CTO at NCSC Summary: week ending June 15th
Sausages and incentives: rewarding a resilient technology future..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing overly of note..
In the high-level this week:
Sausages and incentives: rewarding a resilient technology future - NCSC UK blogs - “The technology to raise cyber resilience at scale exists, but it will require us – amongst other things – to 'think big' and drive a strategic policy agenda that fundamentally alters the dynamics of the existing market in technology and services.”
Authentication methods: choosing the right type - NCSC UK updates - “Recommended authentication models for organisations looking to move 'beyond passwords'.”
Security principles for protecting the most sensitive personal information in datasets - NCSC UK publishes - “This guidance is for anyone responsible for protecting personal data in an organisation – or who designs or implements systems that process personal data – such as policy makers, data risk owners, security architects and other cyber security professionals.”
Call for views on the cyber security of enterprise connected devices - Department for Science, Innovation & Technology announce - “The government is proposing a two-part intervention, including the publication of a Code of Practice and several policy interventions that are being considered to boost uptake of important security requirements.”
Government Cyber Security Policy: Cyber Incident Exercising - UK Government Security publishes - “Lead Government Departments (LGDs), their arm’s length bodies (ALBs) and other public organisations in their remit shall exercise their cyber incident response plan (CIRP), at least annually.”
UK cyber agency pushes for 'strategic policy agenda' as government efforts stall - The Record reports - “The cost of underinvestment in cyber security is ultimately borne not by the vendors, but downstream by customers, insurers, the government and wider society,” wrote the NCSC. “It is these market fundamentals that need to be addressed if we are to prevent software and hardware vulnerabilities being exploited.”
Scammers stole £47m from HMRC in phishing attack - BBC reports - “It said the scammers used phishing attacks to gain customer details and attempted to claim rebates.”
Fact Sheet: President Donald J. Trump Reprioritizes Cybersecurity Efforts to Protect America - The White House summarises - “The Order directs technical measures to promulgate cybersecurity policy, including machine readable policy standards and formal trust designations for “Internet of Things” as a way to ensure that Americans can know that their personal and home devices meet basic security engineering principles.”
The SEC Pinned Its Hack on a Few Hapless Day Traders. The Full Story Is Far More Troubling - Bloomberg reports - “When a notorious gang of Ukrainian cybercriminals hit a crucial database, the regulator quickly downplayed the breach. One of the hackers says the system is still a soft target.”
China’s tech invasion is a national emergency - Washington Examiner with Rob Joyce writing - “It’s not just about spying. It’s about control. Through parts like these, Beijing could cripple key parts of the American economy without firing a shot. And these solar components are just one example of a much larger, more dangerous problem.”
Cyber and the Strategic Defence Review: All Pervasive But Light on Details - RUSI asserts -
Regional banks must protect themselves from cyber attacks - Nikkei reports - ”The Financial Services Agency is rushing to improve the cyber security measures of regional financial institutions. In addition to starting simulated cyber attack tests on regional banks in fiscal 2024, it has stopped publishing some reports to prevent them from providing hints to attackers. This is to prevent regional financial institutions, which do not have as many personnel and funds as major banks, from becoming the epicenter of a cyberattack that threatens the stability of the financial system.”
Publication of the 4th edition of the 2025 Careers Observator - ANSSI publishes - ”A large majority of men, or 85% of respondents, make up the French cyber ecosystem.”
Reporting on/from China
Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry - Eugenio Benincasa writes - “China’s cyber ecosystem reflects a deeply embedded mindset: “To defend, one must first know how to attack” (未知攻,焉知防).2 Popularized within grassroots hacker communities in the 1990s, this defense-through-offense philosophy has since extended throughout China’s cyber landscape. Today, it underpins a tightly integrated ecosystem of state-aligned private companies, in which offensive cyber capabilities are a major engine of cybersecurity innovation.3 These capabilities likely serve as key enablers of the country’s advanced persistent threat (APT) groups, given China’s extensive reliance on private-sector proxies for cyber operations.”
Chinese Hacked US Telecom a Year Before Known Wireless Breaches - Blomberg reports - “Corporate investigators found evidence that Chinese hackers broke into an American telecommunications company in the summer of 2023, indicating the country’s attackers penetrated the US communications system earlier than publicly known.”
