CyberWire Daily - AVCheck goes dark in Operation Endgame.
Episode Date: June 2, 2025
An international law enforcement operation dismantles AVCheck. Trump’s 2026 budget looks to cut over one thousand positions from CISA. Cyber Command’s defensive wing gains sub-unified command status. A critical vBulletin vulnerability is actively exploited. Acreed takes over Russian Market as credential theft kingpin. Qualcomm patches three actively exploited zero-days in its Adreno GPU drivers. Researchers unveil details of a Cisco IOS XE zero-day. Microsoft warns a memory corruption flaw in the legacy JScript engine is under active exploitation. A closer look at the stealthy Latrodectus loader. On today’s Afternoon Cyber Tea, Ann Johnson speaks with Hugh Thompson, RSAC program committee chair. Decoding AI hallucinations with physics.
Complete our annual audience survey before August 31. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today we have our Afternoon Cyber Tea segment with Ann Johnson. On today’s episode, Ann speaks with Hugh Thompson, RSAC program committee chair, as they discuss what goes into building the RSA Conference.
Selected Reading
Police takes down AVCheck site used by cybercriminals to scan malware (Bleeping Computer)
DHS budget request would cut CISA staff by 1,000 positions (Federal News Network)
Cybercom’s defensive arm elevated to sub-unified command (DefenseScoop)
vBulletin Vulnerability Exploited in the Wild (SecurityWeek)
Acreed Emerges as Dominant Infostealer Threat Following Lumma Takedown (Infosecurity Magazine)
Qualcomm fixes three Adreno GPU zero-days exploited in attacks (Bleeping Computer)
Exploit details for max severity Cisco IOS XE flaw now public (Bleeping Computer)
Microsoft Scripting Engine flaw exploited in wild, Proof-of-Concept published (Beyond Machines)
Latrodectus Malware Analysis: A Deep Dive into the Black Widow of Cyber Threats in 2025 (WardenShield)
The Root of AI Hallucinations: Physics Theory Digs Into the 'Attention' Flaw (SecurityWeek)
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
An international law enforcement operation dismantles AVCheck.
Trump's 2026 budget looks to cut over 1,000 positions from CISA.
Cyber Command's defensive wing gains sub-unified command status.
A critical vBulletin vulnerability is actively exploited.
Acreed takes over Russian Market as credential theft kingpin.
Qualcomm patches three actively exploited zero-days in its Adreno GPU drivers.
Researchers unveiled details of a Cisco IOS XE zero-day.
Microsoft warns a memory corruption flaw in the legacy JScript engine is under
active exploitation, a closer look at the stealthy Latrodectus loader, on today's
Afternoon Cyber Tea, Ann Johnson speaks with Hugh Thompson, RSAC program committee chair,
and decoding AI hallucinations with physics.
It's Monday, June 2nd, 2025. I'm Dave Bittner and this is your CyberWire
Intel Briefing.
Thanks for joining us here today. Happy Monday.
It's great to have you with us.
An international law enforcement operation has dismantled AVCheck, a major counter-antivirus
service exploited by cybercriminals to test malware against commercial antivirus software
before deployment.
The takedown, executed on May 27, involved the seizure of AVCheck's domains and servers,
which now display seizure notices from the U.S. Department of Justice, FBI, U.S. Secret
Service and Dutch police. Authorities also uncovered links between AVCheck and crypting services Cryptor.biz and Crypt.guru,
which aid in obfuscating malware to evade detection.
Cryptor.biz has been seized, while Crypt.guru remains offline.
This action is part of Operation Endgame, a broader initiative targeting cybercriminal
infrastructure.
Recent efforts under this operation have led to the dismantling of 300 servers and 650
domains associated with ransomware activities and the seizure of 3.5 million euros in cryptocurrency.
Undercover agents facilitated the investigation by making purchases on these
platforms, confirming their use in cybercrime and linking them to ransomware groups targeting
entities in the U.S. and abroad. The Trump administration's 2026 budget proposal aims to
cut over 1,000 positions at the Cybersecurity and Infrastructure Security Agency, reducing
its workforce from 3,700 to 2,600. The cuts, totaling nearly $500 million, impact all divisions
with the steepest reductions hitting risk management, stakeholder engagement, and integrated
operations. While the Cybersecurity Division would lose over 200 roles,
other divisions like Mission Support and Emergency
Communications face significant trims.
DHS Secretary Kristi Noem cited the end of election security
work as a reason, though that only accounts for 14 positions.
The plan also slashes funding for cyber training,
stakeholder engagement, and national risk efforts. Programs like chemical security
and school safety would be phased out, shifting responsibilities to state and
local agencies. Congressional approval is still required. The Joint Force
Headquarters Department of Defense Information Network has been elevated
to a sub-unified command under U.S. Cyber Command and renamed the Department of Defense
Cyber Defense Command.
