Daily Brief
Find articles below; see 'DETAILS' for the generated summaries.
Total articles found: 11822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-26 02:32:43 | theregister | MISCELLANEOUS | China Introduces National Online ID Scheme and Tech Updates | China has officially approved a national online identification number system intended to streamline netizen access to online services through a single logon interface. The system gives citizens a central Cyberspace ID, issued after their identity is verified, for accessing both government and private services, with the stated goal of improving online security. Obtaining an online number is not mandatory, and service platforms may not discriminate against users who keep traditional access methods. Adoption of the Cyberspace ID app has been moderate: over 16 million downloads and more than 12.5 million authentications, modest figures given China's population. Xiaomi announced custom silicon chips for its devices, signalling a long-term commitment to leadership in core technologies. NTT Docomo, the original creator of emoji, plans to retire its custom emoji set, reflecting changing preferences in graphic communication on mobile devices. Taiwanese company MediaTek is nearing completion of its 2nm chip technology and promises AI integration across its product range. | Details |
| 2025-05-25 14:42:27 | bleepingcomputer | MISCELLANEOUS | Glitch to Terminate App Hosting and User Profiles in July | Glitch announced it will end app hosting and user profiles on July 8 due to high operational costs and abuse issues. CEO Anil Dash said the decision stems from the platform's outdated architecture and the availability of better alternatives in the market. Existing users can access the dashboard until the end of the year to download project code and set up URL redirects, which will remain active until at least 2026. All paid Glitch Pro subscriptions will be honored until the shutdown date, with refunds issued for any remaining paid time. Glitch.com has been a prominent presence in the web development community since its launch in 2017, noted especially for its friendly interface and real-time collaboration features. The decision to close was driven by rising hosting costs and increasing misuse of the platform by bad actors. Glitch is focusing on guiding users through the transition, with plans for a detailed migration guide and ongoing support through its community forum. | Details |
| 2025-05-25 07:43:07 | thehackernews | MALWARE | Malware Campaign Exploits Fake VPN and Browser Installers | Cybersecurity researchers revealed a malware campaign that uses bogus software installers mimicking LetsVPN and QQ Browser to distribute the Winos 4.0 framework. The campaign employs a complex loader, Catena, that stages payloads in memory to evade detection by traditional antivirus products. Winos 4.0, associated with the threat actor tracked as Void Arachne or Silver Fox, has been active throughout 2025 with evolving tactics to avoid antivirus detection. Key targets include entities in Taiwan, with phishing lures disguised as communications from the National Taxation Bureau. Winos 4.0 operates primarily against Chinese-language users and implements data harvesting, remote access, and potential DDoS capabilities through a plugin-based system. The Catena chain embeds shellcode in .ini files and uses reflective DLL injection to maintain persistence and stealth on infected hosts. Recent changes to the deployment include a PowerShell command intended to bypass Microsoft Defender and additional checks for specific antivirus processes. | Details |
| 2025-05-24 17:55:15 | theregister | CYBERCRIME | Ex-Advisor Highlights Cybercrime Over Nation-State Cyber Threats | Cybercrime, particularly ransomware and business email compromise, poses a significant risk to US organizations that overshadows threats from nation-states. Michael Daniel, former White House cybersecurity advisor, emphasizes the broad scope of cyber threats the US faces, including from China, Russia, Iran, North Korea, and cybercriminal organizations. Budget reductions under the Trump administration have led to significant cuts in cybersecurity staffing and funding, particularly affecting the Cybersecurity and Infrastructure Security Agency (CISA) and related sector risk management agencies. The ongoing government cost-cutting threatens the nation's ability to manage cybersecurity risk effectively across its 16 critical infrastructure sectors. Daniel advocates increased federal efforts to help businesses protect against cyber threats and to improve their resilience against attacks. Despite the growing need for skilled cybersecurity professionals, the federal government faces staffing challenges because its pay scales are not competitive with the private sector. Daniel calls for transparency about the number of federal cybersecurity staff reductions and emphasizes the importance of federal support for local governments, healthcare, and educational institutions in strengthening their cybersecurity infrastructure. | Details |
| 2025-05-24 14:35:35 | bleepingcomputer | MALWARE | Bumblebee Malware Distributed Through Fake Open-Source Tool Sites | Bumblebee malware is being distributed via fake versions of popular open-source tools such as Zenmap and WinMTR. Typosquatting domains like zenmap[.]pro and winmtr[.]org mimic the legitimate sites, with the former still active and serving counterfeit content. SEO poisoning drives traffic to these malicious sites by ranking them highly in search engine results for related terms. The malware, delivered via trojanized installers, evades detection by most antivirus engines listed on VirusTotal. Users are tricked into downloading what appears to be legitimate software, which installs a malicious DLL that runs a backdoor for further malicious activity. Follow-on payloads include ransomware and infostealers, extending the threat beyond the initial compromise. A similar campaign targets users of Hanwha's WisenetViewer and Milestone XProtect, distributing trojanized versions via spoofed domains. Official recommendations emphasize downloading software only from trusted sources and verifying installer hashes before execution. | Details |
| 2025-05-24 12:21:57 | theregister | MISCELLANEOUS | John Young, Cryptome Co-founder and Digital Rights Pioneer, Passes Away | John Young, co-founder of the influential document leak site Cryptome, has died at 89. Cryptome was instrumental in the first digital crypto war and set the stage for later leak sites such as WikiLeaks. Young and his partner Deborah Natsios started Cryptome to share sensitive material about government activities and cryptography, influencing global discourse on data privacy and public access to information. Young was skeptical of fundraising and profit motives in disclosure platforms, and notably criticized WikiLeaks for its approach to financial matters. Despite legal challenges and pressure from entities such as Microsoft, Cryptome continued to host controversial material and served as a robust archival resource. Young's life experiences and career as an architect deeply influenced his commitment to the unrestricted flow of information; he steered clear of traditional journalistic practices and focused on archiving raw data. His belief in the public's right to know remained unwavering, even in the face of governmental and legal adversity. Young's enduring legacy underscores his philosophy of transparency and anti-censorship, which contrasts sharply with how other platforms have handled similar disclosures. | Details |
| 2025-05-23 17:49:11 | theregister | RANSOMWARE | Ransomware Attack Compromises Nova Scotia Power Customer Data | Nova Scotia Power confirmed a ransomware attack, first detected on April 25 and traced back to March 19, that affected IT systems and customer data. The breach exposed sensitive information including names, contact details, Social Insurance Numbers, and bank account numbers of autopay customers. Despite the significant data leak, the utility has opted not to pay the ransom, in line with sanctions law and law enforcement advice. Power delivery was unaffected; however, billing, customer portals, and outage reporting services were disrupted. Affected customers are offered two years of free credit monitoring from TransUnion to guard against potential fraud. The company has engaged cybersecurity experts to determine the extent of the breach and strengthen its defenses. Following the incident, Nova Scotia Power noted an increase in phishing attempts across various communication channels and urged customers to remain vigilant. | Details |
| 2025-05-23 17:40:57 | bleepingcomputer | MALWARE | Malicious NPM Packages Intercept Sensitive Data, Pose Severe Risk | Researchers discovered 60 malicious NPM packages designed to collect and transmit host and network data. The packages were identified by the Socket Threat Research team and used names mimicking legitimate packages to deceive developers. Their post-install script fingerprints the execution environment to evade analysis and collects sensitive data without delivering further payloads. Despite being reported, the packages remained online at the time of discovery and accumulated over 3,000 downloads before being removed. A separate NPM campaign involved 8 data-wiping packages that targeted popular JavaScript ecosystems while camouflaged as legitimate tools. The data-wiping packages were capable of file deletion, data corruption, and system shutdown, and were downloaded 6,200 times over two years. Socket's findings highlight the need for continuous vigilance and immediate system checks if suspicious packages have been installed. | Details |
| 2025-05-23 17:31:52 | thehackernews | MALWARE | Malware Spread Through TikTok Videos, Fake Ledger Apps Target Mac Users | Hackers are using TikTok videos to distribute Latrodectus malware, leveraging a technique called ClickFix that runs malicious code directly in memory and evades many security controls. The campaign uses AI-generated TikTok videos to trick users into running harmful PowerShell commands under the pretense of activating applications such as Windows and Spotify. Latrodectus acts primarily as a downloader for other dangerous payloads, including ransomware, and is believed to be a successor to the IcedID malware. A related discovery involves campaigns using cloned Ledger Live apps to steal seed phrases from Mac users in order to drain cryptocurrency wallets. The malware inside these fake Ledger apps can also steal passwords and other sensitive information, compounding the threat to crypto wallet security. Security firms advise disabling the Windows Run command and adjusting Group Policy settings to prevent such attacks. A recent international law enforcement operation, Operation Endgame, has temporarily disrupted these malware networks by shutting down servers and seizing domains. | Details |
| 2025-05-23 16:51:22 | theregister | NATION STATE ACTIVITY | CISA Warns of Targeted Zero-Day Attacks on SaaS Providers | The Cybersecurity and Infrastructure Security Agency (CISA) has warned of increasing attacks on SaaS providers, particularly those exploiting cloud applications with default configurations and elevated permissions. Commvault experienced a breach of its Microsoft Azure environment following a report from Microsoft about a potential nation-state intrusion. A zero-day vulnerability in Commvault's software (CVE-2025-3928) was used by attackers to access its M365 backup SaaS solution hosted on Azure, putting customer M365 environments at risk. The zero-day was added to CISA's Known Exploited Vulnerabilities catalog, underscoring the severity of the breach, whose full effects remain largely unquantified. Commvault has confirmed that customer data remains secure but that the attackers sought credentials that could be used against M365 environments, and the broader campaign may affect multiple SaaS companies. CISA has urged organizations to use Microsoft logs for threat detection and to activate incident response plans if any deviation from standard configurations is detected. Recommended actions include rotating secrets and credentials, restricting access to trusted networks, applying necessary patches, and minimizing administrative rights. | Details |
