Data on UK SAS forces and MI6 officers exposed in massive Afghan leak

Google sues BadBox 2.0 ops, Salt Typhoon continues telco targeting, Paradox.ai developer used password of 123456 for Fortune 500 customers, EU sanctions Russians for disinformation campaigns, Qantas gains order blocking release of stolen data, FCC to bar Chinese kit from undersea cables, much more

Source: No Swan So Fine.


Details of members of the SAS or Special Air Service, a highly specialized and secretive special forces unit of the British Army, and officers of MI6, or the UK's secret intelligence service, are among more than 100 Britons named in the database of 18,700 Afghans, the accidental leak of which by a defence official led to thousands being secretly relocated to the UK.

Defense sources said the highly sensitive document contained names and email addresses belonging to people sponsoring or linked to some individual cases.

The identities of members of the SAS and MI6 are a closely guarded secret, and the possibility that such information could have ended up in the public domain was a source of significant official concern.

SAS and other special forces officers were involved in assessing whether Afghans who said they were members of the elite 333 and 444 units, known as the Triples, were allowed to come to the UK.

Sources said the dataset also referred to a “secret route” that Afghans could use to come to the UK. (Dan Sabbagh / The Guardian)

Related: BBC News, The Guardian, The Irish Times, Sky News, The Straits Times, The Mirror, The Sun, Metro, Associated Press, Daily Mail, Reuters

Google sued the anonymous operators of the Android BadBox 2.0 malware botnet, accusing them of running a global ad fraud scheme against the company's advertising platforms.

The BadBox 2.0 malware botnet is a cybercrime operation that utilizes infected Android Open Source Project (AOSP) devices, including smart TVs, streaming boxes, and other connected devices that lack security protections, such as Google Play Protect.

These devices become infected either by threat actors purchasing low-cost AOSP devices, modifying the operating system to include the BadBox 2 malware, and then reselling them online, or by tricking users into downloading and installing malicious apps on their devices that contain the malware.

The malware then becomes a backdoor that connects to command-and-control (C2) servers operated by the attackers, where it receives commands to execute on the device.

Once compromised, devices become part of the BadBox 2.0 botnet, where they are turned into residential proxies sold to other cybercriminals without the victims' knowledge or are used to conduct ad fraud.

Google's lawsuit primarily focuses on the ad fraud component, which the botnet commonly conducts against the company's advertising platforms. Google's complaint states that it has already terminated thousands of publisher accounts linked to the operation, but warns that the botnet continues to grow and poses an increasing cybersecurity risk. 

"If the BadBox 2.0 Scheme is not disrupted, it will continue to proliferate," warns Google. (Lawrence Abrams / Bleeping Computer)

Related: The Keyword, Security Week, The Register, Adweek, Engadget, WebProNews, PCMag

According to a non-public client bulletin issued by Recorded Future, China's Salt Typhoon threat group has continued to target phone and wireless providers around the world, compromising devices tied to seven telecommunications companies since February.

In the past five months, Salt Typhoon has breached network devices at locations on the internet that are owned by the seven companies, including the American telecom and media firm Comcast, South Africa’s MTN Group, and South Korea’s LG Uplus.

The report says the compromised devices likely belong to the seven companies’ clients and doesn’t say the telecommunications firms were breached.

Nonetheless, it shows the hackers’ persistent efforts to infiltrate communications firms and their customers globally, and their success at penetrating the types of devices that have offered paths into organizations’ networks in the past. (Jake Bleiberg and Cameron Fozi / Bloomberg)

Paradox.ai, the developer of an artificial intelligence hiring chatbot, recently had security researchers reveal that its McDonald's account was protected by the easily guessable password 123456, a situation the company said was an isolated instance. It has since emerged that Paradox.ai has suffered recent security breaches involving its employees in Vietnam, where a developer used the same seven-digit password for several Fortune 500 firms listed as customers on the company’s website, including Aramark, Lockheed Martin, Lowes, and Pepsi.

A review of stolen password data gathered by multiple breach-tracking services shows that at the end of June 2025, a Paradox.ai administrator in Vietnam suffered a malware compromise on their device that stole usernames and passwords for a variety of internal and third-party online services. The results were not pretty.

