Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

VS Code malware
BeaverTail malware Contagious Interview campaign malicious GitHub repository malware North Korea Hackers VS Code malware

North Korean Hackers Abuse VS Code Projects in Contagious Interview Campaign to Deploy Backdoors

 

North Korea–linked threat actors behind the long-running Contagious Interview campaign have been seen leveraging weaponized Microsoft Visual Studio Code (VS Code) projects to trick victims into installing a backdoor on their systems.

According to Jamf Threat Labs, this activity reflects a steady refinement of a technique that first came to light in December 2025. The attackers continue to adapt their methods to blend seamlessly into legitimate developer workflows.

"This activity involved the deployment of a backdoor implant that provides remote code execution capabilities on the victim system," security researcher Thijs Xhaflaire said in a report shared with The Hacker News.

Initially revealed by OpenSourceMalware last month, the attack relies on social engineering job seekers. Targets are instructed to clone a repository hosted on platforms such as GitHub, GitLab, or Bitbucket and open it in VS Code as part of an alleged hiring assessment.

Once opened, the malicious repository abuses VS Code task configuration files to run harmful payloads hosted on Vercel infrastructure, with execution tailored to the victim’s operating system. By configuring tasks with the "runOn: folderOpen" option, the malware automatically runs whenever the project or any file within it is opened in VS Code. This process ultimately results in the deployment of BeaverTail and InvisibleFerret.

Later versions of the campaign have introduced more complex, multi-stage droppers concealed within task configuration files. These droppers masquerade as benign spell-check dictionaries, serving as a fallback if the malware cannot retrieve its payload from the Vercel-hosted domain.

As with earlier iterations, the obfuscated JavaScript embedded in these files executes immediately when the project is opened in the integrated development environment (IDE). It connects to a remote server ("ip-regions-check.vercel[.]app") and runs any JavaScript code sent back. The final payload stage consists of yet another heavily obfuscated JavaScript component.

Jamf also identified a newly observed infection method that had not been documented previously. While the initial lure remains the same—cloning and opening a malicious Git repository in VS Code—the execution path changes once the repository is trusted.

"When the project is opened, Visual Studio Code prompts the user to trust the repository author," Xhaflaire explained. "If that trust is granted, the application automatically processes the repository's tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system."
"On macOS systems, this results in the execution of a background shell command that uses nohup bash -c in combination with curl -s to retrieve a JavaScript payload remotely and pipe it directly into the Node.js runtime. This allows execution to continue independently if the Visual Studio Code process is terminated, while suppressing all command output."

The JavaScript payload, delivered from Vercel, contains the core backdoor logic. It establishes persistence, gathers basic system information, and maintains communication with a command-and-control server to enable remote code execution and system profiling.

In at least one observed incident, Jamf noted additional JavaScript being executed approximately eight minutes after the initial compromise. This secondary payload beacons to the server every five seconds, executes further JavaScript instructions, and can delete traces of its activity upon command. Researchers suspect the code may have been generated with the help of artificial intelligence (AI), based on the language and inline comments found in the source.

Actors linked to the Democratic People's Republic of Korea (DPRK) are known to aggressively target software developers, especially those working in cryptocurrency, blockchain, and fintech environments. These individuals often possess elevated access to financial systems, wallets, and proprietary infrastructure.

By compromising developer accounts and machines, attackers could gain access to sensitive source code, internal platforms, intellectual property, and digital assets. The frequent tactical changes observed in this campaign suggest an effort to improve success rates and further the regime’s cyber espionage and revenue-generation objectives.

The disclosure coincides with findings from Red Asgard, which investigated a malicious repository abusing VS Code tasks to install a full-featured backdoor known as Tsunami (also called TsunamiKit), along with the XMRig cryptocurrency miner. Separately, Security Alliance reported on a similar attack where a victim was contacted on LinkedIn by actors posing as the CTO of a project named Meta2140. The attackers shared a Notion[.]so page containing a technical test and a Bitbucket link hosting the malicious code.

Notably, the attack framework includes multiple fallback mechanisms. These include installing a rogue npm package called "grayavatar" or executing JavaScript that downloads an advanced Node.js controller. This controller runs five modules designed to log keystrokes, capture screenshots, scan the home directory for sensitive data, replace clipboard wallet addresses, steal browser credentials, and maintain persistent communication with a remote server.

