DAILY WORKFLOW ARCHIVE

2026-07-05 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-07-05 AI创业新闻

U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

A U.S. government entity paid about $1 million to keep stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom-ISAC , built on a leaked negotiation chat and the blockchain trail the payment left. The odd part: the group that took the money calls itself Kairos , but it may not be a ransomware gang at all. Krishnan found no sign that it ever locked a single machine: no encryptor, no locker, no demand for a decryption key.

The threat was simpler. Steal the files, then charge the victim not to publish them. Krishnan does not name the victim, but the chat points to Union County, Ohio. The proof-of-theft files carry names like Union.xlsx, 1 union co psi template.doc, and a final archive called union.rar.

The victim calls itself a small county with limited resources. The attacker leans on one folder in particular, marked “prosecutors office,” warning that leaking it would help criminals dodge charges. The clues fit a real case. In May 2025, Union County, Ohio, said it detected ransomware on its network and later notified 45,487 residents and staff that their data had been taken, affecting most of the county of roughly 70,000.

The stolen records ran from Social Security and financial details to fingerprints and passport numbers. Neither the county nor Kairos has confirmed the connection. But if it holds, a county government paid about $1 million it never publicly disclosed. The Hacker News has contacted the Union County Commissioners’ Office for comment.

This story will be updated with any response. The negotiation ran for about a month. Kairos opened at $3 million and claimed it was holding more than 2 terabytes of data, some 1.6 million files. The county started at $100,000, crept up to $255,000, then $430,000.

Kairos dropped to $2 million, then set a hard final number: $1 million, pay by Friday, or the files go public. The payment on-chain: about 9.44 BTC lands in the Kairos-linked wallet. It used the usual levers: a countdown timer, tight deadlines, and threats to dump the most sensitive folders first. The county paid on June 13, 2025, ten times its first offer.

The payment was roughly 9.44 bitcoin, worth about $1 million at the time. Krishnan traced the money from there. Within hours, it was split in two and pushed through a chain of wallets toward deposit addresses tied to the crypto exchanges Bybit, OKX, and a Russian service called BELQI. That kind of tracing hands investigators leads, not names.

And the money bought nothing solid. Kairos sent over a “proof of deletion” file, but a list of file names shows only that the attacker once had the files, not that the originals were wiped. Paying to make stolen data disappear is an act of faith, and the receipt is written by the thief. Union County called what happened to it ransomware, the word everyone reaches for, but in the Kairos case, nothing was locked.

That is the real shift: much of what still gets called ransomware now skips encryption and uses the stolen data itself as the pressure point. Sophos reported in 2025 that only about half of ransomware attacks still involve any encryption, the lowest rate in six years. Some crews have dropped it entirely. Silent Ransom Group , a Conti offshoot, has spent years running pure data-theft extortion against U.S.

law and finance firms with no encryptor at all. The Kairos chat fits a familiar negotiation pattern, too. When Black Basta’s internal chats leaked in February 2025, an analysis of the messages turned up a deal that ran from a $1.5 million demand to a $100,000 counter to a $1 million payment, almost the same arc. Those chats, and the Conti leaks before them in 2022, are how researchers now reconstruct the way these bargains actually get struck.

Kairos itself has gone quiet. The leak site is down, and its last known victim showed up in June 2026. But a wallet tied to the operation was still moving money as recently as May 2026, a reminder that a dark leak site is not the same as a dead crew. For anyone running a small government network, the lessons are dull and familiar, which is rather the point.

Turn on multi-factor authentication, since Kairos claimed it got in by simply guessing a password. Watch for repeated failed logins, large outbound data transfers, and burner file-sharing links like the temp.sh addresses Kairos used to move the files. Keep legal, HR, and citizen records walled off from the rest of the network. Have a public statement plan ready before you need one.

And treat any promise to delete stolen data as worth exactly nothing. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider . “The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access,” Socket security researcher Karlo Zanki said in an analysis published this week. The 162 malicious release artifacts span multiple release versions corresponding to 108 unique packages and extensions, including 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension. Contagious Interview is the moniker assigned to a North Korea-aligned campaign that weaponizes job recruitment to target software developers and individuals working in the cryptocurrency sectors, using persuasive job interviews and assessments to trick them into executing malicious code.

The activity is known to be active since at least 2023. Attackers masquerade as recruiters or collaborators on platforms like LinkedIn, GitHub, or freelance websites, often setting up elaborate front companies and AI-generated employee profiles to build trust and ultimately deliver malware. PolinRider was first flagged by the OpenSourceMalware team in March 2026, describing it as involving the threat actors implanting malicious obfuscated JavaScript payloads in hundreds of public GitHub repositories belonging to several unique owners to deliver a new variant of BeaverTail, a known JavaScript malware associated with Contagious Interview. As of April 11, 2026, the activity has compromised 1,951 public GitHub repositories associated with 1,047 unique owners, while also merging with another cluster called TaskJacker that drops malicious VS Code task files into GitHub users’ existing repositories.

The VS Code tasks include the “runOn: ‘folderOpen’” option to trigger the execution of arbitrary code when the folder is opened as a workspace folder in an IDE like VS Code or Cursor. “The threat actor is not using stolen GitHub credentials,” OpenSourceMalware said. “Instead, the victims have been compromised via a malicious VS Code extension or npm package.” It’s believed that the attackers are taking over maintainer accounts, likely through expired domain takeover or another account recovery path, to pull off the scheme. Once executed, the malware searches the infected computer for certain files like “postcss.config.mjs,” “tailwind.config.js,” “eslint.config.mjs,” next.config.mjs,” babel.config.js,” and “app.js,” and, if found, appends malicious JavaScript code to them.

It also makes use of a Windows batch script to stealthily modify the last commit, while making it appear as if they were made by the original author. It’s suspected that similar tools are being utilized to rewrite Git history for other operating systems like Linux and macOS. “The core tradecraft remains consistent across the campaign: threat actors plant obfuscated JavaScript loaders in legitimate repositories, conceal the code through whitespace padding or fake .woff2 font files, and trigger execution through developer tooling such as VS Code task files,” Socket said. In the latest wave, the payload functions as a JavaScript malware loader that reaches out to blockchain infrastructure, including TRON, Aptos, and BNB Smart Chain services, to fetch an encrypted second-stage payload that unpacks to DEV#POPPER RAT and OmniStealer.

This attack chain was detailed by eSentire in March 2026. “The threat actors use Git history rewriting, including force pushes and anti-dated commits to make malicious changes appear older and less suspicious,” Zanki said. “This makes the GitHub landing page and visible commit history unreliable indicators of compromise; defenders should review repository activity logs, package release metadata, VS Code task configuration, and suspicious changes to configuration files.” The development comes as JFrog uncovered a cluster of npm packages linked to Contagious Interview, some of which masqueraded as Rollup polyfill tools to enable remote access and data theft. Earlier this week, another set of npm packages and Go packages was identified as incorporating VS Code auto-run tasks to run JavaScript payloads disguised as fake font files, indicating tactical overlaps between Fake Font, TaskJacker, and PolinRider.

Users who have installed these packages should treat the environment as compromised, rotate exposed secrets from a clean machine, remove affected versions and rebuild from a known good lockfile, and audit developer workstations and repositories for hidden execution paths or suspicious commits that have modified “.vscode/tasks.json,” “config.js,” “vite.config.js,” and “eslint.config.js” files. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

Security firm runZero has disclosed seven vulnerabilities in FatFs , a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws matter because FatFs is nearly everywhere. It ships inside the firmware that runs security cameras, drones, industrial controllers, hardware crypto wallets, and other devices built on real-time operating systems. On the worst-affected systems, an attacker who gets a booby-trapped USB drive, SD card, or update file onto a device can corrupt its memory and run their own code.

Many embedded devices lack the memory protections found on phones and desktops, which is why runZero says “any physical access leads to a jailbreak.” A public kiosk, a camera with an SD slot, an ATM, or a voting machine with a USB port should not hand over full control after a moment of physical access, but here it can. All seven bugs work the same basic way. The device tries to read a storage volume or firmware image that has been deliberately malformed, and FatFs mishandles the bad data. runZero rated the set CVSS Medium to High, with no Criticals.

The headline bug is CVE-2026-6682 (CVSS 7.6), an integer overflow in the code that mounts a FAT32 volume. Bad math can produce a false file size, which later code treats as a real read length. On real hardware, that can become memory corruption and code execution. Here are all seven, worst first by runZero’s ranking: CVE-2026-6682 (7.6, High): FAT32 mount integer overflow leading to memory corruption and possible code execution.

Reachable through some firmware updates, not just physical media. CVE-2026-6687 (7.6, High): an exFAT volume-label field overflows a small buffer, giving an attacker a clean memory-corruption foothold. CVE-2026-6688 (7.6, High): long filenames overflow the wrapper code many projects put around FatFs, such as a strcpy of fno.fname into a fixed buffer. Hard to fix inside FatFs alone.

