Technology

Nation-State Hacks, Spyware Alerts, Deepfake Malware, Supply Chain Backdoor

32 Min Read
32 Min Read
Nation-State Hacks, Spyware Alerts, Deepfake Malware, Supply Chain Backdoor

What happens if the attacker has not infiltrated?

This week we showed a sharp increase in stealth tactics built for long-term access and silent control. AI is used to shape opinions. Malware is hidden within the software we trust. And the old threat is coming back under new names. The real danger is not just a violation, it’s not clear who is still hiding in the system. If your defenses cannot be adapted immediately, you are already at risk.

Here are some important cyber events you will need to pay attention to this week:

⚡This week’s threat

Lemon Sand Storm is targeting Middle Eastern Critical Infrastructure – Tracked as the Lemon Sandstorm, Iranian state-sponsored threat groups targeted unnamed critical national infrastructure (CNI) in the Middle East and maintained long-term access, which lasted nearly two years, using custom backdoors such as Hanifnet, Hxlibrary and Neoexpressrat. According to Fortinet, activities that lasted at least from May 2023 to February 2025 were “a suspected of widespread espionage and network prepositions.”

🔔Top News

  • Claude was abused for “impact as a service” manipulation – Humanity, an artificial intelligence (AI) company, revealed that unknown threat actors have leveraged their Claude chatbots for real accounts and “impact as a service” manipulations that involve X using over 100 fake personas. What’s novel about this operation is to use Claude to make tactical engagement decisions, such as determining whether social media bot accounts prefer, share, comment or ignore specific posts created by a particular account created based on political purposes that suit the client’s interests. The bot account was used to amplify the client’s political narrative.
  • Sentinelone reveals the activity of the purple goby – Cybersecurity company Sentinelone has revealed that a China-Nexus threat cluster called Purplehaze has carried out reconnaissance attempts against some of its infrastructure and high-value customers. PurpleHaze is rated as a hacking crew with a loose connection with another national sponsor group known as APT15, and has also been observed to target entities supported by an unnamed South Asian government in October 2024, employing Goreshell, dubbed with an operational relay box (ORB) network and Windows backdoor.
  • Ransomhub ransomware operations become darker – With an interesting twist, Ransomhub is an offensive ransomware (RAAS) manipulation that has become prominent over the past year by courting affiliates following law enforcement measures against Rockbit and Blackcat, apparently suddenly went offline in early April. The sudden halt raised speculation that cybercriminals associated with the ransomware scheme may have migrated to Qilin. It is also allegedly claimed that Ransomhub has moved its business to Dragonforce, a rival ransomware group that announced the formation of a new “cartel.” In addition to providing malware for multi-platform cryptocurrencies, Ransomhub has attracted attention in giving affiliates more autonomy to communicate directly with victims and collect ransom payments. They also provided detailed guidance on how to force victims to pay ransoms.
  • Meta announces new private processing capabilities for WhatsApp – To balance privacy and artificial intelligence capabilities, Meta has announced a new WhatsApp setting that says is a privacy-oriented way to interact with Meta AI. This feature, called private processing, is an option and will be released in the coming weeks, and Meta, WhatsApp and third-party companies will not be able to see the interactions they use. The systems described by Meta are very similar to Apple’s private cloud computing (PCC). Like Apple, Meta says it relays private processing requests through third-party OHTTP providers to obscure the user’s IP address. But one important difference is that all of WhatsApp AI requests are handled by Meta’s servers, and the current architecture is exclusive to WhatsApp. In a statement shared with Wired, security researcher and cryptologist Matt Green said “end-to-end encrypted systems using off-device AI inference are more risky than pure end-to-end systems,” saying “more private data will be removed from the device, and the machines processing this data will be targeted by hackers and national orders.”
  • Tiktok has fined $601 million from the Irish DPC – Irish Data Privacy Watchdog fined Tiktok about $601 million for failing to guarantee that user data sent to China was protected from government access under Chinese laws related to espionage and cybersecurity. We also approved Tiktok for users and non-transparent purposes in our privacy policy regarding where personal data is being sent. The Data Protection Commission (DPC) has ordered the social video app to stop the transfer of user data within six months if it cannot guarantee the same level of protection as the EU. Regulators said Tiktok previously claimed that it had not stored European user data on its Chinese servers, but notified in April that it discovered that “EA user data was kept in China.” The data is said to have been deleted. The threat of Chinese government’s access to user data is a permanent thorn in the Tiktok side on both sides of the Atlantic. The platform was temporarily banned in the US at the beginning of the year, but the service continues to access as trading is taking place in the background. Tiktok said it plans to sue EU fines and claimed it had “never received a request” from Chinese authorities over data from European users. This is the second time Tiktok has been blamed by DPC. $368 million was fined in 2023 for violating the Privacy Act on the Processing of Children’s Personal Data in the EU. This has been imposed so far by the DPC after Amazon sanctioned €746 million on target behavioral advertising practices and Facebook, and then granted €12 billion to transfer EU-based users’ data to the US. Because its European headquarters is based in Dublin, Ireland’s Watchdog will act as a lead data privacy regulator for Tiktok in the EU.

