Daily Brief
Find articles below; each entry carries a generated summary
Total articles found: 11828
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-03-28 08:08:10 | thehackernews | MALWARE | PJobRAT Malware Targets Taiwan via Phony Chat Apps | PJobRAT, an Android malware, has recently targeted Taiwanese users through deceptive chat applications. Initially documented in 2021 for attacks against Indian military personnel, the malware can extract sensitive data such as SMS messages, contacts, and media files. Operated by the SideCopy group, linked to Transparent Tribe, the malware has been used in espionage efforts against government and military entities, frequently employing social engineering via fake romantic interests. Sophos revealed that the malware's recent campaign involved fake apps named SangaalLite and CChat, distributed through WordPress sites. The malicious apps were capable of extensive data harvesting and were controlled via command-and-control (C2) servers, which also distributed updates and commands to the malware. Despite the longevity of the campaign, the number of infections was relatively low, suggesting a highly targeted approach. The campaign ran from January 2023 until it paused around October 2024; it included new features enabling broader control over infected devices and the execution of shell commands. |
| 2025-03-28 06:36:34 | theregister | CYBERCRIME | Chrome and Firefox Patch Zero-Day Exploits Targeting Russians | Google issued an emergency Chrome patch for a zero-day vulnerability that compromised the browser's sandbox security, following a phishing attack targeting Russian journalists and officials. Kaspersky researchers uncovered the exploit after detecting a phishing campaign inviting victims to a fabricated event, leading directly to a sandbox security bypass in Chrome. Mozilla also detected a similar vulnerability within Firefox's inter-process communication code, though it appeared unexploited, prompting a swift security update. The critical vulnerabilities, identified as CVE-2025-2783 in Chrome and CVE-2025-2857 in Firefox, enabled attackers to execute code remotely and escape browser sandboxes on Windows. Additional reports indicated that malware mimicking reputable organizations like the CIA and Ukrainian helplines targeted anti-war Russians, possibly orchestrated by Russian intelligence or affiliated actors. Browsers using Google's Chromium engine, including Edge, Opera, and Brave, are expected to receive similar security patches to address the underlying vulnerability. The Tor browser, which is built on Mozilla's technology, issued an urgent Windows-only update in response to the discovered security risks. |
| 2025-03-28 06:08:51 | thehackernews | CYBERCRIME | Long-Standing npm Packages Compromised to Steal API Keys | Several old but commonly used npm cryptocurrency packages were hijacked to exfiltrate sensitive data like API keys and SSH keys from systems. The hijacked packages, which had been on the npmjs.com registry for over nine years, were recently found to contain obfuscated malicious scripts. These scripts are designed to execute automatically post-installation, harvesting environment variable data and sending it to a remote server. The attackers appear to have gained access possibly through compromised npm maintainer accounts or expired domains, rather than through direct attacks such as phishing. No alterations were found in the GitHub repositories linked to the affected packages, which suggests the malicious code was pushed directly to the npm registry. The exact motive behind stealing sensitive information remains unclear, although the data targeted suggests potential preparation for further attacks or fraud. The incident underscores the importance of two-factor authentication and enhanced monitoring to prevent similar cybersecurity threats within software supply chains. |
| 2025-03-28 05:48:36 | thehackernews | MALWARE | Mozilla Fixes Critical Firefox Bug After Similar Chrome Exploit | Mozilla has patched a critical security flaw in Firefox, identified as CVE-2025-2857, which could have allowed a sandbox escape. The vulnerability was similar to a recent zero-day flaw exploited in Google's Chrome browser, prompting a rapid response from Mozilla. Firefox updates fixing the bug have been issued in versions 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. The issue arose from an incorrectly handled process that returned a powerful handle, risking a breach of the browser's security confines. Unlike the Chrome flaw, there has been no evidence that CVE-2025-2857 has been actively exploited in the wild. Google had earlier addressed the Chrome zero-day, CVE-2025-2783, used in targeted attacks against various sectors in Russia. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Chrome flaw to its Known Exploited Vulnerabilities catalog. Both Mozilla and Google advise users to update their browsers to the latest versions to protect against these vulnerabilities. |
| 2025-03-28 01:22:41 | theregister | CYBERCRIME | Cybercriminals Extort Cable Firm WOW!, Threaten Massive Data Leak | A cybercrime group named Arkana claims to have stolen data from cable company WideOpenWest (WOW!), impacting 403,000 users. Stolen data includes usernames, passwords, partial credit card details, email addresses, login histories, modem types, and security questions and answers. Arkana has produced a music video boasting of the breach and threatening to sell or leak the data if WOW! does not pay a ransom by Friday. The cybercriminals position themselves as a security firm on their website, claiming to specialize in identifying critical vulnerabilities and offering "second chances" to companies to rectify security failures. Security firm Hudson Rock confirmed that the breach likely occurred through an info-stealer malware that infected a WOW! employee's computer. Hudson Rock further linked the breach to penetrations in WOW! backend systems such as Symphonica and Appian Cloud security tools. The incident highlights the increasing threat posed by info-stealers as a precursor to more extensive ransomware attacks. As of now, WideOpenWest has not issued any statement regarding the breach. |
