Daily Brief
Each row below lists an article together with its generated summary
Total articles found: 11762
Checks for new stories every ~15 minutes
| Published | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-09-08 15:05:27 | thehackernews | MALWARE | GPUGate Malware Campaign Targets IT Firms Using Google Ads | A new malware campaign, GPUGate, targets IT and software development firms in Western Europe, leveraging Google Ads to mislead users into downloading malicious software. Attackers embed GitHub commits in URLs to direct users to counterfeit sites, exploiting trust in reputable platforms to deliver malware. The initial malware stage is a 128 MB MSI file, designed to evade detection by security sandboxes due to its size and GPU-based decryption mechanism. GPUGate uses GPU functions to decrypt payloads, bypassing virtual machines and older analysis environments that lack proper GPU drivers. The attack chain involves Visual Basic and PowerShell scripts to disable defenses, establish persistence, and execute secondary payloads for information theft. Indicators suggest the threat actors possess Russian language skills, with evidence pointing to a cross-platform strategy involving Atomic macOS Stealer. The campaign's sophistication challenges traditional detection methods, emphasizing the need for enhanced vigilance and adaptive security measures. |
| 2025-09-08 13:36:39 | bleepingcomputer | VULNERABILITIES | Action1 Offers Modern Alternative to Deprecated WSUS for Patch Management | Microsoft has officially deprecated Windows Server Update Services (WSUS), prompting IT administrators to seek modern alternatives for patch management. Action1, a cloud-native platform, presents an efficient alternative, offering rapid deployment without the need for server installation or complex configuration. Unlike WSUS, which only supports Microsoft products, Action1 extends patching to third-party applications, addressing significant security gaps. Action1's cloud-based approach eliminates the need for VPN connections, allowing seamless updates for remote and hybrid workforces. The platform supports policy-driven automation, enabling automatic deployment of critical patches and reducing manual intervention. Real-time dashboards and compliance reports enhance visibility and simplify audits, a notable improvement over WSUS's limited reporting capabilities. Action1 scales effortlessly in the cloud, providing consistent performance regardless of the number of endpoints managed, unlike the infrastructure-heavy WSUS. With a predictable cost model, Action1 reduces overhead compared to WSUS, which incurs hidden costs through licensing and maintenance. |
| 2025-09-08 13:21:07 | theregister | DATA BREACH | PACER Faces MFA Rollout Challenges Amid Cyberattack Concerns | PACER, the U.S. court document access system, is experiencing significant delays due to challenges in rolling out mandatory multi-factor authentication (MFA) for users. Users, including lawyers, report extensive wait times, with some experiencing up to five-hour delays when seeking support for MFA enrollment issues. The system's administrators have advised users to wait for email prompts before enrolling in MFA to reduce call center congestion. In response to the support delays, PACER has postponed its MFA enrollment deadline, opting for a phased implementation to manage the transition more effectively. A recent cyberattack on the U.S. Courts' case management system, reportedly linked to Russian actors, has exposed sensitive documents, prompting increased security measures. The attack exploited vulnerabilities dating back to 2020, highlighting the need for the U.S. Courts to modernize their IT infrastructure and enhance cybersecurity defenses. Collaboration with the Justice Department and Homeland Security is ongoing to mitigate risks and prevent future breaches, ensuring the protection of sensitive court records. |
| 2025-09-08 11:51:34 | theregister | VULNERABILITIES | CISA Warns of Active Exploitation of TP-Link Router Flaws | CISA has issued an alert regarding two vulnerabilities in TP-Link routers, CVE-2023-50224 and CVE-2025-9377, which are currently being exploited by unidentified attackers. The first flaw allows attackers to bypass authentication and retrieve credentials, while the second enables remote code execution on specific TP-Link router models. TP-Link's growing market share in the U.S., now at nearly 60%, raises concerns over potential security risks due to its connections with the Chinese government. An additional vulnerability in TP-Link's CWMP protocol could cause routers to crash, adding to the security challenges faced by users. Organizations are urged to prioritize patching these vulnerabilities as part of their cybersecurity management practices to mitigate exposure to potential attacks. The situation underscores the broader issue of balancing cost with security, as reliance on inexpensive hardware may lead to increased vulnerability risks. |
| 2025-09-08 11:23:59 | theregister | MISCELLANEOUS | UK Cabinet Reshuffle Impacts Tech and Digital Law Leadership | UK Prime Minister Sir Keir Starmer initiated a cabinet reshuffle, appointing Liz Kendall as the new science, innovation, and technology secretary, replacing Peter Kyle. The reshuffle follows Angela Rayner's resignation as deputy PM amid tax-related controversies, prompting changes in key ministerial roles. Liz Kendall will now oversee the Online Safety Act, a subject of debate due to privacy and censorship concerns. Peter Kyle transitions to secretary of state for business and trade after contributing to the Cyber Security and Resilience Bill and a tech upskilling partnership with Google. The reshuffle includes several new appointments, such as Jason Stockwood as minister for investment and Kanishka Narayan as under-secretary in DSIT. The changes aim to enhance public sector efficiency, with initiatives like the AI tool package "Humphrey" designed to streamline services. The reshuffle reflects ongoing efforts to position the UK as a leader in tech innovation and investment attraction. |
