Cyber Security Headlines: Rubio Spoofed, RondoDox Botnet, Batavia Spyware

Hosted by CISO Series | Release Date: July 9, 2025

Welcome to today’s in-depth summary of the latest cybersecurity developments featured in the "Cyber Security Headlines" episode by CISO Series. Hosted by Hadaska Sorla, this episode delves into significant incidents shaping the information security landscape, including high-profile impersonation scams, emerging botnets, sophisticated spyware campaigns, and notable legal battles in the cybersecurity realm. Below is a comprehensive overview of the key topics discussed.

1. AI-Driven Impersonation of Marco Rubio

Incident Overview

At the outset of the episode, Hadaska Sorla highlights a sophisticated scam where an artificial intelligence (AI) system was employed to impersonate U.S. Secretary of State Marco Rubio in multiple official capacities. The impersonator mimicked roles such as the Acting National Security Advisor, Acting USAID Administrator, and Acting Archivist of the United States.

Techniques Used

The scam utilized advanced voice-mimicking technology and spoofed email addresses like MarcoRubio@ate.gov. These fraudulent communications were directed at foreign ministers, a governor, and a member of Congress through both Signal and voicemail platforms.

Response and Investigation

The U.S. State Department issued a warning on July 3rd regarding these impersonation attempts. The FBI has since launched an investigation to identify and apprehend the perpetrators. Hadaska notes, “[00:45] The FBI is investigating, presumably after figuring out which Marco Rubio to report to. Is this some kind of a game?”

Implications

This incident underscores the escalating sophistication of AI-driven cyber threats, highlighting the need for enhanced verification protocols to prevent such high-stakes impersonations.

2. Emergence of the RondoDox Botnet

Botnet Characteristics

Security researchers from Fortinet have identified a new and stealthy botnet named RondoDox. This botnet targets internet-connected surveillance systems, routers, and other Linux-based devices across crucial sectors like utilities, transportation, and telecommunications.

Operational Tactics

Once infiltrated, RondoDox employs several stealth strategies:

Disabling Security Tools: To prevent detection and removal.
System Evasion: Hiding deep within the system, rebooting, and renaming key files.
Traffic Mimicry: RondoDox disguises its malicious network traffic to resemble common VPN connections or online gaming activities (e.g., Fortnite, Minecraft, Roblox). This tactic allows it to bypass firewalls and blend seamlessly with normal internet usage.

Purpose and Potential Damage

Infected devices are covertly incorporated into a growing botnet, primarily used to launch Denial of Service (DoS) attacks. The sophistication of RondoDox makes it a formidable threat, as noted by Hadaska: “[03:30] Its most distinctive trick? It disguises its malicious network traffic to look like common VPN connections or online gaming activity...”

Attribution Status

As of the episode's release, there is no confirmed attribution for the creators or operators of RondoDox, leaving room for ongoing investigations.

3. Batavia Spyware Campaign Targets Russian Industrial Firms

Campaign Details

Kaspersky cybersecurity researchers have uncovered a persistent spyware campaign named Batavia, active since March. This operation specifically targets Russian industrial companies, aiming to exfiltrate sensitive data.

Methods Employed

Batavia employs highly targeted phishing techniques:

Phishing Emails: Fake emails purporting to share contract documents.
Malicious Links: Each email contains a unique download link intended for a specific victim, increasing the likelihood of successful infiltration.
Spyware Deployment: Clicking the link results in the download and installation of spyware that:
- Data Theft: Steals data from the device and any connected USB drives.
- Backdoor Access: Provides attackers with a persistent backdoor for future access.

Operational Sophistication

The use of unique download links and domain-controlled email sources indicates a highly organized and methodical operation. Hadaska emphasizes, “[05:15] suggesting a very targeted and organized operation.”

Attribution and Impact

The identity of the attackers behind Batavia remains unknown, but the campaign’s focus on industrial sectors suggests potential motives related to espionage or competitive advantage.

4. Series Finale: SEC vs. SolarWinds

Legal Battle Summary

The episode covers the culmination of the legal drama SEC vs. SolarWinds, a spinoff of the infamous 2020 SolarWinds hack. The case marked the SEC’s first breach-related enforcement action, alleging that SolarWinds and its Chief Information Security Officer (CISO) misled investors about cyber risks prior to the breach.

Case Developments

A federal judge significantly reduced the scope of the case, citing "weak hindsight logic," leading to the loss of momentum in the legal proceedings. As a result, the SEC and SolarWinds have agreed to a settlement, which includes a stay with a deadline set for September 12 to finalize terms.

