A threat activity cluster has been observed targeting fully-patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances as part of a campaign designed to drop a backdoor called OVERSTEP.
The malicious activity, dating back to at least October 2024, has been attributed by the Google Threat Intelligence Group (GTIG) to a group it tracks as UNC6148.
The tech giant assessed with

UNC6148 Backdoors Fully-Patched SonicWall SMA 100 Series Devices with OVERSTEP Rootkit

The decision between immediate action and delayed response made the difference between ransomware prevention and complete encryption in these two real-world Talos IR engagements.

Talos IR ransomware engagements and the significance of timeliness in incident response

The intelligence-gathering cyber campaign introduces the novel HazyBeacon backdoor and uses legitimate cloud communication channels for command-and-control (C2) and exfiltration to hide its malicious activities.

Attackers Abuse AWS Cloud to Target Southeast Asian Governments

Meme coins started as internet jokes, but by 2025, they’ve become one of the most volatile and talked-about…

Meme coins started as internet jokes, but by 2025, they’ve become one of the most volatile and talked-about parts of the crypto world. Once dismissed as unserious, these tokens now account for a major part of trading activity. According to analytics from CoinGecko and LunarCrush, meme coins made up close to one-third of all crypto-related social engagement earlier this year, despite representing only 2.5% of total market value in 2024.

****Constant Flood of New Tokens****

The pace of upcoming meme coins launches hasn’t slowed down. Thousands of tokens hit the market daily, often built on copy-paste codebases or anonymous developer teams. While a few turn into massive hits, most disappear just as quickly. This flood of projects creates space for both fast profits and equally fast losses.

Older names like Dogecoin and Shiba Inu remain relatively stable and continue to build use cases. They’ve managed to build loyal communities that give them staying power. That success has encouraged newer projects to combine humour with actual utility, from staking features to integrations with payment apps.

Price swings remain common. Some meme coins double within hours, only to crash days later. Others hold value thanks to strong community support or added features. It’s never just about the coin anymore; it’s about who’s holding it and why.

****Political Meme Coins and Market Manipulation****

One of the biggest shifts in 2025 has been the arrival of political meme coins. A recent example tied to former President Donald Trump brought in nearly $100 million in trading fees within two weeks, according to data compiled by blockchain analytics firms like Arkham Intelligence and Lookonchain. While those behind the coin profited heavily, tens of thousands of retail traders ended up in the red.

Political coins ride waves of attention during election cycles and major news events, creating unpredictable spikes in volume and volatility. Some are launched with genuine ideological motives, but many are just cash grabs. The risks go beyond financial loss. These projects are increasingly targeted by phishing campaigns, fake token clones, and wallet-draining scams.

The cybersecurity angle is serious. Hackers now follow the political coin trend, launching fake airdrop links and malicious browser extensions disguised as “wallet boosters” or “token claim” tools. Telegram and Twitter are loaded with scam bots pushing fake liquidity pools that drain connected wallets instantly.

****Strong Communities Make the Difference****

The most successful meme coins have one thing in common: strong, active communities. Projects like Bonk and Pepe grew large followings that did more than just speculate. These communities produce memes, build tools, hold contests, and organise meetups.

That activity creates value. It also acts as a first line of defence against scams. When a fake version of a token shows up, it’s usually the community that sounds the alarm first.

Many of these groups also publish guides on how to avoid common traps, like fake presale links or copycat contract addresses. As meme coins attract new investors, education from within the community has become more important than ever.

****Security Risks Beyond the Jokes****

Meme coins often get written off as harmless fun, but the reality is far more complicated. The low barrier to entry makes them a favourite target for cybercriminals. In 2024 alone, nearly $500 million was lost in meme coin rug pulls and contract exploits, based on estimates from Merkle Science.

Most of these scams follow the same pattern: an anonymous team hypes a token, builds a Telegram group overnight, then pulls the liquidity once enough buyers join. Other times, the contract contains backdoors that allow minting unlimited tokens or draining funds.

The growing interest in political and celebrity-backed coins has only increased this risk. Attackers now mimic the branding of real tokens, launch fake versions, and promote them through impersonated social accounts or hijacked YouTube channels.

