Daily Brief

Total articles found: 12632

2025-12-02 15:02:05 bleepingcomputer NATION STATE ACTIVITY North Korean Scheme Exploits Engineers for Illicit Fundraising Operations
Security researchers uncovered a North Korean operation targeting engineers to rent out their identities for espionage and fundraising, linked to the Lazarus group's Famous Chollima unit. The scheme involved tricking recruiters into hiring at major corporations using stolen identities, deepfake videos, and AI tools to avoid detection. Legitimate engineers were recruited to act as figureheads, receiving a percentage of salaries while DPRK agents used their identities and devices for cover. Researchers Eldritch and García set up a honeypot to study the operation, revealing tactics such as the use of Astrill VPN and AI-powered tools for job applications. The operation involved multiple North Korean agents and highlighted the use of sophisticated techniques to infiltrate companies, posing significant risks to corporate security. Insights from the investigation provide valuable intelligence for organizations to anticipate and defend against similar infiltration attempts. The findings underscore the ongoing threat posed by North Korean cyber activities, emphasizing the need for robust identity and access management strategies.
2025-12-02 14:41:44 bleepingcomputer VULNERABILITIES Google Releases December 2025 Android Security Bulletin Fixing 107 Flaws
Google addressed 107 vulnerabilities in its December 2025 Android security bulletin, including two zero-day flaws actively exploited in targeted attacks. The critical vulnerabilities, CVE-2025-48633 and CVE-2025-48572, involve information disclosure and privilege escalation, affecting Android versions 13 through 16. The bulletin suggests limited, targeted exploitation, potentially linked to commercial spyware or nation-state operations targeting high-interest individuals. The most critical fix involves CVE-2025-48631, a denial-of-service flaw in the Android Framework, among 51 flaws addressed in the Android Framework and System components. An additional 56 vulnerabilities were patched in the Kernel and third-party components, with critical fixes for elevation-of-privilege issues in Qualcomm-powered devices. Samsung and other vendors have released their security bulletins, incorporating Google's updates and providing vendor-specific fixes. Users on older Android versions are advised to update via Google Play system updates or consider newer devices for continued security support.
2025-12-02 14:18:23 theregister DATA BREACH FTC Sanctions Illuminate Education for Massive Student Data Breach
The Federal Trade Commission (FTC) sanctioned Illuminate Education after a breach exposed data of 10.1 million students, using credentials from a former employee. The breach revealed sensitive information, including email and postal addresses, birth dates, and health-related data, stored in plain text until early 2022. Illuminate Education had been alerted to security vulnerabilities as early as January 2020 but failed to implement necessary security measures. The company delayed notifying some school districts of the breach, leaving 380,000 students uninformed for nearly two years. As part of the settlement, Illuminate must implement a comprehensive information security program and adhere to a data retention schedule. The FTC's action serves as a reminder to edtech companies of the importance of fulfilling privacy promises, especially concerning children's personal data. No fines were imposed, but the FTC's vote on the complaint and draft order awaits a 30-day public comment period before finalization.
2025-12-02 14:18:23 thehackernews MALWARE Malicious npm Package Targets AI Security Tools with Deceptive Tactics
Cybersecurity researchers identified the npm package eslint-plugin-unicorn-ts-2, designed to manipulate AI-driven security scanners and evade detection by masquerading as a legitimate TypeScript extension. The package, uploaded by "hamburgerisland" in February 2024, has been downloaded nearly 19,000 times, indicating a significant potential impact on developers and organizations using the npm registry. Embedded with a misleading prompt intended to confuse AI security tools, the package includes a post-install hook that exfiltrates sensitive environment variables to a Pipedream webhook. The malicious code was first introduced in version 1.1.3, with the current version at 1.2.1, suggesting ongoing risk if not addressed by users and security teams. This incident reflects a growing trend where cybercriminals exploit AI vulnerabilities, leveraging malicious large language models to automate and enhance cyberattack capabilities. Despite their potential, these malicious AI tools face limitations, such as generating inaccurate code, yet they lower the barrier for inexperienced attackers to execute sophisticated attacks. Organizations should enhance monitoring of third-party packages and AI-based tools to mitigate risks posed by evolving cyber threats.
2025-12-02 14:01:36 bleepingcomputer CYBERCRIME Sophisticated Phishing Campaign Targets Google and Facebook Accounts
A phishing campaign is impersonating major brands like Disney and MasterCard to steal Google Workspace and Facebook business account credentials. Push Security discovered the campaign, which uses Calendly-themed lures to target ad manager accounts, enabling malvertising and other attacks. The campaign leverages AI-crafted emails and fake landing pages, featuring CAPTCHA and adversary-in-the-middle (AiTM) phishing methods to capture login sessions. Threat actors exploit ad platforms' geo-targeting and domain filtering capabilities, facilitating precise watering-hole-style attacks. Compromised accounts can lead to direct monetization or resale on cybercriminal markets, posing a significant risk to businesses. Anti-analysis techniques, such as blocking VPN and proxy traffic, are employed to evade detection and analysis by security researchers. Security experts recommend using hardware security keys and verifying URLs to counteract AiTM techniques that bypass two-factor authentication.
2025-12-02 13:39:16 thehackernews NATION STATE ACTIVITY Iranian MuddyWater Group Targets Israeli Sectors with New Backdoor
Iranian group MuddyWater, linked to Iran's Ministry of Intelligence, has launched targeted attacks on Israeli sectors using a new backdoor named MuddyViper. The sectors affected include academia, engineering, local government, manufacturing, technology, transportation, and utilities, with one Egyptian technology company also targeted. The attacks utilize sophisticated phishing techniques and exploit known VPN vulnerabilities to deploy the MuddyViper backdoor and other tools. MuddyViper enables attackers to collect system information, execute commands, transfer files, and exfiltrate credentials, supporting 20 covert access commands. The campaign signifies an operational evolution, with new components like the Fooder loader enhancing stealth and persistence. The attacks reflect MuddyWater's ongoing strategy of using custom malware and publicly available tools against critical infrastructure. Recent disclosures also link Iranian APT42 to espionage campaigns, revealing a structured cyber-intelligence apparatus with hierarchical command structures.
2025-12-02 13:01:37 bleepingcomputer DATA BREACH University of Pennsylvania Suffers Data Breach via Oracle Exploit
The University of Pennsylvania reported a data breach after attackers exploited a zero-day vulnerability in Oracle E-Business Suite, compromising personal information of 1,488 individuals. The breach is linked to a broader extortion campaign by the Clop ransomware gang, targeting multiple organizations using Oracle EBS since August 2025. Affected data includes names and personal identifiers, though no misuse or online leaks have been confirmed at this time. The university is conducting a detailed investigation to assess the full scope and identify all affected individuals, with ongoing communication to those impacted. Clop's campaign has also impacted other institutions, including Harvard and Princeton, raising concerns about security in higher education. The U.S. State Department has offered a $10 million reward for information connecting Clop's attacks to a foreign government, highlighting the severity of these incidents. The breach underscores the critical need for robust security measures and timely patch management to protect sensitive information against emerging threats.
2025-12-02 11:31:15 thehackernews VULNERABILITIES SecAlerts Revolutionizes Vulnerability Management with Real-Time Cloud-Based Solution
SecAlerts introduces a streamlined, cloud-based vulnerability management service, offering timely alerts tailored to specific software, reducing the burden on cybersecurity teams managing extensive software inventories. The platform operates without invasive network scans, instead using a remote system to match vulnerabilities to listed software, ensuring up-to-date information delivery. SecAlerts employs a three-component system (Stacks, Channels, and Alerts) allowing customized notifications and efficient dissemination of critical vulnerability data within organizations. Businesses can filter alerts based on severity, exploit history, and other criteria, enhancing focus on critical threats and optimizing resource allocation. The service supports integration with existing tools via API, enabling seamless incorporation into broader cybersecurity strategies and workflows. SecAlerts offers flexible plans, including a free 30-day trial and promotional discounts, making it accessible to organizations of varying sizes and budgets. The solution's real-time intelligence and risk analytics capabilities assist in identifying emerging threats, providing valuable insights for proactive cybersecurity measures.
2025-12-02 11:02:30 thehackernews NATION STATE ACTIVITY Iranian MuddyWater Group Targets Israeli Sectors with MuddyViper Backdoor
Iranian nation-state actors, MuddyWater, have launched targeted attacks on Israeli sectors, deploying a new backdoor named MuddyViper, affecting academia, engineering, local government, and more. The campaign also targeted an Egyptian technology firm, illustrating the group's broader regional focus beyond Israel. Techniques include spear-phishing and exploiting VPN vulnerabilities, with MuddyViper enabling system information collection, file execution, and credential exfiltration. The attack chain involves using legitimate remote desktop tools and a loader called Fooder to decrypt and execute the backdoor. The Israel National Cyber Directorate reports MuddyWater's focus on local authorities, civil aviation, and telecommunications, posing a threat to critical infrastructure. ESET's analysis indicates an evolution in MuddyWater's operational maturity, with new components enhancing stealth and persistence. The campaign reflects ongoing geopolitical tensions and the strategic targeting of key sectors by Iranian cyber espionage groups.
2025-12-02 07:18:42 thehackernews VULNERABILITIES Google Releases December 2025 Android Security Patch for 107 Flaws
Google has issued a security update for Android, addressing 107 vulnerabilities, including two high-severity flaws currently being exploited in the wild. The vulnerabilities span multiple components such as Framework, System, and Kernel, with contributions from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unison. Details on the nature of the attacks exploiting these vulnerabilities remain undisclosed, but Google notes potential limited, targeted exploitation. A critical Framework vulnerability (CVE-2025-48631) could allow remote denial-of-service attacks without requiring additional execution privileges. The update introduces two patch levels, 2025-12-01 and 2025-12-05, enabling manufacturers to expedite addressing universal vulnerabilities. Users are urged to update their devices promptly to mitigate potential risks associated with these vulnerabilities. This release follows Google's recent efforts to patch actively exploited flaws in the Linux Kernel and Android Runtime, highlighting ongoing security challenges.
