Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Ukraine Joins EU Cybersecurity Reserve to Strengthen Cyber Resilience and Emergency Response

  Now able to tap into the EU’s emergency cyber network, Ukraine joins a support framework cleared by the Council of the European Union. Whe...

All the recent news you need to know
Telegram Ban
Mobile Security NEET UG NTA Paper Leak Telegram Ban

India Temporarily Bans Telegram Ahead of NEET UG 2026 Re-Exam to Curb Fraud

 

India has temporarily restricted Telegram ahead of the NEET UG 2026 re-examination, as authorities move to curb exam fraud and protect the integrity of one of the country’s most important medical entrance tests. The decision has drawn attention because Telegram is widely used for communication, study groups, and information sharing, making the restriction both significant and controversial. 

The action was taken after the National Testing Agency recommended stronger controls amid concerns that organized cheating groups were exploiting the app to circulate question papers and misleading claims. Officials said the temporary ban is intended to stop candidates from being targeted by fraud networks that can spread manipulated content quickly during a high-stakes exam period. 

Under the order, access to Telegram in India is restricted until June 22, 2026, covering the exam day and the immediate aftermath. Authorities also directed the company to disable its message-editing feature in India until June 30, 2026, saying that feature had allegedly been misused to make old posts look like proof of a paper leak. 

The measure has sparked debate because Telegram is used not only for illicit activity but also for legitimate education, work, and community communication. Telegram has reportedly challenged the decision in court, while the Delhi High Court upheld the government’s temporary block on June 19, citing emergency grounds and compliance with the law. 

The broader issue goes beyond one app: exam leaks and digital fraud are becoming harder to control as messaging platforms, edited content, and anonymous groups make false claims easier to spread. For students, the immediate focus is on the re-exam schedule, but for policymakers, the case is a reminder that future exam security may require faster monitoring, tighter platform cooperation, and clearer digital enforcement rules.
Read more »
spear phishing
BYOVD Attack Inc ransomware LockBit malware Ransomware spear phishing

INC Ransomware Climbs Into Top Tier of Cybercrime Operations, Surpasses 830 Victims

 



The ransomware operation known as INC has grown into one of the most active cybercrime groups of 2026, with security researchers linking it to more than 830 victims since it first appeared in August 2023.

According to researchers at Acronis, the group's rise coincided with disruptions affecting major ransomware brands such as LockBit and BlackCat. As affiliates sought alternative platforms, INC appears to have benefited from that shift. More than 65% of the victims listed by the group are based in the United States, with legal firms, healthcare providers, manufacturers, construction companies, and technology organizations among the most frequently targeted sectors.

Researchers also observed major changes to the ransomware itself. INC's malware for Windows and Linux/VMware ESXi systems has been rewritten in Rust, a programming language increasingly adopted by malware developers because it supports multiple operating systems and can complicate reverse-engineering efforts.

The group's toolkit has expanded as well. Recent attacks have involved a credential-stealing utility capable of extracting authentication data from newer Veeam backup deployments that use salted DPAPI encryption. Access to backup infrastructure can give attackers valuable credentials while also making recovery efforts more difficult for victims.

Acronis noted that the sale of INC's Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the appearance of related ransomware families, including Lynx and Sinobi. Researchers identified significant code similarities between the groups.

Investigators found that INC affiliates rely on several entry points to compromise networks, including spear-phishing campaigns, credentials purchased from Initial Access Brokers (IABs), and the exploitation of publicly exposed systems running vulnerable versions of Citrix NetScaler, Fortinet EMS, and SimpleHelp software.

Once inside a network, attackers harvest credentials, move between systems using legitimate administrative tools such as RDP and PsExec, and attempt to weaken security controls through a technique known as Bring Your Own Vulnerable Driver (BYOVD). Researchers observed the use of vulnerable drivers including filwfp.sys, filnk.sys, and fildds.sys. The group also deploys tools such as Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer to maintain access and control compromised environments.

Before encryption begins, stolen files are collected and transferred using Rclone, often after being packaged into password-protected archives. The ransomware then encrypts systems using multithreading and partial-encryption techniques to speed up the process. When launched against VMware ESXi environments, the malware can also attempt to shut down virtual machines.

Data from ZeroFox ranked INC as the fourth most active ransomware operation during the first quarter of 2026, recording more than 120 incidents. Researchers said the group's growth demonstrates how ransomware operators can build large-scale campaigns using widely available tools, stolen credentials, and unpatched systems rather than relying on highly specialized malware.

