Daily Brief

2025-05-05 07:05:26 theregister MISCELLANEOUS Trump Discusses Tech Policy, TikTok Deal, and Tariffs in Interview
President Trump praises TikTok, describing his affection for the platform due to its popularity among young voters who significantly supported him in the 2024 election. Despite a missed divestment deadline, Trump indicates a potential extension for TikTok's sale to ensure its operation continues in the U.S. Trump references an ongoing deal for TikTok's divestment involving significant investors, hinting at a resolution before the new June 19 deadline. He discusses DOGE's role under Elon Musk's leadership, highlighting its success in reducing government waste and fraud. Trump credits his administration's trade policies for significant investments by major tech companies like Apple and potential foreign companies to manufacture in the U.S. He announces a new tariff policy targeting foreign movies to bolster the American film industry, which he claims is declining rapidly. The White House, Department of Commerce, and the U.S. Trade Representative have yet to provide details on the implementation of the new movie tariff.
2025-05-05 05:47:45 thehackernews CYBERCRIME Golden Chickens Enhances Malware to Steal Browser and Crypto Data
Golden Chickens, a cybercrime group also known as Venom Spider, has developed new malware versions, TerraStealerV2 and TerraLogger, aiming to enhance their data theft capabilities. TerraStealerV2 focuses on collecting credentials from browsers, cryptocurrency wallet data, and browser extension details, while TerraLogger acts as a keylogger recording keystrokes. The malware is distributed through various file types including EXEs, DLLs, MSI packages, and LNK files, leveraging OCX payloads sourced from a questionable external domain. Despite targeting data extraction, TerraStealerV2 does not yet bypass new Chrome security protocols, indicating potential areas of ongoing development or limitations in the malware's current version. Recorded Future reports that these tools are still under development and have not yet reached the sophistication levels seen in other mature malware tools used by Golden Chickens. There's no evidence of command-and-control communication capabilities in TerraLogger, suggesting it could be part of early development or designed for use alongside other malware in the Golden Chickens suite. This development by Golden Chickens occurs amidst broader trends in the cybercrime landscape, including the emergence of other stealer malware families and improved versions of existing malware with enhanced functionalities.
2025-05-05 03:59:54 theregister MISCELLANEOUS Setbacks for India's Semiconductor Aspirations; Global Tech Updates
India's plan to become a significant player in global semiconductor manufacturing faced setbacks as Zoho dropped its $700 million fab investment and Adani Group paused its $10 billion project with Tower Semiconductor. Zoho abandoned its semiconductor manufacturing plans due to the capital-intensive nature of the industry and lack of confidence in the chosen technology path, citing the requirement for substantial government support. Adani Group halted talks over concerns that the semiconductor project did not make commercial sense. China's Cyberspace Administration initiated a three-month campaign to rectify abuses in AI technology, targeting unregistered AIs and enforcing stringent security and content regulations. Indian Supreme Court judges indicated that the use of spyware could be justified for national security, discussing this during a case probing alleged misuse of Pegasus spyware. South Korea's Fair Trade Commission fined Meta for failing to provide required consumer protections on its social platforms and mandated improvements within 180 days. The same regulator is consulting on remedies against Broadcom for alleged monopoly practices, seeking industry input on proposed regulatory changes. SK Telecom in South Korea has halted new customer signups to address issues stemming from a recent cyberattack, impacting millions of customers.
2025-05-05 00:01:55 theregister MISCELLANEOUS Microsoft Phases Out Passwords, Embraces Biometric Passkeys
Microsoft announced on World Password Day that it is shifting all new consumer accounts to use passkeys by default, promoting a passwordless security environment. Passkeys, utilizing methods such as biometrics, PINs, or codes, are set to replace traditional passwords, enhancing login security and user experience. Existing Microsoft users are urged to switch to passkeys through their account settings, as the company begins to prioritize passwordless sign-in methods. The initiative is part of Microsoft's ongoing efforts to eradicate passwords, which it deems less secure and less efficient than modern authentication technologies. In related news, Raytheon settles federal charges for failing to meet cybersecurity regulations on defense contracts, agreeing to pay $8.4 million. Cybersecurity researchers have identified critical vulnerabilities in Apple's AirPlay protocol, potentially affecting multiple devices and enabling various attacks. Ecommerce platforms face renewed threats from a six-year-old backdoor affecting software based on the Magento platform, impacting major global retailers. The FBI released a list of 42,000 defunct dark web phishing domains previously associated with the LabHost service, aiding cybersecurity professionals in threat analysis.
2025-05-04 18:54:02 theregister MISCELLANEOUS RSAC Highlights: AI Trends, China, and North Korean IT Threats
Nearly 44,000 attendees converged at the RSAC cybersecurity conference in San Francisco, highlighting emerging technology trends. AI was a dominant theme, with warnings about the vulnerabilities introduced by "agentic AI," which grants operational autonomy to AI systems. The conference emphasized AI's potential both in enhancing security and in its exploitation for fraudulent activities, such as phishing and the creation of deceptive documents. China was repeatedly labeled as the top cyber threat to America, with its AI advancements and participation in various cyber espionage activities being focal topics. North Korean IT workers infiltrating companies, including disguised attempts to penetrate Google, were a widely discussed topic, reflecting a growing concern about this tactic. U.S. cybersecurity leadership presence at RSAC was reportedly lower than in previous years, amid discussions about federal budget cuts and the impact on private-public sector cooperation. The North Korean infiltration is recognized as a significant concern, highlighted by real cases of detections and disclosures to affected companies.
