Daily Brief

Total articles found: 11825

Checks for new stories every ~15 minutes

2025-05-11 15:22:03 bleepingcomputer MISCELLANEOUS Bluetooth 6.1 Enhances Privacy with Randomized Address Timing
The Bluetooth Special Interest Group (SIG) has released Bluetooth Core Specification 6.1, introducing significant privacy enhancements. A key feature in the update is the randomization of the Resolvable Private Addresses (RPA) update timing, making device tracking by third parties significantly more difficult. Before this update, RPAs were refreshed at predictable 15-minute intervals, which could have been exploited in correlation attacks for long-term device tracking. With Bluetooth 6.1, RPA updates will now occur randomly between 8 to 15 minutes, and settings can be further customized to any interval between 1 second to 1 hour. The random selection uses a NIST-approved generator, enhancing security measures against pattern tracking and correlation attacks. Bluetooth 6.1 also improves power efficiency by allowing the Bluetooth controller to manage RPA updates autonomously, reducing demand on the host device's CPU and memory. This update is particularly beneficial for devices with limited battery resources, such as fitness bands, earbuds, and IoT sensors. Full implementation and support of Bluetooth 6.1 features in devices may not be seen until around 2026, pending further testing and validation.
2025-05-11 14:16:47 bleepingcomputer MALWARE iClicker Website Compromised: Malware Distributed via Fake CAPTCHA
iClicker's website was hacked between April 12 and April 16, 2025, introducing a fake CAPTCHA that tricked users into downloading malware. The attack utilized a ClickFix social engineering strategy, requiring users to paste a malicious PowerShell script into their system to "verify" themselves. Targeted visitors received a PowerShell script that connected to a remote server, downloading different malware based on the visitor type. Non-targeted visitors received benign software. The malware potentially allowed attackers full access to the infected devices, capable of extracting sensitive information like passwords, credit card details, and cryptocurrency wallets. BleepingComputer’s inquiries regarding the attack received no response from Macmillan, although iClicker later posted a security bulletin advising affected users to run security checks and update passwords. The security bulletin was made difficult to find due to a 'noindex, nofollow' tag, potentially limiting public awareness of the incident and its resolution. Users of iClicker’s mobile app or those who did not interact with the fake CAPTCHA were not affected by this security breach.
2025-05-10 15:43:56 bleepingcomputer MALWARE Fake AI Video Tools Used to Distribute New Noodlophile Malware
Fake AI video generation websites are being utilized to deploy the Noodlophile infostealer malware. These sites, attracting users via social media platforms like Facebook, pose as advanced AI tools capable of generating videos from uploaded files. The Noodlophile malware is being marketed on dark web forums as a malware-as-a-service, frequently packaged with data theft services. The infection begins when a user uploads files to the malicious site, thinking they are receiving an AI-generated video, but instead receives a malware-laden ZIP file. The ZIP file contains executables and scripts that perform a multi-stage infection to deploy the Noodlophile Stealer, covertly bypassing some security measures. The malware primarily targets browser-stored information, including credentials, session cookies, and cryptocurrency wallet details, with data exfiltrated via Telegram. The malware setup is enhanced with optional remote access tools, increasing threat capabilities, particularly on systems without adequate security protections. Recommendations for protection include verifying file sources and extensions, and using updated antivirus software to scan all downloaded files.
2025-05-10 14:19:56 bleepingcomputer MALWARE New Noodlophile Stealer Malware Distributed via Fake AI Video Tools
Fake AI video generation tools are being used to spread the new Noodlophile stealer malware, targeting data from web browsers. Advertised on high-visibility Facebook groups, these tools bait users with the promise of AI-generated video content. The malware campaign was identified by Morphisec, noting that Noodlophile is sold on dark web forums as part of a malware-as-a-service operation. Victims downloading a ZIP file expecting an AI video find a malicious executable instead, which initiates a multi-stage infection process. Noodlophile steals information such as account credentials, session cookies, and cryptocurrency wallet files. The stolen data is sent to the attackers via a Telegram bot used as a covert command and control server. Increased risk stems from potential bundling with XWorm, a remote access trojan, amplifying the threat level.