The malware further establishes a parallel Python environment using a stager script that supports data exfiltration, cryptocurrency mining via XMRig, keylogging, and the installation of AnyDesk for remote access. The Node.js and Python components are tracked as BeaverTail and InvisibleFerret, respectively.

Collectively, these observations show that the state-sponsored group is testing several delivery mechanisms simultaneously to maximize the chances of successful compromise.

"While monitoring, we've seen the malware that is being delivered change very quickly over a short amount of time," Jaron Bradley, director of Jamf Threat Labs, told The Hacker News. It's worth noting that the payload we observed for macOS was written purely in JavaScript and had many signs of being AI assisted. It's difficult to know exactly how quickly attackers are changing their workflows, but this particular threat actor has a reputation for adapting quickly."

To reduce exposure, developers are urged to remain cautious when handling third-party repositories—particularly those shared during hiring exercises—carefully review source code before opening it in VS Code, and limit npm installations to trusted, well-vetted packages.

"This activity highlights the continued evolution of DPRK-linked threat actors, who consistently adapt their tooling and delivery mechanisms to integrate with legitimate developer workflows," Jamf said. "The abuse of Visual Studio Code task configuration files and Node.js execution demonstrates how these techniques continue to evolve alongside commonly used development tools."
Read more »
Technology
Asia Cloud Services Cybersecurity Data protection data sovereignty Europe Geopolitical Cyber Risk Government organisations Technology

Geopolitical Conflict Is Increasing the Risk of Cyber Disruption




Cybersecurity is increasingly shaped by global politics. Armed conflicts, economic sanctions, trade restrictions, and competition over advanced technologies are pushing countries to use digital operations as tools of state power. Cyber activity allows governments to disrupt rivals quietly, without deploying traditional military force, making it an attractive option during periods of heightened tension.

This development has raised serious concerns about infrastructure safety. A large share of technology leaders fear that advanced cyber capabilities developed by governments could escalate into wider cyber conflict. If that happens, systems that support everyday life, such as electricity, water supply, and transport networks, are expected to face the greatest exposure.

Recent events have shown how damaging infrastructure failures can be. A widespread power outage across parts of the Iberian Peninsula was not caused by a cyber incident, but it demonstrated how quickly modern societies are affected when essential services fail. Similar disruptions caused deliberately through cyber means could have even more severe consequences.

There have also been rare public references to cyber tools being used during political or military operations. In one instance, U.S. leadership suggested that cyber capabilities were involved in disrupting electricity in Caracas during an operation targeting Venezuela’s leadership. Such actions raise concerns because disabling utilities affects civilians as much as strategic targets.

Across Europe, multiple incidents have reinforced these fears. Security agencies have reported attempts to interfere with energy infrastructure, including dams and national power grids. In one case, unauthorized control of a water facility allowed water to flow unchecked for several hours before detection. In another, a country narrowly avoided a major blackout after suspicious activity targeted its electricity network. Analysts often view these incidents against the backdrop of Europe’s political and military support for Ukraine, which has been followed by increased tension with Moscow and a rise in hybrid tactics, including cyber activity and disinformation.

Experts remain uncertain about the readiness of smart infrastructure to withstand complex cyber operations. Past attacks on power grids, particularly in Eastern Europe, are frequently cited as warnings. Those incidents showed how coordinated intrusions could interrupt electricity for millions of people within a short period.

Beyond physical systems, the information space has also become a battleground. Disinformation campaigns are evolving rapidly, with artificial intelligence enabling the fast creation of convincing false images and videos. During politically sensitive moments, misleading content can spread online within hours, shaping public perception before facts are confirmed.

Such tactics are used by states, political groups, and other actors to influence opinion, create confusion, and deepen social divisions. From Eastern Europe to East Asia, information manipulation has become a routine feature of modern conflict.

In Iran, ongoing protests have been accompanied by tighter control over internet access. Authorities have restricted connectivity and filtered traffic, limiting access to independent information. While official channels remain active, these measures create conditions where manipulated narratives can circulate more easily. Reports of satellite internet shutdowns were later contradicted by evidence that some services remained available.

Different countries engage in cyber activity in distinct ways. Russia is frequently associated with ransomware ecosystems, though direct state involvement is difficult to prove. Iran has used cyber operations alongside political pressure, targeting institutions and infrastructure. North Korea combines cyber espionage with financially motivated attacks, including cryptocurrency theft. China is most often linked to long-term intelligence gathering and access to sensitive data rather than immediate disruption.

