Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11813

Checks for new stories every ~15 minutes

2025-07-08 13:07:30 thehackernews CYBERCRIME Supply Chain Attack Targets Ethcode Extension, Infects Developers
Cybersecurity firm ReversingLabs uncovered a supply chain attack affecting the Ethcode Visual Studio Code extension, used by over 6,000 developers for Ethereum blockchain development. The attack was initiated through a pull request by a newly created GitHub user, Airez299, which included malicious code hidden among extensive legitimate updates. The malicious code introduced a dependency on a compromised npm package, "keythereum-utils," which was found to be obfuscated and designed to download a second-stage payload. The exact nature of the downloaded malware is unknown but suspected to be involved in cryptocurrency theft or contract poisoning. After detection, the malicious code and dependency were removed, and the Ethcode extension was reinstated in the VS Code Extensions Marketplace. This incident is part of a larger trend of software supply chain attacks, leveraging public repositories to infiltrate development environments with malware. ReversingLabs emphasized the increasing use of such tactics, noting an alarming rise in open-source malware discovered in recent quarters.
2025-07-08 11:54:56 theregister NATION STATE ACTIVITY Arrest of Alleged Chinese Cyberespionage Agent in Italy after US Tipoff
Zewei Xu, a suspected Chinese cyberespionage agent, was arrested in Milan following intelligence from the US. US authorities link Xu to the Chinese state-sponsored group Silk Typhoon, accused of spying on vaccine development during COVID-19 and of carrying out the Microsoft Exchange hack. The US has filed an extradition request, and a hearing at Milan's Court of Appeals is set to decide on it. Xu's family claims confusion over his arrest, asserting he is an employee at a semiconductor firm and not involved in Chinese espionage. Silk Typhoon, the group associated with Xu, was previously implicated in significant security breaches at the US Treasury and against other US networks. Italian-US diplomatic relations face strain, highlighted by recent contentious extradition cases and Italy's nuanced stance towards China. The upcoming court decision on Xu's extradition could further affect international relations and cybersecurity policy.
2025-07-08 11:31:15 thehackernews DATA BREACH Recent Identity Attacks Expose Major Retailers' Vulnerabilities
Recent incidents highlight how identity-driven attacks are successfully targeting major retailers like Adidas, The North Face, and Victoria's Secret. Attackers leverage overprivileged access and unmonitored service accounts, bypassing the need for malware or direct system breaches. Tactics such as credential stuffing, third-party breaches, and social engineering are being employed to access sensitive customer data. These security incidents primarily exploit poor identity management and lax MFA (Multi-Factor Authentication) implementations on SaaS platforms. Retailers' experiences underscore the importance of securing not just direct user access but also the extended access provided to vendors. The breaches reveal critical gaps in identity controls, overprivileged roles, and the need for robust monitoring of SaaS identities to prevent similar attacks. Security experts recommend stringent access controls, continuous monitoring of high-impact identities, and targeted training to mitigate risks from such identity-first attacks.
2025-07-08 11:09:59 thehackernews DDOS RondoDox Botnet Launches DDoS Using Compromised DVRs and Routers
Cybersecurity experts have identified a new botnet, RondoDox, that exploits vulnerabilities in TBK DVRs and Four-Faith routers to conduct DDoS attacks. The botnet targets specific flaws designated CVE-2024-3721 in TBK DVRs and CVE-2024-12856 in Four-Faith routers, devices often found in unmonitored environments such as retail or office settings. RondoDox uses compromised devices to disguise command-and-control traffic, enabling multifaceted cyber-attacks including financial scams. The malware relies on a complex shell script to provide multi-architecture support, ensuring broad compatibility across devices. RondoDox implements advanced evasion techniques, such as DoH-based C2 resolution and XOR encryption, to avoid detection by traditional intrusion detection systems. The botnet actively terminates any running processes that could interfere with its operation or aid detection, such as network utilities or other malware. The malware contacts external servers to receive commands for launching targeted DDoS attacks, simulating traffic from various popular platforms to remain undetected. Researchers emphasize the sophistication and adaptive capabilities of RondoDox, highlighting its potential to remain operational and undetected for prolonged periods.
2025-07-08 10:36:40 thehackernews CYBERCRIME Global Scam Using Fake News Sites to Promote Investment Frauds
CTM360 uncovered over 17,000 fake news websites fueling online investment scams across 50 countries. These sites mimic reputable news outlets like CNN and BBC, using fake articles to endorse fraudulent financial platforms. Scammers engage victims through ads with clickbait headlines and direct them to phony trading systems following initial contact. A two-phase scam process involves gaining trust via fake advisors and fake profit dashboards, followed by requests for money and personal information. The scams are sophisticated, utilizing local languages, media logos, and targeting specific regional audiences. Victims are induced to invest small initial amounts, which later escalate through pressure and manipulated profit displays. These schemes also harvest personal data for potential use in phishing, identity theft, and secondary scams. CTM360 tracks these fraudulent operations, providing takedown support and risk protection to affected regions and organizations.
