CyberWire Daily Summary: "AVCheck Goes Dark in Operation Endgame"
Release Date: June 2, 2025
Host: N2K Networks
1. International Law Enforcement Dismantles AVCheck
An international law enforcement operation has taken down AVCheck, a widely used counter-antivirus (CAV) service that cybercriminals relied on to test malware against commercial antivirus engines before deploying it. Executed on May 27, the operation seized AVCheck's domains and servers, which now display seizure notices from multiple authorities, including the FBI and Dutch police. Investigators found connections between AVCheck and the crypting services Cryptor Biz and Crypt Guru, which obfuscate malware so that it evades detection; Cryptor Biz was seized, while Crypt Guru remains offline. The action is part of Operation Endgame, a larger initiative against cybercriminal infrastructure that has so far dismantled 300 servers and 650 domains linked to ransomware activity and confiscated €3.5 million in cryptocurrency. Undercover agents played a pivotal role by making purchases on these platforms, establishing their use in cybercrime and tying them to ransomware groups that target both U.S. and international organizations.
Notable Quote:
"The takedown of AVCheck marks a significant milestone in our ongoing battle against cybercriminal infrastructure," stated an FBI spokesperson at [04:30].
2. Trump Administration's 2026 Budget Cuts to CISA
The 2026 budget proposal from the Trump administration includes a drastic reduction of over 1,000 positions at the Cybersecurity and Infrastructure Security Agency (CISA), decreasing its workforce from 3,700 to 2,600. The proposed cuts, amounting to nearly $500 million, span all divisions with the most substantial reductions in stakeholder engagement and integrated operations. Specifically, the cybersecurity division faces a loss of over 200 roles. Other affected areas include Mission Support and Emergency Communications. DHS Secretary Kristi Noem attributed these cuts partly to the cessation of election security initiatives, which account for 14 positions. Additionally, the budget proposal reduces funding for cyber training, stakeholder engagement, and national risk efforts, with programs like chemical security and school safety set to be transferred to state and local agencies. This proposal still awaits congressional approval.
Notable Quote:
"Reducing the workforce is a necessary step in reallocating resources more effectively," explained DHS Secretary Kristi Noem at [07:45].
3. Cyber Command's Defensive Wing Gains Subunified Command Status
Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) has been elevated to a subunified command within U.S. Cyber Command and renamed the Department of Defense Cyber Defense Command (DCDC). The restructuring, directed by Congress and Secretary of Defense Pete Hegseth, underscores DCDC's expanded role in defending the Pentagon's global network. Although the elevation brings no additional authorities or funding, it improves alignment with strategic objectives and access to resources. Lieutenant General Paul Stanton, who leads DCDC, emphasized a shift toward proactive defense to harden networks against adversaries. The change places DCDC on the same footing as the Cyber National Mission Force, its offensive counterpart, which was elevated earlier, so that the defensive and offensive arms of Cyber Command now sit at the same organizational level.
Notable Quote:
"Our goal is to transition from a reactive stance to a proactive defense mechanism," stated Lieutenant General Paul Stanton at [10:20].
4. Critical vBulletin Vulnerability Being Exploited
A critical vulnerability in vBulletin, a widely deployed Internet forum platform, is being actively exploited following its disclosure by researcher Egidio Romano on May 23. The remote code execution flaw affects versions 5.1 through 6.0.3; by May 25, honeypots were recording exploitation attempts that used Romano's proof of concept to execute system commands. The flaw had reportedly been patched in April, but no CVE was assigned at the time. Two CVEs have since been issued, and this marks the first significant wave of exploitation against vBulletin since 2020.
Notable Quote:
"The exploitation of vBulletin vulnerabilities underscores the persistent threats in forum management software," remarked a cybersecurity analyst at [12:05].
5. Acreed Infostealer Dominates Credential Theft
According to a June 2 report by cybersecurity firm ReliaQuest, the Acreed infostealer has emerged as a leading credential-theft threat, overtaking established families such as RedLine, Raccoon, and Vidar. Following the May 2025 takedown of Lumma Stealer, which accounted for 92% of credential-theft alerts on the Russian Market in late 2024, Acreed has rapidly filled the void. The dark web marketplace Russian Market remains highly active: ReliaQuest recorded over 136,000 stolen-credential alerts tied to it in 2024, primarily affecting SaaS and SSO accounts in the professional services and information sectors, and more than 50,000 alerts so far in 2025, indicating that the threat continues to grow.
Notable Quote:
"Acreed's swift rise demonstrates the evolving nature of credential theft and the resilience of cybercriminal ecosystems," said a ReliaQuest representative at [14:50].
6. Qualcomm Patches Actively Exploited Zero Days
Qualcomm has released patches for three actively exploited zero-day vulnerabilities in its Adreno GPU drivers, affecting a wide range of chipsets. Two of the flaws, rated critical and reported by Google in January, involve memory corruption triggered by unauthorized command execution in the GPU; the third, a high-severity use-after-free reported in March, is triggered during graphics rendering in Chrome. Google's Threat Analysis Group warns of limited, targeted exploitation and urges OEMs to ship the patches, which Qualcomm issued to them in May, as quickly as possible. Earlier reporting also linked exploitation of a Qualcomm DSP driver flaw to spyware infections carried out by Serbian authorities, underscoring the continuing pattern of GPU and DSP driver bugs being used to gain device access and establish persistent surveillance.
Notable Quote:
"The exploitation of GPU drivers represents a significant threat vector that requires immediate attention," warned Google's Threat Analysis Group at [16:30].
7. Cisco IOS XE Zero-Day Flaw Details
Researchers at Horizon3 have published a detailed analysis of a critical vulnerability in Cisco IOS XE wireless LAN controllers, raising the likelihood of imminent exploitation. Disclosed by Cisco on May 7, the flaw allows an unauthenticated remote attacker to upload arbitrary files and execute commands as root by forging authentication tokens with a hardcoded JWT secret. Although no complete exploit script has been released, Horizon3's write-up gives a skilled attacker enough to build one. The vulnerability affects several Catalyst 9800 controller models. As a mitigation, Cisco recommends disabling the vulnerable Out-of-Band AP Image Download feature and urges customers to upgrade to fixed software.
Notable Quote:
"This vulnerability could potentially allow complete control over affected systems if exploited," stated a Horizon3 researcher at [18:10].
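The following Python is an added illustration, not Cisco's code or Horizon3's analysis, of why a hardcoded JWT signing secret is so damaging. JWTs signed with HS256 are just an HMAC over the header and claims; whoever holds the secret can mint a token the server cannot distinguish from a genuine one. The toy FileUploadService, the HARDCODED_SECRET placeholder and the "role": "admin" claim are all constructed for the example; the hardened variant simply generates a fresh random secret per install, which is the fix the class of bug calls for.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: b64url(header).b64url(claims).b64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature is valid under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm-confusion tricks
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


# Hypothetical weak build: the same secret is compiled into every unit, so anyone who
# pulls it out of one firmware image can forge tokens for all of them.
HARDCODED_SECRET = b"example-shared-secret"  # constructed placeholder, not a real value


class FileUploadService:
    """Toy model of an endpoint that authorizes file uploads from a bearer JWT."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def upload(self, token: str) -> bool:
        claims = verify_jwt(token, self._secret)
        return bool(claims and claims.get("role") == "admin")


def attacker_forges_token(known_secret: bytes) -> str:
    """With the secret in hand the attacker needs no credentials at all."""
    return sign_jwt({"sub": "attacker", "role": "admin"}, known_secret)


def demo() -> Tuple[bool, bool]:
    """Returns (weak build accepts forged token, hardened build accepts forged token)."""
    weak = FileUploadService(HARDCODED_SECRET)
    forged = attacker_forges_token(HARDCODED_SECRET)
    weak_accepts = weak.upload(forged)  # True: indistinguishable from a genuine token

    # Hardened variant: a 256-bit secret generated on first boot, unique to this install.
    hardened = FileUploadService(secrets.token_bytes(32))
    hardened_accepts = hardened.upload(forged)  # False: the HMAC no longer matches
    return weak_accepts, hardened_accepts


if __name__ == "__main__":
    print(demo())
```

The point of the example is the second half of demo(): the same forged token that the shared-secret build accepts is rejected once each device holds its own randomly generated secret, and nothing else about the verification logic has to change.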
8. Microsoft Warns of Active Exploitation of JScript Engine Flaw
Microsoft has warned that a memory corruption flaw in its legacy JScript scripting engine, patched in May 2025, is being actively exploited. The vulnerability, with a CVSS score of 7.5, allows remote code execution when a user opens a malicious URL in Microsoft Edge's Internet Explorer mode. Although IE 11 itself is retired, the engine remains present on Windows and reachable through IE mode, so such systems are still exposed. A proof of concept published on GitHub adds urgency to patch deployment. Microsoft advises applying the update immediately and, as an interim measure, disabling IE mode in Edge where it is not required.
Notable Quote:
"Users must prioritize patching to safeguard against this actively exploited vulnerability," advised a Microsoft security official at [19:25].
9. Latrodectus Malware Loader Analysis
Researchers at Wardenshield have published an analysis of the Latrodectus malware loader, attributed to the Lunar Spider group behind IcedID. First seen in late 2023, Latrodectus rose quickly after Operation Endgame disrupted IcedID and other botnets. It spreads through phishing emails and malicious attachments, delivering DLL payloads built for stealth, persistence, and flexible follow-on delivery. The loader supports remote command execution and information theft and has been used to stage follow-on payloads including IcedID, Qakbot, and DarkGate, as well as ransomware and infostealers. Heavy obfuscation, sandbox evasion, and encrypted command-and-control traffic make it difficult to detect. The researchers counted over 44,000 infections in less than a month, concentrated in North America and Europe. Its delivery tactics, including fake CAPTCHA pages and TikTok-themed lures, place Latrodectus among the most capable loaders currently active and call for layered defenses, user awareness training, and a prepared incident response.
Notable Quote:
"Latrodectus represents a new generation of malware loaders that demand heightened security measures," noted a Wardenshield analyst at [21:00].
10. Afternoon Cyber Tea Interview with Hugh Thompson
In a featured segment, Ann Johnson of the Afternoon Cyber Tea podcast interviews Hugh Thompson, RSAC Program Committee Chair and Managing Partner at Crosspoint Capital Partners. The conversation delves into the intricacies of organizing the world's largest cybersecurity conference, emphasizing the extensive 18-month planning cycle required to accommodate over 44,000 attendees. Thompson discusses the strategic selection of conference themes, highlighting the importance of the "Human Element" track initiated 12 years ago, which focuses on the interplay between people and cybersecurity systems. This theme has persisted for over seven years, reflecting the industry's recognition that cybersecurity fundamentally involves human actors—both defenders and attackers.
Thompson elaborates on balancing program content to cater to a diverse audience, incorporating varying levels of technical sophistication and ensuring sessions are accessible yet insightful. He also shares his personal experience attending the conference, underscoring the value of continuous learning and community engagement. Thompson's leadership aims to foster optimism and collaboration within the cybersecurity community, reinforcing the collective mission against common threats.
Notable Quotes:
- Thompson on theme selection: "Cyber really comes down to people, whether it's the folks that you're trying to protect, the defenders that are in cyber, or the attackers." ([15:20])
- On conference participation: "You can always learn something from somebody else, no matter who they are." ([17:30])
11. Decoding AI Hallucinations with Physics
Concluding the episode, Dave Bittner explores the enigmatic workings of Artificial Intelligence, highlighting physicist Neil Johnson and his colleague Frank Yingzhi Huo’s efforts to demystify AI’s attention mechanisms. Their theory likens words to quantum particles in a spin bath, suggesting that flawed training data can distort AI outputs, leading to hallucinations or biases. Johnson compares current AI models to a two-body Hamiltonian system, noting their instability, and posits that a three-body system might offer better stability. Despite early design compromises, Johnson's mathematical approach provides a foundation for developing actuarial metrics to predict AI model deviations. This innovative perspective offers hope for enhancing AI reliability and understanding its complex behavior.
Notable Quote:
"With the right actuarial style metrics, we may one day predict just when our friendly LLM might lose the plot. Literally," remarked Neil Johnson at [19:55].
Conclusion
Today's episode of CyberWire Daily provided a comprehensive overview of significant cybersecurity developments, from high-profile law enforcement actions against cybercriminal infrastructure to critical vulnerabilities affecting major technology providers. Insights from industry leaders, such as Hugh Thompson, offered a deeper understanding of the collaborative efforts needed to advance cybersecurity on a global scale. Additionally, innovative theories on AI behavior underscore the ongoing quest to refine and secure emerging technologies. Stay informed and vigilant as the cybersecurity landscape continues to evolve.
For more details on today's stories and to listen to the full episode, visit CyberWire Daily.
