Not a huge week, but I think that’s actually a good thing. However, Black Hat Europe is just a few weeks away, so I am guessing we are going to get some very interesting things in the next few weeks. If you’re an EU citizen, definitely check out the omnibus thing: the first version is out and maybe it’s time to share your thoughts with your local politicians …

P.S. What do you think if there was also a ~10 minute audio version of this summary? Would it be useful? Let me know at jaana@kordon.app or on LinkedIn

P.P.S. You can also get this weekly summary of interesting cybersecurity news in your inbox every Monday. Scroll to the bottom to subscribe.

1. Civil Society Warns EU Digital Omnibus Will Roll Back GDPR and AI Protections

A coalition of 127 civil society groups and trade unions has condemned the European Commission’s upcoming Digital Omnibus package for weakening core GDPR, ePrivacy, Data Act, and AI Act safeguards, expanding cookie tracking and AI data processing while reducing consent and oversight. 

Key Details

  • 127 groups, including EDRi, Access Now, CDT Europe and noyb, signed an open letter
  • Proposal shifts cookies from opt-in consent to opt-out via a “low-risk” list
  • GDPR scope narrowed to “directly revealed” data, excluding inferred/pseudonymous data
  • AI training allowed under “legitimate interests”; public developer registry removed

Read more at The Record, Regulation Draft


2. NPM Registry Flooded with 150,000 Packages in Token Farming Supply Chain Attack

Amazon researchers identified over 150,000 auto-generated NPM packages exploiting the tea.xyz reward protocol by inflating download metrics through circular dependency chains. tea.xyz is a blockchain-based system designed to reward developers for open source contributions. Although the packages contain no overt malware, they pollute the registry, strain infrastructure resources, and pose a significant supply-chain integrity risk for development teams.

Key Details

  • Detection began Oct 24 using a new Amazon Inspector rule augmented with AI to flag suspicious package patterns.
  • Collaborating with OpenSSF, researchers assigned malicious package identifiers (MAL-IDs) to 150,000+ packages by Nov 8.
  • Attackers weaponized npm’s package.json scripts and circular dependency chains to self-replicate on install.
  • Each package included a tea.yaml linking to blockchain wallet addresses for TEA token rewards.
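
As an added example (not code from the AWS researchers or from this page), a small Python audit that applies the indicators listed above to a constructed slice of registry metadata: it builds a dependency graph from each package.json, finds packages sitting on a circular dependency chain, and notes a tea.yaml and any install-time script. The package names, the registry slice and the two-indicator threshold are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed slice of registry metadata: name -> (package.json as dict, tea.yaml present?)
SAMPLE_REGISTRY: Dict[str, Tuple[dict, bool]] = {
    "farm-a": ({"dependencies": {"farm-b": "^1.0.0"},
                "scripts": {"postinstall": "node spawn.js"}}, True),
    "farm-b": ({"dependencies": {"farm-c": "^1.0.0"}}, True),
    "farm-c": ({"dependencies": {"farm-a": "^1.0.0"}}, True),
    "honest-lib": ({"dependencies": {"lodash": "^4.17.21"}}, False),
}

# npm lifecycle hooks that run automatically on install
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def packages_in_cycles(graph: Dict[str, Set[str]]) -> Set[str]:
    """Return every package that can reach itself by following dependencies."""
    cyclic = set()
    for start in graph:
        stack, seen = [start], {start}
        while stack:
            node = stack.pop()
            for dep in graph.get(node, ()):  # unknown deps are leaves
                if dep == start:
                    cyclic.add(start)
                elif dep not in seen:
                    seen.add(dep)
                    stack.append(dep)
    return cyclic


def indicators(name: str, pkg: dict, has_tea_yaml: bool, cyclic: Set[str]) -> List[str]:
    """Collect the token-farming indicators from the report that apply to one package."""
    found = []
    if name in cyclic:
        found.append("circular dependency chain")
    if has_tea_yaml:
        found.append("tea.yaml present")
    if any(hook in pkg.get("scripts", {}) for hook in INSTALL_HOOKS):
        found.append("install-time script")
    return found


def audit(registry: Dict[str, Tuple[dict, bool]]) -> Dict[str, List[str]]:
    """Map each package name to the indicators found for it."""
    graph = {name: set(pkg.get("dependencies", {})) for name, (pkg, _) in registry.items()}
    cyclic = packages_in_cycles(graph)
    return {name: indicators(name, pkg, tea, cyclic) for name, (pkg, tea) in registry.items()}


def suspicious(registry: Dict[str, Tuple[dict, bool]], min_indicators: int = 2) -> List[str]:
    """Packages worth a human look: two or more indicators (assumed threshold)."""
    return sorted(name for name, found in audit(registry).items() if len(found) >= min_indicators)
```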

Read more at Dark Reading, AWS Security Blog


3. Malet Dataset and Katalina Tool Unveil Overlooked macOS Malware Threats

At Black Hat Europe, researchers Obinna Igbe and Godwin Attigah will release Malet—a public dataset of over 48,000 malicious and 22,000 benign macOS binaries—and Katalina, an open-source, platform-agnostic static analysis tool. Malet will be the largest public dataset of macOS malware to date. Katalina is a new, open-source, high-performance static analysis tool capable of processing thousands of binaries per minute on commodity hardware.

Key Details

  • Malet catalogs 48,400 malicious and 22,907 benign Mach-O executables.
  • 96.1% of malicious samples lack valid code signatures, undermining Apple’s enforcement model.

Read more at Dark Reading


4. Five Plead Guilty to Enabling North Korean IT Worker Infiltration; DOJ Forfeits $15 M in Crypto

The DOJ announced guilty pleas from five individuals who provided stolen or personal U.S. identities and “laptop farms” to North Korean IT workers, allowing them to land jobs at 136 U.S. firms and generate over $2.2 million for the DPRK regime. In parallel civil complaints, the FBI seized more than $15 million in cryptocurrency tied to APT38’s 2023 heists.

Key Details

  • Audricus Phagnasay, Jason Salazar and Alexander Travis each lent their real identities and hosted remote-access laptops, facilitating $1.28 M in illicit salaries.
  • Oleksandr Didenko stole and sold U.S. citizen identities to North Korean operators for placement at 40 U.S. companies; forfeited $1.4 M.
  • Erick Prince’s Taggcar Inc. laundered identities and ran a Florida laptop farm, earning ~$89,000 by placing workers at 64 firms.
  • Seized crypto originates from four major 2023 breaches: Estonia ($37 M), Panama ($100 M + $138 M) and Seychelles ($107 M).

Next Steps

  • Enforce hardware-based MFA for all remote IT contractors
  • Audit and restrict off-site hosting of corporate devices
  • Consider face-to-face interviews even for overseas applicants

Read more at U.S. Department of Justice, The Record


5. Quantum Route Redirect Enables One-Click Phishing Campaigns Targeting Microsoft 365

A new phishing tool called Quantum Route Redirect streamlines Microsoft 365 credential theft into a one-click operation while evading email and web security controls.  

Researchers from KnowBe4 have observed over 1,000 domains hosting the tool since August, with successful attacks in 90 countries.

Key Details

  • Approximately 1,000 domains currently host Quantum Route Redirect, active since August.
  • Campaigns have compromised users in 90 countries; 76% of victims are in the United States.
  • Pre-packaged templates impersonate DocuSign, payroll notices, payment alerts, voicemails and QR-code links.
  • Intelligent redirects detect security scanners versus humans, routing scanners to safe sites and real users to phishing pages.

Next Steps

  • Enable time-of-click URL analysis in email security and WAF solutions
  • Implement sandboxing for inbox attachments and embedded links

Read more at KnowBe4 Blog, Dark Reading


6. DPRK Hackers Use JSON Storage Services to Covertly Deliver BeaverTail Malware via Trojanized Code

North Korean "Contagious Interview" actors now host obfuscated payloads on legitimate services like JSON Keeper, JSONsilo and npoint.io, embedding links in Base64-encoded config files within trojanized GitHub/GitLab demo projects. When developers run these Node.js projects, they pull the BeaverTail infostealer and InvisibleFerret Python backdoor—augmented by TsunamiKit from Pastebin—exfiltrating crypto-wallet data and system information while blending in with legitimate traffic.

Key Details

  • Config file “server/config/.config.env” holds a Base64 “API key” that decodes to a JSON service URL.
  • Obfuscated JavaScript fetched via Node.js deploys BeaverTail to steal wallet info and system data.
  • BeaverTail drops InvisibleFerret backdoor; campaign now also fetches TsunamiKit from Pastebin.
  • Attackers use LinkedIn social engineering—posing as recruiters—to lure developers since 2023.

Next Steps

  • Inspect any unsolicited code repos for Base64-encoded URLs or fake “API keys.”
  • Monitor Node.js processes for outbound calls to JSON Keeper, JSONsilo and npoint.io.
  • Block or closely log traffic to public JSON storage services at the network perimeter.

Read more at The Hacker News, NVISO Labs


7. SilentButDeadly Tool Cuts Off EDR and AV Cloud Connectivity

SilentButDeadly is an open-source utility that uses the Windows Filtering Platform to temporarily block outbound telemetry and inbound commands for EDR and antivirus agents without terminating processes. 

Key Details

  • Implements bidirectional WFP filters at ALE connect/recv layers with high-priority weights.
  • Automatically cleans up dynamic sessions flagged with FWPM_SESSION_FLAG_DYNAMIC unless “--persistent” is used.
  • Targets common EDR processes: SentinelOne’s SentinelAgent.exe, Defender’s MsMpEng.exe and MsSense.exe.
  • Requires administrator privileges; leaves local detection intact while severing cloud telemetry.
  • Detection vectors include WFP event logs (IDs 5441, 5157) and service startup type changes.

Next Steps

  • Monitor WFP logs for unexpected ALE filter additions.
  • Validate EDR resilience by simulating cloud connectivity loss.
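
As an added example (not code from the tool's author or from this page), Python triage logic for the first item above, run over constructed Security-log records: it keeps only event 5157 (WFP blocked a connection), reduces the Application device path to a binary name, and counts blocks per EDR binary, direction and filter id so that one filter repeatedly silencing an agent stands out. The records, field subset and alert threshold are constructed assumptions; 5157 is only written when failure auditing for Filtering Platform Connection is enabled.

```python
from collections import Counter
from typing import Dict, List, Tuple

# EDR/AV agent binaries named in the report (lower-cased basenames)
EDR_BINARIES = {"sentinelagent.exe", "msmpeng.exe", "mssense.exe"}

# Constructed sample records, reduced to the EventData fields this check uses
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 5157, "Application": r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe",
     "Direction": "Outbound", "DestAddress": "203.0.113.10", "DestPort": 443, "FilterRTID": 70001},
    {"EventID": 5157, "Application": r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe",
     "Direction": "Outbound", "DestAddress": "203.0.113.11", "DestPort": 443, "FilterRTID": 70001},
    {"EventID": 5157, "Application": r"\device\harddiskvolume3\windows\system32\svchost.exe",
     "Direction": "Inbound", "DestAddress": "192.0.2.5", "DestPort": 135, "FilterRTID": 68012},
    {"EventID": 5156, "Application": r"\device\harddiskvolume3\program files\windows defender\msmpeng.exe",
     "Direction": "Outbound", "DestAddress": "203.0.113.10", "DestPort": 443, "FilterRTID": 0},
]

Key = Tuple[str, str, int]


def basename(device_path: str) -> str:
    """Last path component of a \\device\\... path, lower-cased for matching."""
    return device_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def blocked_edr_connections(events: List[Dict]) -> Counter:
    """Count WFP blocks (event 5157) hitting EDR agents, keyed by binary, direction, filter id."""
    hits: Counter = Counter()
    for ev in events:
        if ev.get("EventID") != 5157:  # 5156 = permitted, not interesting here
            continue
        name = basename(ev.get("Application", ""))
        if name in EDR_BINARIES:
            hits[(name, ev.get("Direction", ""), int(ev.get("FilterRTID", 0)))] += 1
    return hits


def alerts(events: List[Dict], threshold: int = 2) -> List[Key]:
    """Keys with at least `threshold` blocks; the same FilterRTID recurring points at one filter."""
    return [key for key, n in blocked_edr_connections(events).items() if n >= threshold]
```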

Read more at CybersecurityNews.com



Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.
