- CYBERDEFENSE.NET
- Posts
- THEY ANNOUNCE THEIR RETIREMENT. THEY HACK A BANK.
THEY ANNOUNCE THEIR RETIREMENT. THEY HACK A BANK.
SMBs are falling one after another. Artificial intelligences are turning against their creators.Criminals no longer flee: they organize. And servers, they talk... far too much.
Johnny Rico
September 25, 2025
In partnership with
π€ Dear internet users and fellow Cyberdefenders,
Cyberfront 2025: the enemy never sleeps. And you ?
SMBs are falling. One after another.
Not under bombs. Not in the newspapers.
But under silent lines of code, credible fake emails, and "too" well-phrased AI suggestions.
While leaders are still wondering about their GDPR compliance, groups like Scattered Spider are infiltrating bank VPNs and resetting your access as if they were at home.
And as you're analyzing your KPIs, ChatGPT is leaking your data without a click.
And while your teams are clicking on images, the malware is already executing.
The cyber war is no longer a hypothesis. It's a fact.
It's no longer spectacular. It's integrated.
And above all, it no longer targets the powerful.
It targets you. Your SMBs. Your tools. Your habits. Your trust.
The enemies no longer wear helmets. They wear Discord IDs, API tokens, Python plugins.
Their weapons don't shoot. They install. They simulate. They wait.
But the resistance is organizing. Analysts, researchers, leaders.
Minds that refuse blindness, algorithmic dependence, and the toxic promise of flawless automated cybersecurity.
They read. They cross-reference. They verify.
π― This newsletter is their voice. Their field report.
ποΈ You are the commander of your own defense. But to decide, you need to know.
π‘ So, do you want to know more?
Click. Download. Deploy. The Federation is counting on you.
Highlights :
π SMBs: the great cybersecurity illusion π€―
π Scattered Spider fakes its retirement to rob a bank π¦
π ChatGPT spied on via a zero-click attack π±
π Images and .SVG files to bypass your antivirus πΌοΈ
π Villager: the Chinese AI intrusion tool worrying experts π€
If this letter was forwarded to you, subscribe by clicking this link
ποΈβ Guess what ?
French SMBs are still on shaky ground : 80% do not comply with GDPR, and 86% are unaware of the NIS 2 directive. One in four has already paid a ransom.
Scattered Spider makes a stunning comeback, infiltrating a bank via a compromised executive account. Despite their "retirement," they are adapting their TTPs to the financial sector.
ShadowLeak is an innovative attack that targets ChatGPT on the server side. No user action is required : the data leaks directly from OpenAI's cloud.
LOTL attacks are evolving. Now, hackers are exploiting SVG images and PowerShell scripts executed via MSBuild to install undetectable RATs.
Villager, an AI intrusion tool distributed via PyPI, is raising alarm. It automates penetration testing campaigns, but can easily be diverted for malicious purposes.
Become An AI Expert In Just 5 Minutes
If youβre a decision maker at your company, you need to be on the bleeding edge of, well, everything. But before you go signing up for seminars, conferences, lunch βn learns, and all that jazz, just know thereβs a far better (and simpler) way: Subscribing to The Deep View.
This daily newsletter condenses everything you need to know about the latest and greatest AI developments into a 5-minute read. Squeeze it into your morning coffee break and before you know it, youβll be an expert too.
Subscribe right here. Itβs totally free, wildly informative, and trusted by 600,000+ readers at Google, Meta, Microsoft, and beyond.
π€β Would you like to know more?
1οΈβ£β SMBs : the great cybersecurity illusion
Summary : French small and medium-sized enterprises are more vulnerable than ever. A study conducted by WatchGuard among 123 managed service providers reveals an alarming gap : while they represent 99% of the economic fabric, SMBs are lagging behind on all cybersecurity indicators. Ransomware remains the main threat, and despite regulations like GDPR or the NIS 2 directive, the majority remain non-compliant. Worse still, 25% of them have already given in to digital blackmail. The lack of budget, skills, and awareness creates an explosive cocktail.
Details :
Dominant Threats : Ransomware remains the number one cyber threat, followed by data leaks and identity theft, primarily targeting unprepared organizations.
Lack of Compliance : 80% of the SMBs surveyed do not meet GDPR requirements, while 86% are unaware of the existence of the NIS 2 directive.
Reactions to Attacks : One in four SMBs has paid a ransom.
This highlights a lack of incident response strategy and poor risk assessment.
