Scattered Spider Arrests, Car Exploits, macOS Malware, Fortinet RCE and More


In cybersecurity, precision matters—and there’s little room for error. A small mistake, missed setting, or quiet misconfiguration can quickly lead to much bigger problems. The signs we’re seeing this week highlight deeper issues behind what might look like routine incidents: outdated tools, slow response to risks, and the ongoing gap between compliance and real security.

For anyone responsible for protecting systems, the key isn’t just reacting to alerts—it’s recognizing the larger patterns and hidden weak spots they reveal.

Here’s a breakdown of what’s unfolding across the cybersecurity world this week.

⚡ Threat of the Week

NCA Arrests for Alleged Scattered Spider Members — The U.K. National Crime Agency (NCA) announced that four people have been arrested in connection with cyber attacks targeting major retailers Marks & Spencer, Co-op, and Harrods. The arrested individuals include two men aged 19, a third aged 17, and a 20-year-old woman. They were apprehended in the West Midlands and London on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. They are believed to be associated with the notorious cybercrime group known as Scattered Spider, an offshoot of a loose-knit collective called The Com, which is responsible for a vast catalog of crimes, including social engineering, phishing, SIM swapping, extortion, sextortion, swatting, kidnapping, and murder.

🔔 Top News

  • PerfektBlue Bluetooth Flaws Expose Millions of Vehicles to Remote Attacks — Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from Mercedes-Benz, Volkswagen, and Skoda. “PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),” PCA Cyber Security said. Volkswagen said the identified issues exclusively concern Bluetooth and that neither vehicle safety nor vehicle integrity is affected. It also noted that exploitation of the vulnerabilities is only possible when several conditions are met simultaneously.
  • North Korean Hacker Behind Fraudulent IT Worker Scheme Sanctioned — The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Tuesday sanctioned a member of a North Korean hacking group called Andariel for their role in the infamous remote information technology (IT) worker scheme. Song Kum Hyok, 38, is alleged to have enabled the fraudulent operation by using foreign-hired IT workers to seek remote employment with U.S. companies and planning to split income with them. The sanctions mark the first time a threat actor linked to Andariel, a sub-cluster within the Lazarus Group, has been tied to the IT worker scheme. “While the Treasury’s announcement marks a formal public association of the Andariel (APT45) hacking group with North Korea’s remote IT worker operation, the connection reflects a much broader and long-running pattern,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News.
  • Chinese Hacker Arrested for Silk Typhoon Attacks — A Chinese national has been arrested in Milan, Italy, for his alleged links to a state-sponsored hacking group known as Silk Typhoon and for carrying out cyber attacks against American organizations and government agencies. Xu Zewei, 33, has been accused of being involved in the U.S. computer intrusions between February 2020 and June 2021, including a mass attack spree that leveraged then-zero-day flaws in Microsoft Exchange Server, a cluster of activity the Windows maker designated as Hafnium. Xu and co-defendant Zhang Yu, also a Chinese national, are believed to have undertaken the attacks based on directions issued by the Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB).
  • Threat Actors Weaponize Leaked Version of Shellter to Distribute Stealers — Hackers are exploiting a popular red teaming tool called Shellter to distribute stealer malware and remote access trojans. The campaigns are believed to have started in April 2025, around the same time a company that procured a licensed version of the software leaked a copy on cybercrime forums. “Although the Shellter Project is a victim in this case through intellectual property loss and future development time, other participants in the security space must now contend with real threats wielding more capable tools,” Elastic Security Labs said.
  • Fortinet Patches Critical SQL Injection Flaw — Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. According to watchTowr Labs, the problem is rooted in the fact that the Bearer token from the Authorization header of a specially crafted HTTP request is passed directly into an SQL database query without adequate sanitization to make sure that it is not harmful and does not include any malicious code. The disclosure comes as Sonar detailed multiple vulnerabilities in Fortinet’s FortiClient (CVE-2025-25251, CVE-2025-31365, CVE-2025-22855, CVE-2025-22859, and CVE-2025-31366) that, when chained together, grant an attacker complete organizational control with minimal user interaction. CVE-2025-22859 “enables an authenticated attacker to upload a stored XSS payload to a Linux-based EMS server,” security researcher Yaniv Nizry said. “Exploiting this vulnerability, an attacker can manipulate an EMS user into clicking a malicious link, forcing all registered endpoints to switch connection to a malicious EMS server without any interaction from the clients. This makes them susceptible to arbitrary code execution.”
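To make the FortiWeb bug class concrete, here is an added example (not Fortinet's code, and not from the watchTowr write-up) that contrasts a token lookup which concatenates the Bearer token into SQL with a hardened lookup that validates the token's shape and binds it as a query parameter. The table, token alphabet, and sample tokens are constructed assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory token table standing in for the appliance's database
# (hypothetical schema; the real FortiWeb schema is not described in the post).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_tokens (token TEXT, username TEXT, role TEXT)")
    db.executemany("INSERT INTO api_tokens VALUES (?, ?, ?)",
                   [("a1b2c3d4e5f6", "alice", "operator"),
                    ("f6e5d4c3b2a1", "admin", "admin")])
    return db

def bearer(header):
    """Extract the raw token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = header.partition(" ")
    return token if scheme == "Bearer" else None

def lookup_vulnerable(db, header):
    """Token concatenated straight into SQL: the pattern described for CVE-2025-25257."""
    token = bearer(header)
    sql = f"SELECT username FROM api_tokens WHERE token = '{token}'"
    return [row[0] for row in db.execute(sql)]

TOKEN_RE = re.compile(r"[A-Za-z0-9._-]{8,128}")  # assumed token alphabet and length

def lookup_hardened(db, header):
    """Reject malformed tokens up front, then bind the token so it is data, never SQL."""
    token = bearer(header)
    if token is None or not TOKEN_RE.fullmatch(token):
        return []  # shape check fails: nothing reaches the database
    sql = "SELECT username FROM api_tokens WHERE token = ?"
    return [row[0] for row in db.execute(sql, (token,))]

if __name__ == "__main__":
    db = make_db()
    good = "Bearer a1b2c3d4e5f6"
    bad = "Bearer ' OR '1'='1"  # constructed tautology; contains no valid token at all
    # Vulnerable lookup: the tautology matches every row, so a header with no
    # real token "authenticates" as both users. Hardened lookup: rejected.
    print(lookup_vulnerable(db, good), lookup_vulnerable(db, bad))
    print(lookup_hardened(db, good), lookup_hardened(db, bad))
```

Parameter binding alone closes the injection; the regex is defence in depth that also gives you a clean log line to alert on when a header fails the shape check.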

🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week’s list includes — CVE-2025-47227, CVE-2025-47228 (ScriptCase), CVE-2025-24269, CVE-2025-24235 (SMBClient), CVE-2025-30012, CVE-2025-42963, CVE-2025-42964, CVE-2025-42966, and CVE-2025-42980 (SAP), CVE-2025-52488 (DNN), CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, CVE-2025-6243 (Ruckus Wireless), CVE-2025-52434, CVE-2025-52520, CVE-2025-53506 (Apache Tomcat), CVE-2025-6948 (GitLab CE/EE), CVE-2025-0141 (Palo Alto Networks GlobalProtect App), CVE-2025-6691 (SureForms plugin), CVE-2025-7206 (D-Link DIR-825), CVE-2025-32353, CVE-2025-32874 (Kaseya RapidFire Tools Network Detective), CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, CVE-2025-7029 (Gigabyte UEFI), CVE-2025-1727 (End-of-Train and Head-of-Train devices), and a critical double free vulnerability in the Linux kernel’s pipapo set module.

📰 Around the Cyber World

  • Atomic Stealer Gets a Backdoor Feature — The macOS information stealer known as Atomic Stealer (aka AMOS) has been updated with an embedded backdoor to obtain persistent access to compromised systems. The new component allows executing arbitrary remote commands, gaining full user-level access, and even surviving reboots, allowing attackers to maintain control over infected hosts indefinitely. According to Moonlock Lab, campaigns distributing Atomic have recently shifted from broad distribution channels like cracked software sites to targeted phishing aimed at cryptocurrency owners and using staged job interview invitations to infect freelancers. The United States, France, Italy, the United Kingdom, and Canada are among the most affected by the stealer malware. It is only the second known case of backdoor deployment at a global scale targeting macOS users, after North Korea. “The upgrade to AMOS represents a significant escalation in both capability and intent, whether the changes were made by the original malware authors or by someone else modifying the code,” the company said. “It’s clear that the Russia-affiliated authors of Atomic macOS Stealer are following in the footsteps of North Korean attack groups.”
  • Call of Duty Makers Take Game Offline After Reports of RCE Exploit — The makers of Call of Duty: World War 2 announced that the PC version of the game has been taken offline following “reports of an issue.” The issue appears to be a security problem, specifically a remote code execution (RCE) vulnerability in the popular video game that could allow an attacker to take over other players’ PCs during live multiplayer matches. The RCE exploit has been found to be abused to open command prompts on victim PCs, send mocking messages via Notepad, and forcibly shut down players’ computers, among other actions. Activision has not officially commented on the issue, but it’s said to be working to remediate the bug.
  • BaitTrap Uses Over 17K Sites to Push Scams — A network of more than 17,000 websites is mimicking trusted brands, including CNN, BBC and CNBC, to redirect visitors to online scams. The BaitTrap network uses Google and Meta ads, social media posts, and YouTube videos to lure victims. The bogus sites typically collect personal information and attempt to hijack online crypto accounts. They target audiences in more than 50 countries all over the globe. The sites publish fake stories featuring prominent public figures, including national leaders and central bank governors, and falsely link those figures to “fabricated investment schemes in order to build trust and get engagement from victims.”
  • Dutch Police Arrest 5 Phishing Gang Members — Dutch police have arrested five members of a phishing gang that operated out of the city of Lelystad. Four of the group’s members are teenagers aged 14 to 17. Authorities said the suspects used QR codes sent via email to collect login credentials for local banks. In a related law enforcement development, Nepalese authorities have apprehended 52 people for allegedly running online dating and crypto investment scams. The group ran a call center and a dating app called METOO to lure young Nepali women and facilitate fraudulent online transactions. Six of the detained suspects are Chinese and are believed to have managed the operation.
  • German Court Orders Meta to Pay €5K Over GDPR Violation — A German court has ruled that Meta must pay €5,000 ($5,900) to a German Facebook user who sued the platform for embedding its Pixel tracking technology in third-party websites. The ruling could open the door to large fines down the road over data privacy violations relating to similar tracking tools. The Regional Court of Leipzig in Germany ruled that Meta tracking pixels and software development kits embedded in countless websites and apps collect users’ data without their consent and violate the continent’s General Data Protection Regulation (GDPR). “Every user is individually identifiable to Meta at all times as soon as they visit the third-party websites or use an app, even if they have not logged in via the Instagram and Facebook account,” the court said.
  • LFI Flaw in Microsoft Export to PDF Feature — A Local File Inclusion (LFI) vulnerability has been disclosed in Microsoft 365’s Export to PDF functionality, potentially allowing attackers to access sensitive internal data when converting HTML documents to PDF. The vulnerability, reported by security researcher Gianluca Baldi, was subsequently patched by Microsoft, earning them a $3,000 bounty reward. “It turned out there was an undocumented behavior that allowed converting from HTML to PDF files,” Baldi said. “By embedding specific tags (, , and