San Mateo, CA, December 8, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
CISA and partners publish AI security guidance for critical infrastructure
U.S. and international cybersecurity agencies issued new joint guidance outlining how critical infrastructure operators can safely integrate AI into their technology, addressing the efficiency gains machine learning and large language models promise while warning that they also introduce unique risks to critical systems. Developed by CISA and Australia’s cyber agency, with support from partners including the U.K.’s NCSC, the document urges operators to map AI risks, enforce secure development practices, and protect sensitive OT data, such as engineering schematics and process measurements, that may be exposed during model training. It also calls for governance frameworks that keep model testing, regulatory compliance, and transparency central as vendors embed more AI directly into devices. Agencies highlight the need to vet software supply chains, test integrations in controlled environments, and maintain human oversight to catch anomalies and ensure failsafe operation. Read more.
FBI warns of new virtual kidnapping scams
The FBI has warned that criminals are manipulating images taken from social media to create fake proof-of-life photos for virtual kidnapping scams. The scheme pressures victims into paying ransoms even though no abduction has occurred. Officials say scammers contact targets by text, claim to hold a loved one, threaten violence, and send altered photos that appear convincing until closely compared with genuine images. The agency urges people to stay calm, verify claims directly with the person supposedly being held, avoid sharing personal details publicly, and establish family code words to authenticate emergencies. It also advises capturing screenshots of any proof-of-life images for later analysis. The FBI notes that scammers often use timed messages and spoofed numbers to intensify pressure on victims’ families during these stressful events. Read more.
DPRK runs identity-rental scheme to infiltrate tech firms
Famous Chollima, a North Korean subgroup of Lazarus, is running a wide-ranging identity-rental scheme that recruits developers and engineers willing to act as fronts for DPRK IT workers seeking jobs inside Western companies. Researchers found that the group uses social engineering, fake recruiter personas, deepfake videos, and stolen identities to secure positions at major firms. According to threat specialist Mauro Eldritch, the engineer who lends their identity assumes all legal and financial risk because their identity, hardware, and accounts become the operational mask for North Korean agents. Eldritch and colleague Heiner García set up a honeypot to study the operation, allowing a DPRK recruiter to connect through Astrill VPN and reveal tools, AI interview helpers, OTP extensions, and workflow details. Their findings show a coordinated team using GitHub spam, KYC-verified accounts, and demands for 24/7 remote access to infiltrate companies. Read more.
ShadyPanda extensions hijack millions of browsers
A sophisticated malware campaign infected 4.3 million Chrome and Edge users after ShadyPanda spent years publishing legitimate-looking extensions that quietly accumulated trust before receiving poisoned updates in mid-2024. Koi researchers said the China-based group exploited a persistent marketplace weakness: store reviewers examine an extension only at submission, and, as the researchers put it, “they don’t watch what happens after approval.” Because updates are pushed to installed extensions automatically, an extension vetted once cannot be treated as vetted forever. The updated extensions fetch and execute remote code every hour, harvesting browsing histories, search queries, credentials, cookies, and full interaction data while giving the operators complete control of the browser. A second set of Edge extensions remained active with more than 4 million installs, including WeTab. Earlier phases focused on affiliate fraud, but the latest updates created persistent backdoors across millions of systems, posing privacy and security risks for users. Read more.
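The practical consequence of “they don’t watch what happens after approval” is that the watching has to happen on the endpoint. The following is an added example, not code from Koi or from this page: a Node.js check that compares a baseline snapshot of installed-extension manifests against a current snapshot and flags the drift a poisoned update produces (a version bump accompanied by new sensitive permissions, broad host access combined with cookie or history access, and a content script injected on every page alongside a background worker). The manifests, extension IDs and the permission lists are constructed for illustration; on a real machine the manifests are read from each `Extensions/<id>/<version>/manifest.json` under the browser profile.

```javascript
// Added example (not part of the NetworkTigers page or Koi's research):
// detect permission and version drift between two snapshots of installed
// browser-extension manifests. Sample data below is constructed.

// Permissions that, combined with broad host access, enable the harvesting
// described above (history, cookies, page content, request interception).
// This list is an assumption for the example, not a browser-defined category.
const SENSITIVE_PERMISSIONS = new Set([
  'cookies', 'history', 'tabs', 'webRequest', 'webNavigation',
  'scripting', 'declarativeNetRequest', 'clipboardRead',
]);
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Merge "permissions" (MV2 also puts host patterns here) with "host_permissions" (MV3).
function permissionSet(manifest) {
  const perms = new Set(manifest.permissions || []);
  for (const h of manifest.host_permissions || []) perms.add(h);
  return perms;
}

function hasBroadHostAccess(perms) {
  for (const p of perms) if (BROAD_HOSTS.has(p)) return true;
  return false;
}

// Returns alert strings for a single extension id; `before` is undefined for a new install.
function auditExtension(id, before, after) {
  const alerts = [];
  const prev = before ? permissionSet(before) : new Set();
  const curr = permissionSet(after);
  if (before && before.version !== after.version) {
    alerts.push(`${id}: version ${before.version} -> ${after.version}`);
  }
  const added = [...curr].filter((p) => !prev.has(p));
  const addedSensitive = added.filter((p) => SENSITIVE_PERMISSIONS.has(p) || BROAD_HOSTS.has(p));
  if (addedSensitive.length) {
    alerts.push(`${id}: new sensitive permissions ${addedSensitive.join(', ')}`);
  }
  if (hasBroadHostAccess(curr)) {
    const sens = [...curr].filter((p) => SENSITIVE_PERMISSIONS.has(p));
    if (sens.length) alerts.push(`${id}: broad host access combined with ${sens.join(', ')}`);
  }
  // A content script on every page plus a background worker is the shape needed
  // for continuous harvesting; flag it even when the permission set did not change.
  const everyPage = (after.content_scripts || []).some(
    (cs) => (cs.matches || []).some((m) => BROAD_HOSTS.has(m)),
  );
  if (everyPage && after.background) {
    alerts.push(`${id}: content script on all pages with a background worker`);
  }
  return alerts;
}

// Audit every extension present now, and report extensions that disappeared.
function auditSnapshots(baseline, current) {
  const alerts = [];
  for (const [id, manifest] of Object.entries(current)) {
    alerts.push(...auditExtension(id, baseline[id], manifest));
  }
  for (const id of Object.keys(baseline)) {
    if (!(id in current)) alerts.push(`${id}: removed`);
  }
  return alerts;
}

// Constructed sample: a benign-looking tab manager before and after a poisoned
// update. The ids are placeholders, not the extensions named in the report.
const BASELINE_SNAPSHOT = {
  'ext-tabtools': { version: '1.4.0', permissions: ['storage', 'tabs'], host_permissions: [] },
  'ext-notes': { version: '2.0.1', permissions: ['storage'] },
};
const CURRENT_SNAPSHOT = {
  'ext-tabtools': {
    version: '1.5.0',
    permissions: ['storage', 'tabs', 'cookies', 'history', 'webRequest'],
    host_permissions: ['<all_urls>'],
    background: { service_worker: 'bg.js' },
    content_scripts: [{ matches: ['<all_urls>'], js: ['cs.js'] }],
  },
  'ext-notes': { version: '2.0.1', permissions: ['storage'] },
};

for (const a of auditSnapshots(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)) console.log('ALERT', a);
```

Run on a schedule, the baseline is the previous run’s snapshot, so an extension that was quiet for years and then ships a permission-expanding update surfaces on the day the update lands, which is exactly the window the store review misses.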
U.S. shuts down domain tied to Burma scam compound
U.S. agents seized the tickmilleas.com domain, which the DOJ said was run from Burma’s Tai Chang compound to display fake trading balances and lure victims into fraudulent crypto investments. The FBI identified multiple victims within weeks of the domain’s November 2025 registration, prompting Google and Apple to remove linked apps and Meta to take down more than 2,000 associated accounts after receiving alerts. The action comes as Cambodia’s sanctioned Huione Group collapses under U.S. and U.K. pressure, underscoring a wider crackdown on regional scam-compound networks that Interpol says rely on trafficked workers to conduct romance and investment fraud. Officials noted that two additional Tai Chang-related domains were recently seized, reflecting an expanding effort to disrupt crypto schemes across Southeast Asia. Read more.
North Korea launches persistent npm poisoning operation
North Korea’s Contagious Interview campaign has escalated into a persistent npm poisoning operation that has pushed more than 197 malicious packages and logged over 31,000 downloads. The operation uses fake recruiter outreach and test assignments to target blockchain and Web3 developers with OtterCookie and BeaverTail malware that establishes C2 access, steals credentials, and enables remote payload delivery. Socket researchers traced packages like tailwind-magic to a GitHub and Vercel-based delivery stack that shows how “North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows.” Experts warn that the campaign’s continuous operation mirrors legitimate software shipping practices, underscoring the need for stronger dependency governance and risk tooling across development environments. Read more.
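Since the lure is a coding test that the target is expected to `npm install` and run, the cheapest control is a lockfile gate that runs before install scripts do. The block below is an added example, not code from Socket or from this page: it reads the `packages` map of an npm lockfile (lockfileVersion 2 or 3), where npm records `hasInstallScript` for any package with preinstall, install or postinstall hooks, `resolved` for the tarball origin and `integrity` for its hash, and flags new or changed packages that run install scripts, anything resolved from outside the registry, and entries without an integrity hash. The two lockfiles, the package names and the allowed registry host are constructed for illustration.

```javascript
// Added example (not Socket's tooling and not code from the NetworkTigers page):
// a policy gate over an npm lockfile's "packages" map. Sample data is constructed.

const REGISTRY = 'https://registry.npmjs.org/'; // assumed: the only allowed tarball origin

// Derive the package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function packageName(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns [{ name, version, flags }] for every package that trips a rule.
// `previousLock` (optional) is the lockfile from the last reviewed commit, so that
// newly added and version-changed packages can be distinguished from known ones.
function auditLockfile(lock, previousLock = null, opts = {}) {
  const registry = opts.registry || REGISTRY;
  const prev = previousLock ? previousLock.packages || {} : {};
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const flags = [];
    if (meta.hasInstallScript) flags.push('install-script');
    if (!meta.resolved || !meta.resolved.startsWith(registry)) flags.push('non-registry-source');
    if (!meta.integrity) flags.push('no-integrity');
    if (previousLock) {
      if (!(path in prev)) flags.push('new-package');
      else if (prev[path].version !== meta.version) {
        flags.push(`version-change:${prev[path].version}->${meta.version}`);
      }
    }
    if (flags.length) findings.push({ name: packageName(path), version: meta.version, flags });
  }
  return findings;
}

// Block policy (an assumption for the example): any non-registry source is refused,
// and so is a new or changed package that runs an install script.
function shouldBlock(findings) {
  return findings.some((f) => {
    const changed = f.flags.some((x) => x === 'new-package' || x.startsWith('version-change:'));
    return f.flags.includes('non-registry-source') || (changed && f.flags.includes('install-script'));
  });
}

// Constructed sample: the lockfile from the last reviewed commit.
const PREVIOUS_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'assignment', version: '1.0.0' },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-constructed-value',
    },
  },
};

// Constructed sample: the lockfile shipped with a "test assignment". The two added
// packages are placeholders, not the packages named in the report.
const CURRENT_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'assignment', version: '1.0.1' },
    'node_modules/lodash': PREVIOUS_LOCK.packages['node_modules/lodash'],
    'node_modules/assignment-sdk-helper': {
      version: '0.1.3',
      resolved: 'https://registry.npmjs.org/assignment-sdk-helper/-/assignment-sdk-helper-0.1.3.tgz',
      integrity: 'sha512-constructed-value',
      hasInstallScript: true,
    },
    'node_modules/ui-widgets': {
      version: '2.0.0',
      resolved: 'https://example.com/tarballs/ui-widgets-2.0.0.tgz',
    },
  },
};

const findings = auditLockfile(CURRENT_LOCK, PREVIOUS_LOCK);
for (const f of findings) console.log(`${f.name}@${f.version}: ${f.flags.join(', ')}`);
console.log(shouldBlock(findings) ? 'BLOCK install' : 'OK');
```

Running this in CI (or as a pre-install hook on developer machines) does not identify BeaverTail or OtterCookie by name; it refuses the two delivery shapes the campaign relies on, a freshly added package that executes at install time and a tarball fetched from somewhere other than the registry, and leaves the decision to a human when `--ignore-scripts` is not already the default.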
Europol dismantles $1.5B Cryptomixer laundering service
European authorities shut down Cryptomixer after alleging the mixing service laundered more than $1.5 billion for cybercriminals, with a weeklong Operation Olympia seizing nearly $28 million in Bitcoin, multiple servers, the cryptomixer.io domain, and twelve terabytes of data. Europol calls the platform a preferred hub for laundering funds by ransomware groups, payment card fraud operators, and drug and weapons traffickers, noting that its randomized pooling and redistribution process helps criminals anonymize funds before cashing out on exchanges. TRM Labs links the Lazarus Group to the use of Cryptomixer before its shift to faster, automated laundering tied to high-volume attacks, including February’s $1.46 billion Bybit theft. The case follows 2023’s ChipMixer takedown and shows a sustained multinational push to dismantle crypto laundering infrastructure. Read more.
Phishing wave uses fake Calendly invites to steal accounts
An ongoing phishing campaign impersonates major brands to deliver Calendly-themed lures that steal Google Workspace and Facebook business account credentials. Push Security reports that attackers craft highly targeted emails impersonating more than 75 companies and posing as recruiters, sending meeting invitations that lead to fake Calendly pages. Victims encounter CAPTCHAs and adversary-in-the-middle (AiTM) pages that proxy the real login and capture the resulting session, so a password alone is not what is lost. Variants use Browser-in-the-Browser windows and anti-analysis controls to expand reach and block scrutiny. Attackers also abuse Google Search ads to redirect users to Google Ads-themed phishing pages. Compromised marketing accounts enable malvertising, further AiTM phishing, and resale on cybercriminal markets. Read more.
Tomiris resurfaces with upgraded multi-language toolkit
The Tomiris threat group has reemerged with a refined global campaign aimed at foreign ministries and government agencies, shifting its strategy in early 2025 toward diplomatic targets. Kaspersky analysts writing on Securelist said the group’s blend of custom implants and open-source tools “makes attribution and mitigation significantly more challenging,” highlighting its expansion into Go, Rust, C, C++, and Python. Attacks begin with precise spear-phishing that relies on password-protected archives and predictable passwords, such as min@2025, to evade scanners. Payloads establish persistence, use Telegram and Discord as covert command channels, and deploy frameworks such as Havoc and AdaptixC2. A new Rust-based downloader performs discreet reconnaissance, catalogs sensitive files, and triggers staged payload retrieval designed to minimize detection across infected government networks worldwide. Read more.
Congress pushes steep penalties for AI-enabled fraud
A bipartisan House proposal called the AI Fraud Deterrence Act would sharply increase criminal penalties for fraud and impersonation carried out with AI, raising fines for mail, wire, bank and money laundering schemes to as much as $2 million and establishing prison terms of up to 30 years for offenders who use AI-generated audio, video or text. The bill also allows fines of up to $1 million and three-year sentences for impersonating government officials. Rep. Ted Lieu said “both everyday Americans and government officials have been victims of fraud and scams using AI,” citing recent incidents involving impersonations of senior U.S. leaders, including Susie Wiles and Secretary of State Marco Rubio, along with misuse of the likenesses of Taylor Swift and Joe Biden. Read more.
More cybersecurity news
- Last week’s news
- More cybersecurity news
- All articles sponsored by NetworkTigers
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
