What do a source code editor, a smart billboard, and a web server have in common? They’ve all become launchpads for attacks—because cybercriminals are rethinking what counts as “infrastructure.” Instead of chasing high-value targets directly, threat actors are now quietly taking over the overlooked: outdated software, unpatched IoT devices, and open-source packages. It’s not just clever—it’s reshaping how intrusion, persistence, and evasion happen at scale.
⚡ Threat of the Week
5Socks Proxy Using IoT, EoL Systems Dismantled in Law Enforcement Operation — A joint law enforcement operation undertaken by Dutch and U.S. authorities dismantled a criminal proxy network, known as anyproxy[.]net and 5socks[.]net, that was powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors. The illicit platform, active since 2004, advertised more than 7,000 online proxies daily, with infected devices mainly located in the U.S., Canada and Ecuador. The attacks targeted IoT devices susceptible to known security flaws to deploy a malware called TheMoon. The development comes as two other law enforcement operations have felled the eXch cryptocurrency exchange for facilitating money laundering and six DDoS-for-hire services that were used to launch thousands of cyber-attacks across the world.
🔔 Top News
COLDRIVER Uses ClickFix to Distribute LOSTKEYS Malware — The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures. The attacks, detected in January, March, and April 2025, targeted current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs, as well as individuals connected to Ukraine. LOSTKEYS is designed to steal files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker.
Play Ransomware Attack Exploited CVE-2025-29824 as a 0-Day — Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an unnamed organization in the United States. The attack leveraged CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver that was patched by Microsoft last month. That said, no ransomware was actually deployed in the attack. However, Grixba, a custom information stealer known to be used by the Play ransomware operation, was put to use.
NSO Group Ordered to Pay $168 Million in Damages to WhatsApp — Israeli company NSO Group was ordered by a federal jury in the U.S. to pay Meta-owned WhatsApp WhatsApp approximately $168 million in monetary damages, more than four months after a federal judge ruled that the Israeli company violated U.S. laws by exploiting WhatsApp servers to deploy Pegasus spyware targeting more than 1,400 individuals globally. In addition, the jury determined that NSO Group must pay WhatsApp $444,719 in compensatory damages for the significant efforts WhatsApp engineers made to block the attack vectors. WhatsApp originally filed the lawsuit against NSO Group in 2019, accusing NSO Group of exploiting WhatsApp using a then-zero-day vulnerability in the messaging app to target journalists, human rights activists, and political dissidents. NSO Group said it will appeal the ruling.
3 Malicious npm Packages Target Cursor Users — Three malicious npm packages named sw-cur, sw-cur1, and aiide-cur have been flagged in the npm registry as designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. The packages claim to be offering “the cheapest Cursor API,” but contain functionality to modify legitimate files associated with the software to execute arbitrary code in the compromised system. The packages continue to be available for download from npm, and have been downloaded over 3,200 times to date. The discovery heralds a new trend where threat actors are using rogue npm packages as a way to introduce malicious modifications to other legitimate libraries or software already installed on developer systems.
SysAid Patches 4 Flaws That Enable Pre-Auth RCE — Multiple security flaws in the on-premise version of SysAid IT support software could be chained to achieve pre-authenticated remote code execution with elevated privileges. The flaws, tracked as CVE-2025-2775, CVE-2025-2776, CVE-2025-2777 (CVSS scores: 9.3), and CVE-2025-2778, have been addressed in version 24.4.60 b16 of the software.
Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws in Mirai Attacks — Threat actors are exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices and an unpatched vulnerability affecting Samsung MagicINFO 9 Server to co-opt them into a Mirai botnet variant for conducting DDoS attacks. Users are advised to upgrade their GeoVision devices to a supported model and disconnect Samsung MagicINFO 9 Server instances from the public internet.
