Daily Brief


Total articles found: 11681

Checks for new stories every ~15 minutes

2025-11-04 20:32:51 bleepingcomputer MALWARE Malicious Android Apps on Google Play Downloaded 42 Million Times
Zscaler reports over 42 million downloads of malicious Android apps from Google Play between June 2024 and May 2025, indicating a significant threat to mobile security. The report notes a 67% year-over-year increase in mobile malware, with spyware and banking trojans being the most prevalent threats. Cybercriminals are increasingly targeting mobile payments through phishing, smishing, and SIM-swapping, exploiting social engineering tactics as traditional card fraud becomes less effective. Zscaler identified 239 malicious apps on Google Play, a rise from 200 the previous year, with adware now accounting for 69% of all detections. Anatsa, a banking trojan, and Android Void, a backdoor malware, are among the top threats, affecting users in regions including Germany, South Korea, India, and Brazil. The report advises users to apply security updates, trust only reputable publishers, disable unnecessary permissions, and perform regular Play Protect scans to mitigate risks. Organizations are encouraged to adopt zero-trust technology and enhance IoT security by monitoring for anomalies and securing firmware to protect against expanding threats.
2025-11-04 19:02:39 bleepingcomputer VULNERABILITIES Microsoft to Phase Out Defender Application Guard for Office by 2027
Microsoft will remove Defender Application Guard (MDAG) from Office, starting with Office version 2602 in February 2026 and finishing by the end of 2027. MDAG opens untrusted Office files inside a Hyper-V-based isolated container so that a malicious document cannot reach the host. As replacements Microsoft points to Defender for Endpoint attack surface reduction rules and to Protected View, the read-only mode that will remain the default for files from untrusted sources. The removal coincides with the end of support for Windows 11 version 23H2 and is intended to simplify the Office security experience. The phased removal will reach the Office channels in turn, concluding with the Semi-Annual Enterprise Channel by July 2027. Administrators should put the recommended ASR rules and Protected View policies in place before MDAG disappears from their channel.
2025-11-04 18:55:10 theregister NATION STATE ACTIVITY Curly COMrades Employ Hidden VMs for Stealthy Cyber Espionage
Bitdefender and the Georgian CERT uncovered a new campaign by Curly COMrades, leveraging Microsoft's Hyper-V to create hidden VMs on compromised Windows systems. The attackers deploy a lightweight Alpine Linux-based VM, bypassing traditional endpoint detection and response tools, allowing for prolonged network access. The VM hosts custom malware, CurlyShell and CurlCat, facilitating reverse shell access and reverse proxy tunneling, masking malicious activities as legitimate network traffic. The campaign targets judicial and government entities in Georgia and an energy company in Moldova, indicating a focus on geopolitical interests. Curly COMrades exploit legitimate virtualization technology to evade detection, demonstrating advanced tactics in bypassing conventional security measures. Security experts stress the importance of a multi-layered defense strategy, as reliance solely on endpoint detection proves insufficient against such sophisticated threats. Bitdefender has released indicators of compromise on GitHub, aiding organizations in identifying and mitigating potential threats from this group.
2025-11-04 17:54:34 theregister DATA BREACH Audit Reveals Security Lapses at Consumer Financial Protection Bureau
The Office of the Inspector General's audit found the Consumer Financial Protection Bureau's cybersecurity program has regressed from level-4 to level-2 maturity, indicating significant security challenges. Key issues identified include inadequate system authorizations and the absence of effective cybersecurity risk profiles, affecting the bureau's ability to manage and communicate security objectives. The audit revealed 35 systems operating without proper authorizations, with 21 relying solely on risk acceptance memorandums, lacking comprehensive security assessments. Outdated software still in use at the CFPB poses additional risks, with some programs nearing end-of-life, increasing vulnerability to exploitation. The CFPB acknowledged the findings and agreed to implement six recommendations, although it contested some claims regarding risk management practices. Resource constraints, including a significant reduction in contractor support and staff departures, have hampered the bureau's ability to maintain robust cybersecurity operations. The audit underscores the broader impact of federal workforce reductions on cybersecurity capabilities, reflecting similar challenges faced by other agencies.
2025-11-04 17:33:16 thehackernews CYBERCRIME Scattered LAPSUS$ Hunters: A New Cybercrime Alliance Emerges
A new cybercrime collective, Scattered LAPSUS$ Hunters, has formed, merging Scattered Spider, LAPSUS$, and ShinyHunters, creating 16 Telegram channels since August 2025. The group employs an extortion-as-a-service model, allowing affiliates to leverage its brand for financial gain, targeting organizations including Salesforce users. Trustwave reports that the collective operates under a federated structure, collaborating with other clusters like CryptoChameleon and Crimson Collective. Telegram serves as the primary coordination platform, facilitating both internal communication and public dissemination of the group's activities. Members have accused Chinese state actors of exploiting their vulnerabilities and engaged in campaigns against U.S. and U.K. law enforcement. The group hints at developing a custom ransomware, Sh1nySp1d3r, suggesting potential future operations rivaling established threats like LockBit. DragonForce, aligned with Scattered Spider, uses BYOVD attacks to disable security software, partnering with Qilin and LockBit to enhance capabilities. This alliance reflects a sophisticated blend of social engineering, exploit development, and narrative warfare, indicating a mature cybercriminal operation.
2025-11-04 16:58:34 bleepingcomputer DATA BREACH Swedish IT Supplier Miljödata Breach Exposes 1.5 Million Records
Miljödata, a key IT supplier for Swedish municipalities, suffered a data breach affecting about 1.5 million individuals, with the attackers demanding a Bitcoin ransom. The breach disrupted operations across several Swedish regions, affecting local government services and the security of citizen data. The Swedish Authority for Privacy Protection (IMY) is investigating potential GDPR violations, focusing on the security measures and data handling practices in place. The stolen data, including sensitive personal information, was published on the dark web by the threat group Datacarry. CERT-SE and Swedish police are investigating, with an emphasis on preventing repeat incidents and strengthening defences. The breach has prompted municipalities to review their data protection practices, particularly for vulnerable groups such as children and people with protected identities. Have I Been Pwned has loaded the breach, listing roughly 870,000 unique email addresses; the gap between that number and the 1.5 million affected individuals reflects records that carry no email address rather than a smaller breach.
2025-11-04 16:34:58 bleepingcomputer DATA BREACH Nikkei Data Breach Exposes Personal Details of 17,000 Individuals
Nikkei, a major Japanese media corporation, reported a data breach affecting over 17,000 employees and business partners via compromised Slack accounts. The breach was traced back to stolen authentication credentials following malware infection on an employee's computer, leading to unauthorized access. Exposed information includes names, email addresses, and chat histories, though no sensitive journalistic data or confidential sources were compromised. Nikkei implemented immediate security measures, such as mandatory password changes, upon discovering the breach in September. Despite the breach not falling under Japan's Personal Information Protection Law, Nikkei notified the Personal Information Protection Commission, demonstrating a commitment to transparency. The incident stresses the importance of robust cybersecurity practices, particularly in safeguarding communication platforms like Slack. Nikkei's history of cybersecurity incidents, including a 2022 ransomware attack and a 2019 business email compromise, highlights ongoing vulnerabilities.
2025-11-04 15:58:54 thehackernews CYBERCRIME Europol and Eurojust Dismantle €600 Million Crypto Fraud Network
Europol and Eurojust coordinated a global operation arresting nine individuals involved in a €600 million cryptocurrency fraud network across Cyprus, Spain, and Germany. The operation, conducted between October 27 and 29, included searches leading to the seizure of €800,000 in bank accounts, €415,000 in cryptocurrencies, and €300,000 in cash. The fraudulent network operated dozens of fake cryptocurrency investment platforms, luring victims with promises of high returns through social media ads and fake testimonials. Victims reported being unable to recover their investments, prompting the investigation and subsequent raids that dismantled the network. The operation involved agencies from France, Belgium, Cyprus, Germany, and Spain, showcasing effective international collaboration in tackling transnational cybercrime. Europol noted the increasing sophistication of crypto-related crimes, emphasizing the need for advanced tools and cross-border cooperation to counter these threats. The success of this operation reflects the growing capability of law enforcement and private sector partners in addressing complex cyber fraud and money laundering activities.
