
Fingers point east.
The Czech Republic accuses Chinese state-backed hackers of cyber-espionage. CISA’s leaders head for the exits. Cybercriminals are using fake AI video generator websites to spread malware. A stealthy phishing campaign delivers the Remcos RAT via DBatLoader. A fake Bitdefender website spreads malware targeting financial data. Medusa ransomware claims to have breached global real estate firm RE/MAX. An Iranian national faces up to 30 years in prison for ransomware targeting US cities. Our guest is Tony Velleca, CyberProof's CEO, discussing exposure management and a more risk-focused approach to prioritize threats. Mind reading for fun and profit.
Today is Wednesday, May 28th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The Czech Republic accuses Chinese state-backed hackers of cyber-espionage.
The Czech Republic has accused Chinese state-backed hackers of targeting its Ministry of Foreign Affairs in a cyber-espionage campaign that began in 2022. An investigation by Czech intelligence and cybersecurity agencies linked the attack to APT31, a group associated with China’s Ministry of State Security. The hackers targeted an unclassified network but may not have breached it. Foreign Minister Jan Lipavsky condemned China’s interference, citing efforts to weaken Czech democracy. He summoned the Chinese ambassador and highlighted new security measures. The U.S. and U.K. previously sanctioned APT31. The group also allegedly targeted British lawmakers. Czech officials shared findings with EU and NATO allies. Both organizations backed Prague, with NATO condemning China’s increasing cyber threats. China has not yet responded.
CISA’s leaders head for the exits.
The Cybersecurity and Infrastructure Security Agency (CISA) is facing a major leadership crisis, with nearly all its top officials having left or set to leave by the end of May, Cybersecurity Dive reports. An internal email revealed that five of CISA’s six operational divisions and most regional offices are losing senior leaders, including key figures like Matt Hartman and Boyden Rohner. These departures come amid rising cyber threats from foreign adversaries and have sparked concern over the agency’s stability and effectiveness.
Experts and insiders warn the loss of seasoned leadership may weaken CISA’s ability to support critical infrastructure and partner agencies. Field directors who helped expand CISA’s reach across the U.S. are also stepping down, further fueling uncertainty. While CISA’s leadership insists the agency remains mission-focused, morale is low, and doubts about the agency’s future are growing. Critics fear this exodus will hurt national cybersecurity and resilience at a critical time.
Cybercriminals are using fake AI video generator websites to spread malware.
Cybercriminals are using fake AI video generator websites to spread malware, Google’s Mandiant unit has found. These scammers created fraudulent sites mimicking tools like Luma AI and Canva Dream Lab, promoting them through thousands of malicious ads on platforms like Facebook and LinkedIn. Victims lured in by the ads are tricked into downloading malware, such as STARKVEIL, which steals data and opens backdoors for further access. Mandiant attributes the campaign to a group named UNC6032, likely based in Vietnam. Since mid-2024, the campaign has impacted users globally, stealing credentials, cookies, and credit card info via Telegram. Meta removed many of the malicious ads proactively, aided by Mandiant’s use of Meta’s Ad Library. The campaign reveals how fake AI tools are now a widespread threat, not just to tech professionals but to anyone tempted by trendy, seemingly legitimate AI services.
Chrome and Firefox updates address severe vulnerabilities.
Google and Mozilla have released Chrome 137 and Firefox 139, addressing 21 security vulnerabilities, including three rated high severity. Chrome 137 includes 11 fixes, notably two high-risk memory issues that could allow code execution or crashes. Firefox 139 patches 10 flaws, including a high-severity double-free bug in libvpx. Updates were also issued for Firefox ESR and Thunderbird. Though no active exploitation was reported, users are urged to update promptly, as browser vulnerabilities are common targets for attackers.
A stealthy phishing campaign delivers the Remcos RAT via DBatLoader.
Researchers at ANY.RUN have uncovered a stealthy phishing campaign delivering the Remcos RAT via DBatLoader. The attack uses obfuscated CMD scripts, User Account Control (UAC) bypass, and legitimate Windows tools (LOLBAS) to evade detection. Victims receive phishing emails containing an archive with “Faktura.exe,” which triggers the attack chain: DBatLoader execution, script obfuscation, and malware injection. Remcos is stealthily embedded into trusted processes, and persistence is ensured through scheduled tasks and registry edits. This campaign shows how attackers exploit curiosity around AI tools and rely on native OS behavior to bypass traditional security. The researchers stress the importance of dynamic analysis to detect and respond to modern, evasive threats effectively.
