Brief #141: 65% Abandon Prevention Strategy, Gemini Calendar Injection, Nike Breach
Nikoloz Kokhreidze
VS Code malware installs ScreenConnect RAT with Rust fallback mechanisms. AI cybercrime subscriptions start at $30/month enabling novice attackers. Automotive security market hits $28B by 2036.
Welcome to the Mandos Brief: Strategic insights to help you stay ahead of threats and the market.
In this week's analysis:
- Phishing Gets Cloud-Native: Attackers are now using GitHub for scripts and Dropbox for malware delivery, making takedowns nearly impossible. Action: Enable Tamper Protection on all endpoints and monitor for suspicious PowerShell execution with GitHub/Dropbox traffic patterns.
- Prevention is Dead: 65% of CISOs have shifted focus from prevention to cyber resilience, with zero achieving same-day recovery from incidents. Strategy: Start building your incident response muscle memory now: downtime costs are becoming the primary business risk metric.
- $28B Automotive Security Gold Rush: UN regulations are forcing security into every vehicle layer, creating a massive market opportunity as cars become computers on wheels. Business Opportunity: Consider partnerships with established players like Infineon or VicOne who are consolidating this space through acquisitions.
Strategic Intelligence
Multi-Stage Phishing Campaign Delivers Amnesia RAT and Ransomware via GitHub and Dropbox
- A sophisticated phishing campaign targeting Russian organizations leverages business-themed documents to deploy Amnesia RAT and ransomware while abusing defendnot to disable Microsoft Defender, and uses GitHub for script distribution and Dropbox for binary payloads to complicate takedown efforts and improve campaign resilience.
- This attack demonstrates how adversaries achieve full system compromise without exploiting vulnerabilities, instead systematically abusing native Windows features, administrative tools, and policy enforcement mechanisms to disable endpoint defenses before deploying persistent surveillance tooling that steals credentials, cryptocurrency wallets, browser data, and enables remote control with real-time data exfiltration via Telegram.
- Security teams should enable Tamper Protection on all endpoints to prevent unauthorized changes to Defender settings, monitor for suspicious Windows Security Center API calls and Registry modifications, implement application whitelisting to block unauthorized scripts, and establish detection rules for defendnot abuse patterns and unusual PowerShell execution with extended delays between stages.
Fake Clawdbot VS Code Extension Installs ScreenConnect RAT
- Attackers published a malicious VS Code extension impersonating the popular Clawdbot AI assistant, automatically dropping weaponized ScreenConnect remote access software onto Windows machines every time VS Code starts.
- The extension functions as a legitimate AI coding assistant while silently connecting infected machines to attacker-controlled infrastructure at meeting.bulletmailer[.]net:8041, using a trojan approach that avoids detection.
- The attack includes multiple fallback mechanisms including a Rust-based DLL loader and Dropbox payload delivery, demonstrating sophisticated redundancy planning to ensure successful RAT deployment even if primary infrastructure fails.
Nike Investigates Data Breach After Extortion Gang Leaks Files
- Nike is investigating a potential data breach after an extortion group posted what appears to be stolen files from the company on their leak site.
- The threat actors claimed to have accessed Nike's systems and are demanding payment to prevent further data leaks of sensitive corporate information.
- Nike has not yet confirmed the authenticity of the leaked files or disclosed the full scope of the potential breach, while security researchers analyze the posted evidence.
Leadership Insights
CISOs Shift Focus From Prevention to Cyber Resilience as Downtime Costs Soar
- A survey of 750 CISOs reveals that 65% now prioritize cyber resilience over traditional prevention methods, with 72% confirming their role has evolved to include leading business continuity recovery following security incidents.
- 55% of organizations experienced a cyberattack or ransomware infection in the past 12 months that rendered endpoint devices inoperable, with not a single CISO able to achieve full recovery within one day.
- The majority of CISOs (53%) expect their organizations to face significant and costly downtime in the next 12-18 months, with 59% expressing personal concern about job loss or legal liability from security incidents.
Fastly Q3 2025 Bot Traffic Report Reveals Financial Services and Commerce Under Heavy Attack
- Headless bots heavily targeted transaction-heavy industries, with 89% of headless bot traffic focused on Financial Services (44%) and Commerce (45%) sectors, likely seeking to compromise accounts and scrape real-time pricing data.
- Organizations are increasingly blocking AI crawlers and fetchers, with 4% of all wanted bot traffic being blocked as companies question whether these bots provide actual business value amid the shift from traditional SEO to generative engine optimization.
- Meta and ChatGPT dominate AI bot traffic, accounting for 60% of all AI crawler traffic and 68% of AI fetcher traffic respectively, while "Common Headless Automation" tools represent 94% of total headless bot activity across Fastly's 6.5 trillion monthly requests.
Arkose Labs Q3 2025 Threat Report: Bot Attacks Surge While Attack Automation Services Decline
- Bot attacks dominated Q3 with 79% of malicious traffic while fake account creation remained the leading attack type at 46% of all incidents, signaling a potential shift toward agentic AI deployment at scale.
- Attack automation services declined 16% in volume but increased 6% in average attack size, while human-based fraud farm operations grew 24% quarter-over-quarter, indicating refined targeting strategies.
- Desktop devices continue to be preferred for attacks (68% vs 32% mobile) with 71% of attacks originating from Chrome browsers, while Brazil leads global attack origins excluding spoofed US traffic.