2025-05-10 14:05:49 theregister CYBERCRIME FBI Disrupts Global Botnet, Indicts Four for Criminal Proxy Network
The FBI disrupted a sizable botnet and issued indictments against four individuals, including three Russians and one Kazakhstani, for operating a criminal proxy-for-hire service utilizing outdated routers. This botnet was part of a proxy network that sold access to compromised routers, enabling various cybercrimes like DDoS attacks through domains like 5socks and Anyproxy. Federal investigations revealed that the criminal operation, active since 2004, generated over $46 million by offering monthly subscriptions for these proxies. The affected routers, from manufacturers such as Linksys, Ericsson, and Cisco, were targeted due to their older status and lack of current security updates. The FBI issued a FLASH bulletin and a PSA urging the replacement of vulnerable, end-of-life routers to prevent further exploitation by cybercriminals using TheMoon malware. In a joint effort titled Operation Moonlander, European and US law enforcement collaborated to take down this network, which advertised over 7,000 proxies while actual active proxies were significantly lower. The indictments emphasize issues like false registration information used in setup and operations of these proxy services, highlighting deceptive practices in cybercriminal operations.
2025-05-10 10:51:23 theregister MISCELLANEOUS UK MOD Shifts Defense Spending from US to European Firms
The UK Ministry of Defence (MOD) is redirecting its spending from US-based defense contractors like Boeing and Lockheed Martin towards European suppliers, with a particular increase in expenditure towards French firms. Research by Tussell reveals that the total MOD expenditure with private contractors increased by 31% from 2019 to 2024, with real growth recorded at 5%. As of the end of 2024, about half of the MOD's spending was with UK firms such as Rolls-Royce and BAE Systems, while the percentage spent on US firms has been decreasing since 2022. The shift in MOD spending may continue to favor European companies significantly due to political and economic decisions by the current US administration, including possible impacts of tariffs and policy changes. The Facilities Management and Construction sectors saw a significant increase in their proportion of MOD financial outlay, attributed mainly to the £1.6 billion Future Defence Infrastructure Services program. Digital and Consultancy services made up 14% of the MOD's spending in 2024, an indication of changing priorities within the defense expenditure framework. Concerns about dependencies on US technology, as highlighted by the F-35 fighter jet program issues, are influencing the MOD's reassessment of its strategic supply chain and procurement decisions.
2025-05-10 06:55:15 thehackernews CYBERCRIME Germany Seizes Crypto Exchange Operations, Confiscates Millions in Digital Assets
Germany's Federal Criminal Police Office (BKA) has shut down the eXch cryptocurrency exchange, accusing it of laundering over $1.9 billion since its 2014 inception. The operation on April 30, 2025, led to the seizure of 8 terabytes of data and €34 million ($38.25 million) in various cryptocurrencies including Bitcoin, Ether, Litecoin, and Dash. eXch was accessible via the clearnet and dark web, and reportedly lacked anti-money laundering safeguards, advertising this as a feature in the criminal underground economy. Authorities highlighted that eXch facilitated anonymous transactions, making it ideal for hiding financial flows and for involvement in illicit activities. Some of the laundered funds included proceeds from the Bybit hack, with connections to North Korean threat actors. Prior to the shutdown, eXch announced plans to cease operations following indications of an impending crackdown based on accusations of facilitating money laundering and terrorism. The Dutch Fiscal Information and Investigation Service (FIOD) is further investigating individuals linked to the exchange for money laundering and other illegal activities, emphasizing the operation's intent to combat crime, not infringe on privacy rights.
