Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.
The cybersecurity landscape continues to shift rapidly, with fresh threats and high-profile incidents making headlines worldwide. This week’s roundup covers everything from a zero-click exploit patched in WhatsApp and a suspected espionage campaign tied to US-China trade talks, to ransomware hitting Brazil’s healthcare sector and a new backdoor targeting enterprise and government systems. We also take a closer look at Jaguar Land Rover’s recent cyberattack – and the lessons other organizations can learn to avoid a similar fate.
- WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices
WhatsApp has rolled out critical updates for its iOS and macOS apps to patch a recently discovered security flaw that may have been actively exploited in the wild, in tandem with a previously reported Apple vulnerability.
Tracked as CVE-2025-55177 and assigned a CVSS score of 5.4, the issue stems from incomplete authorization of linked-device synchronization messages. The flaw could allow an unrelated user to make a target’s device process content from an arbitrary URL, with no interaction from the victim.
The vulnerability was identified by WhatsApp’s internal security team and has since been addressed in the following versions:
- WhatsApp for iOS: Fixed in version 2.25.21.73 (released July 28, 2025)
- WhatsApp Business for iOS: Patched in 2.25.21.78 (released August 4, 2025)
- WhatsApp for Mac: Updated in version 2.25.21.78 (also August 4, 2025)
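A practical follow-up to the version list is checking a device inventory against it. The block below is an added example, not Meta’s tooling: the fixed-version table is copied from the advisory as reported here, and the inventory rows are constructed. The point it makes is that build numbers must be compared numerically, since a naive string comparison ranks 2.25.9.x above 2.25.21.x.

```python
"""Check an inventory of WhatsApp builds against the fixed versions listed
above. Added example, not Meta's tooling; the fixed-version table is copied
from the advisory as reported here, the inventory is constructed."""
FIXED_IN = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

def parse_version(v):
    """'2.25.21.73' -> (2, 25, 21, 73). Compare as integers: as strings,
    '2.25.9.80' sorts after '2.25.21.73' and would be wrongly treated as patched."""
    return tuple(int(part) for part in v.strip().split("."))

def is_patched(product, version):
    if product not in FIXED_IN:
        raise ValueError(f"no fixed version known for {product!r}")
    return parse_version(version) >= parse_version(FIXED_IN[product])

def unpatched(inventory):
    """inventory: iterable of (device_id, product, version); returns entries still below the fix."""
    return [(dev, prod, ver) for dev, prod, ver in inventory if not is_patched(prod, ver)]

INVENTORY = [  # constructed MDM export, not real devices
    ("ios-001", "WhatsApp for iOS", "2.25.21.73"),
    ("ios-002", "WhatsApp for iOS", "2.25.9.80"),
    ("ios-003", "WhatsApp Business for iOS", "2.25.21.73"),
    ("mac-001", "WhatsApp for Mac", "2.25.22.1"),
]

if __name__ == "__main__":
    for dev, prod, ver in unpatched(INVENTORY):
        print(f"{dev}: {prod} {ver} is below fixed version {FIXED_IN[prod]}")
```

Note that the Business build at 2.25.21.73 is still vulnerable even though that number is the fix for the consumer app; the floor is per product.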
Meta, WhatsApp’s parent company, noted that this flaw may have been exploited in combination with another critical Apple bug, CVE-2025-43300, which impacts iOS, iPadOS, and macOS. Apple flagged that vulnerability just last week, highlighting its use in advanced attacks targeting specific individuals.
CVE-2025-43300 is described as an out-of-bounds write issue within Apple’s ImageIO framework – a problem that could lead to memory corruption when a device encounters a specially crafted image file.
According to the Head of Amnesty International’s Security Lab, WhatsApp has reached out to several users believed to have been targeted in a spyware campaign over the past three months. The messaging platform advised affected individuals to perform a factory reset and to keep both their operating system and the app updated to reduce risk. The attack is a zero-click exploit, meaning no user interaction, such as tapping links or downloading files, is required for the compromise to occur. Preliminary findings suggest that both Android and iPhone users may be affected. Spyware continues to be a serious threat, especially for journalists and human rights advocates.
As of now, the actors behind this exploit chain remain unknown, as does the specific spyware vendor responsible for the campaign.
- US Probes Malware Email Targeting Trade Talks with China, WSJ Reports
U.S. cybersecurity authorities are probing a suspected cyber-espionage campaign involving a fake email, allegedly sent in July under the name of Representative John Moolenaar, a Republican lawmaker known for his tough stance on China. The message, embedded with malware, appears to have targeted U.S. trade associations, law firms, and government agencies, reportedly in an effort to gain intelligence on U.S.-China trade negotiations.
According to a Wall Street Journal report, cybersecurity researchers have linked the attack to APT41, a sophisticated hacking group believed to operate on behalf of Chinese state interests. The group has been previously tied to numerous high-profile cyber intrusions targeting U.S. infrastructure and private sector entities.
The spoofed email was crafted to look like an official communication from Moolenaar, who chairs a congressional committee overseeing U.S.-China strategic competition. The message urged recipients to review an attached legislative proposal; opening the file would have activated malware capable of granting unauthorized access to internal systems.
The timing of the phishing campaign was notable: it coincided with U.S.-China trade discussions in Sweden, which resulted in a temporary tariff truce set to last until early November. This timeline has raised concerns that the hackers were attempting to gather strategic intelligence ahead of a potential meeting between President Donald Trump and Chinese President Xi Jinping at an international economic summit.
While the extent of any data compromise remains unclear, the U.S. Capitol Police have launched an investigation. The FBI also acknowledged the incident, stating that it is actively working with partners to track down those responsible.
In a statement, Rep. Moolenaar condemned the attack as part of a broader pattern of cyber intrusions attributed to China. “We will not be intimidated,” he said, calling the attempted breach another example of Chinese efforts to steal sensitive U.S. policy information.
The incident was uncovered after Moolenaar’s congressional staff began receiving inquiries about the suspicious email, which they had never actually sent. That discrepancy prompted further scrutiny and a subsequent referral to cybersecurity experts.
The Chinese Embassy in Washington, responding to the allegations, denied knowledge of the incident and reiterated its standard position: that China opposes all forms of cybercrime and condemns accusations made without concrete evidence.
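The report says the email was sent "under the name of" the congressman, which is the display-name impersonation pattern a mail gateway can screen for: a trusted person’s name in the From header, an address on a domain that person does not use, and an attachment. The block below is an added example, not part of the WSJ report or this article. The real message’s headers are not public, so the sample messages, the lookalike domain, the watch list and the domain assumed to be legitimate for the watched sender are all constructed for illustration.

```python
"""Screen inbound mail for display-name impersonation of a watched sender.
Added example: the sample messages, lookalike domain and watch list are
constructed; the legitimate domain for the watched name is an assumption."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Display names worth protecting, mapped to the domains they legitimately send from.
# The domain here is an assumption for the example, not taken from the article.
WATCHLIST = {"john moolenaar": {"mail.house.gov"}}

# Attachment types that commonly carry droppers (assumed policy list).
RISKY_EXT = (".zip", ".iso", ".lnk", ".exe", ".js", ".hta", ".doc", ".docm", ".xls", ".xlsm")

def _name_tokens(display_name):
    return set(re.sub(r"[^\w\s]", " ", display_name).lower().split())

def assess_message(raw):
    """Return {'verdict': 'deliver'|'quarantine', 'findings': [...]} for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Display name matches a watched person but the address domain is not one of theirs.
    tokens = _name_tokens(display)
    for watched, domains in WATCHLIST.items():
        if set(watched.split()) <= tokens and from_domain not in domains:
            findings.append(f"display_name_impersonation:{watched}:{from_domain}")

    # 2. DMARC result as stamped by our own MX in Authentication-Results.
    #    A lookalike domain can pass SPF for itself, so only dmarc=pass counts.
    auth = str(msg.get("Authentication-Results", ""))
    m = re.search(r"\bdmarc=(\w+)", auth)
    if not m or m.group(1).lower() != "pass":
        findings.append("dmarc_not_pass:" + (m.group(1).lower() if m else "absent"))

    # 3. Attachments of types that commonly carry droppers.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append("risky_attachment:" + name)

    impersonated = any(f.startswith("display_name_impersonation") for f in findings)
    dropper = any(f.startswith("risky_attachment") for f in findings)
    dmarc_bad = any(f.startswith("dmarc_not_pass") for f in findings)
    verdict = "quarantine" if impersonated or (dropper and dmarc_bad) else "deliver"
    return {"verdict": verdict, "findings": findings}

# Constructed sample: lookalike domain, SPF passes for that domain, zip attached.
SPOOFED = b"""From: "Rep. John Moolenaar" <j.moolenaar@house-policy-update.example>
To: policy@tradegroup.example
Subject: Draft legislation for your review
Authentication-Results: mx.tradegroup.example; spf=pass smtp.mailfrom=house-policy-update.example; dkim=none; dmarc=none header.from=house-policy-update.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached proposal and send comments by Friday.
--b1
Content-Type: application/zip; name="Draft_Proposal.zip"
Content-Disposition: attachment; filename="Draft_Proposal.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: same display name from the assumed legitimate domain, DMARC pass, no attachment.
LEGIT = b"""From: "John Moolenaar" <member.office@mail.house.gov>
To: policy@tradegroup.example
Subject: Hearing schedule
Authentication-Results: mx.tradegroup.example; spf=pass smtp.mailfrom=mail.house.gov; dkim=pass header.d=mail.house.gov; dmarc=pass header.from=mail.house.gov
MIME-Version: 1.0
Content-Type: text/plain

The hearing is moved to Thursday.
"""

if __name__ == "__main__":
    print(assess_message(SPOOFED))
    print(assess_message(LEGIT))
```

The spoofed sample passes SPF, which is the trap: SPF only says the sending server is allowed to send for the lookalike domain. What matters is whether the name on the message belongs to the domain it came from, and whether the From domain's own DMARC policy was satisfied. Homoglyph and transliteration variants of the name are not handled here and would need a normalization step in a production filter.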
- KillSec Ransomware Is Attacking Healthcare Institutions in Brazil
The ransomware group KillSec has claimed responsibility for a significant cyberattack on Brazil’s healthcare sector, threatening to leak highly sensitive patient data unless negotiations begin immediately. According to Resecurity, the breach was traced back to an unsecured Amazon S3 storage bucket, which attackers exploited to exfiltrate over 34 GB of confidential information.
Cybersecurity analysts estimate that the exposure window lasted for several months before discovery, raising concerns about the ongoing security posture within Brazil’s healthcare supply chain. Experts believe this may be one of the first large-scale supply chain breaches in the Brazilian medical sector.
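The article attributes the breach to an unsecured S3 bucket but does not say how it was misconfigured. Public exposure of a bucket is decided by three settings together: the bucket policy, the bucket ACL, and the account or bucket Public Access Block. The block below is an added example, not Resecurity’s or the victim’s tooling, that audits those three artefacts offline. The inputs are constructed to mirror the JSON returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`; nothing here calls AWS.

```python
"""Offline audit of an S3 bucket's public exposure from bucket policy, ACL
and Public Access Block settings. Added example with constructed inputs."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account: public in practice
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_anonymous(principal):
    # "Principal": "*"  or  {"AWS": "*"}  or  {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_doc):
    """Allow statements open to everyone with no Condition narrowing them."""
    if isinstance(policy_doc, str):        # get-bucket-policy returns the document as a string
        policy_doc = json.loads(policy_doc)
    if not policy_doc:
        return []
    stmts = policy_doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for s in stmts:
        if s.get("Effect") == "Allow" and _principal_is_anonymous(s.get("Principal")) and not s.get("Condition"):
            actions = s.get("Action", [])
            hits.append([actions] if isinstance(actions, str) else list(actions))
    return hits

def public_acl_grants(acl):
    hits = []
    for g in (acl or {}).get("Grants", []):
        uri = g.get("Grantee", {}).get("URI", "")
        if uri in (ALL_USERS, AUTH_USERS):
            hits.append((uri.rsplit("/", 1)[-1], g.get("Permission")))
    return hits

def audit_bucket(policy_doc, acl, pab):
    """Return {'exposed': bool, 'findings': [...]}. 'exposed' means anonymous access
    is effective after applying the documented Public Access Block semantics:
    RestrictPublicBuckets blocks anonymous use of a public policy, and
    IgnorePublicAcls makes public ACL grants inert."""
    pab = pab or {}
    findings, exposed = [], False
    off = [f for f in PAB_FLAGS if not pab.get(f)]
    if off:
        findings.append("public access block not fully enabled: " + ", ".join(off))
    for actions in public_policy_statements(policy_doc):
        msg = "policy allows anonymous " + ",".join(actions)
        if pab.get("RestrictPublicBuckets"):
            findings.append(msg + " (neutralized by RestrictPublicBuckets)")
        else:
            exposed = True
            findings.append(msg)
    for grantee, perm in public_acl_grants(acl):
        msg = f"ACL grants {perm} to {grantee}"
        if pab.get("IgnorePublicAcls"):
            findings.append(msg + " (neutralized by IgnorePublicAcls)")
        else:
            exposed = True
            findings.append(msg)
    return {"exposed": exposed, "findings": findings}

# Constructed inputs: a bucket exposed the way the article describes, and a hardened one.
# Bucket and role names and the account ID are placeholders, not real resources.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::patient-imaging-example", "arn:aws:s3:::patient-imaging-example/*"]}]})
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
EXPOSED_PAB = {f: False for f in PAB_FLAGS}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/imaging-ingest"},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::patient-imaging-example/*"}]}
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {f: True for f in PAB_FLAGS}

if __name__ == "__main__":
    print(audit_bucket(EXPOSED_POLICY, EXPOSED_ACL, EXPOSED_PAB))
    print(audit_bucket(HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))
```

The check keeps "public-looking" separate from "actually reachable": a public policy or ACL on a bucket whose Public Access Block is fully enabled is still reported, because the moment someone relaxes the block the data is exposed, but it is not counted as an exposure. Object ACLs and pre-signed URLs are out of scope here and need their own review.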
This is not KillSec’s first targeting of Brazilian entities. In prior attacks, the group leaked personal and financial records from government databases, including CNPJ and CPF identifiers, bank details, and transaction data. While past disclosures were sometimes vague or speculative, this latest attack shows a more deliberate and damaging approach.
KillSec appears to be focusing efforts on the healthcare vertical across Latin America and beyond, knowing the critical nature and sensitivity of the data stored. This time, the stolen records reportedly include: medical evaluations and diagnostics, laboratory test results, uncensored patient photos, and medical records of minors. Despite the severity of the breach, none of the impacted patients were informed, highlighting a troubling gap in breach notification protocols.
In the days surrounding the Brazilian breach, KillSec also claimed intrusions into healthcare organizations in Colombia, Peru, and the United States, suggesting a coordinated campaign targeting medical institutions.
Just weeks earlier, KillSec leaked data from Doctocliq, a leading Peruvian healthcare software provider supporting over 3,500 physicians across 20+ countries. Beyond the healthcare sector, the group has previously breached entities like the Royal Saudi Air Force, Nathan and Nathan (a UAE-based HR firm), and Ava Senior Connect (USA), a communications platform for senior care facilities.
Healthcare organizations remain prime targets for ransomware groups due to the high value of health records, which often contain a combination of personal identifiers, medical histories, insurance details, and billing data. These records are difficult to reset, unlike passwords, and can be weaponized for identity theft, fraud, and blackmail. KillSec seems to have zeroed in on this “sweet spot,” where the pressure to pay a ransom is amplified by both regulatory risk and public trust considerations.
The breach also places renewed focus on compliance with Brazil’s Lei Geral de Proteção de Dados (LGPD), the country’s data protection law that classifies health information as sensitive personal data and enforces strict standards around its use and security.
Brazil’s national data watchdog, the Autoridade Nacional de Proteção de Dados (ANPD), has stepped up enforcement over the past year. Following a 2024 sector-wide audit, the ANPD fined 15 healthcare institutions a total of BRL 12 million (~$2.4M USD) for failures in encryption and incident response preparedness. The agency also mandated penetration testing and staff training as part of corrective measures.
- New Buterat Backdoor Malware Found in Enterprise and Government Networks
A stealthy new backdoor malware dubbed “Buterat” has been uncovered by the Lat61 Threat Intelligence Team at cybersecurity firm Point Wild. The threat, formally identified as Backdoor.Win32.Buterat, is spreading via phishing campaigns and trojanized software downloads, granting attackers persistent, long-term access to infected systems.
According to researchers, Buterat is engineered to infiltrate government agencies and enterprise networks, where it burrows deep into the operating system to evade detection and maintain control. The malware manipulates registry keys and blends into legitimate system processes, allowing it to survive system reboots and operate covertly.
Buterat uses thread and process manipulation techniques, including the Windows SetThreadContext and ResumeThread APIs, to hijack threads belonging to legitimate processes: a thread is suspended, its saved register state (including the instruction pointer) is rewritten to point at attacker-controlled code, and the thread is resumed so that code runs under the host process’s name. Because no new process is created, the activity is easy to miss for antivirus and endpoint tools that key on process creation rather than on thread-context changes.
Once embedded, it initiates communication with a command-and-control (C2) server, identified as ginomp3.mooo.com, using encrypted and obfuscated traffic. This makes detection through conventional network monitoring tools significantly more difficult.
During dynamic analysis, researchers observed the malware dropping a set of malicious payloads named amhost.exe and bmhost.exe within the Windows user directory. Each component is designed to extend the backdoor’s functionality, from persistence mechanisms to expanded data exfiltration capabilities.
The attack pattern points to highly targeted operations with espionage-like intent, focusing on sensitive environments where prolonged access can yield valuable data and pave the way for future intrusions.
To defend against Buterat and similar threats, experts advise a multi-layered security approach:
- Endpoint detection & response (EDR) solutions with behavioral analysis capabilities
- Network monitoring tools configured to flag suspicious traffic and domain activity
- Regularly updated anti-malware signatures and threat intelligence feeds
- Blocking known malicious domains, such as ginomp3.mooo.com
Given that phishing remains a key infection vector, employee cybersecurity awareness training is critical. Staff should be trained to identify suspicious emails and avoid downloading software from unverified sources.
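The indicators the report gives (the C2 domain, the two dropped executables, registry-based persistence) are enough for a first hunt over endpoint telemetry. The block below is an added example, not Point Wild’s code: it runs a small rule set over Sysmon-style JSON event lines. The domain and file names come from the article; the Sysmon field layout, the Run-key persistence location and the sample events are assumptions constructed for illustration.

```python
"""Hunt over Sysmon-style JSON event lines for the Buterat indicators the
report names. Added example; the sample events, field layout and Run-key
persistence location are assumptions, the domain and file names are from the article."""
import json
import re
from pathlib import PureWindowsPath

C2_DOMAINS = {"ginomp3.mooo.com"}              # from the report
DROPPED_NAMES = {"amhost.exe", "bmhost.exe"}    # from the report
USER_DIR_RE = re.compile(r"^[a-z]:\\users\\", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)  # assumed persistence key

def _basename(path):
    return PureWindowsPath(path).name.lower()

def match_event(ev):
    """Return (rule, detail) when a Sysmon event matches an indicator, else None."""
    eid = ev.get("EventID")
    if eid == 22:                               # DNS query
        q = ev.get("QueryName", "").lower()
        if q in C2_DOMAINS:
            return "c2_dns", q
    elif eid in (1, 11):                        # process create / file create
        path = ev.get("Image" if eid == 1 else "TargetFilename", "")
        if _basename(path) in DROPPED_NAMES:
            return "dropped_payload", path
    elif eid == 13:                             # registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "").strip('"')
        if RUN_KEY_RE.search(target) and USER_DIR_RE.match(details):
            return "run_key_to_user_dir", f"{target} -> {details}"
    return None

def hunt(lines):
    """Return (computer, event_id, rule, detail) for each matching JSON line."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        m = match_event(ev)
        if m:
            hits.append((ev.get("Computer"), ev.get("EventID"), *m))
    return hits

# Constructed events: one benign process, the two drops, a Run-key write, the C2 lookup,
# a benign DNS query and a benign Run-key value pointing into System32.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Computer": "WS-014", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"EventID": 1, "Computer": "WS-014", "Image": "C:\\Users\\alice\\AppData\\Roaming\\amhost.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe"}
{"EventID": 11, "Computer": "WS-014", "Image": "C:\\Users\\alice\\AppData\\Roaming\\amhost.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\bmhost.exe"}
{"EventID": 13, "Computer": "WS-014", "TargetObject": "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\amhost", "Details": "C:\\Users\\alice\\AppData\\Roaming\\amhost.exe"}
{"EventID": 22, "Computer": "WS-014", "Image": "C:\\Users\\alice\\AppData\\Roaming\\amhost.exe", "QueryName": "ginomp3.mooo.com"}
{"EventID": 22, "Computer": "WS-014", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.example.com"}
{"EventID": 13, "Computer": "WS-015", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth", "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"}
'''

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Two design notes. The Run-key rule fires only when the value points into a user profile directory, which is where the report says the payloads land, so the stock Windows entry on WS-015 stays quiet. And file-name indicators like amhost.exe are the weakest of the three; the DNS match and the persistence-to-user-profile pattern survive a renamed binary, the name match does not.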
- Cybercrooks Ripped the Wheels off at Jaguar Land Rover
Jaguar Land Rover (JLR) has become the latest major UK brand to experience a large-scale cyber incident. The company’s IT infrastructure has been disrupted for over a week following what it described as a “severe disruption,” halting operations at multiple sites worldwide.
The attack, which struck on August 31st, forced production to stop at JLR’s Solihull facility and left UK dealerships unable to register vehicles or supply parts. According to reports, several factories will remain offline until at least midweek, impacting operations across the global supply chain.
A hacking collective calling itself Scattered Lapsus$ Hunters has claimed responsibility. The group, which has also linked itself to the recent Marks & Spencer breach, has been sharing screenshots on Telegram, claiming access to JLR’s internal systems.
Unlike many victims that hesitate in the early stages of an attack, JLR took swift action to shut down its systems across different regions. While the move was disruptive, it likely contained the damage and prevented attackers from moving laterally through its networks. Quick isolation is often the difference between a controlled incident and a full-blown crisis.
This isn’t the first time manufacturing has been hit hard. In 2023, US-based Clorox saw production halted after a cyberattack traced back to a third-party IT provider. Similarly, Microsoft’s recent battle with the Russian-linked Midnight Blizzard hackers demonstrated how one neglected legacy system can open the door to sensitive data, executive inboxes, and even source code.
The lesson is clear: no business is immune, and preparedness is everything.
JLR’s quick isolation of systems likely prevented greater damage. Too often, companies delay action for fear of disrupting operations, but hesitation can make recovery exponentially harder. Clear authority and predefined procedures for shutting down access during an active attack are essential.
Many businesses build their entire IT stack around Microsoft. While the integration is convenient, it creates a “monoculture” risk. A single exploited account or vulnerability can spread rapidly across the ecosystem. Vendor lock-in also limits flexibility, making diversification costly, something regulators like the UK’s CMA are increasingly scrutinizing.
Identity platforms, especially Active Directory, remain prime targets. The Marks & Spencer breach reportedly involved stolen Active Directory data, essentially handing attackers a master key. Microsoft’s own breach began with a basic password spray against an old, unprotected test account. Eliminating weak authentication and adopting phishing-resistant MFA (such as FIDO2 keys) should be non-negotiable.
Attackers are increasingly exploiting trust relationships between connected applications. OAuth tokens, which can grant long-term access, need to be tightly controlled, rotated regularly, and continuously monitored. Businesses should always know which apps have access to their data, and why.
The Zero Trust model assumes no user or device is inherently trustworthy. Access is only granted after verifying identity, device security, and context. For organizations with sprawling legacy systems, this shift won’t be quick, but it is crucial in reducing attack surfaces.
JLR’s rapid containment decision was disruptive but necessary, and may have prevented far more serious consequences. Their response offers a valuable lesson: in cybersecurity, speed matters.
But isolation alone won’t protect businesses from future threats. As the Midnight Blizzard case highlighted, even a single overlooked system can give adversaries a foothold. To stay ahead, companies must harden their identity infrastructure, secure integrations, and reduce dependence on single vendors.
In today’s landscape, the question is not if attackers will strike, but when. Preparation, diversification, and decisiveness remain the strongest defenses.
References:
https://thehackernews.com/2025/08/whatsapp-issues-emergency-update-for.html
https://hackread.com/buterat-backdoor-malware-enterprise-govt-networks/
https://www.theregister.com/2025/09/10/jaguar_key_lessons/