If this had been a security drill, someone would have said it had gone too far. But it wasn’t a drill; it was the real thing. Access? Everything looked normal. Tools? Easy to find. Detection? It came too late.
This is how attacks unfold now. Defenders don’t just chase hackers; they struggle to trust what their own systems are telling them.
The problem is not too few alerts. It is too many, with no clear meaning. One thing is clear: if your defense is still waiting for obvious signs, you are not protecting anything. You are just watching it happen.
This summary highlights the key moments of the week and why they deserve your attention.
⚡This week’s threat
APT41 abuses Google Calendar for command and control – The China-nexus threat actor known as APT41 has deployed a malware called ToughProgress that uses Google Calendar for command and control (C2). Google said it observed a spear-phishing campaign in October 2024 in which the malware was hosted on unspecified, compromised government websites. ToughProgress reads and writes events in an attacker-controlled Google Calendar, extracts the commands embedded in those events, and executes them. The results of execution are written back into another calendar event that the attacker can read. The campaign targeted several other government agencies, but the company did not reveal which ones were singled out.
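As an added, defender-side illustration (not code from Google’s report or from the malware), the Python script below scans Google Calendar-style event records for the kind of residue a calendar-based C2 channel leaves behind: long, opaque base64 descriptions with high entropy, sitting in otherwise empty, zero-duration events. The sample events, the thresholds and the `flag_suspicious_events` function are all constructed for this example; in practice the input would be events exported from your tenant’s calendar API or audit logs.

```python
import base64
import math
import random
import re
from typing import Dict, List, Tuple

# Constructed opaque blob: seeded pseudo-random bytes in base64, standing in
# for an encrypted tasking message.  Not a real ToughProgress artefact.
_OPAQUE = base64.b64encode(random.Random(1234).randbytes(180)).decode()

# Constructed events shaped like Google Calendar API event resources (trimmed).
SAMPLE_EVENTS: List[Dict] = [
    {"id": "evt-001", "summary": "Team sync",
     "description": "Weekly status meeting, bring your updates.",
     "start": {"dateTime": "2024-10-07T09:00:00Z"},
     "end": {"dateTime": "2024-10-07T09:30:00Z"}},
    {"id": "evt-002", "summary": "",
     "description": _OPAQUE,
     "start": {"dateTime": "2024-10-07T00:00:00Z"},
     "end": {"dateTime": "2024-10-07T00:00:00Z"}},
    {"id": "evt-003", "summary": "Dentist",
     "description": "",
     "start": {"dateTime": "2024-10-08T14:00:00Z"},
     "end": {"dateTime": "2024-10-08T15:00:00Z"}},
]

# Standard base64 alphabet only; human notes contain spaces and punctuation.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; base64 of ciphertext approaches 6.0."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_payload(description: str, min_len: int = 64,
                       min_entropy: float = 4.5) -> bool:
    """Heuristic (thresholds are assumptions): long, base64-only, high-entropy
    text is more likely a tasking blob than a description a person wrote."""
    body = description.strip()
    return (len(body) >= min_len
            and _B64_RE.match(body) is not None
            and shannon_entropy(body) >= min_entropy)


def flag_suspicious_events(events: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Return (event id, reasons) for each event that trips a heuristic."""
    hits = []
    for ev in events:
        reasons = []
        if looks_like_payload(ev.get("description", "")):
            reasons.append("opaque encoded description")
        if ev["start"] == ev["end"]:
            reasons.append("zero-duration event")   # weak signal on its own
        if reasons:
            hits.append((ev["id"], reasons))
    return hits


if __name__ == "__main__":
    for event_id, reasons in flag_suspicious_events(SAMPLE_EVENTS):
        print(event_id, "->", ", ".join(reasons))
```

The entropy check alone would also trip on a pasted password or hash, so the zero-duration and empty-title signals are there to be combined, not used in isolation; a real deployment would add the obvious identity signal the page implies, namely which process or account is reading and writing those events.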
🔔Top News
- Law enforcement operation takes down AvCheck(.)Net – US authorities, working with Finland and the Netherlands, have seized four domains and the related infrastructure that provided crypting services and counter-antivirus (CAV) tools to threat actors, helping them keep their malware from being detected by security software. The domains include AvCheck(.)Net, Cryptor(.)Biz, and Crypt(.)Guru. “The seized domains offered services to cybercriminals, including counter-antivirus (CAV) tools,” the U.S. Department of Justice said. “Used together, CAV tools and crypters allow criminals to obfuscate malware, making it undetectable and enabling unauthorized access to computer systems.” Authorities said the AvCheck seizure was made possible by exploiting missteps by its administrators. “The administrators did not provide the security they promised,” the seizure notice said, adding that databases containing usernames, email addresses, and payment information were also confiscated.
- Dutch agencies and Microsoft lift the veil on Void Blizzard – A previously unknown hacking group suspected of ties to the Kremlin has been blamed for a cyberattack on the Dutch police last year and for targeting other Western countries that provide military assistance to Ukraine. “Laundry Bear was able to fly under the radar by using simple attack methods and attack vectors, including tools that organizations find difficult to distinguish from those of other known Russian threat actors because they are readily available on the victim’s computer,” the Dutch government said. The group’s existence came to light after an investigation into a breach of the Dutch National Police in September 2024. In that intrusion, the group used stolen session cookies to access an employee’s account, through which it obtained work-related contact information of other police employees. The tradecraft follows the cyber-espionage playbook, but the targeting is very specific, with a victim list that overlaps with other Russia-linked cyber-espionage groups. The findings show that Ukraine and NATO member states remain the main hunting grounds for Russian threat groups.
- EddieStealer bypasses Chrome app-bound encryption and steals browser data – A new Rust-based information stealer called EddieStealer is distributed through fake CAPTCHA verification pages that trick users into running PowerShell commands. Notably, the stealer can bypass Chromium’s app-bound encryption to access unencrypted sensitive data such as cookies. It does this with a Rust reimplementation of the open source project ChromeKatz. EddieStealer is not the only stealer trying to evade the new defenses Google has introduced. Another stealer known as Katz Stealer employs DLL injection to obtain the encryption key used to protect cookies and passwords in Chromium-based browsers. A third stealer family, called Zerocrumb, is published on GitHub and “achieves the same purpose by using transacted hollowing to impersonate a Chrome instance, allowing the app-bound key to be decrypted using the IElevator COM interface. This key is ultimately used to decrypt and access browser cookies.”
- Earth Lamia targets Brazil, India, and Southeast Asia – The China-linked threat actor known as Earth Lamia has been tied to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023. The hacking group, which overlaps with REF0657, STAC6451, and CL-STA-0048, exploits various flaws in internet-facing devices and applications from multiple vendors to deploy web shells and post-exploitation tools such as Cobalt Strike, VShell, and Brute Ratel C4. Some of the attacks leveraged a previously unseen .NET backdoor codenamed PulsePack to establish communication with remote servers and load different plugins to achieve its goals. The development came as the Czech government said that Chinese hackers had infiltrated one of the country’s unclassified systems in 2022 and remained undetected within critical infrastructure networks. The Czech government issued a pointed warning to China, publicly accusing it of the intrusion into the Ministry of Foreign Affairs’ network and attributing it to APT31, a cyber-espionage hacking unit associated with Beijing’s Ministry of State Security.
- ConnectWise says a suspected nation-state actor targeted its systems – ConnectWise, the developer of the remote access and support software ScreenConnect, has revealed that it was the victim of a cyberattack by a suspected nation-state actor. The company said it engaged Google Mandiant to investigate the breach and that “a very small number of ScreenConnect customers” were affected. The activity is said to be linked to exploitation of CVE-2025-3935, a vulnerability affecting ScreenConnect versions prior to 25.2.3 that can be exploited for ViewState code injection attacks using publicly available ASP.NET machine keys. The attack technique was disclosed in February by Microsoft, which said it was being actively exploited by bad actors to inject malicious code and deliver the Godzilla post-exploitation framework. While Microsoft did not attribute the activity to any particular actor or group, Godzilla has been linked to China-nexus state-sponsored hackers.
📈Trending CVEs
Attackers love software vulnerabilities; they are easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s important vulnerabilities you should know about. Take a look, update your software promptly, and keep attackers locked out.
This week’s list includes CVE-2025-3935 (ConnectWise ScreenConnect), CVE-2025-47577 (TI WooCommerce Wishlist plugin), CVE-2025-2760 and CVE-2025-2761 (GIMP), CVE-2025-0072 (Arm Mali GPU), CVE-2025-2742, CVE-2025-27463 and CVE-2025-27464 (Citrix XenServer VM Tools for Windows), CVE-2025-4793 (PHPGurukul Online Course Registration), CVE-47933 (Argo CD), CVE-2025-46701 (CGI servlet), an Icinga 2 flaw, CVE-2025-48827 and CVE-2025-48828 (vBulletin), CVE-2025-41438 and CVE-2025-46352 (Consilium Safety CS5000 Fire Station), CVE-2025-1907 (Instantel Micromate), CVE-20-26383 Utility, CVE-2018-1285 (Rockwell Automation FactoryTalk Historian ThingWorx), CVE-2025-26147 (Denodo Scheduler), CVE-2025-24916 and CVE-2025-24917 (Tenable Network Monitor).
🌐Around the Cyber World
- Australia’s mandatory ransomware payment reporting begins – Australia has become the first country in the world to require victims of ransomware attacks to report to the government any extortion payments made to cybercriminals. The law, originally proposed last year, applies only to organizations with annual turnover of over AU$3 million (US$1.93 million) and to a small group of specific entities operating within critical infrastructure sectors. The turnover threshold is expected to capture the top 6.5% of all registered businesses in Australia, accounting for about half of the country’s economy. Covered organizations must report ransomware payments through the Australian Signals Directorate (ASD) reporting tool within 72 hours of making a payment or becoming aware that a payment has been made. The report must include the amount of the ransom demanded and paid, and how the payment was demanded and made. The requirement does not apply to public sector agencies. Failure to comply may result in civil penalties.
- X pauses encrypted DMs – X said it is pausing its encrypted DMs feature while it makes some improvements under the hood. The feature was originally released in May 2023. “Starting today, we are pausing the encrypted DMs feature while we work on some improvements,” the company said in a post on X. Previously, encrypted DMs were only available for messages between mutually verified users who had accepted DMs from each other. The company did not say when the feature will be available again.
- Exploitation attempts detected for vBulletin flaws – Two newly disclosed critical security flaws in the open source forum software vBulletin are under active exploitation in the wild. The flaws, tracked as CVE-2025-48827 (CVSS score: 10.0) and CVE-2025-48828 (CVSS score: 9.0), allow methods on protected API controllers to be invoked when running on PHP 8.1 or later, and arbitrary PHP code to be executed through template conditionals. The flaws, discovered by researcher Egidio Romano and disclosed on May 23, 2025, are said to have been quietly patched in April 2024. According to Kevintel’s Ryan Dewhurst, exploitation attempts have been observed originating from a Poland-based IP address.
- China accuses Taiwan of attacking high-tech companies – Chinese authorities have accused a hacker group allegedly backed by Taiwan’s Democratic Progressive Party (DPP) of cyberattacks on local technology companies and of targeting sensitive infrastructure across the mainland, state media outlet Global Times reported. Authorities alleged that the hacking group coordinated attacks on roughly 1,000 sensitive networks, including military, energy, and government systems. “The hackers deployed phishing emails, exploited public vulnerabilities, carried out brute-force password attacks, and used low-grade Trojan horse programs to conduct the attacks,” Guangzhou police were quoted as saying. In a statement to Reuters, Taiwan’s National Security Agency denied the allegations and shifted the blame, accusing China’s Communist Party of “manipulating inaccurate information and disrupting the outside world.”
- Russian hospital programmer gets 14 years for passing soldier data to Ukraine – A Russian court has sentenced 37-year-old former hospital programmer Alexander Levtsin to 14 years in a high-security prison for leaking personal data of Russian soldiers to Ukraine. He is said to have copied electronic medical records of Russian military personnel from a computer at a hospital in the city of Bratsk in April 2022, then sent the data to Ukrainian intelligence and posted it to a Telegram channel run by Ukrainian agents. Levtsin was arrested in July 2023. He was also fined 50,000 rubles (about $627) and barred from working in certain fields for four years after serving his sentence. Earlier this month, an 18-year-old Russian tech student who allegedly helped a Ukrainian hacker carry out a cyberattack on Russia was sentenced to six years in prison.
- Apple Safari enables credential theft via BitM attacks using the Fullscreen API – A weakness in Apple’s Safari browser allows threat actors to use full-screen browser-in-the-middle (BitM) techniques to steal account credentials from unsuspecting users. By abusing the Fullscreen API, which lets content on a web page request the browser’s full-screen viewing mode, a bad actor can trick a victim into entering sensitive data into an attacker-controlled remote browser window simply by clicking a link. “The attack works in all browsers, but full-screen BitM attacks are particularly convincing in Safari because there are no clear visual cues when entering full screen,” SquareX said. “In Firefox and Chromium-based browsers such as Chrome and Edge, a message is shown when fullscreen is activated. In Safari, there is no such message when the requestFullscreen() method is called. The only sign Safari gives when entering fullscreen mode is a ‘swipe’ animation.” In response to the findings, Apple said: “After further review, we determined there is no security impact, because all websites already have full control over their appearance and can change it. There is already an animation showing the change.”
- Threat actors install DB client tools for data exfiltration – Hackers have been installing legitimate database client tools such as DBeaver, Navicat, and sqlcmd directly on target systems and using them to exfiltrate data while evading detection. “These actions make detection difficult because they look just like legitimate administrator behavior,” AhnLab said. “Traces of the exfiltration can only be found in some system logs, the client tools’ local records, and the SQL server’s execution logs.”
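To illustrate the detection angle AhnLab points to (system logs and client-tool execution traces), here is an added Python example that is not AhnLab’s code: it runs a few simple rules over constructed, Sysmon-style process-creation records and flags executions of DBeaver, Navicat or sqlcmd that fall outside an assumed DBA baseline. The allowlists, the sample records and the rules themselves are assumptions to be tuned per environment; sqlcmd’s `-o` option, which writes query results to a file, is a real flag.

```python
import json
from typing import Dict, List, Tuple

# Constructed endpoint process-creation records (Sysmon-style fields, trimmed).
# Hosts, users, paths and timestamps are invented for this example.
SAMPLE_PROCESS_LOGS = "\n".join([
    json.dumps({"ts": "2025-05-27T08:02:11Z", "host": "dba-ws01", "user": "CORP\\j.dba",
                "image": "C:\\Program Files\\DBeaver\\dbeaver.exe",
                "parent": "explorer.exe", "cmdline": "dbeaver.exe"}),
    json.dumps({"ts": "2025-05-27T23:41:05Z", "host": "web-srv07", "user": "NT AUTHORITY\\SYSTEM",
                "image": "C:\\Windows\\Temp\\navicat.exe",
                "parent": "w3wp.exe", "cmdline": "navicat.exe"}),
    json.dumps({"ts": "2025-05-28T01:13:42Z", "host": "file-srv02", "user": "CORP\\svc-backup",
                "image": "C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\SQLCMD.EXE",
                "parent": "cmd.exe",
                "cmdline": "sqlcmd -S db01 -Q \"SELECT * FROM customers\" -o C:\\Users\\Public\\c.txt"}),
    json.dumps({"ts": "2025-05-28T09:00:00Z", "host": "dba-ws02", "user": "CORP\\m.dba",
                "image": "C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\SQLCMD.EXE",
                "parent": "cmd.exe", "cmdline": "sqlcmd -S db01 -Q \"SELECT @@VERSION\""}),
])

DB_CLIENT_IMAGES = {"dbeaver.exe", "navicat.exe", "sqlcmd.exe"}
DBA_HOSTS = {"dba-ws01", "dba-ws02"}            # assumed allowlist of DBA workstations
DBA_USERS = {"corp\\j.dba", "corp\\m.dba"}      # assumed DBA accounts, lower-cased
SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "java.exe"}  # web/app server processes


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path (or a bare name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_process_event(ev: Dict) -> List[str]:
    """Return the rule names a single process-creation record violates."""
    image = _basename(ev["image"])
    if image not in DB_CLIENT_IMAGES:
        return []
    reasons = []
    if ev["host"].lower() not in DBA_HOSTS:
        reasons.append("db client on non-DBA host")
    if ev["user"].lower() not in DBA_USERS:
        reasons.append("db client run by non-DBA account")
    if _basename(ev["parent"]) in SERVER_PARENTS:
        reasons.append("spawned by web/app server process")
    if image == "sqlcmd.exe" and " -o " in ev["cmdline"]:
        reasons.append("sqlcmd output redirected to file (-o)")   # results staged on disk
    lowered_image = ev["image"].lower()
    if "\\temp\\" in lowered_image or "\\users\\public\\" in lowered_image:
        reasons.append("tool executed from temp/public directory")
    return reasons


def scan_process_logs(raw: str) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, host, reasons) for each db-client execution that trips a rule."""
    findings = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = analyze_process_event(ev)
        if reasons:
            findings.append((ev["ts"], ev["host"], reasons))
    return findings


if __name__ == "__main__":
    for ts, host, reasons in scan_process_logs(SAMPLE_PROCESS_LOGS):
        print(ts, host, "->", "; ".join(reasons))
```

The point of the baseline is the one AhnLab makes: the tool itself is legitimate, so the signal has to come from who ran it, where, from which parent, and whether query output was written somewhere for pickup. Legitimate DBA activity on the allowlisted hosts produces no findings here; the two flagged records are the web server spawning Navicat from a temp directory and a service account dumping a table with sqlcmd.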
- FTC orders GoDaddy to adopt a robust security program – The US Federal Trade Commission (FTC) has finalized an order requiring domain registrar and web hosting company GoDaddy to secure its services, resolving charges of “unfair security practices” that led to several data breaches between 2019 and 2022. The company is ordered to implement at least one multi-factor authentication method, engage an independent third-party assessor to conduct biennial reviews of its information security program, and report new breaches to the US government within 10 days.
- US government employee arrested for allegedly trying to leak secrets to a foreign government – Nathan Vilas Laatsch, a 28-year-old IT specialist employed by the Defense Intelligence Agency (DIA), was arrested on May 29, 2025, for attempting to transmit national defense information to an officer or agent of a foreign government. Laatsch became a civilian employee of the DIA in 2019 and worked in its Insider Threat Division. He is also said to have held a Secret-level security clearance. The U.S. Department of Justice (DOJ) said it opened its investigation after the Federal Bureau of Investigation (FBI) received a tip in March 2025 that an unidentified individual had offered to provide classified information to a friendly foreign government. “After multiple communications with an FBI agent posing as a foreign government official, Laatsch began transcribing classified information onto a notepad at his desk and repeatedly removed the information from his workspace over about three days,” the DOJ said. “Laatsch subsequently confirmed he was ready to transmit the information to the FBI agent.” According to the DOJ, Laatsch agreed to drop off the classified information at a park in northern Virginia. The defendant then sought something in return from the foreign government, even expressing interest in obtaining citizenship of the country he believed he was conspiring with, in exchange for providing additional classified information. However, he also said he was “not opposed to other compensation.” Laatsch was finally arrested last week after meeting an undercover FBI agent and handing over multiple classified documents.
- Pakistan arrests 21 in connection with HeartSender malware service – Pakistani authorities have arrested 21 individuals accused of running HeartSender (aka Manipulaters), an illicit service that sold phishing toolkits and tools for fraudulent activity. The cybercrime offering, first exposed in 2020, took a heavy hit this January when US and Dutch law enforcement dismantled 39 domains and associated servers linked to HeartSender as part of an operation codenamed Operation Heart Blocker. DomainTools revealed last year that the operation had a physical presence in Pakistan, including Lahore, Fatehpur, Karachi, and Faisalabad. According to Dawn, those arrested include Rameez Shahzad (aka Saim Raza), the alleged ringleader of the criminal enterprise, as well as Muhammad Aslam (Rameez’s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moyz, Hasnain Haider, Bilal Ahmad, Dilbah Hussein, Muhammad Adir Akram, Awais Rasoll, Osama Fauk, Osama Mehmoud, and Hamad Nawaz.
- Lumma Stealer remains active despite takedown – Despite coordinated efforts to disrupt the infrastructure behind the Lumma infostealer, the malware continues to operate. While there appears to be “significant reputational damage,” the operators are said to be actively working to revive the business at every turn. Lumma’s developers have claimed that law enforcement infiltrated the main server by exploiting an unknown vulnerability in the Integrated Dell Remote Access Controller (iDRAC) and wiped the server and its backups. Authorities are also believed to have set up a phishing login page to harvest the credentials and digital footprints of Lumma’s customers, and to have planted JavaScript snippets on the dashboard server that attempted to access customers’ webcams. The Lumma threat actor says, “Everything is back and we are working fine.” Furthermore, information stolen from compromised computers continues to be sold on Lumma’s own Telegram marketplace and other Russian-speaking markets. With Lumma down but not gone, the ultimate success of the disruption may depend on the psychological tactics the authorities used to sow distrust among its customers.
- New Android malware GhostSpy appears – Cybersecurity researchers have detailed a new Android malware called GhostSpy that supports keylogging, screen capture, background audio and video recording, SMS and call log theft, GPS location tracking, and remote command execution. Infection starts with a dropper app that installs a secondary payload carrying the information-gathering capabilities, weaponizing accessibility services and user interface automation. “It is extremely persistent and nearly impossible to remove through traditional means, as it abuses the Device Administrator API to entrench itself deeply in the system and employs anti-uninstall tactics such as hijacking system dialogs and obfuscating full-screen overlays,” Cyfirma said. “Critically, the malware also bypasses the screen capture protection of banking apps using a skeleton view reconstruction method that harvests the full UI layout of protected applications. This allows attackers to extract sensitive data from interfaces that normally block screenshots and screen sharing.” There is evidence to suggest the malware is the work of Brazilian threat actors, based on the Telegram and YouTube channels they set up.
- Zanubis evolves to focus on Peruvian banks – Speaking of Android malware, Kaspersky has detailed the evolution of the Zanubis Android banking trojan into a multi-faceted threat. “Zanubis’ main infection vector is impersonating legitimate Peruvian Android applications and misleading users into enabling accessibility permissions,” the Russian security vendor said. “Once granted these permissions, the malware gains extensive capabilities that allow its operators to steal the user’s banking data and credentials, take remote actions, and control the device without the user’s knowledge.” The new version of the malware has been found to improve its data exfiltration and remote control capabilities, alongside improved obfuscation, new features, a switch of encryption algorithms, shifting targets, setting itself as the default messaging app to intercept one-time passwords (OTPs), and refinements in its social engineering techniques. The trojan poses as legitimate apps from energy sector companies and banks in Peru. “These updates are consistent across campaigns and suggest a deliberate effort to keep the malware effective and relevant,” the company added.
- OpenAI’s o3 model sabotages shutdown attempt – OpenAI’s o3 model has been observed sabotaging its shutdown mechanism to keep itself from being turned off even when explicitly instructed to allow it, research from Palisade revealed. The model found ingenious ways to pull this off, such as modifying the kill command used by the shutdown script so that it printed “intercepted” or “shutdown skipped” instead. Google’s Gemini 2.5 Pro complied with the instructions. “As companies develop AI systems capable of operating without human oversight, these behaviors become significantly more concerning,” Palisade said.
- Stalkerware apps Spyzie, Cocospy, Spyic go offline – Three “almost identical but differently branded” stalkerware apps, Cocospy, Spyic, and Spyzie, have gone dark, and the websites promoting them have disappeared. The development comes several months after a common security flaw was identified in all of them, allowing anyone to access personal data from devices on which any of the apps was installed. The apps essentially allow whoever plants them to access the victim’s messages, photos, call logs, and real-time location data without their knowledge or consent. According to TechCrunch, at least 25 stalkerware operations have been breached since 2017, 10 of which have since shut down. Last May, a spyware app named pcTattletale said it was “out of business and completely done” after a data breach. The app, which secretly and continuously captured screenshots of hotel booking systems, suffered from a security flaw that exposed those captures not only to intended users but to anyone on the internet. Then, this February, another spyware vendor, Spain-based Variston, shut down.
- UTG-Q-015 targets government and enterprise websites – A threat actor called UTG-Q-015 has been observed leveraging N-day security flaws (CVE-2021-38647, CVE-2017-9805, and CVE-2017-12611) to infiltrate government and enterprise websites in March 2025, as well as those of blockchain and financial organizations, and deliver backdoors and other malicious payloads. The activity is attributed to Southeast Asian actors who provide infiltration and intelligence services to local businesses. Another espionage campaign originating from Southeast Asia comes from what is called the “New Ocean Rothus Group,” which is said to have exploited zero-day flaws in terminal software to target China’s military, energy, and aerospace sectors.
- Cursor macOS app TCC bypass disclosed – A security vulnerability has been identified in Cursor, the popular AI-powered code editor for macOS, that allows malicious software to bypass Apple’s built-in security protections and access sensitive user data without proper authorization. In a nutshell, the vulnerability makes it possible to circumvent Apple’s Transparency, Consent, and Control (TCC) framework. “The problem is that the application has the RunAsNode fuse enabled,” said AFine researcher Karol Mazurek. “When enabled, the app can be run as a generic Node.js process, which allows malware to inject malicious code that inherits the application’s TCC permissions.” Following responsible disclosure, Cursor stated that the issue is “outside of our threat model” and that there is no plan to fix it.
- Lovable’s security flaw allows access to sensitive data – Earlier this year, the popular vibe-coding app Lovable was found to be susceptible to VibeScamming, allowing anyone to create and host a polished scam page and set up an admin dashboard to track the stolen data. Now, new research reveals that the service failed to address a “critical security flaw” that allows remote, unauthenticated attackers to read and write arbitrary database tables of generated sites. This includes names, email addresses, financial information, and secret API keys. The vulnerability (CVE-2025-48757, CVSS score: 9.3) lies in the implementation of Lovable’s Row Level Security (RLS) policies, according to Lepto researcher Matt Palmer. “Applications developed using the platform often lack a secure RLS configuration, allowing rogue actors to access sensitive user data and inject malicious data,” Palmer said in a post on X.
- Cyber Toufan’s tactics revealed – Cybersecurity researchers have detailed the operational playbook of an Iranian threat actor called Cyber Toufan, which previously targeted Israel-based users with its own POKYBLIGHT wiper. Characterized, like Handala, as a pro-Palestinian threat group, Cyber Toufan claims responsibility for more than 100 breaches across sectors including government, defense, finance, and critical infrastructure, OP Innovate said. “Each case followed a consistent pattern: initial access through weak or reused credentials without MFA, stealthy lateral movement across the network, and data leak campaigns publicly distributed via Telegram.” “Unlike traditional APTs that rely on sophisticated zero-days, these actors leverage poor security hygiene and turn basic negligence into a major attack vector.”

🎥Cybersecurity Webinar
- Hidden dangers inside every AI agent – how hackers are exploiting them → AI agents cannot run without access, but the service accounts and API keys they use are often invisible and unsecured. These invisible identities are becoming attackers’ biggest targets. Join Astrix Security’s Jonathan Sander to uncover the hidden risks behind AI and learn how to lock them down before it’s too late. Don’t wait for a breach. Secure your AI from the inside out.
- Trusted apps are being weaponized – how to find it → Attackers no longer need to break in; they blend in. Using “living off trusted sites” (LOTS) tactics, they exploit popular apps and services and hide in plain sight. Join Zscaler threat hunting experts Marina Liang and Jessica Lee for a deep dive into how stealthy attacks are uncovered across the world’s largest security cloud. Learn the tools, techniques, and real cases behind modern evasion, as well as how to detect what your security stack is likely missing. If you’re defending an enterprise environment, this is a blueprint to help you find what others have overlooked.
🔧Cybersecurity Tools
- RedTeamTP – This toolkit streamlines the deployment of red team infrastructure using GitHub Actions. It supports Cobalt Strike, Mythic, and phishing setups on AWS, Azure, and DigitalOcean.
- CloudRec – An open source multi-cloud CSPM platform that helps you protect your cloud environment through automated asset discovery, real-time risk detection, and customizable OPA-based policies. It uses a flexible and scalable architecture to support AWS, GCP, Alibaba Cloud and more.
🔒Tip of the Week
Use AI models to challenge security assumptions → AI tools like OpenAI’s o3 aren’t just for writing code. They can now help find serious bugs, including vulnerabilities that even experts might miss. In one real case, o3 helped reveal a hidden flaw in Linux kernel code by analyzing how different threads could access the same object at the wrong time.
How to apply this: When reviewing your code or system, give your AI model a specific function and ask questions such as:
- What could go wrong if two users interact with this at the same time?
- Can this object be deleted while it is still in use?
- Are all failure cases handled properly?
Why it works: Even experienced security teams make assumptions about timing, logic, or structure that an attacker won’t. Neither does the AI. It explores every path, including the ones where real threats are likely hiding.
Using AI to think differently lets you catch weaknesses before anyone else does.
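To make the second review question concrete, here is an added Python example (not from the tip’s source, and not the kernel code it mentions) contrasting a check-then-use handle table, where another thread can close the object between the check and the use, with a reference-counted version in which deletion is deferred until the last user releases the object. `Handle`, `HandleTable` and the `during` hook that stands in for a thread switch are constructed for this illustration.

```python
import threading


class Handle:
    """An object with an explicit lifetime, like a kernel object or an open
    file: calling read() after close() is the use-after-free analogue."""

    def __init__(self, name: str):
        self.name = name
        self.closed = False
        self.refs = 0               # outstanding users (reference-counted version)
        self.pending_delete = False

    def read(self) -> str:
        if self.closed:
            raise RuntimeError(f"use-after-close on {self.name}")
        return self.name.upper()

    def close(self) -> None:
        self.closed = True


class HandleTable:
    def __init__(self):
        self._lock = threading.Lock()
        self._items = {}

    def put(self, key: str, h: Handle) -> None:
        with self._lock:
            self._items[key] = h

    # ---- naive version: lookup and use are separate, unprotected steps ----
    def delete_unsafe(self, key: str) -> None:
        h = self._items.pop(key, None)
        if h is not None:
            h.close()

    def use_unsafe(self, key: str, during=None):
        h = self._items.get(key)          # check: it exists right now
        if h is None:
            return None
        if during is not None:
            during()                      # stands in for a thread switch here
        return h.read()                   # use: raises if it was closed meanwhile

    # ---- reference-counted version: delete waits for the last user ----
    def _acquire(self, key: str):
        with self._lock:
            h = self._items.get(key)
            if h is None or h.pending_delete:
                return None
            h.refs += 1
            return h

    def _release(self, h: Handle) -> None:
        with self._lock:
            h.refs -= 1
            if h.pending_delete and h.refs == 0:
                h.close()                 # last user out closes the object

    def delete_safe(self, key: str) -> None:
        with self._lock:
            h = self._items.pop(key, None)
            if h is None:
                return
            h.pending_delete = True
            if h.refs == 0:
                h.close()                 # nobody is using it: close immediately

    def use_safe(self, key: str, during=None):
        h = self._acquire(key)
        if h is None:
            return None
        try:
            if during is not None:
                during()                  # a concurrent delete_safe() only marks it
            return h.read()               # still open: we hold a reference
        finally:
            self._release(h)


def demo_unsafe() -> str:
    """Interleave a delete between the check and the use in use_unsafe()."""
    table = HandleTable()
    table.put("s1", Handle("session-1"))
    try:
        table.use_unsafe("s1", during=lambda: table.delete_unsafe("s1"))
        return "no error"
    except RuntimeError as exc:
        return str(exc)


def demo_safe():
    """Same interleaving against use_safe(): the read succeeds and the
    handle is closed only after its user releases it."""
    table = HandleTable()
    h = Handle("session-1")
    table.put("s1", h)
    result = table.use_safe("s1", during=lambda: table.delete_safe("s1"))
    return result, h.closed


if __name__ == "__main__":
    print("naive:", demo_unsafe())       # use-after-close on session-1
    print("refcounted:", demo_safe())    # ('SESSION-1', True)
```

The `during` hook makes the race deterministic so it can be shown in a test; on real hardware the same window is hit only occasionally, which is exactly why the question “can this be deleted while still in use?” is worth asking of a reviewer, human or model, rather than waiting for the crash.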
Conclusion
The tools may keep changing, but the core challenges remain. As new threats emerge and familiar ones resurface in unexpected ways, clarity becomes your sharpest defense.
Use these insights to question your assumptions, update your plans, and shore up the weak spots that don’t always show up on your dashboard. Great security isn’t just about getting ahead. It’s about staying sharp.