DOJ Seizes Almost 400 Websites Illegally Streaming World Cup Games

Clean GitHub repo tricks AI coding agents into running malware

Các nhà nghiên cứu của Mozilla 0DIN phát hiện ra cách tấn công tinh vi khiến các AI coding agent như Claude Code vô tình chạy malware từ kho GitHub sạch. Kẻ tấn công sử dụng ba thành phần hợp pháp: kho chứa tiêu chuẩn, gói Python gây lỗi và hướng dẫn chạy lệnh init, cùng script init tải payload từ record DNS TXT do kẻ tấn công kiểm soát. AI agent tự động sửa lỗi sẽ vô tình kích hoạt toàn bộ chuỗi tấn công, tạo ra reverse shell với quyền của nhà phát triển.

Lập trình viên nên đọc bài này để hiểu cách các công cụ AI tự động hóa có thể bị lừa bằng các kỹ thuật social engineering nhẹ nhàng trong mã nguồn, từ đó bảo vệ dự án của mình khỏi các cuộc tấn công không trực tiếp mà vẫn có thể gây thiệt hại nghiêm trọng.

Weekly Update 510: Live From Mallorca with Scott Helme

Troy Hunt and Scott Helme have launched 'Why no Passkeys?', a site inspired by their 8-year-old 'Why no HTTPS?' project that publicly tracked websites failing to implement HTTPS. The new site aims to similarly shame companies that haven't adopted passkeys, encouraging community pressure by country. Scott built the project largely solo using Claude Code, following Troy's original intent after a phishing incident prompted him to register the domain.

Glitch SPY RAT Distributed Via Fake Polish Rental App

Cyble Research and Intelligence Labs has identified a new Android malware family called Glitch SPY, distributed via a fake Polish apartment rental website that tricks users into sideloading an APK. The dropper is the known Brokewell Android Loader, which installs the Glitch SPY payload. Once installed, the RAT abuses Android Accessibility Service to auto-grant permissions and supports over 70 C&C commands covering live screen streaming, keylogging, SMS/contact/call log theft, camera and microphone surveillance, file management, shell execution, and remote browser control. A crypto-clipper module silently replaces copied cryptocurrency wallet addresses (ETH, TRON, Bitcoin) with attacker-controlled ones. A hidden remote browser runs on the victim's device using their IP and cookies, enabling stealthy web-based account takeover. The Builder module allows operators to generate customized payloads with configurable names, icons, and decoy URLs, indicating a reusable multi-campaign platform still under active development.

How the ToddyCat APT group gains access to Gmail accounts

Kaspersky researchers detail Umbrij, a new .NET malware tool used by the ToddyCat APT group to steal OAuth tokens from corporate Gmail accounts. The tool uses DLL sideloading via legitimate binaries (Bitdefender, Visual Studio, Google Desktop) to execute, then launches Chromium-based browsers in headless mode with remote debugging enabled. It connects via the DevTools protocol using Puppeteer Sharp, navigates to a Google OAuth authorization page using the client ID of legitimate Google Workspace tools (GWMMO/GWSMO), and automates clicks to grant permissions — capturing the resulting OAuth authorization code. The technique, dubbed Shadow Token via Remote Debug (STRD), exploits existing authenticated browser sessions to silently obtain API access tokens without triggering EPP/EDR alerts. Detection guidance includes monitoring for DLL loads from vulnerable apps, browser launches with remote debugging flags, and auditing third-party Google account permissions. Mitigation includes disabling browser developer tools via Group Policy and revoking unauthorized OAuth grants.

Mustang Panda Uses Zoho WorkDrive in India-Focused Espionage Campaigns

China-linked threat actor Mustang Panda has been running two concurrent espionage campaigns targeting Indian government entities and the hydropower sector. The campaigns deploy new malware implants — SHARDLOADER, MINIRECON, and ZOHOMURK — with ZOHOMURK abusing Zoho WorkDrive as a command-and-control channel to blend malicious traffic with legitimate cloud activity. Attack chains use hydropower- and government-themed lure documents delivered via compressed archives, leveraging DLL side-loading. Attribution is high-confidence based on code overlaps with prior Mustang Panda tooling. CISOs are advised to monitor cloud service traffic for anomalies, hunt for DLL side-loading behavior, and model threats around geopolitical and infrastructure-themed lures.

U.S. Offers $10 Million for Hackers Targeting WhatsApp and Signal Users

The U.S. Department of State is offering up to $10 million through its Rewards for Justice program for information on two Russian-linked hacking groups, UNC5792 and UNC4221, targeting Signal and WhatsApp users. These groups conduct phishing campaigns impersonating Signal support agents to steal backup recovery keys, compromising thousands of accounts belonging to U.S./NATO officials, military personnel, journalists, and NGOs. The encryption itself has not been broken — attackers exploit human factors instead. CISOs are advised to train users never to share recovery keys, apply stronger protections for high-risk staff, and review encrypted messaging policies for sensitive workflows.

UNC1151 Ghostwriter Hackers Target Belarusian Politician in Gmail Phishing Campaign

The UNC1151 (Ghostwriter) threat group ran a targeted phishing campaign against Belarusian pro-democracy politician Yury Hubarevich using a fake Google account-security warning in Russian. The attack chain used a compromised Ukrainian site to redirect victims to a fake Gmail login page that employed a real-time WebSocket connection to capture credentials and MFA codes, effectively bypassing SMS-based and OTP multi-factor authentication. Researchers at Censys traced the campaign through certificate artifacts and infrastructure pivoting to a broader phishing network targeting users in Belarus and Ukraine, including users of regional portals. Key takeaways for security teams include prioritizing phishing-resistant MFA (hardware keys/passkeys) for high-risk users, training users to verify account warnings via official channels rather than email links, and monitoring certificate reuse and domain naming patterns to uncover related phishing infrastructure.