A fake Bitdefender website spreads malware targeting financial data.
Cybercriminals have created a fake Bitdefender antivirus website, “bitdefender-download[.]co,” to spread malware targeting financial data and enabling long-term system access. The fraudulent site closely mimics the real Bitdefender download page, tricking users into downloading a ZIP file containing VenomRAT, StormKitty, and SilentTrinity. VenomRAT steals files, crypto wallets, and credit card data, while StormKitty harvests credentials, and SilentTrinity ensures persistent access. The attackers host files via Bitbucket and Amazon S3 to appear legitimate. The campaign is part of a broader phishing operation using shared infrastructure with fake banking sites. DomainTools researchers identified a common command-and-control server and warned of the attackers’ dual goal: quick financial theft and long-term system control. Bitdefender is working to take the site down, and Chrome now blocks the link. Experts urge users to download antivirus software only from official sites and remain cautious of unsolicited prompts.
Medusa ransomware claims to have breached global real estate firm RE/MAX.
Medusa ransomware claims to have breached global real estate firm RE/MAX, exfiltrating 150GB of data and demanding a $200,000 ransom. The group posted samples on its dark web leak site, threatening public release in under 18 days. While RE/MAX hasn’t confirmed the breach, leaked data includes agent contact details, commissions, internal documents, and property schematics—mostly from 2021–2023. Security experts warn the full data set may contain more sensitive information, posing risks of identity theft, fraud, and property scams, along with reputational and financial damage to RE/MAX.
A CISA advisory highlights a critical ICS memory leak vulnerability.
CISA has issued an advisory for a critical memory leak vulnerability (CVE-2025-26383) in Johnson Controls’ iSTAR Configuration Utility Tool, impacting all versions prior to 6.9.5. The flaw, due to the use of uninitialized variables, could expose sensitive data and affect industrial control systems (ICS) vital to sectors like energy, transportation, and manufacturing. With a CVSS score of 7.4, the bug requires adjacent network access but no authentication. CISA urges defense-in-depth strategies, such as network segmentation and regular assessments, to mitigate risks.
An Iranian national faces up to 30 years in prison for ransomware targeting US cities.
Iranian national Sina Gholinejad, 37, pleaded guilty to deploying Robbinhood ransomware in attacks that hit several U.S. cities, including Baltimore and Greenville, North Carolina. His actions caused tens of millions in damages and disrupted essential public services. The 2019 Baltimore attack alone inflicted $19 million in losses, forcing the city offline for months. Prosecutors said Gholinejad and his co-conspirators began the attacks in 2019, extorting victims with threats of similar consequences. They targeted municipalities in New York, Oregon, and beyond until March 2024. Gholinejad faces up to 30 years in prison, with sentencing set for August. He was detained in North Carolina with help from Bulgarian authorities. The Justice Department emphasized that cyberattacks on critical public systems won’t go unpunished and thanked international partners for their support in the case.
Mind reading for fun and profit.
And finally, imagine popping on a sleek little meditation headband for some self-care, only to find you’ve accidentally signed away the intimate details of your inner monologue. That’s the unsettling reality U.S. Senators Chuck Schumer, Maria Cantwell, and Ed Markey are now raising alarms about. They’ve asked the FTC to investigate brain-computer interface (BCI) companies—because apparently, reading your mind isn’t off-limits if it’s in the fine print.
A Neurorights Foundation study found 29 out of 30 neurotech firms are scooping up users’ brain data, but only 14 bother to ask for permission. And unless you’re in the EU or lucky enough to live in California, your brainwaves are basically up for grabs.
These tools promise breakthroughs—communication for the paralyzed, early Alzheimer’s detection, or boosted focus—but without regulation, they might just become thought-mining machines for profit. The stakes? Your mental privacy, identity, and autonomy. Because apparently, “what were you thinking?” might soon be a data point.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at thecyberwire.com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize their biggest investment, their people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.