Triaging the Week 056

Hello there 👋

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!


Top 5 News Stories


Eagerbee Backdoor Targets Middle Eastern Government and ISPs

The Eagerbee backdoor, with links to the Chinese threat group CoughingDown, has been deployed against government organizations and ISPs in the Middle East. This stealthy malware operates 24/7, collecting sensitive data.

Key takeaways:
😈 CoughingDown Connection: Kaspersky researchers suggest with medium confidence that Eagerbee is associated with the Chinese threat group CoughingDown.
🕵️‍♂️ Stealth and Persistence: The backdoor runs continuously, appearing as ‘dllloader1x64.dll’, and starts gathering system information like OS details and network addresses upon infection.
🔄 Global Threat: While currently targeting the Middle East, a similar attack chain was also observed in Japan, indicating the malware’s global reach.
💻 Execution Method: Eagerbee uses a sophisticated method involving DLL hijacking through Windows services like Themes, SessionEnv, IKEEXT, and MSDTC to write its payload into memory.
📚 Capabilities: It has extensive capabilities, including executing commands at specified times, maintaining 24/7 operation, and communicating with command-and-control (C2) servers for further instructions.

🎯 Threat Hunting Package: https://lnkd.in/ewakMDzR  

Secure List 

AI-Powered Spear Phishing Tricks Over 50% of Users

A study shows that AI-supported spear phishing is alarmingly effective, deceiving 54% of users. With AI crafting hyper-personalized emails, vigilance is more crucial than ever. Learn how to spot these sophisticated scams.

Key takeaways:
🤖 AI’s Role in Phishing: AI technologies are being used to create highly personalized phishing emails, significantly increasing their success rate.
📈 Effectiveness: In a controlled experiment, 54% of participants were tricked by AI-generated phishing emails, showcasing the threat’s potency.
🔍 Personalization Tactics: AI leverages publicly available information about targets to tailor messages, making them seem more legitimate and relevant.
🚨 Learning to Recognize: Users are advised to look for signs like unsolicited emails with personal details or too-good-to-be-true offers as indicators of phishing.
🔒 Defense Strategies: Implementing strong email filters, user education, and skepticism towards unsolicited emails are key defenses against AI-driven phishing.

Malwarebytes 

U.S. Government Introduces Cyber Trust Mark for Smart Devices

The White House has launched the U.S. Cyber Trust Mark, a new cybersecurity safety label for smart devices, to help consumers choose products that meet federal security standards. This initiative aims to enhance consumer protection against cyber threats.

Key takeaways:
🏛️ Government Initiative: The U.S. Cyber Trust Mark was introduced by the White House to promote cybersecurity in consumer products.
🔓 Security Standards: Devices that meet the National Institute of Standards and Technology (NIST) cybersecurity criteria can display this label.
🏷️ Label Certification: Eleven companies have been approved as Cybersecurity Label Administrators to manage and certify the use of this mark.
📱 Wide Applicability: The label will appear on various internet-connected devices, helping consumers make informed decisions about the security of smart products.
💡 Educational Impact: The initiative educates consumers about cybersecurity, akin to how Energy Star labels inform about energy efficiency, potentially incentivizing manufacturers to improve product security.

The White House 

FireScam Android Malware Poses as Telegram Premium to Steal Data

A new Android malware, FireScam, is masquerading as a Telegram Premium app, stealing data and controlling devices. It’s distributed through phishing sites mimicking RuStore, with the potential to compromise millions.

Key takeaways:
📲 Disguised as Telegram Premium: FireScam exploits the popularity of Telegram by posing as its premium version, tricking users into downloading it for enhanced features.
🔓 Data Exfiltration: Once installed, it seeks permissions to access personal data like contacts, messages, and call logs, forwarding this information to attackers.
🕵️‍♂️ Surveillance Features: Beyond data theft, FireScam monitors notifications, screen state changes, and even e-commerce transactions to gather more intelligence.
🔗 Phishing Distribution: It’s spread via GitHub.io-hosted sites that falsely claim to be the RuStore App Store, a popular platform in Russia, to evade detection.
🔒 Persistent Control: The malware registers a service to receive commands via Firebase Cloud Messaging, allowing it to maintain covert access to the device.

