Weekly Cyber Threat Activity Highlights Abuse Of Trusted Systems And Routine Workflows

Cybersecurity activity observed over the past week highlights a consistent pattern in which attackers relied less on novel exploits and more on the misuse of trusted systems, routine services and everyday digital workflows. Rather than forcing entry, many of the incidents involved quietly exploiting design features and implicit trust relationships built into widely used platforms. From phishing campaigns and malicious advertisements to abuse of support systems and certificate infrastructure, threat actors demonstrated how ordinary tools can be repurposed to gain access, maintain persistence or scale operations with minimal friction. The incidents collectively point to a threat landscape where control is achieved through patience, reuse and reach, rather than speed or visibility.

Several campaigns focused on targeted intrusion and data theft. Government entities in Afghanistan were targeted in a spear-phishing operation tracked as Operation Nomad Leopard, which used fake administrative documents to deliver a backdoor called FALSECUB via GitHub-hosted ISO files. The campaign leveraged shortcut files to display decoy documents while executing a C++-based payload capable of remote command execution. Researchers assessed the activity as regionally focused and of low to moderate sophistication. In parallel, Google-owned VirusTotal disclosed an information-stealer campaign abusing DLL side-loading, in which trusted executables were paired with malicious DLLs and distributed through archives impersonating legitimate installers. Other threat actors used malicious advertising to distribute remote access trojans and information stealers disguised as file-converter tools, which functioned as advertised while secretly establishing persistence and remote control. Additional phishing campaigns used fake pharmaceutical invoices and loan offers to harvest banking credentials and deploy commodity malware such as PureLogs Stealer.

Infrastructure abuse and reconnaissance activity also featured prominently. The U.K. government warned of ongoing denial-of-service attacks by Russia-aligned hacktivist groups targeting public sector and local government services, with the intent of disrupting access to essential systems. GreyNoise reported large-scale reconnaissance against WordPress sites, with nearly one thousand IP addresses scanning hundreds of popular plugins over several months to identify vulnerable targets. Separately, Hunt.io analysis revealed more than 18,000 active command-and-control servers hosted within Chinese internet space, with major telecom and cloud providers accounting for a significant share. A large portion of these servers supported IoT botnets such as Mozi, as well as widely used offensive tools including Cobalt Strike and Mirai, highlighting the scale at which background infrastructure is leveraged for malicious operations.

The week also saw developments affecting software ecosystems and security operations. Let’s Encrypt announced general availability of six-day TLS certificates as an opt-in option for operators with fully automated renewal processes, aiming to reduce the risk associated with long-lived certificates. Zendesk warned that unsecured support systems were being abused to send relay spam through automated ticket confirmation emails, urging customers to restrict unverified submissions. The Rust project introduced a new security tab on Crates.io to surface known vulnerabilities in software dependencies, alongside tighter controls on trusted publishing to reduce supply-chain risk. At the same time, SpecterOps released a Windows Subsystem for Linux beacon object file that allows post-exploitation activity without spawning visible processes, demonstrating how legitimate platform features can be used to evade detection.

Financial crime and enforcement actions added further context to the broader threat environment. Chainalysis estimated that cryptocurrency scams generated at least fourteen billion dollars in illicit proceeds during 2025, with projections exceeding seventeen billion as more addresses are identified. Scammers increasingly relied on deepfakes, impersonation and industrial-scale infrastructure. In the physical world, five Venezuelan nationals pleaded guilty or were sentenced for ATM jackpotting attacks across multiple U.S. states, while European authorities detained a former Swedish military IT consultant on suspicion of espionage. Together, these incidents underscore how exposure often accumulates quietly within trusted systems, only becoming visible once activity reaches scale.
