Sophos researchers found this operation has similarities or connections to many other campaigns targeting GitHub repositories dating back to August 2022.

Backdoored Malware Reels in Newbie Cybercriminals

In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.

Thursday, June 5, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve discovered that being a rent guarantor for someone is an involved experience. While I’m glad that I can help out a loved one secure a better rental property, the process of verifying my identity and ability to cover any missed payments required handing over far more personal and financial data than I was comfortable with. 

I asked the agent about their information security policies and cybersecurity posture. I was relieved to hear that they delete all the personal data within two weeks of processing, but I was concerned that the person dealing with my dossier didn’t think that they were at risk of a cyber attack. They believed that because they had a low online profile and their organisation was small, they didn’t present as a target. 

Not wanting to jeopardise my position as a guarantor, I didn’t argue further beyond offering a few words of advice. The truth is that everyone is a target. Many criminals do not discriminate; they seek to compromise anyone and see how they can make money from a compromise once access is achieved. Sophisticated criminals research their targets and their wider ecosystem of suppliers and partners in depth to identify potential weak points. It only takes a moment’s inattention for anyone to fall for a phishing or social engineering scam. 

Cybersecurity training needs to reinforce the fact that anyone can be a victim of a cyber attack. No matter how careful you might be, how insignificant you think that you might be, an attack can still catch you off guard. The good news is that by ensuring basic cyber hygiene, we can make a lot of progress towards preventing harm. 

Impressing on users the need to install updates promptly, the importance of having end-point protection and using multi-factor authentication is not a panacea, but it is a basic foundation upon which more advanced protection can be built. 

Good cybersecurity begins with an awareness of the threat, an acknowledgement that we are all at risk, and knowing the potential consequences. Nobody is too insignificant, too small or too well hidden to escape the risk of cyber attack. Suitable protection follows from reflecting on what is at risk and what could possibly go wrong.

**The one big thing **

Talos has uncovered a destructive attack on Ukrainian critical infrastructure involving a new wiper malware, "PathWiper," deployed through a legitimate endpoint administration framework. Talos attributes this attack to a Russia-linked APT actor, underscoring the persistent threat to Ukraine's infrastructure amid the ongoing war. 

**Why do I care? **

This attack highlights the sophisticated tactics of state-sponsored threat actors and the risks critical infrastructure entities face, which could have global implications for cybersecurity and geopolitical stability. 

**So now what? **

Organizations, particularly those managing critical infrastructure, should strengthen their endpoint security, monitor for unusual administrative activity, and stay informed on evolving threats to mitigate potential risks.

**Top security headlines of the week**

**New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch**   
The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. (The Hacker News) 

**Vanta bug exposed customers’ data to other customers**   
Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion. (TechCrunch) 

**Data Breach Affects 38K UChicago Medicine Patients**   
UChicago Medicine released a statement that the data of 38K patients may have been exposed by a third-party debt collector's system breach. The exposed data may include SSNs, addresses, dates of birth, medical information, and financial account information. (UPI)

**Can’t get enough Talos? **

**Fake AI installers target businesses.** Catch up on the ransomware and malware threats Talos discovered circulating in the wild and masquerading as legit AI tool installers. Read the blog or listen to our most recent Talos Takes to hear Hazel and Chetan, the author, discuss the blog more in-depth.

**Talos at Cisco Live 2025**. From sessions featuring a live IR tabletop session to learning how to outsmart identity attacks, there’s plenty of Talos to keep you going in San Diego next week. Browse sessions Talos is participating in, and we'll see you there!

**Upcoming events where you can find Talos **

*   Cisco Live U.S. (June 8 – 12) San Diego, CA 
*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2–  7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection 

**SHA 256:**   
**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Detection Name: Simple\_Custom\_Detection 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201

Everyone's on the cyber target list

A massive data leak has put the personal information of over 3.6 million app creators, influencers, and entrepreneurs…

A massive data leak has put the personal information of over 3.6 million app creators, influencers, and entrepreneurs at risk, reveals a report from vpnMentor. Cybersecurity expert Jeremiah Fowler uncovered an unsecured database containing a whopping 12.2 terabytes of sensitive data, linked to an app-building platform.

The exposed database, which was neither encrypted nor protected by a password, held 3,637,107 records. These records included names, email addresses, physical addresses, and details about payments for what appeared to be both users and app creators.

According to Fowler’s report, internal files and the database’s name suggested the data belonged to Passion.io, a company based in Texas/Delaware. Passion.io provides a no-code platform, allowing individuals like creators, coaches, and celebrities to build their own mobile apps without needing technical skills. These apps enable users to offer interactive courses and earn money through subscriptions or one-time purchases.