Police processed more than 440,000 cyber threat intelligence reports targeting Hong Kong last year - Epoch Times reports - “The police published the first cybersecurity report on the Police Force website today (2nd), stating that there were 7,680 technology crimes in the first quarter of this year, a slight increase of 1% over the same period last year, involving a total amount of about 1.4 billion yuan. Among them, there were 14 cases of intrusion activities, an increase of 7.7% over the same period last year, involving a total amount of 12.5 million yuan.”
China eyes 10 new national data zones in digital economy push, AI race with US - South China Morning Post reports - “The National Data Administration (NDA) said the zones would be established in Beijing, Zhejiang, Anhui and other regions. The initiative encourages select local governments to spearhead efforts “in nurturing data-related market entities and expanding the data market”, according to the state broadcaster CCTV.”
China unveils new regulations on government data sharing - CCTV reports
Commission reignites push to exclude Huawei from subsea cable networks - Euractiv reports - “The existing prohibition on deploying Huawei equipment in EU 4G/5G networks “could be extended to submarine cables”, reads the Commission document.”
AI
Uncovering Nytheon AI – A New Platform of Uncensored LLMs - Vitaly Simonovich identifies - “an emerging platform on Tor called Nytheon AI that combines various technologies and LLM jailbreaks to create a suite of uncensored LLMs to facilitate malicious activities.”
Firmly grasp the initiative in the development and governance of artificial intelligence - Guangming Daily reports - “[China] insists on coordinating the development and governance of artificial intelligence, and has explored a path of artificial intelligence development with Chinese characteristics in practice, emphasizing both grasping the opportunities of technological revolution and preventing systemic risks, showing the foresight and scientific nature of governance in a major country. General Secretary Xi Jinping emphasized when presiding over the 20th collective study of the Political Bureau of the CPC Central Committee”
China starts mass production of world’s first non-binary AI chip - South China Morning Post reports - “probabilistic computing leverages the frequency of “high-level” voltage signals over a fixed time to represent values, significantly reducing hardware consumption. It has already been used in fields like image processing, neural networks and deep learning. But probabilistic computing also suffers from long computation delays due to its frequency-based representation of values.”
Artificial Intelligence and Cyber Power - Florida International University FIU Digital Commons publishes - “Regarding AI’s impact on the balance of power in cyberspace, the paper argues that fluctuations are expected in a competitive environment. However, AI advances are more likely to entrench than overturn existing power relationships between states. And while the proliferation of AI tools might lower barriers to entry for less skilled cyber operatives, high-end cyber operations will remain the preserve of the most capable states.”
The Digital Security Equilibrium – does it hold under AI? - Ciaran Martin writes - “It can remain that way, but it requires a sustained effort and smart policymaking over many years. And for now, the most worrying part is the growing accessibility of potent cyber capabilities to new actors.” - based on the number of conversations we have with people applying for AI to cyber defence and who are make step changes - we are more confident/optimistic!
Cyber proliferation
Italy Admits Hacking Activists With Israeli Spyware - Haaretz reports - “An Italian parliamentary committee has confirmed that the government used the Israeli-made spyware Graphite, developed by the offensive cyber company Paragon, to hack the smartphones of several activists working with migrants.”
Italy cuts ties with Israeli spyware firm Paragon amid surveillance scandal - Aljazeera reports -
First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - Citizen Labs reports - “Apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200.”
Predator Still Active, with New Client and Corporate Links Identified - Insikt Group® identify - “Insikt Group has detected Predator-related activity in several countries throughout the last twelve months and is the first to report a suspected Predator operator presence in Mozambique.”
Bounty Hunting
20,000 malicious IPs and domains taken down in INTERPOL infostealer crackdown - INTERPOL announce - “41 servers seized and 32 suspects arrested during Operation Secure”
No reflections this week, but a request.
We are doing work on guidance/patterns around engineering in resilience against catastrophic loss events due to a cyber incident (Ransomware or other destructive events e.g. wipers).
Think containment, PAWs, infrastructure as code, minimum viable diverse systems, rehydration of backups etc.
