Russian police arrest the Meduza Stealer trio. A former L3Harris manager pleads guilty to selling exploits to Russia. The US hacked Venezuela in 2020, and Windows 11 Administrator Protection goes live. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 31st of October, and this podcast episode is brought to you by Knocknoc.

In today's top story, three suspects believed to be behind the Meduza infostealer have been arrested in Moscow. The Interior Ministry said the malware was used in attacks on Russian government networks. The malware was advertised on underground hacking forums and offered as a service on Telegram.

In other news, CNN has reported that the CIA hacked Venezuela's intelligence service in 2020, around the same time US Cyber Command cut off satellite communications for Russian Wagner troops stationed in Venezuela. Sources told CNN the attacks were used to placate President Trump during his first term, when he pushed for military action against the Maduro regime.

The Israeli government demanded that Amazon and Google notify them when Israeli data was shared with foreign courts or law enforcement. Notifications were made through a secretive system where payments were sent to the Israeli government. The value of the payments started with the country code that had requested data. Amazon and Google were required to set up the system in order to receive Israeli government contracts.

The FCC plans to eliminate recent cybersecurity rules for US telcos. The requirements were implemented by the Biden-era FCC in January following the Salt Typhoon intrusions. They dictated that telcos adopt cybersecurity plans and consider supply chain attacks. The agency now says that telcos have strengthened cybersecurity defences on their own and there's no need for the rules.

Meantime, the FCC will no longer allow US retailers to sell devices that contain parts from sanctioned Chinese companies. The agency will also consider revoking authorisations for previously approved devices. Chinese companies on the FCC's list include Huawei, ZTE, China Mobile and China Telecom. Earlier this month, the FCC warned US retailers to remove those companies' devices from stores.

Several US federal agencies support banning the sale of TP-Link products in the US. The Commerce Department proposed the ban and said the devices pose a national security risk. TP-Link is a Chinese company with close ties to the Communist Party. The Commerce Department began investigating its products and practices earlier this year. TP-Link has called the potential ban nonsensical.

A state-sponsored hacking group has breached a US telco services company. Ribbon Communications was breached in December last year, but the intrusion was not detected until last month. Ribbon provides voice and data transfer services between different platforms and providers. According to Reuters, the hackers managed to move downstream into at least three of Ribbon's customers.

Hacktivist groups have breached three ICS networks across Canada in recent weeks. Attackers altered a water facility's pressure readings, triggered a false alarm at an oil and gas company, and adjusted temperature and humidity levels at a farm's grain silo. All the hacked systems were exposed on the Internet. Canada's Cyber Security Agency has urged organisations to review ICS systems' authentication.

A former manager of a US defence contractor has pleaded guilty to selling exploits to a Russian zero-day broker. 39-year-old Australian national Peter Williams worked at American company L3Harris Trenchant. He allegedly made $1.3 million from selling eight exploits to Russian company Operation Zero, according to his plea deal. He faces a maximum sentence of nine years.

The CEO of Italian spyware company Memento Labs has confirmed that Kaspersky caught the company's spyware. Paolo Lezzi told TechCrunch the spyware was deployed by a government customer. He said the customer used an older version of the Dante spyware that Memento plans to deprecate by the end of the year. Kaspersky and other Russian security firms found the spyware in attacks against Russian and Belarusian targets.

Polish authorities have arrested 11 suspects accused of running investment scams. The group used overseas call centres to trick Polish citizens into giving their money to fake investment websites. The gang allegedly made more than $20 million from at least 1,500 victims.

Australian police have recovered $6 million worth of crypto by cracking a criminal's wallet. The wallet contained payments received from renting out the Ghost encrypted comms app to other criminals. Officers found an encoded version of the wallet password in a password-protected note on his phone.

A cluster of 126 malicious npm packages infected users with malware using invisible dependencies. The technique relied on using malicious dependencies hosted on custom domains. The libraries are not scanned by most npm security tools. According to Koi Security, the malicious packages dropped malware that stole authentication tokens, CI/CD secrets and GitHub credentials.

Zimperium has discovered more than 760 Android apps that can relay contactless payment card data. The stolen NFC data is used to withdraw funds from users' accounts or make purchases. Android NFC relaying is part of a growing trend in China and Russia.

Remote access solutions like VPNs were the primary entry point for ransomware attacks last year. Cyber insurance provider At-Bay says 80% of ransomware attacks were traced to remote access devices in the last five years. At-Bay has recorded a shift from remote desktop towards VPNs as the main entry point. The company said organisations with Cisco and Citrix VPNs were seven times more likely to fall victim to an attack than those with no VPN.

Two vulnerabilities allow threat actors to break the LUKS2 encryption used in eight confidential computing projects. The vulnerabilities allow attackers with access to the underlying disk to trick a trusted execution environment into encrypting data with a null cipher. Attackers can then extract or modify data inside the secure environments.

A Chinese cyber-espionage group is behind a recent zero-day in Motex's LANSCOPE Endpoint Manager. The attacks began in mid-2025. Security firm Sophos linked the attacks to a group known as Bronze Butler. The group is also known as Tick and has a long history of targeting Japan and South Korea.

And finally, the Administrator Protection security feature is now live in Windows 11. The feature will require admins to enter a password, PIN or other form of authentication if they want to perform highly sensitive actions. It's designed to prevent threat actors from abusing compromised admin accounts. This feature is turned off by default, and that is all for this podcast edition. Today's show was brought to you by Knocknoc. Find them at knocknoc.io. Thanks for your company.
Podcast: Risky Bulletin (Risky.biz)
Date: October 31, 2025
Host/Reader: Claire Aird
Prepared by: Catalin Cimpanu
This edition of Risky Bulletin presents a rapid-fire roundup of the week’s most pressing cybersecurity headlines. Main themes include: a rare Russian crackdown on the Meduza infostealer gang, U.S. espionage against Venezuela, controversial spyware revelations, and the rollout of stronger admin protections in Windows 11. The episode is characterized by Claire’s clear, newsy delivery and focuses on developments with global impact for cyber defenders and policy watchers.
On Meduza Stealer arrests:
“The malware was used in attacks on Russian government networks… offered as a service on Telegram.” (Claire Aird, 00:13)
On FCC’s regulatory retreat:
“The agency now says that telcos have strengthened cybersecurity defences on their own and there’s no need for the rules.” (Claire Aird, 01:06)
On ransomware attack vectors:
“80% of ransomware attacks were traced to remote access devices in the last five years. At-Bay has recorded a shift from remote desktop towards VPNs as the main entry point.” (Claire Aird, 03:31)
Claire delivers cybersecurity news in a brisk, direct, and slightly sardonic tone, confident in headline importance while sticking to the facts and avoiding editorialization.
For listeners new to the episode, this summary covers all primary storylines, dissects their context, and highlights security themes relevant to defenders, policymakers, and tech industry watchers.