Cybersecurity threats have escalated with sophisticated attacks from North Korean-linked groups targeting the Web3 sector, alongside the discovery of novel side-channel vulnerabilities impacting Trusted Execution Environments (TEEs) in Intel and AMD processors. These developments highlight the persistent and evolving nature of cyber threats across various technological domains.
A recent analysis reveals that BlueNoroff, a financially motivated group associated with North Korea’s Lazarus umbrella, has launched new campaigns, “GhostCall” and “GhostHire.” These campaigns leverage social engineering tactics on platforms like Telegram and LinkedIn, employing deceptive meeting invitations and job offers to deliver multi-stage malware. The payloads are designed to compromise Windows, Linux, and macOS systems, with the ultimate goal of data acquisition for further exploitation, including supply chain attacks. This marks an advancement in BlueNoroff’s operational stealth and data harvesting capabilities, moving beyond cryptocurrency theft to a broader range of assets.
In parallel, researchers have detailed the “TEE.fail” side-channel attack, which effectively bypasses the confidentiality protections of Intel and AMD’s TEEs in systems utilizing DDR5 memory. This attack requires physical access and root privileges to exploit, enabling the extraction of cryptographic keys and the subversion of secure attestation. The vulnerabilities affect Intel SGX and TDX, as well as AMD SEV-SNP, posing a significant risk to data secured within these hardware-based trusted environments.
Ransomware operations continue to be a prevalent threat, with the Qilin ransomware group observed employing the Windows Subsystem for Linux (WSL) to deploy Linux encryptors within Windows environments. This tactic aims to evade traditional security detection mechanisms. Concurrently, international law enforcement efforts have led to the extradition of a Ukrainian national to the United States in connection with the Conti ransomware operation. Conti was responsible for numerous high-profile attacks, including those targeting critical infrastructure, and is estimated to have extorted over $150 million in ransoms.
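As an added illustration that is not from the recap or from any vendor, the following detection sketch flags the WSL-based pattern described above when run over constructed Sysmon-style process-creation events; every path, account name, binary name and the approved-user allowlist is an assumed sample value.

```python
# Detection sketch: flag WSL-based Linux encryptor activity on Windows hosts.
# Events are constructed to mimic Sysmon Event ID 1 fields; not real telemetry.
import re
from typing import NamedTuple, Optional

WSL_IMAGES = {"wsl.exe", "wslhost.exe", "bash.exe", "wslconfig.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
MNT_PATH = re.compile(r"/mnt/[a-z]/", re.IGNORECASE)  # host drive exposed to the distro
INSTALL_FLAGS = re.compile(r"--(install|import|set-default-version)\b", re.IGNORECASE)
FEATURE_ENABLE = re.compile(r"Microsoft-Windows-Subsystem-Linux", re.IGNORECASE)

class Finding(NamedTuple):
    severity: str
    reason: str
    command_line: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event, approved_users=frozenset()) -> Optional[Finding]:
    """event = (Image, CommandLine, ParentImage, User); returns a Finding or None."""
    image, cmdline, parent, user = event
    if FEATURE_ENABLE.search(cmdline):          # DISM/PowerShell enabling WSL precedes any payload
        return Finding("medium", "WSL optional feature enabled", cmdline)
    if basename(image) not in WSL_IMAGES:
        return None
    if MNT_PATH.search(cmdline):                # a distro handed /mnt/<drive> can rewrite host files
        return Finding("high", "WSL command targets a Windows volume via /mnt", cmdline)
    if INSTALL_FLAGS.search(cmdline) and basename(parent) not in INTERACTIVE_PARENTS:
        return Finding("medium", "WSL distro installed from a non-interactive parent", cmdline)
    if user.lower() not in approved_users:      # WSL use outside the allowlisted developer accounts
        return Finding("low", "WSL used by an account not approved for WSL", cmdline)
    return None

def scan(events, approved_users=frozenset()):
    return [f for f in (evaluate(e, approved_users) for e in events) if f]

SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed: hypothetical paths, accounts and binary names
    (SYS32 + r"\wsl.exe", "wsl.exe -d Ubuntu -- /mnt/c/Users/Public/enc /mnt/d", SYS32 + r"\cmd.exe", r"CORP\svc-backup"),
    (SYS32 + r"\wsl.exe", "wsl.exe --install -d Ubuntu", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", r"NT AUTHORITY\SYSTEM"),
    (SYS32 + r"\dism.exe", "dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux", SYS32 + r"\cmd.exe", r"NT AUTHORITY\SYSTEM"),
    (SYS32 + r"\wsl.exe", "wsl.exe -d Ubuntu", SYS32 + r"\cmd.exe", r"CORP\svc-backup"),
    (SYS32 + r"\wsl.exe", "wsl.exe", r"C:\Windows\explorer.exe", r"CORP\jdoe"),
    (SYS32 + r"\notepad.exe", "notepad.exe notes.txt", r"C:\Windows\explorer.exe", r"CORP\jdoe"),
]
```

Developers use wsl.exe legitimately, so the low-severity rule only works with a maintained allowlist; the /mnt and feature-enable rules carry the signal on servers where WSL has no business being present.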
Several critical vulnerabilities have also been disclosed this week. The Veeder-Root TLS4B Automatic Tank Gauge System is affected by command injection flaws (CVE-2025-58428) and an integer overflow vulnerability (CVE-2025-55067) related to the year 2038 problem, both of which could lead to remote command execution or denial of service, according to CISA advisories. Additionally, security researchers have identified flaws in LUKS2 disk encryption used in eight confidential computing systems, raising concerns about potential data extraction. The Canadian Centre for Cyber Security has also issued warnings about hacktivists targeting industrial control systems (ICS), impacting sectors such as water and oil/gas. In Poland, authorities have dismantled an international criminal group involved in an investment scam, reportedly defrauding over 1,500 victims of approximately $20 million.
On a different front, WhatsApp is enhancing its user security by introducing passkey support for chat backups. This feature will allow users to encrypt their backups using device biometrics or screen lock codes, offering a more secure and convenient alternative to passwords or encryption keys.
The weekly recap also notes the emergence of new Remote Access Trojans (RATs) utilizing Discord for command and control, security weaknesses discovered in Tata Motors’ websites, and the release of MITRE ATT&CK version 18, which incorporates updated detection strategies and expanded coverage for mobile and ICS environments.