Risky Bulletin: HackingTeam is back!
Podcast: Risky Bulletin (Risky.Biz)
Date: October 29, 2025
Host: Claire Aird
Prepared by: Catalin Cimpanu
Overview
This episode covers a broad range of pressing cybersecurity news from around the globe, with a spotlight on the resurfacing of a notorious Italian spyware vendor targeting Russia and Belarus, high-profile breaches, regulatory moves, and notable criminal cases in the cyber domain. The episode is fact-driven and fast-paced, offering succinct updates relevant for infosec professionals and enthusiasts.
Key Discussion Points & Insights
1. Hacking Team Successor Targets Russia and Belarus ([00:04])
- Memento Labs, a company formed from the remnants of the infamous Italian spyware vendor Hacking Team, is actively conducting espionage operations.
- Target: Russian and Belarusian organizations, with activity traced since at least 2022.
- Capabilities: A toolset that includes the Dante surveillance platform, the LeetAgent spyware, and at least one Chrome zero-day exploit.
- Attribution: Kaspersky researchers.
Quote:
“A company formed from the remnants of defunct Italian spyware vendor Hacking Team is conducting espionage operations. Kaspersky says the company, Memento Labs, has been targeting Russian and Belarusian organizations since at least 2022.” — Claire Aird [00:04]
2. Afghan Citizens Exposed by UK MoD Data Leak ([01:10])
- A 2022 leak of UK Ministry of Defence files exposed the personal data of about 19,000 Afghans who had supported UK forces.
- Impact: 49 people linked to the list have since been killed; many others received death threats or were tortured or beaten.
- Context: Family members and colleagues of the listed individuals were particularly targeted.
Quote:
“49 people have been killed following a UK Ministry of Defence leak in 2022.” — Claire Aird [01:10]
3. Major Italian Hacking and Extortion Scandal ([02:00])
- Fifteen people, all former employees of the company Equalize, are expected to plead guilty to hacking government databases for extortion.
- Discovery: Police uncovered the operation while surveilling a Mafia associate.
- Leader: The operation was run by former police inspector Carmine Gallo, who has since died.
4. F5 Security Breach and Business Slowdown ([02:25])
- F5, a US tech firm, suffered a breach by suspected Chinese state-sponsored actors who exfiltrated source code and internal vulnerability reports; the intrusion dates back to late 2023.
- Impact: CEO François Locoh-Donou announced increased investment in internal security and said the company expects a business slowdown as a result.
5. GCash Data Breach Investigation ([03:00])
- Philippine authorities are probing a potential breach at GCash following a dark web post containing customer details.
- Status: GCash acknowledges the post but has not confirmed a breach.
- Data in the post: Account numbers, names, and other personal details.
6. Svenska kraftnät Ransomware Attack ([03:30])
- Sweden's state-owned power grid operator suffered a breach of a file server; the Everest ransomware group has claimed the attack.
- Critical info: No disruption to the electricity supply.
7. US House Democrats Résumé Database Leak ([04:05])
- Details of more than 7,000 job applicants were exposed by a misconfigured, unprotected database.
- Source: Safety Detectives researchers, who found the exposed server had neither password protection nor encryption.
8. Clearview AI Faces Privacy Complaint in Austria ([04:45])
- Privacy group noyb filed criminal complaints against Clearview AI for continuing to operate in five European countries in defiance of prior injunctions and regulatory decisions.
- Complaint: Mass collection of EU citizens' images for a facial recognition service sold to law enforcement.
9. Philippines: Arrests in SMS Spam Operations ([05:30])
- Two suspects were arrested for sending SMS spam with mobile "SMS blaster" devices, reportedly on the orders of a Chinese boss.
10. Charming Kitten: Iranian APT Leak ([06:00])
- Kitten Busters Group published internal documents detailing finances and operations of the Iranian cyber-espionage group, Charming Kitten.
- Findings: Bitcoin payments, ProtonMail accounts, network of shell companies.
11. XWiki Cryptomining Attacks ([06:30])
- Attackers are exploiting an unauthenticated remote template injection flaw in XWiki to deploy cryptocurrency miners; the vulnerability was patched in February.
- Detected by: VulnCheck, which traced the attacks to a system in Vietnam.