Trend CVE

Attackers love software vulnerabilities. These are simple doors to the system. Every week brings fresh flaws and waits too long to patch, turning minor surveillance into a major violation. Below are some important vulnerabilities you should know about this week. Look, quickly update your software and keep locked out attackers.

This week’s list includes CVE-2025-3928 (Commvault Web Server), CVE-2025-1976 (Broadcom Brocade Fabric OS), CVE-2025-46271, CVE-2025-46272, CVE-2025-46273, CVE-2025-46274, CVE-2025-46275 CVE-2025-23016 (FastCGI), CVE-2025-43864 (React router), CVE-2025-21756 (Linux Kernel), CVE-2025-31650 (Apache Tomcat), CVE-2025-46762 (Apache Parquet) CVE-2025-23242, CVE-2025-23243 (NVIDIA RIVA), CVE-2025-23254 (NVIDIA TENSORRT-LLM), CVE-2025-3500 (Avast Free Antivirus), CVE-2025-32354 (Zimbra Collaborator Server), CVE-25-25-4025-4025-4025- CVE-2025-30194 (PowerDNS), CVE-2025-32817 (SonicWall Connect Tunnel Windows Client), CVE-2025-29953 (Apache ActiveMQ), CVE-2025-4148, CVE-2025-4149, CVE-4150 (NetGear), CVE-4150 (NetGear), CVE-4150 (3), CVE-2025-3927 (Digigram Pyko-Out), CVE-2025-24522, CVE-2025-32011, CVE-2025-35996, CVE-2025-36558 (KUNBUS Revolution PI), CVE-2025-5975, CVE202525-36521 (viewers), CVE-2025-2774 (Webmin), CVE-2025-29471 (Nagios), and CVE-2025-32434 (Pytorch).

See also  Malicious peepy package stealing source code that stole Solana Tools with 761 download

