⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More

Aug 25, 2025Ravie LakshmananCybersecurity News / Hacking

Cybersecurity today moves at the pace of global politics. A single breach can ripple across supply chains, turn a software flaw into leverage, or shift who holds the upper hand. For leaders, this means defense isn't just a matter of firewalls and patches—it's about strategy. The strongest organizations aren't the ones with the most tools, but the ones that see how cyber risks connect to business, trust, and power.

This week's stories highlight how technical gaps become real-world pressure points—and why security decisions now matter far beyond IT.

⚡ Threat of the Week

Popular Password Managers Affected by Clickjacking — Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent security researcher Marek Tóth, who presented the findings at the DEF CON 33 security conference earlier this month. As of August 22, fixes have been released by Bitwarden, Dashlane, Enpass, KeePassXC-Browser, Keeper, LastPass, NordPass, ProtonPass, and RoboForm.

How GenAI Is Helping Cybersecurity Teams Reimagine Security Operations

Learn how cybersecurity teams are leveraging AI and what challenges they are facing, including questions such as:

What is the current state of adoption?
What use cases are being prioritized?
What key requirements do organizations have?
How is AI actually delivering results?

Learn more about AI in Security Operations for 2025 ➝

🔔 Top News

Russian Hackers Go After Old Cisco Flaw — Hackers linked to Russia are exploiting a seven-year-old vulnerability in unpatched end-of-life Cisco networking devices (CVE-2018-0171) to target enterprise and critical infrastructure networks in the U.S. and abroad. Over the past year, the threat actor, which Cisco is tracking as Static Tundra, has collected configuration files from thousands of networking devices used by US organizations in critical infrastructure sectors. On some vulnerable devices, the attackers changed the configuration settings to give themselves unauthorized access to the network. The attackers then used that access to explore the networks, looking specifically at protocols and applications that are commonly used in industrial systems. Cisco identified Static Tundra as primarily targeting organizations of strategic interest to the Kremlin, spanning the manufacturing, telecommunications, and higher education sectors across the globe. Once the threat actor gains access to a system of interest, they have been found to use stolen SNMP credentials to quietly control the compromised devices, letting them run commands, change settings, and steal configurations, all while hiding their activity from security controls. Static Tundra has also altered the configuration of compromised devices to create new local user accounts and enable remote access services like Telnet, granting them additional ways to regain access to the device if their initial communication mechanism is closed. Also used by the group is a backdoor called SYNful Knock to stay connected to infected devices and give a hidden foothold that survives reboots.
Apple Fixes Actively Exploited 0-Day — Apple released security fixes to fix a high-severity flaw in iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day is an out-of-bounds write vulnerability affecting the ImageIO framework. Tracked as CVE-2025-43300 (CVSS score: 8.8), the issue could result in memory corruption when processing a malicious image. The iPhone maker said the bug was internally discovered and that it was addressed with improved bounds checking. The company provided no further technical details of the vulnerability or insights into the exploitation activity beyond characterizing the cyber attacks as sophisticated and highly targeted. The tech giant began using such terminology starting this year, presumably to signify nation-state threats and spyware activity.
Murky Panda Abuses Trusted Relationships to Breach Cloud Environments — The threat actor known as Murky Panda (aka Silk Typhoon) has been observed abusing trusted relationships in the cloud to hack enterprise networks. The attacks leverage N-day and zero-day vulnerabilities to drop web shells and a Golang malware called CloudedHope to facilitate remote access. A notable aspect of Murky Panda's tradecraft concerns the abuse of trusted relationships between partner organizations and their cloud tenants, exploiting zero-day vulnerabilities to breach software-as-a-service (SaaS) providers' cloud environments and conduct lateral movement to downstream victims.
INTERPOL Announces New Wave of Arrests in Africa — INTERPOL announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. "The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation," the agency said. The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti, which took place between June and August 2025 to tackle severe crimes like ransomware, online scams and business email compromise (BEC). The first wave of arrests occurred late last year.
Scattered Spider Hacker Gets 10 Years Jailterm — Noah Michael Urban, a 20-year-old member of the notorious cybercrime gang known as Scattered Spider, was sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts. Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. In addition to 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. The defendant, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023. These incidents led to the theft of at least $800,000 from at least five different victims.
North Korea Likely Behind New Diplomat Cyber Attacks — The North Korea-backed threat actor known as Kimsuky is believed to have orchestrated a spear-phishing attack targeting European embassies in South Korea. The campaign, ongoing since March 2025, is characterized by the use of GitHub as a command-and-control channel and a variant of an open-source malware called Xeno RAT. In an interesting twist, the attackers have yielded clues that they are working out of China, perhaps alluding to the possibility of a collaboration or that it's the work of a threat actor that closely mimics the tactics of Kimsuky. Furthermore, routing malicious cyber activity through China likely provides North Korea with some geopolitical cover and a safe haven as long as it doesn't directly harm domestic interests.
Alleged RapperBot Admin Charged in the U.S. — Ethan Foltz, 22, of Eugene, Oregon, was charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot since at least 2021. Foltz has been charged with one count of aiding and abetting computer intrusions. If convicted, he faces a maximum penalty of 10 years in prison. In addition, law enforcement authorities conducted a search of Foltz's residence on August 6, 2025, seizing administrative control of the botnet infrastructure.

