⚡ Weekly Recap: VPN 0-Day, Encryption Backdoor, AI Malware, macOS Flaw, ATM Hack & More

Malware isn’t just trying to hide anymore—it’s trying to belong. We’re seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It’s not just about being malicious—it’s about being believable.

In this week’s cybersecurity recap, we explore how today’s threats are becoming more social, more automated, and far too sophisticated for yesterday’s instincts to catch.

⚡ Threat of the Week

Secret Blizzard Conduct ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are abusing local internet service providers’ networks to target foreign embassies in Moscow and likely collect intelligence from diplomats’ devices. The activity has been attributed to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves using an adversary-in-the-middle (AiTM) position within domestic telecom companies and ISPs that diplomats are using for Internet access to push a piece of malware called ApolloShadow. This indicates that the ISP may be working with the threat actor to facilitate the attacks using the System for Operative Investigative activities (SORM) systems. Microsoft declined to say how many organizations were targeted, or successfully infected, in this campaign.

Inside the 2025 Security Shift: What Every Cloud Leader Must Know Now

Cloud security is shifting fast. Sysdig’s 2025 Cloud Defense Report shows how AI tools like Sysdig Sage™ cut response time by 76%, while runtime security and open source tools like Falco reshape defense. Get insights and strategies to stay ahead.

Get the report ➝

🔔 Top News

• Companies that Employed Hafnium Hackers Linked to Over a Dozen Patents — Threat actors linked to the notorious Hafnium hacking group have worked for companies that registered several patents for highly intrusive forensics and data collection technologies. The findings highlight China’s diverse private sector offensive ecosystem and an underlying problem with mapping tradecraft to a specific cluster, which may not accurately reflect the true organizational structure of the attackers. The fact that the threat actors have been attributed to three different companies shows that multiple companies may be working in tandem to conduct the intrusions and those companies may be providing their tools to other actors, leading to incomplete or misleading attribution. It’s currently not known how the threat actors came to possess the Microsoft Exchange Server flaws that were used to target various entities in a widespread campaign in early 2021. But their close relationship with the Shanghai State Security Bureau (SSSB) has raised the possibility that the bureau may have obtained access to information about the zero-days through some evidence collection method and passed it on to the attackers. The discovery also highlights another important aspect: China-based Advanced Persistent Threats (APTs) may actually consist of different companies that serve many clients owing to the contracting ecosystem, which forces these companies to collaborate on intrusions. In June 2025, Recorded Future revealed that a Chinese state-owned defense research institute filed a patent in late December 2024 that analyzes various kinds of intelligence, including OSINT, HUMINT, SIGINT, GEOINT, and TECHINT, to train a military-specific large language model in order to “support every phase of the intelligence cycle and improve decision-making during military operations.”
• Likely 0-Day SonicWall SSL VPN Flaw Used in Akira Ransomware Attacks — SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. Arctic Wolf Labs said that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day vulnerability, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn’t been ruled out. The development came as watchTowr Labs detailed multiple vulnerabilities in SonicWall SMA 100 Series appliances (CVE-2025-40596, CVE-2025-40597, and CVE-2025-40598) that an attacker could exploit to cause denial-of-service or code execution. “We stumbled across vulnerabilities that feel like they were preserved in amber from a more naïve era of C programming,” security researcher Sina Kheirkhah said. “While we understand (and agree) that these vulnerabilities are ultimately difficult – or in some cases, currently not exploitable – the fact that they exist at all is, frankly, disappointing. Pre-auth stack and heap overflows triggered by malformed HTTP headers aren’t supposed to happen anymore.”
• UNC2891 Breaches ATM Network via 4G Raspberry Pi in Cyber-Physical Attack — The threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack. The cyber-physical attack involved the adversary leveraging their physical access to install the Raspberry Pi device and have it connected directly to the same network switch as the ATM, effectively placing it within the target bank’s network. The end goal of the infection was to deploy the CAKETAP rootkit on the ATM switching server and facilitate fraudulent ATM cash withdrawals. UNC2891 is assessed to share tactical overlaps with another threat actor called UNC1945 (aka LightBasin), which was previously identified compromising managed service providers and striking targets within the financial and professional consulting industries. UNC1945 is also known for its attacks aimed at the telecom sector.
• Active Exploitation of Alone WordPress Theme Flaw — Threat actors are actively exploiting a critical security flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites. The vulnerability, tracked as CVE-2025-5394 (CVSS score: 9.8), is an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been fixed in version 7.8.5 released on June 16, 2025. In the observed attacks, the flaw is averaged to upload a ZIP archive containing a PHP-based backdoor to execute remote commands and upload additional files. Alternatively, the flaw has also been weaponized to deliver fully-featured file managers and backdoors capable of creating rogue administrator accounts.
• Multiple Flaws Patched in AI Code Editor Cursor — Several security vulnerabilities have been addressed in Cursor, including one high-severity bug (CVE-2025-54135 aka CurXecute) that could result in remote code execution (RCE) when processing external content from a third-party model context protocol (MCP) server. “If chained with a separate prompt injection vulnerability, this could allow the writing of sensitive MCP files on the host by the agent,” Cursor said. “This can then be used to directly execute code by adding it as a new MCP server.” Also addressed in Cursor version 1.3 is CVE-2025-54136 (CVSS score of 7.2), which could have allowed attackers to swap harmless MCP configuration files for a malicious command, without triggering a warning. “If an attacker has write permissions on a user’s active branches of a source repository that contains existing MCP servers the user has previously approved, or an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution,” the company said.