Cyber ​​Around the world of cyber

  • Europol announces a new task force to combat violence as a service – Europol has created a new operational task force designed to tackle the growing issue of young people being groomed and forced, as employed by a group of criminal service providers specializing in online and physical attacks. The task force, known as OTF Grimm, is assembled with law enforcement from Belgium, Denmark, Finland, France, Germany, the Netherlands and Norway, seeking to disrupt violence as a service. These schemes use coded languages, memes and gaming tasks to recruit young people through social media platforms and messaging apps, ensuring a luxurious lifestyle. The intent behind this intentional act by criminal networks is to reduce risk to oneself and protect oneself from law enforcement. “The exploitation of young perpetrators to commit criminal acts has emerged as a rapidly evolving tactic used by organized crime,” the agency said. “Violence as a service refers to the outsourcing of violence against criminal service providers, often including the use of young perpetrators to carry out threats, assaults, or murders.”
  • China accuses the US of launching a cyber attack – The US intelligence agency reportedly launched a cyberattack on China’s leading commercial encryption provider in 2024, stealing 6.2 GB of critical project data, according to a report by China’s National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC). The attack is said to have exploited a private vulnerability in the company’s customer relationship management system to gain access and embedded a custom Trojan horse for remote control and data theft. “The compromised system includes over 600 user accounts, 8,000 customer profile records, and over 10,000 contract orders, some of which involve major Chinese government agencies,” reported Global Times. Earlier this January, the agency said it had “treated two cases of a cyberattack (that) born from the US at a large Chinese high-tech company to steal occupational secrets.” The activity targeted China’s advanced material design and research institutes in August 2024 and large-scale high-tech companies in May 2023.
  • Zero-day attack on MYBB software compromised a breach – Breachforums (.)SX) has been revived after an earlier version hosted on “Breachforums (.)ST” was filmed offline through MyBB Zero Day Exploit as part of law enforcement action. The Cybercrime Forum was first deleted in 2023, with the original administrator Conor Brian Fitzpatrick (aka Ponpamplin) arrested for running the site. Since then, the site has resurfaced many times using revolving doors of administrators and site addresses.
  • Two people have been arrested in connection with Jokerotp’s operation – Two individuals, a 24-year-old man from Middlesbrough and a 30-year-old man from the Aust-Brabant area of ​​the Netherlands, were arrested in a joint operation that dismantled Jokerotp, a sophisticated fishing tool used to intercept two-factor authentication (2FA) codes, and dismantled Jokerotp, a sophisticated fishing tool used to steal £7.5 million. “In two years, the tool is believed to be used more than 28,000 times more in 13 countries. Financial accounts have been compromised and a total of £7.5 million has been suspected of being violated,” said Cleveland Police Department’s Cybercrime Division.
  • Microsoft Details CVE-2025-31191 MACOS defects – Microsoft shares details about CVE-2025-31191. This is a MacOS vulnerability in Apple’s CoreServices component that allows malicious apps to access sensitive user data. Apple addressed this issue with the Macos Sequoia 15.4 in late March 2025. According to Microsoft researcher Jonathan Bar, the flaw is “which allows specially written code to escape from the app sandbox and run unlimitedly on the system.” In other words, an attacker can create exploits to escape the MacOS sandbox without user interaction and perform even more malicious actions, such as increasing privileges, removing data, and deploying additional payloads. The company also detailed an attack scenario where the exploit “can allow attackers to “delete and exchange keychain entries used to sign security-scoped bookmarks to ultimately escape the app sandbox without user interaction.” Security-scoped bookmarks are mechanisms designed by Apple to specifically circumvent app sandbox rules using explicit and persistent user selection.
  • New supply chain attacks target Magento sites – What is known as a “coordinated supply chain attack,” hundreds of e-commerce stores operating Magento have been backdolled since late April 2025. Sansec said it has identified 21 application packages with the same backdoor from vendors, Meetanshi and MGS. It is known that the infrastructure associated with these vendors has been violated to inject backdoors into download servers. “The backdoor consists of fake license checks for files called license.php or licenseapi.php,” Sansek said. “Evil is in the adminloadlicense function, and runs the $licensefile as php.” Specifically, it contains code that uploads any payload, such as a web shell, and can be used to perform various malicious actions. Backdoor injection occurred six years ago, but was activated until April 2025 to control the server.
  • US House passes bill to study router risk – A bill that required the US Department of Commerce to study national security issues posed by routers and modems managed by US enemies has passed the House. To ensure reliability and security (router) law, we call our safe technology removed and aim to protect American communication networks from foreign management technologies such as routers and modems. The proposed law requires that the risk pose to be assessed by routers, modems and other devices developed, manufactured or supplied by enemies such as China, Russia, Iran, North Korea, Cuba, and Venezuela.