CVE-2026-6685 (6.1, Medium): a math wrap in cache handling on fragmented volumes that can silently corrupt data. CVE-2026-6683 (4.6, Medium): an exFAT divide-by-zero that crashes the device. In an update flow, it can brick hardware. Also reachable through some firmware updates.

CVE-2026-6686 (4.6, Medium): a file extended past its end can leak leftover data from previously deleted files. CVE-2026-6684 (4.6, Medium): a malformed GPT partition table (the disk’s map) can hang the device during mount. It is the only one of the seven fixed upstream, in FatFs R0.16. Here is the hard part.

FatFs is maintained by one developer in a small corner of the internet, and runZero says it tried repeatedly to reach the maintainer and looped in Japan’s JPCERT/CC coordination center, with no response. By runZero’s account, there is no upstream fix for the memory-corruption bugs, no security mailing list, and no way for the many products that bundle FatFs to learn they are affected. Updating helps with the GPT hang, since the current release blocks it, but the rest fall to downstream vendors to patch on their own. runZero names affected platforms, including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and the SWUpdate updater.

That pushes the problem downstream into consumer IoT, industrial gear, drones, and crypto wallets. As of runZero’s July 1 disclosure, no attacks using these bugs had been reported, and none have surfaced since. But the exploit material is already public: runZero shipped proof-of-concept disk images, a test harness, and a working QEMU-based exploit example in a companion repository . If you build firmware that touches FAT or exFAT media, the advice is direct.

Find the copy of FatFs in your product, audit the wrapper code around it, look hard at how you handle filenames and file sizes, and plan to patch. If you run affected devices, treat physical ports and update channels as an attack surface: limit who can plug in media, and watch for vendor firmware updates. Why this keeps happening runZero first audited FatFs by hand in 2017 and found little worth reporting. Returning in March 2026, the team pointed an off-the-shelf setup at the same code: Visual Studio Code, GitHub Copilot in “auto” mode, and a few plain prompts.

The LLM built a fuzzer, a tool that feeds malformed data into code until something breaks. That surfaced bugs the manual audit had missed and helped confirm they were exploitable. That fits a growing pattern. In late 2024, Google’s Big Sleep agent found a real, exploitable memory bug in SQLite that ordinary fuzzing had missed.

Just last month, an autonomous AI agent surfaced 21 memory-safety bugs in FFmpeg , another widely embedded C library. runZero’s point is blunt: if a mostly off-the-shelf AI pipeline can find these, so can anyone, so sitting on them quietly protects no one. The patching problem is familiar. runZero expects downstream fixes to take years, not days, and PixieFail is the precedent: a 2024 batch of nine bugs in the network-boot code of EDK II , the firmware behind many PC and server brands, that vendors were slow to patch.

FatFs has the same shape and a weaker fix pipeline, because there is no responsive upstream at all. Watch for two things: whether the FatFs maintainer resurfaces with a patch, and how the big platform vendors that bundle it respond. Until they do, assume that plenty of shipping devices read untrusted storage with code that has no fix behind it. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New “Bad Epoll” Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out. Bad Epoll sits in the same small stretch of kernel code where Anthropic’s most powerful AI model, Mythos , recently found a different bug. The AI caught one flaw and missed this one.

A researcher, Jaeyoung Chung, found it and built a working attack. How the Bug Works Epoll is a standard Linux feature that lets a program watch many files or network connections at once. Servers, network services, and web browsers all lean on it. You cannot simply switch it off.

Bad Epoll is a “use-after-free” bug. Two parts of the kernel try to clean up the same internal object at the same time. One frees the memory while the other is still writing into it. That brief collision lets an attacker corrupt kernel memory, then climb from a normal account up to root.

The catch is timing. The window where the two paths collide is only about six machine instructions wide, so a random attempt almost never lands in it. Chung’s exploit widens that window and retries without crashing, reaching root about 99% of the time on tested systems. Two things make it more dangerous: by his account, it can be triggered from inside Chrome’s renderer sandbox, which blocks almost every other kernel bug, and it can reach Android, which most Linux privilege bugs cannot.

Chung submitted the flaw as a zero-day to Google’s kernelCTF program, and full technical details are in his public writeup . There is no sign it has been used in real attacks: as of this writing, it is not on CISA’s Known Exploited Vulnerabilities list, and the only working code is that kernelCTF proof of concept. An Android version of the exploit is still in progress. Both bugs trace back to a single 2023 change to the epoll code.

Chung says Mythos found the first of the two, now tracked as CVE-2026-43074, with a fix landing earlier in 2026. Anthropic has separately said Mythos found Linux kernel privilege-escalation bugs , though it has not publicly linked that work to Bad Epoll. Finding the first one was a real result, because race-condition bugs are notoriously hard to spot. So why did the same AI miss the sibling flaw?

Chung offers two likely reasons and is careful to say no one can be sure. First, the timing window is tiny, so the exact sequence of events is hard to picture even while staring at the code. Second, there is little evidence at runtime. Once the first bug is patched, Bad Epoll’s memory error usually does not trip KASAN, the kernel’s main bug detector, so nothing flags that something is wrong.

Epoll cannot be turned off, so there is no workaround. Apply upstream commit a6dc643c6931 , or install your distribution’s backport when it lands. Kernels built on 6.4 or newer are affected unless they already have the fix. Older 6.1-based kernels, including some Android phones such as the Pixel 8, are not, because the bug arrived in 6.4.

A Bad Year for the Linux Kernel Bad Epoll joins a well-known family of kernel bugs used to root Android, following earlier entries called Bad Binder , Bad IO_uring , and Bad Spin. It also lands in a busy stretch for Linux privilege flaws, though most of the recent ones work differently. Copy Fail (CVE-2026-31431) landed in April and is now on CISA’s Known Exploited Vulnerabilities list. The Dirty Frag chain , Fragnesia , DirtyClone , pedit COW came after it.

Both are deterministic page-cache-write bugs, like Dirty Pipe (2022), with no race to win, which makes them far more reliable to run. Bad Epoll is the older, harder kind: a race you have to win, like Dirty Cow (2016). A public proof-of-concept has also appeared for CVE-2026-31694 , a separate flaw in the kernel’s FUSE filesystem code, found by the AI-driven research firm Bynario. A local user with FUSE access can feed the kernel a malicious filesystem and corrupt memory.

Depending on the setup, that can mean root access, data leaks, or a crash. Because that access is common in containers and user namespaces, it lands more as a server and container risk than a phone one. Bynario is not the only one. Mythos also found and exploited a 17-year-old remote code execution bug in FreeBSD’s NFS server ( CVE-2026-4747 ), and Anthropic researchers have used its models to surface other kernel flaws .

Bad Epoll is a useful counterpoint. It shows that race conditions are hard at every stage: hard to find, even for a leading AI; hard to fix, since the first patch fell short and a correct one took about two months; and hard to exploit, through a window only six instructions wide. For now, the bug an AI walks past is still the one a person has to catch. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Avalon Malware Framework Packs CrownX Ransomware Capabilities

Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that’s distributed by means of a multi-stage phishing chain capable of bypassing traditional security controls. Avalon combines credential collection, lateral movement, remote access, recovery disruption, and ransomware execution, bringing together diverse functions under one umbrella. The ransomware component has been internally named CrownX. “The attack began with a spoofed legal document email directing recipients to a password protected archive on Proton Drive,” Blackpoint Cyber researchers Nevan Beal and Sam Decker said .

“Malicious content was embedded inside an ISO image rather than attached directly, reducing the likelihood of detection at the email layer.” Should the email recipient interact with a document-themed Windows Shortcut (“Secure Document CA-283505.pdf.lnk”) inside the mounted image, it triggers a staged malware sequence that culminates in the deployment of Avalon. Specifically, the shortcut runs a command to launch an MSBuild project located in the ISO image. The MSBuild project, for its part, loads an embedded .NET assembly, which then interferes with the regular functioning of Event Tracing for Windows (ETW) to reduce forensic visibility and download a next-stage payload over HTTPS responsible for launching Avalon. The malware framework boasts of an extensive defense evasion subsystem that aims to evade detection, while incorporating specific methods to conceal execution from security tools associated with Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender.

“These capabilities give the framework a multitude of ways to reduce telemetry, bypass user mode monitoring, and adjust its execution depending on the defensive controls present on the host,” the researchers said. The complete set of features built into Avalon is as follows - Harvest credentials, cookies, history, and bookmarks from Chromium-based browsers and Mozilla Firefox. Gather data from cryptocurrency wallet apps like MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core, along with Discord, Slack, Teams, OpenVPN, WireGuard, and Windows Credential Manager. Collect details about SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts.

