Daily Brief


Total articles found: 11821

2025-05-29 00:24:04 | theregister | CYBERCRIME | Adversarial AI Emerges as a Major Risk in Financial Sector
75% of financial institutions are currently using AI, with an additional 10% planning to integrate it within the next three years, per a survey by the Bank of England and Financial Conduct Authority. A profound gap in understanding AI technologies exists, with only about a third of institutions confident in their AI knowledge. Adversarial AI poses significant threats by manipulating algorithms or data, benefiting attackers through distorted market forecasts or unnoticed fraudulent transactions. Traditional cybersecurity measures like firewalls and malware detection are insufficient against adversarial AI tactics that involve data poisoning and model contamination. Financial companies and regulators need to adapt to these emerging threats by expanding compliance requirements to include adversarial AI risks and ensuring a more flexible security risk management approach. Training and awareness are crucial; financial entities must develop a strong training regime to both leverage AI benefits and mitigate potential adversarial risks effectively. QA's role extends to educating and lobbying for regulatory updates to incorporate best practices for tackling adversarial AI issues in the financial sector.
2025-05-28 22:05:41 | bleepingcomputer | MALWARE | Chinese APT41 Uses Google Calendar for Stealth Malware Attacks
Chinese hacking group APT41 employs new malware, 'ToughProgress', utilizing Google Calendar for command-and-control communications to disguise its activities. Google's Threat Intelligence Group uncovered and dismantled the attackers' infrastructure on Google Calendar and Workspace, implementing safeguards against future misuse. The initial stage of the attack involves a malicious email containing a link to a ZIP file hosted on a compromised government website, appearing to contain ordinary files but actually housing malicious payloads. The malware uses Windows LNK files masquerading as a PDF document and image files to hide and launch encrypted payloads entirely in memory, minimizing detection by conventional security tools. Google identified and terminated all related accounts and events associated with the misuse, updating its Safe Browsing blocklist to protect users from these threats. Reported targets and organizations potentially affected by APT41's campaign were directly notified by Google, in collaboration with Mandiant, and supported with malware samples and traffic logs to aid in mitigating the attack.
2025-05-28 20:06:55 | bleepingcomputer | MALWARE | PumaBot Targets IoT Devices, Brute-Forces SSH Credentials
A new Go-based Linux botnet, PumaBot, has been discovered specifically targeting IoT devices by brute-forcing SSH credentials. PumaBot operates by receiving a list of targeted IPs from its command-and-control server and proceeds with brute-force attacks on port 22 to gain SSH access. The malware is programmed to specifically look for the "Pumatronix" string during its operations, indicating a likely focus on surveillance and traffic camera systems. Once access is gained, PumaBot verifies the legitimacy of the device, ensures persistence via systemd service installation, and manipulates 'authorized_keys' to maintain access. The botnet has the capability to steal data, deploy additional malware, and execute commands from the control server, including exfiltration of SSH credentials stored locally. Recommended security countermeasures include upgrading IoT firmware, changing default credentials, using firewalls, and segregating IoT networks from critical systems. The extent of PumaBot's spread and its success rate are currently unreported, though its targeted approach suggests potential for significant impact on infected networks.
2025-05-28 18:41:02 | theregister | DATA BREACH | LexisNexis Risk Solutions Suffers Data Theft Affecting Over 360,000
LexisNexis Risk Solutions experienced a cyberattack where data on 364,333 individuals was stolen via a third-party software development platform on December 25, 2024. The intrusion was discovered on April 1, 2025; however, the company confirmed its own networks or systems were not directly impacted. The breach involved unauthorized access to software artifacts and personal information; sensitive personal data like financial and credit card details remained secure. LexisNexis has initiated notifications to approximately 360,000 affected individuals and communicated with regulators and law enforcement. The company's response included an extensive investigation with cybersecurity experts, enhancements to security controls, and an in-depth review of affected data. Affected parties are advised to monitor for fraud and offered 24 months of free credit monitoring and identity protection services by Experian. LexisNexis's breach is among several recent high-profile data incidents, including those at Adidas and Coinbase.