| 2025-09-08 10:08:59 | thehackernews | DATA BREACH | Salesloft-Drift Breach Exposes Salesforce Data of Major Tech Firms | A security breach involving Salesloft and Drift led to the theft of OAuth tokens, compromising the Salesforce data of numerous major tech companies. Companies such as Cloudflare, Google Workspace, and Palo Alto Networks were among those affected, highlighting the widespread impact of the incident. The breach is linked to a supply chain attack targeting the Drift marketing software-as-a-service product, emphasizing the vulnerabilities in third-party integrations. Salesloft plans to take Drift offline temporarily to conduct a comprehensive security review and enhance system resilience. The threat activity is tracked by Google and Cloudflare as UNC6395 and GRUB1, respectively, indicating coordinated efforts by advanced threat actors. This incident serves as a critical reminder of the importance of securing third-party integrations and maintaining robust supply chain defenses. Organizations are urged to review and strengthen their security measures to prevent similar breaches in the future. |
| 2025-09-08 09:27:43 | thehackernews | CYBERCRIME | Remote Hiring Fraud: New Frontline in Cybersecurity Threats | Organizations face a new threat as cybercriminals infiltrate companies by posing as legitimate remote hires, bypassing traditional phishing defenses. A report identified over 320 cases of North Korean operatives infiltrating firms with fake identities, marking a 220% increase year-over-year. These operatives use AI-generated profiles and deepfakes to pass interviews and background checks, targeting Fortune 500 companies. The scheme involves accomplices providing operatives with US-based setups, enabling data theft and salary diversion to North Korea. Companies risk operational paralysis by over-restricting access, which can lead to productivity issues and increased security exceptions. Implementing a Zero Standing Privileges (ZSP) approach can balance security and productivity, granting access only as needed. BeyondTrust Entitle offers a cloud solution to manage access dynamically, aligning with ZSP principles to prevent unauthorized access. Organizations are encouraged to pilot ZSP in sensitive systems to assess effectiveness and drive broader adoption. |
| 2025-09-07 17:23:41 | bleepingcomputer | CYBERCRIME | iCloud Calendar Exploited for Phishing via Apple's Email Servers | Cybercriminals are exploiting iCloud Calendar invites to send phishing emails that appear to originate from Apple's servers, potentially bypassing spam filters and reaching users' inboxes. The phishing emails mimic payment notifications, falsely claiming a $599 charge to the recipient's PayPal account and urging them to call a provided phone number. Victims are lured into contacting scammers who attempt to gain remote access to their computers, posing risks of financial theft, data loss, and malware deployment. The phishing tactic leverages legitimate Apple email addresses, passing SPF, DMARC, and DKIM checks and enhancing the perceived authenticity of the messages. The scam involves sending invites to a Microsoft 365 account, which forwards the emails to a mailing list, targeting multiple recipients simultaneously. Microsoft 365's Sender Rewriting Scheme (SRS) is used to pass SPF checks, ensuring the emails maintain their apparent legitimacy when forwarded. Users are advised to treat unexpected calendar invites with caution and verify the legitimacy of any suspicious messages claiming to be from trusted sources. |
| 2025-09-07 14:14:29 | bleepingcomputer | NATION STATE ACTIVITY | Czech Cyber Agency Advises Against Chinese Tech in Critical Sectors | The Czech Republic's cybersecurity agency, NUKIB, advises critical infrastructure organizations to avoid Chinese technology and data transfers to China due to elevated security risks. NUKIB's risk assessment of disruptions from China has been updated to a "High" level, indicating a significant probability of occurrence. The agency has confirmed malicious activities by Chinese cyber actors, including an APT31 campaign targeting the Czech Ministry of Foreign Affairs. Concerns include Chinese government access to data stored by private cloud services within China, posing risks to sensitive information. NUKIB's warning extends beyond infrastructure to consumer devices like smartphones and medical equipment, which may transfer data to Chinese servers. Critical sectors such as energy, healthcare, and finance must incorporate these threats into their risk analyses and implement mitigation strategies. While not legally binding, the guidance urges Czech entities to evaluate Chinese products and adopt necessary security measures. |
| 2025-09-06 18:59:46 | bleepingcomputer | MALWARE | VirusTotal Uncovers SVG-Based Phishing Campaign Targeting Colombia's Judiciary | VirusTotal's AI Code Insight detected a phishing campaign using SVG files to mimic Colombia's judicial system, bypassing traditional antivirus scans. The campaign employs SVG files to display HTML and execute JavaScript, creating fake portals with download prompts for malicious files. Users are deceived into downloading a password-protected zip archive containing a legitimate executable and a malicious DLL for malware deployment. VirusTotal identified 523 previously uploaded SVG files linked to this campaign, which had evaded detection until now. The discovery showcases the increasing use of SVG files in cyberattacks, exploiting their capability to embed executable scripts. VirusTotal's AI Code Insight enhances detection capabilities, providing context and efficiency in identifying emerging malicious campaigns. The campaign's sophistication, including visual cues and security tokens, emphasizes the need for robust security measures and user awareness. |
