Dave Bittner
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.

An international law enforcement operation dismantles AVCheck. Trump's 2026 budget looks to cut over 1,000 positions from CISA. Cyber Command's defensive wing gains subunified command status. A critical vBulletin vulnerability is actively exploited. Acreed takes over Russian Market as credential theft kingpin. Qualcomm patches three actively exploited zero-days in its Adreno GPU drivers. Researchers unveiled details of a Cisco IOS XE zero-day. Microsoft warns a memory corruption flaw in the legacy JScript engine is under active exploitation. A closer look at the stealthy Latrodectus loader. On today's Afternoon Cyber Tea, Ann Johnson speaks with Hugh Thompson, RSAC Program Committee Chair. And decoding AI hallucinations with physics.

It's Monday, June 2, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Monday. It's great to have you with us.

An international law enforcement operation has dismantled AVCheck, a major counter-antivirus service exploited by cybercriminals to test malware against commercial antivirus software before deployment. The takedown, executed on May 27, involved the seizure of AVCheck's domains and servers, which now display seizure notices from the U.S. Department of Justice, FBI, U.S. Secret Service and Dutch police. Authorities also uncovered links between AVCheck and crypting services Cryptor Biz and Crypt Guru, which aid in obfuscating malware to evade detection. Cryptor Biz has been seized, while Crypt Guru remains offline. This action is part of Operation Endgame, a broader initiative targeting cybercriminal infrastructure. Recent efforts under this operation have led to the dismantling of 300 servers and 650 domains associated with ransomware activities and the seizure of 3.5 million euros in cryptocurrency. Undercover agents facilitated the investigation by making purchases on these platforms, confirming their use in cybercrime and linking them to ransomware groups targeting entities in the U.S. and abroad.

The Trump administration's 2026 budget proposal aims to cut over 1,000 positions at the Cybersecurity and Infrastructure Security Agency, reducing its workforce from 3,700 to 2,600. The cuts, totaling nearly $500 million, impact all divisions, with the steepest reductions hitting stakeholder engagement and integrated operations. While the cybersecurity division would lose over 200 roles, other divisions like Mission Support and Emergency Communications face significant trims. DHS Secretary Kristi Noem cited the end of election security work as a reason, though that only accounts for 14 positions. The plan also slashes funding for cyber training, stakeholder engagement, and national risk efforts. Programs like chemical security and school safety would be phased out, shifting responsibilities to state and local agencies. Congressional approval is still required.

The Joint Force Headquarters Department of Defense Information Network has been elevated to a subunified command under U.S. Cyber Command and renamed the Department of Defense Cyber Defense Command. This move, directed by Congress and Secretary of Defense Pete Hegseth, reflects DCDC's growing role in defending the Pentagon's global network. While it doesn't grant new authorities or funding, it allows better alignment with strategic goals and resource access. Led by Lieutenant General Paul Stanton, DCDC aims to shift from reactive to proactive defense, making it harder for adversaries to breach networks. This elevation follows Cybercom's earlier move to upgrade its offensive Cyber National Mission Force, putting both key cyber operations on equal footing as the U.S. boosts its digital defense posture.

A critical vBulletin vulnerability is being actively exploited shortly after its disclosure by researcher Egidio Romano on May 23. vBulletin is Internet forum software used to create and manage online discussion boards. Romano detailed a remote code execution flaw affecting versions 5.1 through 6.0.3 and shared proof-of-concept code. Exploits began hitting honeypots by May 25, using Romano's code to run system commands. Though apparently patched in April, no CVE was initially assigned, but now two CVEs have been issued. This marks the first major vBulletin exploit wave since 2020.

The Acreed infostealer is emerging as a dominant force in credential theft, according to a June 2 report from cybersecurity firm ReliaQuest. Following the May 2025 takedown of Lumma Stealer, which had dominated Russian Market with 92% of credential theft alerts in late 2024, Acreed has quickly surpassed other malware like Redline, Raccoon and Vidar. Russian Market, a major dark web platform for stolen credentials, remains active and influential, with logs often recycled from other sources. In 2024, ReliaQuest issued over 136,000 alerts for customer domains appearing on the market, with most stolen credentials tied to SaaS and SSO accounts. The professional and information sectors were the hardest hit, with over 50,000 alerts already in 2025. The threat continues to grow.

