Scattered LAPSUS$ Hunters claims dossiers on US officials including NSA employees

EU cops bust up illegal SIM-box service, Russia's COLDRIVER uses two new backdoors, Korea preps financial consumer data protection bill, 76K WatchGuard Firebox network security appliances are exposed on the web, Attackers target OpenVSX and Microsoft Visual Studio with GlassWorm malware, much more

Source: NSA.

Check out my brief CSO news item on how two new surveys show that security leaders fear generative AI is accelerating ransomware attacks.




Hacking group Scattered LAPSUS$ Hunters, which recently doxed hundreds of government officials, including those from the Department of Homeland Security (DHS) and Immigration and Customs Enforcement (ICE), has now built dossiers on tens of thousands of US government officials, including NSA employees, according to a group member.

The member said the group did this by digging through its caches of stolen Salesforce customer data. The person provided 404 Media with samples of this information, which 404 Media was able to corroborate.

As well as NSA officials, the person sent 404 Media personal data on officials from the Defense Intelligence Agency (DIA), the Federal Trade Commission (FTC), Federal Aviation Administration (FAA), Centers for Disease Control and Prevention (CDC), the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), members of the Air Force, and several other agencies.

They also sent personal information on officials from the Food and Drug Administration (FDA), Health and Human Services (HHS), and the State Department. 404 Media verified parts of the data by comparing them to previously breached data collected by cybersecurity company District 4 Labs.

Except for the earlier DHS and DOJ data, the hackers don’t appear to have posted this more wide-ranging data publicly. Most of those agencies did not immediately respond to a request for comment. The FTC and Air Force declined to comment. DHS has not replied to multiple requests for comment sent since Thursday. Neither has Salesforce. (Joseph Cox / 404 Media)

Related: Databreaches.net

Last week, European law enforcement in an operation codenamed 'SIMCARTEL' dismantled an illegal SIM-box service that enabled more than 3,200 fraud cases and caused at least 4.5 million euros in losses.

The cybercriminal online services had about 1,200 SIM-box devices with 40,000 SIM cards to provide phone numbers that were used in telecommunication crimes ranging from phishing and investment fraud to impersonation and extortion.

Europol says that the cybercrime service operated through two websites, gogetsms.com and apisim.com, which have been seized and now display a law enforcement banner.

Taking down the digital infrastructure was a collaborative effort between Europol and the Shadowserver Foundation.

The fraudulent SIM-box service offered phone numbers registered to individuals in more than 80 countries, and rented them to customers who needed to create and verify fake online accounts, allowing them to hide their true identity and location. (Bill Toulas / Bleeping Computer)

Related: Europol, IT Pro, Infosecurity Magazine, SC Media, Data Breach Today, Security Affairs, Computing, Tech Radar, CyberScoop

Researchers at Google Threat Intelligence Group (GTIG) say that the Russia-sponsored threat group COLDRIVER is using two new backdoors tracked as YESROBOT and MAYBEROBOT, which are spread using ClickFix and a loader called NOROBOT.

COLDRIVER, which targets high-profile targets, including NATO member governments, policy advisors, former intelligence officers, and non-governmental organizations (NGOs), previously conducted credential phishing attacks without the deployment of malware.

However, GTIG reported in May 2025 that the group began wielding a novel credential-stealing malware dubbed LOSTKEYS.

In its latest report, published Monday, GTIG said COLDRIVER seems to have abandoned LOSTKEYS following its May exposure and has rapidly developed new malware that serves as a backdoor to execute commands and exfiltrate information.

Similar to its LOSTKEYS campaign, COLDRIVER uses ClickFix to deploy a loader tracked as NOROBOT. While both campaigns use a fake CAPTCHA, the newer attacks convince the user to execute the NOROBOT DLL via rundll32 rather than using PowerShell commands.

GTIG noted that Zscaler previously reported the use of these backdoors. Zscaler tracks YESROBOT as BAITSWITCH and MAYBEROBOT as SIMPLEFIX.

In response to COLDRIVER’s changing tactics, Google has incorporated the latest intelligence into its products, such as the Safe Browsing feature in Chrome. It also published indicators of compromise (IoCs) and YARA rules in its report. (Laura French / SC World)

Related: Google Cloud, GBHackers, Infosecurity Magazine

Malware development overview. Source: GTIG

In a parliamentary inspection, Lee Chan-jin, governor of Korea's Financial Supervisory Service (FSS), said his agency and the financial regulator will jointly seek to draft a bill on financial consumer data protection.

According to Lee, the bill would require financial companies to invest heavily in IT systems and other measures to block cybersecurity breaches and safeguard consumer data. It would also require virtual-asset exchanges to protect consumer data better.

The watchdog chief's remarks came as Lotte Card Co., the country's fifth-largest card issuer, said last month that the personal data of some 3 million customers had been leaked in a hacking incident.

The country's financial regulator said earlier it will take stern measures against any rule violations by Lotte Card, vowing to impose the highest-ever penalty on the card issuer should there be any serious violation. (Park Sang-soo / Yonhap News Agency)

Related: The Chosun Daily

Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and still vulnerable to a critical issue (CVE-2025-9242) that could allow a remote attacker to execute code without authentication.

Firebox devices act as a central defense hub that controls traffic between internal and external networks, providing protection through policy management, security services, VPN, and real-time visibility through WatchGuard Cloud.

Scans from The Shadowserver Foundation currently show that 75,835 vulnerable Firebox appliances exist worldwide, most of them in Europe and North America.

Specifically, the United States tops the list with 24,500 endpoints, followed by Germany (7,300), Italy (6,800), the United Kingdom (5,400), Canada (4,100), and France (2,000).

WatchGuard disclosed CVE-2025-9242 in a security bulletin on September 17 and rated the vulnerability with a critical-severity score of 9.3. The security problem is an out-of-bounds write in the Fireware OS ‘iked’ process, which handles IKEv2 VPN negotiations. (Bill Toulas / Bleeping Computer)

Related: Security Week

Heatmap of vulnerable Firebox devices. Source: The Shadowserver Foundation.

Researchers at endpoint security provider Koi report that a new and ongoing supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called GlassWorm that has been installed an estimated 35,800 times.

The malware hides its malicious code by using invisible characters. It can also spread itself using stolen account information to infect more extensions that the victim can access.

GlassWorm operators use Solana blockchain for command-and-control, making takedown very difficult, with Google Calendar as a backup option.

Microsoft Visual Studio and the OpenVSX platforms host extensions and integrations for Visual Studio products and are constant targets of threat actors looking to steal cryptocurrency.

The current GlassWorm campaign relies on "invisible Unicode characters that make malicious code literally disappear from code editors." Once installed, the malware attempts to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from 49 extensions.

Additionally, GlassWorm deploys a SOCKS proxy to route malicious traffic through the victim’s machine and installs VNC clients (HVNC) for invisible remote access. (Bill Toulas / Bleeping Computer)
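GlassWorm's trick of hiding code behind invisible Unicode characters is cheap to check for in a code review or CI step. The scanner below is an added example, not Koi's tooling or anything from the GlassWorm report; the code-point ranges it flags and the sample extension source are assumptions constructed for this illustration.

```python
import unicodedata

# Code points that render as nothing (or nearly nothing) in most editors yet
# survive in source text. These ranges are an assumption for this example; the
# page only says GlassWorm relies on "invisible Unicode characters".
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiner/non-joiner, LRM/RLM
    (0x2028, 0x202E),    # line/paragraph separators, bidi embedding controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # BOM / zero-width no-break space
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Any other "format" character (category Cf) has no business in source code.
    return unicodedata.category(ch) == "Cf"

def scan_source(text):
    """Return (line_no, col, codepoint, name) for every invisible character found.
    Splits on '\\n' only, so U+2028/U+2029 are reported instead of treated as newlines."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings

def summarize(findings):
    """Count hidden characters per line so a reviewer sees where payload is concentrated."""
    per_line = {}
    for line_no, _, _, _ in findings:
        per_line[line_no] = per_line.get(line_no, 0) + 1
    return per_line

# Constructed sample: a VS Code extension's activate() with five hidden
# characters appended to line 3, invisible in an editor but present on disk.
SAMPLE = (
    "const vscode = require('vscode');\n"
    "function activate(context) {\n"
    "  const cfg = 'ok';" + "\u200b\u200c\u200d\u2062\ufeff" + " // looks clean\n"
    "}\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
    print(summarize(scan_source(SAMPLE)))
```

Run it against an unpacked extension's .js files; any non-empty result is a reason to diff the file in a hex viewer before trusting it.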

Related: Koi, Dark Reading

Solana transaction that fetches next-stage payload. Source: Koi Security

A new bug discovered in Windows 11's October build, KB5066835, causes users' USB keyboard and mouse to stop working entirely, so they cannot interact with the recovery UI at all.

This problem has already been recognized and highlighted by Microsoft, which clarified that a fix is on its way to address this issue.

Any plugged-in peripherals will continue to work just fine inside the actual operating system, but as soon as users go into Windows RE, their USB keyboards and mice will become unresponsive. It's important to note that if their PC fails to start up for any reason, it defaults to the recovery environment. (Hassam Nasir / Tom's Hardware)

Related: Microsoft, Bleeping Computer, Bleeping Computer, The Register, Fudzilla, PC Gamer, PC World, Beta News, Tweak Town, Windows Report

A group of House Democrats is asking Homeland Security Secretary Kristi Noem to explain why the Department of Homeland Security reassigned many of its cybersecurity staff to roles focused on Trump-era immigration and deportation work, and how those shifts impact US cyberdefenses.

The letter, led by Rep. James Walkinshaw (D-VA), and also signed by Reps. Suhas Subramanyam (D-VA), Eugene Vindman (D-VA), and Shontel Brown (D-OH), along with Del. Eleanor Holmes Norton (D-DC), argues that DHS violated the Antideficiency Act when it reassigned those Cybersecurity and Infrastructure Security Agency staff to roles within Immigration and Customs Enforcement, the Federal Protective Service, and Customs and Border Protection.

The Antideficiency Act prohibits agencies from spending or obligating funding without congressional approval during a government shutdown. Amid the ongoing lapse in federal funding, the moves “raise serious concerns” about the Trump administration’s motives, the lawmakers say in the missive. (David DiMolfetta and Edward Graham / NextGov/FCW)

Related: GovExec

Google Project Zero’s Ivan Fratric and Natalie Silvanovich discovered a high-severity vulnerability in Dolby’s Unified Decoder that could be exploited for remote code execution, without user interaction in some instances.

Built on top of the Dolby Digital Plus (DD+) standard, the Unified Decoder is a software/hardware component used for processing DD+, Dolby AC-4, and other audio formats, converting them into formats that can be played back through speakers.

The decoder was impacted by an out-of-bounds write issue that could be triggered during the processing of evolution data.

Tracked as CVE-2025-54957 (CVSS score of 7.0), the security defect can be triggered using malicious audio messages, leading to remote code execution.

The researchers published proof-of-concept (PoC) exploit code demonstrating how the bug can be exploited to trigger a process crash on Android devices (Pixel 9 and Samsung S24), and on macOS and iOS.

Microsoft resolved the flaw as part of its October Patch Tuesday updates, noting that user interaction is required for successful exploitation on Windows. Last week, Google said patches were included in the latest ChromeOS updates. (Ionut Arghire / Security Week)

Related: Project Zero, SC Media, Daily Security Review

Defakto, the non-human identity security company formerly known as SPIRL, announced it had raised a $30.75 million Series B venture funding round.

XYZ Venture Capital led the round with continued participation from The General Partnership, Bloomberg Beta, and WndrCo. (Chris Metinko / Axios)

Related: Fortune

Private network security startup OneLayer announced it had raised $28 million in a series A venture funding round.

Maor Investments led the round with participation from McRock Capital, Chevron Technology Ventures, and existing backers Viola Ventures, Grove Ventures, and Koch Disruptive Technologies. (Dan Jones / Fierce Network)

Related: FinSMEs, OneLayer, CTech, Tech in Asia, Pulse 2.0

Best Thing of the Day: Signal Is Only Secure If Both Parties Agree

Lawfare's great Anna Bower brilliantly eviscerates Trump's former personal attorney Lindsey Halligan, who is the top prosecutor in the Eastern District of Virginia, charged with legally persecuting Trump's enemies, by publicly sharing Signal text exchanges the pair had, which could have been avoided had the inexperienced Halligan known to say "off the record" with the press.

Worst Thing of the Day: Doing the Right Thing Can Cost You Everything

Charles Borges, then chief data officer for the vast Social Security Administration, who last summer blew the whistle on DOGE's dubious copying of all our social security records, was shunned and subject to a hostile work environment, prompting him to resign and give up a decades-long government career and dream job.

Closing Thought
