Daily Brief


Total articles found: 11802


2025-08-20 09:19:14 thehackernews NATION STATE ACTIVITY North Korean Cyber Espionage Campaign Targets Diplomatic Missions via GitHub
North Korean hackers, identified as the Kimsuky group, targeted diplomatic missions in South Korea between March and July 2025, using spear-phishing emails to compromise embassy staff and foreign ministry personnel. The campaign employed GitHub as a covert command-and-control channel, leveraging cloud storage platforms like Dropbox and Daum Cloud to deliver the Xeno RAT malware variant. Attackers crafted emails in multiple languages, impersonating trusted diplomatic contacts to deliver malicious ZIP files, which included Windows shortcuts executing PowerShell scripts for further infiltration. The operation's infrastructure and tactics suggest potential collaboration or overlap with China-based operatives, with activity patterns aligning with Chinese national holidays. In parallel, North Korean IT workers infiltrated over 320 companies by posing as remote employees, utilizing AI tools to enhance their operations and evade detection. These workers employed generative AI for creating résumés and deepfake technology for video interviews, complicating traditional security measures. The campaign's sophistication and strategic use of technology pose significant challenges to international cybersecurity defenses, emphasizing the need for enhanced vigilance and adaptive security strategies.
2025-08-20 07:38:38 theregister VULNERABILITIES McDonald's Faces Security Flaws Exposing Sensitive Data and Operations
A white-hat hacker, known as "Bobdahacker," uncovered critical vulnerabilities in McDonald's staff and partner portals, potentially allowing unauthorized access to sensitive corporate resources and free food orders. The flaws included security checks that were enforced only on the client side of the online delivery app, enabling unauthorized food orders and potential phishing attacks using corporate email accounts. McDonald's lacked a security.txt file, complicating the reporting process for vulnerabilities, which delayed the resolution of several critical security issues. The Feel-Good Design Hub was found to have inadequate security, exposing marketing materials and user data through easily manipulated login processes and visible API keys. The vulnerabilities extended to McDonald's franchise portal, Global Restaurant Standards, which lacked admin authorization checks, allowing unauthorized changes to franchisee guidelines. Similar security weaknesses were identified in Casa Bonita, exposing customer data due to unprotected admin access, highlighting broader industry issues with digital infrastructure. McDonald's has addressed most of the identified issues, although some, like the Feel-Good Design Hub's registration security, remain unresolved. The incident underscores the necessity for robust security protocols and timely vulnerability reporting mechanisms to protect corporate and customer data.
2025-08-20 04:25:24 thehackernews DDOS DOJ Charges Oregon Man for Operating Global DDoS Botnet
The Department of Justice charged Ethan Foltz, 22, for running the RapperBot DDoS-for-hire service, impacting over 80 countries since 2021. RapperBot, also known as Eleven Eleven Botnet and CowBot, compromised devices like DVRs and routers using SSH and Telnet brute-force attacks. The botnet executed over 370,000 DDoS attacks, targeting 18,000 victims globally, including in China, Japan, and the U.S., with traffic reaching up to 6 Tbps. Law enforcement seized control of the botnet infrastructure in August 2025, as part of Operation PowerOFF, an international crackdown on DDoS-for-hire networks. RapperBot's activities extended to cryptojacking, exploiting compromised devices to mine Monero, thereby maximizing illicit profits. Foltz faces up to 10 years in prison if convicted, with charges of aiding and abetting computer intrusions. The case underscores the growing threat of DDoS-for-hire services and the need for robust international collaboration in cybersecurity enforcement.
