2025-12-26 AI创业新闻

ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories

It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use. This week’s findings show a pattern: precision, patience, and persuasion.

The newest campaigns don’t shout for attention — they whisper through familiar interfaces, fake updates, and polished code. The danger isn’t just in what’s being exploited, but in how ordinary it all looks. ThreatsDay pulls these threads together — from corporate networks to consumer tech — revealing how quiet manipulation and automation are reshaping the threat landscape. It’s a reminder that the future of cybersecurity won’t hinge on bigger walls, but on sharper awareness.

Open-source tool exploited Abuse of Nezha for Post-Exploitation Bad actors are leveraging an open-source monitoring tool named Nezha to gain remote access to compromised hosts. Its ability to allow administrators to view system health, execute commands, transfer files, and open interactive terminal sessions also makes it an attractive choice for threat actors. In one incident investigated by Ontinue, the tool was deployed as a post-exploitation remote access tool by means of a bash script, while pointing to a remote dashboard hosted on Alibaba Cloud infrastructure located in Japan. “The weaponization of Nezha reflects an emerging modern attack strategy where threat actors systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defenses,” said Mayuresh Dani, security research manager at Qualys.

The abuse of Nezha is part of broader efforts where attackers leverage legitimate tools to evade signature detection, blend with normal activity, and reduce development effort. Facial scans for SIMs South Korea to Require Face Scans to Buy a SIM South Korea will begin requiring people to submit to facial recognition when signing up for a new mobile phone number in a bid to tackle scams and identity theft, according to the Ministry of Science and ICT. “By comparing the photo on an identification card with the holder’s actual face on a real-time basis, we can fully prevent the activation of phones registered under a false name using stolen or fabricated IDs,” the ministry said . The new policy, which applies to SK Telecom, Korea Telecom, and LG Uplus, and other mobile virtual network operators, takes effect on March 23 after a pilot following a trial that began this week .

The science ministry has emphasized that no data will be stored as part of the new policy. “We are well aware that the public is concerned due to a series of hacking incidents at local mobile carriers,” the ministry said. “Contrary to concerns raised by some, no personal information is stored or saved, and it is immediately erased once identification is verified.” Android NFC threat spike NFC-Abusing Android Malware Surges in H2 2025 Data from ESET has revealed that detections of NFC-abusing Android malware grew by 87% between H1 and H2 2025. This increase has been coupled with the growing sophistication of NFC-based malware, such as the harvesting of victims’ contacts, disabling of biometric verification, and bringing together NFC attacks with remote access trojan (RAT) features and Automated Transfer System (ATS) capabilities.

In these campaigns, malicious apps distributing malware such as PhantomCard prompt victims to hold their payment card near the phone and enter their PIN for authentication. In the process, the captured information is relayed to the attackers. “Recent innovations in the NFC sphere demonstrate that threat actors no longer rely solely on relay attacks: they are blending NFC exploitation with advanced capabilities such as remote access and automated transfers,” ESET said . “The efficiency of the scams is further fueled by advanced social engineering and technologies that can bypass biometric verification.” Fake PoCs spread malware Fake PoCs Lead to WebRAT Threat actors are now targeting inexperienced professionals and students in the information security field with fake proof-of-concept (PoC) exploits for security flaws such as CVE-2025-59295, CVE-2025-10294, and CVE-2025-59230 to trick them into installing WebRAT using a ZIP archive hosted in the repositories.

“To build trust, they carefully prepared the repositories, incorporating detailed vulnerability information into the descriptions,” Kaspersky said . The repositories include detailed sections with overviews of the vulnerability, system impact, install guides, usage steps, and even mitigation advice. The consistency of the format of a professional PoC write-up suggests the descriptions are machine-generated to avoid detection. Present within the ZIP file is an executable named “rasmanesc.exe,” that’s capable of escalating privileges, disabling Microsoft Defender, and fetching WebRAT from an external server.

Webrat is a backdoor that allows attackers to control the infected system, as well as steal data from cryptocurrency wallets, Telegram, Discord, and Steam accounts. It can also perform spyware functions such as screen recording, surveillance via a webcam and microphone, and keylogging. WebRAT is sold by NyashTeam , which also advertises DCRat. GuLoader surge observed GuLoader Campaigns Spiked in Late 2025 Campaigns distributing GuLoader (aka CloudEyE) scaled a new high between September and November 2025, according to ESET , with the highest detection peak recorded in Poland on September 18.

“CloudEyE is multistage malware; the downloader is the initial stage and spreads via PowerShell scripts, JavaScript files, and NSIS executables,” the company said. “These then download the next stage, which contains the crypter component with the intended final payload packed within. All CloudEyE stages are heavily obfuscated, meaning that they are deliberately difficult to detect and analyze, with their contents being compressed, encrypted, encoded, or otherwise obscured.” Chatbot flaws exposed Flaws in Eurostar AI Chatbot Multiple vulnerabilities have been disclosed in Eurostar’s public artificial intelligence (AI) chatbot that could allow guardrail bypass by taking advantage of the fact that the frontend relays the entire chat history to the API while running checks only on the latest message to ensure it’s safe. This opens the door to a scenario where an attacker could tamper with earlier messages, which, when fed into the model’s API, causes it to return unintended responses via a prompt injection.

Other identified issues included the ability to modify message IDs to potentially lead to cross-user compromise and inject HTML code stemming from the lack of input validation. “An attacker could exfiltrate prompts, steer answers, and run scripts in the chat window,” Pen Test Partners said. “The core lesson is that old web and API weaknesses still apply even when an LLM is in the loop.” Some of these vulnerabilities have since been fixed, but not before a confusing disclosure process that saw the penetrating testing firm somehow being accused of blackmail by Eurostar’s head of security on LinkedIn after asking, “Maybe a simple acknowledgement of the original email report would have helped?” Critical flaws uncovered Several Flaws in Databases Discovered A hacking competition conducted by Wiz, zeroday.cloud, led to the discovery of 11 critical zero-day exploits affecting foundational open-source components used in critical cloud infrastructure, including container runtimes, AI infrastructure such as vLLM and Ollama, and databases like Redis, PostgreSQL, and MariaDB. The most severe of the flaws has been uncovered in Linux.

“The vulnerability allows for a Container Escape, often enabling attackers to break out of an isolated cloud service, dedicated to one specific user, and spread to the underlying infrastructure that manages all users,” Wiz said . “This breaks the core promise of cloud computing: the guarantee that different customers running on the same hardware remain separate and inaccessible to one another. This further reinforces that containers shouldn’t be the sole security barrier in multi-tenant environments.” Loader targets industries New Campaign Targets Manufacturing and Government Orgs Manufacturing and government organizations in Italy, Finland, and Saudi Arabia are the target of a new phishing campaign that uses a commodity loader to deliver a wide range of malware, such as PureLogs, XWorm, Katz Stealer , DCRat, and Remcos RAT. “This campaign utilizes advanced tradecraft, employing a diverse array of infection vectors including weaponized Office documents (exploiting CVE-2017-11882 ), malicious SVG files, and ZIP archives containing LNK shortcuts,” Cyble said .

