CTO at NCSC Summary: week ending June 22nd
‘States don’t do hacking for fun’
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note over than the malware reports NCSC UK released for capability targeting Fortinet devices..
In the high-level this week:
‘States don’t do hacking for fun’: NCSC expert urges businesses to follow geopolitics as defensive strategy - ITPro reports - from a couple of weeks back but worth reminding as it features our own Chich - “They do not do things for the sake of it. There is always a reason. We might not know the reason sometimes and that's quite a challenge for us, but we shouldn't assume that they're just doing it because they can.”
Security principles for protecting the most sensitive personal information in datasets - NCSC UK updates - “How to identify and protect against the risks associated with sensitive personal information in your data holdings.”
An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts - Canadian Government first reads - “requires designated operators to, among other things, establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions;”
Quarter One Cyber Security Insights 2025 - NCSC NZ publishes - “In the first quarter of 2025, the NCSC responded to 1,369 incident reports through its two distinct triage processes. Of these, 77 incidents were triaged for specialist support because of their potential national significance.”
Introducing Passkeys on Facebook for an Easier Sign-In - Meta announces - another joints the Passkeys movement - “We’re introducing passkeys on Facebook for mobile devices, offering another tool to safeguard your privacy and security. Passkeys are a new way to verify your identity and log in to your account that’s easier and more secure than traditional passwords.”
BIS Needs to Improve Its Incident Response Capabilities to Handle Sophisticated Cyberattacks - U.S. Department of Commerce Office of Inspector General Office of Audit and Evaluation publishes - the transparency here should be celebrated
BIS lacked effective detection and response capabilities to handle our simulated malicious activities
BIS misconfigured critical security controls for its export control networks
BIS mishandled classified and other privileged credentials
Europe and Australia commit to Security and Defence Partnership - European Commission publishes - “The Partnership will provide a framework for current and future cooperation including in areas such as defence industry, cyber and counter-terrorism.”
The EU Cybersecurity Index 2024 - European Union Agency for Cyber Security publishes - “The EU Cybersecurity Index (EU-CSI) is a tool, developed by ENISA in collaboration with the Member States, to describe the cybersecurity posture of Member States and the EU.”
EU adopts blueprint to better manage European cyber crises and incidents - Council of Europe adopts - “The EU cyber blueprint aims to tackle an increasingly complex cyber threat landscape by strengthening existing EU networks, fostering cooperation between member states and actors involved, and overcoming hurdles that may exist.”
Ukrainian Intel Wipes Out Russian Telecom in Massive Cyberattack - Kyiv Post reports - “Ukrainian cyberattack cripples major Russian provider Orion Telecom, leaving uranium mining city offline and erasing 370 servers, 500 switches, and all backups, intel sources say.”
[Japanese] National Police Agency Commissioner General orders "Thorough information and communication measures for the World Expo, measures against cyber attacks" - The Sankei Shimbun reports - “He also instructed them to strengthen recruitment efforts at science and engineering universities, vocational schools, and technical high schools that have faculties and departments such as information engineering, in order to secure human resources for the information and communications sector.”
Interchain Labs says former Cosmos maintainers unknowingly onboarded North Korea-linked actor, finds no security issues and doubles bounty - The Block reports - “Interchain Labs has confirmed that an individual later identified as being linked to North Korea contributed to Cosmos repositories while employed by former maintainers between 2022 and 2024.”
Too Much of a Good Thing: (In-)Security of Mandatory Security Software for Financial Services in South Korea - Korea University and Sungkyunkwan University publish - “Our analysis uncovered critical flaws, including inconsistencies with web browser threat models, improper TLS usage, sandbox violations, and inadequate privacy safeguards. We identified 19 vulnerabilities that expose users to serious risks, such as keylogging, man-in-the-middle attacks, private key leakage, remote code execution, and device fingerprinting.”