Read more »
TinyPulse breach
Data Breach employee data leak Nintendo Nintendo of America ransomware attack Shadowbyt3$ TinyPulse breach

Nintendo Confirms Third-Party Survey Data Breach, Says Customer Information Remains Secure

 


 Nintendo of America has acknowledged that employee survey data was exposed through a security incident involving TinyPulse, a third-party platform used for internal feedback and engagement surveys. The company emphasized that its own systems were not compromised and that no customer or financial information was affected.

The confirmation follows claims made by the Shadowbyt3$ cybercrime group, which alleged that it had obtained sensitive information linked to Nintendo of America employees.

“We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” stated Nintendo.

“Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed. Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed."

"The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years,” the company told BleepingComputer.

Nintendo of America, which oversees operations across the United States, Canada, and parts of Latin America, explained that the affected information was restricted to internal survey content collected through TinyPulse.

TinyPulse is a workplace engagement platform that enables organizations to conduct anonymous employee surveys, gather feedback, analyze workforce sentiment, and assess company culture.

Nintendo added that it is “working with the service provider to address the issue.”

Meanwhile, BleepingComputer reached out to WebMD Health Services, the owner of TinyPulse, seeking additional details about the incident and its potential impact. However, no response had been received at the time of publication.

Despite Nintendo’s statement that only survey-related information was exposed, the Shadowbyt3$ group claims the stolen data includes more extensive employee records.

The threat actor initially alleged that nearly 1GB of data had been taken from Nintendo and gave the company 48 hours to begin negotiations before the information would be released publicly.

According to the group, the dataset contains employee names, email addresses, survey and analytics information, bank statements, W-9 forms, employee identification details, progress plans, and reports spanning from 2016 to 2026.

"If you contact us we give you an extra day to think this through. We are demanding a ransom payment of 2 million dollars," reads the Shadowbyt3$ post.

In a follow-up statement, the group claimed that the incident did not impact Nintendo’s gaming operations and instead affected “a small amount of employees that work for nintendo and have used tinypulse.”

The attackers later published another message suggesting additional organizations could be targeted and shared a link to what they claimed was leaked employee communications. The post implied that Nintendo declined to meet the ransom demand.

BleepingComputer stated that it did not download or verify the authenticity of the allegedly leaked files. Regardless of the claims, Nintendo has maintained that customer information was not involved in the incident and that users do not need to take any action.

Shadowbyt3$ is a relatively new cybercriminal operation that describes itself as an “extortion as a service” group and claims to have been active since October 2025. The group says it publishes stolen information from organizations that refuse to pay ransom demands and promises that data “will be Deleted Permanently and you will not hear from us again” if a payment agreement is reached.

Cybersecurity experts and law enforcement agencies continue to advise organizations against paying ransom demands, noting that doing so can encourage future attacks. They also warn that there is no assurance stolen information will not be retained or sold even after a payment is made.

Read more »
Windows Clipper Malware
Clipboard hijacking cryptocurrency theft malware Microsoft security Remote Code Execution Tor-Based C2 USB LNK Worm Windows Clipper Malware

Microsoft Exposes Malware Operation Combining USB LNK Worms and Tor-Based C2 Servers

 


A threat actor will benefit from combining cryptocurrency theft, covert communications, and remote access into a single malware framework in order to increase stealth and persistence. Microsoft has revealed the existence of a Windows-based clipper campaign active since February 2026. The clipper campaign uses a portable Tor client, Windows Script Host, and ActiveX components to communicate with a hidden command-and-control server. 

Besides intercepting and replacing cryptocurrency wallet addresses, the malware also performs continuous clipboard monitoring, captures screenshots, exfiltrates stolen data, and executes remote commands. 

A key characteristic of the operation is that it does not utilize traditional installer mechanisms or publicly exposed C2 servers and instead utilizes Tor-routed traffic as a means of concealing its activity and extends its capabilities to lightweight backdoor functions as well as financial theft. USB-Borne Infection Chain Drives Initial Compromise Upon further investigation, it was revealed that the operation is characterized by a multi-stage infection chain combining removable media propagation with credential and asset theft. 

In Microsoft's opinion, the campaign originated through malicious Windows shortcut (.LNK) files distributed through USB storage devices, enabling the malware to spread without relying on online delivery mechanisms. An infection after being executed deploys two components: a worm that propagates throughout additional removable drives, and a clipper module designed to obtain information about cryptocurrency seed phrases, private keys, and wallets. 

Obfuscation and Persistence Mechanisms Enhance Stealth As part of its propagation mechanism, the worm exploits the trust of users in familiar file formats. When it scans USB devices for commonly accessed document formats like Microsoft Word, Excel, and PDF, it conceals the original filenames and replaces them with malicious shortcuts named identically. 

