The CyberWire Daily Podcast 8.27.25
Ep 2380 | 8.27.25

Whistle-blown and wide open.

Transcript

A whistle-blower claims DOGE uploaded a sensitive Social Security database to a vulnerable cloud server. Allies push back against North Korean IT scams. ZipLine is a sophisticated phishing campaign targeting U.S.-based manufacturing. Researchers uncover a residential proxy network operating across at least 20 U.S. states. Flock Safety license plate readers face increased scrutiny. A new report chronicles DDoS through the first half of the year. LLM guard rails fail to defend against run-on sentences. A South American APT targets the Colombian government. Our guest is Harry Thomas, Founder and CTO at Frenos, on the benefits of curated and vetted AI training data. One man’s fight against phantom job posts.

Today is Wednesday, August 27th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A whistle-blower claims DOGE uploaded a sensitive Social Security database to a vulnerable cloud server.

A whistle-blower complaint has revealed that the Department of Government Efficiency (DOGE), a group tied to Elon Musk’s government tech initiative, uploaded a copy of the Social Security Administration’s Numident database—containing records of over 548 million Social Security numbers—to a vulnerable cloud server in June. The New York Times reports the database includes full names, addresses, and birth dates, making it one of the most sensitive U.S. repositories of personal information.

The complaint, filed by Social Security’s chief data officer, Charles Borges, warns of “catastrophic impact” if the data were exposed, including mass identity theft and the costly reissuance of Social Security numbers. Borges alleges DOGE bypassed standard security oversight, excluded him from discussions, and ignored risk assessments labeling the project “high risk.” While no breach has been confirmed, documents show DOGE pushed forward despite repeated warnings. The complaint, supported by whistle-blower lawyers, claims DOGE’s actions may have violated federal laws protecting government data.

Allies push back against North Korean IT scams. 

Governments and tech firms met in Tokyo this week to share strategies against North Korea’s covert IT worker scheme. Organized by the U.S., Japan, and South Korea, the forum gathered over 130 participants from payment providers, crypto exchanges, AI companies, and freelance platforms. For years, North Korean citizens posing as foreign contractors have landed IT jobs at Western firms using stolen IDs, earning millions to fund Pyongyang’s weapons programs. Hundreds have secured roles, sometimes holding multiple jobs at Fortune 500 companies. While their work often appears competent, U.S. officials warn of risks including data theft, reputational harm, and insider access for future hacks. North Korea-linked groups like Lazarus have stolen over $600 million from crypto firms, prompting tighter cooperation and recent sanctions.

ZipLine is a sophisticated phishing campaign targeting U.S.-based manufacturing. 

Check Point Research uncovered ZipLine, a sophisticated phishing campaign targeting U.S.-based manufacturing and supply chain–critical industries. Unlike traditional phishing, attackers begin contact through a victim’s public “Contact Us” form, prompting companies to respond and creating an appearance of legitimacy. They then sustain weeks of credible email exchanges, often under the guise of business partnerships or “AI transformation” initiatives, before delivering a malicious ZIP file.

The payload contains MixShell, a custom in-memory implant using DNS tunneling and HTTP fallback for command-and-control. MixShell enables file operations, proxying, command execution, and persistence. Attackers leverage aged, U.S.-registered domains with cloned websites to boost credibility.

Dozens of organizations, including large manufacturers and smaller firms, were targeted. The campaign demonstrates how patient, trust-based social engineering combined with advanced malware can bypass traditional defenses, highlighting the need to scrutinize even routine inbound business interactions.

Elsewhere, FortiGuard Labs has uncovered a global phishing campaign using personalized emails and spoofed websites to spread UpCrypter, a malware loader that deploys multiple remote access tools (RATs) including PureHVNC, DCRat, and Babylon RAT. Attackers use convincing lures, such as missed voicemail messages or purchase orders, with malicious HTML attachments. These scripts redirect victims to phishing pages tailored with their email domains and logos, making the sites appear legitimate.

Once on the page, victims are prompted to download a ZIP file containing an obfuscated JavaScript dropper. This triggers PowerShell commands, bypasses security checks, and executes payloads directly in memory. UpCrypter ensures persistence, evades analysis, and retrieves additional malware from attacker-controlled servers.

The campaign has already spread rapidly across multiple industries, highlighting how attackers now use advanced loaders to maintain long-term control inside networks, far beyond simple phishing attempts.

Researchers uncover a residential proxy network operating across at least 20 U.S. states. 

