AVCheck goes dark in Operation Endgame. - CyberWire Daily

Summary

CyberWire Daily Summary: "AVCheck Goes Dark in Operation Endgame" Release Date: June 2, 2025
Host: N2K Networks

1. International Law Enforcement Dismantles AVCheck

An international law enforcement operation successfully took down AVCheck, a significant counter-antivirus service abused by cybercriminals to test malware against commercial antivirus software prior to deployment. Executed on May 27, the operation involved seizing AVCheck's domains and servers, now displaying seizure notices from multiple authorities, including the FBI and Dutch police. Authorities discovered connections between AVCheck and crypting services Cryptor Biz and Crypt Guru, which facilitate malware obfuscation to evade detection. While Cryptor Biz was seized, Crypt Guru remains offline. This action is a component of Operation Endgame, a larger initiative targeting cybercriminal infrastructure, resulting in the dismantling of 300 servers and 650 domains linked to ransomware activities and the confiscation of €3.5 million in cryptocurrency. Undercover agents played a pivotal role by making transactions on these platforms, establishing their use in cybercrime and associating them with ransomware groups targeting both U.S. and international entities.

Notable Quote:
"The takedown of AVCheck marks a significant milestone in our ongoing battle against cybercriminal infrastructure," stated an FBI spokesperson at [04:30].

2. Trump Administration's 2026 Budget Cuts to CISA

The 2026 budget proposal from the Trump administration includes a drastic reduction of over 1,000 positions at the Cybersecurity and Infrastructure Security Agency (CISA), decreasing its workforce from 3,700 to 2,600. The proposed cuts, amounting to nearly $500 million, span all divisions with the most substantial reductions in stakeholder engagement and integrated operations. Specifically, the cybersecurity division faces a loss of over 200 roles. Other affected areas include Mission Support and Emergency Communications. DHS Secretary Kristi Noem attributed these cuts partly to the cessation of election security initiatives, which account for 14 positions. Additionally, the budget proposal reduces funding for cyber training, stakeholder engagement, and national risk efforts, with programs like chemical security and school safety set to be transferred to state and local agencies. This proposal still awaits congressional approval.

Notable Quote:
"Reducing the workforce is a necessary step in reallocating resources more effectively," explained DHS Secretary Kristi Noem at [07:45].

3. Cyber Command's Defensive Wing Gains Subunified Command Status

The Department of Defense Information Network, under the Joint Force Headquarters, has been elevated to a subunified command within U.S. Cyber Command, now renamed the Department of Defense Cyber Defense Command (DCDC). This restructuring, directed by Congress and Secretary of Defense Pete Hegseth, underscores DCDC's expanded role in safeguarding the Pentagon's global network. Although this elevation does not bring additional authorities or funding, it enhances alignment with strategic objectives and resource accessibility. Lieutenant General Paul Stanton, leading DCDC, emphasized the shift towards proactive defense strategies to fortify networks against adversaries. This change aligns DCDC with the upgraded offensive Cyber National Mission force, positioning both key cyber operations equally to bolster the U.S.'s digital defense posture.

Notable Quote:
"Our goal is to transition from a reactive stance to a proactive defense mechanism," stated Lieutenant General Paul Stanton at [10:20].

4. Critical V Bulletin Vulnerability Being Exploited

A critical vulnerability in V Bulletin, an Internet forum software, has been actively exploited following its disclosure by researcher Egidio Romano on May 23. The remote code execution flaw affects versions 5.1 through 6.0.3, with exploits appearing in honeypots by May 25 utilizing Romano's proof of concept to execute system commands. Although the vulnerability was reportedly patched in April, initial responses lacked a CVE assignment. Subsequently, two CVEs have been issued, marking the first significant exploit wave targeting V Bulletin since 2020.

Notable Quote:
"The exploitation of V Bulletin vulnerabilities underscores the persistent threats in forum management software," remarked cybersecurity analyst at [12:05].

5. Accrede Infostealer Dominates Credential Theft

According to a June 2 report by cybersecurity firm ReliaQuest, the Accrede infostealer has emerged as a leading threat in credential theft, surpassing malware like Redline, Raccoon, and Vidar. Following the May 2025 shutdown of Lumasteeler, which previously controlled 92% of credential theft alerts in late 2024 within the Russian market, Accrede has rapidly filled the void. The dark web platform Russian Market remains highly active, with over 136,000 alerts issued in 2024 for stolen credentials, primarily targeting SaaS and SSO accounts in professional and information sectors. In 2025 alone, over 50,000 alerts have been recorded, indicating a growing threat landscape.

