Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-12 18:17:05 | bleepingcomputer | NATION STATE ACTIVITY | New ClickFix Attacks Target Linux in Cross-Platform Campaign | A new campaign using ClickFix social engineering tactics is targeting Windows, macOS, and now Linux systems. ClickFix attacks trick users into executing harmful commands by mimicking errors or verification requests on websites. The recent attack impersonates India's Ministry of Defence and targets systems based on their operating systems, redirecting them to OS-specific attack flows. On Windows, the attack involves a malicious command copied to the clipboard leading to a decoy PDF display, whereas on Linux, it prompts execution of a non-malicious script, possibly testing the attack's effectiveness. The Linux script, identified as 'mapeal.sh', currently only fetches and displays a JPEG image, but could be modified for more malicious purposes. The attacks are attributed to Pakistan-linked APT36, also known as Transparent Tribe, signaling potentially higher geopolitical motives or targeted cyber-espionage. These incidents underline the importance of caution when copying commands from websites into system run dialogs to avoid potential malware infections and data breaches. | Details |
| 2025-05-12 17:40:58 | bleepingcomputer | NATION STATE ACTIVITY | Türkiye-Backed Hackers Use Zero-Day Exploit in Cyber Espionage | A Türkiye-supported cyberespionage group utilized a zero-day flaw in Output Messenger to target users associated with the Kurdish military in Iraq. Microsoft Threat Intelligence identified the exploitation of a directory traversal vulnerability, CVE-2025-27920, which allowed attackers to access and manipulate sensitive data. The flaw was patched in December with the release of Output Messenger version 2.0.63. Post-exploitation, the group, known as Marbled Dust, could impersonate users, access communications, and disrupt operations by deploying a backdoor in the victims' systems. Microsoft's analysis suggests that Marbled Dust might use DNS hijacking or typo-squatted domains to intercept credentials. Marbled Dust's operations have primarily targeted Europe and the Middle East, focusing on telecommunications, IT sectors, and entities opposing the Turkish government. The recent attacks indicate an escalation in Marbled Dust's technical capabilities and operational urgency, reflecting a notable shift in tactics and intensification of their espionage activities. Historically, this group has been involved in espionage campaigns since 2021, specifically targeting telecommunications and internet service providers in the Netherlands. | Details |
| 2025-05-12 17:07:26 | theregister | CYBERCRIME | Charter Airline GlobalX Targeted in Cybersecurity Breach | Global Crossing Airlines Group (GlobalX) reported unauthorized network activity on May 5, 2025, indicating a cybersecurity incident. The airline, contracted by ICE for deportations, disclosed the breach in a routine SEC filing rather than through a public announcement. Intruders allegedly accessed and possibly exfiltrated sensitive data, including flight records and passenger manifests related to deportation flights. Immediate response included activating incident protocols, hiring cybersecurity experts for mitigation, and isolating compromised systems to prevent further damage. GlobalX has informed law enforcement and is working to ascertain the full extent and impact of the cyberattack. There is speculation that stolen data may be used for extortion, although specifics of the data theft and actual misuse are not fully known. The incident coincides with the aggressive deportation strategy pursued by the Trump administration, possibly increasing the sensitivity and impact of the breach. Despite the breach, GlobalX reports no current negative impact on operations, maintaining regular security assessments and training as per their latest SEC disclosures. | Details |
| 2025-05-12 15:20:31 | bleepingcomputer | CYBERCRIME | Moldova Apprehends Suspect Tied to DoppelPaymer Ransomware Attacks | Moldovan authorities arrested a 45-year-old implicated in the DoppelPaymer ransomware scheme that targeted Dutch entities in 2021. During the arrest, police confiscated an electronic wallet, cash, electronic devices, and several data storage units. Legal proceedings are underway to extradite the suspect to the Netherlands for his role in a ransom attack on the Dutch Research Council (NWO), which caused approximately €4.5 million in damages. The NWO attack involved shutting down critical systems and leaking stolen documents online when the ransom was not paid. DoppelPaymer, linked to the cybercrime gang Evil Corp, has been active since 2019, attacking major corporations and critical infrastructure globally. The FBI has previously warned that DoppelPaymer not only encrypts data but also exfiltrates it to pressure victims into paying ransoms. The arrest was part of a collaborative effort between Moldovan and Dutch law enforcement agencies, signifying heightened actions against such cybercrime networks. | Details |
