CyberBakery Chronicles (30 June 2025)
Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.


Your Weekly Cybersecurity Update (30 June 2025)
FBI Warns of Urgent Threat of Scattered Spider's Social Engineering Tactic Targeting Airlines
Over 1,000 SOHO Devices Compromised in China-Linked LapDogs Cyber Espionage Campaign
Ahold Delhaize Confirms Data Breach Affecting Over 2.2 Million Individuals
From Browser Stealer to Data Exfiltration Platform, GIFTEDCROOK’s strategic shift
Critical Citrix NetScaler Flaw (CVE-2025-6543) Exploited as a Zero-Day
The FBI has issued a warning about the cybercriminal group Scattered Spider, which is targeting the aviation industry through sophisticated social engineering. Known for high-profile breaches such as those at MGM Resorts and Caesars Entertainment in 2023, Scattered Spider is now focusing on airlines and their third-party IT providers. Its operators impersonate employees or contractors to talk IT help desks into resetting passwords and enrolling attacker-controlled devices as MFA factors on the victims' accounts, which gives them authenticated access without ever defeating the MFA technology itself.
Recent incidents affecting airlines such as WestJet and Hawaiian Airlines have raised concerns, although no direct attribution to Scattered Spider has been confirmed. Cybersecurity firms like Mandiant and Unit 42 have observed multiple incidents in the aviation sector that resemble Scattered Spider’s methods. Experts recommend that the industry strengthen identity verification processes, particularly for help desk procedures, to mitigate these risks.
Scattered Spider, also known as UNC3944, has a history of targeting various sectors, including retail and insurance, using similar social engineering techniques. Their approach often involves detailed reconnaissance and exploiting human factors to gain access to sensitive systems.
Organisations are advised to review and enhance their security protocols, especially those related to help desk operations and multi-factor authentication, to defend against such sophisticated threats.
Security researchers have uncovered a covert cyber espionage campaign leveraging over 1,000 compromised small office/home office (SOHO) devices. Dubbed “LapDogs” by SecurityScorecard’s STRIKE team, this network—technically classified as an Operational Relay Box (ORB) infrastructure—has been linked to threat actors with ties to China.
Key Observations:
Geographic Focus: The highest density of compromised devices is in the U.S. and Southeast Asia, with notable infections in Japan, South Korea, Hong Kong, and Taiwan.
Target Sectors: Infiltrated organisations span IT, networking, real estate, and media.
Device Brands Affected: Infections impact devices from various brands, including Ruckus Wireless, ASUS, Buffalo, Cisco-Linksys, D-Link, and Synology, among others.
Technical Details:
At the core of LapDogs is a custom backdoor named ShortLeash, which turns infected devices into ORB nodes. To blend in, it masquerades as an Nginx web server and presents a self-signed TLS certificate whose issuer field is set to "LAPD".
Initial access is gained through known, long-patched vulnerabilities such as CVE-2015-1548 and CVE-2017-17663 (both in the mini_httpd web server that ships on many SOHO devices), primarily on Linux-based SOHO devices, although some Windows artefacts have also been found.
Campaign activity dates back to September 2023, with new infections deployed in controlled bursts—no more than 60 devices per wave. To date, 162 unique attack clusters have been tracked.
Connections & Attribution:
LapDogs shows some operational resemblance to the “PolarEdge” campaign (documented by Sekoia), but the two are assessed as separate operations, based on divergence in methods and targets.
LapDogs maintains persistence via system service files, in contrast to PolarEdge’s use of webshell replacements.
Evidence links the China-nexus group UAT-5918 to at least one LapDogs operation targeting Taiwan. It’s unclear whether they are operators or clients.
Strategic Implications:
ORB networks, such as LapDogs, are increasingly adopted by state-aligned actors for stealth, staging, and command & control (C2) operations. Unlike standard botnets, ORBs serve multiple roles throughout the intrusion lifecycle, ranging from reconnaissance and traffic anonymisation to lateral movement and data exfiltration.
This discovery underscores the evolving sophistication of adversarial infrastructure and highlights the continued risk posed by unpatched or poorly secured edge devices.
Ahold Delhaize, the Dutch retail conglomerate behind major U.S. supermarket chains such as Food Lion, Giant Food, Hannaford, and Stop & Shop, has confirmed a significant data breach affecting more than 2.2 million people. The incident, which occurred in November 2024, disrupted online grocery ordering services and temporarily brought down several brand websites.

In a breach notification filed with the Maine Attorney General's office, the company disclosed that attackers exfiltrated sensitive personal data, including Social Security numbers, passport information, bank account details, health records, and employment-related information.
The breach was initially detected on November 6; however, subsequent investigations revealed that threat actors had begun stealing data as early as November 5. The INC ransomware group later claimed responsibility for the attack, alleging that they had stolen six terabytes of data.
Ahold Delhaize stated that the compromised files primarily consisted of internal employment records associated with current and former employees across its U.S. business operations. Affected individuals are being offered two years of credit monitoring.
With over 2,000 stores nationwide, Ahold Delhaize USA reported $24 billion in net sales in 2023, making it one of the largest food retail groups globally.
This disclosure follows another high-impact cyber incident involving United Natural Foods, a distributor for Whole Foods and other grocery brands. That attack disrupted its digital distribution platform, leading to reduced sales and increased operational costs, according to recent SEC filings.
The threat actor behind the GIFTEDCROOK malware has significantly upgraded the tool, transforming it from a rudimentary browser credential stealer into a powerful, targeted intelligence-gathering platform.
According to a recent report from Arctic Wolf Labs, campaigns observed in June 2025 show GIFTEDCROOK’s enhanced capabilities to exfiltrate a wide range of sensitive data, including proprietary documents and browser secrets from compromised systems. The campaign’s phishing lures and malware behaviour indicate a strategic targeting of Ukrainian military and governmental institutions.

Initially reported by CERT-UA in April 2025, the malware was deployed via phishing emails containing macro-laced Excel attachments. These decoy documents served as the entry point for deploying the malware, which has been linked to the threat group UAC-0226.
From Simple Stealer to Sophisticated Spyware
Early versions of GIFTEDCROOK focused on extracting browser data (cookies, history and saved login credentials) from Chrome, Edge and Firefox, but the malware evolved quickly. A prototype appeared in February 2025; versions 1.2 and 1.3, which followed within months, introduced file-harvesting capabilities.
The latest variants now scan for documents under 7 MB, specifically those created or modified in the last 45 days, targeting file types such as: .doc, .pdf, .xlsx, .csv, .jpg, .png, .zip, .txt, .sqlite, .ovpn, and more.
In a typical campaign, victims are lured with military-themed PDFs linking to a macro-enabled Excel file hosted on Mega (“Список оповіщених військовозобов’язаних організації 609528.xlsm”, roughly “List of notified persons liable for military service, organisation 609528.xlsm”). Once macros are enabled, the stealer is deployed silently.
Exfiltrated files are bundled into ZIP archives and sent to Telegram channels controlled by the attackers. If the archive exceeds 20 MB, it’s split into smaller chunks to bypass security filters. Finally, a batch script cleans the system to cover the malware’s tracks.
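The collection rules above (targeted extensions, files under 7 MB, modified in the last 45 days, archives split at 20 MB) are concrete enough to turn into a triage tool. The Python below is an added example for this newsletter, not Arctic Wolf's or CERT-UA's code and not the malware itself: it reproduces the filter so an incident responder can estimate what a stealer with these rules would have taken from a given host, and how many 20 MB pieces the upload would have been split into. It assumes the extension list quoted above is a subset of the real one, judges recency by modification time only, counts bytes uncompressed (so the chunk count is an upper bound), and uses a constructed sample inventory.

```python
"""Estimate what a stealer using the GIFTEDCROOK collection rules would take from a host.

Added example, not Arctic Wolf's, CERT-UA's or the malware's code. Thresholds are
the ones quoted in the report; the extension list is the subset named there.
"""
import math
import os
import time
from dataclasses import dataclass

MAX_FILE_BYTES = 7 * 1024 * 1024        # "documents under 7 MB"
MAX_AGE_DAYS = 45                        # "created or modified in the last 45 days"
ARCHIVE_SPLIT_BYTES = 20 * 1024 * 1024   # archives over 20 MB are split into chunks
TARGET_EXTENSIONS = {                    # subset quoted in the report ("and more")
    ".doc", ".pdf", ".xlsx", ".csv", ".jpg", ".png",
    ".zip", ".txt", ".sqlite", ".ovpn",
}


@dataclass(frozen=True)
class FileMeta:
    path: str
    size: int      # bytes
    mtime: float   # seconds since the epoch


def matches_collection_filter(meta: FileMeta, now: float) -> bool:
    """True if the file passes all three rules: extension, size, recency.
    Only the modification time is checked (assumption); the report says
    "created or modified", so a recently copied file with an old mtime may differ."""
    ext = os.path.splitext(meta.path)[1].lower()
    if ext not in TARGET_EXTENSIONS:
        return False
    if meta.size >= MAX_FILE_BYTES:
        return False
    age_days = (now - meta.mtime) / 86400
    return age_days <= MAX_AGE_DAYS


def select_exposed_files(metas, now):
    """Files a stealer with these rules would stage for exfiltration."""
    return [m for m in metas if matches_collection_filter(m, now)]


def estimate_exfil(metas, now):
    """Return (file_count, total_bytes, chunk_count). Bytes are counted
    uncompressed because the ZIP ratio is unknown, so chunk_count is an upper bound."""
    selected = select_exposed_files(metas, now)
    total = sum(m.size for m in selected)
    chunks = math.ceil(total / ARCHIVE_SPLIT_BYTES) if total else 0
    return len(selected), total, chunks


def inventory(root, now=None):
    """Walk a real directory tree (e.g. a user profile on a triaged host)."""
    metas = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the walk
            metas.append(FileMeta(full, st.st_size, st.st_mtime))
    return metas


# Constructed sample inventory, timestamps relative to a fixed "now" (2025-06-30 UTC).
NOW = 1_751_241_600.0
SAMPLE = [
    FileMeta("C:/Users/op/Documents/orders.xlsx", 200_000, NOW - 2 * 86400),           # taken
    FileMeta("C:/Users/op/Documents/archive.pdf", 8 * 1024 * 1024, NOW - 2 * 86400),   # too big
    FileMeta("C:/Users/op/Documents/old_report.doc", 50_000, NOW - 120 * 86400),       # too old
    FileMeta("C:/Users/op/OpenVPN/config/hq.ovpn", 4_000, NOW - 10 * 86400),           # taken
    FileMeta("C:/Users/op/Videos/clip.mp4", 1_000_000, NOW - 86400),                    # not targeted
    FileMeta("C:/Users/op/Pictures/scan.jpg", 6 * 1024 * 1024, NOW - 30 * 86400),      # taken
]

if __name__ == "__main__":
    for m in select_exposed_files(SAMPLE, NOW):
        print("would be taken:", m.path)
    print("files, bytes, 20 MB chunks:", estimate_exfil(SAMPLE, NOW))
    # On a live host: estimate_exfil(inventory(os.path.expanduser("~")), time.time())
```

The interesting output is usually the `.ovpn` hits: a VPN profile with an embedded key is small, recently touched, and gives an attacker a foothold on the network behind the endpoint, which is exactly the escalation path the next section worries about.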
Strategic Objectives and Geopolitical Alignment
This is not generic cybercrime—it’s precision espionage. The malware’s ability to exfiltrate recent documents, VPN configs, and sensitive spreadsheets points to a broader intelligence collection objective. The risk extends beyond individual compromise to the networks and systems connected to targeted endpoints.
Arctic Wolf notes that the timing of these campaigns aligns closely with geopolitical developments, including recent diplomatic negotiations between Ukraine and Russia. The malware’s development arc—from credential theft to full-scale data exfiltration—reflects a coordinated effort to support broader strategic aims.
Citrix has issued patches for a critical zero-day vulnerability (CVE-2025-6543, CVSS 9.2) affecting NetScaler ADC and NetScaler Gateway. The flaw, which was under active exploitation before the fix shipped, affects both currently supported and end-of-life versions of the widely deployed application delivery and remote-access platform.
The vulnerability stems from a memory overflow condition, which could lead to unintended control flow or denial-of-service (DoS) when successfully exploited. Citrix confirmed that only deployments configured as a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or using AAA virtual servers are vulnerable.
“Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” Citrix stated in its advisory, without disclosing technical details or attribution.
Affected Versions and Patching Guidance
The fix has been released in the following NetScaler builds:
NetScaler ADC and Gateway: 14.1-47.46 and 13.1-59.19
NetScaler ADC FIPS/NDcPP: 13.1-37.236
End-of-life versions 12.1 and 13.0 are also affected but will not receive patches. Citrix urges customers on deprecated versions to immediately upgrade to supported builds. Additionally, Secure Private Access (SPA) and SPA Hybrid deployments relying on NetScaler are vulnerable and require similar updates.
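Two things decide whether a given appliance needs emergency action: its build relative to the fixed builds listed above, and whether it is in the vulnerable configuration (a Gateway or AAA virtual server). The Python below is an added example, not Citrix tooling, that does both checks offline from pasted CLI output. It assumes the classic output shapes: `show ns version` printing a line like "NetScaler NS14.1: Build 47.46.nc, ...", and `show vpn vserver` / `show authentication vserver` numbering entries as "1) name ...". Confirm those shapes against your own appliance before trusting the result, and note the trap it guards against: FIPS/NDcPP 13.1 builds are numbered 37.x, so comparing one against the mainline 13.1-59.19 threshold without saying it is FIPS gives a false "vulnerable".

```python
"""Offline triage for CVE-2025-6543 from pasted NetScaler CLI output.

Added example, not Citrix code. Fixed builds are the ones quoted in the advisory;
the CLI output formats below are assumptions to verify on your appliance.
"""
import re

# Minimum fixed builds per branch, from the Citrix advisory.
FIXED_BUILDS = {
    "14.1": (47, 46),        # NetScaler ADC and Gateway 14.1-47.46
    "13.1": (59, 19),        # NetScaler ADC and Gateway 13.1-59.19
    "13.1-FIPS": (37, 236),  # NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.236
}
# Affected branches that are out of support: no fix will ship, upgrade instead.
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed shape of `show ns version`: "NetScaler NS13.1: Build 59.19.nc, Date: ..."
_VERSION_RE = re.compile(r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<build>\d+)\.(?P<minor>\d+)")
# Assumed shape of vserver listings: each entry starts with "1)" then the vserver name.
_VSERVER_RE = re.compile(r"^\s*\d+\)\s+(?P<name>\S+)", re.MULTILINE)


def parse_version(show_ns_version, fips=False):
    """Return (branch, (build, minor)). The caller must state whether the
    appliance is FIPS/NDcPP, because those 13.1 builds use a different series."""
    m = _VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError("unrecognised `show ns version` output")
    branch = m.group("branch")
    if fips and branch == "13.1":
        branch = "13.1-FIPS"
    return branch, (int(m.group("build")), int(m.group("minor")))


def patch_status(show_ns_version, fips=False):
    """'patched', 'vulnerable', 'eol' (affected, no fix) or 'unknown' (branch not listed)."""
    branch, build = parse_version(show_ns_version, fips)
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def vserver_names(listing):
    """Names of virtual servers in a `show ... vserver` listing (empty if just 'Done')."""
    return _VSERVER_RE.findall(listing)


def exposed_configuration(show_vpn_vserver, show_authentication_vserver):
    """Citrix scopes the bug to Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) and AAA
    virtual servers; an ADC running neither is outside this CVE's scope."""
    return bool(vserver_names(show_vpn_vserver) or vserver_names(show_authentication_vserver))


def assess(show_ns_version, show_vpn_vserver, show_authentication_vserver, fips=False):
    """Combine build status and configuration into a recommended action."""
    status = patch_status(show_ns_version, fips)
    exposed = exposed_configuration(show_vpn_vserver, show_authentication_vserver)
    if status == "patched":
        action = "none"
    elif not exposed:
        action = "upgrade when convenient (not in vulnerable configuration)"
    elif status == "eol":
        action = "upgrade to a supported branch now"
    elif status == "vulnerable":
        action = "upgrade to fixed build now"
    else:
        action = "check advisory for this branch"
    return {"patch_status": status, "exposed": exposed, "action": action}


# Constructed CLI output in the assumed formats.
SAMPLE_VERSION_OLD = "NetScaler NS13.1: Build 57.26.nc, Date: Mar 3 2025, 12:00:00   (64-bit)"
SAMPLE_VERSION_FIXED = "NetScaler NS14.1: Build 47.46.nc, Date: Jun 20 2025, 10:00:00   (64-bit)"
SAMPLE_VERSION_EOL = "NetScaler NS13.0: Build 92.21.nc, Date: Jan 9 2024, 09:00:00   (64-bit)"
SAMPLE_VERSION_FIPS = "NetScaler NS13.1: Build 37.236.nc, Date: Jun 20 2025, 10:00:00   (64-bit)"
SAMPLE_VPN_VSERVERS = "1)\tgw_remote_access (203.0.113.10:443) - SSL\tType: ADDRESS\n\tState: UP\n Done\n"
SAMPLE_NO_VSERVERS = " Done\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OLD, SAMPLE_VPN_VSERVERS, SAMPLE_NO_VSERVERS))
    print(assess(SAMPLE_VERSION_FIPS, SAMPLE_VPN_VSERVERS, SAMPLE_NO_VSERVERS, fips=True))
```

Upgrading is only half of the remediation for a token-leak class of bug: once on a fixed build, Citrix's own advisory for CVE-2025-5777 tells administrators to run `kill icaconnection -all` and `kill pcoipConnection -all` so that any session tokens stolen before the patch stop working.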
CitrixBleed2? Another Zero-Day Emerges
This warning comes just a week after Citrix addressed another critical bug, CVE-2025-5777 (CVSS 9.3), an out-of-bounds memory read caused by insufficient input validation. Reminiscent of the notorious CitrixBleed (CVE-2023-4966), the flaw can leak session tokens from appliance memory; an attacker who replays a stolen token inherits an already-authenticated session and so sidesteps MFA entirely.
While no exploitation of CVE-2025-5777 has been confirmed, cybersecurity expert Kevin Beaumont has dubbed it CitrixBleed2 and warns organisations to act swiftly. His recommendations include:
Apply patches immediately
Terminate all active sessions
Audit exposed NetScaler instances
Immediate Action Required
Organisations using NetScaler for remote access, authentication, or secure delivery should treat this as a priority-one issue. Failure to patch leaves systems exposed to active exploitation and the potential for service disruption or unauthorised access.
Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.
Let’s make 2025 the year of shared knowledge and community growth.