Newsletters

Written content from the Risky Business Media team

Risky Bulletin: China arrests members of Silver Fox cybercrime group

Presented by Catalin Cimpanu, News Editor

Chinese police have arrested 67 suspects linked to Silver Fox, the country's largest and most active cybercrime group targeting Chinese users.

Arrests took place across five provinces and targeted everyone from developers to phishing site operators and various affiliates.

Authorities identified a man named Ji Moufei as the main individual who wrote and sold the group's malware, the eponymous Silver Fox trojan. Ji and four associates were arrested in Zhejiang.

Risky Bulletin: Arch Linux supply chain attack spreads to 1,900+ AUR packages

Presented by Catalin Cimpanu, News Editor

More than 1,900 Arch Linux packages were hijacked over the weekend as part of a massive supply chain attack designed to infect users with a rootkit and a credentials harvester.

The attacker(s) targeted Arch Linux packages hosted on the AUR portal, an unofficial, community-run repository of Arch packages. The portal hosts roughly 100,000 entries, but almost a tenth have been abandoned by their maintainers in what AUR calls "orphaned packages."

The attack exploited an AUR mechanism that allowed the hacker to "adopt" the abandoned packages and become a maintainer.

Risky Bulletin: In the age of AI, CISA changes federal patching rules

Presented by Catalin Cimpanu, News Editor

The US Cybersecurity and Infrastructure Security Agency (CISA) issued a new binding operational directive (BOD) this week that updates the patching rules for federal civilian agencies.

The new order cites the rise of AI-automated attacks as the main reason to prioritize bugs based on the risk they pose to federal networks and shorten patching deadlines.

The order introduces a new decision tree (pictured below) that prioritizes vulnerabilities that are exploited in the wild, are easy to exploit and automate, and would grant broad access to a system once exploited.

Srsly Risky Biz: Europe Wants To Wean Itself Off US Tech

Presented by Tom Uren, Policy & Intelligence

The European Union Commission has proposed a tech sovereignty package that covers a range of initiatives around semiconductors, cloud computing and AI. We'd be surprised if these initiatives have a major impact in the short term, but this is still a good move for Europe.

The key initiative of the proposed package, in our view, is the Open Source Strategy, which aims to "strengthen digital autonomy through open source". Although it's not stated explicitly, the intent here is to wean Europe off the US tech stack by encouraging open source alternatives.

The strategy says it will take "concrete actions", for example reforming government procurement rules to make them more open source friendly. EU governments will also award grants to open source projects under the strategy.

Risky Bulletin: Meta says NSO violated court order with new campaign targeting WhatsApp

Presented by Catalin Cimpanu, News Editor

Social media company Meta says it found and disrupted a new NSO Group hacking campaign targeting WhatsApp users, in violation of a US court order issued last October.

The campaign was a spear-phishing operation that tried to lure selected users into clicking a malicious link, sent to their WhatsApp accounts, that took them to an external site.

Meta filed a legal complaint against the Israeli spyware company on Monday, asking the court to hold NSO in contempt.

Risky Bulletin: RubyGems adds dependency cooldowns to counter supply chain attacks

Presented by Catalin Cimpanu, News Editor

The RubyGems package manager has added support for dependency cooldowns as a way to counter a recent spate of supply chain attacks. The move copies similar efforts made in the JavaScript and Python ecosystems this year.

Dependency cooldowns are parameters that tell the package manager to install dependencies only once they have reached a certain age in days. For example, a dependency cooldown of "7" will only install package versions that have been published for at least a week.

The idea behind dependency cooldowns is to give security tools, the admins of package repositories, and library maintainers time to detect compromises and pull malicious versions before they reach downstream users.

Risky Bulletin: The EU debuts digital sovereignty plan

Presented by Catalin Cimpanu, News Editor

The European Commission unveiled on Wednesday a plan to decouple from American companies and boost the bloc's tech sovereignty.

The plan would boost chip production, triple data center capacity, and fund open-source projects as alternatives to US-dominated software.

The proposals cut the typical EU red tape around developing new infrastructure, such as data centers, and provide generous funding for homegrown solutions.

Srsly Risky Biz: NATO's Cyber Approach Needs Change

Presented by Tom Uren, Policy & Intelligence

Last week, The Grugq and I travelled to Estonia for CyCon, NATO CCDCOE's conference on Cyber Conflict. Our biggest takeaway from the conversations we had there is that NATO, unsurprisingly, is well prepared for one-off, large-scale military attacks. But it is failing to counter small, unremitting cyberattacks, and this needs to change.

NATO was created to deter the Soviet Union from military aggression. It still defines itself as a defensive alliance that can deliver a "resounding response" in the event of an unlikely but devastating Russian military attack.

Russian cyber operations, however, are continuous and conducted well below the threshold of armed conflict. Individual operations just aren't damaging enough to attract a robust response. These continuous aggressive incursions are favoured by states like Russia and China as a way to harass their adversaries during peacetime.

Risky Bulletin: A tenth of all new domains last year were malicious

Presented by Catalin Cimpanu, News Editor

One in every ten new domains registered in 2025 was linked to malicious activity and was eventually added to one or more cybersecurity blocklists.

A total of 84,961,989 domains were created last year and 8,496,811 were later added to a blocklist, according to an Interisle report published on Monday.

Researchers believe the actual number of malicious domains may be double that, at around 16.8 million, since many newly registered domains are only blocklisted once they are deployed in operations in the wild later on.

Risky Bulletin: Russia greatly expands SORM surveillance requirements

Presented by Catalin Cimpanu, News Editor

The Russian government has greatly expanded the amount of personal and technical data that mobile operators and internet service providers must collect from their customers and share with state authorities.

This data collection is part of a surveillance system used in Russia named SORM, which stands for the System for Operative Investigative Activities. SORM works through special equipment installed at local telcos that collects data on the company's traffic and uploads it to a government database where the police and intelligence services can query it for their investigations.

Over the years, as networking equipment has become more powerful, SORM has been slowly updated with new collection rules that telcos must comply with or face a fine.