Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-24 09:14:44 | thehackernews | NATION STATE ACTIVITY | APT28 Targets Ukraine with BEARDSHELL, COVENANT Malware Via Signal | CERT-UA disclosed a campaign by Russian-linked APT28 using Signal chat to deliver malware in Ukraine. Two new malware types, BEARDSHELL and COVENANT, were identified, employing techniques like downloading and executing PowerShell scripts. BEARDSHELL was first spotted in March-April 2024 in a Windows system, initially without clear infection vectors. Traces of unauthorized access were later linked to a "gov.ua" email and exploitation of XSS vulnerabilities in webmail software. The malware distribution method involves a macro-laced Word document dropped through Signal, triggering payloads and registry modifications once opened. The COVENANT framework downloads additional payloads to launch the BEARDSHELL backdoor. CERT-UA has advised monitoring network traffic related to specified malicious domains to mitigate risks, highlighting targeted attacks on outdated webmail applications. | Details |
| 2025-06-24 06:35:21 | theregister | MISCELLANEOUS | Psylo Browser Enhances Privacy by Unique Digital Fingerprinting | Psylo, a new private browser, aims to enhance user privacy by isolating each browser tab with unique IP addresses and anti-fingerprinting measures. Developed by Mysk, a Canada-based software firm, Psylo uses WebKit to ensure that each tab operates in a separate "silo," making it challenging for marketers to track users. The browser includes features like canvas randomization and per-silo adjustments of the browser's time zone and language to guard against tracking. It uses the Mysk Private Proxy Network to anonymize user IP addresses, and does not store any personally identifiable information or browsing data. Psylo's release coincides with a new report highlighting the extensive use of browser fingerprinting for ad tracking, despite privacy regulations like GDPR. Psylo offers encrypted TLS communications and blocks plain-text HTTP traffic, making it more secure than typical VPN solutions. Available on iOS and iPadOS, Psylo could expand to Android based on user reception; it's currently priced at $9.99 per month or $99 annually. | Details |
| 2025-06-24 03:06:36 | thehackernews | NATION STATE ACTIVITY | China-Linked Cyber Espionage Targets Canadian Telecom via Cisco Flaw | The China-linked Salt Typhoon exploited a critical vulnerability in Cisco IOS XE software, CVE-2023-20198, to infiltrate a major Canadian telecommunications provider. Salt Typhoon's activities involved modifying network configuration files to create a GRE tunnel for collecting traffic, indicating espionage intent. The cyberattacks by Salt Typhoon have raised concerns beyond the telecommunications sector, potentially affecting multiple networks and additional devices. The U.S. FBI and the Canadian Centre for Cyber Security issued advisories highlighting the threat of Salt Typhoon targeting telecommunications networks as part of an espionage campaign. Investigations revealed that similar methods and vulnerabilities were used by Chinese state-sponsored actors to infiltrate telecom and internet firms in the U.S., South Africa, and Italy. The U.K. NCSC also reported the discovery of two malware families, SHOE RACK and UMBRELLA STAND, targeting Fortinet devices, with some links to Chinese threat actors. These incidents underscore the ongoing threat posed by state-sponsored cyber activities targeting critical infrastructure for espionage and data exfiltration purposes. | Details |
| 2025-06-23 23:49:05 | theregister | NATION STATE ACTIVITY | Chinese Hackers Use LAPD Spoofing in Major Infrastructure Attack | A sophisticated cyber campaign led by China's ‘Typhoon’ hacking groups has targeted over 1,000 devices, primarily in the US and Southeast Asia. Intruders use fake TLS certificates that appear to be issued by the Los Angeles Police Department to access critical infrastructure. Victims are mostly outdated routers and IoT devices, exploited to build a covert operational relay box (ORB) network to obscure cyberattack origins. These ORB networks allow traffic to appear as if it is coming from local IP addresses, complicating tracking efforts and facilitating cyberattacks on victims. Five regions (the US, Japan, South Korea, Taiwan, and Hong Kong) are heavily affected, together accounting for 90% of infected devices. Compromised devices, predominantly old and unpatched, include Linux-based systems from Ruckus Wireless and Buffalo Technology. The campaign deploys a custom backdoor named ShortLeash, allowing persistent control to facilitate future malicious operations possibly aimed at critical infrastructure disruption. Security analysts recommend heightened monitoring for unusual encrypted traffic from residential IPs on high port numbers to detect such malicious activity. | Details |
