Daily Brief
Articles are listed below; the summaries are generated.
Total articles found: 11696
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-10-23 15:34:14 | thehackernews | NATION STATE ACTIVITY | North Korean Group Targets European Defense Firms for Drone Secrets | North Korean hackers, linked to the Lazarus Group, are targeting European defense companies to steal drone technology, as part of the ongoing Operation Dream Job campaign. The campaign, active since March 2025, involves social engineering tactics, offering fake job opportunities to defense engineers to install malware on their systems. Targeted firms include a metal engineering company in Southeastern Europe and a Central European aircraft component manufacturer, focusing on unmanned aerial vehicle (UAV) technology. The malware families ScoringMathTea and MISTPEN are used to extract proprietary information, with ScoringMathTea previously linked to attacks in India and Poland. Attackers use trojanized PDF readers and decoy documents to deliver malware, employing techniques that evade detection while maintaining consistent attack patterns. The operation's persistence since 2020 highlights the strategic importance of drone technology to North Korea's military ambitions and the ongoing threat posed by state-sponsored cyber activities. Companies in the defense sector are urged to enhance their cybersecurity measures, particularly against social engineering threats, to safeguard sensitive technological information. |
| 2025-10-23 14:16:14 | bleepingcomputer | VULNERABILITIES | AI Sidebar Spoofing Poses Security Risks for Atlas and Comet Browsers | Researchers at SquareX identified a vulnerability in the AI sidebars of OpenAI's Atlas and Perplexity's Comet browsers, allowing threat actors to execute spoofing attacks. The attack involves injecting a fake sidebar via a malicious browser extension, indistinguishable from the real AI sidebar, potentially leading users to follow harmful instructions. Scenarios tested include cryptocurrency theft, unauthorized access to Gmail and Google Drive, and device hijacking, highlighting the potential severity of these spoofing attacks. The spoofing technique requires only common browser permissions, making it feasible for attackers to exploit without raising immediate suspicion. SquareX has reached out to both Perplexity and OpenAI regarding the vulnerability, but no response has been received from either company. Users are advised to limit the use of these AI browsers to non-sensitive tasks, as they are not yet secure enough for handling private or financial information. The findings emphasize the need for enhanced security measures in agentic AI browsers to protect users from emerging threats. |
| 2025-10-23 14:16:14 | bleepingcomputer | VULNERABILITIES | Addressing Identity Risks in AI with Zero Trust Framework | The rise of AI agents in enterprises introduces significant security challenges, particularly around identity governance and trust, posing risks to traditional Zero Trust architectures. AI agents often inherit credentials without clear ownership or identity governance, leading to potential security vulnerabilities and unauthorized access within enterprise systems. The NIST AI Risk Management Framework (AI RMF) offers guidance to manage AI risks, emphasizing the importance of identity as the root of trust for AI agents. Organizations are encouraged to inventory AI agents, assess their access permissions, and ensure continuous monitoring to detect anomalous behavior and potential security breaches. Implementing identity-driven Zero Trust principles involves right-sizing permissions, revoking stale credentials, and enforcing lifecycle policies for AI agents. Orphaned AI agents can act as backdoors for attackers, and over-permissioned agents pose risks of data exfiltration, highlighting the need for stringent identity controls. By embedding identity governance into AI deployment, businesses can enhance their security posture and ensure compliance, transforming AI agents into governed entities. |
