Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

SEC SIM-swapper who Googled ‘signs that the FBI is after you’ put behind bars

Source: The Register

An Alabama man who SIM-swapped his way into the SEC’s official X account, enabling a fake ETF announcement that briefly pumped Bitcoin, has been sentenced to 14 months in prison and three years of supervised release. Prior to his conviction and sentencing on Friday, Eric Council Jr., 26, of Huntsville, Alabama, proved once again that cybercriminals are very bad at internet search hygiene. Read more.

Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

Source: GBHackers

Often compared to .NET for its persistence in malicious campaigns, AutoIT’s simplicity and ability to interact with Windows components make it a favored tool among cybercriminals. This weekend, a particularly intricate malware delivery mechanism was identified, featuring a double-layered AutoIT script designed to deploy a potentially devastating payload. Read more.

Malware of the Day – C2 over ICMP (ICMP-GOSH)

Source: ACTIVE COUNTER MEASURES

The potential for ICMP to be used as a C2 channel is often overlooked precisely because it is such a foundational troubleshooting protocol, integral to the normal functioning of network communication. Many people view it as “background chatter” and, for that very reason, do not consider that it can be intentionally leveraged to carry data. Read more.

Backdoor implant discovered on PyPI posing as debugging utility

Source: REVERSING LABS

On Tuesday, the RL threat research team detected a newly uploaded malicious package that poses as a Python debugging utility. When installed, the package implants a backdoor on the developer’s system, enabling malicious actors to execute malicious code and exfiltrate sensitive data. Read more.

Ransomware gangs increasingly use Skitnet post-exploitation malware

Source: BLEEPING COMPUTER

Ransomware gang members increasingly use a new malware called Skitnet (“Bossnet”) to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. Read more.

Researchers Expose New Intel CPU Flaws Enabling Memory Leaks and Spectre v2 Attacks

Source: The Hacker News

The vulnerability, referred to as Branch Privilege Injection (BPI), “can be exploited to misuse the prediction calculations of the CPU (central processing unit) in order to gain unauthorized access to information from other processor users,” ETH Zurich said. Read more.

Android users bombarded with unskippable ads

Source: Malwarebytes Labs

Researchers have discovered a very versatile ad fraud network—known as Kaleidoscope—that bombards users with unskippable ads. Kaleidoscope targets Android users through seemingly legitimate apps in the Google Play Store, as well as malicious lookalikes distributed through third-party app stores. Read more.

Operation RoundPress

Source: welivesecurity

In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra. Read more.

GovDelivery, an email alert system used by governments, abused to send scam messages

Source: TechCrunch

An email notification system used by U.S. federal and state government departments to alert residents to important information has been used to send scam emails, TechCrunch has learned. Read more.

APT GROUP123

Source: CYFIRMA

Group123 is a North Korean state-sponsored APT group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and ScarCruft by various cybersecurity firms. The group is known for its cyber espionage campaigns primarily targeting South Korea; however, since 2017 it has expanded its operations to Japan, Vietnam, the Middle East, and other regions. Read more.