Investors need to be alert. Always check the contract address from verified sources and avoid interacting with unknown links, especially during high-traffic token launches.

****Smarter Investing Requires Strategy****

Despite the chaos, it’s still possible to make money with meme coins, but not without a strategy. The best investors don’t chase hype blindly. They set clear profit goals and stop-loss points before entering any trade.

Diversification helps reduce damage from individual coin collapses. Spreading funds across several meme coins, ideally those with solid track records and active communities,  makes more sense than betting everything on a single trending token.

Social media can help with timing. Tools that track sentiment across Reddit, X (formerly Twitter), and Telegram are now widely used to predict spikes in interest. That said, traders should always check whether a pump is organic or just a result of influencer promotions.

****Influencer Hype and Paid Promotions****

Influencers still have a strong effect on meme coin markets. A single post from a high-profile figure can boost a token’s value instantly. But not all promotions are genuine. Many influencers are paid to push projects, and not all disclose it.

Smart investors learn to look past the hype. Reputable influencers share disclaimers, explain their reasoning, and warn followers about risks. The best ones avoid making wild promises or price predictions.

Due diligence remains key. Always assume a shill unless proven otherwise.

****Regulations and the Road Ahead****

The regulatory side of meme coins is catching up. In 2025, the US Securities and Exchange Commission released more detailed guidance on what qualifies as a security. Some meme coins now fall under this definition, which brings tighter rules but also more legitimacy.

Other countries vary widely. In Europe, meme coins are mostly unregulated unless tied to financial services. In parts of Asia, they’re outright banned. Traders need to know their jurisdiction’s stance before jumping in.

There’s also a push for greater transparency around developer identity and tokenomics. Several exchanges have begun requiring KYC for project listings to cut down on rug pulls.

Nevertheless, Meme coins in 2025 are no longer just jokes. They’ve become speculative assets that carry real risks and real opportunities. But they’ve also become a major attack surface in crypto, targeted by scammers, exploited by anonymous devs, and manipulated by hype cycles.

Success with meme coins now depends as much on cybersecurity awareness and research as it does on timing or community hype. If you’re jumping in, know the risks, read the contract, question the promo, and don’t assume fun equals safe.

Meme Coins in 2025: High Risk, High Reward, and Rising Security Threats

Governmental organizations in Southeast Asia are the target of a new campaign that aims to collect sensitive information by means of a previously undocumented Windows backdoor dubbed HazyBeacon.
The activity is being tracked by Palo Alto Networks Unit 42 under the moniker CL-STA-1020, where "CL" stands for "cluster" and "STA" refers to "state-backed motivation."
"The threat actors behind this

State-Backed HazyBeacon Malware Uses AWS Lambda to Steal Data from SE Asian Governments

Plus: An “explosion” of AI-generated child abuse images is taking over the web, a Russian professional basketball player is arrested on ransomware charges, and more.

WIRED reported this week on public records that show the United States Department of Homeland Security urging local law enforcement around the country to interpret common protest activities and surrounding logistics—including riding a bike, livestreaming a police encounter, or skateboarding—as “violent tactics.” The guidance could influence cops to use everyday behavior as a pretext for police action.

An AI hiring bot used on the McDonald’s “McHire” site exposed tens of millions of job applicants’ personal data because of a group of web-based security vulnerabilities—including use of the classically guessable password “123456” on an administrator account. The site’s chatbot, known as Olivia, was built by the artificial intelligence software firm Paradox.ai. Meanwhile, in the wake of last week’s devastating floods in Texas that killed at least 120 people, conspiracy theories about the extreme weather event have gained enough traction among anti-government extremists, GOP influencers, and others with large platforms to produce real-world consequences like death threats.

