#NSBCS.100 - 100 Signals Strong: NSB’s Chronicles of Cyber
Action and consistency win every day of the week
This week marks our 100th Signal in a row. That is 100 weeks of showing up, sharing insights and staying connected, bringing insights every week to a community that, until 100 weeks ago, never existed. It’s a community that we have all created together, and that is something pretty special!
Now 100 Signals is a great milestone, but we’re not pausing to look back. Just like our clients, we measure success through action and consistency of effort. It is the very ethos by which we operate, and the foundation of our no steps backward mantra.
Our weekly NSB Cyber Signal has always been about more than just a Friday newsletter. To us it’s a rhythm, the heartbeat of a business that moves fast, stays sharp, and values consistency as much as creativity. Every edition represents a week of momentum: learning, delivering, adapting, and advancing our mission of building cyber resilience across Australia and beyond.
Momentum at NSB Cyber, much the same as for our clients, isn’t about speed for the sake of it. It’s about intent. It’s about clarity, discipline, and the trust we build through doing what we say we’ll do every single time. It’s powered by our people, who bring the same focus to our weekly Signals that they bring to every single client assignment: detail, quality, and a shared drive to make a difference when it matters most.
Or as we like to say around here - one team, one mission.
The next 100 Signals will demand even more from us. The cyber landscape is shifting fast, and so are we. Sharper insight. Deeper collaboration. Sharing smarter ways to build Resilience and to Defend against, Respond to and Recover from cyber threats with confidence. We’ll keep raising the bar, because that’s what our clients, our community, and our culture expect of us.
So thank you to everyone who has subscribed to be part of our mission to date.
Signal 100 isn’t our destination, it’s the drumbeat. And as long as we keep that rhythm, our momentum will keep driving us forward.
No Steps Backward!
What we read this week
Google Sues Chinese Hackers Behind Lighthouse Phishing-as-a-Service - Google has launched a civil lawsuit in the U.S. District Court for the Southern District of New York against China-based hackers operating Lighthouse, a large-scale Phishing-as-a-Service (PhaaS) platform that has targeted over one million users in 120 countries. The platform, linked to the Smishing Triad syndicate, facilitated mass SMS phishing campaigns impersonating brands such as E-ZPass and USPS to steal financial data. Researchers estimate Lighthouse and associated kits generated over USD 1 billion through subscription-based phishing tools. Google’s lawsuit, filed under the RICO and Lanham Acts, aims to dismantle Lighthouse’s infrastructure, marking a major escalation in efforts to curb China-linked smishing operations.
Rhadamanthys Infostealer Disrupted, Likely by Law Enforcement - The Rhadamanthys infostealer-as-a-service operation appears to have been disrupted, with multiple criminal “customers” reporting they can no longer access their web panels. Rhadamanthys, sold on a subscription model and commonly delivered via fake cracks, YouTube lures, and malvertising, is used to steal credentials and authentication cookies from browsers and applications. Operators on hacking forums say SSH access to their panels was silently switched to certificate-only logins, with German IPs observed accessing EU-hosted servers before access was lost. Researchers suspect a coordinated law-enforcement action, potentially linked to Operation Endgame, which has already targeted multiple malware-as-a-service ecosystems.
Global Travel-Themed Phishing Campaign Uses 4,300 Domains to Steal Card Data - Researchers have uncovered a large, Russian-speaking phishing operation targeting travellers worldwide using more than 4,300 fake domains since February 2025. The campaign sends fake booking-confirmation emails impersonating major travel brands such as Airbnb, Booking.com, Expedia, and Agoda, pressuring recipients to “confirm” reservations within 24 hours. Links route victims through an old benign domain and Blogspot before landing on convincing spoofed hotel pages with fake Cloudflare CAPTCHAs. The kit, which supports 43 languages, captures full payment card details and even polls keystrokes in near real time, while SMS fraud alerts are framed as routine verification.
Wiz Finds Widespread Secret Leaks at Leading AI Firms - Cloud security firm Wiz analysed GitHub footprints for companies on the Forbes AI 50 and found that 65% had leaked verified secrets, despite many already using standard secret-scanning tools. By scanning full commit histories, forks (including deleted ones), workflow logs, gists, and personal repos of organisation members, Wiz identified exposed API keys, tokens, and credentials for services such as Google APIs, Hugging Face, ElevenLabs, Weights & Biases, and Infura. Some leaks could have exposed private models, training data, or internal structures across firms collectively valued at over $400 billion. Wiz reported that many vendors lacked clear disclosure channels or failed to respond to notifications, while a minority demonstrated strong secrets management with no exposed credentials despite extensive public repositories.
Triofox Zero-Auth Vulnerability Exploited for Full System Compromise - Mandiant has identified active exploitation of CVE-2025-12480, an unauthenticated access flaw in Gladinet’s Triofox file-sharing platform, enabling attackers to bypass authentication and access configuration pages. Threat cluster UNC6485 abused this vulnerability as early as August 2025, using a modified Host header to emulate localhost and trigger the initial setup workflow, creating a rogue admin account. The actor then leveraged Triofox’s built-in anti-virus feature to execute arbitrary payloads with SYSTEM privileges, ultimately deploying Zoho UEMS, AnyDesk, and SSH tunnelling tools for persistence, reconnaissance, and remote access. Gladinet has patched the flaw in version 16.7.10368.56560.
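The Triofox item above turns on requests whose Host header claims to be localhost while arriving from a remote client. As an added example (not code from Mandiant, Gladinet or this newsletter), the Python below flags such requests in IIS W3C logs; the sample log, its paths and its addresses are constructed, and it assumes the cs-host and c-ip fields are being logged.

```python
import ipaddress

# Constructed sample in IIS W3C extended format; paths and addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem c-ip cs-host sc-status
2025-01-01 10:01:02 10.0.0.5 GET /portal/login.aspx 198.51.100.7 files.example.com 200
2025-01-01 10:01:09 10.0.0.5 GET /example/setup.aspx 203.0.113.44 localhost 200
2025-01-01 10:01:15 10.0.0.5 GET /health 127.0.0.1 localhost 200
2025-01-01 10:02:30 10.0.0.5 POST /example/setup.aspx 203.0.113.44 127.0.0.1:443 302
2025-01-01 10:03:00 10.0.0.5 GET /portal/login.aspx 203.0.113.44 [::1] 404
"""

def host_is_loopback(host):
    """True if a Host header value names the local machine (port ignored)."""
    host = host.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def find_spoofed_localhost(log_text):
    """Return entries whose Host header is loopback but whose client is not."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            client_local = ipaddress.ip_address(row.get("c-ip", "")).is_loopback
        except ValueError:
            client_local = False
        if host_is_loopback(row.get("cs-host", "")) and not client_local:
            hits.append(row)
    return hits
```

Behind a reverse proxy, c-ip is the proxy's address, so the comparison should use the forwarded client address instead.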
References
https://thehackernews.com/2025/11/google-sues-china-based-hackers-behind.html
https://www.bleepingcomputer.com/news/security/rhadamanthys-infostealer-disrupted-as-cybercriminals-lose-server-access/
https://cybersecuritynews.com/massive-phishing-attack-impersonate-as-travel-brands/
https://www.securityweek.com/many-forbes-ai-50-companies-leak-secrets-on-github/
https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations

