The CyberWire Daily Podcast 1.12.26
Ep 2466 | 1.12.26

A picture worth a thousand breaches.

Transcript

The FBI warns of Kimsuky quishing. Singapore warns of a critical vulnerability in Advantech IoT management platforms. Russia’s Fancy Bear targets energy research, defense collaboration, and government communications. Malaysia and Indonesia suspend access to X. Researchers warn a large-scale fraud operation is using AI-generated personas to trap mobile users in a social engineering scam. BreachForums gets breached. The NSA names a new Deputy Director. Monday Biz Brief. Our guest is Sasha Ingber, host of the International Spy Museum's SpyCast podcast. The commuter who hacked his scooter.

Today is Monday January 12th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The FBI warns of Kimsuky quishing. 

The FBI is warning that North Korea–linked advanced persistent threat group Kimsuky is using QR code–based spear-phishing, known as quishing, to target governments, think tanks, and academic institutions. According to the Federal Bureau of Investigation, the campaigns embed malicious QR codes in emails that bypass traditional security tools by hiding destination URLs. When scanned, the codes redirect victims through attacker-controlled infrastructure that profiles devices and presents mobile-optimized fake login pages impersonating services like Microsoft 365, Google, or VPN portals.

The activity, observed in May and June 2025, involved impersonation of trusted figures such as foreign advisors and embassy staff, with lures including fake questionnaires and conference invitations. These attacks often begin on unmanaged mobile devices and can enable session token theft, allowing attackers to bypass multi-factor authentication. The FBI says this makes quishing a highly effective, MFA-resilient identity attack vector and urges layered defenses, including user training, mobile security controls, and phishing-resistant authentication, to reduce risk from groups like Kimsuky.

Singapore warns of a critical vulnerability in Advantech IoT management platforms. 

The Cyber Security Agency of Singapore is warning of a critical vulnerability in multiple Advantech IoT management platforms. The flaw, tracked as CVE-2025-52694 and rated CVSS 10.0, is a SQL injection bug that allows unauthenticated attackers to run database commands and achieve remote code execution. Affected products include several IoTSuite and IoT Edge versions on Linux, Windows, and Docker. Advantech urges immediate patching, noting some fixes require direct customer coordination.
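As an added illustration of the bug class behind this advisory (not Advantech's code or schema, which the page does not show), the following Python snippet puts a string-spliced query beside its parameterized form on a constructed in-memory SQLite table. The table name, columns and rows are made up for the demo; a crafted `owner` value turns the vulnerable lookup into "return every row", while the bound-parameter version treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample table; names and secrets are placeholders, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (name, owner, secret) VALUES (?, ?, ?)",
        [
            ("gateway-01", "alice", "placeholder-a"),
            ("gateway-02", "bob", "placeholder-b"),
            ("sensor-07", "alice", "placeholder-c"),
        ],
    )
    return conn


def lookup_vulnerable(conn, owner):
    """Vulnerable pattern: untrusted input is spliced into the SQL text.

    The attacker-controlled string becomes part of the statement, so a quote
    in the input changes the query's logic instead of being matched literally.
    """
    sql = f"SELECT name FROM devices WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, owner):
    """Hardened pattern: the value is bound as a parameter.

    The database driver sends the SQL and the value separately; the input can
    never be parsed as SQL, so quotes and keywords in it are harmless.
    """
    rows = conn.execute(
        "SELECT name FROM devices WHERE owner = ? ORDER BY id", (owner,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable, honest input:", lookup_vulnerable(db, "bob"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, crafted))
    print("safe, crafted input:", lookup_safe(db, crafted))
```

The same split applies to any driver that supports placeholders; what the "run database commands" wording in the advisory adds on top of this is that some backends also accept stacked statements or allow the injected query to reach functions that touch the filesystem or shell, which is how a query-level bug becomes code execution.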

Russia’s Fancy Bear targets energy research, defense collaboration, and government communications. 

Researchers at Recorded Future report that Russian state-sponsored threat group APT28 is conducting an ongoing credential-harvesting campaign against organizations tied to energy research, defense collaboration, and government communications. Also known as Fancy Bear and Sofacy, the group has been active since at least 2004 and is linked to Russia’s GRU.

The campaign relies on phishing pages impersonating Microsoft Outlook Web Access, Google, and Sophos VPN portals, often paired with PDF lures and redirection to legitimate sites after credentials are stolen. Recorded Future says APT28 heavily abuses free hosting, tunneling, and link-shortening services to host phishing infrastructure, collect victim data, and obscure attribution, suggesting the activity is likely to continue.

Malaysia and Indonesia suspend access to X. 

Malaysia and Indonesia have suspended access to X, citing concerns that the service enables the creation of non-consensual sexual imagery. Malaysia’s communications regulator said X failed to implement safeguards required under local law, prompting a block until compliance is achieved. Indonesia’s communications minister said sexual deepfakes violate human rights and digital safety. India has also warned X over similar issues. Owner Elon Musk has argued the actions amount to censorship, though the countries have a history of restricting platforms over objectionable content.

Researchers warn a large-scale fraud operation is using AI-generated personas to trap mobile users in a social engineering scam.

Security researchers at Check Point warn that a large-scale fraud operation dubbed OPCOPRO is using AI-generated personas and fake communities to trap mobile users in a long-running social engineering scam. The campaign begins with SMS messages impersonating brands like Goldman Sachs, promising outsized investment returns. Victims who click the links are funneled into private WhatsApp groups populated largely by bots posing as enthusiastic investors and guided by fictional “experts” with AI-generated profiles.

After weeks of trust-building, targets are directed to download a fraudulent OPCOPRO app from the Apple App Store or Google Play Store, lending false legitimacy. The app contains no real trading functionality but collects identity documents and selfies under the guise of Know Your Customer checks. Researchers say the stolen identities enable financial theft, account takeovers, and SIM swapping, making OPCOPRO a highly scalable, industrialized fraud model.

BreachForums gets breached. 

The latest version of BreachForums has suffered another data breach, with a leaked user database and administrative PGP key circulating online. The leak appeared in a 7Zip archive posted on a site named after the ShinyHunters gang, though ShinyHunters denied involvement, according to BleepingComputer.

The archive contains a MyBB users table with nearly 324,000 records, including usernames, registration dates, and IP addresses. While most IPs resolve to a local loopback address, more than 70,000 map to public IPs, raising operational security concerns. BreachForums’ administrator said the data originated from an August 2025 backup briefly exposed during site recovery and claimed it was downloaded only once. However, researchers later confirmed the leaked PGP key password was also published, increasing potential risk to users.
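The loopback-versus-public split the researchers describe is a routine triage step for any leaked users table. As an added example (not the leaked data, and not code from BleepingComputer or the researchers), this Python snippet classifies the registration-IP column of a constructed MyBB-style CSV with the standard `ipaddress` module. The rows, usernames and dates are made up; the two public addresses are well-known resolver IPs used purely as stand-ins for "routable".

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample in the shape of a MyBB users export (uid, username, regdate, regip).
# None of these rows come from the real leak.
SAMPLE_CSV = """uid,username,regdate,regip
1,admin,2024-03-01,127.0.0.1
2,user_a,2024-05-14,127.0.0.1
3,user_b,2024-06-02,8.8.8.8
4,user_c,2024-06-09,10.0.0.7
5,user_d,2024-07-21,1.1.1.1
6,user_e,2024-08-03,not-an-ip
"""


def classify_ip(value):
    """Bucket one address: loopback, public (globally routable), non-routable, or invalid.

    A loopback entry usually means the forum logged the address of a local
    proxy instead of the visitor; a public entry is the one that matters for
    the user's operational security.
    """
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_global:
        return "public"
    return "non-routable"  # RFC 1918, link-local, documentation ranges, etc.


def summarize(csv_text, column="regip"):
    """Count how many rows fall into each bucket."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[classify_ip(row[column])] += 1
    return dict(counts)


def public_entries(csv_text, column="regip"):
    """List (username, ip) for rows whose logged address is globally routable."""
    return [
        (row["username"], row[column].strip())
        for row in csv.DictReader(io.StringIO(csv_text))
        if classify_ip(row[column]) == "public"
    ]


if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
    print(public_entries(SAMPLE_CSV))
```

On a real export the `summarize` counts answer the first question (did the application actually record visitor addresses, or only a proxy's), and `public_entries` is the subset worth a second look during an incident review.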

The NSA names a new Deputy Director. 

The National Security Agency has named veteran intelligence official Tim Kosiba as its new deputy director, ending months of leadership uncertainty. Kosiba returns after more than three decades of government service, including senior roles at the NSA and Federal Bureau of Investigation, and most recently as deputy commander of NSA Georgia. The appointment follows the administration’s decision to drop a previous nominee amid political backlash, a move first reported by Recorded Future News. As deputy, Kosiba will oversee daily operations and support the NSA director, who also leads U.S. Cyber Command. Attention now shifts to Senate confirmation hearings for the agency’s permanent leader, scheduled later this month.

Monday Biz Brief. 

A wave of global funding and consolidation highlights continued investor confidence in cybersecurity and adjacent markets. Israeli security analytics firm Vega raised $120 million in a Series B led by Accel, valuing the company at $700 million, while Saudi OT security provider DSShield secured $54 million to scale operations and prepare for a potential public listing. Israeli AI identity startup Act Security closed a $40 million Series A, and U.S.-based Armadin, founded by Kevin Mandia, raised $24 million in seed funding amid talks of a much larger round.

Smaller raises included South Korea’s Logpresso, Utah-based Paramify, Belgium’s Wodan AI, and Turkey’s Gardiyan. The sector also saw multiple MSSP acquisitions across Australia, Europe, and the United States, underscoring ongoing market consolidation.


The commuter who hacked his scooter. 

A few years ago, self-described ethical hacker Rasmus Moorats bought a new electric scooter, not because it was the best on paper, but because it was proudly local, custom-built in his home nation of Estonia, and felt right. That charm dulled when the scooter maker went bankrupt, and their cloud-dependent app began quietly losing features. Since even basic functions like unlocking depended on servers that might disappear, Moorats did what any calm, rational commuter would do and reverse engineered the entire system.

Digging through a React Native app, Bluetooth traffic, and some unhelpfully obscure bytecode, he uncovered an awkward truth. Every scooter shared the same default Bluetooth authentication key. In practice, that meant anyone nearby could unlock any of this particular brand of scooter. Oops.

With a bit more work, he mapped the scooter’s command structure, wrote his own control app, and restored independence from the cloud. The scooter still works, the servers can vanish, and the lesson stands: local pride is great, but cryptographic defaults are forever.
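To make the "shared default key" lesson concrete, here is an added toy model of a challenge-response unlock, written for this page and not the real scooter's protocol or Moorats' code. Each scooter holds an authentication key and issues a fresh random nonce; the client proves possession of the key by returning an HMAC over that nonce. The `Scooter` class, `DEFAULT_KEY` and serial numbers are all invented for the illustration. The first fleet is provisioned with one vendor-wide default, so a single key unlocks every unit; the second gives each unit its own random key at provisioning, so the owner's key works only on the owner's scooter, and a captured response cannot be replayed because the nonce changes.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a vendor-wide default key; any real product would
# have its own value, which this example does not know or reproduce.
DEFAULT_KEY = b"\x00" * 16


class Scooter:
    """Toy unlock controller: HMAC-SHA256 challenge-response over a random nonce."""

    def __init__(self, serial, auth_key):
        self.serial = serial
        self._auth_key = auth_key
        self._nonce = None
        self.unlocked = False

    def challenge(self):
        # A fresh nonce per attempt is what makes an old response useless later.
        self._nonce = os.urandom(16)
        return self._nonce

    def unlock(self, response):
        if self._nonce is None:
            return False
        expected = hmac.new(self._auth_key, self._nonce, hashlib.sha256).digest()
        self.unlocked = hmac.compare_digest(expected, response)
        self._nonce = None  # single use
        return self.unlocked


def respond(client_key, nonce):
    """What the phone app computes once it has received the challenge."""
    return hmac.new(client_key, nonce, hashlib.sha256).digest()


def try_unlock(scooter, client_key):
    """Run one full exchange: challenge, response, verdict."""
    nonce = scooter.challenge()
    return scooter.unlock(respond(client_key, nonce))


def count_unlockable(fleet, client_key):
    """How many scooters in the fleet a single key can open."""
    return sum(1 for s in fleet if try_unlock(s, client_key))


def shared_default_fleet():
    """The flawed design: every unit ships with the same key."""
    return [Scooter("UNIT-0001", DEFAULT_KEY), Scooter("UNIT-0002", DEFAULT_KEY)]


def provision(serial):
    """The sound design: a unique random key per unit, handed only to its owner."""
    key = os.urandom(16)
    return Scooter(serial, key), key


if __name__ == "__main__":
    print("default key opens", count_unlockable(shared_default_fleet(), DEFAULT_KEY), "of 2")
    a, key_a = provision("UNIT-0001")
    b, key_b = provision("UNIT-0002")
    print("owner A opens A:", try_unlock(a, key_a), "| owner A opens B:", try_unlock(b, key_a))
```

The nonce also covers the second half of the lesson: even with per-device keys, a protocol that accepted a static password over Bluetooth would let anyone who sniffed one unlock replay it, so both unique keys and a fresh challenge are needed.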

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.