This week in cybersecurity, significant developments included targeted attacks on the Web3 sector by the Lazarus Group, the disclosure of critical vulnerabilities in Intel and AMD’s trusted execution environments, and the emergence of a new tool on the dark web for searching leaked data.
Security researchers have detailed ongoing campaigns by the North Korea-affiliated Lazarus Group, which is actively targeting engineers, developers, and system administrators within the cryptocurrency and Web3 industries. The threat actor was observed using social engineering tactics, primarily through platforms like LinkedIn, to approach potential victims with fake job offers. These offers were used as a lure to deliver malicious files, ultimately aiming to compromise organizational networks and steal digital assets.
Intel and AMD Security Environments Compromised
Researchers have demonstrated new side-channel attacks capable of breaching the security guarantees of Trusted Execution Environments (TEEs). One such attack, named AEPIC Leak, was shown to leak sensitive data from Intel’s Software Guard Extensions (SGX) enclaves. The vulnerability resides in the Advanced Programmable Interrupt Controller (APIC) and allows an attacker with privileged access to read data from enclave-protected memory regions. A separate vulnerability affecting AMD’s Secure Encrypted Virtualization (SEV) and Firmware Trusted Platform Module (fTPM) was also disclosed. This flaw enables attackers to recover cryptographic keys from protected virtual machines, undermining the data-in-use protection the TEE is meant to provide.
Dark Web Tool for Leaked Credentials
A new service has appeared on dark web forums that provides cybercriminals with a searchable database of leaked credentials and personally identifiable information (PII). The tool aggregates data from numerous past security breaches, allowing threat actors to query for specific email addresses, usernames, or domains. By consolidating vast amounts of breached data into a single, accessible interface, the service makes it easier for attackers to acquire credentials for account takeover, credential stuffing, and phishing campaigns. Security analysts confirmed the tool’s existence and its function as a repository for compromised information.
Source: https://thehackernews.com/2025/11/weekly-recap-lazarus-hits-web3-intelamd.html