therecord.media - Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay.
Deutsche Welthungerhilfe (WHH), the German charity that aims to develop sustainable food supplies in some of the world’s most impoverished countries, has been attacked by a ransomware gang.
The charity, whose name literally translates as World Hunger Help, reached 16.4 million people in 2023. It is currently providing emergency aid to people in Gaza, Ukraine, Sudan and other countries and regions where there is an urgent need for food, water, medicine and basic necessities.
A spokesperson confirmed to Recorded Future News that WHH had been targeted by a ransomware-as-a-service (RaaS) group which recently listed the charity on its darknet leak site.
The cybercriminals are attempting to sell data stolen from the charity for 20 bitcoin, equivalent to around $2.1 million, although it is not clear whether WHH’s computer networks have also been encrypted. The charity said it would not be making an extortion payment to the criminals behind the attack.
“The affected systems were shut down immediately and external IT experts who specialise in such cases were called in. We have also further strengthened the security of our systems with additional technical protective measures,” said a WHH spokesperson.
“We have informed the relevant data protection authority, consulted our data protection officer and involved the police authorities. We continue to liaise closely with the authorities,” they added.
The charity stressed it was “continuing our work in our project countries unchanged. We continue to stand by the side of the people who need our support. In view of the many humanitarian crises worldwide, our work is more important than ever.”
The RaaS group that is extorting WHH was previously responsible for attacks on multiple hospitals — including The Ann & Robert H. Lurie Children’s Hospital of Chicago and hospitals run by Prospect Medical Holdings — and last year also attempted to extort the disability nonprofit Easterseals.
The spyware operation's exposed customer email addresses and passwords were shared with data breach notification service Have I Been Pwned.
A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator.
The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app’s full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims.
Catwatchful is spyware masquerading as a child monitoring app that claims to be “invisible and cannot be detected,” all the while uploading the victim’s phone’s private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims’ photos, messages, and real-time location data. The app can also remotely tap into the live ambient audio from the phone’s microphone and access both front and rear phone cameras.
Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person’s phone. As such, these apps are commonly referred to as “stalkerware” (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal.
Catwatchful is the latest example in a growing list of stalkerware operations that have been hacked, breached, or otherwise exposed the data they obtain, and is at least the fifth spyware operation this year to have experienced a data spill. The incident shows that consumer-grade spyware continues to proliferate, despite being prone to shoddy coding and security failings that expose both paying customers and unsuspecting victims to data breaches.
According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims’ devices.
Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows.
The Catwatchful database also revealed the identity of the spyware operation’s administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers.
Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.
BRASILIA, July 2 (Reuters) - Brazil's central bank said on Wednesday that technology services provider C&M Software, which serves financial institutions lacking connectivity infrastructure, had reported a cyberattack on its systems.
The bank did not provide further details of the attack, but said in a statement that it ordered C&M to shut down financial institutions' access to the infrastructure it operates.
C&M Software commercial director Kamal Zogheib said the company was a direct victim of the cyberattack, which involved the fraudulent use of client credentials in an attempt to access its systems and services.
C&M said critical systems remain intact and fully operational, adding that all security protocol measures had been implemented. The company is cooperating with the central bank and the Sao Paulo state police in the ongoing investigation, added Zogheib.
Brazilian financial institution BMP told Reuters that it and five other institutions experienced unauthorized access to their reserve accounts during the attack, which took place on Monday.
BMP said the affected accounts are held directly at the central bank and used exclusively for interbank settlement, with no impact on client accounts or internal balances.
The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense.
Empty grocery store shelves and grounded planes tend to signal a crisis, whether it’s an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens.
A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims.
Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group’s escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again.
“There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of,” says John Hultquist, chief analyst in Google’s threat intelligence group. “This group is carrying out serious attacks on our critical infrastructure, and I hope that we’re not missing the opportunity to address the most imminent threat.”
Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK’s National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” The warning came as North American airlines Westjet and Hawaii Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group’s campaign.
North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations.
Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism.
The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update, delivered via Calendly and email, resembles the one Huntress managed security platform recently linked to BlueNoroff.
Advanced macOS malware
In a report today, researchers at cybersecurity company SentinelOne says that the threat actor used C++ and Nim-compiled binaries (collectively tracked as NimDoor ) on macOS, which "is a more unusual choice."
