🎓️ Vulnerable U | #114
North Korean IT workers, Google zero day report, Apple AirPlay vulns, neat new malware tricks, and much more!
Read Time: 9 minutes

Howdy friends!
Writing you from the airport on my way home after a week away at BSidesSF and RSA. Lost my voice. My feet are killing me. My inbox is full. But, my cup is full since I got to see a lot of people I only ever see this week. Some of which I’ve known for 15+ years, some of which I just met recently.
I’ll write some takeaways from events I got to go to, but I can say that starting my newsletter, Instagram, TikTok, and YouTube have all changed my life in so many ways. One of those ways was how many of you grabbed me to say hi!
“My kids sent me your tiktok video and I was cool to them for a second because I knew you already!”
“I’m in school and your videos help put what I’m learning into context and have me interested in the field even more.”
“Wow you’re even better looking in real life!”
“I have had a non traditional path into the field and your content has helped me learn along the way”
One of the above is made up, I’ll let you guess. But seriously thank you for any of you that took the time to say something nice to me, it really keeps me going.

Cyber Creators meetup over copious amounts of Korean BBQ
ICYMI
🖊️ Something I wrote: Link
🎧️ Something I heard: researcher figures out how to duplicate ticketmaster tickets
🎤 Something I said: Saw so many Deel and Rippling ads in SF this week, Couldn’t help but think of the video I made of the corporate espionage drama between them.
🔖 Something I read: I got to meet Zach from Detection Engineering Weekly this week, he’s one of my favorite practitioner driven newsletters. In a shocking turn of events, he’s also a really great dude. Go check him out.
Vulnerable News
I’m writing this from the airport on the way back from RSA and I can’t emphasize enough how many people I talked to are struggling with this issue. This has gone from “yeah we’ve heard about a few instances” to “nearly every practitioner I talked to has chased at least one of these as an incident.”
Kraken's security team turned the tables on a North Korean hacker trying to infiltrate the company through their job recruitment process. After getting tipped off about NK hackers targeting crypto companies, they spotted matching email addresses and suspicious behavior during initial interviews - including the candidate switching between different voices while being coached in real-time.
Instead of shutting it down, Kraken's team played along to study their tactics. The finale was brilliant - they set up a "casual chemistry interview" with their CSO that was actually a trap, peppering in 2FA-style verification questions about the candidate's claimed location. The hacker completely fell apart when asked basic questions about local restaurants and couldn't properly verify their ID. The investigation also uncovered a network of fake identities this person had used to successfully land jobs at other companies.
If you don’t have a playbook for this with your recruiting team, you’re behind the curve and should prioritize it immediately IMO. (read more)
Inside the AI Arms Race: How Cybercriminals Exploit Trusted Tools and Malicious GPTs explores how generative AI, once hailed for its human-like fluency and adaptability, is now being weaponized. This white paper reveals how attackers bypass safeguards, create malicious GPTs, and use AI to deceive and defraud. Backed by real-world experiments, it offers actionable insights and strategies to defend against evolving AI-enabled threats.
*Sponsored

Google Threat Intel Report Data
Google's Threat Intelligence team tracked 75 zero-days in 2024, down from 98 in 2023 but showing a steady upward trend since 2021. The most interesting shift is that enterprise tech (especially security and networking products) made up 44% of zero-days - up from 37% in 2023. Attackers are realizing that hitting security appliances and VPNs gives them more bang for their buck than traditional browser/OS exploits.
Browser and mobile zero-days actually dropped by about a third (thanks to better mitigations), while Windows exploitation kept climbing to 22 zero-days. On the actor front, China and North Korea tied for most attributed zero-days (5 each). Two interesting cases: a WebKit exploit chain targeting Ukrainian diplomats that stole browser cookies, and CIGAR (a financially-motivated group with Russian connections) using Firefox exploits with a fancy privilege escalation trick. (read more)
More coverage on this topic worth reading. Seriously, I heard so many people fighting this.
The North Korean IT worker infiltration has exploded beyond tech and crypto into basically every industry. At RSA, Palo Alto Networks revealed that for one client, 90% of their job postings had NK applicants, and Mandiant's CTO says nearly every Fortune 500 they've talked to has hired at least one NK worker.
The operation is wild - workers are crammed 10 to an apartment, managing multiple jobs that can generate 70+ paychecks monthly. They're required to earn $5-20k each month (up from previous quotas) or face punishment. When companies started cracking down last October, some workers turned to extortion or handed access to NK APT groups. Most companies report these workers perform well, leading to resistance when they need to be removed. The scheme's been so successful that groups in Pakistan and Iran are now copying the playbook. (read more)
Heads up if you're running SAP NetWeaver, there's a vulnerability (CVE-2025-31324) being actively exploited in the wild. It's in the Visual Composer Metadata Uploader component and scores a perfect 10.0 CVSS, letting attackers upload arbitrary files through a malicious POST request. Exploit activity has been observed since March 27, almost a month before SAP published their advisory on April 24.
ReliaQuest researchers caught threat actors uploading web shells through the vulnerability to deploy malware and establish C2 connections. Rapid7 also spotted exploitation, mostly targeting manufacturing companies. If you're running any 7.xx version of NetWeaver, SAP recommends emergency updates outside your normal patch cycle, restricting access to the affected endpoint (/developmentserver/metadatauploader), and hunting for signs of compromise. Remember, patching won't fix existing compromises, so check your environment even after updating. (read more)
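An added example of the hunting step above, not code from the article or from SAP: it parses constructed Apache-style access-log lines, pulls out POSTs to the affected /developmentserver/metadatauploader endpoint, and flags later .jsp requests from the same source IP as candidate web-shell hits (the sample lines, the IPs and the file name dropped.jsp are all made up for illustration).

```python
import re

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Mar/2025:02:14:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [28/Mar/2025:02:15:11 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Mar/2025:02:16:40 +0000] "POST /developmentserver/metadatauploader?sap-client=001 HTTP/1.1" 200 77 "-" "curl/8.4.0"
203.0.113.10 - - [28/Mar/2025:02:17:02 +0000] "GET /irj/dropped.jsp HTTP/1.1" 200 64 "-" "curl/8.4.0"
192.0.2.5 - - [28/Mar/2025:02:18:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

AFFECTED_PATH = "/developmentserver/metadatauploader"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_uploader_posts(log_text):
    """POSTs to the Metadata Uploader are the exploitation primitive for
    CVE-2025-31324; a 200 response means the server accepted the upload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # ignore any query string
        if rec["method"] == "POST" and path == AFFECTED_PATH:
            hits.append(rec)
    return hits

def followup_jsp_requests(log_text, hits):
    """Later requests for a .jsp from an IP that hit the uploader are
    candidate web-shell invocations; review those files on disk."""
    suspects = {h["ip"] for h in hits}
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and rec["ip"] in suspects
            and rec["path"].split("?", 1)[0].lower().endswith(".jsp")]

def summarize(log_text):
    hits = find_uploader_posts(log_text)
    accepted = [h for h in hits if h["status"] == "200"]
    return {"uploader_posts": len(hits), "accepted": len(accepted),
            "jsp_followups": [r["path"] for r in followup_jsp_requests(log_text, hits)]}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against your real NetWeaver HTTP logs by swapping SAMPLE_LOG for the file contents; a rejected (403) GET is noise, an accepted POST is a lead.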
Apple just patched "AirBorne" - a nasty set of 23 vulnerabilities in AirPlay that could let attackers execute zero-click RCE attacks on the same network. Two of these flaws (CVE-2025-24252 and CVE-2025-24132) can be chained together to create wormable exploits, meaning malware could spread automatically between AirPlay devices. Another flaw lets attackers bypass those "Accept" prompts we usually rely on for protection.
The impact radius is massive - 2.35 billion Apple devices plus millions of third-party AirPlay speakers and TVs. While the attacker needs to be on the same network, they could potentially use compromised devices to leapfrog through networks and deliver ransomware or espionage payloads. The fixes are in iOS/iPadOS 18.4, various macOS versions, and visionOS 2.4. If you're not using AirPlay, you might want to just disable it entirely. (read more)
France is finally naming names, publicly calling out Russia's military intelligence (GRU) for running years of attacks against French targets. They've specifically fingered APT28 (aka Fancy Bear) for hitting about ten French entities since 2021, including government services, private companies, and even a sports organization prepping for the Olympics. This is the same crew that took down TV5Monde back in 2015 and tried to mess with France's 2017 presidential election.
This public callout comes as Macron is pushing Western allies to put more pressure on Moscow over Ukraine in the next ten days. France isn't alone in getting tired of APT28's antics - Germany accused them of targeting their defense sector earlier this year, and Poland got hit with a large-scale espionage campaign last May. What's notable technically is how low-budget APT28's infrastructure reportedly is - just rented servers and VPNs, proving you don't need fancy tools when simple ones work fine. (read more)
Yale New Haven Health just disclosed a massive ransomware hit from March that exposed data on over 5 million patients - making it one of the largest healthcare breaches this year. What's frustrating about this one is we're just hearing about it now, over a month later. While details are still light on the specific ransomware group or how they got in, the delayed disclosure raises questions about incident response and notification timelines in healthcare. This follows a concerning pattern we've seen with other major health systems like Ardent and Prospect Medical getting hammered by ransomware recently. (read more)
A new C# infostealer called Gremlin has popped up in the wild, sold through Telegram since March 2025. What stands out to me is its effective bypass of Chrome's v20 cookie protection and the surprisingly polished backend infrastructure that comes with purchase. The malware targets the usual suspects - browser data, crypto wallets, and credentials - but does it through a well-organized exfiltration system that packages everything into neat ZIPs before sending it to a centralized server.
The technical implementation shows some sophistication - it's not just scraping files but actively parsing data from Chromium/Gecko browsers and has specific modules for various crypto wallets, FTP clients, and VPN services. The authors are actively developing it and providing a turn-key operation through their Telegram channel "CoderSharp", complete with a web portal for buyers to manage their stolen data. Unit 42 has been tracking samples since March, and while there's nothing revolutionary here, it's another example of the continuing professionalization of malware-as-a-service. (read more)
A gnarly new card skimming attack was spotted in the wild using a fake .gif file as part of a multi-stage reverse proxy attack on Magento stores. The attackers hid their code inside what appeared to be Bing tracking tags, but it actually loaded a malicious .gif that was really a PHP script. This script acted as a reverse proxy, intercepting all traffic between customers and the store while staying completely invisible.
The clever part was how it worked with a second piece of malware in the checkout page. The first stage plants a trigger in the user's browser sessionStorage, and the checkout malware looks for that trigger to steal card data. Since it all happens client-side and clears when the browser closes, it's extra sneaky. (read more)
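An added example for the fake-.gif trick above, not code from the write-up or from Magento: a small scanner that walks a webroot and flags files with image extensions whose bytes are not the image they claim to be, or that carry a PHP open tag (the sample tree it builds is constructed in a temp directory; the file names are made up).

```python
import os
import tempfile

# Magic bytes for the image types a Magento media directory normally holds.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
PHP_MARKERS = (b"<?php", b"<?=")

def inspect_file(path):
    """Return findings for one image-named file: 'bad-magic' if the header is
    wrong, 'php-code' if a PHP open tag appears anywhere in the first 64 KiB.
    A polyglot with a valid GIF header followed by PHP still gets 'php-code'."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return []
    with open(path, "rb") as f:
        data = f.read(65536)
    findings = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("bad-magic")
    if any(m in data for m in PHP_MARKERS):
        findings.append("php-code")
    return findings

def scan_tree(root):
    """Walk a webroot and map each suspicious image-named file to its findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            found = inspect_file(p)
            if found:
                report[os.path.relpath(p, root)] = found
    return report

def demo():
    """Constructed sample tree: one genuine GIF header, one PHP file named .gif."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "media"))
    with open(os.path.join(root, "media", "logo.gif"), "wb") as f:
        f.write(b"GIF89a" + b"\x00" * 32)
    with open(os.path.join(root, "media", "track.gif"), "wb") as f:
        f.write(b"<?php /* constructed stand-in, no real proxy code */ ?>")
    return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```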
A nasty pre-auth RCE (CVE-2025-32433) was discovered in Erlang/OTP's SSH server implementation, affecting versions before OTP-27.3.3, 26.2.5.11, and 25.3.2.20. The bug exists because the SSH server wasn't properly checking message order in its state machine - specifically around channel messages that should only be processed post-authentication.
The exploit is surprisingly straightforward. After completing the SSH handshake and key exchange (but before authentication), you can send SSH_MSG_CHANNEL_OPEN followed by SSH_MSG_CHANNEL_REQUEST messages to execute arbitrary Erlang code. An interesting tidbit is this vuln was apparently discovered using AI-assisted exploit development. The article includes a full PoC that demonstrates RCE by creating a file, though the author notes it can be easily modified for more interesting payloads. (read more)
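An added example modelling the bug class described above in Python, not code from the article or from Erlang/OTP: a toy server state machine that tracks which SSH message types are acceptable in each phase. With enforce_order=False it accepts channel messages before authentication (the flaw); with enforce_order=True they are rejected. The message numbers are from RFC 4250; the "good-password" check and the "exec" payload are stand-ins.

```python
# SSH message numbers from RFC 4250.
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

class ProtocolViolation(Exception): pass

# Which client messages each phase of the server state machine may accept.
ALLOWED = {
    "kex": {SSH_MSG_NEWKEYS},
    "service": {SSH_MSG_SERVICE_REQUEST},
    "userauth": {SSH_MSG_USERAUTH_REQUEST},
    "connection": {SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST},
}

class SshServerModel:
    """enforce_order=False reproduces the bug class (channel messages handled
    in any phase); enforce_order=True is the hardened behaviour."""
    def __init__(self, enforce_order):
        self.enforce_order = enforce_order
        self.phase = "kex"
        self.channels = set()
        self.executed = []   # channel-request payloads the server acted on

    def handle(self, msg_type, payload=None):
        if self.enforce_order and msg_type not in ALLOWED[self.phase]:
            raise ProtocolViolation(f"message {msg_type} rejected in phase {self.phase}")
        if msg_type == SSH_MSG_NEWKEYS:
            self.phase = "service"
        elif msg_type == SSH_MSG_SERVICE_REQUEST:
            self.phase = "userauth"
        elif msg_type == SSH_MSG_USERAUTH_REQUEST:
            if payload == "good-password":     # stand-in for real credential checking
                self.phase = "connection"
        elif msg_type == SSH_MSG_CHANNEL_OPEN:
            self.channels.add(payload)
        elif msg_type == SSH_MSG_CHANNEL_REQUEST and payload[0] in self.channels:
            self.executed.append(payload[1])   # e.g. an "exec" request
        return self.phase

def pre_auth_channel_request(enforce_order):
    """Post-handshake, pre-auth sequence from the write-up; returns what the
    server executed (empty when the ordering check rejects it)."""
    srv = SshServerModel(enforce_order)
    try:
        srv.handle(SSH_MSG_NEWKEYS)
        srv.handle(SSH_MSG_SERVICE_REQUEST, "ssh-userauth")
        srv.handle(SSH_MSG_CHANNEL_OPEN, 0)            # never authenticated
        srv.handle(SSH_MSG_CHANNEL_REQUEST, (0, "exec"))
    except ProtocolViolation:
        pass
    return srv.executed
```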
Socket's researchers just caught a sneaky set of Python packages using Gmail as a command and control channel. The "Coffin Codes" family of packages (seven variants discovered) establish outbound connections to Gmail's SMTP server using hardcoded credentials, then send notification emails to the attacker's address. They create a WebSocket tunnel that lets attackers access the victim's internal network while flying under the radar since SMTP traffic to Gmail rarely gets flagged by security tools.
Socket found evidence the same threat actor has been at this since at least 2021. Based on the email addresses (blockchain.bitcoins2020[@]gmail[.]com and similar), there might be a cryptocurrency angle, though the attacker could be doing anything from stealing keys to accessing internal dashboards once they've established that tunnel. PyPI has removed the packages. (read more)
A WordPress plugin masquerading as security software ("WP-antymalwary-bot.php") is making the rounds, giving attackers full admin access and remote code execution capabilities. The malware is pretty resilient: it can recreate itself via wp-cron.php if removed and likes to spread into other directories. Russian-speaking actors appear to be behind it, based on language found in the code.
This ties into a broader wave of WordPress and e-commerce attacks spotted recently. Sucuri caught a skimmer using a fake fonts domain to steal payment data. There's also a CAPTCHA-based campaign dropping Node.js backdoors, linked to the Kongtuke traffic distribution system. (read more)
NoName057(16), a Russia-aligned hacktivist group, is hammering Dutch public organizations with DDoS attacks in response to Netherlands' military aid to Ukraine. The group's targeting multiple provinces and municipalities including Groningen, Noord-Holland, and Zeeland, taking their online portals offline for hours. While no internal systems were compromised, it's part of a broader campaign against Western targets since March 2022.
They crowdsourced their DDoS platform 'DDoSIA', which pays "volunteers" to join attacks. Despite Spanish authorities nabbing three members in July 2024, the group's leadership remains at large and the attacks keep rolling. The Dutch NCSC is tracking the situation, but the Netherlands isn't backing down: €6 billion has already been sent to Ukraine and another €3.5 billion is planned for 2026. (read more)
Microsoft found a way to break out of the macOS App Sandbox by messing with security-scoped bookmarks. The bug (CVE-2025-31191) lets attackers bypass sandbox restrictions without any user interaction - they just need to delete and replace a keychain entry that's used for signing these bookmarks. The exploit works against any sandboxed app using security-scoped bookmarks, making it a pretty universal sandbox escape.
Microsoft's team discovered they could delete the secret key used to sign sandbox access tokens and replace it with their own. Since the key is used to validate file access permissions between reboots, replacing it lets attackers grant themselves access to any files they want. Apple patched it in March 2025 after Microsoft reported it through their vulnerability disclosure program. (read more)
Miscellaneous mattjay
Yeah boss. Finished the giant personification of North Korean threat actors. Made it really sexy just like you asked.
— Matt Johansen (@mattjay.com) 2025-04-30T20:04:32.465Z
Are you even a hacker if you don’t e2e encrypt your coffee?
— Matt Johansen (@mattjay.com) 2025-05-01T22:17:40.169Z
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay