Cyber Briefing: 2025.05.29
APT41 abuses Google Calendar, PumaBot hits IoT, and NodeSnake targets UK schools. Victoria’s Secret and LexisNexis breached, Cork loses $12M. UK funds cyber army, Oregon bans geo data sales.
👉 What's the latest in the cyber world today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. APT41 Uses Google Calendar For C2 Operations
Google recently disclosed that the Chinese state-sponsored threat actor APT41 used a malware family named TOUGHPROGRESS that relies on Google Calendar for command-and-control (C2), reading tasking from and writing results to calendar events so that its traffic blends in with legitimate Google API use. Discovered in late October 2024, the malware was hosted on a compromised government website and delivered by spear-phishing to other government entities. The attack chain is multi-stage: the PLUSDROP and PLUSINJECT components run first, and the final TOUGHPROGRESS stage is the one that talks to Google Calendar. Google has since neutralized the campaign by taking down the attacker-controlled calendars and associated projects, and has notified the affected organizations.
2. New PumaBot IoT Botnet Uses SSH Attack
A new Go-based botnet named PumaBot is targeting embedded Linux IoT devices by conducting SSH brute-force attacks to expand and deliver further malware. Unlike typical botnets, PumaBot retrieves a specific list of target IPs from its command-and-control server and attempts to disguise itself as legitimate system files for persistence. Evidence like the "xmrig" command suggests a primary goal of illicit cryptocurrency mining, although the attackers may deploy other payloads, including sophisticated rootkits. This multi-stage threat also involves credential theft and demonstrates an intent to evade defenses, potentially enabling deeper network infiltration beyond simple DDoS attacks.
3. New NodeSnake RAT Hits UK Universities
The Interlock ransomware group is deploying a new JavaScript-based remote access trojan (RAT) called NodeSnake to gain persistent access to educational institutions' networks. Researchers observed NodeSnake targeting UK universities in early 2025, with the malware showing signs of active development and using phishing for initial infection. NodeSnake employs various evasion techniques, including code obfuscation and disguised persistence mechanisms, while exfiltrating system data and allowing further payload deployment.
💥 Cyber Incidents
4. Victoria's Secret Site Down After Breach
Fashion retailer Victoria's Secret is grappling with a significant "security incident" that led to its US website being taken offline and some in-store services being disrupted since Monday, May 26th. The company, which confirmed the issue on Wednesday, stated it enacted response protocols and engaged third-party experts, taking systems down as a precaution while stores remain open. The incident occurs amid a rise in sophisticated cyberattacks targeting retailers, prompting concerns about preparedness and potential financial losses similar to those recently experienced by other major brands.
5. Cork Protocol Paused After $12M Exploit
Decentralized finance platform Cork Protocol was recently exploited on May 28th, losing approximately $12 million in digital assets which the attacker quickly converted. In response, Cork Protocol's co-founder announced an investigation and the immediate pausing of all smart contracts to prevent further losses. This incident underscores the significant cybersecurity challenges facing the Web3 industry, highlighted further by the recent $223 million hack of the Cetus DEX on May 22nd. Such exploits lower consumer confidence and intensify calls from industry executives for improved security measures across all crypto platforms.
6. LexisNexis GitHub Breach Affects 364K People
Data broker LexisNexis Risk Solutions has revealed a significant data breach affecting over 364,000 individuals: in December 2024 personal information was stolen from GitHub, a third-party platform the company uses for software development. The company, which learned of the breach on April 1, 2025, is now notifying victims and stated that the exposed data could include names, contact details, Social Security numbers, and driver's license numbers, though no financial information was affected. LexisNexis confirmed that its own systems were not compromised but acknowledged that an unknown attacker accessed its GitHub account; it is unclear whether a ransom was demanded.
📢 Cyber News
7. UK To Invest £1B In Cyber Army For Defense
UK Defence Secretary John Healey announced plans for a new cyber command and a £1 billion investment in AI, described as creating an "army of hackers" to counter intensifying cyber warfare. This major investment aims to protect Britain, allow offensive cyber operations, and includes an additional £1 billion for a "digital targeting web" by 2027 to enhance battlefield decisions. Prompted by 90,000 recent state-linked cyber attacks, particularly from Russia, General Sir Jim Hockenhull will lead the command focusing on areas like electromagnetic warfare. This new Cyber and Electromagnetic Command will enable the UK to fight enemies online and lead in defensive operations, building on the National Cyber Force's existing hacking activities.
8. Oregon Passes Bill To Ban Geo Data Sales
The Oregon state legislature recently passed a law making it the second US state to ban the sale of precise geolocation data and personal data of children under 16. This new legislation, which strengthens a 2023 privacy law, is more stringent than Maryland's similar bill and federal child privacy laws, according to policy analysts. Consumer Reports praised the move, highlighting that location data is highly sensitive and preventing its commercial sale is a key step to protect constituents' privacy from potential misuse. While similar bills are being debated in states like Maine and Massachusetts, this Oregon law, H.B. 2008, could significantly push other states to adopt tougher data privacy measures.
9. Horizon 3 AI Secures Near $100M Funding
Cybersecurity startup Horizon3.ai is raising $100 million in a new funding round led by NEA, having already secured at least $73 million, valuing the company upwards of $750 million. This new investment follows a $40 million Series C in 2023 and will fuel further R&D and team expansion for the company, known for its autonomous penetration testing tools. Founded in 2019 by former U.S. Special Operations cyber operators and cybersecurity experts, Horizon3.ai helps organizations defend against rising AI-powered automated attacks. The company recently achieved FedRAMP authorization, enabling sales to U.S. federal agencies, and has reported significant year-on-year revenue growth.
📈 Cyber Stocks
On May 28, 2025, Zscaler fell 1.42%, CrowdStrike Holdings dropped 0.72%, Palo Alto Networks rose 1.04%, Fortinet declined 0.22%, and SentinelOne tumbled 11.39%.
💡 Cyber Tip
Be careful with smart devices connected to the internet
A new malware threat called PumaBot is attacking internet-connected devices by breaking into them through weak SSH passwords. Once inside, it hides itself and uses the device’s power to secretly mine cryptocurrency.
✅ What you should do
Always change the default passwords on smart devices like routers, security cameras, and other IoT equipment.
If your device uses SSH (a way to access it remotely), use a strong, unique password, or better, switch to key-based login and turn password authentication off entirely, and disable SSH altogether if you do not need it.
Keep your devices’ firmware up to date to reduce the risk of known vulnerabilities.
Check your smart devices for unusual behavior, like overheating, slowing down, or unknown files.
Secure your network with a firewall and monitor for multiple failed login attempts.
✅ Why this matters
Even one unprotected smart device can be hijacked and silently used by hackers, putting your privacy, security, and bandwidth at risk.
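Item 2 above and this tip come down to the same two controls: notice SSH password guessing when it happens, and configure sshd so that guessing cannot succeed. The following is an added example, not code from the original briefing or from the PumaBot research, that does both on constructed inputs. It parses OpenSSH auth.log lines for failed and accepted logins, flags any source address that fails repeatedly inside a short window and reports whether a login from that address succeeded afterwards (the sign that a guessed password worked), and audits an sshd_config against OpenSSH's defaults for the settings the tip recommends. The log lines, addresses, configs and the 5-failures-per-minute threshold are all assumptions made for the example.

```python
"""Added example: SSH brute-force detection over auth.log lines plus an sshd_config audit.
All sample inputs below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth.log excerpt (syslog format; the year is not in the line).
SAMPLE_AUTH_LOG = """\
May 28 10:01:02 cam01 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 28 10:01:03 cam01 sshd[1202]: Failed password for admin from 203.0.113.7 port 51235 ssh2
May 28 10:01:04 cam01 sshd[1203]: Failed password for invalid user pi from 203.0.113.7 port 51236 ssh2
May 28 10:01:05 cam01 sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
May 28 10:01:06 cam01 sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
May 28 10:01:07 cam01 sshd[1206]: Accepted password for root from 203.0.113.7 port 51239 ssh2
May 28 10:05:00 cam01 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
May 28 10:20:00 cam01 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Constructed configs: a factory-default style IoT image and a hardened one.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no   # keys only
PubkeyAuthentication yes
MaxAuthTries 3
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text, year=2025):
    """Return one event dict per Failed/Accepted sshd line; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m["ts"])  # syslog pads single-digit days with two spaces
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with `threshold` failures inside `window`; note any later success."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e)
    report = {}
    for src, fails in failures.items():
        times = sorted(e["ts"] for e in fails)
        # Sliding window: any run of `threshold` consecutive failures within `window`.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        success_after = any(e["result"] == "Accepted" and e["src"] == src and e["ts"] >= times[0]
                            for e in events)
        report[src] = {"failures": len(fails),
                       "users": sorted({e["user"] for e in fails}),
                       "success_after_failures": success_after}
    return report

# OpenSSH defaults for the keys we audit (PermitRootLogin default since OpenSSH 7.0).
SSHD_DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password",
                 "maxauthtries": "6"}

def audit_sshd_config(text):
    """Return a list of findings for settings that leave the host open to password guessing."""
    effective = dict(SSHD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" or "Key=value"
        if len(parts) == 2:
            effective[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if effective["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can be guessed; use keys")
    if effective["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is directly brute-forceable; set it to no")
    tries = effective["maxauthtries"]
    if not tries.isdigit() or int(tries) > 3:
        findings.append(f"MaxAuthTries {tries}: many guesses per connection; set it to 3")
    return findings

if __name__ == "__main__":
    for src, info in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"brute force from {src}: {info}")
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

On the constructed log the detector flags 203.0.113.7 (five failures in four seconds, then an accepted password for root, which is the case that needs an immediate response), and ignores the single failure from 198.51.100.4. The audit reports three findings for the factory-default style config and none for the hardened one; on a real device the same logic runs against /var/log/auth.log (or `journalctl -u ssh`) and /etc/ssh/sshd_config.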
📚 Cyber Book
Click Here to Kill Everybody by Bruce Schneier
That concludes today's briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.