Cybersecurity Brief

Murky Panda Espionage, INTERPOL Serengeti, and Oil Ransomware

Coverage: 22 Aug 2025 – 24 Aug 2025 (UTC)

Incidents

A report from The Hacker News describes escalating espionage focused on cloud environments and telecommunications by clusters tracked as Murky Panda, Genesis Panda, and Glacial Panda. The campaigns reportedly abuse trust between cloud tenants and partners, add backdoor Entra ID accounts and service principals, and pivot via web‑facing appliance flaws and known CVEs. Tooling includes web shells such as neo‑reGeorg, a Golang ELF remote access tool dubbed CloudedHope, metadata service harvesting for cloud credentials, and trojanized OpenSSH binaries (ShieldSlide) to capture sessions and maintain persistence inside telecom networks. The activity emphasizes stealth, credential abuse, and long‑term access for intelligence collection.

Fortinet details its role in INTERPOL’s Operation Serengeti 2.0 (June–August 2025), which resulted in 1,209 arrests, dismantling of 11,432 malicious infrastructures, recovery of $97.4 million, and identification of nearly 88,000 victims across 18 African nations. The private‑sector support included indicators of compromise, C2 infrastructure data, and forensic analysis that informed planning, takedowns, and post‑operation work, alongside training to build regional investigative capacity.

An oil and gas case underscores ransomware pressure on critical services. A sector brief from Exponential‑e notes Pakistan Petroleum Limited confirmed impact from Blue Locker, with file encryption (.blue), deleted backups, and data exfiltration claims. The company reported disruptions to financial operations and enacted controlled restoration and regulator notifications. National authorities issued high‑alert advisories, urging segmentation, verified offline backups, EDR deployment, and proactive hunting.

Open‑source supply chain risk surfaced when a malicious Go module masquerading as an SSH brute‑forcer was found to steal credentials. According to The Hacker News, the package golang‑random‑ip‑ssh‑bruteforce probes port 22, attempts weak passwords, disables host key verification, and exfiltrates successful logins to a hard‑coded Telegram bot over HTTPS, offloading scanning to unwitting operators while centralizing credential collection.

Insider risk remains acute. The Hacker News reports a former developer received a four‑year sentence for sabotage at an Ohio employer, including code designed to crash servers, deletion of profile files, and a kill switch tied to an Active Directory account, which triggered widespread lockouts when access was disabled. The case highlights the need for least‑privilege access, tighter offboarding, code review, and monitoring of developer activity.

Patches

No major vendor advisories or urgent patch bulletins are included in today’s batch. Teams should continue to apply existing fixes for internet‑facing devices referenced in current threat reporting and validate exposure reduction measures on edge systems.

Platforms

GenAI operations gained new options in regulated environments with AWS making Amazon Bedrock Data Automation available in GovCloud (US‑West). The capability automates extraction of structured insights from unstructured multimodal content and can serve as a parser within Knowledge Bases workflows, reducing ingestion and enrichment overhead. In cost governance, an open‑source Model Context Protocol server for Billing and Cost Management from AWS Labs enables AI‑driven analysis and forecasting across MCP‑compatible assistants, with a SQL engine for reproducible metrics and integrations spanning common developer tools.

Kubernetes operations tightened with namespace configuration for add‑ons in EKS, allowing operators to set custom namespaces at install time for clearer isolation and ownership (changes require removal and re‑installation). Database resilience improved as RDS for PostgreSQL added delayed read replicas, providing a time buffer against destructive human error and faster recovery than point‑in‑time restore for very large datasets.

Research and policy

Threat telemetry points to sustained pressure on exposed services and IoT gear. FortiGuard analyzed a Mirai‑derived IoT malware resurgence that targets devices from multiple vendors, packs binaries to hinder unpacking, and implements components for DDoS, backdoor access, and self‑protection, with broad geo‑activity and published IOCs. A complementary roundup from The Hacker News describes exploitation of GeoServer CVE‑2024‑36401 to monetize victim bandwidth, an IoT botnet dubbed PolarEdge relaying encrypted traffic via custom backdoors, and continued Mirai‑family campaigns. In Linux operations, The Hacker News details a phishing chain where RAR filenames embed Bash‑compatible code that can execute in poorly guarded loops, pulling a downloader and in‑memory VShell payload; separate research highlights RingReaper’s use of io_uring for stealthy post‑exploitation and privilege escalation.

Procurement and supply‑chain hygiene are also in focus. Draft guidance from CISA updates the Minimum Elements for an SBOM and opens public comment through October 3, 2025. The revision refines required fields (identifiers, versions, supplier, license, hashes), emphasizes machine‑readable formats and interoperability, and clarifies operational practices so agencies and vendors can scale generation and consumption across complex ecosystems.

Finally, off‑grid communications remain niche but relevant for contingency planning. A primer from Kaspersky surveys mesh messaging apps that relay encrypted texts over Bluetooth or Wi‑Fi Direct without internet access, outlines practical limits around range and reliability, and recommends favoring open‑source, audited options, testing ahead of time, and maintaining non‑smartphone backups for critical coordination.

These and other news items from the day:

Fri, August 22, 2025

Chinese Groups Escalate Cloud and Telecom Espionage

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

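The backdoor Entra ID accounts and service principals mentioned in the day's summary, and the credential theft for persistence described in this item, leave a trail in the Entra ID directory audit log. The following is an added example, not CrowdStrike's code nor anything from the page: it reads JSON-lines audit records and flags service principal creation, credential additions and role grants whose initiator is outside the home tenant, is a guest account, or is not on a short allowlist. The activity names, the record layout (a simplified form of the Microsoft Graph directoryAudit shape), the tenant id and the allowlist are assumptions, and the sample records are constructed.

```python
import json

# Activity names modelled on Entra ID directory audit activityDisplayName
# values (assumed; verify against the strings your tenant actually emits).
HIGH_RISK_ACTIVITIES = {
    "Add service principal",
    "Add service principal credentials",
    "Add member to role",
    "Add user",
}
# Constructed values: identities expected to make such changes, and our tenant id.
APPROVED_INITIATORS = {"svc-iam-pipeline@example.com"}
HOME_TENANT_ID = "00000000-0000-4000-8000-000000000001"


def initiator(event):
    """Return (principal, tenant_id) of whoever performed the change.
    Layout is a simplified version of the Graph directoryAudit record (assumed)."""
    who = event.get("initiatedBy", {})
    if "user" in who:
        user = who["user"]
        return user.get("userPrincipalName", "?"), user.get("homeTenantId", HOME_TENANT_ID)
    app = who.get("app", {})
    return app.get("displayName", "?"), app.get("tenantId", HOME_TENANT_ID)


def classify(event):
    """Return the reasons this event deserves review (empty list if none)."""
    reasons = []
    activity = event.get("activityDisplayName", "")
    if activity not in HIGH_RISK_ACTIVITIES:
        return reasons
    principal, tenant = initiator(event)
    if tenant != HOME_TENANT_ID:
        reasons.append(f"{activity} by cross-tenant principal {principal} ({tenant})")
    if "#EXT#" in principal.upper():
        reasons.append(f"{activity} by guest account {principal}")
    if principal not in APPROVED_INITIATORS and not reasons:
        reasons.append(f"{activity} by non-approved principal {principal}")
    return reasons


def scan(lines):
    """Parse JSON-lines audit records; return [(record id, reasons), ...]."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append((event.get("id", "?"), reasons))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = """
{"id": "e1", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "svc-iam-pipeline@example.com", "homeTenantId": "00000000-0000-4000-8000-000000000001"}}}
{"id": "e2", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "ops@partner-msp.example", "homeTenantId": "00000000-0000-4000-8000-0000000000ff"}}}
{"id": "e3", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "jdoe_contractor.example#EXT#@example.onmicrosoft.com", "homeTenantId": "00000000-0000-4000-8000-000000000001"}}}
{"id": "e4", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "homeTenantId": "00000000-0000-4000-8000-000000000001"}}}
{"id": "e5", "activityDisplayName": "Add service principal", "initiatedBy": {"app": {"displayName": "Unknown Automation", "tenantId": "00000000-0000-4000-8000-000000000001"}}}
"""

if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_LOG.splitlines()):
        print(record_id, "->", "; ".join(reasons))
```

The allowlist rule is deliberately last: a partner-tenant or guest initiator is reported on that ground even when it happens to be an approved identity, since cross-tenant trust is exactly the path the reporting describes.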

Fri, August 22, 2025

Resurgence of Mirai-Based IoT Malware: Gayfemboy Campaign

🛡️ FortiGuard Labs reports the resurgence of a Mirai-derived IoT malware family, publicly known as “Gayfemboy,” which reappeared in July 2025 targeting vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco devices. The campaign delivers UPX-packed payloads via predictable downloader scripts named for product families and uses a modified UPX header and architecture-specific filenames to evade detection. At runtime the malware enumerates processes, kills competitors, implements DDoS and backdoor modules, and resolves C2 domains through public DNS resolvers to bypass local filtering. FortiGuard provides AV detections, IPS signatures, and web-filtering blocks; organizations should patch and apply network defenses immediately.


Sat, August 23, 2025

GeoServer Exploits, PolarEdge, Gayfemboy Expand Cybercrime

🛡️ Cybersecurity teams report coordinated campaigns exploiting exposed infrastructure and known flaws to monetize or weaponize compromised devices. Attackers have abused CVE-2024-36401 in GeoServer to drop lightweight Dart binaries that monetize bandwidth via legitimate passive-income services, while the PolarEdge botnet and Mirai-derived gayfemboy expand relay and DDoS capabilities across consumer and enterprise devices. Separately, TA-NATALSTATUS targets unauthenticated Redis instances to install stealthy cryptominers and persistence tooling.


Fri, August 22, 2025

Fortinet Supports INTERPOL in Operation Serengeti 2.0

🛡️ Fortinet supported INTERPOL’s Operation Serengeti 2.0 by providing preemptive threat intelligence—IOCs, command-and-control data, and forensic insights—that helped plan and execute cross-border takedowns. Conducted June–August 2025 with 18 African nations and nine private partners, the operation led to 1,209 arrests, dismantling of 11,432 malicious infrastructures, and recovery of $97.4 million. Fortinet also contributed investigator training and capacity building to sustain disruption efforts.


Fri, August 22, 2025

Linux Backdoor Delivered via Malicious RAR Filenames

🛡️ Trellix researchers describe a Linux-focused infection chain that uses a malicious RAR filename to trigger command execution. The filename embeds a Base64-encoded Bash payload that leverages shell command injection when untrusted filenames are parsed, allowing an ELF downloader to fetch and run an architecture-specific binary. The chain ultimately delivers the VShell backdoor, which runs in memory to evade disk-based detection.

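The weak link in this chain, and in the summary's "poorly guarded loops", is a script that lets an archive member's name reach a shell parser. The following added example (not Trellix's code and not from the page) shows the vulnerable pattern beside the hardened one: a size lookup that splices the name into a shell command string versus one that passes it as an argument-list element with no shell, plus a loop that logs names containing shell metacharacters. The fixture directory, its file names and the use of `wc` as the external tool are constructed for the demonstration; the marker file name contains only a harmless `echo`.

```python
import os
import re
import subprocess
import tempfile

# Characters that only matter if a name is ever re-parsed by a shell.
SHELL_META = re.compile(r"[`$;|&<>(){}\\\n]")


def suspicious_filename(name):
    """True if the name contains shell metacharacters worth logging."""
    return bool(SHELL_META.search(name))


def size_unsafe(path):
    """Vulnerable pattern: the name is spliced into a command string and handed
    to /bin/sh, which expands $(...) and splits on ';' before wc ever runs.
    Returns the byte count, or None when the shell mangled the name."""
    result = subprocess.run(f"wc -c < {path}", shell=True,
                            capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return int(result.stdout.strip())


def size_safe(path):
    """Hardened pattern: argument list, no shell, and '--' ends option parsing
    so a name beginning with '-' cannot be read as a flag."""
    result = subprocess.run(["wc", "-c", "--", path],
                            capture_output=True, text=True, check=True)
    return int(result.stdout.split()[0])


def process_extracted(directory):
    """Walk an extraction directory; names reach tools only as data."""
    report = {"files": 0, "flagged": [], "sizes": {}}
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if suspicious_filename(entry.name):
                report["flagged"].append(entry.name)   # log, do not interpret
            report["sizes"][entry.name] = size_safe(entry.path)
            report["files"] += 1
    return report


def contrast(directory):
    """Demo only: {name: (hardened result, vulnerable result)} per file."""
    return {e.name: (size_safe(e.path), size_unsafe(e.path))
            for e in os.scandir(directory) if e.is_file(follow_symlinks=False)}


def make_fixture():
    """Constructed fixture: a benign name and one carrying $(...), which a
    careless 'for f in $(ls); do eval ...' loop would hand to the shell."""
    directory = tempfile.mkdtemp()
    for name, content in (("invoice.pdf", b"%PDF"),
                          ("report-$(echo marker).txt", b"")):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    fixture = make_fixture()
    print(process_extracted(fixture))
    print(contrast(fixture))
```

On the marker file the vulnerable call fails because the shell substituted `marker` into the path before opening it, which is the same mechanism the filename payload relies on; the hardened call returns 0 bytes because the name was never parsed as code.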

Sun, August 24, 2025

Malicious Go Module Poses as SSH Brute-Force Tool, Steals

🔒 Researchers identified a malicious Go module that masquerades as an SSH brute-force utility but secretly exfiltrates credentials to a threat actor via a hard-coded Telegram bot. The package, golang-random-ip-ssh-bruteforce, published on June 24, 2022 and still accessible on pkg.go.dev, scans random IPv4 addresses, attempts concurrent logins from a small username/password list, and disables host key verification. On the first successful login it sends the IP, username and password to @sshZXC_bot, which forwards results to @io_ping, allowing the actor to centralize harvested credentials while distributing scanning risk.


Fri, August 22, 2025

Blue Locker Ransomware Targets Critical Infrastructure

🔒 Pakistan Petroleum Limited (PPL) was struck by the Blue Locker ransomware, detected on 6 August. The malware appends a .blue extension to encrypted files, and the company has reported deletion of backups and theft of some business and employee data. The incident encrypted servers and disrupted financial operations while recovery work proceeded in a phased manner. Pakistan's NCERT issued a high alert to 39 key ministries and institutions and warned of multiple distribution vectors. Organisations, especially critical infrastructure operators, are urged to verify and isolate backups, implement network segmentation and enhanced monitoring, and engage incident response and forensic teams as needed.


Fri, August 22, 2025

INTERPOL Arrests 1,209 Cybercriminals in Africa Sweep

🔎 INTERPOL coordinated a multi-country crackdown that led to the arrest of 1,209 suspected cybercriminals across 18 African nations, targeting schemes that affected roughly 88,000 victims. The operation, the second phase of Operation Serengeti carried out between June and August 2025, recovered about $97.4 million and dismantled 11,432 malicious infrastructures. Private-sector partners including Group-IB and TRM Labs contributed intelligence on cryptocurrency fraud and ransomware links.


Fri, August 22, 2025

Ex-Developer Jailed for Deploying Kill-Switch Malware

🛑 A former software developer was sentenced to four years in prison after intentionally sabotaging his employer's servers with custom malware that included a kill switch. Davis Lu, 55, abused his access in 2019 to introduce infinite-loop Java code, delete coworker profiles, and deploy a kill switch named 'IsDLEnabledinAD' that locked out users when his Active Directory account was disabled. The DOJ said the incident, reportedly at Eaton Corporation, disrupted thousands of users and caused hundreds of thousands of dollars in losses.


Fri, August 22, 2025

Amazon Bedrock Data Automation Now in GovCloud (US-West)

🚀 Amazon Bedrock Data Automation (BDA) is now generally available in the AWS GovCloud (US-West) Region. BDA automates extraction of actionable insights from unstructured multimodal content—documents, images, video, and audio—helping developers accelerate GenAI-based applications like intelligent document processing and media analysis. It can run standalone or as a parser in Amazon Knowledge Bases RAG workflows and is now offered in eight AWS Regions.


Fri, August 22, 2025

Amazon EKS adds namespace configuration for add-ons

🔧 Amazon Elastic Kubernetes Service (Amazon EKS) now allows you to select a custom Kubernetes namespace when installing both AWS and Community add-ons, giving operators finer control over object organization and isolation within clusters. You can install add-ons into a chosen namespace via the AWS Console, EKS APIs, AWS CLI, or infrastructure-as-code tools like CloudFormation. Note that to move an installed add-on to a different namespace you must remove and recreate it. This capability is available in all commercial AWS Regions.


Fri, August 22, 2025

AWS releases MCP server for Billing and Cost Management

🧾 AWS has published an open-source Model Context Protocol (MCP) server for Billing and Cost Management, available in the AWS Labs GitHub repository. The server exposes AWS service APIs and a dedicated SQL-based calculation engine to produce reliable, reproducible cost calculations across large volumes of usage data. It integrates with any MCP-compatible AI assistant or agent — including Q Developer CLI, the Kiro IDE, Visual Studio Code, and Claude Desktop — enabling customers to analyze historical spend, find optimization opportunities, and estimate costs for new workloads with minimal configuration.


Fri, August 22, 2025

Mesh Messaging Apps: Use Cases, Risks, and Best Practices

📡 Decentralized peer-to-peer "mesh" messaging apps let nearby phones communicate without internet using Bluetooth or Wi‑Fi Direct. Popular and emerging apps — including BitChat, Bridgefy, Briar, and White Mouse — offer offline messaging with varying privacy features and tradeoffs. While useful for disasters, festivals, or local coordination, these tools have limited range, higher battery use, and mixed encryption reliability; favor open-source and independently audited projects.


Fri, August 22, 2025

Amazon EC2 R7g Graviton3 Instances Launch in Cape Town

🚀 Amazon EC2 R7g instances powered by Graviton3 processors are now available in AWS Africa (Cape Town). These instances deliver up to 25% better compute performance versus Graviton2 and can use up to 60% less energy for comparable performance, helping reduce cloud carbon footprint. They come in nine sizes, including bare metal, and offer up to 30 Gbps networking and 20 Gbps EBS bandwidth, running on the AWS Nitro System for secure, high‑performance isolation.


Fri, August 22, 2025

Amazon RDS for PostgreSQL Adds Delayed Read Replicas

🕒 Amazon RDS for PostgreSQL now supports delayed read replicas, allowing you to specify a minimum time period for a replica to intentionally lag behind its source. This configurable time buffer helps protect against human errors such as accidental table drops or unwanted data modifications by preserving a recoverable replica state. In recovery workflows you can pause replication before problematic changes are applied, resume replication to a specific log position, and promote the replica as the new primary to achieve faster recovery than lengthy point-in-time restores.


Fri, August 22, 2025

Amazon RDS for Db2 Adds Support for Read Replicas Now

🔁 Amazon RDS for Db2 now supports read replicas, allowing customers to add up to three replicas per instance to offload read-only workloads and reduce load on the primary database. Replicas can be created in the same Region or across Regions and use asynchronous replication so read queries do not impact the writer. You can promote a replica for disaster recovery to enable read/write operations. Note that IBM Db2 licenses are required for all replica vCPUs; customers may use On‑Demand licenses from the AWS Marketplace or BYOL.


Fri, August 22, 2025

Amazon SageMaker Unified Studio adds S3 file sharing option

📂 Amazon SageMaker Unified Studio now offers a simplified S3-based file storage option for project collaboration. Customers can choose between Git integrations (GitHub, GitLab, Bitbucket Cloud) or Amazon S3 buckets, with S3 set as the default while Git remains fully supported. The S3 option gives a consistent view of files across Studio tools, uses a last-write-wins model, and supports basic versioning when administrators enable it.


Fri, August 22, 2025

Count Tokens API Adds Claude Model Support in Bedrock

🧮 The Count Tokens API is now available in Amazon Bedrock, enabling users to determine token counts for a prompt or input prior to performing inference. Anthropic’s Claude models are supported at launch and the feature is available in all regions where those models run. This improves cost projection, gives more control over token limits, and reduces the risk of unexpected throttling. It also helps ensure inputs fit within a model's context length for more efficient prompt optimization.


Sun, August 24, 2025

Cloudflare AI Week 2025: Securing AI, Protecting Content

🔒 Cloudflare this week outlines a multi-pronged plan to help organizations build secure, production-grade AI experiences while protecting original content and infrastructure. The company will roll out controls to detect Shadow AI, enforce approved AI toolchains, and harden models against poisoning or misuse. It is expanding Crawl Control for content owners and enhancing the AI Gateway with caching, observability, and framework integrations to reduce risk and operational cost.


Fri, August 22, 2025

Europol: Telegram Post Claiming $50,000 Qilin Bounty Is Fake

🔍 Europol has confirmed that a circulated Telegram post claiming a reward of up to $50,000 for information on senior Qilin ransomware operators is false. The message originated on a newly created channel (@europolcti) rather than on Europol's official accounts and was amplified by security outlets after being copied. The bogus announcement named alleged aliases "Haise" and "XORacle", and the channel poster later boasted about fooling researchers and journalists. Europol stressed that Qilin remains a significant threat, previously linked to an attack on a UK NHS provider with severe consequences.


Fri, August 22, 2025

CISA Seeks Comment on Updated SBOM Minimum Elements

📝 CISA opened a public comment period on updated guidance for the Minimum Elements for a Software Bill of Materials (SBOM), with submissions accepted through October 3, 2025. The draft refines required data fields, strengthens automation and machine-readable support, and clarifies operational practices to help organizations produce scalable, interoperable, and comprehensive SBOMs. Stakeholders are encouraged to provide feedback via the Federal Register to inform a future final release.


Fri, August 22, 2025

CISA Issues Draft SBOM Minimum Elements Guide for Comment

📣 CISA released a draft Minimum Elements for a Software Bill of Materials (SBOM) for public comment, updating the baseline to reflect advances in tooling and increased SBOM adoption since 2021. The guidance adds elements such as component hash, license, tool name, and generation context, and clarifies existing fields like SBOM author and software producer. Comments are open through October 3, 2025.

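Both CISA items, and the day's summary, describe the draft in terms of data fields: identifiers, versions, supplier, license and hashes per component, plus SBOM author and generation context. The following added example, not CISA's code nor anything from the page, checks a CycloneDX-style JSON document for that element set and reports what each component lacks. Which elements the final guidance will actually mandate, and the exact CycloneDX field paths used here, are assumptions to verify against the spec and the published guidance; the sample SBOM is constructed.

```python
import json

# Element set assumed from the page's summary of the draft (identifier, version,
# supplier, license, hashes) plus document author and timestamp.  Field paths
# follow the CycloneDX 1.x JSON layout as assumed here.
REQUIRED_COMPONENT_FIELDS = ("name", "version", "supplier", "licenses", "hashes")
IDENTIFIER_FIELDS = ("purl", "cpe", "bom-ref")      # at least one must be present
STRONG_HASH_ALGS = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256"}


def check_component(comp):
    """Return the list of minimum-element problems for one component."""
    problems = []
    for field in REQUIRED_COMPONENT_FIELDS:
        if not comp.get(field):
            problems.append(f"missing {field}")
    if not any(comp.get(f) for f in IDENTIFIER_FIELDS):
        problems.append("no unique identifier (purl/cpe/bom-ref)")
    hashes = comp.get("hashes") or []
    if hashes and not any(h.get("alg") in STRONG_HASH_ALGS for h in hashes):
        problems.append("no strong hash (SHA-256 or better)")
    return problems


def check_sbom(doc):
    """Return {label: [problems]}; document-level issues go under '_document'."""
    report = {}
    meta = doc.get("metadata", {})
    doc_problems = []
    if not meta.get("timestamp"):
        doc_problems.append("missing metadata.timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        doc_problems.append("missing SBOM author or generating tool")
    if not meta.get("component"):
        doc_problems.append("missing primary component")
    if doc_problems:
        report["_document"] = doc_problems
    for comp in doc.get("components", []):
        label = f'{comp.get("name", "?")}@{comp.get("version", "?")}'
        problems = check_component(comp)
        if problems:
            report[label] = problems
    return report


# Constructed sample: one complete component, one with weak data, one sparse.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {
    "timestamp": "2025-08-22T00:00:00Z",
    "authors": [{"name": "Example Build Team"}],
    "component": {"name": "example-app", "version": "1.0.0"}
  },
  "components": [
    {"name": "libfoo", "version": "2.3.1", "purl": "pkg:generic/libfoo@2.3.1",
     "supplier": {"name": "Foo Project"},
     "licenses": [{"license": {"id": "MIT"}}],
     "hashes": [{"alg": "SHA-256", "content": "CONSTRUCTED-PLACEHOLDER"}]},
    {"name": "libbar", "version": "0.9",
     "supplier": {"name": "Bar Inc"},
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "hashes": [{"alg": "MD5", "content": "CONSTRUCTED-PLACEHOLDER"}]},
    {"name": "libbaz", "purl": "pkg:generic/libbaz", "hashes": []}
  ]
}
""")

if __name__ == "__main__":
    for label, problems in check_sbom(SAMPLE_SBOM).items():
        print(label, "->", "; ".join(problems))
```

Treating an MD5-only hash as a finding is a policy choice of this example: the page says the draft adds a component hash element without stating an algorithm, so tighten or relax `STRONG_HASH_ALGS` to match the final text.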

Fri, August 22, 2025

MoQ: A unified, low-latency media relay on QUIC at scale

🔁 Cloudflare announces the first Media over QUIC (MoQ) relay network, built on a modern transport to unify ingest and delivery for real-time media. MoQ — an open IETF protocol developed alongside vendors like Meta, Google, and Cisco — treats media as named, subscribable tracks and forwards immutable wire Objects via relays without transcoding. The design leverages QUIC features such as no head-of-line blocking, connection migration, and 0-RTT resumption to deliver sub-second latency at broadcast scale, while simplifying architectures that previously required many disparate protocols.


Fri, August 22, 2025

Automation Is Reshaping Penetration Test Delivery Workflows

🔁 Pentesting remains a critical control for uncovering real-world vulnerabilities, but static PDF reports and spreadsheet handoffs create delays and inefficiencies. The piece advocates automating pentest delivery so findings are consolidated and routed in real time through rules-based workflows, enabling teams to act immediately and reduce churn. Platforms like PlexTrac are highlighted for centralizing manual and scanner outputs, automating ticketing into tools such as Jira and ServiceNow, and triggering retests to close the loop. The result is faster remediation, standardized processes, and measurable reductions in MTTR for both service providers and enterprises.


Fri, August 22, 2025

Data Integrity Must Be Core for AI Agents in Web 3.0

🔐 In this essay Bruce Schneier (with Davi Ottenheimer) argues that data integrity must be the foundational trust mechanism for autonomous AI agents operating in Web 3.0. He frames integrity as distinct from availability and confidentiality, and breaks it into input, processing, storage, and contextual dimensions. The piece describes decentralized protocols and cryptographic verification as ways to restore stewardship to data creators and offers practical controls such as signatures, DIDs, formal verification, compartmentalization, continuous monitoring, and independent certification to make AI behavior verifiable and accountable.


Fri, August 22, 2025

Bruce Schneier to Spend Academic Year at Munk School

📚 Bruce Schneier will spend the 2025–26 academic year at the University of Toronto’s Munk School as an adjunct. He will organize a reading group on AI security in the fall and teach his cybersecurity policy course in the spring. He intends to collaborate with Citizen Lab, the Law School, and the Schwartz Reisman Institute, and to participate in Toronto’s academic and cultural life. He describes the opportunity as exciting.


Fri, August 22, 2025

What’s New in Google Cloud: Releases, Previews, and News

🔔 Google Cloud published a consolidated roundup of product releases and previews from early July through Aug 22, 2025, covering GA launches, public previews, and platform enhancements. Highlights include Earth Engine in BigQuery (GA), Vertex AI embedding scaling, new GKE features for NUMA alignment and swap, expanded NodeConfig controls, and Cloud Run with GPUs. Customers should review the linked documentation, request preview access via account teams where needed, and plan upgrades or migrations accordingly.


Fri, August 22, 2025

Microsoft’s open-source journey: from Linux to AI scale

🔎 Microsoft recounts its transition from an early Linux contributor in 2009 to one of the largest open-source supporters in cloud and AI today. The post highlights Azure as a top contributor to the CNCF, the 2015 launch of VS Code, the 2018 GitHub acquisition, and the role of AKS and managed PostgreSQL in enterprise deployments. It also describes COSMIC, explains how OpenAI’s ChatGPT runs at global scale on Azure infrastructure, and lists projects Azure teams are building in the open.


Fri, August 22, 2025

UNWG Releases Video Series on P25 LMR Encryption Importance

🔐 The Joint SAFECOM–NCSWIC Project 25 (P25) User Needs Working Group (UNWG) has published a video series highlighting the importance of P25 land mobile radio (LMR) encryption for national security and first responder communications. The series explains three types of P25 protections — link layer authentication, link layer encryption, and voice traffic encryption — and why each matters. Another installment outlines UNWG’s role in preserving interoperability and encourages public safety stakeholder engagement.


Fri, August 22, 2025

Friday Squid Blogging: Bobtail Squid and Security News

🦑 The short entry presents the bobtail squid’s natural history—its bioluminescent symbiosis, nocturnal habits, and adaptive camouflage—in a crisp, approachable summary. As with other 'squid blogging' posts, the author invites readers to use the item as a forum for current security stories and news that the blog has not yet covered. The post also reiterates the blog's moderation policy to guide constructive discussion.
