Cyber Brief: DeFi hack, Windows GDI RCE, HttpTroy backdoor

Today’s Cyber Brief highlights four major developments shaping the start of the week: a major decentralised-finance exploit, new remote-code vulnerabilities in Windows, a North Korean backdoor campaign, and the discovery of hundreds of millions of stolen credentials on the dark web. Each story shows how rapidly cyber-risk is evolving across financial, operational and identity layers.


Major DeFi exploit drains over US $110 million from Balancer

The decentralised-finance platform Balancer has suffered a significant exploit in which more than US $110 million worth of cryptocurrency was drained from its liquidity pools. Blockchain analysis shows large transfers of Ether and staking tokens into attacker-controlled wallets. The incident exploited weaknesses in Balancer V2 vault contracts and highlights the ongoing exposure of smart-contract platforms to logic-level vulnerabilities. Balancer has confirmed the breach and pledged to compensate users, but the reputational damage could be lasting across the DeFi sector.

Source: CoinDesk

Why it matters:
Even mature decentralised-finance ecosystems can contain exploitable code paths that result in catastrophic losses. For UK SMEs and regulated firms experimenting with blockchain or fintech integration, this serves as a reminder to perform independent code audits, risk assessments and third-party reviews. A single smart-contract flaw can cascade through partners and investors.


Microsoft warns of remote-code execution vulnerabilities in Windows GDI

Security researchers have identified critical flaws in Windows’ Graphics Device Interface (GDI) component that could allow remote attackers to execute arbitrary code. These vulnerabilities affect both desktop and server environments and may be triggered through malformed image or document files. Microsoft has issued emergency updates and is urging immediate patching, as attackers are reportedly testing exploitation in the wild.

Source: Cybersecurity News

Why it matters:
Windows GDI is a core subsystem used by nearly every application that renders graphics or text. A remote code-execution path at this level gives attackers broad reach across enterprise networks. UK organisations should prioritise this update, verify patch deployment through endpoint-management tools and review lateral-movement monitoring to detect early compromise.


New HttpTroy backdoor used in targeted campaign

Researchers have uncovered a previously unseen backdoor named HttpTroy, deployed in a phishing campaign targeting a South Korean organisation. The malware disguises itself as an invoice attachment and, once executed, creates covert communication channels to extract sensitive data. Analysis links the campaign to the Kimsuky threat group, known for intelligence-gathering and supply-chain targeting.

Source: The Hacker News

Why it matters:
Although this campaign focused on South Korea, similar techniques are being adapted worldwide. For UK SMEs, particularly those in defence, manufacturing or research supply chains, the lesson is clear: spear-phishing remains one of the most effective entry points. Maintain strict attachment filtering, restrict macro execution and ensure staff training remains current.


Proton warns of 300 million stolen credentials circulating online

Privacy-focused email provider Proton has warned that around 300 million login credentials have surfaced on the dark web, compiled from multiple breaches. The data is already being used in credential-stuffing campaigns targeting both business and consumer accounts. Proton stresses that while its own systems were not compromised, many leaked passwords overlap with corporate and personal logins reused across services.

Source: CyberPress

Why it matters:
Credential reuse continues to drive a large proportion of successful compromises. UK organisations should require multifactor authentication on all accounts, rotate service-account credentials, and monitor for leaked usernames in breach-notification feeds. Employee awareness and technical controls around identity hygiene remain the strongest defences.


🔍 Today’s Key Actions

  1. Audit any direct or indirect DeFi exposure and review third-party fintech integrations.
  2. Apply Microsoft’s latest Windows GDI patches and verify rollout completion.
  3. Refresh phishing-awareness training and tighten attachment-scanning policies.
  4. Enforce multifactor authentication and monitor for leaked credentials.


💬 Secarma Insight

This week opens with clear evidence that threat actors are broadening their scope—from financial smart contracts to low-level operating-system components and global credential markets. The message for UK organisations is simple: invest equally in proactive prevention and rapid detection. At Secarma, we help businesses strengthen resilience through independent testing, secure-development support and practical risk governance.

Get in touch with us to review today’s findings, prioritise actions, and strengthen your defences before the next exploit cycle begins.
