Morning, cyber pros! ☕ It's been a slightly quieter 24 hours, but we've still got some critical updates to chew on, from a dominant threat actor exploiting Ivanti RCEs to North Korean fake recruiters and a low-tech crypto phishing scam. Let's dive in:

Ivanti RCE Exploitation Dominance ⚠️
- A single threat actor, using bulletproof infrastructure from IP 193.24.123.42, is behind 83% of recent active exploitation attempts targeting two critical Ivanti EPMM RCE vulnerabilities (CVE-2026-21962 and CVE-2026-24061).
- This IP address is not widely published in IOC lists, meaning many defenders might be missing the primary source of these automated attacks, which also target Oracle WebLogic and GNU Inetutils Telnetd.
- Ivanti has released hotfixes and recommends using specific RPM packages or, for the most conservative approach, rebuilding EPMM instances and migrating data until full patches are available in Q1.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/one-threat-actor-responsible-for-83-percent-of-recent-ivanti-rce-attacks/

Lazarus Group's Fake Job Scams 🕵️
- North Korean threat actors, likely the Lazarus Group, are targeting JavaScript and Python developers with fake job offers that include malicious coding challenges.
- These challenges trick developers into installing compromised packages from npm and PyPi (dubbed 'Graphalgo'), which then deploy a sophisticated Remote Access Trojan (RAT) capable of exfiltrating files and checking for MetaMask installations.
- Developers who may have installed packages like 'bigmathutils' or those with 'graph' or 'big' in their name from suspicious sources should immediately rotate all credentials, tokens, and consider a full OS reinstall.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/

Crypto Wallet Phishing via Snail Mail ✉️
- Threat actors are employing a rare physical phishing tactic, sending fake letters impersonating Trezor and Ledger to trick hardware wallet users into revealing their recovery phrases.
- The letters create urgency, claiming mandatory "Authentication Checks" or "Transaction Checks" and directing users to scan QR codes that lead to sophisticated phishing websites designed to steal 12-, 20-, or 24-word seed phrases.
- Remember: reputable hardware wallet manufacturers will NEVER ask you to enter your recovery phrase on a website or computer; it should only be entered directly on the device itself during restoration.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks/

#CyberSecurity #ThreatIntelligence #Vulnerability #RCE #Ivanti #LazarusGroup #APT #Malware #RAT #Phishing #SocialEngineering #CryptoSecurity #InfoSec #IncidentResponse

The “Graphalgo” campaign represents a modular software supply-chain intrusion targeting developers directly.

Per ReversingLabs findings:
• 192 malicious npm/PyPI packages
• Delayed payload activation (post-version change)
• GitHub repos clean — malicious logic introduced via dependency chain
• RAT variants in JS, Python, VBS
• MetaMask wallet targeting
• Token-protected C2 channels
• GMT+9 commit indicators

Attribution aligns with historical tradecraft associated with Lazarus Group:
Crypto-focused targeting
Recruitment vector infection
Patience-based staged activation

This is a direct developer-layer attack bypassing enterprise perimeter defenses.

Source: https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/

Are dependency registries the new primary attack surface?
Engage below.

Follow @technadu for advanced threat analysis.

#ThreatIntel #SupplyChainSecurity #MalwareAnalysis #RAT #OpenSourceSecurity #DevSecOps #LazarusGroup #PackageSecurity #AppSec #BlueTeam #CyberThreats #IoC #Infosec

📰 North Korean Hackers Lure Developers with Fake Job Interviews, Backdoor macOS via VS Code

North Korean hackers' 'Contagious Interview' campaign targets macOS developers using malicious VS Code projects on GitHub. Fake job offers lead to backdoors via trusted IDE features. 👨‍💻⚠️ #LazarusGroup #macOS #InfoSec #SupplyChain

🔗 https://cyber.netsecops.io/articles/north-korean-contagious-interview-campaign-weaponizes-vs-code-projects/?utm_source=mastodon&utm_medium=socia…

