure network transmission (CVE-2025-59448), and improper session management (CVE-2025-59451). The most severe vulnerability, CVE-2025-59449, is rated as critical and could allow an attacker who obtains predictable device IDs to operate a user’s devices without strong authentication. The unencrypted MQTT communication between the hub and the mobile app also allows for the exposure of sensitive data like credentials and device IDs. “An attacker […] could potentially obtain physical access to YoLink customers’ homes by opening their garages or unlocking their doors,” Bishop Fox researcher Nicholas Cerne said. “Alternatively, the attacker could toggle the power state of devices connected to YoLink smart plugs, which could have a variety of impacts depending on the types of devices that were connected.”

  9. Authentication Bypass in Tesla TCU

    Cybersecurity researchers from NCC Group detailed a bypass of the Android debug bridge (ADB) lockdown logic in Tesla’s telematics control unit (TCU) that could potentially allow attackers to gain shell access to production devices. The flaw (CVE-2025-34251, CVSS score: 8.6) is an arbitrary file write that could be used to obtain code execution in the context of root on the TCU. “The TCU runs the Android Debug Bridge (adbd) as root and, despite a ‘lockdown’ check that disables adb shell, still permits adb push/pull and adb forward,” according to an advisory for the vulnerability. “Because adbd is privileged and the device’s USB port is exposed externally, an attacker with physical access can write an arbitrary file to a writable location and then overwrite the kernel’s uevent_helper or /proc/sys/kernel/hotplug entries via ADB, causing the script to be executed with root privileges.”

  10. Spoofed Domains Deliver Android and Windows Malware

    A financially motivated threat cluster has used more than 80 spoofed domains and lure websites to target users with fake applications and websites themed as government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications, DomainTools said. The end goal of the attacks is to deliver Android and Windows trojans, likely for the purpose of stealing credentials through the use of fake login pages. The presence of Meta tracking pixels indicates that the threat actors are likely running it as a campaign, using Facebook ads or other methods to drive traffic to the fake pages.

  11. NoName057(16) Bounces Back

    The hacktivist group known as NoName057(16), which suffered a significant blow in July 2025 following an international law enforcement effort called Operation Eastwood, has managed to bounce back, escalate its activities, and leverage new alliances to amplify its reach. A majority of the group’s targets between late July and August 2025 comprised German websites, focusing on municipalities, police, public services, and government portals, as well as sites in Spain, Belgium, and Italy. “A key limitation remains: the group’s core infrastructure and leadership are based in Russia,” Imperva said. “Without cooperation from Russian authorities, fully dismantling NoName057(16) is highly unlikely. To date, Moscow has not taken action against pro-Russian hacktivist groups, and their activities often continue without interference.”

  12. LATAM Banks Targeted by BlackStink

    Financial institutions in Latin America have become the target of a new malware campaign that uses malicious Google Chrome extensions mimicking Google Docs to initiate fraudulent transfers in real time by taking remote control of the banking session. The activity, dubbed BlackStink, leverages advanced WebInject techniques to bypass traditional detection mechanisms, per IBM X-Force. “Once active, it can dynamically inject deceptive overlays into legitimate banking pages to harvest credentials, account details and transaction data,” the company noted. “Beyond simple credential theft, BlackStink is capable of auto-filling and auto-submitting forms, simulating user actions and executing automatic transactions — allowing attackers to move funds in real time without the victim’s awareness.”

  13. Over 2K Oracle E-Business Suite Instances Exposed to Internet

    Attack surface management company Censys said it observed 2,043 Oracle E-Business Suite instances exposed to the internet, making it crucial that users take steps to secure against CVE-2025-61882, a critical vulnerability in the Concurrent Processing component that can be exploited by an unauthenticated attacker with network access via HTTP to compromise the system. The vulnerability is assessed to have been weaponized as a zero-day by Cl0p as part of new extortion attacks since August 2025.

  14. Asgard Protector Detailed

    A crypter service called Asgard Protector is being used to hide malicious payloads such as Lumma Stealer to help the artifacts bypass security defenses. “Asgard Protector leverages Nullsoft package installations, hidden AutoIt binaries, and compiled AutoIt scripts in order to inject encrypted payloads into memory, which are decrypted in memory and executed,” SpyCloud said. “The combination of LummaC2 and Asgard Protector represents a potent union for evading detection and stealing data from devices and networks.” Some of the other malware families distributed using this crypter are Quasar RAT, Rhadamanthys, Vidar, and ACR Stealer. There is evidence to suggest that Asgard Protector has some sort of a connection with CypherIT given the functional similarities between the two.

  15. Updates to WARMCOOKIE Malware

    The Windows malware known as WARMCOOKIE (aka BadSpace) is being actively developed and distributed, with recent campaigns leveraging CastleBot for propagation. “The most recent WARMCOOKIE builds we have collected contain the DLL/EXE execution functionality, with PowerShell script functionality being much less prevalent,” Elastic said. “These capabilities leverage the same function by passing different arguments for each file type. The handler creates a folder in a temporary directory, writing the file content (EXE / DLL / PS1) to a temporary file in the newly created folder. Then, it executes the temporary file directly or uses either rundll32.exe or PowerShell.exe. Below is an example of PE execution from procmon.”
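
The execution handler Elastic describes leaves a recognisable trace in process-creation telemetry: a file in a freshly created temp subfolder started directly, through rundll32.exe, or through powershell.exe. The following Python detection is an added example, not Elastic's rule, run over constructed process events (Sysmon-style image and command-line fields, not real telemetry); it flags the three loader shapes and leaves ordinary rundll32/PowerShell use alone.

```python
"""Detection over process-creation events for the WARMCOOKIE execution pattern
described above: a payload written to a fresh folder under a temp directory
and run directly, via rundll32.exe, or via powershell.exe.  Added example, not
Elastic's rule; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Path to an .exe/.dll/.ps1 inside a *subfolder* of a user or system temp directory.
# Group 1 is the whole path, group 2 the extension.  Paths containing spaces are
# not handled, to keep the example short; a production rule should tokenize quoted args.
TEMP_PAYLOAD = re.compile(
    r"([A-Za-z]:\\(?:[^\\\s]+\\)*?(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\\\s]+\\[^\\\s]+\.(exe|dll|ps1))\b",
    re.I,
)

# Living-off-the-land binaries the malware uses to run the staged file, and the
# file type each one is expected to be handed.
LOADERS = {"rundll32.exe": "dll", "powershell.exe": "ps1"}


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event matches the pattern, else None."""
    name = event.image.rsplit("\\", 1)[-1].lower()
    if name in LOADERS:
        m = TEMP_PAYLOAD.search(event.command_line)
        if m and m.group(2).lower() == LOADERS[name]:
            return f"{name} runs {LOADERS[name]} from temp subfolder: {m.group(1)}"
        return None
    m = TEMP_PAYLOAD.search(event.image)
    if m and m.group(2).lower() == "exe":
        return f"executable started from temp subfolder: {m.group(1)}"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Apply classify() to each event and collect (pid, reason) for the hits."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.pid, reason))
    return hits


# Constructed events: three matching the pattern, three benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\bob\AppData\Local\Temp\k3f9\stage.dll,Start"),
    ProcessEvent(1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\q7z2\run.ps1"),
    ProcessEvent(1003, r"C:\Users\bob\AppData\Local\Temp\m1n2\update.exe",
                 r"C:\Users\bob\AppData\Local\Temp\m1n2\update.exe"),
    ProcessEvent(2001, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent(2002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    # Installer dropped directly into Temp (no subfolder): outside this rule by design.
    ProcessEvent(2003, r"C:\Users\bob\AppData\Local\Temp\setup.exe",
                 r"C:\Users\bob\AppData\Local\Temp\setup.exe"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

Requiring a subfolder under the temp directory is what keeps ordinary installer launches out of the alert set; pairing each hit with the creating process (the parent that wrote the folder) is the natural next enrichment when the telemetry carries parent information.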

  16. Mic-E-Mouse Attack for Covert Data Exfiltration

    Academics from UC Irvine have developed a new technique that turns an optical mouse into a microphone to secretly record and exfiltrate data from air-gapped networks. The new Mic-E-Mouse technique takes advantage of the high-performance optical sensors common in gaming mice to detect tiny vibrations caused by nearby sound and record the pattern in mouse movements. This data is then collected and exfiltrated to recover conversations with the help of a transformer-based neural network. For the attack to work, a bad actor must first compromise the computer through other means. The study used a $35 mouse to test the system and found it could capture speech with 61% accuracy, depending on voice frequency. “Our target for a suitable exploit delivery vehicle is open-source applications where the collection and distribution of high-frequency mouse data is not inherently suspicious,” the researchers said. “Therefore, creative software, video games, and other high performance, low latency software are an [sic] ideal targets for injecting our exploit.”

  17. Crimson Collective Targets AWS Environments

    The emerging threat group known as Crimson Collective, which has been attributed to the recent breach of Red Hat, is believed to share ties with the larger Scattered Spider and LAPSUS$ collectives, according to security researcher Kevin Beaumont. The assessment is based on the fact that the messages posted on the group’s public Telegram channel are signed with the name “Miku,” which refers to an alias for Thalha Jubair, who was arrested last month in the U.K. in connection with the August 2024 cyber attack targeting Transport for London (TfL), the city’s public transportation agency. Interestingly, the Red Hat compromise date is listed as September 13, 2025, a couple of days before Jubair’s arrest. According to Rapid7, the threat actors are increasingly targeting AWS cloud environments to steal sensitive data and extort victim organizations, with the attacks relying on an open-source tool called TruffleHog to find leaked AWS credentials. “The threat group’s activity has been observed to start with compromising long-term access keys and leveraging privileges attached to the compromised IAM (Identity & Access Management) accounts,” the company said. “The threat group was observed creating new users and escalating privileges by attaching policies. When successful, the Crimson Collective performed reconnaissance to identify valuable data and exfiltrated it via AWS services. In case of the successful exfiltration of data, an extortion note is received by the victim.” The group has since partnered with Scattered LAPSUS$ Hunters, with ShinyHunters telling Bleeping Computer that it has been privately operating as an extortion-as-a-service (EaaS), where they work with other threat actors to extort companies in exchange for a share of the extortion demand.
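
The sequence Rapid7 describes (a compromised long-term access key, then new users, then policies attached) is visible in CloudTrail. The Python hunt below is an added example, not Rapid7's detection: it groups successful IAM write calls by the calling access key, keeps only long-term keys (AWS IAM user keys start with AKIA, temporary STS credentials with ASIA), and reports keys that chained two or more distinct escalation APIs. The records are constructed with documentation IP ranges and placeholder account and key identifiers.

```python
"""Hunt over CloudTrail records for the reported Crimson Collective sequence:
a long-term IAM access key (AKIA... prefix) creating users and attaching
policies.  Added example, not Rapid7's detection; the records below are
constructed with documentation IP ranges and placeholder identifiers."""
import json
from collections import defaultdict
from typing import Dict, List

# IAM write APIs that, chained from one key, match the create-user-then-escalate pattern.
ESCALATION_APIS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup", "AttachRolePolicy",
}
# AWS long-term access key IDs begin with AKIA; temporary STS credentials begin with ASIA.
LONG_TERM_PREFIX = "AKIA"


def is_long_term_key(record: dict) -> bool:
    return record.get("userIdentity", {}).get("accessKeyId", "").startswith(LONG_TERM_PREFIX)


def escalation_chains(records: List[dict], min_distinct_apis: int = 2) -> Dict[str, dict]:
    """Group successful IAM escalation calls by long-term key and report keys that
    used at least min_distinct_apis different escalation APIs."""
    by_key: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in ESCALATION_APIS:
            continue
        if rec.get("errorCode"):      # denied attempts deserve their own rule; here only successes
            continue
        if not is_long_term_key(rec):
            continue
        by_key[rec["userIdentity"]["accessKeyId"]].append(rec)

    findings = {}
    for key, recs in by_key.items():
        apis = sorted({r["eventName"] for r in recs})
        if len(apis) < min_distinct_apis:
            continue
        findings[key] = {
            "caller": recs[0]["userIdentity"].get("arn"),
            "apis": apis,
            "targets": sorted({(r.get("requestParameters") or {}).get("userName", "?") for r in recs}),
            "source_ips": sorted({r.get("sourceIPAddress", "?") for r in recs}),
        }
    return findings


# Constructed CloudTrail excerpt: one long-term key chains three escalation calls,
# an SSO session (ASIA key) does routine IAM work, one call is denied, one is S3.
SAMPLE_LOG = """
{"Records": [
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"},
  "requestParameters": {"userName": "svc-backup"}},
 {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"},
  "requestParameters": {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"},
  "requestParameters": {"userName": "svc-backup"}},
 {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/AdminSSO/alice", "accessKeyId": "ASIAEXAMPLE000000002"},
  "requestParameters": {"userName": "alice-test", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000003"},
  "requestParameters": {"userName": "svc-other"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"}}
]}
"""
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]

if __name__ == "__main__":
    print(json.dumps(escalation_chains(SAMPLE_RECORDS), indent=2))
```

The same grouping works unchanged over records pulled from CloudTrail Lake or an S3 trail archive. Keys that surface here should be treated as candidates for immediate rotation, and the underlying fix for the TruffleHog angle is to remove long-term keys from repositories and CI configuration altogether in favour of short-lived role credentials.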

Defending against modern threats requires more than tools — it demands awareness, adaptability, and shared responsibility. As attackers evolve, so must our approach to security. The path forward lies in continuous learning, stronger collaboration, and smarter use of technology to keep trust intact in a connected world.