Finally, the metadata of the “full raw” surveillance footage captured near Jeffrey Epstein’s cell the night before the disgraced financier was found hanged shows it’s not “raw” footage at all. Instead, according to a WIRED analysis and digital video forensics experts, the full video is made up of two clips, and it was likely processed using powerful editing software.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**4 Young People Arrested Over Cyberattacks Against UK Retailers**

Earlier this year, three retailers in the UK—Harrods, the Co-Op, and M&S—were disrupted by sprawling cyberattacks. Some shelves were left empty for weeks, and M&S executives expect the attacks will cost around £300 million ($407 million) in total. This week, law enforcement officials at the National Crime Agency (NCA), the country’s equivalent of the FBI, announced the arrest of four people as part of investigations into the three attacks.

A 20-year-old female, two males aged 19, and another aged 17 were all arrested at their homes in the West Midlands and London on Thursday morning. One of the 19-year-old males is from Latvia, while the others are from the UK, the NCA says. They are suspected of potential Computer Misuse Act offenses, blackmail, money laundering, and “participating in the activities of an organized crime group,” the NCA said in a statement. The law enforcement agency has not named the individuals arrested or released precise locations of where they are based; however, NCA’s deputy director Paul Foster said the arrests were a “significant step” in its investigations.

The attacks against the three British retailers have been broadly linked, including partially by the NCA, to the loose cybercriminal group Scattered Spider. The hacking group, which first emerged in 2022, is largely made up of young, English-speaking individuals, and has recently been seen targeting retailers, airlines, and the insurance industry across the UK and the US.

**‘Explosion’ of AI-Generated Child Abuse Images Could Overwhelm the Web, Experts Warn**

It didn’t take criminals long to start using generative AI to create ultra-realistic child sexual abuse images. Now huge volumes of illegal, AI-created content are being found online, with criminals moving to use the technology to create videos as well as still images. During the first six months of this year, analysts at the Internet Watch Foundation, a UK-based organization that removes child sexual abuse material (CSAM) from the web, identified 1,286 AI-generated videos that show abuse—more than 1,000 of the videos showed the most serious type of abuse.

“There is an incredible risk of AI-generated CSAM leading to an absolute explosion that overwhelms the clear web,” said Derek Ray-Hill, the interim chief executive of the Internet Watch Foundation. Separate figures from the US-based National Center for Missing & Exploited Children (NCMEC) say it has received 485,000 reports of AI CSAM in the first half of this year—up from 67,000 for the entirety of last year. Around 35 tech companies have reported finding AI-generated CSAM on their platforms, NCMEC said.

**Italian Police Arrest an Alleged Member of China’s Silk Typhoon Hacking Group**

In a rare instance of Western law enforcement actually laying hands on an alleged Chinese state-sponsored hacker, Italian police arrested Xu Zewei, a 33-year-old from Shanghai, at an airport in Milan on July 3. The police were acting on a warrant issued by the US Department of Justice seeking Xu’s arrest on hacking charges. Authorities allege he’s a member of the espionage group known as Silk Typhoon or Hafnium, which has carried out widespread data theft from Western governments and private sector companies for years. US prosecutors are specifically accusing Xu of taking part in Silk Typhoon’s hacking that targeted researchers working to develop a Covid-19 vaccine in 2020 and 2021. He’s also alleged to have participated in a far less targeted hacking campaign in which the same group broke into tens of thousands of Microsoft exchange servers around the world, leaving behind backdoors for later reconnaissance. Xu’s lawyer denied the charges, saying it’s a case of mistaken identity, and Xu’s wife also has reportedly said that Xu is an IT technician at the company GTA Semi Conductor.

**Russian Pro Basketball Player Arrested on Ransomware Charges**

In more news of alleged hackers arrested in European airports—and a very unusual case of alleged cybercriminal moonlighting—French police this week detained Russian professional basketball player Daniil Kasatkin in the Charles de Gaulle airport in Paris, accusing him of being part of a ransomware group. Authorities haven’t yet named the ransomware crew they claim Kasatkin was a part of, but say that from 2020 to 2022 it hit close to 900 organizations, including two American government agencies. Kasatkin’s lawyer, Frédéric Bélot, denied the accusations, saying his client is “useless with computers and can't even install an application.” Kasatkin, who played for the pro basketball team MBA Moscow, had traveled to France with his fiancée to propose to her.