RE: https://social.troll.academy/@mushu/115937976404644181

https://runjak.codes/posts/2026-01-21-adversarial-coding-test/

Seems really similar to a recently reported variant of a North Korean state aligned campaign, ContagiousInterview. They've moved to VS Code tasks now

cc @lazarusholic

https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code/
https://opensourcemalware.com/blog/contagious-interview-vscode

#DPRK #ContagiousInterview #lazarus #LazarusGroup #FamousChollima

"Researchers Capture Lazarus APT's Remote-Worker Scheme Live on Camera"

#CyberSecurity #LazarusGroup #LaptopFarms #ITrecruitment #Pattern ... https://thehackernews.com/2025/12/researchers-capture-lazarus-apts-remote.html

You fail to realize you are on a honeypot.

https://any.run/cybersecurity-blog/lazarus-group-it-workers-investigation/

#LazarusGroup #SituationalAwareness

North Korea lures engineers to rent identities in fake IT worker scheme
#NorthKorea #LazarusGroup #dprk

https://www.bleepingcomputer.com/news/security/north-korea-lures-engineers-to-rent-identities-in-fake-it-worker-scheme/

Alright cyber pros, it's been a pretty packed 24 hours! We've got major data breaches impacting millions, new insights into nation-state tactics, a huge takedown of a crypto mixer, and a stark warning about the security implications of agentic AI browsers. Let's dive in:

Major Data Breaches Unfold ⚠️
- South Korean e-commerce giant Coupang, often dubbed the "Amazon of Korea," confirmed a data breach impacting 33.7 million customers, over half the country's population. Exposed data includes names, emails, phone numbers, addresses, and order history, with local reports suggesting a former Chinese employee used unrevoked access tokens.
- The French Football Federation (FFF) also reported a breach of its member management software via a compromised account, exposing personal details like names, gender, DOB, nationality, and contact info for an undisclosed number of its 2.2 million members.
- The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, pushing a malicious update that included a hidden library for device fingerprinting and remote configuration. Users are urged to revert to older, safe builds and reset Google account passwords.

🗞️ The Record | https://therecord.media/coupang-south-korea-data-breach
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/coupang_breach/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/retail-giant-coupang-suffers-data-breach-impacting-337-million-people/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/french_football_federation_breach/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/

Nation-State Actors Evolve Tactics 🕵🏼
- North Korea's Lazarus Group is accused by South Korean officials of stealing $30 million from the Upbit cryptocurrency exchange, using tactics similar to a 2019 attack. The group allegedly impersonated administrators to transfer funds, prompting Upbit to suspend services and move assets to cold storage.
- The Tomiris APT, linked to Kazakhstan-based Storm-0473, is increasingly leveraging public services like Telegram and Discord for command-and-control (C2) in attacks targeting government entities and foreign ministries across Central Asia and Russia. This shift aims to blend malicious traffic with legitimate activity, making detection harder.
- Leaked documents, analysed by Iranian opposition activist Nariman Gharib, allegedly link Iran's "Charming Kitten" (APT35) to assassination operations, suggesting compromised airline, hotel, and medical databases are used to locate regime enemies.

🗞️ The Record | https://therecord.media/officials-accuse-north-korea-hackers-of-attack-on-crypto-exchange
📰 The Hacker News | https://thehackernews.com/2025/12/tomiris-shifts-to-public-service.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/

Malicious Browser Extensions Run Rampant 🛡️
- A seven-year-long "ShadyPanda" campaign infected over 4.3 million Chrome and Edge users through 145 seemingly legitimate browser extensions that later pushed malware-laden updates. These extensions evolved from affiliate fraud and search hijacking to deploying remote code execution (RCE) backdoors and spyware.
- The RCE backdoor checks for new instructions hourly, executing arbitrary JavaScript with full browser API access, while spyware components exfiltrate extensive user data including browsing history, keystrokes, and sensitive identifiers to Chinese servers.
- Despite Google removing some, several extensions with millions of installs remain active on the Microsoft Edge Add-ons platform, highlighting a critical gap in ongoing marketplace security reviews post-approval.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/

AI Browsers: A New Security Nightmare 🧠
- The emergence of "agentic" AI browsers, like OpenAI's ChatGPT Atlas, is transforming browsers from passive tools into autonomous AI agents that can perform actions on behalf of users.
- These agents require maximum privileges, including access to session cookies, credentials, and payment details, creating an unprecedented attack surface and bypassing traditional "human-in-the-loop" safeguards and MFA.
- Prompt injection is a significant risk, where hidden text can command the AI to exfiltrate data, and traditional security tools often miss these threats due to a "session gap" where actions occur locally within the browser.

