Brief #92: Russian APTs Target Signal, GitHub Security Issues, Importance of Career Growth

Nikoloz Kokhreidze

9 min read

Security architects face limited career growth, GoLang backdoor using telegram as C2 channel, 86% of orgs have exposed secrets in private GitHub repos

mandos brief cybersecurity leadership newsletter week 8 of 2025

Happy Sunday!

Hope you're having a great weekend. There's quite a bit happening in our space this week that I think you'll find valuable:

  • Russian threat actors found a clever way to intercept Signal messages through device-linking - definitely worth checking if your team uses Signal for sensitive communications.
  • NVIDIA shared write-up about Agent Morpheus that analyzes CVEs in seconds instead of the usual days-long process. If you're dealing with vulnerability management, this could save you tons of time.
  • Interesting data from IANS Research shows that even with great salaries, security pros are looking elsewhere due to limited growth paths. Might be worth reviewing your team's career development plans if you're in a leadership role.

Let's dive into the details below.

Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.

INDUSTRY NEWS

Russia-Aligned Threat Actors Target Signal Messenger Through Device-Linking Attacks

  • Multiple Russian state threat actors are exploiting Signal's "linked devices" feature by tricking users into scanning malicious QR codes that connect victim accounts to attacker-controlled devices, enabling real-time message interception.

  • Threat actors including APT44 (Sandworm) and UNC5792 use various methods including fake military apps, group invites, and security alerts to deliver malicious QR codes, while also deploying tools to steal Signal databases directly from compromised devices.

  • The targeting extends beyond Signal to other messaging apps like WhatsApp and Telegram, with attacks combining both remote phishing operations and close-access physical device exploitation when possible.

New Threat Actors TA2726 and TA2727 Emerge in Web Inject Campaigns, Introduce MacOS FrigidStealer

  • TA2726 operates as a TDS provider, facilitating traffic distribution for multiple threat actors including TA569, primarily targeting North America with SocGholish, while redirecting other regions to TA2727's malware campaigns.

  • TA2727 delivers multiple payloads based on geography and device type, including Lumma Stealer (Windows), Marcher (Android), and a newly discovered FrigidStealer targeting MacOS systems through fake browser update lures.

  • The threat landscape has become increasingly complex with multiple actors using similar web inject techniques, making attribution challenging, with infrastructure patterns showing both actors leveraging compromised legitimate websites to distribute their malware.

Golang Backdoor Uses Telegram as Command & Control Channel

  • A Russian backdoor written in Golang has been discovered that uses Telegram for C2 communications; because the traffic blends in with legitimate Telegram API calls, detection is challenging.

  • The malware installs itself as "svchost.exe" in the Windows temp directory and supports three main commands: executing PowerShell commands, self-persistence, and self-destruction. A screenshot feature exists but is not yet implemented.

  • The backdoor uses a hardcoded Telegram bot token for C2 operations and executes commands through hidden PowerShell windows, demonstrating how threat actors leverage legitimate cloud services to avoid traditional detection methods.
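As an added illustration (my own example, not code from the newsletter or from the researchers who analysed the backdoor), here is a small Python detection routine for the three observable traits summarised above: an svchost.exe image running outside the Windows system directories, a hidden-window PowerShell child of such a process, and a connection to api.telegram.org from a process that has no business talking to the Telegram Bot API. The telemetry record layout, the sample events and the allowlist are constructed for the example and do not correspond to any particular EDR schema.

```python
"""Detection logic for the backdoor traits described above, run over constructed
endpoint telemetry. The record layout is hypothetical (not a real EDR schema)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# On a standard Windows install the real svchost.exe lives only in these directories.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Images allowed to reach Telegram's API in this (constructed) environment.
TELEGRAM_ALLOWED_IMAGES = {"telegram.exe"}
# PowerShell's -WindowStyle Hidden (and its -w shorthand), case-insensitive.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image_path: str          # full path of the executable that started
    parent_image_path: str   # full path of the parent process image
    cmdline: str


@dataclass(frozen=True)
class NetworkEvent:
    pid: int
    image_path: str
    dest_host: str           # DNS/SNI name observed for the outbound connection
    dest_port: int


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _svchost_outside_system_dirs(path: str) -> bool:
    p = path.lower()
    return _basename(p) == "svchost.exe" and not p.startswith(LEGIT_SVCHOST_DIRS)


def check_process(ev: ProcessEvent) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) hits for one process-creation event."""
    hits: List[Tuple[str, int]] = []
    if _svchost_outside_system_dirs(ev.image_path):
        hits.append(("svchost_outside_system_dirs", ev.pid))
    if (_basename(ev.image_path) in ("powershell.exe", "pwsh.exe")
            and HIDDEN_WINDOW.search(ev.cmdline)
            and _svchost_outside_system_dirs(ev.parent_image_path)):
        hits.append(("hidden_powershell_from_masquerading_svchost", ev.pid))
    return hits


def check_network(ev: NetworkEvent) -> List[Tuple[str, int]]:
    """Flag Telegram Bot API traffic from any image not on the allowlist."""
    if (ev.dest_host.lower() == "api.telegram.org"
            and _basename(ev.image_path) not in TELEGRAM_ALLOWED_IMAGES):
        return [("telegram_api_from_unexpected_process", ev.pid)]
    return []


def triage(procs: List[ProcessEvent], nets: List[NetworkEvent]) -> List[Tuple[str, int]]:
    findings: List[Tuple[str, int]] = []
    for p in procs:
        findings.extend(check_process(p))
    for n in nets:
        findings.extend(check_network(n))
    return findings


# Constructed sample telemetry: one legitimate svchost, one dropped into %TEMP%,
# a hidden PowerShell spawned by the latter, and two Telegram API connections.
TEMP_SVCHOST = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"
SAMPLE_PROCS = [
    ProcessEvent(1001, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(2002, TEMP_SVCHOST, r"C:\Users\alice\Downloads\invoice.exe", "svchost.exe"),
    ProcessEvent(2003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 TEMP_SVCHOST, "powershell.exe -WindowStyle Hidden -Command whoami"),
]
SAMPLE_NETS = [
    NetworkEvent(2002, TEMP_SVCHOST, "api.telegram.org", 443),
    NetworkEvent(3004, r"C:\Program Files\Telegram Desktop\Telegram.exe", "api.telegram.org", 443),
]

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_PROCS, SAMPLE_NETS):
        print(f"{rule}: pid {pid}")
```

The path check is the cheapest of the three and has the best signal: the genuine svchost.exe is only ever started from System32 or SysWOW64 by services.exe, so any copy elsewhere deserves a look regardless of what it talks to. The Telegram rule needs an allowlist tuned to your estate, since desktop Telegram clients legitimately hit the same host.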

LEADERSHIP INSIGHTS

Wiz Report: GitHub Dominates Enterprise VCS with 80% Market Share, Reveals Security Gaps

  • GitHub leads enterprise version control systems with 80% market share, while only 5% of organizations use multiple VCS platforms. Public repositories are 3x more common on GitHub compared to other platforms.

  • Analysis reveals concerning secrets exposure with 7% of private repos containing secrets (including cloud keys), and 86% of organizations having at least one private repo with exposed secrets.

  • Branch protection is inadequately implemented across repositories, with only 31% of private repos and 66% of public repos having protection enabled, while 80% of GitHub Actions workflows run with excessive write permissions.
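The last statistic above is the one a platform team can fix quickly, so here is an added example (my own, not from the Wiz report or from GitHub) of a small Python checker that reads a GitHub Actions workflow and reports which jobs end up with write access on the GITHUB_TOKEN. It uses a deliberately simple line-based parse that handles the common `permissions:` shapes (`write-all`, `read-all`, `{}`, and the scope map, at workflow or job level) rather than a full YAML parser; the three sample workflows are constructed for the example.

```python
"""Report GITHUB_TOKEN write permissions per job in a GitHub Actions workflow.
Simplified line-based parse (an assumption of this example): it handles the usual
`permissions:` forms but is not a general YAML parser."""
import re
from typing import Dict, List, Optional, Union

KV_LINE = re.compile(r"^(\s*)([\w-]+):\s*(.*?)\s*(?:#.*)?$")
Perms = Union[str, Dict[str, str]]   # "write-all" | "read-all" | "none" | {scope: level}


def _significant(raw: str) -> bool:
    return bool(raw.strip()) and not raw.lstrip().startswith("#")


def _collect_block(lines: List[str], start: int, indent: int) -> Dict[str, str]:
    """Gather `scope: level` pairs indented deeper than the permissions: line."""
    perms: Dict[str, str] = {}
    for raw in lines[start + 1:]:
        if not _significant(raw):
            continue
        m = KV_LINE.match(raw)
        if not m or len(m.group(1)) <= indent:
            break
        perms[m.group(2)] = m.group(3)
    return perms


def _enclosing_key(lines: List[str], idx: int, indent: int) -> str:
    """Nearest preceding key with a smaller indent (the job name for job-level perms)."""
    for raw in reversed(lines[:idx]):
        m = KV_LINE.match(raw)
        if m and len(m.group(1)) < indent:
            return m.group(2)
    return "<unknown>"


def parse_permissions(lines: List[str]):
    workflow: Optional[Perms] = None
    jobs: Dict[str, Perms] = {}
    for i, raw in enumerate(lines):
        m = KV_LINE.match(raw)
        if not m or m.group(2) != "permissions":
            continue
        indent, value = len(m.group(1)), m.group(3)
        if value == "{}":
            perms: Perms = "none"
        elif value in ("write-all", "read-all"):
            perms = value
        else:
            perms = _collect_block(lines, i, indent)
        if indent == 0:
            workflow = perms
        else:
            jobs[_enclosing_key(lines, i, indent)] = perms
    return workflow, jobs


def list_jobs(lines: List[str]) -> List[str]:
    names, in_jobs, job_indent = [], False, None
    for raw in lines:
        m = KV_LINE.match(raw) if _significant(raw) else None
        if not m:
            continue
        indent = len(m.group(1))
        if indent == 0:
            in_jobs = m.group(2) == "jobs"
            continue
        if in_jobs:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:
                names.append(m.group(2))
    return names


def assess(workflow_text: str) -> List[str]:
    """One finding per job whose effective token permissions include write access
    (or that silently inherits the repository default)."""
    lines = workflow_text.splitlines()
    workflow, jobs = parse_permissions(lines)
    findings: List[str] = []
    for job in list_jobs(lines):
        eff = jobs.get(job, workflow)          # job-level block overrides workflow-level
        if eff is None:
            findings.append(f"job {job}: no explicit permissions (repository default applies)")
        elif eff == "write-all":
            findings.append(f"job {job}: write-all")
        elif isinstance(eff, dict):
            writes = sorted(s for s, lvl in eff.items() if lvl == "write")
            if writes:
                findings.append(f"job {job}: write on {', '.join(writes)}")
    return findings


# Constructed sample workflows: the weak setting, the hardened one, and no setting at all.
WEAK = "name: ci\non: [push]\npermissions: write-all\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - run: make test\n"
HARDENED = "name: ci\non: [push]\npermissions:\n  contents: read\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n  publish:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      packages: write\n    steps:\n      - run: ./publish.sh\n"
NO_PERMS = "name: ci\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n"

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED), ("no-perms", NO_PERMS)):
        print(label, assess(text) or ["ok"])
```

The hardened sample shows the pattern worth standardising on: a workflow-level `permissions:` that grants only `contents: read`, with write scopes added on the single job that needs them. A job with no block at all is reported too, because in that case the token falls back to the repository or organisation default, which on older repositories is still read/write on every scope.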

My Post About Security Industry's Leadership Crisis Highlighted by Tool-Focused Hiring Practices

  • A SOC Manager candidate with engineering leadership experience was rejected solely due to lack of proficiency in a specific security tool, despite having relevant leadership capabilities.

  • The interview focused exclusively on technical tool knowledge while ignoring crucial leadership competencies like incident response coordination, team development, process improvement, and crisis management.

  • This widespread hiring practice in cybersecurity demonstrates a fundamental misunderstanding of leadership roles, prioritizing tactical tool knowledge over strategic management skills that typically require years to develop.

Deloitte & CAQ Survey: Cybersecurity Remains Top Priority for Audit Committees in 2025

  • Survey of 237 audit committee members shows cybersecurity remains the #1 priority beyond financial reporting, with 62% of committees having primary oversight and 71% discussing it quarterly.

  • Enterprise risk management ranks as second priority, with 52% of audit committees having primary oversight, though this drops to 21% for financial services companies who typically delegate to risk committees.

  • Finance talent and internal audit oversight are crucial, as 92% of committees have primary responsibility for them, and 82% believe there is an opportunity to extract more value from internal audit functions.

📖 Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS.

CAREER DEVELOPMENT

Cybersecurity Professionals Seek Career Growth Despite High Salaries, IANS Research Reports

  • Average compensation remains strong with security architects earning $206,000 annually, while 61% of professionals now work across multiple domains including SecOps, GRC, and AppSec, reflecting industry-wide resource constraints.

  • Only one-third would recommend their employer, with retention challenges stemming from limited advancement opportunities - fewer than 40% are satisfied with career progression prospects despite competitive pay.

  • Regional compensation disparities reach up to $61,000 annually between U.S. West and Southeast regions, while IT experience proves crucial with 70% of security engineers citing it as critical for their current roles.

Top 8 In-Demand Cybersecurity Certifications Reveal Industry Skills Requirements

  • The most sought-after certification is CISSP, which requires 5+ years of experience across multiple security domains and carries an average salary potential of $217,127 for CISO positions.

  • Entry-level professionals should prioritize CompTIA Security+ certification ($404), which covers core security skills and can lead to roles paying $89-157k, with no strict prerequisites beyond recommended Network+ certification.

  • Advanced specialized certifications like CEH and CISA require 2-5 years experience and command salaries of $130-235k for roles in penetration testing, security architecture, and IT auditing.

Reddit User With $10K in Bug Bounties Struggles to Land Entry-Level Pentesting Role

  • Despite earning over $10,000 in bug bounties and achieving a top ranking in a HackerOne program, the candidate struggles to secure interviews, highlighting how competitive red team positions are relative to the number of openings.

  • Technical skills include development of Python scripts and BurpSuite plugins, plus experience with common pentesting tools, but resume feedback suggests a need for better documentation of achievements and impact metrics.

  • Career experts recommend focusing on blue team roles for entry-level positions, improving resume structure to highlight work experience, and including detailed project outcomes, CVEs, and public disclosures.

AI & SECURITY

NVIDIA Launches AI-Powered CVE Analysis Tool for Enterprise Security

  • NVIDIA developed "Agent Morpheus" - a generative AI system that analyzes Common Vulnerabilities and Exposures (CVEs) in software containers, reducing analysis time from days to seconds by autonomously determining vulnerability exploitability.

  • The system uses retrieval-augmented generation with four specialized Llama3 models to create analysis checklists, investigate vulnerabilities, summarize findings, and generate standardized VEX format reports without human prompting.

  • When processing containers with multiple CVEs, the system achieves a 9.3x speed improvement through parallel processing, analyzing 20 CVEs in about 5 minutes versus 47 minutes when run serially.

This Video Shows Multi-Agent Swarm Developing Red Team Tools Using Local LLMs

  • BugOut leverages a local DeepSeek LLM to generate Python-based red team tools through an iterative process where planning agents first discuss objectives before passing requirements to a coding agent for implementation.

  • The system uses a swarm architecture where multiple agents collaborate - planning agents refine requirements and constraints, while a coding agent generates executable Python scripts with built-in unit tests and error handling.

  • Code generation happens locally using a 16B parameter model, with isolation enforced through subprocess execution rather than direct eval(), and the system continues refining code through multiple iterations until successful execution or timeout.

AI SOC Solutions Evolution: Copilot and Autonomous Approaches Reshape Security Operations

  • Copilot solutions function as AI assistants, responding to analyst prompts for alert investigation, enrichment, and threat hunting, offering flexibility but requiring specific queries and human guidance for optimal results.

  • Autonomous investigation tools operate independently with pre-built automation, handling alert triage, correlation, and response actions without manual intervention, ideal for high-volume environments but potentially limited in flexibility.

  • The emerging trend points toward a hybrid approach combining both methodologies - autonomous systems handle routine triage while copilots enable deeper investigation, with some solutions already integrating into existing SIEM/SOAR platforms for enhanced efficiency.

MARKET UPDATES

Israeli Cybersecurity Startup Dream Raises $100M Led by Bain Capital at $1.1B Valuation

  • Dream, founded by a former NSO Group CEO, develops AI models for cybersecurity, focusing on protecting critical infrastructure and government entities through preparation, detection, and remediation of cyber threats.

  • The company projects $100M in annual recurring revenue for 2025 and plans to double its workforce to 300 employees, expanding operations into the US and South America from current offices in Tel Aviv, Vienna, and Abu Dhabi.

  • Dream's technology includes specialized foundational models for cyber language, anomaly detection, and deep-learning trained on historical cyberattacks, serving customers across Europe, Middle East, and Southeast Asia in critical infrastructure sectors.

Blockchain Security Startup Blockaid Raises $50M Series B Investment

  • The company has secured total funding of $83M, with the latest round led by Ribbit Capital, targeting expansion of its web3 security platform that protects blockchain applications through transaction validation and simulation.

  • The platform has prevented over $5.3B in potential losses by blocking 71 million attacks and securing 787 million dApp connections for major clients including Coinbase, MetaMask, and Uniswap.

  • Funding will support scaling of R&D and engineering teams to enhance machine learning capabilities and expand security offerings against evolving blockchain-based threats.

Gomboc AI Raises $13M for Deterministic AI Cloud Security Remediation Platform

  • The company launches a platform that uses deterministic AI to automatically fix cloud security misconfigurations through Infrastructure as Code, moving beyond traditional alert-based approaches to provide consistent, repeatable remediation.

  • The platform integrates with existing cloud infrastructure to reduce security backlogs by providing automated, context-aware fixes while maintaining compliance with NIST and CIS frameworks, without requiring customer data for model training.

  • Investment round led by Ballistic Ventures with participation from Glilot Capital and Hetz Ventures, targeting the growing need for automated security remediation in DevSecOps environments.

TOOLS

Adversa AI

Adversa AI is a cybersecurity company that provides solutions for securing and hardening machine learning, artificial intelligence, and large language models against adversarial attacks, privacy issues, and safety incidents across various industries.

LLM Guard

LLM Guard is a security toolkit that enhances the safety and security of interactions with Large Language Models (LLMs) by providing features like sanitization, harmful language detection, data leakage prevention, and resistance against prompt injection attacks.

Lakera

Lakera is an automated safety and security assessment tool for GenAI applications.


Before you go

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz
