Threat Intelligence RoundUp: September

October 01, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of how popular they were in our newsletter, that is, what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Hackers breach fintech firm in attempted $130M bank heist – Bleeping Computer

Sinqia, Evertec’s Brazilian subsidiary, disclosed to the U.S. Securities and Exchange Commission (SEC) that its systems were breached by hackers on August 29 with the intent to conduct unauthorized transactions. The hackers specifically targeted Pix, the Brazilian Central Bank’s real-time payment system. Access to Pix was gained using stolen credentials belonging to an IT vendor. Evertec has reported that an undisclosed portion of the $130 million has been recovered. No specific hacker group has been linked to the attack. Read full article.

2. Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats – The Hacker News

Dream, the Israeli cybersecurity company, claims an Iranian-nexus group targeted embassies and consulates in Europe via a spear phishing campaign. The emails contained information regarding geopolitical tensions between Iran and Israel and prompted individuals to open a Word document that “urges recipients to ‘Enable Content’ in order to execute an embedded Visual Basic for Applications (VBA) macro, which is responsible for deploying the malware payload.” The hackers sent emails to organizations located in the Middle East, Africa, Europe, Asia, and the Americas, casting a wide net in an attempt to gain access and harvest information. Article here.

Following extradition from Kosovo in May, Liridon Masurica has pled guilty in federal court in Florida. Masurica was the lead administrator of the online criminal marketplace BlackDB.cc from 2018 to 2025. Records show he pled guilty to leading the organization and has also been charged with five counts of fraudulent use of unauthorized access devices and one count of conspiracy to commit access device fraud. Read more here.

On September 12, the FBI issued a FLASH alert “to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395”. The alert follows the tracking of UNC6395, which targeted companies’ support case information in Salesforce between August 8 and August 18. The exfiltrated data was analyzed to extract secrets, credentials, and authentication tokens shared in support cases. After discovery, Salesforce revoked all Drift tokens and required customers to reauthenticate the platform. Mandiant disclosed information regarding UNC6040 in June, warning of social engineering and vishing attacks connected to Salesforce accounts. Read here.

5. Airport disruptions in Europe caused by a ransomware attack – Bleeping Computer

Several European airports experienced a ransomware attack that affected the check-in and boarding systems. The attack targeted Collins Aerospace, the external provider for both systems. Beginning Friday evening, hackers targeted the MUSE (Multi-User System Environment) system, causing over 100 delayed and cancelled flights throughout the weekend. The attack was confirmed by the European Union Agency for Cybersecurity (ENISA) and the agency claimed the hackers were attempting to lock up data and systems in “an attempt to score a ransom”. All reports claim that the incident was resolved by Monday. Learn more.

6. AI-powered malware hit 2,180 GitHub accounts in “s1ngularity” attack – Bleeping Computer

On August 26, threat actors exploited a flawed GitHub Actions workflow in the Nx repository, resulting in the exposure of 2,180 accounts. The telemetry.js malware is a credential stealer that targets Linux and macOS systems. The malware attempted to steal “GitHub tokens, npm tokens, SSH keys, .env files, crypto wallets”. The attack unfolded in three separate phases, ultimately exposing 7,200 repositories. Read full article.

7. Massive anti-cybercrime operation leads to over 1,200 arrests in Africa – Bleeping Computer

In an August 22 press release, INTERPOL announced the arrest of 1,209 cybercriminals who targeted nearly 88,000 victims as part of an INTERPOL-coordinated operation dubbed “Operation Serengeti 2.0.” As noted in the statement, the operation took place between June and August 2025 and involved investigators from 18 countries across Africa as well as from the U.K. Nine private sector partners also assisted with the investigation. The operation resulted in the recovery of $97.4 million and the dismantling of 11,432 malicious infrastructures. Read full article.

8. Google nukes 224 Android malware apps behind massive ad fraud campaign – Bleeping Computer

The Android ad fraud operation “SlopAds” was disrupted after 224 malicious applications on Google Play were found to be generating 2.3 billion ad requests per day. The operation was discovered by HUMAN’s Satori Threat Intelligence team. The applications were downloaded over 30 million times and used obfuscation and steganography to avoid detection. Once detection was avoided, the “FatModule” malware would be activated. One evasion tactic used by the apps depended on how they were installed: if installed through the Play Store, an app acted as a normal app; if installed by clicking through an ad, “it downloads four PNG images that utilize steganography to conceal pieces of a malicious APK.” Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Copyright © 2024 DarkOwl, LLC All rights reserved.