
When "out of the box" becomes "out of control."
Children’s DNA in criminal databases. ASUS routers get an unwanted houseguest. New APT41 malware uses Google Calendar for command-and-control. Interlock ransomware gang deploys new Trojan. Estonia issues arrest warrant for suspect in massive pharmacy breach. The enemy within the endpoint. New England hospitals disrupted by cyberattack. Tim Starks from CyberScoop is discussing ‘Whatever we did was not enough’: How Salt Typhoon slipped through the government’s blind spots. And Victoria’s Secrets are leaked.
Today is May 29th, 2025. I’m T-Minus Space Daily host Maria Varmazis in for Dave Bittner. And this is your CyberWire Intel Briefing.
Children’s DNA in criminal databases.
Between 2020 and 2024, U.S. Customs and Border Protection (CBP) collected DNA samples from over 133,000 migrant children—including at least one as young as 4 years old—and uploaded their genetic profiles to the FBI’s Combined DNA Index System (CODIS), a database traditionally reserved for criminal offenders. This expansion of biometric surveillance, justified by the Department of Justice as a crime prevention measure, has raised significant privacy and ethical concerns.
While official policy limits routine DNA collection to individuals aged 14 and older, exceptions were widely made, often without any criminal charges. Notably, 122 minors identified as U.S. citizens had their DNA collected, 53 of whom were not detained for any criminal arrest. Critics argue that this practice blurs the line between civil immigration enforcement and criminal investigation, effectively treating undocumented migrants, especially children, as potential criminals.
Privacy experts warn that storing raw DNA samples indefinitely poses risks of misuse, including unauthorized profiling and surveillance. The inclusion of minors in CODIS, a system designed for tracking criminal offenders, underscores the need for stringent oversight and clear guidelines to protect vulnerable populations from unwarranted surveillance.
ASUS routers get an unwanted houseguest.
GreyNoise has uncovered a sophisticated campaign compromising over 9,000 ASUS routers, primarily targeting small office/home office (SOHO) environments. The attackers gain initial access through brute-force attacks and authentication bypasses, including techniques not yet assigned CVEs. Subsequently, they exploit CVE-2023-39780, a command injection vulnerability, to execute arbitrary commands.
The adversaries establish persistence by enabling SSH access on a non-standard port (TCP/53282) and inserting their public SSH keys using legitimate ASUS configuration methods. These changes are stored in non-volatile memory (NVRAM), allowing the backdoor to survive reboots and firmware updates. Notably, no malware is deployed; instead, the attackers disable logging and security features like Trend Micro's AiProtection to evade detection.
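The persistence pattern above (SSH enabled on TCP/53282, attacker keys stored via the router's own configuration) can be audited from a dump of the router's NVRAM. The script below is an added example, not GreyNoise's or ASUS's code; it assumes `sshd_enable`, `sshd_port` and `sshd_authkeys` as the Asuswrt NVRAM variable names and uses a constructed `nvram show` sample.

```python
import re
from typing import Dict, List

# Constructed sample of `nvram show` output from an ASUS router; not a real capture.
# sshd_enable / sshd_port / sshd_authkeys are assumed Asuswrt NVRAM variable names.
SAMPLE_NVRAM = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkey0123 unknown@host
wan_proto=dhcp
"""

BACKDOOR_PORT = 53282          # non-standard port reported in the GreyNoise research
STANDARD_SSH_PORTS = {22}

# Allowlist of public-key blobs the administrator actually installed (constructed).
TRUSTED_KEY_BLOBS = {"AAAAB3NzaC1yc2EAAAADAQABAAABAQDadminkey9876"}


def parse_nvram(text: str) -> Dict[str, str]:
    """Turn `nvram show` key=value lines into a dict (values kept verbatim)."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def extract_key_blobs(authkeys: str) -> List[str]:
    """Pull the base64 blob following each key-type token (ssh-rsa, ssh-ed25519, ...)."""
    return re.findall(r"\bssh-\S+\s+(\S+)", authkeys)


def audit_ssh_persistence(nvram: Dict[str, str]) -> List[str]:
    """Return human-readable findings matching the reported persistence pattern."""
    findings: List[str] = []
    if nvram.get("sshd_enable") != "1":
        return findings                       # SSH off: nothing persisted this way
    port = int(nvram.get("sshd_port") or 22)
    if port == BACKDOOR_PORT:
        findings.append(f"sshd bound to TCP/{port}, the port seen in the campaign")
    elif port not in STANDARD_SSH_PORTS:
        findings.append(f"sshd bound to non-standard TCP/{port}")
    for blob in extract_key_blobs(nvram.get("sshd_authkeys", "")):
        if blob not in TRUSTED_KEY_BLOBS:   # any key you did not install is a finding
            findings.append(f"unrecognised authorized key ending ...{blob[-12:]}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_persistence(parse_nvram(SAMPLE_NVRAM)):
        print("FINDING:", finding)
```

Because the settings live in NVRAM and survive firmware updates, rerun the audit after a factory reset rather than treating a reflash as a clean state.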
New APT41 malware uses Google Calendar for command-and-control.
Google's Threat Intelligence Group says the Chinese threat actor APT41 used a compromised government website to host a new strain of malware dubbed "ToughProgress." Notably, the malware uses Google Calendar events for command-and-control communications.
Google explains, "Once executed, TOUGHPROGRESS creates a zero minute Calendar event at a hardcoded date, 2023-05-30, with data collected from the compromised host being encrypted and written in the Calendar event description. The operator places encrypted commands in Calendar events on 2023-07-30 and 2023-07-31, which are predetermined dates also hardcoded into the malware. TOUGHPROGRESS then begins polling Calendar for these events. When an event is retrieved, the event description is decrypted and the command it contains is executed on the compromised host. Results from the command execution are encrypted and written back to another Calendar event."
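The exchange Google describes has a recognisable shape on the calendar side: zero-minute events on fixed dates whose descriptions are encrypted blobs. The triage routine below is an added example (not Google's tooling) that scores events on that shape; the event records are constructed in a Google Calendar API-like layout, and the entropy threshold is an assumption.

```python
import json
import math
from datetime import datetime
from typing import Dict, List

# Dates Google reports as hardcoded into TOUGHPROGRESS.
C2_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}

# Constructed sample of calendar events in a Google Calendar API-like shape; not real data.
SAMPLE_EVENTS = json.loads("""[
  {"summary": "Team sync", "start": "2023-05-30T09:00:00Z", "end": "2023-05-30T09:30:00Z",
   "description": "Agenda: review sprint goals"},
  {"summary": "", "start": "2023-05-30T00:00:00Z", "end": "2023-05-30T00:00:00Z",
   "description": "q9Gz7KpL2mXvT8bRn4YwHd3Jc6sEaF1uVoNiQeZtWk5yMbXr0lPgCh"},
  {"summary": "Dentist", "start": "2023-07-30T00:00:00Z", "end": "2023-07-30T00:00:00Z",
   "description": "Lj4VkQ2pZr9NxT7dMw1HbYc8GsE5fAuKoRi3WnXeTvPq6JmBgZhC0y"}
]""")


def shannon_entropy(s: str) -> float:
    """Bits per character; encrypted or encoded text sits well above natural language."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_events(events: List[dict]) -> List[Dict[str, object]]:
    """Flag events that are zero-minute AND carry an opaque, high-entropy description.
    A hardcoded C2 date is recorded as a reason but not required, since those dates
    are specific to this sample and will change between builds."""
    flagged: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        reasons: List[str] = []
        if _ts(ev["start"]) == _ts(ev["end"]):
            reasons.append("zero-minute event")
        desc = ev.get("description", "").strip()
        if len(desc) >= 32 and " " not in desc and shannon_entropy(desc) > 4.0:  # assumed threshold
            reasons.append("opaque high-entropy description")
        if _ts(ev["start"]).date().isoformat() in C2_DATES:
            reasons.append("hardcoded C2 date")
        if {"zero-minute event", "opaque high-entropy description"} <= set(reasons):
            flagged.append({"index": idx, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit)
```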
Interlock ransomware gang deploys new Trojan.
The Interlock ransomware gang is using a new Trojan dubbed "NodeSnake" to target universities, BleepingComputer reports. The malware is distributed via phishing emails with malicious links or attachments. Quorum Cyber has published a report on the RAT, noting that the malware is coded in JavaScript and executed with NodeJS. The researchers state, "NodeSnake demonstrates typical capabilities expected from a modern-day RAT. It is designed for persistent access, system reconnaissance, and remote command execution. It employs multiple evasion techniques, communicates with Command-and-Control (C2) servers via HTTP/HTTPS, and deploys secondary payloads to maintain control and facilitate further compromise."
Quorum observed NodeSnake deployed against two universities in the UK within the past two months.
Estonia issues arrest warrant for suspect in massive pharmacy breach.
Estonian authorities have issued an international arrest warrant for a Moroccan national accused of hacking a customer card database belonging to Allium UPI, a major provider of pharmacy and healthcare products across the Baltic countries, the Record reports. The breach, which occurred in February 2024, exposed nearly 700,000 personal identification codes used by pharmacy customers, revealing pharmacy purchases linked to customer accounts. The incident affected data belonging to almost half of the Estonian population.
Estonia's Central Criminal Police alleges that 25-year-old Adrar Khalid gained access to the database using a stolen password for an administrator account.
The enemy within the endpoint.
In mid-2024, Israeli cybersecurity firm Sygnia uncovered a sophisticated North Korean cyberattack involving a threat actor posing as a legitimate IT employee at a Western company. The attacker, operating from within the organization, utilized standard tools like Zoom and basic network protocols to avoid detection. By leveraging access through a corporate VPN and a company-issued laptop, the attacker established a multi-layered covert control channel, enabling lateral movement, execution of malicious code, and data exfiltration—all under the guise of routine remote work activities. Sygnia's investigation began after the FBI recovered a client-issued laptop during a raid on a suspected "laptop farm," a service that facilitates foreign workers impersonating U.S. citizens to secure remote roles in Western companies. Shoham Simon, Sygnia's Senior VP of Cyber Services, emphasized that the breach exploited a "trust vulnerability" rather than a code flaw, highlighting the need for detection models that account for anomalies in protocol usage and the misuse of legitimate tools.
New England hospitals disrupted by cyberattack.
A cyber incident affecting Massachusetts-based health system Covenant Health is disrupting several affiliated hospitals in New England, WMUR reports.
News Center Maine reports that St. Joseph Healthcare in Bangor and St. Mary's Hospital in Lewiston were both impacted, and St. Joseph’s has attributed the disruption to a cyberattack. WMUR says St. Joseph Hospital in Nashua, New Hampshire, is diverting ambulances to different hospitals.
Coming up after the break, Dave Bittner sits down with Tim Starks, senior reporter at CyberScoop. They’ll unpack his recent piece, "Whatever we did was not enough": How Salt Typhoon slipped through the government’s blind spots. Plus, what’s the story behind Victoria’s Secrets getting leaked? Stick around.
Dave Bittner recently caught up with Tim Starks of CyberScoop to dive into how the threat group Salt Typhoon managed to evade government detection—and what this says about our national cybersecurity posture. Here’s their conversation.
That was Tim Starks speaking with Dave Bittner about how Salt Typhoon slipped through the government's blind spots.
Victoria’s Secrets leaked.
Victoria’s Secret is making headlines this week—and not for a new collection. The retailer has taken its U.S. website offline and paused some in-store services after a major cybersecurity breach was discovered over the Memorial Day weekend. Online shoppers were met with a black screen and a brief message confirming the incident, as the company scrambles to investigate. With digital sales making up nearly a third of its revenue, this outage isn’t just inconvenient—it’s costly, with shares dropping nearly 7%. So far, the company hasn’t revealed whether customer data was compromised, fueling plenty of speculation. Experts say the timing follows a familiar pattern, with cybercriminals often striking when staff coverage is light. Victoria’s Secret says its team is working “around the clock” to restore operations. And as one viral song goes—“I know Victoria’s Secret”—well, now hackers might too.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.