Daily Brief
Find articles below; see 'Details' for the generated summaries
Total articles found: 11541
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2025-12-02 15:35:16 | bleepingcomputer | CYBERCRIME | Cybercrime Adopts SaaS Model, Expanding Access to Advanced Tools | Cybercrime is increasingly adopting a subscription-based model, offering tools and services akin to legitimate SaaS platforms, making sophisticated attacks accessible to less-skilled individuals.
Phishing-as-a-service (PhaaS) platforms now offer comprehensive kits, including AI-enhanced tools like SpamGPT, enabling seamless execution of phishing campaigns with minimal technical expertise.
Telegram bots are transforming social engineering into a rentable service, providing capabilities like OTP scams and spoofed calls, with pricing tiers resembling traditional SaaS offerings.
Infostealer logs are now aggregated and sold as subscription-based data feeds, allowing criminals to access fresh stolen credentials through user-friendly web interfaces.
Initial access brokers commoditize network breaches, selling access to compromised systems, which are validated and categorized, offering a scalable entry point for other cybercriminals.
Advanced malware and hacking tools, such as the Atroposia RAT, are available for rent at low monthly fees, reducing the barrier to entry for complex cyberattacks.
The evolution of cybercrime into a subscription economy challenges cybersecurity defenses, necessitating scalable and adaptive security measures to counteract these on-demand threats. | Details |
| 2025-12-02 15:25:22 | theregister | DATA BREACH | Kensington and Chelsea Council Confirms Data Breach Amid IT Outage | Kensington and Chelsea Council confirmed a data breach occurred during a recent IT outage, affecting historical information, though specific data types and quantities remain undisclosed.
The breach impacted a shared IT environment with Hammersmith & Fulham and Westminster councils, causing significant service disruptions and a shift to manual processes.
External investigators, including the National Cyber Security Centre and the Metropolitan Police, are probing the incident; no ransomware group has claimed responsibility so far.
The council advises residents to remain vigilant for potential scams, especially those who purchased services like parking permits, and to monitor financial statements closely.
The interconnected IT systems among the councils have complicated recovery efforts, with ongoing delays expected for at least two weeks as services are gradually restored.
The breach raises concerns about the security of sensitive data held by councils, including tenancy records and social care notes, which are attractive targets for cybercriminals.
Hammersmith & Fulham Council reported no evidence of compromise but has implemented enhanced security measures as a precaution. | Details |
| 2025-12-02 15:10:30 | thehackernews | MALWARE | GlassWorm Campaign Resurfaces with Malicious Developer Tool Extensions | GlassWorm has re-emerged, infiltrating Microsoft Visual Studio Marketplace and Open VSX with 24 malicious extensions mimicking popular developer tools such as Flutter and React.
The campaign exploits stolen credentials to compromise additional packages, effectively spreading malware and turning developer machines into nodes for further criminal activities.
Attackers artificially inflate download counts, making the malicious extensions appear legitimate and deceiving developers into installing them.
The latest iteration includes Rust-based implants targeting Windows and macOS, using Solana blockchain and Google Calendar events for command-and-control operations.
Despite efforts by Microsoft and Open VSX, the campaign keeps evading detection by pushing malicious code in updates after an extension has passed initial review, so the payload runs when the extension activates on a developer's machine.
The campaign's rapid deployment across major repositories poses a significant threat to developers, risking widespread compromise through seemingly trustworthy extensions.
Organizations should enhance scrutiny of third-party extensions and implement robust security measures to mitigate risks associated with supply chain attacks. | Details |
| 2025-12-02 15:02:05 | thehackernews | NATION STATE ACTIVITY | North Korean Lazarus Group's Remote Worker Scheme Exposed in Real-Time | A joint investigation by BCA LTD, NorthScan, and ANY.RUN revealed a North Korean infiltration scheme involving remote IT workers, attributed to the Lazarus Group's Famous Chollima unit.
Researchers captured live activity of operators using sandbox environments that mimicked real developer laptops, providing unprecedented insight into their operations.
The operation involved impersonating a U.S. developer to engage with a recruiter, "Aaron," who sought full access to sensitive personal information and continuous laptop availability.
