
Weekly Axis Of Easy #397
Last Week’s Quote was: “Some things have to be believed to be seen,” was by Ralph Hodgson. No one got it.
This Week’s Quote: “We do not see people as they are, but as they appear to us. And these appearances are usually misleading.” By ???
THE RULES: No searching up the answer, must be posted at the bottom of the blog post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
This is your easyDNS #AxisOfEasy Briefing for the week of April 21st, 2025, in which our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.
To listen to or watch this podcast edition, with commentary and insight from Joey and Len the Legend, click here.
In this issue:
- Marks & Spencer Hit by Easter Cyberattack Disrupting In-Store Services
- Spyware-Laced Alpine Quest App Targets Russian Military via Fake Telegram Channel
- Russia-Linked Hackers Exploit Microsoft OAuth to Target Ukraine-Aligned Accounts
- Cryptojackers Exploit Docker and Web3 Platform in Stealthy Token Mining Campaign
Elsewhere Online:
Marks & Spencer Hit by Easter Cyberattack Disrupting In-Store Services
Over the Easter holiday, iconic British retailer Marks & Spencer (M&S) experienced a cybersecurity incident that disrupted in-store operations while its online services remained unaffected. In a filing with the London Stock Exchange, the company said it had made “minor, temporary changes” to safeguard customers and business continuity. M&S has not disclosed the nature of the attack, but the breadth of the disruption (click-and-collect, gift card transactions and contactless payments all affected) is consistent with ransomware, though that remains unconfirmed. A company representative on X acknowledged lingering technical issues with in-store click-and-collect and advised customers not to travel to a store without a confirmation email. Another post cited technical difficulties affecting gift card payments, and contactless payment was also reportedly down.
M&S stated it had engaged cybersecurity experts and notified the relevant authorities, though it remains unclear whether customer data was compromised. The company emphasized ongoing efforts to secure its network and maintain service standards. Systems have largely returned to normal, but select functions remain impaired. Because the incident fell over a major UK holiday, the delays amplified customer frustration. The retailer’s communications reflect a strategy of public transparency paired with operational discretion: acknowledging impact while withholding technical specifics. The stock exchange filing served both regulatory compliance and reputational signaling, aiming to assure stakeholders that containment measures were in place.
Read: https://www.securityweek.com/cyberattack-hits-british-retailer-marks-spencer/
Spyware-Laced Alpine Quest App Targets Russian Military via Fake Telegram Channel
A fake version of Alpine Quest, a legitimate Android navigation app popular with outdoor enthusiasts and with Russian military personnel for its offline maps, was repackaged with spyware and distributed via a counterfeit Telegram channel. The doctored app, passing itself off as a free “pro” version, was also hosted on an unofficial app store aimed at Russian users. Security firm Doctor Web found that the modified build carried the spyware strain Android.Spy.1292.origin, which collected the device’s phone numbers, account data, contacts, file lists and geolocation each time the app was launched and sent them to a remote server and to a Telegram bot controlled by the attackers.
The spyware has a modular architecture: the operators can remotely push additional components tailored to extract specific content, in particular documents shared over Telegram and WhatsApp. It also looks for locLog, a file Alpine Quest generates that records the user’s detailed movements. Because the trojanised build still works as a normal map app, victims had no reason to suspect it, which delayed detection. The campaign’s origin is unknown and attribution is unconfirmed, though similar past operations, such as the 2023 targeting of Russian military spouses, have been linked to the Ukrainian hacktivist group Cyber Resistance, part of the Ukrainian Cyber Alliance. Doctor Web warns users against installing apps from unofficial sources, noting that even official stores such as Google Play and Apple’s App Store have let malicious apps slip past review.
Read: https://hackread.com/fake-alpine-quest-mapping-app-spying-russian-military/
Russia-Linked Hackers Exploit Microsoft OAuth to Target Ukraine-Aligned Accounts
Since March 2025, Russia-linked threat actors, primarily the groups Volexity tracks as UTA0352 and UTA0355 (possibly connected to APT29, UTA0304 and UTA0307), have aggressively targeted individuals and organizations affiliated with Ukraine and with human rights work. Their goal is unauthorized access to Microsoft 365 accounts via highly personalized social engineering. Rather than standing up malicious infrastructure, the actors abuse Microsoft’s own OAuth 2.0 authentication flow, working exclusively through legitimate Microsoft domains and first-party applications, which lets them slip past detection tuned to phishing domains and lookalike login pages.
Attackers contact victims over Signal or WhatsApp, impersonating European political figures and sometimes writing from compromised Ukrainian government email accounts. Victims are invited to fake meetings about justice efforts or geopolitical events. Once engaged, the victim receives a link that lands on the genuine Microsoft login portal and then redirects to insiders.vscode[.]dev or vscode-redirect.azurewebsites[.]net. Either way, the aim is to put the Microsoft-issued OAuth authorization code in front of the victim, displayed in the browser or embedded in the redirect URL. The victim is then coaxed into sending that code back to the attacker, who redeems it to mint access tokens or to register a device in the victim’s Microsoft Entra ID (formerly Azure AD) tenant.
UTA0355 goes a step further, orchestrating 2FA prompts disguised as SharePoint access requests so the victim approves the attacker’s newly registered device. Attacker traffic is routed through proxies geolocated near the victim to avoid suspicion. Organizations are advised to monitor device registrations, train users on the risk of unsolicited messages, and enforce conditional access policies. Detection remains hard when every interaction takes place within Microsoft’s trusted infrastructure.
Read: https://thehackernews.com/2025/04/russian-hackers-exploit-microsoft-oauth.html
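To make concrete why a pasted authorization code is enough, here is an added example that models the flow against a toy identity provider. It is not Volexity’s analysis and not Microsoft’s implementation. The client ID, redirect URI, host names and the audit trail are constructed placeholders, and the server’s deny list is a deliberately simple stand-in for a conditional access policy that blocks the abused client. The point it shows: the attacker starts the flow and therefore holds the PKCE verifier, so PKCE does nothing once the victim hands over the code; the code is single use, so the attacker redeems it exactly once; and if policy refuses the client at sign-in, no code is ever issued.

```python
"""Toy OAuth 2.0 authorization-code phishing model (added example, constructed names)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256 challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ToyAuthServer:
    """Minimal stand-in for an identity provider; the policy model is constructed."""

    def __init__(self, blocked_clients=frozenset()):
        self.blocked_clients = set(blocked_clients)  # conditional-access style deny list
        self.pending = {}                             # code -> grant awaiting redemption
        self.audit = []                               # (event, client_id, user)

    def authorize(self, user: str, authorize_url: str) -> str:
        """The user authenticates; on success the server redirects with a one-time code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        self.audit.append(("authorize", q["client_id"], user))
        if q["client_id"] in self.blocked_clients:
            raise PermissionError(f"policy blocks {q['client_id']} for {user}")
        code = secrets.token_urlsafe(24)
        self.pending[code] = {"user": user, "client_id": q["client_id"],
                              "challenge": q["code_challenge"]}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Redeem a code. PKCE proves the redeemer started the flow, not that they are the user."""
        grant = self.pending.pop(code, None)          # single use: a replay fails
        if grant is None or grant["client_id"] != client_id:
            raise PermissionError("unknown or already-used code")
        if pkce_challenge(code_verifier) != grant["challenge"]:
            raise PermissionError("PKCE verifier mismatch")
        self.audit.append(("token", client_id, grant["user"]))
        return {"access_token": secrets.token_hex(8), "sub": grant["user"]}


CLIENT_ID = "public-first-party-client"      # constructed: a trusted public (secret-less) client
REDIRECT_URI = "https://redirect.example/"   # constructed: a page that shows the code to the user


def run_phish(server: ToyAuthServer, victim: str) -> dict:
    """Attacker builds the lure, victim signs in and pastes the code back, attacker redeems it."""
    verifier = secrets.token_urlsafe(32)              # the attacker holds the PKCE secret
    lure = "https://idp.example/authorize?" + urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
        "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
        "state": secrets.token_urlsafe(8)})
    redirect = server.authorize(victim, lure)         # victim authenticates on the real IdP...
    code = parse_qs(urlparse(redirect).query)["code"][0]  # ...and sees this code in the URL
    tok = server.token(CLIENT_ID, code, verifier)     # attacker redeems it with their verifier
    return {"sub": tok["sub"], "code": code, "verifier": verifier}


def replay_succeeds(server: ToyAuthServer, code: str, verifier: str) -> bool:
    """Try to redeem the same code a second time; True only if the server accepts it."""
    try:
        server.token(CLIENT_ID, code, verifier)
        return True
    except PermissionError:
        return False


def run_phish_with_policy(victim: str):
    """Same lure against a tenant whose policy blocks the abused client: no code is issued."""
    server = ToyAuthServer(blocked_clients={CLIENT_ID})
    try:
        run_phish(server, victim)
    except PermissionError as e:
        return str(e)
    return None


if __name__ == "__main__":
    s = ToyAuthServer()
    r = run_phish(s, "victim@example.org")
    print("attacker holds a token for:", r["sub"], "| replay accepted:",
          replay_succeeds(s, r["code"], r["verifier"]))
    print("with policy:", run_phish_with_policy("victim@example.org"))
```

The audit trail is the detection angle the article points at: in the successful case the toy server records an interactive sign-in followed by a token redemption for the same user, which is exactly what a real tenant would see as a legitimate first-party app sign-in, so the useful signals are the client being used at all and any device registration that follows, not a suspicious domain.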
Cryptojackers Exploit Docker and Web3 Platform in Stealthy Token Mining Campaign
A novel cryptojacking campaign uncovered by Darktrace and Cado Security Labs targets Docker environments with a mining method that piggybacks on legitimate Web3 infrastructure. Instead of dropping a noisy miner such as XMRig, which trips CPU-usage alarms, the attackers connect to teneo.pro, a decentralized platform that pays out private crypto tokens to operators who run nodes scraping distributed social media data. The malware, delivered as a container image pulled from Docker Hub, runs a script named ten.py that opens a WebSocket to teneo.pro, fakes node activity by sending periodic ‘keep alive’ pings, and accrues tokens without performing any real scraping.
This approach isn’t new for the attacker. The same Docker Hub profile also hosts a container that runs the Nexus Network client, part of a distributed zero-knowledge compute project that rewards computational work with crypto. How much the teneo.pro activity actually earns is unknown, because the platform’s private tokens are opaque.
The payload itself is heavily obfuscated, launching through a series of decoding layers and string manipulations designed to defeat signature-based detection and slow down reverse engineering. The researchers stress that deobfuscation skills are essential for analysts in this landscape.
Read: https://www.infosecurity-magazine.com/news/cryptojacking-malware-docker-novel/
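The stacked decoding layers mentioned above are the kind of thing a static peeler handles well. The following is an added example, not the campaign’s script and not ten.py: it builds a constructed three-layer stager (exec() around base64, zlib and a reversed-bytes twist) and unwraps it without ever executing the payload, by evaluating only constants and a whitelist of decoders and refusing anything else. The final layer is then grepped for endpoint indicators. The sample text, its WebSocket URL and all names are constructed for the example.

```python
"""Static peeler for stacked exec()/base64/zlib layers (added example, constructed sample)."""
import ast
import base64
import bz2
import lzma
import re
import zlib

# Decoders the peeler is allowed to run. Everything else raises instead of executing.
SAFE_CALLS = {
    ("base64", "b64decode"): base64.b64decode,
    ("base64", "b32decode"): base64.b32decode,
    ("base64", "b16decode"): base64.b16decode,
    ("zlib", "decompress"): zlib.decompress,
    ("bz2", "decompress"): bz2.decompress,
    ("lzma", "decompress"): lzma.decompress,
}


def _eval(node):
    """Evaluate a payload expression using only literals, slices and whitelisted decoders."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval(node.operand)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _eval(node.left) + _eval(node.right)
    if isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice):  # e.g. [::-1]
        s = node.slice
        parts = [_eval(p) if p is not None else None for p in (s.lower, s.upper, s.step)]
        return _eval(node.value)[slice(*parts)]
    if isinstance(node, ast.Call):
        f = node.func
        args = [_eval(a) for a in node.args]
        if isinstance(f, ast.Name) and f.id == "compile" and args:
            return args[0]                      # exec(compile(src, ...)) -> src
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            key = (f.value.id, f.attr)
            if key in SAFE_CALLS:
                return SAFE_CALLS[key](*args)
        if isinstance(f, ast.Attribute) and f.attr in ("decode", "encode"):
            return getattr(_eval(f.value), f.attr)(*args)
    raise ValueError("refusing to evaluate: " + ast.dump(node)[:80])


def find_exec_payload(source):
    """Return the argument expression of the first top-level exec()/eval(), or None."""
    for stmt in ast.parse(source).body:
        call = stmt.value if isinstance(stmt, ast.Expr) else None
        if (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
                and call.func.id in ("exec", "eval") and call.args):
            return call.args[0]
    return None


def peel(source, max_layers=20):
    """Unwrap layers until no exec()/eval() remains; returns every layer, outermost first."""
    layers = [source]
    for _ in range(max_layers):
        node = find_exec_payload(layers[-1])
        if node is None:
            return layers
        payload = _eval(node)
        if isinstance(payload, bytes):
            payload = payload.decode("utf-8", "replace")
        layers.append(payload)
    raise RuntimeError("gave up after %d layers" % max_layers)


def extract_indicators(source):
    """Pull ws://, wss:// and http(s):// endpoints out of a recovered layer."""
    return sorted(set(re.findall(r"(?:wss?|https?)://[\w.\-/:]+", source)))


# Constructed sample: a stub that only answers keep-alive pings, wrapped three times.
INNER = (
    "URL = 'wss://collector.example.invalid/ws'\n"
    "def keepalive():\n"
    "    return {'type': 'PING'}\n"
)


def build_sample():
    """Build a three-layer stager in the style of stacked decode chains (constructed)."""
    l1 = "exec(zlib.decompress(base64.b64decode(%r)))" % base64.b64encode(
        zlib.compress(INNER.encode())).decode()
    l2 = "exec(base64.b64decode(%r)[::-1])" % base64.b64encode(l1.encode()[::-1]).decode()
    return "import base64, zlib\nexec(compile(base64.b64decode(%r).decode(), '<s>', 'exec'))" % (
        base64.b64encode(l2.encode()).decode())


if __name__ == "__main__":
    layers = peel(build_sample())
    print(f"{len(layers) - 1} layers peeled; indicators: {extract_indicators(layers[-1])}")
    print(layers[-1])
```

Keeping the evaluator to a whitelist is the important design choice: a real sample may wrap the final stage in an `__import__` or `marshal.loads` call, and the right behaviour for a triage tool is to stop with an error at that layer rather than quietly run it. Extend SAFE_CALLS only with functions that cannot have side effects.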
Elsewhere online:
Research Reveals GitHub Retains Deleted Files, Potentially Exposing Data
Read: http://securityweek.com/files-deleted-from-github-repos-leak-valuable-secrets/
Data-Stealing Triada Malware Found Deep Within Fake Android Phone Firmware
Read: https://latesthackingnews.com/2025/04/04/new-triada-malware-variant-comes-pre-loaded-on-sham-android-phones/
Massive $137M TRON Phishing Attack Linked to North Korean Threat Actors
Read: https://thehackernews.com/2025/04/dprk-hackers-steal-137m-from-tron-users.html
Fog Ransomware Now Uses DOGE-Themed Notes to Mock Victims
Read: https://www.darkreading.com/cyberattacks-data-breaches/fog-hackers-doge-ransom-notes
NSF Ends Support for Misinformation Projects Over Free Speech Concerns
Read: https://reclaimthenet.org/nsf-cancels-misinformation-research-grants-speech-regulation-shift
If you missed the previous issues, they can be read online here:
- April 18th, 2025: Google Got Your Health Info Without You Knowing, And Here’s What Happened
- April 11th, 2025: Leaked Shopify Memo: Use AI Or Else
- April 4th, 2025: Famed Cryptographer Vanishes Amid FBI Raids And University Scrubbing
- March 28th, 2025: Leaked Docs Tie USAID, GEC, NewsGuard, And Poynter To AI-Driven Speech Censorship Network
- March 21st, 2025: AI Jailbreak Exposes Critical Flaws: Researchers Use Chatbots To Generate Malware With No Coding Experience
I believe this quote is attributable to Robert Greene.
hi
Wasn’t that Anais Nin?