Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12799
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-31 18:50:18 | bleepingcomputer | CYBERCRIME | Lucid Phishing Platform Targets Global Entities via SMS | A Phishing-as-a-Service (PhaaS) platform called Lucid has been developed and operated by the XinXin group, a collective of Chinese cybercriminals. Lucid has actively targeted 169 organizations across 88 countries using sophisticated iMessage and RCS-based smishing (SMS phishing) campaigns. This PhaaS solution offers subscribers over 1,000 phishing domains and professional spamming tools through a subscription model, purchasable via a dedicated Telegram channel. Automated attack mechanisms via Lucid generate customizable phishing sites distributed mainly through mobile messaging, exploiting iMessage and RCS to avoid conventional spam filtering. Major entities impersonated in these phishing attacks include USPS, FedEx, Amazon, and various banking institutions, aiming to steal sensitive personal and financial data. Lucid grants users capabilities to validate stolen credit card information, with successful validations leading to the direct use or sale of the data. Operational security for these phishing campaigns includes mobile operations, potentially from vehicles, to minimize traceability and evade law enforcement. The widespread and sophisticated nature of Lucid emphasizes a lowered barrier to entry for cybercriminals, improving their success rates and operational scope. | Details |
| 2025-03-31 17:11:05 | bleepingcomputer | MALWARE | Rising Abuse of WordPress MU-Plugins by Hackers Uncovered | Hackers are increasingly exploiting the WordPress mu-plugins directory to secretly inject malicious code into websites. Security firm Sucuri first identified the technique in February 2025; it involves executing malware on every page load without standard plugin activation. Three main types of malicious payloads were discovered in the mu-plugins directory, aimed at data theft, website redirection, and harmful code injection. The misuse of mu-plugins allows hackers to maintain a persistent presence on the site, complicating detection and removal efforts. Such attacks typically leverage vulnerabilities in existing plugins or themes or exploit weak admin credentials. Sucuri recommends regular updates to themes and plugins, deactivation of unnecessary extensions, and the strengthening of admin accounts with robust passwords and multi-factor authentication. The phenomenon underscores a growing trend of cybercriminals targeting core functionality of popular content management systems like WordPress for financial gain. | Details |
| 2025-03-31 16:48:52 | thehackernews | NATION STATE ACTIVITY | Russian Hackers Deploy Malware Using Sophisticated Techniques | Water Gamayun, a suspected Russian hacking group, has utilized a zero-day vulnerability in the Microsoft Management Console to deploy malware including the backdoors SilentPrism and DarkWisp. The group employs sophisticated delivery methods such as provisioning packages, signed .msi files, and .msc files, often mimicking legitimate software. SilentPrism and DarkWisp allow persistent system access, data exfiltration, and execution of commands, featuring advanced evasion measures against detection. The hackers use various malware to steal extensive personal and system information, highlighting a significant interest in cryptocurrency-related data. Water Gamayun has transitioned to using its own infrastructure for both malware staging and command-and-control, increasing the effectiveness of its campaigns. The group's malware arsenal includes a mixture of commodity and custom stealers capable of collecting detailed system and user data. EncryptHub, associated with Water Gamayun, previously distributed malware through a deceptive GitHub repository and a fake WinRAR website. | Details |
| 2025-03-31 16:41:16 | theregister | DATA BREACH | Check Point Data Breach Claims Questioned Amidst Misinformation | A user on a cybercrime forum claimed to have accessed highly sensitive data from Check Point, including internal network maps, user credentials, and proprietary source code. Check Point contends that the data was old, the incident was previously addressed, and it involved only a limited scope with no impact on customers' primary systems. The cybercriminal used CoreInjection's account to advertise the breach and posted screenshots purportedly showing access to Check Point's Infinity admin portal. Industry experts, including Hudson Rock's CTO Alon Gal, initially found the claims credible but later acknowledged the breach's scope might be narrower than suggested. Check Point asserts no security risk was posed to its customers or employees, describing the published information as a recycling of old data. The breach, clarified to have occurred in December, was due to compromised credentials for a portal account with restricted access, impacting three organizations. Despite the claims, Check Point emphasizes that customer systems, production, and security architecture were not compromised. | Details |
| 2025-03-31 15:59:26 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Target Crypto Firms with ClickFix Malware | The North Korean Lazarus group has adopted ClickFix tactics to deploy malware targeting individuals seeking jobs in the cryptocurrency industry. ClickFix uses fake error prompts on web documents or websites, tricking users into executing malware through PowerShell commands. Lazarus impersonates reputable companies in the crypto sector such as Coinbase and KuCoin, using fake interviews to lure victims. The campaign involves ClickFake attacks, shifting focus from developers to non-technical roles in cryptocurrency firms, providing tailored instructions based on the user's operating system. Victims infected with GolangGhost malware face risks of system metadata theft and unauthorized file operations, highlighting the need for enhanced cybersecurity measures. Sekoia's analysis reveals ongoing parallel use of ClickFake and the previous Contagious Interview tactics by Lazarus, indicating an evaluation of both methods. Organizations are urged to verify interview invitations and avoid executing unknown commands; Sekoia provides detection tools and a list of indicators of compromise to help protect against such threats. | Details |
