Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Tata Electronics Confirms Cybersecurity Incident, Says Business Operations Remain Unaffected

  Tata Electronics has acknowledged that it recently experienced a cybersecurity incident affecting certain parts of its IT infrastructure....

All the recent news you need to know
stolen information
Bitcoin Cloud Computing Cyber Fraud DOJ scams stolen information

US Authorities Seize Infrastructure Tied to Huione Fraud Network




The U.S. government has taken another step in its ongoing campaign against large-scale cyber fraud operations, announcing the seizure of online infrastructure allegedly used to support one of the world's most active criminal marketplaces while simultaneously expanding financial restrictions against the network behind it.

On Tuesday, the Department of Justice (DOJ) revealed that it had seized a cloud computing account connected to Cambodia-based Huione Group and its subsidiaries. According to federal investigators, the account hosted backend systems used to operate Huione Guarantee, also known as Haowang Guarantee, a platform that authorities say enabled a broad range of illicit activities spanning cybercrime, fraud, money laundering, and other criminal services.

The enforcement action coincided with a series of measures from the U.S. Department of the Treasury, which announced additional sanctions targeting Huione-linked entities and individuals associated with the Prince Group network. The latest moves build upon actions taken by U.S. authorities last year as part of a wider effort to disrupt transnational criminal organizations operating across Southeast Asia.

Federal officials described the seized infrastructure as a key component of a marketplace that allegedly served cybercriminals and fraud operators on a global scale. Rather than functioning as a conventional online marketplace, investigators say the platform acted as an ecosystem where illicit services, stolen information, and financial laundering tools could be accessed by criminal actors.

According to the DOJ, the cloud-based infrastructure provided technical support for operations conducted through Huione Guarantee. Authorities allege that the platform relied heavily on Telegram channels to facilitate communications and transactions involving illegal products and services.

Investigators claim those channels were used to advertise and trade stolen credit card information, sensitive personal data, and services linked to malware-enabled theft. The platform is also accused of facilitating money laundering activities and supporting schemes connected to human trafficking operations. In addition, authorities allege that proceeds generated through romance scams and fraudulent investment schemes were moved through the network.

The DOJ further alleges that Huione Guarantee offered escrow services designed for cryptocurrency transactions. Such services act as intermediaries between parties involved in a transaction, holding digital assets until agreed conditions are met. While escrow systems are commonly used in legitimate commerce, investigators contend that the service was leveraged by criminal actors seeking a trusted mechanism for conducting illicit transactions and laundering funds.

Officials believe the infrastructure played an important role in moving and concealing criminal proceeds. According to the Justice Department, billions of dollars in fraud-related funds were transferred through systems supported by the seized account. Authorities further stated that a massive portion of those proceeds originated from scam compounds operating throughout Southeast Asia, where organized criminal groups have increasingly adopted digital platforms and cryptocurrency networks to scale their operations.

The Treasury Department's actions were designed to expand existing restrictions against the Huione network. One measure formally added H-Pay Service as a successor entity under Treasury's existing rule targeting Huione Group. Treasury also imposed sanctions on nine individuals and 26 entities linked to Prince Group, broadening the scope of enforcement against organizations allegedly connected to the movement of illicit funds.

According to Treasury officials, Huione served as an important financial conduit for proceeds generated through cyber-enabled theft, virtual currency investment fraud, and other criminal schemes. Authorities further allege that the network was used by Prince Group to transfer, consolidate, and manage assets derived from fraudulent operations.

The latest actions follow a series of previous enforcement efforts directed at the same ecosystem. Last October, Treasury moved to further isolate Huione Group from the U.S. financial system, reflecting growing concerns over the company's alleged role in facilitating illicit financial activity.

Federal agencies have increasingly focused on scam networks operating across Southeast Asia as losses linked to online fraud continue to rise. Criminal organizations in the region have become known for running large-scale investment scams, romance fraud operations, and cryptocurrency-related schemes that target victims worldwide. Many of these operations rely on complex laundering networks and digital payment channels to obscure the origin and movement of stolen funds.

The investigation also intersects with earlier actions involving Prince Group chairman Chen Zhi. In October, the DOJ announced the seizure of bitcoin connected to investigations involving Chen and alleged cryptocurrency-related offenses, alongside accusations involving additional criminal schemes. Authorities have also reported that an individual identified as a significant participant in Chen's network was arrested in Cambodia before being extradited to China.

The coordinated actions by the DOJ and Treasury illustrate an emphasis on targeting the infrastructure that enables cyber-enabled fraud rather than focusing solely on individual perpetrators. By disrupting cloud services, financial channels, and marketplace operations that allegedly support criminal activity, U.S. authorities are seeking to make it more difficult for transnational fraud networks to move money, coordinate operations, and reach potential victims.