This move, directed by Congress and Secretary of Defense Pete Hegseth, reflects DCDC's
growing role in defending the Pentagon's global network.
While it doesn't grant new authorities or funding, it allows better alignment with strategic
goals and resource access.
Led by Lieutenant General Paul Stanton, DCDC aims to shift from reactive to proactive defense,
making it harder for adversaries to breach networks. This elevation follows Cybercom's earlier move to upgrade its offensive Cyber National
mission force, putting both key cyber operations on equal footing as the U.S. boosts its digital
defense posture.
A critical vBulletin vulnerability is being actively exploited shortly after its disclosure
by researcher Egidio Romano on May 23.
vBulletin is internet forum software used to create and manage online discussion boards.
Romano detailed a remote code execution flaw affecting versions 5.1 through 6.0.3 and shared
proof-of-concept code.
Exploits began hitting honeypots by May 25, using Romano's code to run system commands.
Though apparently patched in April, no CVE was initially assigned.
Now two CVEs have been issued.
This marks the first major vBulletin exploit wave since 2020.
The Acreed infostealer is emerging as a dominant force in credential theft, according to a
June 2 report from cybersecurity firm ReliaQuest.
Following the May 2025 takedown of Lumma Stealer, which had dominated Russian Market with 92% of credential theft alerts
in late 2024, Acreed has quickly surpassed other malware like RedLine, Raccoon, and Vidar.
Russian Market, a major dark web platform for stolen credentials, remains active and
influential with logs often recycled from other sources.
In 2024, ReliaQuest issued over 136,000 alerts for customer domains appearing on the market,
with most stolen credentials tied to SaaS and SSO accounts.
The professional and information sectors were the hardest hit.
With over 50,000 alerts already in 2025, the threat continues to grow.
Qualcomm has released patches for three actively exploited
zero-days in its Adreno GPU drivers,
affecting many chipsets.
Two critical flaws reported by Google in January
allow unauthorized command execution
leading to memory corruption.
A third, high-severity bug, reported in March, is a
use-after-free flaw triggered during Chrome graphics rendering.
Google's Threat Analysis Group warns these are under
targeted exploitation.
Qualcomm urges OEMs to deploy patches issued in May.
In a related investigation, Google found spyware
infections involving Serbian authorities
exploiting another Qualcomm flaw. This continues a trend of GPU and DSP driver vulnerabilities
being exploited for device access and persistent surveillance, underlining Qualcomm's critical
role in mobile security.
Researchers at Horizon3 have published technical details about a critical Cisco IOS XE wireless
LAN controller flaw, increasing the risk of imminent exploitation.
The bug, disclosed by Cisco on May 7, allows unauthenticated remote attackers to upload
files and execute arbitrary commands with root privileges via a hard-coded JWT secret. While no complete exploit script was
released, Horizon3's write-up provides enough data for skilled attackers to
build one. The flaw impacts several Catalyst 9800 controller models when the
out-of-band AP image download feature is enabled.
Attackers can bypass JWT validation, perform path traversal, and overwrite system configs
to achieve remote code execution.
Cisco urges users to upgrade.
Disabling the vulnerable feature serves as a temporary workaround to reduce exposure. Microsoft is warning of active exploitation
of a memory corruption flaw
in the legacy JScript engine patched in May 2025.
The vulnerability, rated CVSS 7.5, allows remote code
execution if a user clicks a malicious URL
in Microsoft Edge running Internet Explorer mode.
Though IE 11 is retired, some systems remain vulnerable.
A GitHub proof of concept increases the risk of exploit development.
Users should patch immediately and disable IE mode in Edge as a temporary safeguard.
Researchers at WardenShield examine Latrodectus, a stealthy malware loader linked to the Lunar
Spider group behind IcedID, which has quickly risen as a major cyber threat following the
2024 takedown of IcedID and other botnets in Operation Endgame.
Emerging in late 2023, Latrodectus rapidly gained traction among threat actors TA577
and TA578, filling the void in the malware ecosystem.
It spreads through phishing emails and deceptive attachments, deploying DLL payloads designed
for stealth, persistence, and versatile malware delivery.
Latrodectus supports remote command execution,
information theft, and installation of ransomware
and infostealers like IcedID, QakBot, and DarkGate.
Its obfuscation, sandbox evasion, and encrypted
communications make it difficult to detect.
Over 44,000 infections were logged in less than a month,
mostly targeting North America and Europe.
With constant updates and advanced delivery tactics,
including fake CAPTCHAs and TikTok lures,
Latrodectus is a top-tier threat,
demanding layered defenses, user awareness,
and proactive incident response.