12. DELMIA Apriso Vulnerabilities Under Exploitation ([07:00])
- Two newly patched bugs in the DELMIA Apriso manufacturing operations platform are under active exploitation.
- Context: An industrial platform; this follows exploitation of earlier DELMIA Apriso bugs this year.
13. WSO2 Software Vulnerabilities ([07:30])
- Lexfo Security disclosed nearly a dozen vulnerabilities in WSO2 software products, including remote code execution, CSRF, and SSRF bugs.
- Action: Proof-of-concept code has been released.
14. Europol Calls for Anti-Spoofing Measures ([08:00])
- Europol urges governments and telcos to implement international mechanisms for tracing and blocking calls with spoofed caller IDs.
15. Avast Releases Midnight Ransomware Decryptor ([08:30])
- A free decryptor has been released for Midnight ransomware, a strain built on the leaked Babuk code; flaws in its new encryption scheme made file recovery possible.
16. X (Twitter) Security Key Re-Enrollment ([09:00])
- X (formerly Twitter) users who secure their accounts with hardware security keys must re-enroll them by November 10, because the keys are registered against the twitter.com domain, which is being retired.
- Consequence: Accounts whose keys are not re-enrolled will be locked.
Quote:
“X users must re-enrol their security keys by November 10th. The platform is retiring its old twitter.com domain that the keys were tied to. Users who fail to update…will have their accounts locked.” — Claire Aird [09:00]
17. Chrome HTTPS-Only by Default ([09:25])
- Google Chrome will enable HTTPS-only connections by default starting October next year, with Chrome 154. Users will see a warning before Chrome loads a public website over plain HTTP.
- Stat: “95% of all Chrome traffic already takes place via HTTPS.”
Quote:
“Google Chrome will load all websites via HTTPS connections from October next year. The browser will prompt users every time they try to load a website without encryption.” — Claire Aird [09:25]
Memorable Moments & Notable Quotes
- “[Memento Labs] has been targeting Russian and Belarusian organisations since at least 2022. Its tools include the Dante surveillance platform, the LeetAgent spyware and at least one Chrome zero-day.” [00:15]
- “49 people have been killed following a UK Ministry of Defence leak in 2022.” [01:10]
- “Fifteen people are expected to plead guilty to a hacking and extortion scheme in Italy this month.” [02:00]
- “The Everest Ransomware group has taken credit for the attack [on Svenska kraftnät]…didn’t affect electricity supply operations.” [03:45]
- “Google says 95% of all Chrome traffic already takes place via HTTPS.” [09:40]
Timestamps of Key Segments
| Topic | Timestamp |
|----------------------------------------|-----------|
| Hacking Team successor: Memento Labs | 00:04 |
| UK MoD Afghan data leak deaths | 01:10 |
| Italian hacking/extortion case | 02:00 |
| F5 breach and response | 02:25 |
| GCash breach investigation | 03:00 |
| Svenska kraftnät ransomware attack | 03:30 |
| US House Democrats résumé leak | 04:05 |
| Clearview AI privacy complaint | 04:45 |
| Philippine SMS spammers arrested | 05:30 |
| Charming Kitten APT documents leak | 06:00 |
| XWiki remote template injection | 06:30 |
| DELMIA Apriso vulnerabilities | 07:00 |
| WSO2 software vulnerabilities | 07:30 |
| Europol caller ID spoofing action | 08:00 |
| Avast Midnight ransomware decryptor | 08:30 |
| X (Twitter) security keys update | 09:00 |
| Chrome HTTPS-only warning rollout | 09:25 |
Tone:
Direct, factual, concise, and slightly urgent—consistent with a breaking news bulletin for cybersecurity professionals.
Summary
This episode is a rapid-fire dispatch on critical cyber incidents and regulatory moves worldwide, with a strong focus on attack and breach impact, operational insights into both criminal and state-sponsored groups, and practical security updates affecting major organizations and individuals. The resurgence of organizations tied to the notorious Hacking Team, with new espionage operations targeting Russia and Belarus, underscores the evolving and persistent threat landscape. The bulletin ties together global incidents, from deadly data leaks to industrial system attacks, and concludes with urgent security hygiene reminders for users and organizations.
