July 08, 2025 – Cyber Briefing

👉 What’s the latest in the cyber world today?

AMOS macOS stealer adds persistent backdoor for remote control, NordDragonScan steals browser data via HTA decoys, and BERT ransomware shuts down ESXi VMs before encryption. Louis Vuitton Korea suffers customer data breach, Qilin ransomware hits French chipmaker Semco during IPO, and Virginia school district email system disabled in cyberattack. AT&T settles $177M for two massive breaches, alleged Hafnium hacker arrested in Italy, and Parrot OS 6.4 released with new tools and Microsoft support.

🚨 Cyber Alerts

1. AMOS Mac Stealer Adds Persistent Backdoor

The Atomic macOS Stealer malware, also known as AMOS, has been upgraded with an embedded backdoor for persistent access to infected systems. This transforms the malware from a simple data stealer into a tool for long-term surveillance and remote command execution. The malware is distributed through cracked software sites and spear-phishing campaigns that often mimic job interviews to steal passwords. This evolution demonstrates the increasing sophistication of threats targeting macOS users and has already affected over 120 countries.

2. NordDragonScan Malware Steals Windows Data

Security researchers have discovered a new infostealer called NordDragonScan that targets Microsoft Windows systems. The attack uses a complex chain starting with a malicious LNK shortcut file that runs a weaponized HTA script. The malware establishes persistence and then steals system information, files with specific extensions, and entire browser profiles. It uses advanced string obfuscation to evade static analysis and exfiltrates the stolen data to a remote command-and-control server.

3. New Ransomware BERT Targets ESXi Systems

A new ransomware group known as BERT is targeting virtualized environments with a particularly disruptive new tactic. Its Linux variant can detect and forcibly shut down ESXi virtual machines before it begins encrypting any files. This approach directly undermines disaster recovery efforts by preventing administrators from migrating or backing up live systems during an attack. The cross-platform malware has variants for Windows and ESXi and shows code similarities to the REvil ransomware family.


💥 Cyber Incidents

4. Louis Vuitton Korea Hit By Cyberattack

The South Korean unit of luxury brand Louis Vuitton has confirmed it suffered a cyberattack that leaked some customer data. While customer information like contact details was compromised, the company stated that no financial data was exposed. The company has since contained the breach, notified the relevant authorities, and is working with experts to strengthen its security. This is the second LVMH brand to be targeted in recent months after Christian Dior Couture disclosed a similar data breach in May.

5. French Chip Firm Semco Hacked During IPO

The French semiconductor company Semco Technologies suffered a cyberattack from the Qilin ransomware gang during its initial public offering. The Russian-speaking hackers stole sensitive employee data, including passports and invoices, which they later leaked on the dark web. Semco Technologies confirmed the attack but stated that it had contained the incident and that its core operations were not impacted. The timing of the attack during the company’s IPO was likely a deliberate tactic to maximize pressure on the firm.

6. Virginia School District Hit By Cyberattack

Prince George County Public Schools in Virginia has announced it identified a cybersecurity incident over the Independence Day holiday weekend. Upon discovery, the district took immediate action to contain the issue and engaged external cybersecurity professionals for assistance. While critical safety systems like building access and phones remain operational, some internal systems, including the email server, have been taken offline. The attack occurred during the summer break, minimizing disruption to classroom learning as the district investigates with law enforcement.


📢 Cyber News

7. AT&T Agrees to $177M Breach Settlement

Telecom giant AT&T has agreed to a $177 million settlement to resolve class-action lawsuits from two separate data breaches. The first breach, starting in 2019, exposed the personal data and Social Security numbers of about 73 million customers. A second incident, confirmed in 2024, involved a hacker accessing the call records of nearly all 109 million U.S. customers. While denying responsibility, AT&T will establish a fund for customer claims, with notifications expected to be sent starting in August 2025.

8. Alleged Hafnium Hacker Arrested in Italy

A Chinese national named Xu Zewei has been arrested in Milan, Italy, based on an international warrant from the United States. Xu is allegedly linked to the Chinese state-sponsored hacking group Silk Typhoon, also known as Hafnium. He is specifically accused of being part of a 2020 campaign that targeted and stole data related to COVID-19 vaccine research. Xu is now being held in an Italian prison as the United States government seeks his extradition to face trial.

9. Parrot OS 6.4 Adds New Hacking Tools

The Parrot Security team has released Parrot Security OS 6.4, the final major update in the 6.x series of the ethical hacking distribution. This version includes an upgraded Linux kernel, adds many new hacking tools, and introduces official support for Microsoft PowerShell. This release refines the current Debian 12-based system and sets the stage for the next generation of the platform. The development team is now actively working on Parrot 7, which will be based on Debian 13 and support new architectures.

💡 Cyber Tip

Malware Alert as NordDragonScan Compromises Windows Files and Browsers

Security researchers have identified a new infostealer called NordDragonScan targeting Microsoft Windows users. The attack starts with a malicious shortcut file inside a decoy archive, triggering an HTA script that quietly deploys the malware. Once installed, it steals browser data, system information, and documents, and then sends the stolen data to a remote command-and-control server. The malware also establishes persistence to survive system reboots and uses obfuscation to avoid detection.

✅ What you should do:

  • Avoid opening shortcut files (.lnk) or archives from unknown sources, especially if delivered via shortened URLs.
  • Disable or restrict the use of mshta.exe in your environment if not needed.
  • Monitor registry paths like CurrentVersion\Run for unfamiliar entries.
  • Use endpoint detection tools that can flag obfuscated payloads and unusual script behavior.
  • Train staff to recognize suspicious downloads and document-themed phishing lures.
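The Run-key check from the list above, as an added PowerShell example that is not part of the CyberMaterial briefing: it enumerates the per-user and machine-wide CurrentVersion\Run and RunOnce keys and flags entries that invoke mshta.exe, an .hta file, or other patterns a reviewer would want to look at by hand. The pattern list is an assumption to tune to your own environment.

```powershell
# Added example (not from the briefing): audit Run/RunOnce keys for
# persistence entries that launch mshta.exe or an .hta payload.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed review patterns: the mshta/HTA chain the tip describes, plus
# script hosts, encoded PowerShell and world-writable launch paths.
$suspicious = @(
    'mshta(\.exe)?',
    '\.hta\b',
    '\b[wc]script(\.exe)?',
    '-enc(odedcommand)?\b',
    '\\AppData\\Local\\Temp\\',
    '\\Users\\Public\\'
)

function Get-RunKeyFindings {
    param([string[]]$Keys = $runKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd  = [string]$item.GetValue($name)
            # Collect every pattern the command line matches (case-insensitive).
            $hits = @($suspicious | Where-Object { $cmd -match $_ })
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Suspicious = ($hits.Count -gt 0)
                Reason     = ($hits -join ', ')
            }
        }
    }
}

# Suspicious entries first; review each one before removing anything.
Get-RunKeyFindings |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Run it from a normal shell to see the HKCU keys; reading the HKLM keys needs an elevated session. An unflagged entry is not proof of safety, only that it matched none of the assumed patterns.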

🔒 Why this matters:

NordDragonScan uses stealthy tactics and decoy documents to steal sensitive data from Windows systems. Its ability to persist and exfiltrate browser and system data makes it a serious threat to both personal and corporate environments. Early detection and caution with unknown files are key to staying protected.

📚 Cyber Book

Speaking Their Language: The Non-Techie’s Guide to Managing IT & Cybersecurity for Your Organization by Rob Protzman

Get Book ➤ https://amzn.to/37BtEbJ


That concludes today’s briefing. You can check the top headlines here!

Copyright © 2025 CyberMaterial. All Rights Reserved.
