Good Morning Cyber Gang,
Tuesday dawned with an overflow of security developments touching every layer of business—from endpoint patching and supply-chain sabotage to geopolitical espionage and privacy regulation fallout.
James Azar’s latest CyberHub Podcast episode dissects Apple’s urgent iOS 18.5 fix-fest, a Turkish APT’s silent foothold in niche chat software, and the cascading real-world impact of cyber disruptions at UK grocer Co-op. Add a hacktivist hit on a U.S. charter airline, rising Click-Fix attacks that now snare Linux users, and an ASUS driver hub flaw with near-max CVSS, and it’s clear defenders have no room to coast.
Below, every story is unpacked in detail, followed by a practitioner-focused action list to harden defenses before the next headline breaks.
Apple Ships iOS 18.5 and Companion OS Patches
Apple pushed iOS 18.5, iPadOS, macOS Sequoia/Sonoma/Ventura, watchOS, tvOS and visionOS updates that close critical code-execution bugs in AppleJPEG, Core Media, Core Audio, Core Graphics and Image IO. Eight WebKit flaws that could hand hostile websites full browser control are also quashed, alongside kernel memory-corruption fixes and the industry-wide libexpat CVE-2024-8176. The patches cover devices from iPhone XS onward; Apple urges immediate deployment, noting attackers can weaponize booby-trapped media or webpages with little user interaction.
“Marbled Dust” Exploits Output Messenger Zero-Day
Microsoft Threat Intelligence attributes a stealthy campaign to Marbled Dust, a Turkey-linked actor targeting Kurdish military-aligned users in Iraq. The group chained directory-traversal CVE-2025-27920 in the little-scrutinized Output Messenger chat server to plant scripts in startup folders, unload a multi-stage backdoor and exfiltrate data via look-alike domains such as api.wordinfo.com. Vendor Srimax has patched in v2.0.62+, but many on-prem installations remain exposed.

Cyberattack Starves UK Co-op Stores of Stock
Two weeks after detecting unauthorized network access, UK retail chain Co-op is still running core logistics offline, leaving some depots shipping under 20% of normal volume and store shelves visibly empty. Customer/member data was confirmed stolen, and staff fear the threat actors may yet retain footholds. The incident underscores how business-continuity planning—not just ransomware response—determines consumer-facing fallout.
Anonymous Breaches GlobalX Charter Airline
Hacktivist collective Anonymous defaced a Global Crossing Airlines (GlobalX) sub-domain, protesting the carrier’s charter role in U.S. deportation flights. Leaked passenger manifests and flight logs were sent to media outlets, though an SEC 8-K states flight operations were unhindered. Segmentation between business and operational networks appears to have limited impact, but regulators will probe data-protection obligations.
Lee Enterprises Counts the Cost of February Ransomware
Regional-newspaper giant Lee Enterprises disclosed US $2 million in restoration expenses and advertising-revenue disruption after February’s ransomware event encrypted critical apps and stalled billing. The publisher of 70+ titles reported a quarterly net loss of US $12 million, illustrating how even brief downtime reverberates through cash flow and vendor relations when cyber insurance and contingency plans fall short.
Click-Fix Social Engineering Evolves for Linux
Researchers at Hunt.io caught Pakistan-aligned APT-36 adapting the Click-Fix tactic—fake CAPTCHA or “usage rights” pop-ups that copy malicious commands to a victim’s clipboard—to target Linux alongside Windows. A spoofed Indian Defence Ministry site profiles visitors, delivering either an MSHTA payload for Windows or Bash commands for Linux, ultimately dropping info-stealers and remote shells.
ASUS DriverHub RCE Flaws (CVE-2025-3462/-3463)
ASUS patched two high-severity vulnerabilities (CVSS 8.4 & 9.4) in DriverHub, its motherboard auto-update service. Improper origin and certificate validation let attackers serve crafted HTTP responses that trigger remote code execution with system privileges. Threat actors routinely abuse driver-updaters; organizations running ASUS endpoints should deploy the fixed build and monitor for rogue outbound traffic.
Fake AI Tools Push “Noodlophile” Infostealer
Morphisec analysts uncovered a campaign luring creatives with slick websites and Facebook ads touting “AI-powered” video and image editors. The installers instead drop Noodlophile, a modular info-stealer that siphons browser cookies, crypto wallets and cloud-storage tokens. One post logged 62k views, proving malware peddlers no longer need email spam when social virality suffices.
Bulgarian Spy Cell for Hire Sentenced in UK
A six-person Bulgarian network conducting Kremlin-directed surveillance across Europe—ranging from Ukrainian troop sites to high-profile dissidents—received a cumulative 50-year sentence in London’s Old Bailey. Evidence showed coordination by Wirecard fugitive Jan Marsalek and Russia’s GRU/FSB, spotlighting how Moscow outsources espionage to plausibly deniable “freelancers.”
📌 Practitioner Action List
Patch Apple & ASUS Endpoints: Push iOS 18.5 and DriverHub updates via MDM/EPP tools to shut down media-parsing and RCE vectors.
Update Output Messenger to v2.0.62+: Scan for CVE-2025-27920 exploitation and outbound traffic to wordinfo[.]com or similar C2 domains.
Test Logistics DR Plans: Use Co-op’s shortages as a tabletop template—ensure your supply chain keeps moving during IT isolation.
Harden Airline & Travel Data Stores: Encrypt PNRs, enforce least-privilege, and log all access for incident-response proof.
Review Ransomware Financial Exposure: Validate cyber-insurance clauses and offline billing contingencies in light of Lee Enterprises’ $2 M outlay.
Block Clipboard Command Abuse: Disable clipboard pastes from untrusted origins; add Click-Fix IOCs to web-filtering rules.
Deploy Social-Media Threat Intel: Monitor trending AI-tool hashtags for malicious domains before employees click.
Track Outsourced Espionage Tactics: Integrate GRU/FSB freelance indicators into geopolitical risk models for European operations.
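For the Output Messenger action item above (hunting outbound traffic to wordinfo[.]com), here is an added example, not code from the podcast or from Microsoft, that sweeps proxy logs for the C2 domain named in the story. The log lines are constructed; the matching is suffix-based so a subdomain like api.wordinfo.com hits while an unrelated name such as notwordinfo.com does not.

```python
"""Flag outbound proxy connections to the Marbled Dust C2 domain from the show notes."""
import re
from dataclasses import dataclass

# Indicator from the Marbled Dust story (written defanged as wordinfo[.]com in the action list).
C2_DOMAINS = {"wordinfo[.]com"}

# Constructed squid-style lines: "<epoch> <src_ip> <method> <target> <status>"
SAMPLE_LOG = """\
1747100001.123 10.0.5.14 CONNECT api.wordinfo.com:443 200
1747100002.456 10.0.5.14 GET http://updates.example.com/patch.bin 200
1747100003.789 10.0.5.22 GET http://notwordinfo.com/index.html 200
1747100004.001 10.0.5.31 CONNECT WORDINFO.COM.:443 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src_ip: str
    host: str


def host_from_target(target: str) -> str:
    """Normalize a CONNECT host:port or a full URL to a bare lowercase hostname (IPv4/DNS names only)."""
    host = target.split("://", 1)[1] if "://" in target else target
    host = host.split("/", 1)[0]          # drop any path
    host = host.rsplit(":", 1)[0]         # drop :port
    return host.lower().rstrip(".")       # case-fold, strip trailing dot


def matches_ioc(host: str, iocs: set[str]) -> bool:
    """True if host equals an indicator or is a subdomain of it (refangs [.] first)."""
    for ioc in iocs:
        d = ioc.replace("[.]", ".").lower()
        if host == d or host.endswith("." + d):
            return True
    return False


def scan_proxy_log(text: str, iocs: set[str] = C2_DOMAINS) -> list[Hit]:
    """Return one Hit per log line whose destination host matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than crash
        ts, src, _method, target, _status = m.groups()
        host = host_from_target(target)
        if matches_ioc(host, iocs):
            hits.append(Hit(ts, src, host))
    return hits
```

Feed it your own proxy export and extend C2_DOMAINS with other indicators from the vendor advisory; a hit from a host running Output Messenger on a pre-2.0.62 build is a strong signal to isolate and image before patching.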
✅ Story Links:
https://www.securityweek.com/apple-patches-major-security-flaws-in-ios-macos-platforms/
https://thecyberexpress.com/marbled-dust-exploit-output-messenger-zero-day/
https://therecord.media/co-op-cyberattack-uk-company-fears-hackers-still-in-system
https://www.securityweek.com/us-deportation-airline-globalx-confirms-hack/
https://www.cybersecuritydive.com/news/lee-enterprises-2-million-ransomware-attack/747773/
https://thehackernews.com/2025/05/asus-patches-driverhub-rce-flaws.html
https://thehackernews.com/2025/05/fake-ai-tools-used-to-spread.html
https://therecord.media/bulgarian-members-russian-spy-ring-sentenced-uk
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚨 Important Links to Follow:
👉Website:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.