In addition to increasing user interaction, this strategy masks the infection process by enabling additional payloads to be unpacked into randomly generated directories within the Public Documents path upon execution, and thereafter persistence can be established by scheduling tasks. In order to minimize the possibility of detection, the malware attempts to modify local defenses by creating antivirus exclusions for its staging locations and executable components in order to avoid detection. 

According to Microsoft, extensive efforts have been made to obstruct the process of forensic analysis, such as packaging the installer with PyInstaller and obfuscation with PyArmor, and using JavaScript-based modules with layered encryption as well as runtime decryption. This malware performs an anti-analysis check by searching for Windows Task Manager processes and terminating execution if monitoring is detected, underscoring the operator's emphasis on long-term stealth and evasion. 

Tor-Based Communications Power Clipboard Hijacking Operations Upon clearing the anti-analysis checks and activating the stealer module, the malware enters into a highly automated surveillance phase designed to detect and intercept cryptocurrency-related activity in near real-time. Microsoft observed that a Tor executable named ugate.exe is used by the component to communicate with its hidden command and control infrastructure, enabling all traffic to be routed through anonymized channels as well.

Once the malware has been installed, it periodically checks the system clipboard for a specific set of highly valuable cryptocurrency artifacts, searching for these artifacts every 500 milliseconds. Among these include 12-word and 24-word recovery phrases for Bitcoin, Ethereum private keys, Bitcoin wallet import format keys (WIF), as well as wallet addresses for Tron and Monero in addition to Bitcoin legacy, P2SH, Bech32, and Taproot formats. 

Upon detection of an identical entry, the malware silently replaces it with the address of an attacker's wallet. By carefully selecting substituted addresses to share similar leading characters or numeric patterns with the original destination, the likelihood of detection during visual verification is reduced. During the final stage of the infection, the malware emphasizes the importance of operating concealment and attacker control. 

By launching a renamed Tor executable in the background, the malware is able to identify the compromised host and register it with an external infrastructure without exposing direct network communications to the outside world. 

Upon enrollment, the infected system begins a continuous operational cycle, polling the command-and-control environment for instructions while simultaneously inspecting the clipboard contents at approximately half-second intervals to identify cryptocurrency seed phrases, private keys, and wallets. 

Also, command responses containing the EVAL directive enable the operators to execute attacker-supplied code in real-time, allowing them to expand functionality or take subsequent actions after a compromise. 

The mixture of scripting abuse, removable media propagation, and Tor-based communications indicates Microsoft's recommendation that behavioral detection strategies should be prioritized. These strategies include monitoring PowerShell-driven screen capture activity, suspicious use of WScript and CScript, and script-engine processes spawning unexpected executables, including curl, cmd.exe, PowerShell, or other unexpected executables.

Besides disabling AutoRun and AutoPlay for removable media, Group Policy controls can also be used to restrict the execution of LNK from USB devices, limiting unnecessary access to scripting engines, and monitoring clipboard monitoring and screen capture behavior on systems involving cryptocurrency or other sensitive financial transactions closely. 

Remote Code Execution Expands Malware Capabilities Researchers discovered that the campaign's data collection capabilities go beyond clipboard manipulation. A number of screenshots were taken and transferred to the command-and-control server through the native curl utility, providing operators with continuous insight into the activity of the victims. 

Furthermore, it integrates remote code execution functionality, thereby extending the framework's operational scope beyond a conventional cryptocurrency clipper. By using the EVAL command, operators can instruct the malware to retrieve additional JavaScript payloads, save them locally as cfile files, and execute them directly on the compromised host by instructing the malware to do so. 

Essentially, this capability allows the infection to become an on-demand access platform that is capable of deploying new functionality after initial compromise. Because the malware is highly obfuscated and continuously evolving, Microsoft noted that behavioral indicators offer a more reliable detection opportunity than static signatures. There are several indications that security teams should monitor suspicious activity associated with wscript.exe and cscript.exe, unexpected executions of curl, PowerShell, and cmd.exe, as well as anomalous child process chains. 

Additionally, connections directed to localhost:9050 and other indications of Tor proxy usage may provide valuable indications that this campaign was compromised. Microsoft's campaign illustrates how traditional malware techniques can be combined with anonymous infrastructure and scripting-based execution to create threats that are not only difficult to detect but also highly adaptable as cybercriminal operations continue to evolve. 

