I go through ~20 different cybersecurity news portals and research sites for the most interesting news every week so that you don’t have to.

If you enjoy the content, scroll to the bottom to get such a summary to your inbox every Monday!

1. Lazarus Group Uses Fake Recruitments and Trojanized Open-Source Tools to Infiltrate European Drone Firms

ESET researchers have uncovered a new phase of North Korea’s Operation DreamJob, targeting at least three European defense and UAV-technology firms since March 2025. Attackers lured engineers with counterfeit job offers, then dropped a custom DLL loader (DroneEXEHijackingLoader.dll) and the ScoringMathTea RAT via trojanized open-source apps to exfiltrate drone design and manufacturing data.

Key Details

  • Spear-phishing emails pose as recruiters from leading defense firms, delivering malicious PDF readers or installers.
  • DLL side-loading loads DroneEXEHijackingLoader.dll, which in turn deploys the ScoringMathTea RAT for persistence and data theft.
  • Attackers trojanized lesser-known GitHub projects (Notepad++, WinMerge plugins) to evade detection.
  • At least three companies across Southeastern and Central Europe, metal engineering, aircraft components, and defense, were targeted.

Next Steps

  • Don’t install stuff during job interviews.
  • Be suspicious of links from recruiters.

Read more at CSO Online


2. Iran-Linked MuddyWater Deploys Phoenix Backdoor in Global Espionage Campaign

A new MuddyWater operation used a compromised, NordVPN-accessed mailbox to phish over 100 government and international organizations in MENA. Opening weaponized Word attachments and enabling macros installed the Phoenix v4 backdoor via a FakeUpdate loader.

Key Details

  • MuddyWater spoofed trusted email correspondence via a NordVPN-routed mailbox.
  • Targets: 75% embassies, foreign affairs ministries, consulates, plus telecoms and NGOs.
  • Attack chain: Word macro dropper → FakeUpdate loader → AES-encrypted Phoenix v4 payload.
  • C2 server (159.198.36[.]115) also hosts RMM tools and custom browser credential stealer.

Next Steps

  • Block or restrict Office macros by default; allow only via controlled signing.

Read more at Group IB, The Hacker News


3. GlassWorm Self-Propagates in VS Code Extensions via Invisible Unicode

Researchers at Koi Security uncovered GlassWorm, a self-propagating worm hidden in VS Code extensions using non-rendering Unicode characters to evade detection. It leverages the Solana blockchain and Google Calendar for resilient command-and-control, harvests developer credentials to spread across the supply chain, and turns infected workstations into SOCKS proxies and hidden VNC servers. Over 35,800 installs are impacted, posing immediate risk for anyone relying on VS Code.

Key Details

  • At least 13 extensions on OpenVSX and one on Microsoft Marketplace infected, downloaded ~35,800 times.
  • Malicious payload concealed with Unicode variation selectors invisible to editors and most scanners.
  • C2 infrastructure spans Solana blockchain transactions, Google Calendar fallback, and BitTorrent DHT.
  • ZOMBI module deploys SOCKS proxy, hidden VNC, and uses stolen tokens to compromise more packages.

Next Steps

  • Audit VS Code extensions against Koi’s published IoCs
  • Revoke and rotate all NPM, GitHub, and VS Code tokens
  • Establish a review process for VS Code extensions.
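The GlassWorm payload hides behind Unicode variation selectors that editors render as nothing, so an extension audit should look for invisible code points rather than trusting what the editor shows. The script below is an added example, not Koi Security's tooling and not taken from the GlassWorm report: it walks JavaScript source, reports every run of invisible characters with its line, column and length, and lets you filter out the one-character runs that legitimate emoji produce. The `SAMPLE_JS` fixture is constructed for the demonstration.

```python
"""Scan JavaScript source for invisible Unicode that can conceal a payload.

Added example (not Koi Security's code, not from the GlassWorm report). The
ranges below are real Unicode blocks; the sample extension source is constructed.
"""
import sys
import unicodedata
from typing import Dict, List, Optional, Tuple

# Code points that are legitimate in text but render invisibly; a long run of
# them inside an extension's JavaScript is not something a developer typed.
INVISIBLE_RANGES: Dict[str, Tuple[int, int]] = {
    "variation selector":            (0xFE00, 0xFE0F),
    "variation selector supplement": (0xE0100, 0xE01EF),
    "tag character":                 (0xE0000, 0xE007F),
    "zero-width / joiner":           (0x200B, 0x200D),
    "word joiner":                   (0x2060, 0x2064),
    "byte order mark":               (0xFEFF, 0xFEFF),
    "soft hyphen":                   (0x00AD, 0x00AD),
}


def classify(ch: str) -> Optional[str]:
    """Name the invisible class a character belongs to, or None if it is visible."""
    cp = ord(ch)
    for name, (lo, hi) in INVISIBLE_RANGES.items():
        if lo <= cp <= hi:
            return name
    # Catch-all: other format characters (Cf) and unassigned code points (Cn)
    # also render as nothing. Control characters such as "\n" are Cc, not flagged.
    if unicodedata.category(ch) in ("Cf", "Cn"):
        return "other format/unassigned"
    return None


def scan_source(text: str, min_run: int = 1) -> List[dict]:
    """Return one finding per run of invisible characters of at least min_run length."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        run_start: Optional[int] = None
        kinds = set()
        # A trailing space is appended so a run at the end of the line is closed.
        for col, ch in enumerate(line + " "):
            kind = classify(ch)
            if kind:
                if run_start is None:
                    run_start = col
                kinds.add(kind)
            elif run_start is not None:
                length = col - run_start
                if length >= min_run:
                    findings.append({"line": lineno, "col": run_start,
                                     "length": length, "kinds": sorted(kinds)})
                run_start, kinds = None, set()
    return findings


# Constructed fixture: a harmless emoji with a variation selector on line 1 (a
# one-character run any real file may contain) and a 24-character run of
# variation selectors inside a string literal on line 3, which is the pattern
# an audit should surface. The run carries no data; it only exercises the scanner.
_HIDDEN_RUN = "".join(chr(0xFE00 + i % 16) for i in range(24))
SAMPLE_JS = (
    "// \u2714\ufe0f activation\n"
    "const version = '1.2.3';\n"
    f"const cfg = 'update{_HIDDEN_RUN}';\n"
    "function activate(ctx) { return cfg; }\n"
)


def main(paths: List[str]) -> None:
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_source(fh.read(), min_run=8):
                print(f"{path}:{f['line']}:{f['col']} run of {f['length']} "
                      f"invisible chars ({', '.join(f['kinds'])})")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1:])
    else:
        for f in scan_source(SAMPLE_JS, min_run=8):
            print(f)
```

Run it over an unpacked extension directory (`python scan.py $(find ~/.vscode/extensions -name '*.js')`) and treat any multi-character run as something to read with a hex viewer rather than an editor. The `min_run` threshold is the knob that separates emoji presentation selectors from concealment; a threshold of 8 is an assumption, not a value from the report.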

Read more at Dark Reading


4. SquareX Warns of AI Sidebar Spoofing via Malicious Extensions

Security researchers at SquareX have uncovered “AI Sidebar Spoofing”, an attack where malicious browser extensions overlay pixel-perfect fake AI assistant sidebars (in Comet, Atlas, Edge, Brave, etc.). Unsuspecting users follow attacker-supplied instructions, such as phishing links to fraudulent login pages or system commands that install reverse shells, believing they come from the genuine AI interface. Requiring only basic “host” and “storage” permissions, these extensions can lie dormant until triggered and evade permission-based scans, highlighting the need for runtime extension analysis and browser-native guardrails.

Key Details

  • Attack uses JavaScript injection to overlay fake AI sidebars indistinguishable from real ones.
  • Demonstrated in three scenarios: crypto-phishing, OAuth credential theft, reverse-shell installation.
  • Works on Comet and confirmed against newly released Atlas; affects any AI sidebar-enabled browser.
  • Malicious extensions stay dormant until a trigger prompt, complicating static permission review.
  • Attack works on both specialized AI browsers (Perplexity AI’s Comet, OpenAI’s Atlas) and mainstream browsers with AI features.
  • Fake sidebar overlays intercept all user interaction without visual or workflow differences.

Next Steps

  • Restrict or vet unapproved sidebar extensions centrally

Read more at SquareX Technical Blog, HackRead, SiliconAngle

5. PhantomCaptcha Spearphishing Delivers RAT to Ukraine Aid Organizations

SentinelLABS discovered a tightly orchestrated, single-day cyber operation on October 8, 2025, that targeted the Red Cross, UNICEF, Norwegian Refugee Council, and multiple Ukrainian regional administrations with weaponized PDFs. Victims were lured to a fake Zoom/Cloudflare captcha page where a "Paste and Run" trick launched a multi-stage WebSocket-based RAT hosted on Russian-linked servers. 

Key Details

  • Phishing emails spoofed the Ukrainian President’s Office with an embedded malicious PDF.
  • A fake Zoom download domain led to a counterfeit Cloudflare DDoS-protection page prompting users to paste a “token” into Windows Run.
  • Executed PowerShell payload staged three obfuscated scripts culminating in a WebSocket RAT for remote control and data theft.
  • Infrastructure was active just 24 hours publicly, but backend C2 servers remained online to maintain compromised hosts.

Next Steps

  • Validate all PDF senders and disable unauthorized script execution.
  • More phishing training?

Read more at Hackread.com, The Record, SentinelLABS blog


6. Smishing Triad’s Global SMS Phishing Campaign Churns Through Nearly 200,000 Domains

A China-linked group known as the "Smishing Triad" has registered over 136,000 root domains (194,000+ FQDNs) since January 2024 to send fraudulent toll-violation and package-delivery texts worldwide. 

By rapidly rotating domains (29% live two days or less and 82.6% under two weeks) and evolving naming patterns (e.g., gov- prefixes, state names), attackers evade simple blocks and impersonate services from USPS and DMVs to banks and toll operators.

Key Details

  • 136,933 root domains and 194,345 FQDNs identified by Unit42 (Jan 2024–Jun 2025).
  • Top impersonated brand: U.S. Postal Service with 28,045 FQDNs; toll-service lures account for ~90,000 domains.
  • Very short domain lifespans: 29.19% active ≤2 days, 71.3% ≤1 week, 82.6% ≤2 weeks; <6% survive >3 months.

Next Steps

  • Implement DNS filtering to block short-lived, high-risk domains.
  • Monitor short-lived domains and flag gov-style prefixes
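Both next steps come down to scoring newly observed domains on the two signals the Unit42 data shows: how briefly the domain is alive and whether its name imitates a government, state, brand or toll-service. The triage script below is an added example, not Unit42's code. It assumes a feed of `(fqdn, first_seen, last_seen)` records such as passive DNS or a certificate-transparency watcher would give you; the feed, the keyword lists and the score weights are all constructed for the demonstration, and the state list is deliberately partial.

```python
"""Score newly observed domains for Smishing Triad-style naming and lifespan.

Added example, not Unit 42's tooling. Keyword lists, weights and the feed are
constructed; the "registrable root" is approximated as the last two labels,
so a proper public-suffix list should replace that in production.
"""
import re
from datetime import datetime
from typing import Dict, List

# Assumed keyword lists: brands and lure themes the article names, plus a
# partial set of U.S. state names used in the "state name" naming pattern.
BRAND_KEYWORDS = ("usps", "dmv", "toll", "bank", "delivery", "package", "parcel")
STATE_NAMES = ("texas", "florida", "california", "newyork", "ohio", "georgia", "michigan")
GOV_PREFIX = re.compile(r"^gov(?:-|\d)")

# Assumed weights; tune against your own false-positive rate.
WEIGHTS = {"lifespan<=2d": 2, "lifespan<=14d": 1, "gov-prefix": 3, "state": 1, "brand": 2}
FLAG_THRESHOLD = 3


def lifespan_days(first_seen: str, last_seen: str) -> float:
    """Days between first and last observation (ISO-8601 timestamps)."""
    first = datetime.fromisoformat(first_seen)
    last = datetime.fromisoformat(last_seen)
    return (last - first).total_seconds() / 86400


def naming_signals(fqdn: str) -> List[str]:
    """Signals drawn from the hostname alone."""
    host = fqdn.lower().rstrip(".")
    labels = host.split(".")
    flattened = host.replace("-", "").replace(".", "")
    signals = []
    if any(GOV_PREFIX.match(lab) for lab in labels):
        signals.append("gov-prefix")
    if any(state in flattened for state in STATE_NAMES):
        signals.append("state")
    if any(word in flattened for word in BRAND_KEYWORDS):
        signals.append("brand")
    return signals


def score_record(rec: Dict[str, str]) -> dict:
    """Combine lifespan and naming signals into one score with its reasons."""
    signals = naming_signals(rec["fqdn"])
    days = lifespan_days(rec["first_seen"], rec["last_seen"])
    if days <= 2:
        signals.append("lifespan<=2d")
    elif days <= 14:
        signals.append("lifespan<=14d")
    score = sum(WEIGHTS[s] for s in signals)
    return {"fqdn": rec["fqdn"], "lifespan_days": round(days, 2),
            "signals": signals, "score": score, "flagged": score >= FLAG_THRESHOLD}


def triage(feed: List[Dict[str, str]]) -> List[dict]:
    """Score every record and return them highest-risk first (stable for ties)."""
    return sorted((score_record(r) for r in feed), key=lambda r: r["score"], reverse=True)


# Constructed feed: three lure-style names with short lifespans and one
# long-lived ordinary host as a control.
FEED = [
    {"fqdn": "gov-tx-toll-pay.com",
     "first_seen": "2025-06-01T00:00:00+00:00", "last_seen": "2025-06-02T12:00:00+00:00"},
    {"fqdn": "usps-redelivery-floridapackage.top",
     "first_seen": "2025-06-10T00:00:00+00:00", "last_seen": "2025-06-20T00:00:00+00:00"},
    {"fqdn": "mail.example.org",
     "first_seen": "2024-01-01T00:00:00+00:00", "last_seen": "2025-06-01T00:00:00+00:00"},
    {"fqdn": "bank-update-alert.xyz",
     "first_seen": "2025-06-15T08:00:00+00:00", "last_seen": "2025-06-15T20:00:00+00:00"},
]

if __name__ == "__main__":
    for row in triage(FEED):
        mark = "FLAG" if row["flagged"] else "    "
        print(f"{mark} {row['score']:>2} {row['fqdn']:<40} {row['signals']}")
```

The lifespan signal only works on a feed that keeps seeing the domain after first registration, so pair the scorer with whatever observes the domain a second time (resolver logs, a DNS firewall hit list). Anything it flags is a candidate for a block rule, not proof of abuse; "bank" in particular will match legitimate hosts.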

Read more at Palo Alto Networks Unit42, Dark Reading #1, Dark Reading #2

7. UN Cybercrime Convention Faces Industry Backlash Over Researcher Risks

The UN Convention against Cybercrime, opening for signatures this weekend, is criticized by a coalition of over 100 major tech firms and rights groups for its broad definitions and surveillance powers that could criminalize legitimate security research and undermine cyber defense.

Key Details

  • Cybersecurity Tech Accord members (Arm, Cisco, Meta, Microsoft) warn treaty’s vague scope risks criminalizing benign online activity
  • Obligates states to criminalize offences punishable by ≥4 years imprisonment, with expansive data-access and surveillance powers
  • No explicit protections for security researchers; critics say treaty reads like a digital surveillance pact
  • EU has signaled support; treaty enters into force 90 days after 40 ratifications (deadline Dec 31 2026)
  • About 30–36 countries expected to sign; treaty effective after 40 ratifications
  • Establishes a 24/7 network for cross-border data requests, extraditions, and asset seizures

Read more at CSO Online, The Record

8. CryptoChameleon Phishing Uses Fake “Legacy Request” About a Death Certificate to Steal LastPass Credentials

Scammers linked to the CryptoChameleon group are sending LastPass users emails spoofing a “legacy request” that claims a death certificate was uploaded to inherit their vault. The messages and follow-up calls urge recipients to cancel the request via a malicious link—harvesting master passwords and passkeys for cryptocurrency theft. LastPass warns it never asks for your master password and has published IOCs and URLs to help defenders block the campaign.

Key Details

  • Subject line: “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)”
  • Link redirects to attacker-controlled lastpassrecovery[.]com phishing site
  • Campaign tied to UNC5356 (CryptoChameleon) and bulletproof host NICENIC
  • New domains target both master passwords and FIDO2/WebAuthn passkeys

Next Steps

  • Reminder to everyone: LastPass never requests master passwords
  • Enforce phishing-resistant MFA or secret-key login for vault access
  • Block listed IOCs and monitor for suspicious “Legacy Request” emails

Read more at CSO Online, LastPass Blog


9. Major DNS Bug in DynamoDB Automation Sparks 14-Hour AWS US-EAST-1 Outage #itsalwaysDNS

Amazon’s post-mortem reveals a latent race condition in DynamoDB’s DNS automation that caused deletion of all IP addresses for the us-east-1 endpoint, triggering cascading DNS failures and a 14-hour global outage.

Key Details

  • A race condition in the DynamoDB DNS management system created an empty DNS record for dynamodb.us-east-1.amazonaws.com at 11:48 PM PDT.
  • All customer and internal AWS services using that public endpoint experienced immediate DNS lookup failures and timeouts.
  • Automated recovery routines failed to correct the empty record, necessitating manual intervention to restore IP entries.
  • AWS disabled the flawed DNS automation globally, added protective checks, tightened throttling, and built new test suites to catch similar bugs.

Next Steps

  • Introduce locking or consensus mechanisms in critical automation workflows.
  • Run manual-override drills for DNS and core service recovery.
  • Remember, it’s always DNS
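The failure mode described above is an automation step winning a race with a stale view of the world and then publishing a record set with no addresses in it. The snippet below is an added illustration of the kind of protective check the post-mortem says AWS added, written as my own model rather than AWS's code: every candidate record set is a "plan" with a generation number, and a plan is refused if it is older than what is already live, if it would leave the endpoint with zero addresses, or if it drops more than a configured fraction of the live addresses in one step. The endpoint name is the one from the post-mortem; the addresses and the race scenario are constructed.

```python
"""Guard a DNS automation step against publishing an empty or stale record set.

Added example, not AWS's code. Models the protective checks described in the
post-mortem: monotonic generations, a non-empty invariant and a removal cap.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Plan:
    endpoint: str
    generation: int           # monotonically increasing; assigned when the plan is built
    addresses: FrozenSet[str]


@dataclass(frozen=True)
class LiveState:
    generation: int
    addresses: FrozenSet[str]


class PlanRejected(Exception):
    """Raised when a plan fails a safety check; nothing is published."""


def validate_plan(plan: Plan, live: LiveState, max_removed_fraction: float = 0.5) -> None:
    # 1. Never publish an empty record set: that is exactly the outage condition.
    if not plan.addresses:
        raise PlanRejected(f"empty record set for {plan.endpoint}")
    # 2. A plan older than (or equal to) the live generation is a late-arriving
    #    racer; applying it would roll the endpoint back to a stale view.
    if plan.generation <= live.generation:
        raise PlanRejected(
            f"stale plan (generation {plan.generation} <= live {live.generation})")
    # 3. Rate-limit how much can disappear at once so a bad plan degrades
    #    capacity instead of removing the endpoint outright.
    removed = live.addresses - plan.addresses
    if live.addresses and len(removed) / len(live.addresses) > max_removed_fraction:
        raise PlanRejected(
            f"plan removes {len(removed)} of {len(live.addresses)} addresses "
            f"(> {max_removed_fraction:.0%})")


def try_apply(plan: Plan, live: LiveState) -> Tuple[LiveState, str]:
    """Apply a plan if it passes validation; otherwise keep the live state unchanged."""
    try:
        validate_plan(plan, live)
    except PlanRejected as exc:
        return live, f"rejected: {exc}"
    return LiveState(plan.generation, plan.addresses), f"applied generation {plan.generation}"


def simulate_race() -> Tuple[LiveState, List[str]]:
    """Two workers race; the slower worker's older plan must not win, and a plan
    that would wipe the endpoint must never be published."""
    endpoint = "dynamodb.us-east-1.amazonaws.com"   # name from the post-mortem
    # Constructed addresses (documentation range), not real endpoint IPs.
    live = LiveState(6, frozenset({"198.51.100.10", "198.51.100.11",
                                   "198.51.100.12", "198.51.100.13"}))
    newer = Plan(endpoint, 8, frozenset({"198.51.100.11", "198.51.100.12",
                                         "198.51.100.13", "198.51.100.14"}))
    older = Plan(endpoint, 7, frozenset({"198.51.100.10", "198.51.100.11",
                                         "198.51.100.12"}))
    wipe = Plan(endpoint, 9, frozenset())
    outcomes: List[str] = []
    for plan in (newer, older, wipe):   # delivery order: the older plan arrives late
        live, reason = try_apply(plan, live)
        outcomes.append(reason)
    return live, outcomes


if __name__ == "__main__":
    final, log = simulate_race()
    for line in log:
        print(line)
    print(f"live generation {final.generation}: {sorted(final.addresses)}")
```

The generation check is only meaningful if the number is assigned from one source of truth (a database sequence, a consensus log) rather than by each worker independently; that is the locking or consensus point in the first next step. The removal cap is the defensive counterpart to the manual-override drill: when a plan trips it, a human looks before anything is published.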

Read more at BleepingComputer, AWS Service Health Post-Mortem


10. Proof-of-Concept “PromptLock” Shows Autonomous AI Ransomware

Security researchers uncovered "PromptLock", the first AI-driven ransomware proof-of-concept that uses large language models to generate unique payloads, choose targets, and craft ransom notes without human intervention.

Key Details

  • PromptLock queries public LLM APIs to analyze file systems and dynamically create Lua scripts.
  • FunkSec group leverages AI to automate malware coding and attack workflows, hitting 120+ organizations.
  • BlackMatter variants adapt encryption algorithms in real time and evade signature-based tools.
  • Average ransomware cost rose 574% over six years to US $5.13 million per incident in 2024.

Read more at Cybersecurity News