DoJ Charges Yemeni National for Deploying Black Kingdom Ransomware — The U.S. Department of Justice (DoJ) announced charges against a 36-year-old Yemeni national named Rami Khaled Ahmed for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States, between March 2021 to June 2023. Ahmed is accused of developing and deploying the ransomware by exploiting a vulnerability in Microsoft Exchange Server known as ProxyLogon. A report published by Kaspersky in June 2021 described the ransomware as “amateurish” and lacking in complexity and sophistication associated with major ransomware schemes.
Golden Chickens Return with TerraStealerV2 and TerraLogger Malware — Cybercriminal group Golden Chickens is back in the spotlight, this time with a fresh set of tools to steal credentials, cryptocurrency wallet data, browser extension information, and keystrokes. The findings represent the latest evidence of the threat actor’s ongoing efforts to evolve their malware-as-a-service (MaaS) offerings. Golden Chickens, also called Venom Spider, has long been tied to the More_eggs malware. Unlike its data-sucking counterpart TerraStealerV2, TerraLogger takes a simpler but no less dangerous approach by capturing keystrokes entered by the victim on their machine. The fact that it lacks a data exfiltration mechanism suggests that it’s likely being used as a module as part of their broader toolset.
️🔥 Trending CVEs
Attackers love software vulnerabilities—they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.
This week’s list includes — CVE-2025-32819, CVE-2025-32820, CVE-2025-32821 (SonicWall), CVE-2025-20188 (Cisco IOS XE Wireless Controller), CVE-2025-27007 (OttoKit), CVE-2025-24977 (OpenCTI), CVE-2025-4372 (Google Chrome), CVE-2025-25014 (Elastic Kibana), CVE-2025-4318 (AWS Amplify Studio), CVE-2024-56523, CVE-2024-56524 (Radware Cloud Web Application Firewall), CVE-2025-27533 (Apache ActiveMQ), CVE-2025-26168, CVE-2025-26169 (IXON VPN), CVE-2025-23123 (Ubiquiti UniFi Protect Cameras), CVE-2024-8176 (libexpat), and CVE-2025-47188 (Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones).
📰 Around the Cyber World
Bluetooth SIG Releases Bluetooth 6.1 — The Bluetooth Special Interest Group has announced the release of Bluetooth 6.1 with improved device privacy via Resolvable Private Addresses (RPA). The feature enables “randomizing the timing of address changes [and] makes it much more difficult for third-parties to track or correlate device activity over time,” the SIG said.
AI Slop Leads to Rise in Fake Bug Reports — Software supply chain security firm Socket is warning of a rise in artificial intelligence (AI)-generated fake vulnerability reports impacting bug bounty programs that cite non-existent functions, include unverified patch suggestions, and highlight flaws that could not be reproduced. A consequence of this deliberate misuse is that it could cause bug bounty initiatives to operate in an effective manner. “They divert limited attention from real vulnerabilities, add friction between maintainers and researchers, and chip away at the trust these programs depend on,” the company said. Curl project founder Daniel Stenberg, in a post on LinkedIn, said “I’m putting my foot down on this craziness,” and that every reporter who submits reports deemed AI slop will be instantly banned. “A threshold has been reached,” Stenberg said. “We are effectively being DDoSed. If we could, we would charge them for this waste of our time. We still have not seen a single valid security report done with AI help.”
AgeoStealer Stealer Disguises as a Video Game — A new information stealer called AgeoStealer has been observed using a website hosted on the Blogger platform, masquerading as a video game named Lomina to trick users into installing it. “By targeting browsers, authentication tokens, and system files, it enables cybercriminals to perform identity theft, corporate espionage, and unauthorized financial transactions,” Flashpoint said. “Additionally, the use of PowerShell process termination, combined with sandbox evasion tactics, makes it particularly difficult to detect through traditional antivirus solutions.”
South Korea says DeepSeek Transferred User Data to China and the U.S. Without Consent — South Korea’s data protection authority, the Personal Information Protection Commission (PIPC), has accused Chinese AI service DeepSeek of transferring the personal data of its users to companies located in China and the United States without obtaining their consent. This included device, network, app information, and prompts to a Chinese cloud service platform named Volcano Engine. Although the PIPC identified Volcano Engine as an affiliate of ByteDance, the watchdog said it is a “separate legal entity.” The findings are the result of an investigation the PIPC launched in February 2025.
