A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, November 4, 2025. I'm Sarah Lane.

SleepyDuck uses Ethereum to keep command server alive. Threat intelligence firm Secure Annex found a malicious Visual Studio extension called SleepyDuck that can install a remote access Trojan. The extension looks legitimate at first, but later turns malicious after roughly 14,000 downloads. Once a user opens a Solidity file, the extension collects system details and connects to a command and control server every 30 seconds. Secure Annex says the attackers used an Ethereum contract to dynamically update their C2 address to evade blocking, also tracing the group behind SleepyDuck to other rogue VS Code extensions that mine Monero through PowerShell scripts.

SesameOp abuses OpenAI Assistants API. Microsoft's Detection and Response Team discovered a new backdoor called SesameOp that uses the OpenAI Assistants API as a covert command and control channel. The malware appears to have been active since July, letting attackers remotely manage infected systems by relaying encrypted commands through OpenAI's infrastructure instead of traditional malicious servers. Microsoft says that SesameOp doesn't exploit a platform flaw, but misuses legitimate API functions for long-term espionage. OpenAI and Microsoft have since disabled the attacker's account and API key.

Organized crime, cybercrooks steal cargo. Researchers from Proofpoint say that cybercriminals are teaming up with organized crime groups to hijack cargo shipments through hacked logistics systems. Attackers gain access to US freight broker load boards, post fake jobs and infect logistics firms with remote monitoring tools like ScreenConnect or N-able, then intercept delivery info and redirect goods to their own addresses. These range from electronics to energy drinks. CargoNet says that theft losses hit 1,112 million in Q3 of 2025, with hotspots in California, Illinois, Florida, Texas and Washington.

Ukrainian charged in Jabber Zeus cybercrime case. Ukrainian national Yuriy Igorevich Rybtsov has been extradited from Italy to the US to face charges tied to the Jabber Zeus cybercrime group. Allegedly the group's developer, Rybtsov is said to have helped manage notifications of compromised organizations and launder stolen funds. Jabber Zeus used the Zeus banking Trojan and social engineering to steal millions from small and mid-sized US businesses, funneling money through mules and overseas accounts. The group's purported leader, Vyacheslav Penchukov, was sentenced to 18 years in the US last year.

Huge thanks to our sponsor, ThreatLocker. Cybercriminals do not knock. They sneak in through the cracks other tools missed. That's why organizations are turning to ThreatLocker. As a zero trust endpoint protection platform, ThreatLocker puts you back in control, blocking what doesn't belong and stopping attacks before they spread. Zero trust security starts here, with ThreatLocker.

US cyber experts indicted for BlackCat ransomware attacks. Three former cybersecurity professionals have been indicted for allegedly carrying out BlackCat ransomware attacks against five US companies back in 2023. The DOJ says that Kevin Martin, a former DigitalMint ransomware negotiator, Ryan Goldberg, a former Sygnia incident response manager, and an unnamed co-conspirator posed as BlackCat affiliates to hack networks, encrypt data and demand ransoms of up to $10 million. Victims included firms in healthcare, engineering and pharmaceuticals.

GDI flaws could enable Windows remote code execution. Check Point Research revealed three newly patched Windows GDI flaws that could allow remote code execution and information disclosure, found via fuzzing of EMF and EMF+ files. They involve out-of-bounds memory access affecting text rendering, thumbnail generation and print job initialization. Exploits could let attackers read or write memory without user interaction. Microsoft fixed the issues over the summer with validation checks, boundary trimming and pointer corrections. The flaws also impacted Microsoft Office for Mac and Android.

Askul confirms data leak after cyberattack. Japanese retailer Askul confirmed a data breach after an October ransomware attack claimed by Russia-linked group RansomHouse. The attack disrupted logistics for major clients, including Muji and Loft. RansomHouse is known for threatening to publicly release stolen data rather than encrypting it, and is now claiming to have exfiltrated 1.1 terabytes.

More Android apps misusing NFC and HCE. Zimperium zLabs announced that it found more than 760 Android apps misusing NFC and host card emulation, also known as HCE, to steal payment data. This points to a surge in NFC relay fraud since April of 2024, targeting banks, payment services and government portals globally, including Russian, European and Brazilian institutions. Also, Google Pay apps mimic trusted services, then exfiltrate card data via Telegram and let operators run transactions remotely. Zimperium warns that any unknown NFC-enabled app requesting payment privileges should be treated as high risk, and has published IoCs for the campaign.

In cybersecurity, we know what controls work well. Think of MFA. But beyond the basics, it's often hard to tell what's actually effective. If we don't know what's working, how do we decide what tools to invest in? That is what we're discussing on this week's episode of the CISO Series Podcast. Look for the episode "I Don't Just Guess About Effectiveness, I Make Educated Guesses" wherever you get your podcasts. And if you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Sarah Lane reporting for the CISO Series, and you stay classy, Planet Earth. That's in order.
A
Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sarah Lane, CISO Series
Episode Theme:
A swift yet information-rich roundup of major recent developments in cybercrime and information security, spotlighting advanced malware tactics, API misuse, physical cargo theft by digital means, and the shifting landscape of corporate cyber threats.
| Timestamp | Topic | Details |
|-----------|-------|---------|
| 00:17 | SleepyDuck malware | Ethereum-based C2 evasion |
| 01:10 | SesameOp backdoor | OpenAI API as command channel |
| 02:00 | Cybercriminals hijack cargo | Physical theft via digital access |
| 03:00 | Jabber Zeus extradition | Major banking trojan prosecution |
| 04:10 | Cyber experts charged for BlackCat ransomware | Ex-insiders behind major attacks |
| 04:50 | Windows GDI flaws | RCE/information leak vulnerabilities |
| 05:25 | Askul data breach | Japanese retail sector ransomware |
| 05:53 | NFC/HCE fraud apps | Global payment data theft surge |
The episode’s tone is concise, technical, and urgent. High-profile hacks, insider threats, and sophisticated malware highlight how cybercriminals constantly evolve methods—from leveraging blockchain for stealth C2, to abusing mainstream APIs, to combining online access with physical theft. The message is clear: vigilance is essential, and any new/unexpected behavior (be it development extensions, payment apps, or unexpected job postings) should be seen as a potential threat.
For more details, visit cisoseries.com.