The ANY.RUN Sandbox created virtual machines with U.S. residential proxy routing, allowing researchers to monitor activities without detection.
The scheme focused on identity takeover and remote access, bypassing traditional malware deployment methods, highlighting a shift in tactics.
Companies are advised to enhance awareness of remote hiring threats, as attackers can gain access to sensitive data and critical accounts through seemingly legitimate job offers.
Proactive internal measures and suspicious activity reporting are crucial to prevent potential compromises from escalating within organizations. | Details |
| 2025-12-02 15:02:05 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Scheme Exploits Engineers for Illicit Fundraising Operations | Security researchers uncovered a North Korean operation targeting engineers to rent identities for espionage and fundraising, linked to the Lazarus group's Famous Chollima unit.
The scheme involved deceiving recruiters to land jobs at major corporations using stolen identities, deepfake videos, and AI tools to avoid detection.
Legitimate engineers were recruited to act as figureheads, receiving a percentage of salaries while DPRK agents used their identities and devices for cover.
Researchers Eldritch and García set up a honeypot to study the operation, revealing tactics such as the use of Astrill VPN and AI-powered tools for job applications.
The operation involved multiple North Korean agents and highlighted the use of sophisticated techniques to infiltrate companies, posing significant risks to corporate security.
Insights from the investigation provide valuable intelligence for organizations to anticipate and defend against similar infiltration attempts.
The findings underscore the ongoing threat posed by North Korean cyber activities, emphasizing the need for robust identity and access management strategies. | Details |
| 2025-12-02 14:41:44 | bleepingcomputer | VULNERABILITIES | Google Releases December 2025 Android Security Bulletin Fixing 107 Flaws | Google addressed 107 vulnerabilities in its December 2025 Android security bulletin, including two zero-day flaws actively exploited in targeted attacks.
The two actively exploited flaws, CVE-2025-48633 (information disclosure) and CVE-2025-48572 (privilege escalation), are rated high severity and affect Android 13 through 16.
The bulletin suggests limited, targeted exploitation, potentially linked to commercial spyware or nation-state operations targeting high-interest individuals.
The most critical fix involves CVE-2025-48631, a denial-of-service flaw in the Android Framework, among 51 flaws addressed in the Android Framework and System components.
An additional 56 vulnerabilities were patched in the Kernel and third-party components, with critical fixes for elevation-of-privilege issues in Qualcomm-powered devices.
Samsung and other vendors have released their security bulletins, incorporating Google's updates and providing vendor-specific fixes.
Users on older Android versions are advised to update via Google Play system updates or consider newer devices for continued security support. | Details |
| 2025-12-02 14:18:23 | theregister | DATA BREACH | FTC Sanctions Illuminate Education for Massive Student Data Breach | The Federal Trade Commission (FTC) sanctioned Illuminate Education after a breach, carried out with a former employee's credentials, exposed the data of 10.1 million students.
The breach revealed sensitive information, including email and postal addresses, birth dates, and health-related data, stored in plain text until early 2022.
Illuminate Education had been alerted to security vulnerabilities as early as January 2020 but failed to implement necessary security measures.
The company delayed notifying some school districts of the breach, leaving 380,000 students uninformed for nearly two years.
As part of the settlement, Illuminate must implement a comprehensive information security program and adhere to a data retention schedule.
The FTC's action serves as a reminder to edtech companies of the importance of fulfilling privacy promises, especially concerning children's personal data.
No monetary penalty was imposed; the complaint and proposed order are open to 30 days of public comment before the Commission finalizes them. | Details |
| 2025-12-02 14:18:23 | thehackernews | MALWARE | Malicious npm Package Targets AI Security Tools with Deceptive Tactics | Cybersecurity researchers identified the npm package eslint-plugin-unicorn-ts-2, designed to manipulate AI-driven security scanners and evade detection by masquerading as a legitimate TypeScript extension.
The package, uploaded by "hamburgerisland" in February 2024, has been downloaded nearly 19,000 times, indicating a significant potential impact on developers and organizations using the npm registry.
