Daily Brief


Total articles found: 12779

Checks for new stories every ~15 minutes

2025-05-13 11:03:34 thehackernews MALWARE North Korean Konni APT Executes Malware Campaign Against Ukraine
North Korean threat group Konni APT, also known as TA406, targets Ukrainian government entities to gather intelligence on Russia’s invasion tactics. The hacking group, operational since at least 2014, has historically focused on entities in South Korea, the U.S., and Russia. Konni APT employed phishing emails feigning affiliation with a non-existent think tank to distribute malware via a password-protected RAR file containing a deceptive CHM file. Interaction with the content triggers a PowerShell command to download further malware capable of system reconnaissance and data exfiltration. Additional attack methods noted by Proofpoint include HTML files sent as email attachments leading to the download of a ZIP archive with malware. Konni APT also engaged in credential harvesting using fake security alerts, preceding their malware deployment campaigns. The threat actor's broader strategy includes collecting strategic intelligence rather than tactical battlefield information, contrasting with other groups linked to Russia. The campaign highlights continued North Korean interest in sophisticated, politically driven cyber espionage tactics targeting not just Ukraine, but also regions pivotal to North Korean geopolitical interests, such as South Korea.
2025-05-13 11:03:34 thehackernews CYBERCRIME Combating AI-Powered Deepfake Risks in Business Communications
The cybersecurity landscape is changing due to generative AI, enabling attackers to execute large-scale social engineering by impersonating trusted figures. Deepfakes are rapidly evolving, making it difficult to rely on traditional detection methods such as user training or AI analysis for distinguishing genuine from fake interactions. Recent trends indicate that AI impersonation attacks have become a significant threat vector, necessitating a shift from detection to prevention. To establish a robust defense, establishing provable, real-time trust rather than relying on detection or assumption is critical. Prevention strategies advocate creating conditions that make impersonation fundamentally impossible, enhancing security in sensitive communications. Beyond Identity has introduced 'RealityCheck', a tool for Zoom and Microsoft Teams that uses cryptographic device authentication and continuous risk assessment to present verified identity badges for participants. Beyond Identity will be demonstrating the capabilities of RealityCheck in an upcoming webinar, focusing on eliminating deepfake threats in collaboration environments.
2025-05-13 10:46:43 theregister DATA BREACH Marks & Spencer Suffers Data Breach, Market Cap Takes Major Hit
Marks & Spencer confirmed the theft of customer data following a cyberattack, raising suspicions of a ransomware incident. The compromised data includes names, dates of birth, contact details, and online order histories, but not payment details or passwords. Since the breach on April 22, M&S has alerted customers, advising no immediate action but recommending password resets on next site visit. The breach led to operational disruptions, including shutdowns of online services and app orders, as well as in-store returns and widespread stock shortages. Share prices fell significantly, resulting in a loss of over £1 billion in market value. Cybersecurity experts warn that the stolen data might be used for phishing attacks or sold on the dark web, urging vigilance among customers. Competing British retailers, including Co-op and Harrods, have also faced similar cybersecurity issues around the same time.
2025-05-13 10:04:22 theregister NATION STATE ACTIVITY EU Launches Security Database Amid US CVE Program Uncertainty
The European Union fully launched the European Vulnerability Database (EUVD) as a proactive measure against security threats, amid uncertainty in US vulnerability tracking. The EUVD offers timely updates and transparency on exploited and critical vulnerabilities, presented through easily navigable dashboard views. This development is in response to the US's budget cuts and operational challenges within its own vulnerability tracking system, which faces potential funding expirations and confusion regarding program continuation. The EUVD is designed to provide a comprehensive source of mitigation measures for affected ICT products and aims to improve overall vulnerability management. Amid the changes, the US CISA has altered its public notification methods for exploited vulnerabilities, moving from website alerts to emails and RSS feeds. ENISA, as a CVE Numbering Authority, coordinates closely with MITRE to understand the impacts of funding changes on the US CVE program and ensure collaborative support. The EUVD system was developed under the EU's Network and Information Security 2 Directive, highlighting the bloc's prioritization of robust cybersecurity infrastructures.
2025-05-13 07:31:19 theregister NATION STATE ACTIVITY Turkish-Linked Group Infiltrates Kurdish Military Via App Flaw
Turkish espionage threat group, dubbed Marbled Dust, exploited a zero-day vulnerability in the messaging app Output Messenger to spy on the Kurdish military in Iraq. Microsoft's threat intelligence unit uncovered these attacks, which started in April 2024, utilizing CVE-2025-27920, a directory traversal flaw in Output Messenger. The attacks targeted governmental and military operations, aligning with Turkish interests against the formation of a Kurdish state. Srimax, the developer of Output Messenger, released a patch in December, but not all installations were updated in time to prevent exploitation. Marbled Dust, also known by names such as Sea Turtle and UNC1326, historically targeted entities through DNS hijacking and exploiting known vulnerabilities. This new campaign shows a heightened technical sophistication from the group, potentially indicating escalated operational objectives or urgency. Microsoft and Srimax strongly advise users to update their Output Messenger to the latest version to protect against similar security breaches.
2025-05-13 06:41:10 thehackernews CYBERCRIME Moldovan Arrest in €4.5M Dutch Research Agency Ransomware Case
Moldovan authorities arrested a 45-year-old suspect linked to ransomware attacks on Dutch companies, including a €4.5 million incident. The 2021 attack targeted the Netherlands Organization for Scientific Research (NWO), compromising internal documents. During the arrest, police seized €84,000 in cash, an electronic wallet, laptops, a mobile device, and multiple storage and memory cards. The attacks were attributed to the ransomware group DoppelPaymer, known for using similar tactics and ransom notes as BitPaymer. Germany and Ukraine recently targeted key members of DoppelPaymer, issuing arrest warrants for three individuals believed to be group masterminds. The suspect, whose identity is undisclosed, faced international warrants for cybercrimes, including blackmail and money laundering.
2025-05-13 05:13:18 thehackernews NATION STATE ACTIVITY Türkiye-backed Hackers Use Zero-Day to Target Kurdish Servers
A threat group, known as Marbled Dust and affiliated with Türkiye, exploited a zero-day vulnerability in Output Messenger to infiltrate Kurdish military servers in Iraq. The Microsoft Threat Intelligence team identified this cyber espionage campaign, indicating it began in April 2024. The vulnerability exploited was a directory traversal flaw in Output Messenger (CVE-2025-27920), allowing remote arbitrary file access or execution. Attackers initiated the campaign by gaining authenticated access, possibly through DNS hijacking or typosquatted domains, and later collected credentials to deploy Golang backdoors. Marbled Dust deployed malware named "OM.vbs" and "OMServerService.vbs/exe" that communicated with a command-and-control domain for data exfiltration. Microsoft observed specific techniques demonstrating increased technical sophistication of the threat group including the use of the aforementioned zero-day. The security flaw has been patched by Srimax in version 2.0.63 of Output Messenger as of late December 2024, but there was no prior acknowledgment of the flaw being exploited. Microsoft also detected an XSS vulnerability (CVE-2025-27921) in the same application version, though no exploitation evidence was found for this flaw.
2025-05-12 22:11:49 theregister MISCELLANEOUS Extended Security Updates for M365 Apps on Windows 10 Until 2028
Microsoft will continue providing security updates for Microsoft 365 (M365) apps on Windows 10 until October 10, 2028, despite Windows 10 support ending on October 14, 2023. Users can purchase an extended support package for Windows 10, but Microsoft emphasizes migration to Windows 11. If M365 app issues on Windows 10 do not occur on Windows 11, users will be encouraged to upgrade operating systems for better support. Future technical support for M365 apps on Windows 10 may be limited; troubleshooting assistance will be available, but there will be no option for logging bugs or requesting additional product updates. Resistance to Windows 11 is notable among users due to its demanding hardware requirements, causing challenges for consumers and corporate IT managers. Surface devices, including early models of Surface Book and versions 1-5 of Surface Pro, face compatibility issues with Windows 11. Despite Windows 11's release four years ago, Windows 10 retains a higher market share globally, with only a slight lead over Windows 11.