Notable Quote:
"Accrede's swift rise demonstrates the evolving nature of credential theft and the resilience of cybercriminal ecosystems," said a ReliaQuest representative at [14:50].

6. Qualcomm Patches Actively Exploited Zero Days

Qualcomm has released patches addressing three actively exploited zero-day vulnerabilities in its Adreno GPU drivers, impacting numerous chipsets. The vulnerabilities include two critical flaws reported by Google in January, enabling unauthorized command execution through memory corruption, and a third high-severity bug from March involving a use-after-free flaw during Chrome's graphics rendering. Google's Threat Analysis Group warns of targeted exploitation, urging OEMs to apply the May-issued patches promptly. Additionally, Google uncovered spyware infections involving Serbian authorities exploiting Qualcomm's vulnerabilities, highlighting the ongoing trend of GPU and DSP driver flaws being leveraged for device access and persistent surveillance.

Notable Quote:
"The exploitation of GPU drivers represents a significant threat vector that requires immediate attention," warned Google's Threat Analysis Group at [16:30].

7. Cisco iOS XE Zero-Day Flaw Details

Researchers at Horizon 3 unveiled detailed information on a critical zero-day vulnerability in Cisco iOS XE wireless LAN controllers, heightening the risk of imminent exploitation. Disclosed on May 7 by Cisco, the flaw allows unauthenticated remote attackers to upload files and execute arbitrary commands with root privileges by exploiting a hardcoded JWT secret. Although no complete exploit script is available, Horizon 3's analysis provides sufficient information for skilled attackers to develop one. The vulnerability affects several Catalyst 9800 controller models. As a mitigation, Cisco recommends disabling the vulnerable out-of-band AP image download feature and urges users to upgrade their systems.

Notable Quote:
"This vulnerability could potentially allow complete control over affected systems if exploited," stated a Horizon 3 researcher at [18:10].

8. Microsoft Warns of Active Exploitation of JScript Engine Flaw

Microsoft has issued a warning regarding the active exploitation of a memory corruption flaw in its legacy JScript engine, patched in May 2025. The vulnerability, rated at 7.5 CVSS, permits remote code execution if a user accesses a malicious URL via Microsoft Edge’s Internet Explorer mode. Despite the retirement of IE 11, certain systems remain susceptible. A GitHub proof of concept increases the urgency for patch deployment. Microsoft advises users to apply patches immediately and consider disabling IE mode in Edge as an interim protective measure.

Notable Quote:
"Users must prioritize patching to safeguard against this actively exploited vulnerability," advised a Microsoft security official at [19:25].

9. Lactrodectus Malware Loader Analysis

Researchers at Wardenshield have detailed the Lactrodectus malware loader, associated with the Lunar Spider group behind Iced ID. Emerging in late 2023, Lactrodectus has quickly become a significant cyber threat following the dismantling of Iced ID and other botnets in Operation Endgame. It spreads through phishing, deceptive emails, and malicious attachments, deploying DLL payloads designed for stealth, persistence, and versatile malware delivery. Lactrodectus facilitates remote command execution, information theft, and the installation of ransomware and infostealers such as Iced ID, Quackbot, and Darkgate. Its sophisticated obfuscation, sandbox evasion techniques, and encrypted communications make it challenging to detect. In less than a month, over 44,000 infections were recorded, primarily targeting North America and Europe. The malware's advanced delivery tactics, including fake CAPTCHAs and TikTok lures, position Lactrodectus as a top-tier threat, necessitating layered defenses, user awareness, and proactive incident response strategies.

Notable Quote:
"Lactrodectus represents a new generation of malware loaders that demand heightened security measures," noted a Wardenshield analyst at [21:00].

10. Afternoon Cyber Tea Interview with Hugh Thompson

In a featured segment, Ann Johnson of the Afternoon Cyber Tea podcast interviews Hugh Thompson, RSAC Program Committee Chair and Managing Partner at Crosspoint Capital Partners. The conversation delves into the intricacies of organizing the world's largest cybersecurity conference, emphasizing the extensive 18-month planning cycle required to accommodate over 44,000 attendees. Thompson discusses the strategic selection of conference themes, highlighting the importance of the "Human Element" track initiated 12 years ago, which focuses on the interplay between people and cybersecurity systems. This theme has persisted for over seven years, reflecting the industry's recognition that cybersecurity fundamentally involves human actors—both defenders and attackers.

Thompson elaborates on balancing program content to cater to a diverse audience, incorporating varying levels of technical sophistication and ensuring sessions are accessible yet insightful. He also shares his personal experience attending the conference, underscoring the value of continuous learning and community engagement. Thompson's leadership aims to foster optimism and collaboration within the cybersecurity community, reinforcing the collective mission against common threats.

Notable Quotes:

Thompson on theme selection: "Cyber really comes down to people, whether it's the folks that you're trying to protect, the defenders that are in cyber, or the attackers." ([15:20])
On conference participation: "You can always learn something from somebody else, no matter who they are." ([17:30])

11. Decoding AI Hallucinations with Physics

Concluding the episode, Dave Bittner explores the enigmatic workings of Artificial Intelligence, highlighting physicist Neil Johnson and his colleague Frank Yingzhi Huo’s efforts to demystify AI’s attention mechanisms. Their theory likens words to quantum particles in a spin bath, suggesting that flawed training data can distort AI outputs, leading to hallucinations or biases. Johnson compares current AI models to a two-body Hamiltonian system, noting their instability, and posits that a three-body system might offer better stability. Despite early design compromises, Johnson's mathematical approach provides a foundation for developing actuarial metrics to predict AI model deviations. This innovative perspective offers hope for enhancing AI reliability and understanding its complex behavior.

Notable Quote:
"With the right actuarial style metrics, we may one day predict just when our friendly LLM might lose the plot. Literally," remarked Neil Johnson at [19:55].

Conclusion

Today's episode of CyberWire Daily provided a comprehensive overview of significant cybersecurity developments, from high-profile law enforcement actions against cybercriminal infrastructure to critical vulnerabilities affecting major technology providers. Insights from industry leaders, such as Hugh Thompson, offered a deeper understanding of the collaborative efforts needed to advance cybersecurity on a global scale. Additionally, innovative theories on AI behavior underscore the ongoing quest to refine and secure emerging technologies. Stay informed and vigilant as the cybersecurity landscape continues to evolve.

