Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11822

Checks for new stories every ~15 minutes

2025-06-19 12:00:12 bleepingcomputer NATION STATE ACTIVITY China's Salt Typhoon Hackers Breach Viasat and Other Telecoms
China's cyber-espionage group Salt Typhoon successfully infiltrated Viasat, a major global provider of satellite broadband serving government, military, and other sectors. The breach was detected earlier this year; Viasat investigated with the help of federal authorities and a private cybersecurity firm and concluded that no customer data was compromised. Salt Typhoon's past attacks include intrusions at multiple U.S.-based telecom providers such as AT&T and Verizon, unauthorized access to U.S. law enforcement wiretapping systems, and access to the private communications of some U.S. officials. The group has been targeting telecom companies since at least 2019 and continued its attacks as recently as January 2025 by exploiting unpatched network devices. Viasat had a previous cybersecurity incident in February 2022, when Russian hackers disrupted satellite services in Ukraine and Europe by deploying AcidRain malware. The firm confirmed that the incident has been fully remediated and that no subsequent activity related to this breach has been observed.
2025-06-19 12:00:12 bleepingcomputer MISCELLANEOUS DuckDuckGo Enhances Scam Blocker for Wider Online Threat Protection
DuckDuckGo has updated its Scam Blocker tool to enhance protection against a wider array of online scams, including deceptive e-commerce and cryptocurrency sites. This privacy-focused browser and search engine, known for not tracking user activities, does not share data with external entities like Google. The Scam Blocker feature, a part of DuckDuckGo since 2018, now uses a local scan against a continuously updated threat list from cybersecurity firm Netcraft. To protect user privacy during threat detection, the browser employs an anonymous cryptographic process to check rare or unknown threats against DuckDuckGo servers. Users receive a clear warning when attempting to access a detected scam site, with options to either leave or proceed to the site. DuckDuckGo's Scam Blocker does not require user registration and is activated by default in the browser. Privacy Pro subscribers benefit additionally as Scam Blocker functions across all internet apps on their devices when using the DuckDuckGo VPN.
2025-06-19 11:40:03 thehackernews MALWARE North Korean Hackers Use Deepfake in Zoom Scam for Crypto Theft
North Korea-aligned hackers known as BlueNoroff targeted a cryptocurrency foundation employee using deepfake Zoom calls to install macOS malware. The employee was lured into a meeting through a Telegram message that led to a fake Zoom environment, where deepfaked executives prompted a malware download. The download used deceptive prompts to install a "Zoom extension" that ultimately executed an AppleScript to covertly fetch further payloads. Investigation revealed multiple malicious binaries on the victim's system, indicating a sophisticated malware deployment and control strategy. BlueNoroff is part of a broader set of financial crime activities linked to North Korea that aim at cryptocurrency theft and espionage. The group's modus operandi includes social engineering that leverages familiar software such as Zoom to bypass standard cybersecurity measures. The attack underscores the heightened risk for remote workers, especially in sensitive sectors like cryptocurrency and blockchain technology. Security experts emphasize the importance of employee training to recognize and counter the social engineering tactics used in such cyberattacks.
2025-06-19 11:26:04 thehackernews MISCELLANEOUS Vibe Coding: Revolutionizing AI in Software Development
Vibe coding, a new AI-driven software development methodology, uses natural language inputs to generate code rapidly. Although it makes software prototyping fast and accessible, it introduces severe vulnerabilities, termed "silent killers," that traditional security tools often miss. These vulnerabilities pass functional tests yet allow exploitable flaws to persist into production environments. The article cites examples of how AI-generated code can inadvertently introduce real-world security risks when adequate safety measures are absent. The EU is applying regulatory pressure by mandating conformity assessments for high-risk AI implementations across various sectors. Secure vibe coding practices include using AI as an augmentation tool rather than a replacement, and the article stresses the continued need for experience in architecture and security. To counter potential threats, organizational strategies include tiered access and guided development environments for users of differing skill levels. A comprehensive guide has been developed to detail secure coding practices, providing templates and configurations for effective use of AI in software development.
2025-06-19 10:07:08 thehackernews CYBERCRIME Free Webinar on Detecting Cyber Threats in Trusted Digital Tools
Modern cyberattacks often leverage "Living Off Trusted Sites" (LOTS) tactics, abusing well-known platforms like Google and Microsoft. LOTS attacks hide malicious content within normal internet traffic, eluding traditional cybersecurity measures. Many security teams fail to detect these threats because they look benign, lacking identifiable malware signatures or unusual IP traces. Zscaler's upcoming webinar will offer insights into detecting and counteracting stealthy attacks harbored in commonly used SaaS applications and cloud platforms. The session is designed for security leaders, threat hunters, and IT or SOC teams, and focuses on reducing false positives and uncovering hidden threats. Key takeaways include expert analysis, real-world detection stories, and effective strategies for handling cyber threats embedded in everyday digital tools.
