Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-12-01 18:03:40 | thehackernews | CYBERCRIME | India Mandates Pre-Installation of Anti-Fraud App on New Mobile Devices | India's telecommunications ministry mandates pre-installation of the Sanchar Saathi app on all new mobile devices within 90 days to combat telecom fraud and enhance cybersecurity. The app, which cannot be removed or disabled, enables users to report fraud, spam, and malicious links, block stolen handsets, and check the mobile connections registered under their name. A key feature allows reporting of international calls disguised as domestic, aiding government action against illegal telecom setups that threaten national security. Since its May 2023 launch, the app has been installed over 11.4 million times, blocking 4.2 million lost devices and recovering over 723,000. The directive requires manufacturers to add the app to phones already in the supply chain, addressing threats such as spoofed IMEI numbers used in scams. This move aligns India with countries like Russia, which also mandates pre-installed apps for cybersecurity, though critics raise concerns over potential user tracking. The initiative reflects a growing global trend of government-led cybersecurity measures amid increasing telecom fraud and security threats. |
| 2025-12-01 17:36:22 | thehackernews | MALWARE | ShadyPanda Converts Browser Extensions into Spyware Affecting Millions | ShadyPanda, a threat actor, turned legitimate browser extensions into spyware, impacting over 4.3 million users globally, according to Koi Security's report. Five extensions, initially verified by Google, were modified in mid-2024 to execute remote code, exfiltrating browsing data and monitoring user activity. The extensions engaged in affiliate fraud by injecting tracking codes on e-commerce sites, generating illicit commissions from user purchases. The attack evolved to include browser hijacking, redirecting search queries through a known hijacker site, and exfiltrating cookies for profit. The extensions used extensive obfuscation and adversary-in-the-middle techniques, enabling credential theft and session hijacking without raising user suspicion. Despite the removal of some extensions, others such as WeTab remain available, continuing to facilitate comprehensive surveillance of user activity. Users are advised to uninstall affected extensions and change credentials to mitigate potential data breaches and unauthorized access. The campaign underscores the need for continuous monitoring of browser extensions after approval, to prevent exploitation through trusted update mechanisms. |
| 2025-12-01 16:32:09 | bleepingcomputer | DATA BREACH | Coupang Data Breach Exposes Personal Information of 33.7 Million Customers | Coupang, South Korea's largest retailer, experienced a data breach affecting 33.7 million customers, exposing personal data such as names, phone numbers, and addresses. The breach was discovered on November 18, 2025, though the unauthorized access occurred on June 24, 2025, indicating a significant delay in detection. Payment information such as credit card data, as well as passwords, was reportedly not compromised during the breach, limiting financial exposure for customers. Coupang has informed relevant authorities, including the National Police Agency and the Personal Information Protection Commission, and is notifying affected customers via email and SMS. The breach reportedly involved a former employee exploiting unrevoked access tokens, although these details remain unconfirmed by all sources. This incident marks the second major cybersecurity breach in South Korea this year, following a similar large-scale event at SK Telecom. Customers are advised to be vigilant against phishing attempts and communications impersonating Coupang, as the breach increases the risk of social engineering attacks. |
| 2025-12-01 15:37:36 | bleepingcomputer | CYBERCRIME | Insider Threats: Cybercriminals Impersonating Employees to Breach Data | Cybercriminals are posing as cybersecurity and IT professionals to gain insider access, manipulating the hiring process to infiltrate organizations and reach sensitive data. These imposters create fake personas using deepfake technology and fabricated resumes, exploiting remote work environments to bypass traditional identity verification. The primary objectives of these fake workers include data theft, financial fraud, and cyber espionage, posing significant risks to company reputation and compliance. North Korean operatives have been identified using fake identities to secure remote tech jobs, generating illicit revenue and exfiltrating sensitive information. Companies are advised to implement multi-factor identity validation, thorough background checks, and secure onboarding protocols to mitigate these threats. Advanced technical controls such as network segmentation, user activity monitoring, and hardware-based multi-factor authentication are recommended to enhance security. Managed Service Providers face heightened risk because of their access to multiple client systems, necessitating stringent security measures and tailored incident response plans. Continuous security awareness training and vigilance for warning signs can help organizations protect against these sophisticated insider threats. |
| 2025-12-01 15:08:53 | bleepingcomputer | MALWARE | ShadyPanda Browser Extensions Exploit 4.3 Million Users with Malware | ShadyPanda, a long-running malware campaign, has infected over 4.3 million users through Chrome and Edge browser extensions that initially appeared to be legitimate productivity tools. Koi Security discovered the operation, which evolved in phases, introducing spyware capabilities into extensions that initially seemed harmless. The campaign includes 145 extensions, with 125 on Edge and 20 on Chrome; Google has removed these from its store, but some remain on the Edge platform. Extensions engaged in affiliate fraud by injecting tracking codes into e-commerce links, generating illicit revenue from user purchases. A backdoor was introduced in 2024, enabling remote code execution and AES-encrypted exfiltration of data including browsing URLs and user identifiers. The campaign's final phase involves five Edge extensions with 4 million installs in total, whose spyware components send data to 17 domains in China. Users are advised to uninstall these extensions and reset passwords to mitigate potential security risks, as the campaign remains active on Microsoft Edge. |