As these threats manifest into serious matters of concern, cybersecurity is increasingly viewed as an issue of national control. Governments and organizations are reassessing reliance on foreign technology and cloud services due to legal, data protection, and supply chain concerns. This shift is already influencing infrastructure decisions and is expected to play a central role in security planning as global instability continues into 2026.

Read more »
Google security
AI tools Data Breach Data Leak Digital Personal Data Protection Gemini AI Gemini Flaw Gemini vulnerability Google Gemini Google security

Google Gemini Calendar Flaw Allows Meeting Invites to Leak Private Data

 

Though built to make life easier, artificial intelligence helpers sometimes carry hidden risks. A recent study reveals that everyday features - such as scheduling meetings - can become pathways for privacy breaches. Instead of protecting data, certain functions may unknowingly expose it. Experts from Miggo Security identified a flaw in Google Gemini’s connection to Google Calendar. Their findings show how an ordinary invite might secretly gather private details. What looks innocent on the surface could serve another purpose beneath. 

A fresh look at Gemini shows it helps people by understanding everyday speech and pulling details from tools like calendars. Because the system responds to words instead of rigid programming rules, security experts from Miggo discovered a gap in its design. Using just text that seems normal, hackers might steer the AI off course. These insights, delivered openly to Hackread.com, reveal subtle risks hidden in seemingly harmless interactions. 

A single calendar entry is enough to trigger the exploit - no clicking, no downloads, no obvious red flags. Hidden inside what looks like normal event details sits coded directions meant for machines, not people. Rather than arriving through email attachments or shady websites, the payload comes disguised as routine scheduling data. The wording blends in visually, yet when processed by Gemini, it shifts into operational mode. Instructions buried in plain sight tell the system to act without signaling intent to the recipient. 

A single harmful invitation sits quietly once added to the calendar. Only after the user poses a routine inquiry - like asking about free time on Saturday - is anything set in motion. When Gemini checks the agenda, it reads the tainted event along with everything else. Within that entry lies a concealed instruction: gather sensitive calendar data and compile a report. Using built-in features of Google Calendar, the system generates a fresh event containing those extracted details. 

Without any sign, personal timing information ends up embedded within a new appointment. What makes the threat hard to spot is its invisible nature. Though responses appear normal, hidden processes run without alerting the person using the system. Instead of bugs in software, experts point to how artificial intelligence understands words as the real weak point. The concern grows as behavior - rather than broken code - becomes the source of danger. Not seeing anything wrong does not mean everything is fine. 

Back in December 2025, problems weren’t new for Google’s AI tools when it came to handling sneaky language tricks. A team at Noma Security found a gap called GeminiJack around that time. Hidden directions inside files and messages could trigger leaks of company secrets through the system. Experts pointed out flaws deep within how these smart tools interpret context across linked platforms. The design itself seemed to play a role in the vulnerability. Following the discovery by Miggo Security, Google fixed the reported flaw. 

Still, specialists note similar dangers remain possible. Most current protection systems look for suspicious code or URLs - rarely do they catch damaging word patterns hidden within regular messages. When AI helpers get built into daily software and given freedom to respond independently, some fear misuse may grow. Unexpected uses of helpful features could lead to serious consequences, researchers say.
Read more »
Third Party Risk
Cybercrime Groups Data Breach Employee Data Exposure enterprise cybersecurity Incident response Ransomware As A Service Ransomware attack supply chain security Third Party Risk

Ingram Micro Reveals Impact of Ransomware Attack on Employee Records


 

Ingram Micro quietly divulged all the personal details of their employees and job applicants last summer after a ransomware attack at the height of the summer turned into a far-reaching data exposure, exposing sensitive information about their employees and job applicants and illustrating the growing threat of cybercrime. 

A significant breach at one of the world's most influential technology supply-chain providers has been revealed in the July 2025 attack, in which the company confirms that records linked to more than 42,000 people were compromised, marking the most significant breach of the company's history. It is evident that in the wake of the disruptions caused by older, high-profile cybercriminals, emerging ransomware groups are swiftly targeting even the most established businesses. 

These groups are capitalizing on disrupting these older, high-profile cyber criminal operations by swiftly attacking even the most established businesses. It is a stark reminder to manufacturers, distributors, and mid-market companies that depend on Ingram Micro for global logistics, cloud platforms, and managed services to stay protected from cybersecurity risks, and the breach serves as a warning that cybersecurity risk does not end within an organization's boundaries, as third-party cyber-incidents are becoming increasingly serious and problematic. 