**Bodyguards Using Strava Leaked the Detailed Locations of Sweden’s Prime Minister**

Here’s your annual reminder, athletic oversharers of the world, to set your Strava account settings to private. This week, Sweden’s Dagens Nyheter newspaper revealed that seven bodyguards for Swedish government officials left their Strava accounts public, revealing their locations as they carried out 1,400 exercise activities—and in many cases, the locations of the people they were protecting, including the Swedish prime minister, Ulf Kristersson. The leaked locations of the prime minister included hotels where he stayed, private addresses, a family vacation, trips abroad, and his private home, which was intended to be secret. Repeat after me, Strava enthusiasts with security clearances: Go to Settings, tap Privacy Controls, then Activities. Future scandal averted.

4 Arrested Over Scattered Spider Hacking Spree

Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs…

Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs ministry. Learn about their tactics, the LoptikMod malware, and why this cyber espionage campaign matters for global diplomacy.

A sophisticated campaign by the notorious DoNot APT group, also known by names like APT-C-35 and Mint Tempest, has recently targeted a European foreign affairs ministry. This attack, uncovered by the Trellix Advanced Research Centre, highlights the group’s expanding reach beyond its traditional focus on South Asia.

Active since at least 2016, the DoNot APT group is a persistent threat, primarily known for targeting government, military, and diplomatic organisations. This group is believed to operate with a focus on South Asian geopolitical interests and has been attributed by several vendors to have links to India. This recent incident, however, reveals a broadening of their operations into Europe.

Trellix’s researchers were able to identify this campaign by blocking the initial email chain, which allowed them to analyse the attack’s Tactics, Techniques, and Procedures (TTPs). Reportedly, the attackers employed a highly deceptive spear-phishing tactic, impersonating European defence officials.

These malicious emails, which mentioned a visit to Bangladesh, aimed to trick targets into clicking on a harmful Google Drive link. This method of using common cloud services for initial infection showcases the group’s adaptability in their approach.

The attack unfolded in several calculated steps. The initial spear-phishing email originated from a Gmail address (int.dte.afd.1@gmailcom). It featured a subject line related to diplomatic activities, specifically “Italian Defence Attaché Visit to Dhaka, Bangladesh.” The attackers even used HTML formatting with UTF-8 encoding to properly display special characters like “é” in “Attaché,” signifying attention to detail to increase legitimacy.

Attackers’ TTPs (Source: Trellix)

Upon clicking the Google Drive link, victims downloaded a malicious RAR archive named ‘SyClrLtr.rar,’ containing an executable file disguised as a PDF (notflog.exe). It deployed a batch file and established persistence, meaning the malware would remain active through a scheduled task set to run every 10 minutes.

The malware involved in this campaign is LoptikMod, a tool exclusively associated with the DoNot APT group since 2018. This malware gathers system details such as CPU model, operating system information, username, and hostname.

This information is then encrypted and sent to a command and control (C2) server, which allows the attackers to maintain communication and potentially exfiltrate sensitive data. It is worth noting that beyond LoptikMod, the DoNot APT group also uses custom-built Windows malware, including backdoors like YTY and GEdit.

The targeting of a European foreign affairs ministry highlights the group’s unwavering interest in collecting sensitive information and its increasing global reach. Such attacks on diplomatic entities are classic examples of espionage operations, aiming to gain unauthorised access to classified state communications, policy documents, and intelligence reports.

Organisations, particularly those in government and diplomacy, are, hence, urged to enhance their cybersecurity measures, including stronger email security, network traffic analysis, and endpoint detection and response (EDR) solutions, to defend against these evolving threats.

DoNot APT Hits European Ministry with New LoptikMod Malware

Cisco fixes critical root credential vulnerability in Unified CM rated CVSS 10 urging users to patch now to stop remote admin takeovers.

Cisco, a leading networking hardware company, has issued an urgent security alert and released updates to address a severe vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). This critical flaw, identified as CVE-2025-20309, carries the highest possible severity rating, a CVSS score of 10.0, indicating it can be easily exploited with devastating consequences.

