DeFi Heist, Insider Threats & AI Malware – 11/03/2025

November 2, 2025

Today’s security landscape is marked by audacious insider threats, including the indictment of US ransomware negotiators for conducting their own attacks and an executive selling zero-day exploits to Russia. A massive $128 million DeFi heist highlights ongoing risks in the cryptocurrency space. Additionally, a novel malware campaign has been discovered using OpenAI’s API for covert command-and-control, showcasing the evolving abuse of emerging technologies by threat actors.

Top 5 Critical Security Alerts

  • Hacker steals over $120 million from Balancer DeFi crypto protocol: A major DeFi exploit on the Balancer Protocol has resulted in the theft of over $128 million in cryptocurrency, marking a significant financial breach.
  • How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia: A former executive at defense contractor L3Harris Trenchant, Peter Williams, has been exposed for stealing and selling eight zero-day exploits to a Russian broker.
  • DOJ accuses US ransomware negotiators of launching their own ransomware attacks: The DOJ has indicted three individuals, including two US ransomware negotiators, for allegedly conducting ALPHV/BlackCat ransomware attacks themselves in an unprecedented insider plot.
  • Microsoft: SesameOp malware abuses OpenAI Assistants API in attacks: Microsoft has identified a new backdoor malware, SesameOp, which uses the OpenAI Assistants API for its command-and-control communications to evade detection.
  • Fake Solidity VSCode extension on Open VSX backdoors developers: A malicious VSCode extension for Solidity developers, named SleepyDuck, has been found on the Open VSX registry, using an Ethereum smart contract for C2 communications.

Threat Intelligence

  • New HttpTroy Backdoor Poses as VPN Invoice in Targeted Cyberattack on South Korea: The Kimsuky APT group is using a new backdoor called HttpTroy, disguised as a VPN invoice, in targeted spear-phishing attacks against entities in South Korea.
  • Android Malware Mutes Alerts, Drains Crypto Wallets: A new Android banking trojan, BankBot-YNRK, is targeting users in Indonesia by masquerading as legitimate applications to mute security alerts and steal from crypto wallets.
  • Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data: Analysis reveals two Android trojans, BankBot-YNRK and DeliveryRAT, are actively harvesting sensitive financial data from compromised mobile devices.

Security Breaches & Incidents

  • Data breach costs lead to 90% drop in operating profit at South Korean telecom giant: SK Telecom’s operating profit plummeted by 90% due to the high costs of compensating customers and recovery efforts after a massive data breach affecting 27 million people.
  • Cargo theft gets a boost from hackers using remote monitoring tools: Threat actors are using Remote Monitoring and Management (RMM) tools to infiltrate trucking and logistics companies, enabling them to hijack and steal physical cargo shipments.
  • Japanese retailer Askul confirms data leak after cyberattack claimed by Russia-linked group: Online retailer Askul has confirmed a data breach exposing customer and supplier information following a cyberattack attributed to a Russia-linked threat group.

Security Tools & Best Practices

  • Ground zero: 5 things to do after discovering a cyberattack: A guide outlines the first five critical steps an organization should take immediately after discovering a cyberattack to contain the threat and mitigate damage.
  • AI Developed Code: 5 Critical Security Checkpoints for Human Oversight: Experts outline five essential security checkpoints where human developers must review AI-generated code to prevent introducing vulnerabilities.

Cloud & Network Security

  • Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching: A recent Microsoft out-of-band patch for an actively exploited Windows Server Update Services (WSUS) vulnerability has inadvertently broken the hotpatching feature.
  • OAuth Device Code Phishing: Azure vs. Google Compared: A technical comparison explores the different attack surfaces and risks of OAuth device code phishing against Microsoft Azure versus Google Cloud environments.

Security Standards & Frameworks

  • Lawmakers ask FTC to probe Flock Safety’s cybersecurity practices: US lawmakers are urging the Federal Trade Commission to investigate surveillance tech provider Flock Safety’s security measures, citing concerns over weak account protection.
  • CISA and NSA Outline Best Practices to Secure Exchange Servers: CISA and the NSA have jointly released a new blueprint with best practices and guidelines to help organizations harden their Microsoft Exchange Servers against attacks.

Emerging Security Technologies

  • A self-rewriting AI from KAUST revives Jürgen Schmidhuber’s vision of a Gödel Machine: Researchers have developed the Huxley-Gödel Machine (HGM), an AI agent capable of evolving by rewriting and improving its own source code.

Chris Armour
Director of Software Engineering
The Breaker & Builder.

Operating on the philosophy that 'you can't build a secure system if you don't know how to break it,' Chris leads our engineering division. A top 1% National Cyber League competitor, he hardens our digital infrastructure against the very exploits he has mastered.