| 2025-10-23 14:09:55 | theregister | MALWARE | Google and Check Point Dismantle Extensive YouTube Malware Network | Google removed over 3,000 YouTube videos spreading malware disguised as cracked software and game cheats, significantly impacting the "YouTube Ghost Network." Check Point identified the network's use of hijacked YouTube accounts to post tutorials promising free software, which instead installed infostealers like Rhadamanthys and Lumma. The operation surged in 2025, tripling the number of malicious videos compared to previous years, highlighting a shift in malware distribution tactics. The Ghost Network leveraged fake accounts to simulate trust through views, likes, and comments, making malicious content appear legitimate to unsuspecting users. Victims were misled into disabling antivirus software and downloading malware from platforms like Dropbox and Google Drive, compromising credentials and crypto wallets. Despite takedowns, the network's modular design allowed it to quickly regenerate, using rotating payloads and updated links to maintain resilience. The campaign's success with gaming cheats, particularly for Roblox, underscores the evolving threat landscape where social credibility on mainstream platforms is exploited. Check Point warns that while current operators are profit-driven cybercriminals, similar tactics could be adopted by nation-state actors targeting high-value individuals. |
| 2025-10-23 12:42:54 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Lazarus Group Targets European Defense Firms with Job Lures | North Korean Lazarus hackers targeted three European defense companies in a campaign called Operation DreamJob, focusing on unmanned aerial vehicle (UAV) technology. The campaign used fake recruitment offers to trick employees into downloading malicious files, granting hackers access to company systems. ESET researchers noted the campaign aligns with North Korea's efforts to enhance its drone capabilities, inspired by Western designs. The attack chain involved trojanized applications and DLL sideloading to deploy the ScoringMathTea RAT, enabling remote access and control. The RAT supports 40 commands, allowing attackers to manipulate files, execute commands, and download additional malware. Despite previous exposure, Operation DreamJob remains effective, highlighting the ongoing threat posed by North Korean cyber activities. ESET provided indicators of compromise (IoCs) to help organizations detect and mitigate the threat from Lazarus hackers. |
| 2025-10-23 11:55:21 | thehackernews | MISCELLANEOUS | Addressing the Growing Security Risks of Unmanaged AI Agents | A recent webinar addresses the security challenges posed by the rapid adoption of AI agents, which are proliferating at an unprecedented rate in organizations. Companies now deploy approximately 100 AI agents for every human employee, with 99% lacking proper management and oversight, creating potential security vulnerabilities. Traditional security tools are inadequate for managing the lifecycle and oversight of AI identities, leading to increased risk exposure. The webinar, "Turning Controls into Accelerators of AI Adoption," offers strategies to integrate security measures without hindering business agility. Participants will learn how to transform security controls into enablers for safe and accelerated AI adoption, moving from a reactive to a proactive security posture. The session is designed for engineers, architects, and CISOs who are grappling with the challenges of AI security management. By implementing the strategies discussed, organizations can enhance their security frameworks while continuing to innovate with AI technologies. |
| 2025-10-23 11:31:28 | thehackernews | CYBERCRIME | Lumma Stealer Group Doxxed, Operations Severely Disrupted | The Lumma Stealer group has faced significant operational disruption following a doxxing campaign exposing five core members' identities, including their PII and financial records. The exposure campaign, driven by internal rivalries, has led to a decline in Lumma Stealer's activity and customer trust, pushing clients towards alternatives like Vidar and StealC. Lumma Stealer's communication channels, particularly Telegram accounts, were compromised, further hindering their ability to coordinate operations. The doxxing campaign suggests insider access to compromised accounts and databases, indicating deep infiltration within the group. Despite previous law enforcement actions against Lumma Stealer, the group had resumed operations, but current developments threaten its future viability. The emergence of Vidar Stealer 2.0, with advanced evasion capabilities and credential extraction methods, poses a new threat in the information stealer landscape. Organizations are advised to remain vigilant and update security measures to mitigate risks associated with evolving information stealer threats. |