“Despite the variety of delivery methods, all vectors leverage a unified commodity loader.” The use of the loader to distribute a variety of malware indicates that the loader is likely shared or sold across different threat actor groups. A notable aspect of the campaign is the use of steganographic techniques to host image files on legitimate delivery platforms, thereby allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic. The commodity loader is assessed to be Caminho based on similar campaigns detailed by Nextron Systems and Zscaler . Teams gets safer defaults Microsoft Bolsters Teams Security Microsoft has announced that Teams will automatically enable messaging safety features by default, including weaponizable file type protection, malicious URL protection, and reporting incorrect detections.

The change will roll out starting January 12, 2026, to tenants that have not previously modified messaging safety settings and are still using the default configuration. “We’re improving messaging security in Microsoft Teams by enabling key safety protections by default,” Microsoft said in a Microsoft 365 message center update. “This update helps safeguard users from malicious content and provides options to report incorrect detections.” In addition, the Windows maker said security administrators will be able to block external users in Microsoft Teams via the Tenant Allow/Block List in the Microsoft Defender portal. The feature is expected to roll out in early January 2026 and be completed by mid-January.

“This centralized approach enhances security and compliance by enabling organizations to control external user access across Microsoft 365 services,” the company said . AI assistant hijack risk Docker Patches Prompt Injection in Ask Gordon Docker has patched a vulnerability in Ask Gordon , its AI assistant embedded in Docker Desktop and the Docker CLI. The flaw, discovered by Pillar Security in the beta version, is a case of prompt injection that enables attackers to hijack the assistant and exfiltrate sensitive data by poisoning Docker Hub repository metadata with malicious instructions. An attacker could have created a malicious Docker Hub repository that contained crafted instructions for the AI to exfiltrate sensitive data when unsuspecting developers ask the chatbot to describe the repository.

“By exploiting Gordon’s inherent trust in Docker Hub content, threat actors can embed instructions that trigger automatic tool execution – fetching additional payloads from attacker-controlled servers, all without user consent or awareness,” security researcher Eilon Cohen said . The issue was addressed in version 4.50.0 released on November 6, 2025. Firewall bypass threat IoT Devices Facing Silent Takeover Researchers have demonstrated how to breach Internet of Things (IoT) devices through firewalls, without the need for any kind of software vulnerability. “We present a new attack technique that allows attackers anywhere in the world to impersonate target intranet devices, hijack cloud communication channels, spoof the cloud, and bypass companion app authentication, and ultimately achieve Remote Code Execution (RCE) with root privileges,” researchers Jincheng Wang and Nik Xe said .

“Our research exposes flaws in existing cloud-device authentication mechanisms, and a widespread absence of proper channel verification mechanisms.” Faster BitLocker encryption Microsoft Announces Hardware-Accelerated BitLocker in Windows 11 Microsoft said it’s rolling out hardware-accelerated BitLocker in Windows 11 to balance robust security with minimal performance impact. “Starting with the September 2025 Windows update for Windows 11 24H2 and the release of Windows 11 25H2, in addition to existing support for UFS (Universal Flash Storage) Inline Crypto Engine technology, BitLocker will take advantage of upcoming system on chip (SoC) and central processing unit (CPU) capabilities to achieve better performance and security for current and future NVMe drives,” the company said . As part of this effort, BitLocker will hardware wrap BitLocker bulk encryption keys and offload bulk cryptographic operations from the main CPU to a dedicated crypto engine. “When enabling BitLocker, supported devices with NVMe drives, along with one of the new crypto offload capable SoCs, will use hardware-accelerated BitLocker with the XTS-AES-256 algorithm by default,” the tech giant added.

Israel-targeted phishing Israeli Entities Targeted by UNG0801 Information Technology (IT), Managed Service Providers (MSPs), human resources, and software development companies in Israel have become the target of a threat cluster likely originating from Western Asia that has used phishing lures written in Hebrew and designed to resemble routine internal communications to infect their systems with a Python- and Rust-based implants tracked as PYTRIC and RUSTRIC. The activity has been tracked by Seqrite Labs under the monikers UNG0801 and Operation IconCat. “A recurring pattern across the observed campaigns is the actor’s heavy reliance on antivirus icon spoofing,” the company said . “Branding from well-known security vendors, most notably SentinelOne and Check Point, is abused to create a false sense of legitimacy.” The PDF attachment in the email messages instructs recipients to download a security scanner by clicking on a Dropbox link that delivers the malware.

PYTRIC is equipped to scan the file system and perform a system-wide wipe. Attack chains distribute RUSTRIC leverage Microsoft Word documents with a malicious macro, which then extracts and launches the malware. Besides enumerating the antivirus programs installed on the infected host, it gathers basic system information and contacts an external server. EDR killer tool sold NtKiller Advertised on Cybercrime Forums A threat actor known as AlphaGhoul is promoting a tool called NtKiller that they claim can stealthily terminate antivirus and security solutions, such as Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro.

The core functionality, per Outpost24 , is available for $500, with a rootkit add-on and a UAC Bypass add-on costing $300 each. The disclosure comes weeks after a security researcher, who goes by the name Zero Salarium, demonstrated how Endpoint Detection and Response (EDR) programs can be undermined on Windows by exploiting the Bind Filter driver (“bindflt.sys”). In recent months, the security community has also identified ways to bypass web application firewalls (WAFs) by abusing ASP.NET’s parameter pollution, subvert EDRs using an in-memory Portable Executable (PE) loader, and even manipulate Microsoft Defender Antivirus to sideload DLLs and delete executable files to prevent the service from running by exploiting its update mechanism to hijack its execution folder. AI exploits blockchain AI Agents Find $4.6M in Blockchain Smart Contract Exploits AI company Anthropic said Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 developed exploits in blockchain smart contracts that would have allowed the theft of $4.6 million worth of digital assets.

“Both agents uncovered two novel zero-day vulnerabilities and produced exploits worth $3,694, with GPT-5 doing so at an API cost of $3,476,” Anthropic’s Frontier Red Team said . “This demonstrates as a proof-of-concept that profitable, real-world autonomous exploitation is technically feasible, a finding that underscores the need for proactive adoption of AI for defense.” North Korea’s new lure ScarCruft Behind New Operation Artemis Campaign The North Korean threat actor known as ScarCruft has been linked to a new campaign dubbed Artemis that involves the adversary posing as a writer for Korean TV programs to reach out to targets for casting or interview arrangements. “A short self-introduction and legitimate-looking instructions are used to build trust,” Genians said . “The attacker distributes a malicious HWP file disguised as a pre-interview questionnaire or event guide document.” The end goal of these attacks is to trigger the sideloading of a rogue DLL that ultimately delivers RokRAT, which uses Yandex Cloud for command-and-control (C2).