Read more »
VPN Credential Theft
credential harvesting Cyber Threats enterprise cybersecurity FortiBleed Campaign FortiGate Firewall Security FortigateSniffer Initial Access Broker Network Security Breach VPN Credential Theft

FortigateSniffer Malware Harvests User Credentials From Infected Firewalls


The perimeter firewall has been used as a primary line of defense against external intrusions for years, but the newly uncovered campaign illustrates how these same security appliances can be weaponized against the organizations they are intended to safeguard. 

Researchers have discovered a large-scale attack involving a custom Golang-based tool known as FortigateSniffer that has been deployed systematically on compromised FortiGate firewalls since February 2026. Over 430,000 internet-facing devices have been impacted by the campaign, which is linked to an initial access broker (IAB) believed to be operating as a financial motivation threat actor. 

Over 110 million credentials have been collected under covert measures by the attackers. As trusted network gateways were transformed into silent credential-harvesting platforms, the operation illustrates one of the most significant paradigm shifts in attacker tradecraft, where compromised security infrastructures themselves serve as sources of intelligence and access. 

The scale, persistence, and operational sophistication observed throughout the campaign-tracked as FortiBleed-have raised concerns across the cybersecurity community. Particularly after evidence of the exfiltration of sensitive data by a NATO-aligned defense contractor, as well as the potential use of stolen credentials for ransomware, espionage, and post-compromise activities, are emerging. 

It is evident from a further analysis of the operation that it extends well beyond credential theft from FortiGate appliances, and demonstrates a highly automated initial-access ecosystem that can be scaled across multiple technological platforms.

CyberStrike, an open-source, artificial intelligence-native offensive security framework, could have been utilized by the threat actors to streamline portions of the attack workflow, emphasizing how automation has become increasingly important in large-scale intrusion campaigns. As part of the activity, a substantial emphasis was placed on small and medium-sized businesses, especially companies with fewer than 200 employees, with the United States and India emerging as the most heavily targeted regions. 

The potential for IT service providers to serve as entry points into broader customer networks likely prompted particular attention for them. Moreover, researchers observed parallel brute-force attacks on NAS systems, firewalls from Sophos, portals for RDWeb, SSL VPN gateways for Citrix, and Microsoft SQL servers, which suggests that the campaign was designed to acquire access opportunities across diverse enterprise environments. 

On May 31 and June 15, 2026 alone, the operators executed at least 659 automated credential-harvesting pipelines, which resulted in the discovery of more than 110 million authentication items. A total of 14.8 million RADIUS credentials were recovered, along with approximately 924,000 NTLM password hashes, 130,000 Kerberos hashes, and approximately 89 million MySQL authentication tokens, indicating the scale of the operation and the significant downstream risks associated with the reuse and monetization of stolen enterprise credentials. 

FortigateSniffer is a purpose-built credential intercept utility that is suited for Linux and Windows environments and was designed to leverage legitimate FortiOS functionality rather than rely on conventional malware. It has been demonstrated that using FortiGate appliances' native packet diagnostic capabilities, researchers are able to passively monitor authentication traffic moving through compromised devices to collect credentials and authentication artifacts across a wide range of enterprise protocols via the tool. 

The captured traffic is then converted into a packet-capture format and processed by a specially designed analysis framework which extracts cleartext usernames, passwords, NTLMv2 hashes, Kerberos tickets, and session cookies in addition to other authentication data. A structured, multi-stage attack chain is employed in the attack chain, beginning with large-scale internet reconnaissance, which involves the use of scanning utilities and customized filtering tools for the detection and categorization of FortiGate systems by location. 

In order to obtain privileged access to administrative interfaces and SSL-VPN services, attackers use credential validation, password spraying, and credential stuffing techniques. Using persistent SSH access, FortigateSniffer harvests authentication data while recovering hashed passwords are transferred to a dedicated cracking platform using distributed processing and automated task orchestration. 

Once successful credentials are recovered, they can be weaponized for lateral movement, Active Directory reconnaissance, Kerberos verification, SMB authentication, and further network expansion, as well as obtaining sensitive information from file shares accessible to the attacker and maintaining authenticated sessions using stolen cookies. 

A number of significant operational security measures, such as geofencing controls and time-based execution windows aligned with standard Moscow business hours, were incorporated to reduce detection risk, which appear highly deliberate, with targets prioritized based on perceived economic value before operational resources are committed. 

