Author: Mark

  • Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update


    Jul 01, 2025 | Ravie Lakshmanan | Vulnerability / Browser Security

    Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild.

    The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine.

    “Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page,” according to a description of the bug on the NIST’s National Vulnerability Database (NVD).

    Type confusion vulnerabilities can have severe consequences as they can be exploited to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.

    Zero-day bugs like this are especially risky because attackers often start using them before a fix is available. In real-world attacks, these flaws can let hackers install spyware, launch drive-by downloads, or quietly run harmful code — sometimes just by getting someone to open a malicious website.

    Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 25, 2025, signaling that it may have been weaponized in highly targeted attacks — possibly involving nation-state actors or surveillance operations. TAG typically detects and investigates serious threats like government-backed attacks.

    The tech giant also noted that the issue was mitigated the next day by means of a configuration change that was pushed out to the Stable channel across all platforms. For everyday users, that means the threat may not be widespread yet, but it’s still urgent to patch — especially if you’re in roles handling sensitive or high-value data.


    Google has not released any additional details about the vulnerability and who may have exploited it, but acknowledged that “an exploit for CVE-2025-6554 exists in the wild.”

    CVE-2025-6554 is the fourth zero-day vulnerability in Chrome to be addressed by Google since the start of the year after CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419. However, it bears noting that there is no clarity on whether CVE-2025-4664 has been abused in a malicious context.

    To safeguard against potential threats, users are advised to update their Chrome browser to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.

    If you’re unsure whether your browser is up to date, go to Settings > Help > About Google Chrome — it should trigger the latest update automatically. For businesses and IT teams managing multiple endpoints, enabling automatic patch management and monitoring browser version compliance is critical.

    Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.



    Source: thehackernews.com…

  • A New Maturity Model for Browser Security: Closing the Last-Mile Risk


    Despite years of investment in Zero Trust, SSE, and endpoint protection, many enterprises are still leaving one critical layer exposed: the browser.

    It’s where 85% of modern work now happens. It’s also where copy/paste actions, unsanctioned GenAI usage, rogue extensions, and personal devices create a risk surface that most security stacks weren’t designed to handle. For security leaders who know this blind spot exists but lack a roadmap to fix it, a new framework may help.

    The Secure Enterprise Browser Maturity Guide: Safeguarding the Last Mile of Enterprise Risk, authored by cybersecurity researcher Francis Odum, offers a pragmatic model to help CISOs and security teams assess, prioritize, and operationalize browser-layer security. It introduces a clear progression from basic visibility to real-time enforcement and ecosystem integration, built around real-world threats, organizational realities, and evolving user behavior.

    Why the Browser Has Become the Security Blind Spot

    Over the past three years, the browser has quietly evolved into the new endpoint of the enterprise. Cloud-first architectures, hybrid work, and the explosive growth of SaaS apps have made it the primary interface between users and data.

    • 85% of the workday now happens inside the browser
    • 90% of companies allow access to corporate apps from BYOD devices
    • 95% report experiencing browser-based cyber incidents
    • 98% have seen BYOD policy violations

    And while most security programs have hardened identity layers, firewalls, and email defenses, the browser remains largely ungoverned. It’s where sensitive data is copied, uploaded, pasted, and sometimes leaked, with little or no monitoring.

    Traditional Tools Weren’t Built for This Layer

    The guide breaks down why existing controls struggle to close the gap:

    • DLP scans files and email, but misses in-browser copy/paste and form inputs.
    • CASB protects sanctioned apps, but not unsanctioned GenAI tools or personal cloud drives.
    • SWGs block known bad domains, but not dynamic, legitimate sites running malicious scripts.
    • EDR watches the OS, not the browser’s DOM.

    This reflects what is described as the “last mile” of enterprise IT, the final stretch of the data path where users interact with content and attackers exploit the seams.

    GenAI Changed the Game

    A core theme of the guide is how browser-based GenAI usage has exposed a new class of invisible risk. Users routinely paste proprietary code, business plans, and customer records into LLMs with no audit trail.

    • 65% of enterprises admit they have no control over what data goes into GenAI tools
    • Prompts are effectively unsanctioned API calls
    • Traditional DLP, CASB, and EDR tools offer no insight into these flows

    The browser is often the only enforcement point that sees the prompt before it leaves the user’s screen.

    The Secure Enterprise Browser Maturity Model


    To move from reactive response to structured control, the guide introduces a three-stage maturity model for browser-layer security:

    Stage 1: Visibility

    “You can’t protect what you can’t see.”

    Organizations at this stage begin by illuminating browser usage across devices, especially unmanaged ones.

    • Inventory browsers and versions across endpoints
    • Capture telemetry: uploads, downloads, extension installs, session times
    • Detect anomalies (e.g., off-hours SharePoint access, unusual copy/paste behavior)
    • Identify shadow SaaS and GenAI usage without blocking it yet

    Quick wins here include audit-mode browser extensions, logging from SWGs, and flagging outdated or unmanaged browsers.

    Stage 2: Control & Enforcement

    Once visibility is in place, teams begin actively managing risk within the browser:

    • Enforce identity-bound sessions (e.g., block personal Gmail login from corp session)
    • Control uploads/downloads to/from sanctioned apps
    • Block or restrict unvetted browser extensions
    • Inspect browser copy/paste actions using DLP classifiers
    • Display just-in-time warnings (e.g., “You’re about to paste PII into ChatGPT”)

    This stage is about precision: applying the right policies in real-time, without breaking user workflows.

    Stage 3: Integration & Usability

    At full maturity, browser-layer telemetry becomes part of the larger security ecosystem:

    • Events stream into SIEM/XDR alongside network and endpoint data
    • Risk scores influence IAM and ZTNA decisions
    • Browser posture is integrated with DLP classifications and compliance workflows
    • Dual browsing modes (work vs. personal) preserve privacy while enforcing policy
    • Controls extend to contractors, third parties, and BYOD—at scale

    In this phase, security becomes invisible but impactful, reducing friction for users and mean-time-to-response for the SOC.

    A Strategic Roadmap, Not Just a Diagnosis

    The guide doesn’t just diagnose the problem, it helps security leaders build an actionable plan:

    • Use the browser security checklist to benchmark current maturity
    • Identify fast, low-friction wins in Stage 1 (e.g., telemetry, extension audits)
    • Define a control policy roadmap (start with GenAI usage and risky extensions)
    • Align telemetry and risk scoring with existing detection and response pipelines
    • Educate users with inline guidance instead of blanket blocks

    It also includes practical insights on governance, change management, and rollout sequencing for global teams.


    Why This Guide Matters

    What makes this model especially timely is that it doesn’t call for a rip-and-replace of existing tools. Instead, it complements Zero Trust and SSE strategies by closing the final gap where humans interact with data.

    Security architecture has evolved to protect where data lives. But to protect where data moves (copy, paste, prompt, upload), we need to rethink the last mile.

    The Secure Enterprise Browser Maturity Guide is available now for security leaders ready to take structured, actionable steps to protect their most overlooked layer. Download the full guide and benchmark your browser-layer maturity.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • OneClik Red Team Campaign Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors


    Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft’s ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas sectors.

    “The campaign exhibits characteristics aligned with Chinese-affiliated threat actors, though attribution remains cautious,” Trellix researchers Nico Paulo Yturriaga and Pham Duy Phuc said in a technical write-up.

    “Its methods reflect a broader shift toward ‘living-off-the-land’ tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms.”

    The phishing attacks, in a nutshell, make use of a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon that’s designed to communicate with attacker-controlled infrastructure that’s obscured using Amazon Web Services (AWS) cloud services.

    ClickOnce is offered by Microsoft as a way to install and update Windows-based applications with minimal user interaction. It was introduced in .NET Framework 2.0. However, the technology can be an attractive means for threat actors looking to execute their malicious payloads without raising any red flags.


    As noted in the MITRE ATT&CK framework, ClickOnce applications can be used to run malicious code through a trusted Windows binary, “dfsvc.exe,” that’s responsible for installing, launching, and updating the apps. The apps are launched as a child process of “dfsvc.exe.”

    “Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install,” MITRE explains. “As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.”

    Trellix said the attack chains begin with phishing emails containing a link to a fake hardware analysis website that serves as a conduit for delivering a ClickOnce application, which, in turn, runs an executable using dfsvc.exe.

    The binary is a ClickOnce loader that’s launched by injecting the malicious code via another technique known as AppDomainManager injection, ultimately resulting in the execution of an encrypted shellcode in memory to load the RunnerBeacon backdoor.
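    The execution chain above (a ClickOnce payload started as a child of the trusted dfsvc.exe) gives defenders a concrete parent/child relationship to hunt for. The Python below is an added example, not code from Trellix, MITRE or The Hacker News: it triages process-creation records by that relationship. The record fields (host, parent image, image, command line) are a generic shape, the events in SAMPLE_EVENTS are constructed, and the assumption that a legitimately deployed ClickOnce application runs from the per-user cache under %LOCALAPPDATA%\Apps\2.0 is mine and used only to tier the findings.

```python
"""Triage process-creation events for the ClickOnce chain: payload as a
child of dfsvc.exe.

Added example. Events are constructed, not real telemetry. The ClickOnce
cache location used for tiering (%LOCALAPPDATA%\\Apps\\2.0) is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Per-user ClickOnce application cache (assumed normal home of deployed apps).
CLICKONCE_CACHE = re.compile(r"\\AppData\\Local\\Apps\\2\.0\\", re.IGNORECASE)

# Script interpreters and proxy-execution binaries that a deployed
# line-of-business application has little reason to spawn from dfsvc.exe.
SCRIPT_HOSTS = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
})


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[tuple[str, str]]:
    """(severity, reason) for children of dfsvc.exe; None for anything else."""
    if basename(ev.parent_image) != "dfsvc.exe":
        return None
    child = basename(ev.image)
    if child in SCRIPT_HOSTS:
        return "high", f"dfsvc.exe spawned script/proxy host {child}"
    if not CLICKONCE_CACHE.search(ev.image):
        return "medium", "dfsvc.exe launched an executable outside the ClickOnce cache"
    return "low", f"ClickOnce application launch ({child}); baseline by app name"


def scan(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """(host, severity, reason) for every event matching the chain."""
    hits: list[tuple[str, str, str]] = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.append((ev.host, verdict[0], verdict[1]))
    return hits


# Constructed sample records (hypothetical hosts and paths).
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

SAMPLE_EVENTS = [
    ProcEvent("ws-01", DFSVC,
              r"C:\Users\alice\AppData\Local\Apps\2.0\ABCD1234\EFGH5678\inventory.exe",
              "inventory.exe"),
    ProcEvent("ws-02", DFSVC,
              r"C:\Users\bob\AppData\Local\Temp\hwanalyzer.exe",
              "hwanalyzer.exe"),
    ProcEvent("ws-03", DFSVC,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden"),
    ProcEvent("ws-04", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Vendor\app.exe",
              "app.exe"),
]

if __name__ == "__main__":
    for host, severity, reason in scan(SAMPLE_EVENTS):
        print(f"{host}\t{severity}\t{reason}")
```

    The "low" tier is deliberately kept rather than dropped: every ClickOnce launch through dfsvc.exe is visible there, so an analyst can build a list of expected application names and then treat any new name, or any launch from outside the cache, as worth a look.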

    The Golang implant can communicate with a command-and-control (C2) server over HTTP(s), WebSockets, raw TCP, and SMB named pipes, allowing it to perform file operations, enumerate and terminate running processes, execute shell commands, escalate privileges using token theft and impersonation, and achieve lateral movement.

    Additionally, the backdoor incorporates anti-analysis features to evade detection, and supports network operations like port scanning, port forwarding, and SOCKS5 protocol to facilitate proxy and routing features.

    “RunnerBeacon’s design closely parallels known Go-based Cobalt Strike beacons (e.g. the Geacon/Geacon plus/Geacon Pro family),” the researchers said.

    “Like Geacon, the set of commands (shell, process enumeration, file I/O, proxying, etc.) and use of cross-protocol C2 are very similar. These structural and functional similarities suggest RunnerBeacon may be an evolved fork or a privately modified variant of Geacon, tailored for stealthier, and cloud-friendly operations.”

    Three different variants of OneClik have been observed in March 2025 alone: v1a, BPI-MDM, and v1d, with each iteration demonstrating progressively improved capabilities to fly under the radar. That said, a variant of RunnerBeacon was identified in September 2023 at a company in the Middle East in the oil and gas sector.

    Although techniques like AppDomainManager injection have been used by China– and North Korea-linked threat actors in the past, the activity has not been formally attributed to any known threat actor or group. Trellix told The Hacker News that it did not have any more details to share on the scale of these attacks and the regions that have been targeted.

    The development comes as QiAnXin detailed a campaign mounted by a threat actor it tracks as APT-Q-14 that has also employed ClickOnce apps to propagate malware by exploiting a zero-day cross-site scripting (XSS) flaw in the web version of an unnamed email platform. The vulnerability, it said, has since been patched.

    The XSS flaw is automatically triggered when a victim opens a phishing email, causing the download of the ClickOnce app. “The body of the phishing email comes from Yahoo News, which coincides with the victim industry,” QiAnXin noted.

    The intrusion sequence serves a mailbox instruction manual as a decoy, while a malicious trojan is stealthily installed on the Windows host to collect and exfiltrate system information to a C2 server and receive unknown next-stage payloads.


    The Chinese cybersecurity company said APT-Q-14 also focuses on zero-day vulnerabilities in email software for the Android platform.

    APT-Q-14 has been described by QiAnXin as originating from Northeast Asia and having overlaps with other clusters dubbed APT-Q-12 (aka Pseudo Hunter) and APT-Q-15, which are assessed to be sub-groups within a South Korea-aligned threat group known as DarkHotel (aka APT-C-06).

    Earlier this week, Beijing-based 360 Threat Intelligence Center disclosed DarkHotel’s use of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate Microsoft Defender Antivirus and deploy malware as part of a phishing attack that delivered fake MSI installation packages in February 2025.

    The malware is engineered to establish communication with a remote server to download, decrypt, and execute unspecified shellcode.

    “In general, the [hacking group’s] tactics have tended to be ‘simple’ in recent years: Different from the previous use of heavy-weight vulnerabilities, it has adopted flexible and novel delivery methods and attack techniques,” the company said. “In terms of attack targets, APT-C-06 still focuses on North Korean-related traders, and the number of targets attacked in the same period is greater.”



    Source: thehackernews.com…

  • U.S. Arrests Facilitator in North Korean IT Worker Scheme; Seizes 29 Domains and Raids 21 Laptop Farms


    The U.S. Department of Justice (DoJ) on Monday announced sweeping actions targeting the North Korean information technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

    The coordinated action saw searches of 21 known or suspected “laptop farms” between June 10 and 17, 2025 across 14 states in the U.S. that were put to use by North Korean IT workers to remotely connect to victim networks via company-provided laptop computers.

    “The North Korean actors were assisted by individuals in the United States, China, United Arab Emirates, and Taiwan, and successfully obtained employment with more than 100 U.S. companies,” the DoJ said.

    The North Korean IT worker scheme has become one of the crucial cogs in the Democratic People’s Republic of North Korea (DPRK) revenue generation machine in a manner that bypasses international sanctions. The fraudulent operation, described by cybersecurity company DTEX as a state-sponsored crime syndicate, involves North Korean actors obtaining employment with U.S. companies as remote IT workers, using a mix of stolen and fictitious identities.

    Once they land a job, the IT workers receive regular salary payments and gain access to proprietary employer information, including export-controlled U.S. military technology and virtual currency. In one incident, the IT workers are alleged to have secured jobs at an unnamed Atlanta-based blockchain research and development company and stolen over $900,000 in digital assets.

    North Korean IT workers are a serious threat because not only do they generate illegal revenues for the Hermit Kingdom through “legitimate” work, but they also weaponize their insider access to harvest sensitive data, steal funds, and even extort their employers in exchange for not publicly disclosing their data.

    “These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Department’s National Security Division.

    Last month, the DoJ said it had filed a civil forfeiture complaint in the U.S. District Court for the District of Columbia that targeted over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets linked to the global IT worker scheme.


    “North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft,” said Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division. “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime.”

    Chief among the actions announced Monday is the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey, who has been accused of perpetrating a multi-year fraud scheme in collusion with co-conspirators to get remote IT work with U.S. companies, ultimately generating more than $5 million in revenue.

    Other individuals who participated in the scheme include six Chinese and two Taiwanese nationals –

    • Jing Bin Huang (靖斌 黄)
    • Baoyu Zhou (周宝玉)
    • Tong Yuze (佟雨泽)
    • Yongzhe Xu (徐勇哲)
    • Ziyou Yuan
    • Zhenbang Zhou (周震邦)
    • Mengting Liu (劉 孟婷), and
    • Enchia Liu (刘恩)

    According to the indictment, the defendants and other co-conspirators compromised the identities of more than 80 U.S. individuals to obtain remote jobs at more than 100 U.S. companies between 2021 and October 2024. The overseas IT workers are believed to have been assisted by U.S.-based facilitators, Kejia “Tony” Wang, Zhenxing “Danny” Wang, and at least four others, with Kejia Wang even traveling to China in 2023 to meet overseas co-conspirators and IT workers and discuss the scheme.

    To trick the companies into thinking that the remote workers are based in the U.S., Wang et al. received and hosted the company-issued laptops at their residences, and enabled the North Korean threat actors to connect to these devices using KVM (short for “keyboard-video-mouse”) switches like PiKVM or TinyPilot.

    “Kejia Wang and Zhenxing Wang also created shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses,” the DoJ said. “Kejia Wang and Zhenxing Wang established these and other financial accounts to receive money from victimized U.S. companies, much of which was subsequently transferred to overseas co‑conspirators.”

    In return for providing these services, Wang and his co-conspirators are estimated to have received no less than $696,000 from the IT workers.

    Separately, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주), and Chang Nam Il (창남일), with stealing more than $900,000 from the blockchain company located in Atlanta.

    Court documents allege that the defendants traveled to the United Arab Emirates on North Korean documents in October 2019 and worked together as a team. Sometime between December 2020 and May 2021, Kim Kwang Jin and Jong Pong Ju were hired as developers by the blockchain company and a Serbian virtual token company, respectively. Then, acting on the recommendation of Jong Pong Ju, the Serbian company hired Chang Nam Il.

    After Kim Kwang Jin and Jong Pong Ju gained their employers’ trust and were assigned projects that granted them access to the firm’s virtual currency assets, the threat actors proceeded to steal the assets in February and March 2022, in one case altering the source code associated with two of the company’s smart contracts.

    The stolen proceeds were then laundered using a cryptocurrency mixer service known as Tornado Cash and eventually transferred to virtual currency exchange accounts controlled by Kang Tae Bok and Chang Nam Il. These accounts, the DoJ said, were opened using fraudulent Malaysian identification documents.

    “These arrests are a powerful reminder that the threats posed by DPRK IT workers extend beyond revenue generation,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News in a statement. “Once inside, they can conduct malicious activity from within trusted networks, posing serious risks to national security and companies worldwide.”

    “The U.S. government’s actions […] are absolutely top notch and a critical step in disrupting this threat. DPRK actors are increasingly utilizing front companies and trusted third parties to slip past traditional hiring safeguards, including observed instances of those in sensitive sectors like government and the defense industrial base. Organizations must look beyond their applicant portals and reassess trust across their entire talent pipeline because the threat is adapting as we are.”

    Microsoft Suspends 3,000 Email Accounts Tied to IT Workers

    Microsoft, which has been tracking the IT worker threat under the moniker Jasper Sleet (previously Storm-0287) since 2020, said it has suspended 3,000 known Outlook/Hotmail accounts created by the threat actors as part of its broader efforts to disrupt North Korean cyber operations. The activity cluster is also tracked as Nickel Tapestry, Wagemole, and UNC5267.

    The worker fraud scheme starts with setting up identities such that they match the geolocation of their target organizations, after which they are digitally fleshed out through social media profiles and fabricated portfolios on developer-oriented platforms like GitHub to give the personas a veneer of legitimacy.


    The tech giant called out the IT workers’ exploitation of artificial intelligence (AI) tools to enhance images and change voices in order to boost the credibility of their job profiles and appear more authentic to employers. The IT workers have also been found to set up fake profiles on LinkedIn to communicate with recruiters and apply for jobs.

    “These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities,” the Microsoft Threat Intelligence team said.

    Another noteworthy tactic embraced by Jasper Sleet revolves around posting facilitator job ads under the guise of remote job partnerships to help IT workers secure employment, pass identity checks, and work remotely. As the relationship with the facilitators grows, they may also be tasked with creating a bank account for the IT workers, or purchasing mobile phone numbers or SIM cards.

    Furthermore, the witting accomplices are responsible for validating the IT workers’ bogus identities during the employment verification process using online background check service providers. The submitted documents include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident identification cards.

    As a way to counter the threat, Microsoft said it has developed a custom machine learning solution powered by proprietary threat intelligence that can surface suspicious accounts exhibiting behaviors that align with known DPRK tradecraft for follow-on actions.

    “North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries,” Redmond said. “In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees.”



    Source: thehackernews.com…

  • Google Patches Critical Zero-Day Flaw in Chrome’s V8 Engine After Active Exploitation


    Jul 01, 2025 | Ravie Lakshmanan | Vulnerability / Browser Security

    Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild.

    The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine.

    “Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page,” according to a description of the bug on the NIST’s National Vulnerability Database (NVD).

    Type confusion vulnerabilities can have severe consequences as they can be exploited to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.

    Zero-day bugs like this are especially risky because attackers often start using them before a fix is available. In real-world attacks, these flaws can let hackers install spyware, launch drive-by downloads, or quietly run harmful code — sometimes just by getting someone to open a malicious website.

    Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 25, 2025, indicating that it may have been weaponized in highly targeted attacks.

    The involvement of Google’s Threat Analysis Group often signals that an exploit may be linked to targeted attacks — possibly involving nation-state actors or surveillance operations. TAG typically investigates serious threats like phishing campaigns, zero-click exploits, or attempts to bypass browser sandboxing.

    The tech giant also noted that the issue was mitigated the next day by means of a configuration change that was pushed out to the Stable channel across all platforms. For everyday users, that means the threat may not be widespread yet, but it’s still urgent to patch — especially if you’re in roles handling sensitive or high-value data.


    Google has not released any additional details about the vulnerability and who may have exploited it, but acknowledged that “an exploit for CVE-2025-6554 exists in the wild.”

    CVE-2025-6554 is the fourth zero-day vulnerability in Chrome to be addressed by Google since the start of the year after CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419. However, it bears noting that there is no clarity on whether CVE-2025-4664 has been abused in a malicious context.

    To safeguard against potential threats, users are advised to update their Chrome browser to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.

    If you’re unsure whether your browser is up to date, go to Settings > Help > About Google Chrome — it should trigger the latest update automatically. For businesses and IT teams managing multiple endpoints, enabling automatic patch management and monitoring browser version compliance is critical.

    Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
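    The advice in this item and in the earlier item on the same CVE (“Chrome Zero-Day CVE-2025-6554 Under Active Attack”) to monitor browser version compliance across a fleet comes down to comparing each installed build with the first patched build for its platform. The Python below is an added example, not code from Google or The Hacker News: the patched build numbers are the ones quoted in the article, the inventory records are constructed, and the reading of a pair such as 138.0.7204.96/.97 as “.96 is the minimum acceptable build” is my assumption. It also shows why the comparison must be numeric rather than lexical.

```python
"""Check Chrome builds against the versions Google shipped for CVE-2025-6554.

Added example. Patched builds are those quoted in the article; the hosts and
versions in SAMPLE_INVENTORY are constructed for illustration.
"""
from __future__ import annotations

# First patched build per platform, from the article. Where Google publishes a
# pair (e.g. 138.0.7204.96/.97) the lower number is taken as the minimum
# acceptable build (assumption).
PATCHED_VERSIONS: dict[str, str] = {
    "windows": "138.0.7204.96",
    "macos": "138.0.7204.92",
    "linux": "138.0.7204.96",
}


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Split a four-part Chrome version string into a numeric tuple.

    Numeric comparison matters: as strings, "138.0.7204.100" sorts before
    "138.0.7204.96", which would mark a newer build as still vulnerable.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return major, minor, build, patch


def is_patched(platform: str, installed: str) -> bool:
    """True if the installed build is at or above the first patched build."""
    key = platform.strip().lower()
    if key not in PATCHED_VERSIONS:
        raise ValueError(f"no patched version recorded for platform {platform!r}")
    return parse_version(installed) >= parse_version(PATCHED_VERSIONS[key])


# Constructed inventory, shaped like an export from an endpoint-management tool.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "version": "138.0.7204.97"},
    {"host": "ws-02", "platform": "windows", "version": "137.0.7151.120"},
    {"host": "mac-01", "platform": "macos", "version": "138.0.7204.92"},
    {"host": "lx-01", "platform": "linux", "version": "138.0.7204.100"},
    {"host": "lx-02", "platform": "linux", "version": "138.0.7204.49"},
]


def noncompliant_hosts(inventory: list[dict[str, str]]) -> list[str]:
    """Hosts still running a build below the patched version for their platform."""
    return [
        rec["host"]
        for rec in inventory
        if not is_patched(rec["platform"], rec["version"])
    ]


if __name__ == "__main__":
    for host in noncompliant_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below the patched build for CVE-2025-6554")
```

    The same table-driven check extends to other Chromium-based browsers once their vendors publish fixed builds: add a row per browser and platform rather than hard-coding a single version string.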



    Source: thehackernews.com…

  • U.S. Arrests Key Facilitator in North Korean IT Worker Scheme, Seizes $7.74 Million


    The U.S. Department of Justice (DoJ) on Monday announced sweeping actions targeting the North Korean information technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

    The coordinated action saw searches of 21 known or suspected “laptop farms” across 14 states in the U.S. that were put to use by North Korean IT workers to remotely connect to victim networks via company-provided laptop computers.

    “The North Korean actors were assisted by individuals in the United States, China, United Arab Emirates, and Taiwan, and successfully obtained employment with more than 100 U.S. companies,” the DoJ said.

    The North Korean IT worker scheme has become one of the crucial cogs in the Democratic People’s Republic of North Korea (DPRK) revenue generation machine in a manner that bypasses international sanctions. The fraudulent operation, described by cybersecurity company DTEX as a state-sponsored crime syndicate, involves North Korean actors obtaining employment with U.S. companies as remote IT workers, using a mix of stolen and fictitious identities.

    Once they land a job, the IT workers receive regular salary payments and gain access to proprietary employer information, including export-controlled U.S. military technology and virtual currency. In one incident, the IT workers are alleged to have secured jobs at an unnamed Atlanta-based blockchain research and development company and stolen over $900,000 in digital assets.

    North Korean IT workers are a serious threat because not only do they generate illegal revenues for the Hermit Kingdom through “legitimate” work, but they also weaponize their insider access to harvest sensitive data, steal funds, and even extort their employers in exchange for not publicly disclosing their data.

    “These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Department’s National Security Division.

    Last month, the DoJ said it had filed a civil forfeiture complaint in federal court that targeted over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets linked to the global IT worker scheme.

    “North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft,” said Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division. “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime.”

    Chief among the actions announced Monday includes the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey, who has been accused of perpetrating a multi-year fraud scheme in collusion with co-conspirators to get remote IT work with U.S. companies, ultimately generating more than $5 million in revenue.

    Other individuals who participated in the scheme include six Chinese and two Taiwanese nationals –

    • Jing Bin Huang (靖斌 黄)
    • Baoyu Zhou (周宝玉)
    • Tong Yuze (佟雨泽)
    • Yongzhe Xu (徐勇哲 and يونجزهي أكسو)
    • Ziyou Yuan (زيو)
    • Zhenbang Zhou (周震邦)
    • Mengting Liu (劉 孟婷), and
    • Enchia Liu (刘恩)

    According to the indictment, the defendants and other co-conspirators compromised the identities of more than 80 U.S. individuals to obtain remote jobs at more than 100 U.S. companies between 2021 and October 2024. The overseas IT workers are believed to have been assisted by U.S.-based facilitators, Kejia “Tony” Wang, Zhenxing “Danny” Wang, and at least four others, with Kejia Wang even traveling to China in 2023 to meet overseas co-conspirators and IT workers and discuss the scheme.

    To trick the companies into thinking that the remote workers were based in the U.S., Wang et al. received and hosted the company-issued laptops at their residences, and enabled the North Korean threat actors to connect to these devices using KVM (short for “keyboard-video-mouse”) switches like PiKVM or TinyPilot.

    “Kejia Wang and Zhenxing Wang also created shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses,” the DoJ said. “Kejia Wang and Zhenxing Wang established these and other financial accounts to receive money from victimized U.S. companies, much of which was subsequently transferred to overseas co‑conspirators.”

    In return for providing these services, Wang and his co-conspirators are estimated to have received no less than $696,000 from the IT workers.

    Separately, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주), and Chang Nam Il (창남일), with stealing more than $900,000 from the blockchain company located in Atlanta.

    Court documents allege that the defendants traveled to the United Arab Emirates on North Korean documents in October 2019 and worked together as a team. Sometime between December 2020 and May 2021, Kim Kwang Jin and Jong Pong Ju were hired as developers by the blockchain company and a Serbian virtual token company, respectively. Then, acting on the recommendation of Jong Pong Ju, the Serbian company hired Chang Nam Il.

    After Kim Kwang Jin and Jong Pong Ju gained their employers’ trust and were assigned projects that granted them access to the firm’s virtual currency assets, the threat actors proceeded to steal the assets in February and March 2022, in one case altering the source code associated with two of the company’s smart contracts.

    The stolen proceeds were then laundered using a cryptocurrency mixer and eventually transferred to virtual currency exchange accounts controlled by Kang Tae Bok and Chang Nam Il. These accounts, the DoJ said, were opened using fraudulent Malaysian identification documents.

    “These arrests are a powerful reminder that the threats posed by DPRK IT workers extend beyond revenue generation,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News in a statement. “Once inside, they can conduct malicious activity from within trusted networks, posing serious risks to national security and companies worldwide.”

    “The U.S. government’s actions […] are absolutely top notch and a critical step in disrupting this threat. DPRK actors are increasingly utilizing front companies and trusted third parties to slip past traditional hiring safeguards, including observed instances of those in sensitive sectors like government and the defense industrial base. Organizations must look beyond their applicant portals and reassess trust across their entire talent pipeline because the threat is adapting as we are.”

    Microsoft Suspends 3,000 Email Accounts Tied to IT Workers

    Microsoft, which has been tracking the IT worker threat under the moniker Jasper Sleet (previously Storm-0287) since 2020, said it has suspended 3,000 known Outlook/Hotmail accounts created by the threat actors as part of its broader efforts to disrupt North Korean cyber operations. The activity cluster is also tracked as Nickel Tapestry, Wagemole, and UNC5267.

    The worker fraud scheme starts with setting up identities such that they match the geolocation of their target organizations, after which they are digitally fleshed out through social media profiles and fabricated portfolios on developer-oriented platforms like GitHub to give the personas a veneer of legitimacy.

    The tech giant called out the IT workers’ exploitation of artificial intelligence (AI) tools to enhance images and change voices in order to boost the credibility of their job profiles and appear more authentic to employers. The IT workers have also been found to set up fake profiles on LinkedIn to communicate with recruiters and apply for jobs.

    “These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities,” the Microsoft Threat Intelligence team said.

    Another noteworthy tactic embraced by Jasper Sleet revolves around posting facilitator job ads under the guise of remote job partnerships to help IT workers secure employment, pass identity checks, and work remotely. As the relationship with the facilitators grows, they may also be tasked with creating a bank account for the IT workers, or purchasing mobile phone numbers or SIM cards.

    Furthermore, the witting accomplices are responsible for validating the IT workers’ bogus identities during the employment verification process using online background check service providers. The submitted documents include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident identification cards.

    As a way to counter the threat, Microsoft said it has developed a custom machine-learning solution powered by proprietary threat intelligence that can surface suspicious accounts exhibiting behaviors that align with known DPRK tradecraft for follow-on actions.

    “North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries,” Redmond said. “In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees.”


    Source: thehackernews.com…

  • Microsoft Removes Password Management from Authenticator App Starting August 2025

    Jul 01, 2025 | Ravie Lakshmanan | Mobile Security / Privacy

    Microsoft has said that it’s ending support for passwords in its Authenticator app starting August 1, 2025.

    The changes, the company said, are part of its efforts to streamline autofill in the two-factor authentication (2FA) app.

    “Starting July 2025, the autofill feature in Authenticator will stop working, and from August 2025, passwords will no longer be accessible in Authenticator,” Microsoft said in a support document for Microsoft Authenticator.

    It’s worth noting that Microsoft already removed the ability to add or import new passwords in the app as of last month. However, the option to save passwords through autofill will continue to work in July.

    That said, the feature isn’t being completely eliminated. Instead, the saved passwords and addresses will now be synced with users’ Microsoft accounts, allowing them to be accessed via the Edge web browser by setting it as the default autofill provider.

    “After August 2025, your saved passwords will no longer be accessible in Authenticator and any generated passwords not saved will be deleted,” Redmond said.

    Another key aspect to note is that the changes do not apply to passkeys. Users who have enabled passkeys for their Microsoft accounts are required to enable Authenticator as their passkey provider. Disabling Authenticator will also have the side effect of disabling passkeys.

    Users who already use a different password manager solution such as Apple iCloud Keychain or Google Password Manager can set it as their default autofill provider on their mobile devices. Users can also export their passwords from the Authenticator app and then import them into their chosen service.


    Source: thehackernews.com…

  • U.S. Agencies Warn of Rising Iranian Cyberattacks on Defense, OT Networks, and Critical Infrastructure

    Jun 30, 2025 | Ravie Lakshmanan | Cyber Attack / Critical Infrastructure

    U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber-attacks from Iranian state-sponsored or affiliated threat actors.

    “Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events,” the agencies said.

    “These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices.”

    There is currently no evidence of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) noted.

    Emphasizing the need for “increased vigilance,” the agencies singled out Defense Industrial Base (DIB) companies, specifically those with ties to Israeli research and defense firms, as being at an elevated risk. U.S. and Israeli entities may also be exposed to distributed denial-of-service (DDoS) attacks and ransomware campaigns, they added.

    Attackers often start with reconnaissance tools like Shodan to find vulnerable internet-facing devices, especially in industrial control system (ICS) environments. Once inside, they can exploit weak segmentation or misconfigured firewalls to move laterally across networks. Iranian groups have previously used remote access tools (RATs), keyloggers, and even legitimate admin utilities like PsExec or Mimikatz to escalate access—all while evading basic endpoint defenses.

    Based on prior campaigns, attacks mounted by Iranian threat actors leverage techniques like automated password guessing, password hash cracking, and default manufacturer passwords to gain access to internet-exposed devices. They have also been found to employ system engineering and diagnostic tools to breach operational technology (OT) networks.

    The development comes days after the Department of Homeland Security (DHS) released a bulletin, urging U.S. organizations to be on the lookout for possible “low-level cyber attacks” by pro-Iranian hacktivists amid the ongoing geopolitical tensions between Iran and Israel.

    Last week, Check Point revealed that the Iranian nation-state hacking group tracked as APT35 targeted journalists, high-profile cyber security experts, and computer science professors in Israel as part of a spear-phishing campaign designed to capture their Google account credentials using bogus Gmail login pages or Google Meet invitations.

    As mitigations, organizations are advised to follow the steps below –

    • Identify and disconnect OT and ICS assets from the public internet
    • Ensure devices and accounts are protected with strong, unique passwords, replace weak or default passwords, and enforce multi-factor authentication (MFA)
    • Implement phishing-resistant MFA for accessing OT networks from any other network
    • Ensure systems are running the latest software patches to protect against known security vulnerabilities
    • Monitor user access logs for remote access to the OT network
    • Establish OT processes that prevent unauthorized changes, loss of view, or loss of control
    • Adopt full system and data backups to facilitate recovery
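    The advisory's advice to monitor user access logs for remote access to the OT network, together with the automated password guessing and default-password tactics described earlier, as an added example that is not part of the agencies' advisory: a small Python monitor over constructed sshd-style log lines from a remote-access gateway. The gateway name, addresses, user names and the list of default account names are all assumptions made for the example. It flags bursts of failed logins from one source inside a sliding window, a subsequent successful login from a source already flagged, and any successful login to a shared or default account name.

```python
"""Monitor remote-access authentication logs for password guessing and
default-account logins (the activity the advisory says to watch for).

Added example, not from the CISA/FBI/DC3/NSA advisory. The log lines below are
constructed: host name, addresses, users and the default-account list are
illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: account names that commonly ship as defaults or are shared.
DEFAULT_ACCOUNTS = {"admin", "root", "operator", "guest"}

# sshd-style lines from a constructed gateway "vpn-gw" in front of the OT network.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vpn-gw sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample: six failures from one source in 79 s, then a success as
# "admin" from the same source; one harmless typo and a normal login later.
SAMPLE_LOG = """\
2025-06-29T02:00:01 vpn-gw sshd[101]: Failed password for admin from 203.0.113.5 port 51001 ssh2
2025-06-29T02:00:12 vpn-gw sshd[102]: Failed password for admin from 203.0.113.5 port 51002 ssh2
2025-06-29T02:00:25 vpn-gw sshd[103]: Failed password for admin from 203.0.113.5 port 51003 ssh2
2025-06-29T02:00:41 vpn-gw sshd[104]: Failed password for operator from 203.0.113.5 port 51004 ssh2
2025-06-29T02:00:58 vpn-gw sshd[105]: Failed password for operator from 203.0.113.5 port 51005 ssh2
2025-06-29T02:01:20 vpn-gw sshd[106]: Failed password for admin from 203.0.113.5 port 51006 ssh2
2025-06-29T02:01:30 vpn-gw sshd[107]: Accepted password for admin from 203.0.113.5 port 51007 ssh2
2025-06-29T09:14:50 vpn-gw sshd[230]: Failed password for jdoe from 10.20.0.14 port 40000 ssh2
2025-06-29T09:15:00 vpn-gw sshd[231]: Accepted password for jdoe from 10.20.0.14 port 40001 ssh2
"""


def parse_line(line):
    """Parse one log line into an event dict, or None for lines we don't understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
            "user": m["user"], "src": m["src"]}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Return {src: peak failures within any `window`} for sources at or above threshold."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            by_src[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in by_src.items():
        recent, peak = deque(), 0
        for t in times:                      # sliding window over failure timestamps
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def detect_success_after_guessing(events, guessing):
    """Accepted logins from a source already flagged for guessing: treat as likely compromise."""
    return [(e["src"], e["user"], e["ts"].isoformat())
            for e in events if e["ok"] and e["src"] in guessing]


def detect_default_account_logins(events, accounts=DEFAULT_ACCOUNTS):
    """Successful logins to shared/default account names, which the advisory says to replace."""
    return [(e["src"], e["user"]) for e in events if e["ok"] and e["user"] in accounts]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    guess = detect_guessing(evs)
    print("password guessing:", guess)
    print("success after guessing:", detect_success_after_guessing(evs, guess))
    print("default-account logins:", detect_default_account_logins(evs))
```

    The window and threshold are deliberately conservative; on a real gateway they should be tuned against a baseline of normal failed logins so that the burst alert fires on automated guessing rather than on a user mistyping a password.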

    For organizations wondering where to start, a practical approach is to first review your external attack surface—what systems are exposed, which ports are open, and whether any outdated services are still running. Tools like CISA’s Cyber Hygiene program or open-source scanners such as Nmap can help identify risks before attackers do. Aligning your defenses with the MITRE ATT&CK framework also makes it easier to prioritize protections based on real-world tactics used by threat actors.

    “Despite a declared ceasefire and ongoing negotiations towards a permanent solution, Iranian-affiliated cyber actors and hacktivist groups may still conduct malicious cyber activity,” the agencies said.


    Source: thehackernews.com…

  • Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects

    Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world.

    The operation, the agency said, was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. Europol said the investigation into the syndicate started in 2023.

    In addition, the five alleged suspects behind the cryptocurrency scam were arrested on June 25, 2025. Three of the arrests took place in the Canary Islands, while two others were apprehended from Madrid.

    “To carry out their fraudulent activities, the leaders of the criminal network allegedly used a net of associates spread around the world to raise funds through cash withdrawals, bank transfers, and crypto-transfers,” Europol said.

    These types of scams often follow a pattern known as “pig butchering,” where scammers slowly build trust with victims over weeks or months—often through dating apps or friendly chats—before convincing them to invest in fake crypto platforms. Behind the scenes, fraudsters use social engineering tricks, like fake trading dashboards and scripted conversations, to keep the illusion going. Once money is deposited, it’s moved across multiple accounts in a process called layering, making it harder for authorities to trace.

    The cybercriminals are believed to have set up a corporate and banking network based in Hong Kong, with the illicitly obtained funds routed through a maze of payment gateways and user accounts in the names of different people and in different exchanges.

    The development comes shortly after the U.S. Department of Justice (DoJ) filed a civil forfeiture complaint seeking to recover over $225 million in cryptocurrency linked to cryptocurrency confidence (aka romance baiting) scams running out of Vietnam and the Philippines.

    Europol described the “scale, variety, sophistication, and reach” of these online fraud schemes as “unprecedented,” adding that they are on track to outpace other forms of serious and organized crime, thanks to the increased adoption of artificial intelligence (AI) technologies.

    “The integration of generative artificial intelligence by transnational criminal groups involved in cyber-enabled fraud is a complex and alarming trend observed in Southeast Asia, and one that represents a powerful force multiplier for criminal activities,” said UNODC Regional Analyst, John Wojcik, late last year.

    According to a report from INTERPOL last week, cybercrime reports account for more than 30% of all reported crimes in Western and Eastern Africa. This included online scams, ransomware, business email compromise (BEC), and digital sextortion.

    “Cybercrime continues to outpace the legal systems designed to stop it,” INTERPOL said, adding, “75% of countries surveyed said their legal frameworks and prosecution capacity needed improvement.”

    Part of what makes this kind of fraud so hard to fight is how criminals exploit legal loopholes and fragmented international laws. Many scammers now use synthetic identities—fake personas built with stolen or AI-generated data—to register accounts or rent bank access. They also recruit financial mules to move money, often without them realizing they’re part of a crime.

    To pull off such investment fraud schemes, unwitting people from Asia and Africa are lured into Southeast Asia with lucrative job opportunities and then forcibly detained inside “scam compounds” run by transnational organized crime groups originating from China.

    As many as 53 scam compounds have been identified in Cambodia, per Amnesty International, where the non-profit said “human rights abuses have taken place or continue to occur, including human trafficking, torture and other ill-treatment, forced labour, child labour, deprivation of liberty and slavery.”

    Many of the people forced into these scam compounds were originally promised tech or sales jobs abroad. Once they arrive, their passports are taken and they’re forced to scam others under threats of violence or debt.

    Last year, the United States Institute of Peace revealed that the return on cyber scamming is estimated to exceed $12.5 billion annually in Cambodia, which amounts to half the country’s formal gross domestic product (GDP).

    The findings highlight the enormity and scale of the problem, which typically involves building trust with prospective victims on social media and online dating apps before coaxing them to invest their funds in a bogus cryptocurrency platform.

    The illegal operation has had such an impact that the Indian Embassy in Cambodia has a prominent warning on its website urging citizens to be vigilant against falling into the hands of human traffickers under the pretext of high-paying jobs, stating job seekers are coerced to undertake online financial scams and other illegal activities.

    Adding more context to the criminal activity is a recent report from ProPublica that Chinese-language Telegram channels and groups are advertising to scammers the ability to rent U.S. bank accounts at Bank of America, Chase, Citibank, and PNC, which the scammers then use to launder the proceeds. Telegram has begun to take action on some of these channels.

    Meta is said to have detected and taken down no less than seven million Facebook accounts associated with scam centers in Asia and the Middle East since the start of 2024, per a statement shared by the company to the investigative journalism organization.


    Source: thehackernews.com…

  • Blind Eagle Uses Proton66 Hosting for Phishing, RAT Deployment on Colombian Banks

    Jun 30, 2025 | Ravie Lakshmanan | Cybercrime / Vulnerability

    The threat actor known as Blind Eagle has been attributed with high confidence to the use of the Russian bulletproof hosting service Proton66.

    Trustwave SpiderLabs, in a report published last week, said it was able to make this connection by pivoting from Proton66-linked digital assets, leading to the discovery of an active threat cluster that leverages Visual Basic Script (VBS) files as its initial attack vector and installs off-the-shelf remote access trojans (RATs).

    Many threat actors rely on bulletproof hosting providers like Proton66 because these services intentionally ignore abuse reports and legal takedown requests. This makes it easier for attackers to run phishing sites, command-and-control servers, and malware delivery systems without interruption.

    The cybersecurity company said it identified a set of domains with a similar naming pattern (e.g., gfast.duckdns[.]org, njfast.duckdns[.]org) beginning in August 2024, all of which resolved to the same IP address (“45.135.232[.]38”) that’s associated with Proton66.

    The use of dynamic DNS services like DuckDNS also plays a key role in these operations. Instead of registering new domains each time, attackers rotate subdomains tied to a single IP address — making detection harder for defenders.
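    The pivot Trustwave describes, and the subdomain-rotation pattern above, as an added example that is not Trustwave's tooling or code: a short Python routine over passive-DNS style resolution records that groups hostnames by the IP they resolved to, flags any address serving several subdomains of one dynamic-DNS parent, and lists the siblings of a seed hostname. The two duckdns hostnames and the IP are the ones quoted in the article; every other record, and the list of dynamic-DNS parent domains, is constructed for the example.

```python
"""Infrastructure pivot on passive-DNS style records: group hostnames by the IP
they resolved to and flag addresses that serve several subdomains of one
dynamic-DNS parent (the rotation pattern described above).

Added illustration, not Trustwave's tooling. The two duckdns hostnames and the
IP are the ones quoted in the article; every other record is constructed.
"""
from collections import defaultdict

# Assumption: short illustrative list of free dynamic-DNS parent domains.
DYNAMIC_DNS_PARENTS = {"duckdns.org", "no-ip.com", "ddns.net", "hopto.org"}

# Constructed resolution records: (first_seen, hostname, resolved_ip),
# written defanged ("[.]") the way the article prints them.
RECORDS = [
    ("2024-08-03", "gfast.duckdns[.]org", "45.135.232[.]38"),    # from the article
    ("2024-08-10", "njfast.duckdns[.]org", "45.135.232[.]38"),   # from the article
    ("2024-09-01", "xfast.duckdns[.]org", "45.135.232[.]38"),    # constructed sibling
    ("2024-09-05", "updates.example[.]com", "203.0.113[.]10"),   # constructed, benign
    ("2024-09-06", "mail.example[.]com", "203.0.113[.]10"),      # constructed, benign
    ("2024-09-09", "homecam.no-ip[.]com", "198.51.100[.]7"),     # constructed, lone host
]


def refang(s):
    """Turn a defanged indicator back into a real hostname or IP."""
    return s.replace("[.]", ".")


def dyn_parent(hostname):
    """Return the dynamic-DNS parent domain of hostname, or None if it has none."""
    labels = refang(hostname).lower().split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in DYNAMIC_DNS_PARENTS:
            return parent
    return None


def cluster_by_ip(records):
    """Map resolved IP -> sorted distinct hostnames that resolved to it."""
    by_ip = defaultdict(set)
    for _, host, ip in records:
        by_ip[refang(ip)].add(refang(host))
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def flag_rotation(records, min_hosts=2):
    """Return {ip: {parent: [subdomains]}} for IPs where at least min_hosts
    distinct subdomains of the same dynamic-DNS parent share the address."""
    findings = {}
    for ip, hosts in cluster_by_ip(records).items():
        per_parent = defaultdict(list)
        for host in hosts:
            parent = dyn_parent(host)
            if parent:
                per_parent[parent].append(host)
        hits = {p: subs for p, subs in per_parent.items() if len(subs) >= min_hosts}
        if hits:
            findings[ip] = hits
    return findings


def pivot_from_host(records, seed):
    """Sibling hostnames sharing an IP with seed: the pivot step described above."""
    seed = refang(seed)
    ips = {refang(ip) for _, host, ip in records if refang(host) == seed}
    clusters = cluster_by_ip(records)
    return sorted({h for ip in ips for h in clusters.get(ip, []) if h != seed})


if __name__ == "__main__":
    for ip, hits in flag_rotation(RECORDS).items():
        for parent, subs in hits.items():
            print(f"{ip}: {len(subs)} {parent} subdomains -> {', '.join(subs)}")
    print("pivot from gfast:", pivot_from_host(RECORDS, "gfast.duckdns[.]org"))
```

    Two hostnames on a shared IP is a low bar on its own, since dynamic-DNS providers legitimately host many unrelated users on one address; the signal here is the combination of a naming pattern, a single IP, and that IP belonging to a known bulletproof hoster, so the output is a candidate cluster to investigate rather than a verdict.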

    “The domains in question were used to host a variety of malicious content, including phishing pages and VBS scripts that serve as the initial stage of malware deployment,” security researcher Serhii Melnyk said. “These scripts act as loaders for second-stage tools, which, in this campaign, are limited to publicly available and often open-source RATs.”

    While Visual Basic Script (VBS) might seem outdated, it’s still a go-to tool for initial access due to its compatibility with Windows systems and ability to run silently in the background. Attackers use it to download malware loaders, bypass antivirus tools, and blend into normal user activity. These lightweight scripts are often the first step in multi-stage attacks, which later deploy remote access trojans (RATs), data stealers, or keyloggers.

    The phishing pages have been found to impersonate legitimate Colombian banks and financial institutions, including Bancolombia, BBVA, Banco Caja Social, and Davivienda. Blind Eagle, also known as AguilaCiega, APT-C-36, and APT-Q-98, is known for its targeting of entities in South America, particularly Colombia and Ecuador.

    The deceptive sites are engineered to harvest user credentials and other sensitive information. The VBS payloads hosted on the infrastructure come fitted with capabilities to retrieve encrypted executable files from a remote server, essentially acting as a loader for commodity RATs like AsyncRAT or Remcos RAT.

    Furthermore, an analysis of the VBS code has revealed overlaps with Vbs-Crypter, a tool linked to a subscription-based crypter service called Crypters and Tools that’s used to obfuscate and pack VBS payloads with the aim of avoiding detection.

    Trustwave said it also discovered a botnet panel that allows users to “control infected machines, retrieve exfiltrated data, and interact with infected endpoints through a broad set of capabilities typically found in commodity RAT management suites.”

    The disclosure comes as Darktrace revealed details of a Blind Eagle campaign that has been targeting Colombian organizations since November 2024 by exploiting a now-patched Windows flaw (CVE-2024-43451) to download and execute the next-stage payload, a behavior that was first documented by Check Point in March 2025.

    “The persistence of Blind Eagle and ability to adapt its tactics, even after patches were released, and the speed at which the group were able to continue using pre-established TTPs highlights that timely vulnerability management and patch application, while essential, is not a standalone defense,” the company said.


    Source: thehackernews.com…