In environments characterized by removable media and digital asset transactions, the findings underscore the importance of monitoring behavioral indicators in conjunction with conventional security controls. In order to identify attacks that prioritize stealth over scale, defenders must continue to have access to unusual script activity, Tor-related communications, and clipboard manipulation.
Read more »
vulnerability exploitation
cybercrime forums Cybersecurity hacking tutorial Nuclei framework threat actors Vulnerabilities and Exploits vulnerability disclosure vulnerability exploitation

Underground Forum Tutorial Reveals How Cybercriminal Communities Teach Vulnerability Exploitation and Profit-Making

 

A forum discussion titled “Hacking for Profit. Working method” has provided cybersecurity researchers with a unique look into how underground communities educate aspiring hackers on vulnerability exploitation and monetization. While the original post is neither highly technical nor extensive, its significance lies in presenting a structured, easy-to-follow roadmap that simplifies a complex process.

The post, authored by a threat actor operating under the alias "Hercules," outlines the stages of identifying, assessing, exploiting, and ultimately profiting from vulnerabilities. Researchers from Flare examined both the original content and the subsequent discussions over several months, finding that the thread sparked considerable engagement among forum members.

The discussion attracted numerous responses from users who expressed appreciation for the guidance, sought private communication with "Hercules," and identified themselves as beginners hoping to transition from theoretical cybersecurity knowledge to practical application. According to researchers, the thread appeared to serve as more than just an instructional post, functioning as a source of motivation and mentorship for inexperienced individuals.

The popularity of the tutorial extended beyond its original platform, with the same methodology being reposted and debated across four additional underground forums. Through the post, "Hercules" presents a straightforward framework that helps novice threat actors understand vulnerability exploitation and methods of generating revenue from discovered flaws.

The guide begins by advising readers on how to monitor newly disclosed vulnerabilities, particularly high-impact categories such as remote code execution (RCE), authentication bypass, account takeover, insecure direct object references (IDOR), and data exposure vulnerabilities. It then explains how to locate potentially vulnerable systems, verify exposure, and determine whether findings should be reported, sold, or exploited.

Researchers identified three particularly notable aspects of the tutorial. First, it highlights the use of the Nuclei framework developed by ProjectDiscovery, a widely adopted tool among offensive security professionals. Second, it demonstrates an understanding of the difficulties organizations face when patching newly disclosed vulnerabilities. Third, the tutorial is deliberately separated into “legal” and “illegal” paths, allowing readers to choose at which stage they transition from vulnerability disclosure activities into malicious actions.

One of the tutorial’s most effective features is its approachable tone. Rather than relying on technical jargon, "Hercules" explains concepts in simple language and portrays hacking as a skill that can be learned through practical experience.

He argues that many educational resources focus excessively on subjects such as operating systems, programming languages, scanner configurations, and computer science fundamentals, while many newcomers simply want to "hack," "break in," and "gain access."

The author further suggests that aspiring hackers do not need advanced software development expertise to get started. Publicly available tools, community-created templates, automation, and artificial intelligence are presented as resources that lower the entry barrier, while programming knowledge is described as beneficial but not essential.

This message resonated strongly with forum members. One participant noted that despite completing numerous hacking courses, they struggled to apply their knowledge in real-world scenarios. Another admitted having no programming experience and questioned whether that would prevent them from succeeding.

Many respondents praised the post for its clarity and organization, while others requested direct mentorship or private communication with "Hercules."

A key element of the tutorial is its focus on turning vulnerability discoveries into financial opportunities. According to "Hercules," individuals who uncover vulnerabilities have several options available.

One approach involves contacting the owner of the affected website, server, or hosting provider and offering vulnerability details in exchange for compensation. As the author explains, some organizations are willing to reward responsible disclosure efforts, adding that “…you can take your money home and be proud of yourself”.

The tutorial also discusses selling discovered vulnerabilities through underground marketplaces. In some cases, "Hercules" suggests that actors may simultaneously approach the victim while marketing the same information elsewhere.

Additionally, the guide encourages exploiting vulnerabilities to determine what assets or information reside on compromised systems. Remote code execution vulnerabilities are described as opportunities that can be sold to botnet operators, abused for unauthorized resource usage, or leveraged for data theft. Similarly, account takeover, IDOR, and data leakage vulnerabilities are portrayed as valuable commodities that can be quickly monetized.

"Hercules" characterizes himself as a hacker rather than a fraudster, claiming a preference for rapid sales of access or information rather than engaging in subsequent fraudulent activities.

The forum responses indicate that the thread's influence stemmed from the confidence and practical direction it provided rather than from groundbreaking technical information.

Many users requested additional mentorship, private conversations, and more detailed follow-up material. Others expressed frustration with the limitations of theoretical learning and viewed the tutorial as a useful bridge toward hands-on experience.