Community Reaction

Hadaska compares the dissolution of the case to disappointing finales in popular culture, stating, “[06:50] The plot lost steam, disappointing fans much like the final season of Game of Thrones.”

Implications for Cybersecurity Compliance

This settlement underscores the challenges regulatory bodies face in holding companies accountable for cybersecurity disclosures and highlights the evolving landscape of cyber governance and investor relations.

5. Additional Cybersecurity Headlines

a. Google's Gemini AI Access Expansion

Hadaska reports that as of July 7, 2025, Google's Gemini AI gains the capability to access various Android applications, including phone messages and WhatsApp, even if users disable Gemini Apps Activity. This feature allows the AI to interact with other apps on behalf of the user, performing actions such as sending messages and making calls. To fully restrict access, users must manually revoke permissions for each app. Privacy advocates express concerns over the ambiguity of the rollout and the lack of clarity in privacy settings, noting that disabling activity only prevents data from being used for training, not from being accessed.

b. Malicious Updates in Visual Studio Code Extension

A significant supply chain attack was identified in which a malicious pull request to the popular Visual Studio Code extension Ethcode compromised over 6,000 developers. Attackers injected code that downloaded malware through a fake NPM package, executing hidden PowerShell scripts aimed at stealing cryptocurrency or tampering with smart contracts. Microsoft promptly removed the compromised extension and released a clean version by June 28, 2025. This incident highlights the vulnerabilities in open-source development environments and the importance of vigilant security practices.

c. Surge in Supply Chain Attacks on Open Source Tools

Cybersecurity firm Coy Security uncovered 18 malicious extensions on the Chrome and Edge stores, masquerading as innocuous tools like emoji keyboards and color pickers. These malware-laden extensions, reaching over 2.33 million users, facilitated various malicious activities, including spying on browsing activity, session hijacking, traffic redirection, and credential theft. The attackers exploited loopholes in the extension review systems by initially publishing clean, legitimate-looking extensions before discreetly deploying malicious updates, thus bypassing security filters.

d. Marks & Spencer Ransomware Attack via Social Engineering

In a follow-up to a recent ransomware attack, UK-based Marks & Spencer (M&S) confirmed that the breach commenced with social engineering tactics. On April 17, attackers impersonated an employee, convincing a third-party IT provider to reset the user's password, thereby gaining initial access. The threat actors, believed to be affiliated with the ransomware group Drag and Force, infiltrated systems, encrypted servers, and exfiltrated approximately 150 gigabytes of data. Utilizing a double extortion strategy, they threatened to release the stolen data unless their demands were met. M&S engaged professional negotiators and has yet to disclose whether a ransom was paid. As of now, the stolen data has not surfaced on any leak sites.

Conclusion

Today's episode of "Cyber Security Headlines" provides a compelling overview of the multifaceted threats and challenges in the cybersecurity landscape. From AI-driven impersonations and advanced botnets to sophisticated spyware campaigns and high-stakes legal battles, the breadth of topics underscores the dynamic nature of information security. Additionally, the rise in supply chain attacks on open-source tools and targeted ransomware incidents like those affecting Marks & Spencer highlight the evolving tactics of cyber adversaries.

For those keen on staying abreast of the latest cybersecurity developments, subscribing to the CISO Series on platforms like YouTube and LinkedIn is recommended. Further insights and detailed analyses of these stories are available at CISOseries.com.

Stay vigilant, stay informed, and prioritize your cybersecurity measures to navigate the ever-changing digital threat landscape.

Transcript

Hadaska Sorla (0:00)