Infrawatch and KrebsOnSecurity have identified DSLRoot, a residential proxy network operating across at least 20 U.S. states. Unlike typical proxy providers that rely on mobile SDKs, DSLRoot installs dedicated hardware in American homes, creating persistent access to residential IPs. The service is managed by Andrei Holas, a Belarusian national with residences in Minsk and Moscow. Researchers estimate roughly 300 active devices, primarily using CenturyLink and Frontier IP space.

Technical analysis shows DSLRoot’s custom software can remotely manage consumer routers (ARRIS, Belkin, D-Link, ASUS) and even Android devices, enabling IP rotation and anonymous traffic routing. The network operates without authentication, exposing U.S. infrastructure to foreign control. DSLRoot markets its proxies on underground forums, alongside related services like virtual credit cards and company formation, offering global clients stealth access to U.S.-based IPs for $190/month.

Flock Safety license plate readers face increased scrutiny. 

Customs and Border Protection (CBP) quietly gained access to more than 80,000 Flock Safety license plate reader cameras nationwide, giving federal agents sweeping visibility into vehicle movements across the U.S. According to reporting from 404 Media, this access extended far beyond what local jurisdictions had been told, with many city officials unaware their camera data was being shared. In response to the revelations, Flock announced it would pause all federal pilot programs and limit direct federal access.

The fallout is already unfolding at the local level. On August 26, Evanston, Illinois, voted to shut down its license plate reader system and terminate its contract with Flock Safety by September 26. The decision followed a state audit revealing that Flock had illegally shared Illinois plate data with federal agencies, including CBP, in violation of a 2024 state law. Evanston officials cited both the privacy risks and the company’s noncompliance as reasons for ending the program.

A new report chronicles DDoS through the first half of the year. 

A new NETSCOUT report recorded over eight million global DDoS attacks in H1 2025, the highest ever. Hacktivists and nation-states now time assaults with major political events, crippling communications, energy, and transport. Europe, the Middle East, and Africa bore 3.2 million attacks, including a 3.12 Tbps strike in the Netherlands. Groups like NoName057(16) dominate, launching hundreds monthly, while newcomers like DieNet and Keymous+ quickly spread. With AI-driven automation, cheap DDoS-for-hire services, and vast IoT botnets, experts warn traditional defenses are increasingly obsolete.

LLM guard rails fail to defend against run-on sentences. 

Researchers at Palo Alto Networks’ Unit 42 have found a simple but powerful way to jailbreak large language models (LLMs): run-on sentences with bad grammar. By packing all instructions into one continuous clause without punctuation, attackers can bypass safety guardrails before they activate. Tests showed an 80–100% success rate against major models like Llama, Gemma, and Qwen.

The team introduced the concept of the “refusal-affirmation logit gap,” highlighting that alignment training only reduces, but does not erase, the chance of harmful outputs. Their proposed defenses include a “sort-sum-stop” method and layered protections such as input sanitization, external AI firewalls, and post-generation filtering.

Senior Director Billy Hewlett stressed that alignment is a “patch” on top of models that still contain unsafe knowledge, meaning jailbreak risks will persist. While the technique hasn’t been observed in the wild yet, researchers warn this cat-and-mouse game will likely continue.

A South American APT targets the Colombian government. 

Recorded Future’s Insikt Group has linked five activity clusters to TAG-144, also known as Blind Eagle, a South American APT that conducts cybercrime alongside espionage. The clusters share tactics such as using cracked RATs (AsyncRAT, REMCOS, LimeRAT), dynamic DNS services, and legitimate internet services for staging, but differ in infrastructure and malware deployment. Most victims are within the Colombian government at multiple levels. TAG-144 also shows ties to Red Akodon and has leveraged compromised government email accounts for spearphishing. Recommended defenses include IP/domain blocking, enhanced email filtering, data exfiltration monitoring, and updated YARA, Sigma, and Snort rules.


One man’s fight against phantom job posts.

When Eric Thompson lost his job in late 2024, he expected the usual frustrations of job hunting—awkward interviews, long silences, maybe even a rejection or two. What he didn’t expect was to spend months chasing “ghost jobs”—positions posted online that employers never actually plan to fill.

Annoyed enough to turn ghostbusting into a side hustle, Thompson founded the Truth in Job Advertising and Accountability Act (TJAAA) working group. The group’s draft proposal would require employers with 50+ staff to list details like start dates, whether a role is new or simply recycled, and even how many times it’s been posted. Violators could face fines of at least $2,500.

About 17% of jobs on Greenhouse in Q2 2025 fell into the ghost category, making it a common headache. Thompson now spends 20–30 hours a week pitching the idea to Congress. Whether lawmakers will prioritize ghostbusting remains… hauntingly unclear.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.