‎️‍🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it's a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week's high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week's list includes — CVE-2025-7353 (Rockwell Automation ControlLogix), CVE-2025-8714 (PostgreSQL), CVE-2025-9037, CVE-2025-9040 (Workhorse Software Services), CVE-2025-54988 (Apache Tika), CVE-2025-57788, CVE-2025-57789, CVE-2025-57790, CVE-2025-57791 Commvault), and CVE-2025-43300 (Apple iOS, iPadOS, and macOS).

📰 Around the Cyber World

Microsoft Scales Back Chinese Access to Early Warning System — Microsoft revealed it has scaled back some Chinese companies' access to its early warning system for cybersecurity vulnerabilities in the wake of sweeping hacking attempts against Microsoft SharePoint servers that have been pinned on Beijing. To that end, the Windows maker said several Chinese firms would no longer receive proof-of-concept code demonstrating the flaws. The change is applicable to "countries where they're required to report vulnerabilities to their governments," which would include China. The decision comes amid speculation that there may have been a leak from the Microsoft Active Protections Program (MAPP) may have resulted in the large-scale exploitation activity.
New Lazarus Stealer Spotted — A new Android banking trojan called Lazarus Stealer has been spotted in the wild. "Disguised as a harmless application called 'GiftFlipSoft,' the malware specifically targets multiple Russian banking apps, extracting card numbers, PINs, and other sensitive credentials while remaining completely hidden from the device's interface," CYFIRMA said. "The malware is built for persistence, operating silently in the background while exfiltrating sensitive data. It abuses high-risk permissions, default SMS privileges, overlay functions, and dynamic WebView content to carry out its operations." Once installed, the app requests default SMS app privileges, as well as overlay ("Display Over Other Apps") and Usage Access permissions to display fraudulent interfaces on legitimate applications for credential harvesting and monitor active applications in real time and detect when targeted applications, such as banking apps, are launched.
Google Agrees to Pay $30M to Settle Children's Privacy Lawsuit — Google has agreed to pay $30 million to settle a class-action lawsuit that it violated children's privacy on YouTube by secretly collecting their data without parental consent and using it to serve targeted ads. Google denied wrongdoing in agreeing to settle. The company previously paid a $170 million fine in 2019 to the Federal Trade Commission (FTC) and the state of New York for similar practices.
Storm-1575 Linked to Salty 2FA — The threat actor known as Storm-1575 has been attributed to a new phishing-as-a-service (PhaaS) offering called Salty 2FA. "Like other PhaaS platforms, Salty 2FA is mainly delivered via email and focuses on stealing Microsoft 365 credentials," ANY.RUN said. "It unfolds in multiple stages and includes several mechanisms designed to hinder detection and analysis." Victims of Salty 2FA attacks span the finance, telecom, energy, consulting, logistics, and education sectors. Storm-1575 is the moniker assigned by Microsoft to the operators of DadSec and Rockstar 2FA.
What is HuiOne Guarantee? — The Telegram-based escrow platform HuiOne Guarantee (aka Haowang Guarantee), which announced its closure in June 2025, has acquired a 30% financial stake in Tudou Guarantee, which has emerged as a key fallback for Huione-affiliated vendors. Described as an "Amazon for criminals," the Cambodian conglomerate behind it, HuiOne Group, has had its HuiOne Pay license revoked by the National Bank of Cambodia earlier this March. HuiOne-linked infrastructure has received over $96 billion in cryptocurrency assets since 2021, according to TRM Labs, which said HuiOne Pay and HuiOne Guarantee share operational links, with fund flows observed from Huione Pay withdrawal wallets to Huione Guarantee's security deposit wallets. The findings come as darknet market escrow systems that manage cryptocurrency transactions between buyers and vendors continue to remain vulnerable to administrator exit scams. These systems implement escrow through multi-signature