🚨Week 12 Debrief: Europol Warns of Evolving Organised Crime, Data Breach at Stalkerware SpyX Affecting 2 Million, HK New Cybersecurity Law, Paragon's Proliferating Spyware Operations and more.

Insights into Cyber Risks, Threat Intel and Startup and VC updates

A new report from The Citizen Lab reveals details about Paragon Solutions, an Israeli company selling the Graphite spyware. Despite claims of built-in safeguards against abuse, their technology has been linked to the targeting of journalists and civil society members, particularly in Italy. Infrastructure analysis uncovered potential Paragon deployments in countries like Australia, Canada, and Israel. A WhatsApp zero-click exploit attributed to Paragon was discovered, leading to notifications for approximately 90 targeted individuals. Forensic analysis of Android phones in Italy confirmed Graphite infections. A related case involved an attempted iPhone infection using novel spyware. The report highlights the challenges of abuse-proofing mercenary spyware and the importance of tech companies' notifications in uncovering these activities.

KEY TAKEAWAYS:

  • Paragon Solutions is a new player in the spyware market claiming to operate ethically, yet their Graphite spyware has been used to target civil society.

  • Their spyware employs advanced techniques, including loading into existing apps, making forensic analysis more difficult.

  • WhatsApp and Apple notifications were critical in identifying targets and uncovering Paragon's operations.

  • The report raises questions about the oversight and potential misuse of spyware by government customers, including possible links to law enforcement in Ontario, Canada, and acknowledged use in Italy.

  • Despite Paragon's claims, the report suggests that no mercenary spyware can be truly "abuse-proof".

💻 Malware and Vulnerabilities

Critical Veeam Backup & Replication Flaw Requires Immediate Patch: Veeam has released patches for a critical remote code execution vulnerability (CVE-2025-23120) in its Backup & Replication product. The flaw could allow attackers to execute arbitrary code remotely if they are authenticated domain users. Users of version 12.3.0.310 and previous version 12 builds are urged to update to version 12.3.1 (build 12.3.1.1139) immediately. The vulnerability stems from deserialization issues.

Critical Nakivo Backup Flaw Exploited, Allowing Data Access: A high-severity vulnerability (CVE-2024-48248) in Nakivo Backup and Replication is being actively exploited, potentially allowing attackers to read sensitive files and execute code remotely. Discovered by watchTowr, the flaw was silently patched in November 2024. CISA has added it to its KEV list, urging immediate patching.

GitHub Action Compromise Exposes Sensitive Data: CISA warns of a supply chain attack affecting the popular tj-actions/changed-files GitHub Action. A compromised GitHub Personal Access Token allowed attackers to inject malicious code, potentially exposing secrets like AWS keys and PATs from action logs. Users should update to version 46.0.1, audit workflows, and rotate secrets. The attack may have cascaded from a compromised reviewdog/action-setup@v1.

📈 Breaches and Incidents

WEMIX Gaming Platform Hit by $6.1 Million Crypto Hack: The blockchain gaming platform WEMIX suffered a cyberattack in February 2025, resulting in the theft of $6.1 million worth of WEMIX tokens. Hackers infiltrated the network over two months after stealing authentication keys. WEMIX was taken offline for security upgrades and aims to restore service on March 21, 2025.

Kimsuky Cyberattack Targets South Korean Reunification Efforts: A new watering hole attack attributed to the North Korean group Kimsuky exploited a South Korean university website. Malicious HWP files were used to target individuals interested in reunification programs, deploying malware for persistence and further exploitation. Organizations involved in these initiatives should exercise caution.

🚨 Threat Intel & Info Sharing

Spyware SpyX Breach Exposes Data of Nearly 2 Million: A data breach at spyware operation SpyX in June 2024 compromised nearly 2 million individuals, including Apple users. The breach exposed email addresses and around 17,000 Apple iCloud usernames and passwords. This incident underscores the significant privacy risks associated with stalkerware.

AiXBT Token Plummets After $100K Ethereum Hack: Popular AI influencer AiXBT experienced a security breach, resulting in the loss of approximately $100,000 in Ethereum. Following the hack, the AiXBT token on Base saw a significant drop of around 20% in the last 24 hours. This decline occurred amidst a broader downturn in the market for AI agent tokens.

Netherlands Pushes for "Tech Sovereignty," Ditching US Tech: The Dutch parliament has passed eight motions urging the government to replace US-made technology with local alternatives to safeguard digital sovereignty. This move is fueled by concerns over government data security, reliance on US tech giants, and the geopolitical climate influenced by the Trump administration. While the government isn't legally obligated, the broad parliamentary support creates pressure for action.