2025-05-04 14:14:39 bleepingcomputer MALWARE StealC Malware Version 2.2.4 Enhancements and Threats
StealC, an information stealer and malware downloader, has recently been updated to version 2.2.4, including several stealth and data theft upgrades. Originally launched on the dark web in 2023, StealC gained prominence for its effectiveness in stealing sensitive data, available for a subscription of $200 per month. In its latest iteration, StealC has removed previous features like anti-VM checks and DLL downloading but has introduced significant enhancements including mechanisms to bypass Chrome's cookie theft defenses. Version 2.2.4 enables expired cookie regeneration, facilitating unauthorized access to Google accounts. Recent deployments of StealC have been executed through Amadey, another malware loader, showcasing variation in delivery methods amongst cybercriminals. Zscaler's research and analysis highlight the ongoing evolution and active development of StealC, suggesting potential re-introduction of removed features in future updates. Recommended protection measures include avoiding the storage of sensitive information in browsers, using multi-factor authentication, and avoiding downloads from unreliable sources.
2025-05-04 12:47:01 theregister MISCELLANEOUS Altman's Biometric Blockchain Initiative Launches in U.S. Stores
Altman's "Tools for Humanity" startup launched retail stores across six U.S. cities, introducing biometric blockchain orbs for human verification. The initiative encourages users to verify their identity through iris scanning, providing proof of personhood via blockchain, and offering cryptocurrency incentives. Concerns have been raised about privacy and data collection, following international scrutiny and legal actions in various countries. World aims to mitigate online fraud by ensuring that online profiles used in gaming, dating, and social media are linked to genuine individuals. The process involves downloading an app and linking it with an orb for a biometric scan, which encrypts and converts user data into a unique identity token. Despite the controversy, there are plans for significant expansion in the U.S., with a goal of 7,500 orbs and partnerships targeting online social interactions. World introduced partnerships for the use of biometric-based IDs with major platforms, including a Visa-backed debit card and Match.com in Japan.
2025-05-03 14:35:01 thehackernews MALWARE Linux Malware Attack Targets Developers via Malicious Go Modules
Cybersecurity experts discovered three malicious Go modules designed to fetch destructive payloads that overwrite Linux system disks, rendering them unbootable. The targeted modules check if the system is Linux-based; if so, they execute a script that deletes all data on the primary disk by writing zeroes. This attack highlights the risks of supply chain attacks, where trusted components are manipulated to deliver harmful outcomes. Additional compromised npm and PyPI packages were found attempting to steal cryptocurrency keys and facilitate data exfiltration using trusted services like Gmail. These packages have been used to set up covert channels for data theft, leveraging Gmail SMTP and WebSocket connections to evade detection and maintain persistence. Over 6,800 downloads of the harmful packages were recorded, indicating significant exposure. Security recommendations for developers include verifying package authenticity, regularly auditing dependencies, and watching for unusual network traffic patterns to prevent similar attacks.
2025-05-03 14:16:43 bleepingcomputer MISCELLANEOUS Microsoft Moves Authenticator Autofill Feature to Edge Browser
Microsoft will discontinue the password storage and autofill feature in the Authenticator app, transitioning it to Microsoft Edge by August 2025. The Authenticator app will continue to support multi-factor authentication but will end support for autofill and password management. Users are required to export their saved passwords from Authenticator to Microsoft Edge or another password manager by August 1, 2025, to avoid data loss. For continued autofill functionality, users must install Microsoft Edge and sync it with their Microsoft account. Password export steps include navigating to Autofill settings in Authenticator and saving the exported file to a chosen location. Microsoft assures that the shift will centralize credential management and enhance security by syncing passwords directly with user Microsoft accounts. Payment information will not be migrated automatically and must be manually re-entered for security reasons. Microsoft reaffirms continued support for Passkeys in Authenticator, emphasizing its commitment to multifactor authentication security.
2025-05-03 09:36:23 thehackernews NATION STATE ACTIVITY Iranian Hackers Exploit VPN Vulnerabilities in Multi-Year CNI Espionage
An Iranian threat group utilized VPN flaws to infiltrate Middle Eastern critical national infrastructure for nearly two years. The attack, attributed to the nation-state actor Lemon Sandstorm, involved extensive intelligence gathering and prepositioning within the network. FortiGuard Incident Response identified the attack as part of a long-term espionage campaign dating back to at least May 2023. Tools used by the hackers included open-source command-and-control frameworks and commodity malware, indicating preparedness for ransomware deployment. Lemon Sandstorm has previously targeted sectors like aerospace and energy in multiple regions, including the U.S. and the Middle East. The security breach allowed persistent internal access through chained proxies and custom malware, bypassing network segmentation. Despite comprehensive reconnaissance, there was no evidence of penetration into the Operational Technology (OT) network. Examination revealed possible unauthorized network access dating as far back as May 2021, highlighting deep-rooted security challenges.