2025-08-19 22:01:27 theregister VULNERABILITIES Critical Flaw in Ollama Desktop App Enables Drive-By Attacks
A security flaw in Ollama Desktop v0.10.0 allowed a remote attacker to tamper with the app's local chat settings via a drive-by attack (a malicious web page visited by the user), potentially compromising user data and model interactions. The vulnerability stemmed from incomplete cross-origin controls in the GUI's local web service, which could be reached with POST requests manipulated to bypass the CORS preflight check. GitLab's Chris Moberly discovered the issue, prompting a swift response from Ollama's team, who released a patched version v0.10.1 within hours. The flaw affected both Mac and Windows versions of the desktop GUI, but not the core Ollama API, reducing the overall exposure risk. Users are advised to update their applications immediately; auto-updates are available for official installers, while Homebrew users must update manually. No evidence suggests the flaw was exploited in the wild, but the potential for trivial exploitation underscores the need for prompt patching. The incident serves as a reminder of the importance of robust cross-origin controls and timely vulnerability management to prevent unauthorized access.
2025-08-19 20:31:55 theregister VULNERABILITIES Attackers Patch Apache ActiveMQ Flaw to Conceal Intrusions
Attackers exploited a critical vulnerability, CVE-2023-46604, in Apache ActiveMQ to gain unauthorized access to Linux servers, using a CVSS 9.8 flaw rated as a perfect 10 by Apache. After breaching systems, intruders installed a backdoor and used DripDropper malware to maintain control, patching the vulnerability to evade detection by security scans. DripDropper, an encrypted ELF file, communicates with a Dropbox account for command and control, complicating efforts to detect and analyze the malware. Attackers modified SSH configuration files to allow root access and altered cron job files to ensure persistent execution of their malware on compromised machines. Despite Apache's patch release in October 2023, many systems remain vulnerable due to delayed patch management by IT departments and slow vendor responses. The use of Sliver, a legitimate pentesting tool, highlights the dual-use nature of such tools and their potential for misuse by cybercriminals. Organizations are urged to review and accelerate their patch management processes to mitigate risks associated with delayed vulnerability remediation.
2025-08-19 20:11:18 bleepingcomputer VULNERABILITIES PyPI Implements Protections Against Domain Resurrection Attacks
The Python Package Index (PyPI) has introduced measures to prevent domain resurrection attacks, which previously allowed attackers to hijack accounts via expired domains. These attacks posed significant risks, enabling supply-chain threats by allowing malicious versions of popular Python packages to be distributed. A past incident involved the 'ctx' package, where attackers embedded code to steal Amazon AWS credentials, highlighting the potential impact of such vulnerabilities. PyPI now uses Domainr’s Status API to monitor domain lifecycle stages, marking domains as unverified if they are expired or nearing expiration. This new system, operational since June 2025, has resulted in over 1,800 email addresses being marked unverified, reducing the risk of account takeovers. Users are advised to add backup emails from non-custom domains and enable two-factor authentication to enhance their account security. While the solution is not comprehensive against all attack vectors, it significantly mitigates risks associated with expired domain exploitation.
2025-08-19 18:32:38 bleepingcomputer VULNERABILITIES Okta Releases Open-Source Detection Rules for Enhanced Auth0 Security
Okta has introduced open-source Sigma-based queries for Auth0, enhancing threat detection capabilities against account takeovers and suspicious activities in event logs. Auth0, Okta's identity and access management platform, is widely used for authentication and user management, making this development significant for its users. The new Customer Detection Catalog offers a curated set of pre-built queries, enabling faster and more effective analysis of potential security threats. Security teams can now integrate real-world detection logic directly into monitoring tools, improving the proactive threat detection of the Auth0 platform. The initiative invites contributions from the security community, fostering a collaborative approach to refining detection rules and expanding coverage. These Sigma rules are compatible with various SIEM and logging tools, broadening their applicability across different security environments. This open-source effort aims to strengthen the security posture of organizations by simplifying the process of identifying and responding to potential threats.
