{
	"id": "5e6de91b-b542-4639-a885-ea9361150963",
	"created_at": "2026-04-06T00:18:00.395824Z",
	"updated_at": "2026-04-10T03:36:47.675211Z",
	"deleted_at": null,
	"sha1_hash": "cdfaf37f45face1ed7d14916dbd061b1893f8963",
	"title": "Cyber Intel Brief: NightEagle APT, AI deepfakes, SPNEGO flaw",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 229251,
	"plain_text": "Cyber Intel Brief: NightEagle APT, AI deepfakes, SPNEGO flaw\r\nArchived: 2026-04-02 10:41:31 UTC\r\nStay up to date on the most pressing cyber threats, emerging trends and what they mean for enterprise security,\r\ncritical infrastructure and global risk.\r\nTLP: CLEAR\r\nExecutive Summary\r\nThe July 4-11 intelligence collection period revealed critical vulnerabilities requiring immediate attention and\r\nsophisticated campaigns targeting democratic institutions and critical infrastructure. Microsoft's July Patch\r\nTuesday addressed 137 vulnerabilities, including a critical Windows SPNEGO flaw (CVE-2025-47981) that researchers\r\nconsider wormable, with self-propagating potential similar to WannaCry, while CISA added six known exploited vulnerabilities to the\r\nKEV catalog with federal compliance deadlines between July 11 and July 31, 2025.\r\nMost significant this week was the emergence of NightEagle APT, a rare suspected North American\r\nstate-sponsored operation targeting Chinese strategic technology sectors, alongside unprecedented AI-powered\r\nimpersonation campaigns against U.S. Secretary of State Marco Rubio. These developments signal a concerning\r\nescalation in both offensive cyber capabilities and the weaponization of artificial intelligence against democratic\r\ninstitutions, requiring enhanced defensive measures across government and critical infrastructure sectors.\r\nCritical Incidents\r\n1. Wormable Windows SPNEGO Vulnerability Poses Enterprise Propagation Risk\r\nhttps://www.authentic8.com/blog/cyber-intel-brief-nighteagle-apt-ai-deepfakes-spnego-flaw\r\nPage 1 of 6\n\nMicrosoft's July Patch Tuesday included CVE-2025-47981, a critical Windows SPNEGO Extended Negotiation (NEGOEX)\r\nvulnerability (CVSS 9.8) enabling unauthenticated remote code execution with wormable characteristics. The flaw\r\naffects Windows 10 version 1607 and later and is reachable over the network through any service that negotiates authentication via SPNEGO, such as SMB, RDP, and IIS,\r\nwithout user interaction. 
Security experts are drawing parallels to WannaCry because of its self-propagating\r\npotential; Microsoft addressed 137 vulnerabilities in total, including 14 rated critical. Additionally,\r\nCVE-2025-49719 is a publicly disclosed SQL Server information disclosure vulnerability for which proof-of-concept code is available.[1]\r\nAnalyst Comment: The combination of pre-authentication remote exploitation and wormable characteristics\r\ndemands immediate patching prioritization across all Windows environments, particularly in enterprise networks\r\nwith extensive lateral movement potential. Microsoft attributes the client-side exposure on Windows 10 version 1607 and later to the \"Network security: Allow PKU2U authentication requests to this computer to use online identities\" policy being enabled by default, so that setting should be reviewed wherever patching must wait.\r\n2. CISA KEV Catalog Additions Signal Active Federal Compliance Deadlines\r\nCISA added six vulnerabilities to the Known Exploited Vulnerabilities catalog during the collection period,\r\nrequiring federal agency remediation by deadlines between July 11 and July 31, 2025. Critical additions include CVE-2025-5777 (Citrix\r\nNetScaler, CVSS 9.3), dubbed \"CitrixBleed 2\" and given an unusually short one-day deadline of July 11, CVE-2014-3931 (Multi-Router Looking Glass, CVSS 9.8),\r\nCVE-2016-10033 (PHPMailer, CVSS 9.8), and CVE-2019-9621 (Zimbra Collaboration Suite, CVSS 7.5), previously\r\nexploited by the Earth Lusca APT. All of these vulnerabilities show confirmed evidence of active exploitation in the wild,\r\ndemonstrating continued targeting of federal infrastructure.[2,3]\r\n3. Nippon Steel Solutions Zero-Day Breach Exposes Critical Infrastructure Vulnerabilities\r\nNippon Steel Solutions confirmed a data breach following zero-day exploitation of network\r\nequipment on March 7, 2025, with disclosure delayed until July 9. The attack compromised customer, partner, and\r\nemployee personal information, demonstrating advanced adversary capabilities against critical infrastructure\r\nsubsidiaries. 