If any of you dear readers have examples of architectures, practices or technology which demonstrably averted (a near miss) or otherwise minimised the impact of incidents or facilitated accelerated recovery then we would love to hear about them (leave a comment / reply to this / put an NCSC sign in the sky etc.).
Finally X (Tweet) of the week is from Sophos on Market Incentives..
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
Jacob Finn, Dmytro Korzhevin and Asheer Malhotra detail this threat which is note and should act as a warning on why preparing for catastrophic loss is not only for ransomware events.
The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints.
Talos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat (APT) actor. Our assessment is made with high confidence based on tactics, techniques and procedures (TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian entities.
The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war.
https://blog.talosintelligence.com/pathwiper-targets-ukraine/
Reporting on China
China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
Aleksandar Milenkoski & Tom Hegel show the cyber security industry are allegedly of interest to alleged China based threats.
In October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne, which we track as part of a broader activity cluster named PurpleHaze.
At the beginning of 2025, we also identified and helped disrupt an intrusion linked to a wider ShadowPad operation. The affected organization was responsible for managing hardware logistics for SentinelOne employees at the time.
A thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the attackers were unsuccessful and SentinelOne was not compromised by any of these activities.
The PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between July 2024 and March 2025. The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors.
We attribute the PurpleHaze and ShadowPad activity clusters with high confidence to China-nexus threat actors. We loosely associate some PurpleHaze intrusions with actors that overlap with the suspected Chinese cyberespionage groups publicly reported as APT15 and UNC5174.
This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors.
The Golden Eyed Dog (APT-Q-27) group recently used the "Silver Fox" Trojan to steal secrets
Reporting from China on interesting sectorial targeting coupled with robust tradecraft.
Golden Eye Dog (Qi'anxin internal tracking number APT-Q-27) is a hacker group that targets people engaged in gambling and dog-pushing in Southeast Asia and overseas Chinese communities.
…
The Golden Eye Dog group has repeatedly used watering hole websites to host malware installation packages and implant Trojans into victims' devices [1, 3] . It has used .NET, C++, Go, Delphi and other languages to develop malware, and the overall anti-killing level of attack samples is relatively high.
Reporting on North Korea
Analysis of the Triple Combo Threat of the Kimsuky Group
Genians reports on how North Korea has been leveraging various communication channels in order to conduct their operations. A number of which do not lend themselves to enterprise security monitoring.
Deployed a covert infiltration strategy using a three-stage communication channel: Facebook, email, and Telegram
Lured targets with seemingly credible content related to North Korean defector volunteer activities to initiate conversations and deliver malicious files
Confirmed linkage to the state-sponsored hacking group 'Kimsuky,' which targets defense and North Korea-related activists
Utilized Korea-specific compressed file formats and encoded malicious scripts, specifically designed to evade security detection patterns
EDR-based threat hunting and triage can provide visibility
https://www.genians.co.kr/en/blog/threat_intelligence/triple-combo
Reporting on Iran
Nothing overly of note this week
Reporting on Other Actors
Scattered Spider Targets Tech Companies for Help-Desk Exploitation
Reliaquest sheds some light on the underlying initial access tradecraft allegedly used by this threat actor.
81% of “Scattered Spider’s” domains impersonate technology vendors, targeting high-value credentials like those of system administrators and executives.
The group primarily leverages phishing frameworks like Evilginx and social engineering methods like vishing to gain initial access into organizations.
70% of Scattered Spider’s targets belong to technology, finance, and retail trade sectors, making them especially vulnerable to credential theft and ransomware attacks.
Scattered Spider and “DragonForce” are increasingly targeting managed service providers (MSPs) and IT contractors, exploiting their "one-to-many" access to breach multiple client networks through a single point of compromise.
https://reliaquest.com/blog/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025/
“Grey Nickel” Threat Actor Targeting Banking, Crypto, and Payment Platforms
iProov details attacks trying to bypass biometrics and liveness checks in know-your-customer flows in the wild. Also provides a breakdown on the techniques including ‘advanced virtual camera networks’.
