🕵🏻‍♂️ [InfoSec MASHUP] 45/2025

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 A ransomware attack on Nevada began in May but was only found in August, disrupting services like driver’s licenses and background checks. The state spent at least $1.5 million to recover, kept paying employees, and did not pay the ransom. Officials recommend stronger centralized cybersecurity and better detection tools to prevent future breaches.

🇺🇸 The Congressional Budget Office (CBO) reported a cybersecurity incident that may have been caused by a foreign-linked attacker. The breach could have exposed communications between CBO researchers and lawmakers. The agency says it contained the incident, is investigating, and has added security controls.

🇺🇸 🇰🇷 Hyundai AutoEver America says hackers accessed its IT systems between Feb 22 and Mar 2, 2025. The breach exposed personal data, including names, Social Security numbers, and driver’s licenses. It is unclear how many people were affected or who carried out the attack.

🇯🇵 Hackers stole Slack credentials from a Nikkei employee’s infected personal computer. Attackers used those credentials to access Slack and exposed names, emails, and chat histories of over 17,000 people. Nikkei found the breach in September, changed passwords, and voluntarily reported it to Japan’s privacy commission.

🇸🇪 A cyberattack on Swedish IT supplier Miljödata exposed data for about 1.5 million people. The leak disrupted municipal services and put sensitive personal data on the dark web. Swedish authorities launched investigations into Miljödata and several municipalities over security and data-handling practices.

🇺🇸 🏫 The University of Pennsylvania confirmed a hacker used stolen employee credentials and social engineering to breach systems tied to development and alumni activities. The attacker stole 1.71 GB of files and a Salesforce donor database with about 1.2 million records, then sent an offensive mass email. The attacker posted samples and sent offensive emails using a compromised Penn marketing account. Penn is investigating with the FBI and CrowdStrike, boosting security, and will notify affected people.

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

💳️ Authorities from multiple countries broke up three large credit card fraud networks that stole at least €300 million and affected over 4.3 million cardholders. Eighteen people were arrested, assets worth over €35 million seized, and suspects allegedly used payment firms and shell companies to launder money. The fraud created 19 million fake subscriptions and hid charges to avoid detection.

🇷🇺 🇺🇦 Russia’s Sandworm hackers launched destructive cyberattacks against Ukraine — They used multiple wiper malware families, including Sting and Zerlot, to erase data and damage systems. Targets included universities, government, energy, logistics, and even the grain industry.

🇪🇺 Law enforcement arrested nine people in a coordinated raid across Cyprus, Spain, and Germany for running a crypto fraud that stole about €600 million. They seized cash, bank funds, and cryptocurrencies worth over €1.5 million. Europol and Eurojust said the scam used fake investment sites and social media, and that fighting crypto crime needs cross-border cooperation.

🌍 State-sponsored hackers stole all SonicWall cloud backup files in a September breach. The files contained encrypted credentials and configuration data that could enable targeted attacks. SonicWall urged customers to check backups, reset passwords, and has completed a Mandiant-led investigation.

🇺🇸 ⚖️ Federal prosecutors say three incident-response professionals used ALPHV/BlackCat ransomware to attack five U.S. companies in 2023. One victim paid nearly $1.3 million; others were not successfully extorted. Two men were indicted, arrested, and face long prison terms while their employers say the conduct occurred outside company systems.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

👀 🇮🇹 Italian political consultant Francesco Nicodemo says he was targeted for 10 months with Paragon spyware — The case expands a wider Italian spyware scandal that has hit journalists, activists, executives and now a center-left consultant. Investigations show some targets were hacked by Italian intelligence, but many questions about who ordered the spying remain unanswered.

🇺🇸 🇰🇵 The U.S. Treasury sanctioned eight people and two companies for laundering money from North Korean cybercrime and fake IT worker schemes. Officials say North Korean hackers stole over $3 billion, mainly in cryptocurrency, and IT worker fraud added hundreds of millions. The funds are used to support North Korea’s weapons programs and evade sanctions.

🇺🇸 The Office of Personnel Management (OPM) will work with the National Science Foundation (NSF) to offer a mass deferment for CyberCorps Scholarship-for-Service graduates after the government shutdown. This gives graduates more time to find qualifying government jobs without immediate loan repayment. OPM also urged agencies to hire from the program and said it is sharing resources to help scholars meet service obligations.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

👀 📲 LANDFALL is commercial-grade Android spyware that targeted Samsung Galaxy devices using malformed DNG image files. It exploited a zero-day in Samsung’s image library (CVE-2025-21042) to install multi-component spyware, likely via zero-click messaging. The campaign ran in mid‑2024 and was linked to a wider pattern of DNG parsing exploits across mobile platforms.

🧩 Researchers found a malicious VS Code extension that can zip, upload, and encrypt files and uses GitHub as its command-and-control. The extension appears to be "vibe-coded" with AI-like artifacts and even leaked C2 keys and decryption tools. Separately, trojanized npm packages were distributing the Vidar infostealer via postinstall scripts, highlighting ongoing open-source supply-chain risks.