****Understanding the Threat****

The vulnerability stems from “static user credentials for the root account that are reserved for use during development,” as stated by Cisco in its advisory. In simpler terms, these systems were shipped with a secret, unchanging username and password for a super-user account, known as the root user. A root user has complete control over a system, able to execute any command and access all files. Because these credentials are _static_, meaning they don’t change and cannot be deleted by users, so, they present a constant backdoor.

An attacker could use these hardcoded credentials to remotely log into an affected device without needing any prior authentication. Once logged in as the root user, they could gain full administrative privileges, allowing them to take complete control of the communication system. This could lead to a wide range of attacks, from disrupting services to stealing sensitive data or even using the compromised system to launch further attacks within a network.

****Affected Systems and Solutions****

The security flaw impacts Cisco Unified CM and Unified CM SME versions ranging from 15.0.1.13010-1 through 15.0.1.13017-1. More importantly, this vulnerability exists regardless of how the device is configured, making a broad range of systems potentially susceptible. While Cisco discovered the flaw through its own internal security testing and has not found any evidence of it being actively exploited in the wild, the extreme severity necessitates immediate action.

There are no temporary workarounds to mitigate this risk. Cisco has released software updates to fix the vulnerability, advising all affected customers to upgrade their systems without delay. Customers with service contracts can obtain these updates through their usual channels, while others can contact Cisco’s Technical Assistance Centre (TAC) for a free upgrade. It is crucial for organizations to apply these patches swiftly to protect their communication infrastructure from potential compromise.

“First and foremost, any organization using this platform needs to upgrade as soon as possible. Furthermore, they need to refer to the indicators of compromise details provided in the Cisco advisory and immediately enact their incident response processes,” said Ben Ronallo, Principal Cyber Security Engineer at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.

“Because the credentials belong to a root (i.e., admin) account, the potential for malicious activity is significant. One plausible effect of this could be that an attacker is able to modify network routing for social engineering or data exfiltration purposes,” Ben warned.

Cisco Issues Emergency Fix for Critical Root Credential Flaw in Unified CM

SentinelLabs uncovers NimDoor, new North Korea-aligned macOS malware targeting Web3 and crypto firms. Exploits Nim, AppleScript, and steals Keychain, browser, shell, and Telegram data.

A new report from SentinelLabs, released on July 2, 2025, reveals a sophisticated cyberattack campaign targeting Web3 and cryptocurrency companies. Threat actors aligned with North Korea are aggressively exploiting macOS systems with a newly discovered malware called NimDoor, utilizing complex, multi-stage attacks and encrypted communications to remain undetected.

The research, authored by Phil Stokes and Raffaele Sabato and shared with Hackread.com, highlights the attackers’ shift towards less common, cross-platform programming languages like Nim. This change complicates efforts to detect and analyse their malicious activities.

The group also uses AppleScript in clever ways, not just for the initial breach but also as simple, hard-to-spot backdoors. Their methods show a clear improvement in staying hidden and persistent, including using encrypted WebSocket (wss) communication and unusual ways to maintain access even after malware is supposedly shut down.

****How the Attacks Works****

The attacks begin with a familiar social engineering trick: hackers pretend to be trusted contacts on platforms like Telegram, inviting targets to fake Zoom meetings. They send emails with a malicious Zoom SDK update script designed to look legitimate but is actually heavily disguised with thousands of lines of hidden code. This script then downloads more harmful programs from attacker-controlled websites, which often use names similar to real Zoom domains to fool users.

The fake Zoom update notification (Credit: SentinelLabs)

Once inside, the infection process becomes multi-layered. The hackers deploy several tools, including a C++ program that injects malicious code into legitimate processes, a rare technique for macOS malware. This allows them to steal sensitive data like browser information, Keychain passwords, shell history, and Telegram chat histories.

According to SentinelLabs’ blog post, they also install the Nim-compiled ‘NimDoor’ malware, which sets up long-term access. This includes a component named “GoogIe LLC” (note the deceptive capital ‘i’ instead of a lowercase ‘L’), which helps the malware blend in. Interestingly, the malware includes a unique feature that triggers its main components and ensures continued access if a user tries to close it or the system reboots.

