Triaging the Week 075
Surge in Malware Targeting Crypto Devs, AI Deepfake Scams Hit Instagram, and DPRK Hackers Target Zoom
Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week's top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories
2025 Blockchain Threat Report Highlights Surge in Malware Targeting Crypto Developers
Socket’s 2025 Blockchain Threat Report reveals a rise in malicious npm and PyPI packages targeting cryptocurrency developers with credential stealers and crypto-drainers. The report urges Web3 devs to adopt dependency scanning and provenance checks to counter these evolving supply chain attacks.
Key takeaways:
🦠 Malware Surge: Approximately 75% of malicious blockchain-related packages tracked in 2025 were hosted on npm, while 20% were hosted on PyPI. These packages targeted Ethereum, Solana, TRON, and TON, utilizing credential stealers and crypto drainers that exfiltrate wallet secrets via Telegram, Discord, or blockchain RPCs.
🕵️‍♂️ Credential Stealers: These packages scan developer environments for wallet files (e.g., ~/.config/solana/id.json), stealing seed phrases and private keys, often using monkey-patched libraries or trojanized versions, such as solana-web3.js.
💸 Crypto Drainers & Clippers: Drainers initiate immediate on-chain fund transfers, while clipboard hijackers swap wallet addresses using regular expressions (regex) and APIs like clipboardy, evading detection due to their simplicity and cross-platform reach.
🔒 Defensive Measures: Socket recommends blocking clipboard APIs in production, scanning dependencies for wallet regexes, enabling real-time alerts for clipboard monitors, and pinning dependencies with provenance checks to prevent stealth updates.
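As an added example (not Socket's tooling or code from the report), here is a small static triage scanner that flags the indicator combinations the takeaways above describe: clipboard APIs, wallet-address regexes, wallet-file paths, and Telegram/Discord exfiltration endpoints. The indicator list, verdict thresholds and the two package fixtures are constructed assumptions.

```javascript
// Added example, not code from Socket or the newsletter: a static triage
// scanner for npm package sources. Inputs are in-memory strings so it runs
// offline; the two sample packages at the bottom are constructed fixtures.

const INDICATORS = [
  // clipboardy / browser clipboard / shell clipboard helpers
  { id: 'clipboard-api', re: /['"]clipboardy['"]|navigator\.clipboard|\b(pbcopy|xclip|xsel)\b/ },
  // regex literals shaped like EVM (0x + 40 hex), Solana (base58 32-44) or TRON (T + 33) addresses
  { id: 'wallet-regex', re: /0x\[[^\]]+\]\{40\}|\[[^\]]+\]\{32,44\}|\bT\[[^\]]+\]\{33\}/ },
  // wallet secret locations and seed-phrase keywords
  { id: 'wallet-file', re: /\.config\/solana\/id\.json|seed[_ -]?phrase|mnemonic|keystore/i },
  // out-of-band exfil channels named in the report
  { id: 'exfil-endpoint', re: /api\.telegram\.org\/bot|discord(?:app)?\.com\/api\/webhooks/i },
];

// Scan every file of a package ({ path: source }) and return one finding per
// (file, indicator, line) so an analyst can jump straight to the evidence.
function scanPackage(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    source.split('\n').forEach((text, i) => {
      for (const { id, re } of INDICATORS) {
        if (re.test(text)) findings.push({ path, id, line: i + 1 });
      }
    });
  }
  return findings;
}

// Verdict logic (assumed thresholds): a lone clipboard hit is common in CLIs
// and only warrants review, clipboard access plus a wallet regex is the
// clipper pattern, and a wallet-file read or an exfil endpoint blocks alone.
function triage(files) {
  const findings = scanPackage(files);
  const ids = new Set(findings.map(f => f.id));
  const block = ids.has('exfil-endpoint') || ids.has('wallet-file') ||
    (ids.has('clipboard-api') && ids.has('wallet-regex'));
  return { verdict: block ? 'block' : ids.size ? 'review' : 'allow', findings };
}

// Constructed fixtures: a benign copy-to-clipboard helper and a clipper-like package.
const BENIGN = { 'index.js': "const clipboard = require('clipboardy');\nmodule.exports = s => clipboard.writeSync(s.trim());\n" };
const SUSPECT = {
  'lib/util.js': "const cb = require('clipboardy');\nconst EVM = /0x[a-fA-F0-9]{40}/;\n",
  'lib/post.js': "const hook = 'https://api.telegram.org/bot<TOKEN>/sendMessage'; // placeholder\n",
};
```

Run it as a pre-install gate over an unpacked tarball (read each file into the `files` map) and treat `block` as a hard stop and `review` as a queue for a human look.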
Google Chrome Zero-Day Exploited in Targeted Attacks
A critical zero-day vulnerability (CVE-2025-2783) in Google Chrome has been actively exploited by the TaxOff threat actor. This sophisticated campaign uses phishing emails to deploy the Trinper backdoor, primarily targeting government agencies.
Key takeaways:
🕵️‍♀️ Zero-Day Exploit: A critical flaw in Google Chrome (CVE-2025-2783) was actively exploited, allowing attackers to install malware without user interaction.
🎣 Phishing Campaigns: Attackers leveraged deceptive phishing emails, often disguised as event invitations, to trick victims into clicking malicious links.
💻 Trinper Backdoor: The deployed Trinper backdoor is highly capable, designed for data exfiltration, keylogging, and remote control of infected systems.
🏛️ Government Targets: The TaxOff threat actor specifically focused on compromising domestic government agencies using social engineering tactics.
🛡️ Urgent Patching: Google has released a patch for this vulnerability, emphasizing the critical need for users to update their Chrome browsers immediately.
North Korean Hackers Use Deepfake Execs in Zoom Calls to Spread Mac Malware
State-sponsored hackers from North Korea are now using sophisticated deepfake technology to impersonate company executives in Zoom meetings, tricking employees into installing malicious macOS malware. This new tactic is part of a broader campaign aimed at cryptocurrency theft.
Key takeaways:
🕵️‍♂️ Deepfake Impersonation: The North Korean hacking group, known as BlueNoroff (TA444), is creating deepfake likenesses of executives for video calls, adding a new layer of social engineering to their attacks.
🪲 macOS Malware: The ultimate goal of these deceptive meetings is to persuade employees to install malware on their macOS systems, which is then used to steal cryptocurrency.
🛡️ Evolving Tactics: This campaign showcases the ongoing evolution of threat actor techniques, integrating advanced AI-driven methods with traditional social engineering tactics to circumvent security measures.
💡 Heightened Awareness Needed: This incident underscores the urgent need for employees to be trained to recognize and report suspicious requests, even if they appear to come from a trusted senior-level executive. Verify unusual requests through a separate communication channel.
AI Deepfake Scams Hit Instagram, Impersonating Banks
Scammers are leveraging Instagram ads with AI-powered deepfake videos to impersonate major banks like BMO and EQ Bank, tricking customers into revealing personal information and banking credentials for phishing and investment fraud. These sophisticated campaigns highlight the evolving threat landscape in online advertising.
Key takeaways:
🤖 AI Deepfakes: Fraudsters are using AI-generated deepfake videos to create highly convincing fake ads, making it difficult for users to distinguish legitimate content from scams.
🏦 Bank Impersonation: These scams specifically target banking customers by mimicking trusted financial institutions, such as BMO and EQ Bank, leveraging their branding and even using deepfakes of their executives.
🎣 Phishing & Fraud: The primary goal is to steal personal banking credentials and lure users into fraudulent investment schemes through fake websites or "private investment groups".
⚠️ User Caution: Consumers are advised to exercise extreme caution when encountering financial ads on social media and to always verify legitimacy by contacting banks directly through official channels.
⏱️ Removal Delays: Despite reports, there can be significant delays in social media platforms removing these fraudulent ads, leaving users vulnerable for longer periods.
Scattered Spider Hackers Pivot to Target US Insurance Companies
The financially motivated hacking group known as Scattered Spider is now targeting large U.S. insurance companies, employing sophisticated social engineering and identity-based attacks to breach networks and steal sensitive data. This shift follows their previous campaigns targeting mobile carriers and BPO firms.
Key takeaways:
📞 Social Engineering: Attackers are utilizing their advanced social engineering skills to impersonate IT and help desk personnel, tricking employees into providing credentials or installing remote monitoring tools.
🔑 Identity-Based Attacks: The group focuses on identity and authentication systems, bypassing MFA by tricking users into accepting push notifications or using stolen credentials to access virtual environments.
🏢 New Targets: After previously focusing on sectors like mobile carriers and BPO, the group is now actively targeting the U.S. insurance industry for financial gain.
🛡️ Defense Recommendations: Experts recommend that companies strengthen their defenses by improving infrastructure visibility, enforcing phishing-resistant multi-factor authentication (MFA), and educating employees on impersonation tactics.
🌐 Global Threat: This group is persistent and adaptable, representing a significant threat that requires organizations to be highly vigilant and prepared for sophisticated identity-based attacks.
Top Tips of the Week
Threat Intelligence
Establish a threat intelligence sharing community. Collaborate with peers to enhance collective defense against evolving threats.
Use STIX/TAXII standards for CTI sharing. Standardization enhances interoperability and information exchange.
Threat Hunting
Validate threat intelligence in cyber threat hunting. Ensure the accuracy and relevance of information for informed cybersecurity decisions.
Foster cross-industry collaboration. Learn from threat hunting practices in other sectors to enhance your defenses.
Educate your team. A knowledgeable team is your first line of defense. Train regularly for threat awareness.
Custom Tooling
Implement continuous integration and continuous deployment (CI/CD) for custom tools. Streamline the development and update process.
Feature Article
How much time do you spend wrestling with obfuscated code, decoding strange data formats, or trying to extract meaningful information from a messy block of text? As a cyber security analyst or threat intelligence professional, you know that data manipulation is a daily challenge. What if you had a single tool that could handle it all? You do! It’s called CyberChef.
CyberChef is a free, web-based application that serves as a “cyber Swiss army knife” for various data-related tasks. Developed by the UK’s GCHQ, it empowers you to perform complex encoding, decoding, compression, and data analysis without writing a single line of code. This guide will introduce you to CyberChef, explain why it’s a vital tool, and demonstrate its use for common analysis tasks.
Let’s dive in and see how CyberChef can transform your workflow.
Feature Course
What Will You Learn?
How to use Structured Analytical Techniques (SATs) to perform intelligence analysis.
What intelligence analysis technique to use and when.
Common challenges and how to overcome them.
How to practically apply analysis techniques.
Learning Resources
New from Just Hacking Training!
John Hammond and Corey Macy (Corgi) dive deep into social engineering and phishing techniques.
✅ Learn how to configure campaigns, clone login portals, and even use device code phishing to access services like Teams and Outlook. A must-watch for anyone serious about cyber security!
Corey also shares some wild physical pen-testing stories, including using a fake pregnancy belly for access! This live stream is packed with valuable insights and practical knowledge.
💪 Check it out and level up your social engineering game!
Google’s New AI Prompting Guide
Dive into Google's NEW Prompting Guide and unlock the secrets to effective AI communication with Jeff Su. AI is here to stay, and you need to know how to get the most out of it!
This video is packed with insights for anyone looking to master the art of prompting:
💡 The Power of Three: Instead of relying on the regenerate function, Google recommends asking for three variations in your initial prompt.
✍️ Multi-Step Workflows (Chain of Thought Prompting): Break down large, complex tasks into smaller, sequential prompts.
⏳ Template Timesavers: Ask AI models to brainstorm template ideas based on your role and responsibilities.
🔍 Top-Down Competitive Analysis: Begin with broad prompts to understand the overall landscape, and then use more specific prompts to uncover valuable insights.
📄 Supercharge PDFs with Google Docs (for Google Users): If you're a Google user, you can upload PDFs to Google Drive, open them with Google Docs, and then use Gemini within Google Docs to analyze the document.
Try these tips to improve your AI interactions today!
Level up your knowledge with Google NotebookLM!
This video by Franchesco dives into how you can use this powerful AI note-taking tool to revolutionize your workflow. While it's not strictly cybersecurity-focused, the techniques shown for managing and analyzing large volumes of information are directly applicable to our field.
Imagine using NotebookLM to:
😈 Analyze Threat Intel: Quickly synthesize reports, blog posts, and research papers to identify emerging threats and vulnerabilities.
⚠️ Incident Response: Streamline the process of collecting and summarizing data from various sources during incident investigations.
🪲 Vulnerability Management: Efficiently manage and cross-reference information from vulnerability scans, CVE databases, and vendor advisories.
🧑‍🔬 Security Research: Organize and analyze research papers, conference talks, and online discussions to stay ahead of the curve.
☑️ Compliance: Keep track of regulatory requirements and audit findings by summarizing and linking relevant documents.
Check out the video for practical examples and see how NotebookLM can boost your productivity!
Embrace the Vibes!
Learn the future of coding with AI! This video introduces "vibe coding" - where you tell the AI what you want, and it builds the code! Forget traditional coding, and embrace the vibes!
Topics explored:
💡 What is Vibe Coding? It's about using natural language prompts to guide AI (like LLMs) in building applications.
🧠 Thinking Frameworks: Plan your project thoroughly using logical, analytical, computational, and procedural thinking.
📚 Knowing Your Frameworks: Direct AI towards existing frameworks for better results.
💾 Checkpoints and Version Control: Use Git/GitHub to save your work.
🐛 Debugging: Identify problems and let the AI suggest solutions.
📝 Context: Provide detailed information to the AI for better outcomes.
🎬 Examples in Action: See vibe coding in action, building an SEO metatag app!
Ready to level up your coding game? Check out the video and think about how you can use vibe coding for cyber security!
🔗 Watch here: