Daily Brief
Find articles below; see 'DETAILS' for generated summaries.
Total articles found: 12806
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-28 12:33:11 | theregister | DATA BREACH | Data Compromise in Cardiff Council's Children's Services Department | Cardiff City Council's children's services director confirmed a data breach affecting the organization. The exact nature and extent of the compromised data have not been disclosed, but it could include sensitive information related to children's welfare. The breach was discussed during a council meeting, which listed it as one of five elevated corporate risks in children's services. The council is working with the Welsh government and other local authorities to address cybersecurity risks and prevent future incidents. Security measures currently being implemented include enhanced security products, staff training, phishing exercises, and cybersecurity workshops for senior management. The breach might be connected to a previous ransomware attack on Data Cymru, a company working with Welsh local governments. The council aims to lower its cybersecurity risk rating by the end of 2025/26 as ongoing initiatives and an action plan are developed. There has been no immediate response from the council or related organizations about the details of the breach or whether affected individuals have been notified. | Details |
| 2025-03-28 12:04:03 | thehackernews | MALWARE | Sophisticated CoffeeLoader Malware Evades Detection Using GPU | Cybersecurity experts have identified a new malware variant named CoffeeLoader, which primarily functions as a downloader for secondary payloads. CoffeeLoader employs a unique packer named Armoury that runs code on the GPU to hinder analysis and detection by virtual environments and security software. The malware includes advanced evasion techniques such as call stack spoofing, sleep obfuscation, and the use of Windows fibers to escape detection by antivirus and Endpoint Detection and Response (EDR) systems. CoffeeLoader was first observed in September 2024 and uses a domain generation algorithm to maintain communication with command-and-control (C2) servers even if primary channels fail. The infection process involves a dropper that tries to execute with elevated privileges and establish persistence through scheduled tasks. It shares similarities with the older SmokeLoader malware, hinting at a possible evolution or relationship between the two, especially after recent law enforcement actions against SmokeLoader. Associated threats include phishing campaigns and targeted malware attacks on cryptocurrency traders and users downloading compromised software. | Details |
| 2025-03-28 10:17:52 | thehackernews | MISCELLANEOUS | Datto BCDR: Enhancing Business Continuity with Hybrid Solutions | Responses from over 3,000 IT professionals indicate a shift towards BCDR solutions because of their superior disaster recovery capabilities and cost-effectiveness. Datto BCDR integrates local hardware, software, and cloud-based recovery to deliver rapid and efficient business continuity. The platform supports both agent-based and agentless backups, providing flexibility across different IT environments and reducing management complexity. Datto BCDR features automated backup and DR testing, minimizing manual effort and verifying recoverability. Advanced Inverse Chain Technology™ allows for independent recovery points, enabling faster restores and minimal data loss. The Datto Cloud offers robust security and performance, with features like 1-Click Disaster Recovery to streamline and accelerate disaster response. Frequent backups (as often as every five minutes) paired with efficient off-site data retention strengthen assurance against data loss. The State of BCDR Report 2025 reveals gaps in regular backup testing across industries, underlining the need for automated solutions like those offered by Datto. | Details |
| 2025-03-28 08:08:10 | thehackernews | MALWARE | PJobRAT Malware Targets Taiwan via Phony Chat Apps | PJobRAT, an Android malware, has recently targeted Taiwanese users through deceptive chat applications. Initially documented in 2021 for attacks against Indian military personnel, the malware can extract sensitive data such as SMS messages, contacts, and media files. Operated by the SideCopy group, linked to Transparent Tribe, the malware has been used in espionage efforts against government and military entities, frequently employing social engineering via fake romantic interests. Sophos revealed that the malware's recent campaign involved fake apps named SangaalLite and CChat, distributed through WordPress sites. The malicious apps were capable of extensive data harvesting and were controlled via command-and-control (C2) servers, which also distributed updates and commands to the malware. Despite the longevity of the campaign, the number of infections was relatively low, suggesting a highly targeted approach. The campaign ran from January 2023 until around October 2024, and it introduced new features enabling broader control over infected devices and the execution of shell commands. | Details |
| 2025-03-28 06:36:34 | theregister | CYBERCRIME | Chrome and Firefox Patch Zero-Day Exploits Targeting Russians | Google issued an emergency Chrome patch for a zero-day vulnerability used to bypass the browser's sandbox in a phishing campaign targeting Russian journalists and officials. Kaspersky researchers uncovered the exploit after detecting a phishing campaign that invited victims to a fabricated event and led directly to a sandbox bypass in Chrome. Mozilla also detected a similar vulnerability within Firefox's inter-process communication code, which appeared unexploited, and issued a swift security update. The critical vulnerabilities, identified as CVE-2025-2783 in Chrome and CVE-2025-2857 in Firefox, enabled attackers to execute code remotely and escape browser sandboxes on Windows. Additional reports indicated that malware mimicking reputable organizations like the CIA and Ukrainian helplines targeted anti-war Russians, possibly orchestrated by Russian intelligence or affiliated actors. Browsers using Google's Chromium engine, including Edge, Opera, and Brave, are expected to receive similar security patches to address the underlying vulnerability. The Tor Browser, which is built on Mozilla's Firefox codebase, issued an urgent Windows-only update in response to the discovered security risks. | Details |
| 2025-03-28 06:08:51 | thehackernews | CYBERCRIME | Long-Standing npm Packages Compromised to Steal API Keys | Several old but commonly used npm cryptocurrency packages were hijacked to exfiltrate sensitive data like API keys and SSH keys from systems. The hijacked packages, which had been on the npmjs.com registry for over nine years, were recently found to contain obfuscated malicious scripts. These scripts are designed to execute automatically after installation, harvesting environment variable data and sending it to a remote server. The attackers appear to have gained access through compromised npm maintainer accounts or expired-domain takeovers, rather than through direct attacks like phishing. No alterations were found in the GitHub repositories linked to the affected packages, which suggests the malicious code was pushed directly to the npm registry. The exact motive behind stealing the information remains unclear, although the data targeted suggests preparation for further attacks or fraud. The incident underscores the importance of two-factor authentication and enhanced monitoring to prevent similar threats within software supply chains. | Details |
| 2025-03-28 05:48:36 | thehackernews | MALWARE | Mozilla Fixes Critical Firefox Bug After Similar Chrome Exploit | Mozilla has patched a critical security flaw in Firefox, identified as CVE-2025-2857, which could have allowed a sandbox escape. The vulnerability was similar to a recent zero-day flaw exploited in Google's Chrome browser, prompting a rapid response from Mozilla. Fixes have been issued in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. The flaw lay in Firefox's inter-process communication code, where a mishandled process could cause the return of an unintentionally powerful handle, risking an escape from the browser sandbox. Unlike the Chrome flaw, there has been no evidence that CVE-2025-2857 has been actively exploited in the wild. Google had earlier addressed the Chrome zero-day, CVE-2025-2783, which was used in targeted attacks against various sectors in Russia. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Chrome flaw to its Known Exploited Vulnerabilities catalog. Both Mozilla and Google advise users to update their browsers to the latest versions to protect against these vulnerabilities. | Details |
| 2025-03-28 01:22:41 | theregister | CYBERCRIME | Cybercriminals Extort Cable Firm WOW!, Threaten Massive Data Leak | A cybercrime group named Arkana claims to have stolen data from cable company WideOpenWest (WOW!), affecting 403,000 users. The stolen data reportedly includes usernames, passwords, partial credit card details, email addresses, login histories, modem types, and security questions and answers. Arkana has produced a music video boasting of the breach and threatening to sell or leak the data if WOW! does not pay a ransom by Friday. The cybercriminals present themselves as a security firm on their website, claiming to specialize in identifying critical vulnerabilities and offering companies "second chances" to rectify security failures. Security firm Hudson Rock confirmed that the breach likely began with info-stealer malware that infected a WOW! employee's computer. Hudson Rock further linked the breach to intrusions into WOW! backend systems such as the Symphonica and Appian Cloud tools. The incident highlights the growing threat posed by info-stealers as a precursor to more extensive ransomware attacks. As of now, WideOpenWest has not issued any statement regarding the breach. | Details |
| 2025-03-27 23:12:28 | bleepingcomputer | CYBERCRIME | Microsoft Stream Classic Domain Hijacked to Display Spam | Microsoft Stream's classic domain was hijacked to show a fake Amazon page promoting a Thai casino. The hijack affected all SharePoint sites still using video links from the deprecated microsoftstream.com domain. Microsoft had previously announced the phasing out of Microsoft Stream classic, with a complete migration to SharePoint by April 2024. Suspicious activity was first reported by users who noticed spam instead of videos on SharePoint sites. The affected domain redirected users to a phishing site designed to mimic Amazon. Microsoft responded by shutting down the hijacked domain and blocking the spam pages on SharePoint. It remains unclear exactly how the domain was compromised, whether through DNS changes or other means. Microsoft has not disclosed specifics about the security breach or the exact measures taken after the incident. | Details |
| 2025-03-27 22:15:13 | theregister | NATION STATE ACTIVITY | China's FamousSparrow Resurfaces, Compromises US Financial Trade Group | The China-aligned APT group FamousSparrow, after a period of inactivity, successfully breached a US financial-sector trade group and a Mexican research institute. ESET researchers uncovered the group's activities and new advancements in its SparrowDoor backdoor malware during an investigation initiated in July 2024. The group has also been loosely linked to the Chinese espionage group Salt Typhoon, though the researchers say the two have distinct operational methods. FamousSparrow deployed two newly developed versions of SparrowDoor, with enhanced capabilities and architecture, on compromised networks. The group exploited vulnerabilities in outdated Windows Server and Microsoft Exchange setups to deploy malware and establish control over victims' networks. In addition to the new SparrowDoor variants, FamousSparrow employed ShadowPad, a sophisticated backdoor previously used exclusively by other China-aligned actors. The malware infiltration enabled remote control, data theft, and deep network penetration, signaling a significant threat to affected organizations. | Details |
