In September 2025, Trend Micro researchers noted a striking decline in new command and control infrastructure activity associated with Lummastealer (which Trend Micro tracks as Water Kurita), as well as a significant reduction in the number of endpoints targeted by this notorious malware.
This sudden drop appears to align with a targeted underground exposure campaign that has put the spotlight on individuals allegedly linked to the Lummastealer operation. Allegedly driven by competitors, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lummastealer’s infrastructure and communications.
Read more…
Source: Trend Micro
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Google Releases Security Update for Chrome
July 18, 2025
Google has released version 138.0.7204.157/.158 for Chrome for Windows and Mac and 138.0.7204.157 for Chrome for Linux, which will roll out over the coming days/weeks. The updates address three high severity vulnerabilities, including CVE-2025-6558, which has an exploit in the wild. CVE-2025-6558: Incorrect validation of untrusted input in ANGLE and GPU vulnerability – CVSSv3 score: 8.8 Read ...
- Ransomware gang attacking NAS devices taken down in major police operation
July 18, 2025
A 44-year-old Romanian national has been arrested during a law enforcement operation to dismantle a ransomware campaign called “Diskstation”. Diskstation usually targets Synology Network-Attached Storage (NAS) devices, often used in an enterprise environment for centralized file storage and sharing, data backup and recovery, and general content hosting. The group was first spotted in 2021, and has ...
- British spies and SAS named in Afghan data breach
July 17, 2025
The identities of more than 100 British officials, including members of the special forces and MI6, were compromised in a data breach that also put thousands of Afghans at risk of reprisal, it can be reported. The latest fallout from the breach was kept secret by an injunction until Thursday, when the order was lifted in ...
- Hackers are trying to steal passwords and sensitive data from users of Signal clone
July 17, 2025
Hackers are targeting a previously reported bug in the Signal clone app TeleMessage in an effort to steal users’ private data, according to security researchers and a U.S. government agency. TeleMessage, which earlier this year was revealed to be used by high-ranking officials in the Trump administration, already experienced at least one data breach in May. ...
- GhostContainer backdoor: Malware compromising Exchange servers of high-value organizations in Asia
July 17, 2025
In a recent incident response (IR) case, Kaspersky researchers discovered highly customized malware targeting Exchange infrastructure within government environments. Analysis of detection logs and clues within the sample suggests that the Exchange server was likely compromised via a known N-day vulnerability. Kaspersky in-depth analysis of the malware revealed a sophisticated, multi-functional backdoor that can be dynamically ...
- Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor
July 16, 2025
Google Threat Intelligence Group (GTIG) has identified an ongoing campaign by a suspected financially-motivated threat actor we track as UNC6148, targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. GTIG assesses with high confidence that UNC6148 is leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access ...