Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 11827

Checks for new stories every ~15 minutes

2025-04-04 09:27:29 thehackernews MALWARE OPSEC Failure Reveals Young Hacker's Malware Distribution Network
DomainTools uncovered a cybercrime operation using Russian bulletproof hosting by Proton66, exposing malicious payloads via a fake antivirus site. The operation, linked to an emerging threat actor dubbed Coquettte, was found due to an operational security failure that left crucial infrastructure data exposed. Proton66, also connected to another service named PROSPERO, has been involved in distributing various malware like GootLoader and SpyNote through phishing tactics. The fake antivirus service distributed malware within a ZIP file containing a Windows installer that downloaded additional payloads from a C2 server. Analysis revealed Coquettte’s identity as a 19-year-old self-described software engineer, controlling both the distribution website and the C2 server. The threat actor is also involved in creating online resources for manufacturing illegal substances and weapons, suggesting broader criminal activities. Coquettte is likely associated with a larger hacking group called Horrid, which supports amateur cybercriminals entering underground networks.
2025-04-04 08:38:06 theregister CYBERCRIME UK Law Enforcement Struggles with Rising AI-Enabled Crimes
The Alan Turing Institute warns that UK law enforcement is currently ill-prepared to combat AI-enabled criminal activities. A new report from the Institute's Centre for Emerging Technology and Security advises the National Crime Agency (NCA) to establish a task force focused on AI-driven crime within five years. The NCA acknowledges the increasing use of AI in serious crimes such as cybercrime, fraud, and child sexual abuse, and is considering the Institute's recommendations. AI is making cybercrime more sophisticated, allowing criminals to create convincing scams and fraudulent communications that are hard to distinguish from genuine interactions. UK law enforcement is advised to adopt AI technology more effectively in its own operations to counter the sophisticated use of AI by criminals. The report suggests that future AI developments will likely enhance criminals' capabilities, making the integration of AI into law enforcement tools even more urgent. Academics express significant concern over the gap between the technology available to law enforcement and the evolving nature of AI-enabled threats.
2025-04-04 06:37:17 theregister NATION STATE ACTIVITY Ex-Employee Charged with Stealing Dutch Semiconductor Secrets
A Russian national and former employee of ASML and NXP is accused of engaging in industrial espionage, sharing secrets with Russian operatives. Dutch intelligence services allege he made multiple trips to Russia, passing sensitive information about semiconductor technology during meetings with intelligence figures. The accused reportedly used Google Drive to upload and share proprietary information with his contacts in Russia. During his trial in Rotterdam, it was revealed that he stored data on USB drives which he transported to Russia. The defendant claimed the documents in his possession were outdated and not useful for semiconductor production. He has admitted to having proprietary documents, stating they were for personal education, not espionage. His employment history includes working for ASML after its acquisition of Mapper, a startup that failed in 2020, and later for NXP and Delft University. Dutch police arrested him in August 2024 following a tip from intelligence services, discovering confidential documents related to ASML and TSMC on his devices.
2025-04-04 06:15:29 thehackernews MALWARE Critical Ivanti Flaw Exploited to Deploy TRAILBLAZE, BRUSHFIRE Malware
Ivanti disclosed a severe, now-patched vulnerability (CVE-2025-22457) in its Connect Secure products that is being actively exploited by attackers. The vulnerability is a stack-based buffer overflow that allows remote, unauthenticated attackers to execute arbitrary code. Attackers have used the flaw to deploy TRAILBLAZE, a dropper, and BRUSHFIRE, a memory-resident backdoor, aiming for persistent access. Mandiant attributed the exploitation to the China-nexus group UNC5221, potentially associated with established threat groups like APT27. The attackers focused on various Ivanti products, with some evidence of exploitation on unsupported Pulse Connect Secure appliances. Users are advised to check their appliances for signs of compromise with Ivanti's Integrity Checker Tool (ICT) and to reset affected appliances before moving to a patched version. UNC5221 has also used obfuscation networks built from compromised devices of other manufacturers to conceal its activities. This is part of a trend of increasingly aggressive cyber espionage by China-nexus groups targeting vulnerabilities in edge devices worldwide.
2025-04-04 05:50:32 theregister DATA BREACH Retirement Funds Compromised in Australian Cyberattacks
Unauthorized access to Australian superannuation funds led to theft from member accounts. Hackers breached secure information at multiple funds, in a sector with intense competition among more than 100 super funds. ASFA reported attempts to gain unapproved access to several funds' portals; most attacks were thwarted. The "Rest" fund acknowledged unauthorized activity and contacted affected members; approximately 8,000 members had personal details exposed. Some reports indicate actual monetary theft from member accounts during night hours to avoid detection. Call centre and website traffic increased following the breaches, and some funds' websites became unresponsive. The breaches are part of a troubling trend seen previously in the Australian superannuation industry. The situation is ongoing, with updates pending as funds continue to assess and mitigate the damage.
