This week’s cybersecurity landscape highlights how familiar systems can become powerful tools in the wrong hands. From zero-click smartphone exploits to large-scale crypto scams, attackers continue to exploit routine services, trusted workflows, and ordinary files to gain unauthorized access, often without detection.
Spear-Phishing Targets Afghan Government
A campaign dubbed Operation Nomad Leopard has been observed targeting Afghan government entities. Attackers distributed a backdoor named FALSECUB via a GitHub-hosted ISO file. The ISO included a PDF-themed lure and a C++ executable capable of receiving external commands. Seqrite Lab notes the campaign shows moderate sophistication and likely originates from a regionally focused threat actor.
Denial-of-Service Attacks in the UK
Russian-aligned hacktivist groups, including NoName057(16), continue targeting UK critical infrastructure and local government services with DoS attacks. The UK National Cyber Security Centre (NCSC) emphasized that even low-complexity DoS attacks can disrupt operations and cause significant economic and operational impact.
Malicious DLL Side-Loading
A new campaign exploits DLL side-loading through trusted applications to deploy info-stealing malware. Payloads such as CoreMessaging.dll are bundled in ZIP archives that masquerade as legitimate installers for apps such as Malwarebytes, and exfiltrate sensitive data without alerting users.
Windows Subsystem for Linux Exploited
A new Beacon Object File (BOF) targets WSL (Windows Subsystem for Linux) environments, bypassing process creation to run commands directly within memory. Released by SpecterOps, the tool allows attackers to enumerate WSL distributions and execute arbitrary commands stealthily.
Malvertising Pushes Remote Access Trojans
Legitimate-looking ads for file conversion tools—such as Easy2Convert, ConvertyFile, and PowerDoc—have been used to deliver persistent RATs. While the tools function normally in the foreground, a hidden .NET payload communicates with remote servers, enabling continuous system access.
Short-Lived TLS Certificates
Let’s Encrypt now offers 6-day short-lived TLS certificates for automated environments. These opt-in certificates aim to reduce the risk from long-term key compromise, although adoption remains voluntary.
Exploitation of Support Platforms
Zendesk has warned that attackers are abusing unsecured support ticket submission to relay spam emails. Organizations are advised to restrict ticket creation to verified users to prevent exploitation.
EU Cybersecurity Regulations
The European Commission proposed new cybersecurity rules to remove high-risk suppliers from telecom networks, strengthen critical infrastructure protection, and improve testing through a renewed European Cybersecurity Certification Framework (ECCF).
Large-Scale Reconnaissance
GreyNoise reported extensive WordPress plugin scanning: 706 plugins were probed across more than 40,000 events, including Post SMTP, Loginizer, LiteSpeed Cache, and Elementor. Admins are urged to keep plugins updated to mitigate the risk.
C2 Servers and Espionage
Hunt.io identified over 18,000 C2 servers in China, primarily used by IoT botnets such as Mozi and Mirai and by Cobalt Strike deployments. Separately, a former Swedish military IT consultant was detained for allegedly spying for Russia, highlighting continued nation-state espionage risks.
Critical Platform Vulnerabilities
Bluvoyix, a cloud-based supply chain platform, patched critical flaws that could have granted full platform control and API access. Security researcher Eaton Zveare noted the potential for unauthorized admin accounts and shipment manipulation.
Record-Breaking Crypto Scams
Crypto scams in 2025 surpassed $17 billion, fueled by high-yield investment fraud, pig butchering operations, and AI-generated deepfakes. Chainalysis reports that scammers increasingly leveraged sophisticated infrastructure for industrial-scale fraud and laundering.
Malware and Exploit Campaigns
- Five Venezuelan nationals pleaded guilty to ATM jackpotting attacks using malware.
- Zero-click exploit for Google Pixel 9 leveraged the Dolby audio decoder and BigWave driver for kernel-level privilege escalation.
- TamperedChef infostealer spread via Google Ads targeting PDF editing tools.
- Phony pharmaceutical invoices in ZIP files delivered PureLogs Stealer via PNG payloads.
- Fake loan sites in Peru harvested bank credentials and PINs using 370 cloned domains.
- Fake Notepad++ installers deployed proxyware in South Korea to monetize unused bandwidth.
These incidents underscore how routine systems and trusted workflows have become the front line for attackers. The pattern of small, quiet exposures accumulating into significant threats emphasizes the need for vigilant security monitoring.