Exfiltrate data to a remote server (“helloxcherry[.]com”) and poll the server for receiving tasking commands. Perform reconnaissance and prioritize systems that can expand the scope of the compromise. Encrypt files associated with business operations, software development, engineering, data storage, and virtual infrastructure using Windows Cryptography API and deliver a ransom note containing payment instructions and deadline timers that show how much time is left before the ransom amount is increased. Inhibit system recovery by terminating the Volume Shadow Copy Service and deleting shadow copies.

Remove traces of artifacts using an anti-forensic cleanup subsystem to complicate incident response efforts. Directly interact with disk structures likely in an effort to damage partition information, boot records, or other critical areas of the drive, effectively rendering the system unusable. “CrownX represented the final extortion stage, but the damage extended well beyond the encryption itself,” the company said. “By the time the ransom note appeared, the broader framework had already collected credentials, established C2 communications, prepared multiple paths for lateral movement, and weakened local recovery options.” Another important detail is that Avalon shows signs of artificial intelligence (AI)-assisted development, one that has assembled multiple components with scant regard for sophisticated tradecraft or operational security, something that requires significant expertise to build.

The findings are yet another sign of how AI can lower the barrier to entry, making malware development more accessible with little time and effort, and even allowing actors with little technical expertise and resources to come up with tools that may require extensive development effort. In other words, the presence of a certain capability is no longer a reliable indicator of a threat actor’s sophistication or operational maturity. “The kill chain illustrates how a familiar business lure can progress into a reusable, multi-capability framework designed to harvest credentials, retrieve subsequent payloads entirely in memory, and stage multiple follow-on actions from a single compromised endpoint,” Blackpoint Cyber said. LLM Behind an Agentic Ransomware Attack The disclosure comes as Sysdig detailed what it said was the first publicly documented agentic ransomware infection driven by a large language model from start to finish, while retrying and tweaking its actions in real-time to complete tasks.

The agentic threat actor (ATA) behind the operation has been codenamed JADEPUFFER. The operator “gained initial access to an internet-facing Langflow instance through CVE-2025-3248 and ran an adaptive and fully automated campaign, ultimately pivoting to the intended target and running a destructive database-extortion playbook against the victim’s production database server,” Sysdig’s Michael Clark said. “The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking , the cost to an attacker is close to zero.” AI Malware That Uses LLM in a Codeless Attack The findings also follow the discovery of an AI malware that brings together a Telegram bot with a public LLM API to devise a codeless attack. Once launched, the implant transmits basic details about the compromised system to the attacker’s Telegram bot and enters into a command-and-control (C2) loop that polls the bot API every 5 seconds for new messages.

The results of the command execution are exfiltrated back using the same channel. The speciality of this malware is that each operator message is forwarded to a public LLM API endpoint (“api.groq[.]com/openai/v1/chat/completions”), which then translates the natural language instructions provided by the attacker into its equivalent shell command. The artifact was uploaded to the VirusTotal platform on March 11, 2026, and has zero detections across all engines to date. “This work introduces an LLM translation layer that replaces shell syntax with plain text.

The attacker types plaintext instructions in Telegram,” Palo Alto Networks Unit 42 said . “The LLM translates the instructions into shell commands. And the victim executes the shell commands. No command-line knowledge is required.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft. According to JFrog, the packages “rollup-packages-polyfill-core” and “rollup-runtime-polyfill-core” mimic the legitimate “ rollup-plugin-polyfill-node “ project, down to the description, repository metadata, and package shape. “The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review,” JFrog said in a technical write-up of the campaign. The campaign also involves four other packages, all of which have since been removed from the npm registry - quirky-token react-icon-svgs rollup-plugin-polyfill-connect swift-parse-stream What’s noteworthy here is that “rollup-packages-polyfill-core” installs and loads “swift-parse-stream,” while “rollup-runtime-polyfill-core” installs and “quirky-token.” In a similar fashion, “react-icon-svgs” has been found to install “rollup-plugin-polyfill-connect” as a second stage.

“The second-stage packages are near-identical SVG utilities that fetch a JSON object from JSONKeeper and eval the model field,” the cybersecurity company said. “This layered structure, together with the lookalike names, legitimate-looking metadata, hidden install-time execution, environment checks, and credential-theft/remote-access payloads, is similar to previous North Korean Lazarus-linked npm campaigns.” It’s worth emphasizing here that this is not the first time North Korean threat actors have uploaded npm packages impersonating Rollup polyfill tools. In April 2026, Panther detailed a sustained npm campaign that involved publishing 108 malicious npm packages spanning 261 versions to deliver BeaverTail and OtterCookie, two known malware families linked to Contagious Interview. Among those packages was “rollup-plugin-polyfill-route,” which was published on March 20, 2026.

The starting point of the attack is a Base64-encoded npm install command for “swift-parse-stream” (or “quirky-token”) that’s concealed within “rollup-packages-polyfill-core” (or “rollup-runtime-polyfill-core”). The two second-stage packages are dressed up as SVG sanitization utilities, while reaching out to a JSON Keeper URL to retrieve and execute a JavaScript malware. The JavaScript code runs checks to avoid execution within cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure. Past this gate, the malware installs the necessary dependencies and reaches out to an external server (“216.126.236[.]244”) to fetch an encrypted JavaScript payload.

The decrypted payload then acts as a loader for additional scripts responsible for enabling remote access to the compromised host to support interactive terminal sessions, command execution, screenshot capture, process termination, Windows-only mouse movement, clicks, scrolling, keyboard presses, and hotkeys using the “@nut-tree-fork/nut-js” package, as well as steal data from web browsers and cryptocurrency wallets, collect files matching specific extensions, and periodically capture clipboard content. The features overlap with those of OtterCookie, with the use of “@nut-tree-fork/nut-js” for remote mouse and keyboard control also observed in a package named “express-session-js” that was detailed by SafeDep in April 2026. The file collector component has been found to specifically look for editor history associated with Microsoft Visual Studio Code, Windsurf, and Cursor, along with developer and AI tool configurations, such as AWS, Microsoft Azure, Google Gemini, Anthropic Claude, Foundry, SSH, and Z shell (Zsh). “Rollup plugins are commonly loaded from local configuration files, developer workstations, and CI jobs,” JFrog said.

“These environments often have access to sensitive assets such as source code, npm tokens, Git credentials, cloud keys, SSH keys, browser data, and project secrets.” “The payload is also broader than a simple downloader. Once the later stages run, the attacker gains both collection and control capabilities. This makes the payload relevant to developer workstations and build machines, where API keys, SSH keys, wallet material, cloud credentials, and project secrets are often present.” The disclosure coincides with the discovery of multiple software supply chain attacks by Checkmarx, SafeDep, and AWS security researcher Chi Tran aimed at poisoning open-source package repositories and stealing valuable data - A cluster of at least eight trojanized “pyrogram” forks published by a threat actor operating under multiple identities between November 2025 and June 2026, including a hidden backdoor that grants them full remote control over any server running the infected PyPI package by running arbitrary Python code or shell commands sent by the attacker. The results of the command execution are exfiltrated via Telegram.

The activity has been codenamed Operation Navy Ghost by Checkmarx. A cluster of 30 npm packages mimicking Polymarket tooling and general mathematics libraries published by 10 npm maintainer accounts that targeted DeFi developers to deliver a JavaScript infostealer that reads crypto wallet vaults, browser credentials, SSH keys, AWS credentials, npm tokens, Docker configurations, shell history, and password manager databases. A cluster of 25 npm packages published under the @marketfront scope by an npm account named “marketfront” that contains a postinstall credential harvester that reads 20 credential and secret files, including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, and shell history, and exfiltrates the data. A Python package named “ security-alerts-sdk “ that claims to be a data breach-monitoring tool but harbors code to launch a backdoor that periodically polls an external server (“142.93.211[.]30:5000”) for commands and exfiltrates SSH private keys, AWS credentials, Docker/npm/PyPI/git tokens, .env files, and browser credential databases to the same server.

A cluster of 15 npm packages published by a single threat actor operating under 13 npm scopes that triggers a postinstall JavaScript payload responsible for downloading and executing a Rust-compiled ELF binary hosted on GitHub, which then harvests a wide range of data from cryptocurrency wallets, web browsers, and other applications, including cloud provider tokens, SSH keys, messaging platform sessions, database client configurations, and developer credentials. An npm package named “ events-runtime “ that typosquats the “ events “ package and conditionally spawns a cryptocurrency wallet stealer, exfiltrates host reconnaissance data over Slack and Telegram, opens a bidirectional Slack command channel, and reads configuration and payload chunks from an Ethereum smart contract used as a dead drop resolver. The malicious logic is fired only when the event ID is “eventId0.” An npm package named “ o3forms “ that steals cloud service provider credentials, scans developer secrets and CI/CD environments, performs internal network reconnaissance, and exfiltrates the data to an attacker-controlled Cloudflare Workers endpoint. “The attacker split the attack into a deliberately benign, registry-published package and a GitHub-pinned *-utils sub-dependency that carries both the install hooks and the actual malware,” Tran said.

