Daily Brief

2025-11-20 17:05:30 thehackernews MALWARE Tsundere Botnet Targets Windows Users with Game-Themed Lures
The Tsundere botnet is actively expanding, targeting Windows users by executing arbitrary JavaScript code from a command-and-control server, according to Kaspersky's recent analysis. The botnet employs game-themed lures, such as Valorant and Counter-Strike 2, to entice users searching for pirated versions, potentially increasing its reach among gaming communities. Attackers utilize a legitimate Remote Monitoring and Management tool to download malicious MSI installer files, which install Node.js and execute botnet payloads. The malware ensures persistence by using the pm2 package to write to the registry, allowing it to restart upon system login and maintain activity on infected systems. The Tsundere botnet leverages the Ethereum blockchain to dynamically update its WebSocket C2 server addresses, enhancing its resilience and adaptability. Analysis reveals the botnet's infrastructure includes a control panel for managing botnets, facilitating the creation of new artifacts, and even hosting a marketplace for botnet transactions. Evidence suggests Russian-speaking origins, with the source code containing Russian language and restrictions on targeting Russia and CIS countries, indicating possible geopolitical motivations. The presence of the 123 Stealer on the same server, offered on a subscription basis, suggests a broader malicious ecosystem supporting various cybercriminal activities.
2025-11-20 16:50:15 theregister CYBERCRIME Ex-Contractor's Sabotage Causes Major Disruption and Financial Loss
An Ohio IT contractor, Maxwell Schultz, pleaded guilty to sabotaging his former employer's network after his termination, causing $862,000 in damages. Schultz gained access to the company's systems by impersonating another contractor, then reset 2,500 passwords and locked out thousands of employees and contractors. The incident significantly disrupted operations, hurting employee productivity and customer service and necessitating costly remediation efforts. Schultz used a PowerShell script to carry out the attack and attempted to cover his tracks by deleting system logs and clearing PowerShell event logs. The attack occurred on May 14, 2021; Schultz faces up to ten years in prison and a $250,000 fine, with sentencing scheduled for January 30, 2026. Insider threats remain a persistent challenge for organizations, with similar cases reported across various sectors, highlighting the need for robust insider threat management. The affected company, reportedly Houston-based Waste Management, exemplifies the ongoing risks posed by malicious insiders in today's digital landscape.
2025-11-20 16:50:14 bleepingcomputer DATA BREACH Salesforce Investigates Data Theft Linked to Gainsight Breach
Salesforce is investigating a data breach involving Gainsight-published applications, which may have enabled unauthorized access to certain customers' Salesforce data. The breach does not originate from Salesforce's CRM platform but is linked to external connections via Gainsight applications. In response, Salesforce revoked all active access and refresh tokens associated with Gainsight applications and temporarily removed them from the AppExchange. Impacted customers have been notified, and Salesforce has advised them to contact the Salesforce Help team for further assistance. The incident is reminiscent of the 2025 Salesloft breach, where the Scattered Lapsus$ Hunters group accessed sensitive data from Salesforce instances. ShinyHunters claims to have accessed 285 Salesforce instances through secrets stolen in the Salesloft breach, affecting numerous high-profile companies. Gainsight confirmed the breach involved stolen OAuth tokens, compromising business contact details and support case contents. The ongoing investigation aims to prevent further unauthorized access and ensure the security of Salesforce's customer data.
2025-11-20 16:07:25 theregister MISCELLANEOUS TP-Link Files Lawsuit Against Netgear Over Alleged Smear Campaign
TP-Link has initiated legal proceedings against Netgear, alleging a smear campaign that falsely linked TP-Link to Chinese government infiltration, damaging its reputation in the U.S. market. The lawsuit, filed in Delaware, claims Netgear violated a previous agreement by spreading misleading information about TP-Link, affecting its business operations and market perception. TP-Link seeks damages for commercial disparagement, defamation, and breach of contract, citing a $135 million settlement with Netgear in 2024 as part of the violated agreement. The complaint includes exhibits from Netgear's earnings calls, where TP-Link alleges false statements were made regarding its security posture and ties to Chinese state-sponsored cyber activities. TP-Link asserts its U.S. incorporation and operations, emphasizing its California headquarters and local workforce, countering claims of being a national security risk. Netgear has responded to the lawsuit, declaring the allegations unfounded and stating intentions to address the claims through legal channels. The case draws attention to competitive tensions in the networking industry and the impact of national security concerns on corporate reputations.
2025-11-20 15:59:40 bleepingcomputer VULNERABILITIES SonicWall Urges Patching of Critical SonicOS SSLVPN Vulnerability
SonicWall has identified a critical vulnerability, CVE-2025-40601, in its SonicOS SSLVPN service, which could allow remote attackers to crash Gen8 and Gen7 firewalls. The vulnerability is a stack-based buffer overflow that could lead to a denial-of-service (DoS) attack, though no active exploitation has been reported. SonicWall's Gen6 firewalls and certain SSL VPN products are not affected by this vulnerability, reducing the potential impact on some users. The company recommends immediate patching or disabling of the SSLVPN service to mitigate risks, especially for those unable to deploy updates promptly. Additional vulnerabilities, CVE-2025-40604 and CVE-2025-40605, have been patched in SonicWall's Email Security appliances, addressing risks of arbitrary code execution and unauthorized data access. Recent incidents include a state-sponsored breach exposing firewall configurations and a firmware update to counteract OVERSTEP rootkit malware in SMA 100 devices. SonicWall's proactive advisories and patches aim to strengthen defenses against potential exploitation and enhance overall network security.