From the CISO series It's Cybersecurity Headlines these are the cybersecurity headlines for Wednesday, July 9, 2025. I'm Hadaska Sorla. In today's cybersecurity news, four members of President Trump's cabinet impersonated a scammer used artificial intelligence to impersonate Secretary of State Marco Rubio, Acting National Security Advisor Marco Rubio, acting USAID Administrator Marco Rubio and Acting Archivist of the United States Marco Rubio. Using voice mimicking tech and spoofed emails like Marco Rubiotate.gov, the impersonator tried reaching foreign ministers, a governor and a member of Congress via signal and voicemail. The State Department issued a warning on July 3rd. The FBI is investigating, presumably after figuring out which Marco Rubio to report to. Is this some kind of a game? Security researchers from Fortinet have identified a stealthy new botnet called Rondodocs, which is actively targeting Internet connected surveillance systems, routers and other Linux based devices in industries like utilities, transportation and telecom. Once inside, Rondo, Docs disables security tools, hides deep within the system to survive, reboots and renames key files to avoid detection. Its most distinctive trick? It disguises its malicious network traffic to look like common VPN connections or online gaming activity like Fortnite, Minecraft and Roblox, allowing it to bypass firewalls and blend in with normal Internet use. Infected devices are quietly added to a growing botnet used for launching denial of service attacks. There's no confirmed attribution yet. Batavia attacks Russian Industrial Companies Cybersecurity researchers at Kaspersky have uncovered a spyware campaign active since March, targeting Russian industrial companies. The operation, called Batavia, sends fake emails pretending to share contract documents. The messages include links that download malicious files. The files install spyware to steal data from the device and any connected USB drives and give the attackers a backdoor to come back later. Kaspersky says the phishing emails come from a domain controlled by the hackers and that each email contains a unique download link meant just for that victim, suggesting a very targeted and organized operation. So far, the identity of the attackers remains unknown. Series Finale SEC vs SolarWinds A spinoff of the original 2020 cyber thriller the Solarwinds hack. This legal drama wrapped quietly as The SEC and SolarWinds reached a settlement ending the agency's first breach related enforcement case when, without a prearranged deal, the SEC had accused the company and its CISO of misleading investors about cyber risks. Prior to the infamous breach. After the federal judge cut much of the case down, citing weak hindsight logic. The plot lost Steam disappointing fans much like the final season of Game of Thrones. Now, with a Sept. 12 deadline to finalize terms, both parties have agreed to a stay. Huge thanks to our sponsor Vanta. Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com headlines Google's Gemin Ay Ay as of July 7, 2025, Google's Gemini AI will be able to access Android apps like phone messages, WhatsApp, and more, even if you previously turned off Gemini Apps Activity. That setting only stop the AI from using your data for training, not from tapping into your apps. These permissions allow Gemini to interact with other apps on your behalf, send messages, make calls. I guess I don't have to have that awkward breakup conversation after all. To fully block Gemini's access, users must go into the settings and manually revoke permissions for each app. Google says Conversations won't be used for AI training if Activity is disabled, but they'll still be stored for up to 72 hours. Privacy advocates are raising concerns about the vague rollout and the fact that off it doesn't really mean off the patch release notes didn't mention malware. A malicious pull request to a popular Visual Studio code extension called Ethcode infected over 6,000 developers, according to cybersecurity firm Reversing Labs. On June 17, an attacker using a deceptive GitHub account submitted an update that added code to download malware. The attack planted a fake NPM package that executed hidden PowerShell scripts, likely aimed at stealing crypto or tampering with smart contracts. Microsoft removed the extension and published a clean version by June 28, 2025. This incident is the latest in a rising wave of supply chain attacks targeting open source tools. Extensions extended to exploit Hackers took advantage of a loophole in browsing extension systems by first publishing clean, legitimate looking extensions, then quietly pushing malicious updates months or even years later. The updates installed automatically without user input, allowing attackers to slip past Google and Microsoft security filters. Security firm Coy Security found 18 such extensions on the Chrome and Edge stores, disguised as harmless tools like emoji keyboards and color pickers. In total, the malware laced extensions reached over 2.33 million users, enabling spying on browsing activity, session hijacking, traffic redirection and credential theft, all while appearing perfectly trustworthy. This isn't just a breach. This is an M and S breach. In a follow up to their recent ransomware attack, UK based Marks Spencer has confirmed that it began with social engineering. On April 17, attackers impersonated an employee and convinced a third party IT provider to reset that user's password, giving them initial access. From there, the threat actors believed to be drag and force ransomware group linked to scattered spider infiltrated systems, encrypted servers and exfiltrated roughly 150 gigabytes of data. They used a double extortion strategy, threatening to leak the data if demands weren't met. M and S worked with professional negotiators and has not disclosed whether a ransom was paid. As of now, the stolen data has not appeared on any leak sites. Remember to subscribe to the ciso series on YouTube, LinkedIn or wherever you spend time online. We're always posting original video clips, demos of new and interesting solutions, podcast episodes and interviews. Just search for CISO series on your favorite platform of choice and and you'll find us. If you have some thoughts on the news from today or about the show in general, be sure to reach out to us@feedbacksoseries.com we'd love to hear from you. I'm Hadas Kasorla reporting for the CISO series. Stay Alert, Stay Patched, Stay hydrated. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines. Sam.