“This structure is designed specifically to defeat the static and lifecycle-script scanning that most registry-side and CI-side tooling relies on.” Users who have installed any of the aforementioned packages are advised to remove them from their workstations, assume compromise and rotate credentials, block the malicious egress channels, and enable dependency scanning in CI/CD pipelines to flag newly published or suspicious packages. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. “Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations,” Kaspersky said in a technical analysis published today. “Their toolkit features obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis.” The attacks are also characterized by the use of tools like Go2Tunnel for remote access and network tunneling. The wide variety of tools in its arsenal allows the threat actor to maintain persistent access to compromised hosts, steal credentials and sensitive data, and dynamically deliver modules tailored to the victim’s profile.

The Russian cybersecurity vendor said Armored Likho shares possible overlaps with a threat cluster tracked by BI.ZONE under the moniker Eagle Werewolf, which has been active since May 2023. The hacking group has a track record of targeting government and defense organizations, specifically those involved in UAV development and manufacturing, using droppers, remote access trojans (RATs), and utilities for establishing SSH tunnels. “Threat actors may use compromised Telegram channels to distribute the malware,” BI.ZONE notes in its description of the threat actor. “While the group’s primary motivation is cyber espionage, campaigns aimed at stealing funds from victims have also been recorded.” Back in February 2026, Eagle Werewolf was observed compromising a drone‑focused Telegram channel to distribute AquilaRAT via a Rust dropper that masquerades as a checklist for Starlink device activation.

Also put to use in its attacks is a tool referred to as Go2Tunnel to establish a reverse SSH tunnel to a command-and-control (C2) server using a private key. The latest findings show that the threat actor has also employed a previously unreported Python-based information stealer named BusySnake Stealer targeting Windows systems, one version of which includes a module for stealing cookies from web browsers. The exact origins of Armored Likho remain unknown. The starting point of the attack chain is a spear-phishing email that uses lures related to official government notices or social programs to distribute a RAR archive containing EXE binaries that serve as droppers for additional payloads retrieved from a GitHub repository, including the stealer payload.

The dropper malware also creates two Visual Basic Script (VBScript) files that are responsible for erasing traces of the initial execution as well as launching the stealer by means of a scheduled task. Alternate chains utilize Windows shortcuts (LNK) instead of EXE payloads that weaponize a now-patched vulnerability related to how Windows handles such files, resulting in remote code execution. The flaw, tracked as CVE-2025-9491 (aka ZDI-CAN-25373), was addressed by Microsoft as part of its Patch Tuesday updates for November 2025. Evidence unearthed by Trend Micro last year revealed that the shortcoming had been weaponized by a dozen hacking groups since 2017.

In the attack chain documented by Kaspersky, the shortcut vulnerability is abused to trigger the execution of an obfuscated PowerShell command that launches a loader responsible for displaying a decoy document, while preparing the environment for the execution of the Python stealer. The malware then establishes persistence through a combination of a VBScript file and a scheduled task, as before. The stealer, called BusySnake, implements multiple evasion techniques to complicate static analysis and sidestep detection. Its primary goal is to establish communication with a C2 server and then await incoming instructions.

It also supports the following functionality - Steal data from the system clipboard. Enumerate files across the system and log their metadata in a local database. Upload user documents to the C2 server. Capture screenshots and stage them in a local directory.

Archive captured screenshots and remove previously created archives from the disk. Prevent multiple instances of the stealer from running concurrently on the infected host. Ensure persistence by checking if the scheduled task exists, and if not, drop a VBScript to register a new scheduled task. Furthermore, the commands issued by the C2 server allow it to take screenshots at a designated interval, log keystroke data, gather cryptocurrency wallet files with a JSON extension, collect Telegram session and credential data, establish a reverse SSH tunnel using Go2Tunnel, install RustDesk, and extract cookies from Mozilla Firefox and Chromium-based browsers, along with passwords.

If RustDesk is already installed on the machine, the open-source remote desktop software is started, and the victim is prompted to enter their credentials, following which the stealer grabs a screenshot of the credentials and exfiltrates it to the C2 server. “The malware dynamically decrypts its bytecode only at the exact moment a function is called, re-encrypting the data immediately afterward,” Kaspersky said. “Additionally, the malware runs in the background without spawning a console window, as indicated by its PYW file extension.” Kaspersky said it also identified a newer version of BusySnake that iterates upon the predecessor’s architectural design to include a new task-management framework to handle incoming C2 commands and dynamically assign them operational statuses, such as SCHEDULED, IN_PROGRESS, SUCCEEDED, or FAILED, for improved reporting back to the server. The threat actor’s ties to Eagle Werewolf also stem from overlaps between AquilaRAT and BusySnake Stealer, particularly in the manner both malware families receive tasks from the C2 server, register persistence via scheduled tasks, and utilize similar endpoints for C2 communications.

There are also signs that the first-stage payloads comprising loaders and stagers were likely generated with assistance from artificial intelligence (AI) tools, given the presence of redundant comments and code blocks. “This campaign highlights several concurrent trends: the growing technical maturity of Armored Likho, tool polymorphism, and a shift toward more complex schemes aimed at bypassing security solutions – ranging from Python source code obfuscation to embedding network mechanisms directly into the malware code,” Kaspersky said. “In parallel, the group is aggressively refining and modifying its core toolkit. While Go2Tunnel previously operated as a standalone utility, its reverse-tunneling functionality has now been integrated directly into the stealer as a built-in feature that ingests parameters from the C2 server.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

European Parliament Member Investigating Spyware Was Hacked With Pegasus

A new report from the Citizen Lab has revealed that former Member of the European Parliament Stelios Kouloglou had his mobile device repeatedly hacked with the notorious Pegasus spyware while serving on a committee that was tasked with investigating the abuse of such commercial surveillance tools in the bloc. “Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations,” the Citizen Lab researchers John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Kate Pundyk, Siena Anstis, and Ron Deibert said . The infections have not been attributed to a particular government at this time, and there is no evidence that the Greek government is behind the activity. However, the Canadian interdisciplinary research laboratory noted that it identified an overlap between the first infection and a previous campaign targeting Russian and Belarusian-speaking exiled journalists and activists in Europe.

This indicates that a Pegasus customer with authorization to spy in multiple European countries is likely responsible for the effort, the Citizen Lab added. Kouloglou was a member of the European Parliament’s “Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware” from March 24, 2022, to July 18, 2023. The PEGA Committee was set up on March 10, 2022, to probe alleged misuses of commercial spyware offerings under E.U. law, specifically focusing on gathering information on the extent to which member states and other countries are using such tools in contravention of the region’s rights and freedoms.

The Citizen Lab said that a forensic analysis of artifacts collected from his iPhone in May 2026 has found that it was compromised with Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023. “On 2022-10-21 10:16, there was a lookup for a HomeKit email address rauharepo888[@]gmail.com. Two minutes later, a Pegasus process used mobile data,” the researchers explained. It’s assessed that a zero-click exploit in Apple’s smart home software, codenamed PWNYOURHOME , was used to deliver the spyware.

The issue was addressed by Apple in iOS 16.3.1. The subsequent Pegasus activity observed in March 2023 is also said to have weaponized the same exploit. At both times, Kouloglou’s device was running iOS 15.5. Further analysis of the phone has revealed that Kouloglou received Apple threat notifications about being targeted with mercenary spyware on three occasions: March 2, 2023, August 29, 2023, and April 10, 2024.

Interestingly, during the first time Kouloglou’s phone was hacked, he was admitted to a hospital for elective surgery and had been visited by Greek investigative journalist Thanasis Koukakis, who had his own phone compromised with Intellexa’s Predator spyware and had testified before the PEGA Committee a month before. The timing of the second infection in March 2023 is also significant, as it coincided with the intense discussions related to the final drafting process, followed by a series of PEGA hearings . The incident took place two months before the adoption of the first PEGA Committee report . The development marks the first time a member of the PEGA Committee has been publicly identified as a victim of Pegasus spyware while serving on the committee.

