Daily Brief


Total articles found: 11809

2025-07-08 10:36:40 thehackernews CYBERCRIME Global Scam Using Fake News Sites to Promote Investment Frauds
CTM360 uncovered over 17,000 fake news websites fueling online investment scams across 50 countries. These sites mimic reputable news outlets like CNN and BBC, using fake articles to endorse fraudulent financial platforms. Scammers engage victims through ads with clickbait headlines and direct them to phony trading systems following initial contact. A two-phase scam process involves gaining trust via fake advisors and fake profit dashboards, followed by requests for money and personal information. The scams are sophisticated, utilizing local languages, media logos, and targeting specific regional audiences. Victims are induced to invest small initial amounts, which later escalate through pressure and manipulated profit displays. These schemes also harvest personal data for potential use in phishing, identity theft, and secondary scams. CTM360 tracks these fraudulent operations, providing takedown support and risk protection to affected regions and organizations.
2025-07-08 08:27:46 thehackernews MALWARE Batavia Spyware Targets and Steals Data from Russian Organizations
Russian firms are facing an ongoing cyber-espionage effort using a new malware dubbed Batavia, active since July 2024. The attack begins with phishing emails disguised as contract agreements, containing malicious links from the domain "oblast-ru[.]com." The malware deploys by downloading an encoded script which gathers system profiling data and introduces further malicious payloads for deeper infiltration. Batavia, written in Delphi, masquerades as a contract document to mislead victims while it silently collects various data types, including office documents and screenshots. The collected data is sent to another attacker-controlled domain, and the attack escalates further by downloading additional payloads targeting even more file types. Kaspersky has identified over 100 victims in several dozen organizations who have received these phishing emails in the last year, reflecting the attack's broad impact. The findings are part of a broader pattern of information-stealing campaigns, including another detailed instance dubbed NordDragonScan that affects Windows systems via similar attack vectors.
2025-07-08 08:05:03 theregister DATA BREACH Navigating Password Management Regulations and Compliance in 2025
A significant portion of data breaches in 2025 still involve stolen credentials, emphasizing ongoing issues with password security. Regulatory bodies worldwide are enforcing stricter guidelines on password management, stressing password length and the necessity of multi-factor authentication (MFA). The EU's updated NIS2 Directive and PCI-DSS 4.0 highlight these stringent requirements, potentially leading to severe consequences for non-compliance, including the removal of senior management. Organizations are finding it challenging to keep up with these evolving standards, risking regulatory actions and issues with cyber-insurance claims. Specops Software introduces tools like Password Auditor to help organizations assess and improve their compliance with password security best practices across various regulatory frameworks. These tools provide extensive reports and recommendations, helping close the audit visibility gap and ensure continuous monitoring of password policies. The Password Auditor tool offers a free, robust solution for organizations to evaluate their current password policies against compliance standards and identify potential vulnerabilities.
2025-07-08 06:29:58 theregister CYBERCRIME Scattered Spider's Phishing Campaign Targets Multiple Industries
Scattered Spider has created approximately 500 domains resembling corporate login pages to orchestrate phishing attacks across various sectors, impacting airlines, manufacturers, and restaurant chains. Although initially targeting the aviation industry, notably Qantas and other airlines, the criminal group has diversified its targets to include manufacturing, medical technology, financial services, and enterprise platforms. The fake domains are crafted to mimic legitimate portals like “victimname-servicedesk[.]com” or “victimname-okta[.]com”, intending to deceive employees into sharing login credentials. Check Point Research, which identified these domains, suggests the infrastructure might currently be in use or reserved for future attacks. Qantas recently experienced a breach involving the theft of 6 million customer records, followed by an attempt by the perpetrator to extort the airline in exchange for not leaking the data. The shift in Scattered Spider’s focus from insurance and retail sectors to a broader range of industries illustrates an adaptive and opportunistic attack strategy. There is ongoing engagement with law enforcement to address these security incidents, without evidence to date of leaked personal data from the reported breaches.
2025-07-08 05:13:09 thehackernews NATION STATE ACTIVITY CISA Flags Four New Flaws Due to Active Exploit Attempts
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog, adding four critical security flaws. These updates were prompted by actual incidents of exploitation by cybercriminals, particularly highlighting a vulnerability linked to a China-associated threat actor, Earth Lusca, using CVE-2019-9621 to install web shells and Cobalt Strike. New technical disclosures reveal significant issues in the Citrix NetScaler ADC system, specifically CVE-2025-5777, known as Citrix Bleed 2, which has also been actively exploited. Hackers exploit these Citrix vulnerabilities to steal sensitive data such as credentials and session tokens by manipulating memory read functions in the server. Federal Civilian Executive Branch (FCEB) agencies are urged to rectify these vulnerabilities by July 28, 2025, to mitigate potential security risks. Technical insights provided by watchTowr and Horizon3.ai indicate that attackers are compromising endpoints by crafting malicious HTTP requests aimed at data exfiltration.