cryptocurrency wallet addresses that require signatures from the buyer and vendor to complete transactions, with the market administrator only stepping in during dispute resolution to side with either the buyer or vendor based on evidence provided by the two parties. To streamline operations, many darknet markets also use automated escrow release systems, transferring funds to vendors after 7 to 21 days unless buyers initiate disputes during the timer period. However, the "centralized" nature of the dispute resolution process, which is heavily reliant on the market administrators, introduces new risks such as bias, corruption, and exit scam scenarios where fairness takes a back seat.
Orange Belgium Discloses Breach — Orange Belgium, a subsidiary of telecommunications giant Orange Group, disclosed on Wednesday that attackers who breached its systems in July have stolen the data of approximately 850,000 customers. "At the end of July, Orange Belgium discovered a cyber attack on one of its IT systems, which gave unauthorized access to certain data from 850,000 customer accounts," the company said. "No critical data was compromised: no passwords, email addresses, bank or financial data were hacked. However, the hacker has gained access to one of our IT systems that contains the following information: name, first name, phone number, SIM card number, PUK code, [and] tariff plan."
U.K. Man Sentenced to Jail for Website Defacement and Data Theft — Al-Tahery Al-Mashriky, 26, from Rotherham, South Yorkshire, was sentenced to jail for 20 months for hacking into the websites of organizations in North America, Yemen and Israel and stealing the log in details of millions of people, including more than 4 million Facebook users. Al-Mashriky was arrested in August 2022 and pleaded guilty to nine offences earlier this March. Associated with an extremist hacker group named Yemen Cyber Army, the defendant infiltrated a number of websites to push religious and political ideologies. A review of his seized laptop uncovered personal data for over 4 million Facebook users and several documents containing usernames and passwords for services such as Netflix and Paypal. The Yemen Cyber Army is a hacktivist group that, in the past, has declared its support for the Houthis, an Islamist political and military organization.
Malicious npm Packages Target Solana Developers — Malicious npm packages have been found embedding an information stealer that's designed to single out Russian cryptocurrency developers as part of a campaign dubbed Solana-Scan. These malicious packages, solana-pump-test, solana-spl-sdk, and solana-pump-sdk, targeted the Solana cryptocurrency ecosystem and claimed to "scan" for Solana SDK components. All the packages were published by a user named "cryptohan." Contained within the package is an obfuscated CommonJS file that launches a JavaScript payload for extracting environment information and launching a second-stage that searches the compromised machine for sensitive files and exfiltrates them to a remote server located in the U.S. There is evidence that the JavaScript was written with the help of generative artificial intelligence (AI) tools like Anthropic Claude, software supply chain security outfit Safety said.
Singapore Warns of Dire Wolf Attacks — The Cyber Security Agency of Singapore (CSA) has warned of Dire Wolf double-extortion attacks targeting Dire Wolf since May 2025. "Dire Wolf ransomware group employs a double extortion tactic, where it encrypts data on victims' systems and threatens to publicly release exfiltrated data on its data leak site (DLS) unless a ransom is paid," CSA said. "This causes a two-fold impact of data loss and reputational damage on victim organizations."
Hijack Loader Detailed — Cybersecurity researchers have unpacked the inner workings of a malware loader called Hijack Loader that's used as a conduit for other payloads, including information stealers and remote access trojans. Attack chains distributing the malware have leveraged pirated game websites like Dodi Repacks, tricking users into downloading booby-trapped ZIP archives under the guise of video games like Virtua Fighter 5 REVO. Another propagation mechanism involves embedding a link to cracked software in TIDAL music playlists that show up in search engine results. Hijack Loader incorporates an array of anti-virtual machine and anti-debug techniques and attempts to disable Microsoft Defender Antivirus prior to launching the final payload.