The exposed information, including personally identifiable information (PII) like names addresses, and even images, carries significant risks. Fowler warns that such data can be used by criminals for “phishing or social engineering attacks,” which are a common starting point for cybercrimes. Leaked email addresses and purchase histories can be used to trick individuals into revealing more personal or financial details by impersonating a trusted company.

Furthermore, the exposure of user profile images, some of which included children, raises serious privacy concerns. These images could potentially be misused for impersonation, creating fake accounts, or other online scams.

Source: vpnMentor

The researcher noted that even seemingly harmless images could be “potentially weaponized or used for unethical purposes.” Beyond personal data, the database also contained video files and PDF documents that appeared to be premium content sold by app creators, along with internal financial records, which could undermine creators’ revenue and give competitors insight into the company’s operations.

**Kudos to Passion.io’s Transparency**

Upon discovering the leak, Fowler promptly informed Passion.io. The company acted swiftly, restricting public access to the database on the same day. Passion.io acknowledged the finding, stating their “Privacy Officer and technical team are working on fixing the issue, making sure this can’t happen again.”

Nevertheless, if your company processes data, here are 5 key steps to follow to avoid database misconfigurations and prevent data leaks like the one affecting Passion.io. It is worth noting that these following steps won’t guarantee perfection, but they lower the chance of leaving a database exposed and leaking user data:

****1\. Enforce Authentication and Access Controls****

*   Implement multi-factor authentication for administrative access.

*   Use role-based access to limit who can view or modify sensitive data.

*   Never leave a database exposed without a password or access control.

****2\. Encrypt Data at Rest and In Transit****

*   Use strong encryption protocols and manage keys securely.

*   Ensure all sensitive data is encrypted both on disk and during transfer.

****3\. Automate Misconfiguration Detection****

*   Set up alerts for public exposure or unusual access patterns.

*   Use cloud security tools or configuration scanners (e.g., AWS Config, GCP Security Command Center) to detect misconfigurations in real-time.

****4\. Conduct Regular Security Audits and Pen Tests****

*   Test not just your app but also your storage and database layers.

*   Perform routine vulnerability assessments and penetration tests on your infrastructure.

****5\. Train DevOps and Technical Teams on Security Best Practices****

*   Keep documentation updated and enforce policies during development.

*   Make sure all team members handling infrastructure know how to secure cloud databases, manage permissions, and spot risky configurations.

Unsecured Database Exposes Data of 3.6 Million Passion.io Creators

### Impact

On failing connection extension writes commands sequence to logs. AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-g3p6-82vc-43jh: Yii 2 Redis may expose AUTH paramters in logs in case of connection failure

Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks.

"Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantec's Security Technology and Response

Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hardcoded Credentials

Major porn sites have blocked access in France in response to age verification demands.

VPNs (Virtual Private Networks) are suddenly popular in France. Not because France has suddenly become super privacy conscious, but because Pornhub, RedTube, and YouPorn, have blocked access in France.

But why? Last year, France enacted a law mandating that pornographic sites implement stricter age-verification technology.

Since March 1, 1994, French law has prohibited exposing minors to pornographic content. To strengthen this, a 2020 law empowered the French Regulatory Authority for Audiovisual and Digital Communication (ARCOM) to issue warnings to non-compliant online services and seek judicial orders to block access if necessary.

In 2024, the French law on securing and regulating the digital environment (SREN) further enhanced ARCOM’s authority, allowing it to administratively block platforms that fail to prevent minors from accessing pornographic content.

On October 9, 2024, ARCOM adopted a technical framework, approved by the French Data Protection Agency (CNIL), outlining minimum requirements for age verification systems.

The requirements consisted of three major pillars:

*   Reliability
*   Third party implementation
*   Mandatory on each access

Services had until January 9, 2025, to comply with a transitional period until April 9, 2025, during which credit card-based verification was temporarily accepted under specific conditions.

In response to these regulations, the major adult websites like Pornhub, YouPorn, and RedTube have now suspended access in France, citing concerns over user privacy and data security associated with the mandated age verification methods.

This is a major decision for Pornhub because France is its second biggest market behind the US. Alex Kekesi, VP of president of brand and community of Aylo Holdings (Pornhub’s owner) said that:

> “French citizens deserve a government and a regulator who are serious about preventing children from accessing adult content. They also deserve laws which protect their privacy and safeguard their sensitive data.”

In the United States, 19 states have passed laws requiring pornographic sites to confirm a user’s age by checking a government-issued ID, scanning their face, or other methods. The laws have led some of the largest adult sites, including Pornhub, to block users from those states, rather than paying millions for ID-checking services.