The incident demonstrates ongoing targeting of strategic technology sectors; the company\r\nisolated and rebuilt the affected devices and confirmed no impact to its cloud services and no exposure of the\r\nstolen data on the dark web.[4]\r\nAnalyst Comment: The four-month disclosure delay highlights the critical need for enhanced zero-day detection\r\ncapabilities across critical infrastructure networks, particularly for the edge network equipment that forms the\r\nperimeter of organizational security.\r\n4. Qantas Airways Data Breach Exposes 5.7 Million Customer Records\r\nQantas Airways confirmed a cyber incident affecting 5.7 million unique customer records through a compromised\r\nthird-party call center system, disclosed July 9, 2025. The breach exposed varying levels of personal information:\r\nfour million records were limited to name, email, and frequent flyer details, while 1.7 million records\r\ncontained additional data including addresses (1.3M), dates of birth (1.1M), and phone numbers (900K). The\r\nairline confirmed that no credit card details, financial information, passport data, or frequent flyer account credentials\r\nwere compromised, and that there is no evidence of the stolen data having been released publicly. 
The incident is one of the\r\nlargest transportation sector breaches of 2025, affecting Australia's flag carrier and prompting enhanced\r\ncybersecurity measures across the organization.[5]\r\nAnalyst Comment: The targeting of third-party call center infrastructure demonstrates threat actors'\r\nfocus on supply chain vulnerabilities as attack vectors into major transportation providers, requiring enhanced\r\nvendor security assessments.\r\nActive Threat Actors\r\nNightEagle APT (APT-Q-95)\r\nQiAnXin researchers identified a sophisticated threat actor assessed to be a rare North American state-sponsored operation targeting Chinese strategic sectors. NightEagle exploits a yet-unidentified Microsoft Exchange zero-day vulnerability chain to steal the server's ASP.NET machineKey, which lets it craft serialized payloads the Exchange server will deserialize, and focuses on quantum technology, semiconductors, AI\r\nresearch, and military industrial targets. Operations occur exclusively between 9pm and 6am Beijing time, suggesting operators working in\r\nNorth American time zones, and substantial infrastructure investment indicates state-level funding. The\r\ngroup employs custom malware for each target, demonstrating advanced operational security and significant\r\nresource allocation against Chinese strategic technology development.[6] Because a stolen machineKey remains usable after the initial exploit is patched, rotating the key is part of remediation.\r\nFamous Chollima (North Korean APT)\r\nThe DPRK-linked threat actor deployed PylangGhost RAT, a Python-based variant of GolangGhost, targeting\r\ncryptocurrency and blockchain professionals in India since May 2025. The campaign uses fake job interview and\r\nskill-testing sites as initial infection vectors, demonstrating continued evolution in North Korean cryptocurrency-focused operations. 
The malware mirrors its Golang predecessor's capabilities while expanding targeting to\r\nWindows systems, representing ongoing North Korean efforts to compromise financial technology sectors through\r\nsophisticated social engineering campaigns.[7]\r\nPay2Key Ransomware-as-a-Service\r\nIranian-backed cybercriminals revived the Pay2Key ransomware operation, offering an 80% profit share to affiliates who support Iran\r\nand hosting the platform on the Invisible Internet Project (I2P) for enhanced anonymity. The group claims over 51\r\nsuccessful ransom payouts generating more than $4 million in four months, primarily targeting Israeli and U.S.\r\norganizations for ideological reasons. The operation added Linux targeting capabilities in June 2025 and\r\nis the first known RaaS platform hosted entirely on I2P, demonstrating Iranian state-sponsored actors'\r\nadaptation to evade traditional detection methods.[8]\r\nTrends\r\nAI Weaponization Against Democratic Institutions Escalates\r\nUnknown threat actors impersonated U.S. Secretary of State Marco Rubio using artificial intelligence\r\nvoice and text generation, contacting three foreign ministers, one U.S. governor, and one member of Congress\r\nthrough Signal messaging. The campaign used voice cloning and writing style mimicry with a fake\r\n\"marco.rubio@state.gov\" display name, prompting the State Department to issue a global diplomatic warning on July 3.[9]\r\nThis is part of a broader campaign targeting senior U.S. 