2025-05-28 18:15:00 | bleepingcomputer | CYBERCRIME | Interlock Ransomware Gang Targets Universities with NodeSnake RAT
The Interlock ransomware gang has introduced a new remote access trojan, NodeSnake, aimed at infiltrating educational institutions. Researchers at QuorumCyber identified NodeSnake in at least two incidents involving UK universities in early 2025, with evidence of ongoing development to enhance its functionality. Initial infection vectors include phishing emails with malicious attachments or links leading to the deployment of the NodeSnake RAT. NodeSnake utilizes evasion techniques such as heavy code obfuscation and XOR encryption, and uses PowerShell or CMD scripts to mimic legitimate software updates. Once installed, NodeSnake gathers critical system information and can execute additional malicious activities, including process termination and loading further malware. The trojan changes its command-and-control communication dynamically, complicating detection and mitigation efforts. The report by QuorumCyber details the indicators of compromise for NodeSnake, providing essential information for early detection and prevention of further attacks by the Interlock group. The discovery underscores Interlock's strategic shift towards sustained, stealthy operations within target networks, particularly in the education sector.
2025-05-28 17:22:32 | thehackernews | CYBERCRIME | Iranian Hacker Guilty in $19 Million Baltimore Ransomware Scheme
Sina Gholinejad, an Iranian national, has pleaded guilty to charges related to a ransomware attack utilizing Robbinhood ransomware. The attacks targeted multiple U.S. organizations, including significant disruptions in Baltimore, leading to over $19 million in losses. Gholinejad and co-conspirators encrypted files and demanded ransom in Bitcoin, significantly impacting city services in Baltimore and Greenville. The criminal activity lasted from January 2019 to March 2024, involving data theft and ransomware deployment. Gholinejad was apprehended and pleaded guilty to computer fraud and conspiracy to commit wire fraud, and faces up to 30 years in prison. The cybercrime group used methods like cryptocurrency mixing and chain-hopping to launder the ransom payments. Sentencing is scheduled for August 2025, highlighting the long-term legal consequences of cyber attacks.
2025-05-28 16:50:22 | bleepingcomputer | NATION STATE ACTIVITY | Over 9,000 ASUS Routers Hacked by Sophisticated Botnet
Over 9,000 ASUS routers have been compromised by a botnet named "AyySSHush," impacting models like RT-AC3100, RT-AC3200, and RT-AX55. The botnet also targeted routers from Cisco, D-Link, and Linksys, employing methods such as brute-forcing, authentication bypass, and exploiting older vulnerabilities. The attackers exploited a specific CVE (CVE-2023-39780) to implant an SSH backdoor, allowing persistent access even after device reboots and firmware updates. No malware was used; instead, tactics included disabling logging and security features to avoid detection, with only a few malicious requests needed for effective intrusion. The exact goals of the AyySSHush botnet remain unclear, but it shows potential for creating a substantial botnet for future operations. ASUS released security updates to mitigate CVE-2023-39780, and owners are urged to update their firmware promptly and check for signs of compromise. GreyNoise and other cybersecurity entities are tracking this campaign, highlighting the sophisticated nature of the threat, likely linked to nation-state actors.
2025-05-28 16:40:42 | bleepingcomputer | CYBERCRIME | Dark Partners Gang Runs Cloned Apps to Steal Cryptocurrency
The Dark Partners cybercrime gang uses fake AI, VPN, and crypto software download sites to distribute malware and infostealers like Poseidon and Lumma. The group impersonates legitimate apps, misleading users into downloading harmful software aimed at extracting cryptocurrency and sensitive data such as credentials and private keys. On Windows, the malware is digitally signed with certificates from multiple companies; Poseidon Stealer specializes in macOS, targeting wallet folders and web browsers. Law enforcement recently disrupted the distribution of Lumma Stealer by seizing thousands of linked domains and infrastructure components. Lumma Stealer, an Electron-based application on Windows, includes modules for stealth and persistence, avoiding detection by terminating itself if analysis tools are detected. Payload delivery varies based on the operating system of the download request, with additional checks to prevent bot downloads. g0njxa, a cybersecurity researcher, highlights the technical tactics of Dark Partners, including the detailed operation of payload delivery and anti-sandbox features. The report concludes with a broad list of compromised domains and indicators of compromise, underlining the extensive reach of the campaign.
2025-05-28 16:05:50 | thehackernews | NATION STATE ACTIVITY | Czech Republic Accuses Chinese APT31 of Cyber Espionage
The Czech Republic formally attributed a 2022 cyberattack on its Ministry of Foreign Affairs to China-linked APT31. Described as a state-sponsored group, APT31 used diverse techniques, including leveraging public file-sharing sites for command-and-control operations. APT31, also known by multiple aliases such as Bronze Vinewood and Judgement Panda, operates under the auspices of China's Ministry of State Security. The specific breach involved an unclassified network and is part of ongoing investigations, with its full impact yet unknown. The US Department of Justice has indicted several individuals linked to APT31 for conducting espionage that served China's intelligence and economic motives. Recent reports by entities like Secureworks and ESET indicate APT31's continued focus on government and defense entities in Central Europe. The Czech government criticized China for contradicting its public commitments to responsible state behavior in cyberspace as defined by the UN. Czechia urged China to conform to international norms and cease such cyberattacks.
2025-05-28 14:43:58 | bleepingcomputer | NATION STATE ACTIVITY | Czech Republic Accuses China of Cyberattacks on Foreign Ministry
The Czech Republic has attributed a series of cyberattacks on its Ministry of Foreign Affairs to the China-backed APT31 group. These attacks have been ongoing since 2022 and also targeted other critical infrastructure within the Czech Republic. The European Union and NATO allies expressed their condemnation of these actions, urging China to comply with UN norms and international laws. Past incidents linked APT31 with significant cyber espionage, including an attack on Finland's parliament in 2021 and global Microsoft Exchange server hacks. APT31, also known as Zirconium or Judgment Panda, is connected to the Chinese Ministry of State Security and has been involved in espionage and data theft globally. The US and UK have imposed sanctions and filed charges against individuals associated with APT31 for various cyberattacks, including breaches of US and UK critical infrastructure and government systems. The US State Department is currently offering a reward for information that could lead to the arrest of the individuals linked to APT31 and their operations.
2025-05-28 13:47:31 | thehackernews | DATA BREACH | Microsoft OneDrive Flaw Risks Total Cloud Storage Exposure
Cybersecurity researchers identified a critical flaw in Microsoft's OneDrive File Picker that could allow unauthorized access to a user's entire cloud storage. The vulnerability arises from overly broad OAuth permissions and unclear user consent screens, potentially leading to significant data breaches. Several commonly used applications, including ChatGPT, Slack, Trello, and ClickUp, might be affected due to their integration with OneDrive. The issue is exacerbated by the storage of OAuth tokens in plaintext within the browser's session storage, posing a further security threat. Insecure authorization workflows could lead to ongoing unauthorized access, as apps can obtain new access tokens without user interaction. Microsoft has acknowledged the flaw but has not yet provided a fix; recommendations include avoiding the use of refresh tokens and enhancing token security. The flaw highlights the need for improved management of OAuth scopes and continuous security monitoring to protect sensitive data. The Oasis Research Team stresses the importance of vigilance and regular security checks in preventing user data exposure and compliance violations.
