
Threat Intel Update
The U.S. government dealt a blow to North Korea’s IT worker fraud scheme this week by imposing sanctions on several individuals and entities involved. These measures aim to disrupt a network that has targeted hundreds of companies globally and funneled millions of dollars to support the North Korean regime.
Cybersecurity News
- Employee Compromises Bank Systems for $920 in $140M Cyber Heist – Cybercriminals stole nearly $140 million from six Brazilian banks by exploiting insider access at C&M, a financial connectivity firm. João Nazareno Roque, a C&M employee, allegedly accepted a $920 bribe to grant attackers access to sensitive systems linked to Brazil’s Central Bank and execute commands on their behalf. Although he attempted to cover his tracks, Roque was arrested on July 3 in São Paulo. Brazilian authorities are continuing to investigate the breach, which underscores the growing risk of insider threats in the financial sector. A blockchain analyst revealed that $30–40 million of the stolen funds have already been laundered through cryptocurrency. C&M stated that the compromise stemmed from social engineering—not a failure in their technical defenses. Bleeping Computer
- U.S. Sanctions North Korean Official Behind IT Worker Fraud Scheme – The U.S. Treasury has sanctioned Song Kum Hyok, a senior North Korean intelligence official, for running a scheme that placed North Korean IT workers in U.S. companies using stolen American identities. Operating from China and Russia, these workers generated millions for North Korea’s regime and, in some cases, deployed malware into corporate networks. Russian national Gayk Asatryan and four companies tied to the operation were also sanctioned. The action follows recent indictments and highlights the scheme as a key funding source for North Korea’s weapons programs. The Record
- Iranian Ransomware Group Boosts Payouts for Attacks on U.S. and Israel – The ransomware group Pay2Key.I2P has increased affiliate payouts from 70% to 80% for targeting U.S. and Israeli entities, amid escalating regional tensions. Believed to be linked to Iran’s state-backed Fox Kitten group, Pay2Key.I2P operates under a ransomware-as-a-service model and has reportedly earned over $4 million in four months, according to Morphisec. The group is actively recruiting on Russian-language forums. U.S. officials warn of potential Iranian cyber retaliation following recent strikes on Iran’s nuclear infrastructure. The Record
- SEO Poisoning Campaign Hits 8,500+ SMBs with Malware Disguised as AI Tools – A recent cybersecurity report has uncovered a widespread SEO poisoning campaign targeting over 8,500 small and mid-sized business users. Attackers created fake websites offering trojanized versions of popular tools like PuTTY and WinSCP, which install a backdoor called Oyster. The campaign also uses JavaScript redirects to phishing sites that distribute malware such as Vidar and Lumma Stealer. Notably, malicious files impersonating ChatGPT have surged by 115% in early 2025. Experts warn users to download software only from trusted sources to avoid these evolving threats. The Hacker News
- SatanLock Ransomware Group Shuts Down After Brief Surge – The ransomware group SatanLock has announced its shutdown via Telegram and its Dark Web leak site. Victim listings on its .onion page were wiped, replaced with a message warning that all stolen files will be leaked. Active since April, SatanLock quickly gained attention by breaching 67 organizations. Security researchers note overlaps between its victims and those of other ransomware groups, hinting at possible affiliations. The reason for the abrupt shutdown—and what comes next—remains unclear. Dark Reading