The password data from the Paradox.ai developer was stolen by a malware strain known as “Nexus Stealer,” a form grabber and password stealer that is sold on cybercrime forums. The information snarfed by stealers like Nexus is often recovered and indexed by data leak aggregator services like Intelligence X, which reports that the malware on the Paradox.ai developer’s device exposed hundreds of primarily poor and recycled passwords, using the same base password but with slightly different characters at the end. (Brian Krebs / Krebs on Security)

The European Union sanctioned individuals linked to an operation that used digital assets to evade sanctions and fund pro-Russian disinformation campaigns.

In a decision under the EU’s Common Foreign and Security Policy, sanctions were imposed on nine individuals and six entities. Among them was Kremlin-linked influencer Simeon Boikov, known as AussieCossack, for spreading pro-Russian disinformation.

Boikov was reportedly also responsible for the spread of a fabricated video alleging voter fraud in Georgia in the 2024 US election. According to a Tuesday TRM Labs report, he raised donations through multiple channels, accepting cash and cryptocurrencies.

TRM Labs reports that Boikov engaged with high-risk Russian exchanges that do not enforce know-your-client (KYC) checks and received funds via cash-to-crypto services and darknet markets.

The sanctions were also imposed on A7 OOO, a firm reportedly responsible for efforts to influence Moldova’s 2024 presidential elections and EU accession referendum through vote buying. The firm was founded by Ilan Shor, a fugitive Moldovan oligarch, who reportedly leveraged it to move $1 billion out of three of the nation’s banks.

The United Kingdom already sanctioned A7 OOO in May for its involvement in Moldovan election manipulation. The project is linked to A7A5, a ruble-backed stablecoin, which reportedly emerged as a primary transaction tool on Grinex, a crypto exchange widely seen as the successor to Russia’s sanctioned Garantex platform. (Adrian Zmudzinski / Cointelegraph)

Related: European Union, TRM Labs, The Kyiv Independent, Euro News

Qantas Airways said it has obtained an interim injunction in the New South Wales (NSW) Supreme Court to prevent data stolen by a hacker from being accessed or published by anyone, including any third parties.

Earlier this month, a hacker broke into a database containing the personal information of millions of Qantas customers, Australia's biggest such breach in years.

Australia's flag carrier said that last week it had contacted the 5.7 million affected customers, outlining the specific fields of their personal data that were compromised. (Sherin Sunny / Reuters)

Related: Mi3, News.com, Channel News Asia, Cyber Daily

The US Federal Communications Commission (FCC) said it plans to adopt rules to bar companies from connecting undersea submarine communication cables to the United States that include Chinese technology or equipment.

"We have seen submarine cable infrastructure threatened in recent years by foreign adversaries, like China," FCC Chair Brendan Carr said in a statement. "We are therefore taking action here to guard our submarine cables against foreign adversary ownership, and access as well as cyber and physical threats."

Last year, the FCC said it was considering barring the use of equipment or services in those undersea cable facilities from companies on an FCC list of companies deemed to pose threats to US national security, including Huawei, ZTE, China Telecom, and China Mobile.

The FCC will also seek comment on additional measures to protect submarine cable security against foreign adversary equipment. The cutting of two fiber-optic undersea telecommunication cables in the Baltic Sea prompted investigations of possible sabotage. (David Shepardson / Reuters)

Related: FCC, Financial Times, The Record, Engadget, Tom's Hardware, Data Center Dynamics, Marine Insight, PCMag, Hot Hardware, The Register, Tech Times, WebProNews

Sources say White House officials are preparing an executive order targeting tech companies with what they see as “woke” artificial-intelligence models, their latest effort to go after diversity, equity, and inclusion initiatives.

The order would dictate that AI companies getting federal contracts be politically neutral and unbiased in their AI models, an effort to combat what administration officials see as liberal bias in some models, sources said.

Because nearly all major tech companies are vying to have their AI tools used by the federal government, the order could have far-reaching impacts and force developers to be extremely careful about how their models are developed. (Amrith Ramkumar and Annie Linskey / Wall Street Journal)

Related: Axios

Researchers at the managed detection and response (MDR) company Expel discovered a phishing attack that bypasses the protection normally provided by Fast IDentity Online (FIDO) authentication, in which the private key never leaves the user's device.

