Daily Security Briefing #049

October 23, 2025

Vietnamese fake job scams, F5 long-term breach, YouTube malware takedown report


Executive Summary

Today’s cybersecurity landscape is dominated by sophisticated social engineering campaigns and persistent nation-state threats. Vietnamese and North Korean actors continue leveraging fake job postings, aiming to steal credentials and sensitive corporate data. Meanwhile, a serious breach of F5’s network, potentially spanning years, highlights the growing challenge of detecting long-term intrusions by advanced threat actors. The takedown of the YouTube Ghost Network exposes ongoing exploitation of popular platforms for malware distribution. Critical vulnerabilities in widely used software such as Magento and new malware obfuscation techniques further underscore the evolving threat environment.


Top Articles

Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials
Google Threat Intelligence Group (GTIG) uncovered a financially motivated cluster of threat actors operating from Vietnam. These attackers use fake job postings on legitimate platforms to target professionals in digital advertising and marketing, deploying malware and phishing kits to compromise high-value corporate accounts and hijack digital advertising efforts. This activity is tracked as UNC6229 by GTIG.
Google

Serious F5 Breach
Seattle-based networking software maker F5 revealed a breach attributed to a “sophisticated” nation-state group with long-term, persistent access to its environment, possibly spanning multiple years. The undetected presence of this threat actor inside F5’s network raises serious concerns about the security of critical network infrastructure and the potential impact on customers relying on F5 technologies.
Schneier

The YouTube Ghost Network: How Check Point Research Helped Take Down 3,000 Malicious Videos Spreading Malware
Check Point Research identified and disrupted a large malware distribution operation on YouTube, removing over 3,000 videos used to spread infostealers like Rhadamanthys and Lumma. The threat actors employed fake and compromised YouTube accounts, distributing malware through password-protected content disguised as cracked software and gaming hacks. This takedown significantly disrupted one of the largest known malware operations exploiting the platform.
Check Point | Check Point Research

LockBit Returns — and It Already Has Victims
The LockBit ransomware group has resumed activity following its disruption earlier this year, deploying a new 5.0 variant, “ChuongDong,” that attacked a dozen organizations in September 2025. The group targets Windows, Linux, and ESXi environments across Europe, the Americas, and Asia, demonstrating expanded geographical reach and platform diversity. Check Point’s security products have detected these ongoing ransomware campaigns.
Check Point

Cybercriminals Impersonate Aid Agencies to Lure Victims with Fake Financial Offers
Scammers intensify schemes impersonating aid agencies to defraud vulnerable populations via fake financial aid offers circulated on social media. Intelligence and law enforcement stress the international, coordinated nature of these operations, particularly targeting older adults. This trend demonstrates how cybercriminals exploit social engineering to prey on trust and urgency during times of crisis.
GBHackers

Vulnerability in Perplexity’s Comet Browser Screenshot Feature Allows Malicious Prompt Injection
A critical vulnerability in Perplexity’s Comet AI browser enables attackers to inject malicious commands via hidden text in screenshots. Disclosed on October 21, the flaw exposes users’ sensitive accounts, including banking and email services, by exploiting the browser’s AI features. This finding highlights the nuanced risks introduced by the growing integration of AI in browsing tools.
GBHackers

Novel Malware Strategy Employs Dynamic Functions and Cookies for Script Concealment
Wordfence researchers report a sophisticated malware strain using PHP’s variable functions and browser cookies for stealthier script obfuscation. This evolving technique complicates detection and remains widespread in WordPress attacks, with over 30,000 detections reported in September 2025 alone. This malware strategy exemplifies the persistent innovation in attack methods targeting web environments.
CyberPress

Hackers Exploit Magento, Adobe Commerce RCE to Deploy Webshells
Critical unauthenticated remote code execution vulnerability CVE-2025-54236, named SessionReaper, has been actively exploited against Adobe Commerce and Magento platforms. Attackers use this flaw to deploy webshells and hijack customer accounts on thousands of online storefronts globally, amplifying the risk to e-commerce infrastructure and consumer data.
CyberPress

HP pulls update that broke Microsoft Entra ID auth on some AI PCs
HP retracted a Windows 11 OneAgent software update after it caused authentication failures for Microsoft Entra ID in some organizations by deleting essential Microsoft certificates. This disruption affected cloud environment access and illustrates the risks that software updates pose in enterprise identity and access management systems.
BleepingComputer

North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets
North Korean-linked threat actors have launched Operation Dream Job, targeting European defense companies involved in unmanned aerial vehicle (UAV) development through fake job offers. This ongoing espionage campaign aims to exfiltrate sensitive drone-related technologies, demonstrating the use of social engineering to access critical national security information.
The Hacker News


AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.