AI & Security
Researchers Exploit Google Gemini Using Calendar Invite Prompt Injection
- Security researchers discovered a prompt injection vulnerability that allowed attackers to embed malicious instructions in calendar event descriptions, which Google Gemini would execute when users asked routine scheduling questions.
- The attack chain involved creating a calendar invite with a hidden payload that instructed Gemini to summarize private meetings and exfiltrate this data by creating new calendar events visible to the attacker.
- This vulnerability highlights a fundamental shift in application security where attacks are semantic rather than syntactic, making traditional pattern-based defenses ineffective against AI-powered authorization bypass exploits.
Group-IB Report Reveals AI-Powered Cybercrime Economy Worth Millions
- Dark web discussions about AI abuse surged by 371% between 2019 and 2025, with criminals now offering AI-powered tools like DarkLLMs and deepfake services for as little as $30 per month in subscription models that mirror legitimate SaaS businesses.
- The report identifies cybercrime's "fifth wave" where AI has industrialized attacks by turning human skills like persuasion and coding into scalable services, enabling even novice actors to launch sophisticated campaigns that were previously limited to advanced threat groups.
- APT groups including APT28, APT35, and Lazarus are now integrating AI into their operations, while new attack vectors emerge including AI-generated synthetic identities that have infiltrated over 300 companies and caused $347 million in verified deepfake fraud losses.
Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware
- A sophisticated phishing campaign is hitting Russian organizations with a multi-stage attack that deploys Amnesia RAT and ransomware, leveraging GitHub for scripts and Dropbox for binaries while abusing the defendnot tool to disable Microsoft Defender before deploying surveillance and destructive payloads.
- This attack demonstrates how adversaries are weaponizing legitimate cloud services and open-source security tools to evade detection and complicate takedown efforts, with the campaign achieving full system compromise without exploiting any software vulnerabilities by systematically abusing native Windows features and policy enforcement mechanisms.
- Security teams should enable Tamper Protection on endpoints to prevent unauthorized changes to Defender settings, monitor for suspicious API calls to Windows Security Center, implement application control policies to block unauthorized PowerShell execution, and establish behavioral detection rules for defendnot abuse and unusual GitHub/Dropbox traffic patterns from endpoints.
Market Intelligence
Automotive Cybersecurity Market Set to Hit $28 Billion by 2036 as Regulators and SDVs Force Security Into Every Layer
- The automotive cybersecurity market is projected to grow from $4.4 billion in 2026 to $28.1 billion by 2036 at a 20.4% CAGR, driven by mandatory UN R155/R156 regulations that transform vehicle security from optional to a type-approval requirement across Europe, Asia, and Latin America, while software-defined vehicles and OTA updates multiply attack surfaces across embedded ECUs, cloud platforms, and sensor fusion systems.
- This isn't just about protecting cars anymore; it's about protecting entire ecosystems where tariffs are forcing localized secure hardware development in the US, high-profile cyber incidents are pushing adoption of in-vehicle and cloud-based SOCs, and OEMs must now secure everything from APIs to telematics as part of integrated defense strategies that cover the full vehicle lifecycle from design to decommissioning.
- Consider evaluating partnerships with established players like Infineon, NXP, Argus, or VicOne who are actively consolidating the market through acquisitions and regional partnerships, assess whether your product roadmap addresses both regulatory compliance and the expanded attack surface of connected vehicles, and explore positioning around secure-by-design architectures that can serve both cost-conscious OEMs facing tariff pressures and premium manufacturers requiring end-to-end cybersecurity governance.
Ex-Palantir Engineer Raises $40M for Cyber Startup Outtake With Microsoft CEO Backing
- Former Palantir engineer Alex Dhillon secured $40 million in Series B funding for Outtake, a cybersecurity startup that uses autonomous AI agents to detect and remove cyberthreats like phishing through email verification and other applications.
- The funding round was led by Iconiq with participation from high-profile investors including Microsoft CEO Satya Nadella, Palo Alto Networks CEO Nikesh Arora, and Palantir CTO Shyam Sankar, demonstrating strong industry confidence in AI-driven cybersecurity solutions.
- Outtake has achieved significant growth metrics including a sixfold increase in annual recurring revenue year-over-year and scanning 20 million potential cyberattacks last year, with customers including OpenAI, AppLovin, and Bill Ackman's Pershing Square.
Mesh Security Raises $12M Series A to Unify Fragmented Enterprise Cyber Tools
- Mesh Security secured $12 million in Series A funding led by Lobby Capital with participation from S Ventures (SentinelOne CVC) and Bright Pixel Capital, bringing total funding to $18 million since inception in 2022.
- The platform addresses tool sprawl by unifying enterprise security tools across cloud, SaaS, and networks into a single operational system, eliminating fragmented security data and disjointed processes without vendor lock-in.
- Founded by former offensive and defensive cloud security experts Netanel Azoulay (CEO) and Omri Haring (CTO), the company employs 25 people across its Palo Alto headquarters and Israel R&D center.
Security Stack
IONIX External Exposure Management
External attack surface mgmt platform for discovering & remediating exposures
Absolute Security Resilience
Firmware-embedded endpoint resilience platform for device recovery & security
VulnSign Dynamic Application Security Testing
DAST tool for scanning web apps, microservices, and APIs for vulnerabilities
Thank you for reading this week's brief.
Talk to you in the next one.
Nikoloz