
BagheeraAltered's CyberSecurity Newsletter

July 28, 2025

Cybersecurity Newsletter 28th July 2025

In this week’s news: a hacker injected a malicious prompt into Amazon Q via GitHub; new AI-generated Linux malware developed for cryptomining; Russian airline Aeroflot canceled dozens of flights on Monday following what the company described as a failure in its information systems; an Arizona woman has been sentenced to over eight years in prison for her role in a fraudulent operation that funnelled more than $17 million to North Korea; BlackSuit’s dark web data leak site and private negotiation panels have been taken offline; UpGuard has uncovered a wide-open Elasticsearch database exposing a staggering 22 million web traffic records; a critical command injection vulnerability has been identified in the GitHub Action component tj-actions/branch-names; BreachForums has mysteriously resurfaced on its original dark web domain; 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account; and Austria is set to legalise the use of highly-intrusive spyware by state authorities.


A security vulnerability recently surfaced involving Amazon’s AI coding assistant, ‘Q’, as integrated with VS Code. The core of the issue lies in how the hacker manipulated an open-source pull request: by doing so, they managed to inject commands into Amazon’s Q coding assistant. The malicious prompt injected into Amazon Q via GitHub aimed to delete user files and wipe AWS data, exposing a major security flaw.
https://hackread.com/hacker-added-prompt-amazon-q-erase-files-cloud-data/

Koske is a new Linux AI-generated malware that was developed for cryptomining activities. Aquasec researchers reported that the malicious code uses rootkits and polyglot image file abuse to evade detection. Attackers exploit a misconfigured server to drop backdoors and download two JPEG polyglot files via shortened URLs. The images are polyglot files that hide malicious code appended at the end and execute directly in memory to evade antivirus detection. One is C code compiled into a rootkit .so file; the other is a stealthy shell script using standard system tools to persist without leaving visible traces.
https://securityaffairs.com/180355/malware/koske-a-new-ai-generated-linux-malware-appears-in-the-threat-landscape.html
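The polyglot trick above works because JPEG decoders stop at the end-of-image marker and ignore whatever follows. The check below (an added example, not Aqua's code) walks the JPEG segment structure to find the real EOI and reports anything appended after it; the sample image bytes are constructed inline.

```python
import struct
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA

def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the EOI marker, walking the segment structure."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"segment framing error at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows; skip until a real marker (0xFF that is
            # not followed by a stuffed 0x00 or an RSTn restart marker).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def trailing_payload(data: bytes) -> bytes:
    return data[find_jpeg_end(data):]       # a well-formed image has no trailer

def classify_trailer(trailer: bytes) -> str:
    """Coarse label for appended data; any non-empty trailer deserves a look."""
    if not trailer:
        return "clean"
    if trailer.startswith(b"\x7fELF"):
        return "elf"
    if trailer.lstrip().startswith(b"#!"):
        return "script"
    return "unknown"

# Constructed minimal JPEG: SOI, 2-byte APP0 payload, empty SOS header, 5 bytes
# of entropy data (with a stuffed 0xFF00), then EOI. Then a constructed polyglot.
MINIMAL_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x02"
                + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
POLYGLOT_SCRIPT = MINIMAL_JPEG + b"#!/bin/sh\necho appended\n"
```

Some cameras and editors legitimately append metadata after EOI, so treat a non-empty trailer as a triage signal rather than proof of compromise.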

Russian airline Aeroflot canceled dozens of flights on Monday following what the company described as a failure in its information systems. The national carrier did not provide additional details about the cause of the problem or offer an estimated timeline for resolution. A hacking group called Silent Crow claimed responsibility for what it described as a crippling cyberattack on the airline.
https://www.investing.com/news/stock-market-news/aeroflot-cancels-flights-after-system-failure-hackers-claim-responsibility-93CH-4154623?utm_source=dlvr.it&utm_medium=bluesky

An Arizona woman has been sentenced to over eight years in prison for her significant role in a fraudulent operation that funnelled more than $17 million to North Korea. According to the US Department of Justice (DoJ), Christina Marie Chapman, 50, from Litchfield Park, assisted North Korean Information Technology (IT) workers in posing as US residents to secure remote jobs at 309 American companies, including Fortune 500 corporations.
https://hackread.com/arizona-woman-jailed-help-north-korea-it-job-scam/

BlackSuit’s dark web data leak site and private negotiation panels have been taken offline in what appears to be a large-scale law enforcement operation. On July 24, the ransomware group’s leading site, usually accessible via The Onion Router (TOR), displayed a banner stating, “This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation.”
https://www.infosecurity-magazine.com/news/blacksuit-ransomware-sites-seized/

On July 28, 2025, the notorious hacker collective known as d4rk4rmy struck again, this time targeting Digitall Evolution, a digital services company. The alert came from ThreatMon Ransomware Monitoring, a specialized arm of the ThreatMon Threat Intelligence Platform, which actively tracks ransomware activities and exposes actors on the dark web.
https://undercodenews.com/digitall-evolution-falls-victim-to-d4rk4rmy-ransomware-attack-alarming-new-breach-hits-cybersecurity-radar/

Medusa Ransomware breached NASCAR, demanded $4 million, leaked sensitive data including maps and staff info, exposing major security failures. According to the data breach notification filed with the Office of the Maine Attorney General, the incident occurred on March 31, 2025, and was discovered on June 24, 2025.
https://hackread.com/nascar-ransomware-confirm-medusa-ransomware-data-breach/

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned a North Korean front company and three associated individuals for their involvement in the fraudulent remote information technology (IT) worker scheme designed to generate illicit revenues for Pyongyang.
https://thehackernews.com/2025/07/us-sanctions-firm-behind-n-korean-it.html

UpGuard has uncovered a wide-open Elasticsearch database exposing a staggering 22 million web traffic records. The leak is centered around Leakzone.net, a well-known underground forum peddling hacking tools, exploits, and stolen credentials. Among the data points revealed are sensitive user identifiers, IP addresses, and even location metadata.
https://undercodenews.com/massive-data-leak-exposes-22-million-records-from-underground-hacking-forum-leakzone/

A critical command injection vulnerability has been identified in the GitHub Action component tj-actions/branch-names, tracked as CVE-2025-54416. This vulnerability affects more than 5000 code repositories, posing significant risks of command injection attacks. GitHub Actions are automated workflows that facilitate continuous integration and continuous deployment (CI/CD) processes.
https://www.cyberhub.blog/article/10541-critical-command-injection-vulnerability-in-github-action-tj-actionsbranch-names-cve-2025-54416-exposes-over-5000-repositories

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive fake currency operation in India worth over $2 million. The report details how the individuals involved and their activities were exposed through their Facebook and Instagram accounts.
https://hackread.com/researchers-online-fake-currency-operation-in-india/

The notorious cybercrime and hacker platform BreachForums has mysteriously resurfaced on its original dark web .onion domain. The site appears to be fully restored, including its infrastructure, user-leaked databases, official breach listings and forum posts.
https://hackread.com/breachforums-resurface-original-dark-web-onion-address/

The threat actor known as Patchwork has been attributed to a new spear-phishing campaign targeting Turkish defense contractors with the goal of gathering strategic intelligence. "The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems," Arctic Wolf Labs said in a technical report published this week.
https://thehackernews.com/2025/07/patchwork-targets-turkish-defense-firms.html

The notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks against the retail, airline, and transportation sectors in North America. "The group's core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk," Google's Mandiant team said in an extensive analysis.
https://thehackernews.com/2025/07/scattered-spider-hijacks-vmware-esxi-to.html

Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium's Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances.
https://thehackernews.com/2025/07/critical-flaws-in-niagara-framework.html

More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account. Post SMTP is a popular email delivery plugin for WordPress with more than 400,000 active installations. It’s marketed as a more reliable and feature-rich replacement for the default ‘wp_mail()’ function.
https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-exposes-200k-wordpress-sites-to-hijacking-attacks/

Austria is set to legalise the use of highly-intrusive spyware by state authorities. The government has justified the law in the name of monitoring encrypted messaging applications. Opponents warn that there is no way to prevent the authorities accessing reams of sensitive information on targeted individuals, despite official promises to the contrary. Civil society organisations and opposition parties have promised to challenge the law in court.
https://www.statewatch.org/news/2025/july/austria-legalises-state-spyware-amidst-strong-opposition/