| 2025-05-12 14:41:15 | bleepingcomputer | CYBERCRIME | Report Uncovers High Security Risks in Enterprise Browser Extensions | The 2025 Enterprise Browser Extension Security Report highlights a significant but overlooked threat vector in browser extensions widely used in business environments. 99% of enterprise users have browser extensions installed, with over half using more than ten, expanding the potential for security breaches. More than half of these extensions access sensitive data under 'high' or 'critical' risk permissions, exposing organizations to data theft and other cyber threats. A significant 20% of employees use GenAI extensions, with a majority categorized under high-risk permissions, necessitating stringent control measures. A large portion of extensions is published anonymously or by first-time publishers, complicating the verification of trust and increasing vulnerability to malicious intents. Many extensions are outdated or not regularly updated, and some are sideloaded, bypassing standard security checks and further intensifying security risks. LayerX advises strict policies for managing browser extension usage and highlights actionable insights to mitigate risks during their upcoming webinar. | Details |
| 2025-05-12 14:08:35 | thehackernews | MALWARE | ASUS Releases Updates for Critical DriverHub Security Flaws | ASUS has issued updates for its DriverHub software to fix two critical vulnerabilities allowing remote code execution. The security flaws could enable attackers to execute arbitrary code by manipulating HTTP requests and modifying .ini files. DriverHub, which assists in identifying and updating necessary drivers by connecting to a specific ASUS-hosted site, was the target of these vulnerabilities. An attack involves deceiving a user into visiting a malicious sub-domain and executing an altered "AsusSetup.exe" via DriverHub's endpoint. The attack chain includes a modified ".ini" file that triggers a script to install or execute potentially harmful content on the affected system. Security researcher MrBruh discovered these vulnerabilities and reported them, leading to a fix by ASUS after years of potential exposure. ASUS has not detected any instances of the vulnerabilities being exploited in the wild but urges users to update their DriverHub software immediately. | Details |
| 2025-05-12 12:12:11 | thehackernews | DDOS | Major IoT Botnet Disrupted by US and Dutch Law Enforcement | Dutch and U.S. authorities collaborated to dismantle a criminal proxy network, using infected IoT and EoL devices. Active since 2004, the platform, known as anyproxy[.]net and 5socks[.]net, facilitated anonymous activities via a botnet. Daily, over 7,000 proxies were advertised, predominantly affecting devices in the U.S., Canada, and Ecuador. The botnet exploited IoT devices with known security vulnerabilities to install TheMoon malware. This law enforcement action coincides with other major crackdowns including the shutdown of a cryptocurrency exchange involved in money laundering and six DDoS-for-hire services. The action highlights the continuing effort by authorities to combat cybercrime networks that exploit device vulnerabilities for malicious purposes. The focus on preventing botnet activities is part of a broader strategy to curb cyber risks that can lead to significant legal and reputational consequences for businesses. | Details |
| 2025-05-12 11:02:29 | thehackernews | DATA BREACH | Persistent Exposed Credentials Risk Company Security | Research from GitGuardian reveals a high percentage of company secrets and credentials exposed in public repositories remain valid for years, posing significant security risks. Organizations often lack awareness of the exposure or the operational capacity to swiftly remediate the exposed secrets, resulting in prolonged vulnerability. The persistence of valid secrets is due to the complexities of updating hardcoded secrets across multiple systems, which can disrupt production environments. Limited remediation resources prioritize only high-risk exposures, and legacy systems do not support modern security practices such as ephemeral credentials. Analysis indicates that exposed cloud and database credentials in production systems are a direct threat, with valid credentials significantly increasing for cloud services from 2022 to 2024. Practical steps for remediation include immediate rotation of credentials, implementing IP allowlisting, using dynamic secrets, and transitioning to modern authentication methods to minimize risks. Adopting automated secrets management and focusing on short-lived credentials can effectively reduce the attack surface and enhance security. The report emphasizes the urgent need for organizations to improve detection, rapid remediation, and overall management of secret exposures to protect sensitive data and systems. | Details |