[We] observed live operations of the threat actor, codenamed “Grey Nickel,” targeting organizations globally with concentrated attacks against banking, crypto exchanges, e-wallets, and digital payment platforms in Asia-Pacific, EMEA, and North America. During its investigation of “Grey Nickel”, the iSOC team also documented an unprecedented escalation in attacks specifically designed to bypass Know Your Customer (KYC) processes across the financial services sector.
Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool
Proofpoint detail what looks like a concerted effort around password spraying. Noteworthy due to adoption of a ‘security’ tool.
Proofpoint threat researchers have recently uncovered an active account takeover (ATO) campaign, tracked as UNK_SneakyStrike, using the TeamFiltration pentesting framework to target Entra ID user accounts.
Using a combination of unique characteristics, Proofpoint researchers were able to detect and track unauthorized activity attributed to TeamFiltration.
According to Proofpoint findings, since December 2024 UNK_SneakyStrike activity has affected over 80,000 targeted user accounts across hundreds of organizations, resulting in several cases of successful account takeover.
Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts.
Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others.
Analysis of APT-C-56 (Transparent Tribe) DISGOMOJI variant attack activities targeting Linux systems
Chinese reporting on an attack chain I am surprised ever work. Namely a zip file with a Linux ELF file the victim needs to run!
In this attack, the APT-C-56 organization induced users to execute a file named password. After execution, the file will display the password of the bait document and download the decryptor ec, data file x96coreinfo.txt and a jar file from Google Drive. The decryptor decrypts x96coreinfo.txt into an elf file. In order to prevent download failure, the jar file will also be executed. The function of the jar file is to download the decryptor and intermediate.txt. The decrypted executable program intermediate will create a persistent download x96coreinfo.txt and decrypt it for execution. The final executable program x96coreinfo file is actually a variant of the DISGOMOJI malware. When executed, it will communicate with Google Cloud Services and upload data. At the same time, it will also download the browser stealing plug-in and MeshAgent remote management tool. The entire attack process is shown in the figure below:
The Bitter End: Unraveling Eight Years of Espionage Antics
Nick Attfield and Konstantin Klinger in collaboration with Elshinbary and Jonas Wagner detail the evolution of this alleged state actor. Noteworthy for the continued evolution..
Proofpoint Threat Research assesses it is highly likely that TA397 is a state-backed threat actor tasked with intelligence gathering in the interests of the Indian state.
The group frequently experiments with their delivery methods to load scheduled tasks. However, the resulting scheduled tasks, PHP URL patterns, inclusion of a victim’s computer name and username in the beaconing, and Let’s Encrypt certificates on attacker servers provide a high confidence fingerprint of detecting the group’s activity.
TA397 will frequently target organizations and entities in Europe that have interests or a presence in China, Pakistan, and other neighboring countries on the Indian subcontinent.
Bitter's malware has significantly evolved since 2016, moving from basic downloaders to more capable RATs. The group primarily uses simple and home-grown payloads delivered via their infection chain, rather than relying on advanced anti-analysis techniques within the payloads itself.
Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation. This strongly suggests a common developer base.
Several of their recent malware families continue to undergo active development in 2025, with new variants appearing in recent campaigns.
https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two
Say Hi to HelloTDS: The Infrastructure Behind FakeCaptcha
Vojtěch Krejsa and Milan Špinka detail the level of sophistication in contemporary traffic direction system (TDS). There is some real investment here..
[We] discovered and analyzed an elaborate Traffic Direction System infrastructure delivering FakeCaptcha, tech scams and other malware campaigns to select users.
The campaign entry points are infected or otherwise attacker-controlled streaming websites, file sharing services, as well as malvertising campaigns.
Victims are evaluated based on geolocation, IP address, and browser fingerprinting; for example, connections through VPNs or headless browsers are detected and rejected.
The FakeCaptcha campaign is increasing its stealth by mimicking legitimate software websites.
A new variant of FakeCaptcha spreading information stealers and RATs avoids detection by employing Unicode math fonts.
https://www.gendigital.com/blog/insights/research/inside-hellotds-malware-network
Discovery
How we find and understand the latent compromises within our environments.