📰 The Hacker News | https://thehackernews.com/2025/12/webinar-agentic-trojan-horse-why-new-ai.html

Data Privacy Under Scrutiny 🔒
- Switzerland's data protection officers (Privatim) have advised public bodies to avoid hyperscale clouds and SaaS, specifically Microsoft 365, for sensitive data due to a lack of true end-to-end encryption, exposure to the US CLOUD Act, and providers' ability to unilaterally change terms.
- Exercise-tracking app Strava is updating its terms of service to require users to accept all risks associated with geolocation features, following past incidents where user data revealed sensitive locations like military bases.
- Edtech provider Illuminate Education settled with the FTC over a 2021 data breach affecting 10.1 million students, with allegations of poor security practices, deceptive claims, and delayed breach notifications (up to two years for some).

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/
🗞️ The Record | https://therecord.media/illuminate-education-data-breach-settlement-ftc

Regulatory Actions and Government Directives 📜
- Singapore's Ministry of Home Affairs has issued directives to Google and Apple, requiring them to prevent fake government messages and spoofed sender names on iMessage and Google Messages, with significant fines for non-compliance.
- Russia's Roskomnadzor has imposed "restrictive measures" on WhatsApp, citing violations of Russian law and its alleged use for terrorism, crime, and espionage, urging users to switch to domestic alternatives and threatening a full block.
- The Israel Defense Forces (IDF) is reportedly banning Android smartphones for top brass, standardising on iOS devices to reduce exposure to surveillance via social media apps.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/asia_tech_news_roundup/
🗞️ The Record | https://therecord.media/russia-whatsapp-restrictions
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/

Law Enforcement Strikes Back 🚨
- A major cryptocurrency mixing service, Cryptomixer, was taken down by Swiss and German law enforcement in "Operation Olympia," seizing three servers, its domain, and €24-29 million in Bitcoin. The service allegedly laundered over €1.3 billion for cybercriminals since 2016.
- South Korean police arrested four individuals for compromising over 120,000 IP cameras, with some suspects creating and selling sexually exploitative videos from intimate locations by exploiting weak passwords.
- In Australia, a man was jailed for over seven years for using "evil twin" Wi-Fi traps at airports and on flights to steal credentials and intimate material, while in the UK, a man received a 6.5-year sentence for operating a dark web drug empire.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/police-takes-down-cryptomixer-cryptocurrency-mixing-service/
🗞️ The Record | https://therecord.media/cryptomixer-service-takedown-bitcoin-seized
🤫 CyberScoop | https://cyberscoop.com/cryptomixer-takedown-seizure-europol/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/cybercrime_arrests_roundup/

Developer Secrets Exposed 🔑
- A security engineer scanned 5.6 million public GitLab repositories and discovered 17,000 verified live secrets, including over 5,000 Google Cloud credentials, 2,000+ MongoDB credentials, and numerous OpenAI, AWS, and Telegram bot tokens.
- The scan, costing about $770 and completed in 24 hours, found GitLab had a 35% higher density of leaked secrets per repository compared to Bitbucket, highlighting a pervasive issue of exposed credentials in public code.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/

Teen Cybercrime: Just a Phase? 📊
- A Dutch government report suggests that most adolescent cybercriminals tend to desist from offending by the age of 20, similar to other types of youth crime.
- The study indicates that only about four percent of those who start a "black hat" career maintain it into adulthood, often driven by technological curiosity and skill-building rather than financial gain.
- The report highlights the challenge of quantifying the specific social cost of cybercrime due to a lack of longitudinal data and its rapidly evolving nature, though overall adolescent crime costs the Netherlands €10.3 billion annually.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/dutch_study_teen_cybercrime/

