Cloaking service fools security scanners

PLUS: Scattered Spider’s new playbook and China’s espionage campaign on Taiwan’s chip industry

Good morning, Cyber Security enthusiast.

A new breed of AI-powered 'cloaking' services is emerging, designed to trick automated security scanners. These platforms cleverly present a clean webpage to bots while delivering malicious content directly to human visitors.

This development marks a major shift in the ongoing battle against phishing and malware delivery. As these cloaking services become more common, will traditional link-scanning defenses become obsolete?

In today’s Cyber Security recap:

  • AI 'cloaking' services outsmart security scanners

  • Scattered Spider's on-prem-to-cloud attacks

  • China's espionage campaign on Taiwan's chip firms

  • The data security risks of using Chinese GenAI tools

AI Cloaking-as-a-Service

The Recap: Cybercriminals are deploying AI-powered "cloaking-as-a-service" platforms to outsmart security tools. These services show benign content to scanners while serving malicious pages to actual users, according to new research.

Unpacked:

  • Services like Hoax Tech use AI and advanced fingerprinting to analyze hundreds of data points in real-time, redirecting suspicious traffic.

  • Commercial platforms like JS Click Cloaker are now readily available, evaluating over 900 signals per click to determine if a visitor is a real person or a bot.

  • To counter this, experts recommend adopting multi-layered defenses, including behavioral analysis tools and zero-trust frameworks.

Bottom line: This marks a significant evolution in the cat-and-mouse game of cybersecurity, making traditional link scanning less reliable. Security teams must now shift focus towards adaptive, behavior-aware technologies to effectively detect these dynamic threats.
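One defender-side check that follows from the recap above: since a cloaker serves one page to scanner-like clients and another to browser-like ones, fetching the same URL under several client personas and diffing the responses turns the cloaking itself into a signal. This is an added example, not code from MTTReport or from any service named above; the persona headers, the `fake_cloaked_site` stand-in and the `.example` domains are constructed.

```python
"""Multi-persona fetch comparison for spotting cloaked pages (added example)."""
import hashlib
import re
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]   # status, response headers, body
Fetcher = Callable[[str, Dict[str, str]], Response]

# Constructed personas: headers a typical link scanner sends vs. what browsers send.
PERSONAS: Dict[str, Dict[str, str]] = {
    "scanner": {"User-Agent": "linkscan-bot/1.0", "Accept-Language": "*"},
    "desktop": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
                "Accept-Language": "en-US,en;q=0.9", "Referer": "https://mail.example/"},
    "mobile": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1",
               "Accept-Language": "en-US", "Referer": "https://mail.example/"},
}

def fingerprint(body: str) -> Dict[str, object]:
    """Reduce a body to the features a cloaked page changes: visible-text hash,
    external script hosts, and forms that post to another origin."""
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", body)).strip().lower()
    scripts = sorted(set(re.findall(r'<script[^>]+src="https?://([^/"]+)', body)))
    forms = sorted(set(re.findall(r'<form[^>]+action="(https?://[^"]+)', body)))
    return {"text": hashlib.sha256(text.encode()).hexdigest()[:16],
            "script_hosts": scripts, "form_actions": forms}

def detect_cloaking(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch url under every persona and report which ones diverge from the
    scanner view; any divergence is a cloaking indicator worth a human look."""
    views: Dict[str, Dict[str, object]] = {}
    for name, headers in PERSONAS.items():
        status, resp_headers, body = fetch(url, headers)
        fp = fingerprint(body)
        fp["status"] = status
        fp["location"] = resp_headers.get("Location", "")   # redirect target, if any
        views[name] = fp
    baseline = views["scanner"]
    divergent = [n for n, fp in views.items() if n != "scanner" and fp != baseline]
    return {"cloaked": bool(divergent), "divergent_personas": divergent, "views": views}

# Constructed stand-in for a cloaked site (no network): a harmless page for a
# bot-looking User-Agent, a page with an off-origin form for browser-looking ones.
def fake_cloaked_site(url: str, headers: Dict[str, str]) -> Response:
    if "bot" in headers.get("User-Agent", "").lower():
        return 200, {}, "<html><body><h1>Welcome to our bakery</h1></body></html>"
    return 200, {}, ('<html><body><form action="https://collector.example/login">'
                     '<input name="password"></form></body></html>')

def fake_honest_site(url: str, headers: Dict[str, str]) -> Response:
    return 200, {}, "<html><body><h1>Welcome to our bakery</h1></body></html>"
```

Header personas are only the first layer: the services in the recap also fingerprint IP reputation, JavaScript execution and timing, so a production check should additionally render the page in an instrumented browser from non-datacenter egress and compare those views too.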

Scattered Spider's New Playbook

The Recap: The notorious Scattered Spider hacking group has flipped its script, now attacking on-premises systems first to pivot into cloud environments. In a new report, Microsoft details how the group also deploys new ransomware, marking a significant evolution in its strategy.

Unpacked:

  • The group now deploys DragonForce ransomware with a specific focus on VMware ESX hypervisor environments, aiming to disrupt core virtual infrastructure.

  • Aggressive social engineering remains a core tactic, with attackers manipulating service desk staff and using SMS phishing to gain initial access.

  • In response, Microsoft Defender’s attack disruption feature can automatically disable compromised accounts and revoke all active user sessions to contain intrusions.

Bottom line: This on-prem-to-cloud pivot shows that attackers are adapting to exploit hybrid environments where security boundaries are often blurred. Proactive defense, including strict identity controls and continuous security monitoring, is more critical than ever to counter these blended threats.

Taiwan's Chip War

The Recap: Chinese state-sponsored groups have launched a widespread, coordinated espionage campaign targeting Taiwan's entire semiconductor industry. The operation aims to steal critical intellectual property amid escalating tech tensions with the U.S.

Unpacked:

  • The attackers are targeting the entire value chain, from chip designers and testing firms to supply chain partners and even financial analysts who cover the industry.

  • Attack methods include creative social engineering, such as posing as job-seeking students, and deploying tools like Cobalt Strike alongside custom backdoors.

  • This campaign is directly fueled by geopolitical tech rivalry, as China seeks self-sufficiency in response to U.S. semiconductor export controls.

Bottom line: These attacks show cyber operations are now a core part of national economic strategy, used to bypass R&D and disrupt competitors. For companies, this means shifting from compliance-based security to a proactive, intelligence-led defense posture.

The Chinese AI Data Risk

The Recap: A new study reveals that one in 12 employees in the US and UK use Chinese generative AI tools, creating significant data security and compliance risks by sending sensitive corporate data to servers in China.

Unpacked:

  • The exposed data is often highly sensitive, with 33% of incidents involving software code, proprietary logic, or access credentials.

  • The free tool DeepSeek was the primary channel for these data leaks, accounting for 85% of exposures and having a history of security flaws, including an accidental database leak.

  • Security experts advise against simply blocking these tools, as users often find workarounds, and instead recommend educating employees and providing secure, company-approved alternatives.

Bottom line: Using free, powerful AI tools from China creates a serious blind spot for corporate data security and legal compliance. Organizations must now balance the drive for innovation with the critical need to protect their intellectual property from state-level access.

The Shortlist

Europol disrupted the pro-Russian hacktivist group NoName057(16), which has been linked to a broad campaign of DDoS attacks targeting organizations and infrastructure in Ukraine and allied nations.

Organizations must now prepare for drastically shorter TLS certificate lifecycles, as the CA/Browser Forum approved a plan to reduce validity to just 47 days by 2029, making monthly renewal automation essential.

Noyb filed GDPR complaints against TikTok, AliExpress, and WeChat, alleging the companies fail to provide users with complete and understandable access to their own data as required by EU law.

Cisco unveiled a new 400G bidirectional optical transceiver to boost throughput for AI and data center infrastructure, allowing upgrades to be deployed over existing single-fiber strands.

Feedback?

That’s a wrap for today!

Before you head out, let me know your thoughts! I’d love to hear any feedback on areas where it could be improved.

Thanks for reading,

David H.