In today’s cybersecurity news…
Energy Department to release first cyber strategy
According to the acting director of the Office of Cybersecurity, Energy Security, and Emergency Response, Alex Fitzsimmons, the US Department of Energy will release a strategic plan “soon” for how it intends to protect the energy grid from cyberattacks. This will supplement the recently released national cybersecurity strategy, which focuses on sector resilience. Fitzsimmons said the plan will rely heavily on public-private partnerships. The strategy will also outline areas of investment for defensive AI deployments in the sector, with Fitzsimmons noting that we’re already seeing an increase in adversaries using AI offensively.
Tech giants sign on to fight scammers
One of the pillars of the new US cyber strategy is greater public-private partnership to combat transnational cybercrime organizations. We’re already seeing one example of that. The “Online Services Accord Against Scams” was signed by some of the biggest names in the industry, with Google, Microsoft (including LinkedIn), Meta, Amazon, OpenAI, Adobe, and Match Group all on board. The accord calls for increased information sharing about scams seen on their individual platforms, both with others in tech and with law enforcement agencies. Each company also commits to deploying new fraud detection tools and introducing new security features for users, then sharing best practices from those efforts with fellow signatories. It also calls for clear reporting mechanisms for users. The accord is voluntary, with no enforcement mechanisms.
(Axios)
Font-rendering hides malicious commands from AI in plain sight
Researchers at LayerX released a proof-of-concept attack that uses custom font remapping and CSS to fool LLM-based tools while keeping a payload in plain sight. This takes advantage of the fact that an LLM looks at the structured text of a page rather than the full page render. AI tools scanning the PoC’s HTML see only meaningless, unreadable content, but when rendered, the page shows malicious instructions to a user. LayerX found the approach worked against most major models, including ChatGPT, Claude, Copilot, Gemini, and Grok. LayerX presented the finding to vendors in December, but most deemed the issue “out of scope” as a social engineering attack, with only Microsoft accepting and addressing the finding.
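As an added example for defenders (this is not LayerX’s proof of concept and not code from the original report), the following Python heuristic takes the precondition of the technique described above and turns it into a triage check: if a page ships its own glyph mapping, the font must come from somewhere, so the script looks for `@font-face` rules whose `src` is an inline `data:` URI, checks whether any such family is actually applied by a `font-family` declaration, and reports how much of the extracted text looks like gibberish. The assumption that the remapping rides on an inline-embedded font is mine, not a detail stated above; the two HTML samples are constructed.

```python
"""Heuristic triage for font-remapping pages: flag HTML whose visible text is styled
with a font embedded inline in the page (data: URI in @font-face). Such a page can
render characters differently from the text an LLM or text extractor sees.
Assumed pipeline helper (hypothetical); not LayerX's PoC. Standard library only."""
import re
from html.parser import HTMLParser

FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I | re.S)
FAMILY_RE = re.compile(r"font-family\s*:\s*([^;}]+)", re.I)
DATA_SRC_RE = re.compile(r"src\s*:[^;]*url\(\s*['\"]?data:", re.I)
VOWEL_RE = re.compile(r"[aeiou]", re.I)


def _clean_family(raw):
    """First family of a font-family value, quotes stripped, lowercased."""
    return raw.split(",")[0].strip().strip("'\"").lower()


def embedded_families(css):
    """Family names declared by @font-face rules whose src is a data: URI."""
    found = set()
    for body in FONT_FACE_RE.findall(css):
        fam = FAMILY_RE.search(body)
        if fam and DATA_SRC_RE.search(body):
            found.add(_clean_family(fam.group(1)))
    return found


def referenced_families(css):
    """Families named by font-family declarations outside @font-face blocks."""
    outside = FONT_FACE_RE.sub("", css)
    return {_clean_family(m) for m in FAMILY_RE.findall(outside)}


class _Collector(HTMLParser):
    """Gather <style> CSS, inline style attributes, and visible text."""

    def __init__(self):
        super().__init__()
        self.css, self.inline, self.text = [], [], []
        self._in_style = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        elif tag == "script":
            self._in_script = True
        style = dict(attrs).get("style")
        if style:
            self.inline.append(style)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)
        elif not self._in_script and data.strip():
            self.text.append(data)


def assess(html):
    """Return triage findings for one HTML document."""
    c = _Collector()
    c.feed(html)
    css = "\n".join(c.css)
    embedded = embedded_families(css)
    used = referenced_families(css) | {
        _clean_family(m) for m in FAMILY_RE.findall("; ".join(c.inline))
    }
    applied = embedded & used
    visible = " ".join(" ".join(c.text).split())
    tokens = re.findall(r"[A-Za-z]+", visible)
    # Crude gibberish signal: share of alphabetic tokens containing a vowel.
    vowel_share = sum(1 for t in tokens if VOWEL_RE.search(t)) / len(tokens) if tokens else 1.0
    return {
        "embedded_fonts": sorted(embedded),
        "embedded_fonts_applied": sorted(applied),
        "visible_text": visible,
        "gibberish_hint": vowel_share < 0.5,
        "suspicious": bool(applied),  # inline font applied to content: triage it
    }


# Constructed samples: one page applies an inline data: font to all body text,
# the other loads a normal hosted web font.
SUSPICIOUS_HTML = """<html><head><style>
@font-face { font-family: 'Remap'; src: url(data:font/woff2;base64,AAAA) format('woff2'); }
body { font-family: 'Remap', sans-serif; }
</style></head><body><p>qzx tkpl vrjn mwsdf</p></body></html>"""

BENIGN_HTML = """<html><head><style>
@font-face { font-family: 'Inter'; src: url(https://example.invalid/inter.woff2); }
body { font-family: 'Inter', sans-serif; }
</style></head><body><p>Quarterly report and notes</p></body></html>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(name, assess(doc))
```

The check deliberately does not parse CSS selectors, so a legitimate icon font embedded as a `data:` URI and applied only to a few icon spans will also be flagged; the `gibberish_hint` field is there to help an analyst rank such hits, and a pipeline that feeds pages to an LLM should treat a positive as a reason to render the page and compare, not as a verdict.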
New tactics spotted for LeakNet
The LeakNet ransomware operation has been active since the end of 2024, but it is expanding its bag of tricks. ReliaQuest spotted the group using a “bring your own runtime” attack, using the legitimate open-source Deno runtime for JavaScript and TypeScript to deploy a malware loader. The group first gains access through a ClickFix social engineering attack. It then uses the Deno-based loader to load a JavaScript payload into memory, thereby minimizing forensic evidence. Once executed, the malware connects to a C2 server to fetch a secondary payload.
Huge thanks to our sponsor, Adaptive Security

EU hits Iranian threat actors with sanctions
We’ve covered a number of cyberattacks from Iranian-linked groups, and now we’re seeing an array of policy responses. The European Union issued new sanctions against the Iranian company Emennet Pasargad. Back in 2023, Microsoft found that the company stole data from the French magazine Charlie Hebdo and sold it on illicit forums. These sanctions freeze the company’s assets held at European institutions and ban EU businesses from interacting with it. The EU also issued sanctions against two Chinese firms. Integrity Technology Group was sanctioned for targeting critical infrastructure and selling information to hack-for-hire services. Anxun Information Technology received sanctions for taking part in the Flax Typhoon attacks on EU institutions.
(Politico)
China-nexus dwelling for years in military networks
New research from Palo Alto’s Unit 42 found that a China-nexus threat group breached military networks in Southeast Asia as far back as 2020. The intrusion used at least two novel backdoor malware variants and a version of the Getpass credential-stealing tool. The attackers used this access for “highly targeted intelligence collection,” looking for specific files on “military capabilities, organizational structures and collaborative efforts with Western armed forces.” The operators used multiple Dropbox accounts as dead-drop resolvers, posting embedded domains to a legitimate service to hide their activity. The researchers say the custom malware and focused approach indicate a highly sophisticated threat actor.
UK CMC looks to expand to US
The UK-based non-profit Cyber Monitoring Centre opened in February 2025, assessing the economic impact of cyber incidents in the country on a 0 to 5 scale modeled after scales used for natural disasters, like the Richter scale. The rating is based on weighing the financial cost against the estimated affected population, and is complemented by an in-depth report on the incident and its financial ramifications. In 2025, CMC released analyses of the Marks & Spencer retail attacks and the Jaguar Land Rover attacks. At a recent event in London, CMC head of operations Ruth Goodwin said establishing a US Cyber Monitoring Centre was on its roadmap for 2026, with plans to start issuing reports in 2027.
Konni group targeting KakaoTalk
The South Korean threat intel firm Genians spotted a new campaign by the North Korea-linked group Konni. It targets victims with a spear-phishing email that appears to be a notice of an appointment as a North Korean human rights lecturer. The email carries a malicious LNK file that installs the EndRAT trojan, enabling remote access and extended dwell time on infected systems. The attackers use this to exfiltrate system data and access the KakaoTalk app to spread further malware to the victim’s contacts. These secondary attacks aren’t spray-and-pray across the entire contact list, but seem targeted at specific individuals.