The Cortex Protocol

@thecortexprotocol
🛡️ THE CORTEX PROTOCOL |
Daily cybersecurity intelligence & analysis
📺 Mission Log simulations
📚 LitRPG book series
🌐 thecortexprotocol.com

⚠️ WhatsApp STAC3150 Campaign Deploys Astaroth Banking Trojan

The STAC3150 threat actor is compromising WhatsApp accounts to distribute the Astaroth banking trojan via malicious links.

What's clever: they hijack legitimate accounts to abuse trust relationships—victims receive malware from known contacts. Astaroth uses fileless techniques and Living-off-the-Land binaries (LOLBins) to evade detection, making it persistent even in monitored environments. Sophos tracking shows this campaign specifically targets financial data and credentials across Latin America. The social engineering vector through compromised messaging apps bypasses most email security controls.

Source: Sophos

⚠️ DeepSeek Code Flaws Linked to Real-World Attacks and Exploitation

CrowdStrike reports that security flaws in code generated by DeepSeek AI are being exploited in active attacks.

🔴 CVE-2025-52493 - PagerDuty Cloud Runbook Exposes Secrets via Client-Side DOM

Praetorian found CVE-2025-52493 during Red Team work: PagerDuty Cloud Runbook sent full cleartext API keys and service credentials to the browser, protected only by HTML password field masking.

What's wild: authenticated admins could expose all stored secrets by changing `type="password"` to `type="text"` in dev tools—no exploit needed, just DOM manipulation. Classic client-side trust failure. PagerDuty patched it by implementing write-only updates with placeholders. Perfect example of "living off the land" attacks using legitimate interfaces.

Source: Praetorian
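The failure pattern above is a read endpoint that hands the browser the real secret and leaves masking to the form. The following is an added example, not PagerDuty's or Praetorian's code, of the vulnerable read handler beside the write-only-with-placeholder design the post says PagerDuty moved to. The secret store, service id and key value are constructed sample data; the handler names are hypothetical.

```javascript
// Added example (not from the original post or the vendor): two ways an admin
// API can serve a stored integration secret. The vulnerable version returns the
// cleartext value and relies on <input type="password"> masking in the UI; the
// hardened version returns only a placeholder and accepts new values write-only,
// so the browser never holds the stored secret at all.

const PLACEHOLDER = "••••••••"; // returned in place of any stored secret

// Constructed sample store of integration secrets (hypothetical data).
const secretStore = {
  "svc-pager": {
    apiKey: "sk_live_EXAMPLE_DO_NOT_USE",
    updatedAt: "2025-01-01T00:00:00Z",
  },
};

// Vulnerable pattern: the read endpoint returns the real secret and the UI
// merely renders it into a masked field. Anyone who can read the DOM reads it.
function vulnerableReadHandler(serviceId) {
  const rec = secretStore[serviceId];
  if (!rec) return { status: 404, body: {} };
  return { status: 200, body: { apiKey: rec.apiKey, updatedAt: rec.updatedAt } };
}

// Hardened pattern: the read endpoint never returns the secret, only whether
// one is set plus a placeholder the form can display.
function hardenedReadHandler(serviceId) {
  const rec = secretStore[serviceId];
  if (!rec) return { status: 404, body: {} };
  return {
    status: 200,
    body: { apiKey: PLACEHOLDER, isSet: true, updatedAt: rec.updatedAt },
  };
}

// Write-only update: submitting the untouched placeholder (or nothing) means
// "keep the existing value"; any other value replaces the secret. The response
// echoes nothing sensitive.
function hardenedUpdateHandler(serviceId, submittedValue, now) {
  const rec = secretStore[serviceId];
  if (!rec) return { status: 404, body: {} };
  if (submittedValue === PLACEHOLDER || submittedValue === "") {
    return { status: 200, body: { updated: false } };
  }
  rec.apiKey = submittedValue;
  rec.updatedAt = now;
  return { status: 200, body: { updated: true, updatedAt: now } };
}

// Defender's check: does a serialized response contain any stored secret?
// Suitable as a unit test on the handlers or as a response filter in front of
// an admin API.
function leaksStoredSecret(responseBody) {
  const serialized = JSON.stringify(responseBody);
  return Object.values(secretStore).some((rec) => serialized.includes(rec.apiKey));
}

// Stand-alone demo: the vulnerable read leaks, the hardened one does not.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable leaks:", leaksStoredSecret(vulnerableReadHandler("svc-pager").body));
  console.log("hardened leaks:  ", leaksStoredSecret(hardenedReadHandler("svc-pager").body));
}
```

The `leaksStoredSecret` check is the part worth keeping: run it over every admin-facing response in CI so that a future "just show the key in a masked field" change fails a test instead of shipping.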

⚠️ Salesforce Gainsight Token Abuse Enables Unauthorized Data Access

Salesforce is investigating unauthorized access via compromised Gainsight integration tokens—mirroring the SalesLoft and Drift breaches from earlier this year.

What's concerning: OAuth tokens for third-party apps grant persistent access to Salesforce data even after initial compromise is detected. The attack pattern is consistent: compromise the integration partner, pivot to Salesforce instances using legitimate API credentials. Same supply chain playbook we've seen repeatedly in SaaS ecosystems.

Source: Help Net Security

🚨 UNC2891 ATM Fraud Network Reveals Large-Scale Financial Operation

Group-IB uncovered UNC2891 operating a sophisticated ATM fraud network using CAKETAP and STEELCORGI malware.

What's brutal: they've built an entire money mule infrastructure to cash out compromised ATMs at scale. The operation involves coordinated physical and cyber components—malware infects ATM systems to dispense cash on command, while mule networks handle the withdrawals. This isn't opportunistic fraud; it's organized financial crime with military-level operational security. The group specifically targets ATMs in developing markets with weaker security controls.

Source: Infosecurity Magazine