2025-06-19 10:07:08 bleepingcomputer DATA BREACH Krispy Kreme Data Breach Exposes Personal Data of 160,000
Krispy Kreme confirmed a data breach affecting 161,676 individuals following a cyberattack in November 2024. Compromised personal information includes Social Security numbers, financial account details, and driver's license information. Krispy Kreme detected unauthorized IT activity on November 29, 2024, and publicly disclosed the breach in mid-December. The Play ransomware group claimed responsibility, alleging theft of a wide variety of confidential corporate and client data. After negotiations with Krispy Kreme failed, the group released the stolen data on a dark web site in December 2024. Play ransomware uses double-extortion tactics and has previously targeted several high-profile organizations, including Rackspace and the City of Oakland. The FBI, CISA, and the Australian Cyber Security Centre have issued advisories noting that the Play ransomware gang had impacted approximately 300 organizations globally as of October 2023.
2025-06-19 08:08:12 thehackernews NATION STATE ACTIVITY Russian APT29 Utilizes Gmail App Passwords to Circumvent 2FA
Russian threat actors, suspected to be part of APT29, used Google app passwords in a sophisticated phishing campaign to bypass two-factor authentication and access email accounts. From April to June 2025, the campaign targeted prominent academics and critics of Russia with personalized social engineering, including rapport building and tailored lures. The attackers sent benign-looking phishing emails disguised as U.S. Department of State meeting invitations to establish credibility and manipulate targets into creating and sharing application-specific passwords. They then used these passwords to configure mail clients and gain persistent access to victims' mailboxes, monitoring correspondence under the guise of promoting "secure communications." The operations were carefully planned to avoid detection, using residential proxies and VPS servers when logging into compromised accounts. Google and Microsoft detected and publicly disclosed the activity; Google took measures to secure affected accounts and noted the use of similar social engineering strategies in related campaigns. The Citizen Lab and Google Threat Intelligence Group both highlighted the precision and calculated pacing of the approaches, intended to minimize suspicion and maximize victim compliance.
2025-06-19 06:32:09 theregister MALWARE Malware Attack Uses Cloudflare Tunnels to Deploy Persistent Infections
Securonix identified an ongoing malware campaign, dubbed Serpentine#Cloud, that leverages Cloudflare tunnel subdomains to deliver malicious Python-based code. The campaign, still very active, uses phishing emails carrying Windows shortcut files disguised as PDFs to initiate a multi-stage infection process. Attackers employ a combination of batch files, VBScript, and Python to deploy shellcode that loads Donut-packed payloads such as AsyncRAT or Revenge RAT directly into memory. The use of Cloudflare's legitimate tunneling service complicates domain blocking and increases the stealth of the malware delivery, making it difficult for security researchers to attribute and take down. There is no sector-, industry-, or country-specific targeting; infections are widespread across Western nations such as the US, UK, and Germany, and have also been noted in Singapore and India. The attack chain reflects a focus on stealth and persistence, giving attackers significant control over infected machines to steal data or move laterally to other systems.
2025-06-19 06:06:58 thehackernews MISCELLANEOUS Meta Introduces Passkey Login for Facebook on Mobile Devices
Meta Platforms announced passkey support for Facebook on Android and iOS, improving both account security and login convenience. Passkeys serve as a more secure alternative to traditional passwords, using biometrics or device PINs for authentication. The feature aligns with efforts by major tech companies such as Microsoft and Apple to adopt passkey technology. Meta has also enabled passkeys on WhatsApp and plans to extend the feature to Messenger and potentially Instagram. Passkeys not only protect accounts against phishing and other threats but also streamline payment through Meta Pay. Tech industry giants are progressively moving toward passwordless sign-in options, citing improved security and user experience.
2025-06-19 06:06:57 bleepingcomputer CYBERCRIME Extradition of Key Ryuk Ransomware Operation Member to the U.S.
A 33-year-old man involved in the Ryuk ransomware operation was extradited to the United States from Kyiv as part of an international cybercrime investigation. Arrested in April 2025, the suspect specialized in gaining initial access to corporate networks, enabling subsequent data theft and ransomware deployment by his accomplices. The international operation, which began in 2023, involved the Ukrainian cyber police, the National Police, and other law enforcement agencies, and targeted ransomware groups including LockerGoga, MegaCortex, Hive, and Dharma. The suspect was identified through careful analysis of seized devices and information gathered during the ongoing investigation. Ryuk ransomware, active from 2018 to mid-2020 before evolving into the Conti group, was notorious for attacks on diverse sectors, including healthcare, and amassed an estimated $150 million. The case remains under investigation, with further updates from the Department of Justice pending.