‎️‍🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week’s list includes — CVE-2025-7340, CVE-2025-7341, CVE-2025-7360 (HT Contact Form plugin), CVE-2025-54782 (@nestjs/devtools-integration), CVE-2025-54418 (CodeIgniter4), CVE‑2025‑4421, CVE‑2025‑4422, CVE‑2025‑4423, CVE‑2025‑4424, CVE‑2025‑4425, CVE‑2025‑4426 (Lenovo), CVE-2025-6982 (TP-Link Archer C50), CVE-2025-2297 (BeyondTrust Privilege Management for Windows), CVE-2025-5394 (Alone theme), CVE-2025-2523 (Honeywell Experion PKS), CVE-2025-54576 (OAuth2-Proxy), CVE-2025-46811 (SUSE), CVE-2025-6076, CVE-2025-6077, and CVE-2025-6078 (Partner Software).

📰 Around the Cyber World

• Critical RCE in @nestjs/devtools-integration — A critical remote code execution flaw (CVE-2025-54782, CVSS score: 9.4) has been uncovered in @nestjs/devtools-integration, a NestJS npm package downloaded over 56,000 times per week. The package sets up a local development server with an endpoint that executes arbitrary code inside a JavaScript “sandbox” built with node:vm module and the now-abandoned safe-eval, ultimately allowing for execution of untrusted user code in a sandboxed environment, Socket said. Further analysis has found that the sandbox is trivially escapable and because the server is accessible on localhost, any malicious website can trigger code execution on a developer’s machine via CSRF using the inspector/graph/interact endpoint. “Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine,” Nestjs maintainer Kamil Mysliwiec said in an advisory. “By chaining these issues, a malicious website can trigger the vulnerable endpoint and achieve arbitrary code execution on a developer’s machine running the NestJS devtools integration.”
• Attackers Exploit Compromised Email Accounts for Attacks — Threat actors are increasingly using compromised internal or trusted business partner email accounts to send malicious emails to obtain initial access. “Using a legitimate trusted account affords an attacker numerous advantages, such as potentially bypassing an organization’s security controls as well as appearing more trustworthy to the recipient,” Talos said. The disclosure comes as bad actors are also continuing to exploit Microsoft 365’s Direct Send feature to deliver phishing emails that appear to originate from within the organization by using a spoofed internal From address and increases the likelihood of success of social engineering attacks. The messages are injected into Microsoft 365 tenants via unsecured third-party email security appliances used as SMTP relays. “This tactic allows attackers to send malicious payloads to Microsoft 365 users with increased credibility, often resulting in successful delivery despite failed authentication checks,” Proofpoint said.
• Signal Warns it Will Exit Australia Over Encryption Backdoor Push — Signal Foundation president Meredith Whittaker said the secure messaging application will leave Australia if the government forces it to incorporate a backdoor into its encryption algorithm or demand access to encrypted user data. Earlier this year, the U.K. government issued a secret order demanding that Apple allow it access to encrypted user data to assist in investigations, resulting in Apple removing its Advanced Data Protection (ADP) feature for users in the region. While the U.K. government appears to be backing down from its earlier demand, Google told TechCrunch that, unlike Apple, it did not receive any request from the U.K. to build a secret backdoor. This is the first time Google has formally commented on the matter.
• Google Hardens Chrome Extension Supply Chain Against Account Compromise — Google has rolled out a new security feature called Verified CRX Upload for Chrome extension developers that enforces cryptographic signatures for all Chrome extension updates and prevents bad actors from compromising developer accounts and publishing malicious updates to the Chrome Web Store (CWS). The security protection is also designed to address scenarios where CWS code reviews may not always flag such malicious attacks. “When opting an extension into Verified CRX Upload, the developer gives Google a public key. After that, the developer can no longer upload unsigned ZIP files for that extension and must instead upload a CRX file signed with the corresponding private key,” Google said [PDF]. “Verified upload acts as a second factor for the act of uploading to CWS. A malicious actor who compromises a developer’s account password, session cookies, or even an OAuth token, would not be able to upload a malicious update unless they also gain access to the developer’s private signing key.”
• Kimsuky Targets South Korea with Stealer Malware — The North Korea-linked Kimsuky hacking group has been linked to a spear-phishing campaign that targets South Korean entities using Windows shortcut (LNK) files as an initial access vector to trigger a multi-stage infection chain to deploy a keylogger, information stealer, establish persistent control over compromised hosts, and deliver unknown next-stage payloads. In parallel, users are displayed with lure PDF documents related to tax notices and government alerts about alleged sex offenders in the area. “Once inside, the malware performs extensive system profiling, steals credentials and sensitive documents, monitors user activity through keylogging and clipboard capture, and exfiltrates data in discreet segments over standard web traffic—helping it blend into normal network operations,” Aryaka said.