For more details on today's stories and to listen to the full episode, visit CyberWire Daily.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire network, powered by N2K. And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate Darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire an international law enforcement operation dismantles AVcheck Trump's 2026 budget looks to cut over 1,000 positions from CISA Cyber Command's defensive wing gains subunified command status A critical V bulletin vulnerability is actively exploited A creed takes over Russian markets as credential Theft kingpin Qualcomm patches three actively exploited zero days in its Adreno GPU drivers researchers unveiled details of a Cisco iOS XE zero day Microsoft warns a memory corruption flaw in the legacy JS script engine is under active exploitation. A closer look at the stealthy lactroductus loader on today's afternoon, Cyber T Anne Johnson speaks with Hugh Thompson, RSAC Program Committee chair and decoding AI hallucinations with physics it's Monday, June 2, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. Happy Monday. It's great to have you with us. An international law enforcement operation has dismantled AvCheck, a major counter antivirus service exploited by cybercriminals to test malware against commercial antivirus software before deployment. The takedown, executed on May 27, involved the seizure of AvCheck's domains and servers, which now display seizure notices from the U.S. department of Justice, FBI, U.S. secret Service and Dutch police. Authorities also uncovered links between AvCheck and crypting services Cryptor Biz and Crypt Guru, which aid in obfuscating malware to evade detection. Cryptor Biz has been seized while Crypt Guru remains offline. This action is part of Operation Endgame, a broader initiative targeting cybercriminal infrastructure. Recent efforts under this operation have led to the dismantling of 300 servers and 650 domains associated with ransomware activities and the seizure of 3.5 million euros in cryptocurrency. Undercover agents facilitated the investigation by making purchases on these platforms confirming their use in Cybercrime and linking them to ransomware groups targeting entities in the US and abroad. The Trump administration's 2026 budget proposal aims to cut over 1,000 positions at the Cybersecurity and Infrastructure Security Agency, reducing its workforce from 3,700 to 2,600. The cuts, totaling nearly $500 million, impact all divisions, with the steepest reductions hitting stakeholder engagement and integrated operations. While the cybersecurity division would lose over 200 roles, other divisions like Mission Support and Emergency Communications face significant trims. DHS Secretary Kristi Noem cited the end of election security work as a reason, though that only accounts for 14 positions. The plan also slashes funding for cyber training, stakeholder engagement, and national risk efforts. Programs like chemical security and school safety would be phased out, shifting responsibilities to state and local agencies. Congressional approval is still required. The Joint Force Headquarters Department of Defense Information Network has been elevated to a subunified command under U.S. cyber Command and renamed the Department of Defense Cyber Defense Command. This move, directed by Congress and Secretary of Defense Pete Hegseth, reflects DCDC's growing role in defending the Pentagon's global network. While it doesn't grant new authorities or funding, it allows better alignment with strategic goals and resource access. Led by lieutenant general Paul Stanton, DCDC aims to shift from reactive to proactive defense, making it harder for adversaries to breach networks. This elevation follows cybercom's earlier move to upgrade its offensive Cyber National Mission force, putting both key cyber operations on equal footing as the US Boosts its digital defense posture. A critical V Bulletin vulnerability is being actively exploited shortly after its disclosure by researcher egidio Romano on May 23. V Bulletin is Internet forum software used to create and manage online discussion boards. Romano detailed a remote code execution flaw affecting versions 5.1 through 6.0.3 and shared proof of concept. Code exploits began hitting honeypots by May 25, using Romano's code to run system commands. Though apparently patched in April, no CVE was initially assigned, but now two CVEs have been issued. This marks the first major V Bulletin exploit wave since 2020. The Accrede infostealer is emerging as a dominant force in credential theft, according to a June 2 report from cybersecurity firm ReliaQuest. Following the May 2025 takedown of Lumasteeler, which had dominated Russian market with 92% of credential theft alerts in late 2024. Accrede has quickly surpassed other malware like Redline, Raccoon and Vidar. Russian market, a major dark Web platform for stolen credentials remains active and influential, with logs often recycled from other sources. In 2024, ReliaQuest issued over 136,000 alerts for customer domains appearing on the market, with most stolen credentials tied to SaaS and SSO accounts. The professional and information sectors were the hardest hit, with over 50,000 alerts already in 2025. The threat continues to grow. Qualcomm has released patches for 3 actively exploited 0 days in its Adreno GPU drivers affecting many chipsets. Two critical flaws reported by Google in January allow unauthorized command execution leading to memory corruption. A third high severity bug reported in March is a use after free flaw triggered during Chrome graphics rendering. Google's threat Analysis group warns these are under targeted exploitation. Qualcomm urges OEMs to deploy patches issued in May. In a related investigation, Google found spyware infections involving Serbian authorities exploiting another Qualcomm flawless. This continues a trend of GPU and DSP driver vulnerabilities being exploited for device access and persistent surveillance, underlining Qualcomm's critical role in mobile security. Researchers at Horizon 3 have published technical details about a critical Cisco iOS XE wireless LAN controller flaw, increasing the risk of imminent exploitation. The bug, disclosed by Cisco on May 7, allows unauthenticated remote attackers to upload files and execute arbitrary commands with root privileges via a hardcoded JWT secret. While no complete exploit script was released, Horizon 3's write up provides enough data for skilled attackers to build one. The flaw impacts several Catalyst 9800 controller models. When the out of band AP image download feature is enabled, attackers can bypass JWT validation, perform path traversal and overwrite system configs to achieve remote code execution. Cisco urges users to upgrade. Disabling the vulnerable feature serves as a temporary workaround to reduce exposure. Microsoft is warning of active exploitation of a memory corruption flaw in the legacy JScript engine patched in May 2025. The vulnerability, rated 7.5 CVSS, allows remote code execution if a user clicks a malicious URL in Microsoft Edge running Internet explorer mode. Though IE 11 is retired, some systems remain vulnerable. A GitHub proof of concept increases the risk of exploit development. Users should patch immediately and disable IE mode in Edge as a temporary safeguard. Researchers at Wardenshield examine Lactrodectus, a stealthy malware loader linked to the Lunar Spider group behind Iced id, which has quickly risen as a major cyber threat following the 2024 takedown of Iced ID and other botnets in Operation Endgame. Emerging in late 2023. Lactrodectus rapidly gained traction among threat actors TA577 and TA578, filling the void in the malware ecosystem. It spreads through phishing, emails and deceptive attachments, deploying DLL payloads. Designed for stealth, persistence and versatile malware delivery, Lactrodectus supports remote command execution, information theft, and installation of ransomware and infosteelers like Iced id, Quackbot, and Darkgate. Its obfuscation, sandbox evasion and encrypted communications make it difficult to detect. Over 44,000 infections were logged in less than a month, mostly targeting North America and Europe. With constant updates and advanced delivery tactics including fake CAPTCHAs and TikTok lures, lactrodectus is a top tier threat, demanding layered defenses, user awareness, and proactive incident response. Coming up after the break, Ann Johnson from Afternoon Cyber Tea speaks with Hugh Thompson, RSAC Program Committee Chair and Decoding AI hallucinations with physics Stay with us.