Daily Brief


Total articles found: 11823

Checks for new stories every ~15 minutes

2025-06-04 12:58:14 thehackernews MALWARE Chaos RAT Malware Targets Windows, Linux Systems via Deceptive Downloads
Chaos RAT, a remote access trojan, targets both Windows and Linux platforms, distributed as a fake network troubleshooting tool. The malware, originally developed in 2017, became prominent in malicious activities beginning December 2022, focusing on web applications for cryptocurrency mining. It uses phishing emails for distribution, employing malicious links or attachments that introduce a script to automate persistent attacks. Capabilities include launching reverse shells, managing files, capturing screenshots, gathering system info, and executing shutdown or URL access commands. Recent updates to Chaos RAT include fixing vulnerabilities that could allow for command injection and cross-site scripting attacks. Security researchers warn that the RAT's open-source nature allows it to be easily adapted and masked by APT groups, complicating attribution efforts. Concurrently, a similar campaign targets Trust Wallet users with counterfeit desktop applications aiming to steal credentials and wallet data.
2025-06-04 12:20:34 thehackernews MISCELLANEOUS Why Browser-Centric DLP is Essential for Modern SaaS Security
Traditional Data Leakage Prevention (DLP) tools are inadequate for today's SaaS environments due to the shift in how data is managed and accessed. Legacy DLP systems focus on monitoring data that moves across endpoints or networks, a method unsuited for the non-traditional modes of data flow in modern SaaS platforms like Google Workspace and Salesforce. The white paper highlights the necessity for a shift towards browser-centric DLP solutions, stressing that the majority of sensitive data interactions now occur directly in-browser. Browser-native security focuses on the actual interaction point — the browser — hence providing more effective protection against data breaches in real-time communication and collaboration tools. The paper argues that updating security strategies to include browser-centric DLP is crucial, given the rapid evolution and adoption of SaaS applications and AI tools in business processes. The browser is identified as the new frontline in data security, necessitating an urgent reevaluation of traditional DLP approaches to address modern security needs effectively.
2025-06-04 10:13:17 thehackernews MALWARE Malicious Packages in PyPI, npm, Ruby Repos Threaten Open-Source Security
Several malicious packages have been found in the npm, Python, and Ruby repositories, designed to steal cryptocurrency, erase codebases, and exfiltrate sensitive data. The packages exploit the open-source supply chain, underscoring the ongoing threat to ecosystems widely used in software development. Malicious Ruby gems clone a legitimate Telegram notification plugin but redirect data to a command-and-control server controlled by the attacker. An npm package named "xlsx-to-json-lh", which typosquats a legitimate tool, contains a payload that can delete project directories when triggered. Packages in the Python repository, PyPI, target Solana private keys and Python scripts, demonstrating sophisticated means of exfiltrating data. The attackers exploit timely geopolitical events, such as the ban on Telegram in Vietnam, to spread malware under the guise of providing proxy services. The campaigns also target developers by using typosquatting and polished documentation to appear legitimate, aiming to infiltrate CI/CD environments. The use of AI toolkits as a vector for infostealers shows how threat actors are adapting their tactics to bypass emerging security defenses.
2025-06-04 10:04:37 bleepingcomputer MALWARE Hacker Installs Backdoors in GitHub Code Targeting Peers and Gamers
A hacker using GitHub repositories has been targeting fellow hackers, gamers, and cybersecurity researchers with backdoored source code. Sophos researchers identified malicious backdoors in the Sakura RAT, hosted on GitHub, designed to install malware when the code is compiled. The malicious repositories include scripts and files with obfuscated payloads intended to disguise the backdoor installations and facilitate remote access and data theft. Automated commits and appearances of active development are used by the hacker to lend credibility to these GitHub projects. Victims are lured via YouTube, Discord, and cybercrime forums to download game cheats, mod tools, and exploits which then trigger multi-step infection processes. These infections lead to the execution of info-stealers and remote access trojans, capable of extensive data theft and system manipulation. Due diligence such as scrutinizing source code and build events is crucial before engaging with open-source projects to prevent unwitting malware installation.
2025-06-04 09:22:37 theregister NATION STATE ACTIVITY UK Enhances Military Strategy with New CyberEM Command
The UK Ministry of Defence announced the integration of the Cyber and Electromagnetic (CyberEM) military domain, highlighting its critical role in modern warfare and national defense. The newly formed CyberEM Command will focus on streamlining and enhancing defensive and offensive cyber operations alongside the existing National Cyber Force. The Strategic Defence Review (SDR) portrays CyberEM as the enabling domain that unifies all other military domains, essential for the UK's war-fighting capabilities. Part of the initiative includes a Digital Targeting Web that aims to interconnect all UK military assets for coordinated and precise attacks on targets like warships using advanced technologies like satellites. Existing specialized groups such as the Army's Cyber and Electromagnetic Effects Group and the Royal Navy's Information Warfare Group are noted as current centers of excellence but require further integration to avoid operational inefficiencies. The CyberEM Command is positioned to take a leading role in defining and directing cyber operations across the UK’s military, also setting resilience standards and contributing to NATO efforts. A significant budget allocation of over £1 billion is earmarked to operationalize the CyberEM Command, stressing its crucial role in revamping the UK's military posture towards greater war-fighting readiness.