| 2025-03-31 12:12:40 | thehackernews | MALWARE | Hackers Covertly Use WordPress mu-Plugins to Inject Spam and Malware | Threat actors are exploiting the "mu-plugins" directory in WordPress to implement malicious code, enabling persistent access and directing visitors to malicious sites. "Mu-plugins," or must-use plugins, are automatically executed without manual activation, making them less visible in standard security checks. This obscurity facilitates their use for malicious activities such as malware deployment. Sucuri's analysis identified three types of rogue PHP code in the mu-plugins directory that disguise their harmful intent, such as redirecting users under the guise of browser updates. These scripts are designed to dodge detection by search engine crawlers, thereby avoiding red flags in SEO analytics and allowing continued malicious activity. Attackers are also leveraging compromised WordPress sites to spread malware through deceptive tactics like fake CAPTCHA verifications leading to the installation of Lumma Stealer. The methods for site compromise potentially include vulnerable plugins or themes, exposed admin credentials, and server configuration errors. Recommended mitigation steps include regular updates to plugins and themes, code audits, strong password policies, and the use of web application firewalls to block malicious intrusions and prevent data leaks. | Details |
| 2025-03-31 11:34:18 | thehackernews | CYBERCRIME | Google Fixes Chrome Zero-Day Exploited in Targeted Attacks | Google recently patched a high-severity Chrome vulnerability (CVE-2025-2783) that was actively exploited to target Russian entities. The Chrome flaw allowed attackers to execute remote code by escaping the browser's sandbox through specially crafted phishing links. This zero-day vulnerability was also identified and patched in Mozilla Firefox and Tor Browser. The ongoing issue raises concerns about persistent cyber threats and emphasizes the importance of timely software updates to mitigate risk. Recommendations include disabling browser autofill for sensitive fields to prevent data leakage and maintaining updated security practices to protect against evolving cyber threats. The report highlights how attackers abuse everyday conveniences to circumvent rules and access secure systems, underlining the necessity for continuous vigilance in cybersecurity measures. | Details |
| 2025-03-31 11:06:55 | thehackernews | MISCELLANEOUS | Key Insights on Customer Responsibilities for AWS Security | AWS follows a Shared Responsibility Model, meaning users must manage security measures within their cloud environments. Vulnerabilities such as Server-Side Request Forgery (SSRF) can occur in user-managed applications on AWS, requiring vigilant access controls and data protection. AWS Identity and Access Management (IAM) is critical, but its effectiveness depends on proper customer implementation and configuration to limit access. Customers are solely responsible for the security and patch management of the operating systems and applications they deploy on AWS EC2 instances. AWS does not manage the security of customer data or applications; users must ensure their data storage and access techniques are secure to thwart exposure risks. Customers need to maintain their own firewall setups and manage their attack surface to protect against potential breaches even though AWS secures its infrastructure. Using tools like Intruder can enhance security by offering cloud security scanning within the framework of AWS's Shared Responsibility Model. | Details |
| 2025-03-31 10:01:30 | theregister | MISCELLANEOUS | Key Strategies for Enhancing Security in AWS Cloud Environments | AWS operates on a Shared Responsibility Model, dividing security obligations between AWS and its customers. Customers are in charge of safeguarding their data, applications, and configurations within the AWS environment, while AWS secures the underlying infrastructure. Real-world vulnerabilities highlighted include the exploitation of SSRF vulnerabilities, which can allow server manipulation and unauthorized data access. Proper application of AWS IMDSv2 is recommended to mitigate SSRF attacks, alongside identifying and rectifying application vulnerabilities. AWS customers are advised to ensure precise configurations and access controls to prevent data exposure, especially in S3 buckets and RDS connections. Organizations using AWS must handle OS and software patching themselves, as AWS only maintains hardware and firmware updates. Securing network configurations, such as by employing firewalls or VPNs, is essential to protect against unauthorized access and potential zero-day vulnerabilities in applications. Intruder offers cloud security scanning and vulnerability management tools that help organizations maintain robust security postures within AWS environments. | Details |
| 2025-03-31 09:38:38 | thehackernews | NATION STATE ACTIVITY | Russian-Linked Gamaredon Targets Ukraine with Phishing to Deploy RAT | Ukraine has been targeted by a phishing campaign employing file names related to troop movements to distribute the Remcos RAT malware. The attacks have been attributed to the Russian hacking group Gamaredon, believed to be connected to Russia's FSB. Gamaredon has used malicious Windows shortcut files disguised as Microsoft Office documents to trick victims. The campaign involves ZIP archives containing a PowerShell downloader that contacts servers in Russia and Germany. The malicious files download further malware that uses DLL side-loading techniques to execute the Remcos payload. The phishing campaign also impersonated the CIA, the Russian Volunteer Corps, and other entities to collect data on Russian individuals. All observed campaigns share the objective of collecting sensitive personal information using website lures. | Details |