The campaign gets its name from the fact that one of the identified HWP documents has its Last Saved By field set to the value “Artemis.” AI-fueled disinfo surge CopyCop Scales AI-Driven Influence Ops The Russian influence operation CopyCop (aka Storm-1516) is using AI tools to scale its efforts to a global reach, quietly deploying more than 300 inauthentic websites disguised as local news outlets, political parties, and even fact-checking organizations targeting audiences across North America, Europe, and other regions, including Armenia, Moldova, and parts of Africa. The primary objective is to further Russia’s geopolitical goals and erode Western support for Ukraine. “What sets CopyCop apart from earlier influence operations is its large-scale use of artificial intelligence,” Recorded Future said . “The network relies on self-hosted LLMs, specifically uncensored versions of a popular open-source model, to generate and rewrite content at scale.

Thousands of fake news stories and ‘investigations’ are produced and published daily, blending factual fragments with deliberate falsehoods to create the illusion of credible journalism.” RomCom-themed phishing SHADOW-VOID-042 Behind Trend Micro-Themed Phishing Campaign A threat cluster dubbed SHADOW-VOID-042 has been linked to a November 2025 spear-phishing campaign featuring a Trend Micro-themed social engineering lure to trick victims in the defense, energy, chemical, cybersecurity (including Trend and a subsidiary), and ICT sectors with messages instructing them to install a fake update for alleged security issues in Trend Micro Apex One. The activity, Trend Micro said, shares overlaps with prior campaigns attributed to RomCom (aka Void Rabisu), a threat actor with both financial and espionage motivations that aligned with Russian interests. However, in the absence of a definitive connection, the latter attack waves are being tracked under a separate temporary intrusion set. What’s more, the November 2025 campaign shares tactical and infrastructure overlaps with another campaign in October 2025, which used alleged harassment complaints and research participation as social engineering lures.

“The campaign utilized a multi-stage approach, tailoring every stage to the specific target machine and delivering intermediate payloads to a select number of targets,” Trend Micro said . The URLs embedded in the emails redirect victims to a fake landing page impersonating Cloudflare, while, in the background, attempts are made to exploit a now-patched Google Chrome security flaw (CVE-2018-6065) using a JavaScript file. In the event exploitation fails, they are taken to a decoy site named TDMSec, impersonating Trend Micro. The JavaScript file also contains shellcode responsible for gathering system information and contacting an external server to fetch a second-stage payload, which acts as a loader for an encrypted component that then proceeds to contact a server to obtain an unspecified next-stage malware.

While Void Rabisu has exploited zero-days in the past, the new findings raise the possibility that it could be undergoing several changes. The stories this week aren’t just about new attacks — they’re a snapshot of how the digital world is maturing under pressure. Every exploit, fake lure, or AI twist is a sign of systems being tested in real time. The takeaway isn’t panic; it’s awareness.

The more we understand how these tactics evolve, the less power they hold. Cybersecurity now sits at the crossroads of trust and automation. As AI learns to defend, it’s also learning how to deceive. That tension will define the next chapter — and how ready we are to face it depends on what we choose to notice today.

Stay curious, stay skeptical, and read between the lines. The biggest threats often hide in what feels most routine — and that’s exactly where the next breakthrough in defense will begin. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

The encrypted vault backups stolen from the 2022 LastPass data breach have enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025, according to new findings from TRM Labs. The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the Russian exchanges receiving LastPass-linked funds as recently as October. This assessment is “based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control across pre-and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps ,” it added. LastPass suffered a major hack in 2022 that enabled attackers to access personal information belonging to its customers, including their encrypted password vaults containing credentials, such as cryptocurrency private keys and seed phrases.

Earlier this month, the password management service was fined $1.6 million by the U.K. Information Commissioner’s Office (ICO) for failing to implement sufficiently robust technical and security measures to prevent the incident. The breach also prompted the company to issue a warning at the time, stating bad actors may use brute-force techniques to guess the master passwords and decrypt the stolen vault data. The latest findings from TRM Labs show that the cybercriminals have done just that.

“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time,” the company said. “As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025.” The Russian links to the stolen cryptocurrency from the 2022 LastPass breach stem from two primary factors: The use of exchanges commonly associated with the Russian cybercriminal ecosystem in the laundering pipeline and operational connections gleaned from wallets interacting with mixers both before and after the mixing and laundering process. More $35 million in siphoned digital assets have been traced, out of which $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. Another $7 million has been linked to a subsequent wave detected in September 2025.

The stolen funds have been found to be routed through Cryptomixer.io and off-ramped via Cryptex and Audia6, two Russian exchanges associated with illicit activity. It’s worth mentioning here that Cryptex was sanctioned by the U.S. Treasury Department in September 2024 for receiving over $51.2 million in illicit funds derived from ransomware attacks. TRM Labs said it was able to demix the activity despite the use of CoinJoin techniques to make it harder to trace the flow of funds to external observers, uncovering clustered withdrawals and peeling chains that funneled mixed Bitcoin into the two exchanges.

“This is a clear example of how a single breach can evolve into a multi-year theft campaign,” said Ari Redbord, global head of policy at TRM Labs. “Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal who’s really behind the activity.” “Russian high-risk exchanges continue to serve as critical off-ramps for global cybercrime. This case shows why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability

Fortinet on Wednesday said it observed “recent abuse” of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations. The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the case of the username was changed. “This happens when two-factor authentication is enabled in the ‘user local’ setting, and that user authentication type is set to a remote authentication method (eg, LDAP),” Fortinet noted in July 2020. “The issue exists because of inconsistent case-sensitive matching among the local and remote authentication.” The vulnerability has since come under active exploitation in the wild by multiple threat actors , with the U.S.

government also listing it as one of the many weaknesses that were weaponized in attacks targeting perimeter-type devices in 2021. In a fresh advisory issued December 24, 2025, Fortinet noted that successfully triggering CVE-2020-12812 requires the following configuration to be present - Local user entries on the FortiGate with 2FA, referencing back to LDAP The same users need to be members of a group on the LDAP server At least one LDAP group the two-factor users are a member of needs to be configured on FortiGate, and the group needs to be used in an authentication policy which could include for example administrative users, SSL, or IPSEC VPN If these prerequisites are satisfied, the vulnerability causes LDAP users with 2FA configured to bypass the security layer and instead authenticate against LDAP directly, which, in turn, is the result of FortiGate treating usernames as case-sensitive, whereas the LDAP Directory does not. “If the user logs in with ‘Jsmith’, or ‘jSmith’, or ‘JSmith’, or ‘jsmiTh’ or anything that is NOT an exact case match to ‘jsmith,’ the FortiGate will not match the login against the local user,” Fortinet explained. “This configuration causes FortiGate to consider other authentication options.

