👉 What’s going on in the cyber world today?
New ReaderUpdate, Malware, Apple, macOS, China, FamousSparrow, U.S., Mexico, SparrowDoor, EncryptHub, Windows, Zero-Day, Rhadamanthys, StealC, RedCurl, Ransomware, QWCrypt, Malicious npm Packages, Ethers Library, Backdoor, Russia, Lukoil, Cyberattack, Fuel Distribution, StreamElements, Data Breach, France, AUTOSUR, Data Breach, Brazilian Navy, Crossroads Trading, Consumer Information, Donald Trump, Katherine Sutton, Pentagon Cyber Policy, ETSI, Quantum-Safe Encryption, MORSE Corps, Settlement, Cybersecurity Violations, Island, Series E, Enterprise Browser Security, OpenAI, Bug Bounty Program, Critical Vulnerabilities.
1. New ReaderUpdate Malware Targets macOS Users
Researchers from SentinelOne have identified new variants of the ReaderUpdate malware, now written in Crystal, Nim, Rust, and Go. Initially observed in 2020, the malware has evolved significantly, with recent versions actively targeting macOS users through malicious software downloads and infected applications. Despite primarily delivering adware so far, ReaderUpdate’s design suggests it could be used for more dangerous payloads, offering its loader as a service for other cybercriminals.
2. FamousSparrow Hackers Target U.S. and Mexico
FamousSparrow, a Chinese cyberespionage group, has been actively targeting organizations in the U.S. and Mexico using newly upgraded versions of its SparrowDoor malware. The group’s recent activity marks its first known deployment of ShadowPad, a malware family widely used by Chinese state-sponsored actors. The two new SparrowDoor variants, one modular and the other improved over previous versions, feature advanced capabilities such as parallel command execution and a plugin-based architecture.
3. EncryptHub Exploiting New Windows Zero-Day
EncryptHub exploited a recently patched Windows zero-day vulnerability (CVE-2025-26633) to deploy malware, including Rhadamanthys and StealC. The attack targeted the Microsoft Management Console (MMC) framework by manipulating .msc files and the MUIPath feature to bypass security controls. Using techniques such as creating malicious .msc files with identical names, the threat actor executed malicious payloads without detection.
4. RedCurl Shifts from Espionage to Ransomware
RedCurl, a threat actor known for corporate espionage, has shifted tactics by deploying QWCrypt ransomware, which specifically targets Hyper-V virtual machines. Previously focused on data exfiltration, RedCurl has now started encrypting virtual environments, a new strategy that could either serve as a cover for their data theft activities or a direct monetization method. The ransomware, delivered through phishing emails, encrypts files and disrupts services, making it a significant threat to organizations using virtualized infrastructures.
5. Malicious npm Packages Target Ethereum Code
Researchers recently identified two malicious npm packages targeting the ethers library, a popular tool for interacting with Ethereum blockchain applications. These packages replaced legitimate files within the library with a modified version that executed a reverse shell payload. Upon execution, the reverse shell connects to the attacker’s server via SSH, ensuring persistent access even if the malicious packages are later removed.
6. Lukoil Cyberattack Disrupts Internal Systems
Lukoil, the Russian oil giant, experienced a significant cyberattack on March 26, 2025, which caused a full system shutdown. Employees across various regional offices, including Tyumen, Kogalym, and Perm, were unable to access their accounts due to error messages, leading to internal instructions to avoid logging in to prevent data leaks. Disruptions affected both internal company systems and customer-facing services, including payment systems at fuel stations, causing payment issues and halting some fuel distribution.
7. StreamElements Confirms Data Breach Exposure
StreamElements confirmed a data breach stemming from a third-party service provider it stopped working with last year. The breach exposed personal data from around 210,000 users, including names, phone numbers, addresses, and email addresses. The threat actor responsible shared samples of the stolen data, which a journalist personally verified as authentic. Although no StreamElements servers were impacted, the company has warned users, especially those registered between 2020 and 2024, to remain vigilant for potential phishing and scam attempts.