| 2025-03-27 20:24:10 | bleepingcomputer | MALWARE | Malicious Code Discovered in 10 npm Packages, Steals Dev Data | Ten npm packages were compromised with malicious code aimed at stealing environment variables from developers' systems. The affected packages included several cryptocurrency-related ones and the popular 'country-currency-map'. Two obfuscated scripts, '/scripts/launch.js' and '/scripts/diagnostic-report.js', were added to the packages to execute upon installation. The stolen data, primarily environment variables containing sensitive information such as API keys and credentials, was transmitted to a remote server. The malicious updates are suspected to have resulted from npm maintainer accounts being compromised through credential stuffing or expired-domain takeovers. Except for 'country-currency-map', the compromised packages are still available on npm, and their latest versions are infected with the info-stealer malware. The account-takeover hypothesis is supported by the fact that the corresponding GitHub repositories were not updated with the malicious code. Despite npm's mandatory two-factor authentication for popular projects, older packages maintained by less active developers were affected by this campaign. | Details |
| 2025-03-27 18:42:49 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Upgrade Malware, Target Global Organizations | The Chinese cyberespionage group FamousSparrow deployed an advanced version of its SparrowDoor malware against a US trade organization. Security firm ESET revealed that the upgraded malware features parallel command execution, improving the efficiency and effectiveness of its operations. Recent targets include a Mexican research institute and a Honduran government institution, with initial access gained via compromised Microsoft Exchange and Windows Server systems. The new versions of the malware show significant improvements in code quality, encryption, and architecture, indicating a sophisticated development approach. The latest iteration introduces a modular structure, allowing it to load new, memory-resident plugins from its command-and-control (C2) server at runtime. FamousSparrow is also using ShadowPad, a high-tier remote access trojan linked to multiple Chinese advanced persistent threat (APT) groups, suggesting access to shared cyberespionage tooling. ESET tracks FamousSparrow as a distinct group because of its operational techniques, although some shared infrastructure hints at a possible common third-party supplier. | Details |
| 2025-03-27 17:08:51 | thehackernews | CYBERCRIME | New Phishing Kit Targets 114 Brands via DNS Email Exploits | A new phishing-as-a-service platform called Morphing Meerkat uses DNS MX records to serve fake login pages mimicking approximately 114 global brands. The phishing kit dynamically selects the fake login page based on the victim's email service provider in order to steal credentials. Its campaigns often exploit open redirects and compromised domains to distribute phishing links, and stolen credentials are shared through platforms like Telegram. Morphing Meerkat has been involved in sending thousands of spam emails that leverage compromised websites and advertising platforms to avoid detection. The phishing pages can translate content into multiple languages, enabling attacks on a global scale, and they include anti-analysis features such as disabling right-click and certain keyboard functions. Infoblox highlighted the natural feel of the fake pages, which closely replicate the design of the targeted service providers and so increase the chances of deceiving victims. The use of DNS MX records to identify and target specific email platforms like Gmail, Microsoft Outlook, or Yahoo makes this technique particularly effective for targeted phishing attacks. | Details |
| 2025-03-27 16:40:25 | theregister | CYBERCRIME | Security Outfit Cracks Ransomware Gang, Alerts Authorities | The cybersecurity firm Resecurity infiltrated the BlackLock ransomware gang's operations and passed crucial data to law enforcement agencies. By exploiting a misconfiguration and an LFI vulnerability on BlackLock's Tor-based leak site, Resecurity accessed server configurations and operator credentials. Resecurity's intervention enabled the closure of BlackLock's data leak site and helped preempt data leaks for several victims. The firm's proactive measures allowed it to alert victims in France and Canada of impending data leaks, helping them prepare in advance. Attribution of the BlackLock operation suggested ties to Russia and China, with operational behavior indicating a no-target policy on BRICS and CIS countries. Overlapping victim lists suggested that BlackLock may be connected to, or a rebrand of, other ransomware entities like El Dorado and Mamona. Resecurity also suggested that BlackLock may be planning a silent exit, possibly in coordination with another ransomware brand, DragonForce. | Details |
| 2025-03-27 16:32:24 | bleepingcomputer | MALWARE | Report Highlights Top WordPress Plugin Vulnerabilities of Q1 2025 | A new Patchstack report identifies the four most exploited WordPress plugin vulnerabilities of the first quarter of 2025. The targeted flaws, all classified as critical in severity, were initially discovered and patched in 2024, yet many installations remain unpatched. Attackers used these vulnerabilities to attempt arbitrary code execution or theft of sensitive data from websites. Two of the vulnerabilities were reported as actively exploited for the first time in this quarter. Despite numerous exploitation attempts, not all led to successful compromises, thanks to preventive measures like security blocks. The report stresses the importance for website administrators of keeping all WordPress components updated and enforcing strong access controls, including multi-factor authentication. The wider WordPress community remains at risk because not all sites use effective security measures such as Patchstack, increasing the likelihood of successful exploitation. | Details |