Daily News Update: Thursday, March 27, 2025 (Australia/Melbourne)



Chinese ‘FamousSparrow’ Hackers Resurface

The Chinese government-backed hacking group FamousSparrow, thought to be dormant since 2022, has allegedly been targeting organisations in the U.S., Mexico, and Honduras.
ESET researchers discovered suspicious activity on a U.S. trade group's network and found hacking tools linked to FamousSparrow.
ESET notes, on the overlaps between FamousSparrow and related clusters such as Salt Typhoon: "We believe those links are better explained by positing the existence of a shared third party, such as a digital quartermaster, than by conflating all of these disparate clusters of activity into one."
That may seem a fine distinction, but it matters when prioritising TTPs and IOCs/IOAs for detection and mitigation: controls tuned to FamousSparrow won't necessarily cover Salt Typhoon's TTPs, and where tooling is shared, an indicator match on its own is not an attribution.
The group has upgraded its SparrowDoor backdoor, with ESET finding two previously undocumented versions on victim networks. FamousSparrow has been active since at least 2019, targeting hotels and other organisations.
Recent investigations uncovered activity between 2022 and 2024, including attacks on a government organisation in Honduras and a research institute in Mexico.
The hackers used custom-made tools alongside the ShadowPad backdoor, which is shared among several China-aligned groups; the toolset can transfer files, monitor system changes, take screenshots, run commands, and log keystrokes.
The Record | "Chinese ‘FamousSparrow’ hackers back from the dead and targeting North America, researchers say"
ESET | You will always remember this as the day you finally caught FamousSparrow

RedCurl Cyberspies Deploy Ransomware Targeting Hyper-V Servers

The threat actor 'RedCurl,' known for corporate espionage since 2018, is now deploying "QWCrypt" ransomware to encrypt Hyper-V virtual machines.
Bitdefender Labs researchers observed RedCurl deviating from their usual data exfiltration tactics to deploy ransomware on compromised networks.
The attacks begin with phishing emails carrying ".IMG" disk-image attachments disguised as CVs. Opening the image mounts it as a drive letter; inside is a legitimate screensaver (.scr) executable abused for DLL sideloading: it loads a malicious DLL placed beside it, which downloads the payload and establishes persistence via a scheduled task.
RedCurl uses "living-off-the-land" tools, a custom wmiexec variant, and the 'Chisel' tool for tunneling/RDP access.
QWCrypt supports numerous command-line arguments to customise attacks, including --excludeVM to skip virtual machines acting as network gateways (encrypting those would cut off network access, the attackers' own included).
The ransomware uses XChaCha20-Poly1305 authenticated encryption and appends either the .locked$ or .randombits$ extension to encrypted files. The ransom note is named !!!how_to_unlock_randombits_files.txt$ and contains text lifted from LockBit, HardBit, and Mimic ransom notes.
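The delivery chain above (a .scr launched from a mounted image that then registers a scheduled task) is what an endpoint rule should key on, rather than the final ransomware binary. The following is an added example written for this page, not Bitdefender's or the page's own code: it walks constructed, Sysmon-like process-creation records and flags a schtasks /create whose ancestry includes a screensaver executed from outside the Windows directory. The event fields, sample paths and the E:\ drive letter standing in for the mounted .IMG are all assumptions.

```python
"""Flag a RedCurl-style chain: a screensaver (.scr) run from a mounted image that
goes on to create a scheduled task.

Added example, not Bitdefender's or the page's own code. Input is constructed,
Sysmon-like process-creation telemetry reduced to the fields the rule needs;
the field names, sample paths and depth cap are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str


# Constructed sample telemetry (not real). E:\ stands for the mounted .IMG attachment.
SAMPLE_EVENTS = [
    ProcEvent(4000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    # lure: .scr run from the mounted image; it would sideload a DLL placed next to it
    ProcEvent(4100, 4000, r"E:\CV_Applicant.scr", r"E:\CV_Applicant.scr /s"),
    # persistence created by the sideloaded payload running inside the .scr process
    ProcEvent(4200, 4100, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\up.exe" /sc minute /mo 5'),
    # benign: a real screensaver from System32, no persistence
    ProcEvent(5000, 4000, r"C:\Windows\System32\Bubbles.scr", r"C:\Windows\System32\Bubbles.scr /s"),
    # benign: an admin creating a task from a console, no .scr in the ancestry
    ProcEvent(6000, 5500, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily'),
]


def suspicious_scr(ev: ProcEvent) -> bool:
    """A .scr executed from anywhere other than the Windows directory is rare and worth a look."""
    img = ev.image.lower()
    return img.endswith(".scr") and not img.startswith("c:\\windows\\")


def is_task_creation(ev: ProcEvent) -> bool:
    """schtasks.exe invoked with /create, regardless of argument casing."""
    img = ev.image.lower()
    return img.endswith("\\schtasks.exe") and "/create" in ev.cmdline.lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 16) -> Iterator[ProcEvent]:
    """Walk parent links; the visited set and depth cap guard against PID-reuse loops."""
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    depth = 0
    while cur is not None and cur.pid not in seen and depth < max_depth:
        yield cur
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
        depth += 1


def find_chains(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (scr_event, schtasks_event) pairs where a task was created under a suspicious .scr."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not is_task_creation(ev):
            continue
        for anc in ancestors(ev, by_pid):
            if suspicious_scr(anc):
                hits.append((anc, ev))
                break
    return hits


if __name__ == "__main__":
    for scr, task in find_chains(SAMPLE_EVENTS):
        print(f"ALERT: pid {task.pid} created a scheduled task under {scr.image} (pid {scr.pid})")
```

The rule deliberately ignores a .scr from System32 and a schtasks /create with no screensaver in its ancestry, so it stays quiet on real screensavers and routine administration; a .scr from a mounted or removable drive on its own is a lower-confidence signal worth surfacing separately, and the same ancestry walk extends naturally to the wmiexec and Chisel activity mentioned below.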
Bleeping Computer | "RedCurl cyberspies create ransomware to encrypt Hyper-V servers"

StreamElements Discloses Third-Party Data Breach

StreamElements, a cloud-based streaming company, has confirmed a data breach at a third-party service provider after a threat actor leaked samples of stolen data on a hacking forum. The platform reassured users that the attack did not affect its own servers, but older data held by a third-party provider it stopped working with last year was still exposed.
A threat actor claimed to have stolen the data of 210,000 StreamElements customers, including full names, addresses, phone numbers, and email addresses. Twitch-focused journalist Zach Bussey verified the legitimacy of the data breach.
StreamElements has alerted the community about phishing attacks taking advantage of the security incident.
Bleeping Computer | "StreamElements discloses third-party data breach after hacker leaks data"

Sensitive Documents Stolen from NSW Court System

Australian police are investigating the theft of "sensitive" data from a New South Wales court system, with approximately 9,000 files stolen from the NSW Online Registry website (ORW).
The stolen files include affidavits and apprehended violence orders (AVOs), which are restraining orders to protect victims of domestic violence, child abuse, and other physical harms.
The full extent of the data theft is not yet known, but leaking AVOs could expose the names and addresses of both victims and alleged offenders. Law enforcement officials are contacting those believed to be affected and urging others to file a report via ReportCyber, Australia's cybercrime reporting service.
The Register | "Files stolen from NSW court system, including restraining orders for violence"

NYU Website Defaced, Data Leaked

A hacker compromised New York University's (NYU) website, exposing personal information of over 1 million students. The attacker replaced the homepage with charts and datasets categorising standardised testing scores by race, claiming the action was in response to the Supreme Court's decision on affirmative action.
However, the exposed data included full names, addresses, phone numbers, GPAs, and email addresses.
Cybersecurity expert Zack Ganot from DataBreach.com highlighted the severity of the leak, noting that the hacker failed to redact personal information correctly. NYU's IT team is working with cybersecurity consultants to review the incident and notify affected individuals. The hacker claimed to be part of a group called "Computer Niggy Exploitation," which has previously targeted the University of Minnesota.
Even if the hacker meant to highlight illegal discrimination, leaking the personal data of over a million people is reckless. The collateral damage is real — and the privacy consequences for over 1 million people won’t just disappear after the headlines fade.
The Record | "Hacker defaces NYU website, exposing admissions data on 1 million students"

Defense Contractor to Pay Millions Over Cybersecurity Failures

MORSE Corp, a technology company based in Cambridge, Massachusetts, has agreed to pay $4.6 million to resolve allegations of violating the False Claims Act by failing to meet federal cybersecurity requirements. The company, which has contracts with the U.S. Army and Air Force, used a third-party provider to host emails without ensuring it met NIST security requirements.
The Department of Justice stated that MORSE's failure to implement cybersecurity measures "could lead to significant exploitation of the network or exfiltration of controlled defense information." The company also did not produce a written plan for its information systems.
MORSE overstated its cyber posture in a 2021 self-assessment, giving itself a score of 104, while a subsequent audit scored it at -142, finding it failed to comply with 78% of the NIST requirements (the DoD assessment methodology for NIST SP 800-171 scores from a maximum of 110 down to -203, so a negative score means most of the heavily weighted controls were missing).
The Record | "Defense contractor to pay $4.6 million over third-party provider’s security weakness"
The Register | "US defense contractor cops to sloppy security, settles after infosec lead blows whistle"

New 'Atlantis AIO' Automates Credential Stuffing

A new cybercrime platform named 'Atlantis AIO' provides an automated credential stuffing service against 140 online platforms, including email services, e-commerce sites, banks, and VPNs.
Atlantis AIO features pre-configured modules for brute force attacks, CAPTCHA bypass, automated account recovery processes, and monetisation of stolen credentials/accounts.
The platform offers three main modules: Email Account Testing, Brute Force Attacks, and Account Recovery. Abnormal Security discovered Atlantis AIO, reporting that it is capable of targeting over 140 online services worldwide, including Hotmail, AOL, Mail.ru, Mail.com, Gmx, Wingstop, Buffalo Wild Wings, and Safeway.
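From the defender's side, the traffic a tool like this generates has a recognisable shape: one source tries many distinct usernames, most attempts fail, and it all happens in a short window. The following is an added example written for this page, not from the page or from Abnormal Security's report: it scores constructed authentication log lines per source IP on those three traits and lists the accounts that did log in from a flagged source, which are the ones to force a reset on. The log format, field names and thresholds are assumptions.

```python
"""Score authentication logs for credential-stuffing traffic.

Added example, not from the page or from Abnormal Security's report. Each source
IP is scored on what stuffing leaves behind (many distinct usernames, a high
failure ratio, a short time span); accounts that succeeded from a flagged IP are
the ones whose stuffed credential was valid. Log format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample log (not real traffic). Assumed format per line:
#   <iso-timestamp> ip=<addr> user=<name> result=<ok|fail>
SAMPLE_LOG = """\
2025-03-27T09:00:00 ip=203.0.113.9 user=alice result=fail
2025-03-27T09:00:01 ip=203.0.113.9 user=bob result=fail
2025-03-27T09:00:01 ip=203.0.113.9 user=carol result=ok
2025-03-27T09:00:02 ip=203.0.113.9 user=dave result=fail
2025-03-27T09:00:02 ip=203.0.113.9 user=erin result=fail
2025-03-27T09:00:03 ip=203.0.113.9 user=frank result=fail
2025-03-27T09:00:03 ip=203.0.113.9 user=grace result=fail
2025-03-27T09:00:04 ip=203.0.113.9 user=heidi result=fail
2025-03-27T09:05:00 ip=198.51.100.4 user=alice result=fail
2025-03-27T09:05:30 ip=198.51.100.4 user=alice result=fail
2025-03-27T09:06:00 ip=198.51.100.4 user=alice result=ok
2025-03-27T09:07:00 ip=192.0.2.77 user=ivan result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def span_seconds(self) -> float:
        return (self.last - self.first).total_seconds() if self.first and self.last else 0.0


def parse_log(text: str) -> List[Event]:
    """Parse the assumed format; lines that do not match are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok"))
    return events


def ip_stats(events: Iterable[Event]) -> Dict[str, IpStats]:
    """Aggregate attempts, failures, distinct users and time span per source IP."""
    stats: Dict[str, IpStats] = defaultdict(IpStats)
    for e in events:
        st = stats[e.ip]
        st.attempts += 1
        st.failures += 0 if e.ok else 1
        st.users.add(e.user)
        st.first = e.ts if st.first is None or e.ts < st.first else st.first
        st.last = e.ts if st.last is None or e.ts > st.last else st.last
    return dict(stats)


def detect_stuffing(events: List[Event], min_users: int = 5, min_fail_ratio: float = 0.7,
                    max_span_seconds: float = 600) -> Dict[str, IpStats]:
    """Flag IPs that tried many distinct accounts, mostly failing, within a short window.

    One account failing repeatedly from one IP (a forgotten password, or brute force)
    deliberately does not match; that is a different detection.
    """
    return {
        ip: st for ip, st in ip_stats(events).items()
        if len(st.users) >= min_users
        and st.fail_ratio >= min_fail_ratio
        and st.span_seconds <= max_span_seconds
    }


def compromised_accounts(events: Iterable[Event], flagged_ips: Iterable[str]) -> Set[str]:
    """A success from a flagged IP means the stuffed credential was valid: force a reset."""
    flagged = set(flagged_ips)
    return {e.user for e in events if e.ip in flagged and e.ok}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    flagged = detect_stuffing(evts)
    for ip, st in flagged.items():
        print(f"{ip}: {st.attempts} attempts, {len(st.users)} users, "
              f"{st.fail_ratio:.0%} failed in {st.span_seconds:.0f}s")
    print("force reset:", sorted(compromised_accounts(evts, flagged)))
```

Stuffing tools rotate through proxy pools, so a per-IP rule alone misses distributed runs; in production pair it with a per-account view (one account hit from many IPs in a window) and aggregation by ASN or proxy reputation, and treat the successful logins, not just the failures, as the actionable output.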
Bleeping Computer | "New 'Atlantis AIO' automates credential stuffing on 140 services"

Google Patches Chrome Zero-Day Exploited in Espionage Campaign

Google has addressed a high-severity Chrome zero-day vulnerability, tracked as CVE-2025-2783, which was actively exploited to bypass the browser's sandbox and deploy malware in espionage attacks targeting Russian organisations.
The vulnerability, described as an "incorrect handle provided in unspecified circumstances in Mojo on Windows," was discovered by Kaspersky researchers Boris Larin and Igor Kuznetsov. Mojo is Chromium's inter-process communication layer, which is why a handle-validation flaw there translates directly into a sandbox escape.
The exploit is being used in phishing attacks that redirect victims to the primakovreadings[.]info domain as part of a cyber-espionage campaign dubbed "Operation ForumTroll." Kaspersky's analysis revealed that attackers also used a second exploit for remote code execution.
The malicious emails contained invitations supposedly from the organisers of a scientific and expert forum, 'Primakov Readings,' targeting media outlets, educational institutions, and government organisations in Russia.
Bleeping Computer | "Google fixes Chrome zero-day exploited in espionage campaign"

UK Warns of Emerging Threat from Online 'Com Networks'

The UK's National Crime Agency (NCA) has warned of a growing threat from online networks of teenage boys, known as "Com networks," who are "dedicated to inflicting harm and committing a range of criminality."
These networks, predominantly composed of young, English-speaking cybercriminals, share sadistic and misogynistic material and target individuals their own age or younger.
As these communities grow, so does the pool of resources that cybercriminals can draw on.
NCA Director General Graeme Biggar noted that reports of Com network threats increased six-fold from 2022 to 2024. The agency is collaborating with tech companies, psychologists, and safeguarding agencies to understand and combat this phenomenon.
These groups are not lurking on the dark web; they exist in the same online world and on the same platforms young people use on a daily basis. It is especially concerning to see the impact this is having on young girls, who are often groomed into hurting themselves and, in some cases, even encouraged to attempt suicide.
The Record | "UK warns of emerging threat from ‘sadistic’ online ‘Com networks’ of teenage boys"