Daily Brief


Total articles found: 11783


2025-09-20 17:17:19 bleepingcomputer CYBERCRIME Canadian Police Dismantle TradeOgre, Seize $40 Million in Cryptocurrency
The Royal Canadian Mounted Police (RCMP) has shut down TradeOgre, a cryptocurrency exchange, seizing over $40 million linked to suspected criminal activities. This action marks Canada's first closure of a crypto exchange by law enforcement and its largest asset seizure to date. TradeOgre was known for prioritizing user privacy, dealing in niche altcoins, and supporting Monero, a cryptocurrency favored for its anonymity. The platform did not comply with Canadian regulations, failing to register with FINTRAC or implement Know Your Customer (KYC) policies. The investigation, initiated by a Europol tip, began in June 2024, leading to the platform's shutdown in July, initially sparking exit scam suspicions. The RCMP acknowledged that not all seized cryptocurrencies may be linked to illegal activities, offering non-criminal users potential legal recourse. The case underscores the challenges of balancing privacy in cryptocurrency exchanges with compliance and anti-money laundering efforts.
2025-09-20 07:10:56 thehackernews MALWARE LastPass Exposes macOS Atomic Infostealer in Fake GitHub Repositories
LastPass has identified a campaign targeting macOS users through fake GitHub repositories distributing the Atomic infostealer malware, posing as legitimate tools. The campaign impersonates popular applications like 1Password, Dropbox, and Shopify, aiming to deceive users into downloading malicious software. Attackers use SEO poisoning to elevate malicious GitHub links in Bing and Google search results, directing users to download malware. The GitHub pages, created under multiple usernames, circumvent takedown efforts and redirect users to execute commands deploying the malware. The Atomic Stealer malware is delivered through ClickFix-style instructions, exploiting macOS Terminal to establish remote server connections. Similar tactics have been used in past campaigns, leveraging Google Ads and bogus repositories to distribute multi-stage droppers. Organizations are advised to enhance monitoring of repository activities and educate users on recognizing suspicious download prompts.
2025-09-20 05:51:55 thehackernews MALWARE SentinelOne Reveals MalTerminal: First LLM-Enabled Malware Discovery
SentinelOne's SentinelLABS has identified MalTerminal, the earliest known malware integrating Large Language Model (LLM) capabilities, as presented at LABScon 2025. MalTerminal utilizes OpenAI's GPT-4 to dynamically generate ransomware or a reverse shell, marking a new category of LLM-embedded malware. The malware includes Python scripts and a Windows executable, suggesting its potential as a proof-of-concept or red team tool, with no confirmed wild deployment. Researchers noted the malware's use of a deprecated OpenAI API endpoint, indicating its creation before November 2023. LLM integration in malware represents a significant shift in cyber threat tactics, complicating detection and response efforts for cybersecurity teams. Concurrently, StrongestLayer reported advanced phishing techniques using LLMs to bypass AI security scanners, exploiting vulnerabilities like Follina (CVE-2022-30190). The rise in AI-driven cyber threats underscores the need for enhanced defensive strategies to counteract sophisticated adversary tactics.
2025-09-20 05:34:59 thehackernews VULNERABILITIES ShadowLeak Exploits Zero-Click Flaw in ChatGPT Deep Research Agent
Cybersecurity researchers identified a zero-click flaw in OpenAI's ChatGPT Deep Research agent, named ShadowLeak, potentially exposing Gmail inbox data through a single crafted email. The attack leverages an indirect prompt injection hidden in the email's HTML, which goes unnoticed by the user and abuses OpenAI's cloud infrastructure to leak data. OpenAI addressed the vulnerability in August 2025 after responsible disclosure in June, highlighting the need for robust security measures in AI integrations. The flaw extends to any connector supported by ChatGPT, including Google Drive and Microsoft Outlook, significantly expanding the potential attack surface. Unlike previous client-side attacks, ShadowLeak operates within OpenAI's cloud, evading traditional security defenses and complicating detection efforts. The incident emphasizes the importance of securing AI systems against indirect prompt injections and maintaining vigilance in AI-driven environments. This case also underlines the necessity for continuous security assessments and red teaming to protect against evolving AI vulnerabilities.