  • New Openeox framework published to adjust product termination security disclosures – Tech Giants’ Cisco, Dell Technologies, IBM, Microsoft, Oracle, Red Hat and others teamed up for the new Openeox framework, which hopes to standardize end-of-life (EOL) and end-of-support (EOS) information to better protect the supply chain and combat cybersecurity risks linked to unsupported software and hardware. “Openeox introduces a much-needed unified framework designed to streamline the exchange of end-of-life (EOL) and security support (EOSSEC) data, which enables transparency and efficiency.”
  • Hackers scan for leaked Git tokens and secrets – Threat intelligence company Greynoise said that between April 20th and 21st, 2025, a significant increase in crawl activity targeting GIT configuration files was observed. Nearly 4,800 unique IP addresses have participated in efforts targeting mainly Singapore, the US, Germany, the UK and India. Since September 2024, there have been four such spikes, with three other cases being November 2024, December 2024 and early March 2024. Grey Noise said it had witnessed a “sudden and sustained decline” in Palo Alto Network’s opportunistic scan PAN-OS global protect portal. “The majority of IPs involved in this activity are associated with provider 3XK Tech GmbH, which accounts for nearly 20,000 of the over 25,000 IPs observed in the last 90 days,” he said.
  • Garantex will probably rebrand as Grinex – The now-certified cryptocurrency exchange Garantex, which seized its website by law enforcement in March 2025, is likely rebranded by Grinex, TRM Labs revealed. “A few days after Garantex’s takedown, the telegram channels affiliated with the exchange began promoting Grinex, a platform with almost identical interfaces registered in Kyrgyzstan in December 2024,” the company said. Grinex has since signed a client onboard agreement with Garantex and announced that it had been considering hiring a former Garantex employee. We also started distributing our previous Garantex user assets with the new token A7A5. “From January 2025, Garantex began moving funds to A7A5, which is said to be fixed in the Russian ruble. It is promoted as a way to recover frozen user assets, and the A7A5 appears to be designed to avoid sanctions.
  • Flaws disclosed in Jan AI – Multiple security flaws (CVE-2025-2439, CVE-2025-2445, CVE-2025-2446, and CVE-2025-2447) have been disclosed in Jan AI at Menlo Research. “Attackers can leverage state-changing endpoints for attackers to direct injections to control their own hosted servers or issue drive-by attacks against LLM developers,” Snyk said. The issue has since been addressed.
  • New MacOS Malware Family Details – Kandji researchers have flagged a new, suspicious MacOS program called Pasivrobber, which can collect data from a variety of apps, including Wechat, QQ, web browsers, and email clients, through 28 different plugins. The tool is believed to be linked to a Chinese company called Meiya Pico, which develops forensic tools, and was previously identified by the US Treasury as one of eight companies: “China’s biometric surveillance and ethnic and religious minorities tracking, particularly the minority minority of Xinjiang.” This disclosure coincided with the discovery of another malware called ReaderUpdate, which acts as a loader that provides Mynieo (Dolittle) adware using variants of malware written in Python, Crystal, Nim, Rust and Go. The malware first detected in 2020 is distributed via free and third-party software download sites in the form of package installers that contain fake or troilerized utility applications. “If compromised, the host remains vulnerable to operators choosing to deliver, whether the operator is theirs, or whether it is being paid in the underground market or sold as malware,” the company said.
  • Apple sends notifications of spyware attacks – Apple has sent threat notifications to users in 100 countries advising that their phones may be targeted by advanced commercial spyware. According to TechCrunch, this included Italian journalists and Dutch activists. If known, it is not yet clear what spyware campaigns Apple notifications are related to. Since 2021, Apple has sent such notifications to targeted people in state-sponsored attacks. As the Meta NSO Group case has moved to the next stage, Meta is asking Spyware Company to pay more than $440,000 in compensatory damages. The NSO group responds, accusing the meta of inflating damage and leaving malware on WhatsApp servers to “steal NSO trade secrets.”
  • France blames Russia for years of cyberattacks – The French Ministry of Foreign Affairs has condemned the Russian GRU Military Intelligence Agency for conducting cyberattacks on dozens of entities, including ministries, defense companies, research institutes and think tanks, in an attempt to destabilise the country since 2021. The attack is linked to a hacking group called APT28 (also known as Bluedelta or Fancy Bear). The ministry said that the APT28 attack on France dates back to 2015, when French television channel TV5Monde was targeted, and awful military intelligence hackers tried to obtain strategic information from European and North American entities. Intrusions are said to rely on phishing, exploitation of vulnerabilities (e.g. CVE-2023-23397), inadequate devices on edge devices, and brute force attacks on webmail as an early access vector, but are said to repeatedly target round-cub mail servers and repeatedly target normal emails like malware, to use normal emails like malware while depicting inbox data. A low-cost, ready-to-use outsourcing infrastructure. The development is because Russia-lined hacktivists like Nonamet (16) are responsible for a massive DDOS attack targeting Dutch organizations as a recall to send 6 billion euros of military aid to Ukraine.
