
Dragon Sight: Emerging Threats & Security Strategies

WEEK OF JUN 30, 2025 | ISSUE 13 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"

This Week in Issue

Android’s Godfather malware adopts virtualization to stealthily hijack banking apps. A misconfigured Gerrit repo exposed Google-linked projects to code injection risks, while MITRE flags rising abuse of insecure GitHub Actions in open source. Anubis ransomware now includes a destructive wiper, escalating stakes for victims. Legacy TP-Link routers are being actively exploited, and cyberattacks surged against journalists, underscoring evolving threat priorities.

CYBER NEWS ROUNDUP

Nexus-Dragon Cybersecurity Roundup: News Articles from Around the Web Relevant to the SMB

Godfather Android Malware Now Uses Virtualization to Hijack Banking Apps
A new variant of the Godfather Android malware is leveraging virtualization to mask its presence while targeting banking applications, allowing it to intercept credentials and hijack sessions in real time. This evolution makes detection harder and significantly increases the risk to financial data on mobile devices. Nexus-Dragon warns SMBs to treat mobile device security with the same rigor as desktops, especially as BYOD trends rise.
Read more: Godfather Android Malware Now Uses Virtualization to Hijack Banking Apps

Krispy Kreme Says November Data Breach Impacts Over 160,000 People
Krispy Kreme has confirmed a data breach exposing the personal information of over 160,000 customers, including names and partial credit card details. The breach stemmed from a November 2023 attack and highlights ongoing risks in customer-facing retail systems. Nexus-Dragon urges SMBs handling customer data to prioritize breach detection and incident response plans, regardless of industry.
Read more: Krispy Kreme Says November Data Breach Impacts Over 160,000 People

Gerrit Misconfiguration Exposed Google Projects to Code Injection
A critical misconfiguration in Gerrit, a popular code review tool, exposed several Google projects to potential code injection and manipulation. This highlights the hidden risks in CI/CD pipelines and how misconfigured open-source tools can create serious supply chain vulnerabilities. Nexus-Dragon underscores the importance of access controls and regular audits for all dev tools used by SMBs in modern software environments.
Read more: Gerrit Misconfiguration Exposed Google Projects to Code Injection

Insecure GitHub Actions in Open-Source Projects – MITRE
MITRE has revealed that thousands of GitHub repositories are running insecure GitHub Actions workflows, which attackers could exploit to gain unauthorized access or inject malicious code. These issues arise from poor configurations and over-privileged tokens in automation scripts. Nexus-Dragon advises SMB developers to audit GitHub Actions regularly, as even small projects can be exploited in wider supply chain attacks.
Read more: Insecure GitHub Actions in Open-Source Projects – MITRE

Organizations Warned of Vulnerability Exploited Against Discontinued TP-Link Routers
A vulnerability in discontinued TP-Link routers is being actively exploited in the wild, despite the devices no longer receiving firmware updates. Attackers are using them to launch botnet-driven attacks and maintain persistence within small networks. Nexus-Dragon highlights this as a cautionary tale for SMBs still using end-of-life hardware, emphasizing the importance of regular asset reviews and hardware lifecycle management.
Read more: Organizations Warned of Vulnerability Exploited Against Discontinued TP-Link Routers

Anubis Ransomware Packs a Wiper to Permanently Delete Files
A new strain of Anubis ransomware has been discovered with wiper functionality that permanently destroys victim files if ransom isn’t paid. This destructive shift indicates a rise in “no-win” scenarios for targeted organizations. Nexus-Dragon urges SMBs to maintain robust, offline backups and to test recovery plans regularly to withstand such catastrophic threats.
Read more: Anubis Ransomware Packs a Wiper to Permanently Delete Files

Surge in Cyberattacks Targeting Journalists – Cloudflare
Cloudflare reports a sharp increase in cyberattacks targeting journalists and media outlets, with DDoS and credential phishing campaigns being the primary tactics. These attacks aim to silence reporting and access sensitive sources. Nexus-Dragon flags this as a warning to SMBs in media and advocacy to harden their defenses and adopt secure communication tools.
Read more: Surge in Cyberattacks Targeting Journalists – Cloudflare

Hackers Stole 300,000 Crash Reports from Texas Department of Transportation
A breach at the Texas DOT led to the theft of 300,000 crash reports containing personal and sensitive data, now surfacing on dark web forums. This data could be exploited for identity theft, fraud, or social engineering. Nexus-Dragon reminds SMBs in regulated sectors to enforce strict data encryption and vendor oversight protocols.
Read more: Hackers Stole 300,000 Crash Reports from Texas Department of Transportation

Hackers Leverage VBScript Files to Deploy Masslogger
Attackers are reviving VBScript to deliver Masslogger, an infostealer that harvests browser, email, and FTP credentials from infected systems. These phishing lures are cleverly disguised as corporate documents and are bypassing basic filters. Nexus-Dragon advises SMBs to disable legacy scripting engines and invest in layered phishing defenses.
Read more: Hackers Leverage VBScript Files to Deploy Masslogger

Golden SAML Attack Lets Attackers Gain Full Control of Federated Services
Golden SAML is a sophisticated attack method where adversaries forge SAML tokens to impersonate any user, even admins, in a federated identity environment. This gives them long-term, undetectable access to cloud services like Microsoft 365 or AWS. Nexus-Dragon views this as a critical risk for SMBs relying on cloud authentication and recommends implementing strict key management and conditional access controls.
Read more: Golden SAML Attack Lets Attackers Gain Full Control of Federated Services

Cyber Hygiene Tips – Week of June 30, 2025

Keep your team secure with these actionable recommendations drawn directly from current cyber incidents and vulnerabilities.

Ensure all Android devices used in your environment are running the latest OS and security patches—new variants of the Godfather malware are hijacking banking apps using virtualization, making older versions especially vulnerable.

Review and tighten access controls in your GitHub Actions workflows. MITRE has flagged a wave of attacks exploiting insecure automation pipelines in open-source projects that could easily spread to private repos.

Disable or restrict the use of VBScript across all endpoints. This legacy scripting language is being actively abused by threat actors to deploy Masslogger malware via phishing attachments.

Apply strict backup isolation policies and test restores regularly. Anubis ransomware now includes a wiper module that deletes files permanently, leaving no option for recovery if backups are not secure and offline.

Decommission and replace any unsupported TP-Link routers. Threat actors are exploiting vulnerabilities in discontinued models to hijack network traffic and build botnets.

Harden identity and access management for all federated services, especially those using SAML. The resurgence of Golden SAML attacks enables adversaries to impersonate administrators across major cloud platforms.

Verify all crash reports and logs containing personal data are encrypted both in transit and at rest. The Texas Department of Transportation breach showed how sensitive incident data can be exfiltrated and monetized on the dark web.

Run security configuration reviews on internal code review tools like Gerrit. A misconfiguration at Google exposed critical projects to potential code injection—check who can push code and enforce validation rules.

Enhance journalist and high-risk user protections with anti-DDoS, phishing defenses, and secure email gateways. Cloudflare has reported a surge in politically motivated cyberattacks targeting media personnel.

Use DNS filtering and network traffic inspection to catch covert command-and-control channels. Attackers are increasingly abusing DNS-over-HTTPS and proxies to avoid detection while exfiltrating data.

Government advisories

Ransomware Exploits Unpatched SimpleHelp to Breach Utility Billing Provider
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a

LummaC2 Malware Used to Steal Sensitive Organizational Data
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b

PRC Hackers Maintain Persistent Access to U.S. Critical Infrastructure
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

Why all this matters

This week’s cybersecurity developments highlight a clear shift toward more persistent, evasive, and damaging attacks across both public and private sectors. Malware families like Godfather and Masslogger are evolving to exploit mobile platforms and legacy scripting, while ransomware threats like Anubis now include file-wiping capabilities, eliminating recovery options. Supply chain exposures in GitHub Actions and Gerrit underscore the urgent need for tighter controls in DevOps pipelines. Meanwhile, CISA advisories warn of serious threats to AI system integrity and vulnerabilities in widely used infrastructure like PAN-OS and industrial control systems. For SMBs and IT teams alike, these trends signal a critical need to rethink cyber hygiene: review access controls, decommission unsupported hardware, enforce endpoint protections, and audit software supply chains. The cost of delay isn’t just financial; it’s operational, reputational, and in some cases, irreversible.

THREAT FOCUS

Threat Intelligence Brief: Python Version of Golang.Ghost RAT Used in Espionage Campaign

Overview

A newly discovered Python-based variant of Golang.GhostRAT is being used in an active cyber-espionage campaign targeting government entities in South and Southeast Asia. First identified by Cisco Talos, this variant maintains core RAT functionality while shifting its implementation from Go to Python—an indicator of threat actor adaptability. The malware is delivered through spearphishing and communicates with compromised WordPress websites acting as command-and-control (C2) servers.

Threat Actor Profile

Although the campaign has not been definitively attributed, it exhibits strong similarities to activity historically linked to Chinese state-sponsored threat actors, who frequently target governments, public sector agencies, and defense-related organizations in the Asia-Pacific region. These groups prioritize long-term access, espionage, and data exfiltration through lightweight, modular tooling and carefully staged operations.

Tools and Techniques

  • GhostRAT (Python version):
    Rewritten from its Golang predecessor, this variant allows:

    • Command execution via shell

    • File upload/download

    • Screenshot capture

    • Remote control functionality

    • Persistence through scheduled tasks

  • C2 Infrastructure:

    • Public-facing and compromised WordPress websites serve as command-and-control endpoints

    • Communications mimic legitimate web traffic to evade detection

  • Delivery Method:

    • Spearphishing emails containing malicious links or attachments redirect users to payload delivery infrastructure

Mapped MITRE ATT&CK Techniques

  • T1566.002 – Spearphishing via Link

  • T1059.006 – Command and Scripting Interpreter: Python

  • T1053.005 – Scheduled Task/Job

  • T1071.001 – Web Protocols for C2

  • T1113 – Screen Capture

  • T1005 – Data from Local System

  • T1041 – Exfiltration Over C2 Channel

Strategic Implications

The shift from Golang to Python in GhostRAT signals a deliberate move toward agility and obfuscation. Python-based payloads are easier to modify and may better evade static detection systems, especially in environments where Python is already installed for administrative or development purposes.

The use of legitimate WordPress domains as C2 infrastructure further complicates traffic analysis and domain-blocking strategies. The continued focus on South and Southeast Asia also highlights the strategic priority of regional espionage, possibly tied to political influence, infrastructure projects, or military intelligence gathering in the context of rising Indo-Pacific tensions.

Defensive Recommendations

  • Restrict Python Interpreter Use:
    Limit or monitor Python usage on endpoints, especially in user-level directories.

  • Monitor for Scheduled Task Abuses:
    Alert on the creation of new scheduled tasks or modifications outside standard administrative behavior.

  • Deploy Behavioral Detections:
    Use EDR or XDR tools to detect common GhostRAT behaviors such as screen capture, shell execution, and file manipulation.

  • Inspect Outbound Web Traffic:
    Monitor for beaconing or unusual POST requests to WordPress URLs, especially those unrelated to normal business operations.

  • Harden Email Security:
    Use secure email gateways with advanced phishing detection and sandboxing for URLs and attachments.

  • Educate End Users:
    Conduct phishing simulation training and raise awareness about targeted social engineering campaigns.
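Two of the recommendations above (alerting on scheduled task creation outside normal administrative behaviour, and spotting beaconing POSTs to WordPress URLs) can be turned into concrete detection logic. The following is an added example, not code from Nexus-Dragon or Cisco Talos; the proxy log lines and Windows events are constructed samples, the admin allow-list is assumed, and the WordPress path patterns and regular beacon interval are assumptions about what a compromised-site C2 channel would look like rather than indicators from this campaign.

```python
"""Added detection examples: (1) periodic POSTs to WordPress-style paths in a
proxy log, (2) scheduled task creation by non-admin accounts or launching a
Python interpreter from a user directory. All data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Paths present on nearly every WordPress install (assumption: a listener on a
# compromised site would usually sit under one of these).
WP_PATH = re.compile(r"/(wp-content|wp-includes|wp-admin)/|/xmlrpc\.php|/wp-login\.php")

# Constructed proxy log: "<ISO timestamp> <src ip> <method> <url>".
PROXY_LOG = """\
2025-06-30T09:00:00 10.0.0.15 POST https://blog.example.invalid/wp-content/uploads/2024/03/img.php
2025-06-30T09:00:07 10.0.0.22 GET  https://news.example.invalid/wp-content/themes/style.css
2025-06-30T09:05:00 10.0.0.15 POST https://blog.example.invalid/wp-content/uploads/2024/03/img.php
2025-06-30T09:10:01 10.0.0.15 POST https://blog.example.invalid/wp-content/uploads/2024/03/img.php
2025-06-30T09:12:30 10.0.0.22 GET  https://news.example.invalid/wp-content/themes/style.css
2025-06-30T09:15:00 10.0.0.15 POST https://blog.example.invalid/wp-content/uploads/2024/03/img.php
2025-06-30T09:20:02 10.0.0.15 POST https://blog.example.invalid/wp-content/uploads/2024/03/img.php
2025-06-30T09:40:00 10.0.0.22 GET  https://news.example.invalid/wp-content/themes/style.css
"""


def parse_proxy(text):
    """Yield (timestamp, src, method, url) tuples; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, method, url = parts
        rows.append((datetime.fromisoformat(ts), src, method, url))
    return rows


def find_wordpress_beacons(text, min_hits=4, max_cv=0.2):
    """Group POSTs by (source, url) and flag series whose inter-request gaps are
    nearly constant (coefficient of variation <= max_cv) on a WordPress path."""
    series = defaultdict(list)
    for ts, src, method, url in parse_proxy(text):
        if method == "POST" and WP_PATH.search(url):
            series[(src, url)].append(ts)
    findings = []
    for (src, url), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "url": url, "hits": len(stamps),
                             "interval_s": avg, "cv": round(cv, 3)})
    return findings


# Constructed Windows Security events. 4698 = "A scheduled task was created",
# 4702 = "A scheduled task was updated"; fields are simplified from the task XML.
TASK_EVENTS = [
    {"id": 4698, "subject": "CORP\\svc_patching", "task": "\\Microsoft\\Windows\\Patching\\Nightly",
     "command": r"C:\Program Files\Patcher\patch.exe"},
    {"id": 4698, "subject": "CORP\\jdoe", "task": "\\Updater",
     "command": r"C:\Users\jdoe\AppData\Local\Temp\python.exe C:\Users\jdoe\AppData\Roaming\svc.py"},
    {"id": 4702, "subject": "CORP\\admin1", "task": "\\Backup",
     "command": r"C:\Program Files\Backup\run.exe"},
]

ADMIN_ACCOUNTS = {"CORP\\svc_patching", "CORP\\admin1"}  # assumed allow-list
USER_DIR = re.compile(r"\\Users\\[^\\]+\\", re.IGNORECASE)
INTERPRETER = re.compile(r"python\w*\.exe", re.IGNORECASE)


def suspicious_task_events(events, admin_accounts=ADMIN_ACCOUNTS):
    """Return alerts for task create/update events that break either rule."""
    alerts = []
    for ev in events:
        if ev["id"] not in (4698, 4702):
            continue
        reasons = []
        if ev["subject"] not in admin_accounts:
            reasons.append("creator not in admin allow-list")
        if INTERPRETER.search(ev["command"]) and USER_DIR.search(ev["command"]):
            reasons.append("python interpreter launched from a user directory")
        if reasons:
            alerts.append({"task": ev["task"], "subject": ev["subject"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for f in find_wordpress_beacons(PROXY_LOG):
        print("beacon:", f)
    for a in suspicious_task_events(TASK_EVENTS):
        print("task alert:", a)
```

The beacon rule deliberately keys on timing regularity rather than on any specific domain, since the page notes that the C2 hosts are otherwise legitimate WordPress sites that a block-list would not catch; tune `min_hits` and `max_cv` against your own proxy baseline, and feed the scheduled task rule from forwarded 4698/4702 events (task creation auditing must be enabled in the audit policy for those to appear).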

Why This Matters

This campaign showcases how threat actors are recycling proven malware frameworks in new formats to sidestep detection and continue long-term intelligence-gathering operations. The pivot to Python also lowers the barrier for future variants to emerge, especially from non-nation-state actors or lower-tier APT groups.

In a broader geopolitical context, these operations are part of a persistent and adaptive strategy to gain visibility into government decision-making, regional defense postures, and critical infrastructure planning—especially in politically sensitive regions. Defenders must adopt a proactive, behavior-based defense model that evolves as fast as the threats themselves.

Source

Discover the Nexus-Dragon Ecosystem

Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection

Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep: it’s a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com

Included in CLS:

  • Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications

  • Access to interactive cloud security labs, recorded workshops, and scheduled mentorship

  • Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency

  • Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response

Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It’s everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:

  • AI-driven threat detection, endpoint security, and real-time response

  • Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001

  • Guided onboarding and a full cybersecurity risk assessment to identify gaps

  • Multi-year price lock and flexible plans that grow with your organization’s needs

Stay Ahead of Cyber Threats with Curated Threat Intelligence

Nexus-Dragon’s Curated Threat Intelligence Service delivers real-time, tailored insights focused on your risks, your industry, and your assets. We cut through the noise to give you high-confidence IOCs, mapped MITRE ATT&CK techniques, and strategic recommendations so you can act fast and stay protected. Get intelligence built for action.

NEW SERVICE NOW ONLINE!

Dragon Armor Advisors (DAA) by Nexus-Dragon takes the hassle out of hiring by recruiting, vetting, and managing elite cybersecurity professionals for you. From analysts to compliance leads, our mission-ready experts, many from NSA, DoD, and CISA, integrate seamlessly into your team with zero long-term risk. Fill your security gaps fast. www.nexus-dragon.com

Tenable Nessus® Expert is the gold standard for vulnerability assessment—built for security teams facing limited resources and a fast-changing threat landscape. It automates point-in-time assessments to help you quickly find, prioritize, and remediate vulnerabilities across operating systems, devices, and applications.
Discover how Nessus Expert can strengthen your defenses.


Optery helps businesses and individuals automatically remove their private information from hundreds of data broker websites—reducing exposure to phishing, identity theft, and targeted attacks. It’s a powerful privacy protection platform ideal for SMBs looking to safeguard executives, employees, or clients.
Learn more →

Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:
Or explore our solutions directly at:

TELL US HOW WE’RE DOING!

Your feedback is VERY valuable! Let us know how we can improve future issues.

The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. Written with the help of our little A.I!

All trademarks belong to their respective owners.

CONTACT US

📞 850-684-0278