One of the Nim-compiled binaries, 'installer', is responsible for the initial setup and staging, preparing directories and config paths. It also drops other two binaries - 'GoogIe LLC,' 'CoreKitAgent', onto the victim's system.
GoogIe LLC takes over to collect environment data and generate a hex-encoded config file, writing it to a temp path. It sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login and stores authentication keys for later stages.
The most advanced componentused in the attack is CoreKitAgent, the main payload of the NimDoor framework, which operates as an event-driven binary, using macOS's kqueue mechanism to asynchronously manage execution.
It implements a 10-case state machine with a hardcoded state transition table, allowing flexible control flow based on runtime conditions.
The most distinctive feature is its signal-based persistence mechanisms, where it installs custom handlers for SIGINT and SIGTERM.
CERTFR-2025-CTI-009
Date de la dernière version 01 juillet 2025
In September 2024, ANSSI observed an attack campaign seeking initial access to French entities’ networks through the exploitation of several zero-day vulnerabilities on Ivanti Cloud Service Appliance (CSA) devices. French organizations from governmental, telecommunications, media, finance, and transport sectors were impacted. ANSSI’s investigations led to the conclusion that a unique intrusion set was leveraged to conduct this attack campaign. The Agency named this intrusion set « Houken ». Moderately sophisticated, Houken can be characterized by an ambivalent use of resources. While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers. Houken’s attack infrastructure is made up of diverse elements - including commercial VPNs and dedicated servers.
ANSSI suspects that the Houken intrusion set is operated by the same threat actor as the intrusion set previously described by MANDIANT as UNC5174. Since 2023, Houken is likely used by an access broker to gain a foothold on targeted systems, which could eventually be sold to entities interested in carrying out deeper post-exploitation activities. Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new to ANSSI’s knowledge. The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence. However, ANSSI also observed one case of data exfiltration as well as an interest in the deployment of cryptominers, indicating straight-forward profit-driven objectives.
2.1 The attack campaign in a nutshell
At the beginning of September 2024, an attacker repeatedly exploited vulnerabilities CVE-2024-
8190, CVE-2024-8963, and CVE-2024-9380 vulnerabilities to remotely execute arbitrary code
on vulnerable Ivanti Cloud Service Appliance devices [1, 2, 3, 4]. These vulnerabilities were
exploited as zero-days, before the publication of the Ivanti security advisory [5, 6, 7].
The attacker opportunistically chained these vulnerabilities to gain initial access on Ivanti CSA
appliances, with the intention of:
• Obtaining credentials through the execution of a base64 encoded Python script1
.
• Ensuring persistence, by:
– deploying or creating PHP webshells;
– modifying existing PHP scripts to add webshells capabilities;
– occasionally installing a kernel module which acts as a rootkit once loaded.
Likely in an effort to prevent exploitation by additional unrelated actors, the attacker attempted
to self-patch web resources affected by the vulnerabilities.
On occasions, and after establishing a foothold on victim networks through the compromise
of Ivanti CSA devices, the attacker performed reconnaissance activities and moved laterally.
In-depth compromises allowed the attacker to gather additional credentials and deploy further
persistence mechanisms. Most recent activities around this attack campaign were observed
at the end of November 2024 by ANSSI.
Several incidents affecting French entities, and linked to this attack campaign, were observed
by ANSSI at the end of 2024. The campaign targeted french organizations from governmental,
telecommunications, media, finance, and transport sectors.
In three cases, the compromise of Ivanti CSA devices was followed by lateral movements toward
the victims’ internal information systems. The malicious actor also collected credentials and
attempted to establish a persistence on these compromised networks. Attacker’s operational
activities time zone was UTC+8, which aligns with China Standard Time (CST).
ANSSI provided significant support to these entities, a
L’ordre international est en pleine mutation. La rivalité entre les États-Unis et la Chine va profondément influencer la politique de sécurité mondiale dans les années à venir. La Russie, la Chine, la Corée du Nord et l’Iran resserrent leur coopération et cherchent à modifier l’ordre international perçu comme dominé par l’Occident. La guerre menée par la Russie contre l’Ukraine devrait se poursuivre en 2025. Parallèlement, le conflit entre Israël et l’Iran s’est intensifié: Israël a lancé en juin 2025 des frappes militaires contre le programme nucléaire iranien. La simultanéité de ces crises renforce l’insécurité mondiale.
Espionnage, contournement des sanctions et prolifération: la Suisse comme cible stratégique
La confrontation mondiale accroît la pression sur la Suisse. En tant que siège de nombreuses organisations internationales et centre d’innovation, elle est dans la ligne de mire des services de renseignement étrangers. Les principales menaces d’espionnage proviennent de la Russie et de la Chine qui maintiennent une forte présence en Suisse. Elles s’intéressent aux autorités fédérales, aux entreprises, aux organisations internationales et aux instituts de recherche.
La concurrence accrue entre grandes puissances fait aussi de la Suisse une cible privilégiée pour les tentatives de contournement des sanctions et la prolifération. La Russie, l’Iran et la Corée du Nord tentent de plus en plus d’obtenir via la Suisse des biens à double usage et des technologies pour leurs programmes militaires et nucléaires.
Le SRC apporte ici une contribution importante, en étroite collaboration avec le Secrétariat d’État à l’économie (SECO), dans le domaine de la détection et de la prévention des tentatives de contournement des sanctions. Le SRC et le SECO sensibilisent également les entreprises suisses aux risques liés à l’espionnage, au contournement des sanctions et à la prolifération.
Menace terroriste: focus sur la prévention et la détection précoce
La menace terroriste en Suisse est élevée et est marquée par des personnes inspirées par le djihadisme. La radicalisation en ligne des jeunes constitue un défi majeur. Ce processus peut être rapide, rendant la détection précoce essentielle. Les intérêts juifs et israéliens – notamment les personnes et établissements concernés – restent exposés.
Le SRC coopère étroitement avec les écoles, les organisations de jeunesse et les polices. L’objectif est de détecter les processus de radicalisation à un stade précoce et d’agir de manière préventive.
Infrastructures critiques comme cibles
Pour les opérateurs d’infrastructures critiques suisses, les cyberattaques représentent une menace majeure. Des attaques de sabotage ciblées – menées de façon cinétique ou cybernétique – par des acteurs étatiques pourraient viser à nuire à d’autres États, alliances ou institutions dépendant de ces infrastructures, dans le cadre de conflits hybrides.
La Suisse dans le viseur: la technologie, clé du pouvoir
«La Suisse doit considérer la situation sécuritaire dans un contexte mondial», explique Christian Dussey, directeur du SRC. «La confrontation globale nous touche directement. Notre radar stratégique identifie actuellement 15 foyers de crise simultanés – un tel niveau de menace est sans précédent. Nous ne sommes pas de simples observateurs – nous sommes directement concernés. À cela s’ajoute la lutte pour la suprématie technologique. La technologie est aujourd’hui une clé déterminante du pouvoir. Et la Suisse, en tant que place innovante, est directement exposée à ces enjeux – notamment à travers l’espionnage et d’autres activités de renseignement. Le SRC et les autres autorités de sécurité du pays sont fortement mis à l’épreuve par ces défis. Des défis auxquels nous ne pouvons répondre qu’ensemble, en étroite collaboration avec nos partenaires nationaux et internationaux.»
Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges.
Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features.
The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing.
The Spanish police have arrested two individuals in the province of Las Palmas for their alleged involvement in cybercriminal activity, including data theft from the country's government.
The duo has been described as a "serious threat to national security" and focused their attacks on high-ranking state officials as well as journalists. They leaked samples of the stolen data online to build notoriety and inflate the selling price.
"The investigation began when agents detected the leakage of personal data affecting high-level institutions of the State across various mass communication channels and social networks," reads the police announcement.
"These sensitive data were directly linked to politicians, members of the central and regional governments, and media professionals."
The first suspect is believed to have specialized in data exfiltration, while the second managed the financial part by selling access to databases and credentials, and holding the cryptocurrency wallet that received the funds.
The two were arrested yesterday at their homes. During the raids, the police confiscated a large number of electronic devices that may lead to more incriminating evidence, buyers, or co-conspirators.