Qualcomm has released patches for three actively exploited zero-days in its Adreno GPU drivers affecting many chipsets. Two critical flaws reported by Google in January allow unauthorized command execution leading to memory corruption. A third, high-severity bug reported in March is a use-after-free flaw triggered during Chrome graphics rendering. Google's Threat Analysis Group warns these are under targeted exploitation. Qualcomm urges OEMs to deploy patches issued in May. In a related investigation, Google found spyware infections involving Serbian authorities exploiting another Qualcomm flaw. This continues a trend of GPU and DSP driver vulnerabilities being exploited for device access and persistent surveillance, underlining Qualcomm's critical role in mobile security.

Researchers at Horizon3 have published technical details about a critical Cisco IOS XE wireless LAN controller flaw, increasing the risk of imminent exploitation. The bug, disclosed by Cisco on May 7, allows unauthenticated remote attackers to upload files and execute arbitrary commands with root privileges via a hardcoded JWT secret. While no complete exploit script was released, Horizon3's write-up provides enough data for skilled attackers to build one. The flaw impacts several Catalyst 9800 controller models. When the out-of-band AP image download feature is enabled, attackers can bypass JWT validation, perform path traversal and overwrite system configs to achieve remote code execution. Cisco urges users to upgrade. Disabling the vulnerable feature serves as a temporary workaround to reduce exposure.

Microsoft is warning of active exploitation of a memory corruption flaw in the legacy JScript engine, patched in May 2025. The vulnerability, rated 7.5 CVSS, allows remote code execution if a user clicks a malicious URL in Microsoft Edge running Internet Explorer mode. Though IE 11 is retired, some systems remain vulnerable. A GitHub proof of concept increases the risk of exploit development. Users should patch immediately and disable IE mode in Edge as a temporary safeguard.

Researchers at Wardenshield examine Latrodectus, a stealthy malware loader linked to the Lunar Spider group behind IcedID, which has quickly risen as a major cyber threat following the 2024 takedown of IcedID and other botnets in Operation Endgame. Emerging in late 2023, Latrodectus rapidly gained traction among threat actors TA577 and TA578, filling the void in the malware ecosystem. It spreads through phishing emails and deceptive attachments, deploying DLL payloads. Designed for stealth, persistence and versatile malware delivery, Latrodectus supports remote command execution, information theft, and installation of ransomware and infostealers like IcedID, QakBot, and DarkGate. Its obfuscation, sandbox evasion and encrypted communications make it difficult to detect. Over 44,000 infections were logged in less than a month, mostly targeting North America and Europe. With constant updates and advanced delivery tactics including fake CAPTCHAs and TikTok lures, Latrodectus is a top-tier threat, demanding layered defenses, user awareness, and proactive incident response.

