Cyber Security Headlines: PyPI backdoors, Project Sugarush, RedAlpha phishing

PyPI packages turn installed apps into backdoors

Security researchers at Snyk discovered a dozen malicious packages in the Python Package Index (PyPI) that could turn the Discord desktop client into a backdoor for stealing data from browsers and other apps. The packages were uploaded on August 1st by a user named “scarycoder.” Rather than relying on typosquatting of popular package names, the packages were presented as useful software tools in their own right. Once installed, they could exfiltrate stored browser passwords, cookies, and search history, and they modified the JavaScript used by Discord to inject a full backdoor into the client. As of this writing, the packages are still available on PyPI. 

(Bleeping Computer)
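The practical lesson of this story is that a package which looks useful can still run attacker code on the installing machine. As an added example (this is not Snyk's analysis tooling and does not reproduce the packages described above), the following Python script applies a few heuristics a reviewer can run over a package's setup.py before installing it: it flags classes that subclass setuptools install-time commands, cmdclass overrides that wire such a class into `pip install`, and execution, decoding or network calls anywhere in the file. The two sample setup.py strings are constructed for illustration; the "payload" in the suspicious one only prints a string and is parsed, never executed.

```python
# Heuristic scan of a package's setup.py for install-time code execution.
# Added example; not Snyk's tooling, and the sample setup.py sources below are
# constructed for illustration (the "payload" merely prints a string).
import ast

# Calls that should rarely appear in a setup.py. Bare names cover
# "from subprocess import Popen" style imports.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "os.system", "os.popen", "system",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "Popen", "check_output",
    "base64.b64decode", "b64decode",
    "urllib.request.urlopen", "urlopen", "requests.get",
    "socket.socket", "ctypes.CDLL",
}
# setuptools commands that run during `pip install`; overriding them is the
# classic way to execute code on the installing machine.
HOOK_COMMANDS = {"install", "develop", "egg_info", "build_py"}


def _dotted_name(node):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return sorted (line, description) findings for a setup.py source string."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # 1) a class subclassing an install-time command: class PostInstall(install)
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _dotted_name(base) or ""
                if name.split(".")[-1] in HOOK_COMMANDS:
                    findings.append((node.lineno, f"class {node.name} subclasses setuptools command '{name}'"))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            # 2) setup(cmdclass={"install": ...}) wiring a hook into the install step
            if name in {"setup", "setuptools.setup"}:
                for kw in node.keywords:
                    if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                        for key in kw.value.keys:
                            if isinstance(key, ast.Constant) and key.value in HOOK_COMMANDS:
                                findings.append((key.lineno, f"cmdclass overrides '{key.value}'"))
            # 3) execution, decoding or network calls anywhere in the file
            elif name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {name}"))
    return sorted(findings)


# Constructed sample: a post-install hook that decodes and runs a payload.
# The base64 string decodes to print('hi'); nothing here is executed.
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = base64.b64decode("cHJpbnQoJ2hpJyk=")
        subprocess.Popen(["python", "-c", payload.decode()])

setup(name="totally-useful-tool", version="1.0", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary declarative setup.py.
CLEAN_SETUP = '''
from setuptools import setup
setup(name="boring-lib", version="0.1", packages=["boring_lib"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("clean", CLEAN_SETUP)):
        print(f"{label}:")
        for line, desc in scan_setup_py(src) or [(0, "no findings")]:
            print(f"  line {line}: {desc}")
```

Treat a hit as a reason to read the package, not as proof of malice: build steps legitimately shell out sometimes, and a wheel-only package has no setup.py at all, so this check belongs beside an sdist download (`pip download --no-binary :all:`) rather than in place of code review.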

Project Sugarush targets Israeli shipping

According to a new report from Mandiant, the Persian-speaking group UNC3890 is running a campaign that opens with email-borne social-engineering lures. These lead victims to a watering hole hosted on the login page of a legitimate Israeli shipping company. The group has also been seen targeting industries from healthcare to energy with the same approach, spoofing services from Office 365 to LinkedIn and Facebook. Once an organization is compromised, the group drops a backdoor called Sugarush, which establishes a reverse shell over TCP to a hardcoded C2 server. A second tool, Sugardump, harvests browser credentials and email data. The group has been in operation since 2020. While it almost certainly operates out of Iran, Mandiant lacks the evidence to say it is state-backed. 

(Dark Reading)

RedAlpha ramps up phishing efforts

According to a new report from Recorded Future’s Insikt Group, the China-based APT RedAlpha specializes in mass credential harvesting through phishing emails that point to fake login pages. The group focuses on gathering intelligence on global humanitarian organizations, such as Amnesty International, the International Federation for Human Rights, and the American Institute in Taiwan. Its operations began as far back as 2015, but 2021 saw a big spike in activity, with the group operating at least 350 domains. The researchers also saw these efforts as targeting ethnic and religious minorities in China. While it maintains a large operational infrastructure, security experts say it uses a fairly standard phishing playbook. 

(Dark Reading)
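A standard phishing playbook run across hundreds of domains is mostly a domain-naming problem for defenders: the fake login pages sit on domains that borrow the target organisation's name or a look-alike of it. As an added example (not Recorded Future's detection logic, and the domains below are constructed rather than RedAlpha infrastructure), the following Python script triages newly observed domains against a watch-list of brand labels. The watch-list and the allow-list of genuine registrable domains are assumptions for the example, and the "last two labels" notion of a registrable domain is a simplification that real code should replace with the public-suffix list.

```python
# Look-alike domain triage for a watch-list of impersonated organisations.
# Added example; not Recorded Future's tooling. Watch-list, allow-list and
# sample domains are assumed/constructed for illustration.

WATCHLIST = ["amnesty", "fidh"]            # brand labels to protect (assumed)
ALLOWLIST = {"amnesty.org", "fidh.org"}    # genuine registrable domains (assumed)

# Substitutions attackers use so a string reads as the brand to a human
# but not to an exact-match rule. Applied to observed labels only, so the
# watch-list labels themselves must be plain lower-case ASCII.
MULTI_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SINGLE_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold_homoglyphs(label):
    """Normalise a DNS label so visually similar spellings compare equal."""
    label = label.lower().translate(SINGLE_HOMOGLYPHS)
    for src, dst in MULTI_HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Plain Levenshtein distance; labels are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Simplification: registrable domain = last two labels. Use the public-suffix
    list in real code (this mis-handles e.g. .org.tw)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def triage(domain):
    """Return (brand, reason) if the domain impersonates a watch-listed brand, else None."""
    reg, subs = registrable(domain)
    if reg in ALLOWLIST:
        return None
    folded = fold_homoglyphs(reg.split(".")[0])
    for brand in WATCHLIST:
        if folded == brand:
            return brand, "homoglyph/lookalike of brand label"
        if brand in folded:
            return brand, "brand embedded in registrable domain"
        if len(brand) >= 5 and edit_distance(folded, brand) <= 1:
            return brand, "typo variant of brand label"
        if any(brand in fold_homoglyphs(s) for s in subs):
            return brand, "brand used in subdomain of unrelated registrable domain"
    return None


# Constructed feed of newly observed domains (not real infrastructure).
SAMPLE_DOMAINS = [
    "amnesty.org",
    "arnnesty.org",
    "amnesty-login.org",
    "fidh.org.account-verify.net",
    "example.com",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        hit = triage(d)
        print(f"{d:32} {'ok' if hit is None else f'{hit[0]}: {hit[1]}'}")
```

Feed this from certificate-transparency logs or passive DNS and the hits become candidates for blocking and for takedown requests; the edit-distance rule is deliberately restricted to brands of five or more characters because short labels generate too many one-character neighbours.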

Meta and TikTok prep for the midterm elections

Meta will disable new “political, electoral and social issue ads” during the week prior to the November 8th US midterm elections. Ads running prior to that week will continue to run, but Meta will disable most edits during that window. Meta will continue its policy of not allowing posts or ads that misrepresent details of the voting process or spreading misinformation on the “outcome of an election.” 

Meanwhile TikTok went live with its midterms Election Center in the US. It’s offered an Election Center in other countries in the past. This provides state-by-state voter registration information, vote by mail instructions, and polling place locations using information from the National Association of Secretaries of State. TikTok partnered with Ballotpedia to display candidates on local ballots. Election results will be displayed from the Associated Press. 

(TechCrunch [1][2])

Thanks to today’s episode sponsor, 6clicks

Manage the full assessment lifecycle and get your business audit-ready more easily than ever using 6clicks. Identify overlap from completed audits and assessments with other standards and frameworks using Hailey-AI to streamline compliance with multiple audit requirements. With built-in content, organizations can get started on their audit and assessments faster than ever before. For more information visit

North Korean hackers lure job seekers

Security researchers at ESET report that the Lazarus Group is using a signed malicious executable for macOS in an effort to impersonate Coinbase. The attackers send employees in financial services fake job offers, with a malicious PDF of the claimed job details attached. The PDF loads a shared library (macOS has no DLLs; the equivalent is a dylib) that lets the threat actors send commands to the device. The malware was signed with an Apple-issued developer certificate on July 21st, and Apple had not revoked the certificate as of August 12th. However, the malware’s C2 server appears to have gone dark. 

(Bleeping Computer)

Google to shutter IoT Core service 

Google abruptly shutting down consumer-focused services is nothing new; in fact, it’s something of an internet meme unto itself. But shutting down enterprise-focused services is still relatively novel for the company. This week, Google Cloud informed customers it will shut down its IoT Core service in August 2023. Customers have a year to transition, with Google saying it worked “extensively to provide customers with migration options.” Azure and AWS both maintain similar cloud services for managing IoT devices and ingesting their data. 


Regulators investigating banks over encrypted messaging

Bloomberg’s sources say the Securities and Exchange Commission and the Commodity Futures Trading Commission found that investigations into the communications of banks around market manipulation were stymied by the use of encrypted communications outside of official channels. The SEC initially investigated the practice at JPMorgan Chase in April 2021, before expanding into an industrywide probe. JPMorgan Chase agreed in December it would pay $200 million in penalties to the two regulators. Goldman Sachs and Barclays are expected to be hit with similar fines, with 10 banks expected to pay about $2 billion combined. 


Microsoft Office Mail Scam

Cybersecurity consultant Martin Pitman received a call from his mother, letting him know that a neighbor had received what appeared to be an Office 365 product in the mail, complete with a USB stick to install the productivity suite. The retired man didn’t seem to be a high-value target. The stick came in fairly high-quality packaging. Plugging it in immediately displayed a message that the computer had a virus, along with a toll-free number to call for supposed technical help. Once on the phone, the phony support person directed the victim to install TeamViewer. Microsoft told Sky News it has launched an investigation into the package. While these types of support scams are extremely common, it’s more than a little unusual for an attacker to go to the expense of mailing out USB sticks. 

(Sky News)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.