2025-07-08 08:27:46 thehackernews MALWARE Batavia Spyware Targets and Steals Data from Russian Organizations
Russian firms are facing an ongoing cyber-espionage effort using a new malware dubbed Batavia, active since July 2024. The attack begins with phishing emails disguised as contract agreements, containing malicious links from the domain "oblast-ru[.]com." The malware deploys by downloading an encoded script that gathers system profiling data and introduces further malicious payloads for deeper infiltration. Batavia, written in Delphi, masquerades as a contract document to mislead victims while silently collecting various data types, including office documents and screenshots. The collected data is sent to another attacker-controlled domain, and the attack escalates further by downloading additional payloads targeting even more file types. Kaspersky has identified over 100 victims in several dozen organizations that received these phishing emails in the last year, reflecting the campaign's broad impact. The disclosed findings are part of a broader pattern of information-stealing campaigns, including another detailed instance dubbed NordDragonScan that affects Windows systems via similar attack vectors.
2025-07-08 08:05:03 theregister DATA BREACH Navigating Password Management Regulations and Compliance in 2025
A significant portion of data breaches in 2025 still involve stolen credentials, emphasizing ongoing problems with password security. Regulatory bodies worldwide are enforcing stricter guidelines on password management, stressing password length and the necessity of multi-factor authentication (MFA). The EU's updated NIS2 Directive and PCI-DSS 4.0 highlight these stringent requirements, with potentially severe consequences for non-compliance, including the removal of senior management. Organizations are finding it challenging to keep up with these evolving standards, risking regulatory action and problems with cyber-insurance claims. Specops Software offers tools such as Password Auditor to help organizations assess and improve their compliance with password security best practices across various regulatory frameworks. These tools provide extensive reports and recommendations, helping close the audit visibility gap and ensure continuous monitoring of password policies. The Password Auditor tool offers a free, robust way for organizations to evaluate their current password policies against compliance standards and identify potential vulnerabilities.
2025-07-08 06:29:58 theregister CYBERCRIME Scattered Spider's Phishing Campaign Targets Multiple Industries
Scattered Spider has created approximately 500 domains resembling corporate login pages to orchestrate phishing attacks across various sectors, impacting airlines, manufacturers, and restaurant chains. Although initially targeting the aviation industry, notably Qantas and other airlines, the criminal group has diversified its targets to include manufacturing, medical technology, financial services, and enterprise platforms. The fake domains are crafted to mimic legitimate portals like “victimname-servicedesk[.]com” or “victimname-okta[.]com”, intending to deceive employees into sharing login credentials. Check Point Research, which identified these domains, suggests the infrastructure might currently be in use or reserved for future attacks. Qantas recently experienced a breach involving the theft of 6 million customer records, followed by attempted extortion by the perpetrator to prevent data leakage. The shift in Scattered Spider’s focus from insurance and retail sectors to a broader range of industries illustrates an adaptive and opportunistic attack strategy. There is ongoing engagement with law enforcement to address these security incidents, without evidence to date of leaked personal data from the reported breaches.
2025-07-08 05:13:09 thehackernews NATION STATE ACTIVITY CISA Flags Four New Flaws Due to Active Exploit Attempts
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog, adding four critical security flaws. These updates were prompted by actual incidents of exploitation by cybercriminals, particularly highlighting a vulnerability linked to a China-associated threat actor, Earth Lusca, using CVE-2019-9621 to install web shells and Cobalt Strike. New technical disclosures reveal significant issues in the Citrix NetScaler ADC system, specifically CVE-2025-5777, known as Citrix Bleed 2, which has also been actively exploited. Hackers exploit these Citrix vulnerabilities to steal sensitive data such as credentials and session tokens by manipulating memory read functions in the server. Federal Civilian Executive Branch (FCEB) agencies are urged to rectify these vulnerabilities by July 28, 2025, to mitigate potential security risks. Technical insights provided by watchTowr and Horizon3.ai indicate that attackers are compromising endpoints by crafting malicious HTTP requests aimed at data exfiltration.
2025-07-08 01:39:03 bleepingcomputer NATION STATE ACTIVITY Arrest of Chinese National Tied to Silk Typhoon Cyberespionage
Chinese national Xu Zewei was arrested in Milan for alleged links to the state-sponsored hacking group Silk Typhoon. Silk Typhoon, also known as Hafnium, has conducted cyberespionage against the U.S. and other nations, focusing on stealing sensitive data. Xu is accused of participating in the 2020 cyberattacks targeting COVID-19 vaccine researchers and healthcare organizations. The group attempted to steal intellectual property and public health data related to COVID-19 vaccines and treatments. Xu was apprehended at Milan's Malpensa Airport under an international warrant issued by the U.S. government. Recent activities of Silk Typhoon include campaigns against the U.S. Treasury's Office of Foreign Assets Control and cloud services to infiltrate networks. Xu is currently held in Busto Arsizio prison, with the U.S. seeking his extradition.
