Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12759
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-30 18:35:32 | theregister | NATION STATE ACTIVITY | DoD IT Specialist Arrested for Leaking Secrets to Undercover FBI | Nathan Vilas Laatsch, a 28-year-old IT specialist at the Defense Intelligence Agency, was apprehended for attempting to pass classified documents to what he believed was a foreign government. Laatsch, disillusioned with the current U.S. administration's values, claimed he wanted to act in support of traditional U.S. ideals by sharing top secret information. After initially contacting a foreign entity in March, Laatsch was unaware that his communications had been intercepted by the FBI, which then posed as representatives of the foreign government. Over several days, Laatsch transcribed sensitive information onto a USB drive at his workplace, intending to leave it in a public park for retrieval by the supposed foreign agents. During the orchestrated drop on May 1, FBI agents recovered the USB drive and found it contained files classified up to the top secret level. Following a second attempted information drop, in which Laatsch transmitted notes he had concealed within his clothing, he was arrested by the FBI on May 29. Facing serious charges, Laatsch had expressed a preference for foreign citizenship as compensation for his actions but stated that financial compensation was not his primary motive. FBI director Kash Patel highlighted the case as a stark reminder of the ongoing threat that insider risk poses to national security. | Details |
| 2025-05-30 17:39:07 | theregister | CYBERCRIME | Fred Hutchinson Cancer Center Settles for $52.5M After Cyber Extortion | The Fred Hutchinson Cancer Center in Seattle agreed to a $52.5 million settlement following a cyberattack in November 2023. Personal and sensitive data of cancer patients was stolen, including health diagnoses, treatments, and insurance information. Cybercriminals used the stolen data to threaten patients with swatting attacks unless they paid to prevent the sale of their data. The settlement includes cash compensation for affected parties, investment in security infrastructure, and funds for medical fraud monitoring. Around 140,000 people applied for settlement benefits by the specified deadline, with individual payments of up to $5,000 based on material losses. Despite the attackers' severe tactics, Fred Hutch did not pay any ransom and says no patient data has been sold since the attack. The attack was executed by exploiting the CitrixBleed vulnerability; the responsible group, Hunters International, claimed this attack among others. | Details |
| 2025-05-30 16:47:42 | bleepingcomputer | CYBERCRIME | International Police Shut Down Cybercriminal Antivirus Testing Site | An international law enforcement collaboration dismantled AVCheck, a prominent counter-antivirus service used by cybercriminals. AVCheck allowed attackers to check whether their malware would be detected by commercial antivirus programs before broader deployment. Authorities have also linked AVCheck to crypting services such as Cryptor.biz and Crypt.guru, which obfuscate malware to evade detection. The seizure of AVCheck and the related crypting services is a strategic move to disrupt cybercriminal activity at an early stage, aiming to reduce potential victimization. The operation involved undercover agents making purchases from AVCheck to establish its role in facilitating cybercrime, including connections to known ransomware attacks on American targets. This bust was part of Operation Endgame, which also saw the seizure of 300 servers and 650 domains used in various ransomware operations. The takedown underscores the intricate ecosystems supporting malware operations and the importance of international cooperation in tackling advanced cyber threats. | Details |
| 2025-05-30 16:39:21 | theregister | MISCELLANEOUS | Meta Partners with Anduril, Ventures into Defense Contracting | Meta, formerly known as Facebook, has formed a partnership with defense firm Anduril Industries to develop extended reality (XR) products. The collaboration follows Meta's investments totaling $80 billion in virtual, augmented, and mixed reality technologies since it acquired Oculus in 2014. Meta's Reality Labs division has reported significant financial losses, approximately $4.2 billion in Q1 2025 alone, and consistent losses in preceding quarters. This strategic move into defense aims to produce augmented and virtual reality tools that enhance battlefield intelligence and decision-making for the U.S. military. The partnership leverages Anduril's Lattice platform, which integrates AI to provide real-time data and insights to soldiers through AR/VR interfaces. The venture is seen as an opportunity to rejuvenate Meta's struggling hardware initiatives and potentially yield returns on its hefty VR investments amid a challenging consumer tech market. Both companies emphasize the dual-use nature of the technology, aiming to support national security and redefine the capabilities of American servicemembers. | Details |