Coming up after the break, Ann Johnson from Afternoon Cyber Tea speaks with Hugh Thompson, RSAC Program Committee Chair, and decoding AI hallucinations with physics. Stay with us.
Ann Johnson
Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear: there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger and, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta: GRC, how much easier trust can be. Get started at vanta.com/cyber.
Dave Bittner
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the N2K CyberWire network. She recently sat down with Hugh Thompson, RSAC Program Committee Chair. Here's their conversation today.
Hugh Thompson
I am thrilled to welcome Dr. Hugh Thompson, the Managing Partner at Crosspoint Capital Partners and the Executive Chairman of the RSA Conference. He helps build, execute and secure the world's largest cybersecurity conference. Welcome to Afternoon Cyber Tea.
Unknown
Thanks so much for having me.
Hugh Thompson
Talk about what goes into building the event. How far in advance do you start planning each conference?
Unknown
You think about 44,000 humans getting together. There's a lot to pre-plan. So we start about 18 months in advance of the actual event, and it's everything from what is the theme going to be? How much space do we think we need for different types of sessions? What have we learned from, I guess, the conference two years prior in order to plan for the one that's coming up 18 months from now? So it's a long cycle, and there's an amazing team that's been working on this for a long time.
Hugh Thompson
What is your approach to choosing a theme? How does that work? How do you think about a theme that resonates with such a diverse, such a global audience?
Unknown
It's tough, and there's a lot of debate that goes on internally around the theme every year. And about, I'd say, 12 years ago, we started a track called the Human Element, and it was all about how people interact with systems, and it was really popular. And then the next year when the debate came up, you know, geez, what's the theme for, you know, 18 months from now? And everybody agreed Human Element was the right one, because cyber really comes down to people, whether it's the folks that you're trying to protect, the folks that are the defenders that are in cyber, or the attackers. And ever since then, I think you'll notice if you go back over the last six or seven years, many of the themes have had this Human Element touch to it.
Hugh Thompson
You get these speakers that have such high profiles. You also get everything from hackers to CEOs. So how do you ensure the program again appeals to all levels of experience as you work through those program committee decisions?
Unknown
So as part of the submission, there is a level rating of how technical do you have to be to really get something out of this talk? And what we aim for, depending on the track, is to match up the level of technical sophistication with the track. And we always strike the balance between things that are very specific to a field and also things that can be accessible by just a wide variety of folks that are just curious and want to learn more. It's been an expansion of our programming to not just have some of the very technical sessions, but also have these higher-level philosophical, futures, policy sessions too. And it really is a testament to how important this industry has become in society.
Hugh Thompson
Do you ever get to experience the conference, like as an attendee? Do you get to walk the floor and be an attendee?
Unknown
Yeah, absolutely. I make sure to carve out some amount of time. Obviously it's very busy during the conference week, but some amount of time to walk the show floor, because it's very important to go to at least two sessions where I don't know the person and it's something that's very interesting to me and it's something that I feel like I don't know very much about, even though I've been in security my whole career and have written three books on it. You can always learn something from somebody else, no matter who they are. You can't walk away from RSA Conference, especially this past year, and not be optimistic about what we can accomplish if we band together as a community. You just can't, because you see the ethos of the people that are in the fight with you. They're folks that really care. They actually care. It is a mission for them. It is a calling. And when you have smart people that are aligned together with a mission against a common enemy, amazing things can happen.
Hugh Thompson
Thank you for joining me. I know you need some downtime post the conference. I hope you get that downtime and I appreciate you making the time because I know how incredibly busy you are.
Dave Bittner
And you can find the complete Afternoon Cyber Tea podcast wherever you get your favorite podcasts.

