👉 What’s trending in cybersecurity today?
1. UNC5174 Group Targets Linux with VShell RAT
UNC5174, a China-linked threat actor, has been deploying a sophisticated campaign using the SNOWLIGHT malware and VShell RAT to target Linux and macOS systems. This group takes advantage of open-source tools, making their activities more difficult to trace and attribute. The SNOWLIGHT malware serves as a dropper for a fileless in-memory payload called VShell, enabling remote access for cybercriminals to execute arbitrary commands, upload files, and maintain persistence within compromised systems.
2. Hackers Use Node.js to Deliver Malware
Node.js is increasingly being exploited by cybercriminals to deliver advanced malware and steal sensitive data. Attackers use techniques like malvertising, embedding malicious code into legitimate software, and exploiting supply chain vulnerabilities in npm packages. These campaigns bypass traditional security measures and persist within compromised systems by leveraging Node.js’ cross-platform capabilities. Organizations must enhance monitoring, update dependencies, and educate users to defend against these evolving threats.
3. Midnight Blizzard Targets European Embassies
Midnight Blizzard, a Russian state-sponsored espionage group, initiated a spear-phishing campaign targeting diplomatic entities across Europe. This new campaign introduces a malware loader called GrapeLoader and a variant of the WineLoader backdoor. The phishing emails, impersonating the Ministry of Foreign Affairs, contain a malicious link that triggers the download of a ZIP archive with a PowerPoint executable and the GrapeLoader payload. Once executed, GrapeLoader stealthily collects system information, modifies the Windows Registry, and downloads WineLoader.
4. Malicious PyPI Package Steals MEXC Tokens
A new malicious package called ccxt-mexc-futures was discovered on PyPI, targeting MEXC exchange users. This package mimicked a legitimate Python library but rerouted trading orders to a fake server controlled by attackers. The malware intercepted sensitive data, including API keys, and redirected crypto transactions to steal tokens. Developers who downloaded the package are advised to revoke compromised tokens and remove it immediately from their systems.
5. Slow Pisces Targets Crypto Developers
Slow Pisces, a North Korean cyber espionage group, is targeting cryptocurrency developers with a sophisticated malware campaign. Using LinkedIn to pose as recruiters, the group sends malware disguised as coding challenges. Victims are enticed to run compromised projects, deploying RN Loader and RN Stealer on their systems. These tools steal sensitive data, including cloud service credentials and iCloud information. The attackers employ stealthy techniques, such as YAML deserialization, to avoid detection, ensuring only carefully selected targets are compromised.
6. 4chan Hack Leaks Moderator and User Data
On Tuesday, 4chan was hacked, leading to the site’s intermittent downtime. Leaked screenshots showed the back end of the site, including sensitive information about moderators, janitors, and their roles. The data breach exposed personal information from 4chan Pass subscribers who paid for special privileges. A janitor confirmed the leaks, expressing concern over the magnitude of the breach and its potential impact on 4chan’s continued operation amid the site’s known links to extremist and alt-right movements.
7. UK Minister Powell’s X Account Hacked for Scam
UK Government minister Lucy Powell’s X account was hacked to promote a fraudulent cryptocurrency. The hacker posted misleading content about the “$HCC” coin, claiming it was a “community-driven digital currency.” Powell’s office confirmed the breach and acted quickly to secure the account. Similar attacks on high-profile figures like BBC’s Nick Robinson highlight the growing cybercrime trend of hijacking social media accounts for scam promotions.
8. Jemeppe-sur-Sambre Suffers Cyberattack
On April 10, 2025, the municipality of Jemeppe-sur-Sambre, Belgium, and its public center became victims of a significant cyberattack. The attackers infiltrated both the municipal services and the local social assistance center, disrupting their operations. Authorities reported that sensitive data and critical systems were compromised, with the attack affecting communication channels, financial services, and personal data. As a result, the local government has taken urgent measures to secure systems, investigate the extent of the breach, and mitigate the potential damage to public services and residents.
9. Switzerland’s SZBLIND Target of Cyberattack
On April 14, SZBLIND, a Swiss association for the visually impaired, discovered a cyberattack on its IT network. It is suspected that the breach may have led to a data leak, though the full extent remains unclear. The organization promptly implemented security measures, called in external experts, and notified the relevant authorities. While services are currently operating at a reduced capacity, SZBLIND is working to secure the compromised data and restore its systems, and will keep stakeholders updated as new information becomes available.
10. Home Telecom Reports Data Breach Incident
Home Telecom, a telecommunications company based in South Carolina, reported a data breach on March 17, 2025. The breach involved unauthorized access to sensitive personal information, including customers’ names, Social Security numbers, and addresses. Following the breach, Home Telecom launched an investigation to determine the extent of the attack and identify the impacted individuals. On April 14, 2025, the company began mailing notifications to affected customers, offering them 12 months of free credit monitoring services.
11. MITRE Faces End of CVE Program Contract
MITRE’s management of the CVE program, which tracks cybersecurity vulnerabilities, is at risk as its contract with the U.S. government nears expiration on April 16. The expiration of funding from the Department of Homeland Security (DHS) will halt new CVE additions and potentially shut down the program’s website. The CVE system is critical for cybersecurity professionals, vendors, and government agencies worldwide, supporting vulnerability identification and mitigation efforts. Experts have raised alarms, fearing that a disruption could lead to a national security issue, particularly for critical infrastructure and incident response operations.
12. China Accuses NSA Employees of Cyberattacks
China has accused three alleged employees of the U.S. National Security Agency (NSA) of carrying out cyberattacks during the Asian Winter Games in February. The public security bureau in Harbin stated that the attackers were linked to the NSA’s Office of Tailored Access Operations. These cyberattacks reportedly targeted registration, arrival management, and competition entry platforms, along with critical infrastructure like energy, transportation, telecommunications, and defense research in Heilongjiang province. While such accusations are not new, this marks the first time China has named specific individuals and provided detailed allegations about the incident.
13. LabHost Phishing Ringleader Jailed for Fraud
Zak Coyne, 24, was sentenced to eight and a half years in prison for running LabHost, a phishing site. The platform targeted over one million victims worldwide, defrauding them of £100 million through fraudulent payment sites. LabHost operated as a subscription service, enabling scammers, many without technical expertise, to create convincing fake websites. These scammers stole sensitive personal information, including bank details and PIN codes, from victims, with at least 70,000 victims in the UK alone. The site was taken down in April 2024 following a global law enforcement operation.
14. Google Adds Auto Reboot for Android Security
Google has introduced a new security feature in Android, which automatically reboots phones after three days of inactivity. This update, rolled out through Google Play services, is designed to strengthen the protection of user data. By restarting the device, it ensures that any encrypted information remains secure, even if a phone is locked for an extended period. The feature specifically targets forensic analysis tools used by law enforcement, making unauthorized access to data more difficult. While this feature mirrors a similar one on iOS, the exact motivation behind Google’s update remains unclear.
15. Browser Extensions Pose Growing Risk
A recent report highlights the significant risks posed by browser extensions in enterprise environments. It reveals that 53% of enterprise users’ extensions have access to sensitive data such as passwords, cookies, and browsing histories, making organizations vulnerable to data breaches. Additionally, the study identifies growing concerns with GenAI extensions, many of which have high-risk permission scopes and are increasingly prevalent in workplaces. The report also points out that many extensions are either unmaintained or sideloaded, further complicating security efforts.
Copyright © 2025 CyberMaterial. All Rights Reserved.