• Apple macOS Flaw Can Bypass TCC — Attackers could have used a recently patched macOS vulnerability to bypass Transparency, Consent, and Control (TCC) security checks and steal sensitive user information from locations such as the Downloads directory and Apple Intelligence caches. The flaw, dubbed Sploitlight by Microsoft and tracked as CVE-2025-31199, was addressed by Apple with the release of macOS Sequoia 15.4 in March 2025. The attack is so named because it exploits Spotlight plugins called importers, which are used to index data found on a device and surface it via its built-in search tool. Sploitlight turns these plugins into a TCC bypass, allowing valuable data to be leaked without a user’s consent.
• Improved Version of XWorm Spotted — A new version of a remote access trojan called XWorm (version 6.0) has been discovered with new features such as process protection and enhanced anti-analysis capabilities, indicating continued attempts by the developers to iterate and refine their tactics. The starting point of the attack is a Visual Basic Script that’s likely delivered to targets via social engineering, which then proceeds to set up persistence on the host via Windows Registry (as opposed to scheduled tasks in the previous version), although it’s important to note that the builder offers three different methods, including the aforementioned techniques and the adding the payload to the Startup folder. It’s also designed to run a PowerShell script that includes the ability to bypass Antimalware Scan Interface (AMSI) via in-memory modification of “clr.dll” to sidestep detection. Some of the new features observed in the latest version of XWorm are its ability to prevent process termination by marking itself as a critical process and killing itself if the compromised host is running Windows XP.
• Mozilla Warns Add-ons Devs Against Phishing Attack — Browser maker Mozilla is warning of a phishing campaign targeting its Firefox Add-ons infrastructure that aims to trick developers into parting with their account credentials as part of emails containing messages like “Your Mozilla Add-ons account requires an update to continue accessing developer features” that are designed to provoke engagement. The disclosure follows the emergence of bogus Firefox add-ons that masquerade as TronLink, Solflare, Rabby Wallet and are designed to steal cryptocurrency wallet secrets, security researcher Lukasz Olejnik said.
• New Stealer Malware Dissected — Cybersecurity researchers have detailed three new stealer malware families called Cyber Stealer, Raven Stealer, and SHUYAL Stealer that combine extensive credential theft capabilities with advanced system reconnaissance and evasion tactics. “Beyond credential theft, SHUYAL captures system screenshots and clipboard content, exfiltrating this data alongside stolen Discord tokens through a Telegram bot infrastructure,” Hybrid Analysis said. “The malware maintains operational stealth through self-deletion mechanisms, removing traces of its activity using a batch file after completing its primary functions.” Cyber Stealer, for its part, maintains communication with its command-and-control (C2) server through heartbeat checks, XMR miner configuration, task checks, and data exfiltration. It also comes with a clipper, remote shell, reverse proxy, DDoS, XMR mining, and DNS poisoning capabilities based on the subscription tier chosen by a customer. “The C2 URL can be dynamically updated through Pastebin, with a hardcoded backup URL if that fails,” eSentire said. While there are a number of stealers on the cybercrime scene already, the emergence of new stealers demonstrates the lucrative nature of such tools to enable data theft at scale. The third new infostealer malware is Raven Stealer, which is actively distributed through GitHub repositories and promoted via a Telegram channel operated by the threat actors. The stealer is consistent with other stealers, facilitating credential theft, browser data harvesting, and real-time data exfiltration via Telegram bot integration.
• NOVABLIGHT Node.js Stealer Spotted in the Wild — Developed and sold by the Sordeal Group, a threat actor demonstrating French-language proficiency, NOVABLIGHT is marketed as an “educational tool” on platforms like Telegram and Discord from €25 for a month to €140 for six months ($28 to $162). However, this aspect masks its true intent: A modular, feature-rich NodeJS-based malware built on the Electron framework, designed to steal sensitive information, including login credentials and cryptocurrency wallet data. The malware is said to be distributed via fake websites advertising video game installers. “NOVABLIGHT is a modular and feature-rich information stealer built on Node.js with the Electron framework,” Elastic Security Labs said. “Its capabilities go beyond simple credential theft, incorporating methods for data collection and exfiltration, sandbox detection, and heavy obfuscation.”