The package embeds a prompt-injection string addressed to AI-based code review tools, and its post-install hook exfiltrates the host's environment variables to a Pipedream webhook.
The malicious code was first introduced in version 1.1.3, with the current version at 1.2.1, suggesting ongoing risk if not addressed by users and security teams.
The report frames the package within a broader trend: attackers are both targeting AI-assisted security tooling and using purpose-built malicious large language models to automate and scale attacks.
Those malicious AI tools still have limits, such as producing inaccurate code, but they lower the barrier for inexperienced attackers to run otherwise sophisticated campaigns.
Organizations should enhance monitoring of third-party packages and AI-based tools to mitigate risks posed by evolving cyber threats. | Details |
| 2025-12-02 14:01:36 | bleepingcomputer | CYBERCRIME | Sophisticated Phishing Campaign Targets Google and Facebook Accounts | A phishing campaign is impersonating major brands like Disney and MasterCard to steal Google Workspace and Facebook business account credentials.
Push Security discovered the campaign, which uses Calendly-themed lures to target ad manager accounts, enabling malvertising and other attacks.
The campaign leverages AI-crafted emails and fake landing pages, featuring CAPTCHA and AiTM phishing methods to capture login sessions.
Threat actors use the ad platforms' own geo-targeting and domain-filtering features to serve the lure only to chosen audiences, giving the campaign watering-hole-style precision.
Compromised accounts can lead to direct monetization or resale on cybercriminal markets, posing a significant risk to businesses.
Anti-analysis techniques, such as blocking VPN and proxy traffic, are employed to evade detection and analysis by security researchers.
Security experts recommend phishing-resistant authentication such as FIDO2 hardware security keys, whose credentials are bound to the legitimate site's origin and so cannot be relayed through an AiTM proxy, along with verifying URLs before entering credentials. | Details |
| 2025-12-02 13:39:16 | thehackernews | NATION STATE ACTIVITY | Iranian MuddyWater Group Targets Israeli Sectors with New Backdoor | Iranian group MuddyWater, linked to Iran's Ministry of Intelligence, has launched targeted attacks on Israeli sectors using a new backdoor named MuddyViper.
The sectors affected include academia, engineering, local government, manufacturing, technology, transportation, and utilities, with one Egyptian technology company also targeted.
The attacks utilize sophisticated phishing techniques and exploit known VPN vulnerabilities to deploy the MuddyViper backdoor and other tools.
MuddyViper enables attackers to collect system information, execute commands, transfer files, and exfiltrate credentials, supporting 20 covert access commands.
The campaign signifies an operational evolution, with new components like the Fooder loader enhancing stealth and persistence.
The attacks reflect MuddyWater's ongoing strategy of using custom malware and publicly available tools against critical infrastructure.
Recent disclosures also link Iranian APT42 to espionage campaigns, revealing a structured cyber-intelligence apparatus with hierarchical command structures. | Details |
| 2025-12-02 13:01:37 | bleepingcomputer | DATA BREACH | University of Pennsylvania Suffers Data Breach via Oracle Exploit | The University of Pennsylvania reported a data breach after attackers exploited a zero-day vulnerability in Oracle E-Business Suite, compromising personal information of 1,488 individuals.
The breach is linked to a broader extortion campaign by the Clop ransomware gang, targeting multiple organizations using Oracle EBS since August 2025.
Affected data includes names and personal identifiers, though no misuse or online leaks have been confirmed at this time.
The university is conducting a detailed investigation to assess the full scope and identify all affected individuals, with ongoing communication to those impacted.
Clop's campaign has also impacted other institutions, including Harvard and Princeton, raising concerns about security in higher education.
The U.S. State Department has offered a $10 million reward for information connecting Clop's attacks to a foreign government, highlighting the severity of these incidents.
The breach underscores the critical need for robust security measures and timely patch management to protect sensitive information against emerging threats. | Details |
| 2025-12-02 11:31:15 | thehackernews | VULNERABILITIES | SecAlerts Offers Cloud-Based Vulnerability Alerts Matched to a Software Inventory | SecAlerts is a cloud-based vulnerability alerting service that sends timely alerts for the specific software an organization lists, aimed at security teams tracking large software inventories.
