Operation WrtHug, The Global Espionage Campaign Hiding in Your Home Router
https://securityscorecard.com/blog/operation-wrthug-the-global-espionage-campaign-hiding-in-your-home-router
https://securityscorecard.com/blog/operation-wrthug-the-global-espionage-campaign-hiding-in-your-home-router
SecurityScorecard
Operation WrtHug, The Global Espionage Campaign Hiding in Your Home Router
SecurityScorecard’s STRIKE team uncovers how attackers turned thousands of ASUS routers into a worldwide spy network.
Critical Vulnerabilities in FluentBit Expose Cloud Environments to Remote Takeover
https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover
https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover
www.oligo.security
Critical Vulnerabilities in FluentBit | Oligo Security
A new chain of 5 critical vulnerabilities within Fluent Bit allows attackers to compromise cloud infrastructure
BadBox 2.0 - Scale and Infection: The botnet secretly infected more than ten million connected devices, including streaming TV boxes, tablets, and projectors running a modified version of the Android Open Source Project (AOSP).
A legal complaint (claim for damages and injunctive relief) filed by Google LLC (Plaintiff) in the United States District Court for the Southern District of New York against unnamed cybercriminals (Defendants Does 1-25):
https://storage.courtlistener.com/recap/gov.uscourts.nysd.643466/gov.uscourts.nysd.643466.22.0.pdf
A legal complaint (claim for damages and injunctive relief) filed by Google LLC (Plaintiff) in the United States District Court for the Southern District of New York against unnamed cybercriminals (Defendants Does 1-25):
https://storage.courtlistener.com/recap/gov.uscourts.nysd.643466/gov.uscourts.nysd.643466.22.0.pdf
CourtListener
Complaint – #22 in Google LLC v. Does 1-25 (S.D.N.Y., 1:25-cv-04503) – CourtListener.com
COMPLAINT against Does 1-25. Document filed by Google, LLC. (Attachments: # 1 Appendix Appendix A_REDACTED).(Harris, Laura) (Entered: 07/11/2025)
Shai-Hulud 2.0 kill chain highlights the pattern:
- 𝗣𝗿𝗲-𝗶𝗻𝘀𝘁𝗮𝗹𝗹 𝘀𝗰𝗿𝗶𝗽𝘁 𝗲𝘅𝗽𝗹𝗼𝗶𝘁𝗮𝘁𝗶𝗼𝗻:
-- Abuse of preinstall scripts (npm install) as the initial worm entry.
- 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗵𝗮𝗿𝘃𝗲𝘀𝘁𝗶𝗻𝗴 & 𝗲𝘅𝗳𝗶𝗹𝘁𝗿𝗮𝘁𝗶𝗼𝗻:
-- Automated credential harvesting (NPM tokens, PATs, cloud keys, env vars) and exfiltration to attacker-controlled repos.
- 𝗣𝗲𝗿𝘀𝗶𝘀𝘁𝗲𝗻𝗰𝗲 & 𝗹𝗮𝘁𝗲𝗿𝗮𝗹 𝗺𝗼𝘃𝗲𝗺𝗲𝗻𝘁:
-- Persistence and lateral movement via backdoored GitHub Actions runners, with RCE and even a wiper fail-safe.
- 𝗣𝗿𝗲-𝗶𝗻𝘀𝘁𝗮𝗹𝗹 𝘀𝗰𝗿𝗶𝗽𝘁 𝗲𝘅𝗽𝗹𝗼𝗶𝘁𝗮𝘁𝗶𝗼𝗻:
-- Abuse of preinstall scripts (npm install) as the initial worm entry.
- 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹 𝗵𝗮𝗿𝘃𝗲𝘀𝘁𝗶𝗻𝗴 & 𝗲𝘅𝗳𝗶𝗹𝘁𝗿𝗮𝘁𝗶𝗼𝗻:
-- Automated credential harvesting (NPM tokens, PATs, cloud keys, env vars) and exfiltration to attacker-controlled repos.
- 𝗣𝗲𝗿𝘀𝗶𝘀𝘁𝗲𝗻𝗰𝗲 & 𝗹𝗮𝘁𝗲𝗿𝗮𝗹 𝗺𝗼𝘃𝗲𝗺𝗲𝗻𝘁:
-- Persistence and lateral movement via backdoored GitHub Actions runners, with RCE and even a wiper fail-safe.
Sturnus: Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption
https://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal
https://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal
ThreatFabric
Sturnus: Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption
Sturnus is a privately operated Android banking trojan with many fraud-related capabilities, including Device Takeover and capturing decrypted messages.
