Brief #130: Amazon Detects APT Zero-Days, Claude AI Exploited for Espionage, $1M-$10M Insider Losses

Nikoloz Kokhreidze

8 min read

Chinese actors autonomously attacked 30 major tech firms using manipulated AI. 41% of breached orgs lost millions to insiders. DPRK targets developers via JSON storage services.

Happy Sunday!

In this week's brief:

  • Chinese state actors just pulled off the first reported largely autonomous AI-driven cyber espionage campaign, with a jailbroken Claude Code handling 80-90% of the attack operations and human operators stepping in only at a handful of decision points
  • 77% of organizations dealt with insider-driven data loss in the past 18 months, yet most still can't see how their own users are handling sensitive data
  • Amazon's honeypot service caught an APT exploiting Cisco and Citrix zero-days before they were publicly known, using sophisticated custom web shells with advanced evasion techniques

A quick note before we dive in.

Is Security Blocking Your Next Enterprise Deal?

Let's discuss how fractional CISO services can unlock your pipeline without the full-time overhead.

Book a Free Discovery Call

Industry News

Amazon Discovers APT Exploiting Cisco and Citrix Zero-Days

  • Amazon's MadPot honeypot service detected an APT exploiting CVE-2025-5777 (Citrix Bleed Two, a pre-auth memory over-read in NetScaler ADC/Gateway) and CVE-2025-20337 (Cisco ISE) as zero-days before public disclosure, which points to either access to non-public vulnerability research or independent vulnerability discovery capability.

  • On Cisco ISE the actor deployed a custom in-memory web shell disguised as a legitimate component named "IdentityAuditAction". It injected itself into the running Java process via reflection and registered as a listener on the Tomcat server, so nothing landed on disk, and it wrapped its traffic in DES encryption with a non-standard Base64 alphabet to defeat signature-based detection.

  • The campaign targeted identity management and network access control infrastructure, chaining pre-authentication remote code execution into administrator-level control of the compromised Cisco ISE deployments.

DPRK Actors Use JSON Storage Services in Contagious Interview Campaign

  • North Korean threat actors behind the Contagious Interview campaign have evolved their tactics to use legitimate JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware disguised as interview demo projects targeting software developers.

  • The lure is a fake recruiter profile on LinkedIn handing the target a trojanized Node.js project. A config file in the project holds a base64-encoded URL pointing at one of those JSON stores, from which the project fetches obfuscated JavaScript that drops BeaverTail and then InvisibleFerret.

  • The chain now includes a new component called Tsunami that establishes persistence, installs Python if it is missing, and retrieves follow-on payloads from a Pastebin paste; that paste had already logged more than 400 views, a rough indicator of how many systems reached that stage. The tooling runs on Windows, Linux, and macOS.
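The practical check for anyone who has cloned a "demo project" from a recruiter is to look for base64 blobs in config files that decode to URLs. The scanner below is an added example written for this brief, not code from the NVISO report or the campaign itself; the hostname watchlist and the sample `.env` contents are constructed for illustration.

```javascript
// Added example: find base64 tokens in project files that decode to URLs, the
// pattern used to hide the JSON-storage download location in trojanized
// Node.js demo projects. Runs under Node.js with no dependencies.

// Assumed watchlist of JSON storage hosts; extend it with your own indicators.
const JSON_STORAGE_HOSTS = ['jsonkeeper.com', 'jsonsilo.com', 'npoint.io'];

// A base64 run of at least 20 characters, optionally padded with '='.
const B64_TOKEN = /[A-Za-z0-9+/]{20,}={0,2}/g;

// Decode a candidate token; return a URL object if it is an http(s) URL, else null.
function decodeIfUrl(token) {
  // Valid base64 lengths are 0, 2 or 3 mod 4 once padding is removed.
  if (token.replace(/=+$/, '').length % 4 === 1) return null;
  const text = Buffer.from(token, 'base64').toString('utf8');
  // Random alphanumeric strings decode to binary junk; require printable ASCII.
  if (!/^[\x20-\x7e]+$/.test(text)) return null;
  if (!/^https?:\/\//i.test(text)) return null;
  try {
    return new URL(text);
  } catch {
    return null;
  }
}

// True when the hostname is, or is a subdomain of, a watchlisted JSON store.
function isJsonStorageHost(hostname) {
  const h = hostname.toLowerCase();
  return JSON_STORAGE_HOSTS.some((d) => h === d || h.endsWith('.' + d));
}

// Scan a text blob (a config file, a source file) and report every encoded URL,
// marking those that point at a JSON storage service as suspicious.
function findEncodedUrls(text) {
  const hits = [];
  for (const match of text.matchAll(B64_TOKEN)) {
    const url = decodeIfUrl(match[0]);
    if (url) {
      hits.push({
        token: match[0],
        url: url.href,
        host: url.hostname,
        suspicious: isJsonStorageHost(url.hostname),
      });
    }
  }
  return hits;
}

const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

// Constructed sample .env file, not a real campaign artefact: one encoded URL to a
// JSON store, one encoded URL to a benign host, one encoded non-URL secret.
const SAMPLE_CONFIG = [
  'PORT=3000',
  'NODE_ENV=development',
  'API_KEY=' + b64('https://api.jsonkeeper.com/b/ABCD'),
  'DOCS=' + b64('https://github.com/example/demo-project'),
  'SESSION_SECRET=' + b64('not-a-url-just-a-random-secret-value'),
].join('\n');

function scanSample() {
  return findEncodedUrls(SAMPLE_CONFIG);
}

for (const hit of scanSample()) {
  console.log(hit.suspicious ? 'SUSPICIOUS' : 'encoded URL', hit.host, hit.url);
}
```

Run it over every file in a cloned project (`.env`, `config/*.js`, `package.json` scripts) before `npm install`, since the fetch typically happens as a side effect of starting the project. Only the JSON-store hits are flagged, but any URL someone bothered to base64-encode in a "demo" is worth a look.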

Operation Endgame Takes Down 1025 Malware Servers in International Cybercrime Crackdown

  • Law enforcement from 11 countries, coordinated by Europol, dismantled three major cybercrime enablers between November 10 and 13, 2025: the Rhadamanthys infostealer, the VenomRAT remote access trojan, and the Elysium botnet.

  • The operation resulted in one arrest in Greece, 11 location searches across three countries, the takedown of over 1,025 servers, and the seizure of 20 domains; the dismantled infrastructure had infected hundreds of thousands of victims worldwide.

  • The dismantled infrastructure contained several million stolen credentials and over 100,000 crypto wallets potentially worth millions of euros, with victims now able to check their exposure through dedicated websites established by authorities.
