Daily Brief
Total articles found: 11822
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-05-20 09:39:55 | thehackernews | NATION STATE ACTIVITY | Chinese-Linked Hackers Target Saudi Entity with MarsSnake Backdoor | Chinese-affiliated hackers, tracked as UnsolicitedBooker, targeted a Saudi organization using spear-phishing with flight-ticket lures. The attacks involved multiple backdoors, including Chinoxy, DeedRAT, Poison Ivy, and the newly deployed MarsSnake. MarsSnake was delivered via a malicious Word document disguised as a flight-ticket PDF, which triggered a malicious VBA macro. The persistent targeting of the organization since 2023 suggests a high strategic interest on the part of the threat group. UnsolicitedBooker's activities show affiliation with larger Chinese cyber operations and share methods with groups like Space Pirates. Other Chinese groups, such as PerplexedGoblin and DigitalRecyclers, continue to target European and governmental entities using sophisticated espionage tools. The discovery highlights the ongoing and evolving threat from state-aligned actors against international and governmental organizations. |
| 2025-05-20 08:38:44 | theregister | DATA BREACH | Virgin Media O2 Fixes Flaw Exposing User Locations to Callers | Virgin Media O2 resolved a privacy issue in its 4G Calling feature that allowed callers to pinpoint the recipient's location. Researcher Daniel Williams discovered that VoLTE metadata could locate users to within 100 meters using IMS, IMEI, and cell ID data. Williams disclosed the vulnerability in May after first contacting the MNO in March; the company was initially unresponsive. A company spokesperson confirmed the fix, stating that comprehensive testing and implementation had been completed by May 19. Williams's detailed findings showed that the IMSI and IMEI numbers returned by the server identified both the caller's and the recipient's devices on the VMO2 network. The information leakage was demonstrated using tools like CellMapper, which could provide location data with up to city-center precision. Disabling 4G Calling occasionally halted data transmission but was not deemed a reliable way to prevent the privacy breach. The resolution followed extensive research by Williams, who has stopped replicating the issue since the repair. |
| 2025-05-20 08:25:47 | thehackernews | MALWARE | New Cryptojacking Campaign Targets Linux Redis Servers | Researchers at Datadog Security Labs identified a new cryptojacking campaign, codenamed RedisRaider, targeting publicly exposed Redis servers on Linux systems. The campaign uses a customized scanner to locate accessible Redis servers, checks for a Linux OS via the INFO command, and then injects a cron job using the SET command. The malware changes the Redis working directory to "/etc/cron.d" and sets up a database file named "apache" that executes a Base64-encoded shell script. This script downloads the RedisRaider binary, which deploys a specialized XMRig miner to harness computing resources for mining Monero cryptocurrency. The malware also replicates itself to other Redis instances, expanding its impact, and incorporates anti-forensics features such as short key TTLs and database configuration alterations to evade detection. RedisRaider additionally supports a web-based Monero miner for extra revenue, signifying a complex, multi-pronged financial strategy by the threat actors. Also reported was a separate campaign exploiting Microsoft Entra ID's legacy authentication protocols for targeted brute-force attacks, primarily against accounts in Eastern Europe and the Asia-Pacific region. |
| 2025-05-20 05:55:24 | thehackernews | MALWARE | Malicious PyPI Packages Target Social Media APIs, Risk User Data | Cybersecurity researchers discovered malicious Python packages on PyPI that exploit social media APIs to validate stolen email addresses. The packages, named "checker-SaGaF", "steinlurks", and "sinnercore", use various techniques to abuse the Instagram and TikTok APIs, mimicking legitimate app functions to evade detection. These tools check whether email addresses are associated with existing social media accounts, enabling cybercriminals to refine their target lists and potentially threaten users through various harmful actions. Validated email lists from these attacks are often sold on the dark web, contributing to broader cybercrime such as credential stuffing or phishing. Additional functionality in these packages includes targeting Telegram user data and crypto utilities, indicating the complex, multi-purpose nature of the malware. The findings reveal significant risks not only to individual privacy but also to organizations, since validated emails can lead to targeted and sophisticated cyber attacks. One package, named "dbgpkg", served as a backdoor implant on developers' systems, demonstrating a trend of using developer tools as malware distribution vectors. The techniques and targeted deployment indicate a high level of sophistication among the attackers, who seek to establish a long-term, anonymous presence on infected systems. |
| 2025-05-19 23:03:36 | theregister | MISCELLANEOUS | CISA Appoints New Deputy Amid Challenges and Budget Cuts | CISA announced Madhu Gottumukkala as its new deputy director amid budget reductions and staffing challenges. The agency still lacks a Senate-confirmed leader, with interim duties performed by Bridget Bean. Key focus areas are under threat from a proposed $491 million cut, about 17 percent of CISA's budget. The budget cuts align with an administration push to limit CISA's scope to China-focused defenses, excluding certain red team functions and Russian threats. Resignations include leaders of the Secure by Design program, and other staff have taken voluntary resignation options. Senator Ron Wyden blocked the director nominee, Sean Plankey, demanding the release of a report on vulnerabilities in U.S. telecom networks. CISA's refocus on its mission includes an evaluation of election security, particularly how it handles misinformation and foreign influence. DHS remains tight-lipped about exact numbers on CISA staff reductions and restructuring details, prompting congressional inquiries. |
