2025-08-04

Malware isn't just trying to hide anymore—it's trying to belong. We're seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It's not just about being malicious—it's about being believable.

In this week's cybersecurity recap, we explore how today's threats are becoming more social, more automated, and far too sophisticated for yesterday's instincts to catch.

⚡ Threat of the Week

Secret Blizzard Conducts ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are abusing local internet service providers' networks to target foreign embassies in Moscow and likely collect intelligence from diplomats' devices. The activity has been attributed to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves using an adversary-in-the-middle (AitM) position within the domestic telecom companies and ISPs that diplomats use for Internet access to push a piece of malware called ApolloShadow. This indicates that the ISP may be working with the threat actor to facilitate the attacks using the System for Operative Investigative Activities (SORM) systems. Microsoft declined to say how many organizations were targeted, or successfully infected, in this campaign.

🔔 Top News

Companies that Employed Hafnium Hackers Linked to Over a Dozen Patents — Threat actors linked to the notorious Hafnium hacking group have worked for companies that registered several patents for highly intrusive forensics and data collection technologies. The findings highlight China's diverse private sector offensive ecosystem and an underlying problem with mapping tradecraft to a specific cluster, which may not accurately reflect the true organizational structure of the attackers. The fact that the threat actors have been attributed to three different companies shows that multiple companies may be working in tandem to conduct the intrusions and those companies may be providing their tools to other actors, leading to incomplete or misleading attribution. It's currently not known how the threat actors came to possess the Microsoft Exchange Server flaws that were used to target various entities in a widespread campaign in early 2021. But their close relationship with the Shanghai State Security Bureau (SSSB) has raised the possibility that the bureau may have obtained access to information about the zero-days through some evidence collection method and passed it on to the attackers. The discovery also highlights another important aspect: China-based Advanced Persistent Threats (APTs) may actually consist of different companies that serve many clients owing to the contracting ecosystem, which forces these companies to collaborate on intrusions. In June 2025, Recorded Future revealed that a Chinese state-owned defense research institute filed a patent in late December 2024 that analyzes various kinds of intelligence, including OSINT, HUMINT, SIGINT, GEOINT, and TECHINT, to train a military-specific large language model in order to "support every phase of the intelligence cycle and improve decision-making during military operations."

🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it's a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week's high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week's list includes — CVE-2025-7340, CVE-2025-7341, CVE-2025-7360 (HT Contact Form plugin), CVE-2025-54782 (@nestjs/devtools-integration), CVE-2025-54418 (CodeIgniter4), CVE-2025-4421, CVE-2025-4422, CVE-2025-4423, CVE-2025-4424, CVE-2025-4425, CVE-2025-4426 (Lenovo), CVE-2025-6982 (TP-Link Archer C50), CVE-2025-2297 (BeyondTrust Privilege Management for Windows), CVE-2025-5394 (Alone theme), CVE-2025-2523 (Honeywell Experion PKS), CVE-2025-54576 (OAuth2-Proxy), CVE-2025-46811 (SUSE), CVE-2025-6076, CVE-2025-6077, and CVE-2025-6078 (Partner Software).

📰 Around the Cyber World

🎥 Cybersecurity Webinars

Malicious Python Packages Are Everywhere — Learn How to Spot and Stop Them: In 2025, attacks on the Python ecosystem are rising fast—from typosquatting to dangerous container image flaws. If you're still "pip installing and praying," it's time to level up. Join us for a hands-on webinar where we break down real supply chain threats and show you how to defend your code with practical tools, smarter workflows, and hardened images. No hype—just clear steps to secure your Python stack.

Secure Your AI Stack: Learn How to Defend Identity Before It's Too Late: AI is changing the way we work—and the way we get attacked. Join Okta's Karl Henrik Smith to explore how identity is becoming the last, and most critical, line of defense against AI-powered threats. From deepfakes to autonomous agents, attackers are moving faster than traditional tools can handle. In this free webinar, you'll learn why identity-first security is the key to staying ahead—and how to put it into action.

🔧 Cybersecurity Tools

Thorium: Released by the U.S. CISA, this new open-source tool is a scalable platform for automating file analysis and aggregating results across diverse tools. It helps cybersecurity teams streamline malware triage, forensics, and tool testing by integrating with existing workflows through event-driven automation and a scalable infrastructure.

LangExtract: An open-source Python library, developed by Google, that helps developers extract structured information from unstructured text using Gemini and other LLMs. It's designed for tasks like parsing medical records, legal documents, or customer feedback by combining prompt-driven extraction, source-grounded outputs, and schema enforcement. LangExtract supports flexible backends, scales across long documents, and makes it easy to visualize and verify results—all without fine-tuning a model.

Disclaimer: These newly released tools are for educational use only and haven't been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Your Keyboard Could Be Spying on You — Here's How to Tell — Most people don't realize it, but your smartphone keyboard can do more than just type. Some of them quietly connect to the internet, sending back what you type, when you type, and even what's in your clipboard. Even trusted apps like Gboard and SwiftKey have cloud sync features that share your typing patterns. And in worse cases, rogue keyboards can log passwords or steal crypto wallet seeds without any visible signs.

The fix isn't just "don't use shady keyboards." It's knowing how to control what they can do. Start by using a firewall app like NetGuard or RethinkDNS to block your keyboard from sending data over the internet. Go into your keyboard's settings and turn off "personalization" or sync features. Watch out for weird behavior like a keyboard asking for access to your mic, contacts, or location — those are red flags. On newer Android versions, clipboard alerts will warn you if a keyboard is snooping.

If you want full peace of mind, switch to a keyboard that respects your privacy by design. Options like OpenBoard or Simple Keyboard have no internet access at all. They're fast, clean, and open source — meaning their code can be audited for hidden behavior. In short: if your keyboard wants to "learn from you," make sure it's not learning too much.
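The permission red flags above (internet, microphone, contacts, location) are easy to check for every installed keyboard rather than by eye. The script below is an added example, not part of the original article: it parses the text that `adb shell ime list -s` and `adb shell dumpsys package <pkg>` print on a connected Android device (the exact line format is assumed from typical Android output) and lists which input-method packages hold the red-flag permissions. The two sample keyboards and their dumpsys excerpts are constructed for the demo; `audit_device()` runs the same logic live over adb.

```python
"""Audit installed Android keyboards (IMEs) for network and data-access permissions.

Added example, not from the original article. Output formats of `ime list -s`
and `dumpsys package` are assumed from typical Android builds.
"""
import re
import subprocess

# Permissions the tip calls red flags for a keyboard app.
RED_FLAGS = {
    "android.permission.INTERNET": "can send typed data over the network",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.READ_CONTACTS": "contacts access",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
}

# Constructed sample of `adb shell ime list -s`: one "<package>/<service>" id per line.
SAMPLE_IME_LIST = """\
com.example.cloudkbd/.CloudKeyboard
org.example.offlinekbd/.LatinIME
"""

# Constructed excerpts of `adb shell dumpsys package <pkg>` for the two sample keyboards.
SAMPLE_DUMPSYS = {
    "com.example.cloudkbd": """\
Packages:
  Package [com.example.cloudkbd] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.VIBRATE: granted=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
""",
    "org.example.offlinekbd": """\
Packages:
  Package [org.example.offlinekbd] (4d5e6f):
    requested permissions:
      android.permission.VIBRATE
    install permissions:
      android.permission.VIBRATE: granted=true
""",
}


def parse_ime_packages(ime_list_output: str) -> list[str]:
    """Return package names from `ime list` output.

    Matches unindented '<package>/<service>' ids (with or without a trailing colon,
    so the verbose `-a` form works too) and ignores indented detail lines.
    """
    pkgs = []
    for line in ime_list_output.splitlines():
        m = re.match(r"^([\w.]+)/\S+:?\s*$", line)
        if m and m.group(1) not in pkgs:
            pkgs.append(m.group(1))
    return pkgs


def parse_granted_permissions(dumpsys_output: str) -> set[str]:
    """Collect permissions that `dumpsys package` reports as granted=true.

    Lines under 'requested permissions:' carry no granted= marker and are skipped,
    so only permissions the user or installer actually granted are counted.
    """
    return set(re.findall(r"(android\.permission\.[A-Z_]+):\s*granted=true", dumpsys_output))


def audit_keyboard(pkg: str, dumpsys_output: str) -> list[str]:
    """Return one finding per red-flag permission the keyboard package holds."""
    granted = parse_granted_permissions(dumpsys_output)
    return [f"{pkg}: {perm} ({why})" for perm, why in RED_FLAGS.items() if perm in granted]


def audit_all(ime_list_output: str, dumpsys_by_pkg: dict[str, str]) -> dict[str, list[str]]:
    """Audit every installed IME; a keyboard with no findings maps to an empty list."""
    return {pkg: audit_keyboard(pkg, dumpsys_by_pkg.get(pkg, ""))
            for pkg in parse_ime_packages(ime_list_output)}


def audit_device() -> dict[str, list[str]]:
    """Run the audit against a USB-connected device via adb (needs adb on PATH)."""
    def adb(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    ime_out = adb("ime", "list", "-s")
    dumps = {pkg: adb("dumpsys", "package", pkg) for pkg in parse_ime_packages(ime_out)}
    return audit_all(ime_out, dumps)


if __name__ == "__main__":
    # Offline demo over the constructed samples; swap in audit_device() for a real phone.
    for pkg, findings in audit_all(SAMPLE_IME_LIST, SAMPLE_DUMPSYS).items():
        print(pkg, "->", findings or "no red-flag permissions")
```

On the constructed samples the cloud keyboard is flagged for INTERNET and RECORD_AUDIO (its READ_CONTACTS request was denied, so it is not reported), while the offline keyboard comes back clean. Note that a keyboard holding INTERNET is not proof of exfiltration, only that the firewall step in the tip actually matters for that package.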

Conclusion

Every threat we covered this week tells the same story: attackers are evolving faster because they're learning from us. From how we code to how we trust, they're watching closely. But the flipside? So are we.

The more we share, the faster we adapt. Keep pushing, keep questioning, and never let "normal" make you comfortable.