Daily Brief
Total articles found: 11826
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-08 16:11:06 | thehackernews | MALWARE | Cryptocurrency Malware Distributed Through SourceForge Downloads | Threat actors are using SourceForge to distribute cryptocurrency miner and clipper malware disguised as cracked Microsoft Office software. The project titled "officepackage" on SourceForge cloned legitimate content from GitHub but added malicious downloads. Clicking the download links redirects users to another site, presenting a malicious MSI installer inside a ZIP archive. The installer deploys various scripts that download additional malicious payloads, including miner and ClipBanker malware. The malware campaign, primarily targeting Russian-speaking users, achieved over 4,600 potential victim encounters within three months. Attackers exploit legitimate-looking URLs and search engine indexing to ensnare users seeking pirated software. The cybersecurity report suggests that such malware distribution campaigns also open doors for additional system exploitation by other malevolent actors. |
| 2025-04-08 15:37:08 | bleepingcomputer | MALWARE | Mirai Botnet Targets DVRs in Advanced Malware Campaign | Exploitation of TVT NVMS9000 DVRs detected with a peak on April 3, 2025, involving over 2,500 unique scanning IPs. Vulnerability allows attackers to bypass authentication and execute administrative commands via exposed DVRs. Increased activity linked to Mirai-based malware, aiming to incorporate DVRs into a botnet for malicious purposes like DDoS attacks and cryptomining. Attacks primarily originating from Taiwan, Japan, and South Korea; targeted DVRs are mostly located in the U.S., the U.K., and Germany. GreyNoise identifies and confirms 6,600 distinct malicious IPs related to this exploitation. Recommended mitigation includes upgrading to firmware version 1.3.4, restricting DVR ports from public internet access, and blocking IPs listed by GreyNoise. Symptoms of infection include increased outbound traffic, high CPU/memory usage, frequent crashes, and altered DVR configurations. Uncertainty remains about current support for DVRs as the last firmware update released was in 2018. |
| 2025-04-08 14:58:14 | bleepingcomputer | MISCELLANEOUS | AWS Implements ML-KEM to Enhance Quantum Security in Services | AWS has integrated ML-KEM, a post-quantum cryptographic algorithm, into its Key Management Service, Certificate Manager, and Secrets Manager to improve TLS security against potential quantum computing threats. ML-KEM, based on the CRYSTALS-Kyber algorithm, aims to protect against future quantum threats that could potentially decrypt currently secure encryption methods like RSA and ECC. The National Institute of Standards and Technology (NIST) selected CRYSTALS-Kyber as the foundation for its post-quantum cryptography standard, finalized in August 2024. AWS plans to deprecate CRYSTALS-Kyber by 2026, transitioning fully to ML-KEM across all related service endpoints. Users need to update their client SDKs and enable ML-KEM explicitly to utilize this new security feature in their AWS environments. AWS has conducted performance benchmarks, indicating minimal impact on service performance when ML-KEM is enabled, with notable efficiency during TLS connection reuse. AWS encourages users to conduct their own performance tests to ensure compatibility and performance standards are met within their specific operational environments. |
| 2025-04-08 12:50:41 | theregister | CYBERCRIME | Scattered Spider Continues Attacks Despite Recent Arrests | Despite multiple arrests in previous years, the cybercriminal group Scattered Spider has persisted with its social engineering attacks into 2025. The group has introduced multiple phishing kits and a new version of Spectre RAT malware to steal sensitive data and gain persistent access in victim systems. Silent Push, a threat detection firm, has analyzed and published details on these phishing kits and provided tools for defenders like a Spectre RAT string decoder and a C2 emulator. Scattered Spider's recent targets include major corporations across various sectors, using domains that impersonate well-known companies and software vendors for phishing. The cybercriminals have stopped using the "Rickrolling" tactic in their phishing schemes, focusing instead on more direct methods to compromise security. Silent Push has identified and replicated findings of a new phishing domain that integrates multiple brands, enhancing the detection and understanding of Scattered Spider's techniques. The group has also started using publicly rentable subdomains, complicating the tracking and attribution of their activities by cybersecurity experts. |
| 2025-04-08 11:05:03 | thehackernews | MISCELLANEOUS | Agentic AI Revolutionizes Security Operations Center Efficiency | Agentic AI autonomously handles alert triage and investigations, acting like an experienced analyst within Security Operations Centers (SOCs). Unlike traditional AI tools that aid as assistants requiring human direction, Agentic AI operates independently, increasing operational efficiency and effectiveness. This advanced AI technology reduces the burden on human analysts by managing high-volume, repetitive tasks, which reduces fatigue and burnout. Agentic AI delivers consistent investigations and prioritizes alerts based on real risk indicators, ensuring thorough scrutiny and reducing oversight risks. Implementation of Agentic AI in SOCs leads to substantial cost savings, better resource utilization, and enhanced security outcomes by optimizing alert handling processes. It supports SOC teams by providing scalability and capacity to handle large volumes of alerts without additional human resources, crucial in the context of ongoing cybersecurity skills shortages. For security leaders considering Agentic AI, it is vital to select solutions that are transparent, adaptive, and maintain a human-centric approach for optimal integration and functionality. |