JonMon-Lite
Jonathan Johnson provides an interesting capability which will have utility in situations where you want low invasion so as to not tip.
JonMon-Lite is a research proof-of-concept "Remote Agentless EDR" that creates an ETW Trace Session through a Data Collector Set. This session can be created locally or remotely.
https://github.com/jonny-jhnson/JonMon-Lite
The Not So Self Deleting Executable on 24h2
Thomas Keefer details how Windows 11 24H2 behaviour is changing which will trip up some adversaries.
In 24H2, while the file appears empty, it actually still exists on disk its contents have merely been moved to an alternate data stream instead of being deleted. The data persists in this alternate stream rather than the default one, which defeats the purpose of self deletion.
https://tkyn.dev/2025-6-8-The-Not-So-Self-Deleting-Executable-on-24h2/
Timestamp Changes between OS via SMB Share
Crystal shows where the trip hazards are when building timelines through file sharing.
we will dive into how timestamp changes when a file is being moved or copied between macOS and Windows through SMB shared folders.
In conclusion, file timestamp changes across different operating systems via SMB can be affected by various factors. Some of the factors covered include:
File Type
File Operation(s)
OS hosting the SMB folder
Direction of file transfer (macOS ↔ Windows)
Defence
How we proactively defend our environments.
NIST Offers 19 Ways to Build Zero Trust Architectures
NIST released their architectural patterns.
The traditional approach to cybersecurity, built around the idea of solely securing a perimeter, has given way to the zero trust approach of continuously evaluating and verifying requests for access.
Zero trust architectures can help organizations protect far-flung digital resources from cyberattacks, but building and implementing the right architectures can be a complex undertaking.
New NIST guidance offers 19 example zero trust architectures using off-the-shelf commercial technologies, giving organizations valuable starting points for building their own architectures.
https://www.nist.gov/news-events/news/2025/06/nist-offers-19-ways-build-zero-trust-architectures
Turning Off the (Information) Flow: Working With the EPA to Secure Hundreds of Exposed Water HMIs
The Censys Research Team highlight how long hanging some low hanging fruit remains.. in 2025.
In October 2024, Censys researchers discovered nearly 400 web-based HMIs for U.S. water facilities exposed online. These were identified via TLS certificate analysis and confirmed through screenshot extraction.
All systems used the same browser-based HMI/SCADA software and were found in one of three states:
Authenticated (credentials required)
Read-only (viewable without control)
Unauthenticated (full access without credentials)
40 systems were fully unauthenticated and controllable by anyone with a browser.
Censys shared these findings with the EPA and the vendor in question for coordinated remediation. Within nine days, 24% of the systems had been secured, and a few weeks later, this rose to 58%. As of May 2025, fewer than 6% of systems remain online in a read-only or unauthenticated state.
Incident Writeups & Disclosures
How they got in and what they did.
Cause and current status of the hijacking of the official Frontend Conference Hokkaido website
Reporting from Japan which shows the impact of those CNAME DNS records..
This is an attack method in which a third party who does not have administrative authority over the domain name attempts to take over (take over) the subdomain by exploiting the fact that the DNS settings for the subdomain that were set up when the CDN (Content Delivery Network) service or Web service was first used remain even after the service is terminated.
https://note.com/fec_hokkaido/n/n16cfb7a19801
Vulnerability
Our attack surface.
CVE-2025-4318: RCE in AWS Amplify Studio via Unsafe Property Expression Evaluation
Developers will need to upgrade..
In May 2025, a critical vulnerability (CVE-2025-4318) was disclosed in the @aws-amplify/codegen-ui package, a core part of AWS Amplify Studio’s UI generation process. The issue arises from improper input sanitization of JavaScript property expressions, resulting in remote code execution (RCE) during build or render time.
https://blog.securelayer7.net/cve-2025-4318-aws-amplify-rce/
OpenPGP.js: Message signature verification can be spoofed
Edoardo Geraci and Thomas Rinsma find a clanger of a vulnerability..