Naturally, everywhere where people want to View Porn Normally, the use of VPNs has increased because VPNs can be used to circumvent access restrictions imposed by such regulations. While specific figures for France are not publicly available, similar scenarios in other regions provide insight into user behavior:

*   Florida: Following Pornhub’s decision to block access in response to new age verification laws, VPN demand in Florida surged by an astonishing 1,150% within the first few hours.
*   Texas: After the implementation of comparable laws, VPN usage increased by approximately 234.8%.

**Malwarebytes Privacy VPN**

Malwarebytes Privacy VPN can help adults to decide for themselves what they want to see or not. By choosing a location where no age verification block is in place, you will be able to access your coveted websites while also enjoying:

*   **No-log policy**: Your activity is neither tracked nor stored.
*   **WireGuard** **protocol**: Ensures fast and secure connections, good for streaming.
*   **Server coverage**: Plenty of servers near you to cover countries that are not blocked.
*   **Strong encryption:** To keep your web activity safe from prying eyes.

 Pornhub, RedTube, and YouPorn block access in France, VPN use set to soar 

ConnectWise issued a patch to stave off attacks on ScreenConnect customers, but the company's disclosures don't explain what the vulnerability is and when it was first exploited.

Questions Swirl Around ConnectWise Flaw Used in Attacks

Cybersecurity experts warn of widespread data exposure as a recent investigation reveals a staggering number of internet cookies…

Cybersecurity experts warn of widespread data exposure as a recent investigation reveals a staggering number of internet cookies circulating on the dark web.

A new report from NordVPN highlights the severe privacy risks associated with web cookies, which are small files websites store on your device to remember your browsing activity. The research, conducted in partnership with threat exposure management platform, NordStellar, uncovered approximately 93.7 billion stolen cookies available for sale in underground online marketplaces.

Researchers analyzed data from Telegram channels between April 23 and April 30, 2025, resulting in a dataset of around 94 billion cookies. The researchers analyzed the cookies’ active or inactive status, malware used, country of origin, data content, the company, the user’s OS, and keyword categories assigned to users. NordVPN did not buy stolen cookies or access their contents, but only examined the data within them.

****What’s Inside the Digital Cookie Jar?****

The analysis of these stolen cookies revealed a treasure trove of personal data. When analyzing these stolen cookies, ‘ID’ (Assigned ID was associated with 18 billion cookies) and ‘session’ (associated with 1.2 billion cookies) were identified as the most common keywords, indicating the type of data they held.

These are crucial for maintaining active user sessions on websites, meaning a stolen session ID could grant an attacker direct access to an account without needing a password. Alarmingly, out of the total 93.7 billion stolen cookies analysed, 15.6 billion were still active, posing an immediate threat to users.

This vast collection of compromised data poses a significant threat to personal security, potentially allowing malicious actors to access sensitive information and online accounts. Beyond session data, the report reveals that compromised cookies frequently contained personal details such as names, email addresses, countries, cities, and even passwords.

This information can be exploited for targeted phishing attacks or, in more severe cases, identity theft. Here’s a breakdown of the data attackers can steal via cookies.

Source: NordVPN

****Where Did These Cookies Come From?****

The majority of these stolen cookies were traced back to several major online platforms and originated from a diverse set of countries. Google services alone accounted for over 4.5 billion cookies, with YouTube and Microsoft each contributing more than 1 billion. This indicates that widely used platforms are prime targets for cybercriminals due to the sheer volume of user data they handle.

The primary method of theft involved various types of malware, including infostealers, trojans, and keyloggers. Redline emerged as the most prolific, responsible for stealing almost 42 billion cookies. Check out the list of malicious software used to steal these cookies:

Source: NordVPN

****Protecting Your Digital Crumbs****

Given the widespread threat, cybersecurity experts advise users to take proactive steps to safeguard their online presence.

> _“Cookies may seem harmless, but in the wrong hands, they’re digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide.”_
> 
> Adrianus Warmenhoven, Cybersecurity Expert – NordVPN

Therefore, to stay safe, always be careful when accepting cookies on websites, opting to reject unnecessary ones, especially third-party trackers. Also, regularly clear cookies from your browser to limit the window of opportunity for attackers.

Furthermore, using security tools like anti-malware software and Virtual Private Networks (VPNs) can significantly enhance protection. It helps block malicious websites, scan downloads for threats, and encrypt internet traffic, making it harder for cybercriminals to snatch your digital cookies.

Nearly 94 Billion Stolen Cookies Found on Dark Web

The US can't afford to wait for political consensus to catch up to technological change.

Finding Balance in US AI Regulation

The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government.
That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis.
"Their diverse toolset shows consistent coding patterns across malware families, particularly in

Latest News