Daily Brief

Cybercriminals exploit TikTok videos to distribute Vidar and StealC information-stealing malware via ClickFix attacks. These TikTok campaigns use AI-generated videos encouraging users to execute PowerShell commands under the guise of activating software like Windows, Office, Spotify, and CapCut. One deceptive video promoting enhanced Spotify features quickly amassed nearly 500,000 views, demonstrating the effectiveness of social platform algorithms in spreading such malicious campaigns. Executed commands disguise the downloading and running of remote scripts that install malware, enabling theft of credentials, credit card details, and other sensitive data. Infected devices are further manipulated to download additional scripts ensuring persistence with startup registry keys. Similar tactics have been employed by state-sponsored groups in recent espionage efforts, showing the adaptability and dangerous evolution of the ClickFix tactic. Previous malware distribution via TikTok includes the ‘Invisible Challenge’ leading to vast infections by WASP Stealer malware.

Tonny Iheoma Ezeh, a cyber fraudster, manipulated elderly victims into smuggling methamphetamine disguised as chocolates. Ezeh, involved in a West African crime syndicate, operated from Mexico and targeted pensioners through email scams. Two German victims, aged 80 and 67, were caught at Heathrow Airport with 3 kg of meth hidden in chocolate truffle boxes. Initially charged with drug smuggling, the pensioners were acquitted after the investigation revealed they were scammed. Ezeh was arrested as he entered the UK and was convicted at Isleworth Crown Court, receiving a nine-year and three-month prison sentence. The National Crime Agency emphasized the predatory nature of Ezeh's crimes, highlighting the exploitation of vulnerable elderly individuals. Authorities continue to caution the public against too-good-to-be-true offers involving the transport of goods internationally.

The U.S. Department of Justice announced the disruption of DanaBot malware infrastructure and charged 16 individuals linked to a Russia-based cybercrime group. DanaBot infected over 300,000 computers globally, enabling large-scale fraud and ransomware activities, causing damages of at least $50 million. Primary accused, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, remain at large, facing charges including conspiracy, wire fraud, and aggravated identity theft. Malware's self-infection incidents led to accidental data compromise of the criminals, aiding in their identification. Law enforcement seized DanaBot's command-and-control servers as part of Operation Endgame, significantly disrupting the malware's operations. DanaBot, active since 2018, started as a banking trojan and evolved into a multi-functional malware-as-a-service, capable of stealing a wide range of personal and financial data. Several private sector firms provided assistance in the operation, highlighting the importance of public-private partnerships in combating cyber threats.

International law enforcement seized 300 servers and 650 domains under Operation Endgame, targeting ransomware activities. Efforts led to the arrest of 20 individuals and confiscation of EUR 3.5 million in cryptocurrency, totaling EUR 21.2 million seized throughout the operation. Coordinated by Europol and Eurojust, the crackdown involved partnerships with private sector and affected multiple malware operations such as DanaBot, Bumblebee, and Qakbot. The U.S. Department of Justice charged 16 Russian nationals linked to the DanaBot malware, which has compromised over 300,000 computers worldwide. DanaBot, part of a malware-as-a-service economy, offered capabilities like keystroke logging, data theft, and remote access, causing over $50 million in damages. The disruption efforts are aimed at dismantling the infrastructure used by cybercriminals to launch ransomware and other malicious cyber activities. Previous phases of Operation Endgame included similar actions against various other malware services, showing continued international commitment to combating cybercrime.

CISA reported Commvault's observation of cyber threats exploiting vulnerabilities in applications on Microsoft Azure. Unauthorized access to Commvault's Metallic M365 backup SaaS solution was identified, stemming from compromised client secrets. The incident suggests a larger campaign against SaaS providers, exploiting default configurations and excessive permissions. A nation-state actor exploited a zero-day in the Commvault Web Server, leading to potential unauthorized command executions. Despite the breach, Commvault confirmed no unauthorized access to customer backup data; remedial steps include rotating application credentials. CISA has added the exploited vulnerability (CVE-2025-3928) to its Known Exploited Vulnerabilities Catalog and is investigating further with partners. The agency emphasized the need for enhanced security practices among users and administrators of SaaS applications to prevent similar breaches.

Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's AI assistant, Duo, that could allow attackers to manipulate AI responses and inject malicious content. The vulnerability could enable theft of source code from private projects, manipulation of code suggestions, and exfiltration of undisclosed zero-day vulnerabilities. Attack methods include embedding rogue instructions in comments, commit messages, or source code that Duo processes, which could then execute malicious code or direct users to harmful sites. Techniques like Base16 encoding, Unicode smuggling, and invisible text rendering were used to make the prompts less detectable to human reviewers. This vulnerability is significant due to Duo's deep integration into development workflows, which allows it to access and process extensive contextual information from user projects. The security issue was responsibly disclosed to GitLab, and the vulnerabilities have since been addressed. The breach highlights broader challenges with AI-driven tools, including potential data breaches and unintended harmful outcomes when manipulated by threat actors.

The US Department of Justice has indicted 16 individuals linked to the DanaBot malware affecting over 300,000 computers. Those indicted include the alleged leaders of the operation, developers, and various support roles, all based in Russia and currently at large. DanaBot is offered as malware-as-a-service on the dark web, with pricing up to $4,000 including technical support and testing tools. The malware variant aimed at espionage targets military, diplomatic, and government sectors, capturing keystrokes, screenshots, and network traffic. The FBI estimates the financial damage from DanaBot’s banking-focused variant to exceed $50 million worldwide. Operation Endgame II, part of global efforts to counter such cyber threats, has seen success in disrupting the botnet associated with DanaBot. A significant decline in active DanaBot command-and-control servers has been reported, indicating successful mitigation efforts.

Suspected Chinese spies, identified as UNC5221, exploit Ivanti software vulnerabilities to target organizations worldwide, including sectors like healthcare, finance, and defense. The attacks leverage two Ivanti bugs, CVE-2025-4427 and CVE-2025-4428, enabling unauthenticated remote code execution and control over affected systems. Victims include major entities in North America, Europe, and Asia-Pacific, such as the largest German telecommunications provider and the NHS in the UK. Ivanti disclosed the security flaws recently, emphasizing that the exploits had affected a limited number of customer-deployed systems. The Chinese group deployed the KrustyLoader backdoor using compromised AWS S3 bucket, facilitating further intrusions with malware like the Sliver suite. This series of attacks marks the fourth incident in three years involving similar exploitation tactics by the same group on Ivanti products. Threat intelligence from EclecticIQ and other firms correlates the attacks with previous patterns of espionage attributed to Chinese state-backed actors.

The FBI has charged US Navy Petty Officer 3rd Class Rumaldo Valdez with possession and distribution of child sex abuse material (CSAM) and extortion. Valdez allegedly used the username "Duck" on Discord, through which he distributed CSAM and blackmailed minors. An investigation triggered by tips to the National Center for Missing and Exploited Children led to Discord providing account details linked to Valdez. According to a confidential insider, Valdez was active on a Discord server where malware was used to blackmail victims. Valdez was stationed at the Naval Computer and Telecommunications Area Master Station Pacific in Hawaii when arrested. The FBI found over 10,000 Discord URLs and evidence of malware activity in Valdez’s logs on the military network. A raid on Valdez's residence led to the seizure of devices containing encrypted CSAM files and chat logs that confirmed his participation in the illegal activities. Valdez faces multiple charges and is currently held without bail pending trial.

Security teams in smaller organizations face high protection expectations despite limited budgets and personnel. Recent survey highlights under 63% of these organizations find their security budgets insufficient, with skilled personnel shortages being a prevalent issue. Effective utilization of existing security tools such as EDR, vulnerability management, and MFA is critical for maximizing coverage and confidence in defenses. Continuous control monitoring ensures critical security measures are correctly deployed and operational, offering ongoing visibility rather than reactive audits. Continuous threat exposure management allows teams to assess defenses against real-world threats continually, enhancing preparedness and response capabilities. Implementing continuous methodologies can be challenging for small teams, but essential tools and strategies like those provided by Prelude can facilitate this without added overhead. Emphasizing foundational security practices and leveraging continuous monitoring and threat management can help lean teams achieve enterprise-level security outcomes.