| 2025-06-23 22:21:42 | bleepingcomputer | NATION STATE ACTIVITY | APT28 Exploits Signal to Deploy Novel Malware in Ukraine | APT28, a Russian state-backed cyber group, employed Signal messaging to target Ukrainian government entities with new malware variants, BeardShell and SlimAgent. The threat was initially spotted by Ukraine's CERT-UA in March 2024, uncovering novel tactics involving Signal but limited information on the exact infiltration methods. In May 2025, ESET discovered unauthorized activity in a gov.ua email account, leading to further investigations that unearthed the use of Signal for delivering malicious documents. The malware, delivered via an encrypted Signal message, includes a document that activates Covenant, a malware loader for further infections using complex payloads. BeardShell executes through DLL files and encrypted PowerShell scripts, ensuring persistence on the system and covert communication via a third-party API. SlimAgent, a separate screenshot-capturing tool, secures data using AES and RSA encryption, indicating sophisticated data exfiltration techniques. APT28’s continuous targeting of Ukraine highlights ongoing cyberespionage, and CERT-UA urges monitoring of specific network interactions such as those with app.koofr.net and api.icedrive.net. Despite its secure communication claims, Signal faced criticism from Ukrainian officials over perceived non-cooperation in mitigating such security threats. | Details |
| 2025-06-23 18:48:55 | theregister | NATION STATE ACTIVITY | Heightened U.S. Cybersecurity Risks Following Airstrikes on Iran | The Department of Homeland Security (DHS) warns of increased cyberattacks from Iran and pro-Iranian hacktivists following U.S. airstrikes on Iranian nuclear facilities. The Iranian government and hacktivists have previously targeted U.S. networks, mainly exploiting weak security to initiate disruptive attacks. Tehran's cyber capabilities involve methods like using custom malware and default passwords to infiltrate U.S. water and fuel management systems, though their impact has often been overstated. Recent disruptions mirror potential future threats, including wiper and malware attacks on critical sectors like government, finance, and utilities, as anticipated by cybersecurity experts. Iran has dabbled in ransomware and is expected to escalate DDoS campaigns, alongside disinformation strategies including deepfake propaganda and social media manipulation. Cyberespionage remains a significant threat, with Iranian operatives targeting both institutional and personal accounts to gather sensitive geopolitical and personal information. U.S. citizens remain at risk of both cyber and physical threats linked to Iranian activities, with law enforcement continuously disrupting Iranian-backed lethal plots within the U.S. | Details |
| 2025-06-23 16:50:11 | bleepingcomputer | MALWARE | New SparkKitty Malware Steals Photos and Crypto from Mobile Devices | A new malware, SparkKitty, identified on Google Play and the Apple App Store, targets photos and cryptocurrency data. SparkKitty is likely an evolution of SparkCat, using optical character recognition (OCR) to detect and steal crypto wallet seed phrases from images. The malware has spread through legitimate app stores and affects both Android and iOS devices via apps and fake frameworks. Malicious activities involve stealing all images from device galleries, which could be used for crypto theft or potentially for extortion. Indicators on mobile devices include an app requesting access to the photo gallery and indiscriminately uploading images and text. The official response includes app removals from stores, developer bans, and protective measures like Google Play Protect. Recommendations for users include closer scrutiny of app permissions and avoiding storing sensitive wallet information on mobile devices. | Details |
| 2025-06-23 16:23:39 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Warns of Increased Iranian Cyber Threats Amid Conflict | The U.S. Department of Homeland Security (DHS) issued a warning about the escalating danger of cyberattacks from Iran-backed hackers and pro-Iranian hacktivists. A National Terrorism Advisory System bulletin highlighted a heightened threat environment in the U.S. due to ongoing conflicts involving Iran. The DHS advisory noted an increased likelihood of U.S.-based violent extremists being incited by potential religious rulings from Iranian leadership. Previous attacks have involved poorly secured U.S. networks, often targeted by Iranian government-affiliated hackers and independent hacktivists. U.S., Canadian, and Australian authorities noted increased Iranian hacker activity in sectors like healthcare, government, and energy, employing methods like password spraying and MFA fatigue. The advisory named an Iranian threat group, Br0k3r, linked with state-sponsored activities including selling access to breached networks for ransomware attacks. The escalated cyber threat level follows recent U.S. military actions against key Iranian nuclear facilities. Iran's Foreign Minister warned of "everlasting consequences," signaling potential escalatory actions in cyberspace and beyond. | Details |
