Zero-Day Exploits, Developer Malware, IoT Botnets, AI-powered scams

27 Min Read

What do a source code editor, a smart billboard and web servers have in common? They have all become launch pads for attacks as cybercriminals rethink what counts as "infrastructure." Instead of going straight for high-value targets, threat actors quietly take over things that are often overlooked, such as outdated software, neglected IoT devices, open source packages and more. It's not just clever; it is reshaping how intrusion, persistence and evasion happen at scale.

⚡ This week's threat

5Socks proxy botnet built on IoT and EOL devices dismantled in law enforcement operation – A joint law enforcement operation by Dutch and US authorities has dismantled a criminal proxy network, known as anyproxy(.)net and 5socks, that was built from thousands of infected Internet of Things (IoT) and end-of-life (EOL) devices conscripted into a botnet and rented out to malicious actors. The illegal platform, active since 2004, had infected devices primarily in the US, Canada and Ecuador, and advertised over 7,000 online proxies every day. The attacks targeted IoT devices susceptible to known security flaws and deployed malware called TheMoon. The development comes as two other law enforcement operations took down cryptocurrency exchanges used to facilitate money laundering and six DDoS-for-hire services that had been used to launch thousands of cyberattacks around the world.

🔔 Top News

  • ColdRiver uses ClickFix to distribute LostKeys malware – A Russia-linked threat actor known as ColdRiver has been observed distributing new malware called LostKeys as part of an espionage-focused campaign that uses social engineering lures such as ClickFix. The attacks, detected in January, March and April 2025, targeted current and former advisors to Western governments and militaries, as well as journalists, think tanks, NGOs and individuals connected to Ukraine. LostKeys is designed to steal files from a hardcoded list of extensions and directories, and to send system information and running processes to the attackers.
  • CVE-2025-29824 exploited as a 0-day in Play ransomware attacks – Threat actors with links to the Play ransomware family used a recently patched security flaw in Microsoft Windows as a zero-day in attacks targeting unnamed US organizations. The attacks took advantage of CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver that Microsoft patched last month. No ransomware was actually deployed in the attacks; instead, Grixba, a custom information stealer known to be used in Play ransomware operations, was delivered.
  • NSO Group ordered to pay WhatsApp $168 million in damages – The Israeli company NSO Group has been ordered by a US federal jury to pay monetary damages to Meta-owned WhatsApp, more than four months after a federal judge found that the company violated US law by exploiting WhatsApp servers to deploy Pegasus spyware against more than 1,400 individuals. The jury also determined that NSO Group must pay $444,719 in compensatory damages for the significant effort WhatsApp engineers spent blocking the attack vectors. WhatsApp first sued NSO Group in 2019, accusing it of using a then zero-day vulnerability in the messaging app to target journalists, human rights activists and political dissidents. NSO Group said it will appeal the ruling.
  • Three malicious npm packages target Cursor users – Three malicious npm packages named sw-cur, sw-cur1 and aiide-cur have been flagged in the npm registry for targeting the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. The packages claim to offer the "cheapest Cursor API" but include the ability to modify legitimate files belonging to the software in order to execute arbitrary code on the compromised system. The packages are still available for download from npm and have been downloaded over 3,200 times so far. The discovery points to a new trend in which threat actors use rogue npm packages as a way to introduce malicious changes into other legitimate libraries or software already installed on developer systems.
  • SysAid patches four flaws enabling pre-auth RCE – Multiple security flaws in on-premises versions of SysAid IT support software can be chained to achieve pre-authenticated remote code execution with high privileges. The flaws, tracked as CVE-2025-2775, CVE-2025-2776, CVE-2025-2777 (CVSS score: 9.3) and CVE-2025-2778, have been addressed in software version 24.4.60 b16.
  • Hackers exploit Samsung MagicINFO and GeoVision IoT flaws in Mirai attacks – Threat actors are exploiting security flaws in end-of-life (EOL) GeoVision Internet of Things (IoT) devices, along with an unpatched vulnerability affecting Samsung MagicINFO 9 Server, to enlist them into a Mirai botnet variant for carrying out DDoS attacks. Users are advised to upgrade their GeoVision devices to a supported model and disconnect Samsung MagicINFO 9 Server instances from the public internet.
  • DOJ charges Yemeni national for deploying Black Kingdom ransomware – The US Department of Justice (DOJ) has charged a 36-year-old Yemeni national named Rami Khaled Ahmed with allegedly deploying Black Kingdom ransomware against global targets, including US businesses, schools and hospitals, between March 2021 and June 2023. A Kaspersky report published in June 2021 described the ransomware as "amateurish," lacking the sophistication and refinement associated with major ransomware schemes.
  • Golden Chickens returns with TerraStealerV2 and TerraLogger malware – The cybercrime group Golden Chickens is back in the spotlight, this time with a fresh set of tools for stealing credentials, cryptocurrency wallet data, browser extension data and keystrokes. The findings are the latest evidence of the threat actor's ongoing effort to evolve its malware-as-a-service (MaaS) offering. Golden Chickens, also known as Venom Spider, has long been associated with the More_eggs malware. Unlike its data-harvesting counterpart TerraStealerV2, TerraLogger takes a simpler but still dangerous approach by capturing the keystrokes the victim enters on the machine. The fact that it lacks a data exfiltration mechanism suggests it is likely to be used as a module within a wider toolset.

Trending CVEs

Attackers love software vulnerabilities: they are easy doors into a system. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are some of the important vulnerabilities you should know about this week. Take a look, update your software promptly and keep attackers locked out.

This week's list includes CVE-2025-32819, CVE-2025-32820, CVE-2025-32821 (SonicWall), CVE-2025-20188 (Cisco IOS XE Wireless Controller), CVE-2025-27007 (OttoKit), CVE-2025-24977, CVE-2025-4372 (Google Chrome), CVE-2025-25014 (Elastic Kibana), CVE-2025-4318 (AWS Amplify Studio), CVE-2024-56523, CVE-2024-56524 (Radware Cloud Web Application), CVE-2025-26168, CVE-2025-26169 (IXON VPN), CVE-2025-23123 (Ubiquiti UniFi Protect Camera), CVE-2024-8176 (libexpat), and CVE-2025-471888 (Mitel 6800 series and 6900w).

Around the Cyber World

  • Bluetooth SIG releases Bluetooth 6.1 – The Bluetooth Special Interest Group has announced the release of Bluetooth 6.1, which improves device privacy through Resolvable Private Addresses (RPA). The feature "randomizes the timing of address changes [and] makes it much more difficult for third parties to track or correlate device activity over time," the SIG says.
  • AI slop leads to rising fake bug reports – Software supply chain security company Socket is warning of an increase in artificial intelligence (AI)-generated fake vulnerability reports. The consequence of this deliberate misuse is that bug bounty programs can no longer work effectively. "They distract limited attention from true vulnerabilities, add friction between maintainers and researchers, and reduce the trust that these programs rely on," the company said. Daniel Stenberg, founder of the curl project, said in a LinkedIn post that he was "stuck in this insanity," and that any reporter who submits a report deemed to be AI slop will be immediately banned. "We've reached a threshold," Stenberg said. "We are effectively being DDoSed. If we could, we would charge for this wasted time. We don't see any valid security reports made using AI help."
  • AgeoStealer disguises itself as a video game – A new information stealer called AgeoStealer has been observed using a website hosted on the Blogger platform to trick users into installing it under the guise of a video game named Lomina. "Targeting browsers, authentication tokens, and system files enables cybercriminals to carry out identity theft, corporate espionage and fraudulent financial transactions," Flashpoint said. "In addition, using PowerShell process termination combined with sandbox evasion tactics makes detection particularly difficult through traditional antivirus solutions."
  • South Korea says DeepSeek transferred user data to China and the US without consent – The Personal Information Protection Commission (PIPC), South Korea's data protection agency, has accused Chinese AI service DeepSeek of transferring users' personal data to companies in China and the US without consent. This included device, network and app information, as well as prompts, sent to a Chinese cloud services platform named Volcano Engine. PIPC identified Volcano Engine as a ByteDance affiliate, though the watchdog noted it is an "independent corporation." The findings are the result of an investigation PIPC launched in February 2025.
  • Iranian cyber actors pose as a German modeling agency – Iranian threat actors have been linked to a covert infrastructure ("megamodelstudio(.)com") impersonating a German modeling agency. The site is designed to execute malicious JavaScript without visitors' knowledge, collecting browser language, screen resolution, IP address and browser fingerprints to enable more selective targeting. The activity has been attributed with low confidence to Agent Serpens (aka Charming Kitten), a threat actor known for its elaborate social engineering campaigns. The findings come as an Iranian state-backed threat group has been targeting critical national infrastructure (CNI) providers in rival Middle Eastern nations, planting malware on their networks over the past two years. According to Fortinet, the hacking group has repeatedly demonstrated operational discipline by painstakingly establishing long-term stealthy persistence, and after being detected and eradicated from a network, has tried to infiltrate it again.
  • Mozilla streamlines the data consent experience for Firefox add-ons – Browser maker Mozilla said it has made a new feature available in Firefox Nightly version 139 that builds a data consent experience into the Firefox add-on installation flow itself, so that users decide directly whether to share data with an extension. As part of the change, Mozilla has created broad categories based on the types of data extensions use, such as personal data, technical data and user interaction data. Extension developers specify what data they want to collect or send in the extension's manifest.json file. During installation, the browser parses the manifest information and displays it to the user, who can then choose to accept or reject the data collection.
  • ChoiceJacking attack bypasses existing juice jacking defenses to steal data – A juice jacking attack occurs when an attacker hides malware in a charger, which can then steal sensitive data from a phone connected to it. While mobile operating systems have since introduced confirmation prompts for data connections from USB hosts, a newly devised attack technique from Graz University of Technology, dubbed ChoiceJacking, has been found to circumvent existing mitigations: a malicious charger automatically spoofs user input to approve its own data connection. "Despite vendor customizations in USB stacks, ChoiceJacking attacks gain access to sensitive user files (photos, documents, app data) on all eight vendors, including the top six by market share," the researchers said. "For two vendors, our attack allows file extraction from locked devices." Apple, Google, Samsung and Xiaomi have all acknowledged the attack and released fixes in iOS 18.4 (CVE-2025-24193) and Android 15 (CVE-2024-43085). The issue is tracked for Samsung and Xiaomi under CVE-2024-20900 and CVE-2024-54096, respectively.
  • Threat actors target IIS servers with Gh0st RAT – Suspected Chinese-speaking threat actors have been observed using malicious IIS modules to target poorly secured Korean IIS web servers. "When a malicious IIS native module is loaded into the w3wp.exe process, all HTTP requests sent to the web server are intercepted," AhnLab says. "It then manipulates the response value to redirect to a specific page or run a web shell function. Through a malicious native module, the threat actor can intercept all traffic coming into the web server and modify it if necessary." The attacks are notable for their use of .NET-based web shells and Gh0st RAT, a remote access trojan widely used by Chinese hacking groups. "By installing a malicious module on a web server, the threat actors were able to insert affiliate links into the response values of HTTP traffic requested from the web server," the company said. "This allowed them to generate revenue by displaying advertisements and banners on partner websites. Additionally, the threat actors used the malware to install phishing pages and redirect users, thereby leaking sensitive information."
  • Microsoft begins enforcing new Outlook rules for bulk mail – Microsoft has begun enforcing stricter rules that domains sending more than 5,000 emails per day must follow. These include mandatory SPF, DKIM and DMARC configuration, functional unsubscribe links, transparent mailing practices and bounce management. "These measures will help reduce spoofing, phishing and spam activities and empower legitimate senders with brand protection and better deliverability," the company said.
  • Japan warns of threat actors using hijacked financial accounts to trade – After the Japanese Financial Services Agency (FSA) warned users about fraudulent trades on internet stock trading services carried out with stolen credentials harvested from phishing websites, the agency revealed that hackers have made around $900.2 billion in sales and over $1 billion in purchases since the start of the year. A total of 18 companies have been affected, with 3,505 transactions reported so far.
  • New scams exploit loopholes in X ads – Threat actors are abusing a loophole in X's ad policy to run financial scams: the ads spoof the display URL "cnn(.)com," but clicking redirects visitors to a crypto scam website ("ipresale(.)world") that impersonates Apple's brand. "The scam encourages visitors to create accounts and purchase tokens positioned as coming from Apple. The website also includes fake testimonials from Apple CEO Tim Cook," says Silent Push. The findings coincide with the discovery of recruitment scams in which job seekers are targeted with offers of flexible opportunities that entice them to deposit funds in order to complete a series of tasks and earn cryptocurrency payouts. "After luring a victim onto a phishing website with the promise of substantial rewards, threat actors force them to make prepaid payments to engage in tasks that they believe will release the reward," Netcraft says. A similar campaign was documented by Proofpoint in October 2024.
  • Crypto heist investigation uncovers new malware – An investigation into a large cryptocurrency theft, with losses exceeding $1 million, has uncovered two new malware families: Prelude and Delphys. Prelude is a .NET backdoor that can launch a reverse shell and take screenshots. Delphys, on the other hand, is a 64-bit Delphi loader distributed as an EXE and used to run the Havoc command-and-control (C2) framework. According to Kroll, the campaign began with social engineering over X direct messages, after which victims were directed to Discord servers to download the malware. The activity, tracked as KTA440, is assessed to be a highly targeted campaign aimed at high-net-worth individuals in the crypto space.
  • Military conflict between India and Pakistan triggers cyberattacks – The recent military conflict between India and Pakistan has resulted in a surge of attacks targeting both countries. Cybersecurity company NSFOCUS said it observed a 500% increase in cyberattacks targeting India and a 700% increase in attacks targeting Pakistan at the end of April 2025. There was also an increase in hacktivist activity targeting India in the form of DDoS attacks led by RipperSec, AnonSec, Keymous+, Sylhet Gang and Mr Hamza. However, according to CloudSEK, the majority of the hacktivist claims about campaigns against India's digital infrastructure have been "significantly exaggerated." That's not all. The rising military tension is also being capitalized on by the Pakistan-linked threat actor Transparent Tribe (aka APT36), which is employing spear-phishing and ClickFix-style lures to deliver Crimson RAT and .NET-based loaders, respectively.
  • CISA releases guidance to mitigate OT threats from unsophisticated cyber actors – The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA) and Department of Energy (DOE) are urging critical infrastructure entities to take steps to strengthen the security posture of their operational technology (OT) and industrial control systems (ICS) against cyber incidents caused by unsophisticated actors. This includes removing OT connections from the public internet, changing default passwords, securing remote access to OT networks, and segmenting IT and OT networks. "While these activities often include basic and elementary intrusion techniques, poor cyber hygiene and the presence of exposed assets can escalate these threats, leading to serious consequences such as defacement, configuration changes, operational disruption and, in severe cases, physical damage," the agencies said.
  • LockBit ransomware affiliate panel hacked – In a further blow to LockBit operations, the ransomware scheme's dark web affiliate panel was hacked and defaced with the message "Don't commit crimes." The panel's data is now available for download as an SQL database dump containing custom ransomware builds, a list of 75 admins and affiliates with access to the affiliate panel, 59,975 unique Bitcoin addresses, and records of victim negotiations between December and the end of April 2024. Qualys noted that the data points to payments being requested in Monero instead of Bitcoin. "This isn't just a random perk. Its privacy-centric design probably shows an intentional preference for Monero," the company said. LockBit's main administrator, LockBitSupp, has since confirmed the hack. LockBit continues to operate despite law enforcement actions, but the latest leak may sound the death knell for what was once the most prolific ransomware group.
  • Unofficial Signal app used by Trump administration officials hacked – TeleMessage, an Israeli company that sells an unofficial Signal message archiving tool used by some US government officials, has suspended all services after being hacked. Details of the hack emerged following a 404 Media report revealing that an anonymous hacker breached TeleMessage and gained access to direct messages and group chats archived using TeleMessage's unofficial Signal clone, as well as its modified versions of WhatsApp, Telegram and WeChat.

🎥 Cybersecurity Webinar

  • Learn how unifying code, cloud and SOC security eliminates hidden gaps → Modern application security can't afford to live in silos. With 80% of security gaps appearing in the cloud and attackers exploiting them within hours, organizations need to be faster and smarter. This webinar shows how unifying code, cloud and SOC security not only closes these key gaps but also enables faster, more resilient defenses throughout the application lifecycle. Join us to discover a unified approach that breaks down barriers, reduces response times and strengthens security posture.
  • An expert guide to building legally defensible cyber defense programs → Learn how to build a cyber defense program that meets legal standards and regulatory expectations. This step-by-step guide uses CIS Controls, SecureSuite tools and CSAT Pro to create a practical, defensible, cost-effective security strategy tailored to your organization's needs.

🔧 Cybersecurity Tools

  • Chainsaw → A fast, lightweight forensic triage tool designed for rapid threat hunting and incident response on Windows systems. Built for speed and simplicity, it lets investigators quickly search Windows event logs, MFT files, Shimcache, SRUM and registry hives using keyword matching, regex and Sigma detection rules. Support for both Sigma and custom Chainsaw rules allows efficient detection of malicious activity even in environments with EDR coverage.
  • Hawkeye → A powerful command-line security scanner designed to detect PII and secrets across your infrastructure. With support for cloud services (S3, GCS, Firebase), databases (MySQL, PostgreSQL, MongoDB, Redis), messaging apps (Slack) and local file systems, it discovers sensitive data hidden in documents, images, archives and videos using OCR and pattern matching. It integrates easily into CI/CD pipelines or custom Python workflows, helping security teams detect risks proactively and prevent data leaks before they occur.
  • Aranya → SpiderOak's developer tool for building zero-trust decentralized apps with built-in access control and end-to-end encryption. It simplifies security by embedding microsegmentation, authentication and policy enforcement directly into the software, with no external tools required. Lightweight and portable, Aranya supports Rust and C integration, making it easy to create secure-by-design systems that work safely across any network.

🔒 Tip of the Week

Weekly Cybersecurity Tip: Block AI bots from scraping your website → AI companies are quietly crawling websites to collect content for training their models. If you run a company blog, research portal or any site with original content, it has probably already been indexed.

You can reduce this risk by adding a simple robots.txt rule that tells known AI crawlers to stay away. It won't block rogue scrapers, but it stops most major bots, such as GPTBot (OpenAI), anthropicbot, and CCBot (Common Crawl).

Add this to your site’s robots.txt file:

User-agent: GPTBot
Disallow: /

User-agent: anthropicbot
Disallow: /

User-agent: CCBot
Disallow: /

This file must be live at yourdomain(.)com/robots.txt. For extra visibility, monitor your server logs for unexpected crawlers. In an age where data is currency, limiting content scraping is a simple and proactive security move.
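As an added example (not part of the original tip), the following Python script checks a robots.txt for full blocks on the three crawler tokens named above and then scans access log lines for AI crawler requests that ignore those rules, which is the log monitoring the tip recommends. The robots.txt text, IP addresses and log lines are constructed sample data, and the log format is assumed to be the Apache/nginx Combined Log Format.

```python
import re
from collections import defaultdict

# Crawler tokens named in the tip; matching against User-Agent strings is case-insensitive.
AI_CRAWLERS = ("gptbot", "anthropicbot", "ccbot")

# Constructed sample robots.txt: blocks two of the three crawlers and leaves anthropicbot unlisted.
ROBOTS_TXT = """\
User-agent: GPTBot
Disallow: /

User-agent: CCBot
Disallow: /

User-agent: *
Disallow: /private/
"""

# Constructed access log lines in Combined Log Format (documentation-range IPs, made-up paths).
ACCESS_LOG = [
    '203.0.113.5 - - [10/May/2025:08:01:12 +0000] "GET /blog/post-1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; GPTBot/1.2)"',
    '198.51.100.7 - - [10/May/2025:08:02:44 +0000] "GET /robots.txt HTTP/1.1" 200 143 "-" "CCBot/2.0 (https://commoncrawl.org/faq/)"',
    '192.0.2.9 - - [10/May/2025:08:03:01 +0000] "GET /research/paper.pdf HTTP/1.1" 200 80213 "-" "Mozilla/5.0 (compatible; anthropicbot/1.0)"',
    '192.0.2.10 - - [10/May/2025:08:04:19 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
]
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

def parse_robots(text):
    """Return {agent_lowercase: [Disallow prefixes]}. A User-agent line that
    follows a rule line starts a new record, as the robots.txt format requires."""
    rules = defaultdict(list)
    agents, seen_rule = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:
                agents, seen_rule = [], False
            agents.append(value.lower())
        elif field in ("disallow", "allow"):
            seen_rule = True
            if field == "disallow" and value:  # an empty Disallow allows everything
                for agent in agents:
                    rules[agent].append(value)
    return dict(rules)

def unblocked_ai_crawlers(robots_text, crawlers=AI_CRAWLERS):
    """Crawlers from `crawlers` that lack a full 'Disallow: /' block."""
    rules = parse_robots(robots_text)
    return [c for c in crawlers if "/" not in rules.get(c, [])]

def crawler_hits(log_lines, rules, crawlers=AI_CRAWLERS):
    """(ip, crawler, path, violates) for each AI crawler request; `violates` is
    True when the path is under one of that crawler's Disallow prefixes."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool would count these
        ip, _method, path, _status, ua = m.groups()
        ua = ua.lower()
        for crawler in crawlers:
            if crawler in ua and path != "/robots.txt":  # fetching robots.txt is expected
                violates = any(path.startswith(p) for p in rules.get(crawler, []))
                hits.append((ip, crawler, path, violates))
    return hits

if __name__ == "__main__":
    print("not fully blocked:", unblocked_ai_crawlers(ROBOTS_TXT))
    print("crawler hits:", crawler_hits(ACCESS_LOG, parse_robots(ROBOTS_TXT)))
```

A hit with `violates=True` means the bot fetched a path it was told not to, which is the signal the tip asks you to watch for in server logs.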

Conclusion

This week highlighted a basic reality: cyber risk is no longer just a technical issue; it is a business, legal and reputational issue. Consequences have moved upstream, from criminal prosecutions tied to ransomware operations to flawed ad policies that enable phishing through official advertising platforms.

Security decisions are now leadership decisions, and the organizations that act accordingly will be the ones that hold up when the next breach comes.