Cross-device authentication using FIDO allows a user with one device holding a private key to log into another device that does not hold the key. This is meant to provide convenience in scenarios such as logging in to a public computer or a new device that is not yet enrolled with FIDO.

Typically, a mobile device with a camera, like a phone or tablet, is used to scan a QR code on the second device during login, verifying that the user has possession of the FIDO key-holding device.

In the attack observed by Expel, the attacker set up a spoofed Okta login page that automatically relayed the entered credentials into the legitimate Okta portal, in a man-in-the-middle (MitM) style attack. This phishing page, hosted at the typosquatted domain okta[.]login-request[.]com, was sent to the victim in an email.

To bypass FIDO, the attacker requested cross-device authentication at the next login stage on the legitimate portal, causing Okta to generate a QR code that was automatically relayed back to the victim on the spoofed page.

The victim scanned the QR code using their authenticator app, unwittingly providing the attacker access to their account. Expel reported that, although the attacker successfully logged in, no further malicious activity was observed in this case.

Expel suspects the attack is connected to the PoisonSeed campaign, a cluster of phishing attacks that have leveraged compromised accounts to target cryptocurrency wallets since at least April 2025. (Laura French / SC Media)

Related: Expel

Overview of how a phishing page effectively bypasses any protections that a FIDO key grants. Source: Expel.

According to Chainalysis, more than $2 billion in cryptocurrency was stolen by hackers in the first half of 2025, with most of that coming from the $1.5 billion stolen from Dubai-based crypto platform Bybit in February by hackers connected to North Korea.

The $2.17 billion stolen so far this year already surpasses the losses seen in all of 2024, and is the highest number seen in the first six months of a year since the company began tracking the figures in 2022. 

Chainalysis estimates that up to $4 billion worth of cryptocurrency may be stolen by the end of the year.

The Bybit incident is currently the largest-ever crypto theft and accounts for 69% of all funds stolen this year. (Jonathan Greig / The Record)

Related: Chainalysis, PYMNTS.com, TechCrunch, CNBC, DL News, Bloomberg, Decrypt, Cryptopolitan, CryptoSlate, CryptoPotato, BeInCrypto, crypto.news

Source: Chainalysis.

Researchers at GreyNoise report that a critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed "CitrixBleed 2," was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were made public, despite Citrix stating that there was no evidence of attacks.

GreyNoise confirmed its honeypots detected targeted exploitation from IP addresses located in China on June 23, 2025. The company told the US Cybersecurity and Infrastructure Security Agency (CISA) on July 9 that the flaw was actively exploited, causing the cyber agency to add it to its Known Exploited Vulnerabilities (KEV) catalog and giving federal agencies one day to patch the flaw.

Despite these early signs and repeated warnings from security researcher Kevin Beaumont, Citrix had still not acknowledged active exploitation in its security advisory for CVE-2025-5777. It only quietly updated its June 26 blog post on July 11, after it appeared in the KEV database the day before.

Citrix finally released another blog post on July 15 on how to evaluate NetScaler logs for indicators of compromise.

However, even with this, the company has been under fire for not being transparent and sharing IOCs. (Lawrence Abrams / Bleeping Computer)

Related: GreyNoise, gbhackers, Cyber Security News, CyberInsider

Source: GreyNoise.

Kentaro Kawane, a researcher at the Japanese cybersecurity service GMO Cybersecurity by Ierae, discovered a critical vulnerability (CVE-2025-20337) in Cisco's Identity Services Engine (ISE) that could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.

The security issue received the maximum severity rating, 10 out of 10, and is caused by insufficient user-supplied input validation checks.

A remote unauthenticated attacker could leverage it by submitting a specially crafted API request.

The vulnerability was added via an update to the security bulletin for CVE-2025-20281 and CVE-2025-20282, two similar RCE vulnerabilities that also received the maximum severity score and that impact ISE and ISE-PIC versions 3.3 and 3.4.

Cisco also released four security advisories for less severe vulnerabilities (medium to high severity rating) in several of its products. (Bill Toulas / Bleeping Computer)

Related: TechRadar, The Register, SC Media

A lawyer for the shareholders told a Delaware judge that Mark Zuckerberg and current and former directors and officers of Meta Platforms agreed to settle claims seeking $8 billion for the damage they allegedly caused the company by allowing repeated violations of Facebook users' privacy.