2025-04-04 04:58:46 thehackernews NATION STATE ACTIVITY Ukraine Faces WRECKSTEEL Malware in Recent Cyberattacks
CERT-UA reported multiple cyberattacks against Ukrainian state and critical infrastructure using WRECKSTEEL malware. Attackers used phishing emails carrying PDFs with embedded links to compromised services like DropMeFiles and Google Drive. The malware campaign involved a VBS loader and a PowerShell script designed to steal files and capture screenshots. The attacks, ongoing since fall 2024, are linked to the threat cluster UAC-0219, with no specific country currently attributed. Historically, the malware used combinations of EXE files, VBS stealers, and the IrfanView image editor. Concurrently, Russian entities face threats from the malware PhantomPyramid and attacks by a group named Unicorn. SEQRITE Labs notes similar phishing and malware tactics targeting Russia's academic, governmental, and defense sectors since December 2024. The campaigns feature social engineering with malware-laced documents disguised as research invitations and government communications.
2025-04-04 03:43:23 thehackernews MALWARE Critical Remote Code Execution Vulnerability in Apache Parquet
A severe vulnerability has been disclosed in the Apache Parquet Java Library, identified as CVE-2025-30065, with a CVSS score of 10.0. This flaw enables remote attackers to execute arbitrary code on systems that are running vulnerable versions of Apache Parquet. Attackers can exploit this vulnerability by deceiving a system into processing a maliciously crafted Parquet file. The vulnerability affects all versions of Apache Parquet up to 1.15.0, with a patch provided in version 1.15.1. Although there’s no current evidence of exploitation in the wild, similar Apache project vulnerabilities have previously attracted rapid exploitation by threat actors. The flaw was discovered and reported by Keyi Li from Amazon, highlighting the importance of industry collaboration in cybersecurity. Potential impacts include compromised data pipelines and analytics systems, especially those incorporating files from untrusted sources.
2025-04-04 00:45:11 theregister NATION STATE ACTIVITY Pentagon Chief Investigated for Using Signal App in Sensitive Discussions
The Department of Defense's Inspector General is investigating Secretary of Defense Pete Hegseth due to his use of the encrypted messaging app Signal for government business. The investigation was triggered by Senators Roger Wicker and Jack Reed, concerned about potential breaches of Pentagon security guidelines and improper handling of classified information. Secret discussions about a military action in Yemen, including targets and timing, were exposed when a journalist was mistakenly added to a Signal group chat involving high-level U.S. officials. Members of the chat, including U.S. VP JD Vance and Secretary of State Marco Rubio, claimed no rules were violated, and the shared military plans were unclassified. It has been revealed that National Security Advisor Michael Waltz frequently uses his personal Gmail for government business and has created multiple private Signal groups for sensitive government communications. The Inspector General will review compliance with DoD policies for using commercial messaging apps for official business, along with classification and records retention requirements. The investigation will take place in Washington DC and at the US Central Command in Florida, with Secretary Hegseth required to designate two points of contact for the Inspector General.
2025-04-03 23:00:33 theregister CYBERCRIME CISA Warns Against Persistent Fast Flux DNS Cyber Threats
CISA, alongside international cybersecurity agencies, has issued a warning about the dangers of fast flux techniques used by cyber actors to obscure malicious server locations. Fast flux attacks involve quick changes in DNS records to evade detection and facilitate command and control operations for malware dissemination and data theft. The technique is a significant national security threat, used both by cybercriminals and nation-state actors to maintain resilient and elusive cyberinfrastructures. Recommendations for combating this method include employing threat intelligence feeds, DNS resolvers, SIEM services, and anomaly detection systems. Organizations are advised to pay attention to DNS TTL values and inconsistencies in DNS resolution geolocation to identify potential fast flux activities. The advisory highlights the rampant use of fast flux by notable malware campaigns such as Hive, Nefilim ransomware, and Gamaredon Group. CISA also promotes the use of Protective DNS (PDNS) services to help mitigate the challenges posed by fast flux tactics in network security.
2025-04-03 21:31:10 bleepingcomputer MALWARE Critical RCE Vulnerability Found in Apache Parquet Library
A maximum severity remote code execution (RCE) flaw, CVE-2025-30065, was found in Apache Parquet, affecting versions up to 1.15.0. The vulnerability allows attackers to execute arbitrary code via specially crafted Parquet files, potentially leading to data theft, service disruption, or ransomware deployment. Apache issued a fix in version 1.15.1 and recommends an immediate upgrade because of the flaw's potential impact on big data platforms used by firms like Netflix and LinkedIn. The issue originates from unsafe deserialization in the parquet-avro module and has been exploitable since version 1.8.0. Despite its CVSS v4 rating of 10.0, exploitation requires that targets import malicious Parquet files, limiting the risk to environments that process unvetted external data. Endor Labs issued warnings and recommended vigilance with externally sourced data, urging validation of Parquet files before processing. Immediate mitigation steps include upgrading to version 1.15.1, avoiding untrusted files, and increasing system monitoring and logging.
