Weekly Summary: Zero-Day Vulnerabilities, Developer Malware Threats, IoT Botnet Developments, and AI-Driven Fraud Techniques


What do a source code editor, a smart billboard, and a web server have in common? These elements have all become potential entry points for attacks as cybercriminals redefine what constitutes critical infrastructure. Rather than focusing exclusively on high-value targets, threat actors are systematically exploiting overlooked vulnerabilities such as outdated software, unpatched IoT devices, and unreported open-source packages. This shift in strategy not only reflects ingenuity but also transforms the landscape of intrusion, persistence, and evasion tactics at scale.

⚡ Threat of the Week

5Socks Proxy Utilizing IoT and EoL Systems Neutralized in Multi-National Operation — A collaborative effort between Dutch and U.S. law enforcement agencies successfully dismantled a criminal proxy network, referred to as anyproxy[.]net and 5socks[.]net. This network leveraged thousands of compromised Internet of Things (IoT) and end-of-life (EoL) devices, integrating them into a botnet to provide anonymity to malicious actors. Active since 2004, the platform promoted over 7,000 online proxies daily, primarily deriving infected devices from the U.S., Canada, and Ecuador. The operation mainly targeted IoT devices vulnerable to established security flaws to deploy the malware known as TheMoon. This development is part of a broader enforcement initiative, which also recently led to the shutdown of major platforms involved in cryptocurrency laundering and DDoS-for-hire operations.

🔔 Top News

COLDRIVER Engages ClickFix to Spread LOSTKEYS Malware — A Russian cyber threat actor identified as COLDRIVER has been observed deploying a new malware dubbed LOSTKEYS as part of an espionage campaign utilizing ClickFix social engineering lures. Detected sporadically in early 2025, this campaign targeted current and former officials of Western governments and military establishments, as well as journalists and NGOs connected to Ukraine. LOSTKEYS is engineered to extract files with prioritized extensions and directories, transmitting system data back to the assailant.

Play Ransomware Exploits CVE-2025-29824 as Zero-Day — Actors associated with the Play ransomware strain successfully exploited a freshly patched security vulnerability in Microsoft Windows, identified as CVE-2025-29824, within an attack aimed at an unidentified U.S. organization. Although no ransomware was deployed, the operation utilized Grixba, a known information stealer operated by the Play ransomware network.

NSO Group Ordered to Compensate WhatsApp — A U.S. federal jury has mandated that the Israeli company NSO Group pay approximately $168 million to Meta, the parent of WhatsApp, following a ruling that determined NSO violated U.S. laws by utilizing WhatsApp servers to deploy the controversial Pegasus spyware against more than 1,400 individuals globally.

Three Malicious npm Packages Target Cursor Users — The npm registry has flagged three malicious packages—sw-cur, sw-cur1, and aiide-cur—designed to compromise the macOS version of Cursor, a popular AI-driven source code editor. These packages masqueraded as legitimate offerings while embedding malicious code capable of altering necessary files associated with the software to execute arbitrary commands on the compromised systems.

SysAid Addresses Four Critical Vulnerabilities — Multiple security flaws within the on-premise version of SysAid IT support software enable potential pre-authenticated remote code execution with elevated privileges. The vulnerabilities have been assigned CVE-2025-2775 through CVE-2025-2778 and were remedied in the software's latest version.

Threat Actors Exploit Samsung MagicINFO and GeoVision IoT Vulnerabilities — Cybercriminals are exploiting security gaps in end-of-life GeoVision IoT devices and an unpatched flaw in Samsung MagicINFO 9 Server, incorporating these assets into a variant of the Mirai botnet for DDoS attacks. Users are urged to upgrade their devices and sever any public internet connections related to the Samsung system.

Department of Justice Charges Individual in Black Kingdom Ransomware Deployment — The U.S. Department of Justice has charged Rami Khaled Ahmed, a 36-year-old Yemeni national, for allegedly deploying the Black Kingdom ransomware against numerous global targets, leveraging a known vulnerability in Microsoft Exchange Server.

Return of Golden Chickens with TerraStealerV2 and TerraLogger Malware — The cybercriminal group Golden Chickens has resurfaced with enhanced tools to capture user credentials, cryptocurrency wallet information, browser extensions, and keystrokes utilizing a new malware-as-a-service model.

🔥 Trending CVEs

Every week brings fresh vulnerabilities, and each one is a potential opening for exploitation. Here are this week's critical vulnerabilities that warrant immediate attention and remediation. Some key identifiers include CVE-2025-32819, CVE-2025-32820, CVE-2025-32821 (SonicWall), CVE-2025-20188 (Cisco IOS XE Wireless Controller), and multiple others from various platforms that necessitate prompt application of patches.

📰 Around the Cyber World

– The Bluetooth Special Interest Group has announced the release of Bluetooth 6.1, featuring enhanced device privacy through Resolvable Private Addresses (RPA), making tracking by third parties more challenging.

– Reports indicate an increase in AI-generated fake vulnerability submissions affecting bug bounty programs, presenting significant obstacles for legitimate researchers.

– A new information stealer called AgeoStealer has been detected masquerading as a video game to lure users into installation, with capabilities for identity theft and corporate espionage.

– South Korea’s Personal Information Protection Commission has accused the AI service DeepSeek of unlawfully transferring user data to U.S. and Chinese entities.

– Iranian threat actors have been reported impersonating a German modeling agency for targeted attacks through malware-laden JavaScript.

🔒 Tip of the Week

Prevent AI Bots from Scraping Your Content — With AI companies silently indexing websites to gather content for model training, it’s crucial to safeguard your original material. Incorporating a simple robots.txt file rule can instruct known AI crawlers to refrain from indexing your site, providing a preliminary layer of protection against unauthorized content extraction.
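A way to verify such a rule set before deploying it, written here as an added example rather than code from the article: it parses a constructed robots.txt in memory and reports which of the crawler user-agent tokens their operators publish (GPTBot, ClaudeBot, CCBot, Google-Extended) would still be admitted.

```python
"""Check whether a robots.txt rule set blocks known AI training crawlers.

Added example, not code from the article. The crawler tokens are the
user-agent names their operators publish; the robots.txt text is a
constructed sample. robots.txt is advisory: a crawler must choose to
honour it, so treat this as a first layer, not an enforcement control.
"""
from urllib.robotparser import RobotFileParser

# User-agent tokens of crawlers that document training-data collection.
AI_CRAWLERS = ["GPTBot", "ClaudeBot", "CCBot", "Google-Extended"]

# Constructed sample: block the AI crawlers site-wide, leave ordinary
# search indexing untouched.
SAMPLE_ROBOTS_TXT = """\
User-agent: GPTBot
Disallow: /

User-agent: ClaudeBot
Disallow: /

User-agent: CCBot
Disallow: /

User-agent: Google-Extended
Disallow: /

User-agent: *
Allow: /
"""

def parse_robots(text: str) -> RobotFileParser:
    """Parse robots.txt content in memory, without any network fetch."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp

def ai_crawler_access(text: str, url: str = "https://example.com/post") -> dict:
    """Map each AI crawler to whether the rules let it fetch `url`."""
    rp = parse_robots(text)
    return {ua: rp.can_fetch(ua, url) for ua in AI_CRAWLERS}

def unblocked_ai_crawlers(text: str, url: str = "https://example.com/post") -> list:
    """AI crawlers the rule set still admits; an empty list means all are blocked."""
    return [ua for ua, ok in ai_crawler_access(text, url).items() if ok]

if __name__ == "__main__":
    for ua, ok in ai_crawler_access(SAMPLE_ROBOTS_TXT).items():
        print(f"{ua:16} {'ALLOWED' if ok else 'blocked'}")
```

Crawlers that ignore robots.txt are unaffected by it, so pair the file with server-side controls such as user-agent filtering or rate limiting at the web server or CDN.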

Conclusion

The developments of this week highlight an essential truth: cyber risks extend beyond mere technical issues to encompass business, legal, and reputational ramifications. As incidents increasingly escalate, security decisions reflect leadership choices. Organizations that recognize this imperative and act decisively will be positioned favorably when future breaches occur.