| 2025-03-27 23:12:28 | bleepingcomputer | CYBERCRIME | Microsoft Stream Classic Domain Hijacked to Display Spam | Microsoft Stream's classic domain was hijacked to show a fake Amazon page promoting a Thai casino. The hijack affected all SharePoint sites still using video links from the deprecated microsoftstream.com domain. Microsoft had previously announced the phasing out of Microsoft Stream classic, with a complete migration to SharePoint by April 2024. Suspicious activity was first reported by users noticing spam instead of videos on SharePoint sites. The affected domain redirected users to a phishing site designed to mimic Amazon. Microsoft responded by shutting down the hijacked domain and blocking the spam pages on SharePoint. It remains unclear exactly how the domain was compromised, whether through DNS changes or other means. Microsoft has not disclosed specifics about the security breach, nor the exact measures taken post-incident. |
| 2025-03-27 22:15:13 | theregister | NATION STATE ACTIVITY | China's FamousSparrow Resurfaces, Compromises US Financial Trade Group | The China-aligned APT group FamousSparrow, after a period of inactivity, successfully breached a US financial-sector trade group and a Mexican research institute. ESET researchers uncovered the group's activities and new advancements in their SparrowDoor backdoor malware during an investigation initiated in July 2024. The group has also been linked loosely to the Chinese espionage group Salt Typhoon, though they have distinct operational methods according to the researchers. FamousSparrow deployed two newly developed versions of SparrowDoor with enhanced capabilities and architecture on compromised networks. This APT group exploited vulnerabilities in outdated Windows Server and Microsoft Exchange setups to inject malware and establish control over victims' networks. In addition to the new SparrowDoor variants, FamousSparrow employed ShadowPad, a sophisticated backdoor previously used exclusively by other China-aligned actors. The malware infiltration led to remote control, data theft, and deep network penetration, signaling a significant threat to affected organizations. |
| 2025-03-27 20:24:10 | bleepingcomputer | MALWARE | Malicious Code Discovered in 10 npm Packages, Steals Dev Data | Ten npm packages were compromised with malicious code aimed at stealing environment variables from developers' systems. The affected packages included several cryptocurrency-related ones and the popular 'country-currency-map'. Two obfuscated scripts, "/scripts/launch.js" and "/scripts/diagnostic-report.js", were added to the packages to execute upon installation. Stolen data, primarily environment variables containing sensitive information such as API keys and credentials, was transmitted to a remote server. The malicious updates are suspected to have resulted from npm maintainer accounts being compromised through credential stuffing or expired domain takeovers. Except for 'country-currency-map', the compromised packages are still available on npm, and their latest versions are infected with the info-stealer malware. The account-takeover hypothesis is supported by the fact that the corresponding GitHub repositories were not updated with the malicious code. Despite npm's mandatory two-factor authentication for popular projects, older packages maintained by less active developers were impacted by this malicious campaign. |
| 2025-03-27 18:42:49 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Upgrade Malware, Target Global Organizations | The Chinese cyberespionage group FamousSparrow deployed an advanced version of its SparrowDoor malware against a US trade organization. Security firm ESET revealed that the upgraded malware features parallel command execution, enhancing efficiency and effectiveness in operations. Recent targets include a Mexican research institute and a Honduran government institution, with initial infiltrations via compromised Microsoft Exchange and Windows Server systems. The new versions of the malware demonstrate significant improvements in code quality, encryption, and architecture, indicating a sophisticated development approach. The malware's recent iteration introduces a modular structure, allowing it to load new, memory-resident plugins from its command and control (C2) server at runtime. FamousSparrow is also utilizing ShadowPad, a high-tier remote access trojan linked to multiple Chinese advanced persistent threat (APT) groups, suggesting access to shared sophisticated cyberespionage tools. ESET categorizes FamousSparrow separately from similar groups because of its distinct operational techniques, despite some shared infrastructure that hints at a possible common third-party supplier. |
| 2025-03-27 17:08:51 | thehackernews | CYBERCRIME | New Phishing Kit Targets 114 Brands via DNS Email Exploits | A new phishing-as-a-service platform called Morphing Meerkat uses DNS MX records to mimic approximately 114 global brands. The phishing kit dynamically serves fake login pages based on the victim's email service provider to steal credentials. Phishing campaigns often exploit open redirects and compromised domains to distribute phishing links, which are shared through platforms like Telegram. Morphing Meerkat has been involved in sending thousands of spam emails, which leverage compromised websites and advertising platforms to avoid detection. The phishing pages can translate content into multiple languages, enabling attacks on a global scale, and include features that hinder analysis by disabling right-click and certain keyboard functions. Infoblox highlighted the natural feel of the fake pages, which closely replicate the design of the targeted service providers, increasing the chances of deceiving victims. The use of DNS MX records to identify and attack specific email platforms like Gmail, Microsoft Outlook, or Yahoo makes this technique particularly effective for targeted phishing attacks. |