And finally, no one truly knows how AI works, not even the people who build it. But physicist Neil Johnson and his colleague Frank Yingzhi Huo have taken a swing at decoding the mystery by applying first-principle physics to AI's attention mechanism, the bit that decides what words an AI should focus on when generating text. Their theory treats words like quantum particles in a spin bath, where bad training data can skew outcomes, resulting in hallucinations or bias. Johnson likens current AI models to a two-body Hamiltonian system, which it turns out is about as stable as a toddler on espresso. A three-body system might be better, but like railway gauges, the QWERTY keyboard, and the Windows Registry, early design choices tend to stick. Still, Johnson's math offers hope. With the right actuarial-style metrics, we may one day predict just when our friendly LLM might lose the plot. Literally.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We would love to hear from you. We are conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31st. There is a link in the show notes. Do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Dave Bittner
Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites. And they keep me updated with detailed reports, so I know exactly what's been taken down. I'm genuinely relieved, knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
CyberWire Daily Summary: "AVCheck Goes Dark in Operation Endgame"
Release Date: June 2, 2025
Host: N2K Networks
An international law enforcement operation successfully took down AVCheck, a significant counter-antivirus service abused by cybercriminals to test malware against commercial antivirus software prior to deployment. Executed on May 27, the operation involved seizing AVCheck's domains and servers, now displaying seizure notices from multiple authorities, including the FBI and Dutch police. Authorities discovered connections between AVCheck and crypting services Cryptor Biz and Crypt Guru, which facilitate malware obfuscation to evade detection. While Cryptor Biz was seized, Crypt Guru remains offline. This action is a component of Operation Endgame, a larger initiative targeting cybercriminal infrastructure, resulting in the dismantling of 300 servers and 650 domains linked to ransomware activities and the confiscation of €3.5 million in cryptocurrency. Undercover agents played a pivotal role by making transactions on these platforms, establishing their use in cybercrime and associating them with ransomware groups targeting both U.S. and international entities.
Notable Quote:
"The takedown of AVCheck marks a significant milestone in our ongoing battle against cybercriminal infrastructure," stated an FBI spokesperson at [04:30].
The 2026 budget proposal from the Trump administration includes a drastic reduction of over 1,000 positions at the Cybersecurity and Infrastructure Security Agency (CISA), decreasing its workforce from 3,700 to 2,600. The proposed cuts, amounting to nearly $500 million, span all divisions with the most substantial reductions in stakeholder engagement and integrated operations. Specifically, the cybersecurity division faces a loss of over 200 roles. Other affected areas include Mission Support and Emergency Communications. DHS Secretary Kristi Noem attributed these cuts partly to the cessation of election security initiatives, which account for 14 positions. Additionally, the budget proposal reduces funding for cyber training, stakeholder engagement, and national risk efforts, with programs like chemical security and school safety set to be transferred to state and local agencies. This proposal still awaits congressional approval.
Notable Quote:
"Reducing the workforce is a necessary step in reallocating resources more effectively," explained DHS Secretary Kristi Noem at [07:45].
The Department of Defense Information Network, under the Joint Force Headquarters, has been elevated to a subunified command within U.S. Cyber Command, now renamed the Department of Defense Cyber Defense Command (DCDC). This restructuring, directed by Congress and Secretary of Defense Pete Hegseth, underscores DCDC's expanded role in safeguarding the Pentagon's global network. Although this elevation does not bring additional authorities or funding, it enhances alignment with strategic objectives and resource accessibility. Lieutenant General Paul Stanton, leading DCDC, emphasized the shift towards proactive defense strategies to fortify networks against adversaries. This change aligns DCDC with the upgraded offensive Cyber National Mission Force, positioning both key cyber operations equally to bolster the U.S.'s digital defense posture.
Notable Quote:
"Our goal is to transition from a reactive stance to a proactive defense mechanism," stated Lieutenant General Paul Stanton at [10:20].
A critical vulnerability in vBulletin, an Internet forum software, has been actively exploited following its disclosure by researcher Egidio Romano on May 23. The remote code execution flaw affects versions 5.1 through 6.0.3, with exploits appearing in honeypots by May 25 utilizing Romano's proof of concept to execute system commands. Although the vulnerability was reportedly patched in April, initial responses lacked a CVE assignment. Subsequently, two CVEs have been issued, marking the first significant exploit wave targeting vBulletin since 2020.
Notable Quote:
"The exploitation of vBulletin vulnerabilities underscores the persistent threats in forum management software," remarked a cybersecurity analyst at [12:05].
According to a June 2 report by cybersecurity firm ReliaQuest, the Acreed infostealer has emerged as a leading threat in credential theft, surpassing malware like Redline, Raccoon, and Vidar. Following the May 2025 shutdown of Lumma Stealer, which previously controlled 92% of credential theft alerts in late 2024 within the Russian Market, Acreed has rapidly filled the void. The dark web platform Russian Market remains highly active, with over 136,000 alerts issued in 2024 for stolen credentials, primarily targeting SaaS and SSO accounts in professional and information sectors. In 2025 alone, over 50,000 alerts have been recorded, indicating a growing threat landscape.
Notable Quote:
"Acreed's swift rise demonstrates the evolving nature of credential theft and the resilience of cybercriminal ecosystems," said a ReliaQuest representative at [14:50].
