Svoboda Cybersecurity Brief December 02, 2025
Retail Giant Coupang Data Breach Affects 33.7 Million
South Korea’s largest online retailer, Coupang, confirmed a data breach exposing the names, phone numbers, emails, addresses, and order details of 33.7 million customers. The breach, discovered November 18, 2025, reportedly stemmed from a former employee whose access tokens had never been revoked after departure. No payment data was compromised.
Source: BleepingComputer
ShadyPanda Malware Campaign Infects 4.3M Browser Extensions
A long-running campaign (2018–2025) deployed 145 malicious Chrome/Edge extensions, including Clean Master (200K installs), with remote code execution (RCE) and data exfiltration capabilities. Recent variants evade detection via public services (Discord, Telegram) for C2 and target browsing history, keystrokes, and credentials.
Source: The Hacker News
Cryptomixer Takedown Seizes €25M in Bitcoin
Europol and German/Swiss authorities dismantled Cryptomixer, a hybrid crypto tumbler used to launder €1.3B in Bitcoin since 2016 by ransomware groups, dark markets, and fraudsters. The operation seized 12TB of data and servers, disrupting a key money-laundering hub.
Source: SecurityWeek
New Albiriox Android Malware Targets 400+ Banking Apps
Russian-speaking actors developed Albiriox, a malware-as-a-service (MaaS) Android trojan with VNC-based remote control and overlay attacks against banking and crypto apps. Distributed via fake Google Play landing pages (e.g., “PENNY Angebote”), it evades detection using the Golden Crypt crypting service.
Source: SecurityWeek
Glassworm Malware Returns to VS Code Extensions
A third wave of 24 malicious VS Code extensions (e.g., “flutcode.flutter-extension”) impersonates legitimate tools, using Rust-based implants and invisible Unicode characters to hide code, stealing GitHub/npm credentials and deploying SOCKS proxies. Publishers artificially inflate download counts to appear trustworthy.
Source: BleepingComputer
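The Glassworm item above relies on Unicode characters that render as nothing in an editor. The following is an added example (not tooling from BleepingComputer, Microsoft, or any project named in this brief) of a pre-install review check that flags such characters in extension or package source: it reports every code point in the Unicode format, control, private-use, unassigned, and line/paragraph-separator categories, plus the Hangul filler code points and variation selectors that are invisible but fall outside those categories. The sample JavaScript fragment is constructed for the demonstration.

```python
"""Flag invisible or format Unicode code points in source text.

Added example for reviewing extension or package source before
installation; it is not tooling from any vendor named in the brief.
"""
import unicodedata

# Code points that render as blank but are not in general category Cf.
# Constructed, non-exhaustive list.
EXTRA_INVISIBLE = {
    0x115F,  # HANGUL CHOSEONG FILLER
    0x1160,  # HANGUL JUNGSEONG FILLER
    0x3164,  # HANGUL FILLER
    0xFFA0,  # HALFWIDTH HANGUL FILLER
}

# Unicode general categories that should never appear in reviewed source.
SUSPICIOUS_CATEGORIES = {
    "Cf",  # format: zero-width space/joiner, bidi overrides, tag characters
    "Co",  # private use
    "Cn",  # unassigned
    "Zl",  # line separator (U+2028)
    "Zp",  # paragraph separator (U+2029)
}


def is_suspicious(ch: str) -> bool:
    """Return True for characters that render invisibly or alter layout
    without showing a glyph."""
    cp = ord(ch)
    cat = unicodedata.category(ch)
    if cat in SUSPICIOUS_CATEGORIES:
        return True
    if cat == "Cc" and ch != "\t":  # control characters other than tab
        return True
    if cp in EXTRA_INVISIBLE:
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors
        return True
    return False


def scan_source(text: str) -> list:
    """Return (line, column, 'U+XXXX', name) for every suspicious character.

    A leading U+FEFF byte-order mark is ignored: it is a legitimate encoding
    marker rather than hidden content. Lines are split on '\\n' only, with a
    trailing '\\r' stripped, so exotic separators are still reported.
    """
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        if line.endswith("\r"):
            line = line[:-1]
        for col, ch in enumerate(line):
            if line_no == 1 and col == 0 and ord(ch) == 0xFEFF:
                continue
            if is_suspicious(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


# Constructed sample: a JavaScript fragment with zero-width spaces after a
# statement and Hangul fillers inside a string literal, mimicking the
# invisible-character trick described above.
SAMPLE_JS = (
    'const apiUrl = "https://example.invalid/update";\n'
    'let x = 1;\u200b\u200b\n'
    'eval(decode("\u3164\u3164"));\n'
)

if __name__ == "__main__":
    for line, col, cp, name in scan_source(SAMPLE_JS):
        print(f"line {line} col {col}: {cp} {name}")
```

Run it over an unpacked .vsix or npm tarball (every .js, .ts, .json and README file) as part of the review that precedes installation; any hit in a file that claims to be plain ASCII source deserves a manual look, since there is no legitimate reason for zero-width characters or Hangul fillers to sit inside a statement or string literal.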
Tomiris APT Shifts to Public Services for C2
The Kazakhstan-linked group now uses Discord/Telegram for command-and-control in attacks on Russian/Central Asian government targets. Tactics include multi-language implants (Rust, Go, Python) and spear-phishing with RAR archives delivering reverse shells (e.g., AdaptixC2).
Source: The Hacker News
SmartTube YouTube App Compromised via Signing Keys
Attackers injected libalphasdk.so into SmartTube’s Android TV app (v30.51), enabling silent device fingerprinting and encrypted C2 communication. The developer revoked old keys and urged users to migrate to a new app ID.
Source: BleepingComputer
ScadaBR Vulnerability Exploited in ICS Hacktivist Attack
Pro-Russia group TwoNet exploited CVE-2021-26829, a cross-site scripting (XSS) flaw in ScadaBR that was patched in June 2021, to deface a water treatment HMI honeypot. The flaw allows arbitrary code execution via JavaScript injected into the system settings.
Impact: Unauthenticated HMI manipulation.
Mitigation: Apply ScadaBR patches from June 2021.
Source: SecurityWeek
Australian Hacker Jailed for Evil Twin Wi-Fi Attacks
Michael Clapsis used a Wi-Fi Pineapple to spoof networks at airports/flights, stealing credentials via fake login pages. Police seized thousands of intimate images and personal data during the investigation.
Source: SecurityWeek
John P. Meehan Agency Breach Exposes 2,326 Customers
A compromised employee email account (July 2024) exposed SSNs, financial data, and medical records, but affected customers were not notified until November 2025, a delay that violates Pennsylvania’s breach-notification laws.
Source: DataBreaches.net
New Horizons Medical Potentially Hit by DevMan Ransomware
The Massachusetts outpatient clinic was listed on DevMan’s leak site with claims of 90k records (236GB) exfiltrated. The same provider suffered a ransomware attack in 2023 impacting 12,317 patients.
Source: DataBreaches.net