Tuesday, Aug 12, 2025 // (IG): BB // GITHUB // SN R&D
Insider Leak Exposes Full Arsenal of North Korean Kimsuky APT, Including Backdoors, Phishing Kits, and Stolen Certificates
Bottom Line Up Front (BLUF): A 34,000-page leak allegedly from insiders has exposed the internal toolkits, infrastructure, and source code of North Korea’s Kimsuky APT group. The dump includes live phishing platforms, kernel-level backdoors, custom Cobalt Strike beacons, and stolen South Korean government PKI certificates. The breach offers unprecedented insight into Kimsuky’s tradecraft and persistent access methods against high-value South Korean government targets.
Analyst Comments: If authentic, this leak is one of the most damaging public exposures of a state-sponsored APT’s tooling to date, potentially crippling active Kimsuky operations. Disclosing live infrastructure, unrevoked certificates, and hardcoded access mechanisms could allow defenders to proactively block, patch, and hunt for compromise indicators worldwide. However, given the sophistication of North Korean cyber programs, replacement tooling may emerge quickly, and attribution to “insiders” raises counterintelligence considerations — the leak could be part of a strategic deception or intra-APT conflict.
FROM THE MEDIA: The toolkit included config files blacklisting security vendor IPs, a Tomcat kernel LKM backdoor activated via a secret TCP sequence, and a hardcoded master password. Also recovered was a private Java-based Cobalt Strike beacon configured for HTTP C2 over port 8172, with recent development activity logged in June 2024. The data dump included stolen Government Public Key Infrastructure certificates, cracked Java utilities for certificate handling, and the complete source code for South Korea’s Ministry of Foreign Affairs email server. Brute-force logs showed attempts against unification.go.kr and spo.go.kr, while an SSO tool (“onnara_sso”) indicated persistent access to internal government portals. Security experts urge immediate certificate revocation, network monitoring for anomalous TCP/IP “knocks,” and codebase reviews to identify reused malware components.
READ THE STORY: CSN
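The story closes with experts urging network monitoring for anomalous TCP "knocks" that could activate a kernel backdoor of the kind described above. The following detection sketch, added here and not part of the original article or of any leaked tooling, shows one way to hunt for that pattern over firewall or flow logs: a single source sending a burst of SYNs to several ports where no service listens on one host, followed shortly by a connection to a real service port. The log lines, the set of legitimately listening ports, the window and the knock threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log lines (assumption: "timestamp src dst dport tcp_flags").
# 198.51.100.9 knocks three unused ports within seconds, then connects to SSH.
SAMPLE_LOG = """\
2025-08-11T10:00:01 203.0.113.7 10.0.0.5 443 S
2025-08-11T10:00:02 203.0.113.7 10.0.0.5 443 S
2025-08-11T10:03:10 198.51.100.9 10.0.0.5 7001 S
2025-08-11T10:03:11 198.51.100.9 10.0.0.5 8002 S
2025-08-11T10:03:12 198.51.100.9 10.0.0.5 9003 S
2025-08-11T10:03:14 198.51.100.9 10.0.0.5 22 S
2025-08-11T10:05:00 192.0.2.4 10.0.0.5 80 S
"""

# Assumption: ports on which the monitored host legitimately listens.
KNOWN_SERVICE_PORTS = {22, 80, 443}
WINDOW = timedelta(seconds=10)      # knocks must fall inside this window
MIN_KNOCKS = 3                      # fewer hits on unused ports is treated as scan noise
FOLLOW_UP = timedelta(seconds=60)   # service connection expected shortly after the knocks


def parse(log_text):
    """Turn the constructed log lines into (time, src, dst, dport, flags) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), flags))
    return events


def find_knock_sequences(events):
    """Return {(src, dst): [ports]} for sources whose SYNs to non-service ports
    of one host form a burst of at least MIN_KNOCKS inside WINDOW."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, flags in sorted(events):
        if flags == "S" and dport not in KNOWN_SERVICE_PORTS:
            by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, knocks in by_pair.items():
        for i, (t0, _) in enumerate(knocks):
            burst = [p for t, p in knocks[i:] if t - t0 <= WINDOW]
            if len(burst) >= MIN_KNOCKS:
                hits[pair] = burst
                break
    return hits


def knock_then_connect(events):
    """Correlate each knock burst with a later SYN from the same source to a
    real service port on the same host; that pairing is the activation pattern
    worth alerting on, as opposed to a plain port scan."""
    hits = find_knock_sequences(events)
    alerts = []
    for (src, dst), ports in hits.items():
        last_knock = max(ts for ts, s, d, p, f in events
                         if s == src and d == dst and p in ports)
        for ts, s, d, dport, flags in sorted(events):
            if (s == src and d == dst and flags == "S"
                    and dport in KNOWN_SERVICE_PORTS
                    and timedelta(0) < ts - last_knock <= FOLLOW_UP):
                alerts.append((src, dst, ports, dport))
                break
    return alerts


if __name__ == "__main__":
    for src, dst, ports, svc in knock_then_connect(parse(SAMPLE_LOG)):
        print(f"possible port-knock activation: {src} -> {dst} knocked {ports}, then port {svc}")
```

Tune `KNOWN_SERVICE_PORTS` from an authoritative inventory rather than from observed traffic, otherwise a long-running backdoor port would be whitelisted by its own activity; and keep the knock threshold above the noise floor of ordinary internet scanning, which touches many ports from one source but rarely follows up with a successful session.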
BreachForums Seized and Turned into Global Law Enforcement Honeypot
Bottom Line Up Front (BLUF): ShinyHunters claims that BreachForums, a central cybercrime marketplace, has been secretly seized by French, U.S., and FBI authorities and transformed into a surveillance honeypot. All administrative accounts, PGP keys, plaintext messages, and user credentials have been compromised, enabling complete deanonymization of members. If true, the incident marks a significant escalation in coordinated dark web infiltration by international law enforcement.
Analyst Comments: If this takeover occurred as described, it would represent a textbook “Operation Trojan Shield”–style maneuver, turning an active criminal forum into a live intelligence-gathering asset. The exposure of unhashed passwords, IPs, and message histories could unravel multiple cybercriminal networks and lead to arrests worldwide. However, the claims originate from a single actor with motives of their own, so disinformation remains a possibility. Regardless, the announcement will likely trigger distrust in centralized forums and accelerate the migration of threat actors to encrypted, decentralized platforms.
FROM THE MEDIA: According to the threat actor, all private messages (stored in plaintext), unhashed passwords, IP addresses, email accounts, and login metadata have been accessed. ShinyHunters alleges that a federal agent now operates the “Founder” account and that source code changes added persistent logging, keystroke capture, and file upload monitoring—effectively turning the forum into a law enforcement honeypot. The disclosure warns users to abandon all BreachForums reincarnations, citing the risk of surveillance and legal action. Following the announcement, the forum went offline, and its fate—shutdown or controlled monitoring—is still unclear.
READ THE STORY: GBhackers
Fortinet SSL VPNs Face Coordinated Brute-Force Surge Before Attackers Pivot to FortiManager
Bottom Line Up Front (BLUF): Threat intelligence firm GreyNoise has detected a significant spike in brute-force activity against Fortinet SSL VPN devices beginning August 3, 2025, involving over 780 malicious IP addresses. After initial targeting of FortiOS, attackers shifted their focus to FortiManager systems post-August 5, possibly using the same infrastructure. The activity pattern mirrors pre-CVE disclosure surges seen in other enterprise edge technologies.
Analyst Comments: The pivot from SSL VPNs to FortiManager could indicate attackers probing secondary management interfaces once initial vectors are hardened. Given that past spikes have preceded new CVEs within six weeks, organizations should anticipate a possible zero-day release targeting Fortinet products and proactively enforce multi-factor authentication, IP-based restrictions, and aggressive credential hygiene.
FROM THE MEDIA: Early traffic on August 3 matched a FortiOS profile, while subsequent activity from August 5 used a different TCP signature to target FortiManager instead. Historical data linked the post-August 5 signature to an earlier June spike involving a FortiGate device on a residential ISP, suggesting possible use of residential proxies or local testing. GreyNoise noted that such activity against enterprise edge infrastructure often precedes CVE disclosures by several weeks. Fortinet has not yet commented on the findings.
READ THE STORY: THN
China Orders Suspension of Nvidia H20 GPU Imports Over Security Concerns, Pressuring Shift to Domestic Chips
Bottom Line Up Front (BLUF): The Cyberspace Administration of China has directed major tech firms, including ByteDance, Alibaba, and Tencent, to halt purchases of Nvidia’s H20 GPUs pending a security review. The move, reportedly aimed at promoting adoption of domestic hardware such as Huawei chips, follows recent U.S. approval for Nvidia and AMD to resume certain AI chip sales to China under revenue-sharing conditions. Nvidia denies any security backdoors in its processors.
Analyst Comments: While the U.S. recently loosened restrictions to extract financial concessions from Nvidia and AMD, China’s countermeasure signals an intent to reduce long-term reliance on U.S. AI hardware. Chinese firms may face performance trade-offs in the short term, but the policy could accelerate domestic GPU development, potentially altering the competitive balance in AI compute within five years.
FROM THE MEDIA: The regulator also encouraged sourcing from local manufacturers like Huawei. The order comes just days after the U.S. Department of Commerce granted Nvidia and AMD licenses to resume selling the H20 and MI308 chips to China, contingent on a 15% revenue share with Washington. President Trump confirmed the revenue-sharing agreement on August 11. Nvidia has rejected claims of security vulnerabilities, stating its hardware has no backdoors. The suspension may complicate Nvidia’s efforts to maintain market share in China, one of its largest AI markets, while giving Chinese chipmakers a stronger foothold.
READ THE STORY: Seeking Alpha
Researchers Break DarkBit Ransomware Encryption, Linking Attack to Iran-Backed MuddyWater APT
Bottom Line Up Front (BLUF): Cybersecurity firm Profero successfully cracked the encryption used by the DarkBit ransomware, enabling victims to recover files without paying ransom demands. The operation has been linked to Iran-aligned MuddyWater, which targeted Israeli organizations in politically motivated attacks. While a public decryptor is not yet available, Profero’s findings render DarkBit’s encryption largely ineffective.
Analyst Comments: The political motivation behind the attack—combined with the ransomware’s focus on operational disruption over financial gain—underscores its role as a cyber influence tool. If Profero releases the decryptor publicly, DarkBit’s brand within the cybercrime ecosystem could be permanently damaged, discouraging copycats. However, Iran-linked APTs may adapt quickly, improving their cryptographic schemes to prevent future defeats.
FROM THE MEDIA: The ransomware campaign was attributed to MuddyWater, a known Iran-backed threat group, and coincided with geopolitical tensions involving Iranian drone strikes. DarkBit demanded 80 Bitcoin in ransom and embedded anti-Israel rhetoric in its notes, but showed little interest in negotiation, indicating a disruption-driven motive. Profero’s technical analysis revealed that DarkBit’s AES-128-CBC key generation method relied on weak, predictable seeds, significantly reducing the brute-force search space. Researchers also exploited the sparsity of VMDK files to recover unencrypted data directly, bypassing decryption in many cases. While Profero has not released a public decryptor, its findings open the door for large-scale victim file recovery without ransom payment.
READ THE STORY: Security Affairs
RomCom and Paper Werewolf Exploit WinRAR Zero-Day CVE-2025-8088 in Highly Targeted Phishing Attacks
Bottom Line Up Front (BLUF): Russia-linked RomCom and at least one other criminal group exploited a WinRAR path traversal zero-day (CVE-2025-8088) before it was patched on July 31, 2025. The flaw allowed malicious archives to place files in arbitrary directories during extraction, enabling persistent malware installation. The attacks targeted financial, defense, manufacturing, and logistics organizations, using spear phishing disguised as job applications.
Analyst Comments: RomCom’s use of reconnaissance-based targeting, anti-sandbox evasion, and custom backdoors like SnipBot, RustyClaw, and Mythic indicates a mature, adaptable toolkit. Now that the exploit details are public, broader adoption by other threat actors is likely, expanding the risk from targeted espionage to mass exploitation. Enterprises should prioritize patching to WinRAR 7.13 and monitor for persistence mechanisms in the Windows startup directory.
FROM THE MEDIA: The vulnerability used alternate data streams for path traversal, allowing attackers to deploy malware—such as LNK files and executable payloads—outside the intended extraction folder. Between July 18 and 21, RomCom targeted several organizations in Europe and Canada with phishing emails masquerading as job applications. Payloads included variants of SnipBot, RustyClaw, and the Mythic agent, some hardcoded to execute only on specific corporate domains. Paper Werewolf also exploited the bug around the same time, possibly using an $80,000 exploit advertised by a hacker named “zeroplayer” in June. Although RomCom failed to compromise intended targets, the overlap with prior WinRAR exploits by groups like Fancy Bear underscores the tool’s ongoing attractiveness for espionage and cybercrime.
READ THE STORY: The Register
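The item above describes archives that abuse alternate data stream names to write outside the extraction folder, with the Windows startup directory named as a persistence location to monitor. As an added defensive example (not code from the article, from WinRAR, or from any exploit), the checker below audits an archive's entry names before extraction and flags the three shapes a safe extractor must reject: absolute paths, parent-directory traversal in any path component, and NTFS stream syntax. The listing is constructed to show those shapes only and does not reproduce the real exploit archive; the function names and the extraction root are assumptions.

```python
import ntpath
import posixpath

# Constructed entry names as an archive listing tool would print them (assumption).
SAMPLE_LISTING = [
    "resume.pdf",
    "docs/cover_letter.docx",
    "resume.pdf:..\\..\\..\\Users\\Public\\payload.lnk",          # stream name carrying traversal
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "C:\\Windows\\Temp\\tool.exe",                                  # absolute, drive-qualified
]


def entry_problems(name):
    """Return the list of reasons an archive entry name must not be extracted as-is."""
    reasons = []
    drive, rest = ntpath.splitdrive(name)
    if drive or name.startswith(("/", "\\")):
        reasons.append("absolute path")
    # Anything after a colon (once the drive letter is removed) is NTFS stream syntax.
    if ":" in rest:
        reasons.append("alternate data stream syntax")
    # Every colon-separated piece is itself a path that must stay inside the root.
    for piece in rest.split(":"):
        parts = [p for p in piece.replace("\\", "/").split("/") if p]
        if ".." in parts:
            reasons.append("parent-directory traversal")
            break
    return reasons


def escapes_root(name, root="/tmp/extract"):
    """Independent canonicalisation check: join the entry onto the extraction root,
    normalise, and verify the result is still beneath the root. This is the
    standard mitigation an extractor should apply regardless of name syntax."""
    joined = posixpath.normpath(posixpath.join(root, name.replace("\\", "/")))
    return not (joined == root or joined.startswith(root.rstrip("/") + "/"))


def audit_listing(names):
    """Map each flagged entry name to its reasons; clean names are omitted."""
    return {n: entry_problems(n) for n in names if entry_problems(n)}


if __name__ == "__main__":
    for name, reasons in audit_listing(SAMPLE_LISTING).items():
        print(f"REJECT {name!r}: {', '.join(reasons)}; escapes root: {escapes_root(name)}")
```

Run this over a listing (for example the output of an archive tool's list mode) before handing the file to an extractor, and treat any flagged entry as a reason to quarantine the whole archive rather than extract the remaining entries, since the clean-looking decoy document is part of the lure.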
Scattered Spider And ShinyHunters Allegedly Collaborate in Salesforce-Focused Extortion Campaigns
Bottom Line Up Front (BLUF): Threat groups ShinyHunters and Scattered Spider appear to be coordinating large-scale data extortion operations, targeting Salesforce customers and potentially expanding to financial and technology sectors. The campaign blends social engineering, vishing, Okta-themed phishing, and VPN obfuscation to steal credentials and exfiltrate sensitive data. Evidence from overlapping domain registrations, shared aliases, and synchronized targeting patterns suggests the collaboration has been ongoing for over a year.
Analyst Comments: The groups can execute multi-stage, high-return attacks by merging ShinyHunters’ forum presence and data monetization experience with Scattered Spider’s infiltration and phishing techniques. Financial services may soon face heightened risk due to a 12% increase in domain registrations targeting the sector. The rumored “ShinySp1d3r” ransomware-as-a-service could also escalate the threat into a broader, LockBit-style criminal enterprise.
FROM THE MEDIA: ShinyHunters, active since 2020, has a history of large-scale data breaches and operated iterations of BreachForums until law enforcement action in mid-2025. Scattered Spider, known for SIM swapping and Okta phishing, shares overlapping infrastructure and tactics with ShinyHunters, including ticket-themed phishing domains and SSO credential harvesting pages. Analysis of 700 phishing-related domains registered in 2025 shows a shift toward financial sector targeting, while tech industry focus slightly declined. A Telegram channel briefly surfaced on August 8 promoting a joint ransomware project, “ShinySp1d3r,” before disappearing within three days. Investigators link the collaboration to prior synchronized attacks against retail, insurance, and aviation companies.
READ THE STORY: THN
DarkBit Hackers Target VMware ESXi Servers to Deploy Ransomware and Encrypt VMDK Files
Bottom Line Up Front (BLUF): A new ransomware group, DarkBit, has targeted VMware ESXi servers in a large-scale encryption attack tied to geopolitical tensions in early 2023. The malware’s flawed AES-128-CBC key generation could allow brute-force recovery of encrypted data. The incident suggests nation-state involvement, with motives leaning toward sabotage rather than financial gain.
Analyst Comments: DarkBit’s operational profile—ignoring ransom negotiations and engaging in influence operations—aligns more with strategic disruption than profit-driven ransomware activity. The cryptographic weaknesses represent an unusually exploitable flaw for defenders, potentially enabling widespread victim file recovery without payment. Such vulnerabilities in custom ransomware code could set a precedent for countering future nation-state-linked campaigns through cryptanalysis.
FROM THE MEDIA: The ransomware, “esxi.darkbit,” is a C++ executable leveraging the Crypto++ library, implementing AES-128-CBC with RSA-2048 for key protection. It stops all virtual machines before encrypting the targeted VMware VMDK and related files, appending “.DARKBIT” extensions. The malware uses chunk-based encryption to render systems unusable quickly without sacrificing processing speed. Investigators noted predictable key seeds—derived from process IDs, timestamps, and stack addresses—shrinking the keyspace to roughly 2^39 possibilities, enabling feasible brute-force decryption. The attack appears to inflict operational and reputational harm rather than extract payment.
READ THE STORY: GBhackers
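Both DarkBit items (the Profero analysis above and this ESXi write-up) turn on the same point: a key derived from process IDs, timestamps and stack addresses has only as much entropy as those inputs, which is why the search collapses to roughly 2^39 candidates and a known file header is enough to recognise the right one. The example below, added here and not Profero's or DarkBit's code, makes that arithmetic concrete with a hypothetical low-entropy key derivation and a known-plaintext check against the VMDK sparse-extent magic. Assumptions: the 15/17/7-bit split of the seed inputs (chosen to reproduce the page's 2^39 figure, not taken from the malware), the hypothetical KDF, and a SHA-256 keystream standing in for AES-128-CBC so the block runs with the standard library alone; the search ranges are narrowed so the demonstration finishes in seconds.

```python
import hashlib
import itertools
import math

VMDK_MAGIC = b"KDMV"  # first four bytes of a VMDK sparse-extent header (little-endian 0x564d444b)


def keyspace_bits(pid_bits, time_window_seconds, stack_bits):
    """Entropy budget of a key built only from PID, a timestamp within a window,
    and a few low stack-address bits. Assumed split: 15 + log2(2^17) + 7 = 39."""
    return pid_bits + math.log2(time_window_seconds) + stack_bits


def weak_seed_key(pid, timestamp, stack_bits):
    """Hypothetical low-entropy KDF (assumption, not DarkBit's real scheme):
    the whole 128-bit key is a function of three small integers."""
    seed = f"{pid}:{timestamp}:{stack_bits}".encode()
    return hashlib.sha256(seed).digest()[:16]


def keystream_xor(key, data):
    """Stand-in for AES-128-CBC so the block has no third-party dependency:
    a SHA-256 counter keystream XORed over the data. Symmetric, so it also decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def recover_key(ciphertext_head, pid_range, time_range, stack_range):
    """Enumerate the seed space and accept the first key whose decryption of the
    file head yields the VMDK magic. Returns (key, (pid, ts, stack)) or None."""
    for pid, ts, sb in itertools.product(pid_range, time_range, stack_range):
        key = weak_seed_key(pid, ts, sb)
        if keystream_xor(key, ciphertext_head).startswith(VMDK_MAGIC):
            return key, (pid, ts, sb)
    return None


# Constructed victim file: a 32-byte VMDK-style header encrypted under seed values
# the recovery routine does not know in advance (assumption: pid 4242, ts, stack bits 42).
TRUE_PARAMS = (4242, 1675250000, 42)
SAMPLE_PLAINTEXT = VMDK_MAGIC + b"\x01\x00\x00\x00" + b"\x03\x00\x00\x00" + b"\x00" * 20
SAMPLE_CIPHERTEXT = keystream_xor(weak_seed_key(*TRUE_PARAMS), SAMPLE_PLAINTEXT)


def demo():
    """Search a narrowed window (100 PIDs x 61 seconds x 64 stack values) and
    return the recovered seed parameters and the decrypted header."""
    ts0 = TRUE_PARAMS[1]
    found = recover_key(SAMPLE_CIPHERTEXT[:16], range(4200, 4300),
                        range(ts0 - 30, ts0 + 31), range(64))
    if found is None:
        return None
    key, params = found
    return params, keystream_xor(key, SAMPLE_CIPHERTEXT)


if __name__ == "__main__":
    print(f"assumed keyspace: 2^{keyspace_bits(15, 2 ** 17, 7):.0f}")
    params, plain = demo()
    print(f"recovered seed {params}, header {plain[:8]!r}")
```

The defender-side lesson is the ratio: a proper AES-128 key costs 2^128 guesses, while a key that is a deterministic function of 39 bits of system state costs 2^39, which is a few hours of commodity compute per file; any ransomware or, for that matter, any in-house encryption tool whose key material is seeded from PIDs and clock values inherits that bound no matter how strong the cipher behind it is.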
Items of interest
Google Warns 2.5 Billion Gmail Users of Hybrid Phone-Email Phishing Campaign Linked to ShinyHunters Breach
Bottom Line Up Front (BLUF): Google has confirmed a surge in hybrid phishing attacks against Gmail users following a breach of its Salesforce database, allegedly linked to the ShinyHunters group. Attackers impersonate Google support via phone, prompting targets to share verification codes from simultaneous password reset emails. This real-time social engineering tactic enables account takeovers even against security-savvy users.
Analyst Comments: The link to the broader ShinyHunters breach increases the likelihood that attackers can access enriched target data, making impersonation more convincing. While Google’s mitigation advice—Security Checkup, Advanced Protection Program, and passkeys—is sound, the scale of Gmail’s user base means even low conversion rates could yield significant compromises. Organizations should update user awareness training to cover phone-email hybrid tactics, which bypass many traditional phishing detection systems.
FROM THE MEDIA: Victims first receive a call from a fake “Google support” representative warning of a hacking attempt, followed by a genuine-looking password reset email. Attackers then request the security verification code over the phone, using it to hijack the account in real time. Google confirmed that email-based password theft attempts rose 84% year-over-year and have intensified in 2025. The advisory follows Google’s acknowledgment of a Salesforce database compromise affecting Gmail and Google Cloud customers. Users are urged to run the Google Security Checkup, enroll in the Advanced Protection Program, and adopt passkeys to mitigate future attacks.
READ THE STORY: Forbes
Google Hit by ShinyHunters Hack: Salesforce Data Breach Explained (Video)
FROM THE MEDIA: Google (GOOGL) has become the latest victim of a data breach involving Salesforce databases, orchestrated by the notorious hacking group ShinyHunters.
DEF CON 32 - Your AI Assistant has a Big Mouth: A New Side Channel Attack (Video)
FROM THE MEDIA: AI assistants like ChatGPT are changing how we interact with technology. But what if someone could read your confidential chats? Imagine awkwardly asking your AI about a strange rash, or to edit an email, only to have that conversation exposed to someone on the net. In this talk, we'll unveil a novel side-channel vulnerability in popular AI assistants and demonstrate how it can be used to read encrypted messages sent from AI Assistants.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.