2025-06-04 07:36:30 theregister MISCELLANEOUS Cybersecurity Veteran Shifts Focus to Anti-Drone Warfare Amid Ukraine Conflict
Mikko Hyppönen, a veteran in cybersecurity, is transitioning to work with anti-drone technology due to the ongoing war in Ukraine. Hyppönen, previously associated with F-Secure, has accepted a position at Sensofusion, a company specializing in drone detection and neutralization systems. He expressed concerns about his proximity to Russia and the significance of drone warfare highlighted by Ukraine’s use of automated drones against Russian targets. At Sensofusion, Hyppönen will work with Airfence technology, which detects drones and can disable them in coordination with military radar systems. He believes that the evolution of drones into fully autonomous weapons could lead to "killer robots," emphasizing the need for robust anti-drone defenses. Hyppönen described the security challenges with drones as a "cat and mouse" game, comparing it to cybersecurity. He plans to officially pivot his career after his final appearance at an annual hacker event in Las Vegas, highlighting his belief in the greater current relevance of anti-drone technology over traditional cybersecurity.
2025-06-04 05:24:11 thehackernews MALWARE HPE Releases Patch for Critical StoreOnce Security Flaws
HPE has issued security patches for eight vulnerabilities in its StoreOnce backup solutions, potentially leading to remote code execution and authentication bypass. The highlighted vulnerability, CVE-2025-37093, with a CVSS score of 9.8, affects all versions of the software prior to 4.3.11 and enables an authentication bypass. The flaw could allow an attacker to perform actions such as remote code execution, information disclosure, and arbitrary file deletion with root access. These vulnerabilities were reported to HPE on October 31, 2024, by an anonymous researcher via the Zero Day Initiative. The problematic authentication was due to improper implementation of the machineAccountCheck method. No active exploitations of these vulnerabilities have been reported; however, updating to the latest software versions is vital for security. HPE also addressed other critical-severity issues in its products, including HPE Telco Service Orchestrator and OneView, related to vulnerabilities in Apache components.
2025-06-04 04:05:42 theregister CYBERCRIME Targeted Cyberattack Erases KiranaPro's Critical Digital Assets
KiranaPro, an Indian grocery ordering app, experienced a severe cyberattack that resulted in the deletion of its GitHub and AWS resources. CEO Deepak Ravindran attributed the attack to a malicious insider with a personal grudge, emphasizing that the act was targeted and deliberate. The attack crippled the app, rendering it inoperable and disrupting daily operations that support over 2,000 orders and numerous local store owners. As a result of the incident, sensitive customer data was compromised and infrastructure critical to the app's function was destroyed. Ravindran announced plans to enhance security measures to fortify the app's systems against future incidents and vowed to publicly expose the perpetrator. The incident underscores the challenges businesses face when insiders with access to critical systems and data turn malicious. There was no mention of preventive safeguards such as external backups or multi-factor approval for deletions being in place, which might have mitigated the damage.
2025-06-03 23:26:00 theregister CYBERCRIME Meta and Yandex Accused of Bypassing Privacy Protections
Security experts uncovered that Meta and Yandex exploited Android localhost ports to link web browsing data to specific user identities. This technique allowed both companies to circumvent standard privacy measures, including cookie clearing and Incognito Mode. Following the revelations, Meta halted the disputed tracking process and adjusted its systems to avoid potential violations of Google Play's data collection policies. The research highlighted that components like Meta Pixel and Yandex Metrica embedded in websites could silently transfer user data to native apps through localhost connections. The researchers' findings prompted browser vendors like Chrome and Mozilla to develop countermeasures; DuckDuckGo and Brave also took steps to thwart this tracking method. The investigative findings were published by computer scientists across several European institutions. Meta's spokesperson acknowledged the issue and mentioned ongoing discussions with Google to clarify and address policy applications and potential miscommunications.
2025-06-03 22:24:17 theregister NATION STATE ACTIVITY Cybersecurity Giants Struggle with Standardizing Threat Actor Names
Microsoft and CrowdStrike announced a collaboration aimed at clarifying threat actor naming conventions but fell short of creating a unified system. Despite efforts to align terminologies, major cybersecurity vendors continue to use multiple aliases for the same threat groups, complicating the landscape. The initiative includes a mapping system that correlates the various names used by different organizations for the same threat groups. This disparity in naming arises from the different perspectives and intelligence frameworks used by each vendor. Stakeholders such as Google and Palo Alto Networks acknowledge the difficulty of standardizing names, given their varying visibility into threats and differing attribution methods. The lack of a single naming standard can hinder prompt and effective response to threats, leading to potential delays in defensive action. While the collaboration aims to simplify terminology for customers, a single naming standard across the industry currently remains complex and out of reach.