officials, including the earlier impersonation of White House\r\nChief of Staff Susie Wiles, demonstrating the urgent need for voice authentication protocols and enhanced\r\nverification procedures across government communications.\r\nAnalyst Comment: The AI capabilities demonstrated against high-level government officials signal a\r\ncritical escalation requiring immediate implementation of voice authentication protocols across all government\r\ncommunications. A display name is trivially spoofed on any messaging platform, so the identity behind a sensitive request should be confirmed through a separately established, known channel before acting on it.\r\nFinancial Fraud Schemes Target U.S. Investors Through Social Engineering\r\nThe FBI reported a 300% increase in \"ramp-and-dump\" stock manipulation schemes targeting U.S. investors through\r\nsocial media platforms.[10] Criminals target investors through social media \"investment clubs\" using secure\r\nmessaging apps and potentially employing bots or fake accounts to impersonate legitimate brokerage firms and\r\nstock analysts. The schemes involve coordinated efforts to artificially inflate low-priced stock prices before\r\ndumping shares, a significant evolution in financially motivated social engineering campaigns against\r\nretail investors.\r\nAnalyst Comment: The dramatic increase in coordinated financial manipulation through social media platforms\r\ndemonstrates threat actors' adaptation to exploit retail investor behavior and platform vulnerabilities.\r\nCritical Infrastructure Zero-Day Exploitation Accelerates Across Technology Sectors\r\nAnalysis of the collection period reveals sophisticated threat actors increasingly targeting network equipment and\r\ncommunication platforms with zero-day vulnerabilities. 
Wing FTP Server (CVE-2025-47812, CVSS 10.0)\r\nhas been under active exploitation since July 1, with 8,103 publicly accessible instances observed globally,[11] while\r\nTeleMessage SGNL platforms (CVE-2025-48927, CVE-2025-48928) were added to the CISA KEV catalog for insecure\r\ndefaults (an exposed Spring Boot Actuator heap dump endpoint) and core dump exposure.[12] This pattern demonstrates systematic targeting of file transfer and\r\ncommunication infrastructure across critical sectors.\r\nAnalyst Comment: The focus on communication and file transfer platforms suggests coordinated campaigns to\r\nestablish persistent access points into organizational networks through commonly overlooked infrastructure\r\ncomponents.\r\nRansomware Group Ecosystem Evolution Shows 65% Victim Overlap Rate\r\nMajor ransomware operations experienced significant disruption, with Hunters International shutting down on July 3\r\nwhile offering free decryption keys, and SatanLock ceasing operations on July 7 while threatening to leak all stolen\r\ndata. SatanLock claimed 67 victims since April 2025, 65% of which had previously been compromised by other groups,\r\nindicating systematic targeting of already-vulnerable organizations. 
Both shutdowns follow increased law\r\nenforcement pressure and declining profitability, with groups pivoting to data theft-only extortion models (no encryption) under new\r\nbranding such as \"World Leaks.\"[13]\r\nAnalyst Comment: The high victim overlap rate demonstrates that organizations breached once face\r\nsignificantly elevated risk of repeated targeting, requiring enhanced monitoring and incident response capabilities\r\nbeyond initial remediation.\r\nVulnerabilities\r\nCritical Patches Required This Week\r\nContinuing Active Exploitation\r\nRecommendations\r\nImmediate Actions (0-24 Hours)\r\n• Deploy Microsoft July 2025 patches immediately, prioritizing CVE-2025-47981 and CVE-2025-49719 across all\r\nWindows environments\r\n• Update Wing FTP Server to version 7.4.4 or later and audit for unauthorized Lua files or ScreenConnect installations\r\n• Validate that all six CISA KEV catalog vulnerabilities are remediated by their federal compliance deadlines (July 11 for CVE-2025-5777;\r\nJuly 28-31, 2025 for the others)\r\n• Implement enhanced voice authentication protocols for sensitive government and executive communications\r\n• Scan for and remediate the PHPMailer, MRLG, and Zimbra vulnerabilities across all federal systems\r\nReferences\r\n1. Bleeping Computer. (2025, July 8). Microsoft July 2025 Patch Tuesday fixes one zero-day, 137 flaws.\r\nhttps://www.bleepingcomputer.com/news/microsoft/microsoft-july-2025-patch-tuesday-fixes-one-zero-day-137-flaws/\r\n2. Cybersecurity and Infrastructure Security Agency. (2025, July 10). CISA adds one known exploited\r\nvulnerability to catalog. https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog\r\n3. Cybersecurity and Infrastructure Security Agency. (2025, July 7). CISA adds four known exploited\r\nvulnerabilities to catalog. 
https://www.cisa.gov/news-events/alerts/2025/07/07/cisa-adds-four-known-exploited-vulnerabilities-catalog\r\n4. Security Affairs. (2025, July 9). Nippon Steel Solutions suffered a data breach following a zero-day attack.\r\nhttps://securityaffairs.com/179766/data-breach/nippon-steel-solutions-data-breach.html\r\n5. Qantas Airways. (2025, July 9). Update on Qantas cyber incident: Wednesday 9 July 2025. Qantas\r\nNewsroom. https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-wednesday-9-july-2025/\r\n6. The Hacker News. (2025, July 5). NightEagle APT Exploits Microsoft Exchange Flaw to Target China's\r\nMilitary and Tech Sectors. https://thehackernews.com/2025/07/nighteagle-apt-exploits-microsoft.html\r\n7. Check Point Research. (2025, July 6). 6th July -- Threat intelligence report.\r\nhttps://research.checkpoint.com/2025/6th-july-threat-intelligence-report/\r\n8. The Hacker News. (2025, July 3). Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit\r\nShare for Cybercriminals. https://thehackernews.com/2025/07/iranian-backed-pay2key-ransomware.html\r\n9. The Washington Post. (2025, July 8). A Marco Rubio impostor is using AI voice to call high-level officials.\r\nhttps://www.washingtonpost.com/national-security/2025/07/08/marco-rubio-ai-imposter-signal/\r\n10. Federal Bureau of Investigation Internet Crime Complaint Center. (2025, July 3). Fraudsters target US\r\nstock investors through investment clubs accessed on social media and messaging applications [Alert I-070325-PSA]. https://www.ic3.gov/PSA/2025/PSA250703\r\n11. The Hacker News. (2025, July 2). Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively\r\nBeing Exploited in the Wild. https://thehackernews.com/2025/07/critical-wing-ftp-server-vulnerability.html\r\n12. Cybersecurity and Infrastructure Security Agency. (2025, July 7). CISA adds four known exploited\r\nvulnerabilities to catalog. 
https://www.cisa.gov/news-events/alerts/2025/07/07/cisa-adds-four-known-exploited-vulnerabilities-catalog\r\n13. Check Point Research. (2025, July 6). 6th July -- Threat intelligence report.\r\nhttps://research.checkpoint.com/2025/6th-july-threat-intelligence-report/\r\nTags\r\nThreat intelligence\r\nSource: https://www.authentic8.com/blog/cyber-intel-brief-nighteagle-apt-ai-deepfakes-spnego-flaw",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.authentic8.com/blog/cyber-intel-brief-nighteagle-apt-ai-deepfakes-spnego-flaw"
	],
	"report_names": [
		"cyber-intel-brief-nighteagle-apt-ai-deepfakes-spnego-flaw"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "31d93f1d-7d73-4f7a-996d-1c57540d31b1",
			"created_at": "2025-08-30T02:00:04.339323Z",
			"updated_at": "2026-04-10T02:00:03.887045Z",
			"deleted_at": null,
			"main_name": "NightEagle",
			"aliases": [
				"APT-Q-95"
			],
			"source_name": "MISPGALAXY:NightEagle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdfaf37f45face1ed7d14916dbd061b1893f8963.pdf",
		"text": "https://archive.orkl.eu/cdfaf37f45face1ed7d14916dbd061b1893f8963.txt",
		"img": "https://archive.orkl.eu/cdfaf37f45face1ed7d14916dbd061b1893f8963.jpg"
	}
}