Daily Brief


Total articles found: 11809

2025-07-16 09:15:14 thehackernews CYBERCRIME Learn to Counter AI-Enhanced Social Engineering Attacks
Social engineering attacks that employ generative AI and deepfake technology to create highly personalized scams are on the rise. Attackers use stolen branding, mimic executives, and clone communication channels such as emails and websites to deceive targets. Multi-channel impersonation campaigns are pervasive across email, LinkedIn, SMS, and support portals, targeting a broad audience. Increased use of AI by attackers results in faster adaptation and automation, reducing the effectiveness of traditional security measures. The webinar introduces Doppel's AI platform, which can detect and disrupt these sophisticated impersonation threats in real time. Key learning points include understanding attacker behavior, tracking campaigns across platforms, and responding to threats instantly. The intended audience includes security leaders, SOC teams, and professionals in risk, fraud, or threat intelligence. The webinar urges immediate proactive measures to defend against these evolving threats before they cause reputational or financial damage.
2025-07-16 08:29:38 theregister MISCELLANEOUS Adarma Enters Administration, Staff Terminated and Unpaid
UK cybersecurity firm Adarma has entered administration, with all operations ceasing immediately. Joint administrators Will Wright and Alistair McAlinden of Interpath Advisory were appointed following the company's financial struggles, after investor Livingbridge pulled its funding and major contracts were lost. Staff were informed of the immediate termination of their roles in an urgent meeting, with follow-up communications stressing the cessation of operations. Former employees reportedly express concern over unpaid wages for July and potential non-payment of owed overtime, despite having been paid for the previous month. The future of the company appears bleak, as prospective buyers showed interest only in its dwindling client list rather than its operational assets. More than 170 employees across Scotland and England are likely to lose their jobs; they have received redundancy information but face financial uncertainty. The redundancy package, the handling of the staff layoffs, and the locking of company devices have been managed by the administrators, indicating a structured wind-down process.
2025-07-16 08:01:52 thehackernews NATION STATE ACTIVITY Google Patches Critical Zero-Day Exploit in Chrome Browser
Google has issued an update for Chrome, addressing a critical vulnerability, CVE-2025-6558, actively exploited in the wild. The security flaw, rated 8.8 CVSS, involves inadequate validation of untrusted input in the browser's ANGLE and GPU components, enabling attackers to escape Chrome’s sandbox. Discovered by Google's Threat Analysis Group, the flaw's exploitation hints at possible nation-state involvement. This is one of five zero-day vulnerabilities patched in Chrome this year, all either actively exploited or demonstrated as PoC. Users are urged to update their Chrome to the latest versions available for Windows, macOS, and Linux to mitigate risk. The vulnerability allows attackers to execute attacks directly from a malicious webpage without any user interaction like downloads or clicks. Browsers using the Chromium engine, including Microsoft Edge and Opera, should also update promptly as the same vulnerabilities may affect them.
2025-07-16 07:47:30 thehackernews MISCELLANEOUS Google AI Detects Critical SQLite Vulnerability Before Exploitation
Google's AI, Big Sleep, preemptively identified a critical vulnerability in the SQLite database engine, preventing potential exploitation. The detected issue was a memory corruption flaw, tracked as CVE-2025-6965, with a high-risk CVSS score of 7.2. The AI-driven discovery was part of a collaboration between Google DeepMind and Project Zero, highlighting the use of AI in cybersecurity. The vulnerability could be triggered through injected SQL statements, leading to an integer overflow and unauthorized data access. Google cited the incident as the first known instance in which an AI directly prevented a cyber attack by predicting and addressing a software vulnerability before it was exploited. Concurrently, Google released a white paper outlining the implementation of secure AI systems, emphasizing a balanced approach that combines traditional security controls with AI reasoning capabilities. The white paper stressed the importance of enforced operational boundaries for AI agents to prevent adverse outcomes from sophisticated attacks or unexpected inputs. Google aims to refine its AI security measures by incorporating multiple layers of defense to ensure robust protection against emerging threats.
2025-07-15 23:04:49 theregister MISCELLANEOUS Curl Founder Considers Halting Bug Bounty Over AI Misuse
Curl's bug bounty program is inundated with low-quality, AI-generated security reports, leading its maintainers to consider discontinuing it. Daniel Stenberg, the creator of curl, has noticed a significant increase in so-called "AI slop," with about 20% of all submissions in 2025 being low-quality due to AI tools. The small curl security team, consisting of only seven members, finds it challenging to manage the growing number of reports, which arrive at around two per week. Only about 5% of the submissions in 2025 turned out to be genuine vulnerabilities, a notable decrease in validity from previous years. The bug bounty program, managed by HackerOne, discourages but does not ban AI-assisted submissions and advises thorough verification of AI-generated reports. Stenberg is exploring potential solutions such as imposing a fee for report submissions or entirely removing the financial incentives to curb the misuse of AI in reporting. Sifting through the surge of ineffective and incorrect reports takes an emotional toll and a significant time investment from the curl security team.
2025-07-15 22:10:19 theregister CYBERCRIME Ex-Soldier Pleads Guilty to Extortion via Telecom Hacks
Former U.S. Army soldier Cameron John Wagenius pleaded guilty to conspiracy-related charges including wire fraud and aggravated identity theft. Wagenius, who operated under the alias "kiberphant0m," confessed to participating in schemes that targeted telecom companies with the intention of extorting over $1 million. The hacking activities were conducted while Wagenius was still on active duty, using tools such as "SSH Brute" to breach telecom networks. Alongside co-conspirators, Wagenius accessed and sold telecom data, funding additional illicit activities including SIM swapping attacks. The group used cybercrime forums such as BreachForums and XSS.is to facilitate their extortion and the sale of stolen data. Wagenius also explored defecting to countries without U.S. extradition and had previously attempted to sell information to foreign intelligence. The illegal access extended to telecom giants such as AT&T and to the data of prominent public figures, elevating the severity of the breaches. Scheduled for sentencing on October 6, Wagenius faces over 20 years in prison for his role in the hacking and extortion operations.
2025-07-15 20:01:24 bleepingcomputer CYBERCRIME Abacus Dark Web Market Disappears in Suspected Exit Scam
Abacus Market, a major darknet marketplace, has abruptly gone offline, hinting at a possible exit scam. The market, which launched in 2021 and boasted a 70% market share by 2023, handled nearly $300 million in transactions, primarily in Bitcoin and Monero. TRM Labs suggests the sudden shutdown could be either an exit scam or a covert law enforcement operation, although no official announcements have been made. In its peak month of June, Abacus facilitated transactions worth $6.3 million, but volume fell drastically to $13,000 per day in early July due to withdrawal issues and diminishing user trust. The site's administrator cited a DDoS attack and a surge in new users as reasons for withdrawal delays before the site's complete disappearance. The community and users leaned towards the exit scam explanation for the shutdown, with no evidence of FBI involvement or law enforcement action at the time of closure.
2025-07-15 17:56:29 bleepingcomputer NATION STATE ACTIVITY North Korean Hackers Deploy Malware via npm in Ongoing Campaign
North Korean-backed threat actors have deployed 67 malicious npm packages to distribute the XORIndex malware, amassing over 17,000 downloads. The campaign, known as Contagious Interview, targets developers with deceptive job offers to get them to execute malicious code and breach otherwise secure environments. XORIndex Loader, deployed via a post-install script in the npm packages, profiles victims and retrieves further JavaScript payloads from a C2 server. Follow-on payloads include the BeaverTail and InvisibleFerret backdoors, enabling data theft and additional malware downloads. The attackers use a mix of new and retooled malware, maintaining a persistent threat even after npm repository clean-ups. Socket researchers highlighted the need for npm users to scrutinize packages for authenticity and to run new libraries in safe, isolated environments. Continual variation in the malicious npm packages makes detection and prevention challenging for defenders.
2025-07-15 16:55:16 bleepingcomputer CYBERCRIME International Police Dismantle Romanian Ransomware Gang 'Diskstation'
An international law enforcement operation, "Operation Elicius," successfully dismantled a Romanian ransomware gang targeting NAS devices. The gang, known as 'Diskstation,' disrupted business operations in Lombardy by encrypting company data and demanding ransoms in cryptocurrency. Diskstation targeted Synology Network-Attached Storage (NAS) devices globally, exploiting internet-exposed systems since 2021. Ransom demands ranged from $10,000 to hundreds of thousands of dollars. Forensic and blockchain analyses led to the identification and arrest of suspects in Bucharest, including a 44-year-old man believed to be the primary operator. Victims of the ransomware included graphic and film production companies, event organizers, and NGOs involved in civil rights and charity. Europol coordinated the operation involving French and Romanian police forces. Recommendations for NAS device security include updating firmware, disabling unnecessary services, avoiding internet exposure, and restricting access through VPNs.
2025-07-15 16:30:54 thehackernews DDOS Record 7.3 Tbps DDoS Attack Marks Q2 2025 Cybersecurity Threat Surge
Cloudflare reported a drop in the total number of DDoS attacks it mitigated, from 20.5 million in the previous quarter to 7.3 million in Q2 2025. At the same time there was a significant rise in hyper-volumetric DDoS attacks, averaging 71 per day, including a record-setting 7.3 Tbps attack. Research showed that 70% of HTTP DDoS attacks were launched from known botnets, with a notable rise in application-layer threats. Geographical insights revealed that the most targeted locations were China, Brazil, and Germany, with Indonesia and Singapore as the primary sources of DDoS attacks. Hyper-volumetric attacks exceeding 100 million packets per second rose by 592% compared to the prior quarter. There was a 68% increase in ransom DDoS attacks, in which attackers demand payment to cease or prevent an attack. Cloudflare highlighted the emergence of the DemonBot botnet, which primarily exploits IoT devices, emphasizing the need for improved security measures. The report suggests growing complexity in DDoS tactics, involving both volume-based attacks and sophisticated probing techniques used to find and exploit weaknesses.