| 2025-03-31 00:34:03 | theregister | DATA BREACH | China Intensifies Enforcement of Privacy Laws; Global Tech Updates | China has initiated a strict enforcement campaign against illegal collection and use of personal data, led by multiple government agencies. The enforcement targets non-government entities, in keeping with China's ongoing extensive surveillance of its citizens. Indonesia lifts its ban on the iPhone 16, contingent on Apple's commitment to establish an R&D facility, enhancing the local tech ecosystem. New Indonesian regulations restrict social media access for users under 18, requiring parental oversight for account creation by minors. Over 20 Japanese companies in the semiconductor sector have formed an alliance to consolidate resources and enhance their competitive capabilities globally. Japan Airlines trialed an AI-based system for cabin crew to efficiently create flight reports using offline language processing technology. India's ISRO successfully tested a new rocket engine design aimed at increasing payload capacity for upcoming space missions, including a crewed spaceflight. | Details |
| 2025-03-30 22:50:59 | theregister | DATA BREACH | Oracle Health Reports Data Leak from Legacy Server | Oracle Health, formed after Oracle's acquisition of Cerner in 2022, experienced unauthorized access to patient data. Hackers obtained patient information from a legacy server using stolen customer credentials. Oracle has notified impacted customers, and the FBI might be investigating potential ransom demands. OpenAI increased its maximum bug bounty payout from $20,000 to $100,000 to encourage more high-impact security research. A survey found that over half of IT professionals delay software patches, which leaves systems vulnerable to known exploits. Reviewdog, a GitHub tool, experienced a compromise that exposed secrets in GitHub Actions workflow logs. INTERPOL's Operation Red Card resulted in 306 arrests across seven African countries, targeting mobile banking and other scams. | Details |
| 2025-03-30 14:23:28 | bleepingcomputer | MALWARE | Crocodilus Malware Targets Android Crypto Wallets and Banks | Crocodilus is a newly identified Android malware that intercepts cryptocurrency wallet keys using sophisticated social engineering. It exploits Android's Accessibility Services to capture data and control affected devices, bypassing the latest security measures including Android 13 protections. The malware employs a proprietary dropper to install itself discreetly, eluding Google's Play Protect and Accessibility Service restrictions. A significant feature of Crocodilus is its ability to use screen overlays to deceive users into revealing their encryption keys, leveraging warnings about potential loss of wallet access. Initially, Crocodilus has been observed focusing on users in Turkey and Spain, capturing not only crypto-wallet access but also banking information. The origin of the malware appears to be Turkish, based on debug messages analyzed by researchers. ThreatFabric highlights the malware's versatile command functionality, including RAT operations that allow remote attackers to perform actions like screen taps and swipes. Recommendations for Android users include avoiding downloads from unofficial platforms and keeping Play Protect enabled. | Details |
| 2025-03-30 05:13:19 | thehackernews | MALWARE | RESURGE Malware Targets Ivanti Appliances with Advanced Features | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a new malware, named RESURGE, targeting Ivanti Connect Secure (ICS) appliances. RESURGE has evolved from the SPAWNCHIMERA variant and incorporates rootkit, dropper, backdoor, bootkit, proxy, and tunneler capabilities. It specifically exploits a stack-based buffer overflow vulnerability identified as CVE-2025-0282, which affects Ivanti Connect Secure, Policy Secure, and ZTA Gateways. This vulnerability allows unauthenticated remote code execution and has been actively exploited by a China-nexus espionage group known as UNC5337. RESURGE can survive reboots and has new commands enhancing its ability to alter its operational behavior. The malware also employs a feature that patches CVE-2025-0282 to prevent other malicious actors from exploiting the same vulnerability. Enhanced tradecraft within RESURGE indicates active development and modification to escape detection and maximize impact. CISA's findings emphasize the necessity for organizations to update their Ivanti appliances, reset account credentials, and closely monitor network activity for signs of compromise. | Details |
| 2025-03-29 10:54:49 | theregister | MALWARE | Malware Developers Shift to Obscure Languages to Avoid Detection | Researchers at the University of Piraeus and others have identified a trend where malware authors use less common programming languages like Delphi and Haskell to evade detection. Malware instances are rising, with 26 million new cases projected in 2025, challenging existing static analysis tools predominantly built around more common languages like C or C++. Less popular languages and their diverse execution models complicate malware detection and automated analysis, providing a form of security through obscurity. Analysis of 400,000 Windows executables revealed that programming language choice and the compiler used significantly impact malware detection rates. Advanced Persistent Threat groups like APT29 are diversifying their programming languages and compilers to decrease detectability and increase the difficulty of reverse engineering. Unconventional languages distribute shellcode bytes irregularly, complicating static detection mechanisms traditionally used for popular languages. Examples cited include changes in ransomware programs such as Akira shifting from C++ to Rust, and the blending of multiple languages in other malware variants. The study underscores the need for security researchers to adapt and develop new detection strategies for malware coded in less common languages. | Details |