2025-07-08 01:39:03 bleepingcomputer NATION STATE ACTIVITY Arrest of Chinese National Tied to Silk Typhoon Cyberespionage
Chinese national Xu Zewei was arrested in Milan for alleged links to the state-sponsored hacking group Silk Typhoon. Silk Typhoon, also known as Hafnium, has conducted cyberespionage against the U.S. and other nations, focusing on stealing sensitive data. Xu is accused of participating in the 2020 cyberattacks targeting COVID-19 vaccine researchers and healthcare organizations. The group attempted to steal intellectual property and public health data related to COVID-19 vaccines and treatments. Xu was apprehended at Milan's Malpensa Airport under an international warrant issued by the U.S. government. Recent activities of Silk Typhoon include campaigns against the U.S. Treasury's Office of Foreign Assets Control and cloud services to infiltrate networks. Xu is currently held in Busto Arsizio prison, with the U.S. seeking his extradition.
2025-07-07 23:02:40 bleepingcomputer CYBERCRIME Critical Citrix NetScaler Vulnerability Exposed, Immediate Patch Urged
Researchers released PoC exploits for a critical vulnerability in Citrix NetScaler, identified as CVE-2025-5777 and named CitrixBleed2, which attackers can exploit to steal user session tokens. The vulnerability allows attackers to extract memory contents from affected devices by sending malformed POST requests during login attempts. CitrixBleed2 enables extraction of approximately 127 bytes per request, potentially revealing sensitive data after numerous requests. Despite Citrix claiming there is no current exploitation, security findings suggest possible active exploitation, with indicators of memory dumping and session hijacking. Citrix has published patches for the vulnerability and recommends immediate application to prevent attacks. Observations from cybersecurity firms criticize Citrix's response and transparency concerning the exploit’s activity in the wild. All organizations using affected Citrix products are advised to review sessions for suspicious activity and terminate sessions as outlined in Citrix's guidelines.
2025-07-07 20:37:34 theregister CYBERCRIME Critical CitrixBleed 2 Exploits Unpatched, Posing Severe Risks
CVE-2025-5777, known as CitrixBleed 2, is a critical security flaw in Citrix NetScaler devices, rated 9.3 CVSS, allowing attackers to access sensitive information. Despite the availability of patches, a significant number of Citrix users have not updated their systems, leaving them vulnerable to attacks. Exploits for this vulnerability are actively circulating, with security firms releasing vulnerability analyses and proof-of-concept tools. CitrixBleed 2 enables attackers to bypass multi-factor authentication, hijack user sessions, and potentially gain access to critical systems. The exploit involves sending malformed HTTP requests to Citrix gateways, which then leak session tokens and other sensitive data due to improper memory handling. Security researchers from watchTowr and Horizon3.ai have detailed the exploit process, emphasizing its simplicity and high potential for abuse. Citrix has yet to respond with comments regarding the extent of the attacks or additional mitigation measures since the initial patch release.
2025-07-07 19:11:00 bleepingcomputer CYBERCRIME Insider Aided $140 Million Heist from Brazilian Banks
Hackers bribed an employee of C&M, a financial connectivity firm, to gain access to systems linked to Brazil’s Central Bank. The compromised employee, João Nazareno Roque, sold his credentials for approximately $920 and executed additional commands for $1,850. The attackers converted $30-40 million of the stolen funds to cryptocurrencies using various exchanges and OTC markets. Blockchain investigator ZachXBT is tracking the wallet addresses of the threat actors to assist in freezing the stolen funds. Brazilian police are conducting three separate investigations into the heist, though details about the hackers remain undisclosed. C&M maintains that their systems were not breached through technical vulnerabilities but via social engineering. The case reflects a trend of using simple attack methods effectively, including other instances such as a recent breach at Coinbase.
2025-07-07 18:31:12 bleepingcomputer MALWARE New Atomic macOS Infostealer Variant Adds Persistent Backdoor
Malware analysts identified a new version of the Atomic macOS infostealer, now enhanced with a persistent backdoor feature. The backdoor enables attackers to execute remote commands, survive system reboots, and maintain indefinite control over compromised Mac devices. This upgraded version of Atomic malware has potential access to thousands of devices globally, with prevalent attacks in the United States, France, Italy, the UK, and Canada. Initially reported in April 2023, Atomic malware is distributed as Malware-as-a-Service (MaaS) on Telegram, targeting data on macOS systems including files, cryptocurrency data, and browser-stored passwords. Shifts in distribution methods have been observed, moving from cracked software dissemination to targeted phishing attacks, particularly against cryptocurrency holders and freelancers. Technical details of the backdoor involve a core executable hidden in the user’s directory and a persistent script ensuring execution at system startup with elevated privileges. Enhanced evasion techniques include detecting sandbox or virtual machine environments and employing string obfuscation to hinder detection. The evolution and sophistication of the Atomic infostealer exemplify the rising threat to macOS users from organized cybercrime entities.
