Italian cops arrest FBI-wanted Chinese hacker who tried to steal the COVID-19 vaccine

Brazilian cops bust IT worker connected to $100m banking systems hack, Call of Duty: WWII yanked offline after RCE rumors, OpenAI beefs up corporate spying protections, DragonForce battles RansomHub, Cambodia accuses Thai hackers of attacks, Trump's tax bill contains cyber money, much more



According to press reports, Italian police arrested a 33-year-old Chinese man identified as Xu Zewei from Shanghai, who is wanted by US authorities over alleged industrial espionage, which targeted projects including efforts to develop a COVID-19 vaccine.

He was picked up last week after he arrived at Milan's Malpensa airport on a US arrest warrant as part of an FBI investigation.

US authorities allege that he was part of a team of hackers who tried to access a COVID-19 vaccine being developed by the University of Texas in 2020. He faces an extradition hearing in Milan today.

The charges listed on his arrest warrant are wire fraud and aggravated identity theft, conspiracy to commit wire fraud, and unauthorized access to protected computers. (Alfredo Faieta and Emilio Parodi / Reuters)

Related: ANSA, Financial Times, Decode39, Anadolu Ajansi, Dimsum Daily, Devdiscourse, Bleeping Computer

Police in Brazil arrested a suspect, João Roque, an IT employee of a third-party information technology provider, in connection with a cyberattack that diverted more than 540 million Brazilian reais (about $100 million) from the country’s banking systems.

The breach affected Brazil’s widely used instant payment system, known as PIX, which is used by 76.4% of the population. Hackers targeted C&M, a software company that connects financial institutions to the Central Bank to enable PIX transactions.

Police in Sao Paulo said the $100 million loss refers to just one financial institution that worked with C&M, and total losses could be even higher.

Roque allegedly helped others gain unauthorized access to PIX systems. According to police, Roque told investigators he sold his credentials to hackers who recruited him earlier this year.

After breaching the company’s system, hackers carried out massive fake PIX operations. The fraud took place on a single night and did not affect clients, only financial institutions contracted with C&M. (Associated Press)

Related: Globo, Bitdefender, Bleeping Computer, Reuters, Cointelegraph, Security Week, The Record, Security Affairs, DL News, Databreaches.net, Cryptopolitan, r/cybersecurity

The makers of Call of Duty: World War 2 took the PC version of the game offline over the weekend amid widespread reports online that a remote code execution vulnerability was being used to take over victim computers during live multiplayer matches.

On June 30, the 2017 game was released through Xbox’s GamePass service. On July 5, the X account for game updates announced that the version of the 2017 game for personal computers would be removed from the Microsoft Store “while we investigate reports of an issue.”

But users playing through GamePass quickly began posting videos showing their PCs being taken over during live matches.

According to Malwarebytes, the problem appears to stem from the way older Call of Duty games, like many other titles, switch from dedicated servers to peer-to-peer networking as a game ages. Rather than run and maintain a fleet of servers to host older games online, many video game companies eventually discontinue or reroute those resources, allowing players to use their own machines as the server host.

But that opens those players up to malicious parties who use that connection to hack their opponents. (Derek B. Johnson / CyberScoop)

Related: Meristation AS, Tweaktown, GameLuster, Sports Illustrated, Tom's Hardware, Malwarebytes, GameSpot, GameRant, Rock, Paper, Shotgun

According to a report in the Financial Times, OpenAI has overhauled its security operations to protect against corporate espionage.

The company accelerated an existing security clampdown after Chinese startup DeepSeek released a competing model in January, with OpenAI alleging that DeepSeek improperly copied its models using “distillation” techniques.

The beefed-up security includes “information tenting” policies that limit staff access to sensitive algorithms and new products, the report said. For example, during the development of OpenAI’s o1 model, only verified team members who had been read into the project could discuss it in shared office spaces.

Moreover, OpenAI now isolates proprietary technology in offline computers, implements biometric access controls for office areas (by scanning employees’ fingerprints), and maintains a “deny-by-default” internet policy, requiring explicit approval for external connections, the FT report said.

The company has reportedly also increased physical security at data centers and expanded its cybersecurity personnel. (Connie Loizos / TechCrunch)

Related: Financial Times, StrictlyVC, Analytics India Magazine

DragonForce, the ransomware-as-a-service group best known for powering the youth-oriented threat actors Scattered Spider, has begun a turf war with its rival RansomHub, triggering a battle within the industry that could bring more hacks and further fallout for corporate victims.

Experts warn that the conflict between the two groups, which operate in the ransomware-as-a-service (RaaS) market, could increase risks for companies, including the potential of being extorted twice.

Toby Lewis, global head of threat analysis at Darktrace, said there was “no honor among thieves” in the hacking world.

“Most cybercrime groups have an ingrained need for kudos and one-upmanship that could lead them to attempt to ‘outcompete’ each other by trying to attack and extort the same target,” he added.

The relationship between DragonForce and RansomHub soured after the former rebranded itself as a “cartel” in March, which widened the services it offered and expanded its reach to attract more affiliate partners. (Kieran Smith / Financial Times)

Related: Tom's Hardware

Cambodia's telecommunications authority, the Ministry of Post and Telecommunications, warned that a Thai hacker group identified as ‘BlackEye-Thai’ has launched multiple attacks on Cambodian government systems.

The ministry issued a strong warning to the public today regarding the spread of misinformation on social media, specifically the recent claims from Thailand alleging Cambodian involvement with North Korean hackers.

In an official statement, the ministry categorically denied the accusations, stating that the Royal Government of Cambodia has “no connection whatsoever with North Korean hacker groups.”

The ministry described the allegations as “a malicious attempt by Thailand to tarnish Cambodia’s reputation on the international stage”, and noted that similar accusations have been previously levelled.

“The ministry further revealed that, contrary to the Thai claims, a Thai hacker group identified as BlackEye-Thai has been regularly launching cyberattacks against nearly all of the Cambodian government’s online systems over the past two weeks,” added the statement. (Hong Raksmey / The Phnom Penh Post)

Related: Cambodianess, Khmer Times, Channel News Asia, The Straits Times

The biggest single pot of money under the “One Big Beautiful Bill” would be for Cyber Command, a $250 million allocation for “artificial intelligence lines of effort.” Another $20 million would go to cybersecurity programs at the Defense Advanced Research Projects Agency.

The US Indo-Pacific Command, whose geographical area of responsibility includes the territorial waters of cyber adversaries Russia, China, and North Korea, would get $1 million for cyber offensive operations.

A $90 million pool of funds for several purposes at the Defense Department would include “cybersecurity support for non-traditional contractors.”

A broader set of funds at the Coast Guard would allow some funds to be spent on cyber. A $2.2 billion allocation for maintenance includes the upkeep of “cyber assets.” A $170 million allocation for “maritime domain awareness” contains “the cyber domain.” (Tim Starks / CyberScoop)

Related: Federal News Network

Shellter Project, the vendor of a commercial AV/EDR evasion loader for penetration testing, confirmed that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software.

The abuse has continued for several months, and even though security researchers caught the activity in the wild, Shellter did not receive a notification.

The vendor underlined that this is the first known incident of misuse since it introduced its strict licensing model in February 2023.

Elastic Security Labs disclosed that multiple threat actors have been abusing Shellter Elite v11.0 to deploy infostealers, including Rhadamanthys, Lumma, and Arechclient2.

Elastic researchers determined the activity to have started at least in April, and the distribution method relied on YouTube comments and phishing emails.

Based on the unique license timestamps, the researchers hypothesized that the threat actors were using a single leaked copy, which Shellter subsequently officially confirmed. (Bill Toulas / Bleeping Computer)

Related: Shellter Project, CSO Online, Elastic Security

Researchers at watchTowr and Horizon3 released proof-of-concept (PoC) exploits for a critical vulnerability, tracked as CVE-2025-5777 and dubbed CitrixBleed2, warning that the flaw is easily exploitable and can successfully steal user session tokens.

The CitrixBleed 2 vulnerability, which affects Citrix NetScaler ADC and Gateway devices, allows attackers to retrieve memory contents simply by sending malformed POST requests during login attempts.

This critical flaw is named CitrixBleed2 as it closely resembles the original CitrixBleed (CVE-2023-4966) bug from 2023, which was exploited by ransomware gangs and in attacks on governments to hijack user sessions and breach networks.

The researchers confirmed that the vulnerability can be exploited by sending an incorrect login request, where the login= parameter is modified so it's sent without an equal sign or value.

While Citrix continues to state that the flaw is not actively being exploited, security researcher Kevin Beaumont disputes Citrix's statement, saying the vulnerability has been actively exploited since mid-June, with attackers leveraging the bug to dump memory and hijack sessions. (Lawrence Abrams / Bleeping Computer)

Related: The Register, watchTowr, Horizon3, GovInfoSecurity
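A defender-side check for the malformed login request the CitrixBleed 2 item above describes, as an added example that is not code from the article, Citrix, watchTowr or Horizon3; the endpoint path and the sample requests are assumptions constructed for illustration.

```python
"""Heuristic check for the malformed CitrixBleed 2 (CVE-2025-5777) login
request described above: a POST to the NetScaler login endpoint whose form
body carries a bare 'login' field with no '=' and no value.

Added example, not code from the article, Citrix, watchTowr or Horizon3.
It assumes you can replay captured POST bodies (from a WAF or reverse-proxy
log that records bodies) as plain strings; the endpoint path and every
request below are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import unquote_plus

# Assumed login endpoint; adjust to the path your gateway actually serves.
LOGIN_PATH = "/p/u/doAuthentication.do"


def parse_form_body(body: str) -> list[tuple[str, str | None]]:
    """Split an application/x-www-form-urlencoded body into (name, value)
    pairs. Unlike urllib.parse.parse_qsl, a field with no '=' at all is
    kept with value None instead of being dropped, because that missing
    '=' is exactly the shape the report describes."""
    pairs: list[tuple[str, str | None]] = []
    for field in body.split("&"):
        if not field:
            continue
        if "=" in field:
            name, value = field.split("=", 1)
            pairs.append((unquote_plus(name), unquote_plus(value)))
        else:
            pairs.append((unquote_plus(field), None))
    return pairs


def is_malformed_login(body: str) -> bool:
    """True when the body has a 'login' field sent without '=' or value.
    A normal failed login ('login=&passwd=x') still has the '=' and is
    not flagged by this check."""
    return any(name == "login" and value is None
               for name, value in parse_form_body(body))


def scan_requests(requests: list[dict]) -> list[str]:
    """Return ids of login-endpoint POSTs whose body matches the malformed
    shape, so they can be correlated with session-hijack activity."""
    return [
        req["id"]
        for req in requests
        if req["method"] == "POST"
        and req["path"] == LOGIN_PATH
        and is_malformed_login(req["body"])
    ]


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    {"id": "r1", "method": "POST", "path": LOGIN_PATH,
     "body": "login=alice&passwd=secret"},          # ordinary login
    {"id": "r2", "method": "POST", "path": LOGIN_PATH,
     "body": "login"},                              # bare field, no '='
    {"id": "r3", "method": "POST", "path": LOGIN_PATH,
     "body": "login&passwd=x"},                     # bare field plus others
    {"id": "r4", "method": "POST", "path": LOGIN_PATH,
     "body": "login=&passwd=x"},                    # empty value, has '='
    {"id": "r5", "method": "POST", "path": "/cgi/other",
     "body": "login"},                              # wrong endpoint
]

if __name__ == "__main__":
    print("suspicious request ids:", scan_requests(SAMPLE_REQUESTS))
```

Because the check only looks at request shape, treat a hit as a trigger for session-token review and patch verification rather than as proof of compromise.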

Nigeria's data protection agency has fined Multichoice Nigeria Limited, Africa's biggest pay television company, 766 million naira ($501,340) for violating the country's data protection law.

Babatunde Bamigboye, head of legal at the Nigeria Data Protection Commission (NDPC), said the penalty follows an investigation initiated a year ago, prompted by suspected breaches of subscribers' privacy rights and illegal cross-border transfer of personal data. (Camillus Eboh / Reuters)

Related: Punch Newspapers, TechAfrica News, AFP, Sahara Reporters, Techloy

Researchers at Trend Micro report that a new ransomware group that calls itself Bert has been breaching organizations across Asia, Europe, and the US, with victims reported in the healthcare, technology, and event services sectors.

The ransomware has infected both Windows and Linux systems, the researchers said. Although the initial access method remains unknown, analysts discovered a PowerShell script that turns off security tools on victims' systems before downloading and executing the ransomware.

Once inside a system, the malware drops a ransom note that reads: “Hello from Bert! Your network is hacked, and files are encrypted,” followed by instructions for contacting the attackers to negotiate payment.

Researchers said the ransomware is actively being developed, with multiple variants already observed. While no specific threat actor has been formally linked to the attacks, the use of Russian infrastructure may suggest ties to groups operating in or affiliated with the region.

Trend Micro says Bert may have originated from the Linux variant of REvil, a notorious ransomware gang dismantled in 2021. Although REvil is no longer active, elements of its code appear to have been reused. (Daryna Antoniuk / The Record)

Related: Trend Micro, Infosecurity Magazine, Dark Reading

Bert ransomware note. Source: Trend Micro.

Researchers at CyberCube identified 287 high-risk companies out of a total of 15,000 companies it analyzed that use three or more technologies frequently exploited by Scattered Spider, combined with security lapses the group is known to target.

These high-risk companies also maintain security conditions that may allow the threat actor to complete critical steps across the attack lifecycle and ultimately achieve their objectives.

An additional 7% (1,037 companies) were categorized as medium risk, using at least one of the group’s preferred technologies and exhibiting vulnerabilities that could allow partial progression of an attack.

CyberCube said that all companies it identified as high risk should be on heightened alert. Among them are seven aviation firms, including Hawaiian Airlines, which was recently confirmed as one of Scattered Spider’s latest victims. (Beth Musselwhite / Reinsurance News)

Related: Cybercube, Insurance Edge, The Insurer, Cyberscoop

Analysis of companies at high risk of Scattered Spider attacks. Source: Cybercube.

Renkim, a third-party vendor used by Ballad Health, a chain of hospitals headquartered in Johnson City, TN, to provide mail processing services, experienced a data security breach in March, and some personal information was reportedly accessed.

Renkim took steps to stop the suspicious activity and secure its network, the notice states. An investigation was launched, which determined the suspicious activity began on March 2, 2025.

The information affected was reportedly limited to what Renkim is provided by its clients, like Ballad, for the provider to create mailings. The notice states that information typically includes people’s full names, contact information, the client's name, client account number, and dates of service.

“In a few instances, it also includes date of birth and Social Security number,” the notice states.

The breach was investigated by experts hired by Renkim, and law enforcement was notified. Renkim is mailing letters to people impacted by the breach.

According to Ballad, in most cases, the affected people did not have enough information taken to result in identity theft or fraud. (Murry Lee / WJHL)

Related: Ballad Health, WCYB

Since developer Xe Iaso launched it in January, Anubis, a program "designed to help protect the small internet from the endless storm of requests that flood in from AI companies,” has been downloaded nearly 200,000 times.

It is being used by notable organizations including GNOME, the popular open-source desktop environment for Linux, FFmpeg, the open-source software project for handling video and other media, and UNESCO, the United Nations organization for education, science, and culture.

Iaso decided to develop Anubis after discovering that her own Git server was struggling with AI scrapers, bots that crawl the web hoovering up anything that can be used as training data for AI models. Like many libraries, archives, and other small organizations, Iaso discovered her Git server was getting slammed only when it stopped working. (Emanuel Maiberg / 404 Media)

Related: r/technology, r/antiai, Beehaw, Slashdot

Kaspersky researchers believe the operation has been active since at least July of last year and is ongoing. Based on telemetry data, the phishing emails delivering Batavia have reached employees at several dozen targeted Russian organizations.

Since January 2025, the campaign has increased in intensity and peaked towards the end of February.

The researchers have not speculated about the purpose of the campaign, but the targets combined with Batavia's capabilities might indicate an espionage operation on Russia’s industrial activity. (Bill Toulas / Bleeping Computer)

Related: Securelist, Security Affairs, GBHackers

Example of an email with a malicious link. Source: Kaspersky.

On its official Telegram channel and dark web site, the newly formed SatanLock ransomware group said it is shutting down, but not before it leaks all the data it has stolen from victims.

The group has deleted all victim listings that were visible just hours ago. Now, anyone visiting their .onion site sees a message reading, “SatanLock project will be shut down – The files will all be leaked today.” (Waqas / HackRead)

Related: BetaNews

SatanLock Ransomware’s announcement (Image credit: Hackread.com)

Canadian utility Nova Scotia Power is notifying about 280,000 people of a data breach that occurred following a cyberattack earlier this year.

The company said an investigation revealed that hackers had access to critical systems from March 19 to April 25, allowing them to steal names, addresses, driver's license numbers, Canadian Social Insurance numbers, bank account details, and troves of information from the Nova Scotia Power program including power consumption, service requests, customer payment, billing and credit history, and customer correspondence.

The investigation is ongoing, and the information stolen varied from customer to customer. Victims are being given two years of credit monitoring services.

Law enforcement and regulatory agencies have been notified of the cyberattack and breach, according to the company. (Jonathan Greig / The Record)

Related: Office of the Maine Attorney General

Russian developers behind a custom firmware used to convert consumer drones for military use in Ukraine reported a cyberattack on their infrastructure, disrupting the system that distributes the software.

According to a statement posted on the Telegram channel Russian Hackers – To the Front, unidentified hackers breached servers responsible for delivering the “1001” firmware, displayed false messages on operator terminals, and then turned off the system.

The developers said the firmware itself was not compromised, calling the risk of backdoors or malicious code “extremely low.” However, drone operators were advised to disconnect their terminals as a precaution.

The firmware, used to modify certain DJI drone models, is not available for public download and is distributed through a network of drone service centers equipped with pre-configured laptops, known as “terminals,” that receive updates from a remote server. Independent Russian cybersecurity expert Oleg Shakirov said on Telegram that the attackers likely targeted this server.

The developers claim that around 200,000 drones had been updated with the 1001 firmware as of March. While not widely known, the software removes manufacturer-imposed flight limits, improves resistance to GPS spoofing, and enables the use of high-capacity batteries, all of which make them more suitable for military missions. (Daryna Antoniuk / The Record)

Related: Telegram

A crypto hacker involved in a Coinbase exploit has stirred the crypto markets once again, disposing of 26,347 ETH worth $68.18 million for DAI within 12 hours.

The rapid-fire series of transactions spanned several blocks and liquidated the ETH on average for $2,587.77 per ETH. After this mass dump, the attacker is left with $45.36 million in DAI in two wallets.

The hacker's earlier purchase of ETH was strange because, on May 22, the same hacker had sold the stolen ETH at a higher price of more than $45M, with each ETH coin priced at 2,558. And yet he returned and purchased 207.17 ETH with 536,000 DAI.

Analysts flagged the transaction as unusual behavior that may represent either a test of market manipulation or a calculated long-term strategy.

Although the ETH sales were significant, the attacker still retains $45.36M in DAI that could be swapped back into ETH or moved into other assets unless the funds are frozen or the attacker is caught. The holding pattern implies that the hacker is waiting for a favorable moment in the market to re-enter. (Ishtiyaq Hussain / Blockchain Reporter)

Related: Crypto Economy, Cryptorank

Google is implementing a confusing change that will enable its Gemini AI engine to interact with third-party apps, such as WhatsApp, even when users previously configured their devices to block such interactions.

An email Google sent recently informing users of the change linked to a notification page that said that “human reviewers (including service providers) read, annotate, and process” the data Gemini accesses. The email provides no practical guidance for preventing the changes from taking effect. The email said users can block the apps that Gemini interacts with, but even in those cases, data is stored for 72 hours.

The email never explains how users can fully extricate Gemini from their Android devices and seems to contradict itself on how or whether this is even possible. At one point, it says the changes “will automatically start rolling out” today and will give Gemini access to apps such as WhatsApp, Messages, and Phone “whether your Gemini apps activity is on or off.” A few sentences later, the email says, “If you have already turned these features off, they will remain off.” (Dan Goodin / Ars Technica)

Best Thing of the Day: Helping Those With No Money to Understand Cybersecurity

Cybersecurity company Domain Tools supports journalists, academic researchers, NGOs, and non-profit cybersecurity-related organizations worldwide with grants for access to its services.

Worst Thing of the Day: Open Source Packages Get Even Riskier

Sonatype reports that there was a 188% increase in malicious open source packages in Q2 2025.

Closing Thought
