Every week, someone somewhere slips up—and threat actors slip in. A misconfigured setting, an overlooked vulnerability, or a too-convenient cloud tool becomes the perfect entry point. But what happens when the hunters become the hunted? Or when old malware resurfaces with new tricks?
Step behind the curtain with us this week as we explore breaches born from routine oversights—and the unexpected cracks they reveal in systems we trust.
⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day — Google has addressed a high-severity security flaw in its Chrome browser for Windows that has been exploited by unknown actors as part of a sophisticated attack aimed at Russian entities. The flaw, CVE-2025-2783 (CVSS score: 8.3), is said to have been combined with another exploit to break out of the browser’s sandbox and achieve remote code execution. The attacks involved distributing specially crafted links via phishing emails that, when clicked and launched using Chrome, triggered the exploit. A similar flaw has since been patched in Mozilla Firefox and Tor Browser (CVE-2025-2857), although there is no evidence that it has been exploited.
🔔 Top News
- Critical Flaws Uncovered in Ingress NGINX Controller for Kubernetes — A set of vulnerabilities, collectively named IngressNightmare, has been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution. The most severe of the five flaws is CVE-2025-1974 (CVSS score: 9.8), which an unauthenticated attacker with access to the pod network could exploit to achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions. Following responsible disclosure, the vulnerabilities have been addressed in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.
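A quick way to check whether the controllers running in a cluster are at or above the fixed releases named above. This is an added example, not code from the page or the ingress-nginx project; it assumes that lines older than 1.10 received no fix and that lines newer than 1.12 shipped after it (both assumptions, the page lists only the three patched versions).

```python
import re

# Minimum patched ingress-nginx release on each supported minor line,
# as stated in the IngressNightmare disclosure.
PATCHED_MINIMUMS = {
    (1, 12): (1, 12, 1),
    (1, 11): (1, 11, 5),
    (1, 10): (1, 10, 7),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(tag: str) -> tuple:
    """Parse an image tag such as 'v1.11.4' or '1.12.1' into (major, minor, patch)."""
    m = _VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(tag: str) -> bool:
    """True if this ingress-nginx version includes the IngressNightmare fixes."""
    major, minor, patch = parse_version(tag)
    floor = PATCHED_MINIMUMS.get((major, minor))
    if floor is None:
        # Assumption: minor lines newer than 1.12 post-date the fix,
        # older lines (1.9 and below) never received one.
        return (major, minor) > (1, 12)
    return (major, minor, patch) >= floor


def audit_images(images: list) -> dict:
    """Map each controller image reference to True (patched) or False (needs action)."""
    result = {}
    for ref in images:
        name = ref.split("@", 1)[0]            # drop any @sha256:... digest suffix
        tag = name.rsplit(":", 1)[-1] if ":" in name else "unknown"
        try:
            result[ref] = is_patched(tag)
        except ValueError:
            result[ref] = False                # unparseable tags are flagged for review
    return result


if __name__ == "__main__":
    # Constructed sample of image references as a pod listing would show them.
    sample = [
        "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000",
        "registry.k8s.io/ingress-nginx/controller:v1.12.1",
    ]
    for ref, ok in audit_images(sample).items():
        print(("patched   " if ok else "VULNERABLE") + "  " + ref)
```

Feed it the image references returned by `kubectl get pods -A -o jsonpath='{..image}'`, filtered to the ingress-nginx controller images.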
- BlackLock Data Leak Site Exposed — Threat hunters have managed to infiltrate the data leak site associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Thanks to a local file inclusion (LFI) vulnerability, cybersecurity company Resecurity said it was able to extract configuration files, credentials, as well as the history of commands executed on the server. The threat actors have been found using Rclone to exfiltrate data to the MEGA cloud storage service. As many as eight accounts have been created on MEGA to store and back up victim data. The development comes as KELA revealed the possible real-world identities of Rey and Pryx, the key players driving the Hellcat ransomware operations. Rey (aka Saif and Hikki-Chan) is likely of Palestinian and Jordanian origin, while Pryx (aka Adem) is said to be an Arabic speaker involved in carding since 2018. “Ironically, Rey and Pryx, who heavily relied on info stealer logs in their operations, fell victim to it themselves,” KELA said.
- 46 Flaws in Solar Inverters From Sungrow, Growatt, and SMA — As many as 46 security bugs have been discovered in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that, if successfully exploited, could permit attackers to seize control of devices and cause potential power blackouts. The vulnerabilities, collectively named SUN:DOWN, “can be exploited to execute arbitrary commands on devices or the vendor’s cloud, take over accounts, gain a foothold in the vendor’s infrastructure, or take control of inverter owners’ devices.”
- RedCurl Linked to First Case of Ransomware — RedCurl, a threat actor known for its corporate espionage attacks since late 2018, has been observed delivering a custom ransomware family called QWCrypt via a sophisticated multi-stage infection chain. Bitdefender, which flagged the activity, said the “unusual deviation” in tactics raises more questions than answers about the group’s motivations, raising the possibility that it is either a cyber mercenary group or a discreet operation designed to generate consistent revenue.
- Hackers Using Atlantis AIO for Credential Stuffing and Brute-Force Attacks — Threat actors are making use of an e-crime tool called Atlantis AIO Multi-Checker to automate credential stuffing attacks across more than 140 platforms, allowing them to test millions of stolen credentials in “rapid succession.” The software also comes with capabilities to conduct brute-force attacks against email platforms and automate account recovery processes associated with eBay and Yahoo.
- Weaver Ant Goes Undetected for Over 4 Years — A suspected Chinese state-backed hacking group called Weaver Ant managed to stay under the radar after it breached a major telecommunications company located in Asia. The attack involved the exploitation of a misconfiguration in a public-facing application to gain initial access and drop web shells for persistent remote access. The web shells were then used to drop additional payloads to facilitate lateral movement and carry out reconnaissance activities. Over the past year, Chinese hacking crews have also targeted a trade group in the United States and a research institute in Mexico to deliver ShadowPad and two new variants of a backdoor known as SparrowDoor. The activity has been attributed to a threat actor tracked as FamousSparrow.
- Morphing Meerkat Uses DNS MX and DoH to Distribute Spam — A newly discovered phishing-as-a-service (PhaaS) operation called Morphing Meerkat has been leveraging the Domain Name System (DNS) mail exchange (MX) records to determine the victim’s email service provider and dynamically serve fake login pages that impersonate about 114 brands. The platform also makes use of the DNS-over-HTTPS (DoH) protocol to evade detection when firing a DNS query to Google or Cloudflare to find the MX records of the victim’s email domain. The credentials captured on the spoofed pages are then exfiltrated via Telegram or AJAX requests to external servers. Morphing Meerkat is known to have been active since at least 2020. It features a centralized SMTP infrastructure to distribute thousands of spam emails, with 50% of the traced emails originating from internet services provided by iomart and HostPapa.
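The DoH behaviour described above leaves a trace that web proxies can see: an MX-type query to a public JSON DoH endpoint, issued by a browser session rather than the OS resolver. The detector below is an added example, not code from the page or from any vendor report; the proxy record format and the endpoint URLs (Google's `dns.google/resolve` and Cloudflare's `cloudflare-dns.com/dns-query` JSON APIs) are assumptions, and the log lines are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the public JSON-over-HTTPS resolver hosts of Google and Cloudflare.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
# DNS type MX may be passed by name or by its numeric code 15.
MX_TYPES = {"mx", "15"}


def doh_mx_lookup(url: str):
    """Return (resolver_host, queried_name) if url is a DoH MX query, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in DOH_HOSTS:
        return None
    qs = parse_qs(parts.query)
    qtype = qs.get("type", [""])[0].lower()
    name = qs.get("name", [""])[0].rstrip(".").lower()
    if qtype in MX_TYPES and name:
        return parts.hostname, name
    return None


def scan_proxy_log(lines):
    """Collect findings from constructed 'timestamp client method url' proxy records.

    A DoH MX lookup on its own is only a lead: mail clients and some security
    tools also issue them. The useful signal is this lookup from a browser
    session followed by a login page for the provider the MX answer names.
    """
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        hit = doh_mx_lookup(url)
        if hit:
            resolver, name = hit
            findings.append({"time": ts, "client": client,
                             "resolver": resolver, "queried": name})
    return findings


# Constructed sample: a normal page fetch, a benign DoH A lookup, two DoH MX lookups.
SAMPLE_LOG = [
    "2025-03-26T10:01:02Z 10.0.0.5 GET https://www.example.org/index.html",
    "2025-03-26T10:01:03Z 10.0.0.5 GET https://dns.google/resolve?name=example.org&type=A",
    "2025-03-26T10:01:04Z 10.0.0.7 GET https://dns.google/resolve?name=victim-corp.example&type=MX",
    "2025-03-26T10:01:05Z 10.0.0.9 GET https://cloudflare-dns.com/dns-query?name=victim-corp.example&type=15",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} looked up MX for {f['queried']} via {f['resolver']}")
```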
🔥 Trending CVEs
Attackers love software vulnerabilities—they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.
This week’s list includes — CVE-2025-2783, CVE-2025-2476 (Google Chrome), CVE-2025-2857 (Mozilla Firefox, Tor Browser), CVE-2025-1974 (Kubernetes NGINX Ingress Controller), CVE-2025-26512 (NetApp SnapCenter), CVE-2025-22230 (VMware Tools for Windows), CVE-2025-2825 (CrushFTP), CVE-2025-20229 (Splunk), CVE-2025-30232 (Exim), CVE-2025-1716, CVE-2025-1889, CVE-2025-1944, CVE-2025-1945 (picklescan), and CVE-2025-2294 (Kubio AI Page Builder plugin).
📰 Around the Cyber World
- 23andMe Files for Bankruptcy — Genetic testing business 23andMe filed for Chapter 11 bankruptcy, amplifying concerns that the DNA records and personal information of its 15 million customers could soon be up for sale. “Any buyer will be required to comply with applicable law with respect to the treatment of customer data,” the company said in an FAQ. The development has prompted California Attorney General Rob Bonta to issue a privacy consumer alert, detailing the steps users can take to delete their genetic data and destroy their samples. The U.K. Information Commissioner’s Office said it’s “monitoring the situation closely.” While 23andMe notes that genetic data is anonymized and stored separately from personally identifiable information, its privacy policy states the company will retain users’ genetic information, date of birth, and sex as required for compliance with applicable legal obligations. In October 2023, it suffered a major data breach, exposing the genetic information of more than six million people.
- Konni Uses AsyncRAT in New Campaign — The North Korea-linked Konni threat actor has been observed using Windows shortcut (LNK) files that masquerade as PDF files to trigger a multi-stage infection sequence that involves using legitimate cloud services like Dropbox and Google Drive to host intermediate payloads that pave the way for the download and deployment of AsyncRAT. The hacking group gets its name from the use of an eponymous RAT called Konni RAT, which offers data exfiltration, command execution, and persistence capabilities. “The final execution of AsyncRAT has been changed to operate by receiving C&C server information as an execution argument,” Enki said. “This is more flexible than the previous method of hard-coding C&C server information into malicious code, and anyone can take advantage of malicious code by building a separate server.”
- FBI Warns of Fake File Converters Used to Push Malware — Malware peddlers are targeting users searching for free file converter services and tools with lookalike offerings that give the attackers access to the victims’ machines. “These converters and downloading tools will do the task advertised, but the resulting file can contain hidden malware giving criminals access to the victim’s computer,” the U.S. Federal Bureau of Investigation (FBI) said. The tools can also scrape the submitted files for any sensitive information, including credentials and financial details.
- New SvcStealer Information Stealer Emerges in the Wild — A new information stealer called SvcStealer, written in Microsoft Visual C++, has been detected in the wild spreading via phishing campaigns. This malware harvests sensitive data such as system metadata, files matching certain extensions, running processes, installed software, and user credentials, as well as information from cryptocurrency wallets, messaging applications, and web browsers.
- Meta Begins AI Rollout in Europe But With Limitations — Meta has announced that its AI-powered virtual assistant, Meta AI, is finally launching across Facebook, Instagram, WhatsApp, and Messenger in the European Union and United Kingdom over the coming weeks. “It’s taken longer than we would have liked to get our AI technology into the hands of people in Europe as we continue to navigate its complex regulatory system,” the company said. The European launch follows regulatory and privacy pushback about tapping user data to train AI models. Meta’s approach to seeking user consent has come under scrutiny by the Irish Data Protection Commission (DPC), the company’s lead data protection regulator in the bloc, forcing the company to halt processing local users’ information to train AI models. “The model powering these Meta AI features wasn’t trained on first-party data from users in the E.U.,” Meta told TechCrunch.
- INDOHAXSEC Linked to DDoS and Ransomware Attacks — An Indonesia-based hacktivist collective dubbed INDOHAXSEC has been linked to a string of distributed denial-of-service (DDoS) and ransomware attacks against numerous entities and governmental bodies located in Australia, India, Israel, and Malaysia using a mix of custom and publicly available tools. The group, which maintains GitHub, Telegram, and social media accounts, emerged in October 2024. It has since announced partnerships with other hacktivist groups like NoName057(16). The ransomware attacks have been found to use a locker called ExorLock, which has been assessed to be written by an earlier iteration of the group when they were active under the name AnonBlackFlag.
- Orion Framework Paves the Way for Privacy-Preserving AI Models — A group of academic researchers from New York University has detailed Orion, a framework that brings support for fully homomorphic encryption (FHE) to deep learning, thereby allowing AI models to practically and efficiently operate directly on encrypted data without needing to decrypt it first. Orion “converts deep learning models written in PyTorch into efficient FHE programs,” the team said. “The framework also streamlines encryption-related processes, making it easier to manage accumulated noise and execute deep learning computations efficiently.”
- U.S. Court Upholds Conviction of Joseph Sullivan — The U.S. Court of Appeals for the Ninth Circuit unanimously upheld the conviction of former Uber Chief Security Officer Joseph Sullivan, who was previously held liable for failing to disclose a 2016 breach of customer and driver records to regulators and attempting to cover up the incident. The court said the verdict “underscores the importance of transparency even in failure situations — especially when such failures are the subject of federal investigation.”
- Russia Arrests 3 People Tied to Mamont Malware — Russian authorities have arrested three individuals suspected of developing an Android malware known as Mamont. The suspects, whose names were not disclosed, were apprehended in the Saratov region, The Record reported. Earlier this January, the Ministry of Internal Affairs of Russia revealed that the malware was being propagated in the form of APK files via Telegram with the ultimate aim of stealing sensitive personal and financial information from victims’ devices. Russian cybersecurity company Kaspersky said it also discovered threat actors using novel social engineering tactics to distribute the banking trojan targeting Android devices in the country.
- 2 Serbian Journalists Targeted by NSO Group’s Pegasus — Two investigative journalists in Serbia, who work for the Balkan Investigative Reporting Network (BIRN), were targeted with Pegasus, a commercial spyware developed by NSO Group. Last month the two journalists received suspicious messages on the Viber messaging app from an unknown Serbian number linked to Telekom Srbija, the state telecommunications operator, Amnesty International said. The messages contained a link that, if clicked, would have led to the deployment of the information-gathering tool via a decoy site. Neither journalist clicked on the link. The development marks the third time Pegasus has been used against civil society in Serbia in two years. Serbian authorities have also recently used Cellebrite software to secretly unlock civilians’ phones so they could install another brand of homegrown spyware codenamed NoviSpy.
- IOCONTROL Found Listed for Sale — The Iran-linked malware called IOCONTROL, which is explicitly designed to target industrial environments, has been listed for sale on Telegram and BreachForums, per Flashpoint. The malware is attributed to a hacking group called Cyber Av3ngers. Also called OrpaCrab, the sophisticated Linux-based backdoor is capable of surveillance, lateral movement, data exfiltration, system manipulation, and remote control.
- U.K. Issues Warning About Sadistic Online Harm Groups — The U.K. National Crime Agency (NCA) has warned of a “deeply concerning” trend of online networks called The Com that have resorted to inflicting harm and committing various kinds of criminal acts. “These online forums or communities […] see offenders collaborate or compete to cause harm across a broad spectrum of criminality – both on and offline – including cyber, fraud, extremism, serious violence, and child sexual abuse,” the NCA said. Part of this cybercrime ecosystem is the infamous Scattered Spider group, which is known for its advanced social engineering techniques to conduct extortion and ransomware attacks. Last month, Richard Ehiemere, 21, an East London member of the network, was convicted on charges of fraud and making indecent images of children. Part of a group called CVLT, the accused and other members are said to target girls on social media platforms such as Discord and persuade them to send intimate photos of themselves. “Members threatened to ‘dox’ their victims, which involves revealing real-world identities and publishing other personal information online, in order to coerce them into complying with their demands,” the NCA said. “Girls were forced to join group calls, where they would be instructed to carry out sexual acts and acts of self-harm for their audience. In severe cases, vulnerable victims were encouraged to kill themselves on camera.” A month prior to that, 19-year-old Cameron Finnigan was jailed for encouraging suicide, possession of indecent images of children, and two counts of criminal damage.
- Unknown Threat Actor Registers Over 10k Domains for Smishing Scams — Over 10,000 domains bearing the same domain pattern have been registered for conducting various kinds of SMS phishing scams. “The root domain names all begin with the string: com-,” Palo Alto Networks Unit 42 said. “Since the root domain begins with ‘com-’ next to a subdomain, the full domain might trick potential victims into doing a casual inspection.” The campaigns are designed to trick users into revealing their personal information, including credit or debit card and account information.
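The pattern Unit 42 describes can be checked mechanically: split the host of each link, take its root domain, and flag it when that root starts with `com-`. The code below is an added example and not from the page or from Unit 42; it assumes a naive two-label root domain (a public suffix list would handle multi-part suffixes such as co.uk), and the SMS text and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive root domain: the last two labels.

    Assumption: adequate for the com-<words>.<tld> pattern discussed here; a
    public-suffix-list library is the production choice for multi-part suffixes.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def has_com_prefix_root(host: str) -> bool:
    """True when the root domain itself starts with 'com-'."""
    return registrable_domain(host).startswith("com-")


def find_suspicious_links(message: str) -> list:
    """Return each link in an SMS body whose root domain begins with 'com-'.

    'lookalike' records what a casual glance reads: the subdomain followed by
    the 'com' fragment, e.g. 'acmebank.com' out of acmebank.com-secure-verify.top.
    """
    findings = []
    for url in URL_RE.findall(message):
        host = urlsplit(url).hostname
        if not host or not has_com_prefix_root(host):
            continue
        labels = host.split(".")
        findings.append({
            "url": url,
            "root": registrable_domain(host),
            "lookalike": ".".join(labels[:-2]) + ".com" if len(labels) > 2 else None,
        })
    return findings


# Constructed sample SMS lure using a fictional brand and a made-up domain.
SAMPLE_SMS = ("AcmeBank: unusual sign-in detected. Verify your account at "
              "https://acmebank.com-secure-verify.top/login?ref=sms "
              "or view the policy at https://www.acmebank.example/security")

if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_SMS):
        print(f"suspicious: {f['url']}  root={f['root']}  reads-as={f['lookalike']}")
```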
- Exploiting Car Infotainment System to Plant Spyware — NCC Group researchers Alex Plaskett and McCaulay Hudson have demonstrated a trio of zero-day exploits (CVE-2024-23928, CVE-2024-23929, and CVE-2024-23930) that could be weaponized to break into Pioneer DMH-WT7600NEX, gain shell access, and install malicious software on the in-vehicle infotainment (IVI) system. This could then be used to exfiltrate data from the infotainment system to track an individual’s location, contacts, and call history. Previously, the duo revealed multiple vulnerabilities in Phoenix Contact CHARX SEC-3100, an electric vehicle (EV) charger controller, that could facilitate privilege escalation and remote code execution (CVE-2024-6788, CVE-2024-25994, CVE-2024-25995, and CVE-2024-25999).
🎥 Expert Webinar
- Is ASPM the future of AppSec—or just another trend? Join Amir Kaushansky from Palo Alto Networks to find out. In this free webinar, you’ll learn how Application Security Posture Management (ASPM) helps teams fix security gaps by connecting code and runtime data. See how it brings all your AppSec tools into one place, so you can spot real risks faster, automate policies, and reduce the need for last-minute fixes. If you want to simplify security and stay ahead of threats, this session is for you. Save your seat now.
- AI Is Fueling Attacks—Learn How to Shut Them Down — AI isn’t the future threat—it’s today’s biggest challenge. From deepfake phishing to AI-powered reconnaissance, attackers are moving faster than legacy defenses can keep up. In this session, Zscaler’s Diana Shtil shares practical ways to use Zero Trust to defend against AI-driven threats—before they reach your perimeter.
- AI Tools Are Bypassing Your Controls—Here’s How to Find and Stop Them — You can’t protect what you can’t see. Shadow AI tools are quietly spreading across SaaS environments—often unnoticed until it’s too late. Join Reco’s Dvir Sasson for a real-world look at hidden AI usage, stealthy attack paths, and how to get visibility before threats become incidents.
🔧 Cybersecurity Tools
- NetBird — NetBird makes it easy to build secure private networks without complex setups. It connects your devices using WireGuard, with encrypted tunnels and no need to open ports or configure firewalls. Use it at home or work, in the cloud, or self-hosted. Manage access from one place with easy-to-use controls. Fast to install, simple to scale, and works anywhere.
- Dalfox — Dalfox is a fast, flexible open-source tool built for modern XSS testing. Designed with automation at its core, it streamlines everything from parameter analysis to vulnerability verification—making it a favorite for security researchers and bug bounty hunters. With support for multiple scanning modes, advanced discovery techniques, and customizable payloads, Dalfox offers deep insights into reflected, stored, and DOM-based XSS vulnerabilities—all while providing detailed, developer-friendly output.
🔒 Tip of the Week
Disable Browser Autofill for Sensitive Fields — Autofill might save time, but it can silently leak your data. Attackers can craft hidden form fields on malicious websites that your browser unknowingly fills with your email, phone number, or even credit card info—without you ever clicking a thing. It’s a quiet but real threat, especially in phishing attacks.
To stay safer, disable autofill for personal and sensitive fields in your browser settings. In Chrome, go to Settings → Autofill, and turn off Passwords, Payment methods, and Addresses. In Firefox, head to Settings → Privacy & Security, and uncheck all Forms and Autofill options. For Edge, go to Profiles → Personal Info & Payment Info, and switch off both. On Safari, navigate to Preferences → AutoFill and deselect every category.
For even more control, use a password manager like Bitwarden or KeePassXC—they only autofill when you explicitly approve it. Convenience is great, but not at the cost of silent data leaks.
Conclusion
We often place trust in tools, platforms, and routines—until they become the very weapons used against us.
This week’s stories are a reminder that threat actors don’t break the rules—they bend the conveniences we rely on. It’s not just about patching systems; it’s about questioning assumptions.