• $3.5B LuBian Bitcoin Theft Goes Undetected for Nearly Five Years — A previously undisclosed theft of 127,426 Bitcoin, valued at $3.5 billion at the time (presently approximately $14.5 billion), has been traced back to a December 2020 attack on a little-known Chinese mining pool called LuBian, making it as the largest cryptocurrency theft to date, surpassing the $1.5 billion Bybit hack that occurred in February 2025. “They appear to have been first hacked on December 28th, 2020, for over 90% of their BTC,” Arkham Intelligence said. “Subsequently, on December 29th, around $6M of additional BTC and USDT was stolen from a Lubian address active on the Bitcoin Omni layer. On the 31st, LuBian rotated their remaining funds to recovery wallets.” It’s believed that the unknown attackers may have exploited a flawed private key generation algorithm that left it susceptible to brute-force attacks. “LuBian preserved 11,886 BTC, currently worth $1.35B, which they still hold,” Arkham said. “The hacker also still holds the stolen BTC, with their last known movement being a wallet consolidation in July 2024.” Neither LuBian nor the suspected hacker has ever publicly acknowledged the breach.
• Russia Blocks Access to Speedtest — Russia blocked access to Speedtest, a popular internet speed testing tool developed by U.S. company Ookla, claiming the service poses a national security threat and could aid cyber attacks. The restriction is due to the “identified threats to the security of the public communication network and the Russian segment of the internet,” Roskomnadzor, country’s communications watchdog, said, adding it “collects data on the layout and capacity of Russian communications nodes” that could be used to “plan, conduct, and assess attacks on Russian networks and related systems.”
• CISA Releases Thorium — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the public availability of Thorium, an open-source platform for malware and forensic analysts across the government, public, and private sectors. “Thorium enhances cybersecurity teams’ capabilities by automating analysis workflows through seamless integration of commercial, open-source, and custom tools,” CISA said. “It supports various mission functions, including software analysis, digital forensics, and incident response, allowing analysts to efficiently assess complex malware threats.” The agency has also released the Eviction Strategies Tool, which helps security teams during the incident response by providing the necessary actions to contain and evict adversaries from compromised networks and devices.
• Russian Entities Targeted to Deploy Cobalt Strike — The Russian information technology (IT) sector, and to a certain extent companies in China, Japan, Malaysia, and Peru, has been at the receiving end of a spear-phishing email campaign that delivers the Cobalt Strike Beacon by means of intermediate payloads that reach out to fake profiles on social media platforms to obtain the URL hosting the post-exploitation toolkit. The accounts, created on GitHub, Quora, and Russian-language social networks, are said to have been created specifically for the attacks and act as dead drop resolvers to facilitate operational resiliency. The activity was first recorded in the second half of 2024, reaching its peak in November and December. The campaign has not been attributed to any known threat actor or group.
• APT36 Targets Indian Railways, Oil & Gas Sectors — A suspected Pakistani threat actor known as APT36 (aka Transparent Tribe) has been attributed to attacks targeting Indian railway systems, oil and gas infrastructure, and the Ministry of External Affairs via spear-phishing attacks to deliver a known malware called Poseidon. “They use .desktop files disguised as PDF documents to execute scripts that download malware and establish persistence using cron jobs,” Hunt.io said. “The Poseidon backdoor, built on the Mythic framework and written in Go, is used to maintain access and support lateral movement.”
• Qilin Ransomware Attack Leverages BYOVD Technique — Threat actors associated with Qilin ransomware have been observed leveraging a previously unknown driver, TPwSav.sys, to stealthily disable security tools using a custom version of EDRSandblast as part of a Bring Your Own Vulnerable Driver (BYOVD) attack. “This driver, originally developed for power-saving features on Toshiba laptops, is a signed Windows kernel driver, making it an attractive choice for bypassing EDR protections through a BYOVD attack,” Blackpoint Cyber said. Prior to this incident, there has been no evidence of in-the-wild exploitation of the driver. “Compiled in 2015 and holding a valid signature, this driver is an appealing candidate for BYOVD attacks aimed at disabling EDR. While interacting with the driver requires only low-level privileges, loading it and enumerating physical memory demand administrative privileges,” the company added.
