2026-01-03 AI Startup News
Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia
The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts. “The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document and embedded with full PDF content to evade user suspicion,” CYFIRMA said in a technical report. Transparent Tribe, also called APT36, is a hacking group that’s known for mounting cyber espionage campaigns against Indian organizations. Assessed to be of Indian origin, the state-sponsored adversary has been active since at least 2013.
The threat actor boasts of an ever-evolving arsenal of RATs to realize its goals. Some of the trojans put to use by Transparent Tribe in recent years include CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. The latest set of attacks began with a spear-phishing email containing a ZIP archive with a LNK file disguised as a PDF. Opening the file triggers the execution of a remote HTML Application (HTA) script using “mshta.exe” that decrypts and loads the final RAT payload directly in memory.
In tandem, the HTA downloads and opens a decoy PDF document so as not to arouse users’ suspicion. “After decoding logic is established, the HTA leverages ActiveX objects, particularly WScript.Shell, to interact with the Windows environment,” CYFIRMA noted. “This behavior demonstrates environment profiling and runtime manipulation, ensuring compatibility with the target system and increasing execution reliability techniques commonly observed in malware abusing ‘mshta.exe.’” A noteworthy aspect of the malware is its ability to adapt its persistence method based on the antivirus solutions installed on the infected machine:
- If Kaspersky is detected, it creates a working directory under “C:\Users\Public\core\,” writes an obfuscated HTA payload to disk, and establishes persistence by dropping a LNK file in the Windows Startup folder that, in turn, launches the HTA script using “mshta.exe.”
- If Quick Heal is detected, it establishes persistence by creating a batch file and a malicious LNK file in the Windows Startup folder, writing the HTA payload to disk, and then calling it using the batch script.
- If Avast, AVG, or Avira are detected, it works by directly copying the payload into the Startup directory and executing it.
- If no recognized antivirus solution is detected, it falls back to a combination of batch file execution, registry-based persistence, and payload deployment prior to launching the batch script.
The second HTA file includes a DLL named “iinneldc.dll” that functions as a fully-featured RAT, supporting remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control. “APT36 (Transparent Tribe) remains a highly persistent and strategically driven cyber-espionage threat, with a sustained focus on intelligence collection targeting Indian government entities, educational institutions, and other strategically relevant sectors,” the cybersecurity company said.
In recent weeks, APT36 has also been linked to another campaign that leverages a malicious shortcut file disguised as a government advisory PDF (“NCERT-Whatsapp-Advisory.pdf.lnk”) to deliver a .NET-based loader, which then drops additional executables and malicious DLLs to establish remote command execution, system reconnaissance, and long-term access. The shortcut is designed to execute an obfuscated command using cmd.exe to retrieve an MSI installer (“nikmights.msi”) from a remote server (“aeroclubofindia.co[.]in”), which is responsible for initiating a series of actions:
- Extract and display a decoy PDF document to the victim
- Decode and write DLL files to “C:\ProgramData\PcDirvs\pdf.dll” and “C:\ProgramData\PcDirvs\wininet.dll”
- Drop “PcDirvs.exe” to the same location and execute it after a delay of 10 seconds
- Establish persistence by creating “PcDirvs.hta” that contains Visual Basic Script to make Registry modifications to launch “PcDirvs.exe” every time after system startup
It’s worth pointing out that the lure PDF displayed is a legitimate advisory issued by the National Cyber Emergency Response Team of Pakistan (PKCERT) in 2024 about a fraudulent WhatsApp message campaign targeting government entities in Pakistan with a malicious WinRAR file that infects systems with malware. The DLL “wininet.dll” connects to a hard-coded command-and-control (C2) infrastructure hosted at dns.wmiprovider[.]com. It was registered in mid-April 2025.
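The following Python script is an added example, not part of CYFIRMA’s report or either malware family. It hunts for the file-based persistence described for both campaigns: it inspects a Startup folder for HTA files and for shortcuts or batch files that reference mshta.exe or an .hta, and checks whether the staging directories named above (“C:\Users\Public\core” and “C:\ProgramData\PcDirvs”) exist. The registry-based variants need a separate check that this script does not attempt. The throwaway fixture folder, its fake shortcut bytes and the placeholder HTA are constructed for the example so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Markers tied to the persistence described in the reports: the LOLBin that
# runs the HTA and the HTA extension itself. Shortcut (LNK) files store their
# target and arguments as UTF-16LE, so every marker is checked in both encodings.
MARKERS = ("mshta", ".hta")
# Staging directories named in the CYFIRMA reports for the two campaigns.
KNOWN_STAGING_DIRS = (r"C:\Users\Public\core", r"C:\ProgramData\PcDirvs")
# Per-user Startup folder on Windows (assumption: APPDATA is set as usual).
DEFAULT_STARTUP = (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
                   / "Start Menu" / "Programs" / "Startup")


def _contains_marker(data: bytes) -> bool:
    low = data.lower()  # lowercases ASCII bytes, which also covers UTF-16LE text
    return any(m.encode("ascii") in low or m.encode("utf-16-le") in low
               for m in MARKERS)


def hunt_startup(startup_dir, staging_dirs=KNOWN_STAGING_DIRS):
    """Return (path, reason) pairs for Startup entries matching the described
    persistence, plus any known staging directory that exists."""
    findings = []
    startup = Path(startup_dir)
    entries = sorted(startup.iterdir()) if startup.is_dir() else []
    for entry in entries:
        if not entry.is_file():
            continue
        ext = entry.suffix.lower()
        try:
            data = entry.read_bytes()
        except OSError:
            continue
        if ext == ".hta":
            findings.append((str(entry), "HTA placed directly in the Startup folder"))
        elif ext == ".lnk" and _contains_marker(data):
            findings.append((str(entry), "Startup shortcut referencing mshta or an HTA"))
        elif ext in (".bat", ".cmd") and _contains_marker(data):
            findings.append((str(entry), "Startup batch file launching mshta or an HTA"))
    for d in staging_dirs:
        if Path(d).is_dir():
            findings.append((str(d), "staging directory named in the campaign exists"))
    return findings


def build_sample_startup() -> Path:
    """Constructed fixture for trying the scanner offline: a throwaway folder
    with a benign shortcut, a shortcut pointing at mshta.exe, a batch launcher
    and an HTA. The LNK bytes are not real shortcuts, only the 'L' signature,
    padding and the UTF-16LE target string a real one would carry."""
    root = Path(tempfile.mkdtemp(prefix="startup-hunt-"))
    (root / "core").mkdir()  # stands in for C:\Users\Public\core

    def fake_lnk(target: str) -> bytes:
        return b"L\x00\x00\x00" + b"\x00" * 72 + target.encode("utf-16-le")

    (root / "OneNote.lnk").write_bytes(fake_lnk(r"C:\Windows\System32\notepad.exe"))
    (root / "Update.lnk").write_bytes(
        fake_lnk(r"C:\Windows\System32\mshta.exe C:\Users\Public\core\x.hta"))
    (root / "run.bat").write_text(
        '@echo off\r\nstart mshta.exe "C:\\ProgramData\\PcDirvs\\PcDirvs.hta"\r\n')
    (root / "svc.hta").write_text("<html><!-- placeholder, not a payload --></html>")
    return root


if __name__ == "__main__":
    sample = build_sample_startup()
    for path, reason in hunt_startup(sample, staging_dirs=(str(sample / "core"),)):
        print(f"{reason}: {path}")
    # On a real host: hunt_startup(DEFAULT_STARTUP)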
The C2 associated with the activity is currently inactive, but the Windows Registry-based persistence ensures that the threat can be resurrected at any time in the future. “The DLL implements multiple HTTP GET–based endpoints to establish communication with the C2 server, perform updates, and retrieve attacker-issued commands,” CYFIRMA said. “To evade static string detection, the endpoint characters are intentionally stored in reversed order.” The list of endpoints is as follows:
- /retsiger (register), to register the infected system with the C2 server
- /taebtraeh (heartbeat), to beacon its presence to the C2 server
- /dnammoc_teg (get_command), to run arbitrary commands via “cmd.exe”
- /dnammocmvitna (antivmcommand), to query or set an anti-VM status and likely adjust behavior
The DLL also queries installed antivirus products on the victim system, turning it into a potent tool capable of conducting reconnaissance and gathering sensitive information.
Patchwork Linked to New StreamSpy Trojan
The disclosure comes weeks after Patchwork (aka Dropping Elephant or Maha Grass), a hacking group believed to be of Indian origin, was linked to attacks targeting Pakistan’s defense sector with a Python-based backdoor that’s distributed via phishing emails containing ZIP files, according to security researcher Idan Tarab.
Present within the archive is an MSBuild project that, when executed via “msbuild.exe,” deploys a dropper to ultimately install and launch the Python RAT. The malware is equipped to contact a C2 server and run remote Python modules, execute commands, and upload/download files. “This campaign represents a modernized, highly obfuscated Patchwork APT toolkit blending MSBuild LOLBin loaders, PyInstaller‑modified Python runtimes, marshalled bytecode implants, geofencing, randomized PHP C2 endpoints, [and] realistic persistence mechanisms,” Tarab said. As of December 2025, Patchwork has also been associated with a previously undocumented trojan named StreamSpy, which uses WebSocket and HTTP protocols for C2 communication.
While the WebSocket channel is used to receive instructions and transmit the execution results, HTTP is leveraged for file transfers. StreamSpy’s links to Patchwork, per QiAnXin, stem from its similarities to Spyder, a variant of another backdoor named WarHawk that’s attributed to SideWinder. Patchwork’s use of Spyder dates all the way back to 2023. Distributed via ZIP archives (“OPS-VII-SIR.zip”) hosted on “firebasescloudemail[.]com,” the malware (“Annexure.exe”) can harvest system information, establish persistence via the Windows Registry, a scheduled task, or a LNK file in the Startup folder, and communicate with the C2 server using HTTP and WebSocket.
The list of supported commands is below:
- F1A5C3, to download a file and open it using ShellExecuteExW
- B8C1D2, to set the shell for command execution to cmd
- E4F5A6, to set the shell for command execution to PowerShell
- FL_SH1, to close all shells
- C9E3D4, E7F8A9, H1K4R8, C0V3RT, to download encrypted zip files from the C2 server, extract them, and open them using ShellExecuteExW
- F2B3C4, to gather information about the file system and all disks connected to the device
- D5E6F7, to perform file upload and download
- A8B9C0, to perform file upload
- D1E2F3, to delete a file
- A4B5C6, to rename a file
- D7E8F9, to enumerate a specific folder
QiAnXin said the StreamSpy download site also hosts Spyder variants with extensive data collection features, adding that the malware’s digital signature exhibits correlations with a different Windows RAT called ShadowAgent attributed to the DoNot Team (aka Brainworm). Interestingly, 360 Threat Intelligence Center flagged the same “Annexure.exe” executable as ShadowAgent in November 2025. “The emergence of the StreamSpy Trojan and Spyder variants from the Maha Grass group indicates that the group is continuously iterating its arsenal of attack tools,” the Chinese security vendor said. “In the StreamSpy trojan, attackers attempt to use WebSocket channels for command issuance and result feedback to evade detection and censorship of HTTP traffic.
Additionally, the correlated samples further confirm that the Maha Grass and DoNot attack groups have some connections in terms of resource sharing.”
The ROI Problem in Attack Surface Management
Attack Surface Management (ASM) tools promise reduced risk. What they usually deliver is more information. Security teams deploy ASM, asset inventories grow, alerts start flowing, and dashboards fill up. There is visible activity and measurable output.
But when leadership asks a simple question, “Is this reducing incidents?” the answer is often unclear. This gap between effort and outcome is the core ROI problem in attack surface management, especially when ROI is measured primarily through asset counts instead of risk reduction.
The Promise vs. The Proof
Most ASM programs are built around a reasonable idea: you can’t protect what you don’t know exists. As a result, teams focus on discovery: domains and subdomains, IPs and cloud resources, third-party infrastructure, and transient or short-lived assets. Over time, counts increase. Dashboards are trending upward.
Coverage improves. But none of those metrics directly answer whether the organization is actually safer. In many cases, teams end up busier without feeling less exposed.
Why ASM Feels Busy but Not Effective
ASM tends to optimize for coverage because coverage is easy to measure: more assets discovered, more changes detected, and more alerts generated.
Each of those feels like progress. But they mostly measure inputs, not outcomes. In practice, teams experience:
- Alert fatigue
- Long backlogs of “known but unresolved” assets
- Repeated ownership confusion
- Exposure that lingers for months
The work is real. The risk reduction is harder to see.
The Measurement Gap
One reason ASM ROI is hard to prove is that most attack surface metrics focus on what the system can see, not what the organization actually improves. Common attack surface management metrics include:
- Number of assets
- Number of changes
More meaningful attack surface metrics are rarely tracked:
- How fast risky assets get owned
- How long dangerous exposure persists
- Whether attack paths actually shrink over time
Asset inventory remains foundational to measuring the external attack surface. Without broad discovery, it’s impossible to understand exposure at all. The gap appears when discovery metrics aren’t paired with measurements that show whether risk is actually being reduced.
Without outcome-oriented measurements, ASM becomes difficult to defend during budget reviews, even when everyone agrees that asset visibility is necessary.
What Would Meaningful ROI Look Like?
Instead of asking, “How many assets did we discover?” a more useful question is, “How much faster and safer did we get at handling exposure?” That reframing shifts ROI from visibility to response quality and exposure duration, things that correlate much more closely with real-world risk.
Three Outcome Metrics That Actually Matter
1. Mean Time to Asset Ownership
How long does it take to answer the basic question: “Who owns this?” Assets without clear ownership:
- Linger longer
- Get patched later
- Are more likely to be forgotten entirely
Reducing time-to-ownership shortens the window where exposure exists without accountability. It’s one of the clearest signals that ASM findings are turning into action.
2. Reduction in Unauthenticated, State-Changing Endpoints
Not all assets matter equally. Tracking how many external endpoints can change state, how many require authentication, and how those numbers change over time provides a much stronger signal of whether the attack surface is shrinking where it counts. An environment with thousands of static assets but few unauthenticated, state-changing paths is meaningfully safer than one with fewer assets but many risky entry points.
3. Time to Decommission After Ownership Loss
Exposure often persists after:
- Team changes
- Application deprecation
- Vendor migrations
- Reorgs
Measuring how quickly assets are retired once ownership disappears is one of the strongest indicators of long-term hygiene and one of the least commonly tracked. If abandoned assets stick around indefinitely, discovery alone isn’t reducing risk.
What This Looks Like in Practice
Abstract metrics are easy to agree with and hard to operationalize. The goal isn’t a new dashboard or a different set of alerts, but a shift in what’s made visible: ownership gaps, exposure duration, and unresolved risk that would otherwise blend into asset counts. Rather than emphasizing total asset count, this view surfaces:
- Which assets are owned
- Which are unresolved
- How long ownership has been unclear
The goal isn’t more alerts but faster resolution.
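As an added example, not taken from the article or from Sprocket Security’s platform, the following Python computes the three outcome metrics above over a small asset inventory. The record layout (`Asset` fields), the sample assets and the `example.test` hostnames are assumptions constructed for this illustration, not any vendor’s schema; unclaimed and still-live orphaned assets are counted up to the reporting date so that open gaps keep the numbers honest instead of dropping out of the average.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed record layout; the field names are assumptions made for this
# example, not the schema of any ASM product.
@dataclass(frozen=True)
class Asset:
    name: str
    discovered: date
    owner_confirmed: Optional[date]   # None: nobody has claimed it yet
    owner_lost: Optional[date]        # None: the owning team still exists
    decommissioned: Optional[date]    # None: still live
    state_changing: bool              # an external request can change state
    requires_auth: bool               # such a request needs authentication


def is_live(asset: Asset, today: date) -> bool:
    return asset.decommissioned is None or asset.decommissioned > today


def mean_time_to_ownership(assets, today: date) -> float:
    """Metric 1: mean days from discovery to confirmed ownership. Unclaimed
    assets are counted up to 'today', so an open gap keeps the number growing
    instead of being hidden by averaging only the resolved cases."""
    days = [((a.owner_confirmed or today) - a.discovered).days for a in assets]
    return sum(days) / len(days) if days else 0.0


def unowned_assets(assets, today: date) -> list:
    """Live assets that still have no confirmed owner: the queue to chase."""
    return [a.name for a in assets if is_live(a, today) and a.owner_confirmed is None]


def unauthenticated_state_changing(assets, today: date) -> int:
    """Metric 2: live endpoints that change state without authentication.
    Read-only assets and retired ones do not count, however many there are."""
    return sum(1 for a in assets
               if is_live(a, today) and a.state_changing and not a.requires_auth)


def mean_time_to_decommission(assets, today: date) -> float:
    """Metric 3: mean days from loss of ownership to retirement. Orphaned
    assets that are still live are counted up to 'today'."""
    days = [((a.decommissioned or today) - a.owner_lost).days
            for a in assets if a.owner_lost is not None]
    return sum(days) / len(days) if days else 0.0


def outcome_report(assets, today: date) -> dict:
    return {
        "mean_days_to_ownership": mean_time_to_ownership(assets, today),
        "unowned": unowned_assets(assets, today),
        "unauth_state_changing": unauthenticated_state_changing(assets, today),
        "mean_days_to_decommission": mean_time_to_decommission(assets, today),
        "asset_count": len(assets),  # the number the article says not to lead with
    }


TODAY = date(2026, 1, 3)
# Constructed sample inventory (hostnames are placeholders).
SAMPLE_ASSETS = [
    Asset("api.example.test", date(2025, 10, 1), date(2025, 10, 4), None, None, True, True),
    Asset("upload.example.test", date(2025, 11, 10), None, None, None, True, False),
    Asset("legacy-cms.example.test", date(2025, 6, 1), date(2025, 6, 15),
          date(2025, 9, 1), date(2025, 12, 1), True, False),
    Asset("static.example.test", date(2025, 10, 1), date(2025, 10, 2), None, None, False, False),
    Asset("vendor-portal.example.test", date(2025, 8, 1), date(2025, 8, 11),
          date(2025, 11, 15), None, True, True),
]

if __name__ == "__main__":
    for key, value in outcome_report(SAMPLE_ASSETS, TODAY).items():
        print(f"{key}: {value}")
```

Run against the same inventory each quarter and compare the three numbers rather than `asset_count`: on the sample data the unauthenticated, state-changing count is 1 (the unowned upload host) even though five assets exist, which is the distinction the article draws between volume and exposure.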
Turning ASM into a Control
ASM doesn’t struggle because teams aren’t working hard enough. It struggles because effort isn’t consistently tied to outcomes that leadership cares about. Reframing ROI around speed, ownership, and exposure duration makes it possible to show real progress, even if the raw asset count never changes.
In many cases, the most meaningful wins come from making the attack surface boring again.
A Concrete Starting Point
One way to pressure-test outcome-based ASM metrics is to make asset visibility broadly accessible across teams, not gated behind tooling silos. We’ve found that when engineering, security, and infrastructure teams can all see ownership gaps and exposure duration, resolution speeds up without adding more alerts. That thinking led us to release a community edition of our ASM platform that exposes asset discovery and ownership visibility without cost or limits.
The goal isn’t to replace existing tools, but to give teams a way to measure whether exposure is actually shrinking over time. If you want to pressure-test the ROI of your ASM program, try this: ignore how many assets you have. Instead, ask:
- How long do risky assets stay unowned?
- How many unauthenticated, state-changing paths exist today vs. last quarter?
- How quickly do abandoned assets disappear?
If those answers aren’t improving, more discovery won’t change the outcome.
Conclusion: Measure What Actually Changes Risk
Attack surface management becomes defensible when it’s measured by what changes, not just what accumulates. Discovery will always matter.
Visibility will always matter when measuring the attack surface. But neither guarantees that exposure is being reduced, only that it’s being observed. Attack surface management ROI shows up when risky assets get confirmed as owned faster, when dangerous paths disappear sooner, and when abandoned infrastructure doesn’t linger indefinitely. Asset inventory provides the necessary breadth; outcome-oriented metrics provide the depth needed to understand real risk reduction.
At Sprocket Security, we try to think about attack surface management not only in terms of how many assets exist, but also how long meaningful exposure persists and how quickly it gets resolved. What matters most is that attack surface metrics make progress visible, not just inventory growth. If an attack surface management program can’t answer whether exposure is shrinking over time, it’s hard to argue that it’s doing more than reporting the problem. Note: This article was expertly written and contributed by Topher Lyons, Solutions Engineer at Sprocket Security.
Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign
Cybersecurity researchers have disclosed details of a phishing campaign that involves the attackers impersonating legitimate Google-generated messages by abusing Google Cloud’s Application Integration service to distribute emails. The activity, Check Point said, takes advantage of the trust associated with Google Cloud infrastructure to send the messages from a legitimate email address (“noreply-application-integration@google[.]com”) so that they can bypass traditional email security filters and have a better chance of landing in users’ inboxes. “The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients,” the cybersecurity company said. Attackers have been observed sending 9,394 phishing emails targeting approximately 3,200 customers over a 14-day period observed in December 2025, with the affected organizations located in the U.S., Asia-Pacific, Europe, Canada, and Latin America.
At the heart of the campaign is the abuse of Application Integration’s “Send Email” task, which allows users to send custom email notifications from an integration. Google notes in its support documentation that only a maximum of 30 recipients can be added to the task. The fact that these emails can be configured to be sent to any arbitrary email addresses demonstrates the threat actor’s ability to misuse a legitimate automation capability to their advantage and send emails from Google-owned domains, effectively bypassing DMARC and SPF checks. “To further increase trust, the emails closely followed Google notification style and structure, including familiar formatting and language,” Check Point said.
“The lures commonly referenced voicemail messages or claims that the recipient had been granted access to a shared file or document, such as access to a ‘Q4’ file, prompting recipients to click embedded links and take immediate action.” The attack chain is a multi-stage redirection flow that commences when an email recipient clicks on a link hosted on storage.cloud.google[.]com, another trusted Google Cloud service. This is seen as a further attempt to lower user suspicion and lend the chain a veneer of legitimacy. The link then redirects the user to content served from googleusercontent[.]com, presenting them with a fake CAPTCHA or image-based verification that acts as a barrier by blocking automated scanners and security tools from scrutinizing the attack infrastructure, while allowing real users to pass through. Once the validation phase is complete, the user is taken to a fake Microsoft login page that’s hosted on a non-Microsoft domain, ultimately stealing any credentials entered by the victims.
In response to the findings, Google has blocked the phishing efforts that abuse the email notification feature within Google Cloud Application Integration, adding that it’s taking more steps to prevent further misuse. Check Point’s analysis has revealed that the campaign has primarily targeted manufacturing, technology, financial, professional services, and retail sectors, although other industry verticals, including media, education, healthcare, energy, government, travel, and transportation, have been singled out. “These sectors commonly rely on automated notifications, shared documents, and permission-based workflows, making Google-branded alerts especially convincing,” it added. “This campaign highlights how attackers can misuse legitimate cloud automation and workflow features to distribute phishing at scale without traditional spoofing.”
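Because these messages genuinely originate from Google, SPF and DMARC pass and cannot be the deciding signal; mail-flow triage has to look at the combination the report describes. The Python below is an added example, not part of Check Point’s report or any product: it parses a raw message, extracts the sender, checks whether it is the Application Integration notification address, and looks for links hosted on storage.cloud.google.com or googleusercontent.com together with the voicemail or file-access lure wording. The three sample messages are constructed; the bucket path and the example.test addresses are placeholders.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Sender address and Google-hosted link domains named in Check Point's report.
INTEGRATION_SENDER = "noreply-application-integration@google.com"
REDIRECT_HOSTS = ("storage.cloud.google.com", "googleusercontent.com")
# Lure themes the report describes: voicemail alerts and file or permission grants.
LURE_RE = re.compile(r"voicemail|granted (you )?access|shared (a |the )?(file|document)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)


def _hosted_on(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message: str) -> dict:
    """Score one raw RFC 5322 message against the campaign's signals.
    SPF/DMARC are deliberately not consulted: they pass for these messages."""
    msg = message_from_string(raw_message)
    m = re.search(r"[\w.+-]+@[\w.-]+", msg.get("From", ""))
    sender = m.group(0).lower() if m else ""
    body = _body_text(msg)
    via_integration = sender == INTEGRATION_SENDER
    redirect_links = [u for u in URL_RE.findall(body)
                      if _hosted_on((urlparse(u).hostname or "").lower(), REDIRECT_HOSTS)]
    lure = bool(LURE_RE.search(msg.get("Subject", "") + " " + body))
    # A genuine Application Integration notification from your own workflows is
    # expected traffic; it is the combination with a Google-hosted link that
    # matches the campaign, so only that combination earns a hold.
    if via_integration and redirect_links:
        verdict = "hold"
    elif redirect_links or lure:
        verdict = "review"
    else:
        verdict = "pass"
    return {"sender": sender, "via_integration": via_integration,
            "redirect_links": redirect_links, "lure": lure, "verdict": verdict}


# Constructed samples; the bucket path and example.test addresses are placeholders.
PHISHING_SAMPLE = """\
From: Google Cloud <noreply-application-integration@google.com>
Subject: You have a new voicemail
Content-Type: text/plain

You were granted access to the Q4 file. Listen to your voicemail here:
https://storage.cloud.google.com/example-bucket/voicemail-placeholder.html
"""

INTERNAL_SAMPLE = """\
From: Google Cloud <noreply-application-integration@google.com>
Subject: Integration run finished
Content-Type: text/plain

Execution completed. Details: https://console.cloud.google.com/integrations/placeholder
"""

COLLEAGUE_SAMPLE = """\
From: Pat <pat@example.test>
Subject: Shared document
Content-Type: text/plain

I have shared a document with you: https://docs.example.test/report
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE), ("internal", INTERNAL_SAMPLE),
                      ("colleague", COLLEAGUE_SAMPLE)):
        print(name, triage(raw)["verdict"])
```

The legitimate internal notification passes even though it comes from the same sender, and an ordinary colleague’s “shared a document” mail only goes to review, so the rule targets the campaign’s specific combination rather than every Google notification.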
ThreatsDay Bulletin: GhostAd Drain, macOS Attacks, Proxy Botnets, Cloud Exploits, and 12+ Stories
The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it’s that threat actors don’t pause for holidays or resolutions. They just evolve faster. This week’s round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what “cybercrime” looks like in practice.
Across the landscape, big players are being tested, familiar threats are mutating, and smaller stories are quietly signaling bigger patterns ahead. The trend isn’t about one big breach anymore; it’s about many small openings that attackers exploit with precision. The pace of exploitation, deception, and persistence hasn’t slowed; it’s only become more calculated. Each update in this edition highlights how the line between normal operations and compromise is getting thinner by the week.
Here’s a sharp look at what’s moving beneath the surface of the cybersecurity world as 2026 begins.
KMSAuto malware scam busted
Lithuanian National Extradited to S. Korea for Allegedly Distributing Malware
A Lithuanian national has been arrested for his alleged involvement in infecting 2.8 million systems with clipboard-stealing malware disguised as the KMSAuto tool for illegally activating Windows and Office software. The 29-year-old man has been extradited from Georgia to South Korea.
“From April 2020 to January 2023, the hacker distributed 2.8 million copies worldwide of malware disguised as an illegal Windows license activation program (KMSAuto),” South Korean authorities said. “Through this malware, the hacker stole virtual assets worth approximately KRW 1.7 billion ($1.2 million) in 8,400 transactions from users of 3,100 virtual asset addresses.” The suspect is alleged to have used KMSAuto as a lure to trick victims into downloading a malicious executable that functioned as a clipper malware.
Holiday ColdFusion exploit spree
Coordinated Campaign Targets Adobe ColdFusion
A new “coordinated exploitation” campaign has been observed targeting Adobe ColdFusion servers over the Christmas 2025 holiday period. “The attack appears to be a single threat actor operating from Japan-based infrastructure (CTG Server Limited),” GreyNoise said.
“This source was responsible for ~98% of attack traffic, systematically exploiting 10+ ColdFusion CVEs from 2023-2024.” The activity originated from 8 unique IP addresses and leveraged over 10 different CVEs (CVE-2023-26359, CVE-2023-38205, CVE-2023-44353, CVE-2023-38203, CVE-2023-38204, CVE-2023-29298, CVE-2023-29300, CVE-2023-26347, CVE-2024-20767, and CVE-2023-44352) to target the U.S., Spain, India, Canada, Chile, Germany, Pakistan, Cambodia, Ecuador, and France. Some of the payloads deployed following the exploitation enable direct code execution, credential harvesting (by accessing “/etc/passwd”), and JNDI lookups.
Android tablets backdoored
Kaspersky Discovers New Keenadu Pre-Installed Malware
Kaspersky said it discovered pre-installed malware on certain models of tablets running Android. The malware has been codenamed Keenadu.
“It’s a backdoor in libandroid_runtime.so,” the Russian cybersecurity company said. While the company has yet to provide additional details, backdoors of this kind can allow remote access for data exfiltration, command execution, and other forms of post-exploitation.
AI jailbreak hub shut down
r/ChatGPTjailbreak Subreddit Banned
Reddit has taken the step of banning r/ChatGPTJailbreak, a community of over 229,000 users dedicated to finding workarounds and jailbreaks for safety filters and guardrails erected by developers of large language models (LLMs). Reddit said the “community was banned for violating Rule 8,” which refers to any effort that could break the site or interfere with its normal use.
“Do not interrupt the serving of Reddit, introduce malicious code onto Reddit, make it difficult for anyone else to use Reddit due to your actions, block sponsored headlines, create programs that violate any of our other API rules, or assist anyone in misusing Reddit in any way,” the rule states. The move follows a WIRED report about how some chatbot users were sharing instructions on generating non-consensual deepfakes using photos of fully clothed women. Following the ban, the community has resurfaced at chatgptjailbreak.tech on a federated alternative called Lemmy. While the subreddit sprang forth as a red teaming hub for discussing AI jailbreaks, it goes without saying that content shared on the forum had the potential to trigger indirect prompt injections, given that the data (along with everything else posted on the platform) powers Reddit Answers, and serves as a real-time dataset for other models that leverage retrieval-augmented generation (RAG) techniques to incorporate new information.
The development comes as prompt injections and jailbreaks continue to plague artificial intelligence (AI) systems, with actors, both good and bad, continuously exploring ways to circumvent protections put in place to prevent misuse. Indeed, a new study from Italy’s Icaro Lab, Sapienza University of Rome, and Sant’Anna School of Advanced Studies found that adversarial poetic prompts have a higher attack-success rate (ASR) against LLMs and cause them to skirt contemporary safety mechanisms designed to block production of explicit or harmful content like child sex abuse material, hate speech, and instructions on how to make chemical and nuclear weapons. “When prompts with identical task intent were presented in poetic rather than prose form, the Attack Success Rate (ASR) increased from 8.08% to 43.07%, on average – a fivefold increase,” researchers said.
Macs join GlassWorm hitlist
GlassWorm Shows Up Again, This Time Targeting Macs
The supply chain campaign known as GlassWorm has resurfaced a fourth time with three suspicious extensions on the Open VSX marketplace that are designed to exclusively target macOS users.
These extensions attracted 50,000 downloads. The primary objective of these extensions is to target over 50 browser extension wallets and steal funds. The names of the extensions are: studio-velte-distributor.pro-svelte-extension, cudra-production.vsce-prettier-pro, and Puccin-development.full-access-catppuccin-pro-extension. Conspicuously absent are the invisible Unicode techniques and the Rust binaries.
“This time, the payload is wrapped in AES-256-CBC encryption and embedded in compiled JavaScript – but the core mechanism remains the same: fetch the current C2 endpoint from Solana, execute what it returns,” Koi said. “What’s new is the target: code designed to replace hardware wallet applications with trojanized versions.” As of December 29, 2025, the C2 server endpoints for the trojanized wallets are returning empty files, suggesting that the campaign is still under development. The targeting of Macs is intentional, as the devices are prevalent in cryptocurrency, Web3, and startup environments. The shift is complemented by the use of AppleScript for stealth execution instead of PowerShell and LaunchAgents for persistence.
The malware, besides waiting for 15 minutes before activating its malicious behavior, is designed to facilitate the theft of the iCloud Keychain database and developer credentials, such as GitHub tokens, npm tokens, and the contents of the ~/.ssh directory.
Regulators misled by cleanup tactic
Meta Drafted “Playbook” to Stall Efforts to Tackle Scammers
With Meta attracting scrutiny for allowing scammers to advertise through its platform, a new report from Reuters found that the company attempted to fend off pressure from regulators to crack down on the threat by making scam ads and problematic content “not findable” when authorities search for them through its Ad Library, at the same time it launched an “enforcement blitz” to reduce the volume of offending ads. “To perform better on that test, Meta staffers found a way to manage what they called the ‘prevalence perception’ of scam ads returned by Ad Library searches, the documents show. First, they identified the top keywords and celebrity names that Japanese Ad Library users employed to find the fraudulent ads.
Then they ran identical searches repeatedly, deleting ads that appeared fraudulent from the library and Meta’s platforms,” Reuters reported. “The tactic successfully removed some fraudulent advertising of the sort that regulators would want to weed out. But it also served to make the search results that Meta believed regulators were viewing appear cleaner than they otherwise would have.” The search result cleanup effort was so successful that Japanese regulators did not enforce rules that would have otherwise required it to verify the identity of all its advertisers. The tactic was then added to its “general global playbook” to avoid regulatory scrutiny in other markets, including the U.S., Europe, India, Australia, Brazil, and Thailand, according to leaked internal documents.
Meta has pushed back against the claims, stating the cleaning effort also helps to remove the ads from its systems as well.
Smart contract upgrade exploited
Unleash Protocol Loses $3.9M in Crypto Following Hack
The decentralized intellectual property platform Unleash Protocol said it “detected unauthorized activity” involving its smart contracts that led to the withdrawal and transfer of user funds worth approximately $3.9 million, per blockchain security company PeckShield. “Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade,” it said. “This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures.” Once they were withdrawn, the assets were bridged using third-party infrastructure and transferred to external addresses.
The incident originated within Unleash Protocol’s governance and permission framework, the company added. The stolen funds have been deposited into the Tornado Cash cryptocurrency mixing service in the form of 1,337.1 ETH. Users are advised to refrain from interacting with Unleash Protocol contracts until further notice.
FTC fines Disney over COPPA
Disney to Pay $10M to Settle Children Privacy Violations in the U.S.
The U.S. Justice Department (DoJ) said Disney has agreed to pay a $10 million civil penalty as part of a settlement to resolve Federal Trade Commission (FTC) allegations that the entertainment giant violated children’s privacy laws in connection with its YouTube video content. The FTC had argued that Disney failed to correctly designate YouTube video content as directed toward children, allowing the company to serve targeted ads on the platform and unlawfully collect their information without parental notice and consent. The order also bars Disney from operating on YouTube in a manner that violates child privacy laws in the U.S. and requires it to create a program that will ensure it properly complies with COPPA on YouTube going forward.
Fake glitch scam toolkit exposed
New ErrTraffic Service Enables ClickFix Attacks via Fake Browser Glitches
A new cybercrime tool called ErrTraffic allows threat actors to automate ClickFix attacks by generating fake glitches on compromised websites to induce a false sense of urgency and deceive users into following malicious instructions. Hudson Rock, which detailed the toolkit, said the “comprehensive software suite industrializes the deployment of ClickFix lures.” The service, advertised by a threat actor named “LenAI,” is a cross-platform threat capable of targeting Windows, macOS, Linux, and Android to deliver tailored payloads. The ErrTraffic control panel is a self-hosted PHP application that incorporates hard-coded exclusions for Commonwealth of Independent States (CIS) countries.
Once set up, an attacker can connect the panel to compromised websites via a single line of HTML injection. This allows them to serve information stealers and Android banking trojans via ClickFix-style instructions that claim to fix the issue by installing a browser update, downloading a system font, or pasting something in the command prompt.
New Magecart Campaign Discovered
Source Defense Research has flagged a new global Magecart campaign that hijacks checkout and account creation flows. The activity leverages modular, localized payloads targeting services like Stripe, Mollie, PagSeguro, OnePay, and PayPal.
It “uses fake payment forms, phishing iframes, and silent skimming, plus anti-forensics tricks (hidden inputs, Luhn-valid junk cards).” The activity is also designed to steal credentials and personal information, enabling account takeovers and long-term persistence via rogue admin access. “This is Magecart evolving into [a] full identity compromise,” it said.
How Hacktivist Proxies Offer Plausible Deniability
Hacktivist proxy operations refer to activities in which ideologically aligned, non-state cyber groups conduct disruptive operations that align with state geopolitical interests without requiring formal sponsorship, command-and-control, or direct tasking. These activities primarily rely on public claims, volunteer participation, and low-complexity techniques to impose psychological, political, and operational costs on adversaries while allowing the benefiting state to enjoy plausible deniability.
“The model follows a consistent activation sequence: geopolitical trigger events such as sanctions, military assistance announcements, or diplomatic escalations are followed by rapid narrative mobilization in hacktivist communication channels, volunteer coordination, targeted disruptive activity (primarily DDoS attacks, defacement, and symbolic intrusions), and public amplification of claimed impact,” CYFIRMA said. “Activity typically de-escalates once signalling objectives are achieved, distinguishing these operations from sustained cybercrime or espionage campaigns.” The development comes as cyber operations have become an integral component of pursuing strategic geopolitical objectives. Under the Hacktivist Proxy Operations model, ideologically aligned cyber groups function as deniable instruments of pressure without direct control from the state. This allows hacktivist groups to apply disruptive force or shape narratives in a manner that gives the state a strategic advantage without assuming explicit responsibility.
OceanLotus Targets China’s Xinchuang Initiative
In 2022, the Chinese government ramped up a major initiative called Xinchuang that aims for technological self-reliance by replacing foreign hardware and software with domestic alternatives in key sectors like government and finance, with an aim to build an independent IT ecosystem and mitigate geopolitical risks. According to a new report from QiAnXin, the OceanLotus group has been targeting such domestic information innovation platforms and Windows systems using phishing lures containing desktop files, PDF documents, and Java Archive (JAR) files to download next-stage payloads. As of mid-2025, the threat actor was observed exploiting CVE-2023-52076 (CVSS score: 8.5), a remote code execution flaw impacting the Atril document viewer, to launch a desktop file that ultimately executes a Python downloader. “The ELF Trojan released by the OceanLotus group on indigenous innovation platforms has slight differences from traditional Linux ELF files,” QiAnXin said.
“This indigenous innovation Trojan achieves a precise compatibility attack by zeroing out the three bytes following the ELF file Magic Number (used to identify bitness, endianness, and version). This results in traditional Linux systems refusing to execute the file due to format errors, while the indigenous innovation platform can parse and run it normally. This carefully designed detail fully demonstrates OceanLotus’s in-depth understanding of the underlying operation mechanism of domestic indigenous innovation systems.” Also deployed by OceanLotus is a passive backdoor targeting IoT devices such as routers.
Exploiting AWS IAM Eventual Consistency for Persistence
Researchers have found that AWS IAM eventual consistency creates a 4-second window that attackers can exploit, allowing them to leverage deleted AWS access keys.
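One way a defender can hunt for that window after the fact is to replay CloudTrail and look for any call signed with an access key after that key's DeleteAccessKey event, then treat any key such a call created as revoked too. This is an added example, not the OFFENSAI research or an AWS tool; the CloudTrail-style records, key IDs and timestamps below are constructed.

```python
"""Detect AWS access keys used after their DeleteAccessKey event.

Added example, not the OFFENSAI research or any AWS tool. It walks
CloudTrail-style records (field names follow the CloudTrail schema; the
values below are constructed) and flags calls signed with a key that was
already deleted, plus any key such a call created, because a key minted
inside the eventual-consistency window stays valid after the original is gone.
"""
from datetime import datetime, timezone

# Constructed records: AKIAEXAMPLEKEY1 is deleted at 12:00:00 and reused two
# seconds later to mint AKIANEWKEY000002, which is then used normally.
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-03T11:59:50Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY1", "userName": "deploy"}},
    {"eventTime": "2026-01-03T12:00:00Z", "eventName": "DeleteAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAADMINKEY0000", "userName": "secops"},
     "requestParameters": {"accessKeyId": "AKIAEXAMPLEKEY1", "userName": "deploy"}},
    {"eventTime": "2026-01-03T12:00:02Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY1", "userName": "deploy"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIANEWKEY000002"}}},
    {"eventTime": "2026-01-03T12:05:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIANEWKEY000002", "userName": "deploy"}},
]


def _parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a literal Z suffix."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_deletion_use(events):
    """Return findings for calls made with deleted keys or their descendants.

    Events are processed in time order, so a deletion is known before any
    later use of the same key id. Keys created by a flagged call are marked
    as descendants and their own later use is flagged as well.
    """
    ordered = sorted(events, key=lambda e: _parse_time(e["eventTime"]))
    deleted_at = {}    # key id -> time of its DeleteAccessKey event
    descendants = {}   # key id -> the deleted key that created it
    findings = []
    for ev in ordered:
        when = _parse_time(ev["eventTime"])
        name = ev.get("eventName")
        caller = (ev.get("userIdentity") or {}).get("accessKeyId")
        finding = None
        if caller in deleted_at:
            lag = (when - deleted_at[caller]).total_seconds()
            finding = {"event_name": name, "access_key": caller,
                       "seconds_after_deletion": lag,
                       "reason": "deleted key still accepted"}
        elif caller in descendants:
            finding = {"event_name": name, "access_key": caller,
                       "seconds_after_deletion": None,
                       "reason": "created by deleted key " + descendants[caller]}
        if finding is not None:
            if name == "CreateAccessKey":
                new_key = (((ev.get("responseElements") or {}).get("accessKey")
                            or {}).get("accessKeyId"))
                if new_key:
                    descendants[new_key] = caller
                    finding["spawned_key"] = new_key
            findings.append(finding)
        # Record the deletion after the check so a key deleting itself is
        # not reported as post-deletion use.
        if name == "DeleteAccessKey":
            target = (ev.get("requestParameters") or {}).get("accessKeyId")
            if target and target not in deleted_at:
                deleted_at[target] = when
    return findings


def keys_to_revoke(findings):
    """Key ids that outlive a revocation and must be deleted as well."""
    spawned = {f["spawned_key"] for f in findings if "spawned_key" in f}
    inherited = {f["access_key"] for f in findings
                 if f["seconds_after_deletion"] is None}
    return spawned | inherited


if __name__ == "__main__":
    results = find_post_deletion_use(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print("revoke:", sorted(keys_to_revoke(results)))
```

Because the spawned key is a valid, undeleted credential, the second finding is the one that matters operationally: revoking the original key alone leaves the descendant in place.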
“The cause is eventual consistency in AWS Identity and Access Management and, if improperly handled, can be exploited by attackers to have access in your AWS environment, even after defenders believe credentials are revoked,” OFFENSAI said. “The distributed nature of AWS infrastructure means that credential validation, caching layers, and edge services may create brief windows where revoked access keys remain temporarily valid. In short, the attacker can use a deleted set of access keys to create a new one, achieving persistence this way.” To mitigate any potential security risks, AWS customers are advised to avoid long-term IAM access keys and instead use temporary credentials or leverage IAM roles and federation for programmatic access to AWS services.
New IPCola Proxy Network Emerges
A new proxy network called IPCola (“ipcola[.]com”) has claimed to offer more than 1.6 million unique IP addresses comprising IoT, desktop, and mobile devices from over 100 countries for sale.
A majority of the infected devices are located in India, Brazil, Mexico, and the U.S. “IPCola is a non-KYC proxy provider, allowing anyone to sign up on the platform, deposit crypto, and […] start using the proxies without restriction,” Synthient said. “Like most platforms, IPCola allows users to purchase residential, datacenter, and ISP proxies, each with its own drawbacks and advantages.” Further infrastructure analysis has revealed that the service is powered by GaGaNode, a decentralized bandwidth monetization service that enables users and publishers to earn cryptocurrency for their bandwidth or monetize other people’s bandwidth. Users can either run the standalone GaGaNode application or integrate into their apps a software development kit (SDK) that implements the proxy functionality.
More significantly, the SDK facilitates remote code execution (RCE) on any device running the SDK, representing a major escalation of the threat. It’s believed that a Chinese company named NuoChen is behind IPCola and its Chinese-only version, InstaIP.
GhostAd and SkyWalk Adware Targets Android, iOS
A large-scale Android adware campaign has been observed silently draining resources and interfering with normal phone use through persistent background activity. The campaign, dubbed GhostAd, leverages a network of at least 15 Android applications on Google Play masquerading as harmless utility and emoji-editing tools.
These apps were cumulatively downloaded millions of times, with one of the apps reaching the #2 spot in Google Play’s “Top Free Tools” category. The names of some of the apps are Vivid Clean and GenMoji Studio. All these apps have since been removed from Google Play. “Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data,” Check Point said.
Besides enabling persistent execution via a foreground service, the malware uses a JobScheduler to trigger ad-loading tasks every time it’s terminated. The attacks appear to be concentrated around the Philippines, Pakistan, and Malaysia. “GhostAd integrates multiple legitimate advertising software development kits (SDKs), including Pangle, Vungle, MBridge, AppLovin, and BIGO, but uses them in a way that violates fair-use policies,” the company said. “Instead of waiting for user interaction, the apps continuously load, queue, and refresh ads in the background, using Kotlin coroutines to sustain the cycle.
This design quietly generates ad impressions and revenue, all while draining device resources.” In a related development, DoubleVerify revealed details of a fraud scheme codenamed SkyWalk that uses innocent-seeming iOS gaming apps to charge advertisers for phony ad impressions. The operation uses a set of iOS games that serve ads inside invisible browser windows using the UniSkyWalking iOS mobile framework. “But when a user opens one, the app also secretly launches hidden websites on the user’s iOS device,” DoubleVerify said. “As the user plays ‘Sushi Party’ or ‘Bicycle Race’ in the app, the hidden sites run in the background, undetected, serving ads no one sees.
Impressions are reported. Advertisers get billed. Not a single ad is viewed by a human.”
Amazon Blocks N. Korea IT Worker Scheme
Hackers affiliated with North Korea (aka DPRK) stole more than $2 billion worth of cryptocurrency in 2025, a significant increase from the roughly $1.3 billion recorded in 2024.
This includes the record-breaking $1.5 billion Bybit heist in February 2025. Despite the overall jump in stolen cryptocurrency in 2025, the actual frequency of attacks conducted by North Korean hackers has declined. This drop in operational tempo in the wake of the Bybit hack is likely an attempt to focus on laundering the stolen cryptocurrency. At the same time, Pyongyang’s crypto theft operations are increasingly relying on its IT workers to land jobs at cryptocurrency exchanges, custodians, and Web3 companies.
While North Korea’s effort to infiltrate Western companies with fake IT workers is well-known, 2025 may have been the first time the IT army has shifted from securing positions to posing as recruiters for crypto and other types of Web3 businesses. As part of these efforts, the threat actors run fake technical assessments that grant them unauthorized access to developer machines and ultimately steal credentials and source code, giving them remote access to target networks. The pervasiveness of the IT worker threat was exemplified recently by Amazon, which has stopped more than 1,800 suspected North Korean operatives from joining its workforce since April 2024. “We’ve detected 27% more DPRK-affiliated applications quarter over quarter this year,” the tech giant’s chief security officer, Stephen Schmidt, said last month.
In one case, Amazon said it caught an IT worker by identifying an “infinitesimal delay in the typed commands.” The IT worker was hired by an Amazon contractor and was subsequently ousted from their systems within days. “For years, the regime has weaponized crypto theft as a revenue engine for weapons proliferation, sanctions evasion, and destabilizing activity,” TRM Labs said. “What the last three years make unmistakably clear is that North Korea is the most sophisticated, financially motivated cyber operator in the crypto theft ecosystem.” The year starts with no pause, just new tricks and quieter attacks. Hackers are getting smarter, not louder.
Each story here connects to a bigger shift: less noise, more precision. 2026 is already testing how alert we really are. The threats that matter now don’t shout. They blend in — until they don’t.
RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers
Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said in an analysis. React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices. According to statistics from the Shadowserver Foundation, there are about 90,300 instances that remain susceptible to the vulnerability as of December 31, 2025, out of which 68,400 instances are located in the U.S., followed by Germany (4,300), France (2,800), and India (1,500).
RondoDox, which emerged in early 2025, has broadened its scale by adding new N-day security vulnerabilities to its arsenal, including CVE-2023-1389 and CVE-2025-24893. It’s worth noting that the abuse of React2Shell to spread the botnet was previously highlighted by Darktrace, Kaspersky, and VulnCheck. The RondoDox botnet campaign is assessed to have gone through three distinct phases prior to the exploitation of CVE-2025-55182:
- March - April 2025: Initial reconnaissance and manual vulnerability scanning
- April - June 2025: Daily mass vulnerability probing of web applications like WordPress, Drupal, and Struts2, and IoT devices like Wavlink routers
- July - early December 2025: Hourly automated deployment on a large scale
In the attacks detected in December 2025, the threat actors are said to have initiated scans to identify vulnerable Next.js servers, followed by attempts to drop cryptocurrency miners (“/nuts/poop”), a botnet loader and health checker (“/nuts/bolts”), and a Mirai botnet variant (“/nuts/x86”) on infected devices. “/nuts/bolts” is designed to terminate competing malware and coin miners before downloading the main bot binary from its command-and-control (C2) server.
One variant of the tool has been found to remove known botnets, Docker-based payloads, artifacts left from prior campaigns, and associated cron jobs, while also setting up persistence using “/etc/crontab.” “It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors,” CloudSEK said. To mitigate the risk posed by this threat, organizations are advised to update Next.js to a patched version as soon as possible, segment all IoT devices into dedicated VLANs, deploy Web Application Firewalls (WAFs), monitor for suspicious process execution, and block known C2 infrastructure.
How AI and Zero Trust Work Together to Catch Attacks With No Files or Indicators
There’s one constant in cybersecurity: the threat landscape continues to rapidly evolve. To bolster their organizations’ resilience, defenders need proactive visibility and tooling across their endpoints, developer environments, and crypto stack to stay several steps ahead of attackers. In this webinar, join experts from the Zscaler Internet Access product team as they cover the next major security challenges and how enterprises can best respond to them:
- “Living off the Land” Attacks: Today’s attackers use a combination of malware and legitimate system tools like PowerShell, WMI, or RDP. File-based detection alone misses threats that blend in with trusted processes. Learn how and why gaining endpoint visibility into file-based threats, apps, and process behaviors is essential.
- Fileless “Last Mile” Reassembly Attacks: Legacy security tools are ineffective against fileless attacks, including those using only obfuscated HTML and JavaScript. Learn how a cloud-native antimalware engine that emulates malicious scripting and reassembles an executable binary in isolation can stop malicious files from being delivered to an endpoint.
- Securing Developer Environments: Developers are building and deploying applications faster than ever before. But third-party repositories and other open-source CI/CD tools can contain malicious code and vulnerabilities that can compromise your organization’s security. Inspecting encrypted traffic in developer environments can identify and defeat would-be threats. Learn how to secure development workflows with automated TLS/SSL inspection and code sandboxing.
You’ll see how Zscaler Internet Access’s capabilities, built on a foundation of zero trust and AI-powered protection, provide SOC and IT teams with the preventative tooling and visibility necessary to effectively defend against emerging threats so you can proactively fortify your security posture to protect your users, devices, and data.
How To Browse Faster and Get More Done Using Adapt Browser
As web browsers evolve into all-purpose platforms, performance and productivity often suffer. Feature overload, excessive background processes, and fragmented workflows can slow down browsing sessions and introduce unnecessary friction, especially for users who rely on the browser as a primary work environment. This article explores how adopting a lightweight, task-focused browser, like Adapt Browser, can help users browse faster, reduce distractions, and complete everyday tasks more efficiently, without relying on heavy extensions or complex configurations.
The Productivity Problem With Modern Browsing
For many professionals, the browser functions as a central hub for research, communication, content consumption, and operational work.
However, common challenges persist:
- High CPU and memory usage caused by background services
- Excessive tab proliferation leading to loss of context
- Frequent switching between browser tabs and external applications
- Reliance on extensions that negatively impact performance and stability
These issues are not always caused by the websites themselves, but by how browsers manage processes, interfaces, and workflows. This emphasizes the importance of using a fast, lightweight browser. Some fast browsing options include Adapt Browser, Opera, Edge, and Vivaldi.
Step 1: Prioritize Performance by Reducing Browser Overhead
One of the most effective ways to improve browsing speed is to minimize the browser’s baseline resource consumption.
Lightweight browsers take a different architectural approach by reducing background activity and avoiding unnecessary services that run regardless of user intent. This can result in:
- Faster page load times
- Improved responsiveness when switching tabs or windows
- Lower memory usage on systems running multiple applications
By focusing on essential functionality rather than feature parity, Adapt Browser, a performance-oriented browser, can remain responsive even during extended work sessions.
Step 2: Centralize Web-Based Workflows
A major source of inefficiency in browsing comes from constantly switching between tabs, windows, and desktop applications. Centralizing commonly used web tools within the browser interface helps streamline daily workflows.
This approach allows users to:
- Access frequently used web applications without opening new tabs
- Maintain visibility into active tools while browsing or researching
- Reduce time spent navigating between disconnected contexts
Adapt Browser achieves this by keeping work-critical tools accessible in one place, so that users can maintain momentum and reduce cognitive load.
Step 3: Reduce Distractions Through Interface Simplicity
Interface design plays a significant role in user focus. Excessive UI elements, notifications, and visual clutter can interrupt attention and slow task completion. A streamlined browser interface emphasizes:
- Clean layouts with minimal visual noise
- Clear separation between content and controls
- Reduced interruption during focused work
Adapt Browser supports this design philosophy for sustained attention, particularly for tasks such as reading, writing, and analysis.
Step 4: Improve Task Management With Smarter Window Usage
Opening multiple tabs is often a workaround for limited visibility. Instead of relying on dozens of tabs, modern browsers can optimize how content is displayed and managed. Effective strategies include:
- Viewing related content side-by-side without opening additional tabs
- Keeping search results visible while exploring linked pages
- Reducing duplicate browsing actions
By improving how windows and views are handled, users can stay organized while maintaining browsing speed. Adapt Browser offers this exact functionality, empowering users to adapt the browser to fit their workflow.
Applying These Principles With Adapt Browser
Adapt Browser follows a lightweight design philosophy centered on performance and task efficiency. Rather than attempting to replicate feature-heavy browser ecosystems, it focuses on optimizing core browsing behavior and integrated workflows. Key characteristics include:
- A lightweight architecture designed to reduce CPU and memory usage
- Integrated access to commonly used web applications and tools
- Interface elements designed to reduce distraction and tab clutter
Adapt is built as a non-Chromium browser, allowing greater control over resource usage and core browser behavior compared to browsers that rely on Chromium-based architectures. It is also AppEsteem certified, indicating that the browser meets established security and transparency standards for consumer software.
This approach supports users who want faster browsing and a more focused work experience without complex setup or customization. Additional technical details and updates can be found on Adapt Browser’s official website. Browsing faster and getting more done is not solely about internet speed; it is largely influenced by how the browser manages resources, workflows, and user attention. By reducing overhead, simplifying interfaces, and centralizing essential tools, a lightweight browser can significantly improve productivity.
As web-based work continues to expand, browser design choices play an increasingly important role in daily efficiency. Adopting a task-focused browsing approach can help users spend less time navigating and more time completing meaningful work. This article is a contributed piece from one of our valued partners.
Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack
Trust Wallet on Tuesday revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension , ultimately resulting in the theft of approximately $8.5 million in assets. “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a post-mortem published Tuesday. “The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.” Subsequently, the attacker is said to have registered the domain “metrics-trustwallet[.]com” and pushed a trojanized version of the extension with a backdoor that’s capable of harvesting users’ wallet mnemonic phrases to the sub-domain “api.metrics-trustwallet[.]com.” Cybersecurity company Koi said the malicious code triggers on every unlock and not just during seed phrase import, causing sensitive data to be exfiltrated regardless of whether victims used a password or biometrics, and whether the wallet extension had been used for months or just opened once after it was updated to version 2.68. “The code loops through every wallet in the user’s account, not just the active one.
If you had multiple wallets configured, all of them were compromised,” researchers Oren Yomtov and Yuval Ronen said. “Seed phrases are stuffed into a field called errorMessage inside what looks like standard unlock telemetry. A casual code review sees an analytics event tracking unlock success with some error metadata.” The domain “metrics-trustwallet[.]com,” for its part, resolves to “138.124.70.40,” which is hosted on Stark Industries Solutions, a bulletproof hosting service provider that was incorporated in the U.K. in February 2022, just two weeks prior to Russia’s full-scale invasion of Ukraine.
It has a history of enabling Russian state-sponsored cyber operations, as well as other cybercriminal activity. Interestingly, Koi’s analysis also found that querying the server directly returned the response “He who controls the spice controls the universe,” a Dune reference that echoes similar references observed in the Shai-Hulud npm incident. “The Last-Modified header reveals the infrastructure was staged by December 8 – over two weeks before the malicious update was pushed on December 24,” it added. “This wasn’t opportunistic.
It was planned.” The disclosure comes days after Trust Wallet urged about one million users of its Chrome extension to update to version 2.69 after a malicious update (version 2.68) was pushed by unknown threat actors on December 24, 2025, to the browser’s extension marketplace. The security incident ultimately led to $8.5 million in cryptocurrency assets being drained from 2,520 wallet addresses to no less than 17 wallet addresses controlled by the attacker. The first wallet-draining activity was publicly reported a day after the malicious update. Trust Wallet has since initiated a reimbursement claim process for impacted victims.
The company noted that reviews of submitted claims are ongoing and are being handled on a case-by-case basis. It also stressed that processing times may vary with each case due to the need to distinguish between victims and bad actors, and further protect against fraud. To prevent such breaches from occurring again, Trust Wallet said it has implemented additional monitoring capabilities and controls related to its release processes. “Sha1-Hulud was an industry-wide software supply chain attack that affected companies across multiple sectors, including but not limited to crypto,” the company said.
“It involved malicious code being introduced and distributed through commonly-used developer tooling. This allowed attackers to gain access through trusted software dependencies rather than directly targeting individual organizations.” Trust Wallet’s disclosure coincides with the emergence of Shai-Hulud 3.0 with increased obfuscation and reliability improvements, while still remaining laser-focused on stealing secrets from developer machines. “The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques,” Upwind researchers Guy Gilad and Moshe Hassan said.
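The exfiltration trick described in this article, seed phrases placed in an errorMessage field of what looks like unlock telemetry, is the kind of thing a content check on outbound analytics can catch even when code review does not. The following is an added example, not Trust Wallet's or Koi's code; the JSON event shape and the sample phrases are constructed for the example.

```python
"""Flag analytics events whose free-text fields carry a wallet recovery phrase.

Added example, not Trust Wallet's or Koi's code. It scans a constructed batch
of unlock-telemetry events (the JSON shape here is made up for the example)
and reports any string field, such as errorMessage, that looks like a BIP39
mnemonic rather than an error message, which is exactly what a reviewer
skimming "unlock telemetry" would miss.
"""
import json
import re

# BIP39 words are 3 to 8 lowercase letters and valid phrases have one of these
# word counts. This is a heuristic: a full check would also look each word up
# in the 2048-word list, which is omitted here to keep the example offline.
WORD = re.compile(r"^[a-z]{3,8}$")
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}


def looks_like_mnemonic(text):
    """True if text is only short lowercase words in a valid phrase length."""
    if not isinstance(text, str):
        return False
    words = text.split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD.match(w) for w in words)


def suspicious_fields(node, path=""):
    """Recursively yield (json_path, value) for every mnemonic-looking string."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from suspicious_fields(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from suspicious_fields(value, f"{path}[{i}]")
    elif looks_like_mnemonic(node):
        yield path, node


def scan_batch(raw_json):
    """Return one finding per suspicious field across a JSON list of events."""
    events = json.loads(raw_json)
    if isinstance(events, dict):
        events = [events]
    return [
        {"event_index": i, "event": ev.get("event"), "field": field,
         "word_count": len(value.split())}
        for i, ev in enumerate(events)
        for field, value in suspicious_fields(ev)
    ]


# Constructed batch: two legitimate unlock events and one whose per-wallet
# errorMessage fields hold 12- and 24-word phrases (NATO alphabet words stand
# in for seed words; this is not a real wallet).
SAMPLE_TELEMETRY = json.dumps([
    {"event": "unlock", "success": False,
     "errorMessage": "unlock failed because the stored keystore could not "
                     "be decrypted with password"},
    {"event": "unlock", "success": True, "errorMessage": "",
     "wallets": [{"name": "Main"}]},
    {"event": "unlock", "success": True, "wallets": [
        {"name": "Main", "errorMessage":
         "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"},
        {"name": "Savings", "errorMessage":
         "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima "
         "mike november oscar papa quebec romeo sierra tango uniform victor whiskey yankee"},
    ]},
])


if __name__ == "__main__":
    for finding in scan_batch(SAMPLE_TELEMETRY):
        print(finding)
```

The benign 12-word error string in the first event is not flagged because it contains words outside the 3-to-8 lowercase-letter shape, which is the main false-positive control this heuristic offers.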
DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide
The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster , has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox. The activity is assessed to be the work of a Chinese threat actor that Koi Security is tracking under the moniker DarkSpectre . In all, the campaigns have collectively affected over 8.8 million users spanning a period of more than seven years. ShadyPanda was first unmasked by the cybersecurity company earlier this month as targeting all three browser users to facilitate data theft, search query hijacking, and affiliate fraud.
It has been found to affect 5.6 million users, including 1.3 newly identified victims stemming from over 100 extensions flagged as connected to the same cluster. This also includes an Edge add-on named “New Tab - Customized Dashboard” that features a logic bomb that waits for three days prior to triggering its malicious behavior. The time-delayed activation is an attempt to give the impression that it’s legitimate during the review period and get it approved. Nine of these extensions are currently active, with an additional 85 “dormant sleepers” that are benign and meant to attract a user base before they are weaponized via malicious updates.
Koi said the updates were introduced after more than five years in some cases. The second campaign, GhostPoster, is mostly focused on Firefox users, targeting them with seemingly harmless utilities and VPN tools to serve malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. Further investigation into the activity has unearthed more browser add-ons, including a Google Translate (developer “charliesmithbons”) extension for Opera with nearly one million installs. The most recent discovery, The Zoom Stealer, is the third such campaign from DarkSpectre, employing a set of 18 extensions across Chrome, Edge, and Firefox for facilitating corporate intelligence by collecting online meeting-related data like meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status.
The list of identified extensions and their corresponding IDs is below:
Google Chrome
- Chrome Audio Capture (kfokdmfpdnokpmpbjhjbcabgligoelgp)
- ZED: Zoom Easy Downloader (pdadlkbckhinonakkfkdaadceojbekep)
- X (Twitter) Video Downloader (akmdionenlnfcipmdhbhcnkighafmdha)
- Google Meet Auto Admit (pabkjoplheapcclldpknfpcepheldbga)
- Zoom.us Always Show “Join From Web” (aedgpiecagcpmehhelbibfbgpfiafdkm)
- Timer for Google Meet (dpdgjbnanmmlikideilnpfjjdbmneanf)
- CVR: Chrome Video Recorder (kabbfhmcaaodobkfbnnehopcghicgffo)
- GoToWebinar & GoToMeeting Download Recordings (cphibdhgbdoekmkkcbbaoogedpfibeme)
- Meet auto admit (ceofheakaalaecnecdkdanhejojkpeai)
- Google Meet Tweak (Emojis, Text, Cam Effects) (dakebdbeofhmlnmjlmhjdmmjmfohiicn)
- Mute All on Meet (adjoknoacleghaejlggocbakidkoifle)
- Google Meet Push-To-Talk (pgpidfocdapogajplhjofamgeboonmmj)
- Photo Downloader for Facebook, Instagram, + (ifklcpoenaammhnoddgedlapnodfcjpn)
- Zoomcoder Extension (ebhomdageggjbmomenipfbhcjamfkmbl)
- Auto-join for Google Meet (ajfokipknlmjhcioemgnofkpmdnbaldi)
Microsoft Edge
- Edge Audio Capture (mhjdjckeljinofckdibjiojbdpapoecj)
Mozilla Firefox
- Twiter X Video Downloader ({7536027f-96fb-4762-9e02-fdfaedd3bfb5}, published by “invaliddejavu”)
- x-video-downloader (xtwitterdownloader@benimaddonum.com, published by “invaliddejavu”)
As is evident from the names of the extensions, a majority of them are engineered to mimic tools for enterprise-oriented videoconferencing applications like Google Meet, Zoom, and GoTo Webinar in order to exfiltrate meeting links, credentials, and participant lists over a WebSocket connection in real time. The extensions are also capable of harvesting details about webinar speakers and hosts, such as names, titles, bios, profile photos, and company affiliations, along with logos, promotional graphics, and session metadata, every time a user visits a webinar registration page in a browser with one of the extensions installed.
These add-ons have been found to request access to more than 28 video conferencing platforms, including Cisco WebEx, Google Meet, GoTo Webinar, Microsoft Teams, and Zoom, among others, regardless of whether they required access to them in the first place. “This isn’t consumer fraud - this is corporate espionage infrastructure,” researchers Tuval Admoni and Gal Hachamov said.
“The Zoom Stealer represents something more targeted: systematic collection of corporate meeting intelligence. Users got what was advertised. The extensions earned trust and positive reviews. Meanwhile, surveillance ran silently in the background.” The cybersecurity company said the gathered information could be used to fuel corporate espionage by selling the data to other bad actors, and enable social engineering and large-scale impersonation operations.
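An added example (not Koi's code) of how a defender could audit installed extensions against the two signals above: the published extension IDs, and host permissions that cover far more conferencing platforms than a single-purpose tool needs. The sample manifest and the platform hostnames are constructed assumptions.

```python
import json
import re

# Extension IDs published in the report (Chrome and Edge listings above).
REPORTED_IDS = {
    "kfokdmfpdnokpmpbjhjbcabgligoelgp", "pdadlkbckhinonakkfkdaadceojbekep",
    "akmdionenlnfcipmdhbhcnkighafmdha", "pabkjoplheapcclldpknfpcepheldbga",
    "aedgpiecagcpmehhelbibfbgpfiafdkm", "dpdgjbnanmmlikideilnpfjjdbmneanf",
    "kabbfhmcaaodobkfbnnehopcghicgffo", "cphibdhgbdoekmkkcbbaoogedpfibeme",
    "ceofheakaalaecnecdkdanhejojkpeai", "dakebdbeofhmlnmjlmhjdmmjmfohiicn",
    "adjoknoacleghaejlggocbakidkoifle", "pgpidfocdapogajplhjofamgeboonmmj",
    "ifklcpoenaammhnoddgedlapnodfcjpn", "ebhomdageggjbmomenipfbhcjamfkmbl",
    "ajfokipknlmjhcioemgnofkpmdnbaldi", "mhjdjckeljinofckdibjiojbdpapoecj",
}
# Platforms named in the report, keyed by one hostname each (assumed, illustrative).
PLATFORM_HOSTS = {
    "Cisco WebEx": "webex.com",
    "Google Meet": "meet.google.com",
    "GoTo Webinar": "gotowebinar.com",
    "Microsoft Teams": "teams.microsoft.com",
    "Zoom": "zoom.us",
}

def host_matches(pattern, hostname):
    """True if a Chrome match pattern like '*://*.zoom.us/*' covers hostname
    (simplified: scheme and path are ignored)."""
    if pattern == "<all_urls>":
        return True
    m = re.match(r"^[\w*]+://([^/]+)(?:/.*)?$", pattern)
    if not m:
        return False
    host = m.group(1).lower()
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]
        return hostname == base or hostname.endswith("." + base)
    return hostname == host

def platforms_reachable(manifest):
    """Platforms whose hosts fall under the manifest's host permissions
    (MV3 host_permissions plus URL-style entries in MV2 permissions)."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    return sorted(name for name, host in PLATFORM_HOSTS.items()
                  if any(host_matches(p, host) for p in patterns))

def audit(ext_id, manifest, threshold=3):
    """Findings for one installed extension: a listed ID, or access to at
    least `threshold` conferencing platforms (more than one tool needs)."""
    findings = []
    if ext_id in REPORTED_IDS:
        findings.append("id listed in the DarkSpectre report")
    reached = platforms_reachable(manifest)
    if len(reached) >= threshold:
        findings.append("broad conferencing access: " + ", ".join(reached))
    return findings

# Constructed manifest for a "Zoom downloader" that requests every platform.
SAMPLE_MANIFEST = json.loads('''{"manifest_version": 3,
  "name": "Zoom Easy Downloader (constructed sample)",
  "host_permissions": ["*://*.zoom.us/*", "*://meet.google.com/*",
    "*://*.webex.com/*", "*://teams.microsoft.com/*", "*://*.gotowebinar.com/*"]}''')
```

Run `audit(ext_id, manifest)` over each installed extension's manifest.json; a listed ID is an indicator, while broad conferencing access on a single-purpose tool is a reason to review.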
The Chinese links to the operation are based on several clues: consistent use of command-and-control (C2) servers hosted on Alibaba Cloud, Internet Content Provider (ICP) registrations linked to Chinese provinces like Hubei, code artifacts containing Chinese-language strings and comments, and fraud schemes specifically aimed at Chinese e-commerce platforms such as JD.com and Taobao. “DarkSpectre likely has more infrastructure in place right now – extensions that look completely legitimate because they are legitimate, for now,” Koi said. “They’re still in the trust-building phase, accumulating users, earning badges, waiting.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Critical CVSS 9.8 Flaw Found in IBM API Connect Authentication System
IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application. The vulnerability, tracked as CVE-2025-13915, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw. “IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application,” the tech giant said in a bulletin.
The shortcoming affects the following versions of IBM API Connect -
10.0.8.0 through 10.0.8.5
10.0.11.0
Customers are advised to follow the steps outlined below -
Download the fix from Fix Central
Extract the files: Readme.md and ibm-apiconnect-
Researchers Spot Modified Shai-Hulud Worm Testing Payload on npm Registry
Cybersecurity researchers have disclosed details of what appears to be a new strain of Shai Hulud on the npm registry with slight modifications from the previous wave observed last month. The npm package that embeds the novel Shai Hulud strain is “@vietmoney/react-big-calendar,” which was uploaded to npm back in March 2021 by a user named “hoquocdat.” It was updated for the first time on December 28, 2025, to version 0.26.2. The package has been downloaded 698 times since its initial publication. The latest version has been downloaded 197 times.
Aikido, which spotted the package, said it has not spotted any major spread or infections following the release of the package. “This suggests we may have caught the attackers testing their payload,” security researcher Charlie Eriksen said. “The differences in the code suggest that this was obfuscated again from the original source, not modified in place. This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm.” The Shai-Hulud attack first came to light in September 2025, when trojanized npm packages were found stealing sensitive data like API keys, cloud credentials, and npm and GitHub tokens, and exfiltrating them to GitHub repositories using the pilfered tokens.
In the second wave spotted in November 2025, the repositories contained the description “Sha1-Hulud: The Second Coming.” But the most important aspect of the campaign is its ability to weaponize the npm tokens to fetch the 100 other most-downloaded packages associated with the developer, introduce the same malicious changes, and push them to npm, thereby expanding the scale of the supply chain compromise in a worm-like manner. The new strain comes with noticeable changes -
The initial file is now called “bun_installer.js” and the main payload is referred to as “environment_source.js”
The GitHub repositories to which the secrets are leaked feature the description “Goldox-T3chs: Only Happy Girl.”
The names of the files that contain the secrets are: 3nvir0nm3nt.json, cl0vd.json, c9nt3nts.json, pigS3cr3ts.json, and actionsSecrets.json
The removal of the “dead man switch” that resulted in the execution of a wiper if no GitHub or npm tokens were found to abuse for data exfiltration and self-replication
Other important modifications include better error handling when TruffleHog’s credential scanner times out, improved operating system-based package publishing, and tweaks to the order in which data is collected and saved.
Fake Jackson JSON Maven Package Drops Cobalt Strike Beacon
The development comes as the supply chain security company said it identified a malicious package (“org.fasterxml.jackson.core/jackson-databind”) on Maven Central that poses as a legitimate Jackson JSON library extension (“com.fasterxml.jackson.core”), but incorporates a multi-stage attack chain that delivers platform-specific executables. The package has since been taken down.
Present within the Java Archive (JAR) file is heavily obfuscated code that kicks into action once an unsuspecting developer adds the malicious dependency to their “pom.xml” file. “When the Spring Boot application starts, Spring scans for @Configuration classes and finds JacksonSpringAutoConfiguration,” Eriksen said. “The @ConditionalOnClass({ApplicationRunner.class}) check passes (ApplicationRunner is always present in Spring Boot), so Spring registers the class as a bean. The malware’s ApplicationRunner is invoked automatically after the application context loads.
No explicit calls required.” The malware then looks for a file named “.idea.pid” in the working directory. The choice of the file name is intentional and is designed to blend in with IntelliJ IDEA project files. Should such a file exist, it’s a signal to the malware that an instance of itself is already running, causing it to silently exit. In the next step, the malware proceeds to check the operating system and contact an external server (“m.fasterxml[.]org:51211”) to fetch an encrypted response containing URLs to a payload to be downloaded based on the operating system.
The payload is a Cobalt Strike beacon, a legitimate adversary simulation tool that can be abused for post-exploitation and command-and-control. On Windows, it’s configured to download and execute a file called “svchosts.exe” from “103.127.243[.]82:8000,” while a payload referred to as “update” is downloaded from the same server for Apple macOS systems. Further analysis has revealed that the typosquatted domain fasterxml[.]org was registered via GoDaddy on December 17, 2025, merely a week before the malicious Maven package was detected. “This attack exploited a specific blind spot: TLD-style prefix swaps in Java’s reverse-domain namespace convention,” Eriksen said.
“The legitimate Jackson library uses com.fasterxml.jackson.core, while the malicious package used org.fasterxml.jackson.core.” The problem, Aikido said, stems from Maven Central’s inability to detect copycat packages that employ similar prefixes as their legitimate counterparts to deceive developers into downloading them. It’s recommending that the package repository maintainers consider flagging such packages for review, and maintain a list of high-value namespaces and subject any package published under similar-looking namespaces to additional verification to ensure they are legitimate.
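An added example, not Aikido's or Maven Central's code, of the namespace check the passage recommends: it parses a pom.xml and flags any groupId that matches a protected reverse-domain namespace except for its top-level segment (org.fasterxml.jackson.core against com.fasterxml.jackson.core). The protected entries beyond the Jackson one, and the sample POM with its versions, are constructed.

```python
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# High-value namespaces a registry might protect. The Jackson entry comes
# from the report; the other two are illustrative additions.
PROTECTED_GROUPS = [
    "com.fasterxml.jackson.core",
    "org.springframework.boot",
    "com.google.guava",
]

def split_tld(group_id):
    """'com.fasterxml.jackson.core' -> ('com', 'fasterxml.jackson.core')."""
    head, _, rest = group_id.partition(".")
    return head, rest

def lookalike_of(group_id):
    """The protected groupId that group_id imitates through a swapped
    top-level segment, or None if it is an exact match or unrelated."""
    tld, rest = split_tld(group_id.lower())
    for protected in PROTECTED_GROUPS:
        p_tld, p_rest = split_tld(protected)
        if rest == p_rest and tld != p_tld:
            return protected
    return None

def parse_dependencies(pom_text):
    """Yield (groupId, artifactId, version) for each <dependency> in a POM."""
    root = ET.fromstring(pom_text)
    for dep in root.iter(POM_NS + "dependency"):
        yield tuple(dep.findtext(POM_NS + tag, "").strip()
                    for tag in ("groupId", "artifactId", "version"))

def flag_lookalikes(pom_text):
    """Return [(groupId:artifactId, imitated groupId)] for suspect deps."""
    hits = []
    for group, artifact, _ in parse_dependencies(pom_text):
        imitated = lookalike_of(group)
        if imitated:
            hits.append((f"{group}:{artifact}", imitated))
    return hits

# Constructed POM: the genuine Jackson coordinates next to the copycat
# groupId reported above (version numbers are made up).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.17.0</version>
    </dependency>
    <dependency>
      <groupId>org.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, imitated in flag_lookalikes(SAMPLE_POM):
        print(f"SUSPECT {coord} imitates {imitated}")
```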
U.S. Treasury Lifts Sanctions on Three Individuals Linked to Intellexa and Predator Spyware
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Tuesday removed three individuals linked to the Intellexa Consortium, the holding company behind a commercial spyware known as Predator, from the specially designated nationals list. The names of the individuals are as follows -
Merom Harpaz
Andrea Nicola Constantino Hermes Gambazzi
Sara Aleksandra Fayssal Hamou
Hamou was sanctioned by OFAC in March 2024, and Harpaz and Gambazzi were targeted in September 2024 in connection with developing, operating, and distributing Predator. The Treasury’s press release does not give any reason as to why they were removed from the list.
However, in a statement shared with Reuters, it said the removal “was done as part of the normal administrative process in response to a petition request for reconsideration.” The department added that the individuals had “demonstrated measures to separate themselves from the Intellexa Consortium.” Harpaz is said to be working as a manager of Intellexa S.A., while Gambazzi was identified as the owner of Thalestris Limited and Intellexa Limited. Thalestris, the Treasury Department said, held the distribution rights to the spyware, and processed transactions on behalf of other entities within the Intellexa Consortium. It’s also the parent company of Intellexa S.A. Hamou was listed by the Treasury as one of the key enablers of the Intellexa Consortium, working as a corporate off-shoring specialist in charge of providing managerial services, including renting office space in Greece on behalf of Intellexa S.A.
It’s not known if these individuals are still holding the same positions. At that time, the agency said the proliferation of commercial spyware presents a growing security risk to the U.S. and its citizens. It called for the need to establish guardrails to ensure the responsible development and use of these technologies while balancing human rights and civil liberties of individuals.
“Any hasty decisions to remove sanctions from individuals involved in attacking U.S. persons and interests risk signaling to bad actors that this behavior may come with little consequences as long as you pay enough [money] for fancy lobbyists,” said Natalia Krapiva, senior tech legal counsel at Access Now. The development comes merely weeks after an Amnesty International report revealed that a human rights lawyer from Pakistan’s Balochistan province was targeted by a Predator attack attempt via a WhatsApp message. Active since at least 2019, Predator is designed for stealth, leaving little to no traces of compromise, while harvesting sensitive data from infected devices.
It’s typically delivered via 1-click or zero-click attack vectors. Similar to NSO Group’s Pegasus, the tool is officially marketed for counterterrorism and law enforcement use. But investigations have revealed a broader pattern of its deployment against civil society figures, including journalists, activists, and politicians. A Recorded Future analysis of Intellexa’s corporate web published this month found continued use of Predator despite increased public reporting and international measures.
“Several key trends are shaping the spyware ecosystem, including growing balkanization as companies split along geopolitical lines, with some sanctioned entities seeking renewed legitimacy through acquisitions while others shift toward regions with weaker oversight,” the Mastercard-owned company said. “Furthermore, rising competition and secrecy surrounding high-value exploit technologies are heightening risks of corruption, insider leaks, and attacks on spyware vendors themselves.” (The story was updated after publication to include additional information from Reuters.)
CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any authentication. “Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution,” CSA said.
Vulnerabilities of this kind allow the upload of dangerous file types that are automatically processed within an application’s environment. This could pave the way for code execution if the uploaded file is interpreted and executed as code, as is the case with PHP files. In a hypothetical attack scenario, a bad actor could weaponize this vulnerability to place malicious binaries or web shells that could be executed with the same privileges as the SmarterMail service. SmarterMail is an alternative to enterprise collaboration solutions like Microsoft Exchange, offering features like secure email, shared calendars, and instant messaging.
According to information listed on the website, it’s used by web hosting providers like ASPnix Web Hosting, Hostek, and simplehosting.ch. CVE-2025-52691 impacts SmarterMail versions Build 9406 and earlier. It has been addressed in Build 9413, which was released on October 9, 2025. CSA credited Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT) for discovering and reporting the vulnerability.
While the advisory makes no mention of the flaw being exploited in the wild, users are advised to update to the latest version (Build 9483, released on December 18, 2025) for optimal protection.
Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware
The threat actor known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0). “This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence,” CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an analysis published last week. Also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, Silver Fox is the name assigned to an aggressive cybercrime group from China that has been active since 2022. It has a track record of orchestrating a variety of campaigns whose motives range from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption, making it one of the few hacking crews with a multi-pronged approach to their intrusion activity.
Primarily focused on Chinese-speaking individuals and organisations, Silver Fox’s victimology has broadened to include organizations operating in the public, financial, medical, and technology sectors. Attacks mounted by the group have leveraged search engine optimization (SEO) poisoning and phishing to deliver variants of Gh0st RAT such as ValleyRAT, Gh0stCringe, and HoldingHands RAT (aka Gh0stBins). In the infection chain documented by CloudSEK, phishing emails containing decoy PDFs purported to be from India’s Income Tax Department are used to deploy ValleyRAT. Specifically, opening the PDF attachment takes the recipient to the “ggwk[.]cc” domain, from where a ZIP file (“tax affairs.zip”) is downloaded.
Present within the archive is a Nullsoft Scriptable Install System (NSIS) installer of the same name (“tax affairs.exe”), which, in turn, leverages a legitimate executable associated with Thunder (“thunder.exe”), a download manager for Windows developed by Xunlei, and a rogue DLL (“libexpat.dll”) that’s sideloaded by the binary. The DLL, for its part, disables the Windows Update service and serves as a conduit for a Donut loader, but not before performing various anti-analysis and anti-sandbox checks to ensure that the malware can run unimpeded on the compromised host. The loader then injects the final ValleyRAT payload into a hollowed “explorer.exe” process. ValleyRAT is designed to communicate with an external server and await further commands.
It implements a plugin-oriented architecture to extend its functionality in an ad hoc manner, thereby allowing its operators to deploy specialized capabilities to facilitate keylogging, credential harvesting, and defense evasion. “Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise,” CloudSEK said. “On-demand module delivery enables targeted credential harvesting and surveillance tailored to victim role and value.” The disclosure comes as NCC Group said it identified an exposed link management panel (“ssl3[.]space”) used by Silver Fox to track download activity related to malicious installers for popular applications, including Microsoft Teams, to deploy ValleyRAT. The service hosts information related to -
Web pages hosting backdoor installer applications
The number of clicks a download button on a phishing site receives per day
Cumulative number of clicks a download button has received since launch
The bogus sites created by Silver Fox have been found to impersonate CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QieQie, Santiao, Signal, Sigua, Snipaste, Sogou, Telegram, ToDesk, WPS Office, and Youdao, among others.
An analysis of the origin IP addresses that have clicked on the download links has revealed that at least 217 clicks originated from China, followed by the U.S. (39), Hong Kong (29), Taiwan (11), and Australia (7). “Silver Fox leveraged SEO poisoning to distribute backdoor installers of at least 20 widely used applications, including communication tools, VPNs, and productivity apps,” researchers Dillon Ashmore and Asher Glue said. “These primarily target Chinese-speaking individuals and organisations in China, with infections dating back to July 2025 and additional victims across Asia-Pacific, Europe, and North America.” Distributed via these sites is a ZIP archive that contains an NSIS-based installer that’s responsible for configuring Microsoft Defender Antivirus exclusions, establishing persistence using scheduled tasks, and then reaching out to a remote server to fetch the ValleyRAT payload.
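An added example, not CloudSEK's or NCC Group's code, of detection logic for the chain described in the two paragraphs above, run over constructed Sysmon-style event records: the thunder.exe/libexpat.dll sideload from a user-writable directory, a Defender exclusion being written, and a scheduled task whose action points into that directory. The event shape, paths and command line are assumptions, not captured telemetry.

```python
import ntpath

# Legitimate host binary / sideloaded DLL pair named in the report.
SIDELOAD_PAIRS = {("thunder.exe", "libexpat.dll")}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)

def detect_sideload(ev):
    """ImageLoad (Sysmon event 7 style): a known pair where the DLL is unsigned
    and sits beside the EXE in a user-writable directory."""
    if ev.get("event") != "ImageLoad":
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    pair = (ntpath.basename(exe).lower(), ntpath.basename(dll).lower())
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    unsigned = ev.get("Signed", "true").lower() != "true"
    if pair in SIDELOAD_PAIRS and same_dir and unsigned and in_user_writable(dll):
        return f"sideload: {pair[0]} loaded unsigned {pair[1]} from {ntpath.dirname(dll)}"
    return None

def detect_defender_exclusion(ev):
    """RegistryValueSet (event 13 style) under Defender's Exclusions key."""
    target = ev.get("TargetObject", "")
    if ev.get("event") == "RegistryValueSet" and \
            "\\windows defender\\exclusions\\" in target.lower():
        return f"defender exclusion added: {target}"
    return None

def detect_task_from_user_path(ev):
    """ProcessCreate (event 1 style): schtasks /create whose action lives in a
    user-writable path, as the NSIS installer's persistence would."""
    if ev.get("event") == "ProcessCreate" and \
            ntpath.basename(ev.get("Image", "")).lower() == "schtasks.exe":
        cmd = ev.get("CommandLine", "")
        if "/create" in cmd.lower() and any(p in cmd.lower() for p in USER_WRITABLE):
            return f"scheduled task pointing at user-writable path: {cmd}"
    return None

RULES = (detect_sideload, detect_defender_exclusion, detect_task_from_user_path)

def run_detections(events):
    """Apply every rule to every event and return the alert strings in order."""
    return [hit for ev in events for rule in RULES for hit in [rule(ev)] if hit]

# Constructed telemetry for the chain described above (not real logs).
TMP = "C:\\Users\\victim\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "Image": TMP + "\\tax affairs\\thunder.exe",
     "ImageLoaded": TMP + "\\tax affairs\\libexpat.dll", "Signed": "false"},
    {"event": "RegistryValueSet", "TargetObject":
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\" + TMP},
    {"event": "ProcessCreate", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": f'schtasks /create /tn Updater /tr "{TMP}\\tax affairs\\thunder.exe" /sc onlogon'},
    # Benign: same pair, but installed under Program Files and signed.
    {"event": "ImageLoad", "Image": "C:\\Program Files\\Thunder\\thunder.exe",
     "ImageLoaded": "C:\\Program Files\\Thunder\\libexpat.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Any one rule firing alone is weak; the three firing on the same host within a short window is the pattern worth escalating.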
The findings coincide with a recent report from ReliaQuest, which attributed the hacking group to a false flag operation mimicking a Russian threat actor in attacks targeting organizations in China using Teams-related lure sites in an attempt to complicate attribution efforts. “Data from this panel shows hundreds of clicks from mainland China and victims across Asia-Pacific, Europe, and North America, validating the campaign’s scope and strategic targeting of Chinese-speaking users,” NCC Group said.