Daily Brief

2025-09-01 08:29:39 | thehackernews | NATION STATE ACTIVITY | ScarCruft Employs RokRAT Malware Against South Korean Academics
ScarCruft, a North Korean-linked hacking group, launched Operation HanKook Phantom, targeting South Korean academics and former officials with RokRAT malware via spear-phishing emails. The attack begins with a deceptive email containing a ZIP file attachment, which includes a Windows shortcut masquerading as a PDF, leading to RokRAT deployment. RokRAT malware can collect system information, execute commands, and exfiltrate data using cloud services like Dropbox and Google Cloud, aiming for intelligence and espionage. A secondary campaign uses a PowerShell script to deploy malware, disguising network traffic as legitimate Chrome file uploads, further complicating detection efforts. The campaign underscores the persistent threat posed by APT37, employing sophisticated spear-phishing and fileless malware techniques to gather sensitive intelligence. This activity coincides with broader North Korean cyber operations, including sanctions by the U.S. Treasury against entities supporting North Korea's illicit revenue schemes. Organizations are advised to enhance email security measures and conduct regular threat assessments to mitigate risks from such advanced persistent threats.

2025-09-01 06:02:54 | theregister | VULNERABILITIES | Research Reveals Risks in Government Internet Traffic Routing
A study by Rashna Kumar reveals that government website traffic in 58 countries frequently crosses borders, raising security concerns about data exposure and interception risks. The research highlights that 23 to 43 percent of traffic paths to government services in countries like Malaysia and Norway route through third-country jurisdictions. Many less-developed countries route government traffic through offshore infrastructure and lack HTTPS encryption, increasing vulnerability to man-in-the-middle attacks. Kazakhstan, while keeping traffic domestic, relies heavily on a single telco, posing risks of service disruption if the telco is compromised. Canada, Sweden, and the USA distribute government traffic across multiple operators, enhancing resilience against technical failures and geopolitical issues. The study suggests that historical ties may influence current routing paths, as seen with Moroccan traffic frequently passing through Spain and France. Interactive maps detailing the research findings are available, providing insights into the internet traffic paths of 58 nations.

2025-09-01 01:22:39 | theregister | VULNERABILITIES | Critical WhatsApp and FreePBX Flaws Demand Immediate Attention
Meta disclosed a critical vulnerability in WhatsApp, CVE-2025-55177, potentially exploited in targeted attacks, allowing unauthorized URL content processing on devices. Amnesty International suggests the flaw is likely used by commercial surveillanceware vendors against journalists and human rights activists, raising privacy concerns. Apple recently patched a related zero-click vulnerability, CVE-2025-43300, indicating a trend of sophisticated exploits targeting mobile communication apps. FreePBX users face a critical CVSS 10 vulnerability enabling remote code execution; an emergency patch has been issued, stressing the need for immediate updates. Systems running outdated FreePBX versions remain vulnerable, prompting advisories to upgrade or risk exploitation by malicious actors. Organizations are urged to implement robust patch management and consider automatic updates to mitigate risks from such severe vulnerabilities.

2025-08-31 18:39:57 | bleepingcomputer | MALWARE | Brokewell Malware Targets Android Users via Fake TradingView Ads
Cybercriminals exploit Meta's ad platforms to distribute Brokewell malware through fake TradingView Premium app offers, targeting Android users interested in cryptocurrency. The campaign, active since July 22nd, uses approximately 75 localized ads to lure victims and affects Android devices specifically. Once installed, the malware gains extensive permissions, enabling it to steal sensitive data, monitor activity, and remotely control compromised devices. The malicious app mimics an Android update to obtain the device's PIN, further compromising security and user privacy. Bitdefender's investigation reveals the campaign's sophistication, with Brokewell possessing over 130 command capabilities for extensive data theft and device manipulation. This operation is part of a broader scheme that initially targeted Windows users through Facebook ads impersonating multiple well-known brands. Organizations and individuals should remain vigilant against such deceptive ads and ensure robust security measures on mobile devices.

2025-08-30 16:27:35 | bleepingcomputer | MALWARE | TamperedChef Infostealer Campaign Exploits Google Ads for Distribution
Cybercriminals are using Google ads to distribute TamperedChef, an info-stealing malware, through a deceptive PDF editing application called AppSuite PDF Editor. Over 50 domains host fraudulent apps signed with certificates from at least four companies, indicating a sophisticated operation. The campaign began in June, with malicious capabilities activated in August, allowing the malware to collect sensitive data like credentials and web cookies. TamperedChef utilizes the Data Protection Application Programming Interface (DPAPI) to access encrypted browser data, evading detection by security agents. Truesec and Expel researchers identified that the malware campaign also involves turning systems into residential proxies, further complicating detection and response. Code-signing certificates have been revoked, but existing installations remain at risk, emphasizing the need for vigilance and updated security measures. The operation includes additional apps capable of distributing malware, with indicators of compromise provided to aid in defense strategies.