• Phishing Campaign Distributes 0bj3ctivity Stealer — Phishing emails bearing purchase order-lures are being used to distribute via JavaScript files a stealer called 0bj3ctivity Stealer, which has been propagated via Ande Loader in the past. “The further stages are uncommon, including custom PowerShell scripts to deploy the next stages and steganography to hide some of the payloads,” Trellix said. “Once decoded, the PowerShell script will download from archive.org a JPG image, which contains the next stage hidden using steganography.” The United States, Germany, and Montenegro exhibit a high volume of detections, although telemetry data has also revealed noticeable activity in Europe, North America, Southeast Asia, and Australia, indicating the global nature of the threat.
• Increasing Number of Flaws Leveraged as 0- or 1-Days — A third of flaws leveraged by attackers this year have been zero-day or 1-day flaws, indicating that threat actors are becoming faster at exploiting vulnerabilities. “We observed an 8.5% increase in the percentage of KEVs [Known Exploited Vulnerabilities] that had exploitation evidence disclosed on or before the day a CVE was published — 32.1% in H1-2025 as compared to the 23.6% we reported in 2024,” VulnCheck said. In total, the company added 432 new vulnerabilities to its KEV list in the first half of 2025, with 92 unique threat actors linked to the exploitation efforts. Of these, 56 (60.8%) were attributed to specific countries, including China (20), Russia (11), North Korea (9), and Iran (6). In a related development, a GreyNoise report found that in 80% of reconnaissance spikes against enterprise gear, the increase in activity was followed by the publication of a new CVE within six weeks, suggesting threat actors or researchers are testing their exploits ahead of time. “These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools – the same kinds of systems increasingly targeted by advanced threat actors,” the threat intelligence firm said.
• BreachForums Comes Back Online — BreachForums appears to be back again after it went offline in April. The popular cybercrime forum was shut down and resurrected several times over the past year. According to DataBreaches.Net, the official site appears to be back online on its dark web address, while preserving the original user database, reputation, credits, and posts. What’s more, the site seems to have returned under new leadership – a user with the online moniker “N/A.” In an introductory post, N/A also claimed that none of its administrators have been arrested and that it’s “business as usual.”
• RedCurl’s New Attacks Deliver RedLoader — The threat actor known as Gold Blade (aka Earth Kapre, RedCurl, and Red Wolf) has been linked to a new set of attacks in July 2025 that combine malicious LNK files and WebDAV to execute remotely hosted DLLs to ultimately launch RedLoader using DLL side-loading. The LNK files, disguised as cover letters in the PDF format, are distributed via phishing emails via third-party job search sites like Indeed.
• Mimo Exploits SharePoint Flaws to Deliver Ransomware — The threat actor known as Mimo is exploiting the recently disclosed Microsoft SharePoint flaws to deliver the Go-based 4L4MD4r ransomware. The hacking group was recently linked to the abuse of a critical Craft CMS flaw to drop miners. The development marks the first time the hacking group has deployed ransomware in the wild.
• Silver Fox APT Uses Fake Flash Plugin to Deliver Malware — The threat actor tracked as Silver Fox has been observed delivering the Winos trojan under the guise of popular tools like Adobe Flash, Google Translate, and WPS. Typical distribution vectors include email, phishing websites, and instant messaging software. “However, with the leakage of core remote control Trojan source code (such as Winos 4.0) in the cybercrime circle, Silver Fox has gradually transformed from a single organization into a malicious family widely redeveloped by cybercrime groups and even APT organizations,” the Knownsec 404 team said. “Winos has a rich set of functional plug-ins that enable various remote control functions and data theft on the target host.”
• Girona Hacker Arrested — Spanish authorities have apprehended a cybercriminal who allegedly stole sensitive data from major financial institutions, educational organizations, and private companies across the country. The accused, described as a man with advanced computer programming skills, stands accused of targeting Spanish banks, a driving school, and a public university, among others. The suspect is alleged to have stolen personal databases of employees and customers, as well as internal documents of companies and organizations, and then sold them for profit.
• ShadowSyndicate Infrastructure Analyzed — Cybersecurity researchers have found connections between ShadowSyndicate infrastructure and various malware families like AMOS Stealer, TrueBot, and a number of ransomware strains such as Cl0p, BlackCat, LockBit, Play, Royal, CACTUS, and RansomHub. Aside from having access to a network of bulletproof hosters (BPHs) in Europe, it’s believed that ShadowSyndicate functions as an initial access broker (IAB) fueling Russian, North Korean, and Chinese APTs. “It remains unclear whether ShadowSyndicate has a structured business model with formal clients or partners in cybercrime, or whether it represents a more fluid, hybrid threat actor,” Intrinsec said.