| 2025-10-23 11:01:27 | thehackernews | VULNERABILITIES | Transition to Managed Identities Boosts Security and Efficiency | Organizations are moving from static secrets to managed identities, achieving significant productivity gains and reducing credential management complexities in cloud environments. Traditional static secrets, such as API keys and passwords, pose risks due to manual lifecycle management and potential credential leaks. Managed identities offer a shift to short-lived, automatically rotated credentials, enhancing security and reducing management time by up to 95% per application component. Despite the benefits, managed identities don't address all authentication challenges, particularly with third-party APIs and legacy systems that still require static credentials. Organizations are adopting a hybrid approach, reducing reliance on static secrets by 70-80% while maintaining robust secret management for necessary use cases. Comprehensive visibility into existing credential landscapes is crucial; platforms like GitGuardian's NHI Security help identify and manage hidden API keys and passwords. Strategic reduction of static secrets creates resilient architectures that leverage both managed identities and effective secret management solutions. |
| 2025-10-23 09:33:46 | theregister | CYBERCRIME | SpaceX Disables Starlink Terminals Linked to Myanmar Cybercrime Operations | SpaceX has deactivated over 2,500 Starlink terminals in Myanmar, which were used by criminal networks for cyber-fraud and human trafficking activities. These terminals supported operations in Myanmar's border zones, where traditional telecom services face restrictions or monitoring. The action follows a major raid by Myanmar's military on a compound near the Thai border, resulting in over 2,000 arrests and the seizure of Starlink equipment. Criminal syndicates, often linked to Chinese-speaking groups, exploited Starlink's global coverage for scams, including crypto fraud and fake romance schemes. Black market Starlink terminals have been entering Southeast Asia through Thailand and China, sold at high prices and activated with foreign accounts. SpaceX's senior vice president stated the company is committed to preventing misuse and ensuring compliance with local laws across its operational markets. This incident highlights the dual-use nature of satellite technology, underscoring the need for vigilant oversight to prevent exploitation by illicit actors. |
| 2025-10-23 07:52:19 | thehackernews | CYBERCRIME | Jingle Thief Hackers Exploit Cloud Systems for Gift Card Fraud | Cybercriminal group Jingle Thief targets retail and consumer services sectors, focusing on exploiting cloud environments for unauthorized gift card issuance. The group employs phishing and smishing tactics to steal credentials, gaining access to organizations' cloud infrastructure to issue and resell gift cards. Jingle Thief's operations coincide with festive seasons, leveraging the anonymity and traceability challenges associated with gift cards for financial gain. Researchers have linked Jingle Thief with moderate confidence to criminal groups Atlas Lion and Storm-0539, with origins traced to Morocco. The group maintains long-term access within compromised systems, conducting extensive reconnaissance and lateral movement to avoid detection. Recent attacks in April and May 2025 involved coordinated phishing campaigns, breaching 60 user accounts in a single organization over 10 months. Jingle Thief's tactics include creating inbox rules to forward emails, bypassing MFA with rogue apps, and enrolling devices to maintain persistent access. Organizations are advised to bolster cloud security measures and enhance phishing awareness to mitigate risks associated with such stealthy cybercriminal activities. |
| 2025-10-23 05:55:36 | thehackernews | VULNERABILITIES | Critical Flaw in Adobe Commerce Threatens Over 250 Magento Stores | Over 250 Magento stores were targeted within 24 hours due to a critical vulnerability in Adobe Commerce, identified as CVE-2025-54236, with a CVSS score of 9.1. The flaw, known as SessionReaper, involves improper input validation via the Commerce REST API, potentially allowing attackers to take over customer accounts. Despite Adobe releasing a patch last month, 62% of Magento stores remain unpatched, leaving them susceptible to exploitation; administrators are urged to act immediately. Threat actors have been observed using the flaw to deploy PHP webshells and extract PHP configuration data, posing significant security risks to affected platforms. The vulnerability, a nested deserialization flaw, allows for remote code execution, similar to a previous Adobe Commerce vulnerability, CosmicSting, exploited in 2024. Security firms, including Sansec and Searchlight Cyber, emphasize the urgency of applying patches to prevent further exploitation as proof-of-concept exploits become publicly available. The ongoing threat highlights the critical importance of timely patch management in safeguarding e-commerce platforms from emerging vulnerabilities. |