2025-05-10 06:55:15 thehackernews DATA BREACH Google Agrees to $1.375 Billion Settlement with Texas Over Privacy Violations
Google has settled two lawsuits with Texas for $1.375 billion over unauthorized tracking and biometric data collection. The settlement addresses Google's tracking of personal location and facial recognition data without users' consent. This payment surpasses previous settlements Google made with other U.S. states, including a $391 million payout to 40 states. The original allegations included illegal collection of geolocation, incognito searches, and biometric data despite disabled location settings. The Texas Attorney General described the settlement as a major victory for privacy and a warning to other companies about abusing trust. Google has introduced local storage of Maps Timeline data and other privacy measures to auto-delete location history. Google's practices continue to draw global regulatory scrutiny, including concerns over antitrust issues. In a similar case, Meta paid $1.4 billion to Texas to resolve claims of illegal biometric data collection.
2025-05-09 18:53:52 bleepingcomputer DATA BREACH Ascension Data Breach Impacts Over 430,000 Patients' Sensitive Info
Ascension reported a significant data breach affecting personal and healthcare information of over 430,000 patients. The breach originated from a former business partner's system, compromised through a vulnerability in third-party software. Exposed data includes personal health details like physician's name, diagnosis, and billing codes, as well as personal identifiers such as SSNs and insurance information. Ascension offers two years of free identity monitoring services, including credit monitoring and identity theft restoration to affected individuals. The incident aligns with a pattern of attacks exploiting a zero-day flaw in Cleo secure file transfer software, used in Clop ransomware data theft attacks. Separate from this breach, Ascension faced a ransomware attack in May 2024 affecting almost 5.6 million, disrupting clinical and operational activities dramatically. The healthcare provider had to revert to manual recording and alter medical service offerings to mitigate impact during the 2024 ransomware incident.
2025-05-09 17:53:20 bleepingcomputer CYBERCRIME Global Law Enforcement Dismantles Router-Based Botnet and Proxy Service
Law enforcement has disrupted a botnet and two associated proxy services that operated for over 20 years, leading to the indictment of four individuals from Russia and Kazakhstan. The botnet, utilizing the Anyproxy and 5socks networks, compromised thousands of end-of-life routers globally, turning them into residential proxies. The malicious network, which sold access via a subscription model, has reportedly collected over $46 million through its operations. Operation Moonlander involved cooperation between the U.S. Justice Department, Royal Thai Police, Dutch National Police, and others, demonstrating significant international collaboration. The U.S. Justice Department highlighted that the networks leveraged by cybercriminals helped anonymize activities such as cyber-for-hire offenses and cryptocurrency theft. The FBI has issued warnings about the botnet, which targets outdated routers with TheMoon malware, advising the public on the associated security risks. The dismantlement of the botnet and the arrests are a crucial step in mitigating a longstanding global cybersecurity threat.
2025-05-09 17:53:20 bleepingcomputer CYBERCRIME Google Chrome Integrates AI to Block Tech Support Scams
Google has announced a new security feature for Chrome, utilizing the built-in AI 'Gemini Nano' to detect tech support scams. The AI model operates directly within the browser, analyzing web page content for scam indicators such as fake virus alerts and full-screen lockouts. This functionality will be part of Chrome's 'Enhanced Protection' mode and works by analyzing data locally on the user's device to protect privacy and ensure minimal performance impact. Confirmed scams will trigger a warning to the user, with suspicious site data being further assessed by Google's Safe Browsing service. Google emphasizes the AI feature's design to conserve resources, using throttling and quota enforcement mechanisms to limit GPU usage. Chrome 137, which will include this feature, is set to release next week and will activate by default for users who opt into 'Enhanced Protection.' Future updates intend to broaden the detection capabilities to other scam types, and a similar feature is planned for Chrome on Android by 2025. This initiative follows the introduction of a similar anti-scam AI by Microsoft for its Edge browser, showcasing a growing trend of AI utilization in web security.