| 2025-05-19 21:25:18 | bleepingcomputer | MALWARE | Trojanized KeePass Installs Lead to Ransomware via ESXi Servers | Threat actors distributed trojanized KeePass versions for eight months to deploy Cobalt Strike beacons and ransomware. The malicious KeePass installer was promoted through Bing ads that led to fake software download sites. The modified KeePass, named KeeLoader, included functionality that stole credentials and exported password databases in cleartext. The KeePass alterations were linked to Black Basta ransomware and are believed to be operated by initial access brokers. Researchers unearthed various signed variants that fooled users through typo-squatted domains. The compromised companies' VMware ESXi servers were encrypted in the ransomware attacks. WithSecure linked the activity to UNC4696, a group associated with past Nitrogen Loader and BlackCat/ALPHV ransomware campaigns. The investigation revealed an extensive infrastructure for disseminating various malware and credential-phishing schemes under impersonated domains. |
| 2025-05-19 19:24:37 | bleepingcomputer | DATA BREACH | O2 UK Resolves Bug Exposing Mobile Users' Location Data | A security flaw in O2 UK's VoLTE and WiFi Calling allowed location tracking through call metadata. According to researcher Daniel Williams, the vulnerability had persisted since March 2017 until its recent resolution. The flaw leaked sensitive information such as IMSI and IMEI numbers and cell tower locations. Williams used the Network Signal Guru app and public tools to pinpoint user locations accurately. O2 UK, which has nearly 23 million mobile users, implemented the fix without requiring customer action. Virgin Media O2 confirmed the issue and its resolution, assuring customers that no action was needed. It remains unclear whether O2 UK previously knew about the flaw or whether any exploitation occurred. |
| 2025-05-19 19:05:49 | theregister | CYBERCRIME | SIM-Swap Scam Leads to False SEC Announcement, Prison Sentence | Eric Council Jr., 26, from Huntsville, Alabama, was sentenced to 14 months in prison for initiating a SIM-swap scam that targeted the SEC's official social media account. Council and accomplices hijacked the SEC's X account and posted a fake announcement about government approval of Bitcoin ETFs, causing significant market fluctuations. The fraudulent post led to a temporary increase in Bitcoin's price of over $1,000; the value then plummeted by more than $2,000 after the SEC regained control and issued a retraction. To execute the scam, Council used a fake ID at an AT&T store to obtain a new SIM card linked to the victim C.L.'s number, and subsequently accessed C.L.'s two-factor security codes. Incriminating searches on Council's personal computer, including "SECGOV hack" and "how can I know for sure if I am being investigated by the FBI," were instrumental in his capture and conviction. The FBI highlighted the case as a deliberate attempt to deceive the public and manipulate financial markets, endangering trust in public communications platforms. Following his prison term, Council will undergo three years of supervised release, underscoring the legal penalties for cybercrimes involving identity theft and fraud. |
| 2025-05-19 18:01:10 | bleepingcomputer | CYBERCRIME | Arla Foods Hit by Cyberattack, Production Temporarily Halted | Arla Foods, a major international dairy producer, confirmed a cyberattack at its Upahl, Germany facility, impacting the local IT network and production. The incident caused disruptions, leading to potential product delivery delays or cancellations. Arla is actively working on resuming normal operations and expects to restore full functionality within the week. The specifics of the cyberattack, including whether data was stolen or encrypted, remain undisclosed by Arla. No reports have linked this incident to known ransomware groups, and it has not appeared on extortion portals, leaving the attacker's identity unclear. The event affected only the Upahl location; production at other Arla sites continues unaffected. Arla has informed customers potentially affected by delivery issues resulting from the disruption. |
| 2025-05-19 15:53:57 | thehackernews | MALWARE | RVTools Website Compromised to Distribute Bumblebee Malware | The official website of RVTools was hacked to distribute a malicious installer for the VMware utility software. The infected installer was found sideloading a harmful DLL identified as the Bumblebee malware loader. The extent of the infection and how long the compromised installer was available are unknown. RVTools has cautioned users against downloading its software from any source other than its official websites. A separate malware threat, delivered through Procolored printer software, included a backdoor and a clipper malware capable of cryptojacking. The clipper malware, SnipVex, intercepted and altered Bitcoin wallet addresses in clipboard data to reroute transactions. Procolored has acknowledged the issue, stating that the source might have been infected USB drives used in October 2024. Although the backdoor's command-and-control server has been offline since February 2024, the clipper malware remains active and damaging. |
