Category: Cybersecurity

  • Malicious Pull Request Targets 6,000+ Developers via Vulnerable Ethcode VS Code Extension

    Cybersecurity researchers have flagged a supply chain attack targeting a Microsoft Visual Studio Code (VS Code) extension called Ethcode that has been installed a little over 6,000 times.

    The compromise, per ReversingLabs, occurred via a GitHub pull request that was opened by a user named Airez299 on June 17, 2025.

    First released by 7finney in 2022, Ethcode is a VS Code extension that’s used to deploy and execute Solidity smart contracts on Ethereum Virtual Machine (EVM)-based blockchains. An EVM is a decentralized computation engine designed to run smart contracts on the Ethereum network.

    According to the supply chain security company, the GitHub project received its last non-malicious update on September 6, 2024. That changed last month when Airez299 opened a pull request with the message “Modernize codebase with viem integration and testing framework.”

    The user claimed to have added a new testing framework with Mocha integration and contract testing features, as well as made a number of changes, including removing old configurations and updating the dependencies to the latest version.

    While that may seem like a useful update for a project that lay dormant for over nine months, ReversingLabs said the unknown threat actor behind the attack managed to sneak in two lines of code as part of 43 commits and roughly 4,000 changed lines, compromising the entire extension.

    This included the addition of an npm dependency, “keythereum-utils,” to the project’s package.json file and an import of it in the TypeScript file that backs the VS Code extension (“src/extension.ts”).

    The JavaScript library, now taken down from the npm registry, has been found to be heavily obfuscated and contains code to download an unknown second-stage payload. The package has been downloaded 495 times.

    Multiple versions of “keythereum-utils” have been uploaded to npm by users named 0xlab (version 1.2.1), 0xlabss (versions 1.2.2, 1.2.3, 1.2.4, 1.2.5, and 1.2.6), and 1xlab (version 1.2.7). The npm accounts no longer exist.
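    A reviewer-side check for this kind of pull request, as an added example (not code from the article or from the Ethcode project): it diffs the dependency sections of two package.json manifests and locates the source lines that import each newly added package, flagging bare side-effect imports, which run a package’s code without it ever being referenced. The manifests, the extension excerpt and the function names are constructed sample data and assumptions modelled on the change described above.

```python
"""Review helper for a pull request that touches package.json (added example).

Flags dependencies a PR introduces and finds the source lines that import them,
so a reviewer of a 4,000-line PR can go straight to the lines that matter.
"""
import json
import re

# Constructed "before" manifest: what the dormant project depended on.
BASE_PACKAGE_JSON = json.dumps({
    "name": "ethcode",
    "dependencies": {"ethers": "^5.7.2"},
    "devDependencies": {"typescript": "^4.9.5"},
})

# Constructed "after" manifest: the PR bumps versions and adds new packages,
# one of which is the dependency the article describes.
HEAD_PACKAGE_JSON = json.dumps({
    "name": "ethcode",
    "dependencies": {"ethers": "^6.13.0", "viem": "^2.0.0",
                     "keythereum-utils": "^1.2.7"},
    "devDependencies": {"typescript": "^5.4.0", "mocha": "^10.4.0"},
})

# Constructed excerpt of src/extension.ts after the PR.
HEAD_EXTENSION_TS = """\
import * as vscode from 'vscode';
import { createPublicClient } from 'viem';
import 'keythereum-utils';

export function activate(context: vscode.ExtensionContext) {
  // ... extension body ...
}
"""

DEP_SECTIONS = ("dependencies", "devDependencies",
                "optionalDependencies", "peerDependencies")


def dependency_changes(base_json: str, head_json: str) -> dict:
    """Return {'added': {name: version}, 'bumped': {name: (old, new)}} across
    all dependency sections. Brand-new names deserve the closest scrutiny."""
    base, head = json.loads(base_json), json.loads(head_json)
    added, bumped = {}, {}
    for section in DEP_SECTIONS:
        old, new = base.get(section, {}), head.get(section, {})
        for name, version in new.items():
            if name not in old:
                added[name] = version
            elif old[name] != version:
                bumped[name] = (old[name], version)
    return {"added": added, "bumped": bumped}


# Matches `import ... from 'pkg'`, `import 'pkg'` and `const x = require('pkg')`.
IMPORT_RE = re.compile(
    r"""^\s*(?:import\b[^'"]*|(?:const|let|var)\b[^=]*=\s*require\()\s*['"]([^'"]+)['"]""")


def import_lines(source: str, package: str) -> list:
    """1-based line numbers in `source` that import `package` or a subpath."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = IMPORT_RE.match(line)
        if m and (m.group(1) == package or m.group(1).startswith(package + "/")):
            hits.append(lineno)
    return hits


def review(base_json: str, head_json: str, sources: dict) -> list:
    """One finding per import of a newly added dependency: file, line and
    whether it is a bare side-effect import (`import 'pkg';`)."""
    findings = []
    for name, version in dependency_changes(base_json, head_json)["added"].items():
        for path, text in sources.items():
            for lineno in import_lines(text, name):
                line = text.splitlines()[lineno - 1].strip()
                bare = re.fullmatch(r"import\s+['\"][^'\"]+['\"];?", line) is not None
                findings.append({"package": name, "version": version,
                                 "file": path, "line": lineno,
                                 "side_effect_import": bare})
    return findings


if __name__ == "__main__":
    for finding in review(BASE_PACKAGE_JSON, HEAD_PACKAGE_JSON,
                          {"src/extension.ts": HEAD_EXTENSION_TS}):
        print(finding)
```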

    “After deobfuscating the keythereum-utils code, it became easy to see what the script does: spawn a hidden PowerShell that downloads and runs a batch script from a public file-hosting service,” security researcher Petar Kirhmajer said.

    While the exact nature of the payload is not known, it’s believed to be a piece of malware that’s either capable of stealing cryptocurrency assets or poisoning the contracts that are being developed by users of the extension.

    Following responsible disclosure to Microsoft, the extension was removed from the VS Code Extensions Marketplace. After the removal of the malicious dependency, the extension has since been reinstated.

    “Ethcode package has been unpublished by Microsoft,” 0mkara, a project maintainer for the tool, said in a pull request submitted on June 28. “They detected a malicious dependency in Ethcode. This PR removes potential malicious repository keythereum from the package.”

    Ethcode is the latest example of a broader and escalating trend of software supply chain attacks, where attackers weaponize public repositories like PyPI and npm to deliver malware directly into developer environments.

    “The GitHub account Airez299 that initiated the Ethcode pull request was created on the same day as the PR request was opened,” ReversingLabs said. “Accordingly, the Airez299 account does not have any previous history or activity associated with it. This strongly indicates that this is a throwaway account that was created solely for the purpose of infecting this repo — a goal in which they were successful.”

    According to data compiled by Sonatype, 16,279 pieces of open-source malware have been discovered in the second quarter of 2025, a 188% jump year-over-year. In comparison, 17,954 pieces of open-source malware were uncovered in Q1 2025.

    Of these, more than 4,400 malicious packages were engineered to harvest and exfiltrate sensitive information, such as credentials and API tokens.

    “Malware targeting data corruption doubled in frequency, making up 3% of total malicious packages — more than 400 unique instances,” Sonatype said. “These packages aim to damage files, inject malicious code, or otherwise sabotage applications and infrastructure.”

    A total of 107 malicious packages have been attributed to the North Korea-linked Lazarus Group, and were collectively downloaded over 30,000 times. Another set of more than 90 npm packages has been associated with a Chinese threat cluster dubbed Yeshen-Asia that has been active since at least December 2024 to harvest system information and the list of running processes.

    These numbers underscore the growing sophistication of attacks targeting developer pipelines, with attackers increasingly exploiting the trust in open-source ecosystems to carry out supply chain compromises.

    “Each was published from a distinct author account, each hosted just one malicious component, and all communicated with infrastructure behind Cloudflare-protected yeshen.asia domains,” the company said.

    “Although no novel techniques were observed in this second wave, the level of automation and infrastructure reuse reflect a deliberate, persistent campaign focused on credential theft and secret exfiltration.”

    The development comes as Socket identified eight fake gaming-related extensions in the Mozilla Firefox Add-ons store that harbored varying levels of malicious functionality, ranging from adware to Google OAuth token theft.

    Specifically, some of these extensions have also been found to redirect to gambling sites, serve bogus Apple virus alerts, and stealthily route shopping sessions through affiliate tracking links to earn commissions, and even track users by injecting invisible tracking iframes containing unique identifiers.

    The names of the add-ons, all published by a threat actor with the username “mre1903,” are below –

    • CalSyncMaster
    • VPN – Grab a Proxy – Free
    • GimmeGimme
    • Five Nights at Freddy’s
    • Little Alchemy 2
    • Bubble Spinner
    • 1v1.LOL
    • Krunker io Game

    “Browser extensions remain a favored attack vector due to their trusted status, extensive permissions, and ability to execute within the browser’s security context,” Socket researcher Kush Pandya said. “The progression from simple redirect scams to OAuth credential theft demonstrates how quickly these threats evolve and scale.”

    “More concerning, the redirect infrastructure could easily be repurposed for more intrusive behavior such as comprehensive tracking, credential harvesting, or malware distribution.”


    Source: thehackernews.com…

  • BaitTrap: Over 17,000 Fake News Websites Caught Fueling Investment Fraud Globally

    A newly released report by cybersecurity firm CTM360 reveals a large-scale scam operation utilizing fake news websites—known as Baiting News Sites (BNS)—to deceive users into online investment fraud across 50 countries.

    These BNS pages are made to look like real news outlets: CNN, BBC, CNBC, or regional media. They publish fake stories that feature public figures, central banks, or financial brands, all claiming to back new ways to earn passive income. The goal? Build trust quickly and steer readers toward professional-looking scam platforms like Trap10, Solara Vynex, or Eclipse Earn.

    Scammers use sponsored ads on Google, Meta, and blog networks to push traffic to these sites. Ads often carry clickbait headlines—“You won’t believe what a prominent public figure just revealed”—paired with official photos or national flags to make them feel legit. Clicking the ad directs users to a fake article, which then redirects them to a fraudulent trading platform.

    Many of these scams follow a two-phase structure. The first phase focuses on luring victims through ads and fake articles; the second phase kicks in once the victim engages, starting with a call from a so-called advisor, followed by requests for ID documents, crypto deposits, and ongoing “account verifications” designed to delay withdrawals. This layered setup helps scammers build false trust, stall suspicion, and extract maximum value before the victim realizes it’s a trap.

    CTM360’s Webhunt platform has tracked over 17,000 of these sites so far. Many are hosted on cheap top-level domains like .xyz, .click, or .shop. In some cases, attackers compromise real websites to host BNS content inside subfolders, making takedowns harder. The pages are often customized per region—using local languages, familiar media logos, regional influencers, and banks to increase believability.

    Most users encounter these scams while searching for ways to invest online or earn passive income, often clicking on sponsored headlines that mimic legitimate financial advice. The content is designed to match those high-intent searches—phrases like “automated crypto trading” or “celebrity-backed investment” are common bait, tailored to match what people are already looking for.

    Once on the fake platform, victims are asked to register with their name, phone number, and email. Soon after, an “investment agent” follows up via phone, sounding professional and persuasive. Victims are urged to make a small deposit—usually around $240—to activate their account. From there, fake dashboards simulate profits, showing earnings that don’t exist. The longer the victim stays engaged, the more they’re pressured to invest again.

    These schemes don’t just exploit trust—they also collect sensitive data for reuse in phishing, identity theft, and secondary fraud. That makes Baiting News Sites a crossover threat: part investment scam, part brand impersonation, part data harvesting. It’s a pattern increasingly seen in pig butchering scams, fake KYC platforms, and affiliate fraud networks—topics that deserve closer tracking as the ecosystem evolves.

    CTM360’s Scam Navigator tool, modeled on the MITRE framework, maps out how these scams work step-by-step: from resource setup and ad creation to victim interaction, data theft, and monetization. BNS plays a key role in the distribution phase, acting as the entry point for a much larger fraud pipeline.

    CTM360 continues to track these campaigns and provide takedown support, threat intelligence, and risk protection to governments and organizations across targeted regions.

    Read the full report here.

    About CTM360 – CTM360 is a unified external security platform that integrates External Attack Surface Management, Digital Risk Protection, Cyber Threat Intelligence, Brand Protection & Anti-phishing, Surface, Deep & Dark Web Monitoring, Security Ratings, Third Party Risk Management and Unlimited Takedowns. Seamless and turn-key, CTM360 requires no configurations, installations or inputs from the end-user, with all data pre-populated and specific to your organization. All aspects are managed by CTM360.

    For more, visit www.ctm360.com.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • RondoDox Botnet Exploits Flaws in TBK DVRs and Four-Faith Routers to Launch DDoS Attacks

    Cybersecurity researchers are calling attention to a malware campaign that’s targeting security flaws in TBK digital video recorders (DVRs) and Four-Faith routers to rope the devices into a new botnet called RondoDox.

    The vulnerabilities in question include CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 DVRs, and CVE-2024-12856, an operating system (OS) command injection bug affecting Four-Faith router models F3x24 and F3x36.

    Many of these devices are installed in critical environments like retail stores, warehouses, and small offices, where they often go unmonitored for years. That makes them ideal targets—easy to exploit, hard to detect, and usually exposed directly to the internet through outdated firmware or misconfigured ports.

    It’s worth noting that all three security defects have been repeatedly weaponized by threat actors to deploy different Mirai botnet variants in recent months.

    “Both [the security flaws] have been publicly disclosed and are actively being targeted, posing serious risks to device security and overall network integrity,” Fortinet FortiGuard Labs researcher Vincent Li said.

    The cybersecurity company said it first identified an ELF binary for RondoDox in September 2024. The malware is capable of mimicking traffic from gaming platforms or VPN servers in order to fly under the radar.

    What makes RondoDox especially dangerous isn’t just the device takeover—it’s how the attackers repurpose that access. Instead of using infected devices as typical botnet nodes, they weaponize them as stealth proxies to hide command-and-control traffic, carry out layered scams, or amplify DDoS-for-hire campaigns that blend financial fraud with infrastructure disruption.

    Analysis of RondoDox artifacts indicates that it was initially distributed to target Linux-based operating systems running on ARM and MIPS architectures, before being distributed via a shell script downloader that can target other Linux architectures like Intel 80386, MC68000, MIPS R3000, PowerPC, SuperH, ARCompact, x86-64, and AArch64.

    The shell script, once launched, instructs the victim host to ignore the SIGINT, SIGQUIT, and SIGTERM signals used to terminate processes in Unix-like operating systems, and checks for a writable location among paths such as /dev, /dev/shm, the victim user’s home directory, /mnt, /run/user/0, /var/log, /var/run, /var/tmp, and /data/local/tmp.

    In the final step, the RondoDox malware is downloaded and executed on the host, and the command execution history is cleared to remove traces of the malicious activity. The botnet payload, for its part, proceeds to set up persistence on the machine to ensure that it’s automatically launched following a system reboot.

    It’s also designed to scan the list of running processes and terminate any process related to network utilities (e.g., wget and curl), system analysis tools (e.g., Wireshark and gdb), or other malware (e.g., cryptominers or Redtail variants) so as to maintain operational stealth.

    This approach reflects a growing trend in botnet design—using multi-architecture droppers, DoH-based C2 resolution, and XOR-encrypted payloads to bypass legacy IDS rules. As part of a broader category of evasive Linux malware, RondoDox sits alongside threats like RustoBot and Mozi, forming a new wave of adaptable botnets built to exploit poor IoT hygiene and weak router hardening.

    Furthermore, RondoDox scans several common Linux executable directories, such as /usr/sbin, /usr/bin, /usr/local/bin, and /usr/local/sbin, and renames legitimate executables to random strings in an attempt to inhibit recovery efforts. The modified file names are listed below –

    • iptables – jsuJpf
    • ufw – nqqbsc
    • passwd – ahwdze
    • chpasswd – ereghx
    • shutdown – hhrqwk
    • poweroff – dcwkkb
    • halt – cjtzgw
    • reboot – gaajct
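    An added host check (not part of the article or of Fortinet’s analysis) that looks for the renamed binaries listed above in the executable directories the article names, and reports which of the legitimate tools are no longer present anywhere. It also builds a constructed temporary directory tree standing in for an infected host so the scan can be exercised offline; `demo_scan` and `suspected_rondodox` are helper names assumed here.

```python
"""Host check for the RondoDox binary renaming described above (added example)."""
import os
import tempfile

# Mapping taken from the article: legitimate name -> alias RondoDox renames it to.
RONDODOX_RENAMES = {
    "iptables": "jsuJpf", "ufw": "nqqbsc", "passwd": "ahwdze",
    "chpasswd": "ereghx", "shutdown": "hhrqwk", "poweroff": "dcwkkb",
    "halt": "cjtzgw", "reboot": "gaajct",
}

# Executable directories the article says the malware scans.
BIN_DIRS = ["/usr/sbin", "/usr/bin", "/usr/local/bin", "/usr/local/sbin"]


def scan_for_renamed_binaries(bin_dirs=BIN_DIRS, renames=RONDODOX_RENAMES):
    """Scan `bin_dirs` and return a dict with:
      renamed: [(directory, legitimate_name, alias)] for every alias found
      missing: legitimate names found in none of the scanned directories
      scanned: directories that actually existed and were readable
    A hit in `renamed` is the strong indicator; `missing` on its own is weak,
    because a tool such as ufw may simply not be installed on the host.
    """
    renamed, present, scanned = [], set(), []
    for directory in bin_dirs:
        try:
            entries = set(os.listdir(directory))
        except OSError:            # directory absent or unreadable: skip it
            continue
        scanned.append(directory)
        for legit, alias in renames.items():
            if alias in entries:
                renamed.append((directory, legit, alias))
            if legit in entries:
                present.add(legit)
    missing = sorted(name for name in renames if name not in present)
    return {"renamed": renamed, "missing": missing, "scanned": scanned}


def suspected_rondodox(result):
    """True when at least one of the known aliases is present on disk."""
    return bool(result["renamed"])


def build_sample_tree(root):
    """Constructed fixture: an 'infected' tree in which iptables and reboot
    have been renamed under usr/sbin, while ufw, passwd and chpasswd are intact.
    Returns the directory list to scan, relocated under `root`."""
    sbin = os.path.join(root, "usr", "sbin")
    ubin = os.path.join(root, "usr", "bin")
    os.makedirs(sbin)
    os.makedirs(ubin)
    for name in ("jsuJpf", "gaajct", "ufw"):
        open(os.path.join(sbin, name), "w").close()
    for name in ("passwd", "chpasswd"):
        open(os.path.join(ubin, name), "w").close()
    return [os.path.join(root, d.lstrip("/")) for d in BIN_DIRS]


def demo_scan():
    """Run the scanner against the constructed tree and return its result."""
    with tempfile.TemporaryDirectory() as root:
        return scan_for_renamed_binaries(build_sample_tree(root))


if __name__ == "__main__":
    # Real host first, then the constructed fixture for comparison.
    live = scan_for_renamed_binaries()
    print("live host suspected:", suspected_rondodox(live), live["renamed"])
    print("fixture:", demo_scan())
```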

    Once the setup process is complete, the malware contacts an external server (83.150.218[.]93) to receive commands to perform distributed denial-of-service (DDoS) attacks against specific targets using HTTP, UDP, and TCP protocols.

    “To evade detection, it disguises malicious traffic by emulating popular games and platforms such as Valve, Minecraft, Dark and Darker, Roblox, DayZ, Fortnite, GTA, as well as tools like Discord, OpenVPN, WireGuard, and RakNet,” Fortinet said.

    “Beyond gaming and chat protocols, RondoDox can also mimic custom traffic from tunneling and real-time communication services, including WireGuard, OpenVPN variants (e.g., openvpnauth, openvpncrypt, openvpntcp), STUN, DTLS, and RTC.”

    In impersonating traffic associated with legitimate tools, the idea is to blend in with normal activity and make it challenging for defenders to detect and block it.

    “RondoDox is a sophisticated and emerging malware threat that employs advanced evasion techniques, including anti-analysis measures, XOR-encoded configuration data, custom-built libraries, and a robust persistence mechanism,” Li said. “These capabilities allow it to remain undetected and maintain long-term access on compromised systems.”


    Source: thehackernews.com…

  • 5 Ways Identity-based Attacks Are Breaching Retail

    From overprivileged admin roles to long-forgotten vendor tokens, these attackers are slipping through the cracks of trust and access. Here’s how five retail breaches unfolded, and what they reveal about…

    In recent months, major retailers like Adidas, The North Face, Dior, Victoria’s Secret, Cartier, Marks & Spencer, and Co‑op have all been breached. These attacks weren’t sophisticated malware or zero-day exploits. They were identity-driven, exploiting overprivileged access and unmonitored service accounts, and targeted the human layer through tactics like social engineering.

    Attackers didn’t need to break in. They logged in. They moved through SaaS apps unnoticed, often using real credentials and legitimate sessions.

    And while most retailers didn’t share all the technical details, the patterns are clear and recurring.

    Here’s a breakdown of the five recent high-profile breaches in retail:

    1. Adidas: Exploiting third-party trust

    Adidas confirmed a data breach caused by an attack on a third-party customer service provider. The company said customer data was exposed, including names, email addresses, and order details. No malware. No breach on their side. Just the blast radius of a vendor they trusted.

    How these attacks unfold in SaaS identities:

    SaaS tokens and service accounts granted to vendors often don’t require MFA, don’t expire, and fly under the radar. Once access is no longer needed but never revoked, they become silent entry points, perfect for supply chain compromises that map to tactics like T1195.002, giving attackers a way in without setting off alarms.

    Security takeaway:

    You’re not just securing your users. You’re securing the access that vendors leave behind, too. SaaS integrations stick around longer than the actual contracts, and attackers know exactly where to look.

    2. The North Face: From password reuse to privilege abuse

    The North Face confirmed a credential stuffing attack (MITRE T1110.004) where threat actors used leaked credentials (usernames and passwords) to access customer accounts. No malware, no phishing, just weak identity hygiene and no MFA. Once inside, they exfiltrated personal data, exposing a major gap in basic identity controls.

    How these attacks unfold in SaaS identities:

    SaaS logins without MFA are still everywhere. Once attackers get valid credentials, they can access accounts directly and quietly, without triggering endpoint protections or raising alerts.

    Security takeaway:

    Credential stuffing is nothing new. It was the fourth credential-based breach for The North Face since 2020. Each one is a reminder that password reuse without MFA is a wide-open door. And while plenty of orgs enforce MFA for employees, service accounts and privileged roles often go unprotected. Attackers know it, and they go where the gaps are.

    SaaS Identity Security Guide

    Want to go deeper? Download the ‘SaaS Identity Security Guide’ to learn how to proactively secure every identity, human or non-human, across your SaaS stack.

    3. M&S & Co-op: Breached by borrowed trust

    UK retailers Marks & Spencer and Co-op were reportedly targeted by the threat group Scattered Spider, known for identity-based attacks. According to reports, they used SIM swapping and social engineering to impersonate employees and trick IT help desks into resetting passwords and MFA, effectively bypassing that control, all without malware or phishing.

    How these attacks unfold in SaaS identities:

    Once attackers bypass MFA, they target overprivileged SaaS roles or dormant service accounts to move laterally within the organization’s systems, harvesting sensitive data or disrupting operations along the way. Their actions blend in with legitimate user behavior (T1078), and with password resets driven by help desk impersonation (T1556.003), they quietly gain persistence and control without raising any alarms.

    Security takeaway:

    There’s a reason identity-first attacks are spreading. They exploit what’s already trusted, and often leave no malware footprint. To reduce risk, track SaaS identity behavior, including both human and non-human activity, and limit help desk privileges through isolation and escalation policies. Targeted training for support staff can also block social engineering before it happens.

    4. Victoria’s Secret: When SaaS admins go unchecked

    Victoria’s Secret delayed its earnings release after a cyber incident disrupted both e-commerce and in-store systems. While few details were disclosed, the impact aligns with scenarios involving internal disruption through SaaS systems that manage retail operations, like inventory, order processing, or analytics tools.

    How these attacks unfold in SaaS identities:

    The real risk isn’t just compromised credentials. It’s the unchecked power of overprivileged SaaS roles. When a misconfigured admin or stale token gets hijacked (T1078.004), attackers don’t need malware. They can disrupt core operations, from inventory management to order processing, all within the SaaS layer. No endpoints. Just destruction (T1485) at scale.

    Security takeaway:

    SaaS roles are powerful and often forgotten. A single overprivileged identity with access to critical business applications can trigger chaos, making it crucial to apply stringent access controls and continuous monitoring to these high-impact identities before it’s too late.

    5. Cartier & Dior: The hidden cost of customer support

    Cartier and Dior disclosed that attackers accessed customer information via third-party platforms used for CRM or customer service functions. These weren’t infrastructure hacks; they were breaches through platforms meant to help customers, not expose them.

    How these attacks unfold in SaaS identities:

    Customer support platforms are often SaaS-based, with persistent tokens and API keys quietly connecting them to internal systems. These non-human identities (T1550.003) rarely rotate, often escape centralized IAM, and become easy wins for attackers targeting customer data at scale.

    Security takeaway:

    If your SaaS platforms touch customer data, they’re part of your attack surface. And if you’re not tracking how machine identities access them, you’re not protecting the frontlines.

    Final Thought: Your SaaS identities aren’t invisible. They’re just unmonitored.

    Your SaaS identities aren’t invisible; they’re just unmonitored. These breaches didn’t need fancy exploits. They just needed a misplaced trust, a reused credential, an unchecked integration, or an account no one reviewed.

    While security teams have locked down endpoints and hardened SaaS logins, the real gaps lie in those hidden SaaS roles, dormant tokens, and overlooked help desk overrides. If these are still flying under the radar, the breach already has a head start.

    Wing Security was built for this.

    Wing’s multi-layered platform continuously protects your SaaS stack, discovering blind spots, hardening configurations, and detecting SaaS identity threats before they escalate.

    It’s one source of truth that connects the dots across apps, identities, and risks, so you can cut through the noise and stop breaches before they start.

    👉 Get a demo of Wing Security to see what’s hiding in your SaaS identity layer.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Researchers Uncover Batavia Windows Spyware Stealing Documents from Russian Firms

    Jul 08, 2025 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence

    Russian organizations have been targeted as part of an ongoing campaign that delivers a previously undocumented Windows spyware called Batavia.

    The activity, per cybersecurity vendor Kaspersky, has been active since July 2024.

    “The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract,” the Russian company said. “The main goal of the attack is to infect organizations with the previously unknown Batavia spyware, which then proceeds to steal internal documents.”

    The email messages are sent from the domain “oblast-ru[.]com,” which is said to be owned by the attackers themselves. The links embedded within the digital missives lead to the download of an archive file containing a Visual Basic Encoded script (.VBE) file.

    When executed, the script profiles the compromised host and exfiltrates the system information to the remote server. This is followed by the retrieval of a next-stage payload from the same server, an executable written in Delphi.

    The malware likely displays a fake contract to the victim as a distraction while collecting system logs, office documents (*.doc, *.docx, *.ods, *.odt, *.pdf, *.xls, and *.xlsx), and screenshots in the background. The data gathering also extends to removable devices attached to the host.

    Another capability of the Delphi malware is to download a binary of its own from the server, which targets a broader set of file extensions for subsequent collection. This includes images, emails, Microsoft PowerPoint presentations, archive files, and text documents (*.jpeg, *.jpg, *.cdr, *.csv, *.eml, *.ppt, *.pptx, *.odp, *.rar, *.zip, *.rtf, and *.txt).

    The newly collected data is then transmitted to a different domain (“ru-exchange[.]com”), from where an unknown executable is downloaded as a fourth stage to continue the attack chain.

    Telemetry data from Kaspersky shows that more than 100 users across several dozen organizations received phishing emails over the past year.

    “As a result of the attack, Batavia exfiltrates the victim’s documents, as well as information such as a list of installed programs, drivers, and operating system components,” the company said.

    The disclosure comes as Fortinet FortiGuard Labs detailed a malicious campaign that delivers a Windows stealer malware codenamed NordDragonScan. While the exact initial access vector is not clear, it’s believed to be a phishing email that carries a link to trigger the download of a RAR archive.

    “Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots,” security researcher Cara Lin said.

    Present within the archive is a Windows shortcut (LNK) file that stealthily makes use of “mshta.exe” to execute a remotely hosted HTML Application (HTA). This step results in the retrieval of a benign decoy document, while a nefarious .NET payload is quietly dropped onto the system.

    NordDragonScan, as the stealer malware is called, establishes connections with a remote server (“kpuszkiev[.]com”), sets up persistence via Windows Registry changes, and conducts extensive reconnaissance of the compromised machine to collect sensitive data and exfiltrate the information back to the server via an HTTP POST request.

    “The RAR file contains LNK calls that invoke mshta.exe to execute a malicious HTA script, displaying a decoy document in Ukrainian,” Lin said. “Finally, it quietly installs its payload in the background. NordDragonScan is capable of scanning the host, capturing a screenshot, extracting documents and PDFs, and sniffing Chrome and Firefox profiles.”


    Source: thehackernews.com…

  • CISA Adds Four Critical Vulnerabilities to KEV Catalog Due to Active Exploitation

    Jul 08, 2025 | Ravie Lakshmanan | Cyber Attacks / Vulnerability

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

    The list of flaws is as follows –

    • CVE-2014-3931 (CVSS score: 9.8) – A buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) that could allow remote attackers to cause an arbitrary memory write and memory corruption
    • CVE-2016-10033 (CVSS score: 9.8) – A command injection vulnerability in PHPMailer that could allow an attacker to execute arbitrary code within the context of the application or result in a denial-of-service (DoS) condition
    • CVE-2019-5418 (CVSS score: 7.5) – A path traversal vulnerability in Ruby on Rails’ Action View that could cause contents of arbitrary files on the target system’s file system to be exposed
    • CVE-2019-9621 (CVSS score: 7.5) – A Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite that could result in unauthorized access to internal resources and remote code execution

    There are currently no public reports on how the first three vulnerabilities are being exploited in real-world attacks. The abuse of CVE-2019-9621, on the other hand, was attributed by Trend Micro to a China-linked threat actor known as Earth Lusca in September 2023 to drop web shells and Cobalt Strike.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary updates by July 28, 2025, to secure their networks.

    Technical Details of Citrix Bleed 2 Out

    The development comes as watchTowr Labs and Horizon3.ai have released technical analyses for a critical security flaw in Citrix NetScaler ADC (CVE-2025-5777 aka Citrix Bleed 2), which is assessed to have come under active exploitation.

    “We’re seeing active exploitation of both CVE-2025-5777 and CVE-2025-6543 in the wild,” watchTowr CEO Benjamin Harris told The Hacker News. “This vulnerability allows reading of memory, which we believe attackers are using to read sensitive information (for example, information sent within HTTP requests that are then processed in-memory), credentials, valid Citrix session tokens, and more.”

    The findings show that it’s possible to send a login request to the “/p/u/doAuthentication.do” endpoint and cause it (and other endpoints susceptible to the flaw) to reflect the user-supplied login value in the response, regardless of success or failure.

    Horizon3.ai noted that the vulnerability could be used to leak approximately 127 bytes of data via a specially crafted HTTP request in which the “login” parameter is sent without an equals sign or value, thereby making it possible to extract session tokens or other sensitive information.

    The shortcoming, watchTowr explained, stems from the use of the snprintf function along with a format string containing the “%.*s” format.

    “The %.*s format tells snprintf: ‘Print up to N characters, or stop at the first null byte (\0) – whichever comes first.’ That null byte eventually appears somewhere in memory, so while the leak doesn’t run indefinitely, you still get a handful of bytes with each invocation,” the company said.

    “So, every time you hit that endpoint without the =, you pull more uninitialized stack data into the response. Repeat it enough times, and eventually, you might land on something valuable.”
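    To make the mechanism concrete, here is an added C model written for this page, not NetScaler’s code: a toy form parser that reuses one buffer across requests (standing in for the stack frame) and reflects the login value with the fixed-width “%.*s” pattern described above, beside a hardened version that initialises the buffer and prints only the bytes it actually parsed. The request bodies and the FIELD_MAX width are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 128

/* Constructed illustration, not NetScaler code. One reusable buffer stands in
 * for the stack slot that, in the real bug, keeps leftovers of earlier
 * request processing. */
static char field[FIELD_MAX];

/* Copy the value of "login=..." from a form body into `field`.
 * Returns the number of bytes copied, 0 when "login" is present without '=',
 * and -1 when the key is absent. The vulnerable path leaves `field` untouched
 * when there is no '=', so whatever it held before stays in place. */
static int parse_login(const char *body, int hardened) {
    if (hardened)
        field[0] = '\0';                    /* fix 1: never reuse stale bytes */
    const char *p = strstr(body, "login");
    if (p == NULL)
        return -1;
    p += strlen("login");
    if (*p != '=')
        return 0;                           /* key present, no value */
    p++;
    size_t n = strcspn(p, "&");             /* value ends at '&' or NUL */
    if (n >= FIELD_MAX)
        n = FIELD_MAX - 1;
    memcpy(field, p, n);
    field[n] = '\0';
    return (int)n;
}

/* Build the reflected response line. The vulnerable path follows the pattern
 * the article describes: "%.*s" with a fixed width, so snprintf emits up to
 * FIELD_MAX bytes or stops at the first NUL, whichever comes first. The
 * hardened path prints only the bytes the parser actually copied (fix 2). */
static int build_response(const char *body, char *out, size_t outsz, int hardened) {
    int n = parse_login(body, hardened);
    if (n < 0)
        return snprintf(out, outsz, "login missing");
    if (hardened)
        return snprintf(out, outsz, "login=%.*s", n, field);
    return snprintf(out, outsz, "login=%.*s", FIELD_MAX, field);
}

/* Send a normal login, then a request whose "login" has no '='. Returns 1 when
 * the second response still carries the first request's value (the leak),
 * 0 otherwise. Both request bodies are constructed samples. */
static int second_request_leaks(int hardened) {
    char out[256];
    build_response("login=alice&passwd=hunter2", out, sizeof out, hardened);
    build_response("login&passwd=hunter2", out, sizeof out, hardened);
    return strstr(out, "alice") != NULL;
}

int main(void) {
    printf("vulnerable path leaks stale value: %d\n", second_request_leaks(0));
    printf("hardened path leaks stale value:   %d\n", second_request_leaks(1));
    return 0;
}
```

In a real stack frame the stale bytes are whatever earlier code left there, which is why each request returns a different handful of bytes; the two fixes shown (initialise the buffer, bound the width by the parsed length) each close the leak on their own.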



    Source: thehackernews.com…

  • SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools


    Cybersecurity researchers have disclosed a malicious campaign that leverages search engine optimization (SEO) poisoning techniques to deliver a known malware loader called Oyster (aka Broomstick or CleanUpLoader).

    The malvertising activity, per Arctic Wolf, promotes fake websites hosting trojanized versions of legitimate tools like PuTTY and WinSCP, aiming to trick software professionals searching for these programs into installing them instead.

    “Upon execution, a backdoor known as Oyster/Broomstick is installed,” the company said in a brief published last week.

    “Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism.”

    The names of some of the bogus websites are listed below –

    • updaterputty[.]com
    • zephyrhype[.]com
    • putty[.]run
    • putty[.]bet, and
    • puttyy[.]org

    It’s suspected that the threat actors behind the campaign may also be targeting other IT tools to deliver the malware, making it imperative that users stick to trusted sources and official vendor sites to download the necessary software.


    The disclosure comes as black hat SEO poisoning techniques are being used to game search results associated with artificial intelligence (AI)-related keywords to spread Vidar, Lumma, and Legion Loader.

    These websites come fitted with JavaScript code that checks for the presence of ad blockers and gathers information from the victim’s browser, before initiating a redirection chain that ultimately takes the victim to a phishing page hosting a ZIP archive.

    “The final download pages in this campaign deliver Vidar Stealer and Lumma Stealer as password-protected ZIP archives, with the password provided on the final downloading page,” Zscaler ThreatLabz said. “Once extracted, they contain an 800MB NSIS installer, a deceptively large size intended to appear legitimate and bypass detection systems with file size limitations.”

    The NSIS installer is then used to execute an AutoIt script that’s ultimately responsible for launching the stealer payloads. The delivery mechanism for Legion Loader, in contrast, leverages an MSI installer to deploy the malware via a batch script.

    A similar SEO poisoning campaign has been observed to elevate phishing pages when users search for the names of popular web applications to direct users to fake Cloudflare CAPTCHA check pages that make use of the infamous ClickFix strategy to drop RedLine Stealer via Hijack Loader.

    According to data compiled by Kaspersky, small- and medium-sized businesses (SMBs) are being increasingly targeted by cyber attacks that deliver malware disguised as popular AI and collaboration tools like OpenAI ChatGPT, DeepSeek, Cisco AnyConnect, Google Drive, Microsoft Office, Microsoft Teams, Salesforce, and Zoom.

    “Between January and April 2025 alone, around 8,500 small and medium-sized business users were targeted by cyberattacks in which malware or potentially unwanted software was disguised as these popular tools,” the Russian cybersecurity company said.

    Zoom accounted for about 41% of the total number of unique files, followed by Outlook and PowerPoint at 16% each, Excel at 12%, Word at 9%, and Teams at 5%. The number of unique malicious files mimicking ChatGPT increased by 115% to 177 in the first four months of 2025.

    While the trend of abusing fake search engine listings to take advantage of users’ implicit trust in popular brands is a well-known tactic, recent campaigns have hijacked searches for tech support pages linked to Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal to serve legitimate pages through sponsored results in Google – but with an ingenious twist.

    “Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead,” Malwarebytes said.

    This is achieved by means of a technique called search parameter injection to show within a search bar a number that’s under the attacker’s control in order to give the impression that it’s an official search result within the help center pages and deceive unsuspecting users into calling them.

    What makes the attack particularly insidious is that the parameters added to the right of the actual help center domain (e.g., “Call us 1-***-***-**** for free”) are not visible in the sponsored search result, thereby giving no reason for users to suspect anything is amiss.

    It’s not just Google’s advertising platform. Threat actors have also been caught serving fake ads on Facebook to phish for cryptocurrency wallet recovery phrases and spreading malware in conjunction with Pi2Day, a yearly event linked to the Pi Network community.

    The malware, spread via ads urging users to install a new version of the Pi Network desktop app for Windows, comes with capabilities to steal saved credentials and crypto wallet keys, log user input, and download additional payloads, all the while evading detection.

    Romanian cybersecurity company Bitdefender said the activity is possibly the work of a single threat actor that’s “running parallel fraud schemes on Meta to maximize reach, financial gain, and targeting efficiency.”

    It doesn’t end here, for phony websites impersonating AI, VPN services, and other well-known software brands have been found to deliver Poseidon Stealer on macOS systems and a loader dubbed PayDay Loader, which then acts as a conduit for Lumma Stealer on Windows machines. The activity has been codenamed Dark Partners by security researcher g0njxa.

    PayDay Loader relies on Google Calendar links as a dead drop resolver to extract the command-and-control (C2) server and obtain obfuscated JavaScript code engineered to load the Lumma Stealer payload and siphon sensitive data.

    Interestingly, the email address used to create the Google Calendar events (“echeverridelfin@gmail[.]com”) was also spotted in connection with a malicious npm package called “os-info-checker-es6.” This indicates that the Dark Partners actors have likely experimented with different delivery mechanisms.

    “The PayDay Loader has a Node.js stealer module to exfiltrate cryptocurrency wallet data to an external C2,” g0njxa said. “Using the ADM-ZIP library for Node.js, the PayDay Loader is able to find, pack, and send wallet information to a hard-coded C2 host.”


    These campaigns go hand in hand with an ongoing phenomenon where scammers and cybercriminals set up sprawling networks comprising thousands of websites to spoof popular brands and commit financial fraud by advertising real products that are never delivered. One such network, dubbed GhostVendors by Silent Push, buys Facebook ads space to promote over 4,000 sketchy sites.

    The malicious Facebook Marketplace ads are run for a few days, after which they are stopped, effectively deleting all traces of them from the Meta Ad Library. It’s worth pointing out that Meta has only retained ads on social issues, elections, and politics for the past seven years.

    “This helped to confirm a known Meta ad library policy existed, and highlighted that potentially these threat actors were taking advantage of this by rapidly launching and stopping ads for similar products on different pages,” Silent Push researchers said.

    Another network spotted by the company, targeting English and Spanish language shoppers with fake marketplace ads, is assessed to be the work of Chinese threat actors. These websites are mainly designed to steal credit card information entered on payment pages, while claiming to process the orders. Some of the bogus sites also include Google Pay purchase widgets to enable payments.

    “This fake marketplace campaign primarily targets consumers with a phishing threat that exploits major brands, well-known organizations, and the fame of some political figures,” Silent Push said.



    Source: thehackernews.com…

  • Manufacturing Security: Why Default Passwords Must Go


    Jul 07, 2025 | The Hacker News | IoT Security / Cyber Resilience

    If you didn’t hear about Iranian hackers breaching US water facilities, it’s because they only managed to control a single pressure station serving 7,000 people. What made this attack noteworthy wasn’t its scale, but how easily the hackers gained access — by simply using the manufacturer’s default password “1111.” This narrow escape prompted CISA to urge manufacturers to eliminate default credentials entirely, citing “years of evidence” that these preset passwords remain one of the most exploited weaknesses.

    While we wait for manufacturers to implement better security practices, the responsibility falls on IT teams. Whether you manage critical infrastructure or a standard business network, allowing unchanged manufacturer passwords in your environment is like rolling out the red carpet for attackers. Here’s what you need to know about default passwords — why they persist, their business and technical consequences, and how manufacturers can implement secure-by-design best practices.

    The pervasive threat of default passwords

    Default passwords — the standardized credentials like “admin/admin” or “1234” shipped with countless devices and software systems — represent a glaring security gap that attackers love to exploit. Even though their risks are well-documented, they persist in production environments for numerous reasons:

    • They simplify initial setup and configuration
    • They streamline bulk device provisioning
    • They support legacy systems with limited security options
    • Manufacturers lack a secure-by-design mindset

    The consequences of using default passwords include:

    • Botnet recruitment: Attackers scan for vulnerable devices to build massive networks aimed at compromising other devices
    • Ransomware entry points: Hackers use default password access to establish footholds for deploying ransomware
    • Supply-chain compromises: One vulnerable device can provide access to entire networks or partner systems
    • Complete security bypass: Even robust security measures become ineffective when default credentials remain active

    Real-world consequences of default password attacks

    Default passwords have facilitated some of the most destructive cyberattacks in recent history. For example, attackers created the Mirai botnet by trying factory default passwords on thousands of IoT devices. Using a list of 61 common username/password combinations, the hackers compromised more than 600,000 connected devices. The resulting botnet launched devastating DDoS attacks that reached an unprecedented 1 Tbps, temporarily disabling internet services including Twitter and Netflix, and causing millions in damages.

    Supply chains are also vulnerable to default password attacks, with hackers targeting OEM devices with unchanged default credentials as beachheads in multi-stage attacks. Once inside, they install backdoors that keep their access open, then gradually move through connected systems until they reach your valuable data and critical infrastructure. These default passwords effectively undermine all other security controls, providing attackers with legitimate access that bypasses even advanced threat detection systems. The UK has recently moved to ban IoT devices shipping with default passwords.

    The high cost of default password negligence

    Failing to change default passwords can create consequences that go far beyond the initial security breach, including:

    • Brand damage: Publicized breaches erode customer trust and trigger costly recalls, crisis management campaigns, and litigation that can continue for years, with expenses easily reaching millions of dollars.
    • Regulatory penalties: New legislation like the EU’s Cyber Resilience Act and US state IoT security laws (like California’s) specifically target default password vulnerabilities, imposing significant fines for non-compliance.
    • Operational burden: Implementing proper password policies up front is far more resource-efficient and cost-effective than emergency incident response, forensic analysis, and recovery efforts.
    • Ecosystem vulnerability: A single compromised device can undermine interconnected environments — halting production in smart factories, jeopardizing patient care in healthcare settings, or creating cascading failures across partner networks.

    Five secure-by-design best practices for manufacturers

    Manufacturers must shift from passing security burdens to customers and instead build security into their products from inception:

    • Unique credentials per unit: Embed randomized passwords at the factory, printed on each device’s label to eliminate shared default credentials across product lines.
    • Password-rotation API: Allow customers to rotate or revoke credentials automatically on the first boot, making credential changes part of the standard setup process.
    • Zero-trust onboarding: Require out-of-band authentication (e.g., QR-code scanning tied to user account) to verify legitimate device setup before granting system access.
    • Firmware integrity checks: Sign and verify login modules to prevent unauthorized credential resets that could bypass security measures.
    • Developer training and audit: Enforce secure-development lifecycles and run default-password scans pre-ship to catch vulnerabilities before products reach customers.

    Protecting your organization today

    Until manufacturers fully embrace secure-by-design principles, IT professionals must immediately act against default password risks. And one of the best ways to do that is by implementing rigorous password policies that include regular device inventories and immediate credential changes during deployment.

    For the greatest protection, consider a solution like the Specops Password Policy to automate enforcement. Specops Password Policy simplifies Active Directory password management, allowing you to implement security standards that ensure compliance while blocking more than 4 billion unique compromised passwords. By taking these proactive steps, you’ll reduce your attack surface and protect your organization from becoming the next default password hacking headline. Book a live demo of Specops Password Policy today.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • ⚡ Weekly Recap: Chrome 0-Day, Ivanti Exploits, MacOS Stealers, Crypto Heists and More


    Jul 07, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking

    Everything feels secure—until one small thing slips through. Even strong systems can break if a simple check is missed or a trusted tool is misused. Most threats don’t start with alarms—they sneak in through the little things we overlook. A tiny bug, a reused password, a quiet connection—that’s all it takes.

    Staying safe isn’t just about reacting fast. It’s about catching these early signs before they blow up into real problems. That’s why this week’s updates matter. From stealthy tactics to unexpected entry points, the stories ahead reveal how quickly risk can spread—and what smart teams are doing to stay ahead. Dive in.

    ⚡ Threat of the Week

    U.S. Disrupts N. Korea IT Worker Scheme — Prosecutors said they uncovered North Korean IT staff working at over 100 U.S. companies using fictitious or stolen identities, not only drawing salaries but also stealing secret data and plundering more than $900,000 in virtual currency in one incident targeting an unnamed blockchain company in Atlanta. The actions are the latest steps to stop the scheme, which has seen North Korea earn millions through thousands of people who use fake identities to get hired as IT workers at companies based in the West and other parts of the world. Authorities conducted 21 searches across 14 states last month, adding to searches that were conducted at eight locations in October 2024 spanning three states. In at least one case, North Korean IT workers gained access to “sensitive employer data and source code, including International Traffic in Arms Regulations (ITAR) data,” after they were hired by a California-based defense contractor that develops artificial intelligence-powered equipment and technologies, the Justice Department said. In all, the coordinated action led to the arrest of one individual, and the seizure of 21 web domains, 29 financial accounts used to launder tens of thousands of dollars, and nearly 200 laptops and remote access devices, including KVMs. The U.S. State Department is offering rewards of up to $5 million for information leading to the “disruption of financial mechanisms of persons engaged in certain activities that support North Korea.” The actions reveal that North Koreans didn’t merely falsify IDs to insinuate themselves into Western tech firms, but also allegedly stole the identities of “more than 80 U.S. persons” to impersonate them in jobs at more than 100 U.S. companies and funnel money to the Kim regime.

    🔔 Top News

    • Chinese Threat Actor Targets French Orgs Using Ivanti Flaws — A China-linked intrusion set known as Houken targeted a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in France in early September 2024 using three vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices as zero-days. The attacks have been observed paving the way for PHP web shells, deploying a kernel rootkit, and even attempting to patch the vulnerabilities, likely to prevent exploitation by other unrelated actors. It’s suspected that Houken is an initial access broker that obtains a foothold into target networks, and passes on that access to other threat actors for follow-on post-exploitation activities.
    • New Chrome 0-Day Exploited in the Wild — Google released security updates to address a type confusion flaw in its Chrome web browser that it said has been exploited in the wild. The exact nature of the attacks is presently not known, although it’s believed to have been deployed as part of highly-targeted attacks due to the fact that it was discovered by Google’s Threat Analysis Group (TAG), which specializes in detecting government-backed attacks. It has been patched in versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.
    • U.S. Sanctions Russian Bulletproof Hosting Provider Aeza — The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Russia-based bulletproof hosting (BPH) service provider Aeza Group for providing the infrastructure that enabled threat actors to deliver stealer malware and ransomware like BianLian, RedLine, Meduza, and Lumma, as well as host illicit drugs marketplace on the dark web. In addition, three of the company’s subsidiaries and four main individuals linked to it have been sanctioned. This includes Aeza Group’s CEO Arsenii Aleksandrovich Penzev, general director Yurii Meruzhanovich Bozoyan, technical director Vladimir Vyacheslavovich Gast, and Igor Anatolyevich Knyazev.
    • NightEagle Targets Chinese AI and Military Sectors — A previously undocumented threat actor known as NightEagle has been observed leveraging a zero-day exploit chain in Microsoft Exchange to deliver the Go-based Chisel utility and steal mailbox data from compromised accounts. The threat actor, believed to be active since 2023, has targeted high-tech, chip semiconductors, quantum technology, artificial intelligence, and military verticals in China, QiAnXin’s RedDrip Team said. The disclosure comes close on the heels of another spear-phishing campaign dubbed DRAGONCLONE that has singled out Chinese telecom companies to propagate VELETRIX and VShell. The phishing emails, per Seqrite Labs, contain a malicious ZIP archive that includes legitimate binaries and malicious DLL files, which are, in turn, executed using DLL side-loading to launch the VELETRIX loader. The malware is designed to load shellcode, an adversary simulation framework called VShell, directly in memory. The use of VShell is notable as it has been widely adopted by various Chinese hacking groups to target organizations in the West. Seqrite Labs said the activity shares behavioral similarities with Earth Lamia and UNC5174, indicating that the campaign is likely the work of a China-nexus group.
    • North Korea Targets Crypto Businesses with Nim Malware — North Korean threat actors tracked as BlueNoroff are deploying novel techniques to infect crypto businesses with macOS malware designed to steal credentials from web browsers, iCloud Keychain data, and Telegram application information. The attacks impersonate a victim’s trusted contact to invite them over Telegram and lure employees at Web3 and crypto-related organizations into installing Nim-compiled macOS malware via fake Zoom software updates under the pretext of setting up a meeting. The bogus updates are designed to run AppleScript payloads, which are then used to deliver two Mach-O binaries in order to set off two independent execution chains. One leads to the execution of scripts to harvest data, while the other, compiled from Nim source code, is used to set up persistence on the host. Together, the two components facilitate data exfiltration and persistence.

    This week’s list includes — CVE-2025-32462, CVE-2025-32463 (Sudo), CVE-2025-20309 (Cisco Unified CM and Unified CM SME), CVE-2025-49596 (Anthropic MCP Inspector), CVE-2025-6554 (Google Chrome), CVE-2025-5622, CVE-2025-5623, CVE-2025-5624, CVE-2025-5630 (D-Link DIR-816 routers), CVE-2025-49151, CVE-2025-49152, CVE-2025-49153 (Microsens NMP Web+), CVE-2025-6463 (Forminator plugin), CVE-2025-36630 (Tenable Nessus), CVE-2025-52891 (ModSecurity Web Application Firewall), CVE-2025-48927, CVE-2025-48928 (TeleMessage TM SGNL), CVE-2024-58248 (nopCommerce), CVE-2025-32897 (Apache Seata), CVE-2025-47812 (Wing FTP), CVE-2025-4404 (FreeIPA), CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192 (Grafana), CVE-2025-34067 (Hikvision Integrated Security Management Platform), CVE-2025-1735, CVE-2025-6491 (PHP), CVE-2025-53367 (DjVuLibre), and CVE-2025-49826 (Next.js).

    📰 Around the Cyber World

    • Apple and Google App Stores Offer China-linked VPN Apps — Both Apple’s and Google’s online stores offer free virtual private network (VPN) apps that have undisclosed ties to Chinese companies, likely posing a privacy risk. Thirteen VPN apps on Apple’s App Store and 11 apps on Google’s Play Store (seven common to both) have ties to Chinese companies, the Tech Transparency Project said. “VPNs are of particular concern because anyone using a VPN has the entirety of their online activity routed through that application,” Katie Paul, the TTP’s director, told NBC News. “When it comes to Chinese-owned VPNs, that means this data can be turned over to the Chinese government based on China’s state laws.”
    • Scattered Spider Uses Teleport for Persistence — The notorious cybercrime group known as Scattered Spider has leveraged a novel persistence mechanism that involves the use of Teleport, an infrastructure access platform not previously associated with the threat actor. The findings demonstrate how bad actors are weaponizing legitimate administrative tools to maintain persistent access to compromised networks. “After obtaining admin-level cloud access, the attacker installed a Teleport agent on compromised Amazon EC2 servers to establish a persistent remote command-and-control (C2) channel,” Rapid7 said. “Teleport is a legitimate open-source tool for managing remote infrastructure, but here it was co-opted for malicious purposes. This effectively gave the attacker persistent remote shell access to those cloud servers even if their initial user credentials or VPN access were revoked. The use of Teleport indicates Scattered Spider’s adaptability in using new tools for persistence and command-and-control. By using standard administrative software, they reduce the chance of detection by security tools that might flag custom malware.”
    • Linux Servers Targeted by Crypto Miners — Improperly secured Linux servers, especially those with weak SSH credentials, are being targeted by threat actors to drop cryptocurrency miners and rope them into DDoS botnets. The attacks also lead to the deployment of proxy tools like TinyProxy or Sing-box, as well as allow a threat actor to establish persistence on the hosts. “Attackers can use the infected system as a proxy to conceal themselves in another attack case or sell access rights to the proxy node for criminal profit,” AhnLab said. Another set of attacks has singled out MySQL servers to deliver Gh0st RAT variants, and other payloads like AsyncRAT, Ddostf DDoS botnet, XWorm, HpLoader, and even the legitimate remote control tool Zoho ManageEngine. XWorm has emerged as one of the most versatile and widely distributed remote access trojans in the current threat landscape, exhibiting remarkable adaptability in its delivery mechanisms and establishing itself as a formidable tool in cybercriminals’ toolbox. Recent attacks mounted by a China-linked threat actor have employed trojanized MSI installers posing as WhatsApp to deliver the trojan in attacks targeting users in East and Southeast Asia. “The attack chain involves encrypted shellcode embedded in image files, PowerShell scripts for persistence via scheduled tasks and shellcode loaders,” Broadcom said. “The final payload is a modified XWorm RAT enhanced with functions to detect Telegram installations and report infected systems via Telegram-based mechanisms.”
    • Iran IRGC’s Intelligence Group 13 Detailed — The DomainTools Investigations (DTI) team has shed light on a shadowy entity called Intelligence Group 13, a covert cyber strike unit that functions under Iran’s Islamic Revolutionary Guard Corps (IRGC) to facilitate cyber espionage, industrial sabotage, and psychological warfare. Embedded within the Shahid Kaveh Cyber Group, Intelligence Group 13 powers Cyber Av3ngers, a pro-Iranian group that has been attributed to attacks targeting water authorities and SCADA systems in Israel and the U.S. “Whether through direct disruption, pre-positioned malware activation, or narrative defacement and psychological intimidation, the group’s capabilities make it a prime tool for hybrid response, combining deniable technical aggression with symbolic messaging designed to project defiance and psychological impact,” DTI said.
    • Open VSX Used to Distribute Malicious VS Code Extensions — Almost 200,000 developers have downloaded two malicious VSCode extensions from the Open VSX Registry. The extensions, both named Solidity Language, scan for existing ConnectWise ScreenConnect remote desktop software, and if present, download and install a malicious version from an attacker-controlled server. The extensions have since been removed from the marketplace. The findings once again illustrate that openness doesn’t necessarily equate to safety. “The very openness that makes Open VSX appealing also introduces risks that the more curated VS Code Marketplace helps mitigate,” Secure Annex’s John Tuckner said.
    • New Campaign Distributes Masslogger Malware — Encoded Visual Basic Script (VBE) files likely distributed via phishing emails are being used to deliver a sophisticated variant of Masslogger, a stealer malware that can harvest login details from the Chrome browser, log keystrokes, capture clipboard content, and upload files to a remote server. “Initially, the variant appeared to be a typical script-based threat, but upon deeper analysis, it turned out to be a multi-stage fileless malware that heavily relies on Windows Registry to store and execute its malicious payload,” Seqrite Labs said.
    • Western Companies Fail to Take Action on Funnull — Back in May 2025, the U.S. Treasury Department sanctioned Philippines-based Funnull for providing infrastructure to conduct romance baiting scams and for carrying out a supply chain attack on the widely-used Polyfill[.]io JavaScript library. However, a new analysis from Silent Push and cybersecurity journalist Brian Krebs found that many U.S. tech companies still host accounts associated with Funnull’s administrator Liu “Steve” Lizhi, including X, GitHub, LinkedIn, Facebook, Google Groups, Medium, PayPal, WordPress, Hugging Face, Gravatar, Vercel, and Flickr, among others. The Facebook, GitHub, LinkedIn, and PayPal profiles have been suspended or taken down.
    • Russia Jails Man to 16 Years Over Pro-Ukrainian Cyber Attacks — Russia has sentenced a man to 16 years in a high-security prison for launching distributed denial-of-service (DDoS) attacks against critical infrastructure in the country. Andrei Smirnov was arrested in 2023 in the Siberian city of Belovo and charged with treason. Russian officials said Smirnov joined Ukraine’s “cyber troops” and launched the attacks at the behest of Ukrainian intelligence services.
    • FileFix Gets an Upgrade — Security researcher mrd0x has detailed a variant of FileFix, itself a spin on the popular ClickFix social engineering tactic, that enables the execution of malicious scripts while bypassing the Mark-of-the-Web (MotW) protections in Windows by taking advantage of how web browsers handle saved HTML web pages. “When an HTML page is saved using Ctrl + S or Right-click > ‘Save as’ and either ‘Webpage, Single File’ or ‘Webpage, Complete’ types were selected, then the file downloaded does not have MotW,” the researcher said. “Furthermore, this behaviour only applies if the webpage being saved has a MIME type of text/html or application/xhtml+xml.” The new attack essentially seeks to trick users into saving an HTML page (using Ctrl+S) and renaming it to an HTML Application (HTA) file, causing it to auto-execute embedded commands within JavaScript when launched. In a possible attack scenario, an adversary could design a bogus web page that prompts users to save backup multi-factor authentication (MFA) codes by pressing Ctrl + S and naming the file “MfaBackupCodes2025.hta.” The victim is then instructed to open the HTA file to ensure that the codes are stored properly. “The easiest way to prevent this technique from working is to remove mshta.exe from being able to run HTA files,” the researcher pointed out. “This is a good solution unless someone is able to utilize this technique with other file types.”
    • Keymous+, a Front for EliteStress? — A hacktivist group known as Keymous+ has emerged as a key player in the cyber landscape, claiming responsibility for over 700 Distributed Denial of Service (DDoS) attacks in 2025 alone. The group, according to Radware, claims it’s made up of “North African hackers,” and its victim list spans government websites, telecom providers in France and India, financial platforms in Morocco and the U.A.E., educational institutions in Denmark, and manufacturing infrastructure in Israel. This seemingly random selection of targets, devoid of a clear ideological agenda or enemies, sets it apart from traditional hacktivist groups. What’s more, the activity appears to be a marketing persona for a DDoS-for-hire service known as EliteStress. The discovery shows Keymous+ likely straddling the boundary between hacktivism and commercial aspirations. It also highlights a new breed of threat actors whose motives are opaque and increasingly driven by profit, offering tools of disruption at the click of a button. The development comes as Intel 471 said it identified two new pro-Kremlin hacktivist groups named TwoNet and the IT Army of Russia. Both are mainly involved in DDoS attacks and surfaced earlier this year, but the latter has also been found recruiting insiders in Ukrainian critical infrastructure organizations.
    • Abuse of .es TLD Surges 19x — Malicious campaigns launched from .es domains have witnessed a 19x increase from Q4 2024 to Q1 2025, making it the third most abused TLD, behind .com and .ru. “This increase applies to both first-stage URLs (links embedded in emails or attachments) and second-stage URLs (sites visited after the embedded URLs),” Cofense said. “These second-stage URLs typically host credential phishing pages or exfiltrate information. It is these second-stage URLs that have seen the greatest increase in .es TLD abuse.” As of May, 1,373 sub-domains hosted malicious web pages on 447 .es base domains. An interesting finding is that 99 percent of them were hosted on Cloudflare, and most of the phishing pages used a Cloudflare Turnstile CAPTCHA. “While Cloudflare has recently made deploying a web page quick and easy via command line with pages hosted on [.]pages[.]dev, it is unclear whether their recent move to making domains hosted by them easy to deploy has attracted threat actors to their hosting services across different platforms or if there are other reasons, such as how strict or lenient Cloudflare is with abuse complaints,” the company said.
    • Rise of Malicious LNK Files — The weaponization of Windows shortcut (LNK) files for malware distribution has increased by 50%, according to telemetry data gathered by Palo Alto Networks Unit 42, with malicious samples rising from 21,098 in 2023 to 68,392 in 2024. “The flexibility of LNK files makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware,” Unit 42 researchers said.
    [Figure: Percentages of system targets for malicious file execution]
    • FBI Investigates Ransomware Negotiator for Extortion Kickbacks — The U.S. Federal Bureau of Investigation (FBI) is probing a former employee of security firm DigitalMint for allegedly taking a cut from ransomware payments. According to Bloomberg, the employee is said to have assisted the company’s customers in negotiating ransoms during ransomware attacks. But unknown to them, the employee had secret deals with ransomware gangs to take a slice of the ransom the companies ended up paying. DigitalMint said it fired the employee as soon as it heard of the investigation and started notifying its customers.
    • Cloudflare Open-Sources Orange Meets — Cloudflare has implemented end-to-end encryption (E2EE) in its video calling app Orange Meets and open-sourced the solution for transparency. The web infrastructure company said the solution is powered by Selective Forwarding Units (SFUs) and uses Messaging Layer Security (MLS) to establish end-to-end encryption for group communication. “To do so, we built a WASM (compiled from Rust) service worker that sets up an MLS group and does stream encryption and decryption, and designed a new joining protocol for groups, called the designated committer algorithm, and formally modeled it in TLA+,” Cloudflare said.
    • Russia to Build Database of Known Scammers — The Russian government has announced plans to build a database of known telephone scammers that will include voice samples, phone numbers, and caller IDs. Once the service launches on April 1, 2026, mobile operators in the country are expected to show scam warnings on phone screens for calls coming from known scam numbers. The voice recordings will be shared with law enforcement for possible investigations.
    • C4 Bomb to Bypass App-Bound Encryption in Google Chrome — Last year, Google introduced a new security measure called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems. While stealers have since found ways to defeat this guardrail, CyberArk has detailed another method dubbed C4 (short for Chrome Cookie Cipher Cracker) Attack, which makes it possible to decrypt the cookies as a low-privileged user. “Furthermore, this technique also allowed us to abuse Google’s new security feature to attack Windows machines and access data that should typically only be available to the privileged SYSTEM user,” security researcher Ari Novick said. The technique essentially employs a padding oracle attack to brute-force the encryption and bypass the SYSTEM-DPAPI, recovering the cookie key. Following responsible disclosure in December 2024, Google has put in place a “partial solution” to remediate the padding oracle attack. But it’s disabled by default.
    • Exploit Attempts Target Apache Tomcat and Camel Flaws — Malicious actors are probing for servers running vulnerable versions of Apache Tomcat and Camel that are unpatched against CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891 to achieve remote code execution. Palo Alto Networks said it blocked 125,856 probes/scans/exploit attempts originating from more than 70 countries related to these vulnerabilities in March 2025.
    • Let’s Encrypt Begins Issuing Certificates for IP Addresses — Let’s Encrypt started issuing certificates for IP addresses this month. These certificates are short-lived and valid for only six days, in line with the broader trend toward shorter certificate lifespans. Potential scenarios where one might need an IP address certificate include use cases like serving a default page for hosting providers, accessing a website without a domain name, securing DNS over HTTPS (DoH) services, protecting network-attached storage servers, and safeguarding ephemeral connections within cloud hosting infrastructure.
    • Google Open-Sources Privacy Tech for Age Verification — As online services increasingly introduce age verification barriers, Google has open-sourced its Zero-Knowledge Proof (ZKP) libraries to help people verify their age without giving up sensitive information. “In layperson’s terms, ZKP makes it possible for people to prove that something about them is true without exchanging any other data,” Google said. “So, for example, a person visiting a website can verifiably prove he or she is over 18, without sharing anything else at all.” The ZKP library, called Longfellow ZK, is currently being vetted by independent academic and industry experts. The results of the reviews are expected to be available by August 1, 2025.
    • Apple Adds ML-KEM to iOS and macOS 26 — Speaking of cryptographic solutions, Apple is adding post-quantum cryptography support to its operating systems. The upcoming versions of iOS, iPadOS, macOS, and visionOS will support the FIPS 203 (aka ML-KEM) cryptography algorithm by means of a hybrid, quantum-secure key exchange. “The ClientHello message from iOS 26, iPadOS 26, macOS Tahoe 26 and visionOS 26 devices will include X25519MLKEM768 in the supported_groups extension, along with a corresponding key share in the key_share extension,” Apple said. “Servers can select X25519MLKEM768 if they support it, or use another group advertised in the ClientHello message.”
    • Spain Arrests 2 for Leaking Personal Data of Government Officials — Spanish police arrested a 19-year-old computer science student and an accomplice for allegedly leaking the personal data of senior government officials and journalists. The main suspect, identified as Yoel OQ, was detained at his parents’ home on the island of Gran Canaria. His alleged accomplice, Cristian Ezequiel SM, was also arrested, according to local media citing law enforcement sources. The duo has been described as a “serious threat to national security.”
    • AT&T Launches Wireless Account Lock to Prevent SIM Swapping Attacks — U.S. mobile carrier AT&T has launched a new feature to lock accounts and prevent SIM swapping attacks. Wireless Account Lock can be enabled exclusively via AT&T’s myAT&T app. Once enabled, it blocks any changes to a customer’s billing details or wireless number transfers until it’s disabled again. Similar features already exist on other carriers like T-Mobile, Verizon, and Google Fi. “The lock forces an extra step before important account changes can be made. It prevents anyone from buying a device on the account, for example, or conducting a SIM swap – moving a phone number to a SIM in a different device,” AT&T said.
    • Pakistani Freelancers Behind Websites That Deploy Stealers — A group of Pakistani freelance web developers is behind a network of more than 300 websites advertising cracked software that infects users with information-stealing malware, per Intrinsec. It’s believed that these websites have been built for a third party and that the group incorporates search engine optimization techniques and Google Ads to maximize visibility and victim engagement. “Additionally, little can be done to prosecute Pakistani individuals behind these malicious activities as there is no extradition treaty between the US and Pakistan,” the company said. “Servers and domains can be seized but it is only a temporary measure until new ones are rebuilt.” The development coincides with the emergence of new stealer variants like Amatera Stealer (ACR Stealer) and Odyssey Stealer (Poseidon Stealer), becoming the latest entrants in a crowded field of infostealer malware.
    • Spain Detains 21 Suspects in Connection with Investment Scam — Spanish authorities have detained 21 suspects on charges of running an investment scam ring. The group operated call centers in Barcelona and used social media ads to promote fake investment platforms and trick hundreds of victims across the country into investing their funds in them, netting the gang over €10 million ($11.8 million). In late June 2025, U.S. authorities extradited a Ghanaian national, Joseph Kwadwo Badu Boateng, to face charges related to a romance and inheritance scheme targeting the elderly from 2013 through March 2023. Last week, a 41-year-old Nigerian man named Ehis Lawrence Akhimie pleaded guilty on similar charges in a separate case. “Akhimie admitted to defrauding over $6 million from more than 400 victims, many of whom were elderly or otherwise vulnerable,” the U.S. Justice Department said.
    • Chinese Student Sentenced to Prison in U.K. for Smishing Campaign — Ruichen Xiong, a student from China, has been sentenced in a London court for operating an SMS Blaster to conduct a mass smishing campaign against victims with an aim to harvest their personal details between March 22 and 27, 2025. “The equipment was programmed to send out SMS messages to victims within a nearby radius of the blaster, designed to look like trustworthy messages from genuine organisations, such as government bodies, where the victim was encouraged to click a link,” British trade association UK Finance said. “The link would subsequently take them to a malicious site that was designed to harvest their personal details.”
    • Microsoft Takes Steps Against Email Bombing and File System Redirection Attacks — Microsoft revealed that it’s rolling out an email bombing protection feature by default in Exchange Online Protection and Microsoft Defender for Office 365 plans to counter the risks posed by attacks that seek to flood target inboxes with thousands of messages by subscribing their email addresses to a large number of legitimate newsletter and subscription services. “By intelligently tracking message volumes across different sources and time intervals, this new detection leverages historical patterns of the sender and signals related to spam content. It prevents mail bombs from being dropped into the user’s inbox and the messages are rather sent to the Junk folder (of Outlook),” Microsoft said. Separately, the tech giant has also detailed a new mitigation called RedirectionGuard that it has put in place in Windows 11 to mitigate file system redirection attacks.
    • Hunters International Shuts Down — In an unusual turn of events, the Hunters International ransomware operation has shut down and promised to release free decryption keys for all past victims. The group announced the shutdown in a message posted on its dark web leak site on July 3, 2025. “After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the gang wrote on its darknet extortion site. It did not elaborate on what these “recent developments” were. The operation launched in November 2023 and was a rebrand of the Hive ransomware, which had its infrastructure seized earlier that year. The demise of Hunters International is not surprising, given that a report from Group-IB earlier this year found that the group had already rebranded again and launched an extortion-only operation known as World Leaks. Despite these claims, French security firm Lexfo said it identified World Leaks victims that had ransomware deployed on their network before being extorted. According to DataBreaches.net, World Leaks is operated by individuals previously associated with Hunters International. World Leaks has also claimed that they are no longer in touch with Hunters International. However, Group-IB said the shutdown is “designed to control the narrative and delay attribution.”
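    The ClientHello behaviour Apple describes in the ML-KEM item above can be checked on the wire. The following is an added example, not Apple’s code or anything from the article: it constructs a minimal TLS 1.3 ClientHello as sample input and parses its supported_groups and key_share extensions to report whether X25519MLKEM768 is offered with a matching key share. The code point 0x11EC is the registered value for X25519MLKEM768; the key-share bodies in the sample are zero placeholders of the correct length, not real keys, and the extension layout follows RFC 8446.

```python
"""Added example (not from the article or Apple): inspect a TLS 1.3 ClientHello
for the hybrid post-quantum group X25519MLKEM768 in supported_groups and key_share."""
import struct

SUPPORTED_GROUPS_EXT = 0x000A   # RFC 8446 extension type for supported_groups
KEY_SHARE_EXT = 0x0033          # RFC 8446 extension type for key_share
X25519MLKEM768 = 0x11EC         # registered code point for the hybrid group
X25519 = 0x001D

# Readable names for the groups used here (a subset of the registry)
NAMED_GROUPS = {0x0017: "secp256r1", X25519: "x25519", X25519MLKEM768: "X25519MLKEM768"}


def parse_client_hello(record: bytes) -> dict:
    """Return the groups listed in supported_groups and those carrying a key share.
    Raises ValueError if the record is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + ch[pos]                                      # legacy_session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + ch[pos]                                      # legacy_compression_methods
    ext_len = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(ch):
        raise ValueError("extensions overrun the ClientHello")
    groups, key_shares = [], []
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", ch[pos:pos + 4])
        data = ch[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif ext_type == KEY_SHARE_EXT:
            n, p = struct.unpack("!H", data[:2])[0], 2
            while p < 2 + n:
                group, share_len = struct.unpack("!HH", data[p:p + 4])
                key_shares.append(group)
                p += 4 + share_len
    return {"supported_groups": groups, "key_share_groups": key_shares}


def build_client_hello(groups, key_shares) -> bytes:
    """Construct a minimal ClientHello record; used here only to produce sample input."""
    sg = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    entries = b"".join(struct.pack("!HH", g, len(s)) + s for g, s in key_shares)
    ks = struct.pack("!H", len(entries)) + entries
    exts = (struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(sg)) + sg
            + struct.pack("!HH", KEY_SHARE_EXT, len(ks)) + ks)
    ch = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
          + b"\x00\x02\x13\x01"                     # one cipher suite (TLS_AES_128_GCM_SHA256)
          + b"\x01\x00"                             # null compression only
          + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def advertises_hybrid_pq(record: bytes) -> bool:
    """True when X25519MLKEM768 is both listed and backed by a key share,
    which is the behaviour Apple describes for iOS 26 clients."""
    info = parse_client_hello(record)
    return X25519MLKEM768 in info["supported_groups"] and X25519MLKEM768 in info["key_share_groups"]


# Constructed samples: key-share bodies are zero placeholders of the right size
# (32 bytes for x25519; 1216 = 32 x25519 + 1184 ML-KEM-768 encapsulation key for the hybrid).
PQ_HELLO = build_client_hello([X25519MLKEM768, X25519],
                              [(X25519MLKEM768, bytes(1216)), (X25519, bytes(32))])
CLASSIC_HELLO = build_client_hello([X25519, 0x0017], [(X25519, bytes(32))])

if __name__ == "__main__":
    for label, rec in (("PQ_HELLO", PQ_HELLO), ("CLASSIC_HELLO", CLASSIC_HELLO)):
        names = [NAMED_GROUPS.get(g, hex(g)) for g in parse_client_hello(rec)["supported_groups"]]
        print(f"{label}: groups={names} hybrid_pq={advertises_hybrid_pq(rec)}")
```

    The parser is deliberately strict about lengths so that a truncated or mislabelled record raises instead of silently reporting "no hybrid group"; when pointed at a real capture, feed it the bytes of the first handshake record only.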
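    Microsoft’s description of tracking message volumes across sources and time intervals, in the email bombing item above, can be illustrated with a small detector. This is an added example, not Microsoft’s code: a sliding-window check over constructed mail log lines that flags a recipient when many messages from many distinct sending domains arrive inside a short interval, and records what share of them look like sign-up confirmations. The log format, the thresholds and the example.com addresses are assumptions made for the example.

```python
"""Added example (not Microsoft's code): sliding-window detection of
subscription-bomb bursts over constructed mail log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)     # assumed detection window
MIN_MESSAGES = 30                  # assumed volume threshold inside one window
MIN_DISTINCT_SENDERS = 20          # assumed source-diversity threshold
SUBSCRIPTION_HINTS = ("confirm", "welcome", "subscription", "verify your email")


def parse_line(line: str):
    """Log format assumed for this example: ISO timestamp, recipient, sender domain
    and subject, separated by tabs."""
    ts, rcpt, sender, subject = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), rcpt, sender, subject


def detect_mail_bombs(lines):
    """Return {recipient: details} for recipients whose inbound traffic inside any
    WINDOW exceeds both thresholds. Lines must be in time order. A single chatty
    sender never trips the rule because the distinct-sender count stays at one."""
    recent = defaultdict(deque)    # recipient -> deque of (timestamp, sender, looks_like_signup)
    alerts = {}
    for line in lines:
        ts, rcpt, sender, subject = parse_line(line)
        dq = recent[rcpt]
        dq.append((ts, sender, any(h in subject.lower() for h in SUBSCRIPTION_HINTS)))
        while dq and ts - dq[0][0] > WINDOW:      # drop entries that fell out of the window
            dq.popleft()
        senders = {s for _, s, _ in dq}
        if rcpt not in alerts and len(dq) >= MIN_MESSAGES and len(senders) >= MIN_DISTINCT_SENDERS:
            alerts[rcpt] = {
                "first_seen": dq[0][0],
                "messages": len(dq),
                "distinct_senders": len(senders),
                "signup_like_ratio": sum(1 for *_, hint in dq if hint) / len(dq),
            }
    return alerts


def constructed_log():
    """Constructed sample: bob gets ordinary traffic; alice is hit with 45 sign-up
    confirmations from 45 different list hosts inside four minutes."""
    base = datetime(2025, 7, 7, 9, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat()}\tbob@example.com\tcorp-{i % 3}.example\tStatus update {i}")
    for i in range(45):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()}\talice@example.com\tlist-{i}.example\tPlease confirm your subscription")
    return sorted(lines)          # ISO timestamps of one day sort correctly as strings


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for rcpt, details in detect_mail_bombs(SAMPLE_LOG).items():
        print(rcpt, details)
```

    Requiring both a volume threshold and a distinct-sender threshold is what keeps a single busy mailing list or an automated ticketing system from being misclassified; the sign-up ratio is reported rather than enforced so an analyst can tune it against real traffic.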

    🎥 Cybersecurity Webinars

    • The Future of Logins: AI, Trust, and Privacy Collide Users are rejecting creepy AI and demanding frictionless logins—and the stakes have never been higher. This webinar reveals exclusive findings from the Auth0 2025 Trends Report, exposing how identity threats are evolving and how leading teams are designing trust-first login flows that users love. If you’re still relying on outdated UX patterns or ignoring privacy shifts, you’re already falling behind.
    • Your Pip Install Might Be Malware—Here’s How to Fix It Pip install isn’t just risky—it’s dangerous. Repojacking, fake packages, and infected containers are quietly poisoning thousands of apps. This isn’t a theory—it’s happening right now. Join top security experts to uncover how the Python ecosystem is being attacked, what tools like Sigstore and SLSA actually do, and the real steps you need to secure your builds before it’s too late.

    🔧 Cybersecurity Tools

    • Cloudflare’s Orange Meets – It is a fully end-to-end encrypted video calling app that runs entirely on the client side—no changes needed to the server or SFU. Built with WebRTC, Rust, and Messaging Layer Security (MLS), it supports secure group calls with real-time key rotation and formally verified joining logic. It’s open source, scalable, and ready to use or customize.
    • Octelium – It is a free, open source, self-hosted platform for secure, zero trust access to internal and cloud resources. It replaces VPNs, tunnels, and gateways with identity-based, secret-less access and fine-grained, policy-driven control. Built on Kubernetes, it supports both client and browser-based access, and works for apps, APIs, SSH, databases, and more—without exposing your infrastructure.

    Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

    🔒 Tip of the Week

    Shrink Your Attack Surface with Smart Defaults – Many cyberattacks begin by leveraging legitimate Windows features that are rarely needed by most users or environments. Office macros, Windows Script Host, legacy protocols like LLMNR and NetBIOS over TCP/IP, and background COM script interfaces are common culprits. But even more obscure surfaces—such as ActiveX controls, Component Object Model elevation paths, or exposed DCOM/RPC endpoints—can be entry points for lateral movement and privilege escalation.

    Beyond basic hardening, consider advanced techniques like disabling Win32 optional features via “DISM /Online /Disable-Feature,” disabling legacy input/output subsystems (like 16-bit support via NtVDM), or auditing unexpected network listeners using “netstat -abno” and “Sysinternals TCPView.” Apply Software Restriction Policies (SRP) or AppLocker to block execution from temp directories, USB drives, and user profile folders. Harden PowerShell with Constrained Language Mode and enable AMSI logging to catch script obfuscation attempts.

    For users who want safe defaults without diving into the registry or GPO, Hardentools offers a well-balanced baseline. It disables commonly exploited scripting engines, Office macro execution, and certain Windows Explorer behaviors with a single click. But to go further, pair it with community scripts like “Attack Surface Analyzer” (by Microsoft) or tools like O&O ShutUp10++ to disable telemetry and reduce exposure to cloud-connected attack vectors.

    The more obscure the vector, the less likely defenders are monitoring it—but that’s exactly why attackers love it. Effective attack surface reduction is not just about minimizing visible services; it’s about knowing what’s silently enabled and ensuring it’s needed. This week, go beyond basic macro blocking—review what’s running under the hood and shut down the silent risks.

    Conclusion

    It’s one thing to defend against outside attackers—it’s another when the risk is already inside. This week’s revelations about stolen identities, fake hires, and silent access show how trust can be turned into a weapon.

    The takeaway is clear: identity isn’t just a login—it’s a security boundary. And when that fails, everything behind it is at risk.



    Source: thehackernews.com…

  • TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors

    A hacking group with ties to Pakistan has been found targeting Indian government organizations with a modified variant of a remote access trojan (RAT) called DRAT.

    The activity has been attributed by Recorded Future’s Insikt Group to a threat actor tracked as TAG-140, which it said overlaps with SideCopy, an adversarial collective assessed to be an operational sub-cluster within Transparent Tribe (aka APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM).

    “TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques,” the Mastercard-owned company said in an analysis published last month.

    “This latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality.”

    The updated version of DRAT, called DRAT V2, is the latest addition to SideCopy’s RAT arsenal, which also comprises other tools like Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT to infect Windows and Linux systems.

    The attack activity demonstrates the adversary’s evolving playbook, highlighting its ability to refine and diversify an “interchangeable suite” of RAT malware that harvests sensitive data while complicating attribution, detection, and monitoring efforts.

    Attacks orchestrated by the threat actor have broadened in targeting focus beyond government, defense, maritime, and academic sectors to encompass organizations affiliated with the country’s railway, oil and gas, and external affairs ministries. The group has been active since at least 2019.

    The infection sequence documented by Recorded Future leverages a ClickFix-style approach that spoofs the Indian Ministry of Defence’s official press release portal to drop DRAT V2, a new Delphi-compiled variant of the originally .NET-based DRAT.

    The counterfeit website has one active link that, when clicked, initiates an infection sequence that surreptitiously copies a malicious command to the machine’s clipboard and urges the victim to paste and execute it by launching a command shell.

    This causes the retrieval of an HTML Application (HTA) file from an external server (“trade4wealth[.]in”), which is then executed by means of mshta.exe to launch a loader called BroaderAspect. The loader is responsible for downloading and launching a decoy PDF, setting up persistence through Windows Registry changes, and downloading and running DRAT V2 from the same server.

    DRAT V2 adds a new command for arbitrary shell command execution, improving its post-exploitation flexibility. It also obfuscates its C2 IP addresses using Base64 encoding and updates its custom server-initiated TCP protocol to support command input in both ASCII and Unicode. However, the server responds only in ASCII. The original DRAT requires Unicode for both input and output.
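    Because DRAT V2 hides its C2 addresses behind Base64, a first triage step for an analyst is to decode every Base64-looking string in a sample and keep only those that turn out to be valid IPv4 addresses. The following is an added example, not Recorded Future’s code and not derived from the malware itself: it scans a constructed byte blob (built with documentation-range addresses) for Base64 runs in both ASCII and UTF-16LE encodings, decodes them, and validates the result with the ipaddress module so that strings like "300.1.1.1" are rejected.

```python
"""Added example (not Recorded Future's code): recover Base64-wrapped IPv4
indicators from a binary blob, the obfuscation described for DRAT V2's C2."""
import base64
import binascii
import ipaddress
import re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")          # plausible Base64 tokens
IPV4_PORT = re.compile(rb"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def candidate_runs(blob: bytes):
    """Yield Base64-looking runs from the raw bytes and from the blob read as
    UTF-16LE text at both byte alignments (Windows binaries often store wide strings)."""
    yield from (m.group(0) for m in B64_RUN.finditer(blob))
    for offset in (0, 1):
        narrow = blob[offset:].decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
        yield from (m.group(0) for m in B64_RUN.finditer(narrow))


def extract_encoded_ips(blob: bytes):
    """Return a list of (base64_token, ip, port_or_None) for every run that decodes
    to a syntactically valid IPv4 address with an optional port."""
    found, seen = [], set()
    for run in candidate_runs(blob):
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue                                   # wrong length or padding: not Base64
        m = IPV4_PORT.match(decoded)
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(1).decode()))   # rejects octets > 255
        except ValueError:
            continue
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and not 0 < port < 65536:
            continue
        if (ip, port) not in seen:                     # the two passes may overlap
            seen.add((ip, port))
            found.append((run.decode(), ip, port))
    return found


# Constructed sample blob using documentation-range addresses: one ASCII token,
# one UTF-16LE token (which lands on an odd byte offset), one token that decodes
# to an invalid address, and Base64-shaped noise that decodes to something else.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(8)
    + b"PING\x00" + base64.b64encode(b"203.0.113.45:4444") + b"\x00\x00"
    + base64.b64encode(b"198.51.100.7:8080").decode().encode("utf-16-le") + b"\x00\x00"
    + base64.b64encode(b"300.1.1.1") + b"\x00"
    + b"SGVsbG8gV29ybGQ=\x00deadbeefcafe1234\x00"
)

if __name__ == "__main__":
    for token, ip, port in extract_encoded_ips(SAMPLE_BLOB):
        print(f"{token} -> {ip}{':' + str(port) if port else ''}")
```

    Decoding at both UTF-16 alignments matters in practice: a wide string that starts on an odd offset is invisible to a single-pass decode, which is exactly the kind of gap that lets an indicator slip past a quick strings-style review.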

    “Compared to its predecessor, DRAT V2 reduces string obfuscation by keeping most command headers in plaintext, likely prioritizing parsing reliability over stealth,” Recorded Future said. “DRAT V2 lacks advanced anti-analysis techniques and relies on basic infection and persistence methods, making it detectable via static and behavioral analysis.”

    Other known capabilities allow it to perform a wide range of actions on compromised hosts, including conducting reconnaissance, uploading additional payloads, and exfiltrating data.

    “These functions provide TAG-140 with persistent, flexible control over the infected system and allow for both automated and interactive post-exploitation activity without requiring the deployment of auxiliary malware tools,” the company said.

    “DRAT V2 appears to be another modular addition rather than a definitive evolution, reinforcing the likelihood that TAG-140 will persist in rotating RATs across campaigns to obscure signatures and maintain operational flexibility.”

    APT36 Campaigns Deliver Ares RAT and DISGOMOJI

    State-sponsored threat activity and coordinated hacktivist operations from Pakistan flared up during the India-Pakistan conflict in May 2025, with APT36 capitalizing on the events to distribute Ares RAT in attacks targeting defense, government, IT, healthcare, education, and telecom sectors.

    “With the deployment of tools like Ares RAT, attackers gained complete remote access to infected systems – opening the door to surveillance, data theft, and potential sabotage of critical services,” Seqrite Labs noted back in May 2025.

    Recent APT36 campaigns have been found to disseminate carefully crafted phishing emails containing malicious PDF attachments to target Indian defense personnel.

    The messages masquerade as purchase orders from the National Informatics Centre (NIC) and persuade the recipients to click on a button embedded within the PDF documents. Doing so results in the download of an executable that deceptively displays a PDF icon and employs the double extension format (i.e., *.pdf.exe) to appear legitimate to Windows users.

    The binary, besides featuring anti-debugging and anti-VM features to sidestep analysis, is designed to launch a next-stage payload in memory that can enumerate files, log keystrokes, capture clipboard content, obtain browser credentials, and contact a C2 server for data exfiltration and remote access.

    “APT36 poses a significant and ongoing cyber threat to national security, specifically targeting Indian defense infrastructure,” CYFIRMA said. “The group’s use of advanced phishing tactics and credential theft exemplifies the evolving sophistication of modern cyber espionage.”

    Another campaign detailed by 360 Threat Intelligence Center has leveraged a new variant of a Go-based malware referred to as DISGOMOJI as part of booby-trapped ZIP files distributed via phishing attacks. The malware, the Beijing-based cybersecurity company said, is an ELF executable program written in Golang and uses Google Cloud for C2, marking a shift from Discord.

    “In addition, browser theft plug-ins and remote management tools will be downloaded to achieve further theft operations and remote control,” it said. “The function of downloading the DISGOMOJI variant is similar to the load found before, but the previous DISGOMOJI used the Discord server, while this time it used Google Cloud Service for communication.”

    Confucius Drops WooperStealer and Anondoor

    The findings come as the cyber espionage actor known as Confucius has been linked to a new campaign that deploys an information stealer called WooperStealer and a previously undocumented modular backdoor called Anondoor.

    Confucius is assessed to be a threat group operating with objectives that align with India. It’s believed to be active since at least 2013, targeting government and military units in South Asia and East Asia.

    According to Seebug’s KnownSec 404 Team, the multi-stage attacks employ Windows Shortcut (LNK) files as a starting point to deliver Anondoor using DLL side-loading techniques, following which system information is collected and WooperStealer is fetched from a remote server.

    The backdoor is fully featured, enabling an attacker to execute commands, take screenshots, download files, dump passwords from the Chrome browser, and list files and folders.

    “It has evolved from the previously exposed single espionage trojan of downloading and executing to a modular backdoor, demonstrating a relatively high ability of technological iteration,” KnownSec 404 Team said. “Its backdoor component is encapsulated in a C# DLL file and evaded sandbox detection by loading the specified method through invoke.”



    Source: thehackernews.com…