This week, cyber attackers are moving quickly, and businesses need to stay alert. They're finding new weaknesses in popular software and coming up with clever ways to get around security. Even one unpatched flaw could let attackers in, leading to data theft or even taking control of your systems. The clock is ticking—if defenses aren't updated regularly, it could lead to serious damage. The message is clear: don't wait for an attack to happen. Take action now to protect your business.

Here's a look at some of the biggest stories in cybersecurity this week: from new flaws in WinRAR and NVIDIA Triton to advanced attack techniques you should know about. Let's get into the details.

⚡ Threat of the Week

Trend Micro Warns of Actively Exploited 0-Day — Trend Micro has released temporary mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities (CVE-2025-54948 and CVE-2025-54987), both rated 9.4 on the CVSS scoring system, have been described as management console command injection and remote code execution flaws. There are currently no details on how the issues are being exploited in real-world attacks. Trend Micro said it "observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild."

🔔 Top News

  • WinRAR 0-Day Under Active Exploitation — The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability. Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files. Russian cybersecurity vendor BI.ZONE, in a report published last week, said there are indications that the hacking group tracked as Paper Werewolf (aka GOFFEE) may have leveraged CVE-2025-8088 alongside CVE-2025-6218, a directory traversal bug in the Windows version of WinRAR that was patched in June 2025.
  • New Windows EPM Poisoning Exploit Chain Detailed — New findings presented at the DEF CON 33 security conference showed that a now-patched security issue in Microsoft's Windows Remote Procedure Call (RPC) communication protocol (CVE-2025-49760, CVSS score: 3.5) could be abused by an attacker to conduct spoofing attacks and impersonate a known server. The vulnerability essentially makes it possible to manipulate a core component of the RPC protocol and stage what's called an EPM poisoning attack that allows unprivileged users to pose as a legitimate, built-in service with the goal of coercing a protected process to authenticate against an arbitrary server of an attacker's choosing.
  • BadCam Attack Targets Linux Webcams From Lenovo — Linux-based webcams from Lenovo, Lenovo 510 FHD and Lenovo Performance FHD, which are powered by a System on a Chip (SoC) and firmware made by the Chinese company SigmaStar, can be weaponized and turned into BadUSB vectors, allowing attackers to tamper with the firmware of the devices to execute malicious commands when connected to a computer. "This allows remote attackers to inject keystrokes covertly and launch attacks independent of the host operating system," Eclypsium researchers Paul Asadoorian, Mickey Shkatov, and Jesse Michael said.
  • The Far-Reaching Scale of VexTrio Revealed — A new analysis of VexTrio has unmasked it as a "cybercriminal organization with tendrils that are far-reaching," operating dozens of businesses and front companies across Europe, while posing as a legitimate ad tech firm to conduct various types of fraud. The cyber fraud network is assessed to have been active in its present form since at least 2017. That said, suspected key figures behind the scheme have been linked to scam reports and sketchy domains since 2004. VexTrio's nerve center is Lugano, melding scam operations and traffic distribution schemes to maximize illicit revenue. It's also the result of two businesses, Tekka Group and AdsPro Group, joining forces in 2020. "The merger created a formidable suite of commercial entities that touch every part of the ad tech industry," Infoblox said. VexTrio is known for using traffic distribution systems (TDSes) to filter and redirect web traffic based on specific criteria, as well as relying on sophisticated DNS manipulation techniques like fast-fluxing, DNS tunneling, and domain generation algorithms (DGAs) to rapidly change the IP addresses associated with their domains, establish covert command-and-control (C2) communication, and maintain persistent access with infected systems. Campaigns orchestrated by the threat actor leverage TDSes to hijack web users from compromised websites and redirect them to a variety of malicious destinations, from tech support scams and fake updates to phishing domains and exploit kits. The use of commercial entities to run the traffic distribution schemes offers several advantages to threat actors, both from an operational perspective as well as avoiding scrutiny from the infosec community and law enforcement by maintaining a veneer of legitimacy. The system works like any other ad tech network, only it's malicious in nature. The threat actors pay VexTrio-controlled firms as if they were legitimate customers, receiving a steady supply of hijacked traffic and unsuspecting victims through TDSes for a variety of threats, from cryptocurrency scams to fake captcha schemes. "VexTrio employs a few hundred people globally. It's unclear how much the average VexTrio employee knows about the true business model," Infoblox said. The arrangement has proven to be extremely lucrative for VexTrio operators, who have been found leading a lavish lifestyle, sharing on social media about expensive cars and other luxuries.
  • Multiple Flaws Patched in NVIDIA Triton — Nvidia has patched a trio of vulnerabilities in its Triton inference server that could give unauthenticated remote attackers a way to take full control of susceptible servers. The new Triton vulnerabilities underscore a broader and rapidly growing category of AI-related threats that organizations must now factor into their security postures. With AI and ML tools becoming deeply embedded in critical business workflows, the attack surface has expanded in ways that traditional security frameworks aren't always equipped to handle. The emergence of new threats like AI supply chain integrity, model poisoning, prompt injection, and data leakage signals the need for securing the underlying infrastructure and practicing defense-in-depth.

🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it's a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week's high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week's list includes — CVE-2025-8088 (WinRAR), CVE-2025-55188 (7-Zip), CVE-2025-4371 (Lenovo 510 FHD and Performance FHD web cameras), CVE-2025-25050, CVE-2025-25215, CVE-2025-24922, CVE-2025-24311, CVE-2025-24919 (Dell ControlVault3), CVE-2025-49827, CVE-2025-49831 (CyberArk Secrets Manager), CVE-2025-6000 (HashiCorp Vault), CVE-2025-53786 (Microsoft Exchange Server), CVE-2025-30023 (Axis Communications), CVE-2025-54948, CVE-2025-54987 (Trend Micro Apex One Management Console), CVE-2025-23310, CVE-2025-23311, CVE-2025-23319 (NVIDIA Triton), CVE-2025-54574 (Squid Web Proxy), CVE-2025-7025, CVE-2025-7032, and CVE-2025-7033 (Rockwell Automation Arena Simulation), CVE-2025-54253, CVE-2025-54254 (Adobe Experience Manager Forms), CVE-2025-24285 (Ubiquiti UniFi Connect EV Station), CVE-2025-38236 (Linux Kernel), CVE-2025-2771, CVE-2025-2773 (BEC Technologies routers), CVE-2025-25214, CVE-2025-48732 (WWBN AVideo), CVE-2025-26469, and CVE-2025-27724 (MedDream PACS Premium).

📰 Around the Cyber World

  • NVIDIA Rejects Backdoor Claims — GPU maker NVIDIA has rejected accusations that it has built backdoors or kill switches in its chips. "There are no back doors in NVIDIA chips. No kill switches. No spyware. That's not how trustworthy systems are built—and never will be," Nvidia Chief Security Officer David Reber Jr. said. The development came after the Cyberspace Administration of China (CAC) said it held a meeting with NVIDIA over "serious security issues" in the company's chips and claimed that U.S. artificial intelligence (AI) experts "revealed that NVIDIA's computing chips have location tracking and can remotely shut down the technology." A kill switch in a chip would be "a permanent flaw beyond user control, and an open invitation for disaster," Reber Jr. added.
  • Attackers Compromise Target Within 5 Minutes — Threat actors successfully compromised corporate systems within just five minutes using a combination of social engineering tactics and rapid PowerShell execution. The incident demonstrates how cybercriminals are weaponizing trusted business applications to bypass traditional security measures. "The Threat Actor targeted around twenty users, impersonating IT support personnel, and successfully convinced two users to grant remote access to their system using the Windows native Quick Assist remote support tool," NCC Group said. "In less than five minutes, the Threat Actor executed PowerShell commands that led to the download of offensive tooling, malware execution and the creation of persistence mechanisms." The attack was detected and stopped before it could have led to a bigger infection.
  • Companies Drowning in Threat Intel — A new study commissioned by Google Cloud found that an "overwhelming volume of threats and data combined with the shortage of skilled threat analysts" are making companies more vulnerable to cyber attacks and keeping them stuck in a reactive state. "Rather than aiding efficiency, myriad [threat intelligence] feeds inundate security teams with data, making it hard to extract useful insights or prioritize and respond to threats. Security teams need visibility into relevant threats, AI-powered correlation at scale, and skilled defenders to use actionable insights, enabling a shift from a reactive to a proactive security posture," the study found. The survey was conducted with 1,541 senior IT and cybersecurity leaders at enterprise organizations in North America, Europe, and Asia Pacific.
  • New EDR Killer Spotted — Malware capable of terminating antivirus software and obfuscated using commercial packers like HeartCrypt is being used in ransomware attacks involving BlackSuit, RansomHub, Medusa, Qilin, DragonForce, Crytox, Lynx, and INC. Posing as a legitimate utility, the EDR killer looks for a driver with a five-letter random name that's signed with a compromised certificate to achieve its goals. If found, the malicious driver is loaded into the kernel, as required to perform a bring your own vulnerable driver (BYOVD) attack and achieve kernel privileges required to turn off security products. The exact list of antivirus software to be terminated varies among samples. It's believed to be an evolution of EDRKillShifter, developed by RansomHub. "Multiple new variants of a malicious driver that first surfaced in 2022 are circulating in the wild," Symantec warned earlier this January. "The driver is used by attackers to attempt to disable security solutions." The fact that multiple ransomware actors are relying on variants of the same EDR killer tool alludes to the possibility of a common seller or some sort of an "information/tool leakage between them."
  • Ransomware Continues to Evolve — Threat intel firm Analyst1 has published a profile of Yaroslav Vasinskyi, a Ukrainian national and member of the REvil gang that broke into Kaseya in 2021. Meanwhile, the ransomware landscape continues to be volatile as ever, replete with rebrands and abrupt cessation of activities amid continued law enforcement takedowns: BlackNevas (aka Trial Recovery) is assessed to be a derivative of Trigona, while one affiliate named "hastalamuerte" alleged that the Qilin group had conducted an exit scam, defrauding them of $48,000. Another user, operating under the handle "Nova," publicly leaked the Qilin affiliate panel, including login credentials, further exposing the group's operational security weaknesses. RansomHub, Babuk-Bjorka, FunkSec, BianLian, 8Base, CACTUS, Hunters International, and LockBit are among the groups that have stopped publishing new victims, indicating an increasingly fragmented ransomware ecosystem. "The rapid succession of events following the disappearance of RansomHub and the subsequent rise – and apparent turbulence – within Qilin's operations underscore the dynamic volatility of today's ransomware ecosystem," Dark Atlas said. "The internal chaos and alleged exit scam within Qilin [...] reveal deep fissures in trust and operational security among ransomware collectives, further compounded by active interference from law enforcement and rival groups."
  • Turkish Organizations Targeted by SoupDealer — Banks, ISPs, and mid-level organizations in Türkiye are being targeted by phishing campaigns that deliver a new Java-based loader called SoupDealer. "When this malware is executed, it uses advanced persistence mechanisms – including downloading TOR to establish communication with the C2 panel and scheduling tasks for automatic execution – to ensure the device is located in Türkiye and being used in Turkish," Malwation said. "It then sends various information based on signals from the command-and-control server and gains full control over the device."
  • Spark RAT Detailed — Cybersecurity researchers have detailed the inner workings of an open-source RAT called Spark RAT that's capable of targeting Windows, Linux, and macOS systems. It allows an attacker to remotely commandeer a compromised endpoint by establishing communications with C2 infrastructure and awaiting further instructions from an operator. "All the desirable RAT features are present, with the perhaps notable absence of Remote Desktop-like functionality," F5 Labs said. "These factors have combined to make SparkRAT an attractive offensive tool choice, as is evidenced by the documented instances of its use in threat campaigns."
  • Threat Actors' Use of SVG Files Increases — Cybercriminals are turning Scalable Vector Graphics (SVG) files into potent weapons by embedding malicious JavaScript payloads that can bypass traditional security measures. Phishing attacks adopting the technique have revolved around convincing targets to open an SVG file, triggering the execution of the JavaScript code in the web browser, which then redirects them to a phishing site designed to steal credentials. "Instead of storing pixel data, SVGs use XML-based code to define vector paths, shapes, and text," Seqrite said. "This makes them ideal for responsive design, as they scale without losing quality. However, this same structure allows SVGs to contain embedded JavaScript, which can execute when the file is opened in a browser – something that happens by default on many Windows systems." SVG image files are also being used as a malware delivery vector in campaigns where adult sites have been found seeding obscured SVG payloads that leverage JSFuck to covertly endorse Facebook posts promoting the sites, ThreatDown found.
  • Scams Targeting Elderly Led to $700 million Losses in 2024 — Americans aged 60 and older lost a staggering $700 million to online scams in 2024, signaling a steep rise in fraud targeting older adults. "Most notably, combined losses reported by older adults who lost more than $100,000 increased eight-fold, from $55 million in 2020 to $445 million in 2024," the U.S. Federal Trade Commission (FTC) said. "While younger consumers also have reported these scams, older adults were much more likely to report these extraordinarily high losses." The development came as authorities from the Philippines detained 20 Chinese nationals who were operating a crypto scam center in Pasay City. Thai police have also apprehended 18 Chinese nationals who were operating a scam call center in the city of Chiang Mai that targeted other Chinese speakers and operated for three months from a rented house.
  • Embargo Ransomware Made About $34.2 million — Embargo ransomware is associated with about $34.2 million in cryptocurrency transactions since popping up around April 2024, with the majority of the victims located in the United States in the healthcare, business services, and manufacturing sectors. Unlike other traditional ransomware-as-a-service (RaaS) groups, Embargo retains control over infrastructure and payment negotiations and tends to avoid tactics like triple extortion and victim harassment that draw attention to itself. The attacks involve using phishing emails and drive-by downloads delivered via malicious websites as initial access vectors to disable security tools, turn off recovery options, and encrypt files. "Embargo may be a rebranded or successor operation to BlackCat (ALPHV) based on multiple technical and behavioral similarities – including using the Rust programming language, a similarly designed data leak site, and on-chain overlaps via shared wallet infrastructure," TRM Labs said. "Embargo launders ransom proceeds through intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net. Approximately $18.8 million remains dormant in unattributed wallets — a pattern that likely reflects deliberate evasion tactics." The links to BlackCat stem from on-chain overlaps, with historical BlackCat-linked addresses funneling funds to wallet clusters associated with Embargo victims. Technical similarities include the use of the Rust programming language, similar encryption toolkits, and the design of their data leak sites.
  • Microsoft to Block File Access via FPRPC — Microsoft has announced that the Microsoft 365 apps for Windows will start blocking access to files via the insecure FPRPC legacy authentication protocol by default starting late August. "Microsoft 365 apps will block insecure file open protocols like FPRPC by default starting version 2508, with new Trust Center settings to manage these protocols," the company said. "These changes enhance security by reducing exposure to outdated technologies like FrontPage Remote Procedure Call (FPRPC), FTP, and HTTP." Separately, Microsoft has also announced that it intends to retire support for inline SVG images in Outlook for Web and new Outlook for Windows starting September 2025. "This change enhances security and aligns with current email client behavior, which already restricts inline SVG rendering," the company said.
  • Nearly 30K Exchange Server Instances Vulnerable to CVE-2025-53786 — A little over 29,000 Microsoft Exchange email servers are missing an April 2025 hotfix for a recently disclosed security vulnerability (CVE-2025-53786) that allows attackers to escalate access from on-prem servers to online cloud environments. As of August 10, 2025, the countries with the most exposures are the U.S., Germany, Russia, France, the U.K., and Austria, per the Shadowserver Foundation.
  • ScarCruft Linked to Ransomware Attack for the First Time — The North Korean threat actor known as ScarCruft (aka APT37), which has a history of deploying RokRAT, has been linked to an attack chain that has leveraged a malicious LNK file embedded in a RAR archive to deliver a stealer (LightPeek and FadeStealer), backdoor (NubSpy and CHILLYCHINO), and ransomware (VCD Ransomware). "It further underscores the group's persistent reliance on real-time messaging infrastructure, exemplified by NubSpy's use of PubNub as its command-and-control (C2) channel," S2W said. The attack has been attributed to ChinopuNK, a sub-cluster within ScarCruft known for deploying the Chinotto malware. The activity is a "notable deviation" from the group's historical focus on espionage. "This suggests a potential shift toward financially motivated operations, or an expansion of operational goals that now include disruptive or extortion-driven tactics," the company added.
  • EDR-on-EDR Violence to Disable EDR Software — Cybersecurity researchers have uncovered a troubling new attack vector where threat actors are weaponizing free trials of endpoint detection and response (EDR) software to disable existing security tools – a phenomenon dubbed EDR-on-EDR violence, or bring your own EDR aka BYOEDR. "It turns out that one of the ways to disable EDR is with a free trial of EDR," researchers Ezra Woods and Mike Manrod said. "This is accomplished by removing exclusions and then adding the hash of the existing AV/EDR as a blocked application." Making matters worse, the research found that it's possible to abuse the RMM-like features of EDR products to facilitate command shell access.
  • 2 Founders of Samourai Wallet Plead Guilty to Money Laundering — Two senior executives and founders of the Samourai Wallet cryptocurrency mixer have pleaded guilty to charges involving washing more than $200 million worth of crypto assets from criminal proceeds and concealing the nature of illicit transactions using services like Whirlpool and Ricochet. Samourai CEO Keonne Rodriguez and CTO William Lonergan Hill were arrested last year after the U.S. Federal Bureau of Investigation (FBI) took down their service. As part of their plea agreements, Rodriguez and Hill have also agreed to forfeit $237,832,360.55. "The defendants created and operated a cryptocurrency mixing service that they knew enabled criminals to wash millions in dirty money, including proceeds from cryptocurrency thefts, drug trafficking operations, and fraud schemes," the U.S. Department of Justice (DoJ) said. "They did not just facilitate this illicit movement of money, but also encouraged it."
  • Tornado Cash Founder Convicted of Operating a Money Transmitting Business — Roman Storm, a co-founder of the cryptocurrency mixing service Tornado Cash, was found guilty of conspiring to operate an unlicensed money-transmitting business. However, the jury failed to reach a ruling on the more significant charges of conspiracy to commit money laundering and to violate sanctions. "Roman Storm and Tornado Cash provided a service for North Korean hackers and other criminals to move and hide more than $1 billion of dirty money," the DoJ said. Storm is set to be sentenced later this year and faces a maximum prison sentence of five years. The development came as the U.S. Treasury Department dropped its appeal against a court ruling that forced it to lift sanctions against Tornado Cash last month. Tornado Cash was delisted from the Specially Designated National and Blocked Persons (SDN) list earlier this March. The service was sanctioned in 2022 for its alleged links to cybercriminals and for having "repeatedly failed to impose effective controls" to prevent money laundering.
  • Microsoft SharePoint Flaws Exploited to Drop China Chopper and ANTSWORD — Microsoft revealed that Chinese state-sponsored hackers had exploited new vulnerabilities in SharePoint to breach the computer systems of hundreds of companies and government agencies, including the National Nuclear Security Administration and the Department of Homeland Security. According to ProPublica, support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for years. Microsoft said the China-based team "is supervised by a US-based engineer and subject to all security requirements and manager code review. Work is already underway to shift this work to another location." It's unclear if Microsoft's China-based staff had any role in the SharePoint hack. Attacks exploiting the SharePoint flaws (CVE-2025-49706 and CVE-2025-53770) have been observed performing unauthenticated code execution, extracting cryptographic keys, and deploying web shells like China Chopper and ANTSWORD. "The use of AntSword and China Chopper in the mid-2025 SharePoint exploitation campaigns aligns with tooling observed in prior incidents," Trustwave said. "Notably, in 2022, the same ANTSWORD and China Chopper were also observed to be deployed in an incident related to ProxyNotShell RCE vulnerabilities."
  • E.U. Law Protecting Journalists from Spyware Goes into Effect — A new law in the European Union, called the European Media Freedom Act (EMFA), has taken effect starting August 8, 2025, seeking to promote independence, safeguard media against unjustified online content removal by very large online platforms, and protect journalistic sources, including against the use of spyware. However, the European Centre for Press and Media Freedom (ECPMF) said it's "deeply concerned that many national governments are neither prepared nor politically willing to make the required legislative changes," adding "this lack of commitment poses a serious risk to the EMFA's effectiveness."
  • Israel Created Azure-Backed System to Store Palestinian Communications — Israel's elite military surveillance agency, Unit 8200, stored vast volumes of intercepted Palestinian phone calls on Microsoft's Azure cloud servers, according to a joint investigation by The Guardian, +972 Magazine, and Local Call. The massive phone surveillance operation intercepted and tracked all phone calls and messages sent across Palestine and was hosted in a segregated part of Azure. The cloud-based system is believed to have become operational in 2022. "Thanks to the control it exerts over Palestinian telecommunications infrastructure, Israel has long intercepted phone calls in the occupied territories," The Guardian reported. "But the indiscriminate new system allows intelligence officers to play back the content of cellular calls made by Palestinians, capturing the conversations of a much larger pool of ordinary civilians."
  • South Korea Targeted by Makop Ransomware — Users in South Korea have been targeted by Makop ransomware attacks that leverage remote desktop protocol (RDP) as an entry point, shifting from its previous distribution strategy of relying on fake resumes or emails related to copyrights. "It is worth noting that the use of RDP in the initial access phase and the installation of various tools from NirSoft and Mimikatz with an installation path of 'mimik' are the same as what the Crysis ransomware threat actor did when installing the Venus ransomware," AhnLab said. "This suggests the possibility that the same threat actor is behind the Crysis, Venus, and recent Makop ransomware attacks."
  • WhatsApp Rolls Out New Feature to Tackle Scams — WhatsApp is introducing a new security feature that will help users spot potential scams when they are being added to a group chat by someone who is not in their contact list by serving additional information and options to exit the group. The messaging platform said it's also exploring ways to caution people when they are individually contacted by people not in their contacts. This includes showing more context about who has messaged, so users can make an informed decision. The Meta-owned company said it also took down over 6.8 million WhatsApp accounts linked to criminal scam centers based in Southeast Asia targeting people across the internet and around the world. "These scam centers typically run many scam campaigns at once – from cryptocurrency investments to pyramid schemes," the company said. "The scammers used ChatGPT to generate the initial text message containing a link to a WhatsApp chat, and then quickly directed the target to Telegram, where they were assigned a task of liking videos on TikTok. The scammers attempted to build trust in their scheme by sharing how much the target has already 'earned' in theory, before asking them to deposit money into a crypto account as the next task."
  • Praetorian Releases ChromeAlone — Cybersecurity company Praetorian has released a tool called ChromeAlone that transforms Chromium browsers into a C2 framework and can be implanted and used in place of conventional tools like Cobalt Strike. The program offers the ability to steal browser credentials and session cookies, launch executables on the host from Chrome, phish for WebAuthn requests for physical security tokens like YubiKeys or Titan Security Keys, and offer EDR resistance. Separately, Praetorian also found that it's possible to abuse Traversal Using Relays around NAT (TURN) servers used by conferencing apps like Zoom and Microsoft Teams as a new C2 evasion method called 'Ghost Calls' to tunnel traffic through trusted infrastructure. This is accomplished by means of a tool called TURNt. "This approach allows operators to blend interactive C2 sessions into normal enterprise traffic patterns, appearing as nothing more than a temporarily joined online meeting," Praetorian noted, stating the approach uses legitimate credentials, WebRTC, and custom tooling to get around existing defenses.
  • New Jailbreak Against AI Chatbots Employs Information Overload — AI chatbots like OpenAI ChatGPT and Google Gemini can be tricked into generating illicit instructions for making a bomb or hacking an ATM if the prompt is made complicated, full of academic jargon, and cites non-existent sources. That's according to a new paper authored by a team of researchers from Intel, Boise State University, and the University of Illinois at Urbana-Champaign. The LLM jailbreaking technique called InfoFlood "transforms malicious queries into complex, information-overloaded queries capable of bypassing built-in safety mechanisms," the paper explained. "Specifically, InfoFlood: (1) uses linguistic transformations to rephrase malicious queries, (2) identifies the root cause of failure when an attempt is unsuccessful, and (3) refines the prompt's linguistic structure to address the failure while preserving its malicious intent."
  • Israeli Spyware Vendor Candiru Is Still Active — Cybersecurity firm Recorded Future has discovered new infrastructure for managing and delivering Candiru's DevilsTongue spyware. "Eight distinct clusters were identified, with five being likely still active, including those linked to Hungary and Saudi Arabia," it said. "One cluster tied to Indonesia was active until November 2024, and two associated with Azerbaijan have uncertain status due to a lack of identified victim-facing infrastructure."
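
The SVG item in the list above turns on one structural fact: an SVG is XML that a browser will run script from. As an added example (not from the original article, Seqrite, or ThreatDown), this Python scanner for a mail or upload gateway flags the places script can live in an SVG; it keys on structure rather than payload text, so obfuscation such as JSFuck does not change the result. The sample files, the `example.invalid` URL, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not taken from any real campaign).
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <rect width="100" height="100" fill="#eee" onclick="go()"/>
  <a xlink:href="javascript:go()"><text x="10" y="50">Open invoice</text></a>
  <script type="text/javascript"><![CDATA[
    function go() { window.location = "https://login.example.invalid/"; }
  ]]></script>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <a href="https://example.com/"><circle cx="5" cy="5" r="4" fill="red"/></a>
</svg>"""

# Elements that execute script or embed an HTML context inside the image.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that run code when followed or loaded.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def _scheme_view(value):
    """Browsers ignore tabs and newlines inside a URL scheme, so remove them."""
    return re.sub(r"[\x00-\x20]+", "", value).lower()


def scan_svg(data: bytes):
    """Return a list of (kind, element, detail) findings for one SVG file."""
    # Refuse DTD entity declarations instead of expanding them: they can hide
    # markup from the checks below and are not needed for ordinary artwork.
    if re.search(rb"<!ENTITY", data, re.IGNORECASE):
        return [("entity-declaration", "-", "DTD entities present; not parsed")]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Fail closed: a file the parser rejects is reported, not passed.
        return [("unparseable", "-", str(exc))]

    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(("active-element", tag, (el.text or "").strip()[:60]))
        for name, value in el.attrib.items():
            attr = _local(name)
            if attr.startswith("on"):  # onclick, onload, onbegin, ...
                findings.append(("event-handler", tag, f"{attr}={value[:60]}"))
            elif _scheme_view(value).startswith(SCRIPT_SCHEMES):
                findings.append(("script-url", tag, f"{attr}={value[:60]}"))
    return findings


def is_active_svg(data: bytes) -> bool:
    """True when the file should be quarantined or sanitized before delivery."""
    return bool(scan_svg(data))


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SVG), ("clean", CLEAN_SVG)):
        print(label, "->", "BLOCK" if is_active_svg(sample) else "allow")
        for finding in scan_svg(sample):
            print("   ", finding)
```

The entity check only looks at the raw bytes, so it assumes an ASCII-compatible encoding such as UTF-8; files in other encodings should be transcoded or rejected before scanning.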

🎥 Cybersecurity Webinars

  • AI Threats Are Real—Learn How to Secure Every Agent Now: AI-powered shadow agents are becoming a serious security threat. Deployed without oversight, these invisible entities have access to sensitive data, making them prime targets for attackers. In this session, we'll explore how these agents emerge, why they're risky, and how to take control before they cause harm.
  • How AI-Fueled Attacks are Targeting Identity—Learn to Stop Them: AI is changing the way cyberattacks happen, making traditional defenses obsolete. In this webinar, Karl Henrik Smith from Okta explains how AI is targeting identity security and how you can protect your organization from these new threats. Learn how to adapt your defenses for the AI-driven future.
  • What You're Missing in Python Security: 2025's Must-Know Threats: In 2025, securing your Python supply chain is more critical than ever. With increasing threats like repojacking, typosquatting, and known vulnerabilities in core Python infrastructure, simply relying on "pip install and pray" won't cut it. Join our webinar to learn how to protect your Python projects, tackle current supply chain risks, and explore practical solutions to safeguard your code with industry-leading tools like Sigstore and Chainguard. Take action now to secure your Python environment and stay ahead of emerging threats.

🔧 Cybersecurity Tools

  • DoomArena is a modular, plug-in framework for testing AI agents against evolving security threats. It works with platforms like τ-Bench, BrowserGym, and OSWorld, allowing realistic simulations of attacks such as prompt injections or malicious data sources. Its design separates attack logic from environments, making tests reusable across tasks, and supports detailed threat models, multiple attack types, and custom success checks to help identify vulnerabilities and evaluate defenses.
  • Yamato Security, a volunteer-led group in Japan, has released a suite of open-source tools aimed at strengthening digital forensics and threat hunting. The lineup includes Hayabusa for Sigma-based Windows log analysis, Takajo for parsing Hayabusa results, Suzaku for cloud log forensics, and WELA for auditing Windows Event Logs, supported by detailed configuration guides. Also in the toolkit is SigmaOptimizer-UI, a user-friendly interface that streamlines the creation, testing, and refinement of Sigma rules from real-world logs, incorporating automated checks and optional LLM-powered enhancements.

Disclaimer: These newly released tools are for educational use only and haven't been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Boost Your Threat Detection with Easy, Free Tools — Cybersecurity isn't just about defending against attacks—it's also about detecting them early. One of the most effective ways to stay ahead of threats is by setting up real-time monitoring. Free tools like UptimeRobot allow you to monitor your website or systems for unexpected downtime, a common sign of an attack. By receiving instant alerts, you can act quickly if something goes wrong.

Another simple yet powerful step is running regular vulnerability scans. Qualys Community Edition is a free tool that helps you identify weak spots in your network or website. Regular scans will help you spot problems before attackers can exploit them, keeping your defenses strong.

Endpoint protection is equally important. While Windows Defender provides solid security, you can take it a step further with OSSEC, an open-source intrusion detection system. OSSEC monitors your devices for unusual behavior, helping catch threats that traditional antivirus software might miss.

Lastly, staying aware of malicious actors is key. Use resources like AlienVault Open Threat Exchange (OTX) to track known harmful IP addresses and domains. These free databases keep you informed about the latest threats targeting your network, allowing you to block risky traffic before it causes harm.

By integrating these free tools into your routine, you'll significantly enhance your ability to detect and respond to cyber threats quickly and effectively.

Conclusion

As we wrap up this week's cybersecurity update, remember that staying informed is your best defense. The threats are real, and the stakes are high—but with the right steps, your organization can stay ahead of attackers. Regular updates, timely patches, and continuous monitoring are your first line of defense. Keep working to build a culture of security, and always be ready to adapt to the changing landscape.

We'll be back next week with more insights, so keep those systems secure and stay vigilant. Until then, stay proactive, stay safe, and don't let your guard down. Cyber threats wait for no one.