Separate telemetry also revealed an automated validation pipeline that is deployed in recurring five-hour cycles with up to 1,000 simultaneous verification threads, leading to exceptionally high early-stage success rates. Researchers also observed identical usernames and passwords recurring across thousands of different IP addresses, a phenomenon that has raised concerns about the possibility of some credentials being strategically seeded for covert re-entry into compromised environments. 

Throughout the course of the investigation, researchers began to gain a deeper understanding of the extent of credential exploitation enabled by the campaign. Analysis showed that once FortiGate appliances were compromised, attackers deployed FortigateSniffer to covertly collect authentication traffic traversing the devices, allowing them to acquire both cleartext credentials and password hashes that were subsequently cracked, validated, and reused against Active Directory environments, VPN gateways, and other externally accessible enterprise services. 

As a result of reviewing intelligence data collected by Hunt Intelligence on June 12, 2026, cybersecurity researcher Volodymyr "Bob" Diachenko identified indicators of this activity, which immediately sparked widespread interest in the operation. Upon examination of the stolen dataset, it was found that credentials were associated with approximately 74,000 firewall URLs covering 194 countries and impacting over 21,000 unique domains. 

In response, data from the incident was shared with national computer emergency response teams to facilitate coordination and dedicated exposure-checking portals were launched to assist organizations in determining whether their Fortinet infrastructure had been compromised. According to researchers, by mid-June, the attackers' database had grown to contain more than 86,000 authenticated and active credentials related to corporate firewalls and VPN services worldwide.

The largest concentration of exposed organizations is found in India and the United States. These findings are of significance not only due to the high volume of compromised accounts, but also due to their validity; investigators noted that the credentials were systematically tested and verified through an automated validation infrastructure rather than speculative password guessing. 

The information gathered from underground marketplaces confirmed suspicions that the campaign is linked to an initial access brokering operation, as the same threat actor previously advertised network access on darknet forums for substantial sums to organizations across a variety of industries, including healthcare, technology, and telecommunications. 

Even though it is not yet confirmed that these sales are directly related to the FortiGate harvesting campaign, the overlap indicates that access being collected has potential commercial value.  In response, Fortinet has initiated outreach to potentially affected customers and advised organizations to immediately terminate active administrative and VPN sessions, rotate credentials, enforcing multifactor authentication, and reviewing logs and configuration changes in detail. It has also encouraged customers to upgrade FortiOS to the latest versions of FortiOS, which are replacing legacy SHA256-based password storage with Password-Based Key Derivation Function 2 (PBKDF2). 

Security teams, however, are cautioned that firmware upgrades alone cannot eliminate this risk, as legacy SHA256 password entries must be manually removed from the system. After modernization efforts have been completed, attackers may still be able to recover administrative passwords through offline cracking techniques if credentials or configuration files were previously exposed, preserving an opportunity for unauthorized access even after modernization efforts have been completed. 

An increasingly common practice in cyber operations is to harvest access information from security infrastructure and gather credential information in large quantities. The FortiBleed campaign highlights this reality. In addition to the immediate impact on affected organizations, the operation illustrates the capability of combining automated tools, credential validation pipelines, and access brokerage activities in a highly efficient ecosystem to prevent downstream intrusions. 

It is important to remind defenders that perimeter devices require the same level of continuous monitoring, credential hygiene, and security review as any other critical asset for a defender. When organizations rely on internet-facing authentication services, this campaign is an excellent opportunity to reevaluate access control measures, identify security weaknesses, and investigate unauthorized activity proactively before harvested credentials are used to compromise a broader organization.
Read more »
Ransomware
Crypto Laundering Cyber Crime Bitcoin Fraud Europol Ransomware

Europol Dismantles AudiA6 Crypto Laundering Network Used by Ransomware Gangs

 

Europol has disrupted a major cryptocurrency laundering operation known as AudiA6, which investigators say acted as a financial backbone for ransomware gangs and other cybercriminal networks. According to the agency, the service laundered more than EUR 336 million between 2022 and 2025 by helping criminals hide stolen digital assets and break the money trail. The takedown is significant because it targets not just attackers, but the payment infrastructure that allows cybercrime to stay profitable. 

The operation was carried out by law enforcement partners including the United States Secret Service, IRS Criminal Investigation, Polish Police, Europol, Eurojust, and other international agencies. During the coordinated action on 10 June, authorities arrested two alleged administrators in Georgia, searched three properties, seized more than 30 servers, and took down 25 domains connected to the laundering network. Investigators also froze EUR 692,000 in cryptocurrency and seized more than EUR 86,000, while Telegram accounts used by the group were blocked. 