2025-08-30 12:13:44 | thehackernews | MALWARE | Attackers Exploit Velociraptor Tool for Command-and-Control Operations
Cyber attackers have misused the Velociraptor forensic tool to deploy Visual Studio Code, establishing a command-and-control (C2) tunnel to an attacker-controlled server. The attack involved downloading an MSI installer via the Windows msiexec utility from a Cloudflare Workers domain, which served as a staging ground for additional malicious tools. By leveraging Velociraptor, attackers minimized the need for bespoke malware, signaling a tactical shift towards using legitimate incident response tools for malicious purposes. Sophos advises organizations to monitor unauthorized Velociraptor usage and consider it a precursor to ransomware, recommending robust endpoint detection and response systems. Parallel campaigns have exploited Microsoft Teams for initial access, using impersonation tactics to deploy remote access software and deliver malware. These campaigns bypass traditional email defenses, exploiting trust in collaboration tools, and employ techniques linked to ransomware groups like Black Basta. Security teams are urged to monitor audit logs and train users to identify IT/help desk impersonations to mitigate these evolving threats.

2025-08-30 04:38:31 | thehackernews | VULNERABILITIES | WhatsApp Patches Critical Zero-Click Exploit on iOS and macOS
WhatsApp released an emergency update to fix CVE-2025-55177, a critical vulnerability affecting iOS and macOS devices, discovered by its internal security team. The flaw allowed unauthorized processing of content from arbitrary URLs, potentially exploited in zero-day attacks targeting specific users. This vulnerability may have been used in conjunction with CVE-2025-43300, an Apple-disclosed flaw involving memory corruption in the ImageIO framework. Amnesty International's Security Lab noted that the attack impacted both iPhone and Android users, including civil society members. WhatsApp has alerted affected individuals, advising a full device reset and regular updates for enhanced security. The attack method, described as "zero-click," requires no user interaction, posing significant risks to journalists and human rights defenders. The identity of the threat actors or spyware vendors behind these sophisticated campaigns remains unknown.

2025-08-29 21:03:23 | theregister | VULNERABILITIES | Security Flaws in Pudu Robotics' Restaurant Robots Exposed
A cybersecurity researcher identified significant security vulnerabilities in Pudu Robotics' service robots, potentially allowing attackers to redirect or disable them. Pudu Robotics, a key player in the commercial service robot market, left admin controls inadequately secured, exposing them to potential exploitation. Attackers could exploit the robots by obtaining a valid authentication token, achievable through cross-site scripting or account setup. The vulnerabilities could lead to severe disruptions, such as redirecting food orders or executing a DDoS-style attack on restaurant operations. Initial attempts to alert Pudu Robotics were ignored, prompting the researcher to contact the company's restaurant clients directly. Following customer pressure, Pudu Robotics addressed the security flaws, illustrating the effectiveness of involving stakeholders in vulnerability disclosures. This incident serves as a reminder of the critical need for robust security measures in IoT devices, particularly those deployed in commercial environments.

2025-08-29 17:28:53 | thehackernews | VULNERABILITIES | Sitecore Platform Vulnerabilities Enable Cache Poisoning and Code Execution
Researchers at watchTowr Labs identified three new vulnerabilities in the Sitecore Experience Platform, potentially allowing remote code execution and unauthorized information access. Sitecore released patches for two vulnerabilities in June and a third in July 2025, addressing these critical security issues. The exploit chain combines a pre-authentication HTML cache poisoning flaw with a post-authentication remote code execution vulnerability. Attackers could exploit the ItemService API to enumerate HTML cache keys and send cache poisoning requests, leading to code execution. The vulnerabilities enable threat actors to inject malicious HTML code, with an unrestricted BinaryFormatter call providing the execution primitive. Organizations using Sitecore should apply the latest patches immediately to mitigate potential exploitation risks. This incident underscores the importance of regular security assessments and timely patch management to protect against evolving threats.

2025-08-29 17:20:57 | theregister | NATION STATE ACTIVITY | AWS Thwarts Russian APT29's Attempt to Compromise Microsoft Accounts
AWS disrupted a cyber-espionage effort by Russia's APT29, aiming to access Microsoft user accounts through a sophisticated watering hole attack. APT29, linked to Russia's SVR, is known for the 2020 SolarWinds breach and continues targeting Microsoft credentials. Attackers compromised legitimate websites, injecting JavaScript to redirect 10% of visitors to domains mimicking Cloudflare verification pages. The campaign involved tricking users into entering device codes, granting attackers access to Microsoft accounts and data. AWS confirmed no compromise of its systems, analyzing APT29's methods, including randomization and base64 encoding to evade detection. The scale and specific targets of the campaign remain unclear, but past attacks focused on governments, NGOs, academia, and defense sectors. This incident reflects APT29's ongoing evolution and adaptability in expanding their intelligence-gathering operations.

