Your Cybersecurity News for Monday, December 22, 2025 (Ep.58)

RadioCSIRT - Your Daily Cyber Security Brief

Welcome to your daily cybersecurity podcast.

Pornhub alerts Premium subscribers following a data exposure on November 8, 2025, via its analytics provider Mixpanel. Cybercriminals threaten to contact affected users directly by email. Mixpanel disputes that the data originated from its November 8 security incident, stating there is no evidence of exfiltration from its systems. Pornhub confirms that passwords, payment details, and financial information remain uncompromised, with exposure limited to a restricted set of analytics events. Attackers are exploiting this data for sextortion campaigns that specifically target identified Premium users.

Intezer documents a Goffee group campaign targeting Russian military personnel and defense organizations. The initial attack, identified in October, uses a malicious XLL file titled “enemy’s planned targets”, uploaded to VirusTotal first from Ukraine and then from Russia. The file deploys the EchoGather backdoor to collect system information, execute commands, and exfiltrate files to a C2 server disguised as a food delivery website. Phishing lures include a fake concert invitation for senior military officers and a letter impersonating Russia’s Ministry of Industry and Trade requesting pricing justification documents for defense contracts.

CISA and NIST release draft Interagency Report 8597 on protecting identity tokens and assertions against forgery, theft, and malicious use. The document addresses recent incidents at major cloud providers involving the theft, modification, or forgery of identity tokens to access protected resources. The report covers IAM controls for systems that rely on digitally signed assertions and tokens in access decisions. NIST requests that CSPs apply Secure by Design principles, prioritizing transparency, configurability, and interoperability. Federal agencies must understand the architecture and deployment models of their CSPs to align their risk posture with the threat environment.

Check Point Research documented GachiLoader, a heavily obfuscated Node.js loader malware distributed through the YouTube Ghost Network. The campaign leverages 39 compromised accounts spreading over 100 videos targeting game cheat users, accumulating 220,000 views since December 2024. The malware implements anti-analysis checks, including a 4 GB minimum RAM, 2 CPU cores, and blacklists for usernames, hostnames, and running processes. GachiLoader disables Windows Defender and adds exclusions for C:\Users, C:\ProgramData, C:\Windows, and the .sys extension. Two variants have been observed: the first downloads Rhadamanthys from C2 servers, while the second deploys Kidkadi.node, which uses the Vectored Overloading technique to intercept system calls and load a malicious PE.
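The Defender exclusions listed above are a cheap thing to audit on any Windows host. The script below is an added example, not code from the podcast or from Check Point's report; it reads the local Defender configuration with the built-in `Get-MpPreference` cmdlet and flags the broad path and extension exclusions the summary describes, plus disabled real-time monitoring.

```powershell
# Added example: audit Microsoft Defender for the exclusion pattern described above.
# Assumes a Windows host with the Defender cmdlets available; run from an elevated shell.

# Exclusion values taken from the GachiLoader summary; compared case-insensitively.
$suspiciousPaths = @('C:\Users', 'C:\ProgramData', 'C:\Windows')
$suspiciousExtensions = @('sys')

function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference
    $findings = @()

    # foreach over $null iterates zero times, so empty exclusion lists are safe here.
    foreach ($p in $pref.ExclusionPath) {
        $norm = $p.TrimEnd('\')
        if ($suspiciousPaths -contains $norm) {   # -contains is case-insensitive for strings
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p }
        }
    }
    foreach ($e in $pref.ExclusionExtension) {
        if ($suspiciousExtensions -contains $e.TrimStart('.')) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e }
        }
    }
    if ($pref.DisableRealtimeMonitoring) {
        $findings += [pscustomobject]@{ Type = 'Setting'; Value = 'DisableRealtimeMonitoring = True' }
    }
    return $findings
}

$results = @(Get-SuspiciousDefenderExclusions)
if ($results.Count -eq 0) {
    Write-Output 'No Defender exclusions matching the GachiLoader pattern were found.'
} else {
    Write-Output 'Suspicious Defender configuration found; investigate how it was set:'
    $results | Format-Table -AutoSize
}
```

Any hit here is worth correlating with who or what changed the preference, since a whole-drive tree or the .sys extension is rarely a legitimate exclusion on an endpoint.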

Sources:

Don’t think, patch!

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/