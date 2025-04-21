Can a harmless click really lead to a full-blown cyberattack?

Surprisingly, yes — and that's exactly what we saw in last week's activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature, or reused login tokens. These aren't just tech issues — they're habits being exploited.

Let's walk through the biggest updates from the week and what they mean for your security.

⚡ Threat of the Week

Recently Patched Windows Flaw Comes Under Active Exploitation — A recently patched security flaw affecting Windows NTLM has been exploited by malicious actors to leak NTLM hashes or user passwords and infiltrate systems since March 19, 2025. The flaw, CVE-2025-24054 (CVSS score: 6.5), is a hash disclosure spoofing bug that was fixed by Microsoft last month as part of its Patch Tuesday updates. The security flaw is assessed to be a variant of CVE-2024-43451 (CVSS score: 6.5), which was patched by Microsoft in November 2024 and has also been weaponized in the wild in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle.

🔔 Top News

North Korea Targets Crypto Developers with Fake Python Coding Challenges — The North Korea-linked threat actor known as Slow Pisces (aka Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899) is targeting developers, particularly in the cryptocurrency sector, with new stealer malware disguised as a coding assignment. The "challenge" asks the developer to run a trojanized project, which infects the system with malware named RN Loader and RN Stealer. Jade Sleet is one of several North Korean activity clusters that use job-opportunity lures as a malware distribution vector; the others include Operation Dream Job, Contagious Interview, Alluring Pisces, and Moonstone Sleet.

Mustang Panda Debuts Four New Tools in Attack on Myanmar — The China-linked threat actor known as Mustang Panda targeted an unspecified organization in Myanmar with an updated version of its signature backdoor, TONESHELL, and debuted four new attack tools: two keyloggers (PAKLOG and CorKLOG), a utility for lateral movement (StarProxy), and a driver for evading endpoint detection and response (EDR) software (SplatCloak). The findings show the group continuing to refine its tradecraft to sidestep detection.

European Diplomats Targeted in GRAPELOADER Attacks — The Russian state-sponsored threat actor known as APT29 has been attributed to a phishing campaign targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported loader codenamed GRAPELOADER. The phishing emails use wine-tasting lures to entice recipients into opening booby-trapped ZIP archives that lead to GRAPELOADER, a loader whose job is to retrieve the next-stage payload.

Apple Patches Two Actively Exploited Flaws — Apple has released fixes for two security flaws that it said have come under active exploitation in the wild. The flaws, a memory corruption vulnerability in the Core Audio framework (CVE-2025-31200) and an unspecified vulnerability in RPAC (CVE-2025-31201), are said to have been weaponized in an "extremely sophisticated attack against specific targeted individuals on iOS." The exact nature of the exploitation and who was targeted are not known. The issues are addressed in iOS 18.4.1, iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1.

UNC5174 Targets Linux Systems with SNOWLIGHT and VShell — A cyber espionage group with ties to China's Ministry of State Security has infected organizations worldwide with a stealthy remote access trojan (RAT) called VShell to support both espionage and access resale. The attacks, attributed to UNC5174, use a mix of custom and open-source malware, including a dropper named SNOWLIGHT that paves the way for the in-memory payload VShell. UNC5174 has also used new command-and-control infrastructure since January 2025. The primary targets are U.S.-based organizations, although SNOWLIGHT has also been spotted in Hong Kong, Taiwan, Japan, Germany, and France. The campaign is believed to have been running since at least November 2024.

🔥 Trending CVEs

Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week's list includes — CVE-2025-2492 (ASUS), CVE-2025-24054 (Microsoft Windows), CVE-2025-32433 (Erlang/OTP), CVE-2021-20035 (SonicWall Secure Mobile Access 100 Series), CVE-2025-31200, CVE-2025-31201 (Apple iOS, iPadOS, macOS Sequoia, tvOS, and visionOS), CVE-2025-24859 (Apache Roller), CVE-2025-1093 (AIHub theme), and CVE-2025-3278 (UrbanGo Membership plugin).

📰 Around the Cyber World

Google Makes :visited More Private — Google is finally taking steps to plug a privacy issue that, for over 20 years, let websites infer a user's browsing history from previously visited links. The side channel stemmed from allowing any site to style links with the :visited selector (classically, rendering them purple) whenever the user had clicked that URL anywhere, so a site could probe whether arbitrary URLs were in the user's history and use the answers to deanonymize or track them. With the release of Chrome 136 on April 23, 2025, Google is adopting what it calls triple-key partitioning: a link is styled as visited only if the key of (link URL, top-level site, frame origin) matches the context in which the click originally happened. "With partitioning enabled, your :visited history is no longer a global list that any site can query," the company said.
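To make the change concrete, here is a small model of the old global :visited list beside the new triple-keyed partition. It is an added example written for this recap, not Chromium code. It approximates a "site" as the last two host labels (Chromium uses the Public Suffix List instead), and the scenario it runs, a user clicking a bank.example link while reading news.example, uses invented domain names.

```javascript
// Added example: toy model of Chrome's :visited partitioning. Not Chromium code.
// Assumption: "site" == scheme + last two host labels (real browsers use the
// Public Suffix List, so e.g. co.uk domains would need more labels).

// Reduce a URL to its origin (scheme://host[:port]).
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Approximate site (scheme + eTLD+1) of a URL.
function siteOf(urlString) {
  const u = new URL(urlString);
  const etldPlusOne = u.hostname.split(".").slice(-2).join(".");
  return `${u.protocol}//${etldPlusOne}`;
}

class VisitedLinkStore {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.keys = new Set();
  }

  // Legacy model: the key is the link URL alone, i.e. one global list.
  // Partitioned model: (link URL, top-level site, frame origin).
  keyFor(linkUrl, topLevelUrl, frameUrl) {
    if (!this.partitioned) return linkUrl;
    return JSON.stringify([linkUrl, siteOf(topLevelUrl), originOf(frameUrl)]);
  }

  // Record a click on a link rendered inside frameUrl on the page topLevelUrl.
  recordClick(linkUrl, topLevelUrl, frameUrl) {
    this.keys.add(this.keyFor(linkUrl, topLevelUrl, frameUrl));
  }

  // Would the :visited selector match this link in this rendering context?
  isVisited(linkUrl, topLevelUrl, frameUrl) {
    return this.keys.has(this.keyFor(linkUrl, topLevelUrl, frameUrl));
  }
}

// Constructed scenario: the user clicks a bank.example link in the top-level
// frame of news.example. Three contexts then ask whether the link is visited.
function runScenario(partitioned) {
  const store = new VisitedLinkStore({ partitioned });
  const link = "https://bank.example/statements";
  const news = "https://www.news.example/article";

  store.recordClick(link, news, news);

  return {
    // Another page on the same site, top-level frame: should still look visited.
    sameContext: store.isVisited(link, "https://www.news.example/other", "https://www.news.example/other"),
    // Unrelated site probing the same URL through a :visited side channel.
    crossSite: store.isVisited(link, "https://attacker.example/probe", "https://attacker.example/probe"),
    // Third-party iframe on news.example: same top-level site, different frame origin.
    thirdPartyFrame: store.isVisited(link, "https://www.news.example/article", "https://ads.example/widget"),
  };
}

console.log("legacy:", runScenario(false));
console.log("partitioned:", runScenario(true));
```

In the legacy model all three queries return true, which is exactly the global-list leak. With partitioning, only sameContext is true: the click stays visible to the site and frame that rendered it, and neither a cross-site page nor a third-party iframe on the same page can observe it. The real implementation has further rules this toy omits, but the key structure is the point.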

🎥 Cybersecurity Webinars

AI-Powered Impersonation Is Beating MFA—Here's How to Shut the Door on Identity-Based Attacks — AI-driven impersonation is making traditional MFA useless—and attackers are getting in without ever stealing a password. In this session, you'll learn how to stop identity-based attacks before they start, using real-time verification, access checks, and advanced deepfake detection. From account takeover prevention to AI-powered identity proofing, see how modern defenses can shut the door on imposters. Join the webinar to see it in action.

Smart AI Agents Need Smarter Security—Here's How to Start — AI agents are helping teams move faster—but without the right security, they can expose sensitive data or be manipulated by attackers. This session walks you through how to build AI agents securely, with practical steps, key controls, and overlooked risks you need to know. Learn how to reduce exposure without losing productivity, and keep your AI tools safe, reliable, and under control. Register now to start securing your AI the right way.

🔧 Cybersecurity Tools

dAWShund — AWS has powerful tools for managing cloud security — but those same tools can be misused if not closely monitored. dAWShund is a Python framework that helps security teams find, check, and map AWS permissions across accounts and regions. It's made up of three tools: one to list resources and policies, one to test what actions are allowed, and one to visualize it all using graphs. Whether you're on defense or offense, dAWShund helps you spot risky access before attackers do.

Tirreno — An open-source fraud prevention platform you can host yourself. Built with PHP and PostgreSQL, it monitors user activity and flags suspicious behavior across websites, apps, SaaS platforms, and online communities. From stopping fake signups and bot traffic to flagging high-risk merchants, Tirreno provides real-time analytics and risk signals, with a setup the project advertises as taking about five minutes on your own server.

🔒 Tip of the Week

Stop Spam Before It Starts: Use Burner Emails the Smart Way — Most people use the same email address everywhere, so when one company leaks or sells it, the inbox fills with spam and phishing. A better approach is a per-service alias scheme: give each company its own address, such as netflix@yourdomain.com. Register an inexpensive domain (myaliashub.com is only a placeholder here) and set up a catch-all forward with a service like ImprovMX or SimpleLogin, so mail sent to any name on that domain lands in your real inbox. When an alias starts receiving spam, you know exactly who leaked it, and you can block or delete that one address without ever changing your real email. Two caveats: a catch-all accepts mail to any name, so expect some spam to made-up addresses on the domain, and a domain registered to you ties all of its aliases together, which is a privacy trade-off compared with random relay addresses.

If you use Gmail, you can append +tag to the local part, like alex+uber@gmail.com, and Gmail still delivers it. This lets you see who shared your address and build filters, but it offers little privacy: the real address is in plain sight, anyone can strip the +tag to recover it, and some sites reject addresses containing a plus sign. A better long-term option is a custom domain on Gmail through Google Workspace, which gives you real aliases like shop@yourdomain.com with full control and spam filtering.

Apple users can use Hide My Email (built into iOS and macOS). It creates a random address such as x2k4@privaterelay.appleid.com for each website and forwards messages to your iCloud inbox; you can disable or delete any of them at any time. It's well suited to signups, subscriptions, and trials where you don't want to hand over your real address. iCloud+ also supports custom email domains for those who want more control. Used consistently, these tools keep you organized, stop spam early, and let you trace a leak to its source, all without changing your main email.

Conclusion

This week made it clear: attackers aren't just hunting for big holes — they're slipping through tiny cracks we barely notice. An outdated security setting. A forgotten endpoint. A tool used slightly out of spec. And just like that, they're in. We're seeing more cases where the compromise isn't about breaking in — it's about being invited in by accident. As systems grow more connected and automated, even the smallest misstep can open a big door.

Stay sharp, stay curious — and double-check the things you think are "too minor to matter."