San Mateo, CA, March 31, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Russian hackers pose as CIA in Ukraine intelligence grab
A recently uncovered cyber espionage campaign shows Russian hackers impersonating the U.S. Central Intelligence Agency, among other organizations, to steal sensitive information from Russian defectors and Ukraine sympathizers. Using phishing websites that mimic official pages of legitimate organizations, the hackers target individuals who seek to share information with Western agencies. Identified by Silent Push threat researchers, the campaign comprises phishing clusters that spoof “not only the CIA but also the Russian Volunteer Corps, Legion Liberty, and Hochuzhit (an appeals hotline for Russian service members in Ukraine operated by the Defense Intelligence of Ukraine).” It is believed that state-sponsored threat actors or official Russian Intelligence Services are running the operation. Read more.
Morphing Meerkat phishing kit targets 114 global brands
Infoblox has reported on a new phishing-as-a-service (PhaaS) platform, dubbed Morphing Meerkat, that looks up the victim's Domain Name System mail exchange (MX) records to decide which fake login page to serve. The platform can impersonate around 114 brands. “The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram,” the company said in a report. The campaign is believed to have sent thousands of spam emails and can translate its scam content into more than a dozen languages. The most sophisticated aspect of the kit is its use of DNS MX records to “identify the victim’s email service provider (e.g., Gmail, Microsoft Outlook, or Yahoo!) and dynamically serve fake login pages.” According to Infoblox, “the overall phishing experience feels natural because the design of the landing page is consistent with the spam email’s message. This technique helps the actor trick the victim into submitting their email credentials via the phishing web form.” Read more.
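Two pieces of the chain Infoblox describes, written here as an added illustration rather than the kit's or Infoblox's own code: picking a brand template from the recipient domain's MX records, and spotting the open-redirect links that such campaigns ride on. The MX records and URLs below are constructed sample input so the script runs offline; a live version would resolve the domain with a DNS library such as dnspython (an assumption, not used here), and the hostname patterns are assumptions drawn from publicly documented provider MX names, not from the report.

```python
"""MX-based provider fingerprinting and open-redirect detection (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Provider -> regex over the primary MX hostname.  Assumed patterns based on
# well-known MX names (aspmx.l.google.com, *.mail.protection.outlook.com, ...).
PROVIDER_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("Gmail / Google Workspace", re.compile(r"(?:^|\.)(?:google|googlemail)\.com$", re.I)),
    ("Microsoft 365 / Outlook", re.compile(r"\.mail\.protection\.outlook\.com$", re.I)),
    ("Yahoo", re.compile(r"\.yahoodns\.net$", re.I)),
    ("Proofpoint (relay)", re.compile(r"\.pphosted\.com$", re.I)),
]


def classify_mx(mx_records: Iterable[Tuple[int, str]]) -> Optional[str]:
    """Return the provider name for the lowest-preference MX host, or None.

    mx_records are (preference, hostname) pairs as a resolver would return them.
    This is the lookup a PhaaS kit performs to choose the lookalike page; a
    defender can run the same lookup to know which brand page to expect.
    """
    ordered = sorted(mx_records, key=lambda rec: rec[0])
    if not ordered:
        return None
    primary = ordered[0][1].rstrip(".")
    for provider, pattern in PROVIDER_PATTERNS:
        if pattern.search(primary):
            return provider
    return None


# Query-parameter names commonly used by redirectors (assumed list).
REDIRECT_PARAM_HINTS = {"redirect", "redirect_url", "url", "next", "dest",
                        "target", "goto", "return", "continue", "r", "u"}


def find_open_redirect(url: str) -> Optional[str]:
    """Return the external URL a redirector-style parameter points to, if any.

    parse_qs already decodes one layer of percent-encoding; unquote() strips a
    second layer so double-encoded targets are still seen.  Targets on the same
    host as the link are ignored, since those are ordinary in-site navigation.
    """
    parsed = urlparse(url)
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if key.lower() not in REDIRECT_PARAM_HINTS:
            continue
        for value in values:
            candidate = unquote(value)
            target = urlparse(candidate)
            if (target.scheme in ("http", "https") and target.hostname
                    and target.hostname != parsed.hostname):
                return candidate
    return None


# Constructed sample data (not from any real campaign).
SAMPLE_MX: Dict[str, List[Tuple[int, str]]] = {
    "victim-one.example": [(10, "alt1.aspmx.l.google.com."), (1, "aspmx.l.google.com.")],
    "victim-two.example": [(0, "victim-two-example.mail.protection.outlook.com.")],
    "victim-three.example": [(1, "mta5.am0.yahoodns.net.")],
    "selfhosted.example": [(10, "mail.selfhosted.example.")],
}
SAMPLE_LINK = ("https://ads.example.com/click?id=42"
               "&redirect=https%3A%2F%2Flogin-portal.example.net%2Fm365")

if __name__ == "__main__":
    for domain, records in SAMPLE_MX.items():
        print(f"{domain:22} -> {classify_mx(records)}")
    print("redirect target:", find_open_redirect(SAMPLE_LINK))
```

For a mail gateway, the useful inversion is the defender's: resolve your own MX, and treat any inbound link whose final landing page impersonates a *different* provider as trivially suspect, while links that land on your real provider's brand deserve the closer look, since that is exactly the page this kit will produce.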
Pentagon warns Russian hackers target Signal messaging app
Days after top U.S. officials inadvertently invited a journalist into a Signal group chat discussing military strikes in Yemen, the Pentagon has issued a warning regarding use of the app. “Russian professional hacking groups are employing the ‘linked devices’ features to spy on encrypted conversations,” reads the notice. It also says that Google has identified Russian hackers “targeting Signal Messenger to spy on persons of interest.” A 2023 memo had already warned against using Signal for nonpublic official information. “These are things that are absolutely basic,” John Bolton, former national security adviser during the first Trump administration, told NPR’s Here & Now. “Yet these are Cabinet-level people in our government, and yet not one of them ever said, ‘Why are we on Signal?’” Read more.
Chinese hackers spent four years hidden in Asian telecom
A major Asian telecommunications company was breached by Chinese state-sponsored hackers who then spent four years inside its network without being detected. The findings come from incident response firm Sygnia, which said, “using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage… The group behind this intrusion […] aimed to gain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting sensitive information.” The activity is tracked under the name Weaver Ant, and Sygnia said it shows all the hallmarks of Chinese cyber espionage, noting that “the modus operandi of Chinese-nexus intrusion sets typically involves the sharing of tools, infrastructure, and occasionally manpower—such as through shared contractors.” Read more.
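The persistence mechanism Sygnia names, web shells on internet-facing servers, leaves a recognisable shape in ordinary access logs: a script file that receives a stream of POST requests from one or two addresses, with no Referer (nothing links to it), and that no legitimate user ever loads with a GET. The hunt below is an added example of that heuristic, not Sygnia's tooling or anything specific to Weaver Ant; the log lines are constructed (combined-log format as Apache and many IIS configurations emit it), and the thresholds are assumptions to tune against your own traffic. Tunneling, the other technique mentioned, needs a different hunt (long-lived connections and unusual byte ratios) and is not covered here.

```python
"""Web-shell hunting over web server access logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log (combined log format).  Not real data.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /index.aspx HTTP/1.1" 200 5120 "https://portal.example/" "Mozilla/5.0"
10.0.0.5 - - [20/Mar/2025:10:01:05 +0000] "POST /login.aspx HTTP/1.1" 302 0 "https://portal.example/index.aspx" "Mozilla/5.0"
203.0.113.9 - - [20/Mar/2025:10:02:10 +0000] "POST /uploads/help.aspx HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.9 - - [20/Mar/2025:10:02:11 +0000] "POST /uploads/help.aspx HTTP/1.1" 200 2231 "-" "python-requests/2.31"
203.0.113.9 - - [20/Mar/2025:10:02:15 +0000] "POST /uploads/help.aspx?cmd=1 HTTP/1.1" 200 98 "-" "python-requests/2.31"
10.0.0.7 - - [20/Mar/2025:10:03:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 3000 "https://portal.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions a dropped web shell typically uses (assumed list).
SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp", ".jspx")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-log line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def hunt_webshells(log_text: str, min_posts: int = 3, max_ips: int = 2) -> List[Dict]:
    """Flag script paths that look like web shells.

    A path is reported when it (1) receives at least min_posts POSTs, (2) every
    one of those POSTs arrives without a Referer, (3) nobody ever GETs it, and
    (4) the traffic comes from at most max_ips distinct client addresses.
    """
    stats = defaultdict(lambda: {"posts": 0, "gets": 0, "no_referer": 0,
                                 "ips": set(), "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        entry = stats[path]
        entry["ips"].add(rec["ip"])
        entry["uas"].add(rec["ua"])
        if rec["method"] == "POST":
            entry["posts"] += 1
            if rec["referer"] in ("", "-"):
                entry["no_referer"] += 1
        elif rec["method"] == "GET":
            entry["gets"] += 1

    findings = []
    for path, entry in stats.items():
        if (entry["posts"] >= min_posts and entry["gets"] == 0
                and entry["no_referer"] == entry["posts"]
                and len(entry["ips"]) <= max_ips):
            findings.append({
                "path": path,
                "posts": entry["posts"],
                "ips": sorted(entry["ips"]),
                "user_agents": sorted(entry["uas"]),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt_webshells(SAMPLE_LOG):
        print(finding)
```

On a real estate of servers the output list is a triage queue, not a verdict: confirm each hit by checking the file's creation time against deployments and reading it, since a four-year dwell time means the shell may be older than anyone's memory of the server.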
Top U.S. officials mistakenly add journalist to Signal war chat
The Atlantic’s editor-in-chief, Jeffrey Goldberg, was accidentally added to a group chat of top-ranking Trump administration officials that included discussion of “operational details of forthcoming strikes on Iran-backed Houthi rebels in Yemen, including information about targets, weapons the U.S. would be deploying, and attack sequencing.” It is not yet known whether the details discussed in the chat, whose members included Vice President JD Vance, Defense Secretary Pete Hegseth, Secretary of State Marco Rubio, and Director of National Intelligence Tulsi Gabbard, were classified. Those involved, as well as President Trump, have downplayed the error with jokes and memes, while a bipartisan response from the government seeks to understand not only how Goldberg’s presence in the chat went unnoticed but also why top officials were using Signal to discuss war plans and what the implications are for national security. Read more.
California moves to ban AI-only hiring and firing decisions
Introduced by Senator Jerry McNerney, California’s “No Robo Bosses Act” would “bar California employers from solely using artificial intelligence tools or other automated decision-making systems to make hiring, promotion, discipline, or termination decisions without human oversight.” Of the bill’s intent, McNerney told StateScoop in a recent interview, “I want to make sure that AI is beneficial and not harmful. And having an AI management of a person’s life seems to me to be detrimental, and so I want to make sure there’s a human in the loop.” The bill would also prohibit the use of AI systems that feed workers’ personal information into predictive models, which are widely used in transportation, weather forecasting, health care, and other industries. Read more.
Nearly 248,000 mobile banking users hit with malware
2024 saw mobile banking malware surge, with almost 248,000 users victimized, up from 69,000 in 2023, a 3.6-fold increase. The uptick marks a dramatic turn as cybercriminals home in on mobile platforms and social engineering to steal from unsuspecting victims. Infection chains include fraudulent app stores and phishing sites offering malicious downloads. Once installed, the malware requests administrative permissions that “allow it to intercept authentication codes and overlay legitimate banking apps with phishing screens.” The most prolific families observed include Mamont, which accounted for 36.7% of all mobile banking malware attacks, Agent.rj, and UdangaSteal.b. Read more.
VanHelsing ransomware debuts with user-friendly service
Since its launch on March 7, 2025, the VanHelsing ransomware-as-a-service operation has claimed three victims with ransom demands as high as $500,000. A report published by Check Point highlights the details of the new service: “The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20% … The only rule is not to target the Commonwealth of Independent States (CIS).” The $5,000 deposit is only required of new users, while reputable, experienced affiliates can join for free. VanHelsing offers a control panel that works on desktop and mobile devices and even supports dark mode. Read more.
California AG urges customers to delete 23andMe data
Biotech firm 23andMe has declared bankruptcy, leading experts and privacy advocates to voice concern over what will happen to the company’s trove of customer genetic data. California Attorney General Rob Bonta reminds customers that they can have their data deleted under California’s Genetic Information Privacy Act (GIPA) and the California Consumer Privacy Act (CCPA). These two laws give Californian customers the right to have their genetic data deleted from 23andMe, to revoke permission for their genetic data to be used in research, and to have their 23andMe test sample destroyed. 23andMe, despite its recent troubles, remains operational, with the company saying it is still “open for business, and there are no changes to the way we store, manage or protect customer data.” Read more.
North Korea sets up AI-powered hacking division
According to Daily NK, a North Korea-focused news outlet, the country has established a new unit within its Reconnaissance General Bureau (RGB) intelligence agency to focus on “offensive hacking technologies and programs.” Daily NK reports that the Research Center 227 unit, “will research Western cybersecurity systems and computer networks, strengthening the regime’s capabilities to steal digital assets; develop AI-based techniques for information theft; and work to respond to information from North Korean overseas hacking units.” Financially motivated North Korean hacker groups have stolen millions in cryptocurrency to fund the country’s weapons and defense programs, and the FBI has accused RGB of hacking and espionage campaigns. Read more.
- All articles sponsored by NetworkTigers