2025-07-15 15:35:17 thehackernews CYBERCRIME GLOBAL GROUP RaaS Utilizes AI for Ransom Negotiations, Expands Reach
GLOBAL GROUP, a new ransomware-as-a-service operation, targets various sectors globally, including in Australia, Brazil, Europe, and the United States. Originally known as BlackLock, the operation rebranded after a data leak incident and traces its lineage back to the Mamona ransomware. The operation utilizes artificial intelligence in its negotiation tools to allow non-English speaking affiliates to manage ransom negotiations more effectively. Affiliates gain network entry through partnerships with initial access brokers exploiting vulnerabilities in edge appliances and by using brute-force on Microsoft services. The ransomware can be tailored for different environments like VMware ESXi, NAS, BSD, and Windows, with a high revenue-sharing model to attract more affiliates. As of mid-July 2025, GLOBAL GROUP has claimed 17 victims across diverse sectors including healthcare, industrial machinery, automotive, and business process outsourcing. Despite a wider decline in ransomware incidents in 2025, this group indicates the evolving sophistication and persistence of cybercriminals in the ransomware arena.
2025-07-15 13:15:41 bleepingcomputer MALWARE New Konfety Android Malware Evades Detection, Mimics Legitimate Apps
A new variant of the Konfety Android malware uses malformed ZIP structures and other obfuscation techniques to escape detection. The malware disguises itself as legitimate apps available on Google Play but instead delivers ads, redirects users to malicious sites, and exfiltrates data. The disguised malware uses the CaramelAds SDK to display hidden ads, pushing unwanted app installations and fake notifications. Konfety carries an encrypted secondary DEX file within the APK that is loaded dynamically, enabling additional malicious modules to be added at runtime. The malware employs unusual anti-analysis strategies, such as setting the General Purpose Bit Flag to falsely declare encryption and declaring the unsupported BZIP compression method. Researchers from Zimperium and Human have highlighted how the malware evades standard static analysis tools, making it hard to reverse-engineer. Konfety actively hides its presence after installation, adjusting its visibility and behavior based on the geographical location of the device. The researchers reiterate the advice against downloading APKs from third-party sources, given the heightened risk of encountering disguised or malicious apps.
2025-07-15 11:14:26 thehackernews NATION STATE ACTIVITY State-Backed HazyBeacon Malware Targets SE Asian Governments
A new Windows backdoor, HazyBeacon, is being used to steal sensitive data from Southeast Asian government agencies. This malware campaign, identified as CL-STA-1020 by Palo Alto Networks Unit 42, involves state-backed actors exploiting legitimate cloud services to remain undetected. HazyBeacon employs DLL side-loading, tricking a system into executing malicious code disguised as a legitimate DLL file to establish persistence and control. The malware utilizes Amazon Web Services (AWS) Lambda URLs for command and control communication, exploiting serverless functions to conduct its operations covertly. Additional tactics include using popular cloud storage services like Google Drive and Dropbox for data exfiltration, blending malicious traffic with normal user behaviors. The attackers focus on collecting documents, particularly those related to recent tariffs and trade disputes, and ensure robust cleanup to minimize forensic evidence of their activities. Despite innovative exfiltration methods, Palo Alto Networks successfully prevented some data uploads during their investigations.
2025-07-15 11:03:17 thehackernews CYBERCRIME Enhancing Security Protocols for AI Agent Authentication
AI agents frequently require authentication through high-privilege API keys, OAuth tokens, or service accounts, posing significant security risks. Non-human identities (NHIs) now outnumber human accounts in cloud environments, making them attractive targets for attackers. Successful security strategies for NHIs involve implementing "human-grade" controls across their lifecycle, from creation to retirement. Astrix's platform offers comprehensive solutions such as automated discovery of AI agents and NHIs, lifecycle management, and threat detection and response. Initial deployments of Astrix's platform can achieve significant security improvements, including automated discovery of unauthorized access and credential reduction, within the first 30 days. Companies using Astrix have reported substantial compliance gains and operational efficiencies, leading to faster release cycles and reduced manual workload. Implementing proactive and automated security measures ensures robust protection for AI agents and NHIs, safeguarding enterprise systems from potential cyber threats.
2025-07-15 10:55:20 thehackernews MALWARE Rising Global Threat from Variants of AsyncRAT Malware
AsyncRAT, an open-source remote access trojan first released on GitHub in 2019, has spawned several dangerous variants. The malware's plug-in-based architecture makes it easy to modify, accelerating the spread of multiple new threats. Variants such as DCRat and Venom RAT have introduced advanced evasion techniques and additional malicious capabilities such as data theft and system surveillance. These variants derive from AsyncRAT but include significant enhancements over the original, indicating a major evolution rather than simple forks. The open-source nature of AsyncRAT lowers the barrier to entry for cybercriminals, enabling even inexperienced actors to deploy sophisticated attacks. Rapid adaptation and customization of the malware underscore a growing and complicated threat landscape. Security researchers emphasize the need for heightened awareness and upgraded defense mechanisms to counter such widely proliferated malware.