It performs no network scans; instead it matches newly published vulnerabilities against the customer's listed software on the service's own systems and delivers alerts as they appear.
SecAlerts employs a three-component system—Stacks, Channels, and Alerts—allowing customized notifications and efficient dissemination of critical vulnerability data within organizations.
Businesses can filter alerts based on severity, exploit history, and other criteria, enhancing focus on critical threats and optimizing resource allocation.
The service supports integration with existing tools via API, enabling seamless incorporation into broader cybersecurity strategies and workflows.
SecAlerts offers flexible plans, including a free 30-day trial and promotional discounts, making it accessible to organizations of varying sizes and budgets.
The solution's real-time intelligence and risk analytics capabilities assist in identifying emerging threats, providing valuable insights for proactive cybersecurity measures. | Details |
| 2025-12-02 11:02:30 | thehackernews | NATION STATE ACTIVITY | Iranian MuddyWater Group Targets Israeli Sectors with MuddyViper Backdoor | Iranian nation-state actors, MuddyWater, have launched targeted attacks on Israeli sectors, deploying a new backdoor named MuddyViper, affecting academia, engineering, local government, and more.
The campaign also targeted an Egyptian technology firm, illustrating the group's broader regional focus beyond Israel.
Techniques include spear-phishing and exploitation of VPN vulnerabilities; MuddyViper supports system information collection, command execution, file transfer, and credential exfiltration.
The attack chain involves using legitimate remote desktop tools and a loader called Fooder to decrypt and execute the backdoor.
The Israel National Cyber Directorate reports MuddyWater's focus on local authorities, civil aviation, and telecommunications, posing a threat to critical infrastructure.
ESET's analysis indicates an evolution in MuddyWater's operational maturity, with new components enhancing stealth and persistence.
The campaign reflects ongoing geopolitical tensions and the strategic targeting of key sectors by Iranian cyber espionage groups. | Details |
| 2025-12-02 07:18:42 | thehackernews | VULNERABILITIES | Google Releases December 2025 Android Security Patch for 107 Flaws | Google has issued a security update for Android, addressing 107 vulnerabilities, including two high-severity flaws currently being exploited in the wild.
The vulnerabilities span multiple components such as Framework, System, and Kernel, with contributions from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.
Details on the nature of the attacks exploiting these vulnerabilities remain undisclosed, but Google notes potential limited, targeted exploitation.
A critical Framework vulnerability (CVE-2025-48631) could allow remote denial-of-service attacks without requiring additional execution privileges.
As usual for Android bulletins, the update carries two patch levels: 2025-12-01 covers the Framework and System fixes common to all Android devices, while 2025-12-05 additionally includes the Kernel and vendor-component fixes, so a device reporting the 2025-12-05 level has every fix in the bulletin.
Users are urged to update their devices promptly to mitigate potential risks associated with these vulnerabilities.
This release follows Google's recent efforts to patch actively exploited flaws in the Linux Kernel and Android Runtime, highlighting ongoing security challenges. | Details |
| 2025-12-02 03:26:26 | theregister | MISCELLANEOUS | India Mandates Pre-Installation of Anti-Fraud App on Smartphones | India has directed smartphone manufacturers to pre-install the "Sanchar Saathi" app on all devices sold in the country within 90 days to combat telecom fraud.
The app, developed by the Department of Telecommunications, enables users to report suspicious calls and messages, including those on platforms like WhatsApp.
Key features include blocking lost or stolen devices from accessing mobile networks and verifying handset authenticity through IMEI checks.
The initiative aims to enhance telecom security and address issues with spoofed or tampered IMEIs, prevalent in India's large second-hand mobile market.
Concerns have been raised about privacy, as the app can access call logs and messages, sharing data with the government when fraud is reported.
The directive reflects India's broader strategy of integrating government apps into daily life, similar to the Aadhaar identity service and the Unified Payments Interface.
Industry response is pending, though past regulatory pushes have seen resistance from tech companies, highlighting potential challenges in implementation. | Details |