2025-07-07 23:02:40 bleepingcomputer CYBERCRIME Critical Citrix NetScaler Vulnerability Exposed, Immediate Patch Urged
Researchers released PoC exploits for a critical vulnerability in Citrix NetScaler, identified as CVE-2025-5777 and named CitrixBleed2, which attackers can exploit to steal user session tokens. The vulnerability allows attackers to extract memory contents from affected devices by sending malformed POST requests during login attempts. CitrixBleed2 enables extraction of approximately 127 bytes per request, potentially revealing sensitive data after numerous requests. Although Citrix claims there is no current exploitation, security findings suggest possible active exploitation, with indicators of memory dumping and session hijacking. Citrix has published patches for the vulnerability and recommends applying them immediately to prevent attacks. Cybersecurity firms have criticized Citrix's response and transparency concerning the exploit's activity in the wild. All organizations using affected Citrix products are advised to review sessions for suspicious activity and terminate sessions as outlined in Citrix's guidance.
2025-07-07 20:37:34 theregister CYBERCRIME Critical CitrixBleed 2 Exploits Unpatched, Posing Severe Risks
CVE-2025-5777, known as CitrixBleed 2, is a critical security flaw in Citrix NetScaler devices, rated 9.3 CVSS, allowing attackers to access sensitive information. Despite the availability of patches, a significant number of Citrix users have not updated their systems, leaving them vulnerable to attacks. Exploits for this vulnerability are actively circulating, with security firms releasing vulnerability analyses and proof-of-concept tools. CitrixBleed 2 enables attackers to bypass multi-factor authentication, hijack user sessions, and potentially gain access to critical systems. The exploit involves sending malformed HTTP requests to Citrix gateways, which then leak session tokens and other sensitive data due to improper memory handling. Security researchers from watchTowr and Horizon3.ai have detailed the exploit process, emphasizing its simplicity and high potential for abuse. Citrix has yet to respond with comments regarding the extent of the attacks or additional mitigation measures since the initial patch release.
2025-07-07 19:11:00 bleepingcomputer CYBERCRIME Insider Aided $140 Million Heist from Brazilian Banks
Hackers bribed an employee of C&M, a financial connectivity firm, to gain access to systems linked to Brazil’s Central Bank. The compromised employee, João Nazareno Roque, sold his credentials for approximately $920 and executed additional commands for $1,850. The attackers converted $30-40 million of the stolen funds to cryptocurrencies using various exchanges and OTC markets. Blockchain investigator ZachXBT is tracking the wallet addresses of the threat actors to assist in freezing the stolen funds. Brazilian police are conducting three separate investigations into the heist, though details about the hackers remain undisclosed. C&M maintains that their systems were not breached through technical vulnerabilities but via social engineering. The case reflects a trend of using simple attack methods effectively, including other instances such as a recent breach at Coinbase.
2025-07-07 18:31:12 bleepingcomputer MALWARE New Atomic macOS Infostealer Variant Adds Persistent Backdoor
Malware analysts identified a new version of the Atomic macOS infostealer, now enhanced with a persistent backdoor feature. The backdoor enables attackers to execute remote commands, survive system reboots, and maintain indefinite control over compromised Mac devices. This upgraded version of Atomic malware has potential access to thousands of devices globally, with prevalent attacks in the United States, France, Italy, the UK, and Canada. Initially reported in April 2023, Atomic malware is distributed as Malware-as-a-Service (MaaS) on Telegram, targeting macOS systems including files, cryptocurrency data, and browser-stored passwords. Shifts in distribution methods have been observed, moving from cracked software dissemination to targeted phishing attacks, particularly against cryptocurrency holders and freelancers. Technical details of the backdoor involve a core executable hidden in the user’s directory and a persistent script ensuring execution at system startup with elevated privileges. Enhanced evasion techniques include detecting sandbox or virtual machine environments and employing string obfuscation to hinder detection. The evolution and sophistication of the Atomic infostealer exemplify the rising threat to macOS users from organized cybercrime entities.
2025-07-07 17:30:24 thehackernews MALWARE SEO Poisoning Campaign Deploys Malware in Disguised AI Tools
Cybersecurity research reveals an SEO poisoning campaign targeting over 8,500 small and medium-sized business users with malware hidden in popular AI and collaboration tools. Fake websites impersonate legitimate software sources to distribute trojanized versions of tools like PuTTY and WinSCP, introducing the Oyster backdoor upon installation. Malicious DLLs are used for persistence, executing every three minutes to maintain the infection after initial deployment. Recent incidents involve the misuse of search engine results to redirect users to phishing pages delivering Vidar Stealer and Lumma Stealer through concealed ZIP archives. Multiple malware families, including Legion Loader and RedLine Stealer, are being spread using diverse installation scripts and search engine manipulation strategies. The campaign also features a sophisticated attack using Google and Facebook ads to disseminate malware and phish for sensitive data, such as cryptocurrency wallet information. An increasing trend has been observed in the exploitation of trusted brands and tech support pages, redirecting users to scam phone numbers and fraudulent websites. Cybersecurity agencies stress the importance of downloading software and tools only from verified and official vendor sites to avoid such malicious traps.