| 2025-05-12 09:35:14 | theregister | MISCELLANEOUS | UK Cyber Agency Clashes With Industry on Software Security | The UK's National Cyber Security Centre (NCSC) is advocating for a market structure that rewards security-driven software vendors, addressing the issue at their CYBERUK conference. NCSC's CTO, Ollie Whitehouse, criticized the current market for failing to incentivize companies to prioritize building secure products, shifting the risk onto customers. Industry leaders from Vodafone, Mandiant, and Sage, during a panel discussion, expressed skepticism about the NCSC's approach, highlighting the complexity of cyber security issues and questioning the effectiveness of market intervention. Whitehouse proposed both incentivizing good security practices and penalizing vendors for subpar security measures to foster a better security ecosystem. Amidst varying opinions, there remains a significant divide on whether regulatory interventions or market-driven solutions are more effective in enhancing software security. The debate also covered the role of cyber insurance and international collaboration on setting standardized security expectations for vendors. The NCSC also launched a voluntary Software Security Code of Practice aimed at setting a baseline for security practices, akin to previous successful initiatives in AI security. | Details |
| 2025-05-12 08:34:01 | theregister | CYBERCRIME | UK Retail Giants Suffer Severe Disruptions from Ransomware Attacks | Recent weeks have seen significant ransomware attacks on major UK retailers including Marks and Spencer, the Co-Op, and Harrods, causing prolonged system downtimes. The incidents highlight a systemic failure in corporate cybersecurity, exacerbated by inadequate attention and investment in IT security. There is a notable lack of transparency and public disclosure about the details and impacts of these security breaches, reflecting a culture of silence and minimal compliance. The British Library's own report on its 2023 ransomware attack serves as a stark example, revealing major data leaks and permanent system losses due to outdated and underfunded IT infrastructure. The article advocates for an open and collaborative approach to addressing cybersecurity failures, similar to self-help groups, where organizations can learn from each other's experiences and mistakes. It suggests the establishment of industry-wide protocols for managing the security lifecycle of IT projects, emphasizing the importance of regular reassessment and maintenance. The piece criticizes the prevailing corporate attitude towards IT security as a non-urgent expense, calling for a shift towards recognizing and addressing IT vulnerabilities as a critical priority. The article concludes that without a major cultural shift in how companies handle cybersecurity, systemic flaws will continue to pose severe risks. | Details |
| 2025-05-12 07:33:28 | thehackernews | MALWARE | Noodlophile Malware Uses Fake AI Tool Lures on Facebook | Threat actors pose as AI-powered tools to distribute Noodlophile, a malicious information stealer. Over 62,000 views were recorded on a single Facebook post, indicating significant user interaction. Fake sites and social media ads prompt downloads of malware through seemingly benign AI-generated content. The malware, disguised as media files, initiates infection by downloading a malicious .exe file. Noodlophile Stealer harvests browser data, crypto wallet information, and more, sometimes bundled with a remote access trojan, XWorm. The malware developer is believed to be from Vietnam, based on their GitHub profile. Cybercriminals continue to exploit public fascination with AI to promote malware, with Meta reporting over 1,000 related URL takedowns since early 2023. A parallel malware threat, PupkinStealer, was also identified, stealing data with minimal detection evasion. | Details |
