In today’s cybersecurity news…

Pentagon welcomes Chinese engineers into its environment

In an unfortunate case of the fox guarding the henhouse, U.S. military systems are receiving backend support from engineers based in China. That may sound like a security risk, and that’s because it is. ProPublica reports that while these foreign engineers work through “digital escorts” in the U.S., the escorts often lack the technical skills to detect malicious code or misuse. The arrangement was approved by the Pentagon despite serious internal warnings from Microsoft staff about national security risks.

(ProPublica)

HazyBeacon: It’s not a beer, but it leaves a bitter aftertaste

A new state-backed cyber campaign, likely linked to China, is hiding in plain sight. Called HazyBeacon, the malware targets Southeast Asian governments using stealthy tactics. It installs via Dynamic Link Library (DLL) side-loading, tricking trusted programs into running malicious code. For command and control, it uses AWS Lambda URLs, disguising traffic as normal cloud activity. Once inside, it exfiltrates trade and policy documents through services like Google Drive—then wipes its tracks to avoid detection. Analysts at Unit 42 uncovered it through cloud traffic anomalies and forensic traces left behind after failed cleanup.

(The Hacker News)
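The two traits the story gives away, command and control over AWS Lambda function URLs and exfiltration through Google Drive, are both visible in egress proxy logs. As an added example (not from the Unit 42 report or the article), here is a small hunt over constructed proxy log lines: it flags any source host that talks to a Lambda function URL hostname, and raises the severity when the same host also pushes a large upload to the Drive API. The log format, the hostnames and the one-megabyte threshold are assumptions; the Lambda URL hostname shape (`<id>.lambda-url.<region>.on.aws`) and the Drive upload path prefix are real.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic).
# Fields: time, source host, method, URL, bytes sent.
SAMPLE_PROXY_LOG = """\
2025-07-15T09:01:02Z ws-finance-07 POST https://abcdefghijklmnop.lambda-url.ap-southeast-1.on.aws/ 512
2025-07-15T09:01:05Z ws-finance-07 GET https://abcdefghijklmnop.lambda-url.ap-southeast-1.on.aws/ 0
2025-07-15T09:03:44Z ws-finance-07 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 4812233
2025-07-15T09:10:12Z ws-dev-02 GET https://zyxwvutsrqponmlk.lambda-url.us-east-1.on.aws/status 0
2025-07-15T09:10:30Z ws-dev-02 GET https://api.github.com/repos/example/repo 0
2025-07-15T09:11:01Z ws-hr-03 GET https://www.google.com/search?q=lunch 0
"""

# Hostname shape of an AWS Lambda function URL: <id>.lambda-url.<region>.on.aws
LAMBDA_URL_HOST = re.compile(r"^[a-z0-9]+\.lambda-url\.[a-z0-9-]+\.on\.aws$")
# Google Drive upload endpoint (assumption: the proxy logs full URLs, so the path is visible)
DRIVE_UPLOAD_HOST = "www.googleapis.com"
DRIVE_UPLOAD_PATH_PREFIX = "/upload/drive/"


def parse_line(line):
    """Split one log line into (source_host, method, hostname, path, bytes_sent)."""
    _ts, src, method, url, sent = line.split()
    parts = urlsplit(url)
    return src, method, parts.hostname or "", parts.path, int(sent)


def hunt(log_text, upload_threshold=1_000_000):
    """Return {source_host: finding} for every host that contacted a Lambda function URL.
    Severity is 'high' when the same host also sent at least upload_threshold bytes to
    the Drive upload endpoint, 'medium' otherwise (a developer may use Lambda legitimately)."""
    lambda_hosts = {}  # src -> set of lambda-url hostnames contacted
    drive_bytes = {}   # src -> bytes sent to the Drive upload endpoint
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _method, host, path, sent = parse_line(line)
        if LAMBDA_URL_HOST.match(host):
            lambda_hosts.setdefault(src, set()).add(host)
        if host == DRIVE_UPLOAD_HOST and path.startswith(DRIVE_UPLOAD_PATH_PREFIX):
            drive_bytes[src] = drive_bytes.get(src, 0) + sent

    findings = {}
    for src, hosts in lambda_hosts.items():
        uploaded = drive_bytes.get(src, 0)
        findings[src] = {
            "lambda_hosts": sorted(hosts),
            "drive_bytes": uploaded,
            "severity": "high" if uploaded >= upload_threshold else "medium",
        }
    return findings


if __name__ == "__main__":
    for src, f in hunt(SAMPLE_PROXY_LOG).items():
        print(f"{src}: {f['severity']} - Lambda URL(s) {f['lambda_hosts']}, "
              f"{f['drive_bytes']} bytes to Drive uploads")
```

The point of the pairing is that neither signal alone is conclusive: plenty of shops call Lambda URLs, and plenty of users upload to Drive, but a workstation doing both in the same window is worth a look.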

What the world needs now is another framework

On July 14, 2025, MITRE launched AADAPT: Adversarial Actions in Digital Asset Payment Technologies. This new cybersecurity framework was designed specifically for blockchain and digital-payment systems. Built on the familiar ATT&CK architecture, AADAPT diverges by focusing on financially driven threats such as double-spend exploits, flash loans, smart‑contract hacks, and fraud. It offers hands-on guidance to crypto exchanges, DeFi developers, and under-resourced financial organizations.

(DarkReading)

All That Glitters Isn’t Gold

Konfety Android malware is scattering itself across the Google Play Store—again. It evades detection by manipulating the internal ZIP structure of APK files to hide malicious payloads during app review. Once installed, it quietly harvests user data and floods ad networks with fake traffic using CaramelAds, a legitimate ad platform exploited here for invisible ad fraud. Earlier Konfety variants racked up more than 10 billion fake ad requests per day, getting all over the place, just like its namesake. 

(Cyber Security News)
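An APK is a ZIP archive, and "manipulating the internal ZIP structure" generally means making the central directory and the per-file local headers tell different stories, so that one tool sees a harmless entry and another sees the payload. As an added example (not code from the researchers or the article, and not a reproduction of Konfety's specific trick, which the story does not detail), here is a consistency audit written with Python's standard library: it builds a constructed, APK-shaped ZIP, optionally tampers with one central-directory record so it claims encryption and an unsupported compression method while the local header stays plain, and then checks every entry for such disagreements. The file names and contents are constructed.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
EXPECTED_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}  # what a normal APK uses
FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0


def build_sample_apk(tampered: bool) -> bytes:
    """Constructed, minimal APK-shaped ZIP (not a real app). With tampered=True the
    central-directory record for assets/payload.bin is rewritten to claim encryption
    and compression method 99, while its local file header is left untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.constructed'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/payload.bin", b"constructed opaque blob " * 8)
    data = buf.getvalue()
    if tampered:
        data = _patch_central_entry(data, "assets/payload.bin", FLAG_ENCRYPTED, 99)
    return data


def _patch_central_entry(data: bytes, name: str, flags: int, method: int) -> bytes:
    """Rewrite flags and method of one central-directory record (test fixture only)."""
    out = bytearray(data)
    eocd = out.rfind(EOCD_SIG)
    pos = struct.unpack_from("<I", out, eocd + 16)[0]  # offset of central directory
    while bytes(out[pos:pos + 4]) == CENTRAL_SIG:
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", out, pos + 28)
        if bytes(out[pos + 46:pos + 46 + name_len]) == name.encode():
            struct.pack_into("<HH", out, pos + 8, flags, method)  # flags at +8, method at +10
            return bytes(out)
        pos += 46 + name_len + extra_len + comment_len
    raise ValueError(f"{name} not found in central directory")


def audit_zip(data: bytes) -> list:
    """Compare each central-directory record with the local header it points at and
    report disagreements, encryption flags, and compression methods an APK should not use."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            (sig, _ver, flags, method, _time, _date, _crc, _csize, _usize,
             name_len, _extra_len) = struct.unpack_from("<4sHHHHHIIIHH", data, off)
            if sig != LOCAL_SIG:
                findings.append(f"{info.filename}: no local header at offset {off}")
                continue
            local_name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
            if local_name != info.filename:
                findings.append(f"{info.filename}: local header is named {local_name!r}")
            if method != info.compress_type:
                findings.append(f"{info.filename}: central directory method {info.compress_type} "
                                f"vs local header method {method}")
            if (flags ^ info.flag_bits) & FLAG_ENCRYPTED:
                findings.append(f"{info.filename}: encryption flag differs between "
                                f"central directory and local header")
            if info.compress_type not in EXPECTED_METHODS:
                findings.append(f"{info.filename}: unexpected compression method {info.compress_type}")
            if info.flag_bits & FLAG_ENCRYPTED:
                findings.append(f"{info.filename}: entry marked encrypted")
    return findings


if __name__ == "__main__":
    print("clean   :", audit_zip(build_sample_apk(False)))
    print("tampered:", audit_zip(build_sample_apk(True)))
```

A clean archive produces no findings; the tampered one reports four for `assets/payload.bin`. The useful habit this encodes is that any ZIP reader used in a review pipeline should be cross-checked against the raw headers rather than trusted on its own, because the archive format gives an author two places to describe each file.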

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.

I Do Not Think That Means What You Think It Means

WeTransfer—a popular cloud service used to send large files—wreaked havoc when it updated its terms in July with language like: “You grant us a license to use, reproduce, modify, create derivative works of… and publicly display your content.” These phrases, often tied to AI training, received criticism from artists, writers, and voice actors who use the service. Another clause said WeTransfer could use content to “promote the service.” Creators pushed back, wanting to know whether that gave WeTransfer the ability to use their work in ads. While denying that it meant anything of the kind, WeTransfer revised the language, removing the AI-adjacent terms and limiting usage to what’s “strictly necessary” to run the platform.

(BBC news)

Hey, Whose Keys Are These?

Marko Elez, a government staffer working under the Department of Government Efficiency (DOGE), accidentally posted an active xAI API key to GitHub, exposing access to more than 50 Grok language models. The key stayed live even after it was removed from GitHub, raising red flags about how tightly AI credentials tied to government work are being handled. It’s sloppy. But for now, the real-world impact is likely limited: to actually access sensitive data or systems, an attacker would also need login credentials or access to private government deployments.

(Krebs)

And The Hits Just Keep On Coming

Cloudflare says it’s already blocked more DDoS attacks in 2025 than it did in all of last year—over 27 million so far, and we’re only halfway through. In just the last quarter, they stopped more than 6,500 major attacks, including one that hit 7.3 terabits per second. Telecom, gaming, even agriculture got hit hard, with most attacks coming out of Asia and targeting countries like China, Brazil, and Germany. These attacks are smarter, faster, and hitting industries no one expected. 

(SecurityWeek)

How to Be a North Korean Hacker in Five Easy to Learn Steps

North Korean “Contagious Interviews” just got more viral. Here’s what’s new in their latest supply chain campaign targeting developers. Step one: they pose as recruiters on LinkedIn and offer fake jobs—usually in crypto or tech. Step two: during the “interview,” they send a coding challenge and ask the target to install an npm package to complete it. What’s new? That package now includes a stealthy malware loader called XORIndex, found in 67 packages downloaded over 17,000 times. Step three: XORIndex runs silently and connects to a command server. Step four: it pulls down tools like BeaverTail and InvisibleFerret to steal browser data, crypto, and open a persistent backdoor. And step five: if that developer later joins your company and brings the same machine, credentials, or Git access—you’ve now got a nation-state backdoor inside your environment.

(InfoSecurity Magazine)
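The step that does the damage is step two: `npm install` on a package the target did not vet. The story does not say how XORIndex is triggered, but npm lifecycle hooks (`preinstall`, `install`, `postinstall`, `prepare`) run arbitrary commands at install time, which is why they are the first thing to look at in an unfamiliar dependency tree. As an added example (not code from the researchers or the article), here is an audit that walks a `node_modules` directory and lists every dependency declaring such a hook, marking the ones whose command matches a rough heuristic. The package names, the tree and the heuristic are constructed; the 67 XORIndex packages are not named in the story, so none of these are them.

```python
import json
import os
import re
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Assumption: a rough heuristic for hooks worth a close look, not a signature for anything.
SUSPICIOUS = re.compile(r"node\s+-e|curl|wget|eval\(|base64|powershell|child_process", re.I)


def find_install_hooks(node_modules: str) -> list:
    """Return sorted (package, hook, command, suspicious) tuples for every installed
    package, nested ones included, that declares an install-time lifecycle hook."""
    results = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        # A package root sits directly under node_modules, or under node_modules/@scope.
        parent = os.path.basename(os.path.dirname(root))
        grand = os.path.basename(os.path.dirname(os.path.dirname(root)))
        if not (parent == "node_modules" or (parent.startswith("@") and grand == "node_modules")):
            continue
        with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
            try:
                meta = json.load(fh)
            except json.JSONDecodeError:
                continue
        scripts = meta.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                cmd = str(scripts[hook])
                results.append((meta.get("name", os.path.basename(root)), hook, cmd,
                                bool(SUSPICIOUS.search(cmd))))
    return sorted(results)


def build_sample_tree() -> str:
    """Write a constructed node_modules tree to a temp dir: a harmless package, a native
    build helper with a legitimate-looking install hook, and a 'challenge helper' whose
    postinstall launches a hidden script. All names and contents are made up."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    packages = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
        "build-helper": {"name": "build-helper", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "@example/challenge-utils": {"name": "@example/challenge-utils", "version": "0.0.3",
                                     "scripts": {"postinstall": "node -e \"require('./lib/init.js')\""}},
    }
    for name, meta in packages.items():
        pkg_dir = os.path.join(nm, *name.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return nm


if __name__ == "__main__":
    for pkg, hook, cmd, flagged in find_install_hooks(build_sample_tree()):
        print(f"{'!!' if flagged else '  '} {pkg}: {hook} -> {cmd}")
```

Note that `build-helper` is listed but not flagged: native modules legitimately compile in an `install` hook, so a hook by itself is a prompt to read the command, not a verdict. For a take-home exercise from a stranger, the safer default is to install with `npm install --ignore-scripts` on a disposable machine and read anything the listing shows before ever running it with scripts enabled.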