2025-05-28 12:36:51 | thehackernews | MALWARE | PumaBot Botnet Attacks Linux IoT Devices to Mine Crypto and Steal Data
PumaBot, a new botnet targeting Linux IoT devices, conducts brute-force attacks on SSH instances to expand and deliver malware. The malware obtains lists of potential victim IP addresses from a command-and-control server and checks systems for suitability and honeypot avoidance. Upon successfully compromising SSH credentials, it establishes persistence using spoofed system service files like "redis.service" or "mysqI.service" to avoid detection. PumaBot is utilized for illicit cryptocurrency mining using commands like "xmrig" and "networkxm" on compromised devices. The botnet mimics legitimate system files and uses native Linux tools for persistence, demonstrating evasion techniques that are effective against security defenses. Analysis highlights an increase in SSH brute-force attacks, suggesting a rise in IoT-related cyber threats. Recommendations for mitigation include monitoring SSH logs for unusual activity, maintaining strict firewall rules, and verifying system files and services for unauthorized changes.
2025-05-28 12:30:05 | theregister | NATION STATE ACTIVITY | Russian Programmer Sentenced for Leaking Military Data to Ukraine
Russian IT professional Aleksandr Levchishin has been sentenced to 14 years in a high-security penal colony for leaking sensitive medical records of Russian soldiers to Ukraine. Levchishin was also found guilty of transferring funds to the Ukrainian military, leading to an additional charge of treason. He was arrested by the FSB in July 2023; the trial was conducted behind closed doors and concluded with multiple charges, including influencing critical information infrastructure. The article provides historical context on the use of Russian courts under Putin's regime to suppress dissent and target critics, as highlighted by the Human Rights Foundation. It also mentions Russia's exit from the Council of Europe in 2022, which affects Russian citizens' rights to appeal domestic court decisions internationally. Following the invasion of Ukraine, a significant increase in treason charges in Russia has been noted: 359 convictions in one year, with some detainees dying in custody. Added penalties include a monetary fine, one year of restricted freedom post-release, and a four-year ban from working with critical information infrastructure. Penal colonies in Russia are described as harsh labor camps often located in severe environments, emphasizing the dire conditions faced by those convicted of high treason.
2025-05-28 11:30:36 | thehackernews | MALWARE | Rapid Enterprise Threat: Modern Stealer Malware Hijacks Sessions in Hours
Flare's research on "The Account and Session Takeover Economy" highlights millions of enterprise threats from stealer malware. Stealer malware like Redline, Raccoon, and LummaC2 now prioritizes hijacking enterprise session tokens, not just stealing passwords. Within hours of infection, cybercriminals use bots and dark web marketplaces to sort and sell access to high-value enterprise accounts. Detailed marketplace offerings enable attackers to bypass multi-factor authentication and gain immediate access. Once in possession of session tokens, attackers gain seamless entry into platforms like AWS and Microsoft 365, potentially leading to substantial breaches. According to Verizon's 2025 Data Breach Investigations Report, 88% of breaches involved stolen credentials, underscoring the significance of these attacks. Organizations are urged to adapt their defenses, emphasizing the importance of monitoring and securing session tokens alongside passwords.
2025-05-28 11:09:39 | thehackernews | MALWARE | Mimo Hackers Utilize Craft CMS Flaw to Deploy Cryptominer, Proxyware
Mimo hackers exploited CVE-2025-32432, a critical vulnerability in Craft CMS, to install cryptomining malware and proxyware. The attack deploys a web shell for sustained access, using a script to download further payloads and ensure no competing miners are active. Besides cryptojacking, the hackers leverage compromised systems to profit from the victim's internet bandwidth via proxyjacking. The payloads include a loader named Mimo Loader and a cryptocurrency miner known as XMRig. The Mimo group, active since early 2022, has previously exploited vulnerabilities in several other systems, including Apache Log4j and Atlassian Confluence. Sekoia researchers pinpointed a Turkish IP address as the origin of the exploitation attempts, linking it to the Mimo group. Ongoing investigations emphasize the Mimo group's continuous adaptation and exploitation of newly disclosed vulnerabilities for financial gain.