2025-04-03 21:08:30 bleepingcomputer CYBERCRIME Hunters International Shifts From Ransomware to Data Extortion
Hunters International is transitioning from its Ransomware-as-a-Service model to focus solely on data theft and extortion. Despite announcing a shutdown in November 2024, the group resumed activities under a new name, "World Leaks," starting January 1, 2025. World Leaks will use a new, custom-built tool for data exfiltration, diverging from its previous approach that included data encryption and extortion. This move reflects a strategy shift due to decreasing profitability and increased risk in ransomware operations amid heightened government scrutiny. The group has been highly active since its emergence, claiming over 280 attacks against diverse organizations globally. Notable victims include major entities such as Tata Technologies, U.S. Marshals Service, and Integris Health. Group-IB highlights that the new operation will not encrypt data but will threaten to leak stolen information unless a ransom is paid.
2025-04-03 19:40:29 bleepingcomputer CYBERCRIME Fast Flux DNS Techniques Employed by Cybercriminals and State Actors
CISA, together with the FBI, NSA, and global cybersecurity agencies, warns against the use of the Fast Flux technique by cyber actors. Fast Flux is a DNS evasion method that complicates tracking and blocking of malicious activity by quickly changing DNS records. The technique comes in two forms: Single Flux, which rapidly rotates the IP addresses a domain resolves to, and Double Flux, which rotates both the IP addresses and the DNS name servers. Entities such as the Gamaredon group, Hive ransomware, and Nefilim ransomware use Fast Flux to evade law enforcement. CISA has published detection methods and recommended mitigations such as DNS/IP blocklists, firewall rules, and traffic sinkholing. The agency also suggests improving defenses through enhanced reputational scoring, centralized logging, real-time alerting, and participation in information-sharing networks.
2025-04-03 19:22:26 theregister NATION STATE ACTIVITY Chinese Spies Exploit Ivanti VPN Bug for Third Time in Years
Suspected Chinese government operatives have been exploiting a critical vulnerability, CVE-2025-22457, in Ivanti VPN systems since mid-March. This marks the third exploitation of Ivanti products by the same actors in three years. Ivanti has released a patch for the stack-based buffer overflow, which allows unauthenticated remote code execution. Attackers deployed two new malware strains, Trailblaze and Brushfire, as well as versions of the Spawn malware on compromised devices. The U.S. government previously warned about Spawn being used in operations targeting earlier Ivanti vulnerabilities. Ivanti urges customers to update their systems or migrate from end-of-support products to secure platforms. Mandiant Consulting identified the threat group as UNC5221, noting its continued targeting of edge devices and development of custom malware. Ivanti's advisory describes the exploitation of vulnerable systems as limited but confirmed, indicating ongoing security risk.
2025-04-03 17:49:42 bleepingcomputer NATION STATE ACTIVITY Ivanti Connect Secure Patched After Chinese Espionage Exploit
Ivanti has patched a critical zero-day vulnerability, CVE-2025-22457, in Connect Secure that has been exploited by a Chinese-linked espionage group since mid-March 2025. The vulnerability, a stack-based buffer overflow, affected multiple Ivanti products including Pulse Connect Secure 9.1x, Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways. The flaw allowed remote attacks of high complexity without authentication or user interaction, and exploitation particularly targeted Ivanti Connect Secure 22.7R2.6. Although initially underestimated and classified as a non-critical product bug, further investigation revealed that it could be exploited for sophisticated remote attacks, prompting an urgent patch release and advisories. Ivanti and security researchers at Mandiant and Google Threat Intelligence Group identified active exploitation and the deployment of the TRAILBLAZE and BRUSHFIRE malware families, linked to the UNC5221 espionage actor. UNC5221 has been known to target Ivanti and other network edge devices with zero-day vulnerabilities since 2023. Ivanti has scheduled upcoming patches for the ZTA and Policy Secure gateways and in the meantime advises customers to monitor systems with its Integrity Checker Tool and to reset any compromised appliances. UNC5221's exploitation history includes significant breaches and malware deployments using Ivanti product vulnerabilities, underlining ongoing security challenges and the global implications of such espionage activity.
2025-04-03 17:40:54 thehackernews MALWARE Microsoft Alerts on Tax-Themed Email Malware Campaign Using PDFs, QR Codes
Microsoft warns of phishing campaigns that use tax-related themes to spread malware and steal credentials. Attackers employ redirection techniques, including URL shorteners and QR codes, and leverage legitimate services to evade detection. Various malware families, such as Remcos RAT and Latrodectus, are distributed through these scams. The RaccoonO365 phishing-as-a-service (PhaaS) platform is used to create deceptive phishing pages mimicking Microsoft 365 login sites. A campaign identified on February 6 targeted hundreds of U.S. users with emails carrying malicious PDF attachments. A second campaign observed between February 12 and 28 targeted over 2,300 U.S. organizations, especially in the engineering, IT, and consulting sectors. Other malware disseminated through the phishing emails includes AHKBot and GuLoader, each executing a different scheme to compromise systems. Microsoft emphasizes the need for phishing-resistant authentication and stronger network protections to mitigate the impact of these campaigns.