In today’s cybersecurity news…
Apple appeals UK encryption back door order
The UK’s Investigatory Powers Tribunal, or IPT, confirmed Apple filed an appeal against an order that would require it to create a back door in its Advanced Data Protection feature, part of its cloud storage. We know this because the IPT refused an application by the British government to keep even “the bare details of the case,” including the identity of the filing parties, secret on the grounds that disclosure could damage national security. The Financial Times had reported that Apple appealed the order, but we now have official confirmation. A hearing on the appeal was already held last month in London, but no media access was permitted.
(Reuters)
Researchers warn about AI-driven hacking tool
Researchers at SlashNext published details about Xanthorox AI, a modular AI-driven hacking tool first spotted on hacker forums last month. Xanthorox uses five operational models to handle “code generation, vulnerability exploitation, data analysis, and integrates voice and image processing, making it capable of both automated and interactive attacks.” Previous AI-based tools we’ve covered, like WormGPT, rely on jailbreaks or other workarounds to run on existing LLMs, but Xanthorox runs on a self-contained architecture on dedicated servers, with its operators claiming it is a custom LLM.
PoisonSeed campaign weaponizes CRM system
Researchers at Silent Push found a new campaign that uses customer relationship management and bulk email systems to send phishing emails containing crypto seed phrases to potential victims. These emails claim to be from Coinbase and urge users with self-custodial wallets to transfer their assets. The seed phrases are included in transfer instructions for setting up new wallets, which gives the threat actors access to any assets moved into them. It’s estimated that Coinbase users have lost roughly $46 million in crypto assets since mid-March. The campaign has used a variety of providers to spam people, including Hubspot, Mailchimp, Mailgun, SendGrid, and Zoho.
Everest ransomware site offline
The darknet leak site for the Russian-speaking ransomware group Everest went offline on April 7th after being defaced over the weekend. Before going dark, the site was changed to read, “Don’t do crime CRIME IS BAD xoxo from Prague.” It’s unclear whether the site going dark was the result of law enforcement activity, an exit scam by the group itself, or some other third party. Everest was linked to an attack on the cannabis dispensary STIIIZY in November. Ironically, it’s now Everest that appears to have gone… up in smoke (Editor’s Note: we apologize).
Huge thanks to our sponsor, Nudge Security

Get your free GenAI inventory today.
WK Kellogg feeling soggy after Clop-linked data breach
In late 2024, the Clop ransomware group targeted vulnerabilities in the managed file transfer utility Cleo. In a notice filed with Maine’s attorney general, the food giant WK Kellogg said it learned of a potential security incident stemming from the Cleo breach on February 27, 2025, and ultimately traced the unauthorized access back to December 7th. The company used Cleo to transfer employee files to a human resources vendor, and the breach exposed employee names and Social Security numbers. WK Kellogg will offer impacted employees the now obligatory one year of credit monitoring services.
State-backed actors could have exploited ESET flaw
The cybersecurity firm ESET confirmed a flaw reported by Kaspersky researchers that could be used by threat actors to plant a malicious DLL and have ESET’s antivirus scanner execute it, bypassing system defenses. ESET patched the issue and maintains it has found no evidence of exploitation in the wild. However, Kaspersky researchers claim the suspected state-backed threat group ToddyCat used the flaw in a campaign, using a modified version of EDRSandBlast to load the malicious DLL under the name TCDSB and execute payloads. ESET said it has not been able to review the suspected DLLs, but noted that regardless, the attack would have required administrator privileges to carry out.
Cryptominers pose as VSCode extensions
ExtensionTotal researcher Yuval Ronen discovered nine extensions on Microsoft’s VSCode Marketplace that attempt to fetch a PowerShell script from an external source to install a cryptominer. These malicious extensions pose as tools for popular services like Discord, Roblox, Claude AI, and ChatGPT, or as compilers for various programming languages. The extensions show roughly 300,000 installs, although this figure has likely been juiced to make them appear legitimate. ExtensionTotal reported the extensions to Microsoft, but they are still on the Marketplace as of this recording.
Threat actors posing as Ukrainian drone companies
Ukraine’s computer emergency response team, CERT-UA, began tracking a campaign in February in which threat actors pose as drone manufacturers and state agencies to infect systems with info stealers. They approach victims from compromised email accounts, sending messages with malicious attachments. Once a system is infected, the campaign uses GiftedCrook malware to steal browser data and exfiltrate it to Telegram. CERT-UA didn’t attribute the campaign to any previously known group, tracking it under the designation UAC-0226.