The FortiGate will check through other configured firewall authentication policies.” “After failing to match jsmith, FortiGate finds the secondary configured group ‘Auth-Group’, and from it the LDAP server, and provided the credentials are correct, authentication will be successful regardless of any settings within the local user policy (2FA and disabled accounts).” As a result, the vulnerability can authenticate admin or VPN users without 2FA. Fortinet released FortiOS 6.0.10, 6.2.4, and 6.4.1 to address the behavior in July 2020. Organizations that have not deployed these versions can run the below command for all local accounts to prevent the authentication bypass issue - set username-case-sensitivity disable Customers who are on FortiOS versions 6.0.13, 6.2.10, 6.4.7, 7.0.1, or later are advised to run the following command - set username-sensitivity disable “With username-sensitivity set to disabled, FortiGate will treat jsmith, JSmith, JSMITH, and all possible combinations as identical and therefore prevent failover to any other misconfigured LDAP group setting,” the company said. As additional mitigation, it’s worth considering removing the secondary LDAP Group if it’s not required, as this eliminates the entire line of attack since no authentication via LDAP group will be possible, and the user will fail authentication if the username is not a match to a local entry.

However, the newly issued guidance does not give any specifics on the nature of the attacks exploiting the flaw, nor whether any of those incidents were successful. Fortinet has also advised impacted customers to contact its support team and reset all credentials if they find evidence of admin or VPN users being authenticated without 2FA. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code execution. “Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi,” CISA said.

The addition of CVE-2023-52163 to the KEV catalog comes in the multiple reports from Akamai and Fortinet about the exploitation of the flaw by threat actors to deliver botnets like Mirai and ShadowV2 . According to TXOne Research security researcher Ta-Lun Yen, the vulnerability, alongside an arbitrary file read bug (CVE-2023-52164, CVSS score: 5.1), remains unpatched due to the device reaching end-of-life (EoL) status. Successful exploitation requires an attacker to be logged into the device and perform a crafted request. In the absence of a patch, it’s advised that users avoid exposing the device to the internet and change the default username and password.

CISA is also recommending that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations or discontinue use of the product by January 12, 2025, to secure their network from active threats. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper

Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that’s delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple’s Gatekeeper checks. “Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix -style techniques, this sample adopts a more deceptive, hands-off approach,” Jamf researcher Thijs Xhaflaire said . The Apple device management firm and security company said the latest version is distributed as a code-signed and notarized Swift application within a disk image (DMG) file named “zk-call-messenger-installer-3.9.2-lts.dmg” that’s hosted on “zkcall[.]net/download.” The fact that it’s signed and notarized means it can be run without being blocked or flagged by built-in security controls like Gatekeeper or XProtect. Despite this, the installer has been found to display instructions prompting users to right-click and open the app – a common tactic used to sidestep such safeguards.

Apple has since revoked the code signing certificate. The Swift-based dropper then performs a series of checks before downloading and executing an encoded script through a helper component. This includes verifying internet connectivity, enforcing a minimum execution interval of around 3600 seconds to enforce a rate limit, and removing quarantine attributes and validating the file prior to execution. “Notably, the curl command used to retrieve the payload shows clear deviations from earlier variants,” Xhaflaire explained.

“Rather than using the commonly seen -fsSL combination, the flags have been split into -fL and -sS, and additional options like –noproxy have been introduced.” “These changes, along with the use of dynamically populated variables, point to a deliberate shift in how the payload is fetched and validated, likely aimed at improving reliability or evading detection.” Another evasion mechanism used in the campaign is the use of an unusually large DMG file, inflating its size to 25.5 MB by embedding unrelated PDF documents. The Base64-encoded payload, once parsed, corresponds to MacSync , a rebranded version of Mac.c that first emerged in April 2025. MacSync, per MacPaw’s Moonlock Lab, comes fitted with a fully-featured Go-based agent that goes beyond simple data theft and enables remote command and control capabilities. It’s worth noting that code-signed versions of malicious DMG files mimicking Google Meet have also been observed in attacks propagating other macOS stealers like Odyssey .

That said, threat actors have continued to rely on unsigned disk images to deliver DigitStealer as recently as last month. “This shift in distribution reflects a broader trend across the macOS malware landscape, where attackers increasingly attempt to sneak their malware into executables that are signed and notarized, allowing them to look more like legitimate applications,” Jamf said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

How AI and Zero Trust Work Together to Catch Attacks With No Files or Indicators

JavaScript must be enabled in order to register for webinar. Yes, I’d like to register for the webinar and agree to the handling of my information as explained in thePrivacy Policy. There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers.In this webinar, join experts from the Zscaler Internet Access product team as they cover the next major security challenges and how enterprises can best respond to them:“Living off the Land” Attacks:Today’s attackers use a combination of malware and legitimate system tools like PowerShell, WMI, or RDP.

File-based detection alone misses threats that blend in with trusted processes. Learn how and why gaining endpoint visibility into file-based threats, apps, and process behaviors is essential.Fileless “Last Mile” Reassembly Attacks:Legacy security tools are ineffective against fileless attacks, including those using only obfuscated HTML and JavaScript. Learn how a cloud-native antimalware engine that emulates malicious scripting and reassembles an executable binary in isolation can stop malicious files from being delivered to an endpoint.Securing Developer Environments:Developers are building and deploying applications faster than ever before. But third-party repositories and other open-source CI/CD tools can contain malicious code and vulnerabilities that can compromise your organization’s security.

Inspecting encrypted traffic in developer environments can identify and defeat would-be threats. Learn how to secure development workflows with automated TLS/SSL inspection and code sandboxing.You’ll see howZscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility necessary to effectively defend against emerging threats so you can proactively fortify your security posture to protect your users, devices, and data. There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers.

In this webinar, join experts from the Zscaler Internet Access product team as they cover the next major security challenges and how enterprises can best respond to them: You’ll see howZscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility necessary to effectively defend against emerging threats so you can proactively fortify your security posture to protect your users, devices, and data. By clicking “Register Now,” you agree to permit The Hacker News and its partners to process your contact details, which may include The Hacker News reaching out to you and sharing your contact information with its webinar partners.

The fraudulent investment scheme known as Nomani has witnessed an increase by 62%, according to data from ESET, as campaigns distributing the threat have also expanded beyond Facebook to include other social media platforms, such as YouTube. The Slovak cybersecurity company said it blocked over 64,000 unique URLs associated with the threat this year. A majority of the detections originated from Czechia, Japan, Slovakia, Spain, and Poland. Nomani was first documented by ESET in December 2024 as leveraging social media malvertising, company-branded posts, and artificial intelligence (AI)-powered video testimonials to deceive users into investing their funds in non-existent investment products that falsely claim significant returns.

When victims request payout of the promised profits, they are asked to pay additional fees or provide additional personal information, such as ID and credit card information. As is typical of investment scams of this kind, the end goal is financial loss. It doesn’t end there, for the fraudsters attempt to scam them again by making use of Europol- and INTERPOL-related lures on social media that promise assistance with getting their stolen funds back – only to lose more money in the process. ESET said the scam has since received some notable upgrades, including making their AI-generated videos more realistic in an effort to make it harder for prospective targets to spot the deception.

“Deepfakes of popular personalities, used as initial hooks for phishing forms or websites, now use higher resolution, have significantly reduced unnatural movements and breathing, and have also improved their A/V sync,” the company noted. The fabricated content has been found to often leverage topical events or personalities who are more widely seen in the public discourse to lend more credibility to the scheme. In one case observed in Czechia, a bogus news article falsely claimed the government was investing through one of its scam cryptocurrency platforms and generating substantial returns. To ensure that their malicious ads are not caught by the platform’s systems, the threat actors make sure that the campaigns are run only for a few hours.

Another important change involves redirecting users to benign cloaking pages instead of external phishing forms in case they don’t meet the targeting criteria. “To further lower their footprint, attackers increasingly abuse legitimate tools offered by the social media ad framework, such as forms and surveys instead of external webpages, to harvest victims’ information,” ESET said. Improvements have also been observed in the templates used to generate phishing pages, with signs pointing to the use of AI tools to write the HTML code. This assessment is based on the presence of checkboxes in source code comments.

Furthermore, GitHub repositories hosting such templates for investment scams have come from Russian and/or Ukrainian users. Despite these changes, the number of detections for Nomani in the second half of 2025 dropped, an indication that the attackers are likely being forced to revamp their tactics in the face of increased law enforcement efforts to combat such scams. “On the bright side, although overall detections are up compared to 2024, there’s a hint of improvement, as H2 2025 detections have declined by 37% compared to H1 2025,” ESET said. The disclosure coincides with a new investigation from Reuters that found 19% of Meta’s $18 billion in ad sales in China last year came from ads for scams, illegal gambling, pornography, and other banned content that are run by the company’s ad agency partners in the country.

Some of these agencies allow businesses to run banned advertisements. Following the report, Meta is said to have put the program under review. The latest report comes on the heels of another Reuters report that revealed the company projected earning 10% of Meta’s global revenue for 2024 – or about $16 billion – from such ads, including those run by threat actors behind Nomani, quantifying the humongous scale of the problem. Found this article interesting?

Attacks are Evolving: 3 Ways to Protect Your Business in 2026

Every year, cybercriminals find new ways to steal money and data from businesses. Breaching a business network, extracting sensitive data, and selling it on the dark web has become a reliable payday. But in 2025, the data breaches that affected small and medium-sized businesses (SMBs) challenged our perceived wisdom about exactly which types of businesses cybercriminals are targeting. This article will outline the learnings from key data breaches in 2025 as well as the most effective ways for SMBs to protect themselves in the coming year.

Examining the 2025 data breaches Prior to 2025, large businesses were popular targets for hackers because of their large pools of resources. It was assumed that smaller businesses simply weren’t as vulnerable to cyberattacks because there was less value in attacking them. But new security research from the Data Breach Observatory shows that’s changing: Small- and medium-sized businesses (SMBs) are now more likely to become a target. This change in tactic has been caused by large businesses investing in their cybersecurity and also refusing to pay ransoms.

Cybercriminals are less likely to extract anything of value by attacking these businesses, so instead they’re turning to attacking smaller businesses. While the payday may be smaller when attacking SMBs, by increasing the volume of attacks, cybercriminals can make up the shortfall. Smaller businesses have fewer resources to protect their networks and thus have become more reliable targets. Four in five small businesses have suffered a recent data breach.

By examining some of these data breaches and the companies they affected, a pattern emerges, and failings can be identified. Here are three key SMB data breaches from 2025: Tracelo — More than 1.4 million records stolen from this American mobile geolocating business appeared on the dark web following an attack from a hacker known as Satanic. Customer names, addresses, phone numbers, email addresses, and passwords were all made available for sale. PhoneMondo — This German telecommunications company was infiltrated by hackers and had more than 10.5+ million records stolen and posted online.

Customer names, dates of birth, addresses, phone numbers, email addresses, usernames, passwords, and IBANs all made it onto the dark work. SkilloVilla — The 60-person team behind this Indian edtech platform wasn’t able to protect the extensive customer data collected by the platform, and more than 33 million records were leaked on the dark web. Customer names, addresses, phone numbers, and email addresses have all been spotted online. What can we learn?

Looking at these particular breaches and taking into account the wider data breach landscape, we can identify trends that shaped 2025: SMBs were the number one target for hackers in 2025, accounting for 70.5% of the data breaches identified in the Data Breach Observatory . This means that companies between 1 and 249 employees were the most vulnerable to cybersecurity breaches throughout the year. Retail, tech, and media/entertainment businesses were targeted most frequently. Names and contact information are the most common records to appear on the dark web, increasing the risk of phishing attacks targeting workers.

Names and emails appeared in 9 out of 10 data breaches. With these trends in mind, it’s likely that hackers will continue targeting SMBs in the new year. If your organization falls into this category, your risk of a data breach could be higher. It’s not inevitable, however.

By considering your business’s sensitive data, how it’s stored, and what you use to protect it, you can secure your organization. How to avoid data breaches in 2026 Avoiding a data breach doesn’t have to be costly or complicated, as long as your business takes the right approach and finds the right tools. Employ two-factor authentication If all it takes to gain access to one of your business tools is a username and a password, your network is significantly easier to breach. Two-factor authentication (2FA) makes it harder for unauthorized individuals to gain access.

By introducing a secondary authentication method, such as an OTP code, security key, or biometric login, authentication and authorization take less time for your system, as well as increasing the barrier to entry. Secure access control to your network The principle of least privilege is a method used to decide who has access to what business tools and data. It dictates that any given team member should have access to strictly the necessary information they need to perform their role and nothing else. This approach to access control protects your organization by reducing the number of entry points into your network.

When access has been granted to strictly necessary team members, that access needs to be secured with good password hygiene. This includes creating strong passwords, not reusing passwords for multiple accounts, and ensuring that your business is notified if any of your data appears on the dark web. Strong and enforceable password policies support good password hygiene, and you can ensure that the dark web is regularly scanned for business data with a tool or service such as a password manager. Store sensitive data securely Leaked passwords and email addresses contribute to the risk that your employees will be targeted by phishing attacks or have their accounts compromised.

Even a single compromised account can lead to a data breach. Create a single, secure repository for every business credential by adopting a secure business password manager . With a password manager, every team member can safely generate strong passwords that meet your business’s password policy, autofill them on frequently visited websites and apps, and securely share credentials when needed. This secures all of these vital entry points into your business network.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

SEC Files Charges Over $14 Million Crypto Scam Using Fake AI-Themed Investment Tips

The U.S. Securities and Exchange Commission (SEC) has filed charges against multiple companies for their alleged involvement in an elaborate cryptocurrency scam that swindled more than $14 million from retail investors. The complaint charged crypto asset trading platforms Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., as well as investment clubs AI Wealth Inc., Lane Wealth Inc., AI Investment Education Foundation (AIIEF) Ltd., and Zenith Asset Tech Foundation, in connection with the operation. The SEC said the scam unfolded as a multi-step fraud that enticed unsuspecting users with ads on social media and built trust with them through group chats in which the scammers posed as financial professionals and promised returns from artificial intelligence (AI)-generated investment tips.

