Risky Bulletin: Syrian Army Infected with Spyware Before Regime Collapse Hosted by Claire Aird | Released on June 4, 2025

Introduction

In this episode of Risky Bulletin, Claire Aird delves into a range of critical cybersecurity incidents impacting global security, corporate integrity, and individual privacy. From state-sponsored spyware targeting military personnel to major breaches in the retail and fashion industries, this bulletin provides comprehensive updates on the latest threats and defensive measures in the cybersecurity landscape.

1. Spyware Infection in the Syrian Army

Timestamp: 00:04

Claire begins the episode by highlighting a significant cybersecurity breach within the Syrian military. According to New Lines Magazine, members of the Syrian army were deceived into installing a malicious spyware application on their Android devices.

• App Details: The spyware was embedded within an app named STFD686, which purportedly offered financial aid to military personnel. This app seemed to be affiliated with the Syria Trust for Development, a humanitarian organization overseen by Bashar al-Assad's wife.

• Malware Used: The app contained a variant of the Spymax Remote Access Trojan (RAT), enabling attackers to monitor the movements of Syrian soldiers effectively.

• Impact Timeline: The app was deployed in June of the previous year, just five months prior to the collapse of the Assad regime, indicating a deliberate and strategic effort to undermine military operations.

"A spyware app infected the Syrian army soldiers before the regime collapsed." — Claire Aird [00:04]

2. NSO Group Appeals WhatsApp Verdict

Timestamp: 02:15

The bulletin shifts focus to the NSO Group, an Israeli spyware manufacturer, which has filed an appeal against a court verdict related to a WhatsApp lawsuit.

• Verdict Details: Last month, NSO was mandated to pay Meta (formerly Facebook) $167 million in damages. The lawsuit arose after an NSO exploit was utilized to hack into 1,400 WhatsApp users in 2019.

• NSO's Stance: The company contests the verdict, labeling it as "unlawful and excessive" and is seeking a reduced financial penalty through a new trial.

"The company is seeking reduced damages for a new trial. It called the verdict unlawful and excessive." — Claire Aird [02:15]

3. Shutdown of Emergency Cybersecurity Assistance Group

Timestamp: 04:50

Claire reports the closure of the Emergency Management and Response Information Sharing and Analysis Centre (EMR ISAC).

• Role of EMR ISAC: This organization provided essential cybersecurity support to first responders, including bomb squads and search and rescue teams.

• Reason for Shutdown: The cessation of operations in late May is attributed to federal funding cuts impacting several Information Sharing and Analysis Centre (ISAC) groups this year.

4. Microsoft’s Quick Machine Recovery Feature

Timestamp: 07:30

A significant update from Microsoft is discussed, introducing a new feature aimed at enhancing system recovery processes.

• Feature Overview: The Quick Machine Recovery allows Windows operating systems to directly consult Microsoft for solutions if they fail to boot, streamlining the recovery process.

• Rationale: This development follows a problematic CrowdStrike update that caused over 8 million Windows computers to enter a reboot loop last year.

5. Cyberattack on Korana Pro

Timestamp: 09:45

An Indian grocery delivery startup, Korana Pro, fell victim to a malicious cyberattack.

• Attack Details: Hackers deleted the company's customer data and source code for its mobile application. While the app remains online, it is currently unable to process payments.

• Source of Attack: The breach originated from an account belonging to a former employee, as reported by TechCrunch.

6. Ransomware Impact on Marks and Spencer

Timestamp: 12:10

Marks and Spencer (M&S) is experiencing disruptions due to a recent ransomware attack.

• Operational Impact: The attack has crippled the UK retail chain’s HR systems, leading to the suspension of online recruitment processes.

• Interim Measures: Individual stores are resorting to Facebook ads, inviting prospective employees to attend walk-in recruitment days in person.

• Outlook: M&S anticipates that the disruption to its systems will persist for at least another month.

7. Data Breach at Cartier

Timestamp: 14:35

Luxury fashion house Cartier has disclosed a significant data breach affecting its customers.

• Stolen Data: The breach compromised names, emails, and countries of residence of Cartier’s clientele.

• Industry Context: Cartier joins other high-profile fashion brands like Christian Dior, Tiffany & Co., Victoria’s Secret, and Adidas in recently experiencing similar breaches.

8. Hacking of Morocco’s Land and Property Service

Timestamp: 17:00

The Moroccan Land and Property Service has been targeted by cybercriminals, resulting in the theft of its database.

• Perpetrators: The Algerian hacking group Jabiroot claimed responsibility, releasing over 10,000 files on Telegram.

• Nature of Data: The leaked information includes real estate transactions conducted by Moroccan public figures.

• Previous Attacks: Jabiroot had previously compromised Morocco's Social Security database in April, releasing manipulated documents that misled officials.

9. Cryptocurrency Heists in Taiwan and Beyond

Timestamp: 19:25

Claire covers a series of cryptocurrency-related cybercrimes affecting different platforms.

• Bitapro Exchange: A Taiwanese crypto exchange, Bitapro, lost $11.5 million worth of cryptocurrency in an attack confirmed this week. The funds were laundered through Tornado Cash and Thorchain.

• ForceBridge Platform: Another breach involved the cross-chain platform ForceBridge, where hackers stole $3.7 million in crypto assets by exploiting weak access controls and manipulating the bridge's security mechanisms, as reported by blockchain security firm Hashex.

10. Nigerian Sextortion Campaign Arrests

Timestamp: 21:50

Authorities in Nigeria have made significant arrests related to a widespread sextortion campaign.

• Details of the Operation: 22 suspects were detained following a joint investigation between Australian and Canadian police forces.

• Tragic Outcome: The campaign has been linked to the suicide of a two-year-old Australian in 2023, highlighting the severe emotional and psychological impacts of such cybercrimes.

11. Swatting of US Government Officials

Timestamp: 24:05

A Romanian national, Thomas Szabo, has pleaded guilty in a DC court for orchestrating swatting attacks against US government officials.

• Modus Operandi: Szabo, along with a Serbian accomplice, used Google Voice to place fake bomb threats and false police reports, targeting members of Congress, state governors, federal officials, and law enforcement personnel.

• Legal Proceedings: The 26-year-old was arrested last year and admitted his involvement in the large-scale campaign during court proceedings.

12. Emerging Threats in DevOps Infrastructure

Timestamp: 26:20

A new threat actor group is actively breaching DevOps infrastructure to deploy cryptocurrency miners.

• Targets: The attacks focus on software packages such as Consul Docker, Gitea, and Nomad.

• Noteworthy Incident: According to cloud security firm Wiz, this marks the first publicly documented exploitation of Nomad servers in the wild.

13. Malicious Ruby Libraries Targeting Telegram

Timestamp: 28:45

Socket Security has identified two malicious Ruby libraries designed to intercept traffic on the Telegram messenger.

• Functionality: These plugins masquerade as Telegram proxies built on the Fastlane App Automation service socket, aiming to capture sensitive messaging data.

• Target Demographic: Researchers believe the primary targets are developers in Vietnam, especially in light of the recent nationwide block on Telegram announced by authorities.

14. Crocodylus Android Malware Enhancements

Timestamp: 31:10

The Crocodylus Android malware has undergone updates, expanding its malicious capabilities.

• New Features: Attackers can now add contacts to victims’ address books, enhancing the plausibility of social engineering attacks.

• Distribution: The malware spreads primarily through malvertising campaigns and has been active this year.

• Previous Exploits: It has been used to harvest login credentials for mobile banking apps and extract crypto wallet seed phrases.

15. Meta and Yandex Privacy Intrusions

Timestamp: 33:35

A concerning discovery reveals that Meta and Yandex have been exploiting local host ports to monitor mobile user activities.

• Methodology: Websites incorporating MetaPixel and Yandex Metrica scripts connect to local ports on Android devices. Both Meta and Yandex applications listen on these ports to gather browsing metadata, cookies, and advertising IDs.

• Privacy Implications: This technique circumvents standard privacy protections, including incognito mode, Android's permission controls, and cookie clearing.

• Response: Meta ceased using this tracking method following its disclosure by cybersecurity researchers.

16. Collaborative Initiative on APT Group Naming

Timestamp: 36:00

Four major cybersecurity firms have announced a joint initiative to address the complexities of Advanced Persistent Threat (APT) group naming.

• Participants: Microsoft, CrowdStrike, Google, and Palo Alto Networks will collaborate to publish documents that detail overlapping APT names assigned by each entity.

• Objective: While aiming to harmonize naming conventions, the companies do not intend to develop a universal APT naming taxonomy, acknowledging the diversity in threat identification processes.

17. Qualcomm Patches Zero-Day Vulnerabilities

Timestamp: 38:25

Chipmaker Qualcomm has addressed three zero-day vulnerabilities exploited in its Adreno GPU driver.

• Discovery: These vulnerabilities were uncovered by Google's security team, specifically targeting attacks against Android smartphones.

• Remediation: Patches have been distributed to smartphone manufacturers, with updates expected to roll out to end-users promptly.

18. Google Patches Chrome Zero-Day

Timestamp: 40:50

Google has released a critical security update for the Chrome browser addressing an actively exploited zero-day vulnerability.

• Vulnerability Details: The flaw lies in Chrome's V8 JavaScript engine, leading to potential memory corruption issues.

• Context: This marks the third Chrome zero-day vulnerability patched within the current year, underscoring the ongoing challenges in maintaining browser security.

19. Vulnerabilities in Pre-Installed Smartphone Apps in Poland

Timestamp: 43:15

Poland's Computer Emergency Response Team (CERT) has identified significant vulnerabilities in applications pre-installed on smartphones from local vendors.

• Affected Devices: Smartphones from brands like Kruger, Mats, and Ulefone are vulnerable.

• Vulnerabilities Exploited:

  • Stealing PIN Codes: Attackers can extract personal identification numbers.
  • Factory Reset: Malicious actors can remotely reset devices to default settings.
  • Code Injection: Vulnerabilities allow for the injection and execution of malicious code with system-level privileges.

Conclusion

This episode of Risky Bulletin underscores the pervasive and evolving nature of cyber threats across various sectors and geographies. From state-sponsored espionage to vulnerabilities in widely-used software, the bulletin emphasizes the critical need for robust cybersecurity measures and international collaboration to mitigate these risks. Claire Aird effectively navigates through each story, providing listeners with a comprehensive understanding of the current cybersecurity landscape.

Note: This summary excludes sponsor messages and non-content sections to focus solely on the informational aspects of the episode.