Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 12612

Checks for new stories every ~15 minutes

2025-12-17 15:35:01 thehackernews NATION STATE ACTIVITY APT28's Credential Phishing Campaign Targets Ukrainian UKR-net Users
APT28, a Russian state-sponsored group, has been conducting a sustained credential-harvesting campaign against users of Ukraine's UKR[.]net from June 2024 to April 2025. The campaign employs UKR[.]net-themed login pages hosted on legitimate services to capture user credentials and two-factor authentication codes. Phishing emails containing PDF documents with shortened links direct victims to these malicious login pages, exploiting services like tiny[.]cc and tinyurl[.]com. APT28 has shifted from using compromised routers to proxy tunneling services such as ngrok and Serveo for capturing and relaying stolen credentials. This activity is part of broader operations targeting government and defense sectors, aiming to collect intelligence for Russia's strategic objectives. Recorded Future notes this reflects an adaptive strategy in response to Western infrastructure takedowns, maintaining GRU's focus on Ukrainian targets. The campaign illustrates the ongoing cyber threat landscape amid the geopolitical tensions of Russia's ongoing conflict with Ukraine.
2025-12-17 15:05:05 theregister MISCELLANEOUS NATO Prioritizes Cloud Sovereignty in Digital Transformation Strategy
NATO is accelerating efforts to develop sovereign cloud technologies, crucial for maintaining strategic advantage in modern warfare, as emphasized by Assistant Secretary General Jean-Charles Ellermann-Kingombe. The ongoing conflict in Ukraine has demonstrated the importance of secure data management and cloud platforms in military operations, highlighting a need for rapid digital transformation. NATO's strategy involves building a robust digital infrastructure to enhance intelligence sharing, decision-making, and operational readiness across its 32 member nations. The alliance faces competition from China and Russia, who are advancing in AI, machine learning, and quantum computing, necessitating a swift and coordinated technological response. Digital sovereignty is being redefined to balance autonomy with alliance capabilities, employing diverse cloud models from globally connected to isolated environments. Collaboration with industry and academia is vital, with NATO encouraging partnerships beyond traditional defense sectors to leverage innovative solutions. The UK has announced a significant investment in drone technology, reflecting a broader trend towards integrating advanced tech in defense strategies. NATO's approach underscores the necessity of designing systems that support sovereignty while fostering innovation and resilience through international cooperation.
2025-12-17 14:55:15 thehackernews CYBERCRIME ForumTroll Phishing Campaign Targets Russian Scholars with Fake eLibrary Emails
Kaspersky identified a new phishing campaign by Operation ForumTroll targeting Russian scholars in political science and economics using fake eLibrary emails. The campaign exploited a zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver malware, including the LeetAgent backdoor and Dante spyware. Attackers registered the domain "e-library[.]wiki" six months prior to the campaign, hosting a replica of the legitimate eLibrary site to deceive victims. Phishing emails included personalized links leading to a ZIP file download, containing a Windows shortcut that executes a PowerShell script to deploy malware. The final payload, Tuoni, provides remote access to infected devices, allowing attackers to control victim machines through a command-and-control framework. Kaspersky notes that ForumTroll has been active since 2022, targeting entities in Russia and Belarus, indicating a persistent threat to these regions. The campaign's strategic planning and domain aging tactics highlight the sophistication and long-term planning of cybercriminals in executing targeted attacks.
2025-12-17 14:11:32 bleepingcomputer VULNERABILITIES Wireless Biometric Authentication Offers Cost-Effective Security and Productivity Gains
Traditional MFA methods are increasingly ineffective against credential attacks, with businesses facing rising costs and operational inefficiencies from outdated authentication processes. Phishing, spoofed portals, and social engineering enable attackers to bypass traditional security measures, leading to significant financial and operational impacts. Token's wireless biometric authentication technology reduces login time from 22 seconds to 2 seconds, enhancing productivity and minimizing workplace friction. The technology requires a live fingerprint, exact domain match, and physical presence, effectively neutralizing common identity-based attack vectors. Organizations can achieve a return on investment of up to fifteen times, with annual productivity gains exceeding $1,400 per employee. By eliminating passwords, Token's solution drastically reduces the risk of credential theft, a common entry point for ransomware and other cyber threats. The adoption of this technology marks a shift towards more secure, efficient, and economically viable authentication methods, promising a passwordless future.
2025-12-17 13:57:14 theregister VULNERABILITIES Microsoft Security Update Disrupts MSMQ on Older Windows Systems
Microsoft's December 2025 security update causes MSMQ failures on Windows 10 and older Windows Server versions, affecting enterprise environments relying on these systems. Issues include MSMQ queues becoming inactive, IIS site failures, and misleading error logs indicating insufficient resources despite adequate disk space and memory. The root cause is linked to changes in MSMQ's security model and NTFS permissions, requiring write access to a folder typically restricted to administrators. Impacted systems include Windows 10 versions 22H2 and earlier, and Windows Server 2012 to 2019, primarily affecting enterprise or managed IT environments. Microsoft advises contacting support for workarounds, though some users found uninstalling the update resolves the issue, at the cost of losing security fixes. MSMQ's failure can disrupt numerous applications, highlighting the risks of maintaining older systems in enterprise settings. The incident serves as a reminder of the challenges in balancing security updates with system stability, especially in legacy environments.