2025-11-04 15:14:03 bleepingcomputer CYBERCRIME European Authorities Dismantle €600 Million Cryptocurrency Fraud Network
European law enforcement arrested nine individuals involved in a €600 million cryptocurrency fraud across Cyprus, Spain, and Germany, targeting victims with fake investment platforms. The fraudsters created platforms mimicking legitimate investment sites, enticing victims with promises of high returns through social media and cold calling. Victims were unable to recover their funds after transferring cryptocurrency, while criminals laundered the stolen assets using sophisticated blockchain tools. Eurojust coordinated the operation, resulting in the seizure of €800,000 in bank accounts, €415,000 in cryptocurrencies, and €300,000 in cash. This operation follows recent arrests in Europe related to similar cryptocurrency fraud schemes, highlighting a growing trend in financial cybercrime. The U.S. Federal Trade Commission reported record losses of $12.5 billion to fraud in 2024, with investment scams being the most costly, emphasizing the need for enhanced security measures. The incidents underline the importance of vigilance and robust regulatory frameworks to combat evolving cryptocurrency fraud tactics.
2025-11-04 15:06:39 bleepingcomputer VULNERABILITIES Addressing Browser Sandbox Vulnerabilities in Modern Security Strategies
A recent webinar by Keep Aware addresses the growing vulnerabilities in browser sandboxes, emphasizing the need for enhanced security measures in enterprise environments. Browsers are now the primary tool for accessing sensitive SaaS applications, AI tools, and cloud systems, yet their built-in security measures struggle against sophisticated threats. Attackers exploit browser features like extensions and user inputs to bypass sandbox restrictions, leading to credential theft and lateral movement within networks. Traditional security tools such as CASBs, SWGs, and EDRs have limited visibility into browser-layer threats, creating a significant security blind spot. Keep Aware offers solutions that monitor real-time user behavior and extension activity, providing dynamic policy enforcement and instant threat response directly within the browser. The session is aimed at CISOs and IT security leaders, offering actionable insights to enhance security strategies for SaaS and browser-based environments. Emphasizing the importance of browser-level visibility and control, the webinar provides strategies to mitigate risks associated with modern browser use in the workplace.
2025-11-04 14:30:03 thehackernews VULNERABILITIES Critical React Native CLI Flaw Threatens Millions with Remote Exploits
A critical vulnerability in the "@react-native-community/cli" npm package, tracked as CVE-2025-11953, allowed unauthenticated remote command execution against developer machines. The flaw, rated CVSS 9.8, affects package versions 4.8.0 through 20.0.0-alpha.2 and is fixed in 20.0.0. The Metro development server started by the CLI bound to all network interfaces rather than loopback and exposed an unauthenticated "/open-url" endpoint that handed a client-supplied URL to an OS-level "open" helper without validation. A crafted POST to that endpoint gave an attacker on the same network arbitrary OS command execution on Windows and the ability to launch arbitrary executables on Linux and macOS. The combination of no authentication, trivial exploitation and a package with roughly two million weekly downloads made the issue especially dangerous. Projects that do not run Metro as their development server were not affected, which underlines the value of knowing exactly which dependencies are active in a development environment. The incident also shows why automated scanning of software supply chains is needed to surface and fix such vulnerabilities quickly.