| 2025-09-06 15:18:39 | thehackernews | NATION STATE ACTIVITY | Noisy Bear Targets Kazakhstan Energy Sector in Phishing Campaign | Seqrite Labs has identified a new threat actor, Noisy Bear, targeting Kazakhstan's energy sector through Operation BarrelFire, potentially linked to Russian origins. The campaign specifically targets KazMunaiGas employees, using phishing emails with fake IT department documents to distribute malware. Attackers utilize compromised email accounts to send ZIP attachments containing LNK files that execute malicious scripts, leading to PowerShell loader deployment. The infrastructure supporting these attacks is hosted by Russia-based Aeza Group, a bulletproof hosting service sanctioned by the U.S. for aiding cyber activities. The campaign's tactics include deploying a DLL-based implant capable of launching a reverse shell for further exploitation. This development occurs alongside other regional cyber activities, including Belarus-linked campaigns targeting Ukraine and Poland for data collection and malware deployment. The broader geopolitical context involves ongoing cyber tensions, with implications for energy sector security and potential disruptions in Kazakhstan. |
| 2025-09-06 14:18:24 | bleepingcomputer | MALWARE | AI-Powered Malware Attack Compromises Thousands of GitHub Accounts | The "s1ngularity" attack on GitHub exploited a flawed workflow, affecting 2,180 accounts and exposing 7,200 repositories, with significant ongoing impact because many of the leaked secrets remain valid. Attackers leveraged a malicious version of the Nx package, widely used in JavaScript/TypeScript ecosystems, to deploy credential-stealing malware targeting Linux and macOS systems. The malware utilized AI platforms to harvest sensitive credentials, including GitHub tokens, npm tokens, SSH keys, and crypto wallets, showcasing advanced prompt-tuning techniques. GitHub responded by removing malicious repositories within eight hours, yet substantial data had already been exfiltrated, affecting both individual and organizational accounts. The attack unfolded in three phases, with private repositories being flipped to public, exposing additional accounts and repositories and further expanding the attack's reach. Nx's root cause analysis identified a pull request title injection vulnerability that led to token exfiltration; Nx has since implemented enhanced security measures, including two-factor authentication. The incident underscores the evolving threat landscape, where AI-driven malware presents heightened risks, necessitating robust security practices and proactive threat mitigation strategies. |
| 2025-09-06 06:48:58 | thehackernews | MALWARE | Malicious npm Packages Target Ethereum Developers for Wallet Theft | Four malicious npm packages were discovered impersonating Flashbots, designed to steal Ethereum wallet credentials from developers. The threat actor, identified as "flashbotts," uploaded these packages starting September 2023, with the latest in August 2025. These packages exfiltrate private keys and mnemonic seeds to a Telegram bot controlled by the attacker, exploiting developer trust. The "@flashbotts/ethers-provider-bundle" package is particularly dangerous, redirecting unsigned transactions to an attacker wallet. The packages disguise malicious activities under legitimate cryptographic utility functions, complicating detection and removal efforts. Vietnamese language comments in the code suggest the threat actor may be Vietnamese-speaking, indicating a targeted financial motivation. This incident underscores the critical need for vigilance in software supply chains, particularly in the Web3 development community. |
| 2025-09-05 20:13:36 | theregister | MALWARE | NYU Researchers Develop AI-Powered Ransomware Proof-of-Concept | Researchers from New York University created a proof-of-concept for AI-driven ransomware, named Ransomware 3.0, to explore the potential threat of AI in cyberattacks. The AI system can perform four phases of a ransomware attack, including generating customized Lua scripts, mapping IT systems, and identifying valuable files for extortion. The malware's polymorphic nature makes it difficult to detect, as it generates unique code for each system, even when executed multiple times on the same machine. During testing, the ransomware was uploaded to VirusTotal, leading to its discovery by ESET analysts who mistakenly believed it to be a real-world threat. The NYU team clarified that the binary is non-functional outside a lab setting, requiring significant modification for real-world use. This development signals a potential shift in ransomware tactics, with AI potentially enabling more targeted and sophisticated attacks. Security teams are advised to prepare for future AI-driven threats, as similar techniques could be adopted by cybercriminals. |
| 2025-09-05 19:50:33 | theregister | MALWARE | CastleRAT Malware Expands with New C and Python Variants | TAG-150, a criminal group, has developed CastleRAT malware in both Python and C, using social engineering to trick users into executing malicious commands. The C variant of CastleRAT is adept at harvesting keystrokes, capturing screens, and maintaining persistence, while the Python version focuses on evasion. CastleRAT spreads through ClickFix techniques, which involve fake login prompts convincing users to execute malware under the guise of system fixes. TAG-150's operations are sophisticated, leveraging encrypted communications via Tox Chat and hosting infrastructure across Russia and the Netherlands. The group operates a malware-as-a-service model, with a significant focus on American targets, complicating attribution efforts. Recorded Future advises monitoring network activity on ports 443, 7777, and 80, and warns against trusting established cloud providers blindly. TAG-150's history of developing multiple malware families suggests they may introduce new threats soon, necessitating vigilant cybersecurity defenses. |