Cyber Briefing: 2025.06.24
APT28 uses Signal to deploy BEARDSHELL; malware hides in WordPress plugins; China hijacks routers; Hacken token hacked; Saudi Games data leaked; OWASP launches AI security test guide.
👉 What's happening in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. BEARDSHELL and COVENANT Malware Uncovered
Ukraine's Computer Emergency Response Team (CERT-UA) has warned of a new campaign by the Russia-linked hacking group APT28. The threat actors are using the Signal messaging app to deliver malicious documents to Ukrainian government targets. When opened, these documents install a new malware framework called COVENANT, which then deploys a backdoor named BEARDSHELL. This backdoor allows the attackers to execute commands and exfiltrate data from compromised systems using legitimate cloud storage APIs.
2. New Malware Skims WordPress E-commerce Sites
A highly sophisticated malware campaign is targeting WordPress and WooCommerce sites with advanced credit card skimmers and credential thieves. This malware family is notable for its modular architecture and its use of anti-analysis techniques typically associated with state-sponsored threat actors. The campaign's most innovative feature is packaging the malware as a rogue WordPress plugin that converts compromised websites into custom interfaces for attackers. This approach allows the malware to remain deeply embedded and hidden while providing attackers with persistent infrastructure to manage their operations.
3. Chinese Hackers Build Router Spy Network
A sophisticated China-linked cyber espionage campaign called "LapDogs" has been uncovered targeting over 1,000 home and small office routers. The campaign, attributed to the group UAT-5918, turns these compromised devices into a covert relay network for long-term intelligence operations. The attackers use a custom backdoor named "ShortLeash" which employs clever evasion tactics to maintain persistence and avoid detection. This includes generating self-signed security certificates disguised to look like they are from the Los Angeles Police Department (LAPD) for cover.
💥 Cyber Incidents
4. Hackers Leak Saudi Games Athlete Data
A pro-Iranian hacktivist group called Cyber Fattah has claimed responsibility for a major data breach targeting the Saudi Games. On June 22, the group leaked thousands of personal records online, including scans of passports, ID cards, and financial details of athletes and visitors. The attack is viewed by security analysts as part of a broader, politically motivated information operation by Iran and its affiliates to undermine regional stability. This incident highlights the growing trend of high-profile sporting events becoming targets for geopolitical cyber-attacks.
5. Hacken Token Crashes 99 Percent After Hack
A leaked private key allowed a hacker to mint and then dump $250,000 worth of Hacken's native token (HAI), causing its price to collapse by 99% over the weekend. The cybersecurity firm confirmed the key was compromised during architectural changes to its blockchain bridge and that core systems were not affected. In response, Hacken has paused bridge transactions and revoked the compromised account's minting rights to regain control. The company announced that tokens purchased after the hack will not be supported and that it will accelerate plans to convert HAI into a security token representing company equity.
6. Paraguayan Government Hit By Cyberattack
Two Paraguayan government institutions were hit by cyberattacks last Saturday, June 21, as confirmed by the nation's technology ministry. The Jury for the Prosecution of Magistrates (JEM) and the Ministry of Public Health both suffered incidents that are now under investigation. The JEM reported it detected a possible unauthorized access attempt and preemptively blocked its servers to protect data. This event follows a separate incident earlier in June where the Paraguayan president's "X" account was briefly hacked.
📢 Cyber News
7. US House Bans WhatsApp From Staff Devices
The U.S. House of Representatives has banned the WhatsApp messaging app from all government-issued devices used by its staff. A memo from the Chief Administrative Officer cited the app as a high security risk due to a lack of transparency and potential vulnerabilities. Staffers have been directed to remove the application and use approved alternatives like Signal, Microsoft Teams, and iMessage. A spokesperson for Meta, WhatsApp's parent company, strongly disputed the assessment, stating the platform's end-to-end encryption is highly secure.
8. UK Needs More Cyber Advisors For Small Firms
The UK's National Cyber Security Centre (NCSC) is urging more experts to join its Cyber Advisor scheme to help protect small and medium-sized businesses (SMEs). Launched almost two years ago, the program's growth has been too slow to meet the needs of the nation's 5.5 million SMEs. Becoming a certified Cyber Advisor offers a clear competitive advantage by demonstrating competence to an NCSC-approved standard. However, this program and the related Cyber Essentials scheme both suffer from low adoption, with fewer than one in one hundred businesses signed up.
9. OWASP Releases New AI Security Test Guide
The Open Web Application Security Project (OWASP) has launched a new AI Testing Guide to address growing security challenges. The framework is designed to help organizations detect unique AI-specific vulnerabilities that traditional security tools often ignore. It provides specialized testing methodologies for risks like prompt injections, model poisoning, data drift, and adversarial attacks. Led by security experts, the guide aims to provide a comprehensive resource for developers, data scientists, and risk officers to build more secure AI systems.
📈 Cyber Stocks
As U.S. markets open on Tuesday, June 24, 2025, five leading pure-play cybersecurity stocks are showing strong performance, driven by continued demand, positive earnings momentum, and analyst support:
Varonis (VRNS): Trading at $49.44, up 0.95%, supported by strong annual recurring revenue (ARR) growth and sustained investor interest in data-centric security solutions.
Okta (OKTA): Trading at $98.66, down 0.79%, in line with broader sector movement. Analysts maintain a “Moderate Buy” rating, with a consensus price target of approximately $121.59.
CrowdStrike (CRWD): Trading at $491.81, up 3.26%, gaining on continued analyst optimism and strong enterprise demand for its endpoint protection solutions.
Palo Alto Networks (PANW): Trading at $203.32, up 2.04%, driven by its expanding portfolio of AI-powered security tools and a recent earnings beat.
Qualys (QLYS): Trading at $140.38, up 3.37%, extending its rally following robust Q1 earnings and strong technical momentum.
💡 Cyber Tip
Be Alert as New Malware Skims WordPress E-commerce Sites
A sophisticated malware campaign is actively targeting WordPress and WooCommerce sites, using rogue plugins to steal customer payment data and credentials. Disguised as legitimate plugins, the malware embeds itself deeply into compromised sites and creates attacker-controlled backends. It features a modular architecture and anti-analysis techniques typically seen in advanced persistent threats, making it difficult to detect or remove.
✅ What you should do:
Audit your WordPress plugins regularly and remove any that are unused or from unverified sources.
Keep all themes, plugins, and the WordPress core fully updated to patch known vulnerabilities.
Use a reputable website security scanner to detect hidden malware or unauthorized changes.
Limit admin access and enforce strong passwords and two-factor authentication.
Back up your site frequently and store backups offline or in a secure location.
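The first and third steps above (audit installed plugins, scan for hidden malware) can be partly automated. The script below is an added example written for this briefing; it is not code from CyberMaterial, from WordPress, or from any analysis of the campaign described. It walks a plugins directory, flags any plugin folder that is not on an approved list you maintain, and flags PHP files containing obfuscation constructs that legitimate plugins rarely need. The allowlist, the pattern set, and the sample plugin tree it builds in a temporary directory are all constructed for illustration; run `audit_plugins()` against your real `wp-content/plugins` path with your own allowlist.

```python
"""Plugin audit helper for WordPress sites.

Added example, not part of the original newsletter or any WordPress project.
APPROVED_PLUGINS, SUSPICIOUS_PATTERNS and the sample plugin tree are
constructed assumptions; replace them with your own inventory and tuning.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Plugins you knowingly installed (hypothetical allowlist for the demo).
APPROVED_PLUGINS = {"woocommerce", "akismet"}

# Constructs that legitimate plugins rarely need but rogue plugins commonly
# use to hide or fetch their payload. A starting point, not a complete list.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_blob": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "dynamic_function_create": re.compile(r"create_function\s*\(", re.I),
    "remote_include": re.compile(
        r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
}


@dataclass
class Finding:
    plugin: str
    reason: str
    path: str = ""


@dataclass
class AuditReport:
    unapproved: list = field(default_factory=list)
    suspicious: list = field(default_factory=list)


def audit_plugins(plugins_dir, allowlist):
    """Return an AuditReport for every plugin folder under plugins_dir."""
    report = AuditReport()
    for name in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, name)
        if not os.path.isdir(plugin_path):
            continue
        # Step 1: anything not on the inventory deserves a manual look.
        if name not in allowlist:
            report.unapproved.append(
                Finding(name, "not on approved plugin list", plugin_path))
        # Step 2: scan every PHP file, approved plugins included, since a
        # rogue file can be dropped into a legitimate plugin's folder.
        for root, _dirs, files in os.walk(plugin_path):
            for fname in files:
                if not fname.endswith(".php"):
                    continue
                fpath = os.path.join(root, fname)
                with open(fpath, encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
                for label, pattern in SUSPICIOUS_PATTERNS.items():
                    if pattern.search(source):
                        report.suspicious.append(Finding(name, label, fpath))
    return report


def build_sample_plugins(site_root):
    """Write a constructed plugin tree: one approved clean plugin and one
    unlisted plugin whose main file wraps a base64 blob in eval()."""
    plugins_dir = os.path.join(site_root, "wp-content", "plugins")
    clean = os.path.join(plugins_dir, "woocommerce")
    rogue = os.path.join(plugins_dir, "wp-cache-helper")
    os.makedirs(clean)
    os.makedirs(rogue)
    with open(os.path.join(clean, "woocommerce.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: WooCommerce */\n"
                 "add_action('init', 'wc_init');\n")
    with open(os.path.join(rogue, "wp-cache-helper.php"), "w") as fh:
        # The encoded string decodes to the harmless 'echo 1;'.
        fh.write("<?php\n/* Plugin Name: WP Cache Helper */\n"
                 "eval(base64_decode('ZWNobyAxOw=='));\n")
    return plugins_dir


def run_demo():
    """Build the constructed tree and audit it; returns the AuditReport."""
    with tempfile.TemporaryDirectory() as site:
        return audit_plugins(build_sample_plugins(site), APPROVED_PLUGINS)


if __name__ == "__main__":
    result = run_demo()
    for f in result.unapproved + result.suspicious:
        print(f"[{f.reason}] {f.plugin}: {f.path}")
```

On the constructed tree the report lists `wp-cache-helper` once as unapproved and once for `eval_of_decoded_blob`, while the clean `woocommerce` folder produces nothing. A match is a prompt for review rather than proof of compromise: some legitimate plugins do ship minified or encoded code, so treat the allowlist as the stronger signal and the pattern hits as triage hints.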
🔒 Why this matters:
This malware transforms e-commerce websites into covert control centers for attackers. By mimicking legitimate plugin behavior and resisting analysis, it poses a serious risk to businesses and customers alike. Proactive site security is essential to prevent data theft and reputational damage.
📚 Cyber Book
Cybersecurity Law by Jeff Kosseff
That concludes today’s briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.