Iranian Cyber Actors Impersonate a German Model Agency — Iranian threat actors have been linked to covert infrastructure (“megamodelstudio[.]com”) impersonating a German model agency. The site is designed to trigger the execution of malicious JavaScript that, unbeknownst to the visitors, gathers their browser languages, screen resolutions, IP addresses, and browser fingerprints likely in an attempt to facilitate further selective targeting. The activity has been attributed with low confidence to Agent Serpens (aka Charming Kitten), a threat actor known for its elaborate social engineering campaigns. The findings come as an Iran state-backed threat group dubbed Lemon Sandstorm targeted a critical national infrastructure (CNI) provider in a rival Middle Eastern nation and spread malicious software into its network over the past two years. The hacking group, per Fortinet, demonstrated operational security by taking pains to establish stealthy persistence for long periods and repeatedly trying various methods to infiltrate the network again after they were caught and eradicated.
Mozilla Streamlines Data Consent Experience for Firefox Add-ons — Browser maker Mozilla said it’s making available a new feature in Firefox Nightly version 139 that introduces a new data consent experience for extensions in order to “allow users to consent to share data with extensions directly in the Firefox add-on installation flow itself — rather than during a separate post-install experience and asking developers to build their own custom consent experiences.” As part of the changes, Mozilla has created broad categories based on data types used by extensions, such as personal data and technical and user interaction data. Extension developers can specify what data they wish to collect or transmit in their extension’s manifest.json file. During installation, the manifest information will be parsed by the browser and shown to the user. Users can then choose to accept or reject the data collection.
ChoiceJacking Attack Bypass Existing Juice Jacking Defenses to Steal Data — Juice jacking attacks happen when hackers infect a charger with hidden malware that can steal sensitive data from phones connected to it. While mobile operating systems have since introduced new confirmation prompts for data connections from a USB host to a mobile device, a newly devised platform-agnostic attack technique from the Graz University of Technology has been found to sidestep existing mitigations that allows a malicious charger to autonomously spoof user input to enable its own data connection. “Despite vendor customizations in USB stacks, ChoiceJacking attacks gain access to sensitive user files (pictures, documents, app data) on all tested devices from 8 vendors including the top 6 by market share,” researchers Florian Draschbacher, Lukas Maar, Mathias Oberhuber, and Stefan Mangard said. “For two vendors, our attacks allow file extraction from locked devices.” Apple, Google, Samsung, and Xiaomi have all acknowledged the attacks and have released fixes with iOS 18.4 (CVE-2025-24193) and Android 15 (CVE-2024-43085). The issue is being tracked for Samsung and Xiaomi under the CVE identifiers CVE-2024-20900 and CVE-2024-54096, respectively.
Threat Actors Target IIS Servers with Gh0st RAT — Suspected Chinese-speaking threat actors have been observed targeting poorly secured IIS web servers in South Korea with a malicious IIS module. “When the malicious IIS native module is loaded into the w3wp.exe process, it intercepts all HTTP requests being sent to the web server,” AhnLab said. “It then manipulates the response values to redirect to a specific page or perform a web shell function. Through the malicious native module, threat actors can intercept all traffic coming into the web server and modify it as needed.” The attack is notable for the use of a .NET-based web shell and Gh0st RAT, a remote access trojan widely used by Chinese hacking groups. “By installing their malicious modules on the web server, the threat actor was able to insert their affiliate links into the response values to the HTTP traffic requested from the web server,” the company said. “This allowed them to generate revenue by displaying their advertisements and banners on their partner websites. Additionally, the threat actor used the malware to install phishing pages and redirect users to them, thereby leaking sensitive information.”
Microsoft Begins Enforcing New Outlook Rules for Bulk Emails — Microsoft has begun enacting stricter rules that domains sending more than 5,000 emails per day are required to follow. This includes mandatory SPF, DKIM, DMARC settings, functional unsubscribe links, transparent mailing practices, and email bounce management. “These measures will help reduce spoofing, phishing, and spam activity, empowering legitimate senders with stronger brand protection and better deliverability,” the company said.
