Malware using LLM and law enforcement getting the hackers

Notable news for the week of July 13 - 19, 2025. This week is rich with incidents, from critical vulnerabilities under active exploitation to a new ransomware operation leaning on AI-driven tactics. The Citrix NetScaler and NVIDIA Container Toolkit flaws are the ones to patch first. The emergence of the GLOBAL GROUP ransomware-as-a-service (RaaS) operation and several large data breaches round out a busy week, while law enforcement actions against well-known cybercrime groups show that the cross-border pursuit of the people behind these attacks continues. Until next time, keep it safe, Lior


LAMEHUG Malware

CERT-UA, Ukraine's Computer Emergency Response Team, has discovered a new malware family, LAMEHUG, which it attributes to the Russian state-sponsored group APT28 (also known as Fancy Bear). The activity was first identified on July 10, 2025, after emails impersonating Ukrainian ministry officials were sent to executive government bodies. The emails carried a ZIP archive containing LAMEHUG in three variants, including the executable AI_generator_uncensored_Canvas_PRO_v0.9.exe and a Python script, image.py; the malware itself is written in Python. It collects system information, searches the user's Documents, Downloads and Desktop directories for .txt and .pdf files, and exfiltrates what it finds over SFTP or HTTP POST.

LAMEHUG's distinguishing feature is that it queries Alibaba Cloud's Qwen2.5-Coder-32B-Instruct model through the Hugging Face API. Instead of carrying hard-coded commands, it sends the model a textual description of the task (gathering system information, searching for documents) and executes the commands the model returns. This lets the operators change the malware's behaviour without pushing a new payload, and because the traffic goes to a widely used, legitimate AI platform rather than attacker-owned infrastructure, it blends in with normal developer activity and can slip past controls that key on known-bad domains. It is a reminder that state-aligned actors are now building LLM calls into their tooling, and that outbound calls to LLM inference APIs are something to inventory and monitor rather than treat as background noise.
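As an added example (not CERT-UA's or the article's code), here is the kind of hunt a SOC can run over web-proxy logs to surface LLM-API traffic from hosts that have no business sending it. The log format, the sample lines, the APPROVED_HOSTS allowlist and the inference URL are all constructed for this example; the logic is the point: allowlist the hosts that legitimately call the API, and escalate when an unapproved host talks to it with a scripted client and actually submits prompts.

```python
"""Hunting LAMEHUG-style LLM API abuse in web-proxy logs (added example).

The log format (timestamp, client IP, hostname, quoted user-agent, method,
URL, status) and the sample lines are constructed for this example;
APPROVED_HOSTS stands in for your own inventory of machines allowed to
call LLM APIs.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<host>\S+)\s+"(?P<ua>[^"]*)"\s+'
    r'(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$'
)

# Domains whose inference APIs can double as a "command generator" channel.
LLM_API_DOMAINS = ("huggingface.co",)
# User-agent fragments typical of scripts rather than browsers or IDE plugins.
SCRIPT_UA_MARKERS = ("python-requests", "python-urllib", "aiohttp", "curl/", "go-http-client")


@dataclass(frozen=True)
class Finding:
    host: str
    ip: str
    url: str
    severity: str
    reasons: tuple


def parse_line(line):
    """Return the parsed fields of one proxy log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_llm_api(url):
    netloc = urlparse(url).netloc.lower()
    return any(netloc == d or netloc.endswith("." + d) for d in LLM_API_DOMAINS)


def assess(rec, approved_hosts):
    """Flag LLM API traffic from hosts with no business reason to send it."""
    if not is_llm_api(rec["url"]) or rec["host"] in approved_hosts:
        return None
    reasons = ["host not approved for LLM API access"]
    if any(m in rec["ua"].lower() for m in SCRIPT_UA_MARKERS):
        reasons.append("scripted client user-agent")
    if rec["method"] == "POST" and "/models/" in rec["url"]:
        reasons.append("model inference call (a prompt was submitted)")
    severity = "high" if len(reasons) > 1 else "medium"
    return Finding(rec["host"], rec["ip"], rec["url"], severity, tuple(reasons))


def hunt(log_text, approved_hosts):
    """Run assess() over every parseable line; malformed lines are skipped, not fatal."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = assess(rec, approved_hosts)
        if f:
            findings.append(f)
    return findings


APPROVED_HOSTS = {"DEV-ML-03"}  # constructed allowlist: the one ML dev box that may call the API

# Constructed sample log: one approved dev host, two clerk workstations, one unrelated request, one junk line.
SAMPLE_LOG = """\
2025-07-10T09:12:33Z 10.0.5.17 DEV-ML-03 "python-requests/2.31.0" POST https://api-inference.huggingface.co/models/Qwen/Qwen2.5-Coder-32B-Instruct 200
2025-07-10T09:14:02Z 10.0.8.41 WS-CLERK-22 "python-requests/2.31.0" POST https://api-inference.huggingface.co/models/Qwen/Qwen2.5-Coder-32B-Instruct 200
2025-07-10T09:15:40Z 10.0.8.52 WS-CLERK-31 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0" GET https://huggingface.co/Qwen/Qwen2.5-Coder-32B-Instruct 200
2025-07-10T09:16:05Z 10.0.8.52 WS-CLERK-31 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0" GET https://example.org/ 200
garbage line that should be skipped
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, APPROVED_HOSTS):
        print(f"[{f.severity}] {f.host} ({f.ip}) -> {f.url}: {'; '.join(f.reasons)}")
```

On the constructed sample, the clerk workstation that POSTs prompts from python-requests comes out as high severity, the one merely browsing the model page as medium, and the approved dev box is silent. In production the allowlist should come from an asset inventory, and the same rule should be extended to whichever other inference providers your proxy sees.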

https://thehackernews.com/2025/07/cert-ua-discovers-lamehug-malware.html


NVIDIA Container Toolkit (NVIDIAScape, CVE-2025-23266)

A critical vulnerability in the NVIDIA Container Toolkit, tracked as CVE-2025-23266 and dubbed NVIDIAScape by Wiz Research, which discovered it, lets a malicious container image escape isolation and run arbitrary code as root on the host. It carries a CVSS score of 9.0. The root cause is in how the toolkit's Open Container Initiative (OCI) createContainer hook is invoked: under the OCI runtime spec such hooks inherit the container's environment variables while executing with host privileges, so a Dockerfile that sets LD_PRELOAD to a library shipped inside the image causes that library to be loaded into the privileged hook process. No special capabilities or host misconfiguration are required; running an attacker-controlled image on a node with the vulnerable toolkit is enough.

The blast radius is large: Wiz estimates that about 37% of cloud environments run the toolkit, and in shared GPU infrastructure an escape from one tenant's container gives access to the host and therefore to the data and proprietary models of other customers on the same hardware. NVIDIA fixed the issue in Container Toolkit 1.17.8 and GPU Operator 25.3.1. Where an immediate upgrade is not possible, the vulnerable enable-cuda-compat hook can be turned off by setting features.disable-cuda-compat-lib-hook to true in the toolkit's config.toml, at the cost of the CUDA compat library injection that hook provides. The wider lesson is that container isolation in multi-tenant AI infrastructure rests on every privileged component in the runtime path, including vendor hooks, and those need the same scrutiny as the kernel boundary.
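Two checks a practitioner can run against a GPU node and against images bound for it, as an added example (not NVIDIA's or Wiz's code): decide from the installed toolkit version and config.toml whether the node is patched or mitigated, and reject image configs that set loader environment variables, which is the ingredient the escape relies on. The config.toml parsing is a minimal hand parser (section headers and key = value lines only); the image-inspect JSON, the config snippets and the /evil.so path are constructed; and rejecting every LD_* variable is a policy choice of this example that is deliberately broader than the CVE.

```python
"""Exposure checks for CVE-2025-23266 (NVIDIAScape) on a GPU node (added example).

1. node_status(): 'patched' if nvidia-container-toolkit >= 1.17.8,
   'mitigated' if features.disable-cuda-compat-lib-hook = true, else 'vulnerable'.
2. loader_env_in_image(): LD_* entries in `docker image inspect`-style JSON,
   for use as an admission check before an image reaches a GPU node.
The config snippets and inspect JSON below are constructed samples.
"""
import json
import re

FIXED_VERSION = (1, 17, 8)           # toolkit release that fixes the bug
MITIGATION_KEY = "disable-cuda-compat-lib-hook"
LOADER_ENV_PREFIX = "LD_"            # LD_PRELOAD, LD_LIBRARY_PATH, LD_AUDIT, ...


def parse_version(text):
    """'1.17.7-1' -> (1, 17, 7); None if no x.y.z triple is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def mitigation_enabled(config_toml):
    """True if features.disable-cuda-compat-lib-hook = true is set.

    Accepts both the dotted key at top level and a bare key under [features].
    Minimal parser: comments stripped, one key = value per line.
    """
    section = ""
    for raw in config_toml.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if "." in key:
            full_key = key
        elif section:
            full_key = f"{section}.{key}"
        else:
            full_key = key
        if full_key == f"features.{MITIGATION_KEY}":
            return value.lower() == "true"
    return False


def node_status(toolkit_version, config_toml):
    """'patched', 'mitigated' or 'vulnerable'. An unparseable version is treated as vulnerable."""
    v = parse_version(toolkit_version)
    if v is not None and v >= FIXED_VERSION:
        return "patched"
    if mitigation_enabled(config_toml):
        return "mitigated"
    return "vulnerable"


def loader_env_in_image(inspect_json):
    """Return the LD_* Env entries from `docker image inspect` style output (list or single object)."""
    data = json.loads(inspect_json)
    items = data if isinstance(data, list) else [data]
    hits = []
    for item in items:
        for entry in (item.get("Config") or {}).get("Env") or []:
            if entry.split("=", 1)[0].startswith(LOADER_ENV_PREFIX):
                hits.append(entry)
    return hits


# --- constructed samples ---
CONFIG_UNMITIGATED = "[features]\n# nothing set here\n"
CONFIG_MITIGATED = "[features]\ndisable-cuda-compat-lib-hook = true  # temporary until 1.17.8\n"
CONFIG_MITIGATED_DOTTED = "features.disable-cuda-compat-lib-hook = true\n"

INSPECT_SUSPICIOUS = json.dumps([{"Config": {"Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
    "LD_PRELOAD=/evil.so"]}}])   # constructed: the LD_PRELOAD pattern the escape relies on
INSPECT_CLEAN = json.dumps([{"Config": {"Env": ["PATH=/usr/bin"]}}])

if __name__ == "__main__":
    print(node_status("1.17.7", CONFIG_UNMITIGATED))    # vulnerable
    print(node_status("1.17.7", CONFIG_MITIGATED))      # mitigated
    print(node_status("1.17.8-1", CONFIG_UNMITIGATED))  # patched
    print(loader_env_in_image(INSPECT_SUSPICIOUS))      # ['LD_PRELOAD=/evil.so']
```

Feed node_status() the output of your package manager's version query and the contents of /etc/nvidia-container-toolkit/config.toml; feed loader_env_in_image() the JSON from docker image inspect (or the equivalent from your registry scanner) in an admission webhook. Blocking LD_* wholesale will also catch legitimate images that rely on LD_LIBRARY_PATH, so expect to maintain exceptions.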

https://thehackernews.com/2025/07/critical-nvidia-container-toolkit-flaw.html


Unknown Group 0002

The UNG0002 group, also known as Unknown Group 0002, has been running cyber espionage campaigns against targets in China, Hong Kong, and Pakistan. Two operations are attributed to it: Operation Cobalt Whisper (May to September 2024) and Operation AmberMist (January to May 2025), which together hit the defense, energy, civil aviation, academic, and cybersecurity sectors. The intrusion chain starts with shortcut (LNK) files and VBScript delivered alongside CV-themed decoy documents, and hands off to post-exploitation frameworks such as Cobalt Strike and Metasploit.
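Because the lure in these campaigns is a shortcut that hands off to a script host, a quick static triage of .LNK attachments is worth having. The following is an added example, not Seqrite's or the article's tooling: a minimal parser for the Shell Link format's StringData fields (it skips the LinkTargetIDList and LinkInfo structures by their declared sizes and stops before ExtraData), a builder used only to construct the two sample shortcuts, and a triage rule that flags shortcuts whose target is a script or LOLBin host and whose arguments reference a script file or suppress the UI. The sample paths, the CV-themed filename and the SCRIPT_HOSTS list are constructed for this example.

```python
"""Static triage of LNK lures of the kind UNG0002 uses (added example).

Minimal MS-SHLLINK parser for the StringData fields plus a builder used to
construct the sample shortcuts below. The samples and SCRIPT_HOSTS are
constructed for this example.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData structures appear in this fixed order, each present only if its flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)

# Constructed list of binaries a shortcut has little benign reason to target directly.
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "mshta", "cmd", "rundll32", "regsvr32")


def build_lnk(relative_path, arguments="", working_dir=""):
    """Build a minimal Unicode .LNK carrying only StringData (no IDList, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    if arguments:
        flags |= HAS_ARGUMENTS
    if working_dir:
        flags |= HAS_WORKING_DIR
    # HeaderSize, CLSID, LinkFlags, FileAttributes(ARCHIVE), 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand(SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    values = {"relative_path": relative_path, "arguments": arguments, "working_dir": working_dir}
    body = b""
    for flag, name in STRING_DATA_ORDER:
        if flags & flag:
            s = values[name]
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")  # CountCharacters + chars
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a Shell Link file as a dict."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (u16) followed by the IDList itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (u32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        size = count * 2 if unicode else count
        fields[name] = data[off:off + size].decode("utf-16-le" if unicode else "cp1252", errors="replace")
        off += size
    return fields


def triage_lnk(data):
    """Parse a shortcut and explain why it looks like a script-launching lure."""
    f = parse_lnk(data)
    target = re.split(r"[\\/]", f.get("relative_path", ""))[-1].lower()
    args = f.get("arguments", "")
    reasons = []
    if any(target.startswith(h) for h in SCRIPT_HOSTS):
        reasons.append(f"target is a script/LOLBin host: {target}")
    if re.search(r"\.(vbs|vbe|js|jse|hta|ps1|bat)\b", args, re.I):
        reasons.append("arguments reference a script file")
    if re.search(r"(^|\s)-(e|enc|encodedcommand)\s", args, re.I) or re.search(r"hidden|//b\b", args, re.I):
        reasons.append("arguments suppress the UI or encode the command")
    return {"fields": f, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a CV-themed lure that silently runs a VBScript, and a benign shortcut.
LURE_LNK = build_lnk(r"..\..\..\Windows\System32\wscript.exe",
                     r'//B //Nologo "%APPDATA%\Resume_update.vbs"', r"%APPDATA%")
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        r = triage_lnk(blob)
        print(label, r["fields"].get("relative_path"), r["suspicious"], r["reasons"])
```

Real-world shortcuts usually carry a LinkTargetIDList and LinkInfo, which the parser skips by size, and the relative path may be absent while the IDList holds the target; in that case extend the parser to decode the IDList or fall back to the working directory and arguments, which are still enough to spot a script host being invoked.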

Researchers link the two campaigns through their shared tooling and lure themes. For defenders in the targeted sectors, the practical response is to block or detonate LNK and script attachments that arrive posing as CVs, and to hunt for the post-exploitation frameworks named above, since Cobalt Strike and Metasploit traffic is well covered by existing detections.

https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html


Security bits:

  • Citrix NetScaler CVE-2025-5777 (dubbed CitrixBleed 2): On July 10, CISA added this critical vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects NetScaler ADC and Gateway: insufficient input validation leads to a memory over-read, and the leaked memory can contain valid session tokens, letting an unauthenticated attacker hijack authenticated sessions, sidestep MFA, and gain a foothold in enterprise networks. 
  • GLOBAL GROUP Ransomware-as-a-Service (RaaS): Emerging in June 2025, this new RaaS operation has been targeting organizations across Australia, Brazil, Europe, and the United States. The group uses AI-driven negotiation tools and has been promoted on underground forums.
  • Shopify Plugin Vulnerability: On July 15, a vulnerability in a popular Shopify plugin exposed hundreds of e-commerce websites to attacks. The flaw allowed unauthorized access to sensitive data, highlighting ongoing supply chain security concerns.
  • International Criminal Court (ICC) Cyberattack: On June 30, the ICC suffered a "sophisticated and targeted" cyberattack. While the full impact is still being assessed, the court has confirmed the breach and is taking measures to mitigate the effects.
  • Compumedics and NeuroMedical Supplies Ransomware Attack: In March 2025, these companies suffered a ransomware attack that compromised data of at least 320,404 individuals. The Van Helsing ransomware group claimed responsibility for the attack. 
  • UK Arrests Four in 'Scattered Spider' Extortion Group: On July 10, UK authorities arrested four individuals connected to the 'Scattered Spider' ransomware and extortion group. The arrests are part of an ongoing investigation into a series of cyberattacks targeting major UK retailers.
  • Wired's Security News This Week roundup (4 Arrested Over Scattered Spider Hacking Spree) also covers an "explosion" of AI-generated child abuse images on the web and the arrest of a Russian professional basketball player on ransomware charges.
Published Jul 23, 2025
Version 1.0