2025-12-17 11:32:35 thehackernews VULNERABILITIES Proactive SOC Strategies Enhance Threat Detection and Response
Modern SOCs face challenges with alert overload and reactive defense, often resulting in delayed threat responses and increased risk exposure. Reactive SOCs incur higher costs and risks, as they struggle to keep pace with evolving threats and complex attack infrastructures. ANY.RUN's Threat Intelligence Lookup provides SOCs with real-time threat data, enabling faster triage and more informed decision-making. The tool supports industry and geographic threat attribution, allowing SOCs to focus on threats specific to their business environment. Hybrid threats, combining multiple malware families, complicate detection and require SOCs to adopt a proactive, context-rich approach. By integrating continuously updated threat indicators, SOCs can adapt defenses quickly, improving detection and mitigation of incidents. Enhanced visibility into threat landscapes helps SOCs prioritize detection engineering and security awareness, reducing operational blind spots.
2025-12-17 11:17:20 thehackernews NATION STATE ACTIVITY Ink Dragon Targets Global Governments with Advanced Malware Tactics
The China-linked group Ink Dragon, tracked by Check Point, targets government entities in Europe, Asia, and Africa, using sophisticated malware like ShadowPad and FINALDRAFT. Ink Dragon's campaigns employ disciplined operational strategies, leveraging platform-native tools to evade detection and maintain stealth across compromised networks. Recent attacks involved exploiting vulnerable web applications to install web shells, facilitating further malware deployment and data exfiltration. The group utilizes modular malware frameworks, enabling encoded command execution through victim mailboxes, enhancing stealth and operational flexibility. Ink Dragon's infrastructure allows compromised servers to act as proxy nodes, expanding attack reach and resilience across multiple victim networks. Investigations revealed the presence of another actor, REF3927, in some environments, suggesting shared initial access methods but no direct operational link. The group's advanced tactics highlight the need for comprehensive defense strategies, focusing on dismantling entire attacker-managed ecosystems rather than isolated breaches.
2025-12-17 10:18:14 theregister MISCELLANEOUS England Maintains Traditional Exams Amid Digital Testing Concerns
England's exam regulator, Ofqual, proposes maintaining pen and paper exams for most GCSE and A-level subjects, citing infrastructure and benefit concerns. Ofqual's cautious approach allows limited digital expansion, with proposals for only two additional subjects per exam board for screen-based assessments. Current digital assessments in computer science, geology, and food preparation may continue, adhering to new rules and ensuring accessibility for disabled students. The regulator emphasizes the need to manage cybersecurity and technical risks associated with on-screen testing to maintain exam integrity. Despite the digital shift in universities, only a minority use remote invigilation, raising concerns about unsupervised online assessments and the impact of AI tools. Estonia's delay in moving to digital exams due to IT issues highlights challenges in transitioning from traditional testing methods. Ofqual's strategy aims to balance innovation with the protection of qualification standards, maintaining traditional exams as the primary assessment mode.
2025-12-17 08:21:57 thehackernews MALWARE GhostPoster Malware Targets Firefox Add-ons for Ad Fraud Scheme
The GhostPoster campaign exploited 17 Firefox add-ons, embedding malicious JavaScript to hijack affiliate links and commit ad fraud, affecting over 50,000 users. The compromised add-ons, now removed, were marketed as VPNs, ad blockers, and other utilities, disguising their true malicious intent. Attackers used logo files to deploy a multi-stage malware payload, stripping browser security and enabling remote code execution. The malware employed evasion tactics, including delayed activation and random payload fetching, complicating detection efforts. All affected extensions communicated with the same C2 infrastructure, suggesting a coordinated effort by a single threat actor. The incident follows recent discoveries of malicious activity in browser extensions, raising concerns about privacy and security in free software offerings. Organizations should reassess the security of browser extensions and educate users on the risks associated with free software.
2025-12-16 23:22:29 theregister NATION STATE ACTIVITY Ink Dragon Expands Espionage Operations in European Government Networks
Ink Dragon, a Chinese espionage group, has infiltrated European government networks, targeting telecommunications and government entities across Europe, Asia, and Africa. The group exploits misconfigured Microsoft IIS and SharePoint servers, avoiding high-profile vulnerabilities to maintain a low profile and reduce detection risk. By compromising servers, Ink Dragon establishes relay nodes for future operations, enhancing long-term access and operational stealth. The attackers use stolen credentials to blend with normal network traffic, installing backdoors and implants to secure domain-level access to high-value systems. Ink Dragon's updated FinalDraft backdoor mimics Microsoft cloud activity, allowing it to operate discreetly during business hours and efficiently transfer large files. The group’s tactics include deploying customized IIS modules on compromised servers, creating a communication mesh that obscures the attack’s origin. Check Point Research also identified similar activities by RudePanda, another Chinese-linked group, indicating evolving tactics among nation-state actors. Amazon has reported related relay-node activities attributed to Russia's GRU, targeting Western energy and tech sectors, highlighting the persistent threat from state-sponsored cyber activities.