The fraudsters then convinced the victims to invest their funds into fake cryptocurrency asset trading platforms, only to defraud them later. According to the SEC, AI Wealth, Lane Wealth, AIIEF, and Zenith operated investment clubs on messaging apps like WhatsApp to which retail investors were lured into joining via ads on social media. While AI Wealth and Lane Wealth operated their WhatsApp groups from at least January 2024 to June 2024, AIIEF and Zenith ran from at least July 2024 to January 2025. The complaint alleges an unnamed individual based in Beijing, China, paid for the registrations of AI Wealth, Lane Wealth, and Zenith.

The details of the cryptocurrency platforms are as follows - Morocoin Tech Corp. - Established around December 2023 and accessible at h5.morocoin[.]top (Currently delinquent) Berge Blockchain Technology Co., Ltd. - Established around June 2022 and accessible at www.bergev[.]org (Currently delinquent) Cirkor Inc. - Established around May 2024 and accessible at www.cirkortrading[.]com (Administratively dissolved in October 2025) Each of these clubs included a “professor” who sent updates to investors via WhatsApp on macroeconomic conditions or commentary on stocks and an “assistant” who handled day-to-day interactions with participants.

These personas also send trade recommendations that they falsely claimed were based on AI-generated “signals.” “The clubs gained investors’ confidence with supposedly AI-generated investment tips before luring investors to open and fund accounts on purported crypto asset trading platforms Morocoin, Berge, and Cirkor, which falsely claimed to have government licenses, as alleged,” the SEC said. “The investment clubs and platforms then allegedly offered ‘Security Token Offerings’ that were purportedly issued by legitimate businesses. In reality, no trading took place on the trading platforms, which were fake, and the Security Token Offerings and their purported issuing companies did not exist.” The AI Wealth and Lane Wealth WhatsApp groups are said to have promoted an STO of a cryptocurrency asset called SCT, purportedly issued by the company SatCommTech. Likewise, the AIIEF and Zenith WhatsApp groups advertised an STO of another crypto asset called HMB that was issued by HumanBlock.

Both SatCommTech and HumanBlock have been identified as fictitious. To make matters worse, when investors attempted to withdraw their funds, the bogus platforms defrauded them a second time by demanding that they pay advance fees to gain access to money in their accounts. In the end, the platforms cut off investors’ access to their services. The ill-gotten proceeds, totaling at least $14 million, were moved overseas through a web of bank accounts and crypto asset wallets, in some cases through accounts held by Chinese or Burmese individuals located in Southeast Asia.

Of the total misappropriated funds, cryptocurrency assets account for at least $7.4 million, and fiat currency accounts for $6.6 million. In one case, a Morocoin investor made seven separate wires amounting to more than $1 million to accounts in China and Hong Kong. In another, a Cirkor investor wired over $1.4 million to a bank in Indonesia. There have also been multiple reports on Reddit about individuals losing their money to the scam , with the AIIEF flagged for using names like “Richard Dill” and “Daisy Akemi” for professors and assistants.

The defendants have been charged with violating the anti-fraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. In addition, the SEC is seeking permanent injunctions and civil penalties, along with the repayment of the money with prejudgment interest. “This matter highlights an all-too-common form of investment scam that is being used to target U.S. retail investors with devastating consequences,” said Laura D’Allaird, Chief of the Cyber and Emerging Technologies Unit.

“Fraud is fraud, and we will vigorously pursue securities fraud that harms retail investors.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Italy Fines Apple €98.6 Million Over ATT Rules Limiting App Store Competition

Apple has been fined €98.6 million ($116 million) by Italy’s antitrust authority after finding that the company’s App Tracking Transparency (ATT) privacy framework restricted App Store competition. The Italian Competition Authority (Autorità Garante della Concorrenza e del Mercato, or AGCM) said the company’s “absolute dominant position” in app distribution allowed it to “unilaterally impose” the ATT rules on third-party app developers, without consulting with them beforehand. The investigation was launched in May 2023. The AGCM said it’s not calling into question Apple’s decision to adopt safeguards designed to enhance users’ privacy on iOS, but rather it’s taking issue with the consent requirements that are excessively burdensome for developers and “disproportionate” to the stated objectives of ATT.

Specifically, this requires developers to serve both ATT- and GDPR-related permission prompts in apps for iPhone and iPad users in the E.U. to seek user permission before processing their data for personalized ads. In contrast, Apple’s own apps and services can obtain this permission in a single tap. “In particular, third-party app developers are required to obtain specific consent for the collection and linking of data for advertising purposes through Apple’s ATT prompt,” AGCM said.

“However, such a prompt does not meet privacy legislation requirements, forcing developers to double the consent request for the same purpose.” The authority also said the double consent requirement that arises as a result of ATT harms third-party developers who rely on advertising, adding, “Apple should have ensured the same level of privacy protection for users by allowing developers to obtain consent to profiling in a single ‘Personalized Advertising’ prompt. In a statement shared with Reuters, Apple said it will appeal the regulator’s decision and reiterated its commitment “to defend strong privacy protections.” It also said the rules apply equally to all developers, including Apple. Apple introduced ATT in 2021 as a way for mobile apps to seek users’ explicit consent in order to access their device’s unique advertising identifier for tracking them across apps and websites for targeted advertising. This is not the first time the privacy framework has run at odds with competition authorities.

Back in March 2025, the company was also fined €150 million ($162 million) by France’s competition watchdog for using ATT to leverage its dominant market position in mobile app advertising. Apple is also facing similar probes in Poland and Romania . Earlier this month, Germany’s antitrust authority said it was testing Apple’s proposed changes to ATT, which included changes to the text and formatting of the consent prompt while maintaining “core user benefits.” The company is said to have agreed to introduce neutral consent prompts for both its own services and third-party apps, in addition to simplifying the consent process so that developers can obtain user permission in a manner that complies with data protection law. Found this article interesting?

Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites

Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials. The extensions are advertised as a “multi-location network speed test plug-in” for developers and foreign trade personnel. Both the browser add-ons are available for download as of writing. The details of the extensions are as follows - Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj) - 2,000 users (Published on November 26, 2017) Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd) - 180 users (Published on April 27, 2023) “Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), believing they’re purchasing a legitimate VPN service, but both variants perform identical malicious operations,” Socket security researcher Kush Pandya said.

“Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor’s C2 [command-and-control] server.” Once unsuspecting users make the payment, they receive VIP status and the extensions auto-enable “smarty” proxy mode, which routes traffic from over 170 targeted domains through the C2 infrastructure. The extensions work as advertised to reinforce the illusion of a functional product. They perform actual latency tests on proxy servers and display connection status, while keeping users in the dark about their main goal, which is to intercept network traffic and steal credentials. This involves malicious modifications prepended to two JavaScript libraries, namely, jquery-1.12.2.min.js and scripts.js, that come bundled with the extensions.