The parties did not disclose details of the settlement, and defense lawyers did not address the judge, Kathaleen McCormick of the Delaware Court of Chancery. McCormick adjourned the trial just as it was to enter its second day, and she congratulated the parties.

Shareholders of Meta sued Zuckerberg, Andreessen, and other former company officials, including former Chief Operating Officer Sheryl Sandberg, in hopes of holding them liable for billions of dollars in fines and legal costs the company paid in recent years. The Federal Trade Commission fined Facebook $5 billion in 2019 after finding that it failed to comply with a 2012 agreement with the regulator to protect users' data.

The shareholders wanted the 11 defendants to use their personal wealth to reimburse the company. The defendants denied the allegations, which they called "extreme claims." (Tom Hals / Reuters)

Related: Reuters, SiliconANGLE, Benzinga, Reuters, Delaware Online, Wall Street Journal, Engadget, Reuters, Tech Xplore, Associated Press, Cord Cutters News, iPhone in Canada, The American Bazaar, Washington Examiner, BusinessLIVE, The Times, MediaPost, Bloomberg, New York Post, Al Jazeera, PYMNTS.com, Chosun Biz

Researchers from Cisco Talos uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets.

The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that’s greenlit in many enterprise networks that rely on the code repository for the software they develop. GitHub removed the three accounts that hosted the malicious payloads shortly after being notified by Talos.

The campaign, which Talos said had been ongoing since February, used a previously known malware loader tracked under names including Emmenhtal and PeakLight. Researchers from security firm Palo Alto Networks and Ukraine’s major state cyber agency SSSCIP had already documented the use of Emmenhtal in a separate campaign that embedded the loader into malicious emails to distribute malware to Ukrainian entities. Talos found the same Emmenhtal variant in the MaaS operation, only this time the loader was distributed through GitHub.

The campaign using GitHub differed from the one targeting Ukrainian entities in another key way. Whereas the final payload in the Ukrainian campaign was a malicious backdoor known as SmokeLoader, the GitHub campaign installed Amadey, a separate malware platform.

Amadey was first seen in 2018 and was initially used to assemble botnets. (Dan Goodin / Ars Technica)

Related: Cisco Talos, Infosecurity Magazine, HackRead

“Legendary99999” appears to have been the most utilized GitHub account in this campaign. Source: Cisco Talos.

A new draft proposal co-authored by Jameson Lopp and other crypto security researchers wants to freeze bitcoins secured by legacy cryptography, including those in Satoshi Nakamoto’s wallets, before quantum computers can crack them.

The proposal introduces a phased soft fork that turns quantum migration into a ticking clock. Fail to upgrade, and your coins become unspendable.

That includes the roughly 1.1 million BTC tied to early pay-to-pubkey addresses, like those of Satoshi and other early miners.

“This proposal is radically different from any in Bitcoin's history just as the threat posed by quantum computing is radically different from any other threat in Bitcoin's history,” the authors explained as a motivation for the proposal. “Never before has Bitcoin faced an existential threat to its cryptographic primitives.”

“A successful quantum attack on Bitcoin would result in significant economic disruption and damage across the entire ecosystem. Beyond its impact on price, the ability of miners to provide network security may be significantly impacted,” they added. (Shaurya Malwa / CoinDesk)

Related: GitHub, Coinspeaker, Cointelegraph, BeInCrypto

Best Thing of the Day: Enjoy Your Breakfast Roll and Always Use Multi-Factor Authentication

Belgian police, together with all the bakers in the Pajottenland region, are distributing 10,000 bread bags as part of a new cybersecurity education campaign targeted at seniors. The bags carry important cybersecurity tips, such as never giving out your PIN or password.

Worst Thing of the Day: Toss Cyber Diplomacy on the Trash Heap

The cuts of cybersecurity and technology staff at the State Department, which were first reported by the Washington Post's Joseph Menn earlier this week, are more extensive than previously reported, undercutting efforts to promote democratic norms online and hampering the US's ability to beef up the cybersecurity capabilities of our allies.