2025-09-19 18:26:03 theregister VULNERABILITIES ChatGPT's CAPTCHA Bypass Raises Concerns Over AI Security Measures
Researchers demonstrated that ChatGPT can be manipulated to solve CAPTCHA puzzles, challenging the reliability of this security mechanism designed to differentiate humans from bots. Using creative prompts, researchers bypassed ChatGPT's policy restrictions, enabling it to solve various CAPTCHA types, including one-click and logic-based challenges. The AI showed difficulty with more complex image-based CAPTCHAs, indicating some limitations in its current capabilities. This breakthrough raises questions about the future effectiveness of CAPTCHAs as a security measure against advanced AI systems. OpenAI has not yet commented on these findings, which suggest potential vulnerabilities in AI policy enforcement. The incident is part of a broader trend where AI systems are tricked into performing actions outside their intended scope, highlighting the need for robust guardrails. Recent examples include prompt injections affecting other AI tools, prompting companies like Amazon to address security flaws promptly.
2025-09-19 17:24:42 theregister VULNERABILITIES CISA Warns of Ivanti EPMM Flaws Exploited by Unknown Attackers
The US Cybersecurity and Infrastructure Security Agency (CISA) reported exploitation of two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), used to plant malware in an unnamed organization. The exploited vulnerabilities, CVE-2025-4427 and CVE-2025-4428, involve an authentication bypass and a post-authentication remote code execution flaw, respectively, allowing attackers to hijack systems. Attackers deployed two malware sets, with loaders that enable arbitrary code execution by intercepting and processing specific HTTP requests on compromised servers. The malware was delivered in segmented, Base64-encoded forms via separate HTTP GET requests, complicating detection and bypassing signature-based security tools. CISA released indicators of compromise (IOCs) and advised organizations to update to the latest Ivanti EPMM version and treat mobile device management systems as high-value assets. Australia's intelligence agency has alerted large organizations and government entities to potential threats targeting these vulnerabilities, suggesting a broader risk landscape. The incident underscores the critical need for timely patch management and enhanced monitoring of mobile device management systems to mitigate potential threats.
2025-09-19 16:51:23 bleepingcomputer CYBERCRIME FBI Alerts Public to Fake Crime Reporting Website Scams
The FBI has issued a warning about cybercriminals creating fake websites mimicking its Internet Crime Complaint Center (IC3) to conduct financial scams and steal personal information. These spoofed websites often use slight domain alterations to deceive users, potentially collecting sensitive data such as names, addresses, and banking details. Examples of such fraudulent domains include icc3[.]live and ic3a[.]com, which mimic the official IC3 site to mislead visitors. The FBI advises users to manually enter www.ic3.gov in browsers and avoid search engine results that could lead to phishing sites. The agency emphasizes that IC3 or FBI personnel will not contact individuals directly to recover funds or request payments for such services. This warning follows a broader trend of scammers impersonating law enforcement, with recent arrests in Spain for similar fraudulent activities. Users are urged to protect their personal information and remain vigilant against unsolicited requests for financial transactions or personal data sharing.