→ Malicious VSX Extension "SleepyDuck" Uses Ethereum to Keep Its Command Server Alive

🍎 ClickFix Attacks Against macOS Users Evolving — ClickFix social engineering tricks users into running copied commands that install malware. Attackers are improving Mac-targeted lures, using tailored prompts, videos and timers to pressure victims. Defenses are limited, so user training and awareness are critical.

😴 Gootloader malware is back after seven months, using SEO-poisoned sites to trick users into downloading malicious ZIPs with JavaScript loaders. The campaign now hides keywords using swapped web fonts and malformed ZIPs to evade detection and delivers backdoors like Supper SOCKS5. Infected machines often lead quickly to network compromise and ransomware, so avoid unknown legal-template sites.

🇷🇺 A Russia-aligned cluster called InedibleOchotense sent phishing messages to Ukrainians using trojanized ESET installers to drop a Kalambur backdoor. The malware installs legitimate ESET remover but also enables Tor-based remote access, OpenSSH, and RDP. ESET links this activity and similar campaigns to Sandworm and other Russia-linked groups conducting destructive and espionage attacks.

🥸 ⚒️ Google warns that malware now uses AI during attacks to change itself, evade detection, and gather data. Examples include ransomware and stealers that call AI models to rewrite code or generate commands. Researchers say this trend is new, likely to grow, and lowers the barrier for criminals.

→ … And debunk thread by Kevin Beaumont on Bluesky 🦋 

🇷🇺 🇧🇾 Operation SkyCloak uses phishing emails with weaponized ZIP attachments to install a persistent OpenSSH backdoor and a Tor hidden service on Windows machines. The malware checks for real-user activity, drops a renamed sshd.exe and a custom Tor binary, and creates scheduled tasks to enable SSH, SFTP, RDP and SMB access over Tor. Security firms say the campaign targets defense and government sectors in Russia and Belarus and hides attacker traffic with obfs4.

🔙 🚪 Microsoft found a new backdoor called SesameOp that uses the OpenAI Assistants API as a hidden command-and-control channel. The malware fetches encrypted commands from the API, runs them, and sends results back to the attacker. Microsoft shared the findings with OpenAI, which disabled the suspected API key.

🎠 Researchers found two Android trojans, BankBot-YNRK and DeliveryRAT, that steal financial and personal data from infected phones. BankBot-YNRK hides, asks for accessibility access, and targets many banking apps to steal credentials and perform fraud. DeliveryRAT is spread via fake delivery and marketplace apps, hides itself, steals messages and logs, and can run DDoS attacks.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🤝 Google’s $32 billion acquisition of cloud security firm Wiz has cleared U.S. Department of Justice antitrust review.

🤝 🪲 Bugcrowd has acquired AI-driven Mayhem Security to combine automated offensive testing with human hackers. The deal brings Mayhem’s continuous penetration tools and 11 employees into Bugcrowd, with founder David Brumley as chief AI and science officer. The goal is a unified platform that uses AI plus expert crowds to find and fix vulnerabilities earlier.

💸 A hacker stole over $120 million from Balancer’s v2 pools, with estimates around $128 million. The exploit likely arose from a rounding/authorization flaw in the vaults, but investigators have not agreed on the exact method. Balancer is investigating, warned users about scams, and will release a post-mortem.

📂 A researcher found a way to trick Anthropic’s Claude into stealing user files by using indirect prompt injections and the Files API. The attack saves user data in Claude’s Code Interpreter sandbox and uploads it to an attacker’s account using the attacker’s API key. Anthropic was notified and now considers the issue in-scope while warning that network access and external files pose risks.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Apple Patches 19 WebKit Vulnerabilities

• Apple addresses more than 100 vulnerabilities in security updates for iPhones, Macs and iPads

• Android Update Patches Critical Remote Code Execution Flaw

• Cisco Patches Critical Vulnerabilities in Contact Center Appliance

• Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching

🩹 🤑 Google released Chrome 142 with fixes for 20 vulnerabilities, including several high‑severity bugs in the V8 JavaScript engine. Google paid $130,000 in bounty rewards, including $50,000 each for two V8 bugs that could allow remote code execution. No exploitation in the wild was reported.

🤖 A flaw in Qualcomm Adreno GPU command handling lets a user-controlled SDS buffer run privileged CP_SMMU_TABLE_UPDATE commands. This lets an attacker load fake GPU page tables and get arbitrary GPU-backed read/write access to physical memory. With a stable r/w primitive the exploit can bypass SELinux and gain root on affected Samsung S23 firmware.

🐛 Security firm JFrog disclosed a critical React Native vulnerability (CVE-2025-11953) in the @react-native-community/cli package. The flaw lets unauthenticated attackers send POST requests to run arbitrary commands on developers' machines, especially when using the Metro dev server. Meta patched the issue in version 20.0.0 and users should update the @react-native-community/cli-server-api package.

🛰️ ICS, OT & IoT

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.