| 2025-12-01 15:00:28 | theregister | CYBERCRIME | Dutch Study Reveals Teen Cybercrime Often Temporary, Driven by Curiosity | A Dutch government report finds that teenage cybercriminals typically abandon illegal activities by age 20, with only a small percentage continuing into adulthood. The study compares teenage cyber offenses to other crimes such as drug and weapon offenses, noting they are among the least common adolescent crimes. Research shows that young cybercriminals often reach peak activity around age 20, though this can vary slightly by decade. Only about 4% of teenage offenders continue cybercriminal activities beyond their early 20s, often because of a sustained interest in technology. The report acknowledges the lack of comprehensive longitudinal data on cybercrime, making it challenging to assess its social cost accurately. The Netherlands faces an annual social cost of €10.3 billion from adolescent crime, with cybercrime contributing significantly despite being hard to quantify. A UK study highlights the economic impact of cybercrime, with major hospital attacks costing approximately £11.14 million annually, underscoring its financial burden. The Dutch government's reluctance to quantify cybercrime costs reflects the complexity of measuring impacts such as intellectual property theft and psychological effects. |
| 2025-12-01 13:18:37 | theregister | DATA BREACH | Coupang Data Breach Exposes Personal Details of 33.7 Million Customers | Coupang, South Korea's largest retail platform, confirmed a breach affecting 33.7 million customers, exposing personal details such as names, emails, phone numbers, and shipping addresses. The breach, initially detected on November 18, was traced back to June 24, with unauthorized access originating from overseas servers and affecting more than half of South Korea's population. Coupang reported the incident to local authorities, including the National Police Agency and the Korea Internet & Security Agency, and has enhanced internal security measures. The breach did not compromise login credentials or payment card details, which remain secure according to Coupang's statement. Local media suggest the breach may involve a former Coupang employee who allegedly used an authentication key that remained active after resignation to leak data. Coupang has warned customers to be vigilant against phishing attempts and issued public apologies for the incident's impact. The breach follows a recent incident involving SK Telecom, highlighting vulnerabilities in South Korea's major commerce and communication sectors. Coupang's response includes engaging an independent security firm to investigate, though the company has not disclosed the firm's identity. |
| 2025-12-01 12:53:25 | thehackernews | MALWARE | Shai-Hulud Worm Targets npm Registry, Compromises Supply Chains | A self-replicating worm named "Sha1-Hulud: The Second Coming" attacked the npm registry, affecting over 800 packages and 27,000 GitHub repositories. The malware aimed to steal sensitive data, including API keys and authentication information, facilitating deeper supply chain compromises. It created GitHub Actions workflows for command-and-control operations and injected malicious payloads into npm packages. By dynamically installing Bun during package installation, the malware evaded traditional defenses focused on Node.js behavior. GitGuardian identified 294,842 secret occurrences, with 3,760 valid secrets, including GitHub tokens and AWS IAM keys. Trigger.dev reported credential theft and unauthorized access to its GitHub organization after the installation of a compromised package. The Python Package Index (PyPI) confirmed it was not impacted by this supply chain incident. |
| 2025-12-01 11:57:40 | thehackernews | VULNERABILITIES | Security Challenges Emerge with New Agentic AI Browsers | The rise of agentic AI browsers marks a shift from passive viewing tools to autonomous digital agents, altering the traditional threat landscape. These AI browsers, such as OpenAI's ChatGPT Atlas, can autonomously execute tasks, requiring elevated privileges that increase exposure. The need for maximum privileges creates a vast attack surface, as AI agents require access to sensitive user data, including session cookies and credentials. Malicious actors can exploit these browsers through prompt injection, bypassing standard security measures such as multi-factor authentication. Traditional security tools struggle to detect threats within AI browsers, as activity occurs locally and is masked by encrypted traffic. Organizations must recognize agentic browsers as a distinct endpoint risk and adapt their security strategies accordingly. Security leaders are encouraged to attend specialized webinars to gain insights into securing AI browsers and mitigating the associated risks. |
| 2025-12-01 11:49:28 | theregister | DATA BREACH | French Football Federation Data Breach Compromises Player Information | The French Football Federation (FFF) experienced a data breach through a compromised account, affecting its member management software and exposing player data. The breach involved unauthorized access to personal information, including names, birth details, contact information, and license numbers of members. The FFF swiftly disabled the compromised account, reset all user passwords, and secured the software to prevent further unauthorized access. No financial or national identity data was compromised, minimizing potential financial fraud risks for affected individuals. The FFF has filed a criminal complaint and informed the French cybersecurity and data protection authorities, ANSSI and CNIL, to address the incident. Members have been advised to exercise caution with emails claiming to be from the FFF, especially those requesting sensitive information or containing attachments. The breach highlights the need for robust cybersecurity measures as the FFF strengthens its defenses against the rising tide of cyber threats. |