8. AUTOSUR Breach Exposes Millions of Records
AUTOSUR, a leading French company providing vehicle inspection services, has fallen victim to a major data breach that exposed over 12.3 million customer records. The breach, first reported on March 16, 2025, was disclosed on the BreachForums platform, revealing sensitive information such as names, phone numbers, email addresses, hashed passwords, vehicle details, and license plate numbers. The exposure of such vast amounts of personally identifiable information (PII) has raised serious concerns about identity theft, phishing, and fraud risks for affected individuals.
9. Brazilian Navy Website Hit by Cyberattack
On March 25, 2025, the Brazilian Navy’s official website was taken offline following a cyberattack attributed to the hacker Azael. The hacker has claimed responsibility for several previous high-profile attacks on institutions like Petrobras, the Brazilian Air Force, and the STJ. This wave of cyberattacks has raised significant concerns about the security of critical national infrastructure, with investigations ongoing by the authorities to track down the source of the breach and address potential vulnerabilities.
10. Crossroads Trading Co. Reports Data Breach
On March 26, 2025, Crossroads Trading Co. informed the Attorney General of Texas about a data breach that exposed sensitive consumer information. An unauthorized party gained access to files containing individuals’ names, Social Security numbers, driver’s license numbers, and other government-issued IDs. Crossroads conducted an investigation and has begun notifying affected individuals, offering credit monitoring services to help protect them from potential identity theft or fraud. The company continues to review the incident and its impact on its IT network security.
11. Trump Nominates Sutton for Cyber Policy Role
President Donald Trump has nominated Katherine Sutton to serve as the assistant secretary of defense for cyber policy. Currently the chief technology adviser to U.S. Cyber Command, Sutton has a wealth of experience, including leading the cybersecurity subcommittee of the Senate Armed Services Committee. Her nomination is particularly significant as Cyber Command works on its ambitious “Cyber Command 2.0” modernization plan, which aims to strengthen the department’s cybersecurity capabilities and move faster in response to evolving digital threats.
12. ETSI Publishes Quantum-Safe Standard
ETSI recently introduced quantum-safe encryption standards to address future cybersecurity challenges. The new system, Covercrypt, uses key encapsulation mechanisms to securely transmit session keys, ensuring that only authorized users can decrypt the data. By allowing data encryption based on specific user attributes, the solution strengthens both security and efficiency. It is designed to protect against quantum-based attacks and can be easily integrated into existing commercial security systems, offering a smooth transition to quantum-safe cryptography.
13. MORSE Corp to Pay $4.6M for Cyber Failures
MORSE Corp, a defense contractor based in Massachusetts, has agreed to pay $4.6 million to resolve allegations of cybersecurity violations. The company failed to ensure that a third-party provider it used to host emails met the security requirements outlined by the National Institute of Standards and Technology. This failure, which left the company vulnerable to potential exploitation, was a violation of federal standards, and the company also misrepresented its cybersecurity posture in assessments.
14. Island Raises $250M for Enterprise Browser
Island, a startup focused on providing security-themed enterprise browsers, raised $250 million in a Series E funding round. Led by Coatue Management, this funding boosts Island’s valuation to nearly $5 billion, bringing its total external funding to approximately $730 million since its launch in 2020. The company aims to provide businesses with a browser that replaces consumer-grade browsers, offering enhanced security features for IT teams and knowledge workers. Island plans to use the new investment to accelerate product development, expand its staff, and address the growing demand for secure enterprise browsing solutions amid competition from major players like Microsoft and Google.
15. OpenAI Increases Bug Bounty to $100,000
OpenAI has raised its bug bounty payout to $100,000 in a bid to attract top researchers to identify critical security flaws in its infrastructure. This move is part of a broader effort that includes an expanded Cybersecurity Grant Program, funding projects focused on areas like secure code generation, model privacy, and threat detection. The company is also collaborating with academic, government, and commercial experts to enhance its cybersecurity and advance its journey toward artificial general intelligence. These initiatives reflect OpenAI’s ongoing commitment to maintaining robust security as it tackles evolving cyber threats.
Copyright © 2025 CyberMaterial. All Rights Reserved.