Newsletters

Law enforcement agencies from Finland, the Netherlands, and the US have seized AVCheck, an underground service used by cybercriminals.

The service has been around for over a decade and allowed malware developers to test their code against major antivirus engines and malware scanners.

It ran the engines and scanners in isolated cloud environments that cut off telemetry and prevented them from phoning back home to the security firms with warnings when malware was detected.

Microsoft will open up the Windows Update mechanism to third-party apps and driver makers so they can deliver updates to users in a faster and more seamless manner.

The new feature is currently under testing and will ship in a future Windows 11 release.

Microsoft has asked developers this week to sign up and help test out the new software update orchestration platform before its official release.

We've long known that Russian cybercriminals have worked to advance Russian state interests, but the details of the relationship between these criminals and the state has been hard to pin down concretely. 

Last week, however, the US Department of Justice (DoJ) used an indictment to tie the Russian cybercriminals behind the DanaBot malware to a second variant of the malware. Rather than stealing bank account credentials or cryptocurrency, the second variant was designed to conduct espionage for the Russian state. 

The DOJ's criminal complaint and indictment accuses 16 defendants of allegedly developing and deploying the DanaBot botnet and infostealer.

Dutch intelligence agencies have uncovered a new Russian cyber-espionage group while investigating a security breach of its police force last September.

The new group is tracked as Laundry Bear by Dutch intelligence services AIVD and MIVD and Void Blizzard by Microsoft, which aided in the Dutch investigation.

Among the panoply of Russian APTs, the group appears to be a new cluster that was formed and started operations in mid-2024.

Over the course of the past six months, the SVG image format has become a favorite method of hiding and delivering malicious code for email phishing campaigns.

More than a dozen cybersecurity firms have now noted the rise in SVG payloads in their email security detections: AhnLab, Cloudflare, Forcepoint, Intezer, Kaspersky, Keep Aware, KnowBe4, Mimecast, Sophos, Sublime Security, Trustwave, and VIPRE.

In its Q1 2025 trends report, Sublime Security says SVG payloads now account for 1% of all phishing attempts the company sees.

A coalition of law enforcement agencies and cybersecurity firms have dealt two major blows to the cybercrime ecosystem this week by taking down a prodigious malware botnet named DanaBot and Lumma Stealer (aka LummaC2), today's most popular and widely used infostealer platform.

The Lumma Stealer takedown

The takedowns took place on separate days and were unrelated to each other. The first took place on Wednesday and targeted Lumma, a type of malware that infects Windows systems, extracts login credentials from various apps, and sends them to an attacker's servers.

Telegram's moderation policies have markedly improved, but the jury is out on whether its pivot to more responsible practices will be an enduring one.

This week the messaging app shut down Huoine Guarantee and Xinbi Guarantee, two massive Telegram-based criminal marketplaces that connected Southeast Asian fraudsters with criminal services. 

Both were 'guarantee marketplaces', where the market administrators facilitated illicit transactions between anonymous buyers and sellers. Its services included the vetting of merchants, escrow services, and bots that monitor transaction fulfillment. Tether's USDT stablecoin is the primary payment method.  

The European Union has sanctioned three new clusters associated with Russia's disinformation networks across Africa and Europe.

This is the EU's 17th round of sanctions against Russia over its 2022 invasion and ongoing war in Ukraine. The sanctions are far broader and also target Russia's oil sector, its shadow fleet of oil tankers, and its hybrid warfare activities across Europe, which included extensive sabotage and disinformation campaigns.

We will not cover the entire sanctions package since it's out of the scope of this newsletter, but only the three clusters that are cyber adjacent.

The Japanese government passed a new law last week that allows local agencies to carry out preemptive offensive cyber operations to prevent or suppress future attacks on the country's IT infrastructure.

Although named the Active Cyberdefense Law, its scope goes beyond what the name suggests and also includes several other provisions that modernize and upgrade the country's cybersecurity practices as a whole.

The most important section of the new law is not the part about "active cyber defense" but the part that overhauls some of Japan's data collection practices.

Google Chrome will inherit a security feature from Microsoft Edge that will automatically prevent Windows users from launching the browser with elevated admin privileges.

The new feature stops and relaunches the browser with normal user-level permissions every time a user tries to run it as an Administrator.

Chrome will only run with admin rights if passed special command-line arguments or when it's started in Automation Mode—to prevent the browser from breaking complex software automation chains.