The code is designed to automatically inject hard-coded proxy credentials (topfany / 963852wei) into every HTTP authentication challenge across all websites by registering a listener on chrome.webRequest.onAuthRequired. “When any website or service requests HTTP authentication (Basic Auth, Digest Auth, or proxy authentication), this listener fires before the browser displays a credential prompt,” Pandya explained. “It immediately responds with the hardcoded proxy credentials, completely transparent to the user. The asyncBlocking mode ensures synchronous credential injection, preventing any user interaction.” Once users authenticate to a proxy server, the extension configures Chrome’s proxy settings using a Proxy Auto-Configuration ( PAC ) script to implement three modes - close, which disables the proxy feature always, which routes all web traffic through the proxy smarty, which routes a hard-coded list of more than 170 high-value domains through the proxy The list of domains includes developer platforms (GitHub, Stack Overflow, Docker), cloud services (Amazon Web Services, Digital Ocean, Microsoft Azure), enterprise solutions (Cisco, IBM, VMware), social media (Facebook, Instagram, Twitter), and adult content sites.

The inclusion of pornographic sites is likely an attempt to blackmail victims, Socket theorized. The net result of this behavior is that user web traffic is routed through threat actor-controlled proxies while the extension maintains a 60-second heartbeat to its C2 server at phantomshuttle[.]space, a domain that remains operational. It also grants the attacker a “man-in-the-middle” (MitM) position to capture traffic, manipulate responses, and inject arbitrary payloads. More importantly, the heartbeat message transmits a VIP user’s email, password in plaintext, and version number to an external server via an HTTP GET request every five minutes for continuous credential exfiltration and session monitoring.

“The combination of heartbeat exfiltration (credentials and metadata) plus proxy MitM (real-time traffic capture) provides comprehensive data theft capabilities operating continuously while the extension remains active,” Socket said. Put differently, the extension captures passwords, credit card numbers, authentication cookies, browsing history, form data, API keys, and access tokens from users accessing the targeted domains while VIP mode is active. What’s more, the theft of developer secrets could pave the way for supply chain attacks. It’s currently not known who is behind the eight-year-old operation, but the use of Chinese language in the extension description, the presence of Alipay/WeChat Pay integration to make payments, and the use of Alibaba Cloud to host the C2 domain points to a China-based operation.

“The subscription model creates victim retention while generating revenue, and the professional infrastructure with payment integration presents a facade of legitimacy,” Socket said. “Users believe they’re purchasing a VPN service while unknowingly enabling complete traffic compromise.” The findings highlight how browser-based extensions are becoming an unmanaged risk layer for enterprises. Users who have installed the extensions are advised to remove them as soon as possible. For security teams, it’s essential to deploy extension allowlisting, monitor for extensions with subscription payment systems combined with proxy permissions, and implement network monitoring for suspicious proxy authentication attempts.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty

A law enforcement operation coordinated by INTERPOL has led to the recovery of $3 million and the arrest of 574 suspects by authorities from 19 countries, amidst a continued crackdown on cybercrime networks in Africa. The coordinated effort, named Operation Sentinel, took place between October 27 and November 27, 2025, and mainly focused on business email compromise (BEC), digital extortion, and ransomware on the continent. Participating nations included Benin, Botswana, Burkina Faso, Cameroon, Chad, Congo, Djibouti, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Nigeria, Senegal, South Africa, South Sudan, Uganda, Zambia, and Zimbabwe. Over the course of the initiative, more than 6,000 malicious links were taken down and six distinct ransomware variants were decrypted.

The names of the ransomware families were not disclosed. The investigated incidents were linked to estimated financial losses exceeding $21 million, INTERPOL added. Multiple suspects have been arrested in connection with a ransomware attack targeting an unnamed Ghanaian financial institution that encrypted 100 terabytes of data and stole about $120,000. In addition, Ghanaian authorities took down a cyber fraud network operating across Ghana and Nigeria that defrauded more than 200 victims of over $400,000 using well-designed websites and mobile apps, which impersonated popular fast-food brands to collect payments for fake orders.

As part of the effort, 10 individuals were apprehended, 100 digital devices were seized, and 30 fraudulent servers were taken offline. Law enforcement from Benin also dismantled 43 malicious domains and 4,318 social media accounts that were used to further extortion schemes and scams. The operation culminated in the arrest of 106 people. “The scale and sophistication of cyber attacks across Africa are accelerating, especially against critical sectors like finance and energy,” Neal Jetton, INTERPOL’s director of cybercrime, said.

Operation Sentinel is part of the African Joint Operation against Cybercrime ( AFJOC ), which aims to enhance the capabilities of national law enforcement agencies in Africa and better disrupt cybercriminal activity in the region. Ukrainian National Pleads Guilty to Nefilim Ransomware Attacks The disclosure comes as a 35-year-old from Ukraine pleaded guilty in the U.S. to using Nefilim ransomware to attack companies in the country and elsewhere in his capacity as an affiliate. Artem Aleksandrovych Stryzhak was arrested in Spain in June 2024 and extradited to the U.S.

earlier this April. In September, the Justice Department (DoJ) charged another Ukrainian national, Volodymyr Viktorovich Tymoshchuk, for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021. Tymoshchuk remains at large, although authorities have announced a $11 million reward for information leading to his arrest or conviction. Tymoshchuk is also on the most wanted lists of both the U.S.

Federal Bureau of Investigation ( FBI ) and the European Union ( E.U. ). Nefilim’s victims span the U.S., Germany, the Netherlands, Norway, and Switzerland. “In June 2021, Nefilim administrators gave Stryzhak access to the Nefilim ransomware code in exchange for 20 percent of his ransom proceeds,” the DoJ said.

“Stryzhak and others researched potential victims after gaining unauthorized access to their networks, including by using online databases to obtain information about the companies’ net worth, size, and contact information.” Around July 2021, a Nefilim administrator is said to have encouraged Stryzhak to target companies in the U.S., Canada, and Australia with more than $200 million dollars in annual revenue. Nefilim operated under a double extortion model, pressurizing victims to pay up or risk getting their stolen data published on a publicly accessible data leaks site known as Corporate Leaks that was maintained by the administrators. Stryzhak pleaded guilty to conspiracy to commit fraud related to computers in connection with his Nefilim ransomware activities. He is scheduled to be sentenced on May 6, 2026.

If found guilty, he faces a maximum penalty of 10 years in prison. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Passwd: A walkthrough of the Google Workspace Password Manager

Passwd is designed specifically for organizations operating within Google Workspace. Rather than competing as a general consumer password manager, its purpose is narrow, and business-focused: secure credential storage, controlled sharing, and seamless Workspace integration. The platform emphasizes practicality over feature overload, aiming to provide a reliable system for teams that already rely on Google’s tools. Security as the starting point Encryption and data protection are the basic building blocks of Passwd.

Every credential, file, or sensitive asset gets encrypted with AES-256, an extremely secure encryption standard that is widely recognized. Encryption happens before storage, keeping data protected throughout its lifecycle. Passwd is based on a zero-knowledge architecture; only the users, not Passwd, are able to access decrypted data. It does not have any visibility of the stored passwords or secrets.