2025-05-09 17:36:12 theregister DATA BREACH Insight Partners Hit by Data Breach, Sensitive Financial Data at Risk
Insight Partners reported a data breach potentially exposing financial and personal information. Miscreants executed a sophisticated social engineering attack, gaining access to company servers. The intrusion was detected on January 16, and third-party cyber-investigators are assessing the extent of the accessed data. Compromised data may include banking, tax, and personal information of employees and partners. The breach could facilitate business email compromise (BEC) scams leveraging the stolen data. Insight Partners has advised all affected parties to enhance security measures, such as changing passwords and using multi-factor authentication. The breach highlights the growing risk of scams aided by technologies such as AI deepfakes.
2025-05-09 16:33:17 thehackernews NATION STATE ACTIVITY North Korean Hackers Escalate Attacks with Updated Malware
North Korean threat actors have enhanced the OtterCookie malware to steal credentials from web browsers and MetaMask, now including VM detection capabilities. Versions v3 and v4 of OtterCookie were released in February and April 2025, respectively, adding features to exfiltrate various file types and browser data. The malware is distributed through malicious npm packages, tampered GitHub or Bitbucket repositories, and deceptive software like fake videoconferencing apps. OtterCookie v4 specifically targets Google Chrome and MetaMask credentials, and can determine if it's running in a virtual machine environment. This advanced persistent threat is part of the "Contagious Interview" campaign linked to the Lazarus Group, a notorious North Korean hacking collective known for both espionage and financial crimes. Researchers from NTT and other cybersecurity firms observed sophisticated tactics, including the use of deceptive applications and updated stealer modules. The recent escalation in North Korea’s cyber activities coincides with increased targeting of European and Asian firms by fraudulent North Korean IT workers aiming to infiltrate and exfiltrate funds.
2025-05-09 16:33:17 thehackernews CYBERCRIME U.S. and Dutch Authorities Dismantle $46M IoT Botnet Operation
Dutch and U.S. law enforcement agencies collaborated to dismantle a significant botnet comprising 7,000 IoT and EoL devices. Russian and Kazakhstani nationals were charged for operating proxy services via the botnet, profiting over $46 million from subscription fees. The botnet, active since 2004, provided anonymity for cybercriminals conducting various illegal activities, including ad fraud and DDoS attacks. The proxy services were sold on anyproxy.net and 5socks.net, offering daily access to thousands of proxies worldwide for a fee in cryptocurrency. The botnet devices were infected using TheMoon malware, targeting a range of vulnerabilities predominantly in end-of-life devices. Lumen Technologies' Black Lotus Labs discovered that most botnet control commands were communicated from servers based in Turkey. FBI and Lumen Technologies issued recommendations for mitigating risks posed by such botnets, including regular router reboots and updates. The operation highlights ongoing challenges and threats posed by compromised IoT devices and outdated technology in global cybersecurity.
2025-05-09 16:24:32 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Exploit SAP NetWeaver for Unauthorized Access
Chinese hackers targeted SAP NetWeaver servers, exploiting a severe vulnerability (CVE-2025-31324) allowing unauthenticated file uploads and remote code execution. SAP issued an emergency patch for the flaw on April 24 after initial detections of exploitation attempts by cybersecurity firm ReliaQuest. Attackers uploaded malicious JSP web shells and used the Brute Ratel tool for post-exploitation activities on fully patched servers, indicating a zero-day exploit. Other cybersecurity firms including watchTowr, Onapsis, and Mandiant confirmed repeated exploitation and the uploading of web shell backdoors on vulnerable systems. Onapsis reported detection of reconnaissance activity and payload testing since January 20, with active exploitation from February 10. The Shadowserver Foundation is currently monitoring 204 exposed SAP NetWeaver servers that are susceptible to this exploit. Recent attacks from IP addresses linked to Chinese cloud providers utilized self-signed certificates mimicking Cloudflare. U.S. cybersecurity agency CISA added the security flaw to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to secure their systems by May 20.