From robotic dogs to phishing kits, the cybersecurity landscape this autumn has been anything but quiet. A backdoor discovered in a Chinese-made robot at the University of Otago raised serious concerns about IoT surveillance risks, while advanced phishing toolkits like Tycoon 2FA are now bypassing MFA using stealthy obfuscation and malicious SVG files. Meanwhile, insider threats made headlines as a cybersecurity CEO was arrested for planting malware in a hospital, and Te Whatu Ora confirmed a sensitive staff data breach affecting multiple New Zealand health districts.
Techniques
University of Otago – Robotic Dog Exposes IoT Risks
A cybersecurity scare at the University of Otago demonstrated the risks of IoT devices — in this case, a robotic dog. Researchers discovered that the Chinese-manufactured Unitree Go1 robot dog used by the university contained an undocumented remote access backdoor. The robot’s control computer was preloaded with a tunnel client (called CloudSail) that automatically connects to a manufacturer’s server whenever the device is online. With the proper API keys, an external party could leverage this tunnel to remotely access the robot — viewing live video through its cameras, controlling its movements, or even logging into its internal computer (a Raspberry Pi unit). In essence, the robot could be turned into a spy device or a bridge into the university’s network without the knowledge of its operators, leading to international allegations that it might “sniff out” sensitive information for its Chinese makers.
University of Otago officials have downplayed the immediate threat, clarifying that the robot dog, nicknamed Scary Maclary, was used strictly in a segregated research environment and was never connected to core university networks or data. The University has investigated the device and found no signs of unauthorised access or data leakage from the device. The researchers who uncovered the backdoor advised any organisations using Unitree robots to remove these devices from enterprise networks and check logs for any unusual connections.
Phishing Toolkits Defeat MFA
Tycoon 2FA, a phishing kit first identified in late 2023, has recently been updated with new stealth features that make phishing pages harder to detect. Analysts report that the creators of the kit have begun hiding malicious code in HTML and JavaScript by using invisible Unicode characters — an obfuscation tactic that lets the code execute normally in browsers while appearing harmless to some scanners or human code reviewers. Tycoon 2FA now employs anti-analysis scripts that detect when automated security tools or debuggers are probing the phishing site, with the kit able to display a benign decoy page or redirect the tool to another site, thereby concealing the malicious content from investigators. These technical tricks enable the phishing scheme to evade many common email filters and security products, increasing the chances that an unsuspecting user will actually see the fake login page and enter their credentials and 2FA code.
In a related trend, we are seeing a surge in phishing emails carrying malicious SVG file attachments as lures, often tied to the same PhaaS (Phishing-as-a-Service) operations. Scalable Vector Graphics (SVG) files are images that can contain embedded scripts, and attackers are abusing this by sending phishing emails with SVG attachments that, when opened, run hidden JavaScript in the victim’s browser. The script typically redirects the user to a fraudulent login page to steal their credentials and generate an MFA authentication token for the attacker. Security researchers have seen a sharp rise (up a whopping 1800% from March 2024 to March 2025) in phishing attempts using SVG files, driven by kits like Tycoon 2FA, Mamba 2FA and Sneaky 2FA. To defend against these tactics, organisations should consider blocking or flagging SVG attachments in emails, since legitimate business emails rarely use the SVG format.
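As an added illustration (not code from the original article or from any of the kits named), the following Python script shows the kind of attachment check the two paragraphs above call for: it flags SVG files that carry script elements, event-handler attributes, foreignObject elements or javascript:/data: links, and it counts invisible Unicode code points of the sort used to hide code from reviewers. The two sample SVGs are constructed for the demonstration and contain no working payload.

```python
import re
import xml.etree.ElementTree as ET

# Invisible code points commonly abused to hide code in text: zero-width
# characters, word joiner, BOM, soft hyphen and Hangul filler characters.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad", "\u3164", "\uffa0"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings for an SVG attachment; an empty list means no indicators."""
    findings = []
    text = data.decode("utf-8", errors="replace")
    hidden = sum(text.count(ch) for ch in INVISIBLE)
    if hidden:
        findings.append(f"invisible-unicode:{hidden}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # A mail gateway should not trust an "image" it cannot parse.
        return findings + ["unparseable-xml"]
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.append("script-element")
        elif tag == "foreignobject":  # can embed arbitrary HTML inside an SVG
            findings.append("foreignobject-element")
        for attr, value in el.attrib.items():
            name = _local(attr)  # handles both href and xlink:href
            if name.startswith("on"):
                findings.append(f"event-handler:{name}")
            elif name == "href" and re.match(r"\s*(javascript|data):", value, re.I):
                findings.append(f"active-href:{value.split(':')[0].strip().lower()}")
    return findings


def verdict(data: bytes) -> str:
    """Policy decision for the attachment: quarantine on any finding, otherwise allow."""
    return "quarantine" if scan_svg(data) else "allow"


# Constructed samples for the demonstration (not real phishing lures).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    '<script>/* placeholder */ var x = "a\u200bb";</script>'
    '<a href="javascript:void(0)"><text>Open</text></a></svg>'
).encode("utf-8")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, verdict(blob), scan_svg(blob))
```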
Happenings
[US] Cybersecurity CEO Busted for Cybercrime
The CEO of a small cybersecurity company, Veritaco, was recently arrested and charged with carrying out cybercrimes. Jeffrey Bowie was taken into custody in Oklahoma after evidence emerged that he personally planted malware on hospital computers. The incident occurred in August 2024 at SSM Health St. Anthony Hospital in Oklahoma City. Bowie allegedly entered the hospital under false pretences and gained physical access to at least two staff workstations, where he installed a custom malicious program intended to secretly capture screenshots and send the images to an external server, allowing him to spy on hospital operations. The unauthorised access was noticed when a hospital employee found Bowie in an area reserved for staff and grew suspicious. Security camera footage later confirmed that he wandered through multiple offices interacting with the computers. The hospital’s IT team quickly performed a forensic analysis on the affected devices, uncovering the spyware. The prompt response and existing security measures meant that no patient data was compromised, and the malware was isolated to the two employee devices.
Following an investigation involving local police and the FBI, Bowie was arrested in April 2025 and now faces charges for violating the state’s Computer Crimes Act with prosecutors alleging that his actions were deliberate and malicious — an extreme example of an insider threat, made more alarming given his role as a security professional.
[Global] Oracle Data Breach
Oracle Corporation has quietly acknowledged a cybersecurity incident in its cloud environment after customer reports of data theft linked back to the platform. Oracle informed impacted clients that an attacker breached a legacy Oracle Cloud system (not in active use since 2017) and accessed a large database of user credentials. Using a known Java vulnerability, the hacker planted a web shell in January 2025 and, by late February, had exfiltrated identity records including usernames, emails, and hashed passwords from Oracle’s Identity Manager. The breach came to light in March when a threat actor named “rose87168” attempted to sell a cache of 6 million Oracle-related records on a hacker forum, even posting samples of a database and login credentials as proof. Oracle initially claimed the exposed data was from an old archive and that it wasn’t sensitive, but evidence from the hacker (including some 2024–2025 entries) and third-party analysis contradicts the downplaying of the breach’s severity.
A small number of Oracle Cloud customers have since confirmed that their information was indeed in the leaked dataset, validating the claims. In early April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the incident, warning that exposed credentials — even if from legacy systems — pose a risk if users reused passwords or tokens elsewhere. Oracle has involved the FBI and engaged cybersecurity firm CrowdStrike to assist with the investigation into the intrusion and the attempted extortion that followed. As a precaution, organisations using Oracle services (especially those on older cloud platforms) are advised to reset passwords, rotate keys, review authentication logs for unusual access, and ensure multi-factor authentication is enabled.
[NZ] Te Whatu Ora Breach
Te Whatu Ora (Health New Zealand) has confirmed a data breach involving internal staff information. A malicious actor gained unauthorised access to occupational health and safety records for some current and former employees in the central region, covering Capital & Coast, the Hutt Valley, and Wairarapa districts from 2020 to 2024. Discovered during an IT security incident in October 2024, the breach exposed personal details ranging from routine health and safety records to sensitive medical assessments and correspondence. The investigation has so far found no evidence that the stolen staff data has been shared publicly or posted online by the attacker.
In response, Te Whatu Ora immediately secured its systems, notified the Privacy Commissioner, and alerted police who are actively investigating – with criminal charges expected against the individual involved. The agency has apologised to affected staff and is offering support services. Officials emphasised that patient records were not impacted, as this breach was limited to employee data. They also urged staff to remain vigilant for any suspicious emails or scams that could arise using the stolen information. This incident highlights the importance of robust internal security controls and timely breach disclosure, especially when insiders or privileged data stores are targeted.
[Global] Microsoft Server Hotpatching – Subscription Required
Microsoft has announced that a paid subscription model will be used for their new Windows Server 2025 hotpatching service, which will enable administrators to install security updates without requiring a server restart. The service will become generally available on July 1st and will extend what was previously an Azure-only capability to Windows Server machines outside of Azure through Azure Arc – the extensibility platform that allows for the central management of on-premises machines through Azure.
On top of any Azure Arc or other charges, Microsoft have indicated that the service will cost $1.5 USD per core per month – which, unlike some other Microsoft enterprise services, is manageable for small and medium-sized organisations. Although kernel security hotpatching has been available on various Linux distributions for some time, the Microsoft service will also allow devices to receive critical driver and system service security updates – providing support to organisations that cannot afford downtime.
[Ireland] TikTok fined €530 Million over User Data sent to China
TikTok has received a €530 million fine from the Irish Data Protection Commission (DPC) for the illegal transfer of personal data of users in the European Economic Area to China, violating the GDPR data regulations. The Irish watchdog imposed fines for the infringement of two articles: Article 46(1) regarding the legality of transferring data to China, and Article 13(1)(f) regarding the lack of transparency around data transfers. The DPC has given TikTok a window of six months to update their policies and practices to comply with the regulations, before data transfers to China will be completely blocked. The DPC made it clear that they are concerned about the accessibility of the data by Chinese authorities, and that the protection afforded to this data needed to be equivalent to that guaranteed in the EU. TikTok have released a statement indicating that they disagree with the decision, and plan to submit an appeal.
This fine follows an (as yet unpaid) fine TikTok received from the DPC in 2023 of €345 million for improperly protecting the privacy of data for children (13 – 17) who use the application – an eye-watering total of €875 million.