Japan Warns of Threat Actors Using Hijacked Financial Accounts to Conduct Trades — Weeks after Japan’s Financial Services Agency (FSA) alerted users of unauthorized transactions on internet stock trading services using stolen credentials harvested from phishing websites, the agency revealed that the hackers have conducted more than $1 billion in sales and purchases of about $902 billion since the start of the year. A total of 18 companies are impacted, with 3,505 transactions reported to date.
New Scam Exploits X Advertising Loophole — Threat actors are taking advantage of a loophole in X’s ads policy to conduct a financial scam that employs ads with the display URL spoofing “cnn[.]com” but, when clicked, redirects visitors to a crypto scam website impersonating Apple’s brand (“ipresale[.]world”). “The scam encourages visitors to create an account and buy a token positioned as coming from Apple; the website also includes a fake testimonial from Apple CEO Tim Cook,” Silent Push said. The findings coincide with the discovery of a recruitment scam that singles out job seekers with offers of flexible opportunities that entice them into depositing their own funds in order to complete a series of tasks and earn a cryptocurrency payment. “After enticing victims to their phishing website with the promise of substantial remuneration, the threat actor then coerces them into making up-front payments to engage in the tasks that supposedly release that remuneration,” Netcraft said. A similar campaign was documented by Proofpoint in October 2024.
Crypto Heist Uncovers New Malware — An investigation into a large-scale cryptocurrency theft with losses exceeding $1 million has led to the discovery of two new malware families named PRELUDE and DELPHYS. PRELUDE is a .NET backdoor that can launch a reverse shell and take screenshots. DELPHYS, on the other hand, is a 64-bit Delphi loader distributed in EXE form, and is used to execute the Havoc command-and-control (C2) framework. The campaign, per Kroll, was initiated via social engineering over a direct message on X, after which the victim was directed to a Discord server to download the malware. The activity, tracked as KTA440, is assessed to be a highly targeted campaign aimed at individuals of high net worth in the cryptocurrency space.
India-Pakistan Military Conflict Sparks Cyber Attacks — The recent military conflict between India and Pakistan has led to a surge in attacks targeting both countries. Cybersecurity company NSFOCUS said it observed a 500% rise in cyberattacks targeting India and a 700% rise against targets in Pakistan towards the end of April 2025. There has also been an increase in hacktivist activity targeting India in the form of DDoS attacks, led by RipperSec, AnonSec, Keymous+, Sylhet Gang, and Mr Hamza. However, according to CloudSEK, a majority of the claims of hacktivist campaigns targeting Indian digital infrastructure are “significantly overblown.” That’s not all. The rising military tensions have been capitalized by the Pakistan-linked Transparent Tribe (aka APT36) threat actor, which has employed spear-phishing and ClickFix-style lures to deliver Crimson RAT and a .NET-based loader, respectively.
CISA Releases Guidance to Mitigate OT Threats from Unsophisticated Cyber Actors — The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and Department of Energy (DOE) are urging critical infrastructure entities to review and take steps to bolster their security posture amid “cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States.” This includes removing OT connections to the public internet, changing default passwords, securing remote access to OT networks, and segmenting IT and OT networks. “Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage,” the agencies said.
LockBit Ransomware Admin Panel Hacked — In a further blow to LockBit’s operations, the ransomware scheme’s dark web affiliate panels were hacked and defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague.” The panel has also been made available to download in SQL database format, revealing custom ransomware builds, a list of 75 admins and affiliates who had access to the affiliate panel, 59,975 unique bitcoin addresses, and more than 4,400 victim negotiation messages from December 2024 to the end of April 2025. “The leaked chats reveal a fascinating twist – attackers offer up to 20% discounts to victims who choose to pay in Monero instead of Bitcoin,” Qualys said. “This isn’t just a random perk; it signals a deliberate preference for Monero, likely due to its privacy-centric design.” LockBitSupp, LockBit’s main administrator, has since confirmed the hack. While LockBit has continued to operate despite law enforcement action, the latest leak may sound the death knell for what was once the most prolific ransomware group.
