Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts
Microsoft has dismantled a long-running malicious extension operation it calls StegoAd, tied to a single threat actor active since at least 2021, after 119 Edge add-ons with up to 2.6 million combined installs were found hiding payloads inside PNG icons, WebP images, and WOFF2 font files using steganography. The extensions — ad blockers, VPNs, translators, and video downloaders — stayed dormant until passing multi-layered evasion checks, including a developer tools detection gate and server-side fingerprinting that served decoy responses to researchers probing it directly. Once active, the payloads ran a remote code execution backdoor, stole Google and WordPress credentials, harvested session cookies, and ran ad fraud across Amazon, eBay, and AliExpress; Microsoft has suspended the 90-plus developer accounts behind them and published a full list of extension IDs along with indicators of compromise for defenders using Chrome, Firefox, and other Chromium-based browsers.
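The summary does not say how the StegoAd carriers encoded their payloads, so the following is an added defender-side check (not Microsoft's tooling or the published IoCs) for one common steganographic hiding spot: bytes appended after the point where a PNG, WOFF2 or WebP file declares that it ends. The asset names, the sample files and the payload placeholder are constructed for the example.

```python
import struct
import zlib
# Added check: PNG, WOFF2 and WebP each declare where they end, so bytes past that point
# are a cheap steganography indicator. One hiding spot only; an assumption, not StegoAd's encoding.
def png_end(blob: bytes):
    """Offset just past the IEND chunk, or None if not a PNG."""
    if not blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            return pos
    return None

def woff2_end(blob: bytes):
    """WOFF2 'length' field (big-endian, offset 8) is the total file size."""
    return struct.unpack(">I", blob[8:12])[0] if blob[:4] == b"wOF2" and len(blob) >= 12 else None

def webp_end(blob: bytes):
    """RIFF size (little-endian, offset 4) excludes the 8-byte RIFF header."""
    ok = blob[:4] == b"RIFF" and blob[8:12] == b"WEBP" and len(blob) >= 12
    return 8 + struct.unpack("<I", blob[4:8])[0] if ok else None

def trailing_bytes(kind: str, blob: bytes) -> int:
    """Bytes after the declared end (>0 is suspicious); -1 if malformed or unknown kind."""
    end = {"png": png_end, "woff2": woff2_end, "webp": webp_end}.get(kind, lambda _: None)(blob)
    return -1 if end is None or end > len(blob) else len(blob) - end

def scan_assets(assets: dict) -> list:
    """(filename, extra byte count) for each asset carrying data past its declared end."""
    hits = [(n, trailing_bytes(n.rsplit(".", 1)[-1].lower(), b)) for n, b in assets.items()]
    return [(n, extra) for n, extra in hits if extra > 0]

def _tiny_png(extra: bytes = b"") -> bytes:
    """Constructed 1x1 PNG; 'extra' is appended after IEND to simulate a carrier file."""
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"") + extra

# Constructed sample assets (not real extension files); PAYLOAD is only a placeholder blob.
PAYLOAD = b"<constructed payload placeholder>"
SAMPLE_ASSETS = {
    "icon16.png": _tiny_png(),
    "icon128.png": _tiny_png(PAYLOAD),
    "ui.woff2": b"wOF2OTTO" + struct.pack(">I", 48) + b"\x00" * 36 + PAYLOAD,
    "banner.webp": b"RIFF" + struct.pack("<I", 4) + b"WEBP",
}
```

A clean result from this scan does not clear an extension, since payloads can also be encoded inside valid pixel or glyph data; a hit, however, is cheap to triage by comparing the trailing bytes against known file signatures.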
Poland Busts SIM-Swapping Gang Tied to Millions in Crypto Theft
Polish authorities arrested four members of an organized cybercrime group accused of breaching telecom partner infrastructure and hijacking email accounts to enable SIM-swapping attacks, in an operation run by Poland’s Cybercrime Bureau with support from the FBI and Homeland Security Investigations. The suspects gained unauthorized access to systems at companies cooperating with Polish telecommunications operators, using specialized software and social engineering to obtain the data needed to illegally clone victims’ phone numbers, intercept calls and SMS messages, and take over cryptocurrency exchange accounts. Total losses are estimated to exceed several tens of millions of Polish złoty — at least $5 million at current exchange rates — with proceeds laundered through distributed networks of bank accounts and digital wallets; blockchain investigator ZachXBT has publicly identified one of the four arrested individuals as Wojtek Kulisz, known online as “Merry.”
Amazon Q Flaw Let Malicious Code Repos Silently Steal Developer Cloud Credentials
Researchers at Wiz disclosed a high-severity vulnerability in the Amazon Q Developer extension for Visual Studio Code, tracked as CVE-2026-12957, where the extension would automatically execute configuration files embedded in any opened workspace without requesting user permission, allowing a malicious repository to run attacker-controlled commands and capture whatever AWS or cloud API credentials were loaded in the developer’s environment. Attack paths include fake coding interview tests — a well-known North Korean recruitment lure — typosquatted open source packages, and malicious pull requests to popular projects, all of which would silently exfiltrate cloud credentials and potentially give attackers access to the victim’s entire cloud infrastructure. AWS was notified in April and patched the issue in May with fixes covering VS Code, JetBrains, Eclipse, and Visual Studio; the language server updates automatically in most environments, though customers in restricted network configurations should manually upgrade to ensure they’re running the patched version.
Operation Endgame Seizes 326 Servers Tied to Amadey and StealC Malware
Operation Endgame — the largest international law enforcement action ever aimed at ransomware and cybercrime infrastructure — claimed its latest targets on June 24 as agencies from the Netherlands, Canada, the United States, and Germany, coordinated through Europol and Eurojust, seized 326 servers and 142 domains tied to the Amadey and StealC malware families, recovering nearly 27 million stolen login credentials in the process. The two tools operate in tandem: Amadey is a loader that gains initial access to devices, while StealC — a malware-as-a-service infostealer active since January 2023 — harvests browser passwords, cookies, credit card details, crypto wallet data, and credentials from Telegram, Discord, Outlook, and VPN clients, with researchers from Proofpoint and IBM X-Force exploiting a vulnerability in StealC’s C2 panel to support the disruption. Microsoft’s Digital Crimes Unit used RICO statutes to sue multiple alleged operators and affiliates simultaneously — treating the two separate malware families as a single criminal conspiracy after AI-assisted analysis revealed they shared infrastructure — and has severed criminal control of more than 18,000 victim computers; over €41 million (approximately $47 million) in related crypto assets have been identified and frozen.
Russia’s Gamaredon APT Adopts Cloud Storage, Cloudflare Tunnels to Conceal C2 Infrastructure
ESET tracked 35 Gamaredon spear-phishing campaigns against Ukrainian government and military targets across 2025, finding the FSB-linked group spent the first half of the year quietly rebuilding its toolset — developing five new PowerShell downloaders — before using the upgraded arsenal to run significantly larger attacks in the second half, including joint operations with fellow Russian APT Turla that used Gamaredon’s loaders to deliver Turla’s heavier Kazuar exploitation framework. A new tool called PteroPaste continuously monitors compromised systems for connected USB drives and covertly copies a disguised malicious loader onto them — naming the file after a randomly selected Word document from the infected machine to evade casual inspection — while updated variants of Gamaredon’s primary stealers now exfiltrate stolen files directly to Amazon S3 and Dropbox rather than attacker-controlled servers. To hide its command-and-control infrastructure, the group is now combining two techniques simultaneously: using Microsoft and Cloudflare tunneling services to route traffic through legitimate domains, and pointing its malware to public dead-drop sites to retrieve its real C2 addresses, making network-based detection and blocklisting significantly more difficult.