Reporting on/from China
China Unleashes Hackers Against Its Friend Russia, Seeking War Secrets - New York Times reports - “One Chinese government-funded group has targeted Rostec, the powerful Russian state-owned defense conglomerate, seeking information on satellite communications, radar and electronic warfare”
Hacking started before 2022… longer and more widespread? - JTBC reports - “a Chinese hacking group is behind the SK hacking incident, and there are even concerns about confidentiality leaks. In addition, it has been found that SK Telecom was hacked even earlier than initially reported in 2022.”
Viasat identified as victim in Chinese Salt Typhoon cyberespionage, Bloomberg News reports - Reuters reports - "Viasat believes that the incident has been remediated and has not detected any recent activity related to this event," the company said, adding that it was engaged with the government as part of its investigation.
China and Taiwan Trade Cybersecurity Accusations - The Diplomat reports - “China too faces many allegations from foreign governments and cybersecurity researchers that it has conducted multiple cyberattacks against Taiwan.”
AI
The Impact of Artificial Intelligence on the Cybersecurity Workforce - NIST publishes - “While the Competency Area will contain a broad, basic set of Knowledge and Skill statements, NICE Framework Work Roles may need to be updated or developed to address the impact of AI.”
Detecting the Abuse of Generative AI in Cybersecurity Contexts: Challenges, Frameworks, and Solutions - Journal of Data Analysis and Critical Management publishes - “This paper suggests a conceptual model for detecting generative AI abuse in cybersecurity scenarios. The framework consists of behavioral analysis, AI-based content fingerprinting, and adversarial prompt detection to learn misuse patterns.”
CyberGym: Evaluating AI Agents' Cybersecurity Capabilities with Real-World Vulnerabilities at Scale - University of California, Berkeley publishes - “Our evaluation across 4 state-of-the-art agent frameworks and 9 LLMs reveals that even the best combination (OpenHands and Claude-3.7-Sonnet) achieves only a 11.9% reproduction success rate, mainly on simpler cases. Beyond reproducing historical vulnerabilities, we find that PoCs generated by LLM agents can reveal new vulnerabilities, identifying 15 zero-days affecting the latest versions of the software projects” - what this work omits is that the vulnerabilities found would likely be mitigated by other mitigations..
Cyber proliferation
Italy: New case of journalist targeted with Graphite spyware confirms widespread use of unlawful surveillance - Amnesty discloses - “The discovery that Paragon’s highly invasive Graphite spyware has been unlawfully used against yet another journalist in Italy, Ciro Pellegrino – adding to a list of other targets – confirms the rampant widening and systemic pattern of spyware abuse in Italy, and elsewhere in Europe”
Bounty Hunting
United States returns over $680,000 in stolen cryptocurrency using civil asset forfeiture - US Department of Justice announce - “The exploiter’s scheme involved manipulating SafeMoon’s cryptocurrency by initiating a transaction that would burn a large number of SafeMoon tokens simultaneously, resulting in an artificial price spike. Then the exploiter could sell tokens back to the liquidity pool at an artificially inflated price at a loss to SafeMoon.”
[Ukrainian] police detained a member of a hacker group who was wanted by the US FBI - Ukraine Cyber Police announce - “law enforcement officers conducted over 80 authorized searches across Ukraine and seized crypto assets worth over 24 million hryvnias, 9 luxury cars, and 24 land plots with a total area of almost 12 hectares.”
No reflections this week..
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Same Sea, New Phish Russian Government-Linked Social Engineering Targets App-Specific Password
John Scott-Railton, Rebekah Brown, and Bill Marczak detail this alleged Russian operation. The tradecraft here is noteworthy..
Keir Giles, a prominent expert on Russian information operations, was targeted with a sophisticated and personalized novel social engineering attack.
The attacker took extensive measures to avoid raising Mr. Giles’ suspicions, and deceived him into creating and sending them App-Specific Passwords for his accounts, bypassing Multi-Factor Authentication (MFA).