N. Korea Boosts Cyber Warfare Capabilities with New AI Research Center: North Korea is escalating its cyber offensive by establishing Research Center 227 under its military's Reconnaissance General Bureau. This new center will focus on developing AI-powered hacking technologies to neutralize Western cybersecurity, steal assets, and disrupt networks. Around 90 top computer experts will staff the center, which will operate 24/7.

Microsoft Uncovers Stealthy StilachiRAT Malware Targeting Sensitive Data: Microsoft researchers have identified a novel remote access trojan called StilachiRAT that employs advanced methods to evade detection and steal sensitive information, including browser credentials and cryptocurrency wallet data. The malware also monitors clipboards and RDP sessions. Microsoft is sharing findings and guidance to help defenders mitigate this evolving threat.

Iran's Critical Infrastructure Targeted in Sophisticated Cyber Attack: The Presidential AFTA Strategic Management Center reported that the APT15 hacking group allegedly infiltrated the country's critical infrastructure, gaining access to sensitive information. The attack, using advanced techniques, was detected and contained, with security teams working to secure systems and prevent future incidents. Organizations are urged to bolster their cyber defenses.

Leaked Black Basta Chats Hint at Russian Official Aid: Internal chats of the Black Basta ransomware gang suggest their alleged leader Oleg Nefedov may have received help from Russian officials to escape Armenia after his arrest. The leak also reveals the group's tactics, including using ChatGPT, developing malware like BRUTED, and possible links to other ransomware operations.

⚖️ Laws, Policies and Regulations

EU Requires Apple to Boost Interoperability for Innovation: The European Commission, under the Digital Markets Act, has mandated that Apple enhance interoperability between its iOS platform and third-party devices and apps. This decision aims to foster innovation and provide European consumers with a wider range of connected devices like smartwatches and headphones that work better with iPhones. The new measures also streamline the process for developers seeking interoperability with iPhone and iPad features.

US Scales Back Efforts Against Russian Sabotage Amid Policy Shift: Under the Trump administration, the US has suspended a coordinated effort by several national security agencies to counter Russian sabotage, disinformation, and cyberattacks. This reverses a Biden-era initiative that involved collaboration with European allies. The move has sparked concern among officials who fear a de-prioritization of Russian hybrid warfare threats as Trump seeks improved relations with Moscow.

Hong Kong Passes Cybersecurity Law for Critical Infrastructure: Hong Kong has enacted a new cybersecurity law to bolster the protection of its critical infrastructure systems against cyberattacks, with potential fines reaching HK$5 million for violations. The legislation will apply to sectors such as energy, IT, banking, and transport. While authorities state the law aims to enhance security, some tech firms have expressed concerns about a possible "chilling effect" on tech investment in the city. The government will also have the power to seek court warrants to access systems in certain situations. The law will regulate over a hundred operators, though the list will not be public.

UK Issues Post-Quantum Cybersecurity Migration Roadmap: The UK's NCSC has released new guidance outlining a three-phase plan for organizations to transition to quantum-resistant encryption by 2035. This move aims to safeguard sensitive data against future threats from quantum computers that could break current encryption methods. Organisations are urged to begin planning their migration now to ensure a smooth transition.

⚖️ Cybersecurity Startups and VCs

360 Privacy Secures $36 Million to Combat Data Leaks: 360 Privacy, a digital executive protection platform, has raised $36 million to scan the web for leaked personal information and remove it. Their technology safeguards enterprises and individuals from online threats like doxing by identifying and mitigating vulnerabilities. The funding will fuel expansion and product development.

Europol Warns of Evolving and More Dangerous Organised Crime: A new Europol report reveals that organised crime's "DNA" is changing, becoming more destabilising, leveraging digital tools, and exploiting AI, posing a growing threat to the EU's security. Law enforcement must adapt to these evolving tactics.

📅 Upcoming Events

🚀 Join us for an exclusive virtual event in April, where AI and cybersecurity experts will discuss how AI and Machine Learning are revolutionizing cyber defense. This session will feature expert panel discussions exploring AI-driven threat detection, automated response strategies, and the future of intelligent security.

This is a limited virtual event tailored for CISOs and executives. It is free to join, so register today.

We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email at [email protected].

Thank you for being part of our newsletter community. You can also join the community on our LinkedIn Group.