Cybersecurity News: Drift blames exploit on North Korea, GitHub attacks target South Korea, Die Linke breach threatens data leak

In today’s cybersecurity news…

Drift says exploit was North Korean intelligence operation

A North Korean state-linked group apparently spent about six months infiltrating Drift Protocol by posing as a legitimate trading firm, building trust through meetings, technical collaboration, and depositing more than $1 million before executing a $270 million exploit on April 1st. Investigators say the attackers compromised contributor devices via a malicious TestFlight app and a vulnerability in VSCode/Cursor, letting them secure multisig approvals and drain funds in under a minute. Drift attributed the attack to UNC4736 and warned the operation highlights weaknesses in DeFi’s reliance on multisig security against long-term, identity-based infiltration campaigns. (CoinDesk)

GitHub used in multi-stage attacks targeting South Korea

Researchers at Fortinet FortiGuard Labs report that North Korean-linked hackers are using GitHub as command-and-control infrastructure in multi-stage attacks targeting South Korean organizations. The campaign starts with phishing-delivered LNK files that drop decoy PDFs while silently executing PowerShell scripts, which profile infected systems, evade analysis, and exfiltrate data to attacker-controlled GitHub repositories. The activity is tied to the Kimsuky group, pointing toward a broader shift to “living-off-the-land” techniques that rely on legitimate tools and trusted platforms to maintain persistence and reduce detection. (The Hacker News)
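The chain described above (a double-clicked LNK spawning a hidden PowerShell process that talks to a GitHub endpoint) is one a defender can hunt for in process-creation telemetry. The script below is an added example written for this summary, not code from the article or from Fortinet; it assumes Sysmon-style `key=value` process-creation lines with hypothetical field names (`id`, `image`, `parent`, `cmdline`) and scores each PowerShell launch on a few weak signals that are individually common but rarely combined in benign activity. The sample events are constructed for the example.

```python
"""Heuristic hunt for the LNK -> hidden PowerShell -> GitHub pattern (added example)."""
import re
from dataclasses import dataclass

# Trusted-platform endpoints the campaign summary names as C2/exfil infrastructure.
GITHUB_HOSTS = ("github.com", "api.github.com", "raw.githubusercontent.com")

# PowerShell switches commonly stacked by LNK-launched loaders; each adds one point.
FLAG_SWITCHES = {
    "-enc": "encoded command", "-encodedcommand": "encoded command",
    "-nop": "no profile", "-noprofile": "no profile",
    "-ep": "execution policy override", "-executionpolicy": "execution policy override",
    "-noni": "non-interactive", "-noninteractive": "non-interactive",
}
HIDDEN_WINDOW = {"-w", "-windowstyle"}

# Constructed sample events (hypothetical field names, not real telemetry).
# Event 1: classic loader flags; event 2: benign admin script; event 3: GitHub fetch.
SAMPLE_EVENTS = [
    r'id=1 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\explorer.exe" cmdline="powershell.exe -nop -w hidden -ep bypass -enc QUJDRA=="',
    r'id=2 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\System32\cmd.exe" cmdline="powershell.exe -File C:\scripts\nightly-backup.ps1"',
    r'id=3 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\explorer.exe" cmdline="powershell.exe -w hidden -c Invoke-RestMethod https://api.github.com/repos/example-org/example-repo/contents/notes.txt"',
]

# key=value pairs; values may be double-quoted (so command lines with spaces survive).
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    event_id: str
    score: int
    reasons: list


def parse_event(line):
    """Turn one key=value line into a dict, preferring the quoted form when present."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}


def score_event(ev):
    """Score a single process-creation event; returns None for non-PowerShell images."""
    image = ev.get("image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    score, reasons = 0, []
    # A shell launched directly by Explorer is what a double-clicked LNK looks like.
    if ev.get("parent", "").lower().endswith("explorer.exe"):
        score += 2
        reasons.append("PowerShell spawned by explorer.exe (consistent with a double-clicked LNK)")
    tokens = ev.get("cmdline", "").lower().split()
    for i, tok in enumerate(tokens):
        if tok in HIDDEN_WINDOW and i + 1 < len(tokens) and tokens[i + 1] in ("hidden", "h", "1"):
            score += 1
            reasons.append("hidden window")
        elif tok in FLAG_SWITCHES:
            score += 1
            reasons.append(FLAG_SWITCHES[tok])
    # Direct reference to a GitHub endpoint from the command line itself.
    if any(host in tok for tok in tokens for host in GITHUB_HOSTS):
        score += 2
        reasons.append("GitHub endpoint referenced on the command line")
    return Finding(ev.get("id", "?"), score, reasons)


def analyze(lines, threshold=4):
    """Return findings at or above the threshold, in input order."""
    findings = []
    for line in lines:
        finding = score_event(parse_event(line))
        if finding and finding.score >= threshold:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.event_id}: score {f.score}: " + "; ".join(f.reasons))
```

The threshold matters more than any single rule: an Explorer-spawned PowerShell on its own scores 2 and is not reported, so an administrator's shortcut to a plain script stays quiet, while hidden-window and encoded-command flags stacked on that parent, or a GitHub fetch from it, cross the line. In production the GitHub check would normally move to proxy or DNS logs, since a loader can just as easily read its repository URL from a dropped file as from its command line.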

Data leak threatened after Die Linke attack

The Qilin [Chee-Leen] ransomware group claimed a cyberattack on Germany’s left-wing party Die Linke, threatening to leak stolen data if a ransom isn’t paid. The party confirmed a “serious” breach, shut down parts of its IT systems, and warned that internal data and employee information could be exposed, though its membership database wasn’t affected. Officials worry this reflects a broader pattern of cyberattacks on political institutions, with some ransomware operations potentially aligning with Russian geopolitical interests. (The Record)

Russian crypto payments expand into Africa

On the topic of geopolitical interests, a sanctioned Russian crypto network called A7 is expanding into Africa, with reported offices in Nigeria and Zimbabwe as part of Russia’s effort to build alternative payment rails outside Western systems. Founded by Ilan Șor and backed by a Russian defense-linked bank, A7 uses tools like stablecoins and promissory notes to keep ruble-based trade flowing despite sanctions. Analysts say the move aligns with Russia’s broader geopolitical push in Africa, though the network’s actual footprint and usage are unclear. (Financial Times)

Huge thanks to our sponsor, Vanta

Risk and regulation are ramping up—and customers expect proof of security just to do business. Vanta’s automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you’re prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.

Microsoft links Medusa affiliate to attacks

Microsoft says a China-linked cybercrime group known as Storm-1175 is carrying out rapid ransomware attacks by exploiting both zero-day and recently disclosed vulnerabilities, sometimes within days or even before patches are released. The group chains multiple exploits, steals credentials, disables defenses, and deploys Medusa ransomware within as little as 24 hours, targeting sectors including healthcare, education, and finance across the U.S., U.K., and Australia. Microsoft notes the group has used more than 16 vulnerabilities across widely used enterprise software. (BleepingComputer)

Singapore, US warn of latest Fortinet bug

U.S. and Singapore authorities are warning that the critical vulnerability in Fortinet’s FortiClient EMS we covered in Monday’s show is being actively exploited after its disclosure by researchers at Defused. The flaw, rated 9.1/10, affects software that is widely used across government networks, prompting CISA to order rapid patching and mitigation to prevent compromise. Researchers say exploitation began almost immediately and may have intensified during the latest holiday window. (The Record)

Stalkerware maker receives no jail time

A U.S. court sentenced Bryan Fleming, founder of stalkerware firm pcTattletale, to no prison time beyond one day served and a $5,000 fine after he pleaded guilty to distributing surveillance software designed to secretly monitor victims. Prosecutors said the app was marketed for spying on others without consent, despite nominal legal disclaimers, following a Homeland Security Investigations probe into more than 100 stalkerware companies. The case marks the first U.S. conviction of a stalkerware maker since 2014 and could signal more enforcement, though prosecutions remain rare. (The Record)

Google DeepMind maps web attacks against AI agents

Google DeepMind researchers identified a new class of “AI Agent Traps,” where malicious web content manipulates autonomous AI agents into leaking data, spreading misinformation, or executing unintended actions. The team outlined six attack categories, including hidden prompt injections, semantic manipulation, memory poisoning, and system-level coordination attacks that exploit how agents process content and follow instructions. The research highlights growing risks in agentic AI systems and calls for stronger defenses like model hardening, runtime protections, and standardized security frameworks to mitigate emerging threats. (SecurityWeek)