June 26, 2025 by Anil Shetty netscaler.com
Over the past two weeks, Cloud Software Group has released builds to address CVE-2025-6543 and CVE 2025-5777, which affect NetScaler ADC and NetScaler Gateway if they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR an Authentication Authorization and Auditing (“AAA”) virtual server. While both of the vulnerabilities involve the same modules, the exposures differ. CVE 2025-6543, if exploited, could lead to a memory overflow vulnerability, resulting in unintended control flow and Denial of Service. CVE 2025-5777 arises from insufficient input validation that leads to memory overread.
Some commentators have drawn comparisons between CVE 2025-5777 and CVE 2023-4966. While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related.
The description of the vulnerability on the NIST website for CVE-2025-5777 initially erroneously identified NetScaler Management Interface as implicated in the vulnerability, but they subsequently updated the description to exclude it. The most accurate description of CVE 2025-5777 can be found in the Citrix security bulletin published on June 17, 2025.
Through our internal review process and by collaborating with customers, we identified the affected NetScaler ADC and NetScaler Gateway builds. CVE 2025-5777 only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates. Please refer to the security bulletin for more details.
Citrix has signed CISA’s Secure by Design pledge, reinforcing our commitment to building security into every stage of the product lifecycle. As part of this pledge, we prioritize security by default, transparency, and accountability in how we manage vulnerabilities. Our Product Security Incident Response Team (PSIRT) follows industry standards to assess, address, and disclose vulnerabilities responsibly. We work closely with security researchers, government agencies and customers to ensure timely fixes and clear communication. Learn more about our responsible disclosure process at Citrix Vulnerability Response.
Additionally, there’s an issue related to authentication that you may observe after upgrading NetScaler to build 14.1 47.46 or 13.1 59.19. This can manifest as a “broken” login page, especially when using authentication methods like DUO configurations based on Radius authentication, SAML, or any Identity Provider (IDP) that relies on custom scripts. This behavior can be attributed to the Content Security Policy (CSP) header being enabled by default in this NetScaler build, especially when CSP was not enabled prior to the upgrade. For more information on this issue please refer to the KB article.
On June 5th, the FBI released a PSA titled “Home Internet Connected Devices Facilitate Criminal Activity.” This PSA largely references devices impacted by the latest generation of BADBOX malware (as named by HUMAN’s Satori Threat Intelligence and Research team) that EFF researchers also encountered primarily on Android TV set-top boxes. However, the malware has impacted tablets, digital projectors, aftermarket vehicle infotainment units, picture frames, and other types of IoT devices.
One goal of this malware is to create a network proxy on the devices of unsuspecting buyers, potentially making them hubs for various potential criminal activities, putting the owners of these devices at risk from authorities. This malware is particularly insidious, coming pre-installed out of the box from major online retailers such as Amazon and AliExpress. If you search “Android TV Box” on Amazon right now, many of the same models that have been impacted are still up being sold by sellers of opaque origins. Facilitating the sale of these devices even led us to write an open letter to the FTC, urging them to take action on resellers.
The FBI listed some indicators of compromise (IoCs) in the PSA for consumers to tell if they were impacted. But the average person isn’t running network detection infrastructure in their homes, and cannot hope to understand what IoCs can be used to determine if their devices generate “unexplained or suspicious Internet traffic.” Here, we will attempt to help give more comprehensive background information about these IoCs. If you find any of these on devices you own, then we encourage you to follow through by contacting the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov.
The FBI lists these IoC:
The presence of suspicious marketplaces where apps are downloaded.
Requiring Google Play Protect settings to be disabled.
Generic TV streaming devices advertised as unlocked or capable of accessing free content.
IoT devices advertised from unrecognizable brands.
Android devices that are not Play Protect certified.
Unexplained or suspicious Internet traffic.
The following adds context to above, as well as some added IoCs we have seen from our research.
WASHINGTON, June 30 (Reuters) - Iran-linked hackers have threatened to disclose more emails stolen from U.S. President Donald Trump's circle, after distributing a prior batch to the media ahead of the 2024 U.S. election.
In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.
Press release: 30 June 2025
Late last week, the International Criminal Court (“ICC” or “the Court”) detected a new, sophisticated and targeted cyber security incident, which has now been contained.
This incident, the second of this type against the ICC in recent years, was swiftly discovered, confirmed and contained, through the Court’s alert and response mechanisms. A Court-wide impact analysis is being carried out, and steps are already being taken to mitigate any effects of the incident.