2025-08-19 18:23:59 bleepingcomputer VULNERABILITIES Okta Enhances Auth0 Security with Open-Source Detection Rules
Okta has released open-source Sigma-based queries for Auth0 to enhance detection of account takeovers and misconfigurations, providing a proactive approach for threat detection. Auth0, Okta's identity and access management platform, serves organizations by managing login, authentication, and user management services. The new Customer Detection Catalog offers pre-built queries to identify suspicious activities like rogue admin accounts and token theft, enriching Auth0's security capabilities. Previously, Auth0 users relied on out-of-the-box solutions or custom-built detection rules, limiting their ability to promptly identify threats. The open-source approach allows contributions from the security community, facilitating continuous improvement and broader applicability across SIEM and logging tools. Organizations can integrate these detection rules into their monitoring tools, enhancing their ability to detect and respond to potential security incidents. By leveraging community-driven development, Okta aims to improve threat detection coverage and foster a collaborative security environment for Auth0 users.
2025-08-19 17:41:26 thehackernews MALWARE Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware
Threat actors are exploiting a critical Apache ActiveMQ vulnerability (CVE-2023-46604) to deploy DripDropper malware on cloud Linux systems, gaining persistent access and control. Attackers patch the exploited vulnerability post-access to prevent other adversaries from exploiting the same flaw, ensuring exclusive control over compromised systems. DripDropper, a PyInstaller ELF binary, communicates with an attacker-controlled Dropbox account, using legitimate services to blend into regular network traffic and evade detection. The malware modifies SSH configurations to enable root login and alters cron job files for persistence, maintaining long-term access and control over infected systems. The flaw, with a CVSS score of 10.0, has been heavily exploited, also deploying other malicious payloads like HelloKitty ransomware and GoTitan botnet malware. Red Canary's detection of these tactics emphasizes the need for timely patching, strict access controls, and vigilant monitoring of cloud environments to detect anomalous activities. This campaign illustrates the evolving sophistication of threat actors in securing and maintaining access, urging organizations to reinforce their cybersecurity defenses.
2025-08-19 16:46:04 bleepingcomputer VULNERABILITIES Elastic Refutes Zero-Day RCE Vulnerability Claims in Defend EDR
Elastic has dismissed claims of a zero-day remote code execution (RCE) vulnerability in its Defend endpoint detection and response (EDR) product, following an investigation by its Security Engineering team. AshES Cybersecurity reported a potential RCE flaw in Elastic Defend, suggesting a NULL pointer dereference in the kernel driver could bypass EDR protections and enable persistence. Despite AshES Cybersecurity's demonstration videos, Elastic's team could not reproduce the alleged vulnerability or its effects, citing the lack of a reproducible proof of concept from the researchers. Elastic emphasized its commitment to security, noting that its bug bounty program has awarded over $600,000 since 2017, but criticized AshES for not adhering to coordinated disclosure practices. The incident highlights the importance of coordinated vulnerability disclosure and the challenges in verifying security claims without full collaboration from researchers. Elastic reassures stakeholders of its proactive approach to security and ongoing vigilance in safeguarding its products against potential threats.
2025-08-19 15:39:44 theregister CYBERCRIME Bragg Gaming Reports Cyber Intrusion, Customer Data Unaffected
Bragg Gaming Group experienced a cyberattack on its internal IT systems, with no customer data compromised, according to the company's initial reports. The incident was identified early on a Saturday, prompting Bragg to engage external cybersecurity experts to manage containment and investigation efforts. The company's operations, including gaming services, remained unaffected, with full access to data maintained, ensuring business continuity. While Bragg confirmed no personal or financial data was accessed, details about the attack vector and potential data exfiltration remain undisclosed. The identity of the attackers is currently unknown, and no major cybercrime groups have claimed responsibility for the breach. The incident raises concerns about the effectiveness of Bragg's internal defenses and the potential duration of unauthorized access. The situation is being closely monitored, but the lack of detailed communication from Bragg leaves stakeholders seeking further clarity on the breach's implications.