****Another Day, Another North Korean Campaign****

SentinelLabs’ analysis shows that these North Korean-aligned actors are constantly developing new ways to bypass security. Their use of Nim, a language that allows them to embed complex behaviours within compiled programs, makes it harder for security experts to understand how the malware works. Additionally, using AppleScript for simple tasks like regularly checking in with their servers helps them avoid using more traditional, easily detectable hacking tools.

The report goes on to show how important it is for companies to strengthen their defences as these threats keep changing. As hackers try out new programming languages and more advanced tactics, cybersecurity researchers need to update how they detect and stop these attacks. SentinelLabs sums it up by calling them “inevitable attacks” that everyone should be ready for.

N Korean Hackers Drop NimDoor macOS Malware Via Fake Zoom Updates

Cybercriminals use malicious AI models to write malware and phishing scams Cisco Talos warns of rising threats from uncensored and custom AI tools.

New research from Cisco Talos reveals a rise in cybercriminals abusing Large Language Models (LLMs) to enhance their illicit activities. These powerful AI tools, known for generating text, solving problems, and writing code, are, reportedly, being manipulated to launch more sophisticated and widespread attacks.

For your information, LLMs are designed with built-in safety features, including alignment (training to minimize bias) and guardrails (real-time mechanisms to prevent harmful outputs). For instance, a legitimate LLM like ChatGPT would refuse to generate a phishing email. However, cybercriminals are actively seeking ways around these protections.

Talos’s investigation, shared with Hackread.com highlights three primary methods used by adversaries:

**Uncensored LLMs**: These models, lacking safety constraints, readily produce sensitive or harmful content. Examples include OnionGPT and WhiteRabbitNeo, which can generate offensive security tools or phishing emails. Frameworks like Ollama allow users to run uncensored models, such as Llama 2 Uncensored, on their own machines.

**Custom-Built Criminal LLMs**: Some enterprising cybercriminals are developing their own LLMs specifically designed for malicious purposes. Names like GhostGPT, WormGPT, DarkGPT, DarkestGPT, and FraudGPT are advertised on the dark web, boasting features like creating malware, phishing pages, and hacking tools.

**Jailbreaking Legitimate LLMs**: This involves tricking existing LLMs into ignoring their safety protocols through clever prompt injection techniques. Methods observed include using encoded language (like Base64), appending random text (adversarial suffixes), role-playing scenarios (e.g., DAN or Grandma jailbreak), and even exploiting the model’s self-awareness (meta prompting).

The dark web has become a marketplace for these malicious LLMs. FraudGPT, for example, advertised features ranging from writing malicious code and creating undetectable malware to finding vulnerable websites and generating phishing content.

However, the market isn’t without its risks for criminals themselves; Talos researchers found that the alleged developer of FraudGPT, CanadianKingpin12, was scamming potential buyers out of cryptocurrency by promising a non-existent product.

Image via Cisco Talos

Beyond direct illicit content generation, cybercriminals are leveraging LLMs for tasks similar to legitimate users, but with a malicious twist. In December 2024, Anthropic, developers of Claude LLM, noted programming, content creation, and research as top uses for their model. Similarly, criminal LLMs are used for:

*   Programming: Crafting ransomware, remote access Trojans, wipers, and code obfuscation.

*   Content Creation: Generating convincing phishing emails, landing pages, and configuration files.

*   Research: Verifying stolen credit card numbers, scanning for vulnerabilities, and even brainstorming new criminal schemes.

LLMs are also becoming targets themselves. Attackers are distributing backdoored models on platforms like Hugging Face, embedding malicious code that runs when downloaded. Furthermore, LLMs that use external data sources (Retrieval Augmented Generation or RAG) can be vulnerable to data poisoning, where attackers manipulate the data to influence the LLM’s responses.

Cisco Talos anticipates that as AI technology continues to advance, cybercriminals will increasingly adopt LLMs to streamline their operations, effectively acting as a “force multiplier” for existing attack methods rather than creating entirely new “cyber weapons.”

Tag

#backdoor