The Cybersecurity Club Newsletter
🚨Week 22 Debrief: Russian Nuclear Facilities Exposed, TikTok Breach Leaks 428M Records, Coca-Cola Employee Data Stolen, AI Tools Used to Spread Malware, Banking Trojan Evolves
Insights into Cyber Risks, Threat Intel, Government and Regulations, Startup and VC Updates

APT41 Adopts Innovative Google Calendar Tactic for Malware Command and Control
A new report highlights innovative tactics by the PRC-based threat actor APT41. In a campaign discovered in late 2024, the group used spear phishing to deliver a malware called TOUGHPROGRESS. The malware chain uses stealth techniques and, notably, leverages Google Calendar for command and control (C2). TOUGHPROGRESS sends victim data and receives commands by creating and reading encrypted details within Calendar events on specific dates, which helps the traffic blend in with normal use of Google services. Google Threat Intelligence disrupted the campaign by blocking infrastructure and notifying targets. APT41 is known for using cloud services and free hosting for malware distribution across many campaigns.
Here are some key takeaways:
- The threat actor APT41 (also known as HOODOO) is assessed with high confidence to be PRC-based.
- Their new malware, TOUGHPROGRESS, uses Google Calendar as a novel channel for command and control (C2) communication.
- This Calendar C2 method has the malware create and read encrypted data within specific Calendar events on predetermined dates, sending victim information and receiving commands from the attacker.
- The malware was initially delivered via spear phishing using a ZIP archive hosted on an exploited government website, containing an LNK file masquerading as a PDF.
- The attack chain involves multiple modules (PLUSDROP, PLUSINJECT, TOUGHPROGRESS) employing evasion techniques such as memory-only payloads, encryption, compression, and control flow obfuscation.
- Google Threat Intelligence Group (GTIG) identified and disrupted the campaign by taking down attacker infrastructure and notifying affected organizations.
- APT41 has a history of using legitimate cloud services and free hosting platforms for malware distribution and C2 to evade detection.
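A defender-side heuristic for the Calendar C2 pattern described above, added here as an illustration (it is not code from the GTIG report or from Google): it scans exported calendar events for descriptions that look like opaque base64 ciphertext and only raises a finding once such events land on several distinct dates, matching the "predetermined dates" behaviour. The event records, their field names and the ciphertext stand-in are all constructed for the example.

```python
import math
import re
from collections import Counter
from datetime import date

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed stand-in for an encrypted payload: 128 characters drawn uniformly
# from the base64 alphabet (37 is coprime with 64, so each symbol appears twice).
BLOB = "".join(B64_ALPHABET[(i * 37) % 64] for i in range(128))

# Constructed calendar export. Field names are this example's own, not a vendor schema.
EVENTS = [
    {"id": "ev-1", "date": date(2025, 5, 30), "summary": "", "description": BLOB},
    {"id": "ev-2", "date": date(2025, 5, 31), "summary": "", "description": BLOB[::-1]},
    {"id": "ev-3", "date": date(2025, 5, 30), "summary": "Standup",
     "description": "Daily sync, link in chat"},
    {"id": "ev-4", "date": date(2025, 6, 2), "summary": "Q2 review",
     "description": "Slides: " + "A" * 120},
]

B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(text):
    """Bits per character of the text's empirical symbol distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_ciphertext(text, min_len=64, min_entropy=5.0):
    """Long, base64-charset-only, high-entropy text; prose fails on charset or entropy."""
    compact = "".join(text.split())
    if len(compact) < min_len or not B64_RE.match(compact):
        return False
    return shannon_entropy(compact) >= min_entropy


def flag_calendar_c2(events, min_dates=2):
    """Return ids of blob-carrying events once they span at least `min_dates` distinct dates.

    A single opaque description may be a pasted key or ticket; the pattern described
    is a series of such events on predetermined dates, so several are required.
    """
    suspicious = [e for e in events if looks_like_ciphertext(e["description"])]
    if len({e["date"] for e in suspicious}) < min_dates:
        return []
    return sorted(e["id"] for e in suspicious)
```

The thresholds (64 characters, 5.0 bits per character, two dates) are starting points to tune against a tenant's real calendar data before alerting on them.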
💻 Malware and Vulnerabilities
Internet Cafes Hit by Gh0st RAT for Crypto Mining
Hackers have been targeting South Korean Internet cafes since late 2024, exploiting cafe management software. They deploy the Gh0st RAT and other malware to hijack systems and mine cryptocurrencies such as Ethereum and RavenCoin using tools like T-Rex CoinMiner. The campaign, likely linked to Chinese-speaking groups, aims to leverage the cafes' high-performance gaming PCs. Security updates are recommended.
Malware Masquerades as AI Tool Installers
Cybercriminals are exploiting the popularity of AI by distributing malware disguised as legitimate AI tool installers. Cisco Talos found threats including CyberLock, Lucky_Gh0$t, and the destructive malware Numero spread via fake websites and SEO poisoning. These campaigns target businesses and individuals seeking AI solutions, especially in the tech and marketing sectors.
Ransomware Groups Abuse Cloudflared Tunnels for Stealthy Access
Ransomware affiliates are widely misusing Cloudflared, a legitimate tunneling tool, for persistent access and lateral movement in compromised networks. Groups like BlackSuit and Medusa rename malicious instances for stealth. Security teams can detect this by hunting for renamed executables and tracking unique account IDs within Cloudflared tokens, which attackers rarely change.
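One way to implement the two hunts named above over process-creation telemetry, added here as an example rather than code from the reporting: it flags cloudflared running under a different file name (original file name versus on-disk image) and decodes the account tag out of any tunnel token on the command line, alerting when that tag is not one of the organisation's own. It assumes that a cloudflared tunnel token is base64-encoded JSON with an account tag in field "a", a tunnel id in "t" and a secret in "s"; the records, the token values and the known-account list are constructed placeholders.

```python
import base64
import json
import re

# Assumption (stated in the lead-in): a cloudflared tunnel token is base64-encoded JSON
# carrying an account tag "a", a tunnel id "t" and a secret "s". The account tag is what
# the defender tracks, since affiliates rarely change it between victims.
KNOWN_ACCOUNT_TAGS = {"org-account-tag-0001"}  # placeholder for the org's own Cloudflare account(s)


def make_constructed_token(account_tag, tunnel_id):
    """Build a token in the assumed shape for the sample records below (constructed, not real)."""
    payload = {"a": account_tag, "t": tunnel_id, "s": "c2VjcmV0LXBsYWNlaG9sZGVy"}
    return base64.b64encode(json.dumps(payload).encode()).decode()


# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
PROCESS_EVENTS = [
    {"Image": r"C:\Program Files\cloudflared\cloudflared.exe", "OriginalFileName": "cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run --token "
                    + make_constructed_token("org-account-tag-0001", "t-111")},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "cloudflared.exe",  # renamed copy
     "CommandLine": "svchost.exe tunnel run --token "
                    + make_constructed_token("attacker-tag-9999", "t-222")},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

TOKEN_RE = re.compile(r"--token\s+([A-Za-z0-9+/=]+)")


def account_tag_from_token(token):
    """Decode a token and return its account tag, or None if it is not the assumed shape."""
    try:
        payload = json.loads(base64.b64decode(token, validate=True))
        return payload.get("a")
    except (ValueError, AttributeError):  # bad base64/JSON, or JSON that is not an object
        return None


def hunt_cloudflared(events, known_tags):
    """Flag cloudflared running under another file name, or with a token for a foreign account."""
    findings = []
    for ev in events:
        renamed = (ev["OriginalFileName"].lower() == "cloudflared.exe"
                   and not ev["Image"].lower().endswith("\\cloudflared.exe"))
        match = TOKEN_RE.search(ev["CommandLine"])
        tag = account_tag_from_token(match.group(1)) if match else None
        foreign = tag is not None and tag not in known_tags
        if renamed or foreign:
            findings.append({"image": ev["Image"], "renamed": renamed,
                             "account_tag": tag, "foreign_account": foreign})
    return findings
```

Tokens supplied through a credentials file or environment variable rather than on the command line will not be caught by the regex, so the renamed-binary check is the fallback in those cases.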
📈 Breaches and Incidents
Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale
A newly emerged threat actor, "Often9," claims to be selling 428 million unique TikTok user records on a cybercrime forum. The alleged dataset includes emails, mobile phone numbers, and various account details. Often9 claims this data was extracted by exploiting a vulnerability in an internal API that allowed access to private data before it was patched. TikTok is investigating the alleged breach. However, skepticism exists because sample data shows empty or generic fields, many included details are publicly accessible through scraping, and the seller is a new, unverified account with no reputation.
Russian Nuclear Base Blueprints Exposed in Massive Security Breach
A massive Russian security breach exposed hundreds of sensitive blueprints for modernized strategic nuclear bases in a public database. Experts deem this unprecedented access invaluable intelligence, revealing vulnerabilities despite Russian efforts to tighten security. Based on the sources, the sensitive details found in the blueprints of the Russian nuclear facilities included:
- Hundreds of original blueprints for the Strategic Missile Forces' bases.
- Detailed information about the enormous upgrade of military infrastructure at Russia's most protected facilities.
- Specific details about IT systems, electrical installations, and routing of water, heating, and ventilation.
- Detailed descriptions of security systems, including:
  - The presence of three layers of electric fences along the outer perimeter.
  - Sensors for seismic activity and radioactivity.
  - Explosion-proof doors and windows.
  - Reinforced concrete buildings.
  - Alarm systems with magnetic contacts and infrared sensors.
  - In some cases, the type and locations of internal surveillance cameras.
- The facilities' internal layout in great detail, including:
  - Where soldiers eat, sleep, and use the toilet.
  - Where they relax and exercise.
  - Which rooms in the basements store protective gear.
  - Where weapons cabinets stand.
  - Explicit details on the location of control rooms.
  - Which buildings are connected to each other via underground tunnels.
- Information allowing an understanding of how electricity is conducted, where water comes from, and how the different systems are connected.
Experts consider this type of material "ultimate intelligence" because it can help identify strengths and weaknesses and find weak points to attack. This information is described as something Russia would obviously want to keep hidden and makes the facilities potentially more vulnerable. It offers unprecedented insight into the innermost parts of Russia's nuclear modernization, allowing a view inside the buildings and underground, which was previously only possible via satellite imagery from above.
Victoria's Secret Website Down After Security Incident
Victoria's Secret has taken down its US website and some in-store services following a "security incident". The company is investigating with third-party experts and working to restore operations. This incident follows a spree of cyber attacks on other major retailers. As a precaution, customers are advised to change passwords and enable two-factor authentication.
SentinelOne Service Outage: RCA Published
On May 29, 2025, SentinelOne experienced a global service disruption due to a software flaw that deleted critical network routes; it was not a security event. While customer endpoints remained protected, management console access was impacted. SentinelOne is accelerating its infrastructure transition and improving recovery automation based on the root cause analysis.
🚨 Threat Intel & Info Sharing
Czech Republic Blames China for Cyberattack on Foreign Ministry
The Czech government has attributed a long-running cyberattack targeting a non-classified network of its Foreign Ministry to the People's Republic of China, specifically the APT31 group. Active since 2022 and impacting critical infrastructure, the attack was confirmed with high certainty by Czech security services. Czechia has condemned the action and received expressions of solidarity from the EU and allies.
FBI Warns of "Pig Butchering" Crypto Scams
The FBI has issued a FLASH report on Funnull Technology Inc., a Philippines-based company providing infrastructure for widespread "pig butchering" cryptocurrency investment fraud scams. These scams involve fraudsters building trust and directing victims to fake investment platforms where their money is stolen. The report provides technical indicators and advises vigilance, highlighting that HTTPS doesn't guarantee site legitimacy. Funnull acquires infrastructure from legitimate US providers and sells it to cybercriminals.
Evolving Android Banking Trojan Targets Peru
Zanubis, an Android banking Trojan, emerged in Peru in mid-2022. It impersonates legitimate Peruvian apps to trick users into granting accessibility permissions. Continuously developed, it steals credentials and performs remote actions, adding features like SMS hijacking and silent installation. The latest version focuses intently on banks and financial institutions in Peru.
Bitter APT Targets Pakistan Telecom During Conflict
Bitter APT likely targeted Pakistan Telecommunication Company (PTCL) in May 2025 during the regional conflict. The group used credentials from a compromised Counter Terrorism Department (CTD) email account, obtained via an infostealer, for a spear phishing campaign. A malicious IQY file delivered WmRAT to steal data and gain access to telecom infrastructure.
Vocational College Rises as Vulnerability Powerhouse
Qingyuan Polytechnic, a Chinese vocational college from a third-tier city, was honored by CNNVD for its significant vulnerability contributions. Despite its origins, focused programs and dedicated faculty have enabled students to discover and report high-risk vulnerabilities, including 0-days. This boosts student careers and China's national vulnerability resources.
Coca-Cola Employee Data Leaked After Ransomware Attack
Following an alleged ransomware attack by the Everest gang, Coca-Cola's internal data has been publicly released. The hackers dumped data, including passport scans, IDs, and addresses, for over 1,100 employees, mainly from the Middle East distributor, after the company reportedly ignored the ransom demand. This leak follows reports of another recent breach at Coca-Cola Europacific Partners.
⚖️ Laws, Policies and Regulations
NATO Embraces New 5 Percent Defense Spending Target
NATO Secretary-General Mark Rutte is embracing a new defense spending target of 5 percent of GDP, expected to be agreed at the upcoming NATO summit. This is a significant jump from the current 2% goal. Driven by U.S. pressure and Russian tensions, some allies are already close to or planning to reach the higher benchmark.
Financial Groups Petition SEC to Rescind Rapid Cyber Disclosure Rules
Financial industry groups, including SIFMA, are petitioning the SEC to rescind requirements for rapid disclosure of material cybersecurity incidents (Form 8-K Item 1.05 and Form 6-K). They argue the rule causes premature disclosure and market confusion, can be weaponized by criminals, and harms companies without benefiting investors. They believe existing rules suffice.
Trump Cyber Nominees Face Senate Hearing, Report Hold
President Trump's nominees for CISA Director (Sean Plankey) and National Cyber Director (Sean Cairncross) are scheduled for Senate testimony next week. Plankey's confirmation faces a hold by Senator Wyden, tied to the release of a CISA report on telecom vulnerabilities. Cairncross lacks a formal cyber background.
⚖️ Cybersecurity Startups and VCs
Horizon3.ai, a cybersecurity startup that provides tools like autonomous penetration testing, is seeking to raise $100 million in a new funding round and has locked down at least $73 million, the company revealed in an SEC filing this week.
Neuralink, Elon Musk’s brain implant startup, reportedly raised $600 million at a $9 billion pre-money valuation.
State-owned Saudi AI company Humain is making progress to launch Humain Ventures, a $10 billion venture fund that will invest in startups in the U.S., Europe, and Asia.
📊 Trends, Reports, Analysis
UK Fraud Cases Hit Record High Despite Stable Losses in 2024
UK Finance's 2025 report shows total fraud losses remained steady at £1.17 billion in 2024, but cases soared 12% to a record 3.31 million. While Authorised Push Payment (APP) fraud cases fell 20%, remote purchase fraud cases jumped 22%. The industry prevented £1.45 billion in unauthorised fraud.
📅 Upcoming Events
If you would like to sponsor any of our future in person or virtual events then please email us on [email protected]
We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email at [email protected].
Thank you for being a part of our newsletter community and you can be part of the community by joining our LinkedIn Group.