The CyberWire Daily Podcast 6.16.25
Ep 2330 | 6.16.25

Darknet drug marketplace closed for business.

Transcript

International law enforcement takes down a darknet drug marketplace. The Washington Post is investigating a cyberattack targeting several journalists' email accounts. Anubis ransomware adds destructive capabilities. The GrayAlpha threat group uses fake browser update pages to deliver advanced malware. Researchers uncover a stealthy malware campaign that hides a malicious payload in a JPEG image. Tenable patches three high-severity vulnerabilities in Nessus Agent. Attackers can disable Secure Boot on many Windows devices by exploiting a firmware flaw. Lawmakers introduce a bipartisan bill to strengthen coordination between CISA and HHS. Harry Coker reflects on his tenure as National Cyber Director. Maria Varmazis checks in with Brandon Karpf on agentic AI. When online chatbots overshare, it’s no laughing Meta. 

Today is Monday, June 16th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

International law enforcement takes down a darknet drug marketplace. 

Law enforcement from six countries have shut down the notorious Archetyp Market, a darknet drug marketplace active since 2020. The site hosted over 3,200 vendors and 17,000 listings, trafficking a wide range of drugs and amassing more than 612,000 users. Transactions totaled €250 million in Monero. As part of “Operation Deep Sentinel,” led by German police with Europol and Eurojust, Dutch authorities dismantled the platform’s infrastructure. A 30-year-old German suspect, believed to be the site’s admin, was arrested in Spain. Authorities also detained a moderator and six top vendors in Germany and Sweden. Officers seized digital devices, drugs, and €7.8 million in assets. This follows May’s “Operation RapTor,” which targeted dark web dealers globally, resulting in 270 arrests, 2 tonnes of drugs, €184 million in assets, and 180 firearms seized.

The Washington Post is investigating a cyberattack targeting several journalists' email accounts. 

The Washington Post is investigating a cyberattack that targeted email accounts of several journalists, including those covering national security and China. Discovered Thursday, the breach prompted a company-wide password reset on Friday. While no other systems or customer data were impacted, the attack is suspected to involve a foreign government. The Wall Street Journal first reported the incident, noting Microsoft accounts were compromised. This follows a similar 2022 breach at News Corp, which also targeted journalists’ data and communications.

Anubis ransomware adds destructive capabilities. 

Anubis ransomware, active since late 2024, is a growing threat due to its destructive capabilities. Initially known for data extortion without encryption, Anubis now encrypts files and includes a wiper module that permanently deletes them, making recovery impossible. Trend Micro reports that it operates under a ransomware-as-a-service (RaaS) model and shares code with Sphinx ransomware. Promoted on cybercrime forums by “supersonic” and “Anubis__media,” it targets sectors like construction, healthcare, and engineering in Australia, Canada, Peru, and the U.S. Anubis gains access via spear phishing, escalates privileges, disables defenses, and uses ECIES encryption. Victims receive a ransom note threatening to leak stolen data. Its use of file wiping sets it apart, adding urgency and pressure on victims. Seven organizations are currently listed on its Tor-based leak site.

The GrayAlpha threat group uses fake browser update pages to deliver advanced malware. 

Researchers at Recorded Future have uncovered a stealthy campaign by the GrayAlpha threat group using fake browser update pages to deliver advanced malware, including a new PowerShell loader named PowerNet. Active since April 2024, this campaign marks a shift in GrayAlpha’s tactics, combining fake updates, malicious 7-Zip sites, and the TAG-124 traffic system. Victims ultimately receive NetSupport RAT, a remote access trojan granting full system control. GrayAlpha’s infrastructure mimics trusted brands like Google Meet and SAP Concur, using JavaScript-based profiling to tailor attacks. Their infrastructure is hosted through bulletproof providers, notably Stark Industries Solutions. Analysts link GrayAlpha to FIN7, a well-known cybercrime group. The campaign’s continued activity into 2025 and use of enhanced loaders like PowerNet and MaskBat show a technically advanced and persistent threat targeting multiple industries globally.

Researchers uncover a stealthy malware campaign that hides a malicious payload in a JPEG image. 

Internet Storm Center researchers uncovered a stealthy malware campaign that hides a malicious payload in a JPEG image using steganography and a modified Base64 encoding technique. The malware is embedded after the image’s End Of Image (EOI) marker, making it invisible to standard file viewers and many security tools. Hosted at a suspicious domain, the image looks normal but contains a .NET DLL payload. To avoid detection, the attackers substituted ‘@’ for ‘A’ in the Base64 encoding. Specialized tools like jpegdump.py and byte-stats.py revealed the anomaly. When decoded, the payload matched known malware linked to a documented threat campaign. This method highlights a growing risk, as media files, commonly shared with little scrutiny, can now be exploited for malware delivery, data theft, or establishing command-and-control channels.
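The segment above describes two tricks: a payload appended after the JPEG End Of Image (EOI) marker, and Base64 with every ‘A’ swapped for ‘@’ so off-the-shelf decoders and signatures miss it. The following is an added example, not code from the podcast or from the Internet Storm Center diary, showing how an analyst can check an image for both. It walks the JPEG marker structure to find the real EOI (a naive search for the FF D9 byte pair can land on an EXIF thumbnail embedded earlier in the file), pulls out whatever follows, undoes the substitution, and checks whether the decoded bytes start with the “MZ” DOS header of a PE file such as a .NET DLL. The sample image bytes are constructed inline for the demo and are not bytes from the real campaign.

```python
import base64

# Added example (not from the ISC diary or the podcast): find and decode a payload
# appended after a JPEG's EOI marker and encoded with the '@'-for-'A' Base64 trick.
SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def find_eoi_end(data: bytes) -> int:
    """Return the offset just past the EOI marker that really ends the image.

    Walks the marker segments instead of data.find(b'\\xff\\xd9'): an FF D9 can
    also occur inside an EXIF thumbnail embedded in an APP1 segment, which would
    make a naive search report the wrong end and miss the trailer entirely.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = len(SOI)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts its own 2 bytes
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip the entropy-coded data
            # Inside scan data, FF is always followed by 00 (byte stuffing) or an
            # RSTn marker; anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def decode_modified_base64(blob: bytes) -> bytes:
    """Undo the '@' -> 'A' substitution, then strictly Base64-decode."""
    text = "".join(blob.decode("ascii").split())      # drop any line breaks
    return base64.b64decode(text.replace("@", "A"), validate=True)


def analyze_jpeg(data: bytes) -> dict:
    """Report whether data follows EOI and whether it decodes to a PE file."""
    trailer = data[find_eoi_end(data):]
    report = {"trailer_bytes": len(trailer), "decoded": b"", "looks_like_pe": False}
    if not trailer:
        return report
    try:
        decoded = decode_modified_base64(trailer)
    except (UnicodeDecodeError, ValueError):
        return report      # trailer exists but is not this encoding: still worth a look
    report["decoded"] = decoded
    report["looks_like_pe"] = decoded.startswith(b"MZ")   # DOS header of a PE/.NET DLL
    return report


# Constructed sample: a minimal marker skeleton (not a decodable picture) whose APP1
# "thumbnail" contains its own FF D9, followed by a fake DLL payload after the real EOI.
FAKE_DLL = b"MZ\x90\x00" + b"\x00" * 12 + b"constructed stand-in for a .NET DLL"


def build_sample(payload: bytes = FAKE_DLL) -> bytes:
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    thumb = SOI + EOI                               # inner FF D9: a trap for naive searches
    app1 = b"\xff\xe1" + (2 + 6 + len(thumb)).to_bytes(2, "big") + b"Exif\x00\x00" + thumb
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"      # includes byte stuffing and an RST0
    encoded = base64.b64encode(payload).decode().replace("A", "@")
    return SOI + app0 + app1 + sos + scan + EOI + encoded.encode()


if __name__ == "__main__":
    sample = build_sample()
    print(f"naive find puts EOI at {sample.find(EOI)}, walker puts it at {find_eoi_end(sample) - 2}")
    print(analyze_jpeg(sample))
```

On a real file, replace build_sample() with the bytes read from disk; a non-empty trailer_bytes is the first signal worth triaging even when the decode step fails, since legitimate encoders leave nothing after EOI.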

Tenable patches three high-severity vulnerabilities in Nessus Agent. 

Tenable has patched three high-severity vulnerabilities in Nessus Agent (versions 10.8.4 and earlier) affecting Windows hosts. These flaws—CVE-2025-36631, CVE-2025-36632, and CVE-2025-36633—allow non-admin users to escalate privileges, execute code, or overwrite/delete system files with ‘System’ privileges. CVSS scores range from 7.8 to 8.8. While there’s no evidence of active exploitation, Tenable advises immediate updates to version 10.8.5, available on its Downloads Portal. The vulnerabilities are pending full analysis by the National Vulnerability Database (NVD).

Attackers can disable Secure Boot on many Windows devices by exploiting a firmware flaw. 

Researchers at Binarly uncovered a vulnerability (CVE-2025-3052) that allows attackers to disable Secure Boot on many Windows devices by exploiting a flaw in UEFI firmware. The flaw, found in a module by a rugged display vendor, allows arbitrary memory writes via the IhisiParamBuffer variable, stored in non-volatile RAM. This could let attackers overwrite Secure Boot variables without detection, even though the OS still appears protected. While the exploit requires admin and physical access, the risk is significant due to UEFI’s pre-OS role. Some UEFI distributions are immune, but most systems remain vulnerable. The flaw has likely circulated since October 2022. Microsoft has patched the issue and revoked certificates for 14 affected modules in its June 2025 Patch Tuesday update. 

Lawmakers introduce a bipartisan bill to strengthen coordination between CISA and HHS. 

Lawmakers have introduced the bipartisan Healthcare Cybersecurity Act to strengthen coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS). The bill, led by Reps. Brian Fitzpatrick (R-PA) and Jason Crow (D-CO), would create a formal liaison to improve threat sharing, communication, and incident response for the healthcare sector. It also mandates cybersecurity training for hospital staff and directs both agencies to study sector-specific vulnerabilities, particularly in small and rural hospitals. A report to Congress would identify high-risk medical devices and recommend actions to protect electronic health records and healthcare delivery. Critics argue the bill may overemphasize training over structural issues like underfunding. Still, it responds to a rise in hospital cyberattacks that have disrupted care and leaked sensitive patient data.

Harry Coker reflects on his tenure as National Cyber Director. 

In an interview with The Record, Harry Coker Jr., former National Cyber Director, emphasized a collaborative and apolitical approach during his tenure in the Biden administration. He prioritized implementing the National Cybersecurity Strategy and its actionable implementation plan, advocating for role clarity among federal cyber agencies, and building trust across the interagency. Coker celebrated progress on eliminating unnecessary degree requirements for cyber roles and spotlighting long-standing internet vulnerabilities, such as weaknesses in the Border Gateway Protocol. He highlighted the need to improve support for state, local, tribal, and territorial governments under constant cyber assault, and he urged a better balance between political appointees and career professionals in his former office. On regulatory harmonization, Coker called for mutual recognition of compliance across sectors and tailoring based on core cybersecurity standards. His advice to his successor: prioritize cyber, clarify roles, and build strong interagency collaboration to ensure national security and economic prosperity remain tightly interwoven.

Coming up, we’ve got a segment from T-Minus Space Daily. T-Minus Space Daily host Maria Varmazis discusses agentic AI with Brandon Karpf, friend of the show, founder of T-Minus Space Daily, and cybersecurity expert.

When online chatbots overshare, it’s no laughing Meta. 

And finally, imagine asking a chatbot a private question—only to find out you accidentally shared it with the world. That’s the awkward reality unfolding on Meta’s new AI app, where users are unknowingly posting their chats publicly. The app includes a “share” button that brings up a post preview, but some people seem unaware they’re broadcasting everything from innocent queries to very personal matters. One user asked about skin irritation; another wanted help writing a letter for someone facing legal trouble—full names included. And yes, someone asked about the science of smelly farts. The app doesn’t clearly explain what’s being shared or with whom, especially if it’s linked to a public Instagram account. It’s a surprising misstep from one of the world’s biggest tech companies. While the app only has 6.5 million downloads so far, it’s already gaining attention—for all the wrong reasons. Let this be a reminder: read the fine print before you click “share.”

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment on Jason and Brian’s show, every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.

And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.