2025-07-07 17:30:24 thehackernews MALWARE SEO Poisoning Campaign Deploys Malware in Disguised AI Tools
Cybersecurity research reveals an SEO poisoning campaign targeting over 8,500 small and medium-sized business users with malware hidden in popular AI and collaboration tools. Fake websites impersonate legitimate software sources to distribute trojanized versions of tools like PuTTY and WinSCP, introducing Oyster backdoor malware upon installation. Malicious DLLs are employed for persistence, executing every three minutes to maintain the infection even after initial deployment. Recent incidents involve the misuse of search engine results to redirect users to phishing pages delivering Vidar Stealer and Lumma Stealer through concealed ZIP archives. Multiple malware types, including Legion Loader and RedLine Stealer, are being spread using diverse installation scripts and search engine manipulation strategies. The campaign also features a sophisticated attack using Google and Facebook ads to disseminate malware and phish for sensitive data, such as cryptocurrency wallet information. An increasing trend has been observed in the exploitation of trusted brands and tech support pages, redirecting users to scam numbers and fraudulent websites. Cybersecurity agencies stress the importance of downloading software and tools only from verified and official vendor sites to avoid such malicious traps.
2025-07-07 17:06:45 bleepingcomputer DATA BREACH Qantas Targeted in Extortion After Customer Data Theft
Qantas is currently being extorted following a cyberattack that exposed information for 6 million customers. The breached data includes names, email addresses, phone numbers, dates of birth, and frequent flyer numbers, but no financial or sensitive security details were compromised. Threat actors associated with the group Scattered Spider, known for sophisticated social engineering, are believed to be behind the attack. This group has previously targeted various sectors, including retail and insurance, and has recently focused on transportation and aviation industries. Qantas has engaged with the Australian Federal Police, Australian Cyber Security Centre, and other regulatory entities to investigate and manage the situation. Customers are advised to watch out for scams and phishing attempts utilizing the stolen data. Qantas emphasized it would not request sensitive information via unsecured communication. The attack was first detected due to abnormal activity in a third-party system used by a Qantas contact center.
2025-07-07 16:53:28 bleepingcomputer NATION STATE ACTIVITY Undocumented 'Batavia' Spyware Campaign Targets Russian Industries
'Batavia', an undocumented spyware, has been actively targeting numerous Russian industrial enterprises since at least July of the previous year. The spyware is spread through phishing emails featuring fake contract-related lures, significantly intensifying in activity since January 2025. Infected emails contain a malicious link disguised as a contract attachment, which downloads a harmful script that profiles the victim's system. Following the initial breach, Batavia deploys multiple payloads, including WebView.exe and javav.exe, which collect and exfiltrate data such as system logs, documents, and screenshots. The spyware presents fake contracts to distract victims while performing malicious activities in the background. Batavia's complex multi-stage attack involves data theft and system surveillance, suggesting the motive may be espionage focused on Russia’s industrial sector. The campaign's intensity and sophistication, including the use of a potential fourth payload, indicate a well-resourced actor likely targeting specific industrial insights.
2025-07-07 14:51:15 bleepingcomputer CYBERCRIME Hackers Exploit Leaked Red Team Tool for Infostealing Attacks
Shellter Elite, a tool designed for penetration testing, was abused by hackers following a leak by a customer. The incident involves the use of Shellter Elite to deploy infostealer malware such as Rhadamanthys, Lumma, and Arechclient2. Multiple attacks have been traced to a single leaked copy of Shellter Elite v11.0, utilized since at least April. Distribution of the malware was facilitated through YouTube comments and phishing emails. Shellter responded by releasing an updated version (v11.1) and refining its customer vetting process to prevent future leaks. Elastic Security Labs detected the misuse but faced criticism from Shellter for not promptly notifying them. Shellter reaffirmed its commitment to not supporting criminal activities and expressed readiness to cooperate with law enforcement. This incident represents the first misuse of Shellter products under its tightened licensing introduced in February 2023.
2025-07-07 12:06:32 theregister CYBERCRIME Surge in Identity Attacks Driven by Advanced Phishing Kits
Researchers have noted a 156% increase in cyberattacks targeting user logins, primarily due to advanced phishing kits and info-stealing malware. Identity-based attacks now constitute 59% of all security investigations, up significantly from the previous year. Financially motivated crimes such as business email compromise (BEC) and ransomware are becoming more prevalent due to these attacks. Phishing-as-a-Service platforms like Tycoon 2FA enable sophisticated attacks by providing pre-made phishing pages and tools to bypass multi-factor authentication for a monthly fee. The use of infostealers, which are cheaper than phishing services, allows criminals to purchase logs containing key credentials for as little as $10, though the efficacy of these stolen credentials is questionable due to their age. The ROI on identity-based attacks is exceptionally high, prompting hackers to continue and enhance these methods, undeterred by traditional protective measures. The adoption of passkeys, which utilize public key pairing and biometrics, is being accelerated to counteract the effectiveness of phishing and infostealers. eSentire emphasizes the need for organizations to adopt robust monitoring and rapid response strategies to mitigate the risks of identity-based attacks effectively.