Major Obstacles : MSPs point to a lack of funding, internal skills, and cyber culture as the main barriers to investment.
Systemic Danger : This widespread weakness creates a risk of a domino effect on supply chains and the national economy in general.
What should be remembered ?
The inadequate preparation of SMBs for cyber threats constitutes a critical breach for the entire economic ecosystem. If urgent measures are not taken, they will become the weak links through which the next cyber-pandemics will pass.
βββββββββββββββββββββββββ
2οΈβ£ Scattered Spider fakes its retirement to rob a bank
Summary : Despite a supposed "retirement," the Scattered Spider group has resurfaced by hitting a U.S. bank. The use of social engineering allowed them to bypass authentication via Microsoft Entra ID and infiltrate the IT environment, including Citrix, VPN, VMware, and Snowflake. The criminals targeted critical data and used tools like Veeam to elevate their privileges. This operation confirms that their collaboration with ShinyHunters remains active. The "post-retirement" camouflage appears to be a tactic to divert attention while simultaneously adapting their TTPs to the financial sector.
Details :
Modus Operandi : Use of social engineering to take control of an executive's account, followed by escalation via Microsoft Entra ID.
Lateral Movement : Infiltration of Citrix, VPN, VMware ESXi systems, and exfiltration to Snowflake and AWS.
Privilege Escalation : Resetting critical service accounts to obtain global Azure rights and manipulate virtual machines.
Strategic Resurgence : After the attacks on casinos in 2023 and the arrest of members, the group is adapting its target to the banking sector.
Mafia-like Collaboration : Persistent connections with ShinyHunters illustrate a consolidation of financially motivated cyber groups.
What should be remembered?
The Scattered Spider case proves that APT groups can feign their dissolution to reappear more discreetly and better armed. The banking sector must expect a resurgence of sophisticated intrusions, often disguised as simple phishing attacks.
ββββββββββββββββββββββ
3οΈβ£β ChatGPT spied on via a zero-click attack
Summary : Researchers at Radware have discovered a formidable attack named ShadowLeak, which exploits ChatGPT's "Deep Research" feature. The attack requires no user interaction : a simple email is enough to trigger data exfiltration directly from OpenAI's servers. By bypassing traditional protections, ShadowLeak ushers in a new era of server-side attacks, invisible to victims. OpenAI has since patched the flaw, but the incident reveals the growing threat surface in AI-driven systems.
Details:
Zero-Click : The attack works without any action from the user, via an email containing camouflaged instructions.
Server-Side : Unlike most AI attacks, here it is the OpenAI backend that exfiltrates the data, leaving no trace on the client side.
Advanced Camouflage : The instructions convince the model that the target URL is legitimate and that the data to be extracted is public.
Multiple Targets : ShadowLeak could have potentially reached Gmail, Drive, Outlook, Notion, GitHub, Teams⦠via the Deep Research agent.
Rapid Response : OpenAI fixed the flaw in August 2025, but researchers warn about the still unknown extent of this type of threat.
What should be remembered ?
AI agents connected to third-party systems must be subject to continuous behavioral monitoring. The future of cybersecurity lies in analyzing algorithmic intent, not just code.
ββββββββββββββββββββ-
4οΈβ£β Images and .SVG files to bypass your antivirus
Summary : HP Wolf Security is warning of a new wave of Living off the Land (LOTL) attacks using legitimate Windows binaries and harmless-looking files like SVG, PNG images, or IMG archives. Cybercriminals are notably exploiting MSBuild, PowerShell, or embedded JavaScript to discreetly spread malware such as XWorm or Lumma Stealer. By concealing payloads in images or spoofing interfaces, these techniques can effectively bypass the majority of EDR and antivirus tools.
Details:
Advanced LOTL Techniques : Use of system binaries (extrac32, MSBuild, cscript) to execute malicious code without external tools.
Camouflaged Payloads : Data injected into images or SVG files, then decoded via PowerShell or VBScript.
Interactive Decoys : Fake Adobe Reader interface in an SVG, fake loading animations, and clicks that trigger a malicious download.
Resilient Lumma Stealer : Despite the dismantling of its infrastructure, it continues to spread via disguised IMG and HTA files.
Difficult Forensic Analysis : Obfuscated scripts, ephemeral containers, geofencing, and log tampering complicate investigations.
What should be remembered?
LOTL tactics show that the line between a system tool and a cyber weapon is increasingly thin. Only behavioral and contextual detection can make a difference today.
