Originally reported by BleepingComputer, Malwarebytes Labs
TL;DR
CISA released technical details on RESURGE malware exploiting Ivanti zero-days, while North Korean APT37 unveiled new tools for breaching air-gapped networks via removable drives. Law enforcement made significant progress with 30 arrests in the Europol-led takedown of The Com cybercrime collective.
CISA's warning about RESURGE malware targeting critical infrastructure devices combined with APT37's new air-gap infiltration tools represents significant active threats to enterprise security.
This week brought critical infrastructure warnings, sophisticated nation-state tooling, and significant law enforcement victories against cybercriminals.
The Cybersecurity and Infrastructure Security Agency released detailed technical analysis of RESURGE, a persistent malware implant targeting Ivanti Connect Secure devices. The malware exploits CVE-2025-0282, a zero-day vulnerability that allows attackers to establish dormant backdoors on critical network infrastructure.
CISA's advisory emphasizes that RESURGE can remain undetected for extended periods, making it particularly dangerous for organizations relying on Ivanti solutions for secure remote access. The implant's persistence mechanisms allow threat actors to maintain access even after apparent remediation efforts.
North Korean state-sponsored group APT37 has deployed newly discovered malware specifically designed to breach air-gapped networks. The tools enable data exfiltration between isolated and internet-connected systems through removable drives, representing a significant evolution in the group's capabilities.
The malware suite includes components for covert surveillance and automated data staging, allowing operators to systematically compromise high-security environments that rely on physical network isolation for protection.
Operation Compass, a year-long international investigation, resulted in 30 arrests and identified 179 suspects linked to The Com cybercrime collective. The network specifically targeted children and teenagers through sophisticated social engineering campaigns.
The operation demonstrates enhanced coordination between international law enforcement agencies in dismantling organized cybercrime groups that exploit vulnerable populations.
Microsoft's latest Windows 11 Insider Preview builds introduce security improvements for batch file and CMD script execution. The enhancements focus on preventing common attack vectors that exploit Windows scripting capabilities while maintaining backward compatibility for legitimate administrative tasks.
A Ukrainian national admitted to operating OnlyFake, an artificial intelligence-powered service that generated over 10,000 fraudulent identification documents. The platform sold fabricated driver's licenses, passports, and other official documents to customers worldwide.
The case highlights the increasing sophistication of AI-enabled fraud services and their potential impact on identity verification systems.
Security researchers discovered that publicly exposed Google API keys, previously considered low-risk, can now provide unauthorized access to Gemini AI services and associated data. The finding challenges conventional assumptions about API key sensitivity in cloud environments.
The research underscores the need for organizations to reassess their API key management practices as cloud services expand their functionality.
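One check that follows from this finding, as an added example (not code from the page or from the researchers it reports on): a small scanner that flags Google API keys in a code base before they reach a public branch. It assumes the documented key format (the fixed prefix `AIza` followed by 35 URL-safe characters, the same pattern common secret scanners use) and runs over constructed sample files with made-up key values.

```python
import os
import re

# Google API keys are 39 characters: the prefix "AIza" plus 35 URL-safe characters.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z\-_]{35}")

# Constructed sample values for the demo; these are not real credentials.
FAKE_KEY_1 = "AIzaSyA" + "0" * 32
FAKE_KEY_2 = "AIzaSyB" + "1" * 32

# Constructed stand-in for files in a repository or a public paste.
SAMPLE_FILES = {
    "frontend/config.js": f'const MAPS_KEY = "{FAKE_KEY_1}";\n',
    "README.md": "Set GEMINI_API_KEY in your environment before running.\n",
    ".env.example": f"GEMINI_API_KEY={FAKE_KEY_2}\n",
}


def mask(key: str) -> str:
    """Keep the prefix and last 4 characters so a finding is traceable without re-leaking the key."""
    return key[:6] + "..." + key[-4:]


def find_google_api_keys(files: dict[str, str]) -> list[dict]:
    """Return one finding per key occurrence: file path, line number and masked key."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for match in GOOGLE_API_KEY_RE.finditer(line):
                findings.append({"path": path, "line": lineno, "key": mask(match.group(0))})
    return findings


def scan_directory(root: str) -> list[dict]:
    """Walk a checkout on disk and apply the same check to every readable text file."""
    files = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue  # unreadable entry (permissions, special file); skip it
    return find_google_api_keys(files)


if __name__ == "__main__":
    for finding in find_google_api_keys(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']}: Google API key {finding['key']}")
```

Any key the scanner reports should be treated as exposed: rotate it and restrict the replacement to the APIs and referrers that actually need it, rather than assuming the key is harmless.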
Security analysts highlighted the persistent challenge of managing vulnerabilities in third-party applications like PDF readers, email clients, and archive utilities. These commonly deployed tools often represent significant portions of an organization's actual attack surface despite receiving less attention than enterprise applications.