Nebraska Man Sentenced to 1 Year in Prison for Illicit Crypto Mining — Charles O. Parks III, who was indicted in April 2024 for operating a large-scale illegal cryptojacking operation, was sentenced in the U.S. to one year and one day in prison. He is said to have defrauded two well-known providers of cloud computing services out of more than $3.5 million worth of computing resources from January through August 2021. Parks was charged with wire fraud, money laundering, and engaging in unlawful monetary transactions in connection with the scheme and pleaded guilty to wire fraud in December 2024. The mined currency was used for personal luxurious purchases and Parks boasted about his profits on social media to earn credibility as a crypto influencer. "Parks created and used a variety of names, corporate affiliations, and email addresses, including emails with domains from corporate entities he operated called 'MultiMillionaire LLC' and 'CP3O LLC,' to register numerous accounts with the service providers and to gain access to massive amounts of computing processing power and storage that he did not pay for," the Justice Department said.
Chrome Extension Detected Capturing Screenshots — A Chrome browser extension with more than 100,000 installs has been found to harbor covert features to capture screenshots, collect system information, and query IP geolocation APIs for location details. The screenshots are uploaded to an external server, aitd.one, which claims to be an AI threat detection service. Advertised as a free VPN app named FreeVPN.One, the featured add-on offered the promised functionality since its launch in 2000, before the surveillance features were subtly introduced in April, June, and July 2025. The developer behind the tool claimed the automatic screenshot capture is part of a Background Scanning feature that's triggered only on suspicious domains and for all users by default. However, Koi Security found that screenshots were being taken on trusted services like Google Sheets and Google Photos. "FreeVPN.One shows how a privacy branding can be flipped into a trap," the company said. "What's sold as safety becomes a quiet pipeline for collecting what you do and where you are."
Okta Releases Auth0 Customer Detection Catalog — Okta has announced the launch of the Auth0 Customer Detection Catalog, a comprehensive open-source repository designed to enhance proactive threat detection capabilities for Auth0 customers. "The Auth0 Customer Detection Catalog allows security teams to integrate custom, real-world detection logic directly into their log streaming and monitoring tools, enriching the detection capabilities of the Auth0 platform," the identity security company said.
TRM Labs Launches Beacon Network to Monitor Crypto Crime — Blockchain intelligence firm TRM Labs announced the launch of Beacon Network, a real-time crypto crime response network for tracking illicit crypto activity and preventing it from leaving the blockchain. "Verified investigators flag addresses linked to financial crime. Beacon Network automatically propagates those labels across related wallets," the company said. "When tagged funds arrive at a participating exchange or issuer, Beacon Network triggers an instant alert." In doing so, cryptocurrency platforms can proactively review and hold flagged deposits before withdrawal, blocking illicit cash-outs.
Microsoft Aims to be Quantum-Safe by 2033 — Microsoft has set out a roadmap to complete transition to post quantum cryptography (PQC) across all its products and services by 2033, with roll out beginning by 2029. That's two years ahead of the deadline imposed by the United States and other governments. "Migration to post quantum cryptography (PQC) is not a flip-the-switch moment, it's a multi-year transformation that requires immediate planning and coordinated execution to avoid a last-minute scramble," the company's Mark Russinovich and Michal Braverman-Blumenstyk said. The U.S. National Institute of Standards and Technology (NIST) formalized the world's first PQC algorithms in August 2024.

