Good Morning Cyber Gang,
Tuesday dawned with an overflow of security developments touching every layer of business—from endpoint patching and supply-chain sabotage to geopolitical espionage and privacy regulation fallout.
James Azar’s latest CyberHub Podcast episode dissects Apple’s urgent iOS 18.5 fix-fest, a Turkish APT’s silent foothold in niche chat software, and the cascading real-world impact of cyber disruptions at UK grocer Co-op. Add a hacktivist hit on a U.S. charter airline, rising Click-Fix attacks that now snare Linux users, and an ASUS driver hub flaw with near-max CVSS, and it’s clear defenders have no room to coast.
Below, every story is unpacked in detail, followed by a practitioner-focused action list to harden defenses before the next headline breaks.
Apple Ships iOS 18.5 and Companion OS Patches
Apple pushed iOS 18.5, iPadOS, macOS Sequoia/Sonoma/Ventura, watchOS, tvOS and visionOS updates that close critical code-execution bugs in AppleJPEG, Core Media, Core Audio, Core Graphics and Image IO. Eight WebKit flaws that could hand hostile websites full browser control are also quashed, alongside kernel memory-corruption fixes and the industry-wide libexpat CVE-2024-8176. The patches cover devices from iPhone XS onward; Apple urges immediate deployment, noting attackers can weaponize booby-trapped media or webpages with little user interaction.
“Marbled Dust” Exploits Output Messenger Zero-Day
Microsoft Threat Intelligence attributes a stealthy campaign to Marbled Dust, a Turkey-linked actor targeting Kurdish military-aligned users in Iraq. The group chained the directory-traversal flaw CVE-2025-27920 in the little-scrutinized Output Messenger chat server to plant scripts in startup folders, deploy a multi-stage backdoor and exfiltrate data via look-alike domains such as api.wordinfo.com. Vendor Srimax has patched the issue in v2.0.62+, but many on-prem installations remain exposed.
Cyberattack Starves UK Co-op Stores of Stock
Two weeks after detecting unauthorized network access, UK retail chain Co-op is still running core logistics offline, leaving some depots shipping under 20% of normal volume and store shelves visibly empty. Customer/member data was confirmed stolen, and staff fear the threat actors may still retain footholds. The incident underscores how business-continuity planning—not just ransomware response—determines consumer-facing fallout.
Anonymous Breaches GlobalX Charter Airline
Hacktivist collective Anonymous defaced a Global Crossing Airlines (GlobalX) sub-domain, protesting the carrier’s charter role in U.S. deportation flights. Leaked passenger manifests and flight logs were sent to media outlets, though an SEC 8-K states flight operations were unhindered. Segmentation between business and operational networks appears to have limited impact, but regulators will probe data-protection obligations.
Lee Enterprises Counts the Cost of February Ransomware
Regional-newspaper giant Lee Enterprises disclosed US $2 million in restoration expenses and advertising-revenue disruption after February’s ransomware event encrypted critical apps and stalled billing. The publisher of 70+ titles reported a quarterly net loss of US $12 million, illustrating how even brief downtime reverberates through cash flow and vendor relations when cyber insurance and contingency plans fall short.
Click-Fix Social Engineering Evolves for Linux
Researchers at Hunt.io caught Pakistan-aligned APT-36 adapting the Click-Fix tactic—fake CAPTCHA or “usage rights” pop-ups that copy malicious commands to a victim’s clipboard—to target Linux alongside Windows. A spoofed Indian Defence Ministry site profiles visitors, delivering either an MSHTA payload for Windows or Bash commands for Linux, ultimately dropping info-stealers and remote shells.
ASUS DriverHub RCE Flaws (CVE-2025-3462/-3463)
ASUS patched two high-severity vulnerabilities (CVSS 8.4 & 9.4) in DriverHub, its motherboard auto-update service. Improper origin and certificate validation let attackers serve crafted HTTP responses that trigger remote code execution with system privileges. Threat actors routinely abuse driver-updaters; organizations running ASUS endpoints should deploy the fixed build and monitor for rogue outbound traffic.
Fake AI Tools Push “Noodlophile” Infostealer
Morphisec analysts uncovered a campaign luring creatives with slick websites and Facebook ads touting “AI-powered” video and image editors. The installers instead drop Noodlophile, a modular info-stealer that siphons browser cookies, crypto wallets and cloud-storage tokens. One post logged 62k views, proving malware peddlers no longer need email spam when social virality suffices.
Bulgarian Spy Cell for Hire Sentenced in UK
A six-person Bulgarian network conducting Kremlin-directed surveillance across Europe—ranging from Ukrainian troop sites to high-profile dissidents—received a cumulative 50-year sentence in London’s Old Bailey. Evidence showed coordination by Wirecard fugitive Jan Marsalek and Russia’s GRU/FSB, spotlighting how Moscow outsources espionage to plausibly deniable “freelancers.”
📌 Practitioner Action List
Patch Apple & ASUS Endpoints: Push iOS 18.5 and DriverHub updates via MDM/EPP tools to shut down media-parsing and RCE vectors.
Update Output Messenger to v2.0.62+: Scan for CVE-2025-27920 exploitation and outbound traffic to wordinfo[.]com or similar C2 domains.
Test Logistics DR Plans: Use Co-op’s shortages as a tabletop template—ensure your supply chain keeps moving during IT isolation.
Harden Airline & Travel Data Stores: Encrypt PNRs, enforce least-privilege, and log all access for incident-response proof.
Review Ransomware Financial Exposure: Validate cyber-insurance clauses and offline billing contingencies in light of Lee Enterprises’ $2 M outlay.
Block Clipboard Command Abuse: Disable clipboard pastes from untrusted origins; add Click-Fix IOCs to web-filtering rules.
Deploy Social-Media Threat Intel: Monitor trending AI-tool hashtags for malicious domains before employees click.
Track Outsourced Espionage Tactics: Integrate GRU/FSB freelance indicators into geopolitical risk models for European operations.
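A small detection routine for the Output Messenger action item above, added here as an example and not part of the podcast or any vendor tooling: it scans DNS resolver log lines for queries to the story's look-alike domain (api.wordinfo.com, written defanged as in the list) or any of its subdomains. The syslog-style log format and the sample lines are constructed for the example.

```python
import re

def refang(ioc):
    """Turn a defanged indicator such as wordinfo[.]com back into a real domain."""
    return ioc.replace("[.]", ".")

# Indicator from the story, entered defanged as the action list writes it.
IOC_DOMAINS = {refang("wordinfo[.]com")}

# Constructed sample resolver log lines (not real traffic); one query per line.
SAMPLE_LOG = """\
2025-05-13T08:01:02Z dns-01 query: client=10.20.30.41 qname=api.wordinfo.com qtype=A
2025-05-13T08:01:05Z dns-01 query: client=10.20.30.42 qname=updates.example.org qtype=A
2025-05-13T08:02:11Z dns-01 query: client=10.20.30.41 qname=WordInfo.com. qtype=AAAA
2025-05-13T08:03:40Z dns-01 query: client=10.20.30.43 qname=notwordinfo.com qtype=A
"""

# Assumed log layout: "client=<ip> qname=<domain>" somewhere on the line.
LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")

def normalize(domain):
    """Lower-case and drop the trailing dot of an absolute DNS name."""
    return domain.lower().rstrip(".")

def matches_ioc(qname, iocs):
    """True if qname equals an IOC domain or is a subdomain of one.
    Substring matching is deliberately avoided so notwordinfo.com is not a hit."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in iocs)

def scan_dns_log(text, iocs=IOC_DOMAINS):
    """Return one dict per log line whose queried name matches an IOC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not carry a query; skip it
        if matches_ioc(m["qname"], iocs):
            hits.append({"client": m["client"],
                         "qname": normalize(m["qname"]),
                         "raw": line})
    return hits

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"IOC hit: {hit['client']} queried {hit['qname']}")
```

Clients that appear in the hits are candidates for the host-level checks the story describes (startup-folder scripts, unexpected Output Messenger file access).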
✅ Story Links:
https://www.securityweek.com/apple-patches-major-security-flaws-in-ios-macos-platforms/
https://thecyberexpress.com/marbled-dust-exploit-output-messenger-zero-day/
https://therecord.media/co-op-cyberattack-uk-company-fears-hackers-still-in-system
https://www.securityweek.com/us-deportation-airline-globalx-confirms-hack/
https://www.cybersecuritydive.com/news/lee-enterprises-2-million-ransomware-attack/747773/
https://thehackernews.com/2025/05/asus-patches-driverhub-rce-flaws.html
https://thehackernews.com/2025/05/fake-ai-tools-used-to-spread.html
https://therecord.media/bulgarian-members-russian-spy-ring-sentenced-uk
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.