| 2025-05-30 16:00:47 | bleepingcomputer | CYBERCRIME | Germany Identifies Leader of Infamous TrickBot and Conti Groups | Germany's Federal Criminal Police Office (BKA) has identified 36-year-old Russian Vitaly Nikolaevich Kovalev as the leader of the cybercrime gangs TrickBot and Conti. Kovalev, also known as "Stern," is believed to have founded the TrickBot group and was previously charged in a U.S. operation along with six other Russians. The gangs' operations used malware such as TrickBot, Ryuk, and Conti, affecting hundreds of thousands of systems globally, including hospitals and public facilities. Germany has issued an Interpol red notice for Kovalev and suspects he currently resides in Russia. In February 2023, Kovalev's role was detailed further following the TrickLeaks and ContiLeaks leaks, which exposed internal communications and the identities of gang members. Following the exposure, the Conti gang was reportedly disbanded, with members migrating to other cybercrime groups. German authorities describe the TrickBot group as highly organized, project-oriented, and consisting of over 100 members at its peak. | Details |
| 2025-05-30 14:17:17 | thehackernews | MALWARE | EDDIESTEALER Malware Exploits CAPTCHA to Steal Sensitive Data | EDDIESTEALER is a novel Rust-based malware distributed through deceptive CAPTCHA verification pages that trick users into downloading it via a PowerShell script. Attackers compromise legitimate websites and insert malicious JavaScript that presents bogus CAPTCHA verifications, leading victims to initiate the download process themselves. The malware targets a range of data, including credentials, cryptocurrency wallets, and browser information, from various applications, including FTP clients and messaging apps. EDDIESTEALER is designed to bypass specific browser security features, allows configuration changes by the command-and-control operator, and uses encrypted communications to exfiltrate data. Elastic Security Labs highlights the increasing use of Rust in malware development for its ability to improve stealth and resilience against detection. The article also discusses other related malware campaigns targeting multiple platforms, indicating a broader trend of sophisticated cyberattacks involving data theft. Security disclosures reveal various tactics, such as browser redirections and device-specific exploits, used to spread different types of info-stealing malware across operating systems. | Details |
| 2025-05-30 14:00:07 | bleepingcomputer | MISCELLANEOUS | Comprehensive Insights on Improving Exposure Management Tactics | A global survey of 500 CISOs by Pentera reveals maturing yet incomplete exposure management practices in cybersecurity. Modern attack surfaces have expanded dramatically with cloud-native architectures, API integrations, and IoT devices, increasing complexity and vulnerability. Nearly half of the CISOs report a growing number of security tools, highlighting that increased complexity often aids attackers. The 2025 State of Pentesting report identifies the key at-risk areas: cloud infrastructure, APIs, endpoints, and IoT systems are critical focal points for pentesting. The data suggests that web-facing assets remain highly vulnerable: despite being the most tested components, they are also the most frequently breached. Internal networks, endpoints, and applications show comparatively lower breach rates, indicating more successful management and focused security efforts. The report highlights a concerning gap in API security, showing a discrepancy between perceived security and actual breach incidents. The overarching theme of the report is the evolution toward strategic, impact-focused exposure management over traditional vulnerability management. | Details |
| 2025-05-30 11:17:12 | thehackernews | NATION STATE ACTIVITY | China-Linked Hackers Target Asia and Brazil, Exploit SAP and SQL Server Flaws | A group of China-linked hackers known as Earth Lamia has been actively exploiting vulnerabilities in SAP NetWeaver and Microsoft SQL Server across Asia and Brazil. The collective leverages SQL injection vulnerabilities and known security flaws to breach systems, primarily in India, Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. The intrusions include the deployment of tools such as Cobalt Strike, Supershell, and proxy tunnels using Rakshasa and Stowaway, as well as the privilege escalation tools GodPotato and JuicyPotato. Attack techniques also involve network scanning utilities and manipulation of Windows event logs to cover tracks. Some unsuccessful attempts were made to deploy the Mimic ransomware in Indian networks, followed by efforts to delete the ransomware binaries after deployment. Recently disclosed vulnerabilities include CVE-2025-31324, a critical flaw in SAP NetWeaver, which was used to establish remote control over affected systems. The group's target industries have evolved from financial services to logistics and online retail, and most recently to IT companies, universities, and government organizations. Earth Lamia is noted for its continuing development of backdoors and hacking tools, including an updated version of the PULSEPACK backdoor that now uses WebSocket for C2 communications. | Details |
| 2025-05-30 10:36:17 | thehackernews | MISCELLANEOUS | Healthcare CISO Shifts IT Focus From Gatekeeping to Enabling | MultiCare's CISO, Jason Elrod, has reshaped the IT security approach within the healthcare sphere, focusing on enabling modern care rather than merely gatekeeping. Legacy IT systems and stringent protection measures hindered innovation and care delivery, demanding a shift to more responsive and enabling IT practices. Identity-based microsegmentation was implemented through Elisity, changing the security dynamic by focusing on individual identity controls rather than traditional network segmentation. Technical teams initially greeted the new microsegmentation strategy with skepticism, but practical outcomes altered their viewpoint and demonstrated its effectiveness. This strategic shift bolstered collaboration between the IT and security teams, transforming internal dynamics and reducing operational friction while improving security measures. As part of broader sector movements, similar integration between security and IT is crucial for operational efficiency and competitive advantage, particularly in healthcare. The transition supports the ongoing digital transformation initiatives across the healthcare industry by allowing smoother, safer patient care and advanced compliance management. | Details |
| 2025-05-30 10:28:25 | theregister | CYBERCRIME | Fake AI Software Installers Used to Spread Ransomware | Cybercriminals are using fake AI software installers to distribute ransomware and other harmful malware via seemingly legitimate websites. Cisco Talos has identified threats involving poisoned installers that mimic real AI vendor sites with slightly altered domain names. The illegitimate software includes malware such as CyberLock ransomware, RATs, stealers, and a newly discovered malware called "Numero." A Vietnam-based threat group was reported by Mandiant to use social media ads leading to malicious websites that steal credentials and digital wallets. The "NovaLeads AI" executable, a fake AI tool, contains PowerShell-based CyberLock ransomware, which encrypts sensitive files and demands $50,000 in Monero. Another malware variant, Lucky_Gh0$t, is disguised as a ChatGPT installer, evades antivirus detection, and encrypts data using AES-256 and RSA-2048. The "Numero" malware, linked to a fake AI video creation tool installer, runs a script that repeatedly corrupts the Windows OS, rendering it unusable. Researchers emphasize caution when downloading AI tools and advise verifying the source to avoid these malware threats. | Details |
| 2025-05-30 09:39:05 | theregister | DATA BREACH | UK Police Force Rebuked for Mishandling Sensitive CCTV Data | The Information Commissioner's Office (ICO) reprimanded Greater Manchester Police (GMP) for losing critical CCTV footage. The case concerned an individual held in custody for 48 hours in February 2021, during which the CCTV system recorded sensitive personal data. GMP was asked to retain this footage beyond the standard 90-day period but later discovered a two-hour gap in the recording. GMP reported the lost footage to the ICO, acknowledging a breach of data protection regulations. The ICO's investigation concluded that GMP failed to provide the required personal data without undue delay and lacked adequate technical measures to protect the data. In response to the breach, GMP has invested in better surveillance and security systems and has revised its internal oversight and governance procedures. The incident highlights significant concerns about data protection practices as UK police forces increasingly adopt advanced surveillance technologies such as facial recognition. | Details |
| 2025-05-30 08:39:08 | theregister | NATION STATE ACTIVITY | UK Launches £1 Billion Cyber and Electromagnetic Defense Command | The UK government has announced a £1 billion investment in a new Cyber and Electromagnetic Command to bolster national defense capabilities. The initiative is a response to the evolving nature of warfare, highlighted by the ongoing conflict in Ukraine and the surge in daily cyber-attacks. The new Command will enhance the protection of military networks and adopt a more offensive role in cyberspace in collaboration with the National Cyber Force. Key operations include breaking into adversary systems, jamming enemy equipment, and enhancing intelligence through signal decoding. The Ministry of Defence also plans to develop a Digital Targeting Web to link and coordinate attacks using British military assets, improving response times and operational efficiency. Recruitment focuses on high-skill individuals and offers competitive salaries, with positions based at MoD Corsham and with the National Cyber Force in Lancashire. Defence Secretary John Healey emphasizes that modern conflicts require rapid, innovative, and well-connected forces to ensure victory against adversaries. The strategy includes using artificial intelligence to support operations, although the main focus remains on human expertise and capabilities. | Details |
| 2025-05-30 08:09:34 | theregister | MISCELLANEOUS | Infosecurity Europe 2025: Expanding Cybersecurity Horizons | Infosecurity Europe marks its 30th anniversary with an expanded program from 3-5 June at ExCeL London, aiming to address the escalation in global cyber threats through strategic insights and practical training. The event features nine content theatres, over 200 session hours, and approximately 250 speakers to tackle pressing cybersecurity challenges and emerging threats, attracting over 13,000 professionals. Highlights include keynotes from Professor Brian Cox on the intersection of science and trust, and former MP Rory Stewart on geopolitics and national security, alongside a strong focus on women in cybersecurity. New additions to the 2025 event include SANS Masterclasses offering hands-on training in critical areas like Cloud Security, and a dedicated AI & cloud security stage providing guidance on emerging technical vulnerabilities. Prominent sessions from government and industry leaders, such as from the UK's Department for Science, Innovation and Technology and analysts from Forrester, address future cybersecurity policies and investment priorities. The event emphasizes community and networking with events such as the Cyber House Party and a celebratory 30th anniversary bash, underscoring the importance of collaborative approaches to cybersecurity. Induction of Ciaran Martin into the Infosecurity Europe Hall of Fame and opportunities to interact with other cybersecurity veterans are also featured, enriching the learning and networking experience. | Details |
| 2025-05-30 07:53:39 | thehackernews | CYBERCRIME | U.S. Treasury Sanctions Firm For $200M Crypto Romance Scams | The U.S. Department of the Treasury's OFAC has sanctioned Philippines-based Funnull Technology Inc. and its administrator for running romance baiting scams connected to cryptocurrency fraud. Funnull facilitated schemes causing over $200 million in reported losses to U.S. victims, with an average loss of $150,000 per individual. The Treasury accused the company of acquiring bulk IP addresses from major cloud services to host scam sites and of using domain generation algorithms to evade detection. Funnull was implicated in a major supply chain attack on the Polyfill[.]io JavaScript library, which first raised suspicions in June 2024. Silent Push, a cybersecurity firm, linked Funnull's infrastructure in 2025 to several cybercriminal activities, including investment scams and suspicious online gambling operations. The U.S. FBI observed significant patterns in IP address activity linked to Funnull, indicating systematic migration of domains across IP addresses. The sanctions include allegations that Funnull engaged in "infrastructure laundering" to help cybercriminals maintain operational continuity for illegal activities. | Details |
| 2025-05-30 06:15:15 | thehackernews | NATION STATE ACTIVITY | ConnectWise Suffers Suspected Nation-State Cyberattack; Investigation Ongoing | ConnectWise, the company behind the remote access software ScreenConnect, reported a cyberattack attributed to a potential nation-state actor. The security breach, confirmed on May 28, 2025, affected a limited number of ScreenConnect customers. Following the incident, ConnectWise engaged Google Mandiant for an extensive forensic analysis. Details such as the exact number of impacted customers and the identity of the threat actor remain undisclosed. A prior vulnerability, CVE-2025-3935, was patched in late April and might be connected to the recent cyberattack. ConnectWise has implemented advanced monitoring and security enhancements to prevent future incidents. No further suspicious activity has been observed since the attack, indicating that current containment measures are effective. Similar vulnerabilities in the past were also exploited by cybercriminals and by nation-state actors from China, North Korea, and Russia. | Details |