Newsletters

A threat actor named Satoshi has allegedly hacked controversial email provider Cock[.]li and is now selling its data on an underground hacking forum.

They are selling this data on a Russian language underground hacking forum named XSS for 1 Bitcoin, or approximately $105,000.

The hacker allegedly used a recently disclosed zero-day in the Roundcube webmail software (CVE-2025-49113) to dump Cock[.]li's database and steal the details of over one million registered users.

Despite being sanctioned twice by the US Treasury Department last year, surveillance and spyware maker Intellexa has continued to operate and has even set up new server infrastructure for its customers.

In a report published on Thursday, security firm Recorded Future says it identified new customer- and victim-facing infrastructure, along with new systems to avoid detection.

The new infrastructure includes servers and domains for hosting and delivering the Predator mobile spyware, as well as VPS servers for anonymizing traffic and hosting management panels for Intellexa customers.

An executive order signed by US President Donald Trump has scaled back the US government's cyber security ambitions. It has dropped a range of provisions that would encourage organisations to adopt more stringent security standards. 

The order largely takes aim at directives issued in January of this year by then-President Joe Biden. One part of that January order, stipulated that the government "identify a coordinated set of practical and effective security practices to require when it procures software" and that vendors follow those practices. Trump's order keeps the standards development part, but ditches the need for vendors to actually adhere to them.

Biden's order also strongly emphasised the rollout of post-quantum cryptography (PQC), encryption systems that are not susceptible to attacks by quantum computers. Rather than being told to transition to PQC as soon as practicable, federal agencies have now been instructed to prepare to transition to PQC. 

Cybersecurity firm SentinelOne says it narrowly avoided getting hacked by Chinese government hackers after an APT breached one of its IT vendors that handled hardware logistics for its employees.

The company said it detected and stopped the intrusion before it reached its network.

The incident took place at the start of the year, months after SentinelOne also observed extensive reconnaissance of its internet-exposed servers.

The EU launched last week its own DNS service, with versions for government agencies, telcos, and home users.

The DNS4EU service is designed to provide a secure and privacy-focused DNS resolver for the EU bloc as an alternative to US and other foreign services.

The project was announced in October 2022 and was built under the supervision of the EU cybersecurity agency ENISA.

A new hacking group that spawned out of TheCom has breached over 20 companies and stolen their Salesforce data for extortion attempts.

The group, which Google calls UNC6040, operates by calling employees at large companies and posing as their IT support—a now tried and tested technique that's being abused by multiple other threat actors.

The end goal is to get victims to install a modified version of the Salesforce Data Loader app that grants the group's members access to a company's Salesforce backend databases.

For the first time in history it feels like law enforcement may actually be doing some damage to the ransomware ecosystem. Over the last few months Operation Endgame, a multinational joint law enforcement operation, has been tearing through the criminal underground like a bull in a china shop.

Last week Dutch police announced that, in collaboration with US and Finnish authorities, they had taken down AVCheck, a testing service used by cybercriminals. Per Risky Bulletin which has further coverage:

That same month authorities took down Lumma Stealer (aka LummaC2). Lumma is an infostealer, a type of malware that infects systems and extracts login and authorisation credentials from various apps and sends them to attacker-controlled servers. Risky Bulletin described what made Lumma popular amongst the criminal set: 

Four of today's biggest cybersecurity firms—Microsoft, CrowdStrike, Google, and Palo Alto Networks—have announced an initiative to deconflict and harmonize APT naming schemes.

The companies will publish documents on how each of their own APT names maps out to the other.

So far, CrowdStrike and Microsoft have released images, JSON, and Excel files on how their own APT names overlap with their competitors.

Law enforcement agencies from Finland, the Netherlands, and the US have seized AVCheck, an underground service used by cybercriminals.

The service has been around for over a decade and allowed malware developers to test their code against major antivirus engines and malware scanners.

It ran the engines and scanners in isolated cloud environments that cut off telemetry and prevented them from phoning back home to the security firms with warnings when malware was detected.

Microsoft will open up the Windows Update mechanism to third-party apps and driver makers so they can deliver updates to users in a faster and more seamless manner.

The new feature is currently under testing and will ship in a future Windows 11 release.

Microsoft has asked developers this week to sign up and help test out the new software update orchestration platform before its official release.