| 2025-12-01 09:02:35 | bleepingcomputer | CYBERCRIME | International Operation Shuts Down Cryptomixer Cryptocurrency Laundering Service | Swiss and German authorities dismantled Cryptomixer, a cryptocurrency mixing service, seizing three servers and €24 million in Bitcoin, with support from Europol and Eurojust. Cryptomixer was used by cybercriminals to obscure the origins of funds, aiding activities such as ransomware, drug trafficking, and payment card fraud. The service operated on both the clear and dark web, providing anonymity by pooling and redistributing cryptocurrency to hinder traceability. This action follows a similar takedown of ChipMixer in March 2023, in which authorities seized servers and $46.5 million in Bitcoin. Crypto mixers are often used by criminals to launder funds before converting them into fiat currency, despite having some legitimate applications. The crackdown on crypto mixers continues globally, with recent legal actions against operators of similar services such as Samourai Wallet and Blender.io. These efforts aim to disrupt the financial infrastructure supporting cybercrime and improve the traceability of illicit cryptocurrency transactions. |
| 2025-12-01 08:52:43 | thehackernews | MALWARE | Albiriox Malware-as-a-Service Targets Banking and Financial Apps | Albiriox, a new Android malware, is offered as a malware-as-a-service (MaaS) targeting over 400 applications, including banking and financial platforms, for on-device fraud and screen manipulation. The malware employs social engineering tactics and packing techniques to evade detection, distributing its payload through dropper applications that mimic legitimate software updates. Evidence suggests the malware's developers are Russian-speaking, with recruitment initially limited before expanding to a broader MaaS model. Albiriox uses Virtual Network Computing (VNC) and Android accessibility services to control infected devices, bypassing security measures such as FLAG_SECURE protection. The malware's capabilities include credential theft through overlay attacks and remote device control, posing significant risks to financial institutions and their customers. Initial campaigns have specifically targeted Austrian users with fake app listings and SMS lures, using German-language content to enhance credibility. The emergence of Albiriox reflects a growing trend toward the democratization of sophisticated cybercrime tools, widening the threat landscape for mobile users globally. |
| 2025-12-01 05:09:42 | thehackernews | NATION STATE ACTIVITY | Tomiris Adopts Public-Service Implants for Stealthier Government Attacks | Tomiris, a threat actor, has targeted foreign ministries and government entities in Russia, using public services such as Telegram and Discord for command-and-control operations. This tactic aims to disguise malicious traffic as legitimate service activity, complicating detection by security tools. Over 50% of spear-phishing emails used Russian names and text, indicating a focus on Russian-speaking targets, with additional campaigns in Central Asian countries. Attacks use reverse shells, custom implants, and open-source C2 frameworks for post-exploitation, enhancing operational flexibility. Tomiris is linked to the Kazakhstan-based threat actor Storm-0473, with overlaps identified with other threat clusters such as Cavalry Werewolf and Silent Lynx. Phishing emails deliver malicious RAR files containing executables that drop reverse shells, modify the Windows Registry, and establish persistence. The campaign's evolution reflects a focus on stealth, persistence, and strategic targeting of high-value political and diplomatic infrastructure. |
| 2025-12-01 01:58:23 | theregister | DATA BREACH | Massive Data Leak Exposes Over 30 Million South Korean Customers | South Korean authorities are investigating a data breach involving over 30 million customer records from e-commerce giant Coupang, impacting more than half of the country's population. Initially, the breach was thought to affect only 4,600 individuals, but new estimates reveal a far larger scope, including names, email addresses, and physical addresses. The breach raises significant concerns regarding data security practices within Coupang and the e-commerce sector at large, prompting calls for enhanced protective measures. Authorities have yet to disclose the breach's origin, but its scale suggests potential weaknesses in Coupang's data management and security protocols. The incident underscores the critical need for robust cybersecurity frameworks to protect sensitive customer information in the digital marketplace. This breach may lead to increased regulatory scrutiny and potential financial penalties for Coupang, affecting its operational and reputational standing. Businesses are reminded of the importance of regular security audits and updates to safeguard against unauthorized data access and potential breaches. |
| 2025-12-01 00:06:27 | theregister | MISCELLANEOUS | Swiss Government Advises Against SaaS Use Due to Security Concerns | Switzerland's Conference of Data Protection Officers advises public bodies to avoid SaaS and hyperscale cloud services, citing insufficient end-to-end encryption and potential data access by providers. Concerns are raised over the US CLOUD Act, which could expose sensitive Swiss data to foreign access, undermining confidentiality obligations. The resolution criticizes the unilateral amendment of terms by SaaS providers, which could weaken security and privacy measures. Microsoft 365 is specifically mentioned as a service unsuitable for handling sensitive Swiss government data. Security engineer Luke Marshall's GitLab scan uncovered 17,000 live secrets, including thousands of credentials for major cloud services, highlighting significant repository security risks. Strava's updated terms of service warn users about geolocation risks, particularly for those in sensitive roles, following revelations of military and security personnel locations. Leaked documents analyzed by Nariman Gharib reveal Iran's Charming Kitten group's involvement in espionage and assassination operations, emphasizing its growing sophistication. Reports suggest the Israeli military may restrict Android smartphone use among top officials to minimize surveillance threats, opting for iOS devices instead. |