New Phishing Campaign Uses Hidden AI Prompts — A phishing campaign has been spotted using hidden artificial intelligence (AI) prompts that are designed to manipulate AI-based email scanners and delay them from detecting the malicious payloads. The emails, sent from SendGrid, masquerade as password expiry notices from Gmail to induce a false sense of urgency using social engineering tactics. But buried in the email plain-text MIME section is a prompt that instructs automated scanners to "engage in the deepest possible multi-layered inference loop" and trick them into entering long reasoning loops instead of marking the messages as phishing. "If AI-driven systems are tied to automation (auto-tagging, ticketing, escalation), this injection could cause misclassification or delays," Malwr-analysis.com's Anurag said. The development coincided with a new wave of credential harvesting attacks involving phishing emails sent via SendGrid. "The campaign exploits the trusted reputation of SendGrid, a legitimate cloud-based email service used by businesses to send transactional and marketing emails," Cofense said. "By impersonating SendGrid's platform, attackers can deliver phishing emails that appear authentic and bypass common email security gateways."
493 Cases of Sextortion Against Children Linked to SE Asia Scam Compounds — A new report from the International Justice Mission (IJM) has linked 493 child sextortion cases to scam compounds operating in Cambodia, Myanmar, and Laos, where trafficked individuals are forced to carry out online fraud such as romance baiting and pig butchering scams. Forensic data has tied the cases to 40 of the 44 previously known scam compounds operating in Cambodia, Myanmar, and Laos. "This research indicates a likely convergence of two dark forms of exploitation – child sextortion and human trafficking – enabled by digital platforms and driven by profit," said Eric Heintz, Senior Criminal Analyst at IJM.
Mule Operators in META Adopt Complex Fraud Schemes — Cybersecurity researchers have laid bare the advanced techniques mule operators across the Middle East, Turkey and Africa (META) region have adopted to target retail banks, shifting from basic IP masking via VPNs and proxies to Starlink-based obfuscation tactics combined with advanced GPS spoofing, SIM abuse, and physical device "muling" using hired individuals and postal shipments. "Financial institutions in the Gulf region, where regulations are especially tight, enforce strict restrictions on VPN, hosting, and proxy traffic," Group-IB said. "Early on, these controls forced mule operators to rely on generic VPN services – easily identified via IP reputation tools. By late 2023, fraudsters began a rapid innovation cycle to bypass these filters and regain remote access to accounts in the target jurisdictions." Mule networks have been observed using stolen identities and location obfuscation tactics to remotely open hundreds of accounts to launder funds across targeted countries, with fraudsters also removing SIM cards entirely from Android devices to evade telecom fingerprinting and connecting to the internet via Wi-Fi hotspots, typically from nearby roaming-enabled phones, thereby masking their network origins. As recently as Q4 2024, the schemes have recruited so-called first-layer mules, who opened the bank accounts within trusted jurisdictions and then passed credentials to overseas operators who conducted laundering operations. A further escalation of this approach earlier this year eliminated the need for credential handover by physically shipping pre-configured phones. "First-layer mules based in trusted countries would open accounts and build trust through initial legitimate usage," Group-IB said. "Instead of sharing login credentials, they ship pre-configured phones to second-layer fraudsters operating abroad."