The connection between Kouloglou’s case and the campaign targeting Russian and Belarusian-speaking independent journalists and opposition activists based in Europe is based on the use of the same email address “rauharepo888[@]gmail.com.” “In our understanding of Pegasus infection infrastructure during this period, we believe that these emails are unique to specific operators,” the Citizen Lab said. “We are unable to say whether the second infection in 2023 is similarly connected to this operator, or a different operator.” “Based on what we know of NSO Group’s licensing, this would likely indicate that the customer had a license that enabled infections in multiple E.U. jurisdictions, narrowing the list of potential Pegasus operators that could be responsible for this case.” The findings raise fresh concerns about how governments leverage spyware ostensibly marketed for combating serious crimes, such as terrorism and child sexual abuse, for spying on the communications of journalists, lawmakers, dissidents, and critics. The development comes days after the Citizen Lab revealed that Russian authorities used Cellebrite’s UFED forensic tools to break into the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite announced it would stop offering its tools and services to Russia and Belarus.

“The authorities searched Pivovarov’s devices for key organizations and contacts, as well as high-profile opposition figures,” the Citizen Lab said. “Search terms included Mikhail Khodorkovsky, who founded Open Russia, Anastasiya Burakova, who was at the time a human rights lawyer at Open Russia and currently leads a prominent anti-war group, and Open Russia’s former coordinator and Pivovarov’s partner, Tatiana Usmanova.” Some of these individuals, including Burakova, were later targeted in a phishing campaign orchestrated by a Russian hacking group known as COLDRIVER , raising the possibility that the use of Cellebrite’s tools may have helped facilitate reconnaissance and enable further targeting and surveillance of other regime opponents abroad. Back in April, the Citizen Lab also uncovered two distinct, long-running spying campaigns that are abusing well-known weaknesses in the global telecoms infrastructure to track people’s locations. Notably, these attacks do not necessitate malware deployment, making them stealthy and harder to detect.

One of two campaigns worked by sending a special type of text message with malicious hidden SMS commands to targets in an effort to “turn the device into a covert tracking beacon,” the report said. The second campaign relied on weaknesses in Signaling System No. 7 ( SS7 ) and Diameter signaling protocols to track an individual’s whereabouts without requiring access to their devices. The two campaigns are said to have abused three specific telecom providers, namely 019Mobile, Airtel Jersey (part of Sure Group), and Tango Networks U.K., that act as “surveillance entry and transit points within the telecommunications ecosystem” and “allow traffic to move through trusted signalling interconnections while granting access to threat actors that hide behind their infrastructure.” “Both actors used customized surveillance tooling to spoof operator identities, manipulate signalling protocols, and steer traffic through specific interconnect network paths to evade defenses and mask attribution,” the digital rights organization said.

“The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data. The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. It has been codenamed PamStealer owing to its ability to validate the victim’s login password through the macOS Pluggable Authentication Modules ( PAM ) before capturing it. The malware is delivered in two stages: A compiled AppleScript distributed inside a disk image that’s designed to download and stage a follow-on payload.

The secondary artifact is a Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration. The initial access vector for the malware is a lookalike site (“maccyapp[.]com”) that mimics Maccy (“maccy[.]app”). The AppleScript (“Maccy.scpt”) present within the disk image executes a self-contained JavaScript for Automation (JXA) downloader that fetches and stages the stealer payload using native Objective-C APIs. What’s notable here is that the script, once launched via the Script Editor, displays instructions to run it using the “⌘ + R” keyboard shortcut or clicking the Run button from the Script Editor, causing the malicious logic hidden in the file below a large block of empty lines to be executed.

“Notably, this works even when the file still carries the com.apple.quarantine attribute, which is what makes the approach attractive to attackers as Apple continues to tighten Gatekeeper and Terminal,” security researcher Thijs Xhaflaire said . “Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers.” The AppleScript dropper incorporates environment-aware features that allow the execution to continue only after fingerprinting the host and determining it’s running on Apple Silicon. It does this by deriving a key based on the fingerprint, which includes details like the CPU architecture, locale, keyboard layout, and the time zone, and then using it to unlock an encrypted configuration that contains the payload URL and install path. On Intel-based Macs, the derived decryption key differs and fails to decode the configuration, resulting in the termination of the dropper.

The script also avoids execution within sandboxed or analysis environments, as well as systems whose time zone, system locale, and keyboard input resolve to countries located in Eastern Europe, such as Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia. Once the checks pass, the script reaches out to the external server and downloads a Mach-O binary written in Rust that masquerades as the Finder app and is responsible for harvesting data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The captured information is then encrypted and exfiltrated to attacker-controlled infrastructure (“avenger-sync[.]live”) over an outbound HTTP request. Besides coercing the user into granting it full file system access, the stealer serves a native password prompt that collects the victim’s system password, and then validates the entered password by cross-checking it via the PAM API.

If the validation fails, it asks the user to re-enter the password, and repeats the loop until the correct password is supplied. “Once a valid password is captured, the stealer shows a second, counterfeit alert: ‘Maccy is damaged and can’t be opened. You should move it to the Trash,’ a close copy of the genuine Gatekeeper message,” Jamf said. “This is a decoy.

By the time it appears, the payload has already run, captured the password and registered for persistence, so the message serves only to make the victim discard the lure and assume the download was broken.” Also built into the Rust binary is a small arm64 Mach-O that impersonates macOS System Settings and is used for setting up persistence. The development has prompted Alex Rodionov, the developer of Maccy, to include a warning on their website and the GitHub repository, urging users to stay away from fake websites mimicking the tool. “Beware of fake websites impersonating Maccy. Malicious sites (such as maccyapp[.]net and maccyapp[.]com) distribute malware disguised as Maccy.

Maccy[.]app is the only official website,” Rodionov said. “Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features,” Jamf said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices

Google has significantly degraded NetNut , one of the biggest networks that turns home devices into rented relays for other people’s traffic. Working with the FBI, Lumen, and others, Google’s Threat Intelligence Group (GTIG) said this week it had reduced the network’s pool of usable devices by millions. Google identifies NetNut, also tracked as Popa , as a network spread across home devices worldwide, including smart TVs and streaming boxes , and GTIG estimates the network holds at least 2 million devices. If one of those devices is in your home, strangers can route their own traffic through your internet connection, and your address gets the blame for whatever they do with it.

How It Works A residential proxy network sells access to real home internet addresses. Attackers pay to route their traffic through your connection so it looks like ordinary home browsing, not the datacenter traffic that security tools tend to block. To build that pool, operators need their code running on home devices. Some devices ship with it pre-installed on cheap off-brand hardware; others pick it up when someone installs a free app that hides it.

Once it is running, the device becomes an “exit node,” a doorway that other people’s traffic flows through. Google says an exit node brings outside traffic inside the home network, giving attackers a foothold to reach other devices on it. Some of these home gadgets have also been pulled into large attack botnets such as Mirai and Badbox 2.0 . In a single week in June, GTIG counted 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups, to hide their real location and run password-guessing attacks .

The Company Behind It Unlike most proxy botnets , NetNut traces back to a public company. In June, researchers at Qurium, Synthient, Nokia Deepfield, and Spur tied Popa to NetNut. NetNut is a proxy provider owned by publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR). In a controlled test, Synthient said traffic it sent into NetNut’s commercial gateway came out through a device it had enrolled in Popa.

Synthient framed that as evidence of the traffic path, not proof of what NetNut knew or intended. Google’s own intelligence aligns: it treats NetNut and Popa as the same network, and says the public reporting matches its view of how NetNut builds its botnet. The Hacker News covered the researchers’ findings when they were published. Alarum rejects the “botnet” label.

It calls the research “demonstrably inaccurate assertions and flawed deductions rather than verified facts,” and says its software is for consented bandwidth-sharing that does not compromise the devices it runs on. The researchers’ testing complicates that defense: Synthient reported that none of the more than 20 apps it examined actually showed users a consent prompt. Why One Takedown Isn’t Enough Cutting off NetNut is messy by design. NetNut runs a reseller program that lets other companies sell its network under their own brand names.

Google says it has high confidence that many popular, seemingly separate proxy brands are really reselling the same NetNut pool. So a single takedown ripples across a lot of brands that look independent but are not. That is also why Google calls this degradation, not a kill. It says its earlier action against a similar IPIDEA network showed these networks can look resilient: operators start buying capacity from rivals, in effect becoming resellers themselves.

Real, lasting damage, Google says, means going after several connected providers at once. In January, Google and partners disrupted IPIDEA , a China-based network that at its peak was one of the largest of its kind. In July 2025, Google took the operators of Badbox 2.0 to court , the botnet of hijacked Android TV devices whose components overlap with Popa. Each time, the networks proved stubborn.

What Consumers Should Do The single clearest warning sign is an app that offers to pay you for your “unused bandwidth” or for “sharing your internet.” That is one of the main ways these networks grow. Beyond that: Stick to official app stores, and check what permissions a VPN or proxy app is asking for. Keep built-in protections like Google Play Protect switched on. Buy streaming boxes and smart TV hardware from known manufacturers, not no-name brands.

