Cybersecurity Roundup: State-Backed Threats, Banking Malware, and Major Takedowns Recent cybersecurity developments highlight escalating threats from state-sponsored actors, sophisticated banking malware, and large-scale law enforcement operations. Iran’s Cyber Operations Expand with Criminal Partnerships Research from Check Point reveals Iran’s Ministry of Intelligence and Security is collaborating with cybercriminal groups to enhance its cyber capabilities. Iranian APTs like Void Manticore are leveraging tools such as the Rhadamanthys infostealer and engaging in ransomware-as-a-service (RaaS) ecosystems. This strategy obscures attribution by sourcing malware, infrastructure, and initial access from underground markets rather than developing proprietary tools. New Rust-Based Malware Targets Brazilian Banks Brazilian firm ZenoX uncovered VENON, a Rust-based banking trojan targeting 33 financial institutions in Brazil. The malware spreads via DLL side-loading, ClickFix social engineering, and employs nine evasion techniques. It monitors active windows, hijacks shortcuts, and deploys fake overlays to steal credentials particularly from Itaú’s banking app. VENON can also reverse modifications to avoid detection. England Hockey Investigates Ransomware Breach The AiLock ransomware gang claims to have stolen 129GB of data from England Hockey, threatening to leak it unless a ransom is paid. The organization, which oversees 800+ clubs and 150,000 players, is working with law enforcement and cybersecurity experts to assess the breach. AiLock, active since April 2025, uses double-extortion tactics and advanced encryption. Storm-2561 Exploits SEO Poisoning for Credential Theft Microsoft Threat Intelligence reports that Storm-2561 is distributing fake VPN clients via SEO poisoning. Users searching for legitimate VPN software are redirected to malicious sites hosting ZIP files with MSI installers that side-load the Hyrax infostealer. The malware, digitally signed to appear legitimate, captures VPN credentials and maintains persistence via the Windows RunOnce key. Hive0163 Deploys AI-Assisted Malware IBM X-Force researcher Golo Mühr revealed that Hive0163 is using Slopoly, an AI-generated malware, to maintain persistence in ransomware attacks. Deployed via PowerShell scripts and scheduled tasks, Slopoly acts as a backdoor, beaconing system data and executing commands from a C2 server. While AI helped generate structured code, the malware relies on standard persistence techniques. Hive0163 frequently uses ClickFix, malvertising, and access brokers to deliver threats like NodeSnake, Interlock RAT, and Interlock ransomware. Operation Lightning Disrupts SocksEscort Proxy Network A multinational law enforcement operation, Operation Lightning, dismantled the SocksEscort residential proxy network. Authorities seized 34 domains and 23 servers across seven countries and froze $3.5 million in cryptocurrency. The service, which infected routers with AVRecon malware, sold access to 369,000 compromised IPs used for fraud, ransomware, and account takeovers. The network had 124,000 users and caused tens of millions in losses. Veeam Patches Critical RCE Flaws in Backup Software Veeam released patches for multiple vulnerabilities in its Backup & Replication software, including four critical remote code execution (RCE) flaws that could allow low-privileged users to execute code on backup servers. The bugs also enable privilege escalation and credential theft. Fixes are included in versions 12.3.2.4465 and 13.0.1.2067. Veeam warned that attackers often reverse-engineer patches to target unpatched systems, noting backup servers are prime ransomware targets. PixRevolution Trojan Hijacks Brazil’s PIX Payments Researchers at Zimperium discovered PixRevolution, an Android banking trojan that intercepts Brazil’s PIX instant payment system by replacing recipient payment keys during transactions. The malware abuses Android accessibility permissions to monitor screens, stream activity to a command server, and allow real-time intervention by attackers. It spreads via fake Google Play store pages and targets Brazil’s PIX network, used by 76% of Brazilians and processing over three billion transactions monthly.