2025-11-20 15:39:04 bleepingcomputer VULNERABILITIES D-Link DIR-878 Routers Expose Users to Remote Command Execution Risks
D-Link has issued a warning about three remote command execution vulnerabilities in its DIR-878 routers, which have reached end-of-life status. Despite the device's discontinuation in 2021, it remains available in several markets, with prices ranging from $75 to $122. Technical details and proof-of-concept exploit code for these vulnerabilities have been released by a researcher, raising potential security concerns. D-Link advises replacing the DIR-878 with a supported product, as no security updates will be provided for this model. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has rated these vulnerabilities with a medium-severity score. Publicly available exploits often attract threat actors, including botnet operators, who may integrate these vulnerabilities into their attack strategies. The RondoDox botnet, known for using numerous flaws, and the Aisuru botnet, which recently launched a significant DDoS attack, exemplify the potential risks.
2025-11-20 15:24:04 bleepingcomputer VULNERABILITIES Windows 11 Migration Offers Strategic Opportunity for Enhanced Security
With Windows 10 support ending in October 2025, businesses face critical decisions regarding operating system upgrades and security implications. Windows 11 migration presents a chance to evaluate and improve overall cybersecurity posture, addressing potential vulnerabilities in legacy systems. Microsoft offers Extended Security Updates for Windows 10 until October 2026, but managing these can be complex and costly for businesses. Unpatched vulnerabilities remain a significant threat vector, particularly for managed service providers, emphasizing the need for timely OS upgrades. Transitioning to Linux or other alternatives is impractical for most businesses due to complexity and potential security challenges. Organizations are encouraged to use the migration to Windows 11 as a catalyst for comprehensive data backup and disaster recovery planning. The Acronis Threat Research Unit identifies unpatched systems as a leading risk, urging proactive measures during OS transitions.
2025-11-20 14:49:04 theregister DATA BREACH PowerSchool Data Breach Exposes Millions Due to Oversight Failures
The PowerSchool breach in December 2024 exposed personal data of approximately 3.86 million Ontarians and over 700,000 Albertans, affecting students and staff across multiple school boards. Privacy commissioners from Ontario and Alberta identified inadequate contractual, security, and oversight measures by school boards as significant contributors to the breach's impact. Attackers exploited compromised credentials to access PowerSchool's systems, subsequently exfiltrating entire student and educator database tables, causing widespread data exposure. PowerSchool had previously paid a ransom, believing the data was deleted, but extortionists later targeted individual school districts, indicating the data was not erased. Reports criticized school boards for failing to implement mandatory privacy clauses, proper vendor oversight, and multi-factor authentication, amplifying the breach's severity. The breach underscores the critical need for coordinated sector-wide efforts to enhance contract negotiations, oversight, and compliance with privacy laws among educational institutions. The incident serves as a cautionary tale about the risks of dependency on third-party platforms without adequate responsibility and control measures in place.
2025-11-20 13:39:22 bleepingcomputer CYBERCRIME Major TV Piracy Service Shuttered After Joint Investigation
Photocall, a TV piracy platform with 26 million annual visits, was shut down following a probe by the Alliance for Creativity and Entertainment (ACE) and DAZN. The service provided unauthorized access to 1,127 TV channels from 60 countries, including popular sports content like MotoGP and Formula 1. Spain accounted for nearly 30% of Photocall's traffic, with significant user bases in Mexico, Germany, Italy, and the United States. Photocall operators agreed to cease operations and transferred all domains to ACE, redirecting them to ACE's Watch Legally website. The shutdown is part of a broader Europol-coordinated effort targeting digital piracy, linking $55 million in cryptocurrency to illegal streaming activities. ACE, comprising over 50 media firms, collaborates with global law enforcement to dismantle illegal streaming networks, impacting services like Rare Breed TV and Streameast. These actions reflect ongoing efforts to protect intellectual property and reduce financial losses in the entertainment industry.
2025-11-20 12:33:43 thehackernews NATION STATE ACTIVITY MI5 Warns of Chinese Espionage via LinkedIn Recruitment Tactics
The UK's MI5 has alerted lawmakers to Chinese espionage efforts using LinkedIn to recruit and cultivate relationships with political and economic figures. Chinese operatives allegedly use LinkedIn profiles for outreach, aiming to gather intelligence and establish long-term connections. Targets include parliamentary staff, economists, think tank consultants, and government officials, indicating a broad and strategic approach. The Chinese embassy in the UK has dismissed these accusations as fabrications, highlighting ongoing diplomatic tensions. The warning aligns with global concerns about social media platforms being exploited for espionage activities. This development underscores the need for heightened awareness and security measures among professionals using networking platforms.