A maliciously modified message can be passed to either
openpgp.verifyoropenpgp.decrypt, causing these functions to return a valid signature verification result while returning data that was not actually signed.This flaw allows signature verifications of inline (non-detached) signed messages (using
openpgp.verify) and signed-and-encrypted messages (usingopenpgp.decryptwithverificationKeys) to be spoofed, since both functions return extracted data that may not match the data that was originally signed. Detached signature verifications are not affected, as no signed data is returned in that case.In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js.
https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8
Offense
Attack capability, techniques and trade-craft.
GitHub Device Code Phishing
John Stawinski, Mason Davis and Matt Jackoski detail an attack technique one can expect people to be working on the mitigation for..
The weakness in Device Code Authorization is that there is no guarantee that the user who generated the code is the one who completes the authentication.
Compromising a target’s GitHub account takes five steps:
Code Generation
Social Engineering
User Authentication
Token Retrieval
Own Everything
https://www.praetorian.com/blog/introducing-github-device-code-phishing/
Newtowner
Shubs et al release a tool which is surprising that it works..
This tool is designed to help you test firewalls and network boundaries by masquerading traffic to appear as if it's originating from different datacenters around the world.
Modern cloud environments often have trust boundaries (such as allowing all traffic from the same datacenter) that are weak and can be easily bypassed. This has become a more prevalent issue as cloud platform popularity has increased.
Common misconfigurations of trust boundaries can be tested with this tool.
https://github.com/assetnote/newtowner
TrollRPC
CyberSecTroll releases a capability designed to reduce efficacy of EDR solutions which rely on RPC calls on Windows. Once again demonstrates the value of proof-of-life from observability.
a library to blind RPC calls based on UUID and OPNUM..
This particular DLL will only break the specific RPC call to the AV scan engine, allowing all other RPC calls through. This means you can bypass AMSI for both powershell/clr and then continue running commands that require RPC (everything lol).
https://github.com/cybersectroll/TrollRPC
Dark Kill
Saad Ahla releases a driver which will likely be easy to detect in practice..
A user-mode code and its rootkit that will Kill EDR Processes permanently by leveraging the power of Process Creation Blocking Kernel Callback Routine registering and ZwTerminateProcess
https://github.com/SaadAhla/dark-kill
SilentPulse
Kozmer releases this example of how sleep obfuscation can work on Linux to avoid memory scanners.
single-threaded event driven sleep obfuscation [proof of concept] for Linux
..
uses sigevent (SIGEV_THREAD) for timer callbacks. This proof of concept sleeps for a pre-defined time but it can technically be awoken by external triggers, making it usable beyond a pre-defined sleep...
https://github.com/kozmer/silentpulse
Weaponized Google OAuth Triggers Malicious WebSocket
https://cside.dev/blog/weaponized-google-oauth-triggers-malicious-websocket
Exploitation
What is being exploited..
CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage
CheckPoint detail a campaign which has the lot, zero-days, passive backdoors - the whole lot.
Check Point Research (CPR) discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
CVE-2025-33053 allows remote code execution through manipulation of the working directory. Following CPR’s responsible disclosure, Microsoft today, June 10, 2025, released a patch as part of their June Patch Tuesday updates.
Stealth Falcon’s activities are largely focused on the Middle East and Africa, with high-profile targets in the government and defense sectors observed in Turkey, Qatar, Egypt, and Yemen.
Stealth Falcon continues to use spear-phishing emails as an infection method, often including links or attachments that utilize WebDAV and LOLBins to deploy malware.
Stealth Falcon deploys custom implants based on open-source red team framework Mythic, which are either derived from existing agents or a private variant we dubbed Horus Agent. The customization not only introduce anti-analysis and anti-detection measures but also validate target systems before ultimately delivering more advanced payloads.
In addition, the threat group employs multiple previously undisclosed custom payloads and modules, including keyloggers, passive backdoors, and a DC Credential Dumper.
https://research.checkpoint.com/2025/stealth-falcon-zero-day/
An iMessage Zero-Day in iOS 18
Joseph G details the active exploitation of this vulnerability in the wild.. although suspicions this may be fake
Between Dec 2024 and Apr 2025, an iMessage exploit let attackers hijack iPhones, steal crypto keys, and impersonate users — all triggered by receiving a malicious audio file.
