Cybersecurity News: “SleepyDuck” uses Ethereum, SesameOp abuses OpenAI API, cybercrooks steal physical cargo

In today’s cybersecurity news…

“SleepyDuck” uses Ethereum to keep command server alive

Threat intelligence firm Secure Annex found a malicious Visual Studio extension called “SleepyDuck” that can install a remote access trojan. The extension looked legitimate at first and only turned malicious later, after roughly 14,000 downloads. Once a user opens a Solidity file, the extension collects system details and connects to a command-and-control server every 30 seconds. Secure Annex says the attackers used an Ethereum contract to dynamically update their C2 address to evade blocking, and traced the group behind SleepyDuck to other rogue VS Code extensions that mine Monero through PowerShell scripts. (The Hacker News)
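The fixed 30-second check-in described above is the kind of cadence that stands out in proxy or firewall logs even when the C2 hostname keeps changing. The following is an added example (not code from Secure Annex or the article) of a simple beacon-periodicity check: it groups connections by source host, process and destination, measures the gaps between them, and flags flows whose gaps are nearly constant. The log format, host names, process names and the `.invalid` destinations are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log lines: "<epoch seconds> <source host> <process> <destination host>".
# dev-01 shows a fixed 30-second cadence to one destination (the SleepyDuck-style pattern);
# dev-02 shows irregular, user-driven browsing and should not be flagged.
SAMPLE_LOG = """\
1700000000 dev-01 code.exe c2.example.invalid
1700000030 dev-01 code.exe c2.example.invalid
1700000060 dev-01 code.exe c2.example.invalid
1700000090 dev-01 code.exe c2.example.invalid
1700000120 dev-01 code.exe c2.example.invalid
1700000150 dev-01 code.exe c2.example.invalid
1700000180 dev-01 code.exe c2.example.invalid
1700000011 dev-02 browser.exe news.example.invalid
1700000047 dev-02 browser.exe news.example.invalid
1700000049 dev-02 browser.exe news.example.invalid
1700000133 dev-02 browser.exe news.example.invalid
1700000298 dev-02 browser.exe news.example.invalid
1700000301 dev-02 browser.exe news.example.invalid
1700000702 dev-02 browser.exe news.example.invalid
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, process, dest) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crashing the scan
        ts, src, proc, dest = parts
        events.append((int(ts), src, proc, dest))
    return events


def find_beacons(events, min_events=5, max_cv=0.1):
    """Return flows whose inter-connection intervals are nearly constant.

    A flow is (src, process, dest). It is flagged when it has at least
    `min_events` connections and the coefficient of variation
    (population stdev / mean) of the gaps between them is below `max_cv`.
    Both thresholds are assumptions to tune per environment.
    """
    flows = defaultdict(list)
    for ts, src, proc, dest in events:
        flows[(src, proc, dest)].append(ts)

    findings = []
    for (src, proc, dest), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            findings.append({"src": src, "process": proc, "dest": dest,
                             "interval_s": avg, "count": len(stamps)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} {f['process']} -> {f['dest']}: "
              f"every {f['interval_s']:.0f}s ({f['count']} connections)")
```

Keying the flow on the process as well as the destination is what makes the check useful here: an editor process calling out on a metronome schedule is the anomaly, regardless of which hostname the Ethereum contract currently points at. Real implants often add jitter to their sleep, so `max_cv` is deliberately a parameter rather than a hard zero.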

SesameOp abuses OpenAI Assistants API

Microsoft’s Detection and Response Team discovered a new backdoor called SesameOp that uses the OpenAI Assistants API as a covert command-and-control channel. The malware appears to have been active since July, letting attackers remotely manage infected systems by relaying encrypted commands through OpenAI’s infrastructure instead of traditional malicious servers. Microsoft says SesameOp doesn’t exploit a platform flaw but misuses legitimate API functions for long-term espionage. OpenAI and Microsoft have since disabled the attacker’s account and API key. (Bleeping Computer)

Organized crime cybercrooks steal cargo

Researchers from Proofpoint say cybercriminals are teaming up with organized crime groups to hijack cargo shipments through hacked logistics systems. Attackers gain access to U.S. freight broker load boards, post fake jobs, and infect logistics firms with remote monitoring tools like ScreenConnect or N-able, then intercept delivery information and redirect goods to their own addresses. The stolen goods range from electronics to energy drinks. CargoNet says theft losses hit $112 million in Q3 2025, with hotspots in California, Illinois, Florida, Texas, and Washington. (The Register)

Ukrainian charged in Jabber Zeus cybercrime case

Ukrainian national Yuriy Igorevich Rybtsov has been extradited from Italy to the U.S. to face charges tied to the Jabber Zeus cybercrime group. Allegedly the group’s developer, Rybtsov is said to have helped manage notifications of compromised organizations and launder stolen funds. Jabber Zeus used the Zeus banking trojan and social engineering to steal millions from small- and mid-sized U.S. businesses, funneling money through mules and overseas accounts. The group’s leader, Vyacheslav Penchukov, was sentenced to 18 years in the U.S. last year. (SecurityWeek)

Huge thanks to our sponsor, ThreatLocker

Cybercriminals don’t knock — they sneak in through the cracks other tools miss. That’s why organizations are turning to ThreatLocker. As a zero-trust endpoint protection platform, ThreatLocker puts you back in control, blocking what doesn’t belong and stopping attacks before they spread. Zero Trust security starts here — with ThreatLocker

US cyber experts indicted for BlackCat ransomware attacks

Three former cybersecurity professionals have been indicted for allegedly carrying out BlackCat ransomware attacks against five U.S. companies in 2023. The DOJ says Kevin Martin, a former DigitalMint ransomware negotiator, Ryan Goldberg, a former Sygnia incident response manager, and an unnamed co-conspirator posed as BlackCat affiliates to hack networks, encrypt data, and demand ransoms of up to $10 million. Victims included firms in healthcare, engineering, and pharmaceuticals. (Bleeping Computer)

GDI flaws could enable Windows remote code execution

Check Point Research revealed three newly patched Windows GDI flaws, found by fuzzing EMF/EMF+ files, that could allow remote code execution and information disclosure. They involve out-of-bounds memory access affecting text rendering, thumbnail generation, and print-job initialization. Exploits could let attackers read or write memory without user interaction. Microsoft fixed the issues over the summer with validation checks, boundary trimming, and pointer corrections. The flaws also impacted Microsoft Office for Mac and Android. (Infosecurity Magazine)

Askul confirms data leak after cyberattack

Japanese retailer Askul confirmed a data breach after an October ransomware attack claimed by Russia-linked group RansomHouse. The attack disrupted logistics for major clients, including Muji and The Loft. RansomHouse is known for threatening to publicly release stolen data rather than encrypting it, now claiming to have exfiltrated 1.1TB. (The Record)

More Android apps misusing NFC and HCE

Zimperium zLabs announced it found more than 760 Android apps misusing NFC and Host Card Emulation (HCE) to steal payment data. This points to a surge in NFC relay fraud since April 2024, targeting banks, payment services, and government portals globally, including Russian, European, and Brazilian institutions, and Google Pay. Apps mimic trusted services, exfiltrate card data via Telegram, and let operators run transactions remotely. Zimperium warns any unknown NFC-enabled app requesting payment privileges should be treated as high risk and has published IOCs for the campaign. (Security Affairs)