VM#020

Hi Everyone,

🗳️ Election Day in Poland 🇵🇱

When you receive this issue, it’s an important day for us in Poland: we are heading into the final round of the election.

Last week, I had the opportunity to take part in a Mastercourse hosted by Tactical Tech on analyzing the Influence Industry in the context of elections. It was a deep dive into the topic, with presenters mostly from Southern Europe sharing their experiences monitoring recent elections. I also explored new tools like Who Targets Me (see below), gained a better understanding of FIMI, and learned how Alliance4Europe works, an organization whose custom reports we sometimes use. The course was excellent.

Cybersecurity News

  • Hackers linked to Spanish Government target Cuban Institutions: Spyware was planted in Cuban entities as part of a suspected state-backed operation. Find out more.

  • Switzerland Joins EU’s Cyber Ranges Federation (CRF): The membership enhances Switzerland’s collaboration in cybersecurity training, exercises, and research across Europe. Find out more.

  • Russian hacker group behind major European attacks unveiled: Dutch intelligence agencies have uncovered that a previously unknown Russian hacking group, named Laundry Bear, was behind cyberattacks targeting Dutch police, NATO, and several European countries in 2024. Find out more.

Vulnerabilities & Exploits & Hacks

  • Victoria's Secret website taken offline following Security Incident: The lingerie retailer shut down its U.S. website and limited some in-store services after detecting a security breach. Marks & Spencer experienced a similar issue earlier this month. Find out more.

  • Adidas Data Breach: Adidas confirmed a third-party service provider was compromised, exposing customer data. Find out more.

Threat Hunting & Malware

  • Lumma stealer still active?

    [21.05.2025] Despite a coordinated takedown by Microsoft, the FBI, Europol, and Japan’s JC3, which seized 2,300 domains and disrupted the infrastructure of Lumma (also known as LummaC2), the most rapidly evolving Malware-as-a-Service and the top threat for over a year, the Lumma Stealer malware remains a persistent threat, having infected over 394,000 Windows computers globally, with significant impact in Brazil, Europe, and the United States. Distributed through pirated games and cracked apps, Lumma steals sensitive data such as logins, passwords, credit card details, and cryptocurrency wallets, which are sold on criminal markets, and it can serve as a backdoor for deploying ransomware. The Justice Department’s seizure of five key domains and Microsoft’s civil suit targeting additional infrastructure highlight the collaborative efforts of the tech industry and government to combat this Malware-as-a-Service threat; the FBI links Lumma to 1.7 million instances of data theft. Technical Insights on Lumma.

source: Microsoft

However, according to an investigation by The Raven File, Lumma Stealer remains active post-crackdown, as new domains registered between May 21 and May 23, 2025, were identified as active Lumma Stealer panel login portals. These domains, discovered through HTTP fingerprinting and other techniques, indicate that the malware’s operators quickly reestablished infrastructure, with leaked data including passwords and cookies still being shared on Lumma’s operational Telegram shop on May 22, 2025, demonstrating the resilience of its underground network.

In response to such persistent threats, a reward of up to $10 million is being offered for information on foreign individuals involved in cyberattacks targeting U.S. critical infrastructure.

Industry feedback: They’re difficult to reach and haven’t responded to inquiries, which raises doubts about how accessible or effective the reward process is. So far, there’s no public evidence of payouts.

📰 Reports

  • Google Mandiant's M-Trends 2025. Report

  • 2025 Worldwide Threat Assessment, Defense Intelligence Agency (DIA): State-level adversaries, namely Russia, China, North Korea, and Iran, continue to conduct sophisticated cyber espionage campaigns targeting U.S. critical infrastructure. Report.

Espionage & Counterintelligence

  • India Tightens CCTV Surveillance Regulations: India now mandates that CCTV manufacturers submit their hardware, software, and source code for government evaluation, aiming to mitigate espionage risks, particularly from Chinese-made devices. Find out more.

  • US Issues Travel Advisory for Italy: The U.S. State Department has issued a Level 2 travel advisory for Italy, urging increased caution due to potential terrorist violence in popular tourist areas. Find out more.

  • US Plans centralized Platform for Intelligence Data Purchases: The U.S. government is developing a centralized platform to facilitate intelligence agencies' purchase of private data. Find out more.

  • Belgian Security intercepts Huawei Conversations at Football Stadium: Belgian agents intercepted conversations within a corporate box at RSC Anderlecht stadium, where Chinese tech giant Huawei engaged with European Parliament members, underscoring espionage concerns. Find out more.

  • UK Alleges Russian Intelligence accessed Surveillance Cameras: The UK claims Russian military intelligence accessed surveillance cameras near border crossings, military facilities, and train stations in Ukraine, Romania, Poland, Hungary, and Slovakia, highlighting ongoing cyber threats. Find out more.

AI

People living in the United Arab Emirates (UAE) will soon be able to use ChatGPT Plus for free. This makes the UAE the first country in the world to give free access to the premium version of ChatGPT to its entire population.