The structure reflects an enterprise mindset: Centralized admin control Granular, role-based permissions Visibility into credential access and changes Clear organizational hierarchy Security assurance is further supported by SOC 2 and GDPR readiness , through documentation and controls for businesses that need to adhere to regulated compliance standards. Along with encryption and zero-knowledge design, these certifications reinforce the security posture of the platform. Audit logs and access tracking provide visibility into who has viewed, shared, or changed credentials in the system. This is helpful in a number of ways when it comes to compliance, internal audits, and security reviews.

From a reliability perspective, Passwd has minimal downtime. Though Google updates caused disruptions, they have only been short-lived. There have not been any data breaches to date. Integration designed for Google Workspace Where most password managers extend across multiple ecosystems, Passwd stays firmly within Google’s.

The platform connects directly to Google Workspace for identity management, making onboarding and administration easier. Because authentication is done via Google OAuth, users sign in with their existing Google accounts, with no new master passwords, credentials, or login systems to maintain. This reduces credential sprawl and eliminates separate password databases. For teams used to Gmail, Drive, Docs, or Google Admin Console, the setup feels intuitively familiar.

Deployments take mere minutes rather than requiring IT restructuring. This focus also creates clarity about the intended environment in which Passwd will operate: Passwd works only inside the Google Workspace ecosystem and cannot be used with external identity providers. Passwd includes Google SSO support, allowing for a passwordless login experience. The service also provides audit logging, which gives administrators insight into who has accessed credentials and when.

Reports indicate it scales effectively for several hundred employees, and its pricing model eliminates additional fees once a company has more than 301 users, making it appealing to larger teams. How teams use Passwd Day-to-Day When activated, Passwd turns into a shared storage system in which groups can securely organize: Passwords and logins SSH keys API credentials Database access Payment information Internal tools or system accounts Sharing can be temporary or permanent, by individuals or groups. Permissions control a user’s level of access to a record: whether they can view it, edit it, or manage it. Activity tracking enables a team to understand how its credentials are being accessed and by whom.

Role-based access, sharing links, and detailed audit trails support common workplace scenarios, new employee onboarding, transitions between departments, or restricted administrative access. Passwd’s Premium plans include unlimited records and users, designed to scale with an organization as it grows. The plan tier determines the features available, allowing businesses to adopt the level that fits their workflows. Cross-platform access and usage Passwd provides wide device compatibility with a lightweight footprint: Web access through any browser Chrome, Edge, and Firefox extensions Android and iOS mobile apps Browser extensions help autofill records and credential capture without requiring large desktop applications.

This cross-platform consistency allows users to transition easily from device to device without changing how they interact with stored data. Built-in tools and functionality Passwd contains the essential password-management utilities: A password generator able to create secure, random passwords Auditing tools for credentials that are weak, reused, or outdated Tags that give organization to records The interface is free of complicated add-ons, favoring a clean, straightforward layout: search, filtering, and record editing are easily located and used. Pricing structure and value The pricing of Passwd is designed for organizational usage, rather than individual licensing. The Workspace plan starts from $19 per month , including unlimited stored records.

A per-user pricing option is available for smaller teams or departments that aren’t using Workspace organization-wide, though the pay-per-workspace model may offer better overall efficiency. A free Starter Plan allows unlimited users and up to 15 stored records, so it is highly accessible for small teams or early testing. The Enterprise plan is ideal for organizations that require GDPR and SOC2 compliance, alongside advanced user monitoring. Its most exceptional benefit is that it lets you host the password manager inside your very own Google Cloud project, an uncommon capability and an important added value in comparison to other team password managers.

This puts Passwd in the position of being an entry-level enterprise product, but without the need for enterprise-level pricing. Customer feedback and observed reception Passwd maintains a 4.7-star rating across the third-party review platforms, including Trustpilot and G2. Feedback often points out that: Smooth integration with Google Workspace Fast onboarding through Google Identity Easier credential sharing across teams Clear access governance using Google Groups Smaller teams often mention that the free tier provides enough functionality for centralized storage and secure sharing, while larger organizations use Passwd for its onboarding and role transitions. Where Passwd fits and where it doesn’t Based on its structure and feature set, Passwd aligns most naturally with organizations that: Already use Google Workspace company-wide Prefer a unified identity and authentication system Share passwords or credentials across teams Want admin visibility, compliance support, and access logs Need a scalable approach without paying per-seat licensing However, Passwd is less applicable for organizations that: Require integrations beyond Google’s ecosystem Use multiple or diverse identity providers Operate outside Google Workspace environments Its design intentionally prioritizes Workspace compatibility over platform versatility.

Overview of closing walkthrough A walkthrough of Passwd shows a password manager featuring predictability, efficiency, and organizational alignment rather than feature saturation. Its role is clear: provide strong encryption, controlled collaboration, compliance-ready visibility, and seamless Google authentication. For teams already living inside Google Workspace, Passwd becomes an extension of the workflows that are already in place, not another tool to manage, and handles shared credentials, enforces access governance, and protects sensitive information in a safe, structured manner. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

U.S. DoJ Seizes Fraud Domain Behind $14.6 Million Bank Account Takeover Scheme

The U.S. Justice Department (DoJ) on Monday announced the seizure of a web domain and database that it said was used to further a criminal scheme designed to target and defraud Americans by means of a bank account takeover scheme. The domain in question, web3adspanels[.]org, was used as a backend web panel to host and manipulate illegally harvested bank login credentials. Users to the website are now greeted by a seizure banner that says the domain was taken down in an international law enforcement operation led by authorities from the U.S.

and Estonia. “The criminal group perpetrating the bank account takeover fraud delivered fraudulent advertisements through search engines, including Google and Bing,” the DoJ said . “These fraudulent advertisements imitate the sponsored search engine advertisements used by legitimate banking entities.” The ads served as a conduit to redirect unsuspecting users to fake bank websites operated by the threat actors, who harvested login credentials entered by victims through an unspecified malicious software program built into the sites. The stolen credentials were then used by the criminals to sign into legitimate bank websites to take over victims’ accounts and drain their funds.

The scheme is estimated to have claimed 19 victims across the U.S. to date, including two companies in the Northern District of Georgia, leading to attempted losses of approximately $28 million and actual losses of approximately $14.6 million. The DoJ said the confiscated domain stored the stolen login credentials of thousands of victims, in addition to hosting a backend server to facilitate takeover fraud as recently as last month. According to information shared by the U.S.

Federal Bureau of Investigation (FBI), the Internet Crime Complaint Center (IC3) has received more than 5,100 complaints related to bank account takeover fraud since January 2025, with reported losses upwards of $262 million. Users are advised to exercise caution when sharing about themselves online or on social media; regularly monitor accounts for any financial irregularities; use unique, complex passwords; ensure the correctness of banking website URLs before signing in; and stay vigilant against phishing attacks or suspicious callers. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.