Daily Security Briefing 023

September 27, 2025

Fake Teams malware, China-linked telecom attacks, Dutch teens spying for Russia…


Executive Summary

Cybercriminals continue to rely on social engineering, this time malvertising and SEO poisoning that steer users to a fake Microsoft Teams installer carrying the Oyster backdoor. Meanwhile, China-linked state actors are running a new PlugX variant against telecommunications and manufacturing firms across Asia, using DLL side-loading through legitimate applications for persistence and evasion. In Europe, Dutch police arrested two teenagers suspected of gathering intelligence on behalf of Russia. Taken together, these items show both criminal and state-backed actors going after the enterprise endpoint, critical infrastructure, and intelligence targets.


Top Articles

Fake Microsoft Teams installers push Oyster malware via malvertising
Attackers are pairing SEO poisoning with search engine ads so that users looking for Microsoft Teams land on a fake download page serving a malicious installer. Running it deploys the Oyster backdoor, giving the operators an initial foothold on the Windows device and, from there, on the corporate network. The campaign shows that malvertising remains an effective delivery channel for socially engineered malware; the practical controls are to source installers only from vendor domains or a managed software catalogue, and to check the Authenticode publisher of a downloaded installer before it is run.
BleepingComputer

China-linked PlugX and Bookworm malware attacks target Asian telecom and ASEAN networks
A new PlugX variant is being used against telecommunications and manufacturing firms across Central and South Asia. It merges features of earlier backdoors such as RainyDay and Turian and is delivered by DLL side-loading: a legitimate (typically signed) application is made to load the malicious DLL from its own directory, so the implant runs under a trusted process name, which gives it both persistence and evasion. The tell-tale artefact for defenders is a DLL sitting beside a legitimate host executable that is unsigned or carries a different publisher's signature. The breadth of targeting points to sustained, geopolitically driven espionage in the region.
TheHackerNews
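As an added example (not code from the BleepingComputer or Hacker News articles, nor from any tool they describe), the following Python triage rules express the two patterns above as checks over Sysmon-style records: a Teams-named installer launched from a user-writable path without a valid Microsoft signature, and a DLL loaded from its host executable's own directory that is unsigned, badly signed, or signed by someone other than the host's publisher. Sysmon's ImageLoad event (ID 7) carries Signed, Signature and SignatureStatus natively; the Signer and HostSignature fields are an assumed enrichment (the Authenticode publisher of the executable) that a pipeline would have to add, the C: system root is assumed, and every record in the block is constructed.

```python
"""Heuristic triage of Sysmon-style ProcessCreate (ID 1) and ImageLoad (ID 7) records.

Added example; the Signer/HostSignature fields are an assumed enrichment and all
sample records are constructed, not real telemetry.
"""
from __future__ import annotations

import ntpath

# Installer names a Teams lure would mimic (assumed list; the article names only Teams).
LOOKALIKE_INSTALLERS = {"msteamssetup.exe", "teamssetup.exe", "teams_setup.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Path fragments an ordinary user can write to (NT-style paths assumed).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
SYSTEM_ROOT = "c:\\windows"  # assumption: default system root


def is_user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def is_microsoft(signer: str | None) -> bool:
    return bool(signer) and signer.lower().startswith("microsoft")


def flag_lookalike_installer(event: dict) -> str | None:
    """Teams-named installer run from a user-writable location without a valid
    Microsoft signature. A genuine, Microsoft-signed installer in Downloads passes."""
    if event.get("EventID") != 1:
        return None
    name = ntpath.basename(event["Image"]).lower()
    if name not in LOOKALIKE_INSTALLERS or not is_user_writable(event["Image"]):
        return None
    if is_microsoft(event.get("Signer")) and event.get("SignatureStatus") == "Valid":
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    via = f"spawned by {parent}" if parent in BROWSERS else "from user-writable path"
    return f"lookalike installer {event['Image']} {via}, signer={event.get('Signer') or 'none'}"


def flag_dll_sideload(event: dict) -> str | None:
    """DLL loaded from the host executable's own directory (outside the system root)
    that is unsigned, has an invalid signature, or is signed by a different publisher."""
    if event.get("EventID") != 7:
        return None
    host, dll = event["Image"], event["ImageLoaded"]
    host_dir = ntpath.dirname(host).lower()
    if host_dir != ntpath.dirname(dll).lower() or host_dir.startswith(SYSTEM_ROOT):
        return None
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    bad_status = event.get("SignatureStatus") != "Valid"
    host_signer = event.get("HostSignature")
    mismatch = bool(host_signer) and event.get("Signature") != host_signer
    if not (unsigned or bad_status or mismatch):
        return None
    if unsigned:
        why = "unsigned"
    elif bad_status:
        why = "invalid signature"
    else:
        why = f"signer {event.get('Signature')!r} != host {host_signer!r}"
    where = "user-writable path" if is_user_writable(dll) else "installed path"
    return f"possible DLL side-load: {host} loaded {ntpath.basename(dll)} ({why}, {where})"


def triage(events: list[dict]) -> list[str]:
    """Run both rules over a batch of records and return the findings."""
    findings = []
    for event in events:
        for rule in (flag_lookalike_installer, flag_dll_sideload):
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample records (illustrative only).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",       # genuine
     "ParentImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "Signer": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\MSTeamsSetup.exe",       # lure
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Signer": "Example Software Ltd", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",                 # system
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Program Files\Contoso\Viewer\viewer.exe",      # benign
     "ImageLoaded": r"C:\Program Files\Contoso\Viewer\render.dll",
     "Signed": "true", "Signature": "Contoso Ltd", "SignatureStatus": "Valid",
     "HostSignature": "Contoso Ltd"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\upd\viewer.exe",  # side-load
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\upd\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "HostSignature": "Contoso Ltd"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run directly, it prints the two findings from the sample set (the lure and the unsigned DLL beside a copied viewer.exe); the genuine installer, the system DLL and the properly signed vendor DLL pass. Treat the installer rule as a triage filter rather than a verdict, since file metadata and even code-signing certificates can be obtained or abused by attackers.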

Dutch teens arrested for trying to spy on Europol for Russia
Dutch police have arrested two 17-year-olds for allegedly gathering intelligence on behalf of Russian operatives. The teenagers reportedly used hacking devices to spy on Europol, raising concerns about the recruitment of minors into state-sponsored espionage.
BleepingComputer


AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.