Friendly reminder: Turn off the “Improve the model for everyone” setting, which is enabled by default. Go to Settings → Data Controls to disable it.

SOCMINT

  • A new tool: Faceseek is a freemium facial recognition and reverse image search tool.

    • I tried the free version — looks promising.

  • Telegram to Raise $1.5 Billion Through Bond Offering
    Telegram is set to issue at least $1.5 billion in bonds on May 28, offering a 9% yield over five years to repay $2.4 billion in 2021 debt. Investors include BlackRock, Mubadala, and Citadel. Ahead of the offering, Telegram reported its first-ever profit, though The Bell questions the transparency of its blockchain-based revenue model.

    • Telegram CEO Pavel Durov announced a forthcoming AI integration with xAI’s Grok, claiming a one-year partnership that would reach over a billion users and include $300 million in funding plus 50% of AI subscription revenue — but on May 28, Elon Musk clarified that no deal had been officially signed.

  • YouTube is testing a new feature that lets you search for things you see in Shorts using Google Lens technology — it can scan Shorts videos for objects, people, translatable text etc.

OSINT

Tools

  • Distributed Denial of Secrets (DDOS) - A hacktivist group shares multiple leaked datasets on its website, but many of them aren’t in easily searchable formats, so technical skills will be needed.

    • I thought everyone knew about this site, but it turns out they don’t 👀 so I’m sharing it. The Polish database isn’t listed there yet.

    • e.g. Library of Leaks (which looks like Aleph but isn’t) is one of its projects. The database is hosted and operated by FlokiNET & DARC.

  • WhoTargetsMe: A browser extension that lets users track political ads (Google & META) online, gather data on their content and targeting, and contribute to research on their impact.

  • Junkipedia: A journalist-only tool, serving as an alternative to Crowdtangle, for monitoring content on social media platforms.

    • I heard about this tool at every session at the Dataharvest this year.

Google Updates

  • The last major Google conference was Google I/O 2025 (Google I/O is an annual developer conference held by Google, where the company announces new products, features, and updates to its platforms and services), which took place on May 14, 2025. The primary focus of the conference was Artificial Intelligence (AI) and its integration across Google's products and services. 100 things were announced at I/O. What I think is cool:

    • Google Meet now features near real-time speech translation using AI that maintains voice quality, tone, and expressiveness.

    • Project Astra updates include more natural voice output, improved memory, and enhanced computer control, with plans to extend these to Gemini Live, Search, Live API, and new devices like Android XR glasses.

      In partnership with Aira, Project Astra developed a prototype to assist blind and low-vision users with everyday tasks.

    • New generative AI tools introduced: Veo 3 (video creation), Imagen 4 (image generation), and Flow (AI-powered filmmaking).

    • Chrome will soon add an automated password change feature for compromised passwords.

Darknet

  • Tor has released 🧅 Oniux, an experimental tool that routes any Linux application’s traffic through Tor with kernel-level isolation using Linux namespaces, offering stronger anonymity and leak protection than Torsocks. Still experimental — but a big step toward hardened anonymity.

Upcoming CyberSec / OSINT Events

Free

  • Rooftop Social | Cyb3r Operations | InfoSec 2025, 4 June 2025 | 18:00–23:00 BST | RSVP
    Evening networking event on cyber operations and InfoSec, hosted in London.

  • Ofcom: The Online Safety Act explained - How to comply with the rules to protect children, 4 June | 10:00 – 17:30 BST
    Join this event to learn about the new legal duties under the Online Safety Act, including how to assess risks of harm to under-18s and the practical steps you need to take to keep children safe online.

  • “Ticket to Bandera”: Russian Extremist Disinformation Operations in Europe, 6 June 2025 | 11:00–12:00 CET
    Webinar co-hosted with International Centre for Counter-Terrorism and FRONTSTORY.PL as part of the ANTIDOX project.

    • This is the first of two webinars in June as part of our project related to the upcoming publications.

  • 🕵️‍♂️ #OSINTVillage at leHACK is back on June 27–28, 2025!
    Join the community in Paris for workshops, talks, and hands-on OSINT practice.
    While we wait for this year’s agenda, catch last year’s talks on YouTube: Watch here. Follow Sylvan for updates.

    • An in-person Trace Labs Search Party will also take place during the event.

  • Layer 8, June 14, 2025
    Conference on Social Engineering and Intelligence Gathering, Boston, MA. More info here.

  • DW Global Media Forum 2025 July 7–8, 2025
    The Global Media Forum is an annual gathering of journalists and media experts from around the world, held in Bonn, Germany.

  • BornHack 2025 July 16–23, 2025
    BornHack is a 7-day outdoor tent camp where hackers, makers, and anyone interested in technology or security come together to celebrate tech, socialize, learn, and have fun — all at our venue on the Danish island of Funen.

🙃Bonus

Missed A Walk on the Wild Side OSINT CTF by OSINT Combine? No worries — Part 1 of their walkthrough is live! 🐾
It covers the first 10 challenges, including geolocation, environmental OSINT, digital trace analysis — and even a shadow fleet task. Link to walkthrough