2025-05-12 21:31:58 bleepingcomputer MALWARE Critical ASUS DriverHub Flaw Enabled Remote Code Execution
ASUS DriverHub, a driver management utility, was found to contain a critical remote code execution vulnerability. Independent cybersecurity researcher Paul (aka "MrBruh") discovered the flaw, which involved poor command validation allowing malicious site interactions. The vulnerability was identified in the tool’s handling of Origin headers and in how it processed “UpdateApp” endpoint requests. Attackers could exploit these flaws to remotely execute malicious code by tricking users into visiting crafted websites. By spoofing headers, hostile sites could command DriverHub to download and silently run malware embedded within legitimate ASUS-signed files. ASUS addressed the security flaws following the researcher's report and issued an important software update to mitigate the risk. The update is crucial for users of ASUS motherboards where DriverHub is pre-installed; there was no indication of these vulnerabilities being exploited in the wild.
2025-05-12 19:10:47 theregister MISCELLANEOUS CISA Shifts Updates to Email and X, Restricts Website for Urgent Alerts
The US Cybersecurity and Infrastructure Security Agency (CISA) has modified its communication channels; routine cyber alerts will no longer appear on its website but will be distributed via email, RSS feeds, and X (formerly Twitter). CISA’s website will now focus strictly on emerging threats and significant cybersecurity activities to ensure these critical updates receive appropriate attention. The impetus for changing the distribution channels includes making urgent information more accessible and prioritizing it over routine updates. Staff reductions at CISA started in March, influenced by budget cuts proposed in President Trump’s 2026 budget, which suggests a 17% funding reduction for CISA. Former CISA chief Jen Easterly criticized these budget cuts, highlighting global cyber threats including those from the Chinese People's Liberation Army, and expressing concerns over diminishing the capability of America’s cyber defense. Other US government agencies are also centralizing their updates on X, with the National Transportation Safety Board and Social Security Administration moving their communications to the platform, indicating a broader shift in how government information is disseminated.
2025-05-12 18:49:19 theregister MISCELLANEOUS Enhancing IT Security Through Aggregate Asset Management
Aggregating IT asset inventory from multiple tools provides a more complete picture of an organization’s security posture, revealing critical gaps that isolated tool reports might miss. Typical organizations deploy numerous security tools that operate in silos, often resulting in fragmented and contradictory asset reports. Manual processes for correlating control inventory can be lengthy and error-prone, with discrepancies frequently appearing only when data is consolidated and analyzed. A unified view of IT assets helps expose blind spots and overlaps in control environments, improving operational efficiency and security coverage. Aggregating data helps ensure that critical security controls such as endpoint detection and response (EDR) and mobile device management (MDM) are consistently applied across all assets, revealing misconfigurations and unprotected devices. This comprehensive visibility enables teams to address vulnerabilities proactively, before they are exploited in a cyberattack. Accurate asset management supports better justification and optimization of investment in security tools, ensuring that all parts of the IT estate are adequately protected. Complete asset inventory aggregation is essential for facing the complexities of modern IT environments, enhancing tool integration, and closing security gaps.