The demand for these home addresses does not disappear when a network goes down; it just moves. For defenders and platforms, the next signal to watch is whether NetNut-linked traffic resurfaces under reseller brands. UPDATE Alarum has since responded on the record to the takedown. Omer Weiss, corporate legal counsel for Alarum, says the company and NetNut were made aware of the FBI’s seizure of some of its domains on July 2, 2026.

Weiss says Alarum “takes this matter seriously and will fully cooperate with law enforcement to ensure any misuse of its infrastructure is thoroughly investigated and those responsible are held to account.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. “Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remote Management and Monitoring (RMM) tooling, credential access, and hands-on-keyboard procedures used for lateral movement,” Arctic Wolf said in a report published this week. “Anubis affiliates repeatedly abused legitimate remote access and administration tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to blend in with normal IT activity while maintaining control of victim systems.” Anubis is a ransomware-as-a-service (RaaS) group that first emerged in late 2024 as a rebrand of Sphinx ransomware. The ransomware operation was formally announced on the Ransomware and Advanced Malware Protection (RAMP) underground forum in February 2025.

According to data from Ransomware.Live, the cybercrime crew has claimed 91 victims on its data leak site, with 11 victims reported in June 2026 alone. Some of the prominent sectors targeted include healthcare, business services, manufacturing, technology, and financial services. More than 50% of the victims are located in the U.S., followed by the U.K., Australia, France, and Canada. In a report published in July 2025, Rubrik Zero Labs said Anubis advertises attractive profit splits, offering affiliates 80% of the ransom amounts paid, and pairs it with an irreversible data-wiping feature that ups the pressure on victims to pay up.

“When Anubis’s /WIPEMODE module is activated, files remain in directories but are reduced to a 0 KB size regardless of ransom payment,” Rubrik noted at the time. “Knowing threat actors can revert victims’ environments to this scorched-earth state with a single command significantly increases pressure on victims to pay before the wiper is fully activated.” The ransomware intrusions, observed this year, involve both valid VPN credential use and the exploitation of CVE-2025-5777 (CVSS score: 9.3), a critical flaw impacting Citrix NetScaler ADC and Gateway that could be abused by an attacker to bypass authentication when the appliance is configured as a Gateway or AAA virtual server. The exact source of VPN credentials used in these intrusions is unknown. However, it’s possible they were procured following prior compromise, or through initial access brokers (IABs), credential stuffing, or information stealer activity.

“In addition to CitrixBleed 2 exploitation, valid Cisco AnyConnect VPN logins were observed from several hosting ASNs, including AS20473 — The Constant Company and AS55286 — ServerMania,” Arctic Wolf explained. “Malicious VPN authentication was then followed by login activity involving RDP and SMB, leading to credential access, PsExec service creation, RMM deployment, and ultimately invoking cloud-transfer tooling for exfiltration.” Lateral movement is facilitated via RDP and PsExec, which then leads to the deployment of various legitimate RMM tools for persistent access, granting the attackers the ability to transfer files and remotely execute code, while staying under the radar. Select intrusions also configure a Cloudflare Tunnel (aka cloudflared) to establish tunnels to victim environments. The next phase of the attacks involves gathering credentials to facilitate deeper access to the compromised environment, after which tools like S3 Browser, rclone, s5cmd, WinSCP, and PuTTY are installed for data transfer or exfiltration prior to ransomware deployment.

In parallel, steps are taken to impair system defenses and complicate post-incident analysis. “These techniques included Windows Defender real-time protection disablement, SophosUninstall activity, PCHunter-related artifacts, and log clearing or manipulation across multiple systems,” the cybersecurity company explained. “In at least one intrusion, an Anubis encryptor was deleted after execution, reducing the availability of on-disk payload artifacts for later analysis.” The Gentlemen’s Go Backdoor and BYOVD 0-Day Exploit The disclosure comes as Kaspersky detailed The Gentlemen RaaS group’s exploitation of known vulnerabilities and stolen or weak login credentials to breach targets and its use of a Go-based backdoor to enable remote command execution after reconnaissance, lateral movement through Group Policy or PsExec, and defense evasion using the bring your own vulnerable driver (BYOVD) technique. The implant is designed to collect system information, exfiltrate it to an external server (“81.177.215[.]15:9443”) over a bidirectional TCP connection, and await operator responses that are then executed on the host using “cmd.exe” if the response byte is “c.” If the byte is “s,” a SOCKS proxy connection is established.

“This functionality likely enables The Gentlemen’s red team to pivot within the target network and expand their scan coverage,” Kaspersky said . “Given the backdoor implant’s capabilities, such as establishing two-way communication, executing commands, setting up a SOCKS proxy, and gathering information, it’s clear that it can also be used to expand the attack chain as needed.” According to Expel, the RaaS group has also weaponized a zero-day vulnerability in a little-known third-party vendor driver as part of its BYOVD arsenal to obtain kernel-level access, bypass Windows security protections, and kill protected security processes associated with Microsoft, ESET, Palo Alto Networks, and SentinelOne. The driver in question is ktapi.sys , which is part of an API developed by Kontron. “It’s still unclear how the threat actors came into possession of the file or gained knowledge of its vulnerability,” Marcus Hutchins, principal threat researcher at Expel, said .

“BYOVD continues to be a huge threat to enterprises, enabling attackers to disable state-of-the-art endpoint security systems in seconds. Even using the latest Windows version, with all exploit mitigations enabled, does not provide complete protection.” VECT and TeamPCP’s Ransomware Partnership The findings also follow an investigation from Sophos Counter Threat Unit into the partnership between VECT and TeamPCP that was announced in March 2026 to combine supply chain attack-driven credential theft with ransomware deployment. “The formal partnership between TeamPCP and VECT allows VECT to deploy ransomware across all organizations compromised in the Trivy and LiteLLM supply chain attacks,” Sophos said in a report shared with The Hacker News. “Prior to the VECT partnership, TeamPCP was running another ransomware operation under the CipherForce brand.

CipherForce listed six victims on its leak site in February 2026 and rebranded as a TeamPCP leak site in May.” Recent analyses from Check Point and JUMPSEC have found VECT to contain implementation flaws that cause any file larger than 128 KB to be permanently destroyed rather than encrypted, prompting TeamPCP to issue a statement stating they had never used VECT’s encryptor in attacks. “We own CipherForce, our own private locker,” the group claimed . “The VECT/TeamPCP alliance represents a meaningful shift in the ransomware threat landscape, even accounting for the technical shortcomings that undermine its operational effectiveness,” Sophos said . “The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass underground forum mobilization constitutes an unprecedented model of industrialized ransomware deployment that significantly lowers the barrier to entry for cybercrime.” Over the past few months, TeamPCP has been linked to a string of large-scale software supply chain attacks targeting open-source ecosystems, injecting malicious code into widely-used packages and tools that are integrated into enterprise development pipelines with the goal of extracting sensitive data and propagating the malware to other libraries in a worm-like manner.

“TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, including publishing victim names on a public leak site and threatening disclosure of stolen data,” the U.S. Federal Bureau of Investigation (FBI) said in a flash alert issued Thursday. “Organizations impacted by this campaign should treat exfiltrated data and credentials as a persistent risk, as affiliated threat actors are likely to weaponize them long after the initial compromise.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories

This week’s security news is mostly about weak spots. Browsers, bots, sandboxes, AI systems, and email flows all show the same problem in different ways. Everything looks normal until someone tests a small gap and finds a way through. This is not one big break.

It is small permissions, weak checks, open systems, and normal tools doing things they were allowed to do. That same pattern runs through the stories below. Ransomware phishing lure Fake INTERPOL Investigation Emails Lures Lead to Ransomware A phishing campaign is targeting small businesses across Europe, Asia, the Middle East, and the U.S. with fake investigation emails impersonating law enforcement officials.

“The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive,” Bitdefender said . “Recipients are directed to a Proton Drive-hosted file that ultimately delivers ransomware. The ransomware appears to be a custom-built payload rather than a known ransomware family.” One interesting aspect of the campaign is the absence of a fixed ransom demand. Instead, victims are instructed to contact the attackers through a Tox chat channel.

It’s only when the victim contacts the attackers that ransom negotiations start. This also allows threat actors to tailor the final ransom amount based on the size of the organization, the perceived value of its data, and its ability to pay. Sandbox root escape Exploiting Root Execution in Claude Cowork Sandbox New research from Armadin has discovered an attack chain affecting Claude Cowork on Windows. The attack allows an attacker with local code execution to plant a malicious file in Claude Desktop’s application directory, hijacking a trusted process to communicate with Cowork’s underlying VM service.

