The CyberWire Daily Podcast 6.2.25
Ep 2320 | 6.2.25

AVCheck goes dark in Operation Endgame.

Transcript

An international law enforcement operation dismantles AVCheck. Trump’s 2026 budget looks to cut over one thousand positions from CISA. Cyber Command’s defensive wing gains sub-unified command status. A critical vBulletin vulnerability is actively exploited. Acreed takes over Russian markets as credential theft kingpin. Qualcomm patches three actively exploited zero-days in its Adreno GPU drivers. Researchers unveil details of a Cisco IOS XE Zero-Day. Microsoft warns a memory corruption flaw in the legacy JScript engine is under active exploitation. A closer look at the stealthy Latrodectus loader. On today’s Afternoon Cyber Tea, Ann Johnson speaks with Hugh Thompson, RSAC program committee chair. Decoding AI hallucinations with physics.

Today is Monday, June 2nd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

An international law enforcement operation dismantles AVCheck. 

An international law enforcement operation has dismantled AVCheck, a major counter-antivirus (CAV) service exploited by cybercriminals to test malware against commercial antivirus software before deployment. The takedown, executed on May 27, 2025, involved the seizure of AVCheck’s domains and servers, which now display seizure notices from the U.S. Department of Justice, FBI, U.S. Secret Service, and Dutch police.

Authorities also uncovered links between AVCheck and crypting services Cryptor.biz and Crypt.guru, which aid in obfuscating malware to evade detection. Cryptor.biz has been seized, while Crypt.guru remains offline.

This action is part of Operation Endgame, a broader initiative targeting cybercriminal infrastructure. Recent efforts under this operation have led to the dismantling of 300 servers and 650 domains associated with ransomware activities, and the seizure of €3.5 million in cryptocurrency.

Undercover agents facilitated the investigation by making purchases on these platforms, confirming their use in cybercrime and linking them to ransomware groups targeting entities in the U.S. and abroad.

Trump’s 2026 budget looks to cut over one thousand positions from CISA. 

The Trump administration’s 2026 budget proposal aims to cut over 1,000 positions at the Cybersecurity and Infrastructure Security Agency (CISA), reducing its workforce from 3,732 to 2,649. The cuts, totaling nearly $500 million, impact all divisions, with the steepest reductions hitting risk management, stakeholder engagement, and integrated operations. While the cybersecurity division would lose over 200 roles, other divisions like mission support and emergency communications face significant trims. DHS Secretary Kristi Noem cited the end of election security work as a reason, though that only accounts for 14 positions. The plan also slashes funding for cyber training, stakeholder engagement, and national risk efforts. Programs like Chemical Security (CFATS) and school safety would be phased out, shifting responsibilities to state and local agencies. Congressional approval is still required.

Cyber Command’s defensive wing gains sub-unified command status. 

The Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) has been elevated to a sub-unified command under U.S. Cyber Command and renamed the Department of Defense Cyber Defense Command (DCDC). This move, directed by Congress and Secretary of Defense Pete Hegseth, reflects DCDC’s growing role in defending the Pentagon’s global networks. While it doesn’t grant new authorities or funding, it allows better alignment with strategic goals and resource access. Led by Lt. Gen. Paul Stanton, DCDC aims to shift from reactive to proactive defense, making it harder for adversaries to breach networks. This elevation follows Cybercom’s earlier move to upgrade its offensive Cyber National Mission Force, putting both key cyber operations on equal footing as the U.S. boosts its digital defense posture.

A critical vBulletin vulnerability is actively exploited. 

A critical vBulletin vulnerability is being actively exploited, shortly after its disclosure by researcher Egidio Romano on May 23. vBulletin is internet forum software used to create and manage online discussion boards. Romano detailed a remote code execution flaw affecting versions 5.1.0 through 6.0.3 and shared proof-of-concept code. Exploits began hitting honeypots by May 25–26, using Romano’s code to run system commands. Though apparently patched in April 2024, no CVE was initially assigned. Two CVEs—CVE-2025-48827 and CVE-2025-48828—have now been issued. This marks the first major vBulletin exploit wave since 2020.

Acreed takes over Russian markets as credential theft kingpin. 

The Acreed infostealer is emerging as a dominant force in credential theft, according to a June 2 report from cybersecurity firm ReliaQuest. Following the May 2025 takedown of Lumma Stealer, which had dominated Russian Market with 92% of credential theft alerts in late 2024, Acreed has quickly surpassed other malware like RedLine, Raccoon, and Vidar. Russian Market, a major dark web platform for stolen credentials, remains active and influential, with logs often recycled from other sources. In 2024, ReliaQuest issued over 136,000 alerts for customer domains appearing on the market, with most stolen credentials tied to SaaS and SSO accounts. The professional and information sectors were the hardest hit. With over 50,000 alerts already in 2025, the threat continues to grow.

Qualcomm patches three actively exploited zero-days in its Adreno GPU drivers. 

Qualcomm has released patches for three actively exploited zero-day vulnerabilities in its Adreno GPU drivers, affecting many chipsets. Two critical flaws (CVE-2025-21479 and CVE-2025-21480), reported by Google in January, allow unauthorized command execution leading to memory corruption. A third high-severity bug (CVE-2025-27038), reported in March, is a use-after-free flaw triggered during Chrome graphics rendering. Google’s Threat Analysis Group warns these are under targeted exploitation. Qualcomm urges OEMs to deploy patches issued in May. In a related investigation, Google found spyware infections involving Serbian authorities exploiting another Qualcomm flaw (CVE-2024-43047). This continues a trend of GPU and DSP driver vulnerabilities being exploited for device access and persistent surveillance, underlining Qualcomm’s critical role in mobile security.

Researchers unveil details of a Cisco IOS XE Zero-Day. 

Researchers at Horizon3 have published technical details about a critical Cisco IOS XE Wireless LAN Controller flaw (CVE-2025-20188), increasing the risk of imminent exploitation. The bug, disclosed by Cisco on May 7, allows unauthenticated remote attackers to upload files and execute arbitrary commands with root privileges via a hardcoded JWT secret (“notfound”). While no complete exploit script was released, Horizon3’s write-up provides enough data for skilled attackers to build one. The flaw impacts several Catalyst 9800 controller models when the ‘Out-of-Band AP Image Download’ feature is enabled. Attackers can bypass JWT validation, perform path traversal, and overwrite system configs to achieve remote code execution. Cisco urges users to upgrade to version 17.12.04 or later. Disabling the vulnerable feature serves as a temporary workaround to reduce exposure.
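The weak point described above is a token verifier that falls back to a fixed, well-known secret instead of failing when no real key is present. The following Python is an added illustration written for this page; it is not Cisco's code, not Horizon3's write-up, and does not model the controller's endpoints, file upload or path traversal. The only detail taken from the story is the literal "notfound"; the function names, the 32-byte minimum key length and the sample claims are assumptions for the demonstration. It shows the anti-pattern (anyone who knows the fallback can mint a token the verifier accepts) beside a fail-closed verifier that refuses to run without a configured key.

```python
"""Added example: why a hardcoded fallback JWT secret defeats signature checks.

Constructed for illustration. The secret literal "notfound" is the value the
Horizon3 write-up reported; everything else here is assumed.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Fallback literal reported for the vulnerable controller (the only page-sourced value)
FALLBACK_SECRET = b"notfound"
# Assumed policy: HS256 keys must be at least 256 bits of real randomness
MIN_KEY_BYTES = 32


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding JWT strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; this is exactly what an attacker does with a known secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature is valid, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":      # pin the algorithm; never trust alg=none
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None


def weak_verify(token: str, configured_key: Optional[bytes]) -> Optional[dict]:
    """Anti-pattern: silently substitute a fixed literal when no key is configured."""
    key = configured_key if configured_key else FALLBACK_SECRET
    return verify_hs256(token, key)


def hardened_verify(token: str, configured_key: Optional[bytes]) -> Optional[dict]:
    """Fail closed: refuse to verify anything without a strong, configured key."""
    if not configured_key or len(configured_key) < MIN_KEY_BYTES:
        raise RuntimeError("JWT signing key missing or too short; refusing to verify")
    return verify_hs256(token, configured_key)


def generate_key() -> bytes:
    return secrets.token_bytes(MIN_KEY_BYTES)


def demo() -> tuple:
    """Forge a token with the fallback secret and test it against both verifiers.

    Returns (accepted_by_weak, accepted_by_hardened).
    """
    forged = sign_jwt({"sub": "attacker", "role": "admin"}, FALLBACK_SECRET)
    accepted_by_weak = weak_verify(forged, None) is not None
    accepted_by_hardened = hardened_verify(forged, generate_key()) is not None
    return accepted_by_weak, accepted_by_hardened


def roundtrip(claims: dict) -> Optional[dict]:
    """A legitimately signed token still verifies under the hardened path."""
    key = generate_key()
    return hardened_verify(sign_jwt(claims, key), key)


if __name__ == "__main__":
    weak, hard = demo()
    print(f"forged token accepted by weak verifier:     {weak}")
    print(f"forged token accepted by hardened verifier: {hard}")
```

The practical check this suggests for any appliance or service you operate: confirm the verifier cannot start, or cannot accept tokens, when its key material is absent, rather than quietly using a default.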

Microsoft warns a memory corruption flaw in the legacy JScript engine is under active exploitation.

Microsoft is warning of active exploitation of CVE-2025-30397, a memory corruption flaw in the legacy JScript engine (jscript.dll), patched in May 2025. The vulnerability, rated 7.5 CVSS, allows remote code execution if a user clicks a malicious URL in Microsoft Edge running Internet Explorer Mode. Though IE11 is retired, some systems remain vulnerable. A GitHub proof-of-concept increases the risk of exploit development. Users should patch immediately and disable IE Mode in Edge as a temporary safeguard.

A closer look at the stealthy Latrodectus loader.

Researchers at WardenShield examine Latrodectus, a stealthy malware loader linked to the Lunar Spider group behind IcedID, which has quickly risen as a major cyber threat following the 2024 takedown of IcedID and other botnets in Operation Endgame. Emerging in late 2023, Latrodectus rapidly gained traction among threat actors TA577 and TA578, filling the void in the malware ecosystem. It spreads through phishing emails and deceptive attachments, deploying DLL payloads designed for stealth, persistence, and versatile malware delivery. Latrodectus supports remote command execution, information theft, and installation of ransomware and infostealers like IcedID, QakBot, and DarkGate. Its obfuscation, sandbox evasion, and encrypted communications make it difficult to detect. Over 44,000 infections were logged in less than a month, mostly targeting North America and Europe. With constant updates and advanced delivery tactics, including fake CAPTCHAs and TikTok lures, Latrodectus is a top-tier threat demanding layered defenses, user awareness, and proactive incident response.

Decoding AI hallucinations with physics. 

No one truly knows how AI works—not even the people who build it. But physicist Neil Johnson and his colleague Frank Yingjie Huo have taken a swing at decoding the mystery by applying first-principle physics to AI’s Attention mechanism, the bit that decides what words an AI should “focus” on when generating text. Their theory treats words like quantum particles in a “spin bath,” where bad training data can skew outcomes, resulting in hallucinations or bias. Johnson likens current AI models to a 2-body Hamiltonian (two-particle system), which, it turns out, is about as stable as a toddler on espresso. A 3-body system might be better—but like railway gauges, the QWERTY keyboard and the Windows Registry, early design choices tend to stick. Still, Johnson’s math offers hope: with the right actuarial-style metrics, we may one day predict just when our friendly LLM might lose the plot. Literally.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.