June 2, 2025 8 mins

 

In this episode of Cybersecurity Today, host David Shipley discusses several key cyber incidents affecting organizations and individuals. A new Rust-based information stealer, known as EddieStealer, is being distributed via deceptive CAPTCHA verification pages. ConnectWise, a management software firm, has been breached in an attack suspected to be linked to a nation-state actor, affecting a limited number of its ScreenConnect customers. Additionally, threat actors are now abusing Google Apps Script to bypass phishing defenses, exploiting the trusted Google brand to trick users. Lastly, a significant data breach at Nova Scotia Power has exposed the social insurance numbers of up to 140,000 customers, making it one of the largest utility data breaches in North America.

00:00 Introduction to Today's Cybersecurity News
00:31 EddieStealer Malware Campaign
02:32 ConnectWise Cyber Attack
04:49 Google Apps Script Phishing Attacks
06:50 Nova Scotia Power Data Breach
08:02 Conclusion and Listener Engagement

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
New EddieStealer malware distributed via ClickFix CAPTCHA phishing.
ConnectWise breached in cyberattack linked to nation-state.
Threat actors now abusing Google Apps Script in phishing attacks, and thieves
gain access to about 140,000 social insurance numbers in

(00:22):
the Nova Scotia Power breach.
This is Cybersecurity Today, and I'm your host, David Shipley.
Let's get started.
A new malware campaign is distributing a novel Rust-based information
stealer dubbed EddieStealer using the popular ClickFix social
engineering tactic initiated via fake CAPTCHA verification pages.

(00:45):
The campaign leverages deceptive CAPTCHA verification pages that trick users
into executing a malicious PowerShell script, which ultimately deploys the
info stealer, harvesting sensitive data such as credentials, browser information,
and cryptocurrency wallet details, according to Elastic Security Labs.

(01:05):
The attack chain begins with threat actors compromising legitimate websites with
malicious JavaScript payloads that serve bogus CAPTCHA check pages, which
prompt site visitors to prove you are not a robot by following a three-step process,
a prevalent tactic called ClickFix.
ClickFix involves instructing potential victims to open the Windows Run

(01:30):
dialog prompt, paste an already copied command into the verification window,
for example, the Run dialog, and press enter.
This effectively causes the obfuscated PowerShell command
to be executed, resulting in the retrieval of the next stage of the
payload from an external server.
The JavaScript payload G VerifyGA js is subsequently saved to the

(01:55):
victim's download folder and executed using cscript in a hidden window.
The main goal of this intermediate script is to fetch the EddieStealer
binary from the same remote server and store it in the Downloads folder with
a pseudorandom 12-character file name.
Written in Rust,
EddieStealer is a commodity stealer malware that can gather system metadata,

(02:17):
receive tasks from a command and control, or C2, server, and siphon
data of interest from infected hosts.
The exfiltration targets include cryptocurrency wallets, web
browsers, password managers, FTP clients and messaging apps.
IT management software firm ConnectWise says a suspected state-sponsored
cyber attack breached its environment and impacted a limited number

(02:41):
of ScreenConnect customers.
ConnectWise said that it recently learned of suspicious activity within
its environment that it believed was tied to a sophisticated nation-state
actor, which they say affected a very small number of ScreenConnect
customers, in a brief advisory note.
We have launched an investigation with one of the leading forensic experts, Mandiant.

(03:04):
We have contacted all the affected customers and are now
coordinating with law enforcement.
End quote.
ConnectWise is a Florida-based software company that provides IT management,
remote monitoring and management (RMM),
cybersecurity and automation solutions for managed service
providers and IT departments.
One of its products is ScreenConnect, a remote access and support tool that

(03:28):
allows technicians to securely connect to client systems for troubleshooting,
patching, and system maintenance.
As first reported by CRN, the company now says it has implemented
enhanced monitoring and hardening of security access across its network.
They also state that they have not seen any further suspicious activity in
customer instances. ConnectWise did not answer questions from BleepingComputer

(03:53):
about how many customers were impacted, when the breach occurred, or whether
any malicious activity was observed in customers' ScreenConnect instances.
However, a source told BleepingComputer that a breach occurred in August 2024,
that ConnectWise discovered this activity in May 2025, and that it only impacted

(04:13):
cloud-based ScreenConnect instances.
BleepingComputer says they have not been able to independently
confirm those breach dates.
Jason Slagle, president of managed service provider CNWR, told BleepingComputer
that only a very small number of customers were impacted, suggesting the threat actor
carried out a targeted attack against specific organizations. In a Reddit thread,

(04:35):
customers shared further details, stating the incident is linked to a
high-severity ScreenConnect vulnerability tracked as CVE-2025-3935, for which
a patch was issued on April 24th.
Howard Solomon has a great story that gives a Google twist to the
abuse of the Microsoft domain that Jim reported on earlier this week.

(04:58):
Threat actors have discovered a way to abuse Google Apps Script
to sneak links into malicious websites past phishing defenses.
According to new research from Cofense, this new attack has been discovered,
and if an employee clicks on a link in a phishing email, they get taken
to a page on script.google.com.
Now, what is a Google Apps Script?

(05:19):
Apps Script is a cloud-based JavaScript platform powered by Google Drive that lets
developers integrate with and automate tasks across different Google products.
With it, Google says developers can add custom menus, dialogs, and sidebars
to Google Docs, Sheets and Forms.
Write custom functions and macros for Google Sheets, publish web apps either
standalone or embedded in Google Sites.

(05:40):
Interact with other Google services, including AdSense, Analytics,
Calendar, Drive, Gmail, Maps, and more.
The attacker is betting the user will see and trust the Google brand,
and therefore trust the content.
By using a trusted platform to host the phishing page, the threat actor creates
the false sense of security, obscuring the underlying threat with the goal of

(06:00):
getting the recipient to enter their email and password without thinking
about it, says the report from Cofense.
CISOs need to remind employees in regular security awareness training sessions
to not let their guard down and to read every email closely for scam clues.
They also need to be reminded that a caution popping up that a message
(06:22):
is using a tool from a well-known brand like Google is no guarantee
the message is safe.
And a reminder for all listeners.
Email filters are fallible.
If your team believes that no possible phishes can get by your
email filter, they can actually click 140% more on phishing scams.

(06:45):
So make sure they know their vigilance can make all the difference.
Nova Scotia Power CEO says up to 140,000 social insurance numbers could
have been stolen by cyber thieves who recently hacked into the utility's
customer records.
Peter Gregg said in an interview with the Canadian Press Thursday that the

(07:05):
privately owned utility collected the numbers from customers to authenticate
their identities. For example,
Gregg said that they needed the social insurance numbers to differentiate
people who had the same name.
If there are a number of John McDonalds in the province, the
social insurance number determines which one the utility was talking to.

(07:27):
On May 23rd, Gregg said the data of about 280,000 Nova Scotia Power customers
was breached in a ransomware attack,
more than half of the total. Asked Thursday about how many of those
records contain the confidential nine-digit social insurance numbers,
Gregg said approximately half.

(07:47):
This breach continues to be among the largest, at least in Canada,
but likely increasingly in North America, of a utility with highly
sensitive customer data exposed.
If you've enjoyed today's episode, please consider liking and sharing it.
We wanna help even more people stay on top of the crazy world of cybersecurity.

(08:09):
We are always interested in your opinion, and you can contact us at
editorial@technewsday.ca or leave a comment under the YouTube video.
I've been your host, David Shipley, sitting in for Jim Love,
who will be back on Wednesday.
Thanks for listening.

© 2025 iHeartMedia, Inc.