| 2025-04-08 10:17:15 | thehackernews | MALWARE | Ukraine Targeted by GIFTEDCROOK Malware Via Phishing Emails | Ukrainian institutions were targeted by a phishing campaign distributing malicious Excel files possibly linked to the UAC-0226 threat group. Malware known as GIFTEDCROOK and an associated PowerShell script stolen from GitHub facilitate data theft through browser exploits, targeting information like browsing history and authentication details. Emails containing the Excel files use subjects sensitive to Ukrainian affairs, and macros in the files trigger malware deployment once enabled. CERT-UA has not attributed the attack to any specific country, although there are links to other suspicious activities suspected to involve Russia. Attack methods include leveraging the victim's resources such as file system mapping and Remote Desktop Protocol connections through advanced phishing tactics. Recent related activities include the deployment of the Legion Loader through fake CAPTCHA interactions leading to browser extension installations that harvest user data. Global cybersecurity agencies have been documenting and responding to similar phishing techniques, underscoring a continued need for vigilance against such cyber threats. |
| 2025-04-08 08:15:39 | thehackernews | CYBERCRIME | Critical CrushFTP Vulnerability Actively Exploited, Agencies Urged to Patch | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical CrushFTP vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2025-31161 with a CVSS score of 9.8, involves an authentication bypass that allows unauthenticated attackers to take control. Originally misnumbered as CVE-2025-2825, the correct CVE was issued amid disclosures that involved some controversy between the involved parties. Since its active exploitation was confirmed, evidence shows that threat actors are using the vulnerability to execute commands, install malware, and harvest credentials. Outpost24 first reported the flaw and collaborated with CrushFTP on a 90-day disclosure timeline. The technical briefing on the vulnerability has been minimal to avoid further exploitation. As of the latest reports, 815 instances remain unpatched, with significant numbers in North America and Europe. Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the updated patches by April 28 to mitigate risks and secure their networks. |
| 2025-04-08 04:14:18 | thehackernews | MALWARE | Google Patches Android for Critical In-Wild Vulnerabilities | Google has rolled out patches for 62 vulnerabilities in the Android system, including two that have been actively exploited. The critical vulnerabilities allow for remote escalation of privilege without the need for additional execution privileges or user interaction. CVE-2024-53197, one of the key vulnerabilities, involves an issue with the Linux kernel which Google had previously addressed. This vulnerability, along with CVE-2024-53104 and CVE-2024-50302, was used in a sequence to compromise a Serbian youth activist's phone in December 2024. Google had previously fixed CVE-2024-53104 and CVE-2024-50302 in February 2025 and March 2025, respectively. The latest update ensures all three vulnerabilities are now patched, closing the exploit path used in these targeted attacks. Android users are urged to update their devices immediately as patches become available from Android OEMs to mitigate the risk of exploitation. |
| 2025-04-08 01:33:09 | theregister | NATION STATE ACTIVITY | U.S. Cybersecurity Faces Setbacks as CISA Personnel Cuts Loom | Significant reductions at the Cybersecurity and Infrastructure Security Agency (CISA) are underway, potentially cutting nearly 40% of its workforce. Homeland Security Secretary Kristi Noem spearheads these cutbacks, undermining public-private cybersecurity collaboration efforts and coordination with local agencies. Previous key advisory boards and committees within Homeland Security that addressed cybersecurity threats and information sharing have been dissolved. In March, CISA underwent a firing and subsequent rehiring of employees following a court order, along with a budget cut to essential threat detection services for state and local governments. The personnel and budget cuts are likely to weaken U.S. cyber defenses by reducing threat-hunting teams and diminishing the nation's capacity to counter foreign cyber threats effectively. It is feared that these actions will severely impair the sharing of threat intelligence between government and private sectors, limiting the response to cyber attacks and technological advisement. Recent congressional discussions highlight CISA's understaffing issue and the critical need for a robust capability to collect and disseminate threat intelligence across various sectors. The elimination of Sector Coordinating Councils further compounds the collaboration challenges between the government and critical infrastructure entities. |
| 2025-04-08 00:11:49 | theregister | CYBERCRIME | Oracle Admits Cloud Compromise After Initial Denial | Oracle has confirmed a breach in its public cloud and informed certain customers about the data theft, despite earlier denials. The cyberattack was first exposed by a hacker using the alias "rose87168," who claimed to have accessed and sold six million records from Oracle's cloud servers. Experts verified the authenticity of the stolen data, which included private security keys and encrypted credentials, attributing the breach to an unpatched Oracle server vulnerability (CVE-2021-35587). Oracle enlisted cybersecurity firm CrowdStrike to address the aftermath of the breach, though CrowdStrike has not publicly commented on the matter. The FBI is investigating the incident, and the stolen data includes credentials ranging from outdated to as recent as 2024. Oracle is involved in a lawsuit in Texas related to the breach, which remains separate from an additional, undisclosed issue affecting Oracle Health. With potential violations of GDPR and HIPAA looming, Oracle could face significant fines and further legal challenges if it fails to meet regulatory compliance requirements for data breach notification. |