Your IP Address Might Be Someone Else's Problem (And Here's How to Find Out)
https://www.greynoise.io/blog/your-ip-address-might-be-someone-elses-problem
https://www.greynoise.io/blog/your-ip-address-might-be-someone-elses-problem
www.greynoise.io
Your IP Address Might Be Someone Else's Problem (And Here's How to Find Out)
Your home network might be part of someone else’s attack. GreyNoise IP Check shows if your IP’s been caught scanning the internet—free and private.
A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect
https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-alto-sonicwall
https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-alto-sonicwall
www.greynoise.io
A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect
GreyNoise detected a surge of 7,000+ IPs attempting to log into GlobalProtect, sharing fingerprints with a surge in SonicWall API scanning and earlier Palo Alto campaigns, exposing a persistent credential-based attack pattern.
SEEDSNATCHER : Dissecting an Android Malware Targeting Multiple Crypto Wallet Mnemonic Phrases
https://www.cyfirma.com/research/seedsnatcher-dissecting-an-android-malware-targeting-multiple-crypto-wallet-mnemonic-phrases/
https://www.cyfirma.com/research/seedsnatcher-dissecting-an-android-malware-targeting-multiple-crypto-wallet-mnemonic-phrases/
CYFIRMA
SEEDSNATCHER : Dissecting an Android Malware Targeting Multiple Crypto Wallet Mnemonic Phrases - CYFIRMA
EXECUTIVE SUMMARY At Cyfirma, we are committed to providing up-to-date insights into current threats and the tactics used by malicious...
Behind the Walls: Techniques and Tactics in Castle RAT Client Malware
https://www.splunk.com/en_us/blog/security/castlerat-malware-detection-splunk-mitre-attck.html
https://www.splunk.com/en_us/blog/security/castlerat-malware-detection-splunk-mitre-attck.html
Splunk
Behind the Walls: Techniques and Tactics in Castle RAT Client Malware | Splunk
Uncover CastleRAT malware's techniques (TTPs) and learn how to build Splunk detections using MITRE ATT&CK. Protect your network from this advanced RAT.
US security agency urges Android and iPhone users to stop using personal VPNs
https://www.techradar.com/vpn/vpn-privacy-security/us-security-agency-urges-android-and-iphone-users-to-stop-using-personal-vpns
https://www.techradar.com/vpn/vpn-privacy-security/us-security-agency-urges-android-and-iphone-users-to-stop-using-personal-vpns
TechRadar
US security agency urges Android and iPhone users to stop using personal VPNs
CISA warned that many commercial VPNs could be putting your data at greater risk
Remote code execution via ND6 Router Advertisements
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
BlueDelta’s Persistent Campaign (Technical Analysis)
https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet
https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet
Recordedfuture
BlueDelta’s Persistent Campaign Against UKR.NET
Discover how Russia’s BlueDelta targets UKR.NET users with advanced credential-harvesting campaigns, evolving tradecraft, and multi-stage phishing techniques.
Time Nist Gov Incorrect Time
The affected servers are:
https://groups.google.com/a/list.nist.gov/g/internet-time-service/c/o0dDDcr1a8I
The affected servers are:
time-a-b.nist.gov
time-b-b.nist.gov
time-c-b.nist.gov
time-d-b.nist.gov
time-e-b.nist.gov
ntp-b.nist.gov (authenticated NTP)https://groups.google.com/a/list.nist.gov/g/internet-time-service/c/o0dDDcr1a8I
MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware
https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
https://www.jamf.com/blog/macsync-stealer-evolution-code-signed-swift-malware-analysis/
Fake WordPress Domain Renewal Phishing Email Stealing Credit Card And 3-D Secure OTP
https://malwr-analysis.com/2025/12/31/fake-wordpress-domain-renewal-phishing-email-stealing-credit-card-and-3-d-secure-otp/
https://malwr-analysis.com/2025/12/31/fake-wordpress-domain-renewal-phishing-email-stealing-credit-card-and-3-d-secure-otp/
Malware Analysis, Phishing, and Email Scams
Fake WordPress Domain Renewal Phishing Email Stealing Credit Card And 3-D Secure OTP
Overview I investigated a phishing email impersonating WordPress.com that claims a domain renewal is due soon and urges immediate action to prevent service disruption. The campaign leads victims to…
Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware Infection
https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/
https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/
Securonix
Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware Infection
https://www.cve.org/CVERecord?id=CVE-2025-36911
In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation
In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation
Dissecting CrashFix: KongTuke's New Toy
https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
Huntress
Dissecting CrashFix: KongTuke's New Toy | Huntress
Fake ad blocker crashes your browser, then offers a "fix." Go inside KongTuke's CrashFix campaign, from malicious extension to ModeloRAT for VIP targets.