2025-09-19 16:12:53 thehackernews NATION STATE ACTIVITY Iranian Cyber Espionage Targets Telecoms via LinkedIn and MINIBIKE Malware
Iranian-linked group UNC1549, associated with the IRGC, infiltrated 34 devices in 11 telecom firms across Canada, France, the UAE, the UK, and the US using LinkedIn job lures. The campaign, tracked as Subtle Snail, involved posing as HR representatives to deliver the MINIBIKE backdoor, exploiting Azure cloud services to avoid detection. Targets included researchers, developers, and IT administrators, with a focus on long-term espionage and data exfiltration within the telecommunications and aerospace sectors. Attackers utilized spear-phishing and fake recruitment drives, leveraging LinkedIn to identify and engage potential victims, leading to malware deployment via fraudulent domains. The MINIBIKE backdoor was loaded through DLL side-loading, enabling system reconnaissance, credential theft, and data exfiltration while using advanced evasion techniques to resist detection. The campaign's sophistication and tailored approach underscore the persistent threat posed by state-sponsored cyber espionage, impacting critical infrastructure and sensitive data. Concurrently, MuddyWater, another Iranian group, shifted tactics to bespoke malware, reducing reliance on RMM tools and expanding operations to Europe and the US.
2025-09-19 15:47:43 bleepingcomputer MALWARE CISA Analyzes Malware Exploiting Ivanti EPMM Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an analysis on malware used in attacks exploiting Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities. The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, involve an authentication bypass and a code injection flaw, affecting several Ivanti EPMM versions. Ivanti addressed these issues on May 13, but threat actors had already exploited them as zero-day vulnerabilities against a limited number of clients. EclecticIQ linked the exploitation to a China-nexus espionage group, which has been leveraging these vulnerabilities since at least May 15. CISA's report focuses on the technical aspects of the malware, detailing the use of HTTP GET requests for malicious command execution. The malware was delivered in segmented, Base64-encoded chunks, allowing attackers to execute arbitrary code and conduct reconnaissance. CISA provided indicators of compromise, YARA rules, and a SIGMA rule to assist organizations in detecting similar attacks. Organizations are urged to patch affected systems immediately and treat mobile device management systems as high-value assets requiring enhanced security measures.
2025-09-19 14:39:36 theregister VULNERABILITIES Critical Vulnerability Found in Fortra's GoAnywhere MFT Software
Fortra has disclosed a critical vulnerability, CVE-2025-10035, in its GoAnywhere MFT product, rated 10/10 in severity, potentially leading to command injection attacks. The flaw lies in the deserialization process within the License Servlet, allowing attackers to execute arbitrary commands if they forge a valid license response signature. This vulnerability follows a similar issue, CVE-2023-0669, which was exploited by ransomware groups like LockBit and Black Basta, highlighting ongoing risks. Fortra advises customers to upgrade to patched versions 7.8.4 or 7.6.3, or ensure the admin console is not exposed to the internet to mitigate risks. While Fortra has not confirmed active exploitation, security researchers warn that exploitation in the wild is likely, urging immediate patching. Managed file transfer applications remain prime targets for cybercriminals due to their potential access to sensitive data, underscoring the importance of timely patch management. The incident serves as a reminder of the critical need for robust security practices and proactive vulnerability management in software solutions.
2025-09-19 14:29:12 thehackernews MALWARE SystemBC Malware Fuels Expansive REM Proxy Network Operations
SystemBC malware is driving the REM Proxy network, affecting approximately 1,500 virtual private servers daily across 80 command-and-control servers. The malware transforms infected systems into SOCKS5 proxies, facilitating communication with C2 servers and downloading additional payloads. SystemBC targets both Windows and Linux systems, with a focus on corporate networks, cloud servers, and IoT devices. Nearly 80% of the compromised systems are VPSs, exploited due to numerous unpatched security vulnerabilities, including critical CVEs. The botnet's infrastructure supports high-volume malicious traffic, aiding various criminal groups and proxy services, including those in Russia and Vietnam. The malware's expansion strategy involves brute-forcing WordPress credentials, aiming to sell harvested data on underground forums. SystemBC's sustained activity and adaptability highlight its role as a persistent threat, evolving from ransomware facilitation to bespoke botnet assembly and sale.