| 2025-04-07 21:41:05 | bleepingcomputer | CYBERCRIME | Notorious Hacker Swings Between Cybercrime and Security Research | EncryptHub, linked to breaches at 618 organizations, also reported critical Windows vulnerabilities. Microsoft addressed the vulnerabilities reported by EncryptHub during March 2025, improving system security. Outpost24's research connected EncryptHub to cyber-security researcher SkorikARI after a self-infection exposed EncryptHub's credentials. Evidence linking EncryptHub to SkorikARI includes password files and activity on GitHub and freelance sites. EncryptHub engaged in conversations with ChatGPT, debating ethical classifications and planning future hacks. Despite his skills, EncryptHub's operational security flaws led to the exposure of his personal details and activities. EncryptHub's multiple roles include cybercriminal activities, freelance development, and reporting security bugs to major corporations. The threat actor's use of ChatGPT highlights a deep personal and moral conflict regarding his identity in the cyber realm. |
| 2025-04-07 20:19:34 | theregister | CYBERCRIME | Massive GitHub Supply Chain Attack Traced to Stolen Token | A GitHub supply chain attack originating from a stolen SpotBugs token compromised thousands of repositories. Attackers exploited GitHub Actions workflows, beginning with SpotBugs and moving to reviewdog, to leak secrets in build logs. The initial compromise involved a Personal Access Token (PAT) at SpotBugs, exposed in November 2024, allowing attackers to infiltrate the reviewdog project subsequently. Over 23,000 GitHub repositories using tj-actions/changed-files unknowingly leaked sensitive data like API keys and passwords. Key findings revealed that the attack was more extensive and earlier than initially believed, dating back to a PAT exposure in November. The attack chain culminated in March when stolen credentials were used to poison dependencies and leak secrets from multiple projects. Despite significant findings, the motive and full extent of the attack remain unclear, with ongoing investigations by Unit 42. Researchers underscore the stealth and complexity of the attackers' operations, including their ability to erase traces of malicious activity. |
| 2025-04-07 19:00:38 | bleepingcomputer | CYBERCRIME | Six Arrested in $20 Million AI-Enhanced Cryptocurrency Scam | Spanish police apprehended six individuals linked to a major cryptocurrency investment scam leveraging AI-created deepfake advertisements. The scam duped 208 victims worldwide, accumulating approximately 19 million Euros ($20.9 million). Operation "COINBLACK – WENDMINE" was launched following a victim's complaint two years ago, resulting in the seizure of cash, electronics, firearms, and documents. The fraudsters utilized AI to generate fake endorsements from high-profile figures, boosting the perceived legitimacy and security of the investments. The scam operated in phases, initiating with romance or financial advisory approaches, leading to large fake returns on investments, followed by demands for more money to unlock supposedly blocked funds. In a final deceitful twist, victims were contacted by individuals posing as law enforcement or legal officials, claiming they could recover the funds for a fee. Authorities caution the public against investment platforms that promise guaranteed returns and stress the importance of verifying all investment opportunities. |
| 2025-04-07 18:32:52 | bleepingcomputer | CYBERCRIME | Everest Ransomware Website Hacked and Taken Offline | The dark web leak site of the Everest ransomware gang was defaced and is now offline after an apparent hack over the weekend. An unknown attacker left a sarcastic message on the site: "Don't do crime CRIME IS BAD xoxo from Prague." Post-defacement, the Everest site has been completely taken down, currently showing an "Onion site not found" error. Security experts suggest a potential WordPress vulnerability might have been exploited for the defacement. Everest has evolved its operations from solely data theft to include ransomware attacks and selling access to compromised networks. Since its inception in 2020, Everest has posted over 230 victims on its leak site and facilitated double-extortion ransomware attacks. Among the recent victims, California-based cannabis brand STIIIZY was compromised in November 2024, resulting from an attack on its POS vendor. Everest is reportedly intensifying its focus on targeting healthcare organizations across the U.S. as indicated by the U.S. Department of Health and Human Services in August 2024. |
| 2025-04-07 18:16:46 | theregister | CYBERCRIME | SIM-Swapper Ordered to Pay $13.2M and Faces Prison Time | Noah Michael Urban, part of the Scattered Spider group, pled guilty to wire fraud and identity theft charges. Urban faces a possible decades-long prison term and a minimum $1 million fine; sentences from two separate indictments will be determined in Florida. He's ordered to pay over $13.2 million in restitution to 59 victims, comprising both individuals and organizations. Urban's crimes occurred between August 2022 and March 2023, involving SIM swapping to hijack victim accounts. Following his arrest in January 2024, authorities seized over $3 million in cryptocurrencies, cash, jewelry, and watches from him. His conviction includes evidence of poor operational security, such as storing victims' passwords on his computer and failing to delete browser history. Urban used aliases like "Sosa" and "King Bob" during his criminal activities, primarily targeting email and crypto wallets through SIM swapping. |