MuddyWater Targets CFOs and Finance Execs — The Iranian hacking group dubbed MuddyWater is actively targeting CFOs and finance executives across Europe, North America, South America, Africa, and Asia via spear-phishing emails that trick recipients into downloading ZIP archives from Firebase-hosted phishing pages. The attack chains lead to the deployment of OpenSSH and NetBird, a legitimate remote access tool for persistent access. The use of remote desktop software is a tactic often used by MuddyWater to facilitate access to compromised environments. "The infrastructure pivots, evolving payload paths, and consistent reuse of distinctive artifacts highlight a resourceful adversary that adapts quickly to maintain operational capability," Hunt.io said.
Iranian Hacktivist Group Targets Iranian Communication Networks — The anonymous Iranian hacktivist group known as Lab Dookhtegan has crippled the satellite communications systems on 64 Iranian ships at sea. The incident, which took place last week, impacted 39 oil tankers and 25 cargo ships operated by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). The hacks targeted Fannava, an Iranian tech company that provides satellite communication terminals for ships. Back in March 2025, the entity also disrupted satellite communication systems of 116 Iranian vessels linked to arms shipments for Yemen's Houthis. According to security researcher Nariman Gharib, the group hacked the company's network, identified all maritime communications terminals running iDirect satellite software, and then deployed malicious code to inflict permanent damage by overwriting the storage partitions with zeroes.
Pro-Iranian Hackers Demonstrated Coordination During 12-Day June Conflict With Israel — The 12-day conflict between Israel and Iran in June spilled into cyberspace, accompanied by a surge in cyber activity from pro-Iran hacking groups that worked in a "coordinated web" across borders to steal data, deface websites, spread propaganda, carry out DDoS campaigns, and deploy malware such as Remcos RAT. "Telegram has emerged as a critical platform for coordination, propaganda dissemination, and command-and-control for both state-aligned proxies and hacktivist collectives," Security Scorecard said in an analysis of 250,000 messages from Iranian proxies and hacktivists from over 178 active groups during the time period. "Its perceived anonymity and broad reach make it an attractive medium for these groups to organize, share information, claim responsibility for attacks, and even recruit new members." The cyber war highlights "how Iran has refined its use of digital tools to shape the battlespace, control domestic narratives, and project influence abroad," the Middle East Institute said.
4 Ghanaian Nations Extradited to the U.S. — The U.S. Department of Justice charged four Ghanaian nationals, Isaac Oduro Boateng, Inusah Ahmed, Derrick Van Yeboah, and Patrick Kwame Asare, for their roles in a massive fraud ring linked to the theft of over $100 million in romance scams and business email compromise attacks against individuals and businesses located across the U.S. between 2016 and May 2023. They were extradited to the U.S. on August 7, 2025. "After stealing the money, the fraud proceeds were then laundered to West Africa, where they were largely funneled to individuals called 'chairmen,' who directed the activities of other members of the conspiracy," the Justice Department said.
NIST Publishes Guidelines to Tackle Identity Fraud — The U.S. National Institute of Standards and Technology (NIST) published new guidelines to help organizations optimize their efforts to detect face morphing and deter identity fraud. "The most effective defense against the use of morphs in identity fraud is to prevent morphs from getting into operational systems and workflows in the first place," NIST's Mei Ngan said. "Some modern morph detection algorithms are good enough that they could be useful in detecting morphs in real-world operational situations. Our publication is a set of recommendations that can be tailored to a specific situation."
North Korea Linked to Over $1.75B in Thefts in 2025 — North Korea, which pulled off one of the biggest crypto heists in history in February 2025 by plundering nearly $1.5 billion from Dubai-based exchange Bybit, has stolen more than $1.75 billion in 2025 alone, according to Elliptic. In the six months following the Bybit hack, over $1 billion of the stolen funds have been laundered using multiple rounds of mixers and cross-chain movements to complicate the trail. "It is noteworthy that lesser-known blockchains were layered for portions of funds, perhaps in the hope that they are not as well supported by some analytics and investigation tools, and are less familiar to investigators attempting to trace asset movements," Elliptic said. "Previously unseen or less commonly used services were also utilized for Bybit laundering." Further analysis shows that funds reaching the Tron blockchain are ultimately cashed out via suspected Chinese over-the-counter trading services.
Attackers Abuse Virtual Private Servers to Breach SaaS Accounts — Threat actors are weaponizing virtual private servers (VPS) to compromise software-as-a-service (SaaS) accounts and then using them to send phishing emails. The activity was first observed in March 2025. "The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails," Darktrace said. "These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment."