“An attacker with local code execution could run arbitrary commands as root in Claude Cowork’s sandbox without network egress restrictions,” the company said . The exploit takes advantage of two unvalidated parameters in the service’s interface that allow the attacker to run commands as root and bypass network filtering entirely, thereby allowing sensitive data to be exfiltrated to attacker-controlled infrastructure. Following responsible disclosure on May 29, 2026, Anthropic said it does not consider it to be a security issue because exploitation requires pre-existing local code execution on the host. Email privacy flaw Flaw in Apple’s Hide My Email A vulnerability has been disclosed in Apple’s Hide My Email service that allows users’ real email addresses to be unmasked.

Tyler Murphy, the researcher who found the bug, said that he reported the issue to Apple over a year ago and that it continues to remain unpatched. “We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” Murphy told 404 Media. Exact details surrounding the vulnerability have been withheld to avoid potential exploitation concerns. China-linked RAT activity New BeepRAT Remote Access Trojan Discovered A customized version of the open-source DCRat framework dubbed BeepRAT has been identified as distributed via a Chinese phone number management utility packaged within a ZIP archive, per Rubrik Zero Labs.

“The archive contained a .NET application named HFY.exe alongside several third-party libraries commonly associated with database-driven applications,” Rubrik said . “Although the application appeared to function as a telephone number management tool, further analysis revealed a sophisticated multi-stage infection chain that ultimately deployed the customized BeepRAT payload.” The malware establishes persistence on the host via scheduled tasks, and resolves the command-and-control infrastructure using DNS-over-HTTPS (DoH) requests. It then beacons a packet containing information about the compromised host, after which a persistent communication channel is opened to receive incoming commands that allow the malware to transfer files between the host and the server, launch interactive command prompt sessions, issue commands to it, launch PowerShell sessions, enumerate running processes and available storage drives, terminate a specified process, perform file system operations, record through webcam, log keystrokes, take screenshots, list active network connections, download and run .NET assemblies in memory, and launch a proxy. It’s assessed that BeepRAT operates within the China-nexus espionage ecosystem.

AI cyber benchmark Evaluation of OpenAI GPT-5.6 Sol An evaluation of OpenAI’s GPT-5.6 Sol on real-world offensive security benchmarks by AI security lab Irregular has found the model to perform slightly better than GPT-5.5, while continuing to struggle with well-defended targets and complete end-to-end attacks. “GPT-5.6 Sol demonstrated capabilities relevant to offensive cyber misuse, including finding and exploiting high-impact zero-day vulnerabilities across multiple real systems,” it said . “These capabilities were demonstrated on sensitive, widely used classes of systems, including mobile operating systems and database systems. Despite these capabilities, GPT-5.6 Sol continued to show clear limitations against hardened targets and in orchestration, operationalization, and operational security.

Performance also degrades when tasks require sustained logical coherence over long horizons or quick, time-sensitive decision-making.” Platform-aware phishing Phishing Campaigns Tailored to Targets’ Devices Cofense said it’s observing a “clear shift in phishing operations” where threat actors are moving beyond broad, one-size-fits-all campaigns to adopt platform-aware delivery that adapts to the victim’s device, browser, and environment. Phishing campaigns have been found to deliver Itarian RAT or the ConnectWise tool via Ninite Loader on Windows, while serving credential harvesting phishing pages when URLs are visited from macOS or Android. The operating system-specific payloads are delivered by fingerprinting victims through User-Agent data. “What began as simple Windows-focused malware distribution campaigns has evolved into more sophisticated campaigns that can selectively deliver credential phishing, remote access tools, or malware across Windows, MacOS, and Android,” it said .

“This trend reflects a broader strategic change in the threat landscape, one that is designed to increase the likelihood of compromise, expand target coverage, and improve threat actor return on investment.” Russian hacker reward U.S. Offers $10M for Info on UNC5792 The U.S. State Department is offering a reward of up to $10 million for information leading to the identification or location of threat actors associated with UNC5792 , a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services. UNC5792 has been linked to widespread phishing campaigns targeting Signal and WhatsApp accounts of U.S.

government officials, military leadership, and allied personnel with an aim to gain unauthorized access. “Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts,” the State Department said . LLM role confusion Prompt Injection as Role Confusion New research from a group of academics has revealed that machine learning models cannot reliably distinguish between authorized and unauthorized input, leaving them susceptible to a persistent problem called prompt injection. “LLMs see the world as a single stream of text, partitioned into roles like or ," the researchers said.

“We trace prompt injection to role confusion: models perceive the source of text from how it sounds, not its labeled role. A command hidden in a web page hijacks an agent simply because it sounds like text, despite its label." The attack, dubbed CoT Forgery, involves injecting fabricated reasoning into user prompts and tool outputs, causing the models to mistake the forgery for their own thoughts and act on them, yielding 60% attack success against frontier models. The attack essentially exploits the trust a model places in its own thinking. Covert tracking rollback Anthropic Says it's Removing Covert Code Tracking Feature Anthropic said it plans to remove the hidden code it added to Claude Code several months ago to detect unauthorized distillation efforts.

The relevant code checks Claude Code’s base URL environment variable that’s used to route API requests to a proxy or gateway. If the base URL has been overridden, the code snippet checks the system time zone and whether the hostname matches any entry in a list of known Chinese companies, account resellers, and gateway domains. “This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation,” Anthropic’s Thariq Shihipar said . “The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while.” Clipboard attack defense Opera Takes on ClickFix with Paste Protect Opera has introduced Paste Protect, a new security feature designed to block ClickFix -style attacks that deceive users into executing malicious commands through social engineering techniques.

“Paste Protect helps identify situations where malicious websites attempt to either replace something you copied with a malicious version or place potentially harmful commands on your clipboard and later trick you into pasting them onto a terminal,” the browser maker said . “When any kind of suspicious clipboard activity is detected, Opera’s Paste Protect warns users before dangerous content can be executed.” The development comes as ClickFix continues to be a popular initial access vector for threat actors. According to Huntress, ClickFix was responsible for over 53% of all malware loader activity in 2025. Data from ReliaQuest for the period between March 1 and May 31, 2026, ClickFix remained the dominant delivery method during this period and targeted both Windows and macOS systems.

One notable trend observed during the period was that ClickFix activity appeared to shift from delivery via compromised websites to emailed links. “ClickFix demonstrates that the human element remains one of the most effective attack vectors, especially when combined with legitimate system functionality and trusted binaries,” security researcher Bert-Jan Pals said . Gmail phishing operation UNC1151 Phishing Campaign Analyzed A spear-phishing attack orchestrated by UNC1151 (aka Ghostwriter) targeting Belarusian pro-democracy politician Yury Hubarevich has been assessed to be part of a much broader credential phishing operation. The activity involved sending emails from Gmail accounts claiming to have detected suspicious activity on targets’ Google accounts, urging them to click on a link to verify their account.

The catch here was that entering the credentials on the phishing page harvested the victim’s login information and exfiltrated it to the attacker-controlled infrastructure. Attack surface management platform Censys has since uncovered additional domains impersonating the I.UA email portal, suggesting the activity also likely targeted Ukrainians. FTC enforcement action FTC Fines Amazon $2.25N for Failing to Help Identity Theft Victims The U.S. Federal Trade Commission has fined Amazon $2.25 million to settle claims that the company failed to help customers who fell victim to identity theft.

Consumers who contacted Amazon to report fraud were told by its customer service agents that they could not provide the application and business transaction records about fraudulent transactions made in their names for “security” or “privacy” reasons. “Amazon often puts identity theft victims through a Kafkaesque ordeal by demanding they identify the thief who stole their information before Amazon would release the records the law entitles them to – records that could help victims protect themselves and recover from the fraudulent conduct,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. Telegram RAT surge Telegram-Based Millenium RAT Infects 60,000 Devices A remote access trojan (RAT) named Millennium RAT has undergone an architectural shift from .NET to native C++, while still relying on the Telegram Bot API for command-and-control (C2). The malware is attributed to a developer named ShinyEnigma, who is also behind DotStealer and was first seen in September 2023.

It is offered as malware-as-a-service (MaaS) for $50 for the first month, $10 for subsequent months, or a one-time $90 lifetime purchase. “As a full-featured remote access trojan, Millenium RAT 4.* is designed to compromise Windows machines,” Group-IB said . “It enables threat actors to exfiltrate sensitive browser and system data, capture screenshots and audio, perform keylogging, and download and run arbitrary executables.” Exploitation campaigns involving the malware are carried out by a threat actor cluster codenamed Y2K Operators. The threat actor has been active since May 2025, using social engineering as a way to trick users into executing malicious payloads by masquerading them as legitimate software or cracked applications.

As of writing, 62,289 devices have been infected with the Millenium RAT 4.* versions, with more than 16,000 infections reported in the month of March 2026 alone. In an interesting twist, the attackers even target other cybercriminals. “They take popular RATs, builders, and exploit kits, add a backdoor, and redistribute them — so the would-be attacker downloads a working tool and gets infected at the same time,” Group-IB said. Search hijack extension Chromium Extension Uses AI Branding to Redirect Browser Search Microsoft said it discovered a malicious Chromium-based extension that impersonates the AI-powered answer engine Perplexity AI to trick unsuspecting users into installing it.

