In today’s cybersecurity news…
Spain arrest over data records
Spanish authorities arrested a 19-year-old in Barcelona for allegedly stealing 64 million personal records from nine companies and attempting to sell them online. The data included names, addresses, emails, phone numbers, DNI numbers, and IBANs. The teen used multiple accounts and pseudonyms on hacker forums. Computers and cryptocurrency wallets linked to the sales were confiscated. Separately, Ukrainian cyberpolice arrested a 22-year-old who sold access to hacked social media accounts using custom malware and a 5,000-account bot farm, facing up to 15 years in prison. (BleepingComputer)
Goodbye, dark Telegram
Kaspersky analyzed more than 800 blocked cybercrime channels on Telegram and found the underground is steadily moving away from the platform due to rising shutdowns. The median lifespan of illicit channels grew from five months in 2021–2022 to nine months in 2023–2024, but blocking activity has accelerated since late 2024. Telegram’s lack of default end-to-end encryption, centralized infrastructure, and closed server code make it less attractive to experienced operators. (Securelist)
Scammers poison AI search results
Scammers appear to be manipulating the public websites that AI tools rely on, causing systems like Google’s AI Overview and Perplexity’s Comet to recommend fraudulent customer support numbers. Researchers at Aurascape’s Aura Labs say attackers are planting spam optimized for generative engines (GEO) and answer engines (AEO) across compromised government and university sites, WordPress blogs, YouTube descriptions, and Yelp reviews. LLMs then scrape and merge this poisoned content into answers that look legitimate. Tests showed bogus numbers for Emirates and British Airways surfaced by both Perplexity and Google. (ZDNet)
React2Shell tied to North Korea
Sysdig researchers say new React2Shell attacks are starting to resemble North Korean intrusion campaigns. The team found a compromised Next.js app dropping EtherRAT, a remote access trojan that uses Ethereum smart contracts for command-and-control and installs five persistence mechanisms. The tooling overlaps with DPRK-linked “Contagious Interview” activity, suggesting either North Korean operators have adopted React2Shell or multiple state groups are sharing techniques. Sysdig says EtherRAT reflects a shift from opportunistic cryptomining to stealthy, long-term access with blockchain-based C2 and resilient persistence. (Infosecurity Magazine)
Huge thanks to our sponsor, Adaptive Security

Humanoid robots go mainstream
Security experts warn that the rise of AI-powered humanoid robots poses new cyber risks, including the potential for physical “botnets.” With forecasts of billions of robots by 2060 across industries and households, vulnerabilities in connectivity, AI learning, and embedded sensors could allow attacks, espionage, or hijacking. A recent proof-of-concept exploited Unitree robots’ Bluetooth interface, allowing wormable malware. Experts predict a new sector for humanoid robot cybersecurity will emerge. (The Register)
Fortinet warns of bypass flaws
Fortinet patched critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could let attackers bypass FortiCloud SSO authentication. The exploits abuse weak cryptographic signature verification by sending crafted SAML messages. FortiCloud SSO is not enabled by default, but admins who have it active should disable it until the patches are applied. Additional fixes address unverified password changes and hash-based authentication bypasses. (BleepingComputer)
Khashoggi widow files complaint
Hanan Elatr Khashoggi has filed a complaint in France alleging Saudi Arabia infected her devices with NSO Group’s Pegasus spyware before Jamal Khashoggi’s 2018 murder. The filing cites Citizen Lab’s analysis showing both her phones were compromised, likely during questioning in the UAE, and argues the interception is linked to events leading to her husband’s death. A French judge will decide whether to investigate. A U.S. judge dismissed her earlier lawsuit against NSO in 2023. (The Record)
CastleLoader as GrayBravo expands malware service
Recorded Future’s Insikt Group has identified four distinct threat clusters using the CastleLoader malware loader, highlighting GrayBravo’s expansion as a malware-as-a-service provider. GrayBravo’s toolkit includes CastleRAT and CastleBot, which deploys DLL, EXE, and PE payloads such as DeerStealer, RedLine Stealer, and NetSupport RAT. The clusters exploit phishing, ClickFix campaigns, fake software updates, and malvertising, often targeting logistics and travel sectors. Operations leverage multi-tiered infrastructure, including Tier 1 C2 servers and VPS backups. (The Hacker News)