Russian national Rustam Rafailevich Gallyamov charged with cybercrimes involving Qakbot malware that infected over 700,000 computers globally. Qakbot facilitated numerous ransomware attacks causing losses worth tens of millions of dollars, demanding ransoms and stealing sensitive data. Despite a massive international crackdown in 2023, seizing 52 servers and $8.6 million in crypto, Qakbot activities resumed with new tactics. Post-2023 strategies included spam bomb attacks, tricking employees into downloading malicious codes under the guise of IT remediation. Recent FBI operation led to the seizure of more than 30 bitcoins and $700,000 in USDT tokens from Gallyamov, aiming to refund victims with over $24 million in captured illicit proceeds. Multi-national cooperation in Gallyamov's investigation featured contributions from German BKA, Netherlands National Police, French Police Cybercrime Central Bureau, and Europol. This case forms part of "Operation Endgame," a broad international law enforcement initiative to dismantle cybercriminal networks.

Rustam Rafailevich Gallyamov, a Russian national, has been indicted for leading the Qakbot botnet malware operation, impacting over 700,000 computers globally. Initiated in 2008, Qakbot served various malicious roles, including banking trojan, malware dropper, and backdoor capable of keystroke recording. Since 2019, Qakbot has been a primary infection method for several notorious ransomware gangs including Conti and REvil, providing them initial access to victims’ networks. Gallyamov allegedly received payments from these gangs, with amounts based on specific arrangements, contributing to his accumulation of significant digital assets. U.S. authorities have recently seized over $24 million in cryptocurrency from Gallyamov and dismantled parts of the Qakbot botnet in a major FBI operation. The financial damage linked to Qakbot-related ransomware attacks has climbed beyond $58 million in less than two years, affecting numerous sectors such as healthcare and government. Despite the botnet's partial dismantlement, Gallyamov continued malicious activities, including spam bomb attacks against U.S. targets as recently as January 2025.

A Chinese cyber group exploited a serious vulnerability in Trimble Cityworks software before it was patched, targeting US local government networks. The exploited security flaw, CVE-2025-0994, allowed remote code execution on Microsoft Internet Information Services (IIS) servers used by Cityworks. This vulnerability was actively used by the group, identified as UAT-6382, to infiltrate networks, conduct reconnaissance, and access systems related to utilities management. Attackers deployed webshells including AntSword and Chopper, as well as custom malware like TetraLoader, emphasizing their focus on long-term access and control. Tools used in these intrusions demonstrate sophisticated techniques and suggest high confidence in attribution to Chinese-speaking actors. The US Cybersecurity and Infrastructure Security Agency (CISA) reported active exploitation of this vulnerability shortly after Trimble issued a patch. Exploitation details remain partly undisclosed as additional facts about specific targets and ongoing attacks were not shared by the investigating teams.

Cybercriminals are targeting macOS users by mimicking Ledger wallet apps to steal cryptocurrency through phishing. The malware, identified in a Moonlock Lab report, strategically prompts users to enter seed phrases, which are crucial for accessing and recovering crypto wallets. Initially, the fake apps gathered basic wallet information, but recent updates allow attackers to directly access and steal funds using stolen seed phrases. A new strain of malware called "Odyssey" has enhanced the effectiveness of these attacks by substituting the legitimate Ledger app with a malicious version which incorporates a phishing screen. Odyssey and its variations, including campaigns by threat actors like 'Rodrigo' and '@mentalpositive,' have been discussed and spread on dark web forums. Security experts have discovered MongoDB campaigns using deceptive installation files to bypass macOS security and deliver similar phishing tactics. Users are strongly advised only to download wallet apps from official sources and rigorously verify any request for entering seed phrases to avoid falling victim to these sophisticated phishing attempts.

The Irish Data Protection Commission (DPC) has authorized Meta to start using European citizens' data to train AI models, overriding earlier privacy concerns. Improvements to Meta's data collection proposal include updated transparency notices, an enhanced objection form, and stronger data protection measures. Meta plans to commence AI training on May 27, despite ongoing legal challenges and criticisms from privacy advocacy groups. Privacy group None Of Your Business (noyb) has threatened Meta with a class-action lawsuit citing GDPR violations and is awaiting a German court's injunction decision. The DPC requires Meta to submit a report by October evaluating the effectiveness and appropriateness of the enacted safeguards. Other EU data protection agencies remain skeptical and might independently challenge Meta's data practices. Meta has not commented on the DPC’s decision or responded to the impending legal actions.