
Coverage: Last 24 hours
Today’s Highlights
Major vulnerabilities and malware campaigns this week reveal widening attack surfaces: from supply-chain threats in gaming and developer ecosystems to a surge in sophisticated Android financial malware and public proof-of-concept releases that demand rapid patching. Key themes include malware supply chain exposures, authentication bypass exploits, AI and SaaS ecosystem threats, growing abuse of digital identities, and advanced social engineering.
Table of Contents
- New Rokarolla Android malware targets 217 banking, crypto apps
- Steam Workshop abused to spread malware via Wallpaper Engine app
- UK to require ID or face scan before you can make social media accounts
- GhostTree Attack Abused Recursive Windows Junctions to Hide Malware
- FTC warns of record $3.5 billion losses to imposter scams in 2025
- Microsoft working on Defender patch for RoguePlanet zero-day
- Kodak confirms data breach claimed by ShinyHunters extortion gang
- Malicious JetBrains Marketplace plugins steal AI API keys from developers
Top Stories
New Rokarolla Android malware targets 217 banking, crypto apps
Source: BleepingComputer | Risk: Critical | Impacted: Android users of banking or crypto apps, Banking and fintech IT, Mobile EDR and SOC teams
Summary: A new Android banking trojan named Rokarolla is targeting 217 banking and cryptocurrency applications using an extensive set of 137 commands.
Why it matters: Credential theft and remote control over financial apps expose both organizations and individuals to large-scale account takeovers and direct financial fraud.
Practitioner Perspective
Android fleets in banking, fintech, and high-risk industries are now top targets for increasingly capable malware like Rokarolla. This malware leverages a massive command catalogue to bypass user controls, harvest credentials, and transfer funds. Bring Your Own Device (BYOD) and poorly managed endpoints are the most exposed, particularly where MDM enforcement is inconsistent. Defenders must harden app stores, push detections down to device level, and proactively educate at-risk users. The key operational priority: close gaps between EDR/malware telemetry and mobile user populations, as mobile malware is now an enterprise risk, not just a consumer one.
Recommended Actions
- Block installation of unauthorized APKs and restrict mobile app stores for company-managed Android devices
- Deploy mobile EDR signatures for Rokarolla, focusing on the 137 command behaviors described
Steam Workshop abused to spread malware via Wallpaper Engine app
Source: BleepingComputer | Risk: High | Impacted: Organizations with unmanaged or BYOD Windows devices, Staff using Steam Workshop or Wallpaper Engine, IT with relaxed software policies
Summary: Threat actors are abusing Steam Workshop, Valve’s community hub for downloading game-related content, to push various malware hidden in wallpaper packages.
Why it matters: Malware delivered through trusted gamer content channels bypasses endpoint controls, turning entertainment and side-loaded assets into organizational footholds for further attacks.
Practitioner Perspective
Steam Workshop and similar digital asset platforms are now active vectors for financially motivated malware, including ransomware and info-stealers. Any enterprise allowing installation of such applications increases exposure from both home and managed endpoints. This attack path is not limited to the gaming sector: malware in wallpaper or game asset packages can spread if employees sync these tools across networks or run them as shadow IT. Cyber teams must aggressively block gaming-related executables and hunt for unauthorized Steam installations or associated processes on their estate. Threats are not contained to gaming PCs and bleed into enterprise networks easily.
Recommended Actions
- Block Steam, Wallpaper Engine, and related content downloaders via application control solutions
- Scan endpoints for known malware-laden Steam Workshop packages detailed in recent threat reports
UK to require ID or face scan before you can make social media accounts
Source: BleepingComputer | Risk: High | Impacted: UK social media providers, Consumer identity data processors, Third-party KYC/identity platforms
Summary: Opening a new social media account in the UK will soon mean proving you’re over 16 with an ID upload or a facial age scan, under a government ban on under-16s taking effect in spring 2027. Security experts warn the age checks are easy to circumvent and create new data-breach risks.
Why it matters: Mandatory ID and facial data collection introduces new concentrations of sensitive personally identifiable information that adversaries may target for large-scale identity theft or surveillance abuse.
Practitioner Perspective
These regulatory changes will force service providers and partners to handle age-verification data at scale. Centralized biometric and ID repositories are high-value targets, especially given predictions of circumvention attempts and weak controls. Defenders in organizations with UK consumer exposure, or those handling similar PII, must revisit how identity data inflow is segmented, monitored, and disposed of. For risk managers, the operational posture should shift toward breach-ready readiness: assume compromise of ID/biometric stores and plan coordinated detection and response accordingly.
Recommended Actions
- Review contracts and incident response runbooks to ensure robust response to PII/biometric breach scenarios post-UK ID law
- Validate strong encryption, retention, and segmentation for any collected facial scans or IDs
GhostTree Attack Abused Recursive Windows Junctions to Hide Malware
Source: BleepingComputer | Risk: High | Impacted: Windows environments with Microsoft Defender, SOC teams prioritizing file scanning, Organizations with extensive file sharing or NTFS manipulation
Summary: GhostTree uses recursive NTFS junctions to generate vast numbers of valid Windows file paths. Varonis explains how the technique could cause Microsoft Defender folder scans to never complete, leaving malware undetected.
Why it matters: NTFS abuse that blocks Defender scans undermines endpoint hygiene, enabling persistent attacker footholds inside trusted environments without triggering expected alerts.
Practitioner Perspective
Attackers leveraging recursive NTFS junctions can deliberately stall antivirus scanning, creating durable hiding spots for malware. Such abuses are now publicly documented, which raises the risk of rapid copycat adoption. Standard tools and playbooks that rely on Microsoft Defender scanning will not surface these payloads; defenders need layered scanning and process monitoring. File system monitoring for unusual recursive reference chains is essential. The operational takeaway: don’t assume an endpoint is ‘clean’ when dealing with advanced attacker tradecraft around junction abuse.
Recommended Actions
- Hunt for and inventory NTFS junctions with deep recursion across organizational assets
- Test Microsoft Defender responsiveness and scan completion rates on systems with complex NTFS structures
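One way to carry out the junction inventory above, as an added example that is not from the article or from Varonis's write-up: it walks a root to a bounded depth, lists every NTFS junction, and flags those whose target is the junction itself or one of its ancestors. $Root and $MaxDepth are placeholder assumptions; run it from an elevated Windows PowerShell 5.1 or PowerShell 7 session.

```powershell
# Added example (not from the article or Varonis): inventory NTFS junctions under a root
# and flag self-referencing ones, the layout that makes folder scans never finish.
# Assumptions: $Root and $MaxDepth are placeholders; run elevated so -Force sees hidden dirs.
[CmdletBinding()]
param(
    [string]$Root = 'C:\',
    [int]$MaxDepth = 8
)

function Get-NormalizedPath([string]$Path) {
    # Drop the \\?\ prefix some junction targets carry, trailing separators, and case,
    # so that prefix comparisons behave on a case-insensitive file system.
    $p = $Path -replace '^\\\\\?\\', ''
    return $p.TrimEnd('\').ToLowerInvariant()
}

# -Depth bounds the walk. Windows PowerShell 5.1 follows junctions while recursing, so an
# unbounded inventory would loop on exactly the structure it is hunting for.
$junctions = Get-ChildItem -Path $Root -Directory -Recurse -Depth $MaxDepth -Force `
    -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LinkType -eq 'Junction' }

$report = foreach ($j in $junctions) {
    $source = Get-NormalizedPath $j.FullName
    $target = Get-NormalizedPath ([string]($j.Target | Select-Object -First 1))

    # Self-referencing: the target is the junction itself or one of its ancestors,
    # e.g. C:\data\a\b -> C:\data, which makes every deeper child path valid.
    $recursive = ($target -ne '') -and
                 ($source -eq $target -or $source.StartsWith($target + '\'))

    [pscustomobject]@{
        Junction  = $j.FullName
        Target    = $target
        Recursive = $recursive
    }
}

$report | Sort-Object Recursive -Descending | Format-Table -AutoSize
$flagged = @($report | Where-Object { $_.Recursive })
Write-Host ("{0} junction(s) inventoried, {1} self-referencing" -f @($report).Count, $flagged.Count)
```

Junctions that point at a sibling junction rather than an ancestor are listed but not flagged; review the Target column for chains between them.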
FTC warns of record $3.5 billion losses to imposter scams in 2025
Source: BleepingComputer | Risk: High | Impacted: Finance and HR business units, Executives and high-profile staff, Organizations lacking business process segmentation
Summary: The U.S. Federal Trade Commission (FTC) warned that Americans lost $3.5 billion to imposter scams in 2025, with reported losses nearly tripling since 2020.
Why it matters: Business email compromise and imposter scams routinely drive major financial losses with little technical sophistication, threatening both individuals and organizations due to incomplete user vigilance and procedural blind spots.
Practitioner Perspective
Imposter scams have grown in sophistication; losses are now driven by effective social engineering, not technical compromise. Executive, payroll, and vendor fraud attacks should be treated as persistent threats. The growth trajectory means prior user training approaches are failing: attackers pivot quickly to new lures and business process weaknesses. Security controls around financial workflows and multi-party verification are more important than ever. If you haven’t run simulated business email compromise drills this quarter, you’re behind.
Recommended Actions
- Mandate dual authorization for all significant outgoing payments above set thresholds
- Run regular simulated BEC/imposter scams targeting payroll and executive assistant workflows
Emerging Signals
No high-confidence stories for this section today.
Exploits & CVEs
Microsoft working on Defender patch for RoguePlanet zero-day
Source: BleepingComputer | Risk: High | Impacted: Windows endpoints with Defender, Organizations with default endpoint protection, SOC teams relying on Defender alerts
Summary: Microsoft confirmed that it’s working on a security patch for a Defender zero-day vulnerability named “RoguePlanet,” disclosed one week ago.
Why it matters: Endpoint protection bypass exposes organizations to novel threats, increasing the risk of successful malware deployment before security tools can react.
Practitioner Perspective
Enterprises relying on Windows Defender for frontline endpoint security face an elevated risk while a zero-day vulnerability remains unpatched. Attackers may target this gap to deploy malware, ransomware, or establish persistence. Monitoring for Defender service anomalies and layered controls is critical since attackers often exploit unpatched Defender flaws as part of broader intrusion playbooks. Immediate detection engineering around Defender process integrity and suspicious exclusions is warranted. Prioritize communication with IT about the attack surface until a vendor fix lands.
Recommended Actions
- Increase scrutiny for Defender service status and process anomalies via EDR
- Hunt for unauthorized Defender exclusion or tampering attempts in event logs
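An added example, not from the article, for the two Defender hunting actions above: it compares the host's current Defender exclusions with an approved baseline and pulls recent Defender operational-log events that record protection being disabled (5001, 5010, 5012) or a configuration change touching exclusions (5007). The $ApprovedExclusions list is a placeholder; $Days is the look-back window.

```powershell
# Added example (not from the article): surface Defender exclusions that are not on an
# approved baseline and list recent protection-disabled and exclusion-change events.
# Assumptions: $ApprovedExclusions is a placeholder allowlist; $Days is the look-back window.
param(
    [string[]]$ApprovedExclusions = @('C:\ProgramData\ApprovedTool'),   # placeholder
    [int]$Days = 7
)

function Get-UnexpectedExclusions([string[]]$Approved) {
    $pref = Get-MpPreference
    # Path, process and extension exclusions all widen the blind spot; gather them together.
    $current = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension) |
        Where-Object { $_ }
    # Normalise trailing backslashes and case so baseline entries match on-disk values.
    $norm = { param($p) ([string]$p).TrimEnd('\').ToLowerInvariant() }
    $approvedSet = @($Approved | ForEach-Object { & $norm $_ })
    return @($current | Where-Object { $approvedSet -notcontains (& $norm $_) })
}

function Get-TamperEvents([int]$LookbackDays) {
    # 5001/5010/5012 record protection being disabled; 5007 records any configuration
    # change with old/new values in its message, so keep only the exclusion-related ones.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ne 5007 -or $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

$unexpected = Get-UnexpectedExclusions -Approved $ApprovedExclusions
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} exclusion(s) not on the approved baseline:" -f $unexpected.Count)
    $unexpected | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'No exclusions outside the approved baseline.'
}

Get-TamperEvents -LookbackDays $Days | Format-Table -AutoSize -Wrap
```

Run it elevated; a tenant policy that hides exclusions from local users will leave the baseline comparison empty, in which case the event query is the remaining signal.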
Defensive Actions
- Block installation of unauthorized APKs and restrict mobile app stores for company-managed Android devices
- Deploy mobile EDR signatures for Rokarolla, focusing on the 137 command behaviors described
- Block Steam, Wallpaper Engine, and related content downloaders via application control solutions
- Scan endpoints for known malware-laden Steam Workshop packages detailed in recent threat reports
- Review contracts and incident response runbooks to ensure robust response to PII/biometric breach scenarios post-UK ID law
- Validate strong encryption, retention, and segmentation for any collected facial scans or IDs
- Hunt for and inventory NTFS junctions with deep recursion across organizational assets
- Test Microsoft Defender responsiveness and scan completion rates on systems with complex NTFS structures
- Mandate dual authorization for all significant outgoing payments above set thresholds
- Run regular simulated BEC/imposter scams targeting payroll and executive assistant workflows
What We’re Watching
Kodak confirms data breach claimed by ShinyHunters extortion gang
Source: BleepingComputer | Risk: High | Impacted: Enterprises with valuable data stores, Organizations with weak segmentation or supply chain links, Staff and partners listed in breach data
Summary: Kodak has confirmed that it’s working with external cybersecurity experts to investigate a security breach after hackers gained access to some of the company’s data.
Why it matters: Attackers gaining access to sensitive data frequently resort to extortion, leading to business disruption, legal exposure, and reputational harm that can cascade across supply chains if partner or customer data is involved.
Practitioner Perspective
This incident illustrates that even established brands with public profiles remain top targets for criminal groups like ShinyHunters. Extortion actors increasingly combine data exfiltration and social pressure tactics, complicating response for internal and external cyber teams. Not knowing the exact nature of the stolen data raises stakes: defenders must consider both technical containment and external communications. Expect follow-on phishing or social engineering against staff and any data subjects referenced in leaks. Run a thorough risk assessment of potentially exfiltrated data to inform legal strategy and breach notification plans.
Recommended Actions
- Engage digital forensics for any systems accessed during the ShinyHunters breach
- Map the scope of data accessed or exfiltrated, focusing on business-critical and regulated assets
Malicious JetBrains Marketplace plugins steal AI API keys from developers
Source: BleepingComputer | Risk: High | Impacted: Developer workstations running JetBrains IDEs, Organizations with AI API dependency, DevOps and AppSec teams
Summary: At least 15 malicious plugins found on the JetBrains Marketplace were designed to steal AI API keys from developers.
Why it matters: Stolen AI API keys give attackers access to proprietary data, model configurations, and billing footprints, increasing risk of data leakage and financial abuse for organizations with poorly governed software supply chains.
Practitioner Perspective
Developer environments integrating JetBrains plugins are now an active malware distribution vector, targeting high-value AI credentials rather than just source code. Organizations building on AI APIs must realize plugin supply chain hygiene is as critical as managing third-party SaaS integrations. Once keys are exposed, attackers may siphon sensitive prompts, leak proprietary output, or create shadow AI workloads under organizational billing. Harden plugin approval and rotate compromised AI API keys immediately if JetBrains products are used. The developer ecosystem for AI tooling is especially poorly monitored; assume compromise if plugin inventories are not tightly controlled.
Recommended Actions
- Inventory and remove unapproved JetBrains Marketplace plugins, focusing on those cited in recent reports
- Force rotate credentials for all AI APIs potentially exposed by poisoned plugins on JetBrains platforms