2025-08-19 14:39:04 thehackernews MALWARE New GodRAT Trojan Targets Financial Firms Using Steganography Techniques
A new remote access trojan, GodRAT, is targeting financial institutions, particularly trading and brokerage firms, using malicious .SCR files disguised as financial documents distributed via Skype. The campaign employs steganography to hide shellcode within image files, facilitating malware download from a command-and-control server, with activity noted as recently as August 12, 2025. GodRAT is based on the Gh0st RAT code, utilizing a plugin-based approach to enhance its capabilities, including information harvesting and delivering secondary payloads like AsyncRAT. The malware targets regions including Hong Kong, the UAE, Lebanon, Malaysia, and Jordan, with initial detections dating back to September 9, 2024. Kaspersky identified the source code for GodRAT on VirusTotal, revealing its ability to generate executables or DLLs, injecting malicious code into legitimate binaries. The trojan communicates with its C2 server over TCP, collecting system information and antivirus details, and can perform file operations and deliver additional payloads, including password stealers. The use of legacy codebases like Gh0st RAT demonstrates their enduring presence and adaptability in the cybersecurity threat landscape, often customized for new campaigns.
2025-08-19 14:29:02 bleepingcomputer CYBERCRIME Inotiv Faces Operational Disruptions Following Ransomware Attack
Inotiv, a U.S.-based pharmaceutical firm, experienced a ransomware attack on August 8, 2025, leading to the encryption of critical systems and data. The Qilin ransomware gang has claimed responsibility, alleging the theft of 162,000 files, totaling 176GB, with samples published on their leak site. The attack has disrupted Inotiv's business operations, particularly impacting databases and internal applications vital for drug development and research processes. Inotiv has engaged external cybersecurity experts and notified law enforcement to assist in the investigation and containment of the breach. The company's IT team is actively working to restore affected systems and has implemented offline alternatives to mitigate operational impacts. No timeline has been provided for full recovery, indicating potential prolonged disruptions in Inotiv's operations and business processes. This incident underscores the ongoing threat of ransomware to critical sectors, emphasizing the need for robust cybersecurity measures and incident response plans.
2025-08-19 13:08:52 thehackernews VULNERABILITIES New Exploit Targets Unpatched SAP Systems for Remote Code Execution
A recently disclosed exploit combines two critical SAP NetWeaver flaws, CVE-2025-31324 and CVE-2025-42999, enabling remote code execution and system compromise. Despite SAP's patches in April and May 2025, the vulnerabilities were exploited as zero-days by multiple threat actors, including ransomware and espionage groups. The exploit allows attackers to bypass authentication, execute arbitrary commands, and potentially take over affected SAP systems and business data. Threat actors, including Qilin, BianLian, and RansomExx, have utilized these flaws, with involvement from China-linked espionage groups targeting critical infrastructure. The exploit was released by Scattered Lapsus$ Hunters, a collaboration between Scattered Spider and ShinyHunters, raising concerns about further malicious use. Onapsis advises organizations to apply SAP's latest security patches, restrict internet access to SAP applications, and monitor for signs of compromise to mitigate risks. The exploit's ability to conduct living-off-the-land attacks without additional artifacts poses significant challenges to detection and response efforts.
2025-08-19 12:08:27 bleepingcomputer DATA BREACH New York Business Council Data Breach Exposes 47,000 Individuals' Information
The Business Council of New York State (BCNYS) reported a data breach impacting over 47,000 individuals, exposing personal, financial, and health information. BCNYS, representing over 3,000 member organizations, discovered the breach six months post-incident, indicating a significant delay in detection. The breach involved unauthorized access to systems between February 24 and February 25, with data stolen including Social Security numbers and financial details. Health data compromised includes medical provider names, diagnoses, and insurance information, raising concerns about potential misuse. BCNYS has engaged external cybersecurity experts to investigate and secure their systems, aiming to prevent future incidents. Affected individuals are being notified and offered free credit monitoring services to mitigate potential identity theft risks. The incident underscores the importance of timely breach detection and robust cybersecurity measures in protecting sensitive information.