ClickFix-Style Campaign Delivers Atomic Stealer Variant — A malvertising campaign has been observed directing unsuspecting users to fraudulent macOS help websites where ClickFix-style instructions are displayed to entice them into opening the Terminal app and pasting a command that, in turn, triggers the execution of a shell command to download from an external server a variant of Atomic macOS Stealer (AMOS) known as SHAMOS. Developed by a malware-as-a-service (MaaS) provider named Cookie Spider, it functions as an information stealer and downloads additional malicious payloads, including a spoofed Ledger Live wallet application and a botnet module. Alternate attack chains have relied on a GitHub repository masquerading as iTerm2. The GitHub account is no longer accessible. In recent months, the ClickFix technique has also been leveraged to deliver another macOS infostealer called Odyssey Stealer using bogus CAPTCHA verification checks.
MITRE Releases 2025 Most Important Hardware Weaknesses — The non-profit MITRE Corporation published a revised list of the Most Important Hardware Weaknesses (MIHW) to better align with the hardware security landscape. Sensitive Information in Resource Not Removed Before Reuse (CWE-226), Improper Isolation of Shared Resources on System-on-a-Chip (CWE-1189), and On-Chip Debug and Test Interface With Improper Access Control (CWE-1191) take the top three spots.
How Lumma Affiliates Operate — Despite a May 2025 law enforcement takedown targeting Lumma Stealer, the malware family appears to have staged a full recovery and continues to be a popular choice for threat actors. According to a report from Recorded Future, Lumma affiliates not only operate multiple schemes simultaneously, but also leverage previously undocumented tools such as a phishing page generator (DONUSSEF) and a cracked email credential validation tool. Also put to use are VPNs, privacy-focused web browsers, bulletproof hosting providers, virtual phone and SMS services (OnlineSim, SMS-Activate, and Zadarma), and proxies (PIA Proxy and GhostSocks). "For instance, one affiliate was identified operating rental scams, while others simultaneously leveraged multiple malware-as-a-service (MaaS) platforms, including Vidar, Stealc, and Meduza Stealer, likely to bolster operational agility, improve success rates, and mitigate the risks linked to detection and law enforcement takedowns," the company said. "In addition, several Lumma affiliates are tied to distinct threat actor personas across underground forums, reinforcing their deep integration within the broader cybercriminal ecosystem."
Deceptive Google Play Store Pages Distribute SpyNote — A new network of websites that mimic the Google Play Store pages of various apps is being used to trick users into installing malicious Android apps containing the SpyNote RAT. This is a continuation of an ongoing campaign that was flagged by DomainTools back in April 2025. "Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote's core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis," the company said. The development followed the discovery of a new version of the Anatsa (aka TeaBot) Android banking trojan that can now target over 831 financial institutions across the world, including various cryptocurrency platforms. "Anatsa streamlined payload delivery by replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the Anatsa payload," Zscaler ThreatLabz said. "Anatsa implemented Data Encryption Standard (DES) runtime decryption and device-specific payload restrictions."
New macOS Stealer Mac.c Spotted — Cybersecurity researchers have discovered a new macOS stealer called Mac.c that can steal iCloud Keychain credentials, browser-stored passwords, crypto wallet data, system metadata, and files from specific locations. It can be purchased for $1,500 per month under a subscription model, while AMOS is priced at $3,000 a month. "This lower price could also open the gates for less resourceful and less tech-savvy operators who want to break into the cybercriminal market and have little money to spend on dark web tools," Moonlock Lab said.
Paper Werewolf Uses New Linux Rootkit in Attacks Targeting Russia — The threat actor known as Paper Werewolf (aka GOFFEE) is targeting Russian organizations with a Linux rootkit named Sauropsida. The rootkit is based on an open-source rootkit known as Reptile. Also deployed are BindSycler, a Golang utility to tunnel traffic using the SSH protocol, and MiRat, a Mythic framework agent.