  • CloudFlare blocks 20.5m DDOS attacks in Q1 2025 – Speaking of DDOS attacks, CloudFlare said it blocked 20 million people in the first quarter of 2025, up 358% year-on-year and increased 198% quarterly (QOQ). In comparison, it blocked 21.3 million DDOS attacks during the 2024 calendar year. “Of the 20 million DDOS attacks blocked in the first quarter, 16.8 million were network layer DDOS attacks, of which 6.6M are directly targeting CloudFlare’s network infrastructure.” “A further 6.9 million target hosting and service providers protected by CloudFlare.” These attacks were part of an 18-day multi-vector DDOS campaign that included Syn flood attacks, DDOS attacks generated by Mirai, and SSDP amplification attacks. The Web Infrastructure Company said it blocked approximately 700 ultra-volume measurement DDOS attacks that exceed one or one BPP. In late April 2025, the company announced it had mitigated its record-breaking DDOS attack, peaking at 5.8 TBP. This lasted for about 45 seconds. Previously, the record was a 5.6 Tbps DDOS attack that utilizes a Mirai-based botnet consisting of 13,000 devices.
  • Babuk2 Bjorka represents a massive data commodity – Cybersecurity researchers shed light on cybercriminal manipulation, known as Babuk2 bjorka, which ostensibly symbolizes the evolution of Babuklaas operations, but in reality they are “industrial scale data commoditizers” that function by selling stolen data recycled from other ransomware groups in cybercrime. “This group isn’t just copying and pasting old leaks. They’re building brands, establishing market presence, and creating sustainable operational models,” Trustwave SpiderLabs said.
  • The FBI shares a list of 42,000 love host phishing domains – The US Federal Bureau of Investigation (FBI) has released a large list of 42,000 phishing domains tied to the Labhost Cybercrime platform, which was dismantled in April 2024. These domains obtained from the backend servers were registered between November 2021 and April 2024. The FBI said.
  • Polish police disrupt cybercrime gangs – Polish authorities have dismantled an international cybercriminal group accused of scaming dozens of victims out of nearly $665,000. Nine people, ages 19 to 51, have been arrested in connection with the incident. The suspect is believed to have been tricked by bank employees and law enforcement officers to appoint the victim to transfer funds to an account under his control. Since April 2023, at least 55 people have been targeted as part of the fraud.
  • Critical security flaws in your browser wallet – Security vulnerabilities have been identified in browser wallets such as stellar cargo ships, frontier wallets, and Coin98 that allow attackers to release funds without the need for social engineering or phishing attempts. “Just visiting the wrong site can quietly expose recovery phrases, allowing attackers to discharge their funds whenever they want,” Coinspect said. “Malicious sites can steal secret recovery phrases, even if the wallet is locked, without requiring user approval to connect.” There is no evidence that the drawbacks have been misused in the wild.
  • New reverse NFCGATE technique revealed – The legitimate NFCGATE application used to capture, analyze, or modify near field communication (NFC) traffic from Android devices has been misused as of January 2025 to steal 40 million rubles from Russian bank customers. Scammers have been observed to modify applications and carry out activities masking as government and banking services. Last month, we noted that for the first two months of 2025, the total amount of damage from attacks on Russian bank customers using NFCGATE-based malware was estimated at nearly 200 million Rubles. In March 2025, there was an estimated 180,000 compromise devices in Russia, with another malware called NFCGATE and CraxSrat installed on it. However, in what appears to be a further escalation of threat actor tactics, a new attack scheme known as the reverse NFCGATE has been revealed. The attack is trying to trick the victim into downloading a malicious app to secure an account. Once installed and opened, the victim will be notified from a pop-up window that the malware should be set as the default application for contactless payments. The attack then directs them to the ATM and deposits the money into their accounts under various pretexts. “In the reversed version of NFCGATE, the application uses the ability to relay NFC traffic to send drop card data to the user’s device,” F6 says. “As a result of a fraudulent attack, when the victim deposits money into an ATM’s account, they place their smartphones in the ATM’s NFC module, but instead of the card, they log in with a drop card and send the full amount.” As of March 2025, up to 175,000 compromise devices have been detected in the country, using the reverse version of NFCGATE. The average amount of damage caused by attacks using the reverse version of NFCGATE is 100,000 rubles.
See also  How walled gardens of public safety expose the data privacy crisis in America

