2025-06-02

If this had been a security drill, someone would've said it went too far. But it wasn't a drill—it was real. The access? Everything looked normal. The tools? Easy to find. The detection? Came too late.

This is how attacks happen now—quiet, convincing, and fast. Defenders aren't just chasing hackers anymore—they're struggling to trust what their systems are telling them.

The problem isn't too few alerts. It's too many, with no clear meaning. One thing is clear: if your defense still waits for obvious signs, you're not protecting anything. You're just watching it happen.

This recap highlights the moments that mattered—and why they're worth your attention.

⚡ Threat of the Week

APT41 Exploits Google Calendar for Command-and-Control — The Chinese state-sponsored threat actor known as APT41 deployed a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). Google said it observed the spear-phishing attacks in October 2024 and that the malware was hosted on an unspecified compromised government website. TOUGHPROGRESS is designed to read and write events with an attacker-controlled Google Calendar, and extract the commands specified in them for subsequent execution. The results of the execution are written back to another Calendar event from where they can be accessed by the attackers. The campaign targeted multiple other government entities, although the company did not reveal who was singled out.

🔔 Top News

New Law Enforcement Operation Takes down AvCheck[.]net — Authorities in the United States, in partnership with Finland and the Netherlands, have seized four domains and associated infrastructure that offered counter-antivirus (CAV) tools and crypting services to other threat actors to help their malware evade security software. These include AvCheck[.]net, Cryptor[.]biz, and Crypt[.]guru. "The seized domains offered services to cybercriminals, including counter-antivirus (CAV) tools," the U.S. Justice Department said. "When used together, CAV and crypting services allow criminals to obfuscate malware, making it undetectable and enabling unauthorized access to computer systems." Authorities said the seizure of AvCheck was made possible by mistakes made by its administrators. "The admins did not provide the security they promised," officials said in a notice, adding that they have also confiscated a database containing usernames, email addresses, payment information, and more.

‎️‍🔥 Trending CVEs

Attackers love software vulnerabilities – they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week's list includes — CVE-2025-3935 (ConnectWise ScreenConnect), CVE-2025-47577 (TI WooCommerce Wishlist plugin), CVE-2025-2760, CVE-2025-2761 (GIMP), CVE-2025-0072 (Arm Mali GPU), CVE-2025-27462, CVE-2025-27463, CVE-2025-27464 (Citrix XenServer VM Tools for Windows), CVE-2025-4793 (PHPGurukul Online Course Registration), CVE-2025-47933 (Argo CD), CVE-2025-46701 (Apache Tomcat CGI servlet), CVE-2025-48057 (Icinga 2), CVE-2025-48827, CVE-2025-48828 (vBulletin), CVE-2025-41438, CVE-2025-46352 (Consilium Safety CS5000 Fire Panel), CVE-2025-1907 (Instantel Micromate), CVE-2025-26383 (Johnson Controls iSTAR Configuration Utility), CVE-2018-1285 (Rockwell Automation FactoryTalk Historian ThingWorx), CVE-2025-26147 (Denodo Scheduler), CVE-2025-24916, and CVE-2025-24917 (Tenable Network Monitor).

📰 Around the Cyber World

Mandatory Ransomware Payment Disclosure Begins in Australia — Australia became the first country in the world to require victims of ransomware attacks to declare to the government any extortion payments made on their behalf to cyber criminals. The law, initially proposed last year, only applies to organizations with an annual turnover greater than AU$3 million ($1.93 million), alongside a smaller group of specific entities working within critical infrastructure sectors. The turnover threshold is expected to capture just the top 6.5% of all registered businesses in Australia, which together account for roughly half of the country's economy. Applicable organizations must report any ransomware payment they make to the Australian Signals Directorate (ASD) reporting tool within 72 hours of making the payment or becoming aware that a ransomware payment has been made on their behalf. The report must include the ransomware payment amount demanded and paid, and the method of provision that was demanded and used. The requirements do not apply to public sector bodies. Failure to comply can result in civil penalties.

🎥 Cybersecurity Webinars

The Hidden Danger Inside Every AI Agent — And How Hackers Are Exploiting It → AI agents can't run without access—but the service accounts and API keys they use often go unseen and unsecured. These invisible identities are becoming a top target for attackers. Join Astrix Security's Jonathan Sander to uncover the hidden risks behind AI and learn how to lock them down before it's too late. Don't wait for a breach—secure your AI from the inside out.

Your Trusted Apps Are Being Weaponized — Here's How to Spot It → Attackers no longer need to break in—they blend in. Using "Living Off Trusted Sites" (LOTS) tactics, they exploit popular apps and services to hide in plain sight. Join Zscaler's threat-hunting experts Marina Liang and Jessica Lee for a deep dive into how stealth attacks are uncovered across the world's largest security cloud. Learn the tools, techniques, and real-world cases behind modern evasion—and how to detect what your security stack is likely missing. If you're defending enterprise systems, this is your blueprint for spotting what others overlook.

🔧 Cybersecurity Tools

RedTeamTP — This toolkit streamlines red team infrastructure deployment using GitHub Actions. It supports Cobalt Strike, Mythic, and phishing setups across AWS, Azure, and DigitalOcean—handling config generation, provisioning, and teardown through repeatable, secure workflows.

CloudRec — An open-source multi-cloud CSPM platform that helps secure cloud environments through automated asset discovery, real-time risk detection, and customizable OPA-based policies. It supports AWS, GCP, Alibaba Cloud, and more, with a flexible, scalable architecture.

🔒 Tip of the Week

Use AI Models to Challenge Your Security Assumptions → AI tools like OpenAI's o3 aren't just for writing code—they can now help spot serious bugs, including vulnerabilities that even experts may miss. In one real case, o3 helped uncover a hidden flaw in Linux's kernel code by analyzing how different threads could access the same object at the wrong time—something that's easy to overlook.

How to apply this: When reviewing code or systems, try giving an AI model a specific function, some background about how it's used, and ask it questions like:

What could go wrong if two users interact at the same time?

Could this object be deleted while still in use?

Are all failure cases handled properly?

Why it works: Even experienced security teams make assumptions—about timing, logic, or structure—that attackers won't. A model doesn't share your team's assumptions, so it can surface interleavings and failure paths a reviewer skips as unlikely, which is exactly where real bugs hide. It also produces false positives, so treat what it reports as leads to verify against the code, not as verdicts.

Use AI to think differently, and you may catch weak spots before someone else does.
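The second question above ("Could this object be deleted while still in use?") is the shape of the kernel flaw the tip refers to: one thread tears an object down while another thread, which looked it up a moment earlier, is still using it. The flaw itself lives in native kernel code; the example below is an added illustration, not the kernel code or the model's output, and models the same lifetime bug in Python with a made-up session table. It scripts the interleaving as a fixed sequence (rather than racing real threads) so the outcome is deterministic, and puts the naive table beside a reference-counted one where logoff only makes the session unreachable and the last holder closes it.

```python
import threading


class Session:
    """A server-side object that a logoff can tear down (made-up for this example)."""

    def __init__(self, sid, user):
        self.sid = sid
        self.user = user
        self.refs = 0          # used only by the refcounted table
        self.closed = False

    def send(self, msg):
        if self.closed:
            raise RuntimeError(f"use-after-close on session {self.sid}")
        return f"[{self.sid}:{self.user}] {msg}"

    def close(self):
        self.closed = True


class NaiveSessionTable:
    """Logoff closes the session at once, whatever other threads still hold."""

    def __init__(self):
        self._sessions = {}
        self._lock = threading.Lock()

    def create(self, sid, user):
        with self._lock:
            self._sessions[sid] = Session(sid, user)

    def acquire(self, sid):
        with self._lock:
            return self._sessions.get(sid)    # a bare handle, no ownership taken

    def release(self, session):
        pass                                  # nothing tracks who is using it

    def logoff(self, sid):
        with self._lock:
            s = self._sessions.pop(sid, None)
        if s is not None:
            s.close()                         # may be mid-use on another thread


class RefcountedSessionTable:
    """Every user takes a reference; the last one out closes the session."""

    def __init__(self):
        self._sessions = {}
        self._lock = threading.Lock()

    def create(self, sid, user):
        with self._lock:
            s = Session(sid, user)
            s.refs = 1                        # the table's own reference
            self._sessions[sid] = s

    def acquire(self, sid):
        with self._lock:                      # lookup and ref bump are one step
            s = self._sessions.get(sid)
            if s is not None:
                s.refs += 1
            return s

    def release(self, session):
        with self._lock:
            session.refs -= 1
            if session.refs == 0:
                session.close()               # only once nobody can still use it

    def logoff(self, sid):
        with self._lock:
            s = self._sessions.pop(sid, None)  # unreachable to new users now ...
        if s is not None:
            self.release(s)                   # ... but closed only by the last holder


def race_scenario(table):
    """
    Script the interleaving the question targets: thread A is mid-request on
    a session when thread B's logoff lands. Written as a fixed sequence so
    the result does not depend on scheduler timing.
    """
    table.create("s1", "alice")
    s = table.acquire("s1")        # A: request handler picks up the session
    table.logoff("s1")             # B: logoff arrives while A is still working
    try:
        reply = s.send("hello")    # A: keeps using the object it looked up
    except RuntimeError as exc:
        return {"ok": False, "error": str(exc), "closed": s.closed}
    table.release(s)               # A: done; the refcounted table closes it here
    return {"ok": True, "reply": reply, "closed": s.closed}


if __name__ == "__main__":
    print("naive:     ", race_scenario(NaiveSessionTable()))
    print("refcounted:", race_scenario(RefcountedSessionTable()))
```

With the naive table the send fails with a use-after-close error, which is the managed-language stand-in for the use-after-free the kernel bug would produce. With the reference-counted table the same interleaving completes and the session is closed only after thread A releases it. The lock matters as much as the counter: the lookup and the reference bump happen under it, so a logoff cannot slip in between them.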

Conclusion

The tools may keep changing, but the core challenge remains: knowing what to act on, and when. As new threats emerge and familiar ones resurface in unexpected ways, clarity becomes your sharpest defense.

Use these insights to question assumptions, update plans, and strengthen the weak spots that don't always show up on dashboards. Good security isn't just about staying ahead—it's about staying sharp.