2025-08-29 16:34:49 | bleepingcomputer | VULNERABILITIES | WhatsApp Addresses Zero-Day Vulnerability in iOS and macOS Clients
WhatsApp has patched a zero-day vulnerability affecting its iOS and macOS clients, potentially exploited in sophisticated targeted attacks. The flaw, CVE-2025-55177, involved incomplete authorization in device synchronization, allowing unauthorized URL processing on targeted devices. This vulnerability, combined with an Apple OS-level flaw (CVE-2025-43300), was part of a complex attack against specific users, prompting emergency updates. WhatsApp has alerted potentially affected users, advising a device factory reset and regular updates to prevent further compromise. Amnesty International's Security Lab noted WhatsApp's warning to users about being targeted in an advanced spyware campaign over the past 90 days. In March, WhatsApp also patched another zero-day vulnerability linked to Paragon's Graphite spyware, affecting journalists and civil society members. These incidents underscore the importance of timely patching and maintaining updated security protocols to mitigate such sophisticated threats.

2025-08-29 15:57:07 | bleepingcomputer | VULNERABILITIES | Microsoft Enforces MFA for Azure Resource Management Globally
Starting October 2025, Microsoft will enforce multi-factor authentication (MFA) for all Azure resource management actions to enhance security against unauthorized access attempts. This initiative is part of Microsoft's Secure Future Initiative (SFI) and will be rolled out gradually across all Azure tenants worldwide. Users must enable MFA on Azure CLI, PowerShell, SDKs, and APIs to safeguard accounts from potential attacks, with specific version upgrades recommended for compatibility. Global administrators have the option to delay compliance until July 2026, allowing additional time for adaptation to the new requirements. Enforcement applies to all public cloud Azure tenants and includes automation and scripts using user identities, not just application IDs. A Microsoft study indicates that MFA-enabled accounts resist 99.99% of hacking attempts, significantly reducing the risk of compromise. This move aligns with Microsoft's broader strategy to increase MFA adoption, following similar enforcement on platforms like GitHub.

2025-08-29 13:23:07 | theregister | VULNERABILITIES | Passwordstate Urges Immediate Update to Fix Critical Access Vulnerability
Passwordstate's latest vulnerability affects up to 29,000 organizations and 370,000 IT professionals, including sectors like government, finance, and defense. The flaw allows attackers to exploit an authentication bypass using a "carefully crafted URL," granting full administrator access via the Emergency Access portal. Click Studios has released Passwordstate Build 9972, addressing the vulnerability and a related clickjacking issue, urging immediate updates. The vulnerability is rated "high" due to its ease of exploitation, though email alerts are triggered upon unauthorized access attempts. This is the fourth authentication bypass flaw identified in Passwordstate 9, raising concerns over the software's security posture. To mitigate risks, administrators are advised to restrict Emergency Access portal access by IP address and apply the latest patch. Organizations using Passwordstate should assess their exposure and ensure rapid deployment of security updates to maintain system integrity.

2025-08-29 13:23:07 | thehackernews | NATION STATE ACTIVITY | Amazon Thwarts APT29's Watering Hole Campaign Exploiting Microsoft Authentication
Amazon identified and disrupted a watering hole campaign linked to APT29, a Russian state-sponsored group, targeting Microsoft device code authentication to gather intelligence. The campaign involved compromising legitimate websites to redirect users to malicious domains mimicking Cloudflare, tricking them into authorizing attacker-controlled devices. APT29, also known as Cozy Bear, has been active in targeting Ukrainian entities and leveraging phishing techniques to access Microsoft 365 accounts. The threat actor employed evasion tactics like Base64 encoding and cookie settings to avoid detection and maintain persistence in their operations. Amazon's intervention forced APT29 to shift infrastructure, yet the group continued its efforts by registering new domains to sustain their attack strategy. This incident reflects APT29's adaptive capabilities and persistent focus on expanding their intelligence collection through sophisticated cyber operations. Organizations are urged to enhance monitoring and authentication security to mitigate risks from such advanced persistent threats.

2025-08-29 13:15:06 | thehackernews | NATION STATE ACTIVITY | Abandoned Sogou Zhuyin Server Exploited in Espionage Campaign
A hijacked server from the Sogou Zhuyin IME software was used in a targeted espionage campaign affecting users in Eastern Asia, with Taiwan being the most impacted. The campaign, named TAOTH, involved sophisticated malware delivery methods, including hijacked software updates and fake cloud storage pages, to collect sensitive data. Threat actors leveraged the abandoned domain sogouzhuyin[.]com to distribute malware families like GTELAM and C6DOOR, enabling remote access and data theft. The attack chain exploited the automatic update feature of Sogou Zhuyin, redirecting users to malicious domains to initiate the malware download process. Phishing tactics were also employed, using decoy documents and booby-trapped URLs to execute multi-stage attacks and gain unauthorized access to cloud services. The operation shares similarities with past activities by ITOCHU, indicating a persistent threat actor focused on reconnaissance and espionage. Organizations are advised to audit and remove unsupported software and scrutinize cloud application permissions to mitigate such threats effectively.