Author: Mark

  • Europol and Eurojust Dismantle €600 Million Crypto Fraud Network in Global Sweep

Nov 04, 2025 | Ravie Lakshmanan | Cybercrime / Money Laundering

    Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million).

    According to a statement released by Eurojust today, the action took place between October 27 and 29 across Cyprus, Spain, and Germany, with the suspects arrested on charges of involvement in money laundering from fraudulent activities.

    In addition to the arrests of the individuals from their homes, authorities conducted searches that led to the seizure of €800,000 ($918,000) in bank accounts, €415,000 ($476,000) in cryptocurrencies, and €300,000 ($344,000) in cash.

    Participating nations in the “synchronized” effort alongside Eurojust were agencies from France, Belgium, Cyprus, Germany, and Spain.

    “The members of the network created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns,” Eurojust said. “They recruited their victims using a variety of methods such as social media advertising, cold calling, fake news articles, and fake testimonials from celebrities or successful investors.”

    Once victims invested their funds in the bogus platforms, the crypto assets were laundered using blockchain, netting them about €600 million in illicit revenue.

    Eurojust said an investigation into the money laundering and scam network was initiated after victims complained of not being able to recover their investments, eventually culminating in the raids that occurred last week.

    The disclosure comes as Europol revealed that the criminal use of cryptocurrency and blockchain is becoming increasingly professionalized, sophisticated, and organized, and that countering the “borderless nature” of the threat requires a similar response.

    “Law enforcement, private sector partners, and academia are rapidly advancing their ability to counter the threats posed by sophisticated crypto-related crimes and money laundering,” the agency said. “Advanced tools are reducing reliance on manual tracing, while a host of successful cross-border operations show the power of collaboration.”


    Source: thehackernews.com…

  • Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks

Nov 04, 2025 | Ravie Lakshmanan | Vulnerability / Supply Chain Security

    Details have emerged about a now-patched critical security flaw in the popular “@react-native-community/cli” npm package that could be potentially exploited to run malicious operating system (OS) commands under certain conditions.

    “The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to developers,” JFrog Senior Security Researcher Or Peles said in a report shared with The Hacker News.

    The vulnerability, tracked as CVE-2025-11953, carries a CVSS score of 9.8 out of a maximum of 10.0, indicating critical severity. It also affects the “@react-native-community/cli-server-api” package versions 4.8.0 through 20.0.0-alpha.2, and has been patched in version 20.0.0 released early last month.

    The command-line tools package, which is maintained by Meta, enables developers to build React Native mobile applications. It receives approximately 1.5 million to 2 million downloads per week.

    According to the software supply chain security firm, the vulnerability arises from the fact that the Metro development server used by React Native to build JavaScript code and assets binds to external interfaces by default (instead of localhost) and exposes an “/open-url” endpoint that is susceptible to OS command injection.

    “The server’s ‘/open-url’ endpoint handles a POST request that includes a user-input value that is passed to the unsafe open() function provided by the open NPM package, which will cause OS command execution,” Peles said.

    As a result, an unauthenticated network attacker could send a specially crafted POST request to the server and run arbitrary commands. On Windows, this yields arbitrary shell commands with fully controlled arguments; on Linux and macOS, it can be abused to execute arbitrary binaries with only limited control over their parameters.
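    The two root causes described above (a dev server listening on every interface, and a user-supplied value handed to a browser-launching function without validation) can be illustrated with the following added example. It is not code from the React Native CLI or from JFrog's report: it uses only Node built-ins, models the endpoint as a pure handler so nothing is actually launched, and the `opener` callback stands in for the real server's call into the `open` package.

    ```javascript
    // Added example, not the React Native CLI's code. Shows what a hardened
    // "/open-url" handler has to do: parse the value as a URL, allow only
    // http(s), and bind the listener to loopback instead of all interfaces.
    const http = require("http");

    // Schemes a development tool legitimately needs to hand to a browser.
    const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

    // Returns a normalised URL string, or null if the value must be rejected.
    // Parsing with the WHATWG URL class rejects anything that is not a URL at
    // all, so bare paths and option-looking strings never reach the opener.
    function isAllowedDevUrl(input) {
      if (typeof input !== "string" || input.length > 2048) return null;
      let url;
      try {
        url = new URL(input);
      } catch {
        return null;
      }
      if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
      return url.href;
    }

    // Pure request handler so it can be exercised without a socket.
    // `opener(url)` is whatever launches the browser; it is injected here so
    // the example can run without opening anything.
    function handleOpenUrl(rawBody, opener) {
      let body;
      try {
        body = JSON.parse(rawBody);
      } catch {
        return { status: 400, error: "body must be JSON" };
      }
      const url = isAllowedDevUrl(body && body.url);
      if (url === null) return { status: 400, error: "url must be an http(s) URL" };
      opener(url);
      return { status: 200, opened: url };
    }

    // Wraps the handler in an HTTP server. Nothing is listened on until the
    // caller invokes startDevServer(); the host defaults to loopback, which is
    // the setting the vulnerable versions lacked (they bound to all interfaces).
    function startDevServer(opener, port = 8081, host = "127.0.0.1") {
      const server = http.createServer((req, res) => {
        if (req.method !== "POST" || req.url !== "/open-url") {
          res.writeHead(404);
          res.end();
          return;
        }
        let raw = "";
        req.setEncoding("utf8");
        req.on("data", (chunk) => {
          raw += chunk;
          if (raw.length > 65536) req.destroy(); // bound the request body
        });
        req.on("end", () => {
          const result = handleOpenUrl(raw, opener);
          res.writeHead(result.status, { "content-type": "application/json" });
          res.end(JSON.stringify(result));
        });
      });
      server.listen(port, host);
      return server;
    }

    module.exports = { isAllowedDevUrl, handleOpenUrl, startDevServer };
    ```

    The scheme allowlist does the real work: once the value is a parsed `http:`/`https:` URL, the string handed to the opener can no longer carry shell syntax or flags, whatever platform the opener runs on. Binding to `127.0.0.1` is defence in depth, not a substitute, since other processes on the same host can still reach the port.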

    The issue has since been addressed. Developers who use React Native with a framework that does not rely on Metro as the development server were not affected.

    “This zero day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements and broad attack surface,” Peles said. “It also exposes the critical risks hidden in third-party code.”

    “For developer and security teams, this underscores the need for automated, comprehensive security scanning across the software supply chain to ensure easily exploitable flaws are remediated before they impact your organization.”


    Source: thehackernews.com…

  • Microsoft Teams Bugs Let Attackers Impersonate Colleagues and Edit Messages Unnoticed

Nov 04, 2025 | Ravie Lakshmanan

    Cybersecurity researchers have disclosed details of four security flaws in Microsoft Teams that could have exposed users to serious impersonation and social engineering attacks.

    The vulnerabilities “allowed attackers to manipulate conversations, impersonate colleagues, and exploit notifications,” Check Point said in a report shared with The Hacker News.

    Following responsible disclosure in March 2024, some of the issues were addressed by Microsoft in August 2024 under CVE-2024-38197, with subsequent patches rolled out in September 2024 and October 2025.

    In a nutshell, these shortcomings make it possible to alter message content without the “Edited” label appearing, to change the sender identity, and to modify incoming notifications so that the apparent sender of a message changes, thereby allowing an attacker to trick victims into opening malicious messages by making them appear to come from a trusted source, including high-profile C-suite executives.

    The attack, which can be carried out by both external guest users and internal malicious actors, poses grave risks, as it undermines security boundaries and induces prospective targets to perform unintended actions, such as clicking on malicious links sent in the messages or sharing sensitive data.

    On top of that, the flaws also made it possible to change the display names in private chat conversations by modifying the conversation topic, as well as arbitrarily modify display names used in call notifications and during the call, permitting an attacker to forge caller identities in the process.

    “Together, these vulnerabilities show how attackers can erode the fundamental trust that makes collaboration workspace tools effective, turning Teams from a business enabler into a vector for deception,” the cybersecurity company said.

    Microsoft has described CVE-2024-38197 (CVSS score: 6.5) as a medium-severity spoofing issue impacting Teams for iOS, which could allow an attacker to alter the sender’s name of a Teams message and potentially trick recipients into disclosing sensitive information through social engineering ploys.

    The findings come as threat actors are abusing Microsoft’s enterprise communication platform in various ways, including approaching targets and persuading them to grant remote access or run a malicious payload under the guise of support personnel.

    Microsoft, in an advisory released last month, said the “extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors” and that its messaging (chat), calls, meetings, and video-based screen-sharing features are weaponized at different stages of the attack chain.

    “These vulnerabilities hit at the heart of digital trust,” Oded Vanunu, head of product vulnerability research at Check Point, told The Hacker News in a statement. “Collaboration platforms like Teams are now as critical as email and just as exposed.”

    “Our research shows that threat actors don’t need to break in anymore; they just need to bend trust. Organizations must now secure what people believe, not just what systems process. Seeing isn’t believing anymore, verification is.”


    Source: thehackernews.com…

  • Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors

Nov 04, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus.

    According to multiple reports from Cyble and Seqrite Labs, the campaign is designed to deploy a persistent backdoor on compromised hosts that uses OpenSSH in conjunction with a customized Tor hidden service that employs obfs4 for traffic obfuscation.

    The activity has been codenamed Operation SkyCloak by Seqrite, which said the phishing emails use lures related to military documents to convince recipients to open a ZIP file. The archive contains a hidden folder with a second archive file, along with a Windows shortcut (LNK) file which, when opened, triggers the multi-step infection chain.

    “They trigger PowerShell commands which act as the initial dropper stage where another archive file besides the LNK is used to set up the entire chain,” security researchers Sathwik Ram Prakki and Kartikkumar Jivani said, adding the archive files were uploaded from Belarus to the VirusTotal platform in October 2025.

    One such intermediate module is a PowerShell stager that’s responsible for running anti-analysis checks to evade sandbox environments, as well as writing a Tor onion address (“yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd[.]onion”) to a file named “hostname” in the “C:\Users\<Username>\AppData\Roaming\logicpro\socketExecutingLoggingIncrementalCompiler” location.

    As part of its analysis checks, the malware confirms that the number of recent LNK files present on the system is greater than or equal to 10 and verifies that the current process count is greater than or equal to 50. If either condition is not met, the PowerShell script abruptly ceases execution.

    “These checks serve as environmental awareness mechanisms, as sandbox environments typically exhibit fewer user-generated shortcuts and reduced process activity compared to genuine user workstations,” Cyble said.

    Once these environmental checks are satisfied, the script proceeds to display a PDF decoy document stored in the aforementioned “logicpro” folder, while setting up persistence on the machine using a scheduled task named “githubdesktopMaintenance” that runs at user logon and again every day at 10:21 a.m. UTC.

    The scheduled task is designed to launch “logicpro/githubdesktop.exe,” which is nothing but a renamed version of “sshd.exe,” a legitimate executable associated with OpenSSH for Windows, allowing the threat actor to establish an SSH service that restricts communications to pre-deployed authorized keys stored in the same “logicpro” folder.

    Besides enabling file transfer capabilities using SFTP, the malware also creates a second scheduled task that’s configured to execute “logicpro/pinterest.exe,” a customized Tor binary used to create a hidden service that communicates with the attacker’s .onion address by obfuscating the network traffic using obfs4. Furthermore, it implements port forwarding for multiple critical Windows services such as RDP, SSH, and SMB to facilitate access to system resources through the Tor network.
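    The persistence described above (a scheduled task whose action is a renamed binary under a user profile directory, and a Tor hidden-service “hostname” file holding a v3 onion address) is something a defender can hunt for from ordinary inventory output. The following is an added example, not code from Seqrite, Cyble or the threat actor: it parses a constructed sample that approximates `schtasks /query /fo LIST /v` output and a constructed file listing, and flags records that fit the pattern. The onion value in the sample is a placeholder, not the address from the reports.

    ```javascript
    // Added example (not Seqrite's or Cyble's code). Hunts scheduled tasks and
    // hidden-service hostname files for the SkyCloak persistence pattern.

    // Constructed sample approximating `schtasks /query /fo LIST /v` output:
    // one task shaped like the reported one, one ordinary Windows task.
    const SAMPLE_SCHTASKS = `
    Folder: \\
    HostName:      WS-01
    TaskName:      \\githubdesktopMaintenance
    Next Run Time: 11/5/2025 10:21:00 AM
    Status:        Ready
    Task To Run:   C:\\Users\\alice\\AppData\\Roaming\\logicpro\\githubdesktop.exe
    Schedule Type: Daily
    Start Time:    10:21:00 AM

    Folder: \\Microsoft\\Windows\\Defrag
    HostName:      WS-01
    TaskName:      \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
    Next Run Time: 11/12/2025 1:00:00 AM
    Status:        Ready
    Task To Run:   C:\\Windows\\System32\\defrag.exe -c -h -o
    Schedule Type: Weekly
    Start Time:    1:00:00 AM
    `;

    // Constructed file listing: path plus (first line of) content.
    // The .onion value is a placeholder built to the v3 format, not a real one.
    const SAMPLE_FILES = [
      { path: "C:\\Users\\alice\\AppData\\Roaming\\logicpro\\socket\\hostname",
        content: "exampleplaceholder".padEnd(56, "a") + ".onion\n" },
      { path: "C:\\Windows\\System32\\drivers\\etc\\hosts", content: "127.0.0.1 localhost\n" },
      { path: "C:\\tools\\hostname", content: "WS-01\n" },
    ];

    // Parses LIST-format output into one object per task. Records are blank-line
    // separated; each line is "Key: value". The key class excludes ':' so the
    // drive letter in "Task To Run: C:\..." is kept in the value.
    function parseSchtasksList(text) {
      return text
        .split(/\r?\n\s*\r?\n/)
        .map((block) => {
          const rec = {};
          for (const line of block.split(/\r?\n/)) {
            const m = line.match(/^\s*([A-Za-z ]+):\s*(.*)$/);
            if (m) rec[m[1].trim()] = m[2].trim();
          }
          return rec;
        })
        .filter((rec) => rec.TaskName);
    }

    // A task action living under a user-writable profile directory is unusual
    // for anything installed system-wide and is where the reported binary sat.
    const USER_WRITABLE = /\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\/i;
    // Task name reported for this campaign (from the page).
    const KNOWN_TASK_NAMES = ["githubdesktopMaintenance"];

    function huntScheduledTasks(text) {
      const findings = [];
      for (const task of parseSchtasksList(text)) {
        const action = task["Task To Run"] || "";
        const reasons = [];
        if (USER_WRITABLE.test(action)) {
          reasons.push("action binary lives in a user-writable profile directory");
        }
        const name = task.TaskName.toLowerCase();
        if (KNOWN_TASK_NAMES.some((n) => name.endsWith("\\" + n.toLowerCase()))) {
          reasons.push("task name matches a reported Operation SkyCloak indicator");
        }
        if (reasons.length) findings.push({ task: task.TaskName, action, reasons });
      }
      return findings;
    }

    // Tor v3 onion addresses are 56 base32 characters followed by ".onion".
    const ONION_V3 = /^[a-z2-7]{56}\.onion$/;

    // A file literally named "hostname" whose content is an onion address is a
    // Tor HiddenServiceDir artifact; legitimate Windows hosts rarely have one.
    function findHiddenServiceHostnames(files) {
      return files.filter(
        (f) => /\\hostname$/i.test(f.path) && ONION_V3.test(f.content.trim()),
      );
    }

    module.exports = { parseSchtasksList, huntScheduledTasks, findHiddenServiceHostnames,
                       SAMPLE_SCHTASKS, SAMPLE_FILES };
    ```

    On a real host the input for `huntScheduledTasks` is the saved output of `schtasks /query /fo LIST /v`, and the file listing would come from a directory walk of user profiles; confirming that a flagged `.exe` is really a renamed `sshd.exe` is a separate step (for instance comparing its hash against the OpenSSH for Windows release) that this example does not perform.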

    Once the connection is successfully established, the malware exfiltrates system information, in addition to a unique .onion URL hostname identifying the compromised system by means of a curl command. The threat actor ultimately gains remote access capabilities to the compromised system upon receipt of the victim’s .onion URL through the command-and-control channel.

    While it’s currently not clear who is behind the campaign, both security vendors said it’s consistent with Eastern European-linked espionage activity targeting defense and government sectors. Cyble has assessed with medium confidence that the attack shares tactical overlaps with a prior campaign mounted by a threat actor tracked by CERT-UA under the moniker UAC-0125.

    “Attackers access SSH, RDP, SFTP, and SMB via concealed Tor services, enabling full system control while preserving anonymity,” the company added. “All communications are directed through anonymous addresses using pre-installed cryptographic keys.”


    Source: thehackernews.com…

  • Ransomware Defense Using the Wazuh Open Source Platform

    Ransomware is malicious software designed to block access to a computer system or encrypt data until a ransom is paid. This cyberattack is one of the most prevalent and damaging threats in the digital landscape, affecting individuals, businesses, and critical infrastructure worldwide.

    A ransomware attack typically begins when the malware infiltrates a system through various vectors such as phishing emails, malicious downloads, or exploiting software vulnerabilities. Once activated, the malware encrypts files using strong cryptographic algorithms, rendering them inaccessible to the legitimate owner. The attackers then demand payment, usually in cryptocurrency like Bitcoin, in exchange for the decryption key.

    Modern ransomware variants have evolved beyond simple file encryption. Some employ double extortion tactics, where attackers encrypt data, exfiltrate sensitive information, and threaten to publish it publicly if the ransom is not paid. This puts pressure on victims, particularly organizations handling confidential customer data or proprietary business information.

    Ransomware development and propagation

    Understanding ransomware creation and distribution is essential for developing effective defense strategies. The ransomware lifecycle involves sophisticated development processes and diverse propagation methods that exploit technical vulnerabilities and human behavior.

    Ransomware development

    Ransomware is typically developed by cybercriminal organizations or individual threat actors with programming expertise. The creation process involves:

    • Malware coding: Developers write malicious code using various programming languages, incorporating encryption algorithms and command-and-control communication protocols.
    • Ransomware-as-a-Service (RaaS): Some criminal groups operate subscription-based models that provide ransomware tools to affiliates in exchange for a percentage of ransom payments.
    • Customization and testing: Attackers test their malware against security solutions to ensure it can evade detection.

    Propagation methods

    Ransomware spreads through multiple attack vectors:

    • Phishing emails: Malicious attachments or links that appear legitimate trick users into downloading ransomware.
    • Exploit kits: Automated tools that scan for and exploit known vulnerabilities in applications and operating systems.
    • Remote Desktop Protocol (RDP) attacks: Attackers gain unauthorized access through weak or compromised RDP credentials.
    • Malicious websites and downloads: Downloads from compromised or malicious websites install ransomware with or without the user’s knowledge.
    • Supply chain attacks: Compromised trusted software or service providers can distribute ransomware to customers.
    • Removable media: Infected USB drives and external storage devices can spread ransomware when connected to computer systems.

    Effects of a ransomware attack

    The impact of ransomware extends far beyond the immediate encryption of files. Organizations and individuals affected by ransomware experience multiple consequences that can have long-lasting repercussions on operations, finances, and reputation.

    Financial consequences

    Ransomware attacks inflict financial damage beyond file encryption. Victims may face ransom demands ranging from hundreds to millions of dollars, with no guarantee of data recovery even after payment. Additional expenses arise from incident response, forensic investigations, system restoration, and security enhancements, while regulatory non-compliance can lead to substantial legal fines and penalties for data breaches.

    Operational consequences

    Ransomware attacks cause significant operational disruption by crippling access to vital resources. Critical business data, customer information, and intellectual property may be lost or compromised, while essential services become unavailable, impacting customers, partners, and internal workflows. The resulting operational downtime often surpasses the ransom cost, as businesses can experience weeks or months of halted operations.

    Reputational damage

    Ransomware incidents often lead to lasting reputational damage as data breaches erode customer trust and confidence in an organization’s ability to safeguard sensitive information. Public disclosure of such attacks can weaken market position, strain business relationships, and create a competitive disadvantage.

    Preventing ransomware attacks

    Preventing ransomware attacks requires a multi-layered defense strategy that combines technical controls, organizational policies, and user awareness. Understanding and implementing these protective measures reduces the risk of successful ransomware infections.

    Technical defenses

    • Security Information and Event Management (SIEM) and Extended Detection and Response (XDR): Implement continuous monitoring to detect and respond to suspicious activities and anomalous behavior.
    • File integrity monitoring: Track changes to files, folders, and system configurations. This helps you identify malware behavior within your environment.
    • Network traffic analysis: Monitor for unusual data exfiltration patterns or command-and-control communications.
    • Regular backups: To ensure recovery without ransom, maintain frequent, automated backups of critical data stored offline or in immutable storage.
    • Patch management: Keep operating systems, applications, and firmware up to date to remediate known vulnerabilities that ransomware exploits.
    • Network segmentation: Isolate critical systems and limit lateral movement opportunities for attackers.
    • Email filtering: Implement robust email security solutions to block phishing attempts and malicious attachments.
    • Access controls: Enforce the principle of least privilege and implement strong authentication mechanisms, including multi-factor authentication.
    • Application whitelisting: Allow only approved applications to execute in your environment, preventing unauthorized malware from running.

    Organizational practices

    • Security awareness training: Educate employees about phishing tactics, social engineering, and safe computing practices.
    • Incident response planning: Develop and regularly test comprehensive incident response procedures for ransomware scenarios.
    • Security audits: Conduct regular vulnerability assessments and penetration testing to identify security weaknesses.
    • Vendor risk management: Assess and monitor the security posture of third-party service providers.

    What Wazuh offers for ransomware protection

    Wazuh is a free and open source security platform that provides comprehensive capabilities for detecting, preventing, and responding to ransomware threats. It is a unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) platform. Wazuh helps organizations build resilience against ransomware attacks through its out-of-the-box capabilities and integration with other security platforms.

    Threat detection and prevention

    Wazuh employs multiple detection mechanisms to identify ransomware activities. These include:

    • Malware detection: Wazuh integrates with threat intelligence feeds and utilizes signature-based and anomaly-based detection methods to identify known ransomware variants.
    • Vulnerability detection: This Wazuh capability scans systems for known vulnerabilities that ransomware commonly exploits, enabling proactive patching and reducing the likelihood of successful compromise.
    • Log data analysis: This Wazuh capability analyzes security events collected from user endpoints, servers, cloud workloads, and network devices to detect ransomware indicators.
    • Security configuration monitoring (SCA): The Wazuh SCA evaluates system configurations against security best practices and compliance frameworks.
    • File integrity monitoring (FIM): This Wazuh capability monitors critical files and directories, detecting unauthorized modifications that may indicate ransomware encryption activity.
    • Regulatory compliance monitoring: This Wazuh capability helps organizations maintain security standards and regulatory compliance requirements that deter ransomware attacks.

    Incident response capabilities

    • Active response: The Wazuh Active Response capability automatically executes predefined actions when threats are detected, such as isolating infected systems, blocking malicious processes, or quarantining files.
    • Integration with external solutions: Wazuh integrates with other security tools and platforms to improve organizations’ security posture.

    Use cases

    The following sections show some use cases of Wazuh detection and response to ransomware.

    Detecting and responding to DOGE Big Balls ransomware with Wazuh

    The DOGE Big Balls ransomware, a modified version of the FOG ransomware, combines technical exploits with psychological manipulation targeting enterprise environments. This malware variant delivers its payload through phishing campaigns or unpatched vulnerabilities. It then performs privilege escalation, reconnaissance, file encryption, and note creation on the victim’s endpoint.

    Detection

    Wazuh detects the DOGE Big Balls ransomware using threat detection rules and a Wazuh Custom Database (CDB) list to match its specific pattern.

    • CDB list containing DOGE Big Balls reconnaissance commands.
    net  config Workstation:
    systeminfo:
    hostname:
    net  users:
    ipconfig  /all:
    route  print:
    arp  -A:
    netstat  -ano:
    netsh firewall show state:
    netsh firewall show config:
    schtasks  /query /fo LIST /v:
    tasklist  /SVC:
    net  start:
    DRIVERQUERY:

    <group name="doge_big_ball,ransomware,">

      <!-- Reconnaissance output log file creation -->
      <rule id="100020" level="10">
        <if_sid>61613</if_sid>
        <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\.*.exe</field>
        <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\DbgLog.sys</field>
        <description>A log file $(win.eventdata.targetFilename) was created to log the output of the reconnaissance activities of the DOGE Big Balls ransomware. Suspicious activity detected.</description>
        <mitre>
          <id>T1486</id>
        </mitre>
      </rule>

      <!-- Reconnaissance commands from the CDB list -->
      <rule id="100021" level="8" timeframe="300" frequency="2">
        <if_sid>61603</if_sid>
        <list field="win.eventdata.commandLine" lookup="match_key">etc/lists/doge-big-balls-ransomware</list>
        <description>The command $(win.eventdata.commandLine) is executed for reconnaissance activities. Suspicious activity detected.</description>
        <options>no_full_log</options>
      </rule>

      <!-- Ransom note file creation -->
      <rule id="100022" level="15" timeframe="300" frequency="2">
        <if_sid>61613</if_sid>
        <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\.*.exe</field>
        <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\readme.txt</field>
        <description>DOGE Big Balls ransom note $(win.eventdata.targetFilename) has been created in multiple directories. Possible DOGE Big Balls ransomware detected.</description>
        <mitre>
          <id>T1486</id>
        </mitre>
      </rule>

      <!-- Correlation: reconnaissance commands after the log file was created -->
      <rule id="100023" level="15" timeframe="300" frequency="2" ignore="100">
        <if_matched_sid>100020</if_matched_sid>
        <if_sid>100021</if_sid>
        <description>Possible DOGE Big Balls ransomware detected.</description>
        <mitre>
          <id>T1486</id>
        </mitre>
      </rule>

    </group>

    These rules flag the execution of known reconnaissance commands and detect when multiple ransom notes appear across directories. These are DOGE Big Balls ransomware IOCs that indicate file encryption and other ransomware activities.
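    To make the correlation these rules perform concrete, the following added example (not Wazuh code) models the four DOGE Big Balls rules in a small rule engine and runs them over constructed Sysmon-style events. It is a simplification of the Wazuh engine: `sid` stands for the Sysmon decoder rule a page rule names in `<if_sid>` (61603 for process creation, 61613 for file creation), `lookup="match_key"` is modelled as “some list key occurs in the field value”, and `frequency`/`timeframe`, `if_matched_sid` and `ignore` are implemented literally as counts and time windows over the event timestamps.

    ```javascript
    // Added example (not Wazuh's code): a simplified model of rules
    // 100020-100023 above, evaluated over constructed Sysmon-style events.

    const RECON_LIST = [ // keys of the page's CDB list
      "net  config Workstation", "systeminfo", "hostname", "net  users",
      "ipconfig  /all", "route  print", "arp  -A", "netstat  -ano",
      "netsh firewall show state", "netsh firewall show config",
      "schtasks  /query /fo LIST /v", "tasklist  /SVC", "net  start", "DRIVERQUERY",
    ];

    // Assumed model of lookup="match_key": any list key is a substring of the field.
    function matchesList(value, keys) {
      const v = String(value || "").toLowerCase();
      return keys.some((k) => v.includes(k.toLowerCase()));
    }

    const EXE_IMAGE = /^[C-Z]:.*\\.*\.exe/i; // the page's (?i)[C-Z]:.*\\.*.exe

    const RULES = [
      { id: 100020, level: 10, ifSid: 61613,
        fields: { image: EXE_IMAGE, targetFilename: /^[C-Z]:.*\\DbgLog\.sys$/i } },
      { id: 100021, level: 8, ifSid: 61603, listField: "commandLine", list: RECON_LIST,
        frequency: 2, timeframe: 300 },
      { id: 100022, level: 15, ifSid: 61613, frequency: 2, timeframe: 300,
        fields: { image: EXE_IMAGE, targetFilename: /^[C-Z]:.*\\readme\.txt$/i } },
      { id: 100023, level: 15, ifSid: 100021, ifMatchedSid: 100020, timeframe: 300, ignore: 100 },
    ];

    // Returns evaluate(event) -> alerts. Events carry a numeric `time` (seconds),
    // a `sid` for the decoder rule that matched, and the eventdata fields.
    function createEngine(rules) {
      const matched = new Map(); // rule id -> times the rule's conditions matched
      const fired = new Map();   // rule id -> times the rule produced an alert
      const within = (map, id, now, window) =>
        (map.get(id) || []).filter((t) => now - t <= window);

      return function evaluate(event) {
        const alerts = [];
        const sids = new Set([event.sid]); // grows as rules fire so child rules chain
        for (const rule of rules) {
          if (!sids.has(rule.ifSid)) continue;
          if (rule.fields && !Object.entries(rule.fields)
              .every(([name, re]) => re.test(String(event[name] || "")))) continue;
          if (rule.listField && !matchesList(event[rule.listField], rule.list)) continue;
          // if_matched_sid: the referenced rule must have fired inside the window.
          if (rule.ifMatchedSid &&
              within(fired, rule.ifMatchedSid, event.time, rule.timeframe).length === 0) continue;

          matched.set(rule.id, (matched.get(rule.id) || []).concat(event.time));
          // frequency: alert only once enough matches fall inside the timeframe.
          if (rule.frequency &&
              within(matched, rule.id, event.time, rule.timeframe).length < rule.frequency) continue;
          // ignore: suppress repeated alerts of this rule for `ignore` seconds.
          const last = fired.get(rule.id);
          if (rule.ignore && last && last.length &&
              event.time - last[last.length - 1] < rule.ignore) continue;

          fired.set(rule.id, (fired.get(rule.id) || []).concat(event.time));
          sids.add(rule.id);
          alerts.push({ rule: rule.id, level: rule.level, time: event.time });
        }
        return alerts;
      };
    }

    // Constructed sample: one log-file creation, two recon commands, two notes.
    const SAMPLE_EVENTS = [
      { time: 0,  sid: 61613, image: "C:\\Users\\alice\\Downloads\\update.exe",
        targetFilename: "C:\\Users\\alice\\DbgLog.sys" },
      { time: 5,  sid: 61603, commandLine: "systeminfo" },
      { time: 10, sid: 61603, commandLine: "hostname" },
      { time: 20, sid: 61613, image: "C:\\Users\\alice\\Downloads\\update.exe",
        targetFilename: "C:\\Users\\alice\\Documents\\readme.txt" },
      { time: 25, sid: 61613, image: "C:\\Users\\alice\\Downloads\\update.exe",
        targetFilename: "C:\\Users\\alice\\Pictures\\readme.txt" },
    ];

    function runSample() {
      const evaluate = createEngine(RULES);
      return SAMPLE_EVENTS.flatMap((e) => evaluate(e));
    }

    module.exports = { createEngine, matchesList, runSample, RULES, SAMPLE_EVENTS };
    ```

    Running `runSample()` produces alerts for 100020 at t=0, then 100021 and the level-15 correlation 100023 at t=10 (the second recon command within 300 s of the log file), and 100022 at t=25 (the second ransom note). The ordering of `RULES` matters in this model just as `<if_sid>` dependencies matter in Wazuh: 100023 must be evaluated after 100021 so the chained match is visible.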

    Automated response

    Wazuh enables ransomware detection and removal using its File Integrity Monitoring (FIM) capability and integration with YARA. In this use case, Wazuh monitors the Downloads directory in real-time. When a new or modified file appears, it triggers the active response capability to execute a YARA scan. If a file matches known YARA ransomware signatures like DOGE Big Balls, the custom active response script deletes it automatically and logs the action. Custom decoders and rules on the Wazuh server parse those logs to generate alerts showing whether the file was detected and successfully removed.

    Detecting Gunra ransomware with Wazuh

    The Gunra ransomware is typically used by private cybercriminals to extort money from its victims. It utilizes a double-extortion model that encrypts files and exfiltrates data for publication should its victim fail to pay the ransom. The Gunra ransomware spreads through Windows systems by encrypting files, appending the .ENCRT extension, and leaving ransom notes named R3ADM3.txt. It deletes shadow copies, disables backup and antivirus services to block recovery, and uses Tor networks to hide its operators. These actions make data restoration difficult and help the attackers maintain anonymity during ransom negotiations.

    Detection

    The following Wazuh rules alert when ransom notes named R3ADM3.txt appear, system components like VSS or amsi.dll are tampered with, or suspicious modules such as urlmon.dll are loaded for network activity. The rules also track attempts to delete shadow copies or disable backup and admin functions, indicating behavior typical of ransomware preparing for file encryption.

    <group name="gunra,ransomware,">
    
      <!--Ransom note file creation-->
      <rule frequency="2" id="100601" ignore="100" level="15" timeframe="100">
        <if_sid>61613</if_sid>
        <field name="win.eventdata.Image" type="pcre2">[^"]+.exe</field>
        <field name="win.eventdata.targetFilename" type="pcre2">[^"]*R3ADM3.txt</field>
        <description>Possible Gunra ransomware activity detected: Multiple ransom notes dropped in $(win.eventdata.targetFilename)</description>
        <mitre>
          <id>T1543.003</id>
          <id>T1486</id> 
        </mitre>
      </rule>
    
      <!--Antimalware Scan Interface Access Modification-->
      <rule id="100602" level="7">
        <if_sid>61609</if_sid>
        <field name="win.eventdata.Image" type="pcre2">C:\\Windows\\System32\\VSSVC.exe</field>
        <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\Windows\\System32\\amsi.dll</field>
        <description>Possible ransomware activity detected: Suspicious Volume Shadow copy Service (VSS) loaded amsi.dll for tampering and evasion attempt.</description>
        <mitre>
          <id>T1562</id>
          <id>T1562.001</id>
        </mitre>
      </rule>
    
      <rule id="100603" level="7">
        <if_sid>61609</if_sid>
        <field name="win.eventdata.Image" type="pcre2">(C:\\Windows\\SystemApps\\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\\CHXSmartScreen.exe)</field>
        <field name="win.eventdata.ImageLoaded" type="pcre2">C:\\Windows\\System32\\urlmon.dll</field>
        <description>Possible ransomware activity detected: Urlmon.dll was loaded, indicating network reconnaissance.</description>
        <mitre>
          <id>T1562.001</id>
        </mitre>
      </rule>
    
      <!--Volume Shadow copy Service (VSS) deletion-->
      <rule id="100604" level="7">
        <if_sid>60103</if_sid>
        <field name="win.eventdata.targetUserName" type="pcre2">Backup Operators</field>
        <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-551</field>
        <field name="win.eventdata.callerProcessName" type="pcre2">C:\\Windows\\System32\\VSSVC.exe</field>
        <description>Possible Gunra ransomware activity detected: Volume Shadow copy Service (VSS) deletion attempts, gearing up to disable backups.</description>
        <mitre>
          <id>T1562</id>
          <id>T1562.002</id>
        </mitre>
      </rule>
    
      <rule id="100605" level="7">
        <if_sid>60103</if_sid>
        <field name="win.eventdata.targetUserName" type="pcre2">Administrators</field>
        <field name="win.eventdata.targetSid" type="pcre2">S-1-5-32-544</field>
        <field name="win.eventdata.callerProcessName" type="pcre2">C:\\Windows\\System32\\VSSVC.exe</field>
        <description>Possible Gunra ransomware activity detected: Volume Shadow copy Service (VSS) deletion shadow attempts, gearing to disable local admin accounts</description>
        <mitre>
          <id>T1562</id>
          <id>T1562.002</id>
        </mitre>
      </rule>
    
    </group>
    

    Automated response

    Wazuh performs automated responses to Gunra ransomware malicious file activities using its FIM capability and integration with VirusTotal. In this use case, the Wazuh File Integrity Monitoring (FIM) module monitors the Downloads folder in real-time, triggering scans whenever files are added or changed. A custom active response executable then securely deletes any file that VirusTotal flags as a threat.

    Ransomware protection on Windows with Wazuh

    Wazuh provides ransomware protection and file recovery on monitored Windows endpoints using its command module and the Windows Volume Shadow Copy Service (VSS). This integration allows administrators to automatically take snapshots of monitored endpoints to recover files to a state before they are encrypted by malware.

    The following image shows successful Wazuh Active Response file recovery alerts.

    Conclusion

    Ransomware attacks pose significant financial, operational, and reputational damage. They require multi-layered defenses that combine early detection with incident response. Organizations that invest in these practices are better equipped to withstand and recover from such attacks.

    Wazuh provides capabilities that enable early detection and rapid response to contain ransomware attacks. It offers out-of-the-box capabilities for vulnerability detection, file integrity monitoring, log data analysis, and automated responses to prevent ransomware-caused data loss and downtime.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Google’s AI ‘Big Sleep’ Finds 5 New Vulnerabilities in Apple’s Safari WebKit

    Nov 04, 2025 | Ravie Lakshmanan | Artificial Intelligence / Vulnerability

    Google’s artificial intelligence (AI)-powered cybersecurity agent called Big Sleep has been credited by Apple for discovering as many as five different security flaws in the WebKit component used in its Safari web browser that, if successfully exploited, could result in a browser crash or memory corruption.

    The list of vulnerabilities is as follows –

    • CVE-2025-43429 – A buffer overflow vulnerability that may lead to an unexpected process crash when processing maliciously crafted web content (addressed through improved bounds checking)
    • CVE-2025-43430 – An unspecified vulnerability that could result in an unexpected process crash when processing maliciously crafted web content (addressed through improved state management)
    • CVE-2025-43431 & CVE-2025-43433 – Two unspecified vulnerabilities that may lead to memory corruption when processing maliciously crafted web content (addressed through improved memory handling)
    • CVE-2025-43434 – A use-after-free vulnerability that may lead to an unexpected Safari crash when processing maliciously crafted web content (addressed through improved state management)

    Patches for the shortcomings have been released by Apple on Monday as part of iOS 26.1, iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1, and Safari 26.1. The updates are available for the following devices and operating systems –

    • iOS 26.1 and iPadOS 26.1 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
    • macOS Tahoe 26.1 – Macs running macOS Tahoe
    • tvOS 26.1 – Apple TV 4K (2nd generation and later)
    • visionOS 26.1 – Apple Vision Pro (all models)
    • watchOS 26.1 – Apple Watch Series 6 and later
    • Safari 26.1 – Macs running macOS Sonoma and macOS Sequoia

    Big Sleep, formerly called Project Naptime, is an AI agent launched by Google last year as part of a collaboration between DeepMind and Google Project Zero to enable automated vulnerability discovery.

    Earlier this year, Google said the large language model (LLM)-assisted framework identified a security flaw in SQLite (CVE-2025-6965, CVSS score: 7.2) that it said was at “risk of being exploited” by malicious actors.

    While none of the vulnerabilities listed in Monday’s security bulletins have been flagged as exploited in the wild, it’s always a good practice to keep devices updated to the latest version for optimal protection.


    Source: thehackernews.com…

  • U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks

    Nov 04, 2025 | Ravie Lakshmanan | Ransomware / Cybercrime

    Federal prosecutors in the U.S. have accused a trio of allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them.

    Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator (aka “Co-Conspirator 1”) based in Florida, all U.S. nationals, are said to have used the ransomware strain against a medical device company based in Tampa, Florida, a pharmaceutical company based in Maryland, a doctor’s office based in California, an engineering company based in California, and a drone manufacturer based in Virginia.

    The Chicago Sun-Times first reported the indictment over the weekend, stating Martin and Co-Conspirator 1 were employed as ransomware threat negotiators for a company named DigitalMint at the time when these incidents took place. Goldberg was an incident response manager for cybersecurity company Sygnia.


    All three individuals are no longer working at the respective firms, with both DigitalMint and Sygnia stating they have cooperated with law enforcement on the matter. In July 2025, Bloomberg reported that the U.S. Federal Bureau of Investigation (FBI) was looking into a former employee of DigitalMint for supposedly taking a cut from ransomware payments.

    According to the indictment document, Goldberg, Martin, and the co-conspirator have been accused of wilfully engaging in a conspiracy to “enrich” themselves by accessing victims’ networks or computers in an unauthorized manner, stealing their data, installing the BlackCat ransomware on their systems in exchange for a cryptocurrency payment, and dividing the illicit proceeds amongst them –

    • Around May 13, 2023, the defendants attacked the medical device firm and demanded an approximate $10,000,000 ransom payment. The company ended up paying virtual currency worth approximately $1,274,000 at the time of payment.
    • Around May 2023, the defendants attacked the firm and demanded an unspecified amount as ransom.
    • Around July 2023, the defendants attacked the doctor’s office and demanded an approximate $5,000,000 ransom payment.
    • Around October 2023, the defendants attacked the engineering company and demanded an approximate $1,000,000 ransom payment.
    • Around November 2023, the defendants attacked the drone manufacturer and demanded an approximate $300,000 ransom payment.

    It’s said that they did not manage to extort a financial payment from the other victims. While Martin has pleaded not guilty, court records show that Goldberg allegedly confessed to being recruited by the unnamed co-conspirator to “try and ransom some companies” during an interview with the FBI and that he conducted the attacks to get out of debt. The third individual has not been indicted.

    Both Goldberg and Martin have been charged with conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce by extortion, and intentional damage to a protected computer. Together, these charges carry a maximum penalty of up to 50 years in federal prison.


    Source: thehackernews.com…

  • Microsoft Detects "SesameOp" Backdoor Using OpenAI's API as a Stealth Command Channel

    Nov 04, 2025 | Ravie Lakshmanan | Artificial Intelligence / Malware

    Microsoft has disclosed details of a novel backdoor dubbed SesameOp that uses OpenAI Assistants Application Programming Interface (API) for command-and-control (C2) communications.

    “Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment,” the Detection and Response Team (DART) at Microsoft Incident Response said in a technical report published Monday.

    “To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.”

    The tech giant said it discovered the implant in July 2025 as part of a sophisticated security incident in which unknown threat actors had managed to maintain persistence within the target environment for several months. It did not name the impacted victim.


    Further investigation into the intrusion activity has led to the discovery of what it described as a “complex arrangement” of internal web shells, which are designed to execute commands relayed from “persistent, strategically placed” malicious processes. These processes, in turn, leverage Microsoft Visual Studio utilities that were compromised with malicious libraries, an approach referred to as AppDomainManager injection.

    SesameOp is a custom backdoor engineered to maintain persistence and allow a threat actor to covertly manage compromised devices, indicating that the attack’s overarching goal was to ensure long-term access for espionage efforts.

    OpenAI Assistants API enables developers to integrate artificial intelligence (AI)-powered agents directly into their applications and workflows. The API is scheduled for deprecation by OpenAI in August 2026, with the company replacing it with a new Responses API.

    The infection chain, per Microsoft, includes a loader component (“Netapi64.dll”) and a .NET-based backdoor (“OpenAIAgent.Netapi64”) that leverages the OpenAI API as a C2 channel to fetch encrypted commands, which are subsequently decoded and executed locally. The results of the execution are sent back to OpenAI as a message.

    “The dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence, and secure communication using the OpenAI Assistants API,” the company said. “Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable.”
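    The loading mechanism Microsoft describes, a `.config` file beside the host executable that tells the .NET runtime to load a custom AppDomainManager, is also what a defender can hunt for. The following is an added example, not code from Microsoft's report or from the malware: it parses `*.exe.config` files and flags any that set the documented `<appDomainManagerAssembly>` / `<appDomainManagerType>` elements under `<runtime>`. The two sample configs (`BENIGN_CONFIG`, `INJECTED_CONFIG`) are constructed for illustration and the `Example.Injected` names are placeholders, not indicators from the incident.

```python
import os
import sys
import xml.etree.ElementTree as ET


def inspect_config(xml_text):
    """Describe any AppDomainManager directive in one .config file.

    Returns a dict with 'assembly' and 'type' (the value attributes, or
    None), 'suspicious' (True when either directive is present) and
    'error' (set when the XML does not parse; a broken config beside an
    executable is itself worth a look rather than an exception).
    """
    result = {"assembly": None, "type": None, "suspicious": False, "error": None}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        result["error"] = str(exc)
        return result
    runtime = root.find("runtime")
    if runtime is None:
        return result
    # Element names are case-sensitive in .NET configuration files.
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None:
        result["assembly"] = asm.get("value")
    if typ is not None:
        result["type"] = typ.get("value")
    result["suspicious"] = asm is not None or typ is not None
    return result


def scan_directory(root_dir):
    """Walk `root_dir` and return [(config_path, finding)] for every
    *.exe.config that sits beside its host executable and either sets a
    manager or fails to parse."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        present = {f.lower() for f in files}
        for name in files:
            lower = name.lower()
            if not lower.endswith(".exe.config"):
                continue
            # Only a config next to its host can redirect that host;
            # a stray .config on its own is noise.
            if lower[:-len(".config")] not in present:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
                finding = inspect_config(fh.read())
            if finding["suspicious"] or finding["error"]:
                hits.append((path, finding))
    return hits


# Constructed samples (not taken from the incident): a normal config that
# only pins the runtime version, and one that injects a manager assembly.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""

INJECTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Example.Injected, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Example.Injected.Manager"/>
  </runtime>
</configuration>"""

if __name__ == "__main__":
    # Usage: python hunt_appdomain.py <directory-to-scan>
    for path, finding in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, finding)
```

    Legitimate software rarely ships these directives, so any hit is worth triage: compare the named assembly against the files actually present beside the host and against the vendor's signed set, and check who wrote the `.config` and when.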


    The message supports three types of values in the description field of the Assistants list retrieved from OpenAI –

    • SLEEP, to allow the process thread to sleep for a specified duration
    • Payload, to extract the contents of the message from the instructions field and invoke it in a separate thread for execution
    • Result, to transmit the processed result to OpenAI as a new message in which the description field is set to “Result” to signal the threat actor that the output of the execution of the payload is available

    It’s currently not clear who is behind the malware, but the development signals continued abuse of legitimate tools for malicious purposes to blend in with normal network activity and sidestep detection. Microsoft said it shared its findings with OpenAI, which identified and disabled an API key and associated account believed to have been used by the adversary.


    Source: thehackernews.com…

  • Malicious VSX Extension "SleepyDuck" Uses Ethereum to Keep Its Command Server Alive

    Nov 03, 2025 | Ravie Lakshmanan | Cryptocurrency / Threat Intelligence

    Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck.

    According to Secure Annex’s John Tuckner, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published on October 31, 2025, as a completely benign library that was subsequently updated to version 0.0.8 on November 1 to include new malicious capabilities after reaching 14,000 downloads.

    “The malware includes sandbox evasion techniques and utilizes an Ethereum contract to update its command and control address in case the original address is taken down,” Tuckner added.

    Campaigns distributing rogue extensions targeting Solidity developers have been repeatedly detected across both the Visual Studio Extension Marketplace and Open VSX. In July 2025, Kaspersky disclosed that a Russian developer lost $500,000 in cryptocurrency assets after installing one such extension through Cursor.


    In the latest instance detected by the enterprise extension security firm, the malware is triggered when a new code editor window is opened or a .sol file is selected.

    Specifically, it’s configured to find the fastest Ethereum Remote Procedure Call (RPC) provider to connect to in order to obtain access to the blockchain, initialize contact with a remote server at “sleepyduck[.]xyz” (hence the name) via the contract address “0xDAfb81732db454DA238e9cFC9A9Fe5fb8e34c465,” and kick off a polling loop that checks for new commands to be executed on the host every 30 seconds.

    It’s also capable of gathering system information, such as hostname, username, MAC address, and timezone, and exfiltrating the details to the server. In the event the domain is seized or taken down, the malware has built-in fallback controls to reach out to a predefined list of Ethereum RPC addresses to extract the contract information that can hold the server details.

    What’s more, the extension is equipped to retrieve a new configuration from the contract address to set a new server, as well as execute an emergency command on all endpoints in the event that something unexpected occurs. The contract was created on October 31, 2025, with the threat actor updating the server details from “localhost:8080” to “sleepyduck[.]xyz” over the course of four transactions.

    It’s not clear if the download counts were artificially inflated by the threat actors to boost the relevance of the extension in search results – a tactic often adopted to increase the popularity so as to trick unsuspecting developers into installing a malicious library.

    The development comes as the company also disclosed details of another set of five extensions, this time published to the VS Code Extension Marketplace by a user named “developmentinc,” including a Pokémon-themed library that downloads a batch script miner from an external server (“mock1[.]su:443”) as soon as it’s installed or enabled, and runs the miner using “cmd.exe.”

    The script file, besides relaunching itself with administrator privileges using PowerShell and configuring Microsoft Defender Antivirus exclusions by adding every drive letter from C: through Z:, downloads a Monero mining executable from “mock1[.]su” and runs it.


    The extensions uploaded by the threat actor, now no longer available for download, are listed below –

    • developmentinc.cfx-lua-vs
    • developmentinc.pokemon
    • developmentinc.torizon-vs
    • developmentinc.minecraftsnippets
    • developmentinc.kombai-vs

    Users are advised to exercise caution when it comes to downloading extensions, and make sure that they are from trusted publishers. Microsoft, for its part, announced back in June that it’s instituting periodic marketplace-wide scans to protect users against malware. Every removed extension from the official marketplace can be viewed from the RemovedPackages page on GitHub.


    Source: thehackernews.com…

  • Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks

    Nov 03, 2025 | Ravie Lakshmanan | Cybercrime / Supply Chain Attack

    Bad actors are increasingly training their sights on trucking and logistics companies with an aim to infect them with remote monitoring and management (RMM) software for financial gain and ultimately steal cargo freight.

    The threat cluster, believed to be active since at least June 2025 according to Proofpoint, is said to be collaborating with organized crime groups to break into entities in the surface transportation industry with the end goal of plundering physical goods. The most targeted commodities of the cyber-enabled heists are food and beverage products.

    “The stolen cargo most likely is sold online or shipped overseas,” researchers Ole Villadsen and Selena Larson said in a report shared with The Hacker News. “In the observed campaigns, threat actors aim to infiltrate companies and use their fraudulent access to bid on real shipments of goods to ultimately steal them.”


    The campaigns share similarities with a previous set of attacks disclosed in September 2024 that involved targeting transportation and logistics companies in North America with information stealers and remote access trojans (RATs) such as Lumma Stealer, StealC, or NetSupport RAT. However, there is no evidence to suggest that they are the work of the same threat actor.

    In the current intrusion wave detected by Proofpoint, the unknown attackers have leveraged multiple methods, including compromised email accounts to hijack existing conversations, targeting asset-based carriers, freight brokerage firms, and integrated supply chain providers with spear-phishing emails, and posting fraudulent freight listings using hacked accounts on load boards.

    “The actor posts fraudulent freight listings using compromised accounts on load boards and then sends emails containing malicious URLs to carriers who inquire about the loads,” it said. “This tactic exploits the trust and urgency inherent in freight negotiations.”

    Needless to say, the malicious URLs embedded within the messages lead to booby-trapped MSI installers or executables that deploy legitimate RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. In select instances, several of these programs are used together, with PDQ Connect being used to drop and install ScreenConnect and SimpleHelp.

    Once remote access is obtained, the attackers move to conduct system and network reconnaissance, followed by dropping credential harvesting tools such as WebBrowserPassView to capture additional credentials and burrow deeper into the corporate network.

    In at least one case, the threat actor is believed to have weaponized the access to delete existing bookings and block dispatcher notifications, and then added their own device to the dispatcher’s phone extension, booked loads under the compromised carrier’s name, and coordinated the transport.


    The use of RMM software offers several advantages. First, it obviates the need for threat actors to devise bespoke malware. Second, it allows them to fly under the radar, since such tools are prevalent in enterprise environments and are typically not flagged as malicious by security solutions.

    “It’s fairly easy for threat actors to create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans,” Proofpoint noted back in March 2025. “Additionally, such tooling may evade anti-virus or network detection because the installers are often signed, legitimate payloads distributed maliciously.”
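    Because the tools themselves are legitimate, the practical detection is an inventory question: which RMM products are sanctioned here, and is anything else being installed or run, especially one RMM tool installing another as in the PDQ Connect to ScreenConnect/SimpleHelp chain above. The following is an added example, not Proofpoint's detection logic: it runs that allowlist check over constructed process-creation records (the `SAMPLE_LOG` lines, file names and user names are made up, not telemetry from the campaign) keyed on the product names the article lists.

```python
from collections import namedtuple

# Product names from the article, matched case-insensitively against image
# paths and command lines. Loose tokens are deliberate: client binaries and
# installer names vary by version, so the match is on the product string.
RMM_PRODUCTS = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pdq connect": "PDQ Connect",
    "pdq-connect": "PDQ Connect",
    "fleetdeck": "Fleetdeck",
    "n-able": "N-able",
    "logmein": "LogMeIn Resolve",
}

Event = namedtuple("Event", "time user image parent cmdline")
Finding = namedtuple("Finding", "time user product reason")

# Constructed process-creation records in a simple '|'-separated key=value
# form (not real telemetry); Sysmon Event ID 1 or an EDR feed maps to the
# same five fields.
SAMPLE_LOG = """\
time=2025-11-03T09:12:01Z|user=CORP\\dispatch1|image=C:\\Windows\\System32\\msiexec.exe|parent=C:\\Program Files\\Mozilla Firefox\\firefox.exe|cmdline=msiexec.exe /i C:\\Users\\dispatch1\\Downloads\\LoadConfirm_ScreenConnect.msi /qn
time=2025-11-03T09:12:44Z|user=CORP\\dispatch1|image=C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe|parent=C:\\Windows\\System32\\services.exe|cmdline=ScreenConnect.ClientService.exe
time=2025-11-03T09:15:10Z|user=CORP\\dispatch1|image=C:\\ProgramData\\PDQ\\pdq-connect-agent.exe|parent=C:\\Windows\\explorer.exe|cmdline=pdq-connect-agent.exe
time=2025-11-03T09:16:02Z|user=CORP\\dispatch1|image=C:\\Windows\\System32\\msiexec.exe|parent=C:\\ProgramData\\PDQ\\pdq-connect-agent.exe|cmdline=msiexec.exe /i C:\\Temp\\SimpleHelp.msi /qn
time=2025-11-03T10:00:00Z|user=NT AUTHORITY\\SYSTEM|image=C:\\Program Files\\N-able\\Agent\\agent.exe|parent=C:\\Windows\\System32\\services.exe|cmdline=agent.exe -service
"""


def parse_log(text):
    """Turn the key=value records into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(Event(fields["time"], fields["user"], fields["image"],
                            fields["parent"], fields["cmdline"]))
    return events


def rmm_product(text):
    """Return the RMM product named in `text`, or None."""
    low = text.lower()
    for token, product in RMM_PRODUCTS.items():
        if token in low:
            return product
    return None


def detect_rmm(events, sanctioned):
    """Flag RMM activity that is not on the `sanctioned` allowlist, plus any
    RMM tool being launched by a different RMM tool (flagged regardless of
    the allowlist, since stacking two remote-access products is unusual)."""
    findings = []
    for ev in events:
        product = rmm_product(ev.image) or rmm_product(ev.cmdline)
        if product is None:
            continue
        parent_product = rmm_product(ev.parent)
        if parent_product and parent_product != product:
            findings.append(Finding(ev.time, ev.user, product,
                                    "installed by another RMM tool (%s)" % parent_product))
            continue
        if product in sanctioned:
            continue
        if "msiexec" in ev.image.lower():
            findings.append(Finding(ev.time, ev.user, product, "unsanctioned RMM installer run"))
        else:
            findings.append(Finding(ev.time, ev.user, product, "unsanctioned RMM process"))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: this site uses N-able and nothing else.
    for f in detect_rmm(parse_log(SAMPLE_LOG), {"N-able"}):
        print(f)
```

    With N-able as the only sanctioned product, the sample yields four findings: the ScreenConnect installer launched from a browser session, the resulting ScreenConnect service, the unsanctioned PDQ Connect agent, and the SimpleHelp install chained from PDQ Connect. Adding ScreenConnect and PDQ Connect to the allowlist still leaves the chaining finding, which is the signal the article singles out.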


    Source: thehackernews.com…