Monday, September 22 2025
DFM News Roundup
Digital Forensics Magazine — 48-Hour Global Cyber News Roundup
Window: 2025-08-30 00:00 UTC → 2025-09-01 23:59 UTC

Snapshot Summary

Section | Highlights | Items
DFIR & Incident Response | Abuse of DFIR tooling (Velociraptor) for post-compromise C2 tunnels. | 1
Cyber Investigations | India police bust trafficking pipeline feeding scam centers; separate arrests for online shopping fraud ring. | 2
Major Cyber Incidents | Ransomware disruptions in Sweden’s municipal sector; Pennsylvania AG’s office hit with ransomware. | 2
Exploits & Threat Intelligence | WhatsApp zero-click patched; malvertising (TamperedChef), Android Brokewell via fake ads, DPRK ScarCruft RokRAT. | 4
Law Enforcement | Regional arrests targeting cyberfraud infrastructure. | 1

DFIR & Incident Response

Unknown actors abused the open-source DFIR tool Velociraptor inside victim environments to fetch and run Visual Studio Code for tunneling, highlighting post-compromise “dual-use tool” risks (published 2025-08-30). Defenders should update egress controls and detections for legitimate admin tools used atypically, and verify Velociraptor artifacts in IR hunts. The Hacker News (EMEA), 2025-08-30.
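As an added illustration of the detection advice in that item (example code written for this roundup, not code from the article or from the Velociraptor project), the following Python scans process-creation records for two atypical patterns: a VS Code binary launched with its tunnel subcommand, and a child process other than the agent itself spawned by the Velociraptor client. The record field names, the binary name lists and the sample events are constructed assumptions; the expected-child list in particular should be tuned to what your own Velociraptor artifacts legitimately execute.

```python
import ntpath

# Binaries whose "tunnel" subcommand exposes a remote-access channel.
VS_CODE_BINARIES = {"code.exe", "code-tunnel.exe", "code"}
# DFIR agent images we expect on managed hosts (assumption for the example).
DFIR_AGENTS = {"velociraptor.exe"}
# Children the agent normally spawns; extend with what your artifacts run.
EXPECTED_AGENT_CHILDREN = {"velociraptor.exe"}

# Constructed process-creation events (not real telemetry). Field names are
# hypothetical: host, parent_image, image, cmdline.
SAMPLE_EVENTS = [
    {"host": "host-a", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": "Velociraptor.exe service run"},
    {"host": "host-a", "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\Users\Public\code.exe",
     "cmdline": "code.exe tunnel"},
    {"host": "host-b", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r"Code.exe C:\src\notes.md"},
    {"host": "host-c", "parent_image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the detection labels that apply to one process-creation event."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    args = event["cmdline"].lower().split()
    reasons = []
    # Pattern 1: a VS Code binary started with the "tunnel" subcommand.
    if child in VS_CODE_BINARIES and "tunnel" in args:
        reasons.append("vscode-tunnel")
    # Pattern 2: the DFIR agent spawned something outside its expected set.
    if parent in DFIR_AGENTS and child not in EXPECTED_AGENT_CHILDREN:
        reasons.append("dfir-agent-unexpected-child")
    return reasons


def detect(events: list) -> list:
    """Flatten (host, reason) findings over a list of events, in input order."""
    return [(e["host"], r) for e in events for r in classify(e)]


if __name__ == "__main__":
    for host, reason in detect(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

Pattern 2 will be noisy until the expected-child list reflects your own collection artifacts, so it is better treated as a hunting query than an alert; pattern 1 pairs naturally with an egress rule that blocks the tunnel service from hosts where no developer tooling is approved.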

Cyber Investigations

Surat Police (India) arrested three suspects for trafficking more than 40 victims to Myanmar to work in cyber-fraud “scam centers,” dismantling part of a regional pipeline (reported 2025-09-01). The case underscores the nexus between human trafficking and cybercrime operations, relevant for DFIR teams triaging victim infrastructure and cash-out flows. Times of India (APAC), 2025-09-01.

Patna Cyber Police (India) arrested three individuals who ran a fake shopping-portal phishing ring; devices, 61 ATM cards, and ledgers were seized (reported 2025-09-01). Evidence points to organized acquisition of mule accounts and phishing infrastructure—useful IOCs and TTPs for e-commerce fraud investigations. Times of India (APAC), 2025-09-01.

Major Cyber Incidents

Ransomware at Swedish IT provider Miljödata disrupted services for ~200 municipalities and regional agencies; Sweden’s NCSC and CERT-SE are coordinating response and disclosure (reported 2025-09-01; incident first detected 2025-08-23). Municipal HR dependencies illustrate third-party concentration risk and the need to pre-stage vendor IR access, backups, and tabletop exercises. ITPro (EMEA), 2025-09-01.

The Pennsylvania Office of Attorney General confirmed a ransomware attack that impaired access to archived emails, files, and internal systems; no ransom has been paid and investigation continues (reported 2025-09-01). Legal-sector disruption shows justice workflows’ sensitivity to legacy repositories—IR plans should prioritize email archive continuity and matter-management failovers. Sun-Gazette via Spotlight PA (AMER), 2025-09-01.

Exploits & Threat Intelligence

WhatsApp patched a zero-click vulnerability reportedly exploited in the wild; admins should push latest builds across managed fleets immediately (published 2025-09-01). Messaging-app attack surface remains a common initial access vector on mobile endpoints—consider MDM enforcement and hardened update SLAs. Computing (EMEA), 2025-09-01.

Malvertising pushed a fake “AppSuite PDF Editor” that later activated the TamperedChef infostealer; researchers noted >50 domains and multiple revoked code-signing certs (published 2025-08-30). The staged “benign first, weaponize later” model complicates trust—monitor for DPAPI access, browser DB queries, and unusual proxy enrollment prompts. BleepingComputer (AMER), 2025-08-30.

Threat actors are distributing Brokewell Android malware via fake TradingView ads, abusing finance-app trust to steal credentials and device data (published 2025-08-31). Mobile app-store bypass via ad networks reinforces the need for allow-lists and user training on “sideloading” risks in BYOD estates. BleepingComputer (AMER), 2025-08-31.

North Korea-linked ScarCruft (APT37) ran “HanKook Phantom” spear-phishing against South Korean academics delivering RokRAT for espionage (published 2025-09-01). RokRAT’s cloud-storage C2 and anti-VM checks demand network-layer detections for Box/Dropbox/Yandex anomalies and sandbox-evasion countermeasures. The Hacker News (APAC), 2025-09-01.

Law Enforcement

Indian cyber police in Patna arrested three suspects tied to an online shopping fraud ring, seizing laptops, 61 ATM cards, and multiple phones (reported 2025-09-01). The takedown highlights mule-account ecosystems and artifact types DFIR teams can expect when supporting financial-fraud cases. Times of India (APAC), 2025-09-01.

Editorial Perspective

Two patterns dominated the 48-hour window: weaponization of legitimate tools (Velociraptor, VS Code tunnels) and ad-driven social engineering (TamperedChef, Brokewell). Supply-chain concentration in public sector SaaS/HR stacks amplified ransomware blast radius in Sweden, while justice workflows in Pennsylvania showed the downstream impact of archive/system outages. Mobile and messaging zero-clicks remain a high-leverage entry point—tighten MDM posture, update cadences, and telemetry on app behaviors. Finally, trafficking-to-scam pipelines in APAC reinforce that cybercrime investigations must track human-exploitation logistics alongside digital IOCs.

Tags: ransomware DFIR threat-intel malvertising mobile-security
