
UK calls out Russia’s playbook.
The UK sanctions Russian military intelligence officers tied to GRU cyber units. An AI-powered malware called LameHug targets Windows systems. Google files a lawsuit against the operators of the Badbox 2.0 botnet. A pair of healthcare data breaches impact over 3 million individuals. Researchers report a phishing attack that bypasses FIDO authentication by exploiting QR codes. A critical flaw in Nvidia’s Container Toolkit threatens managed AI cloud services. A secure messaging app is found exposing sensitive data due to outdated configurations. Meta investors settle their $8 billion lawsuit. Our guest is Will Markow, CEO of FourOne Insights and N2K CyberWire Senior Workforce Analyst, with a data-driven look at how AI is affecting jobs. Belgian police provide timely cyber tips, baked right in.
Today is Friday, July 18th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The UK sanctions Russian military intelligence officers tied to GRU cyber units.
The UK has sanctioned 18 Russian military intelligence officers tied to GRU cyber units accused of targeting civilians in Ukraine, including attacks like the Mariupol Theatre strike. The sanctions also cite earlier hacks, such as that of Yulia Skripal’s phone, and broader cyber campaigns to destabilize Europe and threaten UK security. Key GRU units, 26165 (Fancy Bear), 29155, and 74455 (Sandworm), were implicated, along with malware operations like “AUTHENTIC ANTICS.” Many of those sanctioned are already indicted in the U.S., though a few names are newly identified. The UK also targeted a Russian-backed content operation in Africa pushing disinformation. Foreign Secretary David Lammy warned that Russia’s hybrid threats won’t go unchecked, and the UK’s commitment to defending Ukraine and European security is “ironclad.”
An AI-powered malware called LameHug targets Windows systems.
Ukrainian cybersecurity officials have uncovered a new malware called LameHug, which uses an AI-powered large language model (LLM) to generate commands on compromised Windows systems. CERT-UA linked the malware to the Russian-backed APT28 hacking group, known for targeting Ukraine’s defense sector. The malware was spread via fake ministry emails containing a malicious .pif file. Built with Python and using Alibaba’s Qwen2.5-Coder-32B-Instruct LLM through Hugging Face, LameHug adapts in real time, making it harder to detect. IBM X-Force called this tactic novel for its dynamic execution. APT28, active since 2004, has a long history of attacks against Ukraine, including attempts on critical infrastructure and Western firms aiding Ukraine.
Google files a lawsuit against the operators of the Badbox 2.0 botnet.
Google has filed a lawsuit against the operators of Badbox 2.0, a massive botnet infecting over 10 million Android-based devices lacking Google’s security protections. The malware was pre-installed on devices or spread via malicious apps, creating backdoors for fraud and illicit schemes. Badbox 2.0 is the largest known botnet targeting smart TVs and connected devices, with potential for more dangerous attacks like ransomware or DDoS. Operators sold access to infected devices as residential proxies and used them for ad fraud. Google’s lawsuit seeks to disrupt the botnet’s infrastructure, citing links to multiple cybercrime groups in China. These groups collaborated through shared command-and-control systems, each handling different roles, from malware development to infrastructure and monetization. This follows the takedown of the original Badbox in 2023.
A pair of healthcare data breaches impact over 3 million individuals.
Two major healthcare data breaches have been disclosed, impacting over 3 million individuals. Radiology Associates of Richmond reported a breach from April 2024 affecting 1.4 million people. Hackers accessed systems for several days, but the breach wasn’t confirmed until more than a year later. Exposed data included personal and health information, including some Social Security numbers. In Maryland, Anne Arundel Dermatology revealed a separate breach affecting 1.9 million individuals. Hackers had access to their systems for nearly three months in early 2025. While neither breach shows confirmed misuse or involvement by known ransomware groups, both firms are offering identity protection services. These incidents add to a growing list of large-scale healthcare breaches in recent months, as tracked by the U.S. Department of Health and Human Services.
Researchers report a phishing attack that bypasses FIDO authentication by exploiting QR codes.
Researchers at security firm Expel report a phishing attack that bypasses FIDO authentication by exploiting QR codes used in cross-device sign-ins. FIDO keys, which are device-bound and offer strong MFA, are typically secure, but this attack tricks users into scanning a malicious QR code. The attacker created a fake Okta login page that mimicked the legitimate portal and relayed login credentials in real time. Once users scanned the QR code, thinking it was part of the legitimate login, the attacker gained access. Expel suspects ties to the PoisonSeed campaign, which has targeted crypto wallets. While no malicious actions were seen after login in this case, Expel warns that attackers have also enrolled their own FIDO keys to lock victims out. To defend against this, experts recommend requiring Bluetooth for cross-device logins, monitoring authentication logs for unusual activity, and watching for unexpected FIDO key registrations. Terminating active sessions quickly is also advised if compromise is suspected.
A critical flaw in Nvidia’s Container Toolkit threatens managed AI cloud services.
Researchers at Wiz discovered a critical flaw in Nvidia’s Container Toolkit, dubbed NVIDIAScape (CVE-2025-23266), which threatens managed AI cloud services. The vulnerability, shown at Pwn2Own Berlin and scored 9.0 CVSS, allows privilege escalation, data theft, tampering, and denial-of-service attacks. It stems from a misconfigured Open Container Initiative (OCI) hook. A malicious container can gain root access on shared GPU hosts, risking sensitive data and AI models. Wiz warns that containers alone aren’t secure and recommends stronger isolation like virtualization.
A secure messaging app is found exposing sensitive data due to outdated configurations.
TeleMessage SGNL, a secure messaging app used by U.S. agencies and businesses, was found exposing sensitive data due to outdated configurations in Spring Boot, leaving the /heapdump endpoint open. This flaw, tracked as CVE-2025-48927, allows attackers to extract memory dumps containing credentials and session data. Despite newer Spring Boot versions disabling this by default, vulnerable instances persisted as of May 2025. CISA added the issue to its Known Exploited Vulnerabilities list, warning of active attacks. TeleMessage previously suffered a major breach in May, exposing 410GB of sensitive data.
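The exposure described above comes down to a few Spring Boot Actuator properties. The following checker is an added example (not code from TeleMessage, Spring, or this briefing) that evaluates a constructed application.properties file against the exposure rules as this editor understands them for Spring Boot 2.x and later: the web exposure include list (default "health", with "*" meaning every endpoint), the exclude list which overrides include, and the per-endpoint and global enabled flags.

```python
"""Flag Spring Boot configurations that expose the actuator /heapdump endpoint.

Added example. Assumed rules (Spring Boot 2.x/3.x defaults as understood here):
 - management.endpoints.web.exposure.include: default "health"; "*" exposes all
 - management.endpoints.web.exposure.exclude: takes precedence over include
 - management.endpoint.heapdump.enabled and management.endpoints.enabled-by-default
   both default to true; either set to false switches the endpoint off
"""
from typing import Dict


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal application.properties parser: key=value lines, '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _as_set(value: str) -> set:
    return {v.strip() for v in value.split(",") if v.strip()}


def heapdump_exposed(props: Dict[str, str]) -> bool:
    """True if /actuator/heapdump would be reachable over HTTP under these properties."""
    global_default = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    enabled = props.get("management.endpoint.heapdump.enabled", str(global_default)).lower() == "true"
    if not enabled:
        return False
    include = _as_set(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _as_set(props.get("management.endpoints.web.exposure.exclude", ""))
    if "heapdump" in exclude or "*" in exclude:
        return False
    return "heapdump" in include or "*" in include


# Constructed samples: the risky "expose everything" pattern and a hardened variant.
RISKY = "management.endpoints.web.exposure.include=*\n"
HARDENED = (
    "management.endpoints.web.exposure.include=health,info\n"
    "management.endpoint.heapdump.enabled=false\n"
)

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("hardened", HARDENED)):
        print(f"{name}: heapdump exposed = {heapdump_exposed(parse_properties(cfg))}")
```

A configuration with no exposure properties at all evaluates as safe here, which reflects the newer defaults the story refers to; older Spring Boot 1.x deployments exposed actuator endpoints by default and are not modelled.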
Meta investors settle their $8 billion lawsuit.
Meta investors have settled a lawsuit accusing CEO Mark Zuckerberg and other executives of mishandling the Cambridge Analytica data privacy scandal. The case, which sought $8 billion in damages, alleged leaders ignored red flags about the firm’s misuse of Facebook user data. It also focused on Meta’s $5 billion FTC fine in 2019, claiming it was inflated to protect Zuckerberg from personal liability. Settlement terms remain undisclosed. Meta and plaintiff representatives have not commented on the outcome.
Belgian police provide timely cyber tips, baked right in.
In Belgium, cybercrime awareness has gone gluten-full. Police are now printing cybersecurity tips on bakery bags, because nothing says “beware of phishing” like a fresh baguette. The idea is delightfully simple: reach people who aren’t glued to their screens with messages wrapped around their daily bread. It’s a low-cost way to warn about scams, one crusty croissant at a time. Let’s be honest, your gran might skip the cybersecurity blog, but she’ll read whatever’s on her lunch bag. It’s a wry reminder that in the fight against digital threats, sometimes the most effective tech isn’t high-tech at all. Sometimes it’s just a well-placed warning on your sandwich wrapper. Bon appétit, and don’t click suspicious links.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