The Court considers it essential to inform the public and its States Parties about such incidents as well as efforts to address them, and calls for continued support in the face of such challenges.
Such support ensures the Court’s capacity to implement its critical mandate of justice and accountability, which is a shared responsibility of all States Parties.
July 1, 2025
WASHINGTON Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world. BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities. OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders. Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK.
“Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. “Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.”
Today’s action is being taken pursuant to Executive Order (E.O.) 13694, as further amended, and builds on OFAC’s February action targeting ZServers BPH. Today’s action also reflects Treasury’s continued work to combat cybercrime and degrade the support networks that enable malicious actors to target U.S. citizens, technology, and critical industries.
AEZA GROUP: KEY TECHNICAL SUPPORT FOR RANSOMWARE GROUPS, CYBERCRIME, AND ILLICIT DRUGS
Aeza Group, headquartered in St. Petersburg, Russia, has provided BPH services to ransomware and malware groups such as the Meduza and Lumma infostealer operators, who have used the hosting service to target the U.S. defense industrial base and technology companies, among other victims globally. Infostealers are often used to harvest personal identifying information, passwords, and other sensitive credentials from compromised victims. These credentials are then often sold on darknet markets for profit, making infostealer operators a key piece of the cybercrime ecosystem.
Aeza Group has also hosted BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian darknet marketplace for illicit drugs. Darknet drug marketplaces allow for the anonymous purchase and shipment of narcotics over the internet, making them a present and increasing contributor to drug trafficking to the United States and worldwide. According to Treasury’s Financial Crimes Enforcement Network (FinCEN) and its supplemental advisory on fentanyl, criminal organizations use darknet marketplaces to sell precursor chemicals and manufacturing equipment used for the synthesis of fentanyl and other synthetic opioids, as well as to traffic fentanyl and other narcotics into the United States.
OFAC is designating Aeza Group pursuant to E.O. 13694, as further amended by E.O. 14144 and E.O. 14306, for being responsible or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
Aeza International Ltd. is the United Kingdom branch of Aeza Group. Aeza Group uses Aeza International to lease IP addresses to cybercriminals, including Meduza infostealer operators.
Aeza Logistic LLC and Cloud Solutions LLC are Russia-based subsidiaries that are 100% owned by Aeza Group. Servers BPH.
A new browser attack vectors just dropped, and it’s called FileFix — an alternative to the well-known ClickFix attack. This method, discovered and shared by mrd0x, shows how attackers can to execute commands right from browser, without requesting target to open cmd dialog. Quick Recap: What’s the ClickFix Attack? First, let's quickly recap ClickFix, the
Qantas can confirm that a cyber incident has occurred in one of its contact centres impacting customer data. The system is now contained.
We understand this will be concerning for customers. We are currently contacting customers to make them aware of the incident, apologise and provide details on the support available.
The incident occurred when a cyber criminal targeted a call centre and gained access to a third party customer servicing platform.
There is no impact to Qantas’ operations or the safety of the airline.
What we know
On Monday, we detected unusual activity on a third party platform used by a Qantas airline contact centre. We then took immediate steps and contained the system. We can confirm all Qantas systems remain secure.
There are 6 million customers that have service records in this platform. We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.
Importantly, credit card details, personal financial information and passport details are not held in this system. No frequent flyer accounts were compromised nor have passwords, PIN numbers or log in details been accessed.
Actions we are taking
While we conduct the investigation, we are putting additional security measures in place to further restrict access and strengthen system monitoring and detection.
Qantas has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. Given the criminal nature of this incident, the Australian Federal Police has also been notified. We will continue to support these agencies as the investigation continues.
Qantas has established a dedicated customer support line as well as a dedicated page on qantas.com to provide the latest information to customers. We will continue to share updates including via our website and social channels.
Qantas Group Chief Executive Officer Vanessa Hudson said:
“We sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously.
“We are contacting our customers today and our focus is on providing them with the necessary support.
“We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”
Google has issued an urgent security update for its Chrome browser, addressing a critical zero-day vulnerability that is being actively exploited by attackers.