2025-12-02 03:26:26 theregister MISCELLANEOUS India Mandates Pre-Installation of Anti-Fraud App on Smartphones
India has directed smartphone manufacturers to pre-install the "Sanchar Saathi" app on all devices sold in the country within 90 days to combat telecom fraud. The app, developed by the Department of Telecommunications, enables users to report suspicious calls and messages, including those on platforms like WhatsApp. Key features include blocking lost or stolen devices from accessing mobile networks and verifying handset authenticity through IMEI checks. The initiative aims to enhance telecom security and address issues with spoofed or tampered IMEIs, prevalent in India's large second-hand mobile market. Concerns have been raised about privacy, as the app can access call logs and messages, sharing data with the government when fraud is reported. The directive reflects India's broader strategy of integrating government apps into daily life, similar to the Aadhaar identity service and Unified Payments Interface. Industry response is pending, though past regulatory pushes have seen resistance from tech companies, highlighting potential challenges in implementation.
2025-12-01 21:08:35 bleepingcomputer MALWARE Glassworm Malware Resurfaces in VS Code Extension Marketplaces
Glassworm malware has reappeared in the OpenVSX and Microsoft Visual Studio marketplaces, introducing 24 new malicious packages targeting developers. Initially identified by Koi Security, Glassworm conceals its code using invisible Unicode characters, making detection difficult during code reviews. The malware aims to steal sensitive information, including GitHub, npm, and cryptocurrency wallet data, and deploys a SOCKS proxy for malicious traffic routing. Researchers discovered Glassworm's evolution, now using Rust-based implants within extensions, and continuing to manipulate download counts to enhance legitimacy. Secure Annex's John Tuckner identified the malware's broad targeting of popular developer frameworks such as Flutter, React Native, and Vue. Despite previous containment efforts, Glassworm has returned, prompting further investigation and response from OpenVSX and Microsoft. The ongoing threat of Glassworm underscores the need for robust security measures in software marketplaces to protect developers and their environments.
2025-12-01 19:20:46 theregister MALWARE ShadyPanda Campaign Infects Millions via Malicious Browser Extensions
A seven-year campaign by ShadyPanda infected 4.3 million Chrome and Edge users with malware, utilizing extensions to deploy backdoors and spyware. These extensions initially appeared legitimate, gaining trust with high install counts and favorable reviews before deploying malicious updates. The malware facilitated extensive surveillance, capturing browsing data, injecting content, and executing remote code with full browser API access. Despite removal from Chrome and Edge stores, the infrastructure for potential attacks remains active on infected browsers. Google confirmed the removal of these extensions from its store, while Microsoft has not commented on their status in the Edge marketplace. The campaign's success highlights vulnerabilities in extension review processes, where updates are not continuously monitored post-approval. ShadyPanda's activities include earlier campaigns that monetized user data through affiliate tracking and browser hijacking. The ongoing threat emphasizes the need for improved oversight and security measures in browser extension marketplaces.
2025-12-01 18:56:26 bleepingcomputer MALWARE SmartTube Android TV App Compromised, Malicious Update Deployed
The SmartTube YouTube client for Android TV was compromised after an attacker accessed the developer's signing keys, leading to a malicious update. Users reported Play Protect blocking SmartTube, indicating a risk, prompting the developer to acknowledge the breach and plan a new version release. The compromised app version 30.51 contains a suspicious library, libalphasdk.so, which fingerprints devices and communicates with a remote backend without user awareness. Although no direct malicious activities such as account theft have been reported, the potential for such activity remains significant. Developer Yuriy Yuliskov has announced safe beta and stable test builds but has not yet updated the official GitHub repository, causing trust issues. Users are advised to use older safe builds, avoid logging in with premium accounts, and disable auto-updates until a detailed post-mortem is available. Affected users should reset Google Account passwords, check for unauthorized access, and remove unrecognized services to mitigate risks. The exact timeline of the breach and which app versions are safe remain unclear, pending further investigation and communication from the developer.
2025-12-01 18:03:41 theregister CYBERCRIME Global Crackdown on Cybercrime Targets IP Cameras, Wi-Fi, and Dark Web
South Korean authorities arrested four individuals for compromising over 120,000 IP cameras, targeting sensitive locations to create and sell illicit videos online. The suspects exploited weak factory passwords to access cameras, earning significant profits from selling footage on an undisclosed website. Australian Federal Police sentenced a man to over seven years for creating fake Wi-Fi networks at airports, stealing credentials to access victims' accounts and personal data. The Australian offender attempted to erase digital evidence and improperly accessed his employer's systems during the investigation. In England, a man was sentenced for running a dark web drug operation, distributing various illegal substances from his rural home. Authorities emphasize the importance of robust password practices and caution when using public Wi-Fi to prevent such cyber threats. These cases illustrate the global reach and diverse methods of cybercriminals, necessitating coordinated international law enforcement efforts.