Svoboda Cybersecurity Brief November 04, 2025


Fake Solidity VSCode Extension Infects Developers via Open VSX

A malicious VSCode extension on Open VSX, juan-bianco.solidity-vlang, poses as a Solidity extension but delivers SleepyDuck, a RAT that uses Ethereum smart contracts for C2 resilience. The malware activates when a .sol file is opened, exfiltrates system data, and falls back to the blockchain-hosted C2 if the primary server (sleepyduck[.]xyz) is down. Over 53,000 downloads were recorded before detection.
Impact: Remote code execution, data theft, and persistence via blockchain redundancy.
Mitigation: Verify extension publishers, use official repositories, and audit installed extensions.
Source: BleepingComputer

BlackCat Ransomware Affiliates Indicted: Former Cybersecurity Experts Charged

Three ex-employees of DigitalMint and Sygnia allegedly conducted BlackCat ransomware attacks against U.S. companies, demanding ransoms up to $10 million. The DOJ indictment cites extortion and computer damage charges, with one victim paying $1.27 million.
Source: BleepingComputer

Microsoft Uncovers SesameOp Malware Abusing OpenAI Assistants API

A new backdoor, SesameOp, uses OpenAI’s Assistants API as a stealth C2 channel, protecting its commands with a combination of symmetric and asymmetric encryption. Observed in a July 2025 espionage campaign, it relies on .NET injection and persists via web shells.
Impact: Long-term espionage, data exfiltration via legitimate cloud services.
Mitigation: Audit firewall logs, enable tamper protection, and monitor external service connections.
Source: BleepingComputer

Logistics Firms Targeted via RMM Tools for Cargo Theft

Attackers use phishing to deploy ScreenConnect, SimpleHelp, and PDQ Connect on freight brokers’ systems, enabling cargo diversion. Proofpoint notes 20+ campaigns since August, with stolen goods resold online.
Impact: Physical cargo theft, credential harvesting, and supply chain disruption.
Mitigation: Restrict RMM tool installations, block .MSI/.EXE email attachments.
Source: BleepingComputer

British Library Still Suffering from 2023 Rhysida Ransomware Attack

Two years post-attack, the British Library faces ongoing disruptions—manual workflows, unavailable digital archives, and leaked employee data (573 GB, 490k files). The $600k ransom was unpaid, but long-term recovery challenges persist.
Source: DataBreaches

Chinese APT Deploys Airstalk Malware via BPO Supply Chains

CL-STA-1009 targets BPO firms with PowerShell/.NET malware (Airstalk) abusing AirWatch MDM APIs for C2. Capabilities include Chrome data theft (cookies, history) and screenshot capture.
Impact: Supply chain compromise, data exfiltration.
Mitigation: Monitor AirWatch API usage, inspect signed binaries for anomalies.
Source: SecurityWeek

Google Pays $100K for Chrome V8 Engine Bugs

Chrome 142 patched CVE-2025-12428 (type confusion) and CVE-2025-12429 (implementation flaw), each earning a $50K bounty. No in-the-wild exploitation was detected; the release also fixes 19 other vulnerabilities.
Source: SecurityWeek

North Korea’s Kimsuky Targets South Korea with HttpTroy Backdoor

A phishing email with a fake VPN invoice ZIP delivered HttpTroy, a .NET backdoor with screenshot, file transfer, and command execution capabilities. C2 traffic routes to load.auraria[.]org.
Impact: Full system compromise, data theft.
Mitigation: Block suspicious SCR/ZIP attachments, monitor HTTP POST anomalies.
Source: The Hacker News
