Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top 5 News Stories

North Korean Lazarus Group Deploys ClickFix Attacks to Target Crypto Industry
North Korea’s Lazarus hackers are using ClickFix tactics, posing as crypto giants like Coinbase and Kraken, to trick job seekers into installing malware via fake error fixes. After stealing $1.5B from Bybit, this escalating threat demands vigilance—don’t run unknown commands!
Key takeaways:
🕵️‍♂️ Lazarus Evolves: The North Korean Lazarus group has adopted ClickFix attacks since Feb 2025, impersonating crypto firms like Coinbase, KuCoin, and Kraken to target job seekers in the crypto space.
📜 ClickFix Deception: Victims are lured with fake errors on job docs or sites, prompting them to run malicious PowerShell commands that deploy malware for system control.
💰 Massive Heists: Linked to the record-breaking $1.5B Bybit theft, Lazarus uses these tactics to steal crypto assets, blending them with their ongoing “Contagious Interview” campaign.
🔍 Dual Approach: Sekoia notes that Lazarus runs ClickFix alongside traditional methods, testing effectiveness while hard-hitting centralized finance (CeFi) targets.
Google Unveils Seamless End-to-End Encryption for Gmail Enterprise Users
Google’s new end-to-end encryption for Gmail business users is here, letting admins secure emails effortlessly without complex setups—privacy just got simpler! Rolling out in beta now, it’s a game-changer for Workspace security.
Key takeaways:
🔒 E2EE Made Easy: Google’s new Gmail feature brings end-to-end encryption (E2EE) to enterprise users, enabling secure email sending with a single toggle—no S/MIME hassles required.
📧 Phased Rollout: Launched in beta on April 1, 2025, it starts with emails inside the same organization, then expands to all Gmail users, and later to any inbox by year-end.
🛡️ Admin Control: IT teams manage encryption keys, keeping Google out of the loop and boosting privacy and data sovereignty for Workspace clients.
🌐 Broad Reach: Even non-Gmail recipients can view encrypted emails via a restricted Gmail portal, simplifying secure cross-platform communication.
DPRK IT Workers Escalate Global Threat with Expanded Scope and Sophisticated Tactics
North Korean IT workers are scaling up, targeting Europe alongside the US with fake personas to infiltrate companies for cash and espionage, per Google’s latest intel. Their tactics, like extortion and virtualized operations, are evolving fast; time to bolster hiring checks and network defenses!
Key takeaways:
🌍 Global Expansion: DPRK IT workers have broadened their reach beyond the US, now targeting Europe (e.g., Germany, Portugal, UK), using fraudulent personas to secure remote jobs in defense and government sectors.
💻 Evolving Tactics: Since late 2024, they’ve ramped up extortion—threatening to leak sensitive data post-firing—and shifted ops to BYOD virtual environments, evading traditional security.
🕵️‍♂️ Sophisticated Deception: One worker juggled 12 personas across continents, faking references and credentials, while others exploited job platforms and laptop farms for access.
💰 Dual Motives: Primarily revenue-driven for the regime, their access to sensitive systems raises espionage risks, with a 2024 surge tied to US law enforcement pressure.
QR Code Phishing Surge: Attackers Innovate with Redirects and Turnstile Evasion
QR code phishing is spiking across the US and Europe, with attackers hiding links via redirects and using Cloudflare Turnstile to dodge security scans, per Unit 42’s latest findings. Industries like healthcare and finance are prime targets—train staff and scan smart!
Key takeaways:
📲 QR Code Evolution: Since late 2024, Unit 42 has tracked a rise in “quishing”—phishing via QR codes—using redirects through legit sites to mask malicious destinations.
🛡️ Evasion Upgrade: Attackers deploy Cloudflare Turnstile for user verification, bypassing security crawlers and luring victims to fake login pages with tailored credential theft.
🌍 Widespread Hits: The campaign spans the US and Europe, targeting the medical, automotive, education, energy, and financial sectors with spoofed e-sign documents (e.g., DocuSign, Adobe Acrobat Sign).
🔍 Stealthy Delivery: QR codes in phishing emails or PDFs push users to scan with personal devices, which are often less secure, amplifying the risks of credential exposure.
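The story above says attackers mask the real destination by bouncing QR-code links through legitimate sites. One defensive triage step is to unwrap the URL decoded from a QR code before anyone visits it. The helper below is an added example, not code from Unit 42 or from the original article; it assumes the common open-redirect pattern in which the final destination is carried in a query parameter of the legitimate site's URL (the article does not say which redirect mechanism was used), and all hosts and URLs in it are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs, unquote
from typing import List, Dict

def unwrap_redirect(url: str, max_depth: int = 5) -> List[str]:
    """Return the chain of URLs found by repeatedly pulling an absolute
    http(s) URL out of the query parameters of the current URL.
    Nothing is fetched: this is static analysis of the link text only."""
    chain = [url]
    current = url
    for _ in range(max_depth):
        parsed = urlparse(current)
        nested = None
        for values in parse_qs(parsed.query, keep_blank_values=True).values():
            for value in values:
                candidate = unquote(value)          # handles double-encoded values
                inner = urlparse(candidate)
                if inner.scheme in ("http", "https") and inner.netloc:
                    nested = candidate
                    break
            if nested:
                break
        if nested is None:
            break
        chain.append(nested)
        current = nested
    return chain

def assess_link(url: str) -> Dict[str, object]:
    """Compare the host a user sees with the host the link finally reaches."""
    chain = unwrap_redirect(url)
    visible_host = urlparse(chain[0]).netloc.lower()
    final_host = urlparse(chain[-1]).netloc.lower()
    return {
        "visible_host": visible_host,
        "final_host": final_host,
        "hops": len(chain) - 1,
        # Flag when the legitimate-looking host is only a relay to somewhere else.
        "masked_destination": visible_host != final_host,
    }

# Constructed sample links (placeholder .example hosts, not real indicators).
QUISHING_LINK = (
    "https://trusted-portal.example/redirect?"
    "url=https%3A%2F%2Fesign-verify.example%2Fsign%3Fdoc%3D42"
)
BENIGN_LINK = "https://trusted-portal.example/page?ref=newsletter"

if __name__ == "__main__":
    for link in (QUISHING_LINK, BENIGN_LINK):
        print(link, "->", assess_link(link))
```

The check only reports what the link text itself reveals; a relay that keeps the destination server-side (a short-link ID, for example) shows zero hops and still needs sandboxed detonation or reputation lookup.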
Critical RCE Flaw in Apache Parquet Exposes Big Data Systems to Attack
A max-severity RCE flaw (CVE-2025-30065) in Apache Parquet up to v1.15.0 threatens big data platforms like Hadoop and cloud services—upgrade to 1.15.1 ASAP to stay safe! There are no active exploits yet, but the risk is sky-high.
Key takeaways:
🚨 Severe Vulnerability: CVE-2025-30065 is a critical remote code execution (RCE) flaw that affects all Apache Parquet versions up to 1.15.0, which are widely used in big data ecosystems.
💾 Exploitation Risk: Attackers can trigger it with a crafted Parquet file, though no in-the-wild exploits are confirmed—its broad adoption makes it a prime target.
🛠️ Fix Available: Apache released v1.15.1 on April 1, 2025, patching the flaw; admins must update urgently to protect systems.
🌐 Wide Impact: Used in Hadoop, AWS, Google Cloud, and more, this flaw could disrupt data lakes and analytics if exploited.
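The advisory summary above gives the two numbers a defender needs: every Parquet release up to 1.15.0 is affected and 1.15.1 carries the fix. The script below is an added example (not code from the Apache Parquet project or from the original article) that scans a Maven-style dependency listing for org.apache.parquet artifacts and flags versions below 1.15.1. The report text is a constructed sample; the coordinate format (group:artifact:type:version:scope) is the one printed by `mvn dependency:list`, and plain group:artifact:version lines from Gradle build files are accepted too.

```python
import re
from typing import List, Dict, Tuple

FIXED_VERSION = "1.15.1"           # first release that fixes CVE-2025-30065 (per the advisory summary)
VULNERABLE_GROUP = "org.apache.parquet"

# Matches either
#   org.apache.parquet:parquet-hadoop:jar:1.13.1:compile   (mvn dependency:list output)
#   org.apache.parquet:parquet-avro:1.15.1                  (Gradle-style coordinates)
COORD_RE = re.compile(
    r"(?P<group>org\.apache\.parquet):(?P<artifact>[\w.-]+)(?::\w+)?:(?P<version>\d[\w.-]*)"
)

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.15.1' or '1.15.0-SNAPSHOT' into a comparable tuple of ints.
    Qualifiers after the numeric core are dropped, and missing components
    are padded with zeros so that '1.15' compares equal to '1.15.0'."""
    core = re.split(r"[^\d.]", version, maxsplit=1)[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    return parts + (0,) * (3 - len(parts))

def is_vulnerable(version: str) -> bool:
    """True for any Parquet version older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def scan_dependency_report(report: str) -> List[Dict[str, object]]:
    """Return one finding per org.apache.parquet coordinate in the report."""
    findings = []
    for lineno, line in enumerate(report.splitlines(), start=1):
        match = COORD_RE.search(line)
        if not match:
            continue
        version = match.group("version")
        findings.append({
            "line": lineno,
            "artifact": match.group("artifact"),
            "version": version,
            "vulnerable": is_vulnerable(version),
        })
    return findings

# Constructed sample of a dependency listing; versions chosen to cover both sides of the fix.
SAMPLE_REPORT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.parquet:parquet-hadoop:jar:1.13.1:compile
[INFO]    org.apache.parquet:parquet-column:jar:1.15.0:compile
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.1:compile
[INFO]    org.apache.hadoop:hadoop-common:jar:3.3.6:compile
"""

if __name__ == "__main__":
    for finding in scan_dependency_report(SAMPLE_REPORT):
        status = "UPGRADE" if finding["vulnerable"] else "ok"
        print(f"line {finding['line']}: {finding['artifact']} {finding['version']} -> {status}")
```

A version string is only a triage signal: shaded or fat jars can bundle Parquet classes without exposing the coordinate, so pair this with a scan of the deployed artifacts themselves before declaring a data platform clean.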
Top Tips of the Week

Threat Intelligence
- Collaborate with threat intelligence researchers. Tap into their expertise to enhance your understanding of specific threats and tactics.
- Monitor third-party risks with threat intelligence. Assess and manage cyber security risks associated with vendors and partners.
- Regularly review CTI sharing agreements. Ensure that partnerships align with organizational goals and requirements.
- Stay agile in CTI. Adapt strategies and tactics based on the evolving threat landscape for effective cyber security.
- Integrate threat intelligence into endpoint protection. Enhance the detection and response capabilities of your endpoint security.
Custom Tooling
- Conduct threat modeling in custom tool design. Identify potential risks and vulnerabilities during the development phase.
- Consider the geographical dispersion of users in custom tool design. Ensure accessibility and optimal performance for users across locations.
Feature Article

A cyber threat intelligence (CTI) project can be a difficult undertaking. There are many hurdles, roadblocks, and pitfalls that can derail your success. To combat these, you must dedicate time and effort to comprehensively planning your CTI project.
This guide will show you how to do this by walking through all the key documentation you need before you start intelligence work.
You will learn why CTI project planning is fundamental for success, the must-have documentation to create (and how this relates to the CTI lifecycle), and how to account for the unpredictable nature of intelligence collection. By the end, you will have the knowledge and tools to plan your next great work. Let’s get started!
Learning Resources

Automate Detection Engineering
Detection engineering is the hot new skill set in cyber security. The only things more cutting-edge are automation and AI. Luckily, this presentation incorporates all three!
In this talk, experts from SANS Institute discuss automated adversary emulation, AI-driven detection rule generation, and how organizations can improve security operations with continuous testing and automation. They emphasize the importance of bridging gaps between offensive and defensive teams for effective cyber security.
Through real-world case studies and demonstrations, the speakers show how AI tools like ChatGPT can help generate detection rules, while automated breach simulation continuously tests security controls. The talk concludes with strategies for scaling purple teaming, ensuring organizations stay resilient against evolving cyber threats by building a robust CI/CD pipeline.
Using Excel to Empower Your Cyber Investigations
This insightful presentation from Black Hills Security focuses on enhancing cyber security investigations through practical Excel techniques. Patterson Cake demonstrates various Excel hacks that can streamline data analysis and improve efficiency in security investigations, from basic Excel functionalities to advanced features like Power Query and Pivot Tables for automation.
Throughout the talk, Cake provides step-by-step instructions on using Excel to manage and analyze large datasets, highlighting how these techniques can be applied in real-world security scenarios. The session aims to equip viewers with the skills needed to leverage Excel for more effective and efficient security investigations.
Start making better use of Excel today!
AWS Security Masterclass Mini-Series
Learn the basics of securing cloud environments with this mini-series on AWS security fundamentals. The series covers securing AWS accounts and addresses common security issues such as misconfigurations in AWS IAM, EC2 AMIs, and Lambda serverless functions.
It includes practical demonstrations and step-by-step guides to setting up secure AWS environments, and it encourages viewers to follow along interactively to gain hands-on experience.
Start learning cloud security right now!
Interviewing ThePrimeagen
Primeagen is a legendary figure in programming, and this episode of the Lex Fridman podcast dives into his journey with programming, from his first profound experience with linked lists to his passion for problem-solving through recursion.
He shares insights on overcoming challenges in the tech industry, his ADHD struggles, and the joy he finds in programming’s infinite possibilities. The conversation also touches on AI, productivity, addiction, and the role of spirituality in his life.
An incredibly insightful conversation that has something for anyone in tech, whether you’re a seasoned veteran or a newcomer. A must-watch!