2025-05-12 18:17:05 bleepingcomputer NATION STATE ACTIVITY New ClickFix Attacks Target Linux in Cross-Platform Campaign
A new campaign using ClickFix social engineering tactics is targeting Windows, macOS, and now Linux systems. ClickFix attacks trick users into executing harmful commands by mimicking errors or verification requests on websites. The recent attack impersonates India's Ministry of Defence and fingerprints visitors' operating systems, redirecting them to OS-specific attack flows. On Windows, the attack involves a malicious command copied to the clipboard leading to a decoy PDF display, whereas on Linux, it prompts execution of a non-malicious script, possibly to test the attack's effectiveness. The Linux script, identified as 'mapeal.sh', currently only fetches and displays a JPEG image, but could be modified for more malicious purposes. The attacks are attributed to Pakistan-linked APT36, also known as Transparent Tribe, signaling potentially higher geopolitical motives or targeted cyber-espionage. These incidents underline the importance of caution when copying commands from websites into system run dialogs to avoid potential malware infections and data breaches.
2025-05-12 17:40:58 bleepingcomputer NATION STATE ACTIVITY Türkiye-Backed Hackers Use Zero-Day Exploit in Cyber Espionage
A Türkiye-supported cyberespionage group utilized a zero-day flaw in Output Messenger to target users associated with the Kurdish military in Iraq. Microsoft Threat Intelligence identified the exploitation of a directory traversal vulnerability, CVE-2025-27920, which allowed attackers to access and manipulate sensitive data. The flaw was patched in December with the release of Output Messenger version 2.0.63. Post-exploitation, the group, known as Marbled Dust, could impersonate users, access communications, and disrupt operations by deploying a backdoor in the victims' systems. Microsoft's analysis suggests that Marbled Dust might use DNS hijacking or typo-squatted domains to intercept credentials. Marbled Dust's operations have primarily targeted Europe and the Middle East, focusing on telecommunications, IT sectors, and entities opposing the Turkish government. The recent attacks indicate an escalation in Marbled Dust's technical capabilities and operational urgency, reflecting a notable shift in tactics and intensification of their espionage activities. Historically, this group has been involved in espionage campaigns since 2021, specifically targeting telecommunications and internet service providers in the Netherlands.
2025-05-12 17:07:26 theregister CYBERCRIME Charter Airline GlobalX Targeted in Cybersecurity Breach
Global Crossing Airlines Group (GlobalX) reported unauthorized network activity on May 5, 2025, indicating a cybersecurity incident. The airline, contracted by ICE for deportation flights, saw the breach come to light through a routine SEC filing rather than a public disclosure. Intruders allegedly accessed and possibly exfiltrated sensitive data, including flight records and passenger manifests related to deportation flights. Immediate response included activating incident protocols, hiring cybersecurity experts for mitigation, and isolating compromised systems to prevent further damage. GlobalX has informed law enforcement and is working to ascertain the full extent and impact of the cyberattack. There is speculation that stolen data may be used for extortion, although the specifics of the data theft and any actual misuse are not fully known. The incident coincides with the aggressive deportation strategy pursued by the Trump administration, possibly increasing the sensitivity and impact of the breach. Despite the breach, GlobalX reports no current negative impact on operations, maintaining regular security assessments and training as per its latest SEC disclosures.
2025-05-12 15:20:31 bleepingcomputer CYBERCRIME Moldova Apprehends Suspect Tied to DoppelPaymer Ransomware Attacks
Moldovan authorities arrested a 45-year-old implicated in the DoppelPaymer ransomware scheme that targeted Dutch entities in 2021. During the arrest, police confiscated an electronic wallet, cash, electronic devices, and several data storage units. Legal proceedings are underway to extradite the suspect to the Netherlands for his role in a ransom attack on the Dutch Research Council (NWO), which caused approximately €4.5 million in damages. The NWO attack involved shutting down critical systems and leaking stolen documents online when the ransom was not paid. DoppelPaymer, linked to the cybercrime gang Evil Corp, has been active since 2019, attacking major corporations and critical infrastructure globally. The FBI has previously warned that DoppelPaymer not only encrypts data but also exfiltrates it to pressure victims into paying ransoms. The arrest was part of a collaborative effort between Moldovan and Dutch law enforcement agencies, signifying heightened actions against such cybercrime networks.