🚨Week 27: Qantas Breach, Max Financial Hack, Microsoft Disrupts N. Korea Emails, Cisco Critical Flaws, GDPR AI Clampdown & More

Insights into Cyber Risks, Threat Intel, Government and Regulations, Startup and VC updates

The Cybersecurity Club is running its first survey, capturing the Top Risks of H1 2025. The first half of 2025 has already seen major shifts in the cyber landscape - AI-powered phishing attacks are on the rise, ransomware is hitting critical infrastructure harder than ever, and supply chain breaches continue to disrupt operations worldwide. Emerging threats like quantum risks and AI-driven attacks are reshaping how we think about security, all while talent shortages and new regulations add to the challenge.

This quick 10-minute survey is designed to capture the most pressing cybersecurity risks and trends impacting organizations in the first half of 2025. Your insights are invaluable in helping us build a comprehensive risk landscape overview.

You can access the survey here: Survey Link

North Korea-Linked Hackers Target macOS with "Nimdoor" via Fake Zoom Updates

A North Korea-linked cyber group is deploying a new macOS backdoor called "Nimdoor", delivered via malicious Zoom update packages to infiltrate crypto and Web3 organizations. Disguised as legitimate installers, the fake packages are hosted on compromised or attacker-controlled domains. Upon execution, they drop malware designed to persist on the device and provide full remote access to the attacker.

The malware is coded in Nim, a less common programming language, likely chosen to evade conventional detection methods. Once installed, Nimdoor creates LaunchAgents to maintain persistence and avoid scrutiny. It enables attackers to exfiltrate data, monitor user activity, and potentially expand their foothold within the victim's network. This campaign underscores the DPRK’s continued focus on financially motivated espionage, especially targeting decentralized finance and crypto technologies.

🔍 Key Briefing Points (What Happened)

  • Infection Vector: Victims were tricked into downloading malicious Zoom installers from spoofed or attacker-hosted websites.

  • Malware Behavior: The "Nimdoor" backdoor establishes persistence via LaunchAgents and provides remote shell capabilities, data collection, and file access.

  • Programming Language: Written in Nim, complicating reverse engineering and detection by traditional antivirus tools.

  • Targets: Focused on macOS users in Web3, crypto, and blockchain-related sectors, likely selected for their financial value.

  • Attribution: Activity linked to North Korean state-sponsored groups known for targeting financial platforms to generate revenue.

  • Mitigation:

    • Enforce strict application source validation (install only from official vendors).

    • Monitor for unauthorized LaunchAgents and new executables.

    • Apply macOS behavioral monitoring and endpoint detection controls. LINK
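One way to act on the "monitor for unauthorized LaunchAgents" point above, as an added example that is not code from the newsletter or from SentinelOne's write-up: it parses LaunchAgent plists and flags agents whose program lives outside vendor-controlled directories, in hidden or temporary paths, or is configured to auto-start and respawn. The trusted-directory list, the heuristics and the two sample plists are assumptions constructed for illustration.

```python
import plistlib
from pathlib import Path

# Where a legitimately installed agent's binary is expected to live (assumption).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/bin/", "/usr/libexec/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

def program_of(plist: dict) -> str:
    """Executable the agent runs: Program, else ProgramArguments[0]."""
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else "")

def suspicious_reasons(plist: dict) -> list[str]:
    """Reasons a LaunchAgent plist looks like unauthorized persistence."""
    prog = program_of(plist)
    if not prog:
        return ["no program specified"]
    reasons = []
    if not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted dirs: {prog}")
    hidden = any(part.startswith(".") for part in Path(prog).parts)
    if hidden or prog.startswith(TEMP_PREFIXES):
        reasons.append("program in hidden or temporary path")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (auto-start, restarts if killed)")
    return reasons

def audit(plist_bytes: bytes) -> list[str]:
    """Parse raw plist bytes (XML or binary) and return its suspicious reasons."""
    return suspicious_reasons(plistlib.loads(plist_bytes))

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents directory, keyed by file name."""
    return {p.name: audit(p.read_bytes()) for p in directory.glob("*.plist")}
# Constructed sample plists for offline use (not real Nimdoor artifacts).
BENIGN = b"""<plist version="1.0"><dict>
<key>Label</key><string>us.zoom.updater</string>
<key>ProgramArguments</key><array><string>/Applications/zoom.us.app/Contents/MacOS/zoom.us</string></array>
</dict></plist>"""
SUSPECT = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.zoom.update</string>
<key>ProgramArguments</key><array><string>/Users/me/Library/.cache/zoom_update</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for d in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")):
        for name, reasons in scan_launch_agents(d).items():
            print("SUSPECT" if reasons else "ok", name, "; ".join(reasons))
```

Run it on a Mac to list every per-user and system LaunchAgent with the reasons it was flagged; a hit is a starting point for triage, not proof of compromise.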

💻 Malware and Vulnerabilities

DPRK deploys “Nimdoor” macOS malware against Web3 firms: SentinelOne documents a Nim-based macOS backdoor - Nimdoor - used by North Korea-linked threat actors to breach at least dozens of Web3 & crypto platforms, exploiting social engineering and developer tooling. LINK

Cisco patches root SSH login flaw in voice systems: Cisco issued four security advisories, including a critical 10/10 CVSS-rated vulnerability - hardcoded root SSH credentials - in its Unified Communications Manager. Users are urged to apply patches immediately. LINK

CISA adds two flaws to KEV catalog amid active exploitation: On July 1, CISA added two newly exploited vulnerabilities (CVEs unspecified) to its Known Exploited Vulnerabilities list, urging public and private sectors to patch systems before further compromises. LINK

📈 Breaches and Incidents

Qantas cyber incident exposes 6 million customer records: Qantas confirmed that a cybercriminal accessed data on a third-party contact-centre platform, compromising personal details—including names, email addresses, phone numbers, birth dates, and frequent-flyer numbers—of approximately 6 million customers. The airline states that no financial details, passenger travel history, passwords, passport or credit-card numbers were accessed. Containment and incident response are complete, and relevant regulatory bodies have been notified. LINK

Max Financial discloses breach at Axis Max Life, scale pending: Max Financial revealed unauthorized access to customer data at its Axis Max Life insurance subsidiary after receiving a threat actor notice. As of now, the company is reviewing access logs and conducting forensic investigations; no specific figures on affected users or data types have yet been shared. LINK

Researcher seizes over 60,000 spyware‑compromised accounts: Security researcher Eric Daigle commandeered more than 60,000 user accounts compromised via spyware, demonstrating how easily commercial surveillance tools can hijack systems. The exposed accounts reveal broad misuse of login credentials without proper user consent or awareness. LINK

German charity Welthungerhilfe hit by ransomware, recovery underway: Welthungerhilfe, a major aid organization, was struck by ransomware that locked systems and disrupted services across its network. An unknown number of devices—and potentially affected personnel—are being remediated through forensic and operational recovery processes to restore full functionality. LINK

Hacker leaks internal Telefónica data in latest breach: An alleged attacker leaked internal Telefónica files—size and user counts remain unspecified—raising alarms about corporate data security. The breach could affect millions given Telefónica’s large customer base in Europe and Latin America. LINK

🚨 Threat Intel & Info Sharing

Russian court jails man over pro‑Ukraine cyberattacks: Russian authorities sentenced an individual to unspecified jail time for executing cyberattacks in support of Ukraine. This is part of a broader campaign by the Kremlin to clamp down on digital dissent. LINK

Microsoft deactivates 3,000 DPRK-linked email accounts: Microsoft has shut down roughly 3,000 email accounts tied to North Korean IT workers, aiming to disrupt their cyber-financing and espionage infrastructure. LINK

Microsoft plans 9,000 job cuts in strategic reset: The tech giant will lay off approximately 9,000 employees—about 5 % of its workforce—as part of a major restructure aimed at refocusing on AI, cloud computing, and operational efficiency. LINK

Spanish police dismantle international phishing and money laundering ring: Spain’s National Police arrested several suspects and seized assets connected to a transcontinental cyber-fraud network. The operation likely involved thousands of phishing messages and millions in illicit transfers. LINK

Pro‑Russian hacktivist groups realign, new risks emerge: Intel 471 reports several pro-Russian hacktivist collectives have merged or rebranded, creating agile cyber units that coordinate across Discord and Telegram—posing escalating threats to Western infrastructure. LINK

Nimdoor spread via fake Zoom updates targets macOS: DPRK-linked actors are distributing the Nimdoor malware to macOS systems in crypto and Web3 sectors via counterfeit Zoom update installers. Impact remains unquantified, but it's a growing campaign. LINK

Germany calls for ban on DeepSeek AI over GDPR violations: German regulators are pushing Apple and Google to remove DeepSeek AI, citing violations of GDPR. Potential user impact includes data profiling across millions of users. LINK

France flags China‑linked Ivanti zero-day exploits: France’s cybersecurity authorities warn of ongoing exploitation of at least two zero-day flaws in Ivanti systems by hackers linked to China, urging immediate patching. LINK

⚖️ Laws, Policies and Regulations

EU finalises DORA Threat-Led Penetration Testing rules: The European Commission’s Delegated Regulation (EU 2025/1190), supplementing the Digital Operational Resilience Act (DORA), has been published in the Official Journal and will take effect on 8 July 2025, 20 days post-publication. It mandates threat-led penetration testing (TLPT) for financial entities meeting defined impact, risk and systemic criteria. Entities will receive formal TLPT notices and must submit initiation info within 3 months, plus a detailed scope within 6 months. The rules outline internal tester qualifications, red-team methodology, supervisory cooperation, reporting phases and mutual recognition standards. LINK

Former ransomware negotiator probed in U.S. for collusion: U.S. law enforcement is investigating a former ransomware negotiator for alleged collaboration with cybercriminals—potentially profiting from extortion in multiple high-profile breaches. LINK

INTERPOL reports global scam center growth, warns of surge: INTERPOL’s new briefing reveals a 30 % surge in centralized scam hubs worldwide over the past year, calling for enhanced intelligence-sharing among international agencies. LINK

⚖️ Cybersecurity Start Ups and VCs

Mastercard Backs Cybersecurity Startups with Start Path: Mastercard has launched a new Security Solutions program under its Start Path initiative to support startups specializing in cybersecurity, fraud prevention, digital identity, and payment resiliency. The first cohort includes OneID, Scamnetic, Spec, VanishID, and Shield-IoT, selected through a global application process. These startups offer innovative solutions ranging from AI-driven scam detection to safeguarding connected payment systems. Since its inception in 2014, Start Path has supported over 475 startups across 60 countries, aiming to enhance security in the digital economy. LINK

FoxyWallet haul: 40 malicious Firefox extensions found: Researchers at Koi Security discovered 40 malicious Firefox extensions—collectively used by thousands—to steal crypto assets and credentials, delivered via compromised mirror sites and side-loaded distributions. LINK

📅 Upcoming Events

If you would like to sponsor any of our future in-person or virtual events, please email us at [email protected]

We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email at [email protected].

Thank you for being part of our newsletter community. You can also join the community on our LinkedIn Group.