| 2025-10-23 05:39:43 | thehackernews | VULNERABILITIES | Critical Lanscope Endpoint Manager Flaw Actively Exploited, CISA Warns | CISA has added CVE-2025-61932, a critical Lanscope Endpoint Manager flaw, to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. The vulnerability affects on-premises Lanscope Endpoint Manager versions, allowing arbitrary code execution through specially crafted packets. Impacted versions include 9.4.7.1 and earlier, with the flaw stemming from improper verification of communication channels. Motex has confirmed at least one customer received a malicious packet targeting this vulnerability, though the attack's scale and perpetrators remain unknown. Federal Civilian Executive Branch agencies are advised to remediate the vulnerability by November 12, 2025, to protect their systems. The vulnerability's CVSS v4 score of 9.3 underscores its critical nature, necessitating immediate attention and patching from affected organizations. Organizations should prioritize updating to patched versions to mitigate potential risks associated with this security flaw. |
| 2025-10-22 21:25:50 | bleepingcomputer | NATION STATE ACTIVITY | Iranian Group MuddyWater Targets Government Entities with Phoenix Backdoor | MuddyWater, an Iranian state-sponsored group, targeted over 100 government entities in the Middle East and North Africa using the Phoenix backdoor malware. The campaign began on August 19, utilizing phishing emails from a compromised account accessed via NordVPN, aiming at diplomatic and governmental organizations. Attackers employed malicious Word documents with macro code to deploy the FakeUpdate malware loader, despite macros being disabled by default in Microsoft Office. The Phoenix backdoor, now in its fourth version, includes enhanced persistence mechanisms and gathers detailed system information for profiling. The malware connects to command-and-control servers via WinHTTP, supporting various commands for data exfiltration and system control. Additional tools used include a custom infostealer targeting browser credentials and the PDQ utility for software management, indicating sophisticated operational capabilities. Group-IB attributes these attacks to MuddyWater with high confidence, based on malware signatures and targeting patterns consistent with previous campaigns. |
| 2025-10-22 18:54:19 | bleepingcomputer | VULNERABILITIES | Pwn2Own Ireland 2025 Unveils 56 Zero-Day Vulnerabilities in Major Devices | Security researchers at Pwn2Own Ireland 2025 exploited 56 zero-day vulnerabilities, earning $792,750 in rewards during the competition's second day. Ken Gannon and Dimitrios Valsamaras notably breached the Samsung Galaxy S25 using a five-flaw chain, securing $50,000 and leading the Master of Pwn leaderboard. Additional devices compromised include the QNAP TS-453E NAS, Synology DS925+, and Philips Hue Bridge, with awards of $20,000 to successful teams. The competition targets a wide array of devices, including smartphones, printers, NAS systems, and smart home technology, expanding attack vectors to USB port exploitation. Vendors are allotted 90 days post-competition to patch identified vulnerabilities before public disclosure by the Zero Day Initiative (ZDI). Meta, Synology, and QNAP co-sponsor the event, emphasizing the importance of proactive security measures in protecting consumer devices. The contest continues to drive innovation in cybersecurity, encouraging researchers to uncover and address critical vulnerabilities across diverse technology platforms. |
| 2025-10-22 18:46:05 | bleepingcomputer | VULNERABILITIES | Critical SessionReaper Flaw in Adobe Magento Exploited by Hackers | Cybercriminals are actively exploiting the SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce, affecting thousands of online stores globally. Sansec, an e-commerce security firm, identified over 250 exploitation attempts, with many attacks originating from five specific IP addresses. The vulnerability allows attackers to control account sessions via the Commerce REST API, posing significant risks to customer data security. Despite an emergency patch released by Adobe, 62% of Magento stores remain unpatched, leaving them vulnerable to attacks. Searchlight Cyber's published technical analysis may increase exploitation attempts, since it gives attackers insight into the vulnerability. Sansec's security measures, including Sansec Shield, have successfully detected and blocked initial real-world attacks. Adobe advises immediate application of the patch or recommended mitigations to protect against potential breaches. The slow adoption of patches highlights the need for improved cybersecurity practices and awareness among e-commerce platforms. |