Researchers noted that unlike highly technical exploit analyses, which typically appeal to a specialized audience, simple and motivational workflows can attract a much broader group of aspiring participants. Because the methodology is not tied to any specific vulnerability, its relevance can persist for extended periods.

The tutorial promotes a repeatable process: monitor newly disclosed vulnerabilities, identify exposed systems, validate findings, monetize opportunities, and repeat the cycle. This mindset, researchers suggest, provides insight into how inexperienced actors are introduced to cybercrime and encouraged to prioritize certain categories of vulnerabilities.

The post also appears to function as an informal recruitment channel, as "Hercules" repeatedly encourages users to initiate private conversations.

The tutorial highlights several important considerations for organizations responsible for cybersecurity.

First, critical vulnerabilities that are easily reachable remain prime targets for attackers. While automated botnets often begin scanning for exploitable systems shortly after vulnerabilities and proof-of-concept exploits become public, the tutorial demonstrates that even novice threat actors are being encouraged to pursue these opportunities.

Second, older vulnerabilities continue to pose significant risks. Legacy systems running outdated versions of platforms such as Drupal or WordPress may remain attractive targets for less experienced attackers seeking accessible entry points.

Third, researchers emphasize the importance of maintaining effective vulnerability disclosure programs. Financial incentives can encourage security researchers to report vulnerabilities responsibly rather than seeking alternative methods of monetization. Even if information eventually reaches underground markets, early disclosure provides organizations with an opportunity to mitigate risk before widespread exploitation .

Researchers argue that the significance of the thread lies not in the introduction of a new exploitation technique but in its ability to simplify cybercrime into a repeatable business process.

By transforming a technically complex subject into an understandable workflow, "Hercules" makes vulnerability exploitation appear achievable to newcomers. The enthusiastic responses from inexperienced users suggest that this approach is effective.

The findings underscore a broader trend within the cybercrime ecosystem: malicious capabilities do not grow solely through advanced malware development or zero-day discoveries. They also expand through accessible tutorials, mentorship, publicly available tools, and online communities that lower barriers to entry and make illicit activity appear attainable.

Read more »
iOS security
Ad Blockers Ad Blocking Ads App security Apple Apple security features Cyber Security iOS iOS security

New Apple Ad Blocker Filtr Expands Protection Beyond Browsers on iPhone, iPad and Mac

 

Filtr, a fresh ad-blocking app, extends privacy for Apple device owners. Instead of limiting itself to web browsers, it stops advertisements inside mobile and desktop applications too. Created by Kaylee Serena Calderolla - known for developing Wipr, a tool that blocks ads in Safari - it taps into features unveiled in iOS 26 and macOS 26. Through these updates, the software intercepts ad-related data directly within the system’s network layer. Beyond the usual add-ons confined to Safari alone, Filtr taps into Apple’s updated method for handling web traffic. 

With that foundation, it intercepts connections aimed at known ad networks long before content appears - stopping trackers and pop-ups not just in browsers but throughout compatible apps. Blocking happens earlier, silently, cutting down unwanted surveillance along with cluttered visuals wherever digital activity occurs. Filtr comes as a premium feature inside Wipr, an often-used tool that stops ads in Safari. 

Its creator, Calderolla, claims it runs without gathering any personal details or needing entry to sensitive user content. Updates to a custom blocklist - kept current by the maker - allow the filter system to work effectively. Working begins with an initial screening done locally on the device. This step uses a built-in catalog of sites that often serve ads. When uncertainty remains, a follow-up check occurs using a fuller database kept by Calderolla. Communication moves through Apple’s infrastructure, which keeps individual users anonymous to service creators. 

Only matching results trigger deeper analysis, limiting exposure of personal activity. Some people trying the function notice fewer commercials when opening certain programs, though a few show blank spaces instead of promotions. Enabling the link blocker just one time lets the software manage changes on its own, making preparation straightforward. Not every application behaves the same way - some skip ads entirely, others leave gaps. Updates happen in the background after initial activation, reducing ongoing effort. Filtr cannot stop all ads - some slip through when they come straight from an app’s built-in servers. 

Since cutting those might break how the app works, certain promotions stay visible. So, while using platforms like Facebook, Google, or Reddit, users may still spot occasional banners. Even with its constraints, progress shows clearly in how Wipr tackles ads across Apple devices. Priced at five dollars, it works on any device, whereas Filtr adds yearly fees unless users opt to pay twenty-five upfront inside the app.
Read more »
Subscribe to: Posts (Atom)

Featured