| 2025-05-19 15:15:38 | bleepingcomputer | DATA BREACH | UK Legal Aid Agency Hit by Major Data Breach Incident | The UK Legal Aid Agency (LAA) confirmed the theft of extensive applicant data in a recent cyberattack that was originally believed to be less severe. The breach affected records dating from 2010, compromising sensitive personal information of those who applied for legal aid. The LAA, an arm of the UK Ministry of Justice, provides crucial legal services to individuals unable to afford legal representation. Following discovery of the breach on May 16, immediate measures included securing all LAA systems with assistance from the National Cyber Security Centre and temporarily shutting down the online application platform. The UK government urges all legal aid applicants to be cautious of potential scams and to verify communications before sharing personal information. LAA's CEO, Jane Harbottle, expressed deep regret over the incident and committed to providing ongoing updates and addressing the breach's implications. It is still unclear whether the data theft at the LAA is connected to recent attacks on UK retailers by a group using DragonForce ransomware. |
| 2025-05-19 14:44:21 | thehackernews | MALWARE | Ransomware Gangs Utilize Skitnet Malware to Compromise Corporate Systems | Ransomware actors have adopted Skitnet malware for advanced data theft and remote control of targeted systems. Skitnet, also referred to as Bossnet, was first sold on the dark web in April 2024 and has been actively used in attacks since early 2025. The malware's complex design uses languages like Rust and Nim to evade typical security detections and launches a reverse shell over DNS. Skitnet includes capabilities for persistence, remote access, command execution, data exfiltration, and delivery of additional payloads. Notable usage includes a Black Basta phishing campaign in April 2025 that targeted enterprise environments via Teams-themed emails. The malware aids stealth by dynamically resolving API function addresses, and infected hosts can be managed via a command-and-control panel. Concurrently, another malware, TransferLoader, targets US law firms and also features advanced evasion and management techniques. |
| 2025-05-19 14:15:20 | bleepingcomputer | MISCELLANEOUS | Security Experts Unveil 29 Zero-Days at Pwn2Own Berlin 2025 | Pwn2Own Berlin 2025 concluded with security experts exploiting 29 zero-day vulnerabilities and earning a total of $1,078,750. Competitors targeted advanced enterprise technologies across various categories, including AI, browsers, virtualization, servers, and automotive. The event featured rigorous conditions, with all devices updated and running the latest OS versions, including contributions from Tesla with its latest models. STAR Labs SG emerged as the top team, securing 35 Master of Pwn points and $320,000 by exploiting systems such as Red Hat Enterprise Linux and VMware ESXi. The highest individual reward of $150,000 went to Nguyen Hoang Thach of STAR Labs for an integer overflow exploit in VMware's ESXi software. Mozilla issued early patches for two exploited zero-days in Firefox, demonstrating the prompt-response benefit of the competition's disclosure policy. The disclosed vulnerabilities are held privately for 90 days, giving vendors a window to patch before public release by Trend Micro's Zero Day Initiative. The competition underscored the critical role of ethical hacking in strengthening cybersecurity defenses across multiple technology domains. |
| 2025-05-19 14:15:20 | bleepingcomputer | MALWARE | Mozilla Quickly Patches Critical Zero-Days Post-Hacking Contest | Mozilla addressed two critical Firefox zero-day vulnerabilities immediately following their demonstration at Pwn2Own Berlin 2025. The vulnerabilities affected both desktop and Android versions of Firefox and the related Extended Support Releases. CVE-2025-4918 involved an out-of-bounds read/write issue in the JavaScript engine's handling of Promise objects, unveiled by Palo Alto Networks researchers. CVE-2025-4919 allowed out-of-bounds reads/writes by manipulating array index sizes and was discovered by researcher Manfred Paul. Although no sandbox escapes occurred, Mozilla credited recent enhancements to the Firefox sandbox with preventing further exploitability. The disclosed zero-days prompted Mozilla to form a global task force to quickly develop and deploy fixes. Firefox users are urged to update their browsers to the latest versions recommended by Mozilla to mitigate potential exploitation. The incident underlines the ongoing significance of high-profile security competitions like Pwn2Own in uncovering vulnerabilities. |
| 2025-05-19 11:42:51 | theregister | DATA BREACH | Extensive UK Legal Aid Data Theft Affects Millions | The UK's Legal Aid Agency, sponsored by the Ministry of Justice, experienced a significant data breach in which cybercriminals stole a "significant amount of personal data" dating back to 2010. The stolen data includes contact details, home addresses, dates of birth, national ID numbers, criminal histories, employment statuses, and detailed financial records. The breach was first detected on April 23, but it was not until May 16 that the full extent of the data accessed was understood, revealing a much greater impact than initially expected. The attack could potentially affect all individuals who applied for legal aid from 2010 to 2025; they are advised to be vigilant for suspicious activity and to update security measures such as passwords. In the last reported year (April 2023 to March 2024), 388,888 legal aid applications were made, indicating a wide scope of potential data exposure. The Ministry of Justice and the National Cyber Security Centre are working together to enhance security post-incident and guide the public on scam protection. The Legal Aid Agency has taken its online services offline to protect further data and implement security improvements. Legal aid applicants and providers are urged to stay alert and await further updates as the investigation continues and remedial actions are undertaken. |