Cyber Security Headlines — Nov 4, 2025
Host: Sarah Lane, CISO Series
Episode Theme:
A swift yet information-rich roundup of major recent developments in cybercrime and information security, spotlighting advanced malware tactics, API misuse, physical cargo theft by digital means, and the shifting landscape of corporate cyber threats.
Main Topics and Insights
1. Sleepy Duck Malware Uses Ethereum for Stealth (00:17)
Details:
- Threat intelligence firm Secure Annex uncovered “Sleepy Duck,” a malicious Visual Studio Code extension that posed as legitimate until it activated as a remote access trojan (RAT); it had been downloaded ~14,000 times.
- On opening a Solidity file, the extension:
  - Collects user system details
  - Contacts its command & control (C2) server every 30 seconds
- Innovation: the attackers use an Ethereum smart contract to dynamically update the C2 server’s address, which helps them evade domain blocks and takedowns.
- Secure Annex linked the developer to other rogue VS Code extensions that mine Monero via PowerShell scripts.
Memorable Quote:
- “The attackers used an Ethereum contract to dynamically update their C2 address to evade blocking.” (Sarah Lane, 00:44)
2. SesameOp Backdoor Abuses OpenAI API (01:10)
Details:
- Microsoft’s Detection and Response Team warns of “SesameOp”, a backdoor that uses OpenAI’s Assistants API as a covert C2 channel.
- How it works:
  - Active since July 2025
  - Relays the attackers’ encrypted commands through OpenAI infrastructure, so no traditional malicious server is needed.
  - Does not exploit an OpenAI vulnerability; it misuses legitimate API functions for espionage.
- OpenAI and Microsoft have since disabled the attackers’ accounts and API access.
Notable Quote:
- “SesameOp doesn't exploit a platform flaw, but misuses legitimate API functions for long-term espionage.” (Sarah Lane, 01:35)
3. Organized Crime: Cyber Crooks and Physical Cargo Theft (02:00)
Details:
- Proofpoint reports that cybercriminals and organized crime groups are hacking into US freight broker systems and hijacking cargo shipments.
- Tactics:
  - Accessing load boards and posting fake jobs
  - Infecting logistics firms with remote monitoring and management tools (ScreenConnect, N-able)
  - Intercepting and redirecting shipments (from electronics to energy drinks) to criminal addresses
- Impact: $112 million in losses in Q3 2025; hotspots include CA, IL, FL, TX, WA.
Memorable Moment:
- “Attackers gain access to US Freight broker load boards...then intercept delivery info and redirect goods to their own addresses.” (Sarah Lane, 02:21)
4. Jabber Zeus Group: Extradition in Major Banking Trojan Case (03:00)
Details:
- Ukrainian national Yuriy Igorevich Rybtsov was extradited to the US over ties to the Jabber Zeus group.
- Allegations: managed notifications of compromised organizations and laundered stolen funds.
- Activity: the group used the Zeus banking trojan and social engineering to steal millions from US SMBs.
Highlight:
- “Zeus used the Zeus banking Trojan and social engineering to steal millions from small and mid-sized US businesses.” (Sarah Lane, 03:23)
5. Cyber Experts Indicted as BlackCat Ransomware Operators (04:10)
Details:
- DOJ indicts three former cybersecurity professionals for BlackCat ransomware attacks targeting five US companies in 2023.
- Alleged roles:
  - Kevin Martin (ex-ransomware negotiator)
  - Ryan Goldberg (ex-incident response manager)
  - Unnamed co-conspirator
- Victims: healthcare, engineering, pharmaceuticals
- Ransoms: demands up to $10M
6. Newly Patched Windows GDI Flaws (04:50)
Details:
- Check Point Research exposes three Windows GDI bugs:
  - Enable remote code execution or information disclosure via EMF and EMF+ files
  - Exploitable in text rendering, thumbnail generation and print jobs
  - Affect Windows and Microsoft Office, incl. on Mac and Android
- Microsoft patched them with validation, boundary and pointer fixes.
7. Askul (Japan): Data Breach Confirmed after RansomHouse Attack (05:25)
Details:
- Japanese retailer Askul confirms a breach after an October ransomware attack (linked to RansomHouse).
  - 1.1TB of data exfiltrated
  - Logistics disruptions for clients such as Muji
8. NFC and Host Card Emulation (HCE) Fraud Surge (05:53)
Details:
- Zimperium zLabs: 760+ Android apps abusing NFC and HCE to steal payment data.
- Targets: e-banking, payment services and government portals (esp. in Russia, the EU and Brazil)
- Malicious fake Google Pay apps mimic trusted brands and steal card data, exfiltrating it via Telegram
- Warning: any unknown NFC app requesting payment privileges should be treated as high risk.
Notable Quotes & Moments
- “The attackers used an Ethereum contract to dynamically update their C2 address to evade blocking.” (00:44)
- “SesameOp doesn't exploit a platform flaw, but misuses legitimate API functions for long-term espionage.” (01:35)
- “Attackers gain access to US Freight broker load boards...then intercept delivery info and redirect goods to their own addresses.” (02:21)
- “Zeus used the Zeus banking trojan and social engineering to steal millions from small and mid-sized US businesses.” (03:23)
Timeline of Key Segments
| Timestamp | Topic | Details |
|-----------|-------|---------|
| 00:17 | Sleepy Duck malware | Ethereum-based C2 evasion |
| 01:10 | SesameOp backdoor | OpenAI API as command channel |
| 02:00 | Cyber-criminals hijack cargo | Physical theft via digital access |
| 03:00 | Jabber Zeus extradition | Major banking trojan prosecution |
| 04:10 | Cyber experts charged for BlackCat ransomware | Ex-insiders behind major attacks |
| 04:50 | Windows GDI flaws | RCE/information leak vulnerabilities |
| 05:25 | Askul data breach | Japanese retail sector ransomware |
| 05:53 | NFC/HCE fraud apps | Global payment data theft surge |
Tone & Takeaway
The episode’s tone is concise, technical, and urgent. High-profile hacks, insider threats, and sophisticated malware highlight how cybercriminals constantly evolve their methods: leveraging blockchain for stealth C2, abusing mainstream APIs, and combining online access with physical theft. The message is clear: vigilance is essential, and any new or unexpected behavior (be it a development extension, a payment app, or a job posting on a load board) should be treated as a potential threat.
For more details, visit cisoseries.com.
