Good morning, security gang! In this special pre-recorded edition of the CyberHub Podcast, we travel to Israel in anticipation of one of the world’s largest cybersecurity conferences, CyberTech. Host James Azar highlights his upcoming speaking engagement on the intersection of geopolitics and cyber threats.
Then, the episode delves into major developments in the cybersecurity world, including massive data breaches, insider threats, and emerging forms of ransomware and spyware.
From educational associations grappling with leaked personal information to corporate espionage sagas and nation-state-facilitated ransomware gangs, this installment paints a vivid picture of the ever-evolving threat landscape and what security professionals need to do about it.
Pennsylvania State Education Association Breach
In July 2024, the Pennsylvania State Education Association (PSEA)—the largest public-sector union in the state—experienced a cyberattack that led to the leak of personal information belonging to over half a million individuals. Although the attack occurred in mid-2024, notification letters went out much later due to extensive forensics and investigations.
The breach was claimed by the Rhysida ransomware group, who threatened to release the stolen data unless a ransom in Bitcoin was paid. PSEA has not confirmed payment, but the group’s leak listing has since been removed from the dark web. This incident underscores the vulnerabilities faced by large organizations that handle vast quantities of sensitive personal data.
Rippling vs. Deel: Corporate Espionage Allegations
Global payroll and HR solutions provider Rippling recently filed a lawsuit against rival company Deel, alleging corporate espionage by a Rippling employee named Keith O’Brien. O’Brien, based in Rippling’s Dublin office, purportedly searched internal systems for proprietary information and leaked it to Deel. Rippling uncovered the alleged spying through a sophisticated “honeypot” setup. When confronted, O’Brien reportedly locked himself in a bathroom to delete incriminating data from his device. This case highlights the ever-present risk of insider threats, emphasizing the need for strong internal security measures and vigilant monitoring of anomalous activities.
BlackBasta Chat Logs Reveal Russian Aid and Advanced Operations
Leaked internal chat logs from the Black Basta ransomware gang shed new light on how the group operates. The logs suggest that leader Oleg Nefadov (aka “GG” or “AA”) received help from Russian officials following his June 2024 arrest in Armenia, paving the way for his escape back to Russia.
The communications confirm the group’s use of ChatGPT to craft phishing lures and analyze malicious code, as well as the existence of two physical offices in Moscow. The multi-national crew, which reportedly includes Ukrainian nationals, appears adept at recruiting skilled developers to maintain a variety of sophisticated malware tools and frameworks, underscoring just how professionalized ransomware operations have become.
Compromised Signal Accounts Target Ukrainian Defense Personnel
Ukraine’s Computer Emergency Response Team (CERT-UA) has discovered a malicious operation employing hijacked Signal messaging accounts to target defense industry employees and military personnel. Attackers send phishing messages that contain archives with disguised malware, dubbed “Dark Tortilla,” which in turn deploys a Remote Access Trojan (Dark Crystal RAT). Investigations suggest these targeted attacks are likely orchestrated by Russian-aligned threat actors aiming to siphon sensitive military intelligence from Ukrainian organizations.
WhatsApp Zero-Click Vulnerability and Paragon Spyware
WhatsApp quietly mitigated a zero-click exploit leveraged by Paragon’s “Graphite” spyware. The spyware campaign, discovered by the University of Toronto’s Citizen Lab, infected user devices without any direct interaction from the target. Paragon, an Israel-based firm, asserts it sells its spyware only to law enforcement and intelligence agencies in democratic nations. Despite the company’s stated policies, the exploit demonstrates that advanced spyware solutions remain a grave concern for journalists, activists, and private citizens alike.
PHP Flaw for Cryptominers and RATs
Researchers have identified threat actors exploiting a severe PHP vulnerability to drop cryptominers and remote access trojans such as the Quasar RAT onto targeted systems. The flaw, affecting certain outdated PHP installations, enables attackers to gain privileged access, pivot laterally, and potentially exfiltrate data. Server administrators are urged to patch PHP installations promptly, given the popularity of the language across web-based applications.
Shift in Phishing Tactics: Windows to Mac OS
A widespread phishing campaign that initially targeted Windows users has evolved its tactics in response to new security measures in Chrome, Firefox, and Edge, according to a report from LayerX. After these browsers introduced enhanced anti-scareware capabilities, attackers pivoted to targeting Mac OS users—particularly Safari—to steal credentials via spoofed security alerts. Threat actors deploy compromised websites and domain-redirect schemes, highlighting the perpetual cat-and-mouse dynamic between browser security advancements and cybercriminal adaptability.
Dollyway Campaign Compromises WordPress Sites
Since at least 2016, the Dollyway malware campaign has infected over 20,000 WordPress sites globally, redirecting unsuspecting visitors to malicious pages pushing dating scams, fake gambling platforms, and crypto or sweepstakes frauds. While current iterations of Dollyway may focus on large-scale scam distribution, past activities have included ransomware infections and banking trojans. This long-running operation underscores the importance of vigilance and rigorous patch management for WordPress site owners.
StilachiRAT: Microsoft Warns of Evasive New Malware
Microsoft’s Incident Response Team issued warnings about a newly discovered, stealthy piece of malware called StilachiRAT. Although currently not widespread, the RAT’s capability to log RDP sessions in real time could allow attackers to move laterally across compromised networks.
The precise infection vectors remain unclear, but experts suggest emails, trojanized downloads, and malicious websites are all possible routes. Early detection and rigorous endpoint monitoring are key to preventing infiltration and propagation.
Action Items:
Update and Patch: Ensure operating systems, applications (including PHP), and security software are consistently patched to mitigate known vulnerabilities.
Monitor Insider Threats: Implement real-time logging and anomaly detection for unusual data access, particularly for privileged roles and sensitive projects.
Enhance Messaging Security: Encourage employees to validate messaging app contacts and beware of unsolicited file archives, especially for Signal and WhatsApp.
Bolster Browser Protections: Educate Mac OS and Safari users on phishing tactics and deploy anti-scareware solutions on all endpoints.
Secure WordPress Installations: Regularly update plugins, employ security plugins or firewalls, and monitor for malicious redirects to protect site visitors.
Adopt Strong Malware Defenses: Utilize advanced behavioral detection tools to identify and block evolving threats like StilachiRAT or new cryptominers.
Stay Informed and Vigilant: Keep up with threat intelligence feeds and industry alerts to respond proactively to shifts in cybercriminal tactics.
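The "Monitor Insider Threats" item above calls for anomaly detection on unusual data access. As an added example (not from the podcast or any product it mentions), the Python below runs a simple per-user baseline check over constructed access-log lines in a hypothetical "timestamp user action resource" format: it flags a user whose access count on the most recent day exceeds a multiple of their baseline daily mean, and a user who touches a resource area they never touched during the baseline period. The log lines, user names and paths are all constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access log (hypothetical format: "timestamp user action resource").
# alice behaves consistently; bob's volume spikes on the last day and he
# reaches into an area (eng/) he never accessed before.
SAMPLE_LOGS = [
    "2025-03-10T09:01:00 alice READ hr/payroll/q1.csv",
    "2025-03-10T14:20:00 alice READ hr/benefits/plan.pdf",
    "2025-03-11T09:05:00 alice READ hr/payroll/q1.csv",
    "2025-03-11T15:40:00 alice READ hr/benefits/plan.pdf",
    "2025-03-12T09:02:00 alice READ hr/payroll/q1.csv",
    "2025-03-12T16:10:00 alice READ hr/benefits/faq.txt",
    "2025-03-13T09:00:00 alice READ hr/payroll/q1.csv",
    "2025-03-13T13:30:00 alice READ hr/benefits/plan.pdf",
    "2025-03-10T10:00:00 bob READ finance/forecast.xlsx",
    "2025-03-10T11:00:00 bob READ finance/budget.xlsx",
    "2025-03-11T10:30:00 bob READ finance/forecast.xlsx",
    "2025-03-12T10:00:00 bob READ finance/budget.xlsx",
    "2025-03-12T11:15:00 bob READ finance/forecast.xlsx",
    "2025-03-13T08:00:00 bob READ finance/forecast.xlsx",
    "2025-03-13T08:05:00 bob READ finance/budget.xlsx",
    "2025-03-13T08:10:00 bob READ finance/contracts/acme.pdf",
    "2025-03-13T08:12:00 bob READ finance/contracts/globex.pdf",
    "2025-03-13T08:15:00 bob READ finance/pricing/2025.xlsx",
    "2025-03-13T08:20:00 bob READ finance/pricing/2024.xlsx",
    "2025-03-13T08:30:00 bob READ eng/source/pricing-engine.zip",
    "2025-03-13T08:35:00 bob READ eng/design/roadmap.pdf",
]


def parse_line(line):
    """Split one constructed log line into (datetime, user, action, resource)."""
    ts, user, action, resource = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, resource


def resource_area(resource):
    """Top-level directory of a resource path, used as a coarse 'area' label."""
    return resource.split("/", 1)[0]


def detect_anomalies(lines, factor=3.0, min_count=5):
    """Compare each user's most recent day against their earlier days.

    Returns {user: [reason, ...]} for users flagged on volume or on a
    never-before-seen resource area. `min_count` stops tiny baselines from
    producing noise (a user going from 1 access to 3 is not interesting).
    """
    events = [parse_line(line) for line in lines]
    last_day = max(ts.date() for ts, _, _, _ in events)

    baseline_counts = defaultdict(Counter)  # user -> Counter(day -> accesses)
    baseline_areas = defaultdict(set)       # user -> areas seen before last_day
    recent_counts = Counter()               # user -> accesses on last_day
    recent_areas = defaultdict(set)         # user -> areas seen on last_day

    for ts, user, _action, resource in events:
        area = resource_area(resource)
        if ts.date() == last_day:
            recent_counts[user] += 1
            recent_areas[user].add(area)
        else:
            baseline_counts[user][ts.date()] += 1
            baseline_areas[user].add(area)

    findings = {}
    for user in set(recent_counts) | set(baseline_counts):
        reasons = []
        days = baseline_counts[user]
        mean = sum(days.values()) / len(days) if days else 0.0
        threshold = max(min_count, factor * mean)
        recent = recent_counts[user]
        if recent > threshold:
            reasons.append(
                f"{recent} accesses on {last_day} vs baseline mean {mean:.1f}/day"
            )
        # Only report new areas when there is a baseline to compare against.
        new_areas = recent_areas[user] - baseline_areas[user]
        if days and new_areas:
            reasons.append(f"new resource area(s): {sorted(new_areas)}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect_anomalies(SAMPLE_LOGS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

With the constructed logs, only bob is reported, for both volume and the new eng/ area; alice's steady pattern stays below the threshold. In a real deployment the baseline window would be longer, the "area" label would come from a data classification scheme rather than a path prefix, and privileged roles would get a lower `factor`.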
✅ Story Links:
https://thehackernews.com/2025/03/leaked-black-basta-chats-suggest.html
https://thehackernews.com/2025/03/hackers-exploit-severe-php-flaw-to.html
https://www.securityweek.com/scareware-combined-with-phishing-in-attacks-targeting-macos-users/
https://www.securityweek.com/microsoft-warns-of-new-stilachirat-malware/
Level Zero Conference Discount Code: L020RESPOND at www.levelzeroconference.com
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚨 Important Links to Follow:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.