
Random in Security 202546


Random in Security is a summary of the cybersecurity news.

Interesting Reads

The Smishing Deluge: China-Based Campaign Flooding Global Text Messages

Unit 42 researchers uncovered a massive Smishing Triad operation that registered over 194,000 malicious domains since January 2024, impersonating banks, government agencies, and e-commerce sites globally. The campaign operates as a phishing-as-a-service ecosystem with specialized threat actors handling different attack stages, churning through domains at breakneck speed—71.3% stay active less than a week to dodge detection. Despite Chinese infrastructure (Hong Kong registrars, Chinese nameservers), they’re freeloading on U.S. cloud services to host their operation.

Gotta fly: Lazarus targets the UAV sector

North Korea’s Lazarus group is apparently shopping for drone technology the old-fashioned way: by hacking European defense contractors. ESET spotted another DreamJob campaign using fake job offers and trojanized open-source apps to drop ScoringMathTea RAT on three UAV companies. Nothing says “reverse engineering” like stealing the actual blueprints instead of buying cheap drones on AliExpress.

AI and the Software Vulnerability Lifecycle

Georgetown’s Center for Security and Emerging Technology explores how LLMs are automating vulnerability discovery, patching, and exploitation verification across the software development lifecycle. AI tools can now narrow searches to specific vulnerable components during fuzzing and generate patches autonomously, shifting remediation earlier before attackers strike. What could possibly go wrong with automating exploit development?

The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns

Trend Micro identified a new “Premier Pass-as-a-Service” model where China-aligned APT groups Earth Estries and Earth Naga are basically timesharing network access like a cybercrime co-working space. Earth Estries breaks in, then hands off the keys to Earth Naga who deploys CrowDoor, ShadowPad, and Cobalt Strike against government and telecom targets in APAC and NATO regions. This unprecedented level of APT collaboration means defenders can no longer rely on simple attribution—welcome to the threat actor alliance ecosystem.

Trap bots on your server

Sick of AI scrapers ignoring robots.txt and hammering your server? Maurycy built a Markov chain-based crawler trap that generates infinite nonsensical content to exhaust bot resources, with each page linking to five more garbage pages for exponential queue growth. His follow-up post explains the economics: serving dynamically generated gibberish costs only ~60 CPU microseconds per request, making it cheaper than serving real content while the bots waste their bandwidth on procedurally generated nonsense. Pro tip: CPU and RAM are faster than network, so let’s feed the bots until they explode.
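The mechanism above in working code, as an added example (this is not Maurycy's trap, and the seed corpus, `/trap` prefix and WSGI wiring are assumptions for the demo): a first-order word Markov chain generates a page of gibberish per URL, the page's RNG is seeded from its own path so revisits are stable without any server-side state, each page links to five more trap URLs derived from its path hash, and `robots.txt` disallows the prefix so only crawlers that ignore it ever enter. `simulate_crawler` shows the frontier outrunning a fixed fetch budget.

```python
import hashlib
import random
from collections import defaultdict

# Constructed seed corpus for this example. A deployed trap would train on a
# few paragraphs of ordinary prose so the output passes a glance as real text.
SEED_TEXT = """
the crawler fetches every link it finds and stores the text it sees the
server answers each request with a page of text and five fresh links the
crawler then queues the five links and fetches them in turn so the queue
grows faster than the crawler can drain it while the server spends almost
nothing to produce the text because the text is made up on the fly
"""

LINKS_PER_PAGE = 5     # fan-out per page: the crawl frontier grows ~5^depth
WORDS_PER_PAGE = 120
TRAP_PREFIX = "/trap"  # hypothetical URL prefix the trap is mounted under


def build_chain(text):
    """First-order word Markov chain: word -> list of observed successors."""
    words = text.split()
    chain = defaultdict(list)
    for cur, nxt in zip(words, words[1:]):
        chain[cur].append(nxt)
    return dict(chain)


CHAIN = build_chain(SEED_TEXT)


def page_rng(path):
    """RNG seeded from the path: a URL always renders the same page with no
    server-side state, so revisits look like a stable, static site."""
    digest = hashlib.sha256(path.encode()).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def generate_text(chain, rng, n_words):
    """Random walk over the chain; restart at a random word on a dead end."""
    starts = sorted(chain)
    word = rng.choice(starts)
    out = [word]
    while len(out) < n_words:
        successors = chain.get(word)
        word = rng.choice(successors) if successors else rng.choice(starts)
        out.append(word)
    return " ".join(out)


def child_url(path, i):
    """Child URL derived from the parent path hash: distinct, stable, unbounded."""
    token = hashlib.sha256(f"{path}#{i}".encode()).hexdigest()[:12]
    return f"{TRAP_PREFIX}/{token}"


def page_links(path):
    return [child_url(path, i) for i in range(LINKS_PER_PAGE)]


def render_page(chain, path):
    """One trap page: a paragraph of Markov text plus five links deeper in."""
    body = generate_text(chain, page_rng(path), WORDS_PER_PAGE)
    anchors = "\n".join(f'<a href="{href}">{href}</a>' for href in page_links(path))
    return f"<html><body><p>{body}</p>\n{anchors}\n</body></html>"


def robots_txt():
    """Well-behaved crawlers are told to stay out; only those that ignore
    robots.txt ever reach the trap, which is the point of listing it."""
    return f"User-agent: *\nDisallow: {TRAP_PREFIX}/\n"


def simulate_crawler(chain, start, fetch_budget):
    """Breadth-first crawl with a fixed fetch budget. Returns (pages fetched,
    links still queued): each fetch pops one URL and pushes five, so the
    frontier grows by four URLs per request the bot makes."""
    queue, seen, fetched = [start], set(), 0
    while queue and fetched < fetch_budget:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        render_page(chain, path)  # the only cost the server actually pays
        fetched += 1
        queue.extend(page_links(path))
    return fetched, len(queue)


def wsgi_app(environ, start_response):
    """Minimal WSGI handler: robots.txt, trap pages, 404 for everything else."""
    path = environ.get("PATH_INFO", "/")
    if path == "/robots.txt":
        status, ctype, body = "200 OK", "text/plain", robots_txt()
    elif path.startswith(TRAP_PREFIX + "/"):
        status, ctype, body = "200 OK", "text/html", render_page(CHAIN, path)
    else:
        status, ctype, body = "404 Not Found", "text/plain", "not found\n"
    start_response(status, [("Content-Type", f"{ctype}; charset=utf-8")])
    return [body.encode()]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8080, wsgi_app) as httpd:
        print("trap at http://127.0.0.1:8080/trap/start (disallowed in robots.txt)")
        httpd.serve_forever()
```

Run it and fetch `/trap/start`: every page is a few hundred bytes of text plus five links, generated on demand with no database or filesystem behind it, which is why the per-request cost stays in the microseconds while the crawler's queue grows with every page it pulls. Keep the trap behind a `Disallow` rule and off your sitemap so legitimate crawlers never see it.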

Hacking the World Poker Tour: Inside ClubWPT Gold’s Back Office

Sam Curry and Shubs Shah found exposed credentials and source code in a publicly accessible .env file and .git repository on a Chinese development subdomain for ClubWPT Gold. They exploited a 2FA bypass to gain unauthenticated access to the production back office, exposing driver's licenses, passport numbers, IP addresses, transactions, and game history. All-in on security vulnerabilities: the house always loses when you leave your .git folder public.
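A self-check for the first half of that finding, added here as an example (it is not the researchers' tooling and says nothing about the 2FA bypass): probe a host for `/.git/HEAD`, `/.git/config` and `/.env`, and only report a hit when the body actually looks like the file, so a catch-all 200 page is not a false positive. The docroots it serves locally are constructed for the demo; point `find_exposed` at your own hosts in practice.

```python
import http.server
import os
import re
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

# Content checks per path: a 200 alone is not enough, since SPAs and some
# CDNs answer 200 with the index page for any URL.
ENV_LINE = re.compile(rb"^[A-Za-z_][A-Za-z0-9_]*=", re.M)


def looks_like_git_head(body):
    """'ref: refs/heads/...' or a detached 40-hex commit id."""
    return body.startswith(b"ref: ") or re.fullmatch(rb"[0-9a-f]{40}\s*", body) is not None


def looks_like_env(body):
    """At least one KEY=value line at line start."""
    return ENV_LINE.search(body) is not None


def looks_like_git_config(body):
    return b"[core]" in body


PROBES = {
    "/.git/HEAD": looks_like_git_head,
    "/.git/config": looks_like_git_config,
    "/.env": looks_like_env,
}


def fetch(base_url, path, timeout=5):
    """Return (status, first 4 KiB of body); status None on connection failure."""
    req = urllib.request.Request(base_url + path, headers={"User-Agent": "dotfile-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as exc:
        return exc.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def find_exposed(base_url):
    """Probe paths under base_url that answer 200 with plausible content."""
    findings = []
    for path, looks_real in PROBES.items():
        status, body = fetch(base_url, path)
        if status == 200 and looks_real(body):
            findings.append(path)
    return findings


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


def serve_docroot(files):
    """Throwaway local server over a temp docroot built from {relpath: content}.
    Demo scaffolding only; returns (server, base_url)."""
    root = tempfile.mkdtemp()
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def check_docroot(files):
    """Serve a constructed docroot locally and report which probes hit."""
    server, base = serve_docroot(files)
    try:
        return find_exposed(base)
    finally:
        server.shutdown()
        server.server_close()


# Constructed docroots: one with the repo and env file deployed next to the
# site (the mistake described above), one clean. Values are made up.
LEAKY_SITE = {
    "index.html": "<h1>hello</h1>",
    ".git/HEAD": "ref: refs/heads/main\n",
    ".git/config": "[core]\n\trepositoryformatversion = 0\n",
    ".env": "DB_PASSWORD=hunter2\nAPI_KEY=abc123\n",
}
CLEAN_SITE = {"index.html": "<h1>hello</h1>"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(find_exposed(sys.argv[1].rstrip("/")))
    else:
        print("leaky:", check_docroot(LEAKY_SITE))
        print("clean:", check_docroot(CLEAN_SITE))
```

A hit on `/.git/HEAD` usually means the whole object store is fetchable and the source can be reconstructed offline, so treat it as a source and secrets leak, not an information disclosure. The durable fix is to keep `.git` and `.env` out of the deploy artifact entirely and, as defence in depth, deny dotfiles at the web server (for nginx, a `location ~ /\.` block that returns 404, with an exception for `.well-known` if you need it).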

Tools

  • davidljohnson/flowviz - React application that converts cybersecurity articles into interactive attack flow visualizations mapped to the MITRE ATT&CK framework
  • evilsocket/legba - High-performance Rust-based credential testing utility supporting HTTP, DNS, SSH, FTP, SMTP, RDP, VNC, SQL, LDAP, Kerberos, and more with async/concurrent architecture
  • Ragnt/AngryOxide - Rust-based 802.11 attack tool for WiFi security research featuring automated handshake/PMKID capture, deauth attacks, rogue M2, and GPS geofencing
  • ZerBea/hcxtools - Utility suite for converting wireless packet captures (pcapng/pcap) into hash formats compatible with Hashcat and John the Ripper