2025-06-03 21:03:55 bleepingcomputer CYBERCRIME HPE Issues Urgent Fixes for Critical StoreOnce Security Flaws
Hewlett Packard Enterprise (HPE) has released patches for eight vulnerabilities in StoreOnce, a disk-based data backup system. The critical flaw, CVE-2025-37093, enables an authentication bypass with a high severity score of 9.8, potentially impacting all functional aspects of the system. Other vulnerabilities include three remote code execution issues, two directory traversal problems, and a server-side request forgery threat. All mentioned vulnerabilities affect versions of HPE StoreOnce Software prior to version 4.3.11, with an update now urged by HPE. Although discovered by the Zero Day Initiative in October 2024, the disclosed vulnerabilities took seven months before patches were made available. There are no known cases of these vulnerabilities being exploited in the wild as of the report. HPE highlights that without the essential upgrades, the security of large enterprises, data centers, and cloud service providers using StoreOnce could be at significant risk.
2025-06-03 19:33:22 theregister CYBERCRIME Google Deploys Urgent Fix for Chrome Zero-Day Exploit
Google implemented an urgent configuration change to block the active exploitation of a Chrome zero-day vulnerability identified as CVE-2025-5419. The vulnerability, found in Chrome's V8 JavaScript engine, allows out-of-bounds memory read and write, potentially leading to data exposure or arbitrary code execution. Google's Threat Analysis Group discovered the flaw on May 27, and the issue was mitigated the next day across all stable Chrome platforms through a crucial update. The exploit was being used in the wild, though specific details about the attackers and their motives remain undisclosed. The recent patch, which also resolves a medium-severity flaw in the Blink engine, started rolling out in Chrome version 137.0.7151.68 and .69 for various operating systems. This zero-day is part of a series of recent urgent security updates by Google, including a March patch against CVE-2025-2783 used in espionage activities targeting Russian entities. The US Cybersecurity and Infrastructure Security Agency has since added the newly patched vulnerabilities to its catalog of known exploited vulnerabilities.
2025-06-03 18:11:10 theregister MISCELLANEOUS Skepticism Surrounds Elon Musk's New XChat Encryption Claims
Elon Musk announced a new encrypted messaging feature on X, formerly Twitter, called XChat, promising major security enhancements including "Bitcoin-style" encryption. Critics and encryption experts quickly pointed out that Bitcoin does not use encryption in the way traditional secure messaging apps do, sparking doubts about the robustness of XChat's security claims. Musk's description of XChat includes features like end-to-end encryption, vanishing messages, and the capability to send various types of files, along with audio/video calling. Despite these announcements, XChat's updated help page still admits the platform cannot protect against man-in-the-middle attacks and may access messages due to legal requirements. The site's explanation of message encryption mirrors that of its prior version, which was critiqued for inadequate security, suggesting little to no improvements have been made. Matthew Hodgson, CEO of secure messaging platform Element, criticized XChat for lack of transparency, no audits, and no open-source framework, which contradicts the security features claimed. X has yet to release a detailed whitepaper or source code for XChat, which Musk has indicated might be available "later this year," leaving many details unclear.
2025-06-03 17:46:29 theregister CYBERCRIME The North Face Hit by Credential Stuffing, Customer Data Exposed
The North Face recently experienced a "small-scale credential stuffing attack" in which attackers used previously stolen login details. The unauthorized access targeted customer accounts, potentially exposing names, order histories, shipping addresses, preferences, birthdays, and phone numbers; payment card information was not exposed. The incident is traced back to credentials reused from breaches of other websites unrelated to The North Face's own systems. Following the detection of suspicious activity on April 23, the company reset user passwords as a preventive measure. The breach notification stressed that the credentials came from other data breaches, and that The North Face retains only a payment token, not full card details. The affected accounts are predominantly U.S. based because of the geo-targeting setup of The North Face's website. The North Face has warned against password reuse and advised vigilance against possible phishing attempts related to this or similar data breaches.
2025-06-03 17:23:31 bleepingcomputer DATA BREACH Bribery-Driven Data Breach at Coinbase Linked to Indian Support Agents
A data breach at Coinbase was caused by insiders at TaskUs, a customer support outsourcing firm in India, who were bribed by cybercriminals. TaskUs discovered the breach in January 2025 after an employee was caught photographing sensitive customer data. During investigations, two TaskUs employees admitted to distributing Coinbase customer information, including financial details and SSNs, in exchange for bribes. Coinbase publicly revealed the breach in May 2025, stating rogue agents accessed data to aid in social engineering attacks. Threat actors demanded a $20 million ransom from Coinbase, which responded by offering a reward of the same amount for information leading to the arrest of the culprits. Coinbase estimated potential losses from the incident could reach up to $400 million and started notifying impacted customers, nearly 70,000 in total. Following the incident, TaskUs terminated the employees involved, ceased all Coinbase operations in Indore, India, and coordinated with law enforcement. TaskUs believes this was part of a larger, organized criminal effort that affected other service providers of Coinbase as well.