| 2025-06-23 16:06:37 | thehackernews | CYBERCRIME | Echo Chamber Technique Subverts AI Content Filters Successfully | Researchers have identified a new method, "Echo Chamber," which effectively manipulates large language models (LLMs) like those from OpenAI and Google into producing undesirable content despite implemented security measures. Echo Chamber uses indirect references and multi-step reasoning to subtly guide LLMs into generating responses that violate content policies. This method contrasts with previous tactics by progressively steering the conversation without obvious adversarial prompts, making it harder for models to detect and block. In tests, Echo Chamber attacks showed a success rate of over 90% in prompting LLMs to generate harmful content on topics like sexism, violence, and hate speech. The technique highlights significant vulnerabilities in model safety mechanisms, suggesting that as LLMs enhance their inference capabilities, they also become more susceptible to indirect forms of manipulation. Another related method, coined "Crescendo," involves a series of progressively malicious questions, demonstrating that multiple attack vectors are possible by exploiting an AI's extensive context window. The study underscores the ongoing challenges in aligning LLM behaviors with ethical standards and maintaining robust defenses against evolving exploitation strategies. | Details |
| 2025-06-23 15:55:54 | theregister | DATA BREACH | Second Major Cyberattack Hits McLaren Health, Affects 743K Patients | McLaren Health Care experienced its second major cybersecurity incident within a year, affecting 743,131 individuals at Detroit’s Karmanos Cancer Institute, which is part of McLaren’s network. The breach, which occurred on July 17, 2024, but was undetected until August 5, involved unauthorized access that compromised personal and protected health information. McLaren is currently notifying affected individuals and has filed a breach notification with Maine's attorney general; the incident was not explicitly labeled as a ransomware attack, although it was claimed by a group called INC. In response to the incident, McLaren is implementing additional safety measures and offering 12 months of free credit monitoring to those impacted. No evidence suggests that the stolen data has been misused, according to McLaren’s communication. This recent breach follows a prior incident in July 2023, where data pertaining to 2.5 million people was reportedly compromised by the ALPHV/BlackCat group. Despite these breaches, McLaren has not faced regulatory penalties, though several law firms are investigating and considering class action lawsuits. McLaren and Karmanos have yet to respond to requests for further information regarding the breach. | Details |
| 2025-06-23 15:27:04 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Exploit Cisco Flaw in Canadian Telecom Breach | The Chinese state-sponsored hacking group Salt Typhoon exploited a critical vulnerability in Cisco IOS XE software to breach a Canadian telecom provider in February 2025. This vulnerability, identified as CVE-2023-20198, allows unauthenticated remote attackers to create accounts with admin-level privileges; it was initially disclosed and exploited as a zero-day in October 2023. Despite previous breaches and warnings, the affected telecom provider had not applied the necessary patches to prevent exploitation. Salt Typhoon's activities included retrieving and modifying configuration files of network devices to establish a GRE tunnel for traffic interception. Canadian authorities had observed reconnaissance activity by the same group targeting multiple sectors in October 2024, but no breaches were confirmed at that time. The attacks, which have extended beyond telecommunications to other critical industries, involve data theft potentially used for lateral movement and supply chain attacks. The Canadian Cyber Centre warned that such attacks are likely to continue, urging increased network protection, especially for telecommunication providers handling sensitive data. Salt Typhoon has previously targeted multiple major telecom companies globally, demonstrating a pattern of strategic, state-sponsored espionage. | Details |
| 2025-06-23 15:19:16 | thehackernews | NATION STATE ACTIVITY | DHS Alerts on Pro-Iranian Cyber Threats to U.S. Networks Amid War | The U.S. has conducted airstrikes on Iranian nuclear sites, escalating the Iran–Israel war that has been ongoing since June 13, 2025. Following these military actions, the Department of Homeland Security (DHS) has issued warnings about potential retaliatory cyber attacks from pro-Iranian groups. The DHS indicates a likely increase in low-level cyber attacks and potential significant threats from Iranian government-affiliated cyber actors targeting U.S. networks. These cyber threats primarily aim at poorly secured U.S. networks and Internet-connected devices, raising concerns over cybersecurity vulnerabilities. The attacks include potentially disruptive actions, with a recent example being the DDoS attack by the pro-Iranian group Team 313 on Trump's Truth Social platform. President Trump has deemed the strikes a “spectacular military success” and has threatened further action if peace overtures are not made by Tehran. | Details |
| 2025-06-23 15:13:10 | bleepingcomputer | CYBERCRIME | REvil Ransomware Members Released After Time Served in Russia | Four members of the REvil ransomware gang were released by the Russian courts after pleading guilty to carding and malware distribution, having served their pre-trial detention. Arrested initially in January 2022, these individuals were part of a larger group involved in significant global cybercrimes, including the notorious Kaseya attack. Other REvil members who did not plead guilty received sentences ranging from 4.5 to 6 years on various charges including illegal circulation of payment means and distribution of malware. REvil, known for demanding large ransoms, had allegedly accrued over $100 million within a year before law enforcement pressure led to a temporary cessation of its operations. The group resumed activities briefly before being infiltrated by law enforcement, leading to further arrests and the eventual claim by the Russian FSB that it had dismantled the criminal community. The breakdown in U.S.-Russia cybersecurity communications following the Ukraine conflict has affected negotiations and cooperative efforts to manage cybercrime activities linked to REvil. The history of REvil’s activities and the recent legal outcomes highlight significant challenges in international efforts to combat ransomware and cybercrime. | Details |
| 2025-06-23 14:29:48 | bleepingcomputer | DATA BREACH | McLaren Health Care Hit by Ransomware, 743,000 Patients Affected | McLaren Health Care suffered a significant data breach impacting 743,000 patients, attributed to the INC ransomware gang's attack in July 2024. The data breach was discovered on August 5, 2024, following an IT and phone systems outage at the beginning of that month. Forensic investigations were completed by May 5, 2025, determining the extent of the affected patients and data, with notifications beginning shortly thereafter. The breach affected systems including those of the Karmanos Cancer Institute, with ongoing implications for patient data security. An employee inadvertently exposed the ransomware attack after ransom notes were automatically printed at a Bay City hospital. McLaren Health Care has a history of cybersecurity issues, having previously suffered another ransomware attack in July 2023 by the ALPHV/BlackCat group that compromised sensitive data of 2.2 million individuals. The latest incident underscores persistent vulnerabilities in healthcare systems to ransomware attacks and the critical need for enhanced cybersecurity measures. | Details |
| 2025-06-23 13:16:17 | thehackernews | NATION STATE ACTIVITY | XDigo Malware Targets Eastern European Governments via LNK Flaw | The Go-based XDigo malware was used to attack governmental entities in Eastern Europe in March 2025. The attacks leveraged a Windows LNK file vulnerability, a remote code execution flaw publicized by Trend Micro. The flaw allows attackers to execute code in the context of the current user by manipulating LNK file data. Malware deployment involves a complex chain of ZIP archives, decoy files, and a rogue DLL, ultimately leading to data theft. XDigo can harvest files, capture screenshots, extract clipboard content, and exfiltrate data via HTTP. Evidence suggests XDigo is a new version of malware previously analyzed by Kaspersky in 2023, with expanded capabilities. The attackers' targeting strategy aligns with a focus on Eastern European governments, highlighting ongoing nation-state cyber espionage activity. | Details |