Google later spotted and blocked the attacker. Their Google Threat Intelligence Group (GTIG) labels the operator Russian state-backed UNC6293, which they link with low confidence to APT29, which is attributed to Russia’s Foreign Intelligence Service (SVR).
We expect more social engineering attacks leveraging App-Specific Passwords in the future.
Gabby Roncone and Wesley Shields provide further perspective on the same operation.
Reporting on China
Silver Fox APT Targets Public Sector via Trojanized Medical Software
Sıla Özeren details an alleged Chinese campaign which is noteworthy for the use of SEO and the fact that medical software is being used for one of the malicious installers.
Silver Fox (also known as Void Arachne or The Great Thief of Valley) is a China-based advanced persistent threat group active since 2024. It is believed to be state-sponsored and is known for conducting cyber espionage, data theft, and, in some cases, financially motivated intrusions.
[x] Initial Infection Vector (from confirmed campaigns)
├─ likely via SEO poisoning or phishing
└─ Operation Holding Hands to download Winos 4.0 (ValleyRAT)
├─ backdoored installers for popular applications including Chrome, VPN clients (LetsVPN, QuickVPN), and AI tools like deepfake generators and voice changers
├─ weaponized versions of legitimate software (Philips DICOM medical viewers, EmEditor, and system driver utilities)
Threat Group Targets Companies in Taiwan
Pei Han Liao details this alleged potential Chinese operation against Taiwanese companies. Nothing overly noteworthy beyond the region and focus.
The modules' image debug directories indicate that they also belong to the HoldingHands RAT. Some modules appear to be simplified versions, as indicated by the term 'jingjianban' (meaning 'lite version' in Chinese) in the Image Debug Directory.
https://www.fortinet.com/blog/threat-research/threat-group-targets-companies-in-taiwan
Reporting on North Korea
Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion
Alden Schmidt, Stuart Ashenbrenner and Jonathan Semon detail an alleged North Korean operation which is interesting for the use of a malicious Zoom extension lure..
[We] received contact from a partner saying that an end user had downloaded, potentially, a malicious Zoom extension.
..
An employee at a cryptocurrency foundation received a message from an external contact on their Telegram. The message requested time to speak to the employee, and the attacker sent a Calendly link to set up meeting time. The Calendly link was for a Google Meet event, but when clicked, the URL redirects the end user to a fake Zoom domain controlled by the threat actor.
..
Several weeks later, when the employee joined what ended up being a group Zoom meeting, it contained several deepfakes of known senior leadership within their company, along with external contacts. During the meeting, the employee was unable to use their microphone, and the deepfakes told them that there was a Zoom extension they needed to download.
https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
Malicious crypto-theft package targets Web3 developers in North Korean operation
Charlie Eriksen detail an attempt to setup an alleged North Korea ruse..
Last week, our automated malware analysis pipeline flagged a suspicious package
web3-wrapper-ethers. The package impersonates the popularetherslibrary and contains obfuscated code designed to steal private keys. Our investigation revealed that the package may be associated with the threat actor known asVoid Dokkaebi, a group known for stealing cryptocurrency from developers involved in the development of web3, blockchain, and cryptocurrency technologies.
https://www.aikido.dev/blog/malicious-package-web3
Famous Chollima deploying Python version of GolangGhost RAT
Vanja Svajcer details a recent alleged North Korean operation. The noteworthy element is the victimology in Inida.
In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities.
In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns.
The attacks are targeting employees with experience in cryptocurrency and blockchain technologies.
Based on open-source intelligence, only a small number of users, predominantly in India, are affected.
https://blog.talosintelligence.com/python-version-of-golangghost-rat/
Reporting on Iran
Nothing overly of note this week
Reporting on Other Actors
UMBRELLA STAND
NCSC UK release this malware report on malware targeting Fortinet devices
UMBRELLA STAND beacons to its C2 server using fake TLS on port 443
UMBRELLA STAND has functionality to run shell commands
UMBRELLA STAND has been observed targeting FortiGate 100D series firewalls produced by Fortinet
UMBRELLA STAND has command configurable C2 and beacon frequency.
