In today’s cybersecurity news…
4 members of Pres. Trump’s cabinet impersonated
A scammer used artificial intelligence to impersonate Secretary of State Marco Rubio, Acting National Security Advisor Marco Rubio, Acting USAID Administrator Marco Rubio, and Acting Archivist of the United States Marco Rubio. Using voice-mimicking tech and spoofed emails like “Marco.Rubio@state.gov,” the impersonator tried reaching foreign ministers, a governor, and a member of Congress via Signal and voicemail. The State Department issued a warning on July 3. The FBI is investigating, presumably after figuring out which Marco Rubio to report to.
(CNN)
Is this some kind of a game?
Security researchers from Fortinet have identified a stealthy new botnet called RondoDox, which is actively targeting internet-connected surveillance systems, routers, and other Linux-based devices in industries like utilities, transportation, and telecom. Once inside, RondoDox disables security tools, hides deep within the system to survive reboots, and renames key files to avoid detection. Its most distinctive trick? It disguises its malicious network traffic to look like common VPN connections or online gaming activity—like Fortnite, Minecraft, and Roblox—allowing it to bypass firewalls and blend in with normal internet use. Infected devices are quietly added to a growing botnet used for launching denial-of-service attacks. There’s no confirmed attribution yet.
(TechNadu)
Batavia attacks Russian industrial companies
Cybersecurity researchers at Kaspersky have uncovered a spyware campaign, active since March, targeting Russian industrial companies. The operation, called Batavia, sends fake emails pretending to share contract documents. The messages include links that download malicious files. The files install spyware to steal data from the device and any connected USB drives and give the attackers a back door to come back later. Kaspersky says the phishing emails come from a domain controlled by the hackers, and that each email contains a unique download link meant just for that victim—suggesting a very targeted and organized operation. So far, the identity of the attackers remains unknown.
(THN, SecureList by Kaspersky)
Series finale: SEC v. SolarWinds
A spinoff of the original 2020 cyber thriller Sunburst: The SolarWinds Hack, this legal drama wrapped quietly as the SEC and SolarWinds reached a settlement, ending what had been the agency’s first breach-related enforcement case brought without a prearranged deal. The SEC had accused the company and its CISO of misleading investors about cyber risks prior to the infamous breach. After a federal judge dismissed much of the case, criticizing its reliance on hindsight, the plot lost steam, disappointing fans much like the final season of Game of Thrones did. Now, with a September 12 deadline to finalize terms, both parties have agreed to a stay.
Huge thanks to our sponsor, Vanta

We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks.
But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI. Now that’s…a new way to GRC.
Get started at Vanta.com/headlines
Google’s Gemin-ay-ay-ay!
As of July 7, 2025, Google’s Gemini AI will be able to access Android apps like Phone, Messages, WhatsApp, and more—even if you previously turned off “Gemini Apps Activity.” That setting only stopped the AI from using your data for training, not from tapping into your apps. These permissions allow Gemini to interact with other apps on your behalf, send messages and make calls (I guess I don’t have to have that awkward break-up conversation after all). To fully block Gemini’s access, users must go into settings and manually revoke permissions for each app. Google says conversations won’t be used for AI training if activity is disabled, but they’ll still be stored for up to 72 hours. Privacy advocates are raising concerns about the vague rollout and the fact that “off” doesn’t really mean off.
The patch release notes didn’t mention malware
A malicious pull request to a popular Visual Studio Code extension called Ethcode reached over 6,000 developers who had installed it, according to cybersecurity firm ReversingLabs. On June 17, an attacker using a deceptive GitHub account submitted an update that added code to download malware. The attack planted a fake npm package that executed hidden PowerShell scripts likely aimed at stealing crypto or tampering with smart contracts.
Microsoft removed the extension and published a clean version by June 28, 2025. The incident is the latest in a rising wave of supply chain attacks targeting open-source tools.
(THN)
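The Ethcode item above is a reminder that a pull request touching a manifest deserves a closer look than a normal code change. The script below is an added example, not ReversingLabs’ tooling or Ethcode’s own code: it diffs two package.json versions and flags newly added dependencies, changed version specs, and newly introduced install-time lifecycle hooks, which are exactly the places a one-line malicious dependency hides. The two manifests and the package name "example-helper-utils" are constructed placeholders, not the real package from the incident.

```python
"""Flag risky dependency changes between two versions of package.json.

Added example for a PR review gate; not code from ReversingLabs or Ethcode.
The manifests and the package name "example-helper-utils" are constructed.
"""
import json

# Hooks that npm runs automatically during `npm install` in the consumer's environment.
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
# Version specs that pull code from somewhere other than the registry.
REMOTE_PREFIXES = ("http://", "https://", "git+", "git://", "github:", "file:")

# Constructed "before" and "after" manifests standing in for the two sides of a PR.
BEFORE = json.dumps({
    "name": "example-extension",
    "version": "1.0.0",
    "dependencies": {"ethers": "^6.0.0"},
    "scripts": {"build": "tsc"},
})
AFTER = json.dumps({
    "name": "example-extension",
    "version": "1.0.1",
    "dependencies": {"ethers": "^6.0.0", "example-helper-utils": "1.0.0"},
    "scripts": {"build": "tsc", "postinstall": "node scripts/setup.js"},
})


def diff_dependencies(before_json, after_json):
    """Return findings: added packages, changed specs, remote specs, new lifecycle hooks."""
    before = json.loads(before_json)
    after = json.loads(after_json)
    findings = {"added": [], "changed": [], "remote": [], "lifecycle": []}
    for field in DEP_FIELDS:
        old = before.get(field, {})
        new = after.get(field, {})
        for name, spec in new.items():
            if name not in old:
                findings["added"].append((field, name, spec))
            elif old[name] != spec:
                findings["changed"].append((field, name, old[name], spec))
            # A spec pointing at a URL, git repo or local path bypasses registry review.
            if spec.startswith(REMOTE_PREFIXES):
                findings["remote"].append((field, name, spec))
    old_scripts = before.get("scripts", {})
    for hook, cmd in after.get("scripts", {}).items():
        if hook in LIFECYCLE_SCRIPTS and old_scripts.get(hook) != cmd:
            findings["lifecycle"].append((hook, cmd))
    return findings


def needs_manual_review(findings):
    """Require a human look whenever the PR adds code that is fetched or run at install time."""
    return bool(findings["added"] or findings["remote"] or findings["lifecycle"])


if __name__ == "__main__":
    result = diff_dependencies(BEFORE, AFTER)
    for field, name, spec in result["added"]:
        print(f"NEW {field}: {name}@{spec}")
    for field, name, old_spec, spec in result["changed"]:
        print(f"CHANGED {field}: {name} {old_spec} -> {spec}")
    for field, name, spec in result["remote"]:
        print(f"REMOTE {field}: {name} -> {spec}")
    for hook, cmd in result["lifecycle"]:
        print(f"NEW lifecycle hook {hook}: {cmd}")
    print("manual review required:", needs_manual_review(result))
```

Run it in CI against the base and head versions of package.json and fail the check when `needs_manual_review` is true; a new dependency is not proof of anything malicious, but it is the one change in a PR that a reviewer should never wave through on the diff alone.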
Extensions extended to exploit
Hackers took advantage of a loophole in browser extension systems by first publishing clean, legitimate-looking extensions, then quietly pushing malicious updates months or even years later. The updates installed automatically, without user input, allowing attackers to slip past Google and Microsoft’s security filters.
Security firm Koi Security found 18 such extensions on the Chrome and Edge stores, disguised as harmless tools like emoji keyboards and color pickers. In total, the malware-laced extensions reached over 2.3 million users, enabling spying on browsing activity, session hijacking, traffic redirection, and credential theft—all while appearing perfectly trustworthy.
This isn’t just a breach. This is an M&S breach
In a follow-up on its recent ransomware attack, UK-based Marks & Spencer has confirmed that the intrusion began with social engineering. On April 17, attackers impersonated an employee and convinced a third-party IT provider to reset that user’s password, giving them initial access. From there, the threat actors, believed to be the DragonForce ransomware group (linked to Scattered Spider), infiltrated systems, encrypted servers, and exfiltrated roughly 150 GB of data. They used a double-extortion strategy, threatening to leak the data if demands weren’t met.
M&S worked with professional negotiators and has not disclosed whether a ransom was paid. As of now, the stolen data has not appeared on any leak sites.