
February 17 2025 – Cyber Briefing

👉 What’s happening in cybersecurity today?

XCSSET Malware, macOS Developers, Lazarus Group, Marstech1 Implant, Supply Chain Attacks, Golang-Based Backdoor, Telegram Bot API, Fake Blue Screen of Death, Tkinter, EarthKapre Espionage Group, Law Firms, US Coast Guard, Data Breach, Service Members, Pro-Russian Hacktivists, Bavarian Government Websites, Israel, Credit Card Payments, Germany, Bremen City Websites, Italian Websites, DDoS Attacks, Nebraska Legislature, Cyber Lawsuit Standards, Texas, DeepSeek, Data Privacy Violations, USAID Workers, DOGE, Security Clearance, Personal Data Access, Zelensky, European Army, Android, Fraudsters, Sideloading Apps.



🚨 Cyber Alerts

1. New XCSSET Malware Targets MacOS Developers

Microsoft Threat Intelligence has identified a new iteration of XCSSET malware targeting macOS developers. This updated version uses advanced obfuscation techniques, multi-layered encoding strategies, and novel infection methods to bypass Apple’s security frameworks. The malware now targets software supply chains, evades signature-based detection, and establishes persistence through multiple mechanisms, including Zshrc injection and Dock API manipulation.

2. Lazarus Targets Developers with Marstech1

The Lazarus Group has been linked to a previously undocumented JavaScript implant called Marstech1. Delivered via an open-source GitHub repository, the malware targets developers and is designed to collect system information, specifically targeting cryptocurrency wallets like MetaMask, Exodus, and Atomic across multiple operating systems. The malware operates through obfuscated payloads, making it difficult to detect, and has already affected 233 victims globally.

3. New Golang Malware Uses Telegram Bot for C2

A new Golang-based backdoor, possibly of Russian origin, has been identified. Researchers discovered that it communicates through Telegram, using the Telegram Bot API for command-and-control functions. The malware supports commands such as executing PowerShell commands, re-launching itself, and self-destructing, though some features, like screenshot capture, are incomplete. The use of Telegram adds complexity for defenders: its traffic goes to a legitimate, widely used service, making it easier for attackers to control the malware discreetly.
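An added detection example, not from the original briefing or the cited research, showing how a defender could surface Bot API beaconing of this kind in egress proxy logs: the log lines, the process allow-list and the bot token are constructed assumptions, and the token is never copied into the alert.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Telegram Bot API requests have the shape https://api.telegram.org/bot<id>:<token>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/([A-Za-z]+)")
# Methods a C2 loop needs: poll for operator commands, post results back.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument"}
# Processes expected to talk to Telegram on a workstation (assumed allow-list).
EXPECTED_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample proxy log, format "<timestamp> <process> <verb> <url> <user-agent>".
SAMPLE_LOG = """\
2025-02-17T09:00:01Z chrome.exe GET https://web.telegram.org/k/ Mozilla/5.0
2025-02-17T09:00:05Z svchost.exe GET https://api.telegram.org/bot1234567890:CONSTRUCTED_TOKEN_xxxxxxxxxx/getUpdates Go-http-client/1.1
2025-02-17T09:00:06Z svchost.exe POST https://api.telegram.org/bot1234567890:CONSTRUCTED_TOKEN_xxxxxxxxxx/sendMessage Go-http-client/1.1
2025-02-17T09:00:10Z svchost.exe GET https://api.telegram.org/bot1234567890:CONSTRUCTED_TOKEN_xxxxxxxxxx/getUpdates Go-http-client/1.1
2025-02-17T09:01:00Z telegram.exe POST https://api.telegram.org/bot1234567890:CONSTRUCTED_TOKEN_xxxxxxxxxx/getMe Telegram/5.0
"""

def parse_line(line):
    ts, proc, verb, url, ua = line.split(" ", 4)
    return {"ts": ts, "proc": proc.lower(), "verb": verb, "url": url, "ua": ua}

def bot_api_call(url):
    """Return (bot_id, method) if url is a Telegram Bot API request, else None."""
    u = urlparse(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)
    return (m.group(1), m.group(3)) if m else None

def find_telegram_c2(log_text):
    """Flag processes that use the Bot API like a beacon: an unexpected client
    process calling C2-style methods, with a count of how often it hit the same bot."""
    polls = Counter()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        call = bot_api_call(rec["url"])
        if call is None:
            continue
        bot_id, method = call
        if rec["proc"] in EXPECTED_CLIENTS or method not in C2_METHODS:
            continue
        polls[(rec["proc"], bot_id)] += 1
        hits.append({"ts": rec["ts"], "proc": rec["proc"], "bot_id": bot_id,
                     "method": method, "ua": rec["ua"]})
    # Attach the per-process poll count so repeated getUpdates polling stands out.
    return [dict(h, poll_count=polls[(h["proc"], h["bot_id"])]) for h in hits]
```

On the constructed log this yields three alerts for svchost.exe (two polls and one sendMessage), while the browser and desktop-client lines are ignored.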

4. Malicious Python Script Uses Fake BSOD Trick

A peculiar Python script has surfaced using Tkinter to create a fake Blue Screen of Death (BSOD). The script stands out for its unusual anti-analysis trick, effectively blocking other windows and displaying a fake BSOD message, making the system appear crashed. This technique, though not highly destructive, showcases how attackers use everyday libraries like Tkinter to build disruptive and deceptive malware that can evade traditional detection methods.

5. EarthKapre Cyber Espionage Targets Law Firms

EarthKapre, also known as RedCurl, is a highly sophisticated cyber espionage group identified by eSentire Threat Response Unit (TRU) in January 2025. The group has been targeting private-sector organizations, particularly law firms and legal services. Its complex attack chain begins with phishing emails disguised as job applications from Indeed, leading to the download of a malicious ZIP archive containing a mountable ISO file.


💥 Cyber Incidents

6. US Coast Guard Data Breach Delays Payroll

The US Coast Guard recently reported a data breach impacting 1,135 service members’ pay. An investigation is underway by the Coast Guard Investigative Service and Cyber Command to determine the breach’s source and impact. The breach, which delays bi-weekly pay, follows a similar incident earlier this year affecting over 10,000 personnel and involving the exposure of personal information.

7. Bavarian Government Targeted by Hackers

The Bavarian state government in Germany recently fell victim to a hacker attack, suspected to be the work of pro-Russian hacktivists. Although the attack caused temporary disruptions to several government websites, no data was leaked, and no significant damage was done. The State Office for Information Security is conducting an investigation, with the case set to be handed over to the police for further prosecution.

8. Cyberattack Disrupts Israel Credit Payments

Israel’s credit card payment system faced another disruption due to a cyberattack. Shva, the company managing communications between payment clearers, experienced significant service outages, halting credit card transactions for several hours. A distributed denial of service (DDoS) attack was identified as the cause: multiple servers flooded the payment servers with requests, forcing them offline temporarily.

9. Russian Hackers Hit Bremen Government Sites

Russian hackers claimed responsibility for a cyberattack that temporarily disrupted the websites of various Bremen city departments, including the town hall and departments of finance, social affairs, and education. The attack flooded servers with up to 18,000 requests per minute, making the sites inaccessible. The city’s IT experts successfully mitigated the disruption, and all affected pages were restored later in the day.

10. Pro-Russian Hackers Target Italian Websites

Pro-Russian hackers, identified as Noname057(16), targeted approximately 20 Italian websites, including major banks and airports. The cyberattacks were reportedly in retaliation for Italian President Mattarella’s recent comments comparing Russia’s actions to Nazi Germany’s expansionism. Despite the attack, there were no major disruptions to services, with the cybersecurity agency confirming that no critical damage occurred.


📢 Cyber News

11. Nebraska Bill Raises Cyber Lawsuit Bar

The Nebraska Legislature has given initial approval to LB 241, a bill that would increase the threshold for filing class-action lawsuits in state courts against private entities suffering from cybersecurity breaches. If passed, the bill would require proof of willful, wanton, or gross negligence, instead of ordinary negligence, for such cases to proceed. Despite opposition from some lawmakers, the bill advanced after a vote of 33–9, with concerns raised about the higher burden of proof for victims.

12. Texas Investigates DeepSeek Over Privacy

Texas has launched an investigation into Chinese AI company DeepSeek for allegedly violating the state’s data privacy law. The state’s Attorney General, Ken Paxton, has requested documents from Google and Apple regarding the app’s availability and its security practices. Paxton expressed concerns over DeepSeek’s ties to the Chinese Communist Party, claiming it could undermine U.S. AI leadership and compromise citizens’ data.

13. DOGE Accused of Jeopardizing USAID Security

A new lawsuit alleges that employees of the Department of Government Efficiency (DOGE) had improper access to sensitive USAID data, including security clearance information, social security numbers, and financial records. The suit claims that DOGE staff, who lacked the required security clearances, gained root access to computer systems, allowing them control over highly confidential data.

14. Zelensky Calls for Creation of European Army

Ukrainian President Volodymyr Zelensky has called for the formation of a European army, citing growing concerns over the US’s commitment to Europe’s security. Speaking at the Munich Security Conference, he acknowledged that the traditional Europe-US relationship was changing, with US Vice-President JD Vance indicating the need for Europe to adjust. Zelensky also emphasized that Ukraine would not accept peace deals made without its involvement, following talks between Donald Trump and Vladimir Putin.

15. Android Blocks Fraudsters During Calls

Google is introducing a new security feature for Android to prevent fraudsters from taking advantage of phone calls to manipulate users into altering sensitive settings. This feature blocks actions such as installing apps from unknown sources or granting accessibility access while on a call, which is a common tactic used in telephone-oriented attack delivery. The update, now available in Android 16 Beta 2, aims to reduce the risks of fraud by notifying users if they try to make such changes during a call, protecting them from scams and malware.


Copyright © 2025 CyberMaterial. All Rights Reserved.
