The Good, the Bad and the Ugly in Cybersecurity – Week 6

The Good | Police Charge Cybercriminals Behind Attacks on NATO & Major DeFi Protocols

Following a trail of leaked data on various dark web forums, Spanish police have wrapped up a year-long investigation into a suspect behind 40 cyberattacks on state institutions, universities, and private organizations. The suspect was arrested this week for allegedly targeting the Guardia Civil, the Ministry of Defense, NATO, the U.S. Army and more while using multiple aliases to hide their tracks.

Police report that the suspect launched attacks to access sensitive databases holding personally identifiable information (PII) of employees and customers of high-profile entities. Any internal documents stolen were later found circulating on dark web forums such as BreachForums or being sold to other threat actors.

Authorities have so far confiscated several computers as well as 50 cryptocurrency accounts as further investigation continues. If convicted, the attacker faces up to 20 years in prison for illegal access, data leaks, and money laundering.

Authorities have also charged Canadian Andean Medjedovic with stealing $65 million. According to the DoJ, Medjedovic exploited vulnerabilities in two decentralized finance (DeFi) protocols, KyberSwap and Indexed Finance.

Medjedovic allegedly manipulated smart contracts to drain $48.4 million from KyberSwap and $16.5 million from Indexed Finance before attempting to extort the former by demanding control of the platform in exchange for returning half of the stolen assets.

The attacker also laundered his illicit funds using fake identities, crypto mixers, and swap and bridging transactions. He faces multiple charges, including wire fraud, attempted extortion, and money laundering, carrying up to 20 years in prison per count.

The Bad | Spyware Delivered to Journalists and Public Figures Via WhatsApp

Around 90 journalists and members of civil society have been the victims of a spyware campaign in which attackers leveraged surveillance software from Paragon Solutions, an Israel-based firm, to infect targets via WhatsApp.

The attack, neutralized in December 2024, used a zero-click exploit that likely involved malicious PDFs sent in group WhatsApp chats. The Meta-owned messaging app said it notified affected users across more than two dozen countries, including Italy, Germany, and Spain, and issued a cease-and-desist letter to Paragon.

Among the victims were an Italian investigative journalist, a Swedish-based Libyan activist, and a co-founder of a humanitarian charity. The attacker behind the campaign remains unknown.

Zero-click attacks are particularly dangerous as they do not require any user interaction to deploy malware. Without needing the user to click a link, download a file, or open an attachment, for example, malicious code can be executed automatically when the target receives a message.

Paragon, acquired by U.S.-based AE Industrial Partners in a $500 million deal, provides surveillance software called Graphite, which was previously used by the U.S. Drug Enforcement Administration (DEA). While the company claims ethical practices, its tools have been linked to controversial spying operations across Europe.

Meanwhile, a separate phishing campaign is actively targeting high-profile X accounts, including those of leading international journalists, U.S. political figures, and large technology and cryptocurrency firms.

A SentinelLabs report explains that the attackers hijacked the accounts to spread crypto scams, locking out victims and posting fraudulent investment opportunities. The tactic, similar to the 2020 celebrity Twitter hacks, helps cybercriminals maximize their financial gains by leveraging the credibility and reach of the compromised accounts.

The Ugly | DPRK ‘FERRET’ Malware Targets macOS Users and GitHub Repos

SentinelLabs has discovered new samples of the macOS FERRET family, dubbed FlexibleFerret, which are currently undetected by Apple’s XProtect.

The discovery comes a week after Apple pushed a signature update to its on-device malware tool to block older variants including FROSTYFERRET_UI – a first-stage payload, FRIENDLYFERRET_SECD – a Go-based second-stage backdoor, and MULTI_FROSTYFERRET_CMDCODES – a configuration file for the backdoor.

The macOS FERRET malware is attributed to the DPRK and associated with its Contagious Interview campaign, which has been running since November 2023. Victims are typically tricked into installing fake video conferencing software, such as VCam or CameraAccess, which then delivers a second stage backdoor.

In previous iterations of the campaign, the FERRET malware was observed running a malicious shell script, installing a persistence agent and executable disguised as a Google Chrome update. FlexibleFerret displays similar behaviour but uses a fake Zoom binary and a persistence agent with the label com.zoom.plist. Unlike previous variants, the malware was signed with a valid Apple Developer signature (VFYPGAKSLY) and Team ID (58CD8AD5Z4), allowing it to sidestep Apple’s Gatekeeper security measures.
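The persistence behaviour described above gives defenders something concrete to hunt for. The following is an added example, not code from SentinelLabs or the report: it parses macOS LaunchAgent plists with the Python standard library and flags entries whose label matches the com.zoom.plist indicator from the report, whose label ends in ".plist" (an odd shape for a reverse-DNS job label), whose executable lives outside the usual application directories, or whose job is a bare shell interpreter. The two sample plists are constructed for this example, and the list of "expected" program locations is an assumption to tune for a given fleet.

```python
"""Hunt for suspicious macOS LaunchAgent persistence entries (added example).

A LaunchAgent is a property list under ~/Library/LaunchAgents or
/Library/LaunchAgents whose Label names the job and whose Program or
ProgramArguments says what launchd runs at login. This checker parses
such plists and reports the ones worth a closer look.
"""
import plistlib
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Label reported for the FlexibleFerret persistence agent (from the report).
KNOWN_BAD_LABELS = {"com.zoom.plist"}

# Where a legitimate agent's executable would normally live. This is an
# assumption for the example; adjust it to the software inventory in use.
EXPECTED_PROGRAM_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/")

# Agents whose job is a shell itself deserve review: FERRET stages have
# used shell scripts, although some legitimate tools do this too.
SHELL_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh"}


@dataclass
class Finding:
    path: str
    label: str
    program: str
    reasons: List[str] = field(default_factory=list)


def program_of(plist: dict) -> str:
    """Executable the agent runs: Program wins, else the first ProgramArguments entry."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(path: str, data: bytes) -> Optional[Finding]:
    """Return a Finding if the plist at `path` looks suspicious, else None."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    program = program_of(plist)
    reasons: List[str] = []
    if label in KNOWN_BAD_LABELS:
        reasons.append("label matches a known FERRET persistence indicator")
    if label.endswith(".plist"):
        reasons.append("label ends in '.plist', unusual for a reverse-DNS job label")
    if program and not program.startswith(EXPECTED_PROGRAM_PREFIXES):
        reasons.append(f"program runs from an unexpected location: {program}")
    if program in SHELL_INTERPRETERS:
        reasons.append("agent invokes a shell interpreter directly")
    return Finding(path, label, program, reasons) if reasons else None


def scan(plists: Dict[str, bytes]) -> List[Finding]:
    """Assess every plist (path -> raw bytes) and return only the suspicious ones."""
    findings = []
    for path, data in plists.items():
        finding = assess(path, data)
        if finding:
            findings.append(finding)
    return findings


def read_plists(directory: str) -> Dict[str, bytes]:
    """Load every *.plist in a LaunchAgents directory for scan()."""
    return {str(p): p.read_bytes() for p in Path(directory).expanduser().glob("*.plist")}


# Constructed sample plists for this example (not real samples from the campaign).
SAMPLE_PLISTS = {
    "/Users/jdoe/Library/LaunchAgents/com.zoom.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.zoom.plist</string>
  <key>ProgramArguments</key><array>
    <string>/Users/jdoe/.zoom/zoom</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    # Replace SAMPLE_PLISTS with read_plists("~/Library/LaunchAgents") on a real host.
    for f in scan(SAMPLE_PLISTS):
        print(f"{f.path}\n  label={f.label} program={f.program}")
        for r in f.reasons:
            print(f"  - {r}")
```

On a real host, feed `scan()` the output of `read_plists("~/Library/LaunchAgents")` and `read_plists("/Library/LaunchAgents")`; the label match is the high-confidence signal, while the path and shell checks are triage hints that need a human eye.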

The report also notes how DPRK-aligned threat actors are expanding their delivery methods. Instead of only targeting job seekers, they are also opening fake issues on legitimate GitHub repositories to spread FERRET malware, indicating a new branch of focus on developers.

A threat actor tries to trick GitHub users into downloading FERRET malware

The evolution of the Contagious Interview campaign and the FERRET malware family points to how North Korean-aligned attackers are constantly diversifying their tactics, leveraging social engineering, social media, and platforms like GitHub to deploy their malware. SentinelOne customers are protected from all known malicious components of Contagious Interview via the Singularity platform.