| 2025-05-23 15:54:09 | bleepingcomputer | CYBERCRIME | Hackers Steal $223 Million from Cetus Protocol in Major Crypto Heist | Cetus Protocol announced the theft of $223 million in cryptocurrency and temporarily halted operations to investigate. The theft exploited a vulnerability in the DEX's software, which was identified and subsequently fixed to prevent further breaches. Cetus is offering a $5 million bounty for information leading to the hacker's arrest, alongside a whitehat deal to forgo legal action if the funds are returned. Part of the stolen funds, amounting to $162 million, has been frozen on the Sui blockchain following an emergency intervention by network validators. Elliptic's analysis indicates the exploit may have involved automated market maker logic, manipulating pool prices in a flash-loan-style attack. The hacker's wallet address has been identified, transactions have been tracked from Sui to Ethereum, and the address is now flagged on major exchanges to prevent laundering of the funds. Blockchain analytics and collaboration with law enforcement are ongoing to trace and potentially recover the stolen assets. | Details |
| 2025-05-23 15:28:23 | bleepingcomputer | CYBERCRIME | FBI Alerts on Luna Moth Extortion Targeting U.S. Law Firms | The FBI has issued a warning about the Silent Ransom Group (SRG), also known as Luna Moth, which is conducting extortion attacks specifically targeting U.S. law firms. SRG uses social engineering, impersonating IT support through emails, fake websites, and phone calls, to gain unauthorized network access. Unlike traditional ransomware operators, SRG does not encrypt data but threatens to leak stolen sensitive information unless a ransom is paid. The attack method includes installing remote access tools on victims' devices, then exfiltrating data with software such as WinSCP and Rclone. SRG has been active since splitting from the Conti cybercrime syndicate in 2022 and continues to pose a significant threat, also impersonating other legal and financial institutions. The FBI advises strengthening cybersecurity measures, including robust passwords, two-factor authentication, regular data backups, and training employees to recognize phishing attempts. EclecticIQ's report notes that SRG ransom demands range up to eight million USD depending on the size of the targeted firm. | Details |
| 2025-05-23 12:54:11 | thehackernews | CYBERCRIME | Global Network of 5,300 Devices Turned Into Honeypots by ViciousTrap | Cybersecurity researchers have identified ViciousTrap compromising 5,300 routers across 84 countries using a Cisco flaw. The exploitation primarily uses a shell script, NetGhost, to redirect specific network traffic to infrastructure controlled by the attacker. The compromised devices, located primarily in Macau, form a honeypot-like network used to intercept and study network flows. This strategy likely helps in capturing zero-day exploits and observing exploitation attempts across varied environments. The threat actor leveraged CVE-2023-20118, which affects Cisco Small Business routers, to download malicious scripts and carry out the attacks. Despite similar methods, no direct connection has been found between ViciousTrap's activity and another botnet, PolarEdge. All documented attacks originated from IP addresses in Malaysia associated with a hosting provider named Shinjiru. The exact purpose of the honeypot network remains uncertain, though the operation appears well orchestrated to gather valuable cyber intelligence. | Details |
| 2025-05-23 10:52:26 | thehackernews | MALWARE | Global Law Enforcement Disrupts Ransomware Networks, Arrests Key Actors | Operation Endgame, led by Europol, seized 300 servers and €3.5M in cryptocurrency in a global action against ransomware infrastructure. Approximately 650 domains were neutralized, and international arrest warrants were issued against 20 key suspects. The operation focused on new malware variants and groups such as Bumblebee, Latrodectus, and others, with the aim of dismantling ransomware delivery services. The total amount seized during Operation Endgame now exceeds €21.2 million, demonstrating significant financial impact. Germany's Federal Criminal Police initiated criminal proceedings against 37 individuals, some of whom are now on the EU's Most Wanted list. The operation continues earlier efforts to disrupt cybercriminal ecosystems and prevent further ransomware attacks. Europol's latest actions demonstrate the adaptability and resilience of law enforcement in the face of evolving cyber threats. | Details |
| 2025-05-23 10:39:36 | thehackernews | MISCELLANEOUS | SafeLine WAF: Open-Source Firewall Enhancing Web Security | SafeLine is the leading open-source Web Application Firewall (WAF) on GitHub, offering advanced features for self-hosted security deployments. Unlike cloud-based alternatives, SafeLine runs on local servers, giving operators greater visibility and full sovereignty over their data. It provides comprehensive protection against a wide range of web threats, including SQL injection, XSS, and more. It uses a semantic analysis engine for zero-day attack detection, claiming a 99.45% detection rate and a 0.07% false positive rate. It offers multi-layered defenses against bot attacks and mitigates HTTP flood DDoS through rate limiting and a virtual waiting room for traffic spikes. It supports modern authentication protocols and Single Sign-On (SSO), in line with Zero Trust principles for verifying and securing user access. It is designed for quick deployment and easy management, with a user-friendly configuration interface and wizard-based setup. Compared with cloud-based WAFs, it offers autonomy in deployment and operation, making it suitable for a wide range of web application security needs. | Details |