Coming up after the break, Ann Johnson from Afternoon Cyber Tea speaks with Hugh Thompson,
RSAC Program Committee Chair, and decoding AI hallucinations with physics.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all
growing and changing fast. Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger, yes, even helping to drive revenue.
And this isn't just nice to have.
According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity.
That's not a typo, that's real impact.
So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious
efficiency to your GRC game.
Vanta.
GRC.
How much easier trust can be.
Get started at Vanta.com slash cyber.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the N2K CyberWire
Network.
She recently sat down with Hugh Thompson,
RSAC Program Committee Chair.
Here's their conversation.
Today, I am thrilled to welcome Dr. Hugh Thompson,
the managing partner at CrossPoint Capital Partners
and the executive chairman of the RSA Conference.
He helps build, execute, and secure
the world's largest cybersecurity conference.
Welcome to Afternoon Cyber Tea. Thanks so much for having me.
Talk about what goes into building the event. How far in advance do you start planning each conference?
You think about 44,000 humans getting together. There's a lot to pre-plan. So we start about 18 months in advance of the actual event.
And it's everything from, you know,
what is the theme going to be?
How much space do we think we need
for different types of sessions?
What have we learned from, I guess,
the conference two years prior in order to plan for the one
that's coming up 18 months from now?
So it's a long cycle and there's an amazing team that's been working on this for a long
time.
What is your approach to choosing a theme?
How does that work?
How does it, how do you think about a theme that resonates with such a diverse, such a
global audience?
It's tough, and there's a lot of debate that goes on internally around the theme every
year. And about, I'd say 12 years ago, we started a track called The Human Element,
and it was all about how people interact with systems.
And it was really popular.
And then the next year when the debate came up,
geez, what's the theme for 18 months from now?
And everybody agreed human element was the right one.
Because cyber really comes down to people,
whether it's the folks that you're trying to protect, the
folks that are the defenders that are in cyber, or the attackers.
And ever since then, I think you'll notice if you go back over the last six or seven
years, many of the themes have had this human element touch to it.
You get these speakers that have such high profiles.
You also get everything from hackers to CEOs.
So how do you ensure the programming, again,
appeals to all levels of experience
as you work through those program committee decisions?
So as part of the submission, there is a level rating
of how technical do you have to be to really get something out of this talk.
And what we aim for, depending on the track, is to match up the level of technical sophistication with the track.
And we always strike the balance between things that are very specific to a field and also things that can be accessible
by just a wide variety of folks that are just curious and want to learn more.
It's been an expansion of our programming to not just have some of the very technical sessions, but also have these higher level philosophical futures
policy sessions too.
And it really is a testament to how important
this industry has become in society.
Do you ever get to experience the conference
like as an attendee?
Do you get to walk the floor and be an attendee?
Yeah, absolutely.
I make sure to carve out some amount of time.
Obviously it's very busy during the conference week,
but some amount of time to walk the show floor,
because it's very important to go to at least two sessions
where I don't know the person
and it's something that's very interesting to me
and it's something that I feel like I don't know very much about
even though I've been in security my whole career and I've written three books on it.
You can always learn something from somebody else no matter who they are.
You can't walk away from RSA Conference,
especially this past year,
and not be optimistic about what we can accomplish
if we band together as a community.
You just can't, because you see the ethos of the people
that are in the fight with you.
They're folks that really care.
They actually care.
Like it is a mission for them.
It is a calling.
And when you have smart people that are aligned together
with a mission against a common enemy,
amazing things can happen.
Thank you for joining me.
I know you need some downtime post the conference.
I hope you get that downtime
and I appreciate you making the time
because I know how incredibly busy you are.
And you can find the complete Afternoon Cyber Tea podcast
wherever you get your favorite podcasts. And finally, no one truly knows how AI works, not even the people who build it.
But physicist Neil Johnson and his colleague Frank Ying-Zhi Huo have taken a swing at decoding
the mystery by applying first principle physics to AI's attention mechanism, the bit that
decides what words an AI should focus on when generating text.
Their theory treats words like quantum particles in a spin bath where bad training data can
skew outcomes, resulting in hallucinations or bias.
Johnson likens current AI models to a two-body Hamiltonian, a two-particle system, which,
it turns out, is about as stable as a toddler on espresso.
A three-body system might be better, but like railway gauges, the
QWERTY keyboard, and the Windows registry, early design choices tend to stick.
Still, Johnson's math offers hope. With the right actuarial style metrics, we may
one day predict just when our friendly LLM might lose the plot. Literally.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We would love to hear from you. We are conducting our annual audience survey to learn more about our listeners.
We're collecting your insights until August 31st. There is a link in the show notes. Do check it out.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.