2025-12-16 23:00:34 bleepingcomputer MALWARE New Cellik Malware Threatens Android Apps with Trojanized Versions
Cellik, a new Android malware-as-a-service, is being sold on cybercrime forums, enabling the creation of trojanized versions of apps from the Google Play Store. This malware maintains the original app's interface and functionality, allowing it to remain undetected longer by users and potentially bypassing Play Protect security. Cellik is priced at $150 per month or $900 for lifetime access, offering capabilities like real-time screen capture, file exfiltration, and encrypted command-and-control communication. The malware can inject fake login screens and malicious code into apps, posing a significant risk for credential theft and data breaches. A key feature is its ability to integrate with Google Play, allowing attackers to select apps and create malicious variants, potentially evading automated security reviews. Android users are advised to avoid sideloading APKs from untrusted sources, ensure Play Protect is enabled, and regularly review app permissions and activity for anomalies. Google's response to whether Cellik can evade Play Protect is pending, highlighting ongoing challenges in securing app ecosystems against sophisticated threats.
2025-12-16 22:23:39 bleepingcomputer MALWARE GhostPoster Campaign Exploits Firefox Extensions for Malicious Activities
Koi Security identified the GhostPoster campaign, which embeds malicious JavaScript in Firefox extension logos, affecting over 50,000 downloads and compromising user privacy. GhostPoster grants attackers high-privilege browser access, allowing them to hijack affiliate links, inject tracking codes, and conduct click fraud. The malware uses steganography to hide JavaScript in PNG logos, with the loader activating 48 hours post-installation to fetch payloads from hardcoded domains. The payload retrieval is designed to evade detection, occurring only once in ten attempts, and employs heavy obfuscation techniques for concealment. Users are urged to remove the affected extensions, including FreeVPN Forever, and to reset passwords for critical accounts as a precaution. Despite the threat, the malware does not currently harvest passwords or redirect users to phishing sites, but its stealthy nature poses potential future risks. Mozilla has been contacted regarding the presence of malicious extensions, but no response has been provided at the time of reporting.
2025-12-16 21:53:24 theregister DATA BREACH Pornhub Data Breach Involves Analytics Vendor Mixpanel and Employee Access
Pornhub experienced a data breach involving analytics data, initially attributed to Mixpanel, but later linked to an employee of Pornhub's parent company. The breach affected select Premium users, exposing search and video-watching histories, but did not compromise passwords, credentials, or payment details. Mixpanel denied being the source of the breach, stating the data was accessed by a legitimate Pornhub employee account in 2023. ShinyHunters, a known data extortion group, claimed responsibility for the breach, though details on how the data was obtained remain undisclosed. Pornhub has since secured the affected account and halted unauthorized access, aligning with Mixpanel's assertion of employee involvement. The incident underscores the importance of securing employee access and monitoring for insider threats, as similar tactics were used in recent breaches involving other companies. The breach serves as a reminder of the vulnerabilities associated with third-party service providers and the need for robust security protocols.
2025-12-16 21:09:28 theregister DATA BREACH Browser Extensions Secretly Harvest AI Chat Data from Millions
Koi Security research reveals four browser extensions, including Urban VPN Proxy, are capturing chatbot interactions from over 8 million users, compromising privacy. These extensions, available on Chrome and Microsoft Edge, intercept and transmit data from platforms like ChatGPT and Microsoft Copilot to developers. The extensions inject scripts into browser sessions, capturing network requests and responses, with no user option to disable data collection except by uninstalling. Data is exfiltrated to analytics endpoints, with Urban VPN's privacy policy indicating data sales for marketing, despite claims of protective monitoring. Google's Chrome Web Store policies are scrutinized as Urban VPN received a Featured Badge, suggesting oversight or policy loopholes in data handling reviews. Users are advised to uninstall these extensions immediately, as AI conversations since July 2025 may have been shared with third parties. The incident raises concerns about extension review processes and the potential misuse of privacy policy exceptions to justify data transfers.
2025-12-16 20:16:43 bleepingcomputer NATION STATE ACTIVITY Amazon Disrupts Russian GRU Hackers Targeting Cloud Infrastructure
Amazon's Threat Intelligence team identified and disrupted operations linked to the Russian GRU targeting cloud infrastructure, focusing on Western critical sectors, notably energy, since 2021. The threat actors shifted tactics from exploiting vulnerabilities to targeting misconfigured edge devices, such as routers and VPN gateways, for initial access. This strategic pivot aims for persistent access and credential harvesting, maintaining operational objectives with minimal exposure and resource investment. Amazon's analysis connects these activities to GRU-associated groups Sandworm and Curly COMrades, suggesting a broader campaign involving multiple specialized subclusters. Compromised devices were customer-managed appliances on AWS EC2 instances, with no AWS service vulnerabilities exploited. Amazon responded by securing affected instances, notifying customers, and sharing intelligence with vendors and partners, reducing the threat actor's operational capabilities. Amazon advises auditing network devices, monitoring credential activity, and securing administrative access to mitigate risks in cloud environments.