• Who is Lionishackers? — Threat hunters have ripped the cover off Lionishackers, a corporate database seller and a financially motivated threat actor focused on exfiltrating and selling corporate databases through Telegram and underground forums since July 2024. “Even though they seem to have an opportunistic approach when choosing their targets, there seems to be a certain preference for victims located in Asian countries,” Outpost24 said. “They have shown a high level of collaboration with the ‘Hunt3r Kill3rs’ group and extensive participation in relevant underground communities’ Telegram channels. Furthermore, they also worked on and offered other services such as pen testing, the commercialization of the Ghost botnet, and the launch of a forum project dubbed Stressed Forums.”
• EdskManager RAT, Pulsar RAT, and Retro-C2 RAT Exposed — Three new remote access trojans called EdskManager RAT, Pulsar RAT, and Retro-C2 RAT have been flagged by cybersecurity researchers, flagging their ability to evade detection and maintain control over compromised systems. “The malware employs a downloader disguised as legitimate software, followed by in-memory decryption and stealth communication with command-and-control servers,” CYFIRMA said about EdskManager RAT. “Its use of HVNC (Hidden Virtual Network Computing), advanced persistence techniques, and anti-analysis measures indicates a strong focus on long-term, covert access to infected systems.” Pulsar RAT, on the other hand, is an Android trojan that exploits accessibility services to gain near-total control of the device, accessing messages, calls, GPS data, the camera, microphone, and other sensitive data. Developed by a Turkish-speaking threat actor known as ZeroTrace, Retro-C2 RAT employs reflective loading techniques to evade detection and siphon data from compromised machines. “The command-and-control infrastructure is fully web-based and provides threat actors with real-time client monitoring, action management such as CMD, PowerShell, Remote Desktop, keylogging, clipboard capture, file and process management, registry and network operations, audio recording, wallet scanning, persistence operations, and credential recovery,” ThreatMon said.
• Apple to Enable Advanced Fingerprinting Protection for All Safari Browsing Sessions — Apple has revealed that it intends to make advanced fingerprinting protection the default for all browsing sessions in Safari with the release of iOS 26, iPadOS 26, and macOS 26 in September 2025. Currently, the option is limited to Private Browsing mode. The feature was first introduced in Safari 17.0.
• Security Flaw Uncovered in Catwatchful Spyware — An SQL injection vulnerability in an Android stalkerware operation called Catwatchful has exposed more than 62,000 of its customers, including its Uruguay-based administrator, Omar Soca Charcov. The bug, discovered by researcher Eric Daigle, could be exploited to leak the application’s database, compromising customers’ email addresses and plaintext passwords. Google has since added protections to flag such malicious apps and suspended the developer’s Firebase account for abusing its infrastructure to operate the monitoring software.
• Ransomware Continues to be a Threat — DragonForce has claimed more than 250 victims on its dark web leak site, with 58 in the second quarter of 2025 alone, indicating that the ransomware cartel is gaining traction after purportedly absorbing RansomHub. Some of the groups that appear to have exited the scene include RansomHub, Babuk-Bjorka, FunkSec, BianLian, 8Base, Cactus, and Hunters International. “With major RaaS services shutting down, many affiliates are operating independently or seeking new partnerships,” Check Point said. “The result is a growing number of smaller, often short-lived, ransomware entities. At the same time, established players are actively competing to recruit these ‘orphaned’ affiliates.” Ransomware attacks have also been observed evolving beyond double extortion to coerce victims into paying up with threats of data leaks and DDoS attacks. “Double, triple, and quadruple extortion tactics add pressure by threatening to expose customer information, disrupting operations with distributed denial-of-service (DDoS) attacks, and sending harassing messages to business partners, customers, and others — including informing media of the breach,” Akamai said.
• Threat Actors Hide Malware in DNS Records — While it’s known that threat actors have leveraged the Domain Name System (DNS) for command-and-control purposes using a technique called DNS tunneling, it has been observed that cybercriminals are evolving their tactics further by concealing malicious commands in DNS TXT records by converting them into their hexadecimal representation and storing them in chunks. The practice is both clever and sneaky as it allows malicious scripts and early-stage malware to fetch binary files without having to download them from attacker-controlled sites or attach them to emails, which have a higher chance of being detected by antivirus software.