5οΈβ£ Villager : the Chinese AI intrusion tool worrying experts
Summary : Villager is an AI intrusion framework developed by a Chinese company, Cyberspike, and downloaded over 11,000 times from PyPI. Although officially intended for security testing, it integrates components like AsyncRAT and Mimikatz, making it easily divertible for malicious uses. Using AI, Villager dynamically orchestrates attacks, exploits vulnerabilities, bypasses protections, and erases its tracks. Researchers are already comparing its potential to that of Cobalt Strike, but in a GenAI version.
Details:
Native AI Operation : Integrates DeepSeek, LangChain, and Pydantic to automate reasoning, attack choices, and technical commands.
Ephemeral Infrastructure : Temporary Kali Linux containers, randomized SSH ports, automatic trace removal.
At-Risk Components : Direct integration of RATs like AsyncRAT, tools like Mimikatz, and exfiltration via FastAPI.
Public Accessibility : Easily downloadable from PyPI, with simplified documentation and plug-and-play integration.
Systemic Risks : Lowering of the required technical skill level, potential proliferation among low-skilled actors.
What should be remembered?
Villager embodies the next generation of offensive AI tools. It makes what was once the domain of APTs possible at a low cost. SOCs will need to urgently adapt their detection strategies to automated and ephemeral behaviors.
βοΈβ Digital Combat Ops
AI-assisted cybersecurity: a lever⦠or a trap for your teams ?
The integration of LLMs (Large Language Models) into cybersecurity processes is progressing rapidly, especially for phishing detection, incident management, and automated analysis.
But a study reveals a worrying divide: while LLMs improve performance on simple tasks, they can harm decision-making in complex casesβespecially among less resilient profiles.
The result: excessive dependence on AI, a decrease in autonomy, and a risk of widespread bias.
Companies must therefore implement robust strategies: training on LLM flaws, deceptive simulations to develop critical thinking, complementary pairings, and human validation workflows.
Not all teams react to automation in the same wayβand ignoring this reality can worsen internal vulnerabilities.
Intelligent use of LLMs requires adapted governance, human-centered design, and a culture of methodical doubt.
LIEUTENANTβS REPORT π
Nebulock : What if your future SOC was an autonomous agent made in the USA ?
Based in the United States, Nebulock is a startup specializing in AI-assisted autonomous threat hunting. It raised $8.5 million in July 2025, in a funding round led by Bain Capital Ventures. Its technology, called agentic threat hunting, allows for the detection of threats in real-time across the entire attack surface (cloud, endpoints, identities). Nebulock targets organizations that lack the staff or analytical capacity to handle the growing complexity of weak signals.
Noteworthy :
What distinguishes Nebulock is not just its AI engine, but its radical approach to detection : no predefined rules, no dashboards to manipulate, just continuous monitoring, fed by telemetry from tools like Okta, CrowdStrike, or M365.
The startup offers proactive detection, which simulates the behavior of a level 3 analyst in real-time, without human intervention. For SMBs and mid-market companies, this means immediate access to a highly qualified virtual SOC without the associated costs.
This model is already attracting the attention of intelligence services (In-Q-Tel) and cybersecurity-focused funds (Zetta, Decibel VC).
The approach, according to founder Damien Lewke, aims to put the initiative back in the hands of defenders and rebalance the power dynamic in automated cybercrime.
CYBERTRIVIA - DID YOU KNOW ? π€
Ransomware is down⦠except for SMBs
According to Coveware's 2025 semi-annual report, average ransom payments have dropped by 32% compared to the previous year.
But this decline hides a darker reality: SMBs remain the primary target.
Why ? Because they pay faster, often have no backups, and lack the resources to negotiate.
Groups like LockBit or Black Basta now favor high-volume attacks against smaller targets, thus optimizing their profitability.
π By the numbers :
Average payment in 2025:
$376,000 (compared to $495,000 in 2024)70% of identified victims are organizations with fewer than 500 employees
1 in 4 SMBs pays without consulting an expert
Should we trust AI to make cybersecurity decisions ?
With the massive integration of LLMs into security tools, companies must choose between automated efficiency and human vigilance. Where do you stand ?
What role should AI play in cybersecurity decisions ? |
ποΈ Let me know if you need further adjustments !
Don't miss any crucial cybersecurity news! Subscribe now to our newsletter to receive in-depth analysis, expert advice, and stay informed about the latest threats and solutions to protect your business. 'This is for all the newcomers: I have only one rule. Everyone fights. No one quits.