2025-11-04 14:07:42 theregister VULNERABILITIES Check Point Identifies Critical Microsoft Teams Vulnerabilities Affecting Trust
Check Point discovered four critical vulnerabilities in Microsoft Teams that could let attackers impersonate executives, alter existing messages and forge caller identities without any visible sign to the victim. With over 320 million monthly users, the flaws threatened the trust that decision-making and financial transactions over Teams depend on. The flaws lay in Teams' messaging architecture and allowed silent edits of sent messages, spoofed notifications attributed to another sender, and manipulated display names and caller IDs in chats and calls. Microsoft fixed the issues in patches released through 2024, with the caller identity flaw closed last, in October 2025. Check Point's proof of concept showed how the bugs could be chained for financial fraud, credential theft or malware delivery. The findings argue for zero-trust access controls and anomaly detection on collaboration platforms, and for verifying unusual requests out of band rather than trusting what the client displays. The case illustrates a shift in attacker strategy toward manipulating digital trust inside collaboration tools rather than breaking into systems directly.
2025-11-04 14:07:41 thehackernews VULNERABILITIES Microsoft Teams Flaws Enable Message Manipulation and Impersonation Risks
Check Point researchers identified four vulnerabilities in Microsoft Teams that could facilitate impersonation and social engineering attacks, affecting both internal and external users. These flaws allowed attackers to manipulate message content and sender identity without detection, posing significant risks to organizational communication integrity. Microsoft addressed some issues in August 2024 under CVE-2024-38197, with additional patches released in September 2024 and October 2025. The vulnerabilities enable attackers to alter display names in chats and calls, potentially deceiving users into sharing sensitive information or executing malicious actions. Exploiting these flaws could undermine digital trust, turning Teams from a collaborative tool into a deception vector, particularly targeting high-profile executives. Microsoft acknowledged the platform's attractiveness to cybercriminals and state-sponsored actors due to its extensive collaboration features and global adoption. Organizations are urged to enhance security measures, focusing on verifying digital interactions to protect against these types of sophisticated social engineering threats.
2025-11-04 14:07:41 bleepingcomputer NATION STATE ACTIVITY Russian Group Uses Hyper-V to Conceal Malware in Linux VMs
Curly COMrades, a Russia-aligned cyber-espionage group, abused Microsoft's Hyper-V to hide malware inside Alpine Linux virtual machines on compromised Windows hosts, out of sight of host-based endpoint detection and response. The minimal VM hosted the group's custom tools, CurlyShell and CurlCat, giving it a stealthy foothold and command channel. Bitdefender, working with the Georgian CERT, uncovered the activity against Georgian government bodies and a Moldovan energy firm, targeting consistent with Russian geopolitical interests. The attackers enabled the Hyper-V feature on compromised systems, disabled its management interface, and attached the VM to the Default Switch, whose NAT makes the guest's traffic appear to originate from the host's own IP address. ELF binaries inside the guest and PowerShell scripts on the host handled persistence and lateral movement, showing a consistent focus on stealth. Defenders should monitor for unexpected Hyper-V enablement, LSASS access and suspicious PowerShell script activity on endpoints where virtualization has no business purpose. The case shows that endpoint detection alone is not enough against evasion built on legitimate virtualization technology, and that network-level visibility is needed to catch it.
2025-11-04 13:09:00 theregister CYBERCRIME Rise in Violent Cybercrime Tactics Targets European Cryptocurrency Holders
Europe experiences a surge in violent cybercrime, with at least 18 cases reported since 2024, primarily targeting cryptocurrency holders in France and the UK. CrowdStrike's report identifies "violence as a service" as a growing trend, with criminals resorting to physical attacks to extract cryptocurrency assets. High-profile incidents include the kidnapping of Ledger co-founder David Balland in France, where attackers demanded a ransom and inflicted physical harm. French authorities have arrested ten individuals linked to these crimes, including a suspected ringleader detained in Morocco. The UK emerges as Europe's top target for cybercriminals, with over 2,100 attacks claimed on organizations since January 2024, largely involving ransomware and data theft. Initial Access Brokers (IABs) play a significant role in facilitating attacks, particularly against academic, professional services, and retail sectors. The Com, a loosely affiliated cybercrime network, is implicated in orchestrating these violent operations, often recruiting members for close-access attacks. The trend signals a shift in cybercriminal tactics, blending traditional cybercrime with physical violence to achieve their objectives.