Cyber Briefing: 2025.08.08
GreedyBear steals $1M via Firefox add-ons, Go malware hides wipers, SocGholish spreads via TDS, Air France/KLM breached, US court hacked, DaVita leak, BlackSuit busted, Hamilton fined, German spyware
👉 What's going on in the cyber world today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. GreedyBear Steals $1M via Firefox Add-ons
A newly discovered cybercrime campaign, dubbed GreedyBear, has used more than 150 malicious extensions on the official Firefox Add-ons store to impersonate popular cryptocurrency wallets such as MetaMask and steal more than $1 million in digital assets. The operators relied on a technique called Extension Hollowing to get past Mozilla's review: they first published benign extensions, built up a listing that looked trustworthy, and only later pushed updates that turned the add-ons into wallet-credential stealers.
2. Fake WhatsApp Libraries Hide Wipers
Eleven malicious Go packages have been found to download and execute second-stage payloads on both Windows and Linux systems. The packages abuse the decentralized nature of the Go module ecosystem, where any Git repository can be imported as a module without a central gatekeeper, to pose as legitimate libraries and slip into software supply chains.
3. SocGholish Spreads via TDS, Sells Access to Gangs
The threat actors behind the SocGholish malware are using Traffic Distribution Systems (TDSs) such as Parrot TDS and Keitaro TDS to route visitors of compromised websites to malicious content, filtering by location, device and other fingerprints before serving the fake-update lure. The operation runs as a Malware-as-a-Service (MaaS) business: initial access to infected systems is sold on to other cybercriminal groups, including LockBit and Evil Corp.
💥 Cyber Incidents
4. Air France, KLM Hit by Third-Party Hack
Air France and KLM have warned customers of a data breach stemming from unauthorized access to a third-party platform used for customer support. The breach, attributed to the ShinyHunters group, potentially exposed customer data the airlines describe as non-sensitive, such as names, contact details and Flying Blue loyalty numbers; the airlines say their core internal systems were not affected.
5. US Federal Court Filing System Hacked
A recent cyberattack on the U.S. federal judiciary's electronic case filing system (CM/ECF) has exposed sensitive court data, including the identities of confidential informants held in sealed filings. The full extent of the breach is still being investigated.
6. Clinical Data Stolen from DaVita
Kidney dialysis provider DaVita has confirmed a data breach affecting more than 900,000 patients, in which a threat actor stole sensitive personal and clinical data from its systems between March and April 2025. The company has offered free credit monitoring to those affected and has disclosed that the incident cost approximately $13.5 million to remediate.
📢 Cyber News
7. US Takedown of $370M BlackSuit Gang
U.S. law enforcement agencies, in a coordinated international operation, have dismantled critical infrastructure used by the BlackSuit ransomware gang, a group blamed for more than 450 attacks and more than $370 million in ransom payments. The takedown, part of a larger operation called "Checkmate," seized servers and other digital assets and was described as a "critical blow" to the group. The disruption is not the end of the actors behind it, however: some members have already rebranded and formed a new ransomware operation called Chaos.
8. Hamilton Taxpayers Face $18.3M Cyber Bill
The City of Hamilton must cover more than $18 million in costs from a recent ransomware attack after its cyber-insurance claim was denied. The insurer based the denial on the city's failure to fully roll out multi-factor authentication on its online services, a condition of the policy.
9. German Court Limits Police Spyware Use
Germany's Federal Constitutional Court has restricted the use of state spyware, ruling that law enforcement may deploy it only in investigations of serious crimes carrying a maximum sentence of at least three years. The decision followed a lawsuit by the digital rights group Digitalcourage, which argued that the 2017 law permitting such surveillance was too broad and could violate the privacy of non-suspects.
📈 Cyber Stocks
On Friday, August 8, 2025, cybersecurity stocks saw broad declines across the board, dragged down by disappointing earnings from Fortinet, cautious analyst sentiment, and concerns over slowing growth in hardware-dependent security segments.
Zscaler (ZS) closed at $272.50, falling 5.6% as investors reacted to Fortinet’s weak outlook, fueling broader fears about declining enterprise firewall demand and shifting attention to pure-play cloud security.
Rapid7 (RPD) ended at $19.82, down 0.85%, following a bearish analyst downgrade citing decelerating growth and competitive pressure in the SIEM and vulnerability management markets.
Check Point Software Technologies (CHKP) traded at $185.03, slipping 1.7% despite posting a revenue beat, as investors remained concerned about slowing billings and lackluster momentum in cloud transition efforts.
SentinelOne (S) finished at $16.67, losing 3.6% amid sector-wide selloffs and lingering uncertainty around M&A rumors in the endpoint security space, despite its strong positioning in AI-driven protection.
Fortinet (FTNT) dropped sharply to $75.30, tumbling 22% after its Q2 earnings call revealed that its firewall refresh cycle had peaked, raising alarms about slowing growth and heavy reliance on hardware revenue.
💡 Cyber Tip
🦊 Remove Fake Firefox Wallet Extensions
A cybercrime operation known as GreedyBear has stolen over $1 million in cryptocurrency by publishing more than 150 malicious Firefox extensions impersonating wallets like MetaMask and TronLink. Using a method called Extension Hollowing, attackers initially uploaded harmless add-ons, then silently updated them with malicious code to steal credentials and exfiltrate funds.
✅ What you should do:
Immediately review the cryptocurrency wallet extensions installed in Firefox (about:addons) and remove any whose developer or add-on ID does not match the listing linked from the wallet vendor's official website. GreedyBear's extensions were hosted on the official Firefox Add-ons store, so "installed from the store" is not on its own a guarantee
Reinstall wallet apps directly from verified developer websites or app stores
Use a hardware wallet for storing large amounts of crypto assets
Avoid downloading cracked or pirated software from unknown sources
Review extension permissions in about:addons, and treat a wallet extension that suddenly requests access to all sites or receives an unexplained update as a red flag; Extension Hollowing depends on exactly that kind of silent update
Enable anti-malware tools that can detect information stealers and browser-based threats
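The checklist above can be turned into a repeatable audit. The script below, added here as an example and not code from the GreedyBear report or from Mozilla, reads a Firefox profile's extensions.json and flags add-ons that look like wallets but are not on an allowlist of vendor-published IDs, that were installed from outside addons.mozilla.org, that can read every site, or that were updated after installation (the hollowing pattern). The field names (id, type, defaultLocale.name, installDate, updateDate, sourceURI, userPermissions) are assumptions about Firefox's extensions.json layout; the sample data and the allowlist entry are constructed placeholders to be replaced with IDs taken from the wallet vendor's official page.

```python
"""Audit a Firefox profile's extensions.json for wallet look-alike add-ons.

Added example for this briefing; not from the GreedyBear report or Mozilla.
Field names are assumptions about extensions.json; verify against your profile.
"""
import json
import os
import sys
from datetime import datetime, timezone

# Assumption: name fragments that suggest an add-on poses as a crypto wallet.
WALLET_KEYWORDS = ("metamask", "tronlink", "wallet", "phantom", "coinbase")

# Assumption / placeholder: populate from the vendor's official site, which
# links to its real add-on listing. The entry below is illustrative only.
TRUSTED_WALLET_IDS = {
    "webextension@metamask.io",  # hypothetical allowlist entry; verify first
}

AMO_PREFIX = "https://addons.mozilla.org/"


def _ms_to_date(ms):
    """Firefox stores install/update times as milliseconds since the epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d")


def audit_addons(data):
    """Return [(addon_id, name, [reasons])] for extensions worth a second look."""
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue
        addon_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name", "")
        reasons = []

        looks_like_wallet = any(k in name.lower() for k in WALLET_KEYWORDS)
        if looks_like_wallet and addon_id not in TRUSTED_WALLET_IDS:
            reasons.append("wallet-like name but ID not on vendor allowlist")

        src = addon.get("sourceURI") or ""
        if src and not src.startswith(AMO_PREFIX):
            reasons.append(f"installed from outside addons.mozilla.org: {src}")

        origins = (addon.get("userPermissions") or {}).get("origins", [])
        if "<all_urls>" in origins or any(o.startswith("*://*/") for o in origins):
            reasons.append("can read and change data on all sites")

        inst, upd = addon.get("installDate"), addon.get("updateDate")
        if looks_like_wallet and inst and upd and upd > inst:
            reasons.append(
                f"updated after install ({_ms_to_date(inst)} -> {_ms_to_date(upd)}); "
                "review what changed"
            )

        if reasons:
            findings.append((addon_id, name, reasons))
    return findings


def load_profile(profile_dir):
    """Load extensions.json from a Firefox profile directory."""
    with open(os.path.join(profile_dir, "extensions.json"), encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample mirroring the assumed extensions.json shape (not real data).
SAMPLE_EXTENSIONS_JSON = {
    "schemaVersion": 36,
    "addons": [
        {  # wallet clone published benign, then updated (hollowing pattern)
            "id": "metamask-helper@example.org",
            "type": "extension",
            "version": "2.1.0",
            "defaultLocale": {"name": "MetaMask Wallet Pro", "creator": "wallet-dev"},
            "installDate": 1751328000000,  # 2025-07-01 UTC
            "updateDate": 1754438400000,   # 2025-08-06 UTC
            "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/0/x.xpi",
            "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["<all_urls>"]},
            "active": True,
        },
        {  # ordinary add-on with narrow permissions; should not be flagged
            "id": "notes@example.com",
            "type": "extension",
            "version": "1.0.3",
            "defaultLocale": {"name": "Quick Notes", "creator": "notes-dev"},
            "installDate": 1751328000000,
            "updateDate": 1751328000000,
            "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/n.xpi",
            "userPermissions": {"permissions": ["storage"], "origins": ["https://example.com/*"]},
            "active": True,
        },
        {  # sideloaded from a non-AMO host, as with cracked-software bundles
            "id": "sideloaded@example.org",
            "type": "extension",
            "version": "0.9",
            "defaultLocale": {"name": "Tab Manager", "creator": "unknown"},
            "installDate": 1754438400000,
            "updateDate": 1754438400000,
            "sourceURI": "https://cracked-soft.example/tabmgr.xpi",
            "userPermissions": {"permissions": ["tabs"], "origins": []},
            "active": True,
        },
    ],
}

if __name__ == "__main__":
    data = load_profile(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXTENSIONS_JSON
    for addon_id, name, reasons in audit_addons(data):
        print(f"[!] {name} ({addon_id})")
        for r in reasons:
            print(f"    - {r}")
```

Run it against a real profile with `python audit_firefox_wallets.py ~/.mozilla/firefox/<profile>` (path is an assumption about a Linux default; adjust for your OS), then compare each flagged ID against the listing the vendor's own website links to. The allowlist is the important control: a wallet add-on that passes every heuristic but whose ID the vendor does not publish is still one to remove.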
🔒 Why this matters:
GreedyBear shows how browser extensions can become silent financial threats. By abusing trust and official marketplaces, attackers stole crypto using stealthy code updates. Staying safe requires tighter extension hygiene, verified downloads, and moving high-value assets to more secure wallets.
📚 Cyber Book
Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground - by Kevin Poulsen
That concludes today's briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.