Category: Cybersecurity

  • TA829 and UNK_GreenSec Share Tactics and Infrastructure in Ongoing Malware Campaigns


    Cybersecurity researchers have flagged the tactical similarities between the threat actors behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader.

    Enterprise security firm Proofpoint is tracking the activity associated with TransferLoader to a group dubbed UNK_GreenSec and the RomCom RAT actors under the moniker TA829. The latter is also known by the names CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu.

    The company said it discovered UNK_GreenSec as part of its investigation into TA829, describing it as using an “unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes.”

    TA829 is something of an unusual hacking group in the threat landscape given its ability to conduct both espionage as well as financially motivated attacks. The Russia-aligned hybrid group has also been linked to the zero-day exploitation of security flaws in Mozilla Firefox and Microsoft Windows to deliver RomCom RAT in attacks aimed at global targets.

    Earlier this year, PRODAFT detailed the threat actors’ use of bulletproof hosting providers, living-off-the-land (LOTL) tactics, and encrypted command-and-control (C2) communications to sidestep detection.

    TransferLoader, on the other hand, was first documented by Zscaler ThreatLabz in connection with a February 2025 campaign that delivered the Morpheus ransomware against an unnamed American law firm.

    Proofpoint noted that campaigns undertaken by both TA829 and UNK_GreenSec rely on REM Proxy services that are deployed on compromised MikroTik routers for their upstream infrastructure. That said, the exact method used to breach these devices is not known.

    “REM Proxy devices are likely rented to users to relay traffic,” the Proofpoint threat research team said. “In observed campaigns, both TA829 and UNK_GreenSec use the service to relay traffic to new accounts at freemail providers to then send to targets. REM Proxy services have also been used by TA829 to initiate similar campaigns via compromised email accounts.”

    Given that the format of the sender addresses is similar — e.g., ximajazehox333@gmail.com and hannahsilva1978@ukr.net — it’s believed that the threat actors are likely using some sort of email builder utility that facilitates the en masse creation and sending of phishing emails via REM Proxy nodes.

    The messages act as a conduit to deliver a link, which is either directly embedded in the body or within a PDF attachment. Clicking on the link initiates a series of redirections via Rebrandly that ultimately take the victim to a fake Google Drive or Microsoft OneDrive page, while filtering out machines that have been flagged as sandboxes or deemed not of interest to the attackers.

    It’s at this stage that the attack chains splinter into two, as the adversary infrastructure to which the targets are redirected is different, ultimately paving the way for TransferLoader in the case of UNK_GreenSec and a malware strain called SlipScreen in the case of TA829.

    “TA829 and UNK_GreenSec have both deployed PuTTY’s PLINK utility to set up SSH tunnels, and both used IPFS services to host those utilities in follow-on activity,” Proofpoint noted.

    SlipScreen is a first-stage loader that’s designed to decrypt and load shellcode directly into memory and initiate communications with a remote server, but only after a Windows Registry check to ensure the targeted computer has at least 55 recent documents based on the “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs” key.

    The infection sequence is then used to deploy a downloader named MeltingClaw (aka DAMASCENED PEACOCK) or RustyClaw, which is then used to drop backdoors like ShadyHammock or DustyHammock, with the former being used to launch SingleCamper (aka SnipBot), an updated version of RomCom RAT.

    DustyHammock, besides running reconnaissance commands on an infected system, comes fitted with the ability to download additional payloads hosted on the InterPlanetary File System (IPFS) network.

    Campaigns propagating TransferLoader have been found to leverage job opportunity-themed messages to trick victims into clicking on a link that ostensibly leads to a PDF resume, but, in reality, results in the download of TransferLoader from an IPFS webshare.

    TransferLoader’s primary objective is to fly under the radar and serve more malware, such as Metasploit and Morpheus ransomware, a rebranded version of HellCat ransomware.

    “Unlike the TA829 campaigns, the TransferLoader campaigns’ JavaScript components redirected users to a different PHP endpoint on the same server, which allows the operator to conduct further server-side filtering,” Proofpoint said. “UNK_GreenSec used a dynamic landing page, often irrelevant to the OneDrive spoof, and redirected users to the final payload that was stored on an IPFS webshare.”

    The overlapping tradecraft between TA829 and UNK_GreenSec raises four possibilities:

    • The threat actors are procuring distribution and infrastructure from the same third-party provider
    • TA829 acquires and distributes infrastructure on its own, and has provided these services to UNK_GreenSec
    • UNK_GreenSec is the infrastructure provider that typically offers its warez to TA829, but decided to temporarily use it to deliver its own malware, TransferLoader
    • TA829 and UNK_GreenSec are one and the same, and TransferLoader is a new addition to their malware arsenal

    “In the current threat landscape, the points at which cybercrime and espionage activity overlap continue to increase, removing the distinctive barriers that separate criminal and state actors,” Proofpoint said. “Campaigns, indicators, and threat actor behaviors have converged, making attribution and clustering within the ecosystem more challenging.”

    “While there is not sufficient evidence to substantiate the exact nature of the relationship between TA829 and UNK_GreenSec, there is very likely a link between the groups.”

    Source: thehackernews.com…

  • New Flaw in IDEs Like Visual Studio Code Lets Malicious Extensions Bypass Verified Status

    Jul 01, 2025 | Ravie Lakshmanan | Developer Security / Software Development

    A new study of integrated development environments (IDEs) like Microsoft Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor has revealed weaknesses in how they handle the extension verification process, ultimately enabling attackers to execute malicious code on developer machines.

    “We discovered that flawed verification checks in Visual Studio Code allow publishers to add functionality to extensions while maintaining the verified icon,” OX Security researchers Nir Zadok and Moshe Siman Tov Bustan said in a report shared with The Hacker News. “This results in the potential for malicious extensions to appear verified and approved, creating a false sense of trust.”

    Specifically, the analysis found that Visual Studio Code sends an HTTP POST request to the domain “marketplace.visualstudio[.]com” to determine if an extension is verified or otherwise.

    The exploitation method essentially involves creating a malicious extension with the same verifiable values as an already verified extension, such as that of Microsoft, and bypassing trust checks.

    As a result, it allows rogue extensions to appear verified to unsuspecting developers, while also containing code capable of executing operating system commands.

    From a security standpoint, this is a classic case of extension sideloading abuse, where bad actors distribute plugins outside the official marketplace. Without proper code signing enforcement or trusted publisher verification, even legitimate-looking extensions can hide dangerous scripts.

    For attackers, this opens up a low-barrier entry point to achieve remote code execution—a risk that’s especially serious in development environments where sensitive credentials and source code are often accessible.

    In a proof-of-concept (PoC) demonstrated by the cybersecurity company, the extension was configured to open the Calculator app on a Windows machine, thereby highlighting its ability to execute commands on the underlying host.

    By identifying the values used in verification requests and modifying them, it was found that it’s possible to create a VSIX package file such that it causes the malicious extension to appear legitimate.

    OX Security said it was able to reproduce the flaw across other IDEs like IntelliJ IDEA and Cursor by modifying the values used for verification without making them lose their verified status.

    In response to responsible disclosure, Microsoft said the behavior is by design and that such modifications would prevent the VSIX extension from being published to the Marketplace, owing to extension signature verification that’s enabled by default across all platforms.

    However, the cybersecurity company found the flaw to be exploitable as recently as June 29, 2025. The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back.

    The findings once again show that relying solely on the verified symbol of extensions can be risky, as attackers can trick developers into running malicious code without their knowledge. To mitigate such risks, it’s advised to install extensions directly from official marketplaces as opposed to using VSIX extension files shared online.

    “The ability to inject malicious code into extensions, package them as VSIX/ZIP files, and install them while maintaining the verified symbols across multiple major development platforms poses a serious risk,” the researchers said. “This vulnerability particularly impacts developers who install extensions from online resources such as GitHub.”

    Source: thehackernews.com…

  • U.S. Agencies Warn of Rising Iranian Cyber Attacks on Defense, OT Networks, and Critical Infrastructure

    U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors.

    “Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events,” the agencies said.

    “These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices.”

    There is currently no evidence of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) noted.

    Emphasizing the need for “increased vigilance,” the agencies singled out Defense Industrial Base (DIB) companies, specifically those with ties to Israeli research and defense firms, as being at an elevated risk. U.S. and Israeli entities may also be exposed to distributed denial-of-service (DDoS) attacks and ransomware campaigns, they added.

    Attackers often start with reconnaissance tools like Shodan to find vulnerable internet-facing devices, especially in industrial control system (ICS) environments. Once inside, they can exploit weak segmentation or misconfigured firewalls to move laterally across networks. Iranian groups have previously used remote access tools (RATs), keyloggers, and even legitimate admin utilities like PsExec or Mimikatz to escalate access—all while evading basic endpoint defenses.

    Based on prior campaigns, attacks mounted by Iranian threat actors leverage techniques like automated password guessing, password hash cracking, and default manufacturer passwords to gain access to internet-exposed devices. They have also been found to employ system engineering and diagnostic tools to breach operational technology (OT) networks.
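    The automated password guessing and default-credential use described above leave a recognisable trace in device auth logs. The following detector is an added example (not from the joint advisory or the article) that runs over constructed OpenSSH-style log lines; hostnames, addresses and usernames are made up, and the thresholds are assumptions to tune per environment.

```python
"""Flag automated password guessing in device auth logs.

Added example, not from the joint advisory or the article: a small
spray/brute-force detector run over constructed OpenSSH-style log lines.
Hostnames, addresses and usernames are made up for the demonstration.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts result user src")

# Constructed sample: one source cycling through likely default accounts,
# one hammering a single account, and one ordinary user who mistyped once.
SAMPLE_LOG = """\
Jun 28 02:14:01 plc-gw sshd[2101]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Jun 28 02:14:03 plc-gw sshd[2102]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jun 28 02:14:05 plc-gw sshd[2103]: Failed password for operator from 203.0.113.7 port 51124 ssh2
Jun 28 02:14:07 plc-gw sshd[2104]: Failed password for service from 203.0.113.7 port 51125 ssh2
Jun 28 02:14:09 plc-gw sshd[2105]: Failed password for guest from 203.0.113.7 port 51126 ssh2
Jun 28 02:14:11 plc-gw sshd[2106]: Accepted password for admin from 203.0.113.7 port 51127 ssh2
Jun 28 02:20:00 plc-gw sshd[2110]: Failed password for jsmith from 198.51.100.4 port 40000 ssh2
Jun 28 02:20:30 plc-gw sshd[2111]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Jun 28 02:21:00 plc-gw sshd[2112]: Failed password for jsmith from 198.51.100.4 port 40002 ssh2
Jun 28 02:21:30 plc-gw sshd[2113]: Failed password for jsmith from 198.51.100.4 port 40003 ssh2
Jun 28 02:22:00 plc-gw sshd[2114]: Failed password for jsmith from 198.51.100.4 port 40004 ssh2
Jun 28 02:22:30 plc-gw sshd[2115]: Failed password for jsmith from 198.51.100.4 port 40005 ssh2
Jun 28 03:05:00 plc-gw sshd[2120]: Failed password for jdoe from 192.0.2.9 port 33000 ssh2
Jun 28 03:05:40 plc-gw sshd[2121]: Accepted password for jdoe from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)


def parse(log_text, year=2025):
    """Parse syslog-style auth lines; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["result"], m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=5), spray_users=4, brute_attempts=5):
    """Return one finding per (source, kind).

    password_spray: one source fails against many distinct accounts in the window
    brute_force: one source fails repeatedly against the same account
    success_after_failures: a login succeeds right after a burst of failures,
        the pattern a default or guessable password leaves behind
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev.src].append(ev)

    findings = {}
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            # failures from this source inside the window ending at this event
            recent = [e for e in evs[: i + 1]
                      if e.result == "Failed" and ev.ts - e.ts <= window]
            users = {e.user for e in recent}
            same_user = sum(1 for e in recent if e.user == ev.user)
            if ev.result == "Failed" and len(users) >= spray_users:
                findings[(src, "password_spray")] = {
                    "source": src, "kind": "password_spray",
                    "severity": "medium", "users": sorted(users)}
            if ev.result == "Failed" and same_user >= brute_attempts:
                findings[(src, "brute_force")] = {
                    "source": src, "kind": "brute_force",
                    "severity": "medium", "user": ev.user, "attempts": same_user}
            if ev.result == "Accepted" and len(recent) >= 3:
                findings[(src, "success_after_failures")] = {
                    "source": src, "kind": "success_after_failures",
                    "severity": "high", "user": ev.user, "prior_failures": len(recent)}
    return sorted(findings.values(), key=lambda f: (f["source"], f["kind"]))


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

    The third rule is the one worth paging on: a success that follows a burst of failures from the same source is what a guessed default password looks like after the fact.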

    The development comes days after the Department of Homeland Security (DHS) released a bulletin, urging U.S. organizations to be on the lookout for possible “low-level cyber attacks” by pro-Iranian hacktivists amid the ongoing geopolitical tensions between Iran and Israel.

    Last week, Check Point revealed that the Iranian nation-state hacking group tracked as APT35 targeted journalists, high-profile cyber security experts, and computer science professors in Israel as part of a spear-phishing campaign designed to capture their Google account credentials using bogus Gmail login pages or Google Meet invitations.

    As mitigations, organizations are advised to follow the steps below:

    • Identify and disconnect OT and ICS assets from the public internet
    • Ensure devices and accounts are protected with strong, unique passwords, replace weak or default passwords, and enforce multi-factor authentication (MFA)
    • Implement phishing-resistant MFA for accessing OT networks from any other network
    • Ensure systems are running the latest software patches to protect against known security vulnerabilities
    • Monitor user access logs for remote access to the OT network
    • Establish OT processes that prevent unauthorized changes, loss of view, or loss of control
    • Adopt full system and data backups to facilitate recovery

    For organizations wondering where to start, a practical approach is to first review your external attack surface—what systems are exposed, which ports are open, and whether any outdated services are still running. Tools like CISA’s Cyber Hygiene program or open-source scanners such as Nmap can help identify risks before attackers do. Aligning your defenses with the MITRE ATT&CK framework also makes it easier to prioritize protections based on real-world tactics used by threat actors.

    “Despite a declared ceasefire and ongoing negotiations towards a permanent solution, Iranian-affiliated cyber actors and hacktivist groups may still conduct malicious cyber activity,” the agencies said.

    Update

    In a new report, Censys said it uncovered 43,167 internet-exposed devices from Tridium Niagara, 2,639 from Red Lion, 1,697 from Unitronics, and 123 from Orpak SiteOmat as of June 2025. A majority of the increased exposures associated with Tridium Niagara appear to be in Germany, Sweden, and Japan.

    It also noted that default passwords continue to provide an easy pathway for threat actors to access critical systems, urging manufacturers to avoid shipping devices or software with default credentials, and instead require strong, unique passwords as well as offer ways to prevent exposing their systems directly to the internet.

    “Apart from Unitronics, which is most commonly observed in Australia, the highest numbers of these devices are observed in the U.S.,” the company said. “Though Tridium Niagara boasts the highest exposure numbers, it’s building automation software. Depending on a threat actor’s objective, these systems, though plentiful, may not be the most valuable targets.”

    SOCRadar said the Iran-Israel conflict of 2025 has led to a spike in cyber activity, with more than 600 cyber attack claims reported across more than 100 Telegram channels between June 12 and 27, 2025. Israel emerged as the most targeted country with 441 attack claims, followed by the U.S. (69), India (34), and Middle Eastern nations like Jordan (33) and Saudi Arabia (13).

    The top hacktivist groups during the time period included Mr Hamza, Keymous, Mysterious Team, Team Fearless, GARUDA_ERROR_SYSTEM, Dark Storm Team, Arabian Ghosts, Cyber Fattah, CYBER U.N.I.T.Y, and NoName057(16). Governments, defense, telecom, financial services, and technology sectors were among the most targeted industries.

    “Since the war began, state-sponsored hackers, hacktivists from both countries, and cyber actors from non-participant nations ranging from South Asia to Russia to across the Middle East have become active,” the threat intelligence firm said. “Israel was the main target of DDoS attacks, with 357 claims, making up 74% of all DDoS activity.”

    Source: thehackernews.com…

  • Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update

    Jul 01, 2025 | Ravie Lakshmanan | Vulnerability / Browser Security

    Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild.

    The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine.

    “Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page,” according to a description of the bug on the NIST’s National Vulnerability Database (NVD).

    Type confusion vulnerabilities can have severe consequences as they can be exploited to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.

    Zero-day bugs like this are especially risky because attackers often start using them before a fix is available. In real-world attacks, these flaws can let hackers install spyware, launch drive-by downloads, or quietly run harmful code — sometimes just by getting someone to open a malicious website.

    Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 25, 2025, signaling that it may have been weaponized in highly targeted attacks — possibly involving nation-state actors or surveillance operations. TAG typically detects and investigates serious threats like government-backed attacks.

    The tech giant also noted that the issue was mitigated the next day by means of a configuration change that was pushed out to the Stable channel across all platforms. For everyday users, that means the threat may not be widespread yet, but it’s still urgent to patch — especially if you’re in roles handling sensitive or high-value data.

    Google has not released any additional details about the vulnerability and who may have exploited it, but acknowledged that “an exploit for CVE-2025-6554 exists in the wild.”

    CVE-2025-6554 is the fourth zero-day vulnerability in Chrome to be addressed by Google since the start of the year after CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419. However, it bears noting that there is no clarity on whether CVE-2025-4664 has been abused in a malicious context.

    To safeguard against potential threats, users are advised to update their Chrome browser to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.

    If you’re unsure whether your browser is up to date, go to Settings > Help > About Google Chrome — it should trigger the latest update automatically. For businesses and IT teams managing multiple endpoints, enabling automatic patch management and monitoring browser version compliance is critical.
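    For teams checking browser version compliance across a fleet, the following is an added example (not from Google or the article) that compares inventory entries against the first fixed builds listed above; the hostnames and versions in the sample inventory are constructed, and the inventory format is an assumption.

```python
"""Browser-version compliance check for CVE-2025-6554.

Added example, not from Google or the article: it compares inventory
entries against the minimum fixed Chrome builds the advisory lists
(138.0.7204.96 for Windows and Linux, 138.0.7204.92 for macOS).
Hostnames and versions in SAMPLE_INVENTORY are constructed.
"""

# First fixed build per platform, from the security update notice.
FIXED_BUILDS = {
    "windows": (138, 0, 7204, 96),
    "mac": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}


def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Tuples compare numerically; comparing the raw strings would wrongly
    rank 138.0.7204.100 below 138.0.7204.96.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform, version):
    """True when the reported build is at or above the first fixed build."""
    key = platform.lower()
    if key not in FIXED_BUILDS:
        raise ValueError(f"no fixed build recorded for platform {platform!r}")
    return parse_version(version) >= FIXED_BUILDS[key]


# Constructed inventory rows: (hostname, platform, reported Chrome version)
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "138.0.7204.97"),
    ("ws-002", "windows", "137.0.7151.120"),
    ("mac-001", "mac", "138.0.7204.93"),
    ("mac-002", "mac", "138.0.7204.49"),
    ("lx-001", "linux", "138.0.7204.96"),
    ("lx-002", "linux", "138.0.7204.100"),
]


def unpatched_hosts(inventory):
    """Hostnames still running a build older than the first fixed one."""
    return [host for host, platform, version in inventory
            if not is_patched(platform, version)]


if __name__ == "__main__":
    print("needs update:", unpatched_hosts(SAMPLE_INVENTORY))
```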

    Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

    Source: thehackernews.com…

  • A New Maturity Model for Browser Security: Closing the Last-Mile Risk

    Despite years of investment in Zero Trust, SSE, and endpoint protection, many enterprises are still leaving one critical layer exposed: the browser.

    It’s where 85% of modern work now happens. It’s also where copy/paste actions, unsanctioned GenAI usage, rogue extensions, and personal devices create a risk surface that most security stacks weren’t designed to handle. For security leaders who know this blind spot exists but lack a roadmap to fix it, a new framework may help.

    The Secure Enterprise Browser Maturity Guide: Safeguarding the Last Mile of Enterprise Risk, authored by cybersecurity researcher Francis Odum, offers a pragmatic model to help CISOs and security teams assess, prioritize, and operationalize browser-layer security. It introduces a clear progression from basic visibility to real-time enforcement and ecosystem integration, built around real-world threats, organizational realities, and evolving user behavior.

    Why the Browser Has Become the Security Blind Spot

    Over the past three years, the browser has quietly evolved into the new endpoint of the enterprise. Cloud-first architectures, hybrid work, and the explosive growth of SaaS apps have made it the primary interface between users and data.

    • 85% of the workday now happens inside the browser
    • 90% of companies allow access to corporate apps from BYOD devices
    • 95% report experiencing browser-based cyber incidents
    • 98% have seen BYOD policy violations

    And while most security programs have hardened identity layers, firewalls, and email defenses, the browser remains largely ungoverned. It’s where sensitive data is copied, uploaded, pasted, and sometimes leaked, with little or no monitoring.

    Traditional Tools Weren’t Built for This Layer

    The guide breaks down why existing controls struggle to close the gap:

    • DLP scans files and email, but misses in-browser copy/paste and form inputs.
    • CASB protects sanctioned apps, but not unsanctioned GenAI tools or personal cloud drives.
    • SWGs block known bad domains, but not dynamic, legitimate sites running malicious scripts.
    • EDR watches the OS, not the browser’s DOM.

    This reflects what is described as the “last mile” of enterprise IT, the final stretch of the data path where users interact with content and attackers exploit the seams.

    GenAI Changed the Game

    A core theme of the guide is how browser-based GenAI usage has exposed a new class of invisible risk. Users routinely paste proprietary code, business plans, and customer records into LLMs with no audit trail.

    • 65% of enterprises admit they have no control over what data goes into GenAI tools
    • Prompts are effectively unsanctioned API calls
    • Traditional DLP, CASB, and EDR tools offer no insight into these flows

    The browser is often the only enforcement point that sees the prompt before it leaves the user’s screen.

    The Secure Enterprise Browser Maturity Model

    To move from reactive response to structured control, the guide introduces a three-stage maturity model for browser-layer security:

    Stage 1: Visibility

    “You can’t protect what you can’t see.”

    Organizations at this stage begin by illuminating browser usage across devices, especially unmanaged ones.

    • Inventory browsers and versions across endpoints
    • Capture telemetry: uploads, downloads, extension installs, session times
    • Detect anomalies (e.g., off-hours SharePoint access, unusual copy/paste behavior)
    • Identify shadow SaaS and GenAI usage without blocking it yet

    Quick wins here include audit-mode browser extensions, logging from SWGs, and flagging outdated or unmanaged browsers.

    Stage 2: Control & Enforcement

    Once visibility is in place, teams begin actively managing risk within the browser:

    • Enforce identity-bound sessions (e.g., block personal Gmail login from corp session)
    • Control uploads/downloads to/from sanctioned apps
    • Block or restrict unvetted browser extensions
    • Inspect browser copy/paste actions using DLP classifiers
    • Display just-in-time warnings (e.g., “You’re about to paste PII into ChatGPT”)

    This stage is about precision: applying the right policies in real-time, without breaking user workflows.

    Stage 3: Integration & Usability

    At full maturity, browser-layer telemetry becomes part of the larger security ecosystem:

    • Events stream into SIEM/XDR alongside network and endpoint data
    • Risk scores influence IAM and ZTNA decisions
    • Browser posture is integrated with DLP classifications and compliance workflows
    • Dual browsing modes (work vs. personal) preserve privacy while enforcing policy
    • Controls extend to contractors, third parties, and BYOD—at scale

    In this phase, security becomes invisible but impactful, reducing friction for users and mean-time-to-response for the SOC.

    A Strategic Roadmap, Not Just a Diagnosis

    The guide doesn’t just diagnose the problem, it helps security leaders build an actionable plan:

    • Use the browser security checklist to benchmark current maturity
    • Identify fast, low-friction wins in Stage 1 (e.g., telemetry, extension audits)
    • Define a control policy roadmap (start with GenAI usage and risky extensions)
    • Align telemetry and risk scoring with existing detection and response pipelines
    • Educate users with inline guidance instead of blanket blocks

    It also includes practical insights on governance, change management, and rollout sequencing for global teams.

    Why This Guide Matters

    What makes this model especially timely is that it doesn’t call for a rip-and-replace of existing tools. Instead, it complements Zero Trust and SSE strategies by closing the final gap where humans interact with data.

    Security architecture has evolved to protect where data lives. But to protect where data moves (copy, paste, prompt, upload), we need to rethink the last mile.

    The Secure Enterprise Browser Maturity Guide is available now for security leaders ready to take structured, actionable steps to protect their most overlooked layer. Download the full guide and benchmark your browser-layer maturity.

    This article is a contributed piece from one of our valued partners.

    Source: thehackernews.com…

  • OneClik Red Team Campaign Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors

    Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft’s ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas sectors.

    “The campaign exhibits characteristics aligned with Chinese-affiliated threat actors, though attribution remains cautious,” Trellix researchers Nico Paulo Yturriaga and Pham Duy Phuc said in a technical write-up.

    “Its methods reflect a broader shift toward ‘living-off-the-land’ tactics, blending malicious operations within cloud and enterprise tooling to evade traditional detection mechanisms.”

    The phishing attacks, in a nutshell, make use of a .NET-based loader called OneClikNet to deploy a sophisticated Go-based backdoor codenamed RunnerBeacon that’s designed to communicate with attacker-controlled infrastructure that’s obscured using Amazon Web Services (AWS) cloud services.

    ClickOnce is offered by Microsoft as a way to install and update Windows-based applications with minimal user interaction. It was introduced in .NET Framework 2.0. However, the technology can be an attractive means for threat actors looking to execute their malicious payloads without raising any red flags.

    As noted in the MITRE ATT&CK framework, ClickOnce applications can be used to run malicious code through a trusted Windows binary, “dfsvc.exe,” that’s responsible for installing, launching, and updating the apps. The apps are launched as a child process of “dfsvc.exe.”

    “Because ClickOnce applications receive only limited permissions, they do not require administrative permissions to install,” MITRE explains. “As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.”

    Trellix said the attack chains begin with phishing emails containing a link to a fake hardware analysis website that serves as a conduit for delivering a ClickOnce application, which, in turn, runs an executable using dfsvc.exe.

    The binary is a ClickOnce loader that’s launched by injecting the malicious code via another technique known as AppDomainManager injection, ultimately resulting in the execution of an encrypted shellcode in memory to load the RunnerBeacon backdoor.
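    Because every ClickOnce application runs as a child of the trusted dfsvc.exe, the parent-child relationship is the natural place to hunt for this chain. The triage routine below is an added example (not from Trellix or MITRE) run over constructed Sysmon-style process-creation records; it assumes ClickOnce applications normally execute from the per-user AppData\Local\Apps\2.0 cache, and the event field names and the list of script hosts are ours.

```python
"""Triage process-creation events for ClickOnce abuse.

Added example, not from Trellix or MITRE: it scans constructed
Sysmon-style process-creation records for children of dfsvc.exe, the
trusted ClickOnce host the article describes. Assumptions: ClickOnce
applications normally run from the per-user AppData\\Local\\Apps\\2.0
cache, and the event field names are ours.
"""
import ntpath

CLICKONCE_HOST = "dfsvc.exe"
# Assumed normal location of deployed ClickOnce applications (lower-cased).
CLICKONCE_CACHE = "\\appdata\\local\\apps\\2.0\\"
# Interpreters that a legitimate ClickOnce application rarely needs to spawn.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}

DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

# Constructed sample records (field names are ours, modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": DFSVC,
     "image": r"C:\Users\alice\AppData\Local\Apps\2.0\K1X2.Y3Z\HardwareAnalyzer.exe"},
    {"pid": 4188, "parent_image": DFSVC,
     "image": r"C:\Users\alice\AppData\Local\Temp\HWAnalyzerSetup.exe"},
    {"pid": 4301, "parent_image": DFSVC,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4402, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def classify(event):
    """Return (severity, reason) for a child of the ClickOnce host, else None."""
    if ntpath.basename(event["parent_image"]).lower() != CLICKONCE_HOST:
        return None
    image = event["image"].lower()
    name = ntpath.basename(image)
    if name in SCRIPT_HOSTS:
        return ("high", f"ClickOnce host launched script interpreter {name}")
    if CLICKONCE_CACHE not in image:
        return ("high", "ClickOnce host launched a binary outside the Apps\\2.0 cache")
    # Ordinary ClickOnce launch: still worth a look, since the lure described
    # above is a ClickOnce application served from a phishing site.
    return ("medium", "ClickOnce application launch; verify publisher and deployment manifest")


def triage(events):
    """Map pid -> (severity, reason) for every event worth an analyst's look."""
    results = {}
    for ev in events:
        verdict = classify(ev)
        if verdict:
            results[ev["pid"]] = verdict
    return results


if __name__ == "__main__":
    for pid, (severity, reason) in triage(SAMPLE_EVENTS).items():
        print(pid, severity, reason)
```

    The medium-severity hits will include legitimate ClickOnce deployments, so enrich them with the deployment manifest's publisher and URL before alerting.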

    The Golang implant can communicate with a command-and-control (C2) server over HTTP(s), WebSockets, raw TCP, and SMB named pipes, allowing it to perform file operations, enumerate and terminate running processes, execute shell commands, escalate privileges using token theft and impersonation, and achieve lateral movement.

    Additionally, the backdoor incorporates anti-analysis features to evade detection, and supports network operations like port scanning, port forwarding, and SOCKS5 protocol to facilitate proxy and routing features.

    “RunnerBeacon’s design closely parallels known Go-based Cobalt Strike beacons (e.g. the Geacon/Geacon plus/Geacon Pro family),” the researchers said.

    “Like Geacon, the set of commands (shell, process enumeration, file I/O, proxying, etc.) and use of cross-protocol C2 are very similar. These structural and functional similarities suggest RunnerBeacon may be an evolved fork or a privately modified variant of Geacon, tailored for stealthier, and cloud-friendly operations.”

    Three different variants of OneClik have been observed in March 2025 alone: v1a, BPI-MDM, and v1d, with each iteration demonstrating progressively improved capabilities to fly under the radar. That said, a variant of RunnerBeacon was identified in September 2023 at a company in the Middle East in the oil and gas sector.

    Although techniques like AppDomainManager injection have been used by China- and North Korea-linked threat actors in the past, the activity has not been formally attributed to any known threat actor or group. Trellix told The Hacker News that it did not have any more details to share on the scale of these attacks and the regions that have been targeted.

    The development comes as QiAnXin detailed a campaign mounted by a threat actor it tracks as APT-Q-14 that has also employed ClickOnce apps to propagate malware by exploiting a zero-day cross-site scripting (XSS) flaw in the web version of an unnamed email platform. The vulnerability, it said, has since been patched.

    The XSS flaw is automatically triggered when a victim opens a phishing email, causing the download of the ClickOnce app. “The body of the phishing email comes from Yahoo News, which coincides with the victim industry,” QiAnXin noted.

    The intrusion sequence serves a mailbox instruction manual as a decoy, while a malicious trojan is stealthily installed on the Windows host to collect and exfiltrate system information to a C2 server and receive unknown next-stage payloads.

    The Chinese cybersecurity company said APT-Q-14 also focuses on zero-day vulnerabilities in email software for the Android platform.

    APT-Q-14 has been described by QiAnXin as originating from Northeast Asia and having overlaps with other clusters dubbed APT-Q-12 (aka Pseudo Hunter) and APT-Q-15, which are assessed to be sub-groups within a South Korea-aligned threat group known as DarkHotel (aka APT-C-06).

    Earlier this week, Beijing-based 360 Threat Intelligence Center disclosed DarkHotel’s use of the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate Microsoft Defender Antivirus and deploy malware as part of a phishing attack that delivered fake MSI installation packages in February 2025.

    The malware is engineered to establish communication with a remote server to download, decrypt, and execute unspecified shellcode.

    “In general, the [hacking group’s] tactics have tended to be ‘simple’ in recent years: Different from the previous use of heavy-weight vulnerabilities, it has adopted flexible and novel delivery methods and attack techniques,” the company said. “In terms of attack targets, APT-C-06 still focuses on North Korean-related traders, and the number of targets attacked in the same period is greater.”

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • U.S. Arrests Facilitator in North Korean IT Worker Scheme; Seizes 29 Domains and Raids 21 Laptop Farms

    U.S. Arrests Facilitator in North Korean IT Worker Scheme; Seizes 29 Domains and Raids 21 Laptop Farms

    The U.S. Department of Justice (DoJ) on Monday announced sweeping actions targeting the North Korean information technology (IT) worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites, and nearly 200 computers.

    The coordinated action saw searches of 21 known or suspected “laptop farms” between June 10 and 17, 2025 across 14 states in the U.S. that were put to use by North Korean IT workers to remotely connect to victim networks via company-provided laptop computers.

    “The North Korean actors were assisted by individuals in the United States, China, United Arab Emirates, and Taiwan, and successfully obtained employment with more than 100 U.S. companies,” the DoJ said.

    The North Korean IT worker scheme has become one of the crucial cogs in the Democratic People’s Republic of North Korea (DPRK) revenue generation machine in a manner that bypasses international sanctions. The fraudulent operation, described by cybersecurity company DTEX as a state-sponsored crime syndicate, involves North Korean actors obtaining employment with U.S. companies as remote IT workers, using a mix of stolen and fictitious identities.

    Once they land a job, the IT workers receive regular salary payments and gain access to proprietary employer information, including export controlled U.S. military technology and virtual currency. In one incident, the IT workers are alleged to have secured jobs at an unnamed Atlanta-based blockchain research and development company and stole over $900,000 in digital assets.

    North Korean IT workers are a serious threat because not only do they generate illegal revenues for the Hermit Kingdom through “legitimate” work, but they also weaponize their insider access to harvest sensitive data, steal funds, and even extort their employers in exchange for not publicly disclosing their data.

    “These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Department’s National Security Division.

    Last month, the DoJ said it had filed a civil forfeiture complaint in the U.S. District Court for the District of Columbia that targeted over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets linked to the global IT worker scheme.

    “North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft,” said Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division. “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime.”

    Chief among the actions announced Monday is the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey, who has been accused of perpetrating a multi-year fraud scheme in collusion with co-conspirators to get remote IT work with U.S. companies, ultimately generating more than $5 million in revenue.

    Other individuals who participated in the scheme include six Chinese and two Taiwanese nationals –

    • Jing Bin Huang (靖斌 黄)
    • Baoyu Zhou (周宝玉)
    • Tong Yuze (佟雨泽)
    • Yongzhe Xu (徐勇哲 and يونجزهي أكسو)
    • Ziyou Yuan (زيو)
    • Zhenbang Zhou (周震邦)
    • Mengting Liu (劉 孟婷), and
    • Enchia Liu (刘恩)

    According to the indictment, the defendants and other co-conspirators compromised the identities of more than 80 U.S. individuals to obtain remote jobs at more than 100 U.S. companies between 2021 and October 2024. The overseas IT workers are believed to have been assisted by U.S.-based facilitators, Kejia “Tony” Wang, Zhenxing “Danny” Wang, and at least four others, with Kejia Wang even traveling to China in 2023 to meet overseas co-conspirators and IT workers and discuss the scheme.

    To trick the companies into thinking that the remote workers were based in the U.S., Wang et al. received and hosted the company-issued laptops at their residences, and enabled the North Korean threat actors to connect to these devices using KVM (short for “keyboard-video-mouse”) switches like PiKVM or TinyPilot.

    “Kejia Wang and Zhenxing Wang also created shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses,” the DoJ said. “Kejia Wang and Zhenxing Wang established these and other financial accounts to receive money from victimized U.S. companies, much of which was subsequently transferred to overseas co‑conspirators.”

    In return for providing these services, Wang and his co-conspirators are estimated to have received no less than $696,000 from the IT workers.

    Separately, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주), and Chang Nam Il (창남일), with stealing more than $900,000 from the blockchain company located in Atlanta.

    Court documents allege that the defendants traveled to the United Arab Emirates on North Korean documents in October 2019 and worked together as a team. Sometime between December 2020 and May 2021, Kim Kwang Jin and Jong Pong Ju were hired as developers by the blockchain company and a Serbian virtual token company, respectively. Then, acting on the recommendation of Jong Pong Ju, the Serbian company hired Chang Nam Il.

    After Kim Kwang Jin and Jong Pong Ju gained their employers’ trust and were assigned projects that granted them access to the firm’s virtual currency assets, the threat actors proceeded to steal the assets in February and March 2022, in one case altering the source code associated with two of the company’s smart contracts.

    The stolen proceeds were then laundered using a cryptocurrency mixer service known as Tornado Cash and eventually transferred to virtual currency exchange accounts controlled by Kang Tae Bok and Chang Nam Il. These accounts, the DoJ said, were opened using fraudulent Malaysian identification documents.

    “These arrests are a powerful reminder that the threats posed by DPRK IT workers extend beyond revenue generation,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News in a statement. “Once inside, they can conduct malicious activity from within trusted networks, posing serious risks to national security and companies worldwide.”

    “The U.S. government’s actions […] are absolutely top notch and a critical step in disrupting this threat. DPRK actors are increasingly utilizing front companies and trusted third parties to slip past traditional hiring safeguards, including observed instances of those in sensitive sectors like government and the defense industrial base. Organizations must look beyond their applicant portals and reassess trust across their entire talent pipeline because the threat is adapting as we are.”

    Microsoft Suspends 3,000 Email Accounts Tied to IT Workers

    Microsoft, which has been tracking the IT worker threat under the moniker Jasper Sleet (previously Storm-0287) since 2020, said it has suspended 3,000 known Outlook/Hotmail accounts created by the threat actors as part of its broader efforts to disrupt North Korean cyber operations. The activity cluster is also tracked as Nickel Tapestry, Wagemole, and UNC5267.

    The worker fraud scheme starts with setting up identities such that they match the geolocation of their target organizations, after which they are digitally fleshed out through social media profiles and fabricated portfolios on developer-oriented platforms like GitHub to give the personas a veneer of legitimacy.

    The tech giant called out the IT workers’ exploitation of artificial intelligence (AI) tools to enhance images and change voices in order to boost the credibility of their job profiles and appear more authentic to employers. The IT workers have also been found to set up fake profiles on LinkedIn to communicate with recruiters and apply for jobs.

    “These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities,” the Microsoft Threat Intelligence team said.

    Another noteworthy tactic embraced by Jasper Sleet revolves around posting facilitator job ads under the guise of remote job partnerships to help IT workers secure employment, pass identity checks, and work remotely. As the relationship with the facilitators grows, they may also be tasked with creating a bank account for the IT workers, or purchasing mobile phone numbers or SIM cards.

    Furthermore, the witting accomplices are responsible for validating the IT workers’ bogus identities during the employment verification process using online background check service providers. The submitted documents include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident identification cards.

    As a way to counter the threat, Microsoft said it has developed a custom machine learning solution powered by proprietary threat intelligence that can surface suspicious accounts exhibiting behaviors that align with known DPRK tradecraft for follow-on actions.

    “North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries,” Redmond said. “In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees.”


    Source: thehackernews.com…

  • Google Patches Critical Zero-Day Flaw in Chrome’s V8 Engine After Active Exploitation

    Google Patches Critical Zero-Day Flaw in Chrome’s V8 Engine After Active Exploitation

    Jul 01, 2025 | Ravie Lakshmanan | Vulnerability / Browser Security

    Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild.

    The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine.

    “Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page,” according to a description of the bug on the NIST’s National Vulnerability Database (NVD).

    Type confusion vulnerabilities can have severe consequences as they can be exploited to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.

    Zero-day bugs like this are especially risky because attackers often start using them before a fix is available. In real-world attacks, these flaws can let hackers install spyware, launch drive-by downloads, or quietly run harmful code — sometimes just by getting someone to open a malicious website.

    Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 25, 2025, indicating that it may have been weaponized in highly targeted attacks.

    The involvement of Google’s Threat Analysis Group often signals that an exploit may be linked to targeted attacks — possibly involving nation-state actors or surveillance operations. TAG typically investigates serious threats like phishing campaigns, zero-click exploits, or attempts to bypass browser sandboxing.

    The tech giant also noted that the issue was mitigated the next day by means of a configuration change that was pushed out to the Stable channel across all platforms. For everyday users, that means the threat may not be widespread yet, but it’s still urgent to patch — especially if you’re in roles handling sensitive or high-value data.

    Google has not released any additional details about the vulnerability and who may have exploited it, but acknowledged that “an exploit for CVE-2025-6554 exists in the wild.”

    CVE-2025-6554 is the fourth zero-day vulnerability in Chrome to be addressed by Google since the start of the year after CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419. However, it bears noting that there is no clarity on whether CVE-2025-4664 has been abused in a malicious context.

    To safeguard against potential threats, users are advised to update their Chrome browser to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.

    If you’re unsure whether your browser is up to date, go to Settings > Help > About Google Chrome — it should trigger the latest update automatically. For businesses and IT teams managing multiple endpoints, enabling automatic patch management and monitoring browser version compliance is critical.

    Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
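    The version-compliance check suggested above, written out as an added example (not code from the article, Google, or any vendor). It compares the Chrome build reported by each endpoint against the fixed builds the article lists for CVE-2025-6554. It assumes that where the article gives a pair of builds (for example 138.0.7204.96/.97) the lower one is the threshold and any build at or above it carries the fix; the inventory records and hostnames are constructed sample data standing in for an export from an endpoint-management tool.

```python
"""Check reported Chrome versions against the builds that fix CVE-2025-6554.

Added example, not part of the article. Fixed builds are taken from the
article text; the endpoint inventory below is constructed sample data.
"""
from dataclasses import dataclass

# Minimum patched build per platform, as listed in the article. Where the
# article lists two builds (e.g. 138.0.7204.96/.97), the lower one is taken
# as the threshold (assumption): any build at or above it carries the fix.
FIXED_VERSIONS = {
    "windows": (138, 0, 7204, 96),
    "macos": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}


def parse_version(version: str) -> tuple:
    """Turn '138.0.7204.96' into (138, 0, 7204, 96); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if this platform/version carries the CVE-2025-6554 fix."""
    try:
        fixed = FIXED_VERSIONS[platform.lower()]
    except KeyError:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    # Tuple comparison orders component by component, so 138.0.7204.100
    # correctly ranks above 138.0.7204.96 (a plain string compare would not).
    return parse_version(version) >= fixed


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    platform: str
    chrome_version: str


# Constructed sample inventory with hypothetical hostnames.
SAMPLE_INVENTORY = [
    Endpoint("ws-finance-01", "windows", "138.0.7204.97"),
    Endpoint("ws-finance-02", "windows", "137.0.7151.120"),
    Endpoint("mbp-legal-03", "macos", "138.0.7204.93"),
    Endpoint("mbp-legal-04", "macos", "138.0.7204.49"),
    Endpoint("dev-build-05", "linux", "138.0.7204.96"),
    Endpoint("dev-build-06", "linux", "138.0.7204.96-broken"),  # malformed record
]


def unpatched_hosts(inventory):
    """Return (exposed, unknown): hosts below the fixed build, and hosts whose
    version could not be parsed. Unparseable entries are reported separately
    rather than silently treated as patched, so the check fails closed."""
    exposed, unknown = [], []
    for ep in inventory:
        try:
            if not is_patched(ep.platform, ep.chrome_version):
                exposed.append(ep.hostname)
        except ValueError:
            unknown.append(ep.hostname)
    return exposed, unknown


if __name__ == "__main__":
    exposed, unknown = unpatched_hosts(SAMPLE_INVENTORY)
    print("still exposed:", exposed)
    print("version unknown, verify manually:", unknown)
```

    The same threshold table can be extended for other Chromium-based browsers once their vendors publish the builds carrying the fix; until then their entries belong in the "unknown" bucket, not the "patched" one.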


    Source: thehackernews.com…

  • Microsoft Removes Password Management from Authenticator App Starting August 2025

    Microsoft Removes Password Management from Authenticator App Starting August 2025

    Jul 01, 2025 | Ravie Lakshmanan | Mobile Security / Privacy

    Microsoft has said that it’s ending support for passwords in its Authenticator app starting August 1, 2025.

    The changes, the company said, are part of its efforts to streamline autofill in the two-factor authentication (2FA) app.

    “Starting July 2025, the autofill feature in Authenticator will stop working, and from August 2025, passwords will no longer be accessible in Authenticator,” Microsoft said in a support document for Microsoft Authenticator.

    It’s worth noting that Microsoft already removed the ability to add or import new passwords in the app as of last month. However, the option to save passwords through autofill will continue to work in July.

    That said, the feature isn’t being completely eliminated. Instead, the saved passwords and addresses will now be synced with users’ Microsoft accounts, allowing them to be accessed via the Edge web browser by setting it as the default autofill provider.

    “After August 2025, your saved passwords will no longer be accessible in Authenticator and any generated passwords not saved will be deleted,” Redmond said.

    Another key aspect to note is that the changes do not apply to passkeys. Users who have enabled passkeys for their Microsoft accounts are required to enable Authenticator as their passkey provider. Disabling Authenticator will also have the side effect of disabling passkeys.

    Users who already use a different password manager solution such as Apple iCloud Keychain or Google Password Manager can set it as their default autofill provider on their mobile devices. Users can also export their passwords from the Authenticator app and then import them into their chosen service.


    Source: thehackernews.com…