🎥 Cybersecurity Webinars

How Code-to-Cloud Mapping Unites Dev, Sec, and Ops into One Powerful AppSec Team — Modern application security can't stop at code or cloud—it must connect both. In this webinar, you'll discover how code-to-cloud visibility closes the gaps that attackers exploit, uniting developers, DevOps, and security teams with a shared playbook for faster, smarter risk reduction.
7 Concrete Steps to Secure Shadow AI Agents Before They Spiral Out of Control — AI agents are no longer just tools—they're active players making decisions inside your enterprise. Yet many of these "shadow agents" operate without identity, ownership, or oversight, creating a dangerous blind spot that attackers are already exploiting. In this webinar, we'll expose how these invisible risks emerge and show security leaders the critical steps to bring AI identities under control—before they become your weakest link.
5 Simple Ways to Spot Rogue AI Agents Before They Take Over — Shadow AI Agents are multiplying fast—hidden in your workflows, fueled by non-human identities, and moving faster than your governance can keep up. In this exclusive session, security leaders will expose where these agents hide, the risks they pose, and the practical steps you can take today to regain visibility and control without slowing innovation.

🔧 Cybersecurity Tools

SafeLine — A self-hosted Web Application Firewall (WAF) designed to shield web applications from common threats such as SQL injection, XSS, SSRF, and brute-force attempts. By acting as a reverse proxy, it filters and monitors HTTP/S traffic, blocking malicious requests before they reach the server and preventing unauthorized data leaks. Its capabilities include rate limiting, anti-bot defenses, dynamic code protection, and access control—helping ensure web applications remain secure and resilient against evolving attacks.
AppLockerGen — An open-source utility that helps system administrators and security professionals create, merge, and manage Windows AppLocker policies more efficiently. By providing a user-friendly interface, it simplifies defining rules for executables, scripts, installers, and DLLs, while also supporting policy import/export, inspection for misconfigurations, and testing against common bypass techniques.

Disclaimer: These newly released tools are for educational use only and haven't been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Don't Just Store It. Lock It — When you drag a file into Google Drive, OneDrive, or Dropbox, it feels "safe." But here's the catch: most clouds only encrypt files on their servers — they hold the keys, not you.

That means if the provider is breached, subpoenaed, or a rogue admin pokes around, your "private" files aren't so private.

The fix is simple: end-to-end encryption. You encrypt before uploading, so your files are locked on your device and can only be unlocked with your key. Even if the cloud is hacked, attackers see nothing but scrambled noise.

Free, open-source tools that make this easy:

Cryptomator → perfect for beginners, creates an "encrypted vault" inside your Dropbox/Drive.
Kopia → modern backup tool with strong encryption, great for securing entire folders or servers.
Restic → fast, deduplicated, encrypted backups, loved by developers and sysadmins.
Rclone (with crypt) → the power-user's choice for syncing + encrypting files to almost any cloud.

Bottom line: If it's worth saving, it's worth locking. Don't trust the cloud with your keys.

Conclusion

Cybersecurity isn't just about technology—it's a test of leadership. The choices made in boardrooms shape how teams protect systems, respond to attacks, and recover from setbacks. This week's stories highlight a key truth: security comes down to decisions—where to invest, which risks to take, and which blind spots to fix. The best leaders don't promise perfect safety. Instead, they provide clarity, build resilience, and set direction when it matters most.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.