UMBRELLA STAND has been observed deployed in conjunction with a set of publicly available tooling including: BusyBox, nbtscan, tcpdump and openLDAP
UMBRELLA STAND is able to hook the reboot functionality of the device
SHOE RACK
NCSC UK release this malware report on a post-exploitation tool for remote shell access & TCP tunnelling through a victim device.
SHOE RACK’s unusual usage of the Secure Shell (SSH) protocol may offer network fingerprinting opportunities
SHOE RACK uses DNS-over-HTTPS (DOH) to locate the IP address of its C2 server
SHOE RACK has been observed targeting FortiGate 100D series firewalls produced by Fortinet
SHOE RACK is thought to be based, in part, on a public domain reverse SSH GoLang implementation called ‘NHAS’
Cobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure
Hunt.io details a campaign which is interesting for the fact it is criminally motivated allegedly.
We uncovered a simple but effective delivery method for Cobalt Strike using a PowerShell loader hosted in an open directory. The loader executed entirely in memory, contacted a cloud-based C2 server, and relied on evasion techniques like API hashing and reflective DLL loading.
What made this stand out wasn't the techniques themselves, but how quietly they were combined. By tracing code patterns and SSL certificate metadata, we linked the activity to known Cobalt Strike infrastructure and exposed part of a broader setup likely used in post-compromise operations.
While attribution remains unclear, the use of cracked Cobalt Strike beacons and ephemeral infrastructure is consistent with techniques observed in financially motivated threat campaigns.
The PowerShell script (y1.ps1) executes shellcode directly in memory using reflective techniques.
It connects to a second-stage C2 server hosted on Baidu Cloud Function Compute.
The shellcode employs API hashing and sets forged User-Agent strings to evade detection.
The final payload communicates with a known Cobalt Strike IP address in Russia.
SSL metadata and loader behavior confirm links to Cobalt Strike post-exploitation tools.
https://hunt.io/blog/cobaltstrike-powershell-loader-chinese-russian-infrastructure
GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT
Insikt Group report on the latest shenanigans by this alleged organised crime group.
[We] identified another custom loader, referred to as MaskBat, that has similarities to FakeBat but is obfuscated and contains strings linked to GrayAlpha. Overall, Insikt Group found three primary infection methods: fake browser update pages, fake 7-Zip download sites, and the traffic distribution system TDS
https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
Trellix release some analysis from the leak which gives a sense of the scale of the operations.
Out of 156 unique clients mentioned in the leaked database, we identified 103 victim organizations who engaged in the negotiation with LockBit affiliates. Entities identified as potential victims where negotiation records were absent and only build generations were evident were excluded from the analysis.
Futhermore, out of 103 victim organizations, 12 were victims whose company names appeared on LockBit’s leak blog and one appeared on RansomHUB’s data leak site between the period of January 14, 2025 and May 9, 2025 (even two days after the LockBit’s admin panel leak), authenticating of the dataset analyzed.
Discovery
How we find and understand the latent compromises within our environments.
COMmander
Jacob Acuna provides an enrichment tool for DCOM etc. to enable greater discoverry..
COMmander comes into play, it is based on C# and when run will start a Windows RPC ETW session and continue to monitor the traffic looking for specific rules and create alerts when traffic is met. There are two ways of using COMmander, either as a service that creates Windows Event Logs or as a command-line tool that alerts in the terminal.
https://jacobacuna.me/2025-06-12-COMmander/
https://github.com/HullaBrian/COMmander
Defence
How we proactively defend our environments.