🎥 Cybersecurity Webinars

• Malicious Python Packages Are Everywhere — Learn How to Spot and Stop Them: In 2025, attacks on the Python ecosystem are rising fast—from typosquatting to dangerous container image flaws. If you’re still “pip installing and praying,” it’s time to level up. Join us for a hands-on webinar where we break down real supply chain threats and show you how to defend your code with practical tools, smarter workflows, and hardened images. No hype—just clear steps to secure your Python stack.
• Secure Your AI Stack: Learn How to Defend Identity Before It’s Too Late: AI is changing the way we work—and the way we get attacked. Join Okta’s Karl Henrik Smith to explore how identity is becoming the last, and most critical, line of defense against AI-powered threats. From deepfakes to autonomous agents, attackers are moving faster than traditional tools can handle. In this free webinar, you’ll learn why identity-first security is the key to staying ahead—and how to put it into action.

🔧 Cybersecurity Tools

• Thorium: Released by the U.S. CISA, this new open-source tool is a scalable platform for automating file analysis and aggregating results across diverse tools. It helps cybersecurity teams streamline malware triage, forensics, and tool testing by integrating with existing workflows through event-driven automation and a scalable infrastructure.
• LangExtract: It is an open-source Python library, developed by Google, that helps developers extract structured information from unstructured text using Gemini and other LLMs. It’s designed for tasks like parsing medical records, legal documents, or customer feedback by combining prompt-driven extraction, source-grounded outputs, and schema enforcement. LangExtract supports flexible backends, scales across long documents, and makes it easy to visualize and verify results—all without fine-tuning a model.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Your Keyboard Could Be Spying on You — Here’s How to Tell — Most people don’t realize it, but your smartphone keyboard can do more than just type. Some of them quietly connect to the internet, sending back what you type, when you type, and even what’s in your clipboard. Even trusted apps like Gboard and SwiftKey have cloud sync features that share your typing patterns. And in worse cases, rogue keyboards can log passwords or steal crypto wallet seeds without any visible signs.

The fix isn’t just “don’t use shady keyboards.” It’s knowing how to control what they can do. Start by using a firewall app like NetGuard or RethinkDNS to block your keyboard from sending data over the internet. Go into your keyboard’s settings and turn off “personalization” or sync features. Watch out for weird behavior like a keyboard asking for access to your mic, contacts, or location — those are red flags. On newer Android versions, clipboard alerts will warn you if a keyboard is snooping.

If you want full peace of mind, switch to a keyboard that respects your privacy by design. Options like OpenBoard or Simple Keyboard have no internet access at all. They’re fast, clean, and open source — meaning their code can be audited for hidden behavior. In short: if your keyboard wants to “learn from you,” make sure it’s not learning too much.

Conclusion

Every threat we covered this week tells the same story: attackers are evolving faster because they’re learning from us. From how we code to how we trust, they’re watching closely. But the flipside? So are we.

The more we share, the faster we adapt. Keep pushing, keep questioning, and never let “normal” make you comfortable.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.