The exploit leverages default frameworks, requires no elevated entitlements, and propagates via Wi-Fi-based peer discovery. It was patched under CVE-2025-31200 and CVE-2025-31201 in iOS 18.4.1 following coordinated disclosure.
weareapartyof1.substack.com/p/the-crypto-heist-apple-kept-quiet
Home Internet Connected Devices Facilitate Criminal Activity
FBI alerts to broad IoT exploitation..
Cyber criminals gain unauthorized access to home networks through compromised IoT devices, such as TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products. Most of the infected devices were manufactured in China. Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the users purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.3 Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services4 known to be used for malicious activity.
https://www.ic3.gov/PSA/2025/PSA250605
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
GDBMiner: Mining Precise Input Grammars on (Almost) Any System
Max Eisele, Johannes Hägele, Christopher Huth and Andreas Zeller release a useful capability which whilst slow will accelerate the grammar production for fuzzing among other things.
GDBMiner leverages the GNU debugger (GDB) to step through the program and determine which code locations access which input bytes, generalizing bytes accessed by the same location into grammar elements.
GDBMiner is slow, but versatile - and precise: In our evaluation, GDBMiner produces grammars as precise as the (more demanding) Cmimid tool, while producing more precise grammars than the (less demanding) Arvada black-box approach. GDBMiner can be applied on any recursive descent parser that can be debugged via GDB and is available as open source.
https://drops.dagstuhl.de/entities/document/10.4230/LITES.10.1.1
Planting a Tradecraft Garden
Raphael Mudge is back..
Tradecraft Garden is a collection of projects centered around the development of position-independent DLL loaders. They include:
The Crystal Palace, a linker and linker script language specialized to the needs of writing position-independent DLL loaders. Crystal Palace solved my page streaming project problems, by making it possible to access appended resources from my PIC via linked symbols. Crystal Palace also gave me PICOs, a BOF-like convention to run one-time or persistent COFFs from my position-independent code. The project has evolved more features since then, but the initial motivation was COFFs and easily working with multiple appended resources.
The Tradecraft Garden, a corpora of well commented, easy to build, and hackable DLL loaders. Today, the focus is on demonstrating design patterns and Crystal Palace features. Over time, the garden will include more examples and commentary on tradecraft ideas best expressed at this place in an attack chain.
https://aff-wg.org/2025/06/04/planting-a-tradecraft-garden/
PoCGen
Deniz Simsek, Aryaz Eghbali and Michael Pradel bring some applied AI use case to the lower end of the exploitation challenge space.
we present PoCGen, a novel approach to autonomously generate and validate PoC exploits for vulnerabilities in npm packages. This is the first fully autonomous approach to use large language models (LLMs) in tandem with static and dynamic analysis techniques for PoC exploit generation. PoCGen leverages an LLM for understanding vulnerability reports, for generating candidate PoC exploits, and for validating and refining them. Our approach successfully generates exploits for 77% of the vulnerabilities in the SecBench.js dataset and 39% in a new, more challenging dataset of 794 recent vulnerabilities. This success rate significantly outperforms a recent baseline (by 45 absolute percentage points), while imposing an average cost of $0.02 per generated exploit.
https://arxiv.org/abs/2506.04962
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual report
Nothing overly of note this week
Rethinking Deception: Why We're Moving from Product to Enablement
Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems - NIST
Russia’s Military Apps Use West’s Open Infrastructure - RUSI thinktanks - “I identified 323 domain names and 387 IP addresses embedded within these apps, over 70% of which were hosted in the United States.”
AI and Intelligence Analysis: Panacea or Peril? - War on the Rocks
Ideas Don’t Need Passports: A New Model of Diplomacy for Developing Countries - Science Diplomacy
Artificial intelligence
Towards Secure MLOps: Surveying Attacks, Mitigation Strategies, and Research Challenges
Memvid - Video-based AI memory library - Store millions of text chunks in MP4 files with lightning-fast semantic search. No database needed.
Books
Nothing overly of note this week
Events
Cyberpsychology Section Annual Conference 2025 - 09 July 2025 - 10 July 2025West Midlands, UK
Two videos this week from Cyber UK 2025
First up Passkeys ..
Then Market Incentives ..
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.