🎯 Threat Hunting Package: https://buff.ly/3PmWVcB  

Cyfirma 

Ivanti Warns of Exploited Zero-Day Flaw in Connect Secure VPN

Ivanti has disclosed a new zero-day vulnerability (CVE-2025-0282) in Connect Secure VPNs, already exploited to install malware. Immediate action is recommended to patch or mitigate this high-risk security issue.

Key takeaways:
🔍 Critical Vulnerability: Ivanti’s Connect Secure VPN has a new zero-day flaw, CVE-2025-0282, allowing remote code execution without authentication.
🚨 Exploited in the Wild: Cyber attackers have used this vulnerability to deploy malware on affected systems since mid-December 2024.
🛑️ Patches and Mitigations: Ivanti has released patches for the vulnerability, urging immediate system updates or mitigation actions.
🕵️‍♂️ UNC5337 Group: The attacks have been linked to the cyber espionage group UNC5337, part of the broader UNC5221 cluster.
🔍 Investigation: Mandiant is analyzing multiple compromised systems to understand the full scope of the breach.

Ivanti


Top Tips of the Week


Threat Intelligence

  • Collaborate with industry ISACs. Contribute to and benefit from shared threat intelligence in your specific sector.

Threat Hunting

  • Foster a culture of continuous improvement. Regularly assess and enhance your threat hunting processes for optimal effectiveness. 
  • Foster a culture of collaboration in cyber threat hunting. Engage with internal and external teams to share insights and enhance collective defense. 
  • Integrate threat intelligence into threat modeling in cyber threat hunting. Enhance your security posture by identifying potential threats early in the development process. 

Custom Tooling

  • Implement regular code reviews for custom tools. Gain insights, identify improvements, and ensure code quality. 
  • Create custom tools with a focus on user empowerment. Provide users with features and capabilities that enhance their cybersecurity efforts. 
  • Balance flexibility and simplicity in custom tool design. Create tools that address specific needs without unnecessary complexity. 

Feature Video

The Traffic Light Protocol (TLP) is a framework for classifying information’s sensitivity and providing guidance on handling it. It is a designation system widely used in cyber security, particularly cyber threat intelligence. 

This quick guide will teach you everything you need to know about the framework, from the four colors it uses to classify information to how to use it in the real world and implement it at your organization using a five-step process. 

Watch Now 


Learning Resources


Tech Career Advice for 2025

2025 is upon us and there is no better way to start than with some career advice… 

This video assembles insights from 15 renowned tech YouTubers, offering practical career advice for 2025. Their shared experiences emphasize proactive learning, showcasing your skills, and leveraging personal branding to build opportunities.  

Watch now to discover more key strategies and take ownership of your career trajectory! 

Want to Get the Most From 2025?

Check out this video outlining practical strategies to maintain habits beyond January and achieve goals effectively in 2025.  

It explores key approaches like building low-impact systems that integrate seamlessly into daily routines, prioritizing consistency, and addressing procrastination with methods like time blocking and momentum-building activities.  

The actionable advice outlined is ideal for those seeking sustainable personal growth! 

Automating Threat Intelligence to Handle Emerging Threats

In this excellent presentation, experts from Datadog delve into the challenges of handling emerging vulnerabilities in an era where thousands of new vulnerabilities arise yearly.  

They highlight how to accelerate detection and response by replacing manual vulnerability management processes with automated workflows powered by threat intelligence, APIs, CI/CD platforms, and honeypots.  

It is an exciting look at the power of combining CTI with DevOps principles! 

King of the Script Kiddies

John Hammond is back with another engaging presentation. This time he explores if being a script kiddie is really a bad thing! 

He argues that using pre-made tools and scripts is not inherently negative but a stepping stone for learning and efficiency in the complex world of cybersecurity. Hammond demonstrates how embracing “script kiddie” strategies fosters innovation, collaboration, and skill development. 

Learn the value of accessibility in cybersecurity tools and the value of leveraging community contributions!