Newsletters

Over the course of the past six months, the SVG image format has become a favorite method of hiding and delivering malicious code for email phishing campaigns.

More than a dozen cybersecurity firms have now noted the rise in SVG payloads in their email security detections: AhnLab, Cloudflare, Forcepoint, Intezer, Kaspersky, Keep Aware, KnowBe4, Mimecast, Sophos, Sublime Security, Trustwave, and VIPRE.

In its Q1 2025 trends report, Sublime Security says SVG payloads now account for 1% of all phishing attempts the company sees.

A coalition of law enforcement agencies and cybersecurity firms have dealt two major blows to the cybercrime ecosystem this week by taking down a prodigious malware botnet named DanaBot and Lumma Stealer (aka LummaC2), today's most popular and widely used infostealer platform.

The Lumma Stealer takedown

The takedowns took place on separate days and were unrelated to each other. The first took place on Wednesday and targeted Lumma, a type of malware that infects Windows systems, extracts login credentials from various apps, and sends them to an attacker's servers.

Telegram's moderation policies have markedly improved, but the jury is out on whether its pivot to more responsible practices will be an enduring one.

This week the messaging app shut down Huoine Guarantee and Xinbi Guarantee, two massive Telegram-based criminal marketplaces that connected Southeast Asian fraudsters with criminal services. 

Both were 'guarantee marketplaces', where the market administrators facilitated illicit transactions between anonymous buyers and sellers. Its services included the vetting of merchants, escrow services, and bots that monitor transaction fulfillment. Tether's USDT stablecoin is the primary payment method.  

The European Union has sanctioned three new clusters associated with Russia's disinformation networks across Africa and Europe.

This is the EU's 17th round of sanctions against Russia over its 2022 invasion and ongoing war in Ukraine. The sanctions are far broader and also target Russia's oil sector, its shadow fleet of oil tankers, and its hybrid warfare activities across Europe, which included extensive sabotage and disinformation campaigns.

We will not cover the entire sanctions package since it's out of the scope of this newsletter, but only the three clusters that are cyber adjacent.

The Japanese government passed a new law last week that allows local agencies to carry out preemptive offensive cyber operations to prevent or suppress future attacks on the country's IT infrastructure.

Although named the Active Cyberdefense Law, its scope goes beyond what the name suggests and also includes several other provisions that modernize and upgrade the country's cybersecurity practices as a whole.

The most important section of the new law is not the part about "active cyber defense" but the part that overhauls some of Japan's data collection practices.

Google Chrome will inherit a security feature from Microsoft Edge that will automatically prevent Windows users from launching the browser with elevated admin privileges.

The new feature stops and relaunches the browser with normal user-level permissions every time a user tries to run it as an Administrator.

Chrome will only run with admin rights if passed special command-line arguments or when it's started in Automation Mode—to prevent the browser from breaking complex software automation chains.

A new paper, from researchers at Princeton and The Citizen Lab, has found that apps from the Xiaomi's Mi Store, which services mainland China, are an encryption horror show. Compared to apps found in Google's Play Store, Mi Store apps send significantly more unencrypted traffic. And the encrypted traffic they do send is typically vulnerable to decryption by eavesdroppers.

The researchers examined the top 1,699 apps from the Google Play Store and the Mi Store (more than 800 from each store) and ran them through a measurement pipeline they called WireWatch. The researchers developed WireWatch to automatically identify non-standard encryption. 

It found that nearly half of the top Mi Store apps used proprietary encryption. Only 3.51% of the top Google Play Store apps do the same. The authors then reverse-engineered the nine most popular cryptosystems identified by WireWatch. They found that eight of them sent network traffic that was vulnerable to decryption by adversaries. 

The EU's cybersecurity agency ENISA has launched its own vulnerability database designed to aggregate information on software bugs across the European ecosystem.

Although some infosec researchers might think this is the EU's reaction to the recent MITRE funding issues in the US, the new EUVD database was coming anyway, regardless of what was happening to the CVE program.

The EU actually ordered ENISA to create the new database via the NIS2 directive that passed in December 2022—see paragraphs 62 and 63.

Security researchers have discovered a new ad fraud operation named Kaleidoscope that uses the "evil twin app" technique to disguise the origin of its ad impressions.

The botnet consists of clean apps uploaded to the official Play Store and doppelgangers distributed through third-party stores.

These clones are the heart of the botnet and are the ones that use a malicious advertising SDK to bombard users with unwanted and unskippable ads.

VIGINUM, the French government's agency that hunts down and exposes foreign disinformation networks, says that Russian influence operations have now reached a mature level and are often achieving notable results.

The agency published a report this week on Storm-1516—what appears to be one of the Russian government's most sprawling and active disinformation clusters.

Unlike many previous disinformation reports that tend to play down the effectiveness of such operations, VIGINUM doesn't mince words and describes Storm-1516's efforts as successful and "a significant threat to French and European public debate."