SharePoint 0-Day, Chrome Exploit, macOS Spyware, NVIDIA Toolkit RCE and More

By user, July 21, 2025

Even in well-secured environments, attackers are getting in—not with flashy exploits, but by quietly taking advantage of weak settings, outdated encryption, and trusted tools left unprotected.

These attacks don’t depend on zero-days. They work by staying unnoticed—slipping through the cracks in what we monitor and what we assume is safe. What once looked suspicious now blends in, thanks to modular techniques and automation that copy normal behavior.

The real concern? Control isn’t just being challenged—it’s being quietly taken. This week’s updates highlight how default settings, blurred trust boundaries, and exposed infrastructure are turning everyday systems into entry points.

⚡ Threat of the Week

Critical SharePoint Zero-Day Actively Exploited (Patch Released Today) — Microsoft has released fixes to address two security flaws in SharePoint Server that have come under active exploitation in the wild to breach dozens of organizations across the world. Details of exploitation emerged over the weekend, prompting Microsoft to issue an advisory for CVE-2025-53770 and CVE-2025-53771, which are now assessed to be patch bypasses for two other SharePoint flaws tracked as CVE-2025-49704 and CVE-2025-49706, an exploit chain dubbed ToolShell that could be leveraged to achieve remote code execution on on-premises SharePoint servers. The two vulnerabilities were addressed by Microsoft earlier this month as part of its Patch Tuesday update. It’s currently not known who is behind the mass-exploitation activity.

🔔 Top News

Google Ships Patch for Actively Exploited Chrome Flaw — Google has shipped patches to resolve a high-severity vulnerability in the Chrome browser (CVE-2025-6558) that has come under active exploitation in the wild, making it the fifth zero-day to be either actively abused or demonstrated as a proof-of-concept (PoC) since the start of the year. The vulnerability is an incorrect validation of untrusted input in the browser’s ANGLE and GPU components that could allow an attacker to potentially perform a sandbox escape via a crafted HTML page. The issue has been addressed in versions 138.0.7204.157/.158 for Windows and Apple macOS, and 138.0.7204.157 for Linux.
Critical NVIDIA Container Toolkit Flaw Disclosed — A critical vulnerability in NVIDIA Container Toolkit (CVE-2025-23266) could be exploited to achieve code execution with elevated permissions. “A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial-of-service,” the GPU maker said. Wiz, which disclosed the flaw, said the shortcoming could be trivially exploited to access, steal, or manipulate the sensitive data and proprietary models of all other customers running on the same shared hardware by means of a three-line exploit.
New CrushFTP Bug Comes Under Attack — CrushFTP revealed that a critical flaw in its file transfer software (CVE-2025-54309) has been exploited in the wild, with unknown threat actors reverse engineering its source code to discover the bug and target devices that are yet to be updated to the latest versions. The issue affects all versions of CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23. “The attack vector was HTTP(S) for how they could exploit the server,” CrushFTP said. “We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.”
Golden dMSA Attack in Windows Server 2025 Enables Cross-Domain Attacks — Cybersecurity researchers disclosed a “critical design flaw” in delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025 that could enable cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely. “The attack leverages a critical design flaw: A structure that’s used for the password-generation computation contains predictable time-based components with only 1,024 possible combinations, making brute-force password generation computationally trivial,” Semperis researcher Adi Malyanker said.
Google Big Sleep AI Agent Flags Critical SQLite Flaw Before Exploitation — Big Sleep, an artificial intelligence (AI) agent launched by Google last year as a collaboration between DeepMind and Google Project Zero, facilitated the discovery of a critical security flaw in SQLite (CVE-2025-6965) that was previously only known to attackers as a zero-day and was on the verge of exploitation. Google described it as the first time an AI agent has been used to “directly foil efforts to exploit a vulnerability in the wild.”
Threat Actors Target EoL SonicWall SMA 100 Devices — An unknown threat cluster codenamed UNC6148 is targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances and deploying a novel, persistent backdoor and rootkit called OVERWATCH. Many key details about the campaign are currently unknown. For starters, Google said it does not have enough data to determine where the threat actors are based, or what their motives are. Second, the attacks exploit leaked local administrator credentials on the targeted devices for initial access, but Google has been unable to pinpoint how the attackers obtained the credentials used in the attack. While it’s possible that they were sourced from infostealer logs or credential marketplaces, the company noted it’s more likely that the attackers leveraged a known vulnerability. It’s also unclear precisely what the attackers are trying to accomplish after they take control of a device. The lack of information largely stems from how OVERWATCH functions: it allows the attackers to selectively remove log entries to hinder forensic investigation. The investigation also found that UNC6148 managed to deploy a reverse shell on infected devices, something that should not normally be possible, leading to speculation that a zero-day might have been in play. The findings once again show that network appliances are popular attacker targets, as they offer a way to gain access to high-value networks.

🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week’s list includes — CVE-2025-53770, CVE-2025-53771 (Microsoft SharePoint Server), CVE-2025-37103 (HPE Instant On Access Points), CVE-2025-54309 (CrushFTP), CVE-2025-23266, CVE-2025-23267 (NVIDIA Container Toolkit), CVE-2025-20337 (Cisco Identity Services Engine and ISE Passive Identity Connector), CVE-2025-6558 (Google Chrome), CVE-2025-6965 (SQLite), CVE-2025-5333 (Broadcom Symantec Endpoint Management Suite), CVE-2025-48384 (Git CLI), CVE-2025-4919 (Mozilla Firefox), CVE-2025-53833 (LaRecipe), CVE-2025-53506 (Apache Tomcat), CVE-2025-41236 (Broadcom VMware ESXi, Workstation, and Fusion), CVE-2025-27210, CVE-2025-27209 (Node.js), CVE-2025-53906 (Vim), CVE-2025-50067 (Oracle Application Express), CVE-2025-30751 (Oracle Database), CVE-2025-6230, CVE-2025-6231, CVE-2025-6232 (Lenovo Vantage), CVE-2024-13972, CVE-2025-7433, CVE-2025-7472 (Sophos Intercept X for Windows), CVE-2025-27212 (Ubiquiti UniFi Access), CVE-2025-4657 (Lenovo Protection Driver), CVE-2025-2500 (Hitachi Energy Asset Suite), CVE-2025-6023, CVE-2025-6197 (Grafana), CVE-2025-40776, CVE-2025-40777 (BIND 9), CVE-2025-33043, CVE-2025-2884, CVE-2025-3052 (Gigabyte), and CVE-2025-31019 (Password Policy Manager plugin).

📰 Around the Cyber World

Russian Sentenced to 3 Years in Prison in the Netherlands for Sharing Data — A Rotterdam court sentenced a 43-year-old Russian to three years in prison for breaching international sanctions by sharing sensitive information from Dutch semiconductor chip machine maker ASML and NXP with a person in Russia. At his trial on June 26, the suspect admitted to copying files last year and sending them to a person in Russia using the Signal messaging app. While the name of the defendant was not disclosed, Reuters reported in February 2025 that the perpetrator was German Aksenov, and that he had contact with Russia’s FSB intelligence service. He was charged with IP theft and sanctions violations in December 2024.
U.K. NCSC Launches Vulnerability Research Initiative — The U.K. National Cyber Security Centre (NCSC) announced a new Vulnerability Research Initiative (VRI) that aims to strengthen relations with external cybersecurity experts. “The VRI’s mission is to strengthen the UK’s ability to carry out VR,” the NCSC said. “We work with the best external vulnerability researchers to deliver a deep understanding of security on a wide range of technologies we care about. The external VRI community also supports us in having tools and tradecraft for vulnerability discovery.”
Storm-1516 Spreads Disinformation in Europe — A Kremlin-linked disinformation group tracked as Storm-1516 has been masquerading as real journalists and publishing fake articles on spoofed news websites to spread false narratives in France, Armenia, Germany, Moldova, and Norway. The threat actors used the names and photos of legitimate reporters to lend credibility to the bogus articles, per the Gnida Project. Another pro-Russia disinformation campaign known as Operation Overload (aka Matryoshka or Storm-1679) has been observed leveraging consumer-grade artificial intelligence tools to fuel a “content explosion” focused around exacerbating existing tensions around global elections, Ukraine, and immigration, among other controversial issues. The activity, operating since 2023, has a track record of disseminating false narratives by impersonating media outlets with the apparent aim of sowing discord in democratic countries. “This marks a shift toward more scalable, multilingual, and increasingly sophisticated propaganda tactics,” Reset Tech and Check First said. “The campaign has substantially amped up the production of new content in the past eight months, signalling a shift toward faster, more scalable content creation methods.” Some of the images used in the campaign are believed to have been generated using Flux AI, a text-to-image generator developed by Black Forest Labs. The company told WIRED that it has built “multiple layers of safeguards” to prevent abuse and that it’s committed to working with social media platforms and authorities to ward off unlawful misuse.
SLOW#TEMPEST Campaign’s Evolving Techniques Detailed — The threat actors behind a malware campaign called SLOW#TEMPEST have been observed using DLL-sideloading techniques to launch a malicious DLL, while relying on Control Flow Graph (CFG) obfuscation and dynamic function calls to conceal the code in the loader DLL. The primary goal of the DLL is to unpack and launch an embedded payload directly in memory only if the target machine has at least 6 GB of RAM. “The SLOW#TEMPEST campaign’s evolution highlights malware obfuscation techniques, specifically dynamic jumps and obfuscated function calls,” Palo Alto Networks Unit 42 said. “The success of the SLOW#TEMPEST campaign using these techniques demonstrates the potential impact of advanced obfuscation on organizations, making detection and mitigation significantly more challenging.”
Abacus Market Shutters After Likely Exit Scam — The darknet marketplace known as Abacus Market has suddenly closed its operations, rendering all its infrastructure, including its clearnet mirror, inaccessible. The development comes after Abacus Market users began reporting withdrawal issues in late June 2025. Blockchain intelligence firm TRM Labs said the marketplace’s creators may have pulled off an exit scam and disappeared with users’ funds, although the possibility of a law enforcement seizure hasn’t been ruled out. Abacus’s exit follows the June 16, 2025, seizure of Archetyp Market by Europol. Abacus Market launched in September 2021 as Alphabet Market, before it rebranded to its current name two months later. The marketplace is estimated to have generated anywhere between $300 million and $400 million in cryptocurrency sales, spanning illicit drugs, counterfeit items, and stolen cards. According to data from Chainalysis, Abacus Market’s revenue increased significantly in 2024, growing by 183.2% year over year.
MITRE Announces AADAPT for Cryptocurrency Security — The MITRE Corporation launched Adversarial Actions in Digital Asset Payment Technologies, aka AADAPT, a cybersecurity framework for addressing vulnerabilities in digital financial systems such as cryptocurrency. It’s modeled after the MITRE ATT&CK framework. “AADAPT provides developers, policymakers, and financial organizations with a structured methodology for identifying, analyzing, and mitigating potential risks associated with digital asset payments,” MITRE said. “By using insights derived from real-world attacks as cited by more than 150 sources from government, industry, and academia, the AADAPT framework identifies adversarial tactics, techniques, and procedures linked to digital asset payment technologies, including consensus algorithms and smart contracts.”
U.S. Ex-Army Soldier Pleads Guilty to Hacking 10 Telcos — Former U.S. Army soldier Cameron John Wagenius (aka kiberphant0m and cyb3rph4nt0m) pleaded guilty to hacking and extorting at least 10 telecommunications companies between April 2023 and December 2024. The 21-year-old “conspired with others to defraud at least 10 victim organizations by obtaining login credentials for the organizations’ protected computer networks,” the U.S. Department of Justice (DoJ) said. “The conspirators obtained these credentials using a hacking tool that they called SSH Brute, among other means. They used Telegram group chats to transfer stolen credentials and discuss gaining unauthorized access to victim companies’ networks.” The threat actors behind the scheme then extorted the victim organizations both privately and on cybercrime forums such as BreachForums and XSS.is by offering to sell the stolen data for thousands of dollars. Some of the data was eventually sold and used to perpetrate other frauds, including SIM-swapping. Wagenius and his co-conspirators are said to have attempted to extort at least $1 million from victim data owners. The attacks took place while Wagenius was on active duty, the DoJ said. Court documents show that the defendant Googled for phrases like “can hacking be treason” and “U.S. military personnel defecting to Russia.” In February 2025, Wagenius pleaded guilty to conspiracy to commit wire fraud, extortion in relation to computer fraud, aggravated identity theft, and unlawful transfer of confidential phone records information. He is scheduled for sentencing on October 6, 2025. His alleged co-conspirators, Connor Moucka and John Binns, were indicted in November 2024.
Signed Drivers in Malicious Campaigns — Since 2020, no less than 620 signed drivers, 80 certificates, and 60 Windows Hardware Compatibility Program (WHCP) accounts have been associated with threat actor campaigns. The majority of drivers have been signed by 131 Chinese companies. In 2022 alone, over 250 drivers and roughly 34 certificates and WHCP accounts were identified as potentially compromised. The findings show that “kernel-level attacks remain highly attractive to threat actors despite Microsoft’s improved defenses, due to the highest level of privileges on the compromised system and control they offer to attackers,” Group-IB said, adding it found overlap in the signing infrastructure across different malware campaigns, such as those using POORTRY and RedDriver. Some of the notable malware strains using kernel loaders for added stealth include Festi, FiveSys, FK_Undead, and BlackMoon. “Attackers leverage many signing certificates and WHCP accounts by exploiting legitimate processes like the WHCP and Extended Validation (EV) certificates. This includes those belonging to compromised or fraudulently registered organizations, signing malicious drivers, bypassing established security measures, and exploiting the trust model inherent in signed kernel drivers,” the company noted.
TeleMessage SGNL Flaw Seeing Exploitation Activity — Threat actors are actively attempting to exploit a security flaw in TeleMessage SGNL, an enterprise messaging system modeled after Signal, used by government agencies and enterprises alike to achieve secure communications. The vulnerability, CVE-2025-48927, can be used to leak sensitive information, including plaintext usernames, passwords, and other data. According to GreyNoise, exploitation efforts are coming from 25 IP addresses over the past 30 days. The majority of the IP addresses are from France, followed by Singapore, Germany, Hong Kong, and India. The attacks target the United States, Singapore, India, Mexico, and Brazil.
Microsoft Stops Relying on Chinese Engineers for Defense Cloud Support — Microsoft changed its practices to ensure that engineers in China no longer provide technical support to U.S. defense clients using the company’s Azure cloud services. The revamps came after a ProPublica investigation revealed that Microsoft has been using Chinese engineers to help maintain U.S. Department of Defense systems, potentially exposing sensitive data to the Chinese government. “In response to concerns raised earlier this week about US-supervised foreign engineers, Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services,” the company said.
Japan Authorities Release Free Phobos and 8Base Decryptor — Japan’s National Police Agency published a free decryption tool and a guide in English for organizations impacted by the Phobos and 8Base ransomware attacks. Earlier this February, two Russian nationals accused of using the Phobos ransomware to attack more than 1,000 entities were charged as part of a global law enforcement takedown. Phobos launched in December 2018, with a modified version called 8Base gaining prominence in 2023.
Android Allows Gemini to Access Third-Party Apps — Google has implemented a change that allows its Gemini artificial intelligence (AI) chatbot to interact with other apps installed on Android devices, such as Phone, Messages, and others, even if users have turned off “Gemini Apps Activity.” According to a support document from the company, “Even when Gemini Apps Activity is off, your conversations will be saved with your account for up to 72 hours. This lets Google provide the service and process any feedback. This activity won’t appear in your Gemini Apps Activity.” The update went into effect this month.
EvilPanel Phishing Toolkit Detailed — Cybersecurity researchers have discovered a new phishing toolkit called EvilPanel that’s built on Evilginx and provides a web interface for launching multi-factor authentication (MFA)-bypassing attacks. “EvilPanel wraps all of Evilginx’s powerful AiTM capabilities into a sleek, user-friendly web interface, eliminating the need for manual configuration and lowering the barrier to entry for would-be attackers,” Abnormal AI said. “EvilPanel’s core phishing functionality follows the Evilginx model – i.e., it maintains the login flow by acting as a transparent proxy.”
Katz Stealer and Octalyn Stealer Detailed — Cybersecurity company SentinelOne is warning that threat actors are increasingly adopting an information stealer called Katz Stealer owing to its “robust credential and data discovery with theft capabilities as well as modern evasion and anti-analysis features.” It described the stealer as a “combination of credential theft and modern malware design.” Offered under a Malware-as-a-Service (MaaS) model for a mere $50 per month (or $360 for a whole year), stealers such as Katz are turnkey tools that lower the barrier to entry for pulling off malicious attacks. A notable feature of Katz Stealer is its ability to defeat Chromium’s app-bound encryption to gain access to and extract credentials and cookies. “Katz Stealer is not a ‘one shot’ infostealer; it is designed to continually exfiltrate the victim’s data,” SentinelOne said. “The malware not only extracts data found on a targeted system at the point of infection but also data as it is updated, changed, or freshly introduced.” Another new stealer masquerades as an educational tool called Octalyn Forensic Toolkit, but acts as a credential stealer, harvesting browser data, Discord and Telegram tokens, VPN configurations, gaming accounts, and cryptocurrency wallet artifacts. “Its modular C++ payload, Delphi-based builder, Telegram-based C2, and secondary payload delivery capability make it a potent tool for threat actors,” CYFIRMA said. “The use of obfuscation, Windows persistence techniques, and structured data theft highlights a deliberate effort to evade detection and maximize impact.”
Armenia Passes Use of Facial Recognition Technology by Police — Armenia’s parliament has passed controversial amendments to the country’s Law on Police, granting the Ministry of Internal Affairs access to a nationwide network of real-time surveillance cameras that are equipped with facial recognition technology. The cameras will operate across state and municipal buildings, public transport, airports, and parking areas. The law is set to take effect on August 9, 2025. The CSO Meter said the law “lacks clear legal safeguards, public oversight, and proper regulation of artificial intelligence (AI) technologies,” posing a risk to citizens’ privacy.
Scammers Using MaisonReceipts to Create Fake Receipts — Fraudsters are using tools like MaisonReceipts to generate counterfeit receipts for over 21 well-known retail brands in multiple currencies (USD, EUR, GBP). They are used by groups that resell counterfeit or stolen items, presenting them as authentic using bogus receipts. “The service is marketed through subscription-based websites, social media accounts, and encrypted messaging platforms, with features that make the fraudulent receipts appear convincing enough to deceive consumers and online marketplaces,” Group-IB said.
PyPI Blocks inbox.ru Email Domain — A recent spam campaign against PyPI has prompted the maintainers of the Python Package Index (PyPI) repository to ban the use of the “inbox.ru” email domain during new registrations as well as adding extra email addresses. “The campaign created over 250 new user accounts, publishing over 1,500 new projects on PyPI, leading to end-user confusion, abuse of resources, and potential security issues,” PyPI said. “All relevant projects have been removed from PyPI, and accounts have been disabled.”
Silver Fox Actor Creates Fake Websites for Malware Delivery — The threat actor known as Silver Fox, which is known for targeting Chinese-speaking individuals and entities, has created over 2,800 domains since June 2023, with 266 of the over 850 identified domains since December 2024 actively distributing malware. These fake websites act as a delivery vector for Windows-specific malware and masquerade as application download sites and software update prompts. “The consistent operational timing across all hours with high influxes during Chinese working hours, in addition to other factors, suggests a combination of automated and likely human-driven approach to their activities,” DomainTools said.
Arrested Scattered Spider Members Released on Bail — A British court has released four members of the Scattered Spider group on bail. They were arrested last week on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. They’ve been charged with hacking U.K. retailers Marks & Spencer, Co-op, and Harrods.
Armenian National Charged with Ryuk Ransomware Attacks — An Armenian man extradited from Ukraine to the United States has been charged over his alleged role in Ryuk ransomware attacks between March 2019 and September 2020. Karen Serobovich Vardanyan was arrested in Kyiv in April, and was extradited to the United States on June 18. Vardanyan has been charged with conspiracy, fraud in connection with computers, and extortion in connection with computers. He has been charged alongside Levon Georgiyovych Avetisyan, 45, who is also an Armenian national facing the same charges. He is currently detained in France and is expected to be extradited as well. Vardanyan and his accomplices received about 1,610 bitcoins from victims, valued at more than $15 million at the time of payment. Two Ukrainians — 53-year-olds Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko — were also charged in connection with Ryuk activity but remain at large.
$2.17B Stolen from Crypto Services in 2025 — Hackers and scammers have stolen over $2.17 billion in crypto assets in the first half of this year, with North Korea’s $1.5 billion hack of Bybit accounting for the majority of the assets. Data from TRM Labs shows that $2.1 billion was stolen across at least 75 distinct hacks and exploits. A total of $801,315,669 was lost across 144 incidents in Q2 2025, per CertiK. Wallet compromise emerged as the most costly attack vector in H1 2025, with $1,706,937,700 stolen across 34 incidents. “So far in 2025, significant concentrations of stolen fund victims have emerged in the U.S., Germany, Russia, Canada, Japan, Indonesia, and South Korea,” Chainalysis said. “Personal wallet compromises make up a growing share of total ecosystem value stolen over time.”

Japan Targeted by North Korea and China in 2024 — Japanese organizations have been targeted by North Korean threat actors to distribute malware families like BeaverTail, InvisibleFerret, and RokRAT, as well as by Chinese hacking groups such as Mustang Panda, Stone Panda, MirrorFace, Teleboyi, and UNC5221. The China-linked attacks led to the deployment of backdoors and trojans like ANEL and PlugX, Macnica said.
Rainbow Hyena Goes After Russian Firms — The threat actor known as Rainbow Hyena targeted Russian healthcare and IT organizations using phishing emails containing malicious attachments to distribute a C++-based custom backdoor called PhantomRemote. “The backdoor collects information about the compromised system, loads other executables from the C2 server, and runs commands via the cmd.exe interpreter,” BI.ZONE said.
Migration to Post-Quantum Cryptography is Uneven — About 6% of all 186 million SSH servers on the internet already use quantum-safe encryption, according to a new report from Forescout Research – Vedere Labs. “Three quarters of OpenSSH versions on the internet still run versions released between 2015 and 2022 that do not support quantum-safe encryption,” the company said. “If regulators mandate quantum-safe encryption in the near future, organizations will face serious gaps. Outdated infrastructure will become a compliance and security risk.”
Brazilian Police Arrest IT Worker for $100 Million Cyber Theft — Authorities in Brazil arrested a suspect in connection with a cyber attack that diverted more than $100 million from the country’s banking systems. Per a report from the Associated Press, the suspect has been identified as João Roque, an IT employee of a software company named C&M. He allegedly helped unknown threat actors gain unauthorized access to Brazil’s instant payment system, known as PIX, by selling them his credentials earlier this year for about $2,700 in two separate cash payments. Once the cybercriminals breached the company’s network, they carried out fraudulent PIX transactions. It’s believed that the losses could rise further, as the figure refers to just one financial institution that contracted with C&M.
Italian Police Arrest Diskstation Ransomware Gang — Italian police have arrested a 44-year-old Romanian for carrying out cyber attacks against Italian companies as part of a law enforcement effort called Operation Elicius. The unidentified man is alleged to be the leader of the DiskStation Security ransomware group, which has targeted Synology network-attached storage (NAS) devices since 2021. He faces charges of unauthorized access to computer systems and extortion.
Samsung Announces KEEP to Store Sensitive Data — Samsung announced a number of security and privacy updates to its Galaxy smartphones with One UI 8, including support for quantum-resistant Wi-Fi connections using ML‑KEM and a new architecture called Knox Enhanced Encrypted Protection (KEEP) that creates encrypted, app-specific storage environments for storing data. KEEP also integrates with Samsung’s Personal Data Engine (PDE) and Knox Vault, the company’s hardware security environment, to enable personalized artificial intelligence (AI) features by analyzing users’ data on-device.
Cambodia Arrests Over 1,000 Amid Crackdown on Online Scams — Cambodian authorities have arrested more than 1,000 suspects linked to online scams in an effort to crack down on cybercrime operations in the country. Those detained included over 200 Vietnamese, 27 Chinese, 75 suspects from Taiwan, and 85 Cambodians in the capital Phnom Penh and the southern city of Sihanoukville. About 270 Indonesians, including 45 women, were arrested in Poipet. In a related development, Thai officials raided properties connected to a Cambodian senator and business tycoon, Kok An, in relation to a local network of cyber scam call centers.

🎥 Cybersecurity Webinars

From Autofill to Alarm Bells: Securing Identity in the Age of AI — Logins got easier—but trust got harder. As AI reshapes digital identity, users are questioning how their data is used and who’s really behind the screen. In this session, discover how top brands are tackling AI-driven identity risks while rebuilding trust with smarter, privacy-first authentication strategies.
How Attackers Hijack Your Dependencies—and What DevSecOps Teams Must Do Now — Your Python environment is under attack—quietly, and from within. In 2025, repo hijacks, poisoned packages, and typosquatting aren’t rare edge cases—they’re part of the threat landscape. This webinar shows developers and DevSecOps leaders how to lock down the Python supply chain before compromised dependencies take down your systems.
Your AI Copilot May Be Letting Attackers In — Learn How to Lock Down the Identity Layer — AI copilots are boosting productivity—and attackers are using the same power to break your identity perimeter. From API abuse to synthetic logins, the identity layer is under siege. Join Okta to learn how to secure AI-powered workflows, detect AI-driven threats, and make identity your strongest line of defense in 2025.

🔧 Cybersecurity Tools

OSINTMap — It is a lightweight tool that helps you quickly find and use popular OSINT resources. It organizes hundreds of investigation links—like people search, domain lookups, and breach checkers—into one easy-to-browse local dashboard. Ideal for anyone doing OSINT work, it saves time by keeping everything in one place.
NortixMail — It is an open-source, self‑hosted disposable email server that makes burner addresses easy—without the usual email server headache. You can spin it up with Docker or manually, generate temporary email addresses on demand, and view messages via a clean web interface. Since it keeps messages locally and doesn’t rely on third-party services, it’s a great tool for testing, avoiding spam, or protecting your inbox during risky sign‑ups.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Find Scheduled Tasks That Hide from Task Scheduler — Attackers often use Windows Scheduled Tasks to stay on a system unnoticed. Some go a step further and delete key registry values under the task's TaskCache\Tree entry, such as SD (the task's security descriptor) or Index, so the task no longer shows up in Task Scheduler, schtasks, or even Autoruns, all of which rely on the Task Scheduler service to list tasks. The task still runs in the background and can be used for persistence or malware delivery.

For tasks that are still visible, tools like Autoruns (by Sysinternals) and TaskSchedulerView (by NirSoft) are good starting points: they list active tasks and make unusual ones easy to spot. Hidden tasks require digging into the registry directly. Each registered task has a key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree holding an Id (the GUID of its definition under TaskCache\Tasks), an Index, and an SD value. Use PowerShell to walk that key and flag entries whose SD value is missing, and compare what you find against what Get-ScheduledTask returns: anything present in the registry but absent from the API is exactly the kind of task the GUI tools cannot see.
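The registry sweep described above, written out as an added example (this is not code from the original article). It walks TaskCache\Tree, skips folder keys (which carry no Id value), flags entries with a missing SD or Index value or an Index of 0, and reports any task the Task Scheduler API no longer returns. Run it from an elevated PowerShell session: the TaskCache key is readable only by administrators and SYSTEM.

```powershell
# Added example, not part of the article: hunt for scheduled tasks whose TaskCache
# metadata has been tampered with, or that Task Scheduler no longer admits to.
function Find-HiddenScheduledTask {
    [CmdletBinding()]
    param()

    $treeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    $treeName = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    $tasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

    # Everything the Task Scheduler API still reports. A registry entry that is absent
    # here is what schtasks, Task Scheduler and Autoruns will not show you.
    $visible = @{}
    foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $visible[$t.TaskPath + $t.TaskName] = $true
    }

    Get-ChildItem -Path $treeKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Folder keys in the Tree carry no Id value; only real task entries do.
        if ($null -eq $props -or $null -eq $props.PSObject.Properties['Id']) { return }

        # "\Microsoft\Windows\Foo\Bar", the same form Task Scheduler uses for TaskPath+TaskName.
        $taskPath = $_.Name.Substring($treeName.Length)
        $reasons  = New-Object System.Collections.Generic.List[string]

        if ($null -eq $props.PSObject.Properties['SD'])    { $reasons.Add('SD value missing') }
        if ($null -eq $props.PSObject.Properties['Index']) { $reasons.Add('Index value missing') }
        elseif ($props.Index -eq 0)                        { $reasons.Add('Index is 0') }
        if (-not $visible.ContainsKey($taskPath))          { $reasons.Add('not returned by Get-ScheduledTask') }

        if ($reasons.Count -eq 0) { return }

        # A hidden task still needs its Tasks\{GUID} definition and, usually, the XML under
        # System32\Tasks in order to run; both tell the analyst what it actually executes.
        $taskEntry = Get-ItemProperty -Path (Join-Path $tasksKey $props.Id) -ErrorAction SilentlyContinue
        $xmlFile   = Join-Path $env:SystemRoot ('System32\Tasks' + $taskPath)

        [PSCustomObject]@{
            TaskPath   = $taskPath
            Id         = $props.Id
            Reasons    = ($reasons -join '; ')
            TasksEntry = [bool]$taskEntry
            XmlOnDisk  = (Test-Path -LiteralPath $xmlFile)
        }
    }
}

Find-HiddenScheduledTask | Sort-Object TaskPath | Format-Table -AutoSize
```

Treat the "not returned by Get-ScheduledTask" finding as the strongest signal: a missing SD value is the usual cause, but any task the API refuses to enumerate deserves a look at its Tasks\{GUID} entry and on-disk XML before you decide it is benign. Run the script once on a clean build to capture a baseline, so later comparisons surface only new entries.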

For ongoing monitoring, use Sysmon to record changes to the TaskCache registry key and ProcMon to watch registry activity in real time. Look for suspicious task names, deleted SD or Index values, or an Index being set to 0. Also alert on Security Event ID 4698, which logs the creation of a new scheduled task together with its full XML definition. Two caveats: Sysmon only records registry changes that match a RegistryEvent rule in its configuration, so the TaskCache path has to be in the config, and 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled.
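The log-side hunt that goes with the paragraph above, as an added example rather than code from the article. It reads Sysmon registry events (ID 12 for DeleteValue, ID 13 for SetValue) touching TaskCache\Tree and Security 4698 events, and reduces each to the fields an analyst needs. It assumes Sysmon is installed with a configuration that covers the TaskCache key and that the Other Object Access Events audit subcategory is enabled; the auditpol line in the comment is the command that turns it on.

```powershell
# Added example, not part of the article. Prerequisites (assumed, not checked here):
#   - Sysmon running with a RegistryEvent rule that includes ...\Schedule\TaskCache\
#   - auditpol /set /subcategory:"Other Object Access Events" /success:enable
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Read EventData by field name rather than by position so this survives schema changes.
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Get-TaskCacheTampering {
    param([int]$MaxEvents = 5000)
    # Sysmon 12 = key/value create or delete (EventType DeleteValue), 13 = SetValue.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = Get-EventDataMap $e
        if ($d.TargetObject -notlike '*\Schedule\TaskCache\Tree\*') { continue }
        $leaf = Split-Path -Leaf $d.TargetObject
        # Deleting SD or Index hides the task; Sysmon renders a zero DWORD as "DWORD (0x00000000)".
        $suspicious = ($d.EventType -eq 'DeleteValue' -and $leaf -in 'SD', 'Index') -or
                      ($d.EventType -eq 'SetValue' -and $leaf -eq 'Index' -and $d.Details -match '0x0+\)$')
        if (-not $suspicious) { continue }
        [PSCustomObject]@{
            Time    = $e.TimeCreated
            Source  = "Sysmon $($e.Id)"
            Event   = $d.EventType
            Target  = $d.TargetObject
            Details = $d.Details
            Process = $d.Image
        }
    }
}

function Get-NewScheduledTaskEvent {
    param([int]$MaxEvents = 1000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = Get-EventDataMap $e
        # TaskContent carries the whole task XML; pull out the Exec actions, which is what runs.
        $exec = ([xml]$d.TaskContent).Task.Actions.Exec
        [PSCustomObject]@{
            Time    = $e.TimeCreated
            Source  = 'Security 4698'
            Task    = $d.TaskName
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Command = ($exec | ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }) -join ' | '
        }
    }
}

Get-TaskCacheTampering    | Format-Table -AutoSize
Get-NewScheduledTaskEvent | Format-Table -AutoSize
```

Correlating the two lists is where the value is: a 4698 that registers a task followed minutes later by a Sysmon DeleteValue on that task's SD is the sequence the tip describes, and the Process field from Sysmon tells you which binary did the hiding. Tasks whose action is a ComHandler rather than an Exec will show an empty Command column; inspect their TaskContent by hand.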

In short: use both visual tools and registry checks to uncover hidden scheduled tasks. Regular scans, baseline comparisons, and basic alerting can help catch threats early—before they do damage.

Conclusion

What’s becoming clearer each week is that attacker sophistication isn’t the exception—it’s the baseline. AI-driven reconnaissance, credential abuse, and signal mimicry are no longer advanced—they’re routine.

And as coordination gaps persist across security teams, the boundary between low-level noise and high-impact intrusions continues to blur. The result isn’t just a faster compromise—it’s a deeper erosion of trust. If trust was once a strength, it’s now a surface that attackers exploit.