Design Patterns for Securing LLM Agents against Prompt Injections
Luca Beurer-Kellner, Beat Buesser, Ana-Maria Cretu , Edoardo Debenedetti, Daniel Dobos, Daniel Fabian, Marc Fischer, David Froelicher, Kathrin Grosse, Daniel Naeff, Ezinwanne Ozoani, Andrew Paverd, Florian Tramer` and Vaclav Volhejn do a version of Avengers assemble with this release.
In this work, we propose a set of principled design patterns for building AI agents with provable resistance to prompt injection. We systematically analyze these patterns, discuss their trade-offs in terms of utility and security, and illustrate their real-world applicability through a series of case studies.
https://arxiv.org/pdf/2506.08837
Deception Fundamentals: The Missing Piece in Your Security Strategy
An overview of cyber deception fundamentals..
https://deceptiq.com/blog/deception-fundamentals
Incident Writeups & Disclosures
How they got in and what they did.
Report on Contained DPRK-Linked Social Engineering Attempt; Report Confirms No Impact on Cosmos Stack Security
Interchain Labs (ICL), in collaboration with the Security Alliance (SEAL) and Asymmetric Research (AR) detail experience from the line of alleged North Korean operations. The real worry is the developer managed to infiltrate.
has published a security report on past contributions to Cosmos repositories by an individual later identified as linked to the Democratic People’s Republic of Korea (DPRK). This individual was employed by former Core Stack maintenance vendors from mid-2022 to November 2024, before ICL was established and the third-party maintenance model was retired. Following ICL’s formation and takeover in full of all core stack development responsibilities, new security and hiring protocols were introduced that surfaced the issue and prevented further contributions. The report confirmed that there are no immediate or future risks to the Cosmos architecture as a result of these past contributions.
Vulnerability
Our attack surface.
Asana Discloses Data Exposure Bug in MCP Server
Greg Pollock shows the new frontier of AI has the same quality as the old country..
On June 4, Asana identified a bug in its Model Context Protocol (MCP) server and took the server offline to investigate. While the incident was not the result of an external attack, the bug could have exposed data belonging to Asana MCP users to users in other accounts.
https://www.upguard.com/blog/asana-discloses-data-exposure-bug-in-mcp-server
Offense
Attack capability, techniques and trade-craft.
Build-Your-Own-Ransomware
Rad details for the many and also provides an opportunity for detection of early stage activity.
Implement hybrid encryption
Master + Ephemeral Keys
Encryption + Decryption
String - one program
File - one program
File - two program
File System Enumeration
Depth or Breadth First Search
Print out the files you discover
Realize then you want to skip certain folders
https://github.com/rad9800/byor/
Junk Code Engines for Polymorphic Malware
r0keb releases TrashFormer which will cause some detection headaches.
https://r0keb.github.io/posts/Junk-Code-Engines-for-Polymorphic-Malware/
https://github.com/r0keb/TrashFormer
Clippy Goes Rogue (GoClipC2)
Andy Gill releases a tool which is an evolution of what has gone before it. Shows why you want to be able to monitor those VDI/RDP channels.
GoClipC2, a fairly extenive proof of concept I put together that serves as a client and a server setup, drop the server on whatever you want to act as your controller and the client binary onto the VDI/RDP hosts you want to establish C2 into.
https://blog.zsec.uk/clippy-goes-rogue/
Secure Enclaves for Offensive Operations
Cedric Van Bockhaven highlights a new dark corner which detection engineers will want to shine a light into.
Remember: VTL0 is where the normal kernel lives, VTL1 is where the secure kernel operates (and our enclaves).
In this follow-up post, we will share what we discovered while digging into enclave internals. It’s been a hands-on journey filled with many (failed) experiments. We’ll walk you through some of the practical techniques we used to exploit a read-write primitive in a vulnerable enclave DLL, and how we managed to turn that into VTL1 code execution.
