The CyberWire Daily Podcast 3.26.25
Ep 2273 | 3.26.25

No click, all tricks.

Transcript

Researchers uncover a new Windows zero-day. A covert Chinese-linked network targets recently laid-off U.S. government workers. Malicious npm packages are found injecting persistent reverse shell backdoors. A macOS malware loader evolves. DrayTek router disruptions affect users worldwide. A new report warns of growing cyber risks to the commercial space sector. CISA issues four ICS advisories. U.S. Marshals arrest a key suspect in a multi-million-dollar cryptocurrency heist. Our guest is Brian Levine, Co-Founder and CEO of FormerGov.com, speaking about creating a networking directory for former government and military professionals. The UK’s NCSC goes full influencer to promote 2FA.

Today is Wednesday, March 26th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Researchers uncover a new Windows zero-day. 

A new zero-day vulnerability affects all Windows versions from Windows 7 and Server 2008 R2 up to Windows 11 v24H2 and Server 2025. Researchers at 0patch [zero patch] say the flaw allows attackers to steal NTLM authentication credentials just by tricking users into viewing a malicious file in Windows Explorer—no clicks required. It can be triggered through shared folders, USB drives, or files downloaded from malicious websites. Though similar in impact to CVE-2025-21377, this issue is technically distinct and previously undocumented. Security researchers have reported the flaw to Microsoft and released temporary micropatches via 0patch, free until an official fix is issued. This marks the fourth zero-day from the same research team. The patches cover a broad range of Windows systems and deploy automatically with no reboot needed.

A covert Chinese-linked network targets recently laid-off U.S. government workers. 

A covert Chinese-linked network is allegedly targeting recently laid-off U.S. government workers with fake job ads, aiming to gather sensitive information. Researcher Max Lesser found the campaign uses bogus consulting firms with overlapping websites and fake contact details. One firm, RiverMerge Strategies, posted ads for roles requiring government experience, with connections traced to a Chinese tech company. Some ads ran on LinkedIn and Craigslist but were later deleted. Reuters couldn’t confirm whether any hires occurred or whether the firms had direct ties to the Chinese government. U.S. officials warn these tactics mirror past Chinese espionage operations. The FBI confirmed that foreign intelligence often uses fake recruiters to exploit former federal workers’ financial vulnerability. The firms’ activity raises concerns about national security, especially amid recent federal workforce layoffs.

Malicious npm packages are found injecting persistent reverse shell backdoors. 

Two malicious npm packages, ethers-provider2 and ethers-providerz, were found injecting persistent reverse shell backdoors into legitimate, locally installed packages. Even if the malicious packages are removed, the backdoor remains active. Discovered by ReversingLabs, the attack replaces files in the popular ethers package with trojanized versions that fetch further payloads from a remote server. The tactic is stealthy and dangerous, targeting developers through clever installer scripts. Additional linked packages were also identified. Developers are urged to scan environments and verify package legitimacy.

A macOS malware loader evolves. 

The macOS malware loader ReaderUpdate has evolved, now existing in five variants compiled in Python, Crystal, Nim, Rust, and Go, according to SentinelOne. Originally seen in 2020, it still deploys the Genieo adware but now spreads through trojanized software installers on third-party download sites. The Go variant collects system info and can execute remote commands, hinting at broader malware potential. While current payloads are adware, ReaderUpdate’s design suggests it could be used for more serious threats under a Malware-as-a-Service model.

DrayTek router disruptions affect users worldwide. 

A wave of DrayTek router disruptions is affecting users worldwide, causing devices to enter constant reboot loops. The issue began around March 22, 2025, and appears linked to the exploitation of known vulnerabilities. Security firm GreyNoise observed active attacks on three DrayTek flaws, including remote code execution (CVE-2020-8515) and directory traversal bugs (CVE-2021-20123, CVE-2021-20124). Affected regions include the UK, Vietnam, Germany, and others. ISPs confirm that outdated firmware is a key risk factor. DrayTek urges users to disconnect from the WAN and update firmware immediately. Additional steps include disabling remote access features, enabling two-factor authentication, and applying ACLs. The disruptions impact both consumers and businesses, with instability reported across various sectors. Security researchers continue to track live attacks, urging quick action to prevent further outages.

A new report warns of growing cyber risks to the commercial space sector. 

The EU’s cybersecurity agency, ENISA, has released a new Space Threat Landscape report warning of growing cyber risks to the commercial space sector. With over 10,000 satellites in orbit—most privately owned—space infrastructure now supports critical services like internet access, logistics tracking, and remote monitoring. ENISA warns that cyber-attacks could trigger cascading effects, from service disruption to geopolitical tensions. The report highlights vulnerabilities from commercial off-the-shelf (COTS) components, legacy systems, weak encryption, and human error. ENISA recommends security-by-design, strong encryption, regular patching, and adopting zero-trust principles. Despite space being classified as an essential sector under the NIS2 directive, many operators still struggle with compliance. The report underscores the urgent need for robust cybersecurity as digital threats to space systems grow alongside sector expansion.

CISA issues four ICS advisories. 

CISA issued four ICS advisories revealing critical vulnerabilities in ABB, Rockwell Automation, and Inaba Denki Sangyo products. Flaws with CVSS v4 scores up to 9.3 could enable denial of service, device takeovers, or unauthorized access in systems used across oil, gas, and manufacturing sectors. While ABB and Rockwell have released patches, Inaba Denki Sangyo’s device remains unpatched. CISA urges immediate mitigation, including firmware updates, network segmentation, limiting physical access, and secure remote access to protect critical infrastructure.

U.S. Marshals arrest a key suspect in a multi-million-dollar cryptocurrency heist.

U.S. Marshals have reportedly arrested Veer Chetal, aka “Wiz,” a key suspect in a $243 million cryptocurrency heist, according to blockchain investigator ZachXBT. The September 2024 scam involved phishing tactics, where hackers impersonated Google and Gemini support to trick a D.C. victim into resetting their two-factor authentication. Chetal, along with “Greavys” (Malone Iam) and “Box” (Jeandiel Serrano), then looted the victim’s crypto holdings. ZachXBT traced the stolen funds and exposed how the group laundered money to fund a lavish lifestyle. Chetal’s arrest marks a major breakthrough in the case. The incident underscores the critical need for strong personal cybersecurity practices—no software can replace user vigilance when facing sophisticated phishing threats. Investigations into the broader scam and remaining suspects are ongoing.
The UK’s NCSC goes full influencer to promote 2FA. 

The UK’s National Cyber Security Centre (NCSC) has gone full influencer to sell the masses on two-factor authentication (2FA)—because nothing says cyber resilience like Instagram skits and TikTok laughs. As part of the Stop! Think Fraud campaign, comedy creators like thesquidvids and edjonesuk parody TV hacker clichés—talking firewalls, logic bombs, and “copying the blockchain”—only to be foiled by that pesky second verification step. “What now?” one faux hacker sighs. “Well, that’s the end of the film, really,” another concedes. It’s Mission Impossible with less hacking and more humble pie. Meanwhile, personal finance influencer millennialmoneyuk keeps it serious, reminding us that weak passwords and no 2FA = big trouble. The NCSC, known for blogs and boring-but-useful tips, hopes these social media antics will get more folks locking down their logins. No word yet on what they paid the influencers—but presumably not in cryptocurrency.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.