2025-11-20 11:46:55 theregister VULNERABILITIES Surge in Malicious Traffic Targets Palo Alto GlobalProtect Endpoints
A significant increase in malicious traffic targeted Palo Alto Networks' GlobalProtect portals, with activity surging nearly 40-fold in just 24 hours, raising concerns about potential vulnerabilities. GreyNoise reported approximately 2.3 million sessions aimed at the "global-protect/login.esp" endpoint, with the majority originating from AS200373, a network based in Germany. The activity was widespread, impacting GlobalProtect systems in the US, Mexico, and Pakistan, suggesting a broad, opportunistic scanning effort rather than a targeted attack. GreyNoise identified recurring TCP and JA4t signatures, linking the activity to known threat actors involved in previous campaigns against Palo Alto products. Historical patterns indicate that such spikes often precede vulnerability disclosures, though no specific CVE has been identified in connection with this surge. GreyNoise has released a dedicated blocklist to help organizations mitigate potential threats, advising increased vigilance and the implementation of access controls and anomaly detection. While no exploit has been confirmed, organizations are advised to prepare for possible escalation by tightening security measures on exposed GlobalProtect login portals.
2025-11-20 11:31:29 thehackernews CYBERCRIME CTM360 Unveils Global WhatsApp Hijacking Campaign: HackOnChat Threat
CTM360 has identified a global WhatsApp hacking campaign, HackOnChat, targeting users through deceptive authentication portals and impersonation pages. The campaign exploits WhatsApp's web interface with social engineering tactics, leading to compromised user accounts worldwide. Thousands of malicious URLs are hosted on inexpensive domains, rapidly deployed using modern website-building platforms for wide-scale attacks. HackOnChat primarily uses session hijacking and account takeover techniques to gain unauthorized access to WhatsApp accounts. Attackers use fake security alerts and lookalike portals to deceive users into surrendering authentication keys. Compromised accounts are exploited to target victim contacts, often requesting money or sensitive information under false pretenses. The campaign has seen a significant surge in activity across the Middle East and Asia, indicating a growing threat landscape. HackOnChat underscores the ongoing effectiveness of social engineering, leveraging familiar interfaces to exploit human trust.
2025-11-20 11:08:39 thehackernews MALWARE New Sturnus Trojan Threatens Android Users with Advanced Capabilities
Cybersecurity researchers have identified the Sturnus Android trojan, which targets customers of financial institutions in Southern and Central Europe for credential theft and device hijacking. Sturnus can bypass encrypted messaging by capturing decrypted content directly from the device screen, affecting apps like WhatsApp, Telegram, and Signal. The trojan employs overlay attacks with fake login screens to harvest credentials from banking apps and uses accessibility services to monitor user interactions. Using a mixed communication pattern, Sturnus contacts remote servers via WebSocket and HTTP to receive encrypted payloads and to allow remote device control. Its ability to mimic Android update screens and block uninstallation attempts makes it difficult for users to detect and remove. Sturnus is currently in an evaluation stage with limited spread, suggesting the attackers are refining their tactics for potentially larger-scale operations. The threat actor's focus on high-value applications and targeted geographic regions indicates a strategic approach to financial fraud.
2025-11-20 10:51:40 bleepingcomputer CYBERCRIME Crypto Mixer Founders Imprisoned for Laundering Over $237 Million
Keonne Rodriguez and William Lonergan Hill, founders of Samourai Wallet, received prison sentences for laundering over $237 million through their cryptocurrency mixing service. Rodriguez was sentenced to five years, while Hill received a four-year sentence; both face additional fines and supervised release. The duo operated an unlicensed money-transmitting business and pleaded guilty to money laundering charges, agreeing to forfeit over $237 million in criminal proceeds. Icelandic authorities seized Samourai's servers and domains, while Google removed its app from the Play Store, disrupting its operations. Samourai's features, "Whirlpool" and "Ricochet," were designed to obscure Bitcoin transactions, facilitating illicit activities linked to drug trafficking and cybercrime. The service processed over $2 billion in illegal funds, generating approximately $4.5 million in fees for the founders. The case underscores the ongoing challenge of regulating cryptocurrency services to prevent their misuse in criminal enterprises.
2025-11-20 10:04:18 bleepingcomputer MALWARE New Android Trojan Sturnus Targets Encrypted Messaging and Banking Apps
Sturnus, an advanced Android banking trojan, intercepts messages from encrypted apps like Signal, WhatsApp, and Telegram, posing a significant threat to user privacy. The malware is capable of full device takeover, utilizing region-specific overlays to target financial accounts across Europe. Sturnus communicates with its command-and-control server using a combination of plaintext, RSA, and AES encryption, enhancing its operational security. It exploits Android's Accessibility services to read on-screen text, capture user inputs, and control the device remotely, bypassing traditional security measures. The malware disguises itself as legitimate applications like Google Chrome, complicating detection and removal efforts. ThreatFabric's research indicates low-volume targeting in Southern and Central Europe, suggesting ongoing testing before potential broader deployment. Users are advised to download apps only from trusted sources, maintain active security features like Play Protect, and limit Accessibility permissions to mitigate risk.