🎓️ Vulnerable U | #123
Critical Cisco Backdoor, New macOS malware disguised as Zoom updates, Ransomware negotiator was being paid by ransomware operators, and much much more!
Read Time: 7 minutes

Howdy friends!
Summer has been nuts! Hope you all are doing well. I’ve been toying with going live streaming on my social channels, Instagram, TikTok, YouTube, etc. - Really appreciate hanging out with a bunch of you there. Feels better than screaming into the void.
Also - I asked a bunch of you last week if you’d upgrade to a premium, and like 30% of you said yes. Which is way higher than statistically probable, but I appreciate the vote of support.
Well, it’s live! Going to be putting out some exclusive content every month, and launching the community a bunch of you asked for once we hit critical mass. Thank you again and if you can expense this as a learning thing, please do so - I’d rather take your boss’s money than yours.
ICYMI
🖊️ Something I wrote: pewdiepie is putting out cybersecurity content. Am I cooked?
🎧️ Something I heard: Loved this video. Intentionally have a good summer.
🎤 Something I said: spyware hacking phones via text messages
🔖 Something I read: ZachXBT’s recent investigation uncovered more than $16.58M in payments, or $2.76M per month, sent to North Korean IT workers since January 1, 2025
Vulnerable News
No, this isn’t the same critical Cisco vulns I covered last week. Been a rough month for them.
They just found and removed another hardcoded root SSH backdoor, this time in their Unified Communications Manager (their IP telephony control system). The bug (CVE-2025-20309) gives attackers root access using static development credentials that can't be changed or deleted. If this feels like deja vu, it is - Cisco's been on a streak of finding these backdoors lately in IOS XE, WAAS, DNA Center, and Emergency Responder.
The only fix is upgrading to version 15SU3 or applying the CSCwp27755 patch. While there's no evidence of exploitation yet, Cisco included IOCs to help detect attempts - look for root user entries in /var/log/active/syslog/secure. This is a max severity bug but at least detection is straightforward since the logging is on by default. (read more)
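Since Cisco’s own IOC guidance boils down to "look for root in the secure log", here is a small log check I wrote for this issue (added example, not Cisco’s tooling or anything from the advisory). It assumes standard sshd/syslog line shapes; the sample lines are constructed, and the real layout of /var/log/active/syslog/secure on a CUCM box may differ, so treat the regexes as a starting point.

```python
import re
from typing import Iterable

# Constructed sample in generic sshd/syslog shape. This is NOT a real CUCM log;
# the field layout in /var/log/active/syslog/secure may differ, so adjust the regexes.
SAMPLE_SECURE_LOG = """\
Jul  3 10:14:58 cucm-pub sshd[4021]: Accepted publickey for administrator from 10.20.0.7 port 50122 ssh2
Jul  3 10:15:02 cucm-pub sshd[4033]: Accepted password for root from 203.0.113.44 port 51234 ssh2
Jul  3 10:15:02 cucm-pub sshd[4033]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  3 10:16:40 cucm-pub sshd[4050]: Failed password for root from 203.0.113.44 port 51300 ssh2
Jul  3 10:17:01 cucm-pub CRON[4061]: pam_unix(cron:session): session opened for user ccmservice by (uid=0)
"""

ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SESSION_RE = re.compile(r"sshd\[\d+\]: .*session opened for user (?P<user>\S+)")


def find_root_ssh_events(lines: Iterable[str]) -> list[dict]:
    """Return every sshd line that concerns the root account.

    A successful login or an opened session for root is the real indicator;
    failed attempts are kept too because they show someone probing the account.
    """
    events = []
    for raw in lines:
        line = raw.rstrip("\n")
        for kind, pattern in (("accepted", ACCEPT_RE), ("session", SESSION_RE), ("failed", FAILED_RE)):
            m = pattern.search(line)
            if m and m.group("user") == "root":
                events.append({"kind": kind, "src": m.groupdict().get("src"), "line": line})
                break  # one verdict per line
    return events


def scan_secure_log(text: str) -> list[dict]:
    """Convenience wrapper for scanning a whole log file read into memory."""
    return find_root_ssh_events(text.splitlines())


if __name__ == "__main__":
    # On a real system you would read /var/log/active/syslog/secure instead.
    for event in scan_secure_log(SAMPLE_SECURE_LOG):
        print(f"[{event['kind']:8}] src={event['src']} :: {event['line']}")
```

Anything tagged accepted or session for root deserves an immediate look, because a root SSH session on a CUCM node should not be part of normal administration.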
M&A is exciting – new products, new colleagues, new possibilities. Often overlooked, cybersecurity can make or break the success of the entire deal. Acquirers often face fragmented systems, different security policies, and new vulnerabilities. These issues introduce real security risks.
On July 17th, Dave Lewis, Wendy Nather, and Kane Narraway draw on the collective experience of 30+ M&As to examine the security implications of M&A, outline strategies for mitigating risk, and demonstrate why security architecture must be embedded in the due diligence period.
*Sponsored
We’re seeing Scattered Spider hop industry to industry. Retail in May, insurance a few weeks ago, now airlines. Hawaiian and Qantas seem to be the public ones we have info on.
Qantas just disclosed a breach at one of their contact centers that exposed a "significant" amount of customer data - though they're being pretty vague on the specifics. Given the recent string of airline attacks like Air Europa's $50M ransomware hit and the Bangkok Airways incident, this feels like part of a concerning pattern targeting the aviation sector. We aren’t positive on attribution here, and Qantas says they've got the incident contained and are working with Australian authorities. They're reaching out to affected customers directly, so if you've flown Qantas recently, keep an eye on your inbox. (read more)
This is a massive plugin, I remember using it back in my WordPress days. Forminator, a WordPress form builder with 600k+ installations, lets attackers hijack sites by exploiting sloppy file validation. The bug (CVE-2025-6463) stems from the plugin not properly checking file paths when deleting form submissions. An attacker can trick it into deleting critical files like wp-config.php, sending the site into setup mode and enabling takeover.
The fix is out in v1.44.3, but download numbers suggest over 400k sites are still vulnerable. Defiant's research team found that attackers don't even need authentication - they just need to submit a form and wait for it to be deleted (manually or automatically). Props to the researcher who found it through Wordfence's bounty program, netting themselves $8,100. Seems like WordPress plugins and file validation issues are becoming quite the trend lately, with recent exploits hitting Motors Theme and OttoKit too. (read more)
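The Forminator bug is the classic "trust the stored path, delete whatever it points at" mistake. Below is an added example of mine showing that pattern next to a hardened version; it is not Forminator’s code and uses Python rather than PHP so it can run anywhere. The hypothetical `uploads_dir` stands in for the plugin’s upload folder, and the `wp-config.php` in the demo is a constructed stand-in file in a temp directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def delete_submission_file_unsafe(stored_path: str) -> bool:
    """Vulnerable pattern (illustrative, not Forminator's code): the path stored
    with the submission is trusted and removed exactly as given, so a value like
    '../../../wp-config.php' walks out of the uploads folder."""
    if os.path.isfile(stored_path):
        os.remove(stored_path)
        return True
    return False


def safe_submission_path(uploads_dir, stored_name: str) -> Optional[Path]:
    """Resolve stored_name under uploads_dir and refuse anything that escapes it."""
    base = Path(uploads_dir).resolve()
    if Path(stored_name).is_absolute():          # only bare relative names are acceptable
        return None
    candidate = (base / stored_name).resolve()   # collapses '..' and follows symlinks
    if candidate == base or not candidate.is_relative_to(base):
        return None
    return candidate


def delete_submission_file(uploads_dir, stored_name: str) -> bool:
    """Hardened version: delete only a regular file that really lives under uploads_dir."""
    target = safe_submission_path(uploads_dir, stored_name)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Build a throwaway site layout and show both behaviours side by side."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content" / "uploads" / "forminator"   # hypothetical layout
        uploads.mkdir(parents=True)
        config = root / "wp-config.php"                             # constructed stand-in
        config.write_text("<?php // constructed stand-in, not a real config\n")
        (uploads / "submission-42.pdf").write_text("constructed upload")

        traversal = "../../../wp-config.php"
        unsafe_deleted_config = delete_submission_file_unsafe(str(uploads / traversal))
        config_gone_after_unsafe = not config.exists()

        config.write_text("<?php // recreated for the hardened run\n")
        hardened_rejected_traversal = not delete_submission_file(uploads, traversal)
        config_survives_hardened = config.exists()
        hardened_deleted_legit = delete_submission_file(uploads, "submission-42.pdf")

        return {
            "unsafe_deleted_config": unsafe_deleted_config and config_gone_after_unsafe,
            "hardened_rejected_traversal": hardened_rejected_traversal,
            "config_survives_hardened": config_survives_hardened,
            "hardened_deleted_legit": hardened_deleted_legit,
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The important detail is resolving the path before comparing it: a containment check on the raw string would still let a symlink inside the uploads folder point at something outside it.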
🚨 New macOS backdoor alert: North-Korean hackers are disguising a Zoom update that drops malware built to hijack laptops and steal data & passwords.
If you or your devs run macOS, keep scrolling.👇
— Matt Johansen (@mattjay)
5:17 PM • Jul 3, 2025
North Korean hackers have a slick new macOS malware called NimDoor that's particularly annoying to kill - it literally respawns itself when terminated. It uses an unusual signal-based persistence mechanism that catches termination signals (SIGINT/SIGTERM) and triggers a reinstallation routine.
"any user-initiated termination of the malware results in the deployment of the core components, making the code resilient to basic defensive actions."
The attack starts with a fake Zoom SDK update delivered through Calendly/email, then deploys multiple components including 'GoogIe LLC' (yes, with an I) and 'CoreKitAgent'. The main payload beacons home every 30 seconds, steals system data, and particularly loves going after Telegram databases and crypto-related info. What's interesting is the use of Nim-compiled binaries - a less common choice that shows NK operators are expanding their cross-platform toolkit. SentinelLabs has the full IOCs if you need them. (read more)
This is nuts. Guy hired to negotiate ransomware payments negotiated himself kickbacks. He’s absolutely cooked.
He’s a former DigitalMint ransomware negotiator and is under DOJ investigation for allegedly double-dipping - working with ransomware gangs to inflate payments while taking a cut of the ransom. Back in 2019, some data recovery firms were caught secretly paying ransomware gangs at discounted rates while charging clients full price. But the scale has changed dramatically, from thousands to now multi-million dollar payments.
When negotiators get a percentage of the ransom payment, objective advice goes out the window. DigitalMint (who's handled over 2,000 negotiations since 2017) claims they're not the target of the investigation and fired the employee when they found out, but some law firms are already warning clients to steer clear while the investigation continues. (read more)
ClickFix is absolutely everywhere and has been wildly successful for threat actors. So it makes sense that the technique is branching off to new forms.
This new phishing technique is being called FileFix and it exploits how browsers save HTML files to bypass Microsoft's Mark of the Web (MoTW) protection. The attack tricks users into saving what they think are backup codes or important files, but are actually malicious HTML pages that can execute arbitrary code. When users make even tiny changes to the filename during save - like replacing an underscore - browsers drop the .html extension, allowing attackers to deliver .hta files that execute malware.
While ClickFix relied on fake browser update messages, FileFix masquerades as legitimate Google/Microsoft auth pages asking users to save backup codes. (read more)
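The whole FileFix trick depends on an HTML page landing in the Downloads folder under an extension the browser would never have chosen, so one cheap check is "does this file look like HTML but not carry an .html name?". The script below is an added example of mine, not from the FileFix write-up; the `scan_downloads` function and its verdict names are my own, the demo files are constructed in a temp directory, and the Zone.Identifier read only does anything on Windows, where MoTW lives in that NTFS alternate data stream.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Markers that strongly suggest an HTML/HTA document regardless of its file name.
HTML_MARKERS = re.compile(rb"<\s*(!doctype\s+html|html|script|hta:application)", re.IGNORECASE)
HTML_EXTENSIONS = {".htm", ".html"}
ACTIVE_HTML_EXTENSIONS = {".hta"}   # opened by mshta.exe, not sandboxed like a browser tab


def looks_like_html(head: bytes) -> bool:
    return HTML_MARKERS.search(head[:4096]) is not None


def classify(name: str, head: bytes) -> str:
    """Verdict names are my own: active-html, html, html-mislabelled, other."""
    ext = Path(name).suffix.lower()
    if ext in ACTIVE_HTML_EXTENSIONS:
        return "active-html"
    if looks_like_html(head):
        return "html" if ext in HTML_EXTENSIONS else "html-mislabelled"
    return "other"


def zone_identifier(path) -> Optional[str]:
    """Return the Mark-of-the-Web stream on Windows; None elsewhere, '' if absent."""
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def scan_downloads(folder) -> list[dict]:
    """Flag files whose content/extension combination matches the FileFix shape."""
    findings = []
    for p in sorted(Path(folder).iterdir()):
        if not p.is_file():
            continue
        with open(p, "rb") as f:
            head = f.read(4096)
        verdict = classify(p.name, head)
        if verdict in ("active-html", "html-mislabelled"):
            findings.append({"file": p.name, "verdict": verdict, "zone_identifier": zone_identifier(p)})
    return findings


def demo() -> list[dict]:
    """Constructed Downloads folder: two harmless files and two that should be flagged."""
    page = b"<html><body><script>/* constructed placeholder, no payload */</script></body></html>"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "backup-codes.hta").write_bytes(page)    # what a FileFix save ends up as
        (d / "backup-codes.html").write_bytes(page)   # what the browser would normally write
        (d / "notes.txt").write_bytes(b"plain text, nothing to see")
        (d / "receipt.txt").write_bytes(page)         # HTML hiding under a harmless extension
        return scan_downloads(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing `scan_downloads` at a user’s real Downloads folder is the practical use; the `.html` twin is deliberately not flagged, since that is what a browser save normally produces and it keeps its MoTW.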
Surmodics, the largest US provider of hydrophilic coatings for medical devices, got hit with a cyberattack on June 5th that forced them to take systems offline. While they've managed to restore critical systems and maintain operations through alternative methods, they're still analyzing what data might have been taken. They're the third publicly traded medical device company to report an incident to the SEC in recent months, following Artivion and Masimo. (read more)

Reading this full report - these are some good looking phishing sites! And if they’re all tied to the same campaign, it’s a big one.
A network of counterfeit retail sites is targeting online shoppers, with thousands of convincing fakes mimicking major brands like Apple, PayPal, and Nordstrom. First spotted during Mexico's national sales week, the operation has expanded well beyond, hitting English and Spanish-speaking customers globally. The technical breadcrumbs point to China-based actors, with Chinese language snippets found in the infrastructure code.
They're pulling product listings from legitimate retailers and even incorporating Google Pay widgets to look legit. Some slip-ups give them away though, like a "Guitar Center" hawking children's accessories. While many sites have been taken down, thousands are still active. (read more)
Spanish police just wrapped up a pretty impressive takedown of an investment fraud ring that bilked victims out of €10 million. They coordinated raids across Barcelona, Madrid, Mallorca, and Alicante, arresting 21 people and seizing luxury cars plus €1.3 million in cash and crypto. The operation had been running since 2022 and racked up over 300 complaints from victims who got lured in through fake social media ads promising hot crypto and stock investments.
These scammers actually set up shop in Spain with full call centers - complete with "panic buttons" to wipe everything if the cops showed up. (read more)

Arctic Wolf spotted a nasty SEO poisoning campaign that's been running since early June, targeting IT professionals with fake versions of popular tools like PuTTY and WinSCP. The attackers are buying ads and gaming search results to push their malicious sites to the top when people search for these legitimate tools. Once someone downloads and runs the trojanized installer, they get hit with the Oyster/Broomstick backdoor, which sets up a scheduled task that phones home every three minutes using some DLL trickery.
The campaign's pretty clever - they're specifically going after IT folks who are likely to have elevated privileges and access to sensitive systems. Arctic Wolf's recommendation is straightforward: stop using search engines to find your admin tools and stick to official vendor sites or internal repositories. They've also provided a list of malicious domains to block, including updaterputty[.]com and several other suspicious PuTTY-themed domains. (read more)
Miscellaneous mattjay
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay