Svoboda Cybersecurity Brief August 23, 2025
Chinese Silk Typhoon APT exploits cloud trust relationships for espionage
Chinese state-backed hackers Silk Typhoon (aka Murky Panda) exploited trusted cloud relationships to pivot into downstream customer networks. They compromised SaaS providers & Microsoft CSPs, abusing Entra ID service principals and Admin Agent privileges for persistent access to emails/sensitive data. The group also deployed custom CloudedHope RAT and leveraged SOHO device proxies to evade detection.
Source: BleepingComputer
APT36 targets Indian govt/defense with Linux .desktop file malware
Pakistani espionage group APT36 abused Linux .desktop files (disguised as PDFs) to deploy Go-based malware via phishing. The TTP involved command injection in Exec= fields, fetching payloads from Google Drive, and establishing persistence via cron/systemd. Targets included government/defense sectors in India.
Impact: Full system compromise via WebSocket C2 for data exfiltration.
Mitigation: Monitor /tmp for suspicious ELF drops, restrict .desktop file execution.
Source: BleepingComputer
INTERPOL-led Operation Serengeti 2.0 arrests 1,209 cybercriminals in Africa
Authorities across 18 African nations disrupted cybercrime networks, recovering $97.4M and dismantling 11,432 infrastructures linked to ransomware, BEC, and scams affecting 88K victims. Key takedowns included crypto mining rings in Angola ($37M equipment seized) and a Zambian investment fraud ($300M losses). Private-sector intel from firms like Group-IB/Kaspersky aided the arrests.
Source: SecurityWeek
New Shamos macOS stealer spreads via fake troubleshooting guides
Cookie Spider group distributed Shamos malware (AMOS variant) via malvertising impersonating macOS fixes. Victims executed Base64-encoded bash commands fetching payloads that stole Keychain data, wallets, and browser credentials. The malware used xattr/chmod bypasses and deployed fake Ledger Live apps for further compromise.
Impact: Credential theft from 300+ global targets.
Mitigation: Verify commands before execution, avoid sponsored “fix” search results.
Source: BleepingComputer
Linux malware VShell delivered via malicious RAR filenames evades AV
Attackers embedded Bash commands in RAR filenames (e.g., ziliao2.pdf`{echo,...}`) to trigger in-memory execution of the VShell backdoor when extracted. The payload avoided disk writes and supported cross-architecture C2 (x86/ARM). Phishing lures promised beauty product survey rewards.
Impact: Remote system control via encrypted WebSocket.
Mitigation: Sanitize filenames during extraction, block outbound C2 to 45.61.185[.]78.
Source: TheHackerNews
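To show what the "sanitize filenames during extraction" mitigation above looks like in practice, here is an added example (not from the brief or from the researchers it cites) that flags archive member names carrying shell-evaluable fragments such as backticks, $(...) and {a,b} brace expansion, and returns a neutralised name; the sample names are constructed.

```python
import re
from typing import NamedTuple

# Fragments a shell would evaluate if the name were ever interpolated
# unquoted into a command line (the VShell lure appended a backtick-wrapped
# brace expansion of the form `{echo,...}` to a .pdf name).
_SHELL_EVAL = re.compile(
    r"`[^`]*`"             # backtick command substitution
    r"|\$\([^)]*\)"        # $(...) command substitution
    r"|\$\{[^}]*\}"        # ${...} parameter expansion
    r"|\{[^{}]*,[^{}]*\}"  # {a,b} brace expansion
    r"|[;|&\n\r]"          # command separators / line breaks
)

# Conservative allow-list used to build the sanitised name.
_SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class Verdict(NamedTuple):
    original: str
    sanitized: str
    suspicious: bool
    reasons: tuple


def inspect_member_name(name: str) -> Verdict:
    """Check one archive member name; return a sanitised form and why it was flagged."""
    reasons = tuple(m.group(0) for m in _SHELL_EVAL.finditer(name))
    # Drop any directory component (also defeats ../ traversal), then
    # collapse every disallowed character to an underscore.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    safe = _SAFE_CHARS.sub("_", base).strip("._") or "unnamed"
    return Verdict(name, safe, bool(reasons), reasons)


def triage(names):
    """Return the members that must never reach a shell-based extractor unsanitised."""
    return [v for v in map(inspect_member_name, names) if v.suspicious]


# Constructed sample names: one benign, one mimicking the lure shape, one with a separator.
SAMPLE_NAMES = [
    "survey_form.pdf",
    "ziliao2.pdf`{echo,hello}`",
    "report;rm.txt",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_NAMES):
        print(f"FLAG {v.original!r} -> {v.sanitized!r} because of {v.reasons}")
```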
DaVita confirms ransomware breach impacted 2.7M patients
Kidney dialysis provider DaVita disclosed Interlock ransomware gang stole SSNs, health records, and lab results during a March-April 2025 breach. The group leaked 1.5TB of data after failed negotiations. The incident highlights healthcare sector targeting.
Source: BleepingComputer
Developer sentenced for deploying kill-switch malware at Eaton
Ex-Eaton engineer Davis Lu coded Java-based kill-switch malware (IsDLEnabledinAD) that activated when his AD access was revoked, crashing servers. The sabotage caused $100K+ losses and led to a 4-year prison sentence.
Source: SecurityWeek
MITRE updates Top 11 Hardware Weaknesses list
The 2025 CWE MIHW list highlights resource reuse flaws (CWE-226) and SoC isolation issues (CWE-1189), adding 6 new entries like CWE-1300 (side channels). Focus areas include debug modes and fault injection vulnerabilities.
Source: SecurityWeek