Top Global Cybersecurity News of the Week: Major APT Activity and Worldwide Law-Enforcement Takedowns

This week’s updates reflect a shifting cybersecurity landscape shaped by major law enforcement actions and AI-enabled attacks. While insider threats continue to undercut defensive progress by exposing organizations to risks from within, the dismantling of the Rhadamanthys infostealer network demonstrated a commendable victory, striking at the root of cybercrime infrastructure.
These incidents reflect how fast-moving the threat landscape has become.

xHunt APT Group Spies on Kuwait, Leveraging Microsoft Exchange, IIS, and Custom Backdoors 

The xHunt APT group is conducting espionage campaigns against Kuwait’s shipping, transportation, and government sectors. The group exploits Microsoft Exchange and IIS servers using custom PowerShell backdoors like Hisoka, TriFive, and Snugy for persistence and C2 via email drafts. It also employs brute-force logins, and SSH tunneling to steal credentials and maintain access.

Danabot Resurfaces as Version 669 with New IP and Tor C2 Endpoints 

The Danabot banking malware resurfaced with version 669 after its May 2025 takedown, rebuilding its infrastructure with new IP and Tor C2 endpoints and backconnect servers. Zscaler observed wallet addresses for Bitcoin, Ethereum, Litecoin, and TRON used in cryptocurrency-theft operations. The renewed activity confirms the operators have reestablished their campaigns following Operation Endgame.

Two-Thirds of Top AI 50 Companies Leaked Sensitive Data on GitHub, Including API Keys and Tokens 

Wiz discovered that 65% of Forbes AI 50 companies with GitHub activity exposed data including API keys and tokens. The exposed credentials, tied to platforms like Hugging Face, ElevenLabs, and LangChain, could reveal private models and internal systems. The firms were collectively valued at over $400 billion, with many lacking proper disclosure channels or secret-scanning practices.

AI-Native App Boom Creates Security Blind Spots and Major Security Risks, New Report Finds

A Harness report warns that rapid AI adoption is outpacing enterprise security. Shadow AI and poor collaboration between teams are creating major visibility gaps. Most firms have already faced incidents stemming from LLM vulnerabilities and prompt injection.

Rhadamanthys Infostealer Infrastructure Disrupted in Apparent Law Enforcement Takedown

The Rhadamanthys infostealer network has gone offline amid signs of a coordinated disruption; while internal logs and operator messages point to EU law-enforcement activity, no official agency confirmation has been published.

APT Exploits Cisco and Citrix Zero-Day Vulnerabilities in Coordinated Attack 

A coordinated APT campaign is exploiting zero-day vulnerabilities in Cisco ISE and Citrix systems, Amazon researchers report. The attackers used a custom in-memory web shell after breaching an undocumented Cisco endpoint with pre-auth RCE. The group also leveraged the Citrix Bleed Two flaw before its public disclosure.

ChatGPT Fights for User Privacy

OpenAI says the New York Times has asked a court to force it to hand over 20 million private ChatGPT conversations as part of their lawsuit. The company argues this demand threatens user privacy. The company had previously pushed back on a request for 1.4 billion chats, restoring user rights to delete conversations. OpenAI says it is enhancing client-side encryption.

State-Sponsored Group Leverages Claude AI for Cyberespionage

A Chinese state-sponsored group used Anthropic’s Claude to autonomously perform 80–90% of multi-stage cyberattacks on about 30 high-value targets. Claude handled reconnaissance, exploitation, lateral movement, and data analysis after the hackers tricked it into believing the activity was defensive testing. Anthropic blocked the accounts and warned that AI now enables sophisticated intrusions that once required full teams of human operators.

Operation Endgame: Europol and Global Partners Bulldoze Rhadamanthys, VenomRAT, Elysium

Soon after news of a major crackdown surfaced, Europol and global partners confirmed they had dismantled the infrastructure behind the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet. Authorities took down over 1,025 servers and seized 20 domains linked to credential theft and malware. The main VenomRAT suspect was arrested in Greece and millions of stolen credentials were traced.

Holiday Mobile Threats Surge During Shopping Season, Report Finds Phishing and Malware Risks Escalate

Zimperium’s new report warns that mobile malware now targets shopping and payment apps, stealing credit card data and intercepting one-time passwords. The research also finds that legitimate retail apps introduce enterprise risks through misconfigured SDKs and vulnerable third-party components. Attackers are also expanding their campaigns to exploit employees shopping from work devices, bringing risks into corporate networks.

Multiple US Citizens Plead Guilty to Helping North Korean IT Workers Earn $2 Million

North Korean IT workers used stolen and in some cases, borrowed U.S. identities to get remote jobs at 136 companies, earning $2.2 million. Several Americans and one Ukrainian helped by running laptop farms and passing company checks for them. The DOJ also seized over $15 million in crypto tied to major hacks by North Korea’s APT38 group.

Why These Developments Matter Moving Forward

With emerging investigations, organizations will have to adjust their monitoring to match the transitioning threat landscape. The coming weeks will unfold which of these developments persist and shape the following phase of cyber defense.

Calling the Anthropic operation, the creation of ‘AI Spy,’ Ambuj Kumar, CEO at Simbian, says,” We’ve long heard that LLM adoption would drive an unprecedented rise in malicious actor activity. That moment has arrived. Anthropic has revealed the first documented case of an AI-orchestrated espionage operation.”

“The operation targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies (thirty global targets),” Kumar further explained.

“Anthropic’s own technologies were misused to create this first publicly reported AI Spy,” Kumar added, turning to what defenders must do in response, “Because attackers relied heavily on Claude Code’s autonomy, the operation created substantial environmental noise. Attacker will always be in an unfavorable position regarding the environment awareness, compared to the defender. 

This is if the defender continuously updates every relevant security information about the current and historical state of the environment, the tribal knowledge, past investigations, analysts feedback, etc.

Following the Anthropic findings, Adam Arellano, Field CTO at Traceable by Harness, addressed the offensive side of AI saying, “The hackers are using AI to do what any good hacker would do (looking for weakness, pivoting once inside, changing attack patterns, etc.), but the speed and automation provided by the AI is what is a bit scary.”

Arellano further warned, “As big sophisticated hacking groups prove that LLMs can be effective in hacking, more and more of the smaller groups and even individuals will start to figure out how to use them as well, increasing access to these types of attacks”.

On the brighter side, CrowdStrike, Europol, the FBI, and multiple global partners contributed vital intelligence to Operation Endgame 3.0, helping disrupt the Rhadamanthys, VenomRAT, and Elysium networks.

As Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, said,“Operation Endgame 3.0 shows what’s possible when law enforcement and the private sector work together. By targeting the infrastructure that fuels ransomware, this operation struck the ransomware economy at its source.”

Meyers cautioned, “But disruption isn’t eradication. Defenders should use this window to harden their environments, close visibility gaps, and hunt for the next wave of tools these adversaries will deploy.”