Europol describes AudiA6 as an industrial-scale laundering service built around thousands of fraudulent exchange accounts created with stolen or purchased identities. The platform allegedly offered criminals fast “cleaning” of stolen crypto, returning funds in about an hour after charging commissions of 3% to 10%. The network was also linked to the dark web forum Dark2Web, which prosecutors say was used to advertise illegal services and connect cybercriminals worldwide. 

One of the most important findings in the investigation was the scale of identity abuse behind the scheme. Europol says more than 6,000 Know Your Customer records tied to money-mule accounts were identified, showing how criminals exploited exchange verification systems to move funds across borders. Many of those accounts were reportedly linked to Russian-speaking intermediaries recruited specifically to move proceeds through cryptocurrency exchanges. Europol also linked the service to more than 15 investigations worldwide involving ransomware attacks and major crypto thefts. 

The AudiA6 case highlights how professionalized crypto laundering has become a core part of the cybercrime economy. Europol warns that criminal groups increasingly rely on mixing services, chain-hopping, and mule networks to move money quickly and avoid detection. By striking this service, law enforcement has not ended ransomware, but it has made it harder for criminals to turn stolen data and extortion into usable cash.
Read more »
Job Security
AI automation threats AI Jobs AI technology AI Threat AI workplace automation Cyber Security job displacement Job Security

Opendoor Shuts India Operations as AI Reshapes Offshore Work Economics

 

Surprisingly quiet since its launch, Opendoor's Indian venture now halts - barely twenty-four months after setting up hubs in Bengaluru and Chennai. Though framed as a digital frontier play, the retreat fuels debate: could smarter machines quietly reshape rules once favorable to offshoring? While cost gaps drove past expansions, algorithmic progress may erode those advantages faster than expected. Some argue efficiency gains from automation make remote labor pools less compelling over time. 

Notably, this shift does not unfold through sudden rupture - but by gradual recalibration behind corporate doors. Outlining the move, CEO Kaz Nejajtian explained efforts to align operations more closely with customers across the United States - using compact teams powered by artificial intelligence. While details remain limited on staff numbers or exactly how AI influenced choices, reactions followed fast from tech executives and investors alike. 

Seen by some as hinting at wider shifts, the news sparked discussion despite minimal data being shared. Nowhere else on Earth does such scale of operational support unfold quite like it does across India. Starting as a hub for routine administrative work, its role gradually shifted toward something far broader. 

Today, sprawling networks of Global Capability Centers operate within its cities, serving international firms through tech solutions, financial oversight, product innovation, while also shaping career paths for countless professionals. Revenue streams run deep each year, woven into the fabric of worldwide service delivery. Far from just an outsourcing destination, the nation holds a central position in how modern enterprises function abroad. 

Early in 2024, Opendoor moved into India by forming groups focused on handling daily operations through various platforms. Around then, close to 250 workers were on payroll at its local offices there. Despite that early growth, pulling out of India aligns with wider job cuts happening throughout the business. Records show a sharp drop in staff worldwide during the last twelve months, along with a steep decline in employees outside the home market. 

Even with broad internal reductions, experts warn it might be misleading to see the shutdown just as a move tied to shifting work overseas. Facing strain from downturns in American real estate - hit hard those who buy houses digitally - Opendoor needed ways to spend less. Still, its push toward artificial intelligence for smoother operations has sparked questions about what comes next for jobs handled abroad. 

One reason some investors saw it was because artificial intelligence might lower the need for jobs requiring heavy human effort. As machines take on repetitive tasks, companies could downsize - not due to location but ability. The shift suggests staffing needs may shrink when automation steps in. What stands out now isn’t a shift of roles from India to the U.S., yet a broader drop in workforce needs across operations. 

Because intelligent systems blend deeper into daily workflows, firms often rely on tighter groups supported by tools instead of people. Efficiency reshapes staffing - software handles tasks once managed by many. Structures shrink not due to location changes, but because technology reduces demand. Outcomes stay steady while headcount falls, driven by smart integration behind the scenes. 

Some researchers view this new framework as movement into "services-as-software," where firms lean on AI-driven processes rather than growing teams indefinitely. In practice, results follow more from blending tools with niche skills than cutting costs through workforce choices. Though Opendoor shut down operations in India, drawing attention amid talks on AI and jobs, experts stress it's not a straightforward story. 

Long before smart algorithms gained ground, job cuts were already underway at the firm. Market forces beyond technology played a role too. Still, the move sparked sharper conversation - what part might automation play in moving service tasks overseas? Could entire sectors shift as machines learn faster?
Read more »
WhatsApp
Cyberattack malware ManageEngine Endpoint Central remote access malware VBScript attack WhatsApp

WhatsApp Malware Campaign Targets Global Users Through Fake Financial Documents and Remote Access Tools

 

A widespread malware campaign is targeting WhatsApp users across several countries by sending deceptive messages containing malicious VBScript files that can ultimately grant attackers remote access to victims' systems.