Unofficial Signal App Used by Trump Government Officials Probes Hack — TeleMessage, an Israeli company that sells an unofficial Signal message archiving tool used by some U.S. government officials, has suspended all services after reportedly being hacked. Details of the hack emerged in the wake of a 404 Media report revealed an anonymous hacker had breached TeleMessage and gained access to direct messages and group chats archived using TM SGNL, TeleMessage’s unofficial Signal clone, alongside WhatsApp, Telegram, and WeChat.
🎥 Cybersecurity Webinars
Learn How Uniting Code, Cloud, and SOC Security Can Eliminate Hidden Gaps → Modern application security can’t afford to live in silos. With 80% of security gaps emerging in the cloud—and attackers exploiting them within hours—organizations must act faster and smarter. This webinar reveals how uniting code, cloud, and SOC security not only closes critical gaps but enables faster, more resilient defense across the entire application lifecycle. Join us to discover a unified approach that breaks barriers, reduces response time, and strengthens your security posture.
Expert Guide to Building a Legally Defensible Cyber Defense Program → Learn how to build a cyber defense program that meets legal standards and regulatory expectations. This step-by-step guide walks you through using the CIS Controls, SecureSuite tools, and CSAT Pro to create a practical, defensible, and cost-effective security strategy tailored to your organization’s needs.
🔧 Cybersecurity Tools
Chainsaw → It is a fast, lightweight forensic triage tool designed for rapid threat hunting and incident response on Windows systems. Built for speed and simplicity, it allows investigators to quickly search through Windows Event Logs, MFT files, Shimcache, SRUM, and registry hives using keyword matching, regex, and Sigma detection rules. With support for both Sigma and custom Chainsaw rules, it enables efficient detection of malicious activity—even in environments without pre-existing EDR coverage.
HAWK Eye → It is a powerful command-line security scanner designed to detect PII and secrets across your entire infrastructure—fast. With support for cloud services (S3, GCS, Firebase), databases (MySQL, PostgreSQL, MongoDB, Redis), messaging apps (Slack), and local file systems, it uses advanced OCR and pattern-matching to uncover sensitive data hidden in documents, images, archives, and even videos. It integrates easily into CI/CD pipelines or custom Python workflows, helping security teams proactively detect risks and prevent data leaks before they happen.
Aranya → It is a developer tool by SpiderOak for building zero-trust, decentralized apps with built-in access control and end-to-end encryption. It simplifies security by embedding micro-segmentation, authentication, and policy enforcement directly into your software—no external tools needed. Lightweight and portable, Aranya supports Rust and C integrations, making it easy to create secure-by-design systems that work safely across any network.
🔒 Tip of the Week
Cybersecurity Tip of the Week: Block AI Bots from Scraping Your Website → AI companies are quietly crawling websites to collect content for training their models. If you run a company blog, research portal, or any site with original content, it’s likely being indexed—often without your consent.
You can reduce this risk by adding a simple robots.txt rule that tells known AI crawlers to stay out. It doesn’t block rogue scrapers, but it does stop most major bots like GPTBot (OpenAI), AnthropicBot, and CCBot (Common Crawl), which power many commercial AI systems.
Add this to your site’s robots.txt file:
User-agent: GPTBot
Disallow: /
User-agent: AnthropicBot
Disallow: /
User-agent: CCBot
Disallow: /
This file must live at yourdomain[.]com/robots.txt. For extra visibility, monitor your server logs for unexpected crawlers. In an era where data is currency, limiting unauthorized use of your content is a simple, proactive security move.
Conclusion
This week underscored a fundamental reality: cyber risk is no longer just a technical problem—it’s a business, legal, and reputational one. From criminal indictments tied to ransomware operations, to flawed software policies that enable phishing through official ad platforms, the consequences are moving upstream.
Security decisions are leadership decisions now, and the organizations that act accordingly will be the ones that endure when the next breach hits close.
Source link