2025-05-03 07:12:17 thehackernews MALWARE Yemeni Hacker Charged for Global Black Kingdom Ransomware Attacks
The U.S. Department of Justice has charged a Yemeni national, Rami Khaled Ahmed, with deploying Black Kingdom ransomware impacting 1,500 systems, including businesses and healthcare facilities. The charges include conspiracy, damage to protected computers, and threats of further damage, with Ahmed allegedly still residing in Yemen. Ransomware encrypted or claimed to steal data, demanding $10,000 in Bitcoin, with payments directed to a conspirator-controlled cryptocurrency address. Attacks exploited a Microsoft Exchange Server vulnerability, ProxyLogon, previously associated with other ransom campaigns. Despite its amateurish nature, the Black Kingdom ransomware has been effectively propagated by exploiting security vulnerabilities. The broader ransomware landscape suggests a shift towards decentralized operations by attackers adopting a "lone-wolf" strategy, as sustained law enforcement pressures reduce traditional group activities. Despite a slight rise in companies opting to pay ransoms in early 2025, overall trends show a declining willingness to meet the demands, with 64% of organizations refusing to pay ransoms.
2025-05-02 19:53:21 bleepingcomputer CYBERCRIME Co-op Data Theft Confirmed After DragonForce Ransomware Attack
Co-op reported a significant data theft affecting a large number of current and past members following a cybersecurity breach. Personal data including names and contact details were compromised; however, passwords and financial information were not accessed. Initial reports underestimated the impact, which was later confirmed to be a serious breach by DragonForce ransomware affiliates. The method of attack involved social engineering, which led to resetting an employee's password and accessing network data including Windows account password hashes. Co-op is now rebuilding its IT infrastructure and strengthening security measures with assistance from Microsoft DART and KPMG. The threat actors, identified as affiliates of the DragonForce ransomware operation, boast about stealing data from approximately 20 million people registered in Co-op's membership program. They have also engaged directly with Co-op executives through Microsoft Teams, displaying the urgency and personalized approach of their extortion tactics. This ransomware-as-a-service operation threatens to publish stolen data if ransoms are not paid, significantly raising the stakes for affected organizations.
2025-05-02 18:16:26 bleepingcomputer CYBERCRIME Multinational E-Commerce Giants Hit by Magento Backdoor Attack
A supply chain attack compromised 500 to 1,000 e-commerce stores by injecting backdoors into 21 Magento extensions. Extensions from Tigren, Meetanshi, and MGS were affected, including Weltpixel's prominent GoogleTagManager plugin. The malicious code was hidden in licensing files, enabling attackers to take over admin functions and upload malicious PHP scripts. Sansec discovered that the compromised extensions had been planted as early as 2019, but were only activated in April 2025. The backdoors allow significant backend access, potentially enabling data theft, unauthorized admin account creation, and more. Sansec alerted the affected vendors; MGS did not respond, Tigren denied the breach, and Meetanshi acknowledged a server hack but not extension tampering. Sansec and BleepingComputer urge users of the impacted extensions to conduct thorough server scans and restore systems from clean backups if possible.
2025-05-02 16:09:22 theregister MALWARE California Man Pleads Guilty to Malware Attack on Disney
A 25-year-old from California, Ryan Mitchell Kramer, confessed to hacking Disney and stealing 1.1TB of data, initially thought to be the work of Russian activists. Kramer is charged with illegally accessing a computer to obtain information and threatening to damage a protected computer. He faces up to ten years in prison under a plea agreement following his admission of guilt to the U.S. Department of Justice. The breach originated from a deceptive AI art generation app created by Kramer, which installed malware granting him remote access. Using stolen login credentials, Kramer infiltrated Disney’s Slack workspace, accessing thousands of channels and downloading sensitive information. He threatened an employee via email and Discord to leak personal data, proceeding to do so upon non-compliance, including sensitive banking and medical details. The incident prompted Disney to switch communication platforms from Slack to Microsoft Teams, affecting employee workflows. Kramer also admitted to similar offenses involving at least two other victims who downloaded his malware-infected software.
2025-05-02 15:09:02 theregister CYBERCRIME Generative AI Transforms Spam, Heightens Global Phishing Risks
Generative AI has significantly improved the quality and localization of phishing and scam messages, reducing spelling and grammatical errors that were typical identifiers of spam. Scammers are now able to target non-English speaking regions more effectively by crafting messages in local dialects, like Québécois and European Portuguese, which previously helped residents identify spam. The conversational capabilities of AI systems are enhancing the effectiveness of romance scams by managing initial interactions before human scammers take over for financial exploitation. Real-time audio deepfakes are currently being used to impersonate individuals in sensitive positions, misleading employees into revealing confidential information. Skepticism exists around the state of real-time video deepfakes as truly convincing versions are not yet affordable or technologically feasible without significant investment, though this is expected to change within a few years. Future threats are anticipated to require strengthened personal verification processes to counter sophisticated AI-enabled scams and impersonations.