#CyberSecurity #ThreatIntelligence #DataBreach #APT #LazarusGroup #Tomiris #ShadyPanda #Malware #BrowserExtensions #RCE #AI #AgenticAI #DataPrivacy #RegulatoryCompliance #LawEnforcement #CryptoMixer #Cybercrime #InfoSec #IncidentResponse

one of the largest crypto #defi protocols #Balancer is currently being robbed, $88 million stolen and counting. it will probably turn out to be #NorthKorea (because it's almost always north korea) but TBD.

one of the fun things about crypto is that when someone robs a bank you can watch the getaway car drive away just by clicking on some links in a blockchain explorer.

[edit] details of the bug that was exploited if you’re into that kind of thing: https://x.com/moo9000/status/1985262739493687351

[edit] ended up being a ~$130 million heist.

#DPRK #hack #hacking #infosec #threatintel #cybersecurity #cryptocurrency #crypto #ethereum #LazarusGroup

Alright team, it's been a pretty active 24 hours! We've got a mix of ongoing breaches, some serious nation-state activity, critical vulnerabilities under active exploitation, and a look at how we need to adapt our defensive strategies. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- Toys R Us Canada confirmed a data breach where customer names, addresses, phone numbers, and emails were stolen and dumped online. While no passwords or credit card details were involved, this PII is ripe for follow-up phishing or identity fraud.
- Russia's food safety agency, Rosselkhoznadzor, was hit by a DDoS attack that severely disrupted food shipments across the country by taking down critical electronic certification systems. This highlights the real-world impact of attacks on essential services.
- Amazon's recent 14-hour AWS outage in the US-EAST-1 region was caused by a latent race condition in DynamoDB's DNS management system, which accidentally deleted IP addresses for the service's regional endpoint, causing cascading failures.
- LastPass users are being targeted by the CryptoChameleon phishing group (UNC5356) using fake death claims to trick individuals into initiating the inheritance process and entering their master passwords or passkeys on fraudulent sites.
- A former general manager of US defence contractor L3Harris's cyber arm, Peter Williams, has been charged with selling seven trade secrets, potentially including offensive cyber capabilities, to a Russian buyer for $1.3 million, underscoring the persistent insider threat.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/toys-r-us-canada-warns-customers-info-leaked-in-data-breach/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/23/toysrus_canada_data_leak/
🗞️ The Record | https://therecord.media/russia-food-safety-agency-rosselkhoznadzor-ddos-attack
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/technology/amazon-this-weeks-aws-outage-caused-by-major-dns-failure/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-lastpass-death-claims-used-to-breach-password-vaults/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/24/former_l3harris_cyber_director_charged/

Vulnerabilities Under Active Exploitation & Zero-Days 🛡️

- Microsoft has released emergency out-of-band patches for a critical Windows Server Update Service (WSUS) RCE flaw (CVE-2025-59287) that is now under active exploitation. This vulnerability allows unauthenticated attackers to execute code with SYSTEM privileges and is potentially wormable. Patch immediately if you have the WSUS Server Role enabled.
- Pwn2Own Ireland 2025 saw security researchers exploit 73 zero-day vulnerabilities across various devices, including smartphones, NAS, and smart home tech, earning over $1 million. This highlights the ongoing discovery of critical flaws before they hit the wild.
- HP pulled a faulty OneAgent software update (v1.2.50.9581) for Windows 11 AI PCs that mistakenly deleted Microsoft Entra ID "MS-Organization-Access" certificates, disconnecting devices from cloud environments. Affected devices require a manual recovery process.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/microsoft-releases-windows-server-emergency-updates-for-critical-wsus-rce-flaw/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-wsus-flaw-in-windows-server-now-exploited-in-attacks/
🚨 The Hacker News | https://thehackernews.com/2025/10/microsoft-issues-emergency-patch-for.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-earn-1-024-750-for-73-zero-days-at-pwn2own-ireland/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/hp-pulls-faulty-update-that-broke-microsoft-entra-id-auth-on-ai-pcs/

