This week has been crazy in the world of hacking and online security. From Thailand to London to the US, we've seen arrests, spies at work, and big power moves online. Hackers are getting caught. Spies are getting better at their jobs. Even simple things like browser add-ons and smart home gadgets are being used to attack people.

Every day, there's a new story that shows how quickly things are changing in the fight over the internet.

Governments are cracking down harder on cybercriminals. Big tech companies are rushing to fix their security. Researchers keep finding weak spots in apps and devices we use every day. We saw fake job recruiters on LinkedIn spying on people, huge crypto money-laundering cases, and brand-new malware made just to beat Apple's Mac protections.

All these stories remind us: the same tech that makes life better can very easily be turned into a weapon.

Here's a simple look at the biggest cybersecurity news happening right now — from the hidden parts of the dark web to the main battles between countries online.

  1. Chinese operatives mine LinkedIn for political intel

    U.K.'s domestic intelligence agency MI5 has warned lawmakers that Chinese spies are actively reaching out to "recruit and cultivate" them with lucrative job offers on LinkedIn via headhunters or cover companies. Chinese nationals are said to be using LinkedIn profiles to conduct outreach at scale, allegedly on behalf of the Chinese Ministry of State Security. "Their aim is to collect information and lay the groundwork for long-term relationships, using professional networking sites, recruitment agents and consultants acting on their behalf," House of Commons Speaker Sir Lindsay Hoyle said. The activity is assessed to be "targeted and widespread." Targets included parliamentary staff, economists, think tank consultants, and government officials. In a statement shared with BBC, a spokesperson for the Chinese embassy in the UK said accusations of espionage were "pure fabrication" and accused the U.K. of a "self-staged charade." MI5 is not the only intelligence agency to warn about social media's potential to allow spying. In July, Mike Burgess, the Director-General of Australia's Security Intelligence Organization (ASIO), said a foreign intelligence agency tried to find info about an Australian military project by cultivating relationships with people who worked on it.

  2. EU rewires privacy playbook

    The European Commission unveiled a proposal for major changes to the European Union's General Data Protection Regulation (GDPR) and AI Act. Under the new "digital omnibus" package, the E.U. aims to simplify the GDPR and "clarify the definition of personal data" to allow companies to lawfully process personal data for AI training without prior consent from users on the basis of "legitimate interest," as long as they do not break any laws. The move has been criticized for pandering to Big Tech's interests. It also amends cookie consent rules on websites, allowing users to "indicate their consent with one-click and save their cookie preferences through central settings of preferences in browsers and operating systems" instead of having to confirm their choice on every website they visit. "Taken together, these changes give both state authorities and powerful companies more room to collect and process personal information with limited oversight and reduced transparency," European Digital Rights (EDRi) said. "People will lose straightforward safeguards, and minoritised communities will face even higher exposure to profiling, automated decisions and intrusive monitoring." Austrian privacy non-profit noyb said the changes "are not 'maintaining the highest level of personal data protection,' but massively lower protections for Europeans."

  3. Browser add-ons turned into data siphons

    Threat actors are leveraging malicious VPN and ad-blocking extensions for Google Chrome and Microsoft Edge browsers to steal sensitive data. The extensions were collectively installed about 31,000 times. The extensions, once installed, could intercept and redirect every web page visited by users, collect browsing data and a list of installed extensions, modify or disable other proxy or security tools, and route traffic through attacker-controlled servers, LayerX said. The names of some of the extensions are VPN Professional: Free Unlimited VPN Proxy, Free Unlimited VPN, VPN-free.pro - Free Unlimited VPN for Secure Browsing, Ads Blocker - Block All Ads & Protect Privacy, and Ads Cleaner for Facebook.

  4. Crypto launderer's luxury spree unravels

    A 45-year-old from Irvine, California, has pleaded guilty to laundering at least $25 million stolen in a massive $230 million cryptocurrency scam. Kunal Mehta (aka "Papa," "The Accountant," and "Shrek") is the eighth defendant to plead guilty for his participation in this scheme following charges brought by the Department of Justice in May 2025. The scheme used social engineering to steal hundreds of millions of dollars in cryptocurrency from victims throughout the U.S. through elaborate ruses committed online and through spoofed phone numbers between around October 2023 and March 2025, according to the U.S. Justice Department. The stolen proceeds were used to purchase luxury goods, rental homes, a team of private security guards, and exotic cars. "Mehta created multiple shell companies in 2024 for the purpose of laundering funds through bank accounts created to give the appearance of legitimacy," the DoJ said. "To facilitate crypto-to-wire money laundering services, Mehta received stolen cryptocurrency from the group, which they had already laundered. Mehta then transferred the cryptocurrency to associates who further laundered it through sophisticated blockchain laundering techniques. The stolen funds returned to Mehta's shell company bank accounts through incoming wire transfers from additional shell companies organized by others throughout the United States." Mehta also personally delivered cash when requested by the members, while also performing wire transfers and facilitating exotic car purchases in exchange for a 10% fee.

  5. Critical Oracle bug opens door to full system takeover

    Cybersecurity researchers have disclosed details of a critical security flaw in the Identity Manager product of Oracle Fusion Middleware (CVE-2025-61757, CVSS score: 9.8) that allows an unauthenticated attacker with network access via HTTP to compromise and take control of susceptible systems. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. "This pre-authentication RCE we found would also have been able to breach login.us2.oraclecloud.com, as it was running both OAM and OIM," Searchlight Cyber's Adam Kues and Shubham Shah said. "The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws. Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters." Oracle addressed the vulnerability last month.

  6. Smart relay flaw triggers repeat reboots

    A critical security flaw has been disclosed in the Shelly Pro 4PM smart relay (CVE-2025-11243, CVSS score: 8.3) that an attacker could exploit to cause a device reboot, limiting the ability to detect abnormal power consumption or exposing circuits to undesirable safety risks. "Unexpected inputs to multiple JSON-RPC methods on the Shelly Pro 4PM v1.4.4 can exhaust resources and trigger device reboots," Nozomi Networks said. "While the issue does not enable code execution or data theft, it can be used to systematically cause repeatable outages—impacting automation routines and visibility in both home and building contexts." Users are advised to update to version 1.6.0 and avoid direct internet exposure.

  7. Crypto mixer founders jailed for laundering millions

    Keonne Rodriguez and William Lonergan Hill, co-founders of the crypto mixing service Samourai Wallet, were sentenced to five and four years in prison, respectively, for their role in facilitating over $237 million in illegal transactions. Both defendants pleaded guilty to charges of knowingly transmitting criminal proceeds back in August 2025. The defendants, per U.S. prosecutors, designed Samourai around a Bitcoin mixing service known as Whirlpool and Ricochet to conceal the nature of illicit transactions. "Over $237 million of criminal proceeds laundered through Samourai came from, among other things, drug trafficking, darknet marketplaces, cyber-intrusions, frauds, sanctioned jurisdictions, murder-for-hire schemes, and a child pornography website," the U.S. Justice Department said.

  8. glob CLI flaw opens door to code injection

    A security flaw (CVE-2025-64756, CVSS score: 7.5) has been identified in glob CLI's -c/--cmd flag that could result in operating system command injection, leading to remote code execution. "When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges," glob maintainers said in an alert. An attacker could leverage the flaw to execute arbitrary commands, compromising a developer's machine or paving the way for supply chain poisoning via malicious packages. The vulnerability affects Glob versions from 10.2.0 through 11.0.3. It has been patched in versions 10.5.0, 11.1.0, and 12.0.0. According to AISLE, which discovered and reported the flaw along with Gyde04, "you are not affected if you only use glob's library API (glob(), globSync(), async iterators) without invoking the CLI tool."
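A defender's check for the glob advisory above, as an added example that is not code from the glob project or from AISLE: it scans a package-lock.json for installed glob copies inside the affected range (10.2.0 through 11.0.3, fixed in 10.5.0 and 11.1.0). The lockfile contents and the function names are constructed for illustration; the `packages` layout is the one npm writes for lockfileVersion 2 and 3.

```javascript
// Parse "major.minor.patch" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected per the advisory: 10.2.0 <= v < 10.5.0, or 11.0.0 <= v < 11.1.0.
function isAffectedGlob(version) {
  const v = parseVersion(version);
  if (!v) return false;
  if (v[0] === 10) return cmp(v, [10, 2, 0]) >= 0 && cmp(v, [10, 5, 0]) < 0;
  if (v[0] === 11) return cmp(v, [11, 1, 0]) < 0;
  return false;
}

// Walk every installed copy of glob, including ones nested under other packages.
function findAffectedGlob(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isGlob = path === "node_modules/glob" || path.endsWith("/node_modules/glob");
    if (isGlob && isAffectedGlob(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/glob": { version: "10.4.5" },
    "node_modules/rimraf/node_modules/glob": { version: "11.0.3" },
    "node_modules/test-tool/node_modules/glob": { version: "7.2.3" },
    "node_modules/fast-glob": { version: "3.3.2" },
    "node_modules/build-tool/node_modules/glob": { version: "11.1.0" },
  },
};

console.log(findAffectedGlob(sampleLock));
```

A hit only marks where to look: per the advisory quoted above, projects that use glob's library API without invoking the CLI's -c/--cmd flag are not affected.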

  9. Russian cyber operative caught in Phuket

    A Russian national alleged to be affiliated with the Void Blizzard (aka Laundry Bear) hacking group has been arrested in Phuket, according to CNN. Denis Obrezko, 35, was arrested on November 6, 2025, as part of a joint operation between the U.S. Federal Bureau of Investigation (FBI) and Thai officials. He was arrested a week after entering the country on a flight to Phuket. Earlier this May, Microsoft attributed Void Blizzard to espionage operations targeting organizations that are important to Russian government objectives, including those in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors in Europe and North America, since at least April 2024.

  10. X debuts encrypted messaging with PIN-secured keys

    X has revealed Chat, an encrypted upgrade to the platform's direct messaging service with support for video and voice calls, disappearing messages, and file sharing. In an X post, the social media platform said users can block screenshots and get notified of attempts. X first began rolling out encrypted DMs in May 2023 before pausing the feature on May 29, 2025, to make some improvements. "When entering Chat for the first time, a private-public key pair is created specific to each user," the company said. "Users are prompted to enter a PIN (which never leaves the device), which is used to keep the private key securely stored on X's infrastructure. This private key can then be recovered from any device if the user knows the PIN. In addition to the private-public key pairs, there is a per-conversation key that is used to encrypt the content of the messages. The private-public key pairs are used to exchange the conversation key securely between participating users."

  11. Fake Microsoft invites fuel voice-phishing scam

    A new phishing campaign has been observed weaponizing Microsoft Entra guest user invitations to deceive recipients into making phone calls to attackers posing as Microsoft support. The campaign uses Microsoft Entra tenant invitations sent from the legitimate invites@microsoft[.]com address to bypass email filters and establish trust with targets.

  12. Jabber Zeus coder extradited to face U.S. justice

    A Ukrainian national believed to be a developer for the Jabber Zeus cybercrime group has reportedly been extradited from Italy to the U.S. The man, Yuriy Igorevich Rybtsov, 41, of Donetsk, is alleged to be MrICQ (aka John Doe #3), according to a report from security journalist Brian Krebs. He is accused of handling notifications of newly compromised entities, as well as of laundering the illicit proceeds from the scheme. Another member of the group, Vyacheslav "Tank" Igorevich Penchukov, pleaded guilty to his role in two different malware schemes, Zeus and IcedID, in February 2024. Later that July, he was sentenced to 18 years and ordered to pay more than $73 million in restitution to victims. Speaking exclusively to the BBC earlier this month, the 39-year-old described himself as a "friendly guy." At one point, he ditched cybercrime to start a company buying and selling coal, only to be lured back into it due to the allure of ransomware. In the meantime, he is also learning French and English. Penchukov also acknowledged that Russian cybercrime groups worked with security services, such as the FSB. "You can't make friends in cybercrime, because the next day, your friends will be arrested and they will become an informant," he was quoted as saying. "Paranoia is a constant friend of hackers." In a report published this month, Analyst1 researcher Anastasia Sentsova said, "the Russian state has gotten its hands dirty and set up several hacktivist groups to support its war in Ukraine."

  13. Media Land hit with sanctions over ransomware links

    The U.S., the U.K., and Australia have sanctioned Russian bulletproof hosting (BPH) provider Media Land and its executives, including general director Aleksandr Volosovik (aka Yalishanda), for providing services to cybercrime and ransomware groups like Evil Corp, LockBit, Black Basta, BlackSuit, and Play. The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has also designated Hypercore Ltd., a front company of Aeza Group LLC (Aeza Group), along with two additional individuals and two entities that have led, materially supported, or acted for Aeza Group, including Maksim Vladimirovich Makarov, Ilya Vladislavovich Zakirov, Smart Digital Ideas DOO, and Datavice MCHJ. "These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries," said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. In tandem, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to help internet service providers and network defenders mitigate the risks posed by BPH providers. "These providers enable malicious activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks, posing an imminent and significant risk to the resilience and safety of critical systems and services," CISA said.

  14. Researchers reengineer PoolParty in C#

    Cybersecurity researchers have released a C# implementation of PoolParty, a collection of process injection techniques that target Windows Thread Pools to evade endpoint detection and response (EDR) systems. PoolParty was first detailed by SafeBreach in late 2023. Its C# implementation, codenamed SharpParty by Trustwave and Stroz Friedberg, enables the PoolParty techniques to be used in tools that leverage inline MSBuild tasks in XML files.

  15. New macOS malware hijacks crypto apps

    Cybersecurity researchers have detailed a new macOS stealer malware called NovaStealer that can exfiltrate wallet-related files, collect telemetry data, and replace legitimate Ledger/Trezor applications with tampered copies. "An unknown dropper fetches and runs mdriversinstall.sh, which installs a small scripts orchestrator under ~/.mdrivers and registers a LaunchAgent labeled application.com.artificialintelligence," a security researcher who goes by the name Bruce said. "This orchestrator pulls additional scripts encoded in b64 from the C2, drops them under ~/.mdrivers/scripts, and runs them in detached screen sessions in the background. It supports updates and handles the restart of responsible screen sessions."
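A host check for the NovaStealer artifacts named in the quote above, as an added example that is not the researcher's tooling: it looks for ~/.mdrivers, ~/.mdrivers/scripts and a LaunchAgent carrying the label application.com.artificialintelligence. The function names and the fixture are constructed, and the per-user ~/Library/LaunchAgents location is an assumption, since the report excerpt does not say where the agent is registered.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Indicators quoted in the report above.
const STAGING_DIR = ".mdrivers";
const SCRIPTS_DIR = path.join(".mdrivers", "scripts");
const AGENT_LABEL = "application.com.artificialintelligence";

// Assumption: the LaunchAgent is registered per-user under ~/Library/LaunchAgents.
function checkNovaStealerArtifacts(home = os.homedir()) {
  const findings = [];
  for (const rel of [STAGING_DIR, SCRIPTS_DIR]) {
    const p = path.join(home, rel);
    if (fs.existsSync(p)) findings.push({ type: "path", value: p });
  }
  const agentsDir = path.join(home, "Library", "LaunchAgents");
  let entries = [];
  try { entries = fs.readdirSync(agentsDir); } catch { /* directory absent or unreadable */ }
  for (const name of entries) {
    const file = path.join(agentsDir, name);
    let body = "";
    try { body = fs.readFileSync(file, "latin1"); } catch { continue; }
    // Match on file name or content; latin1 keeps ASCII strings in binary plists searchable.
    if (name.includes(AGENT_LABEL) || body.includes(AGENT_LABEL)) {
      findings.push({ type: "launchagent", value: file });
    }
  }
  return findings;
}

// Constructed fixture: a fake home directory holding the artifacts plus a benign agent.
function buildFixture() {
  const home = fs.mkdtempSync(path.join(os.tmpdir(), "nova-fixture-"));
  fs.mkdirSync(path.join(home, SCRIPTS_DIR), { recursive: true });
  const agents = path.join(home, "Library", "LaunchAgents");
  fs.mkdirSync(agents, { recursive: true });
  fs.writeFileSync(path.join(agents, "sample.plist"),
    `<plist><dict><key>Label</key><string>${AGENT_LABEL}</string></dict></plist>`);
  fs.writeFileSync(path.join(agents, "com.example.benign.plist"),
    "<plist><dict><key>Label</key><string>com.example.benign</string></dict></plist>");
  return home;
}

console.log(checkNovaStealerArtifacts(buildFixture()));
```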

Every week, new online dangers pop up. Real stories show how much our daily lives depend on the internet. The same apps and tools that make life quicker and easier can also let bad guys in.

It's not just for experts anymore. Anyone who goes online, clicks links, or shares stuff needs to pay attention.

Governments try to catch hackers, and experts find secret weak spots. But one thing is always true: keeping our digital world safe never ends. The best thing we can do is learn from what happens, fix our apps and passwords, and watch out for new tricks.

I'll keep sharing simple updates and closer looks at the big stories about cyber threats, privacy, and staying safe online.