2025-09-19 14:29:12 bleepingcomputer VULNERABILITIES Critical Vulnerability in GoAnywhere MFT Requires Immediate Attention
Fortra has issued patches for a critical vulnerability in GoAnywhere MFT's License Servlet, tracked as CVE-2025-10035, which could enable command injection attacks. The flaw arises from a deserialization weakness, allowing remote exploitation with low complexity and no user interaction required. GoAnywhere MFT is a secure file transfer tool used by over 9,000 organizations, making it a significant target for threat actors. Fortra swiftly developed patches, releasing GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3, and advised removing public internet access to the Admin Console. The vulnerability's exploitation risk is heightened if systems are exposed online; over 470 instances are currently monitored for exposure. Although active exploitation has not been confirmed, the Clop ransomware gang previously exploited a similar flaw, impacting over 130 organizations. IT administrators are urged to apply updates promptly and review system configurations to mitigate potential unauthorized access.
2025-09-19 14:20:14 thehackernews VULNERABILITIES Fortra Issues Critical Patch for Severe GoAnywhere MFT Vulnerability
Fortra has announced a critical vulnerability in its GoAnywhere Managed File Transfer software, identified as CVE-2025-10035, with a maximum CVSS score of 10.0. The flaw involves a deserialization issue in the License Servlet, allowing potential command injection through a forged license response signature. Exploitation requires the system to be publicly accessible over the internet, prompting urgent patching to version 7.8.4 or Sustain Release 7.6.3. Fortra advises restricting public access to the GoAnywhere Admin Console if immediate patching is not feasible to mitigate risks. Previous vulnerabilities in the same product were exploited by ransomware actors, raising concerns about potential weaponization of this new flaw. Security experts warn that with many GoAnywhere MFT instances exposed online, organizations should act swiftly to apply patches and limit external access. No current reports indicate active exploitation, but the history of similar vulnerabilities suggests a high likelihood of future attacks.
2025-09-19 14:10:23 thehackernews CYBERCRIME Surge in Phishing-as-a-Service Attacks Targets Global Brands
Over 17,500 phishing domains linked to Lighthouse and Lucid PhaaS have targeted 316 brands across 74 countries, impacting various industries including financial, governmental, and postal sectors. The PhaaS platforms offer customizable templates and real-time victim monitoring, with prices ranging from $88 weekly to $1,588 annually, facilitating large-scale phishing campaigns. The XinXin group, a Chinese-speaking threat actor, is associated with Lucid, while Lighthouse operates independently yet shares infrastructure and targeting patterns with Lucid. Recent trends show a shift from Telegram to email for credential harvesting, with a 25% increase in email-based phishing, leveraging services like EmailJS for data collection. Phishing tactics include homoglyph attacks using Japanese characters to mimic legitimate domains, deceiving users into installing malicious software targeting cryptocurrency wallets. Scams exploiting American brand identities have surfaced, requiring victims to deposit cryptocurrency under the guise of job opportunities, illustrating the financial motivation behind these attacks. The federated nature of email complicates takedown efforts, as each address must be individually reported, posing challenges for cybersecurity defenses.
2025-09-19 14:02:46 bleepingcomputer CYBERCRIME Ransomware Resilience Declines as Double Extortion Tactics Prevail
Picus Security's Blue Report 2025 reveals a decline in ransomware prevention effectiveness, dropping from 69% in 2024 to 62% in 2025, highlighting increased vulnerability. Double extortion tactics, involving both data encryption and theft, have become standard, with some groups now focusing solely on data theft to evade detection. Data exfiltration prevention rates plummeted to 3%, exposing organizations to heightened risk during the critical stages of ransomware attacks. Emerging ransomware strains such as FAUST, Valak, and Magniber are bypassing defenses as effectively as well-known families like BlackByte and BabLock. Breach and Attack Simulation (BAS) is emphasized as a critical tool for continuously validating organizational defenses against evolving ransomware threats. The report stresses the importance of moving beyond assumptions of security readiness to proven resilience through continuous testing and validation. Organizations are urged to adopt BAS to identify and rectify weaknesses in their cybersecurity posture, ensuring preparedness against both established and new ransomware threats.