ThreatsDay Bulletin: PQC Migration Accelerates, AI Uncovers Vulnerabilities, Pirated Software Delivers Backdoors, Phishing Campaigns Emerge & 20 More Updates
In the ever-evolving landscape of cybersecurity, recent developments highlight a concerning trend: the increasing sophistication of cyber threats and the need for robust defenses. This week’s ThreatsDay Bulletin reveals a series of significant updates that underscore the urgency for organizations to adapt and respond to emerging vulnerabilities and attack vectors.
Accelerating Post-Quantum Cryptography Migration
Google has announced a timeline for the migration to post-quantum cryptography (PQC) by 2029, emphasizing the need for other engineering teams to follow suit. This initiative is driven by advancements in quantum computing hardware and the potential threats posed to current cryptographic standards. Google stated, “Quantum computers will pose a significant threat to current cryptographic standards, specifically to encryption and digital signatures.” The company is integrating PQC digital signature protection into Android 17, utilizing the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). This upgrade aims to enhance the security of software during the boot sequence and ensure that authentication services transition to a PQC-compliant architecture.
AI-Powered Vulnerability Detection
GitHub is expanding its application security coverage through AI-powered security detections in GitHub Code Security. This initiative aims to surface potential vulnerabilities across various programming languages and frameworks, complementing existing tools like CodeQL. GitHub indicated that this hybrid detection model will assist developers in identifying security issues that traditional static analysis may overlook. The new model is expected to enter public preview in early Q2 2026, marking a significant step in enhancing application security.
Exploiting Pirated Software for Backdoor Access
The Russian threat actor known as Sandworm (APT-C-13) has been linked to a campaign that uses pirated versions of legitimate software, such as Microsoft Office, to deliver backdoors to high-value targets. These attacks reportedly leverage social engineering tactics to lure Ukrainian users seeking software cracks. The backdoors, identified as Tambur, Sumbur, Kalambur, and DemiMur, are designed to facilitate unauthorized access and control over compromised systems. The 360 Advanced Threat Research Institute noted that attackers use these modules to manipulate the trust chain and evade detection.
Phishing Campaigns Utilizing Fake Extensions
A cryptocurrency scam named ShieldGuard has emerged, masquerading as a security tool designed to protect crypto wallets. However, further analysis revealed that it was engineered to drain digital assets from users’ wallets. The scam was promoted through a dedicated website and social media channels, employing a multi-level marketing strategy to entice users. Okta reported that the extension was designed to harvest sensitive data from major cryptocurrency platforms, including Binance and Coinbase.
Global Spread of Firmware Backdoors
Sophos has identified a malicious firmware infection known as Keenadu, which targets Android devices. This backdoor injects itself into the Zygote process, granting attackers total control over infected devices. The malware acts as a downloader for additional malicious payloads, with over 500 unique compromised devices detected across nearly 50 models. The infections have been reported in 40 countries, raising concerns about the global reach of this threat.
Resilience of Phishing-as-a-Service Operations
Despite law enforcement efforts, the Tycoon2FA phishing service has quickly rebounded after the seizure of 330 active domains. CrowdStrike noted that the disruption had only a minor impact on Tycoon2FA’s operations, which returned to pre-disruption levels shortly after. The service continues to employ sophisticated tactics, including phishing emails that direct users to malicious CAPTCHA pages and the use of stolen credentials to compromise cloud environments.
Weaponizing Meeting Invites for Remote Access
Phishing campaigns are increasingly using fake meeting invites for popular video conferencing applications to distribute remote access tools. Attackers trick users into executing malicious payloads disguised as mandatory software updates. Netskope reported that these tools enable attackers to gain full administrative control over victims’ machines, potentially leading to data theft or further malware deployment.
Fileless Phishing Campaigns Targeting Sensitive Sectors
A fileless phishing campaign has been identified, targeting healthcare and government organizations in Germany and Canada. This campaign delivers the PureLogs data-stealing malware through phishing emails that lure victims into downloading malicious executables. Trend Micro highlighted the sophisticated nature of this attack, which employs encrypted payloads and anti-analysis techniques to evade detection.
Targeting Vulnerable MS-SQL Servers
The Larva-26002 threat actor continues to exploit improperly managed MS-SQL servers, utilizing the Bulk Copy Program (BCP) to deploy malware locally. AhnLab reported that the attackers have introduced a scanner malware named ICE Cloud Client, which functions as both a scanner and a brute-force tool to compromise vulnerable servers.
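The BCP abuse described above leaves a recognizable process tree: bcp.exe running beneath sqlservr.exe and writing a file with an executable extension. The following is an added detection example, not AhnLab's logic or any product's rule; the Sysmon-style event lines, process ids, paths and file names are constructed for illustration, and the set of flagged extensions is an assumption a team would tune.

```python
import re

# Constructed, Sysmon-style process-creation events (key="value" pairs).
# Paths and names are illustrative; pid 1880 is SQL Server, 5204/5210 is a
# cmd.exe -> bcp.exe chain under it writing an .exe, 6100/6110 is an admin
# exporting a .csv from explorer.exe, 7300 is a .csv export under sqlservr.exe.
EVENTS = [
    r'ts="2026-03-01T02:11:04Z" pid="1880" ppid="720" image="C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" cmdline="sqlservr.exe -sMSSQLSERVER"',
    r'ts="2026-03-01T02:11:09Z" pid="5204" ppid="1880" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c bcp dbo.tmp out C:\ProgramData\drop.exe -T -n"',
    r'ts="2026-03-01T02:11:09Z" pid="5210" ppid="5204" image="C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe" cmdline="bcp dbo.tmp out C:\ProgramData\drop.exe -T -n"',
    r'ts="2026-03-01T02:12:00Z" pid="3300" ppid="900" image="C:\Windows\explorer.exe" cmdline="explorer.exe"',
    r'ts="2026-03-01T02:12:05Z" pid="6100" ppid="3300" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe"',
    r'ts="2026-03-01T02:12:30Z" pid="6110" ppid="6100" image="C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe" cmdline="bcp dbo.sales out C:\exports\sales.csv -c -T"',
    r'ts="2026-03-01T02:13:00Z" pid="7300" ppid="1880" image="C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe" cmdline="bcp dbo.sales queryout C:\exports\daily.csv -c -T"',
]

KV = re.compile(r'(\w+)="([^"]*)"')
# bcp writes a file with the "out" or "queryout" verb followed by the target path.
BCP_WRITE = re.compile(r"\b(out|queryout)\s+(\S+)", re.IGNORECASE)
# Assumed list of extensions that a bulk-copy export should never produce.
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr")


def parse_event(line: str) -> dict:
    """Turn one key="value" line into a dict."""
    return dict(KV.findall(line))


def basename(path: str) -> str:
    """Windows basename that works on any host (split on backslash)."""
    return path.rsplit("\\", 1)[-1].lower()


def find_bcp_drops(lines, max_depth=5):
    """Return one alert per bcp.exe event that (a) has sqlservr.exe among its
    ancestors within max_depth hops and (b) writes to an executable extension."""
    events = [parse_event(line) for line in lines]
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e.get("image", "")) != "bcp.exe":
            continue
        # Walk up the parent chain as far as the log lets us.
        chain, cur = [], e
        for _ in range(max_depth):
            parent = by_pid.get(cur.get("ppid"))
            if parent is None:
                break
            chain.append(basename(parent["image"]))
            cur = parent
        if "sqlservr.exe" not in chain:
            continue
        m = BCP_WRITE.search(e.get("cmdline", ""))
        if not m:
            continue
        target = m.group(2).strip('"')
        if target.lower().endswith(EXEC_EXT):
            alerts.append({"pid": e["pid"], "target": target, "chain": chain, "ts": e.get("ts")})
    return alerts


if __name__ == "__main__":
    for alert in find_bcp_drops(EVENTS):
        print(alert)
```

Only the cmd.exe/bcp.exe pair under SQL Server writing drop.exe is reported; the two .csv exports, including the one launched from the sqlservr.exe tree, stay silent, which is the trade-off a team should make consciously when legitimate xp_cmdshell exports exist.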
Vulnerability in ClawHub Allows Ranking Manipulation
A critical vulnerability in ClawHub, a skills marketplace for OpenClaw, has been discovered, allowing attackers to artificially inflate skill rankings. Security researcher Noa Gazit noted that the flaw stems from an exposed download counter function, enabling attackers to bypass protections and manipulate download metrics.
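The flaw above is an instance of a general pattern: a metric that feeds ranking is incremented by an endpoint anyone can call, detached from the event it is supposed to measure. Below is an added example, not ClawHub's or OpenClaw's code, showing the vulnerable shape beside a hardened one in which the count is a side effect of actually serving the artifact, deduplicated per client per skill and capped per client. The class names, the in-memory store, the skill table and the window and cap values are all assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed skill registry (not ClawHub data): skill id -> artifact bytes.
SKILLS = {
    "skill-a": b"<constructed artifact bytes for skill-a>",
    "skill-b": b"<constructed artifact bytes for skill-b>",
}


class NaiveCounter:
    """Vulnerable pattern: the increment is reachable as its own operation, so a
    loop of requests inflates any skill's ranking without a single download."""

    def __init__(self):
        self.downloads = defaultdict(int)

    def increment(self, skill_id: str) -> int:
        self.downloads[skill_id] += 1
        return self.downloads[skill_id]


class HardenedCounter:
    """The count only moves when the server serves the artifact, at most once per
    (client, skill) per dedupe window, and each client has an hourly download cap."""

    def __init__(self, dedupe_window=86400, cap_per_hour=20):
        self.downloads = defaultdict(int)
        self.last_counted = {}            # (client_id, skill_id) -> last counted time
        self.recent = defaultdict(deque)  # client_id -> timestamps of served downloads
        self.dedupe_window = dedupe_window
        self.cap_per_hour = cap_per_hour

    def serve_download(self, skill_id: str, client_id: str, now=None):
        """Return (artifact, counted). artifact is None when the request is refused."""
        now = time.time() if now is None else now
        if skill_id not in SKILLS:
            raise KeyError(skill_id)
        # Per-client rate limit: forget downloads older than an hour, then check the cap.
        q = self.recent[client_id]
        while q and now - q[0] >= 3600:
            q.popleft()
        if len(q) >= self.cap_per_hour:
            return None, False
        q.append(now)
        # Dedupe: a repeat download by the same client inside the window is served
        # but not counted, so replaying the request cannot move the ranking.
        key = (client_id, skill_id)
        last = self.last_counted.get(key)
        counted = last is None or now - last >= self.dedupe_window
        if counted:
            self.downloads[skill_id] += 1
            self.last_counted[key] = now
        return SKILLS[skill_id], counted


if __name__ == "__main__":
    naive = NaiveCounter()
    for _ in range(1000):
        naive.increment("skill-a")
    hardened = HardenedCounter()
    for i in range(1000):
        hardened.serve_download("skill-a", "same-client", now=1000 + i)
    print("naive:", naive.downloads["skill-a"], "hardened:", hardened.downloads["skill-a"])
```

The same thousand requests move the naive counter by a thousand and the hardened one by one. In a real service the client identity would come from an authenticated session or a signed token rather than a free-form string, since a counter keyed on a self-reported id can still be gamed by rotating ids.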
Malicious npm Packages Stealing Crypto Keys
Five malicious npm packages have been identified that typosquat a legitimate cryptocurrency library, exfiltrating private keys to a hard-coded Telegram bot. Socket reported that these packages hook into functions that developers use to pass private keys, silently sending them to the attackers.
Google Forms Used for Malware Distribution
A campaign utilizing Google Forms has been reported, leveraging business-related lures to distribute malware, including the PureHVNC remote access trojan. Malwarebytes indicated that the attack begins with victims downloading a malicious file linked from a Google Form, triggering a multi-stage infection process.
Targeting Web3 Support Teams with Sophisticated Malware
A multi-stage malware campaign targeting customer support staff in Web3 companies has been identified. This campaign uses suspicious links sent via chat to deliver a malicious executable disguised as a photograph, which retrieves a second-stage loader from an AWS S3 dead drop. This operation has been attributed to APT-Q-27, a financially motivated threat group suspected to be operating out of China.
Cloud Phones Fueling Financial Fraud
Cloud phones, which are internet-based virtual phone systems, are being exploited for financial fraud. Group-IB reported that these devices, often sold on darknet markets, are used in Account Takeover (ATO) and Authorized Push Payment (APP) scams. Fraudsters can manipulate unsuspecting users into providing personal banking credentials, facilitating financial crimes.
Outdated IIS Servers Present Security Risks
The Shadowserver Foundation reported over 511,000 end-of-life Microsoft IIS instances in its daily scans, with more than 227,000 instances beyond the official Microsoft Extended Security Updates (ESU) period. These outdated servers pose significant security risks, particularly in regions like China, the U.S., and Europe.
Crackdown on CCTV Systems Following Espionage Exposures
In India, authorities have ordered a comprehensive audit of CCTV systems after the exposure of a Pakistan-linked spy network exploiting surveillance cameras for espionage. The Indian government has outlined measures to strengthen the security of these systems, while multiple arrests have been made in connection with the espionage activities.
New Traffic Distribution System for Phishing Attacks
A new traffic distribution system, TOXICSNAKE, has been identified as a tool to route victims to phishing scams or malware payloads. This system employs a JavaScript loader capable of fingerprinting site visitors, returning either a redirect URL or a malicious payload link.
PowerShell Ransomware Evades Detection
The Crytox PowerShell Encryptor has been reported to evade endpoint detection and response (EDR) solutions. Halcyon noted that this ransomware targets virtual infrastructure and exploits VPN vulnerabilities, indicating a shift towards more targeted operations.
Exposing North Korean Cyber Operators
Research from Hudson Rock has uncovered a North Korean IT worker who inadvertently infected their machine with Lumma Stealer malware while searching for GTA V cheats. The exfiltrated logs revealed corporate credentials for a content delivery network used by state-sponsored actors.
Polyfill Supply Chain Attack Linked to North Korea
The 2024 Polyfill.io supply chain attack has been connected to North Korean threat actors. A significant operational security blunder led to the infection of a machine with Lumma Stealer, revealing critical credentials and operational details.
Dismissal of WhatsApp Case Against Meta
A U.S. judge has dismissed a case against Meta brought by a former WhatsApp employee who alleged negligence regarding user privacy and security. The judge determined that the complaint lacked sufficient factual support for the claims made.
New Powers for Hong Kong Police
Hong Kong police now have the authority to demand passwords from individuals suspected of breaching the National Security Law. Those who refuse to comply could face significant penalties, raising concerns about privacy and civil liberties.
Android RAT Available as Malware-as-a-Service
A new Android RAT, Oblivion RAT, is being marketed as a malware-as-a-service platform on cybercrime networks. The service includes tools for real-time device control and is distributed through social engineering attacks, exploiting Android’s accessibility services to gain additional permissions.