🎥Cybersecurity Webinar

  • Discover the cleverest way to secure an ai agent.: AI agents are powerful, but dangerous. If it is not properly protected, you can leak data, fool, or expose your system. Join Michelle Agroskin (Auth0) and learn how to build a smart and secure AI agent. Real risks, clear corrections, no fluff.
  • ☁§Redesign your security on your terms – from code to cloud to SOC: Code scanning alone cannot be saved. Today’s attacks move faster than teams respond, especially when AppSec, Cloud and SOC operate in silos. Join Ory Segal (Palo Alto Networks) to learn how code, cloud, and security OPS connections reduce response times and stop threats before they spread.
  • N Learn to build a compliant cyber defense program that works in practice: Reasonable cybersecurity is not an option. It is expected. Laws, regulators and courts are currently requiring evidence that your defense is practical, prioritized and well documented. Join CIS® experts to learn how to build a defensible program using CIS Control, CSAT Pro, and SecureSuite® tools.

🔧Cybersecurity Tools

  • MCPSAFETYSCANNER – This open source tool audits MCP server configurations for critical security flaws, such as exposed SSH keys, leaked API credentials, or insecure path access. Multi-agent analysis is used to generate actionable safety reports, allowing developers to patch risks before attackers find them.
  • Hanalyzer – This is a new open source tool that automates SAP’s complex security checklists. No manual audit, not applicable. Built by Anvil Secure, runs locally, generates clean HTML reports and checks over 30 controls for users, networks, encryption and more. One command. Instant insights. If you are managing your HANA environment, this is easy.
  • Know your enemy – It is another powerful open source tool that scans IAM’s role and S3 bucket policy to reveal access to third-party access, including unknown vendors and misunderstood trust relationships. Detect confusing secondary risks, match account IDs to known vendors, and generate clear markdown reports that security teams can take action immediately. It runs in a few minutes. Know exactly who’s in your cloud.
See also  The new Chrome Zero Day is actively being used. Google issues emergency out-of-band patches

🔒Tip of the Week

Sandbox Your AI Agent – File Access is a silent threat – Most AI agents do not require access to system files, but often have it by default. This means that if an attacker tricks an agent (via quick injection, plugin abuse, or tool misuse), it could incorrectly expose SSH keys, cloud credentials, logs, and more. This is one of the easiest ways for an attacker to get deeper into your environment and is often unaware.

Even if you lock down API access or IAM roles, the local file system is still a weak spot. Agents may be able to read .ssh/authorized_keys, .aws/credentials, and even secret environment files by simply asking the correct questions. And once that data is released, the game is over.

This can be fixed in a sandbox. Block access to sensitive folders using tools like Firejail (Linux). This will allow the agent to view key files, lock the temperature folder, and add guardrails.

Running AI agents in the sandbox takes a few minutes, but they significantly reduce the attack surface. It’s a small movement that closes the big gap and works even when everything else looks safe.

Conclusion

All this week’s alerts reinforce the simple truth. Cybersecurity is not just defense, it’s detection, speed, and accountability. As the threat becomes quieter and more calculated, the margin of delay decreases. It’s not just about monitoring. measurement. map. Respond. Then ask yourself – where else are you?

Share This Article
Leave a comment

Follow US

POPULAR