| 2025-03-27 16:40:25 | theregister | CYBERCRIME | Security Outfit Cracks Ransomware Gang, Alerts Authorities | A cybersecurity firm, Resecurity, infiltrated the BlackLock ransomware gang's operations and passed crucial data to law enforcement agencies. By exploiting a misconfiguration and an LFI vulnerability on BlackLock's TOR-based leak site, Resecurity accessed server configurations and operator credentials. Resecurity's intervention enabled the closure of BlackLock's data leak site and helped preempt data leaks for several victims. The firm's proactive measures allowed it to alert victims in France and Canada of impending data leaks, helping them prepare in advance. Attribution of the BlackLock operations suggested ties to Russia and China, with operational behaviors indicating a no-target policy on BRICS and CIS countries. Overlapping victim lists suggested that BlackLock may be connected to, or a rebrand of, other ransomware entities like El Dorado and Mamona. Resecurity also suggested that BlackLock may be planning a silent exit, possibly in coordination with another ransomware brand, DragonForce. |
| 2025-03-27 16:32:24 | bleepingcomputer | MALWARE | Report Highlights Top WordPress Plugin Vulnerabilities of Q1 2025 | A new Patchstack report identifies the four most exploited WordPress plugin vulnerabilities in the first quarter of 2025. The targeted flaws, all classified as critical in severity, were initially discovered and patched in 2024, yet many sites remain unpatched. Hackers utilized these vulnerabilities to potentially execute arbitrary code or steal sensitive data from websites. Two of the vulnerabilities were reported as actively exploited for the first time in this quarter. Despite numerous exploitation attempts, not all lead to successful compromises, thanks to preventive measures like security blocks. The report stresses the importance for website administrators of updating all WordPress components and enforcing strong access controls, including multi-factor authentication. The wider WordPress community remains at risk, as not all sites use effective security measures such as Patchstack, increasing the likelihood of successful exploitation. |
| 2025-03-27 14:53:04 | bleepingcomputer | MALWARE | Critical Firefox Sandbox Escape Flaw Patched in Latest Update | Mozilla has issued an update for Firefox, version 136.0.4, to rectify a critical vulnerability that allowed attackers to bypass the browser's sandbox security on Windows platforms. The flaw, identified as CVE-2025-2857, was reported internally by Mozilla developer Andrew McCreight and affects both standard and extended support release (ESR) versions. This security issue bears similarities to a recent Chrome vulnerability (CVE-2025-2783) that was exploited in cyber-espionage operations targeting Russian government and media entities. Mozilla's quick response with a patch follows the discovery of a similar exploit pattern used against Google's Chrome, involving sophisticated malware deployment via deceptive emails. Alongside the primary sandbox escape vulnerability, Mozilla previously addressed another Firefox zero-day exploited by a Russian cybercrime group that paired it with a Windows privilege escalation flaw. CVE-2025-2857 specifically impacts Firefox on Windows, with no current threats identified to other operating systems. |
| 2025-03-27 14:11:37 | thehackernews | MALWARE | Ransomware Groups Use Shared EDR Killer Tool in Recent Attacks | A new analysis reveals that RansomHub affiliates are utilizing the same EDR killing tool, EDRKillShifter, as other ransomware groups including Medusa, BianLian, and Play. EDRKillShifter uses the BYOVD tactic with a legitimate yet vulnerable driver to disable security solutions before deploying ransomware. The use of EDRKillShifter by multiple ransomware operations suggests a rare trend of sharing specialized tools among different ransomware groups. This practice is particularly notable as Play and BianLian, both operating under a restricted RaaS model, are typically guarded about their affiliate networks and tools, indicating a high level of trust and collaboration. The research links these activities to a single threat actor known as QuadSwitcher, primarily associated with Play and its operational tactics. Recent trends in ransomware attacks include the increased use of BYOVD techniques to compromise security software, emphasizing the tactical shift towards pre-emptive security disruption. Recommendations for organizations include enhancing the detection of potentially unsafe applications to prevent the installation of vulnerable drivers, thereby mitigating the risk of such attacks. |
| 2025-03-27 13:43:51 | bleepingcomputer | MISCELLANEOUS | Vivaldi Browser Integrates Proton VPN to Enhance Privacy | Vivaldi has incorporated Proton VPN into its browser, enabling encrypted browsing and IP address obfuscation directly within the platform. This integration is designed to offer users enhanced protection against web tracking and 'Big Tech' surveillance without requiring additional downloads or plugins. Proton VPN was chosen for its status as a non-profit Swiss organization, noted for its independence and proven integrity. The collaboration aims to provide a European alternative to U.S. tech giants, emphasizing privacy and user control over personal data. Vivaldi users need to update their browser and create a Vivaldi account to activate the VPN function, accessible via a new toolbar button. The VPN service is free in its basic form, offering unlimited time and bandwidth but with limitations on speed and server access. Users seeking full functionality from Proton VPN, including higher speeds and expanded server options, have the option to subscribe to a paid plan. While the in-browser VPN protects user privacy during web sessions, it does not cover network traffic from other applications or background services not running through Vivaldi. |