Brief #128: Windows WSUS RCE Exploited, Claude AI Data Leak, CISO Budget Gaps

Nikoloz Kokhreidze



100,000 WSUS exploitation attempts in 7 days demand immediate patching. CISOs running 25+ security tools face 50% higher incident rates. Entry-level cybersecurity roles see 5,000 applications per position as market contracts.

Mandos Brief cybersecurity newsletter

Happy Sunday!

In this week's brief:

  • YouTube has become a malware playground: over 3,000 malicious videos target gamers and people looking for cracked software - Check Point found the network has been operating since 2021 and the number of attacks tripled this year
  • AI-generated code is creating serious security headaches with 70% of organizations finding vulnerabilities in AI-written code, which now makes up nearly a quarter of all production code
  • The cybersecurity job market is brutal right now - even experienced professionals from major tech companies are struggling to land new roles, with some positions getting 5,000 applications in 72 hours

A quick note before we dive in.

Industry News

Check Point Exposes YouTube Ghost Network Distributing Malware Through 3,000+ Videos

  • Check Point Research discovered a sophisticated YouTube malware distribution network operating since 2021, using over 3,000 malicious videos to distribute infostealers like Rhadamanthys and Lumma. The network employs compromised accounts with specialized roles – video uploaders, community post managers, and engagement manipulators – to create false legitimacy through positive comments and likes.

  • The network primarily targets users seeking game hacks (especially Roblox with 380 million monthly users) and software cracks (particularly Adobe products like Photoshop). The most viewed malicious video garnered 293,000 views promoting cracked Adobe Photoshop, while actors frequently update payloads every 3-4 days and rotate C2 servers to evade detection.

  • Malicious videos tripled in 2025 compared to previous years, with threat actors shifting from Lumma to Rhadamanthys infostealer following Lumma's disruption by law enforcement. Videos redirect users to phishing pages on Google Sites or file-sharing platforms, distributing password-protected archives that commonly instruct victims to disable Windows Defender before execution.

10 Typosquatted npm Packages Deploy Multi-Stage Credential Harvester

  • Socket's Threat Research Team discovered 10 malicious npm packages using typosquatting to mimic popular libraries like TypeScript, discord.js, and ethers.js. The packages automatically execute via postinstall hooks, spawn new terminal windows to avoid detection, and use four layers of obfuscation including XOR encryption and control flow obfuscation to hide their payload.

  • The malware displays a fake CAPTCHA prompt for social engineering, performs IP fingerprinting against the C2 server at 195.133.79.43, then downloads a 24MB PyInstaller-packaged information stealer called data_extracter. This cross-platform stealer harvests credentials from system keyrings, browsers, SSH keys, and authentication tokens across Windows, Linux, and macOS.

  • Published by threat actor andrew_r1 on July 4, 2025, the packages remained live for over four months and accumulated 9,900+ downloads. Organizations should audit dependencies immediately, treat any system that installed them as compromised, reset all stored credentials, revoke authentication tokens, and implement Socket's supply chain protection tools to prevent similar attacks.
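As an added defensive check that is not part of the newsletter or the Socket report, the script below flags dependency names that sit within a couple of edits of popular packages (typescript, discord.js, ethers) and lists packages declaring install-time lifecycle scripts, the hook the malicious packages abused; the manifests and package names are constructed sample data, and the popular-package list is an assumption to extend with your own allowlist.

```python
"""Flag lookalike dependency names and packages that run install-time scripts."""

# Assumed allowlist of popular packages (the brief names the first three).
POPULAR = ["typescript", "discord.js", "ethers", "react", "express"]
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_names(dep_names, popular=POPULAR, max_dist=2):
    """Return (dependency, lookalike) pairs for names within max_dist edits of a
    popular package but not identical to it; exact matches are legitimate."""
    hits = []
    for name in dep_names:
        if name in popular:
            continue
        for p in popular:
            if edit_distance(name, p) <= max_dist:
                hits.append((name, p))
                break
    return hits


def packages_with_install_scripts(manifests):
    """Given {package_name: package.json dict}, return names declaring a
    preinstall/install/postinstall script, sorted for stable output."""
    return sorted(
        name for name, pkg in manifests.items()
        if any(h in pkg.get("scripts", {}) for h in LIFECYCLE_HOOKS)
    )


# Constructed sample manifests; not taken from any real package.
SAMPLE_MANIFESTS = {
    "typescript": {"scripts": {"build": "tsc"}},
    "typescriptt": {"scripts": {"postinstall": "node setup.js"}},
    "discordjs": {"scripts": {}},
    "lodash": {"scripts": {}},
}

if __name__ == "__main__":
    print(suspicious_names(SAMPLE_MANIFESTS))
    print(packages_with_install_scripts(SAMPLE_MANIFESTS))
```

Running it against a real tree means feeding it the package.json files under node_modules; a lookalike name combined with an install script is the pattern worth investigating first.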

Google Confirms Active Exploitation of Critical Windows WSUS Vulnerability

  • Google's Threat Intelligence Group reports that the threat actor UNC6512 is actively exploiting CVE-2025-59287 across multiple victim organizations, conducting reconnaissance and exfiltrating data from compromised hosts.

  • The vulnerability affects Windows Server Update Services with an unauthenticated remote code execution flaw stemming from insecure deserialization – Microsoft's initial October patch was incomplete, requiring an emergency fix last Thursday.

  • Researchers observed approximately 100,000 exploitation attempts in seven days targeting publicly exposed WSUS instances on the default TCP ports 8530/8531, with attackers running PowerShell commands to gather network intelligence before exfiltrating data.