The flaw, tracked as CVE-2025-6554, is a type confusion vulnerability in Chrome’s V8 JavaScript engine, which underpins the browser’s ability to process web content across Windows, macOS, and Linux platforms.
The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) on June 25, 2025. According to Google, attackers have already developed and deployed exploits targeting this flaw in the wild, prompting the company to act quickly.
The Sudo utility is a privileged command-line tool installed on Linux systems that allows a permitted user to execute a command as the superuser, or another user, as specified by the security policy. It is commonly used to implement the least privilege model by delegating administrative tasks that require elevated privileges without sharing the root password, while also creating an audit trail in the system log.
The Stratascale Cyber Research Unit (CRU) team discovered two local privilege vulnerabilities in Sudo. These vulnerabilities can result in the escalation of privileges to root on the impacted system.
The research focused on infrequently used command-line options. This blog explores how the Sudo chroot option can be leveraged by any local user to elevate privileges to root, even if no Sudo rules are defined for that user.
The default Sudo configuration is vulnerable. Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed. The following versions are known to be vulnerable. Note: Not all versions within the range have been tested.
Stable 1.9.14 - 1.9.17
Note: The legacy versions of Sudo (currently <= 1.8.32) are not vulnerable because the chroot feature does not exist.
Exploitation has been verified on:
Ubuntu 24.04.1; Sudo 1.9.15p5, Sudo 1.9.16p2
Fedora 41 Server; Sudo 1.9.15p5
Established in 2024, the People's Liberation Army Cyberspace Force merges cyber and electronic warfare to disrupt, deter, and dominate in future conflicts.
With the launch of its Cyberspace Force, China has elevated the digital domain to a theatre of war. The Cyberspace Force of the People’s Liberation Army (PLA) is China’s newest military branch, launched on 19 April 2024.
Based in Haidian District, Beijing, and with five antennas across the country, it operates under the direct authority of the Central Military Commission (CMC).
Its creation followed the dissolution of the Strategic Support Force (SSF) and shows a broader shift in China’s approach to modern warfare. The force is tasked with both defending and attacking in the cyber domain. Additionally, it covers:
Network security
Electronic warfare
Information dominance
The Cyberspace Force plays a central role in China’s preparation for future conflicts, particularly in what the PLA calls “informatised warfare”, a doctrine focused on controlling the flow of information across all domains. By placing the unit directly under the CMC, China ensures centralised control, operational discipline, and strategic reach in cyberspace.
On 19 April 2024, the CMC formally dissolved the SSF and created three independent forces:
This marked the first time China designated cyberspace as an independent warfare domain with dedicated command, personnel, and budgetary autonomy. The Cyberspace Force now operates as a Corps Leader-grade service, headquartered in Beijing. It is led by Lieutenant General Zhang Minghua, with Lieutenant General Han Xiaodong serving as its political commissar. Its emergence reflects a shift from fragmented technical capabilities to centralised, strategic integration of cyber warfare into China’s military planning.
Today, Microsoft Threat Intelligence Center is excited to announce the release of RIFT, a tool designed to assist malware analysts automate the identification of attacker-written code within Rust binaries. Known for its efficiency, type safety, and robust memory safety, Rust has increasingly become a tool for creating malware, especially among financially motivated groups and nation-state entities. This shift has introduced new challenges for malware analysts as the unique characteristics of Rust binaries make static analysis more complex.
One of the primary challenges in reverse engineering malware developed with Rust lies in its layers of abstraction added through features such as memory safety and concurrency handling, making it more challenging to identify the behavior and intent of the malware. Compared to traditional languages, Rust binaries are often larger and more complex due to the incorporation of extensive library code. Consequently, reverse engineers must undertake the demanding task of distinguishing attacker-written code from standard library code, necessitating advanced expertise and specialized tools.
To address these pressing challenges, Microsoft Threat Intelligence Center has developed RIFT. RIFT underscores the growing need for specialized tools as cyber threat actors continue to leverage Rust’s features to evade detection and complicate analysis. The adoption of Rust by threat actors is a stark reminder of the ever-changing tactics employed in the cyber domain, and the increasing sophistication required to combat these threats effectively. In this blog post, we explore how threat actors are increasingly adopting Rust for malware development due to its versatility and how RIFT can be used to combat this threat by enhancing the efficiency and accuracy of Rust-based malware analysis.