The extension, named “Search for Perplexity ai” (ID: flkebkiofojicogddingbdmcmkpbplcd), has since been taken down by Google, but not before it attracted 10,000 installs. “We assess its primary objective to be search traffic interception and data collection, which might enable downstream use cases such as profiling, targeted advertising, or other forms of misuse depending on operator intent,” the tech giant said . “However, unlike traditional search hijackers that rely primarily on aggressive monetization or visible redirection, this extension combines Manifest Version 3 (MV3) capabilities with intermediary infrastructure and declarativeNetRequest (DNR) rules to transparently intercept Omnibox queries while preserving the appearance of legitimate search results.” The attacks illustrate how threat actors continue to capitalize on the popularity of AI tools to abuse them as a social engineering vector. Meeting bot controls Bot Protection in Microsoft Teams Microsoft said it’s introducing “smarter bot protection” features to tackle scenarios where bots connected to a third-party service attend meetings as AI tools become more common in enterprise setups.

“Unexpected participants in a meeting can create security and privacy risks, particularly when sensitive information is being discussed,” it said . “That’s why we’re introducing a new Teams admin policy designed to give organizations more visibility and control over external bots in their meetings. This new experience helps organizers identify bots, and adds safeguards before they’re admitted, giving organizations greater confidence that only the intended participants and tools will be present.” As part of this effort, Microsoft intends to clearly distinguish between bots and human participants, give organizers more visibility when bots join a meeting, and issue warnings when organizers choose Admit all and bots are included. With these new safeguards rolling out, Microsoft plans to retire the existing CAPTCHA verification experience.

Defender zero-day abuse BlueHammer Exploited in Ransomware Attacks The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that the now-patched Microsoft Defender vulnerability known as BlueHammer (aka CVE-2026-33825) was exploited in ransomware attacks. BlueHammer was first disclosed as a zero-day by an anonymous researcher named Chaotic Eclipse (aka Nightmare-Eclipse) in April 2026. It’s unclear which ransomware group has exploited the flaw.

Stolen AI compute abuse Using Stolen AI Compute to Build Offensive Agentic Tools Threat actors have been observed using a misconfigured Ollama model server as the reasoning engine for an automated, multi-stage offensive security tool called the VAPT framework, according to findings from Sysdig. The development marks a new evolution of LLMjacking , which refers to a form of resource hijacking attack in which malicious actors steal API keys, cloud credentials, or non-human identities to hijack an organization’s Large Language Model (LLM) resources. The unauthorized access is then abused to run heavy AI workloads or sell access to third-parties, leaving the legitimate account holder to pay the usage bills. “The actor was not chatting with the model or reselling access,” Sysdig’s Michael Clark said .

“Instead, they wired access to the AI tool into a software pipeline that scans a target, matches it to known vulnerabilities, writes proof-of-concept exploits, and attempts to break into a victim’s environment — with the model making the decisions at every step.” The lesson this week is simple: attackers do not need the front door when the side door is already open. A copied command, an exposed server, a trusted bot, a weak check. Small things become entry points when nobody treats them like one. So read the list with that in mind.

The loud part is the breach. The useful part is the quiet mistake that made it possible. Until next ThreatsDay. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that’s designed to gain surreptitious access to a victim’s email correspondence via the Google API. “In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs,” Kaspersky said in a detailed report published this week. “Because the Google API relies on the OAuth 2.0 protocol for authorization, applications can use an OAuth token to access requested email resources.” The adversary is said to have developed Umbrij to acquire this token and use it to connect to the browser’s management console in headless mode via a remote debugging port. Subsequently, a series of requests was issued to obtain an OAuth authorization code, which was then exchanged for an access token to reach the target resources via the API.

The technique has been codenamed Shadow Token via Remote Debug (STRD) by the Russian cybersecurity vendor. What’s notable about the attack is that it’s viable on Chromium-based browsers and exploits an active Gmail session. In other words, the idea is to launch the browser in headless mode , connect via the remote debugging port to seize control, and leverage an already logged-in Gmail session to obtain access to the Google account resources. Three different versions of Umbrij have been uncovered, including versions that feature helper functions for debugging and for searching and selecting user accounts within the browser.

ToddyCat is the name assigned to an advanced persistent threat (APT) that has a history of targeting various organizations in Europe and Asia since at least 2020. In November 2025, Kaspersky detailed the hacking group’s use of a custom tool dubbed TCSectorCopy to lay their hands on Microsoft Outlook email data belonging to targeted companies. The cybersecurity company said it discovered Umbrij during what it described as a “threat hunting operation,” as part of which a scheduled task impersonating its software (“KasperskyEndpointSecurityEDRAvp”) was used to launch a digitally signed file. The signed file then employed DLL side-loading to launch Umbrij.

To accomplish this task, one of the three legitimate binaries susceptible to DLL side-loading were abused - BDSubWiz.exe , a component of the Submission Wizard in Bitdefender ConnectAgent VSTestVideoRecorder.exe , a component of the video-recording tool used for testing with Microsoft Visual Studio GoogleDesktop.exe , a discontinued Google Desktop Search application used for indexing files and performing quick searches on a local Windows computer Regardless of the executable used, the end result is the same: launching the rogue Umbrij DLL written in .NET and obfuscated with ConfuserEx, an open-source obfuscator. The tool can also be invoked along with command-line parameters that specify which browsers to target (Google Chrome or Microsoft Edge), instruct it to save a screenshot of the user profile as a PDF file, and provide the system username under which the tool will run. Umbrij workflow diagram Umbrij, once launched, performs a series of preparatory actions on a compromised Windows host to breach the Gmail account - Verify the availability of the port that will be designated for browser debugging. Retrieve the user context by searching for the “explorer.exe” process and duplicating the token of the first such process it encounters in order to retain all of that logged-in user’s privileges.

Alternatively, the -user switch can be used alongside the tool to specify the target user whose token needs to be duplicated. Construct the path to the web browser application folder within the user's local application data repository and then parse the Local State file corresponding to Chrome or Edge to gather information about stored browser user profiles. Enumerate all profiles and scan them for a field named "user_name" that includes an email address. It's worth noting that the presence of an email address signals that the user is authenticated to a Google service.

Create a directory called “BackupFiles” within “%LOCALAPPDATA%\Google\Chrome" and “%LOCALAPPDATA%\Microsoft\Edge.” Copy the following files and folders of each target user profile into them: IndexedDB, Local Storage, Network, Login Data, Login Data For Account, Preferences, Secure Preferences, and Web Data. Should these files be locked by other processes, the tool includes a force-copy mechanism. Search the “Program Files” and “Program Files (x86)” folders for the browser installation folder for Chrome and Edge. Launch the browsers in headless mode by using the user profile copied to the “BackupFiles” folder, causing the browser to apply all active user cookies, including the signed-in Google account, and skip authentication.

Use Puppeteer , a JavaScript library used for controlling Chromium-based browsers via the Chrome DevTools Protocol, to connect to the remote debugging port and send an authorization code request to direct the browser to a “accounts.google[.]com/o/oauth2/v2/auth/identifier” URL containing a “client_id” that corresponds to a migration tool used for importing local PST files and data from Microsoft Exchange accounts into a Google Workspace account. The HTTP GET request also specifies the set of permissions required by the application. Use JavaScript to emulate mouse click events to select the appropriate Google account after navigating to the URL and grant it the necessary permissions, including full access to Gmail, Drive, Contacts, Calendar, and Tasks. Redirect the browser session to a local address specified in the initial request and extract the OAuth authorization code from it.

“Umbrij, like most other tools in ToddyCat’s arsenal, logs its actions in detail and saves them to a file,” Kaspersky said. “It also saves the retrieved authorization code to this log file, which the operator subsequently exfiltrates from the compromised host.” “The acquired authorization code is then exchanged for an OAuth access token. The threat actors use that token to connect to the Gmail account through the API, thus compromising corporate email communications.” To counter the threat, it’s advised to review the authorization codes granted to applications by navigating to “myaccount.google[.]com/connections” and then looking for applications named “Google Workspace Migration for Microsoft Outlook” or “Google Workspace Sync for Microsoft Outlook.” If either of those applications is present and is not actually used within the organization, it’s essential to revoke their access to invalidate the OAuth tokens. “The ToddyCat APT group continues to search for ways of compromising corporate email communications,” Andrey Gunkin, senior malware analyst at Kaspersky, said.

“Their new tool, Umbrij, automates the attackers’ attempts to gain access to organizational email accounts. This automation not only helps increase the scale and frequency of their attacks but also demonstrates ToddyCat’s strong motivation and advanced technical skills.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.