Sunday, Apr 27, 2025 // (IG): BB // GITHUB // SN R&D
North Korean Lazarus Group Sets Up U.S. Shell Companies to Hack Crypto Developers
Bottom Line Up Front (BLUF): North Korean state-backed hackers from the Lazarus Group created fake U.S. companies to pose as crypto employers, luring developers into downloading malware under the guise of job interviews. The operation violated U.S. sanctions and exposed weaknesses in business registration systems.
Analyst Comments: By setting up U.S.-registered shell companies, Lazarus lowered victims' defenses and improved credibility, making it harder to detect malicious intent. Blending legitimate-seeming employment practices with cyber espionage poses a growing threat to industries beyond cryptocurrency, signaling the urgent need for enhanced vetting of corporate entities and job offers.
FROM THE MEDIA: Victims were approached on platforms like LinkedIn and were tricked into installing malware disguised as hiring software. The FBI has seized the Blocknovas domain. Malware in the attacks enabled data theft and remote access, with clear ties to Lazarus Group's known tools. Previous similar operations by Lazarus include the $625 million Ronin Bridge hack in 2021.
READ THE STORY: Crypto Potato
Incubated ML Exploits: Hybrid Attacks Combining Input Handling Bugs and Model Backdoors
Bottom Line Up Front (BLUF): Trail of Bits researcher Sua introduced the concept of incubated ML exploits, a new hybrid class combining input handling vulnerabilities with model backdoors. These attacks exploit ML model serialization and system integration flaws, enabling malicious actors to inject persistent, hard-to-detect backdoors across the ML supply chain.
Analyst Comments: Incubated ML exploits highlight how machine learning models can no longer be treated as standalone components. Instead, attackers target serialization layers, model deployment pipelines, and system interactions. This expands the attack surface dramatically across hardware, compilers, frameworks, and application layers. Organizations must urgently rethink their ML security postures, including robust input validation, trusted model provenance, and hardened ML infrastructure at every stack layer.
FROM THE MEDIA: In a talk by Sua from Trail of Bits, incubated ML exploits were detailed as hybrid chains linking model vulnerabilities (e.g., model backdoors) with system-level flaws (e.g., serialization bugs). Real-world examples included Python pickle RCEs, parser differentials between TorchScript models, and polyglot file attacks against SafeTensors. Exploits showed how attackers could hide malicious models in seemingly benign files or manipulate model weights and architectures during serialization. Sua urged security professionals to bridge the gap between model and system security, warning that complex ML stacks are introducing new and exploitable attack surfaces at every layer. (slides)
READ THE STORY: Security Boulevard
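The SafeTensors polyglot and parser-differential cases above come down to one question: does every byte of the file belong to either the JSON header or a declared tensor? The following validator is an added example written for this digest, not code from the talk or from the safetensors project; it parses the container format (8-byte little-endian header length, JSON header, raw tensor buffer) and rejects any slack where a second file format could hide. The `build_safetensors` writer exists only to construct test input.

```python
"""Added example (not code from the talk or from the safetensors project): a
strict validator for the safetensors container that rejects the slack a polyglot
or parser differential would hide in (header bytes the JSON parser did not
consume, gaps or overlaps between tensors, trailing data after the last one)."""
import json
import struct

DTYPE_SIZE = {"BOOL": 1, "U8": 1, "I8": 1, "F16": 2, "BF16": 2, "I16": 2, "U16": 2,
              "F32": 4, "I32": 4, "U32": 4, "F64": 8, "I64": 8, "U64": 8}
MAX_HEADER = 100 * 1024 * 1024  # refuse absurd header lengths before touching JSON


def validate_safetensors(blob):
    """Return the parsed header if every byte of blob is accounted for; else raise ValueError."""
    if len(blob) < 8:
        raise ValueError("too short for the 8-byte header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER or 8 + n > len(blob):
        raise ValueError("header length out of range")
    # json.loads tolerates only whitespace around the object, so writer padding
    # (spaces) passes while smuggled bytes inside the header region do not.
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    data = blob[8 + n:]
    spans = []
    for name, meta in header.items():
        if name == "__metadata__":
            if not all(isinstance(k, str) and isinstance(v, str) for k, v in meta.items()):
                raise ValueError("__metadata__ must map strings to strings")
            continue
        if meta["dtype"] not in DTYPE_SIZE:
            raise ValueError(f"{name}: unknown dtype {meta['dtype']!r}")
        start, end = meta["data_offsets"]
        size = DTYPE_SIZE[meta["dtype"]]
        for dim in meta["shape"]:
            if not isinstance(dim, int) or dim < 0:
                raise ValueError(f"{name}: bad dimension {dim!r}")
            size *= dim
        if end - start != size:
            raise ValueError(f"{name}: dtype/shape imply {size} bytes, offsets give {end - start}")
        spans.append((start, end, name))
    spans.sort()
    cursor = 0
    for start, end, name in spans:  # tensors must tile the data region exactly
        if start != cursor:
            raise ValueError(f"{name}: gap or overlap at offset {start}, expected {cursor}")
        cursor = end
    if cursor != len(data):
        raise ValueError(f"{len(data) - cursor} trailing bytes after tensor data")
    return header


def build_safetensors(tensors, metadata=None):
    """Constructed writer for test input: {name: (dtype, shape, raw_bytes)} -> blob."""
    header, offset, payload = {}, 0, b""
    if metadata:
        header["__metadata__"] = metadata
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape,
                        "data_offsets": [offset, offset + len(raw)]}
        offset += len(raw)
        payload += raw
    hjson = json.dumps(header).encode("utf-8")
    hjson += b" " * (-len(hjson) % 8)  # pad header to 8-byte boundary as writers do
    return struct.pack("<Q", len(hjson)) + hjson + payload
```

Appending anything to a clean file (the shape of a polyglot) or declaring a shape that does not match its byte range fails the check; a loader that only reads the offsets it is told about would accept both.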
Long Beach, California Cyberattack Exposes Sensitive Data of Nearly 500,000 Residents
Bottom Line Up Front (BLUF): Following a 2023 cyberattack, Long Beach city officials have disclosed that hackers accessed sensitive data belonging to 470,060 individuals. Compromised information includes Social Security numbers, financial data, biometric records, and medical details. The forensic investigation concluded in March 2025, prompting formal breach notifications across multiple U.S. states.
Analyst Comments: The prolonged 15-month investigation highlights the complexity of large-scale municipal cyber breaches and the resource strain they impose. Despite no public ransomware claims or immediate fraud evidence, the exposure of such a broad range of sensitive data significantly elevates risks for identity theft and financial fraud. This incident underscores the critical need for U.S. local governments to modernize cybersecurity infrastructure, enhance breach response capabilities, and implement stricter data minimization practices to mitigate future damages.
FROM THE MEDIA: Although emergency services remained operational during the incident, several government systems were taken offline. Victims are now being offered one year of identity protection services. City officials explained the lengthy investigation by citing the need for an "extensive forensic review and manual document analysis." No ransomware group has claimed responsibility, and authorities have opted not to disclose specific technical details to avoid exposing remaining vulnerabilities.
READ THE STORY: The Record
Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks
Bottom Line Up Front (BLUF): Security researchers have uncovered malicious npm packages that target Linux developers by exploiting the Telegram Bot API to install SSH backdoors. These supply chain attacks compromise developer machines, granting attackers persistent, unauthorized access and enabling data exfiltration.
Analyst Comments: This new wave of npm-based attacks highlights the growing vulnerabilities in open-source ecosystems, where naming confusion and trust in popular libraries are easily exploited. With Linux systems particularly targeted, attackers gain high-value access for lateral movement within organizations. Expect an uptick in attacks leveraging legitimate-looking developer tools. Organizations must immediately bolster supply chain security with real-time dependency scanning and stricter validation practices to protect critical assets.
FROM THE MEDIA: Malicious npm packages such as node-telegram-utils, node-telegram-bots-api, and node-telegram-util have been discovered injecting SSH public keys into .ssh/authorized_keys files on Linux systems. The malware uses Telegram's bot ecosystem to evade detection and communicates with command-and-control infrastructure disguised under the domain solana.validator.blog. Attackers also collect external IP addresses and usernames via ipinfo.io, heightening risks of persistent access and intelligence gathering. Experts recommend developers adopt tools like Socket's GitHub app and CLI to monitor package behavior during installation and integrate multiple layers of security into the development lifecycle.
READ THE STORY: GBhackers
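Two checks a developer can run after an install follow from the behaviour described above: look for install hooks or package sources that reach for SSH key files or the indicators the story names, and compare authorized_keys against the keys you actually issued. This is an added example written for this digest, not Socket's tooling or code from the report; the package name in the constructed sample is borrowed from the story, the key blobs are invented, and the regex carries only the domains and paths quoted above.

```python
"""Added example (not from the article or from Socket): flag installed npm packages
whose install hooks or sources reference SSH key files or the indicators the article
quotes, and list authorized_keys entries whose key is not on an allowlist."""
import json
import os
import re
import tempfile

# Indicators named in the article; a match inside an install hook deserves review.
SUSPICIOUS = re.compile(
    r"authorized_keys|\.ssh[/\\]|api\.telegram\.org|ipinfo\.io|solana\.validator\.blog",
    re.IGNORECASE)
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def scan_node_modules(root):
    """Return [(package, location, snippet)] for each indicator hit under root (node_modules)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            pkg = json.load(fh)
        name = pkg.get("name", os.path.basename(dirpath))
        for hook in LIFECYCLE:  # scripts npm runs automatically at install time
            script = pkg.get("scripts", {}).get(hook, "")
            if SUSPICIOUS.search(script):
                hits.append((name, "scripts." + hook, script))
        for fn in (f for f in files if f.endswith(".js")):  # code those hooks may invoke
            with open(os.path.join(dirpath, fn), encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if SUSPICIOUS.search(line):
                        hits.append((name, f"{fn}:{lineno}", line.strip()))
    return hits


def unexpected_keys(authorized_keys_text, allowlist):
    """Return authorized_keys lines whose base64 blob is not in allowlist (options prefix tolerated)."""
    unexpected = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        blob = next((fields[i + 1] for i, f in enumerate(fields[:-1])
                     if f.startswith(("ssh-", "ecdsa-", "sk-"))), "")
        if blob not in allowlist:
            unexpected.append(line.strip())
    return unexpected


def demo():
    """Both checks on constructed data: a fake package named after the article, one unknown key."""
    with tempfile.TemporaryDirectory() as root:
        pkgdir = os.path.join(root, "node-telegram-utils")
        os.makedirs(pkgdir)
        with open(os.path.join(pkgdir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": "node-telegram-utils",
                       "scripts": {"postinstall": "node setup.js"}}, fh)
        with open(os.path.join(pkgdir, "setup.js"), "w", encoding="utf-8") as fh:
            fh.write("// constructed sample, no real logic\n"
                     "const target = '~/.ssh/authorized_keys';\n")
        hits = scan_node_modules(root)
    known = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyBlobConstructedForDemo"}
    auth = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyBlobConstructedForDemo dev@host\n"
            "no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyBlobConstructedForDemo\n")
    return hits, unexpected_keys(auth, known)
```

Point `scan_node_modules` at a real node_modules directory and feed `unexpected_keys` the contents of ~/.ssh/authorized_keys with the fingerprint blobs your team actually provisioned.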
Marks & Spencer Halts Online Shopping After Cyberattack Disrupts Operations
Bottom Line Up Front (BLUF): British retailer Marks & Spencer (M&S) has paused all online orders following a cyberattack, though in-store shopping remains unaffected. The company has engaged external cybersecurity experts and assured customers that no immediate action is required on their part.
Analyst Comments: While M&S’s swift public communication and decision to suspend transactions likely prevented broader damage, the incident could still impact consumer trust and financial performance. The retail industry must continue investing in resilience strategies, especially ahead of high-traffic periods.
FROM THE MEDIA: Marks & Spencer temporarily suspended online shopping across its websites and apps after managing a cyber incident over the prior few days. Customers can still browse products online, but purchases are paused while the company works to restore full functionality. M&S emphasized there was no need for customers to take action and pledged to issue updates as needed. The retailer’s share price fell nearly 5% on Friday and over 6% weekly. With over 1,400 stores globally and £6.48 billion in revenue for the first half of 2024, the cyberattack presents a significant disruption for the iconic British brand.
READ THE STORY: The Record
Albedo Raises $100 Million to Expand Ultra-High-Resolution Satellite Surveillance
Bottom Line Up Front (BLUF): Albedo, a Colorado-based satellite imaging startup capable of tracking individuals from space, is raising nearly $100 million at a $285 million pre-money valuation. The company’s ultra-high-resolution satellites — already contracted by the U.S. Air Force — are poised to reshape the surveillance landscape, prompting new privacy concerns.
Analyst Comments: Its ability to capture near-ground-level detail from orbit could open new intelligence-gathering avenues for governments while simultaneously escalating fears of mass surveillance abuses. Regulatory scrutiny and ethical debates over the limits of commercial satellite imagery will likely intensify as firms like Albedo proliferate. Organizations should prepare for a future where real-time orbital monitoring is a routine part of security and privacy threat modeling.
FROM THE MEDIA: The company recently launched its first satellite, Clarity-1, and signed a $12 million contract with the U.S. Air Force. Albedo, founded by ex-Lockheed Martin and Facebook engineers, claims its satellites offer the highest commercially available resolution for sectors including defense, energy, insurance, and agriculture. Critics, including the Electronic Frontier Foundation, warn that such imagery could allow governments to track individuals without consent, although Albedo insists its technology cannot identify specific persons.
READ THE STORY: AOL
Two Major AI Jailbreaks Expose Systemic Security Flaws Across Leading Generative AI Models
Bottom Line Up Front (BLUF): Researchers have uncovered two powerful jailbreak techniques that bypass safety measures in popular generative AI models from OpenAI, Google, Microsoft, Anthropic, and others. These vulnerabilities allow attackers to manipulate AI systems into producing restricted or harmful content, signaling a widespread weakness in current safety frameworks.
Analyst Comments: As AI adoption grows in critical sectors, vulnerabilities like these could be weaponized for cybercrime, misinformation, and social engineering attacks. Developers must rethink AI safety architectures, adopting dynamic and context-aware defense models instead of relying on static filters alone.
FROM THE MEDIA: Two new jailbreaks, “Inception” and a context-switching attack, can trick generative AI models into bypassing their safety rules, according to a report from GBHackers on Security. The Inception technique uses nested fictional prompts to confuse AI safety systems, while the second method alternates safe and unsafe queries to manipulate the AI’s internal context tracking. Platforms impacted include ChatGPT, Claude, Gemini, Copilot, and others. Although classified as "low severity" individually, the vulnerabilities’ cross-platform nature elevates the risk significantly. Affected vendors have issued updates, but experts warn that deeper security innovations are urgently needed to protect against emerging AI exploitation strategies.
READ THE STORY: GBhackers
U.S.-China Trade Tensions Trigger Sharp Decline in Cargo Shipments
Bottom Line Up Front (BLUF): Shipments from China to the United States are plunging due to newly intensified tariffs imposed by the Trump administration. Port authorities, freight companies, and retailers report dramatic drops in cargo volumes, with supply chains rapidly shifting toward Southeast Asia to mitigate the impact.
Analyst Comments: The accelerating collapse of cargo flows from China signals a deepening rupture in global supply chains that could cause supply shocks, price spikes, and long-term operational shifts. Retailers and manufacturers are already scrambling to diversify sourcing strategies, but the disruption could worsen if geopolitical tensions escalate further. Companies with dependencies on Chinese manufacturing face heightened risk in the coming quarters.
FROM THE MEDIA: At the Port of Los Angeles, Executive Director Gene Seroka forecast a 35% drop in import volumes within two weeks. Freight forwarders like Flexport noted a 60% decline in bookings from China, with many retailers abruptly shifting production to Vietnam, Malaysia, and Cambodia. Analysts project freight demand from China to West Coast ports could plunge 28% next week, with East Coast ports facing a 42% drop the following week. Although a potential easing of tariffs remains under discussion, freight executives warn that any resolution could unleash a chaotic cargo surge and skyrocketing shipping rates.
READ THE STORY: WSJ
Satellite 'Dogfighting': China’s Space Maneuvers Alarm U.S. Military Planners
Bottom Line Up Front (BLUF): The U.S. Space Force has warned that China is actively developing and practicing "dogfighting" tactics, maneuvering satellites aggressively in orbit to simulate attacks. This capability, alongside China's jamming, dazzling, and kinetic attack options, raises serious risks to U.S. military and civilian satellite networks, particularly GPS and communications systems critical to national security.
Analyst Comments: China’s escalation of counterspace capabilities signals a major shift in the strategic environment of orbital operations. The ability to maneuver satellites for direct engagement introduces new threats beyond traditional missile-based anti-satellite (ASAT) warfare. If left unchecked, this could expose U.S. and allied forces to devastating operational paralysis during a conflict. As the capability gap narrows, urgent investments in space resilience, active defenses, and potential offensive options are critical for the U.S. to maintain its advantage and deter hostile actions in space.
FROM THE MEDIA: Testifying before Congress in March 2025, U.S. Space Force Vice Chief Gen. Michael Guetlein revealed that American surveillance observed Chinese satellites conducting complex maneuvering exercises — described as "dogfighting" — involving five objects operating in close synchronization. China’s military doctrine appears focused on developing technologies to jam, blind, or capture enemy satellites rather than purely destroy them, minimizing space debris while crippling adversary capabilities. The 2007 Chinese ASAT missile test remains a stark reminder of Beijing’s kinetic capabilities, but future tactics may prioritize reversible effects. Guetlein emphasized that the Space Force must accelerate investments in deterrence and defense to confront an increasingly contested and congested orbital environment.
READ THE STORY: 1945
ToyMaker IAB Deploys LAGTOY Malware to Facilitate CACTUS Ransomware Double Extortion Attacks
Bottom Line Up Front (BLUF): Researchers from Cisco Talos have uncovered that the threat actor "ToyMaker" uses a custom malware called LAGTOY to breach systems and sell access to ransomware groups like CACTUS. This initial access broker (IAB) strategy highlights an evolving ecosystem where ransomware operations leverage specialized partners to expedite attacks.
Analyst Comments: The activity attributed to ToyMaker reinforces the critical need for organizations to monitor for early-stage compromises such as credential harvesting and memory scraping. The efficient transfer of compromised access to ransomware groups signals a maturing cybercriminal supply chain. Organizations must prioritize rapid detection of lateral movement and credential theft to interrupt these handoffs before full ransomware deployment occurs.
FROM THE MEDIA: LAGTOY connects to a command-and-control (C2) server, executes commands, and supports privilege escalation through user-specific processes. Once access is secured, ToyMaker sells it to ransomware affiliates like CACTUS, who then perform reconnaissance, establish additional persistence through SSH and remote access tools like AnyDesk, and execute double extortion attacks. Researchers noted ToyMaker’s lack of data exfiltration, suggesting purely financial motives rather than espionage.
READ THE STORY: THN
SpaceX Challenges AST SpaceMobile's Next-Gen Satellite Plans Over Orbital Safety Concerns
Bottom Line Up Front (BLUF): SpaceX is urging the FCC to scrutinize AST SpaceMobile’s request for an experimental license to test its next-generation FM-1 satellite, citing concerns about the spacecraft’s large size and potential risks to orbital safety. The dispute highlights rising tensions between satellite providers as competition for low-Earth orbit space and telecommunications dominance intensifies.
Analyst Comments: Larger satellites like AST’s FM-1, with its 223 square meter footprint, could exacerbate congestion and collision risks if not adequately regulated. With AST pushing for rapid deployment to satisfy partners like AT&T and Verizon, regulatory bodies like the FCC will increasingly face high-stakes decisions balancing innovation against safety and sustainability in orbit.
FROM THE MEDIA: SpaceX asked the FCC to ensure that AST SpaceMobile’s "enormous experimental satellites" comply with operational safety standards. AST’s FM-1 satellite is roughly three times the size of its earlier BlueBird models, and the company hopes to test it soon to meet carrier demands for satellite-to-smartphone connectivity starting next year. SpaceX warned that inadequately vetted large satellites could pose orbital debris hazards and disrupt existing operations, as both companies race to expand their space-based communication networks.
READ THE STORY: MSN
FBI Seeks Public Help to Investigate PRC-Linked 'Salt Typhoon' Cyber Campaign
Bottom Line Up Front (BLUF): The FBI has issued a public alert through its Internet Crime Complaint Center (IC3) requesting assistance in investigating ‘Salt Typhoon,’ a Chinese government-linked cyber operation targeting U.S. telecommunications firms. The campaign involved data theft, including call records and private communications, raising urgent national security concerns.
Analyst Comments: The Salt Typhoon investigation highlights the persistent vulnerabilities in critical infrastructure, particularly in telecommunications networks. The campaign's broad scope—spanning from call data theft to unauthorized access to law enforcement communications—underscores the sophisticated threat posed by PRC-backed cyber actors. Growing political pressure on federal agencies to release more information about such intrusions suggests an escalating demand for transparency and stronger defensive measures against nation-state threats.
FROM THE MEDIA: The FBI’s investigation uncovered that Salt Typhoon actors exploited telecom network access to steal sensitive information globally, including in the U.S. The FBI’s IC3 platform issued a call for information about individuals involved in the operation, while the State Department’s Rewards for Justice program offered up to $10 million for actionable intelligence. Salt Typhoon activity was publicly flagged in late 2024 alongside guidance to bolster telecom defenses. Political leaders increasingly press agencies like CISA for more disclosure, citing national security concerns amid the PRC's expanding cyber espionage campaigns.
READ THE STORY: Industrial Cyber
SAP Zero-Day Vulnerability Under Widespread Active Exploitation
Bottom Line Up Front (BLUF): A critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver's Visual Composer component is being actively exploited in the wild. The flaw, rated CVSS 10.0, allows unauthenticated remote attackers to upload files and achieve full system compromise. Security researchers and the FBI urge immediate patching, as initial access brokers are reportedly using it to plant web shell backdoors across industries.
Analyst Comments: The exploitation of CVE-2025-31324 poses an urgent risk to thousands of SAP installations worldwide. Given SAP's vast footprint in private companies and government agencies, attackers leveraging this vulnerability could sell access to ransomware gangs or espionage groups. The speed and scale of observed exploitation suggest significant supply chain risks, and defenders must act immediately to patch systems and audit for signs of compromise. If the web shells already planted are discovered and reused by multiple threat actors, opportunistic ransomware attacks could spike rapidly.
FROM THE MEDIA: SAP issued an emergency patch Thursday after cybersecurity firms ReliaQuest and watchTowr confirmed active exploitation of the SAP NetWeaver zero-day. watchTowr CEO Benjamin Harris warned that threat actors use the vulnerability to drop web shells onto exposed systems, enabling remote code execution. Internet scans estimate that around 10,000 SAP instances could be vulnerable. Although SAP Visual Composer is not installed by default, it is broadly enabled in practice, amplifying the risk. Researchers believe initial access brokers are behind the exploitation, aiming to resell access to ransomware affiliates. Experts urge SAP customers to patch immediately, warning that attacks could escalate rapidly now that details are public.
READ THE STORY: CyberScoop
Items of interest
Zyrex: AI-Powered 20-Foot Construction Robots Set to Transform the Building Industry
Bottom Line Up Front (BLUF): RIC Robotics has announced plans for Zyrex, a 20-foot tall AI-powered construction robot capable of welding, carpentry, and 3D printing. The company aims to address labor shortages and safety concerns in the U.S. construction sector, with human-assisted controls initially and full autonomy expected over time.
Analyst Comments: The rise of AI-driven heavy machinery like Zyrex signals a significant disruption in traditional labor markets, especially in sectors already facing skilled labor shortages. While such advancements can enhance efficiency and safety, they also introduce cybersecurity and operational risks associated with autonomous systems. As Zyrex evolves toward full autonomy, ensuring its cyber resilience and ethical operation will become a critical focus for regulators and industry stakeholders.
FROM THE MEDIA: Zyrex, developed by RIC Robotics, is designed with cognitive capabilities and equipped with LiDAR and Vision-Language-Action AI models to navigate dynamic construction environments. The robot will initially be controlled via VR simulators while learning from real-world job sites, aiming for autonomous operation. Zyrex builds on earlier projects like the RIC-M1 Pro, which 3D-printed Walmart warehouse extensions ahead of schedule. Targeted at solving labor shortages and reducing jobsite fatalities, Zyrex is expected to be commercially available with leasing options under $20,000 per month.
READ THE STORY: The Register
These robot excavators are making workers more money (Video)
FROM THE MEDIA: The technology, developed by Built Robotics, enables machinery to work safely and efficiently within a designated “geofence.” Robots perform tasks, such as digging perfectly straight trenches, while human operators supervise and handle other responsibilities.
This bricklaying robot could build 100 to 300 homes a year (Video)
FROM THE MEDIA: The Hadrian X bricklaying robot made by Fastbrick Robotics has broken its speed record, laying 200 bricks in just one hour. We compare the Hadrian X with the first commercially available bricklaying robot, the SAM100, made by Construction Robotics.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.