| 2025-05-12 04:34:09 | theregister | MALWARE | DOGE Employee's Credentials Found in Multiple Malware Dumps | Developer Micah Lee discovered 51 data breach records and four infostealer log dumps linked to DOGE employee Kyle Schutt. Schutt has access to sensitive government data via his role with the Federal Emergency Management Agency. Infostealer logs containing Schutt's credentials suggest potential compromises of his computers. Leaked credentials were found in prominent data dumps, including the 100GB Naz.API and ALIEN TXTBASE, highlighting substantial cybersecurity risks. Infostealer logs indicate personal accounts and possibly work-related accounts at risk, underlining the need for stringent security practices in government and sensitive roles. The article also reports on other serious cybersecurity incidents, including a critical Cisco vulnerability and internal data leaks from the LockBit ransomware gang. The necessity of stronger security measures is underscored by the collapse of a UK business due to a ransomware attack and the sentencing of the Celsius CEO for fraud related to security misrepresentation. | Details |
| 2025-05-11 20:27:00 | theregister | MALWARE | Innovations in Ransomware Target CPU and Firmware Security | Christiaan Beek of Rapid7 developed a proof-of-concept for CPU ransomware based on a vulnerability in AMD Zen chips. This exploit would enable attackers to inject unauthorized microcode directly into CPUs, bypassing traditional security technologies. Although challenging, rewriting CPU microcode is feasible, demonstrated by Google's manipulation of random number generation in the same AMD chips. Beek highlights a shift in cybercriminal tactics, referencing UEFI bootkits for sale on cybercrime forums and historical efforts by the Conti ransomware group. CPU-level ransomware poses a significant risk as it could survive operating system reinstalls and modify hardware functions to enforce ransom demands. Despite potential severity, such CPU-focused ransomware is not yet found in the wild, but the theoretical framework is established. Beek calls for a renewed focus on fundamental cybersecurity practices due to continued vulnerability exploitation and insufficient implementation of basic security measures like multi-factor authentication. | Details |
| 2025-05-11 15:22:03 | bleepingcomputer | MISCELLANEOUS | Bluetooth 6.1 Enhances Privacy with Randomized Address Timing | The Bluetooth Special Interest Group (SIG) has released Bluetooth Core Specification 6.1, introducing significant privacy enhancements. A key feature in the update is the randomization of the Resolvable Private Addresses (RPA) update timing, making device tracking by third parties significantly more difficult. Before this update, RPAs were refreshed at predictable 15-minute intervals, which could have been exploited in correlation attacks for long-term device tracking. With Bluetooth 6.1, RPA updates will now occur randomly between 8 and 15 minutes, and settings can be further customized to any interval between 1 second and 1 hour. The random selection uses a NIST-approved generator, enhancing security measures against pattern tracking and correlation attacks. Bluetooth 6.1 also improves power efficiency by allowing the Bluetooth controller to manage RPA updates autonomously, reducing demand on the host device's CPU and memory. This update is particularly beneficial for devices with limited battery resources, such as fitness bands, earbuds, and IoT sensors. Full implementation and support of Bluetooth 6.1 features in devices may not be seen until around 2026, pending further testing and validation. | Details |
| 2025-05-11 14:16:47 | bleepingcomputer | MALWARE | iClicker Website Compromised: Malware Distributed via Fake CAPTCHA | iClicker's website was hacked between April 12 and April 16, 2025, introducing a fake CAPTCHA that tricked users into downloading malware. The attack utilized a ClickFix social engineering strategy, requiring users to paste a malicious PowerShell script into their system to "verify" themselves. Targeted visitors received a PowerShell script that connected to a remote server, downloading different malware based on the visitor type. Non-targeted visitors received benign software. The malware potentially allowed attackers full access to the infected devices, capable of extracting sensitive information like passwords, credit card details, and cryptocurrency wallets. BleepingComputer's inquiries regarding the attack received no response from Macmillan, although iClicker later posted a security bulletin advising affected users to run security checks and update passwords. The security bulletin was made difficult to find due to a 'noindex, nofollow' tag, potentially limiting public awareness of the incident and its resolution. Users of iClicker's mobile app or those who did not interact with the fake CAPTCHA were not affected by this security breach. | Details |