Newsletters

Written content from the Risky Business Media team

Russia's Cybercriminals and Spies Are Officially in Cahoots

Presented by Tom Uren, Policy & Intelligence

We've long known that Russian cybercriminals have worked to advance Russian state interests, but the details of the relationship between these criminals and the state have been hard to pin down concretely.

Last week, however, the US Department of Justice (DoJ) used an indictment to tie the Russian cybercriminals behind the DanaBot malware to a second variant of the malware. Rather than stealing bank account credentials or cryptocurrency, the second variant was designed to conduct espionage for the Russian state. 

The DoJ's criminal complaint and indictment accuse 16 defendants of developing and deploying the DanaBot botnet and infostealer.

Risky Bulletin: Dutch intelligence agencies discover a new Russian APT

Presented by Catalin Cimpanu, News Editor

Dutch intelligence agencies have uncovered a new Russian cyber-espionage group while investigating a security breach of the Dutch police force last September.

The new group is tracked as Laundry Bear by Dutch intelligence services AIVD and MIVD and Void Blizzard by Microsoft, which aided in the Dutch investigation.

Among the panoply of Russian APTs, the group appears to be a new cluster that was formed and started operations in mid-2024.

Risky Bulletin: SVG use for phishing explodes in 2025

Presented by Catalin Cimpanu, News Editor

Over the course of the past six months, the SVG image format has become a favorite method of hiding and delivering malicious code for email phishing campaigns.

More than a dozen cybersecurity firms have now noted the rise in SVG payloads in their email security detections: AhnLab, Cloudflare, Forcepoint, Intezer, Kaspersky, Keep Aware, KnowBe4, Mimecast, Sophos, Sublime Security, Trustwave, and VIPRE.

In its Q1 2025 trends report, Sublime Security says SVG payloads now account for 1% of all phishing attempts the company sees.

Risky Bulletin: Authorities and security firms take down DanaBot and Lumma Stealer

Presented by Catalin Cimpanu, News Editor

A coalition of law enforcement agencies and cybersecurity firms has dealt two major blows to the cybercrime ecosystem this week by taking down a prodigious malware botnet named DanaBot and Lumma Stealer (aka LummaC2), today's most popular and widely used infostealer platform.

The Lumma Stealer takedown

The takedowns took place on separate days and were unrelated to each other. The first took place on Wednesday and targeted Lumma, a type of malware that infects Windows systems, extracts login credentials from various apps, and sends them to an attacker's servers.

Telegram Is Cooperating With Authorities, For Now

Presented by Tom Uren, Policy & Intelligence

Telegram's moderation policies have markedly improved, but the jury is out on whether its pivot to more responsible practices will be an enduring one.

This week the messaging app shut down Huione Guarantee and Xinbi Guarantee, two massive Telegram-based criminal marketplaces that connected Southeast Asian fraudsters with criminal services.

Both were 'guarantee marketplaces', where the market administrators facilitated illicit transactions between anonymous buyers and sellers. Their services included the vetting of merchants, escrow services, and bots that monitored transaction fulfillment. Tether's USDT stablecoin was the primary payment method.

Risky Bulletin: EU sanctions more Russian disinformation peddlers

Presented by Catalin Cimpanu, News Editor

The European Union has sanctioned three new clusters associated with Russia's disinformation networks across Africa and Europe.

This is the EU's 17th round of sanctions against Russia over its 2022 invasion and ongoing war in Ukraine. The sanctions are far broader and also target Russia's oil sector, its shadow fleet of oil tankers, and its hybrid warfare activities across Europe, which included extensive sabotage and disinformation campaigns.

We will not cover the entire sanctions package, since that is out of the scope of this newsletter, but only the three clusters that are cyber-adjacent.

Risky Bulletin: Japan passes active cyber defense law

Presented by Catalin Cimpanu, News Editor

The Japanese government passed a new law last week that allows local agencies to carry out preemptive offensive cyber operations to prevent or suppress future attacks on the country's IT infrastructure.

Although named the Active Cyberdefense Law, its scope goes beyond what the name suggests and also includes several other provisions that modernize and upgrade the country's cybersecurity practices as a whole.

The most important section of the new law is not the part about "active cyber defense" but the part that overhauls some of Japan's data collection practices.

Risky Bulletin: Chrome will de-elevate itself when run with admin privileges

Presented by Catalin Cimpanu, News Editor

Google Chrome will inherit a security feature from Microsoft Edge that will automatically prevent Windows users from launching the browser with elevated admin privileges.

The new feature stops and relaunches the browser with normal user-level permissions every time a user tries to run it as an Administrator.

Chrome will only run with admin rights if passed special command-line arguments or when it's started in Automation Mode—to prevent the browser from breaking complex software automation chains.

Chinese Mobile App Encryption is Suspiciously Awful

Presented by Tom Uren, Policy & Intelligence

A new paper from researchers at Princeton and The Citizen Lab has found that apps from Xiaomi's Mi Store, which serves mainland China, are an encryption horror show. Compared to apps found in Google's Play Store, Mi Store apps send significantly more unencrypted traffic, and the encrypted traffic they do send is typically vulnerable to decryption by eavesdroppers.

The researchers examined the top 1,699 apps from the Google Play Store and the Mi Store (more than 800 from each store) and ran them through a measurement pipeline they called WireWatch. The researchers developed WireWatch to automatically identify non-standard encryption. 

It found that nearly half of the top Mi Store apps used proprietary encryption. Only 3.51% of the top Google Play Store apps do the same. The authors then reverse-engineered the nine most popular cryptosystems identified by WireWatch. They found that eight of them sent network traffic that was vulnerable to decryption by adversaries. 

Risky Bulletin: EU launches its own vulnerability database

Presented by Catalin Cimpanu, News Editor

The EU's cybersecurity agency ENISA has launched its own vulnerability database designed to aggregate information on software bugs across the European ecosystem.

Although some infosec researchers might think this is the EU's reaction to the recent MITRE funding issues in the US, the new EUVD database was coming anyway, regardless of what was happening to the CVE program.

The EU actually ordered ENISA to create the new database via the NIS2 directive that passed in December 2022—see paragraphs 62 and 63.