New Threat Research on Threat Actors, Malware, and Tradecraft 🕵🏼

- North Korea's Lazarus Group (Operation DreamJob) is actively targeting European companies involved in drone development and military equipment manufacturing. They use fake job offers with trojanized PDFs to deploy the ScoringMathTea RAT, aiming to steal UAV manufacturing know-how.
- Iran's MuddyWater (APT34) has breached over 100 government entities, embassies, ministries, and telecom providers across the Middle East and North Africa. The campaign uses compromised enterprise mailboxes and NordVPN to send phishing emails with weaponised Word attachments that deploy the "Phoenix" backdoor.
- Check Point uncovered a "YouTube Ghost Network" that has published over 3,000 malicious videos since 2021, using hacked accounts to distribute infostealer malware (Lumma, Rhadamanthys, StealC, RedLine, Phemedrone) disguised as pirated software and game cheats.
- The "Smishing Triad," a China-linked group, is behind a massive global smishing campaign involving over 194,000 malicious domains since January 2024. They impersonate various services (USPS, toll services, banks) to steal credentials, with some attacks targeting brokerage accounts for "ramp and dump" stock manipulation.
- A researcher demonstrated an "indirect prompt injection" attack on Microsoft 365 Copilot, using Mermaid diagrams to trick the AI into exfiltrating sensitive tenant data like emails. Microsoft has patched the vulnerability, though it was deemed out-of-scope for a bug bounty.

🤫 CyberScoop | https://cyberscoop.com/north-korea-lazarus-attacks-drone-companies/
🗞️ The Record | https://therecord.media/north-korea-hackers-target-europe-drone-makers
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/24/iran_muddywater_campaign/
🚨 The Hacker News | https://thehackernews.com/2025/10/3000-youtube-videos-exposed-as-malware.html
🚨 The Hacker News | https://thehackernews.com/2025/10/smishing-triad-linked-to-194000.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/24/m365_copilot_mermaid_indirect_prompt_injection/

Threat Landscape Commentary 🌍

- An op-ed highlights that nation-state actors like Salt Typhoon are shifting attacks to network perimeters, exploiting old, unpatched, or end-of-life devices (routers, VPNs, firewalls) as endpoints become harder targets. It stresses the need for proactive cyber resilience, rigorous asset management, and assuming breach.
- US National Cyber Director Sean Cairncross emphasised the need for the US to counter China's "surveillance state export" and promote a "clean American tech stack" globally. He criticised China's cyber behaviour, particularly targeting critical infrastructure, and called for strategic stability in the cyber domain.

🤫 CyberScoop | https://cyberscoop.com/proactive-cyber-defense-forgotten-devices-op-ed/
🤫 CyberScoop | https://cyberscoop.com/national-cyber-director-says-u-s-needs-to-counter-chinese-surveillance-push-american-tech/

Data Privacy 🔒

- Mozilla will require Firefox extension developers to disclose their data collection and sharing practices in the manifest.json file, starting November 3, 2025, for new extensions and by H1 2026 for all. This aims to provide users with clear transparency and control over their data.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/software/mozilla-new-firefox-extensions-must-disclose-data-collection-practices/

Regulatory Issues or Changes ⚖️

- The International Counter Ransomware Initiative (CRI), now with 61 member countries, has issued new guidance stressing the importance of improving software supply chain resilience against ransomware. This follows significant supply chain attacks and aims to promote better cyber hygiene and risk assessment practices.

🗞️ The Record | https://therecord.media/counter-ransomware-initiative-software-supply-chain-guidance

#CyberSecurity #ThreatIntelligence #IncidentResponse #Vulnerabilities #ZeroDay #RCE #APT #NationState #Phishing #Malware #DataBreach #SupplyChainSecurity #DataPrivacy #AWS #WSUS #LastPass #LazarusGroup #MuddyWater #Smishing