Atomic Stealer Gets a Backdoor Feature — The macOS information stealer known as Atomic Stealer (aka AMOS) has been updated with an embedded backdoor to obtain persistent access to compromised systems. The new component allows executing arbitrary remote commands, gaining full user-level access, and surviving reboots, allowing attackers to maintain control over infected hosts indefinitely. According to Moonlock Lab, campaigns distributing Atomic have recently shifted from broad distribution channels like cracked software sites to targeted phishing aimed at cryptocurrency owners and staged job interview invitations used to infect freelancers. The United States, France, Italy, the United Kingdom, and Canada are among the countries most affected by the stealer. It is only the second known case of backdoor deployment at a global scale targeting macOS users, after the campaigns attributed to North Korea. "The upgrade to AMOS represents a significant escalation in both capability and intent, whether the changes were made by the original malware authors or by someone else modifying the code," the company said. "It’s clear that the Russia-affiliated authors of Atomic macOS Stealer are following in the footsteps of North Korean attack groups."

Call of Duty Makers Take Game Offline After Reports of RCE Exploit — The makers of Call of Duty: World War 2 announced that the PC version of the game has been taken offline following "reports of an issue." The issue appears to be a security problem, specifically a remote code execution (RCE) vulnerability that could allow an attacker to take over other players' PCs during live multiplayer matches. The exploit has reportedly been abused to open command prompts on victims' PCs, send mocking messages via Notepad, and forcibly shut down players' computers, among other actions. Activision has not officially commented on the issue, but it is said to be working to remediate the bug.
BaitTrap Uses Over 17K Sites to Push Scams — A network of more than 17,000 websites is mimicking trusted brands, including CNN, BBC and CNBC, to redirect visitors to online scams. The BaitTrap network uses Google and Meta ads, social media posts, and YouTube videos to lure victims. The bogus sites typically collect personal information and attempt to hijack online crypto accounts, and they target audiences in more than 50 countries. The sites publish fake stories featuring prominent public figures, including national leaders and central bank governors, and falsely link those figures to "fabricated investment schemes in order to build trust and get engagement from victims."

Dutch Police Arrest 5 Phishing Gang Members — Dutch police have arrested five members of a phishing gang that operated out of the city of Lelystad. Four of the group's members are teenagers aged 14 to 17. Authorities said the suspects used QR codes sent via email to collect login credentials for local banks. In a related law enforcement development, Nepalese authorities have apprehended 52 people for allegedly running online dating and crypto investment scams. The group ran a call center and a dating app called METOO to lure young Nepali women and facilitate fraudulent online transactions. Six of the detained suspects are Chinese and are believed to have managed the operation.

German Court Orders Meta to Pay €5K Over GDPR Violation — A German court has ruled that Meta must pay €5,000 ($5,900) to a German Facebook user who sued the platform for embedding its Pixel tracking technology in third-party websites. The ruling could open the door to large fines down the road over data privacy violations relating to similar tracking tools. The Regional Court of Leipzig ruled that Meta tracking pixels and software development kits embedded in countless websites and apps collect users' data without their consent and violate the European Union's General Data Protection Regulation (GDPR).
"Every user is individually identifiable to Meta at all times as soon as they visit the third-party websites or use an app, even if they have not logged in via the Instagram and Facebook account," the court said.

LFI Flaw in Microsoft Export to PDF Feature — A Local File Inclusion (LFI) vulnerability has been disclosed in Microsoft 365's Export to PDF functionality that could have allowed attackers to access sensitive internal data when converting HTML documents to PDF. The vulnerability, reported by security researcher Gianluca Baldi, was subsequently patched by Microsoft, earning him a $3,000 bounty reward. "It turned out there was an undocumented behavior that allowed converting from HTML to PDF files," Baldi said. "By embedding specific tags (<embed>, <object>, and <iframe>) into the HTML content, an attacker could force the inclusion of local files from the server’s file system into the resulting PDF—even files located outside the server's root directory."

Unpatched Flaws in Ruckus Wireless — Multiple unpatched security flaws (CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, and CVE-2025-6243) have been disclosed in the Ruckus Wireless management products Virtual SmartZone (vSZ) and Network Director (RND) that could be exploited by an attacker to leak sensitive information and compromise the wireless environment. The flaws include authentication bypass, hard-coded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. "An attacker with network access to Ruckus Wireless vSZ can exploit CVE-2025-44954 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment," CERT/CC said. "Furthermore, multiple vulnerabilities can be chained to create chained attacks that can allow the attacker to combine attacks to bypass any security controls that prevent only specific attacks."
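The Export to PDF item above describes a converter that followed <embed>, <object> and <iframe> references into the server's own file system. As an added example, not Microsoft's implementation and not code from the researcher's write-up, the following Python filter models the pre-rendering check a conversion service can apply on the defensive side: it removes those three elements outright, and drops any resource attribute whose reference is not an http(s) or data: URL, so the renderer never receives a file: reference, a drive-letter path, a UNC path or a bare local path. The tag and attribute sets, the `PdfInputFilter` name and the sample document are assumptions constructed for this example.

```python
"""Pre-render policy filter for an HTML-to-PDF conversion service.

Added illustrative code modelled on the Export to PDF finding; it is not
Microsoft's implementation.  The renderer is assumed to dereference <embed>,
<object> and <iframe> and any src/data/codebase reference it is handed, so the
filter removes those elements and any reference that is not http(s) or data:.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_TAGS = {"embed", "object", "iframe"}   # the three inclusion vectors named in the report
VOID_TAGS = {"embed", "img", "br", "hr", "input", "link", "meta", "source", "area", "col"}
RESOURCE_ATTRS = {"src", "data", "codebase"}   # assumed set of attributes a renderer fetches
ALLOWED_SCHEMES = {"http", "https", "data"}    # anything else (file:, drive letters, UNC) is refused


def _unsafe_ref(value: str) -> bool:
    """True if a reference could resolve to the converter host's own file system."""
    scheme = urlparse(value.strip()).scheme.lower()
    if scheme:
        return scheme not in ALLOWED_SCHEMES
    # Scheme-less references resolve against the renderer's base, which for a
    # server-side converter is typically a local path, so refuse them all.
    return True


def _resource_attrs(tag: str) -> set:
    # <link> and <base> dereference href; on <a> it is only a navigation target.
    return RESOURCE_ATTRS | ({"href"} if tag in ("link", "base") else set())


class PdfInputFilter(HTMLParser):
    """Rewrites a document, recording every element or reference it removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.violations = [], []
        self._skip = 0  # > 0 while inside a blocked element's subtree

    @staticmethod
    def _fmt(tag, attrs):
        parts = [tag] + [n if v is None else f'{n}="{escape(v, quote=True)}"' for n, v in attrs]
        return "<" + " ".join(parts) + ">"

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.violations.append(f"blocked <{tag}>")
            if tag not in VOID_TAGS:
                self._skip += 1          # drop the element's content as well
            return
        if self._skip:
            if tag not in VOID_TAGS:
                self._skip += 1          # nested element inside a blocked subtree
            return
        kept = []
        for name, value in attrs:
            if name in _resource_attrs(tag) and value is not None and _unsafe_ref(value):
                self.violations.append(f"<{tag} {name}={value!r}> rejected")
                continue                 # strip the attribute, keep the element
            kept.append((name, value))
        self.out.append(self._fmt(tag, kept))

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.violations.append(f"blocked <{tag}>")
            return
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag not in VOID_TAGS:
                self._skip -= 1
            return
        if tag not in BLOCKED_TAGS:      # a stray closing tag for a blocked element is dropped
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_html_for_pdf(html: str):
    """Return (cleaned_html, violations); an empty list means the input passed unchanged."""
    f = PdfInputFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.violations


# Constructed sample document, not a real submission: one benign remote image,
# the three inclusion vectors from the report, and a bare local path on an <img>.
SAMPLE_HTML = (
    '<html><body><h1>Report &amp; notes</h1>'
    '<img src="https://example.invalid/logo.png">'
    '<embed src="file:///etc/passwd">'
    '<object data="file:///etc/hosts"></object>'
    '<iframe src="file:///C:/Windows/win.ini"><p>fallback</p></iframe>'
    '<img src="/etc/hostname">'
    '<p>done</p></body></html>'
)

if __name__ == "__main__":
    cleaned, problems = filter_html_for_pdf(SAMPLE_HTML)
    print(cleaned)
    for p in problems:
        print("rejected:", p)
```

A service would run this (or an equivalent allowlist) before the document reaches the renderer and log the violations list: a document that names local paths is worth flagging even when the renderer itself has since been patched.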
Noam Moshe of Claroty Team82 has been credited with discovering and reporting the issues. In the absence of patches, users are advised to restrict management access to trusted users and their authenticated clients, and to manage the infrastructure only over a secure protocol such as HTTPS or SSH.

Security Flaws in Gigabyte UEFI — Multiple security flaws have been disclosed in UEFI modules present in Gigabyte firmware (CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7029) that an attacker could exploit to elevate privileges and execute arbitrary code in the System Management Mode (SMM) environment of a UEFI-supported processor. "An attacker with local or remote administrative privileges may exploit these vulnerabilities to execute arbitrary code in System Management Mode (Ring -2), bypassing OS-level protections," CERT/CC said. "These vulnerabilities can be triggered via SMI handlers from within the operating system, or in certain cases, during early boot phases, sleep states, or recovery modes – before the OS fully loads." Successful exploitation of the vulnerabilities can disable UEFI security mechanisms such as Secure Boot and Intel BootGuard, facilitating stealthy firmware implants and persistent control over the system. The flaws were discovered and reported by Binarly.

Android Goes Without a Security Patch for the First Time in a Decade — Google announced that no security patches have been released for Android and Pixel devices for the month of July 2025, ending a decade-long streak of monthly security updates. This is the first month without security updates since Google started rolling out monthly Android fixes in August 2015.

Indonesia Extradites Russian National for Selling Personal Data on Telegram — Indonesia has extradited a Russian citizen named Alexander Zverev for allegedly running a Telegram channel that sold personal data obtained from law enforcement databases.
Russian authorities claimed that Zverev operated an unnamed criminal network between 2018 and 2021 that profited from selling sensitive personal information sourced from databases belonging to Russia's Interior Ministry (MVD), Federal Security Service (FSB), and mobile phone operators. Subscribers of the Telegram channel could allegedly purchase details about Russian citizens, including private information. Authorities have not disclosed the name of the channel or whether it is currently operational.

Law Enforcement Catches Up on Ransomware Actors — The Brussels criminal court sentenced the Russian developer of Crylock ransomware to seven years in prison for masterminding the malware's deployment on thousands of computers. His former co-conspirator, a woman involved in advertising Crylock and negotiating with the victims, was sentenced to five years. More than €60 million (~$70 million) in cryptocurrency representing illegal proceeds from the ransomware operation has been seized by law enforcement. The development came as French authorities arrested a 26-year-old Russian basketball player for his alleged role in ransomware attacks. Daniil Kasatkin was arrested on June 21, 2025, at the Charles de Gaulle Airport in Paris at the request of U.S. authorities. It's alleged that Kasatkin helped an unnamed ransomware gang negotiate ransoms. Kasatkin's lawyer denied the charges and claimed his client had no technical skills. "He bought a second-hand computer. He did absolutely nothing. He's shocked," his lawyer, Frédéric Bélot, told AFP. "He's useless with computers and can't even install an application. He didn't touch anything on the computer: it was either hacked, or the hacker sold it to him to act under the cover of another person." He's currently being held pending extradition to the U.S. The ransomware group Kasatkin was allegedly involved with has not been named, but is said to have attacked roughly 900 companies. The U.S. Federal Bureau of Investigation (FBI) said recently that it's aware of 900 organizations hit by the Play ransomware group.

RansomedVC Returns After Hiatus; Leaks Medusa Data — The RansomedVC ransomware group has returned after a two-year absence and leaked the internal chat transcripts of the Medusa ransomware group from December 11, 2022, to March 2023. RansomedVC claimed Medusa's admin "seems completely absent and unresponsive to the needs of his members" and indicated that they may either be trying an exit scam or might have been compromised by law enforcement. "From the transcript and analyzing previous events, the group is mainly focused on targeting Fortinet Access as an SQLi Vulnerability was exploited by the group in 2024 and the current leaked chat that mentions 'Forti' also underlines its importance which dates back to 2023," security researcher Rakesh Krishnan said. The development coincides with the emergence of new players, including BERT. Another ransomware group, SafePay, which emerged last year, has since evolved to become "one of the most active and dangerous actors," mainly targeting managed service providers (MSPs) and small-to-midsize businesses (SMBs). "The group uses classic but effective techniques: RDP- and VPN-based intrusion, credential theft, privilege escalation and living-off-the-land binaries to quietly move through victim networks, exfiltrate sensitive data and then encrypt files," Acronis said. Ransomware attacks on businesses around the world increased by 213% in the first quarter of 2025, with 2,314 victims reported across 74 distinct data leak sites, compared to 1,086 in the first quarter of 2024.
Disgruntled IT Worker Jailed for Cyber Attack — Mohammed Umar Taj, 31, of Hyrst Garth, Batley, U.K., was sentenced to seven months and 14 days in prison for unlawfully accessing his former employer's premises and altering login and access credentials and multi-factor authentication configuration to disrupt the company's operations. He had been suspended from work in July 2022.

Hacker Behind GMX Exchange Returns Assets — An unknown hacker behind the $42 million theft from decentralized exchange GMX has returned the stolen assets in exchange for a $5 million bug bounty. The development came after GMX promised not to pursue charges if the hacker returned the funds. In a post-mortem report, the company said it has addressed the root cause in a subsequent update. "Based on a review of the incident by contributors, auditors and security researchers, the root cause of the exploit is a reentrancy attack," it said. "By utilizing this reentrancy and bypassing the average short price calculations, the attacker was able to open positions and manipulate the average short price for BTC downwards from the initial value of $109,505.77 to $1,913.70."

Flaws in Thermomix TM5 Appliance — A security analysis of the Thermomix TM5 has uncovered several weaknesses that could render the kitchen appliance susceptible to firmware downgrade attacks (limited to firmware versions prior to 2.14) and secure boot bypass, allowing an attacker to gain persistence. "This vulnerability can be chained with the firmware downgrade vulnerability to gain arbitrary code execution and apply a controlled firmware update file without messing up with the NAND flash," Synacktiv said. "By exploiting these flaws, one can alter the firmware version block to bypass anti-downgrade protections, downgrade the firmware, and potentially execute arbitrary code."
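The GMX post-mortem above attributes the theft to a reentrancy attack. As an added example, not GMX's Solidity contracts and not the average-short-price logic the report describes, the following Python model shows the generic pattern the term names and the two standard mitigations: a vault that pays out before it records the withdrawal, a callee whose receive hook re-enters during the payout, and a hardened vault that applies a reentrancy lock together with checks-effects-interactions ordering. The vault and caller classes, the deposit amounts and the `solvent()` invariant are constructed for this example.

```python
"""Reentrancy model: a vulnerable vault beside a hardened one.

Added illustrative Python, not GMX's contracts and not the specific short-price
manipulation from the post-mortem.  It shows the generic defect the report
names: an external call made before state is updated lets the callee re-enter
and withdraw more than its balance.  The hardened vault closes the hole with a
reentrancy lock and by updating state before any external call.
"""


class ReentrancyError(RuntimeError):
    """Raised by the hardened vault when a withdrawal re-enters itself."""


class VulnerableVault:
    """Pays out first and records the withdrawal afterwards."""

    def __init__(self):
        self.balances = {}   # caller -> credited balance
        self.pool = 0        # funds the vault actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount <= 0:
            return 0
        self.pool -= amount
        on_receive(amount)        # external call: the callee can re-enter withdraw()
        self.balances[who] = 0    # state update happens too late
        return amount


class HardenedVault(VulnerableVault):
    """Reentrancy lock plus checks-effects-interactions ordering."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, who, on_receive):
        if self._locked:
            raise ReentrancyError("withdraw re-entered")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)   # checks
            if amount <= 0:
                return 0
            self.balances[who] = 0               # effects: zero the balance before any external call
            self.pool -= amount
            on_receive(amount)                   # interactions last
            return amount
        finally:
            self._locked = False


class ReenteringCaller:
    """A callee whose receive hook calls back into withdraw() a fixed number of times."""

    def __init__(self, vault, rounds):
        self.vault, self.rounds, self.received = vault, rounds, 0

    def on_receive(self, amount):
        self.received += amount
        if self.rounds > 0:
            self.rounds -= 1
            try:
                self.vault.withdraw("caller", self.on_receive)
            except ReentrancyError:
                pass   # the hardened vault refuses the nested call


def solvent(vault):
    """Invariant a monitor can check after every call: held funds cover every credited balance."""
    return vault.pool >= sum(vault.balances.values())


def run_scenario(vault_cls, rounds=3):
    """Constructed scenario: other users hold 90, the caller holds 10, the caller withdraws once."""
    vault = vault_cls()
    vault.deposit("alice", 50)
    vault.deposit("bob", 40)
    vault.deposit("caller", 10)
    caller = ReenteringCaller(vault, rounds)
    vault.withdraw("caller", caller.on_receive)
    return caller.received, vault.pool, solvent(vault)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableVault))   # caller receives 40 against a balance of 10
    print("hardened:  ", run_scenario(HardenedVault))     # caller receives exactly 10
```

The `solvent()` check is the kind of invariant that belongs in tests and in post-deployment monitoring: the vulnerable vault ends the scenario holding less than it owes, which is visible long before anyone reads the call trace.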
API Client Security Risks Detailed — An analysis of API clients like Postman, Insomnia, Bruno, and Hoppscotch has uncovered potential vulnerabilities within their JavaScript sandboxing implementations that could be exploited to achieve code execution. "Running untrusted code without any isolation is, of course, a bad idea, but it is also problematic to use seemingly working solutions such as Node.js's built-in vm module or the third-party vm2 package," Sonar researchers Oskar Zeino-Mahmalat and Paul Gerste said. "These are known to have bypasses that let malicious code escape the sandbox and get access to system resources."

Ubuntu Turns Off Intel GPU Security Mitigations — Ubuntu has disabled a security feature that protected Intel GPUs against Spectre side-channel attacks. Canonical said it now relies on kernel-level protections, making the GPU-level safeguards unnecessary. Ubuntu developers can expect the operating system to see a 20% improvement in performance following the update. "After discussion between Intel and Canonical's security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level," Ubuntu maintainers said. "At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff."

Botnet Engages in Web Scraping — A new botnet comprising more than 3,600 unique IP addresses has been observed carrying out web scraping activity since at least April 19, 2025. The majority of the botnet's infected hosts are located in Taiwan, Japan, Bulgaria, and France, GreyNoise said, with targeted systems predominantly located in the United States and United Kingdom.
"The dominance of Taiwanese IP space could suggest: A common technology or service deployed widely in Taiwan has been compromised, or that local exposure to a shared vulnerability is driving the clustering," the threat intelligence firm said.

Czechia Becomes the Latest Country to Issue Warning About DeepSeek — Czechia's cybersecurity agency, the National Cyber and Information Security Agency (NÚKIB), issued a formal warning detailing the national security risks posed by the use of software provided by Chinese artificial intelligence company DeepSeek. "The primary security concerns stem from insufficient protection of data transmission and handling, from the collection of data types which, in greater volume, may lead to user deanonymization, and lastly, from the legal and political environment of the People's Republic of China to which the company DeepSeek is fully subject," NÚKIB said. To that end, the government has banned the use of DeepSeek on state-owned devices, urging the public to be mindful of the information shared with the platform. However, NÚKIB noted that the decision does not apply to open-source large language models (LLMs) developed by DeepSeek, provided that their source code is made available for review and they can be deployed locally without any contact with servers associated with DeepSeek or its related entities. Several other nations, including Canada, Germany, Italy, the Netherlands, South Korea, and Taiwan, have issued similar warnings.

TikTok Comes Under E.U. Radar Again — Ireland's Data Protection Commission (DPC) said it's opening a probe into TikTok over the transfer of European Union user data to servers located in China. "The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers [under GDPR]," the DPC said.
The development comes a little more than two months after the DPC fined TikTok €530 million ($620 million) for infringing data protection regulations in the region by transferring European users' data to China and for allowing TikTok's China-based staff to access European user data. TikTok, which is owned by China's ByteDance, has been the subject of intense scrutiny on both sides of the Atlantic over how it handles personal user information amid concerns that it poses a national security risk. Under the region's stringent data protection laws, European user data can only be transferred outside of the bloc if safeguards are in place to ensure the same level of protection. TikTok is also facing heat in the United Kingdom after the First-tier Tribunal ruled that the Information Commissioner's Office (ICO), the British data regulator, has the power to issue a monetary penalty notice (MPN) to TikTok. The ICO fined TikTok £12.7 million in 2023, but the company argued that "its processing was for artistic purposes, so the 'special purposes' provisions applied."

Google Details Advanced Protection in Android — Back in May 2025, Google launched Advanced Protection, a security feature that "ensures all of Android's highest security features are enabled and are seamlessly working together to safeguard you against online attacks, harmful apps, and data risks." Similar to Lockdown Mode on Apple iOS, iPadOS, and macOS devices, Advanced Protection aims to provide stronger guardrails for journalists and other high-risk targets. In Google Chrome, this includes always using secure connections, full site isolation on mobile devices with 4GB+ RAM to keep malicious sites away from legitimate sites, and disabling JavaScript optimizations.

SatanLock Announces Abrupt Shutdown — SatanLock, a newer ransomware group on the threat landscape, has announced that it will be shutting down. The exact reasons behind the sudden move are unclear.
The group first emerged in early April and published 67 victims within a span of a month. However, Check Point found that 65% of these victims had already been listed by other ransomware groups.

Russia Rejects Law to Legalize White-Hat Hacking — Russia's State Duma has rejected legislation that would have legalized ethical hacking, citing national security concerns. Politicians expressed worries that finding vulnerabilities in software made by companies headquartered in hostile countries would require sharing them, which, in turn, could lead to those nations abusing the defects for strategic gain, local media reported.

GitHub Repos Used to Distribute Malware as Free VPN — Threat actors have been observed using GitHub as a mechanism for staging stealer malware like Lumma by disguising it as 'Free VPN for PC' and 'Minecraft Skin Changer.' "The analysis of the 'Free-VPN-For-PC' sample revealed that, behind its seemingly legitimate facade, it functions as a sophisticated malware dropper designed to implant the Lumma Stealer," CYFIRMA said. "Disguised as a helpful tool, the dropper uses multiple layers of obfuscation, in-memory execution, and process injection to evade detection. The same malware was also repackaged under the name 'Minecraft Skin,' indicating a broader social engineering tactic targeting different user interests."

NFC-Enabled Fraud Targets Philippines' Financial Sector — Chinese mobile malware syndicates that rely on NFC relay attacks have now spread to the Philippines, Resecurity revealed. "Major underground shops managed by Chinese cybercriminals list the Philippines as one of the most impacted areas, based on the volume of compromised credit cards (CCs)," the company said. Some of the other top regions targeted by Chinese cybercriminals include Australia, Taiwan, Malaysia, New Zealand, Singapore, Thailand, Hong Kong, Korea, and Indonesia.
These groups, active on Telegram, enable fraudsters to acquire compromised cards and also check whether they are valid, using micro-charges performed via fraudulent merchants set up by Chinese cybercriminals. Attackers can then use tools like Z-NFC, X-NFC, SuperCard X, and Track2NFC to clone stolen card data and perform unauthorized transactions using NFC-enabled devices.

GitPhish Tool to Automate GitHub Device Code Phishing — Cybersecurity researchers have demonstrated