2025-06-19 03:50:08 theregister NATION STATE ACTIVITY Iran Shuts Down Internet Following Suspected Foreign Cyberattacks
Iran's government likely restricted national internet access in response to suspected Israel-linked cyberattacks. Cloudflare and NetBlocks observed a significant drop in internet traffic starting late Wednesday. Tehran cited "prevention of enemy abuse" as the reason for the blackout, which followed disruptions at Bank Sepah. Predatory Sparrow, suspected of having Israeli support, claimed responsibility for attacks on Bank Sepah and the Iranian crypto exchange Nobitex. The blackout coincides with statements from an Israeli Defense Force commander hinting at cyber-offensive breakthroughs. Access to Iranian websites (the .IR domain) is currently impossible, as confirmed by international checks. Tehran had earlier warned citizens to delete WhatsApp over surveillance concerns, which Meta has denied.
2025-06-19 03:41:46 thehackernews MALWARE Critical Linux Vulnerabilities Grant Root Access Leveraging PAM and Udisks
Researchers at Qualys have identified two local privilege escalation (LPE) flaws in major Linux distributions that enable attackers to gain root privileges. CVE-2025-6018 affects the PAM configuration in openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing a user to be treated as "allow_active" and thereby to invoke Polkit actions normally restricted to physically present users. CVE-2025-6019, found in libblockdev, can be exploited through the udisks daemon, which is included by default in most Linux systems, and when chained with CVE-2025-6018 yields a full escalation to root. Together these vulnerabilities allow an attacker with any active GUI or SSH session to quickly escalate privileges and perform actions intended only for physically present users. Such privileges could then be used for broader malicious activity, such as altering security settings or installing backdoors for covert persistent access. Qualys developed proof-of-concept exploits demonstrating exploitability on several systems, including Ubuntu and Fedora; mitigation consists of applying the vendor patches or modifying the relevant Polkit rule so that it requires administrator authentication. A related flaw (CVE-2025-6020) in Linux PAM's pam_namespace module was also disclosed and fixed, highlighting continuing weaknesses in Linux privilege management components.
2025-06-18 22:02:08 bleepingcomputer NATION STATE ACTIVITY Pro-Israel Hackers Burn $90M in Crypto in Attack on Iranian Exchange
The pro-Israel hacking group "Predatory Sparrow" claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange, in which over $90 million in cryptocurrency was stolen. The stolen funds were then destroyed: they were sent to unusable addresses with embedded anti-IRGC messages, indicating a political motive rather than financial gain. Following the breach, Nobitex's website has been offline, and internal investigations into the extent of the data and security compromise are ongoing. The hackers also threatened to release Nobitex's source code and internal information, widening the implications of the attack. Blockchain analysis revealed that the stolen crypto was sent to vanity addresses whose private keys are computationally infeasible to obtain, effectively burning the funds. The incident follows a similar attack by the same group on the IRGC-controlled Bank Sepah, showing a pattern of disruptive cyber tactics against Iranian interests. Researchers have linked Nobitex to the Iranian Revolutionary Guard Corps and high-ranking Iranian officials, which may have made it a specific target for these politically motivated attacks.
2025-06-18 21:10:40 theregister MALWARE Malware Disguised as Minecraft Cheats Infects Thousands
Researchers from Check Point uncovered a malware campaign disguised as Minecraft cheat tools on GitHub. Around 500 GitHub repositories were involved in distributing these Trojanized tools, which have affected over 1,500 devices so far. The malicious mods are linked to Russian-speaking malware developers who are part of the Stargazers Ghost Network. The malware conducts a multi-stage attack, starting with a Java-based loader that checks for a genuine environment in order to avoid sandboxes and VMs. Subsequent stages steal Minecraft and Microsoft account credentials, as well as data from applications like Discord and Telegram. The final stage targets web browser credentials, cryptocurrency wallets, and VPN configurations, and collects extensive data from the infected machine. The incident highlights the significant risk of downloading and using unofficial or pirated game mods and tools.
2025-06-18 20:40:12 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Use Deepfake in Zoom to Deploy Mac Malware
The North Korean BlueNoroff hacking group used deepfake technology on Zoom calls to spread malware targeting Mac users. The attacks are believed to be aimed at cryptocurrency theft, continuing the group's established pattern. The attackers approached a tech firm employee through Telegram and lured them into a fake Zoom meeting populated with deepfaked faces of familiar executives. During the session, simulated technical issues prompted the victim to download a malicious "Zoom extension" that was in fact malware. The attack chain involved a seemingly innocuous AppleScript that disabled security logging and installed additional payloads to further compromise the system. Researchers warn that the growing prevalence of macOS in enterprises is attracting more sophisticated malware, underscoring the need for greater Mac security awareness. The attackers have developed an effective method of circumventing existing security measures by exploiting both technical and human weaknesses.