Qualcomm has released patches addressing three actively exploited zero-day vulnerabilities in its Adreno GPU drivers, impacting numerous chipsets. The vulnerabilities include two critical flaws reported by Google in January, enabling unauthorized command execution through memory corruption, and a third high-severity bug from March involving a use-after-free flaw during Chrome's graphics rendering. Google's Threat Analysis Group warns of targeted exploitation, urging OEMs to apply the May-issued patches promptly. Additionally, Google uncovered spyware infections involving Serbian authorities exploiting Qualcomm's vulnerabilities, highlighting the ongoing trend of GPU and DSP driver flaws being leveraged for device access and persistent surveillance.
Notable Quote:
"The exploitation of GPU drivers represents a significant threat vector that requires immediate attention," warned Google's Threat Analysis Group at [16:30].
Researchers at Horizon3 unveiled detailed information on a critical zero-day vulnerability in Cisco IOS XE wireless LAN controllers, heightening the risk of imminent exploitation. Disclosed on May 7 by Cisco, the flaw allows unauthenticated remote attackers to upload files and execute arbitrary commands with root privileges by exploiting a hardcoded JWT secret. Although no complete exploit script is available, Horizon3's analysis provides sufficient information for skilled attackers to develop one. The vulnerability affects several Catalyst 9800 controller models. As a mitigation, Cisco recommends disabling the vulnerable out-of-band AP image download feature and urges users to upgrade their systems.
Notable Quote:
"This vulnerability could potentially allow complete control over affected systems if exploited," stated a Horizon3 researcher at [18:10].
Microsoft has issued a warning regarding the active exploitation of a memory corruption flaw in its legacy JScript engine, patched in May 2025. The vulnerability, rated at 7.5 CVSS, permits remote code execution if a user accesses a malicious URL via Microsoft Edge’s Internet Explorer mode. Despite the retirement of IE 11, certain systems remain susceptible. A GitHub proof of concept increases the urgency for patch deployment. Microsoft advises users to apply patches immediately and consider disabling IE mode in Edge as an interim protective measure.
Notable Quote:
"Users must prioritize patching to safeguard against this actively exploited vulnerability," advised a Microsoft security official at [19:25].
Researchers at Wardenshield have detailed the Latrodectus malware loader, associated with the Lunar Spider group behind IcedID. Emerging in late 2023, Latrodectus has quickly become a significant cyber threat following the dismantling of IcedID and other botnets in Operation Endgame. It spreads through phishing, deceptive emails, and malicious attachments, deploying DLL payloads designed for stealth, persistence, and versatile malware delivery. Latrodectus facilitates remote command execution, information theft, and the installation of ransomware and infostealers such as IcedID, QakBot, and DarkGate. Its sophisticated obfuscation, sandbox evasion techniques, and encrypted communications make it challenging to detect. In less than a month, over 44,000 infections were recorded, primarily targeting North America and Europe. The malware's advanced delivery tactics, including fake CAPTCHAs and TikTok lures, position Latrodectus as a top-tier threat, necessitating layered defenses, user awareness, and proactive incident response strategies.
Notable Quote:
"Latrodectus represents a new generation of malware loaders that demand heightened security measures," noted a Wardenshield analyst at [21:00].
In a featured segment, Ann Johnson of the Afternoon Cyber Tea podcast interviews Hugh Thompson, RSAC Program Committee Chair and Managing Partner at Crosspoint Capital Partners. The conversation delves into the intricacies of organizing the world's largest cybersecurity conference, emphasizing the extensive 18-month planning cycle required to accommodate over 44,000 attendees. Thompson discusses the strategic selection of conference themes, highlighting the importance of the "Human Element" track initiated 12 years ago, which focuses on the interplay between people and cybersecurity systems. This theme has persisted for over seven years, reflecting the industry's recognition that cybersecurity fundamentally involves human actors—both defenders and attackers.
Thompson elaborates on balancing program content to cater to a diverse audience, incorporating varying levels of technical sophistication and ensuring sessions are accessible yet insightful. He also shares his personal experience attending the conference, underscoring the value of continuous learning and community engagement. Thompson's leadership aims to foster optimism and collaboration within the cybersecurity community, reinforcing the collective mission against common threats.
Concluding the episode, Dave Bittner explores the enigmatic workings of Artificial Intelligence, highlighting physicist Neil Johnson and his colleague Frank Yingzhi Huo’s efforts to demystify AI’s attention mechanisms. Their theory likens words to quantum particles in a spin bath, suggesting that flawed training data can distort AI outputs, leading to hallucinations or biases. Johnson compares current AI models to a two-body Hamiltonian system, noting their instability, and posits that a three-body system might offer better stability. Despite early design compromises, Johnson's mathematical approach provides a foundation for developing actuarial metrics to predict AI model deviations. This innovative perspective offers hope for enhancing AI reliability and understanding its complex behavior.
Notable Quote:
"With the right actuarial style metrics, we may one day predict just when our friendly LLM might lose the plot. Literally," remarked Neil Johnson at [19:55].
Today's episode of CyberWire Daily provided a comprehensive overview of significant cybersecurity developments, from high-profile law enforcement actions against cybercriminal infrastructure to critical vulnerabilities affecting major technology providers. Insights from industry leaders, such as Hugh Thompson, offered a deeper understanding of the collaborative efforts needed to advance cybersecurity on a global scale. Additionally, innovative theories on AI behavior underscore the ongoing quest to refine and secure emerging technologies. Stay informed and vigilant as the cybersecurity landscape continues to evolve.
For more details on today's stories and to listen to the full episode, visit CyberWire Daily.