The outcome of this research has been integrated into [our product] for implant sleepmasking. As a result, when the implant is dormant, its memory remains completely hidden. Even from VTL0 ring0 (this is where an EDR typically lives), it’s not possible to inspect the implant’s memory or view the call stack of the VTL1 thread. We also added a sleepmask to Beacon Booster for Cobalt Strike. It handles sleep masking by storing the key material used to encrypt beacon memory in VTL1, while the implant data itself is stored in VTL0.
https://www.outflank.nl/blog/2025/06/16/secure-enclaves-for-offensive-operations-part-ii/
MemLoader
NtDallas provides a loader detection engineers will want to be able to detect and memory forensics engineers to profile for tooling..
MemLoader is a proof-of-concept framework for running native PE executables or .NET assemblies entirely from memory.
https://github.com/NtDallas/MemLoader
Exploitation
What is being exploited..
CVE-2025-33053 Proof Of Concept
DevBuiHieu releases a capability we can expect to enable others..
This repository provides scripts to automatically deploy a WebDAV server on Ubuntu using Apache2, and generate malicious
.urlshortcut files for use in phishing, red teaming, or lateral movement simulation.
https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept
Crowhammer: Full Key Recovery Attack on Falcon with a Single Rowhammer Bit Flip
Calvin Abou Haidar and Mehdi Tibouchi show the value of a single bitflip and row hammer in 2025 against a crypto implementation.
In this paper, we show that Falcon, the hash-and-sign signature scheme over NTRU lattices selected by NIST for standardization, is vulnerable to an attack using Rowhammer.
Falcon's Gaussian sampler is the core component of its security, as it allows to provably decorrelate the short basis used for signing and the generated signatures. Other schemes, lacking this guarantee (such as NTRUSign, GGH or more recently Peregrine) were proven insecure. However, performing efficient and secure lattice Gaussian sampling has proved to be a difficult task, fraught with numerous potential vulnerabilities to be exploited. To avoid timing attacks, a common technique is to use distribution tables that are traversed to output a sample. The official Falcon implementation uses this technique, employing a hardcoded reverse cumulative distribution table (RCDT).
Using Rowhammer, we target Falcon's RCDT to trigger a very small number of targeted bit flips, and prove that the resulting distribution is sufficiently skewed to perform a key recovery attack. Namely, we show that a single targeted bit flip suffices to fully recover the signing key, given a few hundred million signatures, with more bit flips enabling key recovery with fewer signatures. Interestingly, the Nguyen–Regev parallelepiped learning attack that broke NTRUSign, GGH and Peregrine does not readily adapt to this setting unless the number of bit flips is very large. However, we show that combining it with principal component analysis (PCA) yields a practical attack.
https://eprint.iacr.org/2025/1042
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Objective-C helper
Vic releases this work aid..
This IDA plugin helps you reverse-engineer Objective-C code. The main feature is a decompiler hook cleaning up the pseudocode output, mainly removing superfluous Objective-C runtime calls related to ARC (Automatic Reference Couting) automatically added by the compiler.
https://github.com/synacktiv/objc-helper
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual report
Nothing overly of note this week
Call Them What They Are: Time to Fix Cyber Threat Actor Naming
Recommendation to NIS-supervisory authorities on cybersecurity risk management measures - Finish government
A systematic review of sensors to combat crime and routes to further sensor development
US digital asset strategy and the European response - “EU crypto markets regulation (MiCA) and the euro’s legal tender status may need strengthening. While wholesale CBDCs would benefit the cross-border payment infrastructure, the digital euro in itself would not contribute significantly to protecting Europe’s monetary sovereignty.”
Artificial intelligence
ATAG: AI-Agent Application Threat Assessment with Attack Graphs - “Evaluating the security of multi-agent systems (MASs) powered by large language models (LLMs) is challenging, primarily because of the systems' complex internal dynamics and the evolving nature of LLM vulnerabilities.”
Books
The Mitten Mac: Threat Hunting macOS
Practise to Deceive: Learning Curves of Military Deception Planners
Events
Nothing overly of note this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.