According to cybersecurity researchers at Kaspersky, the threat actors behind the campaign are disguising the malicious files as legitimate business and financial documents. These files are distributed through WhatsApp accounts that have already been compromised, making the messages appear trustworthy to recipients.

Once a victim downloads and executes the attachment, a multi-stage infection process begins. The attack eventually installs ManageEngine Endpoint Central, a legitimate system management tool commonly used by IT administrators to oversee devices from a centralized platform.

Kaspersky’s telemetry data indicates that the campaign has impacted users in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

The attack starts with WhatsApp messages sent from compromised accounts. These messages typically contain only a heavily obfuscated VBScript file designed to evade detection.

To increase the likelihood of users opening the attachment, the files are named to resemble invoices, financial reports, billing records, account notifications, and other business-related documents. Researchers also observed that the filenames are adapted to different languages, highlighting the global nature of the operation.

“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky explains.

“At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”

If a Windows user opens the malicious file, the VBScript downloads two additional scripts from attacker-controlled servers. These scripts modify the Windows Registry to disable User Account Control (UAC) protections and retrieve a ZIP archive containing ManageEngine Endpoint Central.

The software is then installed silently in the background and configured to connect with servers controlled by the attackers. This setup provides cybercriminals with remote administration capabilities over the compromised machine.

Researchers noted a difference in execution behavior depending on the WhatsApp platform being used. When the file is received through WhatsApp Web, it must first be downloaded before execution. However, in the WhatsApp Desktop application, the file can be launched directly through Windows Script Host (wscript.exe).

Although Kaspersky has not attributed the campaign to a specific threat actor, investigators identified indicators suggesting the use of the Chinese language and found overlaps between the campaign’s infrastructure and IP addresses previously linked to ValleyRAT and Gh0st RAT operations.

Despite these findings, researchers emphasized that the available evidence is not sufficient to confidently identify the group responsible for the attacks.

Security experts advise WhatsApp users to exercise caution when receiving files, even from known contacts, as compromised accounts can be used to spread malware.

Users should verify unexpected attachments through an alternative communication channel before opening them. Additionally, all downloaded files should be scanned with an updated antivirus solution to help detect and block potential threats before execution.

Read more »
malware
Crypto heist Cyber Scam Malicious Campaign malware

Crypto Heist Uses Fake Reputation Campaign to Spread Malware

 

Cybercriminals are increasingly borrowing the language and tactics of public relations, and a new campaign shows how effective that can be. According to researchers, attackers promoted malicious crypto-related tools by creating a polished online presence across GitHub, YouTube, VirusTotal, and other channels. The goal was not only to spread malware, but also to build an illusion of trust that would lower suspicion among users and researchers.

At the center of the operation was a Rust-based clipboard hijacker, a type of malware that watches for cryptocurrency wallet addresses copied into a victim’s clipboard. When it detects one, it swaps the address with one controlled by the attackers, causing funds to be sent to the wrong destination. This simple trick can be highly profitable because it targets users at the exact moment they think they are making a legitimate transfer. 

What makes the campaign notable is its layered distribution strategy. Researchers found dedicated phishing pages, fake GitHub and SourceForge projects, and even a YouTube channel designed to make the software look popular and credible. The channel reportedly used AI-generated narrators, suspicious view spikes, and enthusiastic comments that were likely coordinated to reinforce the appearance of real demand. Instead of relying on one channel, the attackers created a network of signals that seemed to validate one another. 

The operation also extended into reputation manipulation on security platforms. By using large numbers of fake accounts, sometimes described as “Ghost Networks,” the attackers attempted to influence systems such as VirusTotal and make their tools appear harmless or merely falsely flagged. That tactic matters because many users and even defenders glance at reputation data before deciding whether a file is safe. If the data is polluted, the warning signs become harder to trust. 

This campaign shows how malware distribution is evolving beyond obvious spam and sketchy downloads. Attackers now understand that credibility itself can be weaponized, especially when users rely on social proof, star ratings, comments, and public scans to judge safety. The result is a more convincing, more scalable deception that blends technical abuse with marketing-style manipulation. 

For users, the lesson is to treat polished packaging as a warning sign rather than reassurance. Check the source of any crypto tool carefully, verify wallet addresses before sending money, and avoid downloading software because it looks popular or well reviewed. For defenders, the case is a reminder that reputation systems can be gamed, so detection must look beyond surface-level trust signals.
Read more »
Subscribe to: Posts (Atom)

Featured