The largest distributor of business-to-business technology, Ingram Micro, operates on a global scale. The company employs more than 23,500 associates, serves more than 161,000 customers, and reported net sales of $48 billion in 2024, which was much greater than the previous year's gross sales of $6 billion. 

As stated in the notification letters to the Maine Attorney General and distributed to affected individuals, the attackers obtained documents containing extensive information, including Social Security numbers, that they had stolen. 

There was a security incident involving the company on July 3rd, 2025, and, in its disclosure, the company indicated that an internal investigation was immediately launched, which determined that an unauthorized third party had access to and removed files from internal repositories between July 2 and July 3rd, 2025. 

In addition to the information contained in the compromised records, there were also information regarding current and former employees and potential job applicants, including names, contact details, birthdates, and government-issued identification numbers such as Social Security numbers, driver's license numbers, and passport numbers, as well as employment records in certain cases. 

A major attack on Ingram Micro's infrastructure may also have caused widespread disruptions to internal operations, as well as taking the company's website offline for a period of time, forcing the company to instruct its employees to work remotely as remediation efforts were underway. 

In spite of the fact that the company does not claim the breach was the result of a particular threat actor, it confirms that ransomware was deployed during the incident, in line with earlier reports linking the incident with the SafePay ransomware group, which later claimed responsibility and claimed to have stolen about 3.5 terabytes of data, and then published the name of the company on its dark web leaks.

In addition to drawing renewed attention to the systemic threat posed by attacks on central technology distributors, the incident also shed light on the risk that a single compromise can have a ripple effect across the entire digital supply chain as well. 

Analysts who examined the Ingram Micro intrusion claim that the ransomware was designed to be sophisticated, modular, and was modeled after modern malware campaigns that are operated by operators. The malicious code unfolded in carefully sequenced stages, with the lightweight loader establishing persistence and neutralizing baseline security controls before the primary payload was delivered.

The attackers subsequently developed components that enabled them to move laterally through internal networks by exploiting cached authentication data and directory services in order to gain access to additional privileges and harvest credentials. The attackers also employed components designed to escalate privileges and harvest credentials. 

The spread across accessible systems was then automated using a dedicated propagation engine, while at the same time manual intervention was still allowed to prioritize high-value targets using a dedicated propagation engine. As part of the attack, the encryption engine used a combination of industry-grade symmetric cryptography and asymmetric key protection to secure critical data, effectively locking that data beyond recovery without the cooperation of the attackers. 

As an extension of the encryption process, a parallel exfiltration process used encrypted web traffic to evade detection to quietly transfer sensitive files to external command-and-control infrastructure. Ultimately, ransom notes were released in order to exert pressure through both operational disruptions as well as the threat of public data exposure, which culminated in the deployment of ransom notes. 

The combination of these elements illustrates exactly how contemporary ransomware has evolved into a hybrid threat model-a model that combines automation, stealth, and human oversight-and why breaches at key nodes within the technology ecosystem can have a far-reaching impact well beyond the implications of one organization. 

When Ingram Micro discovered that its data had been compromised, the company took a variety of standard incident response measures to address it, including launching a forensic investigation with the help of an external cybersecurity firm, notifying law enforcement and relevant regulators, and notifying those individuals whose personal information may have been compromised. 

Additionally, the company offered two years of free credit monitoring and identity theft protection to all customers for two years. It has been unclear who the attackers are, but the SafePay ransomware group later claimed responsibility, alleging in its dark web leak site that the group had stolen 3.5 terabytes of sensitive data. Those claims, however, are not independently verified, nor is there any information as to what ransom demands have been made.

The attack has the hallmarks of a modern ransomware-as-a-service attack, with a custom malware being deployed through a well-established framework that streamlines intrusion, privilege escalation, lateral movement, data exfiltration, and data encryption while streamlining intrusion, privilege escalation, lateral movement, and data encryption techniques.

As such, these campaigns usually take advantage of compromised credentials, phishing schemes, and unpatched vulnerabilities to gain access to the victim. They then combine double-extortion tactics—locking down systems while siphoning sensitive data—with the goal of putting maximum pressure on them. 

During the event, Ingram Micro's own networks were disrupted, which caused delays across global supply chains that depended on Ingram Micro's platforms, causing disruptions as well as disruptions to transactions. There is an opportunity for customers, partners, and the wider IT industry to gain a better understanding of the risks associated with concentration of risk in critical vendors as well as the potentially catastrophic consequences of a relatively small breach at a central node.

A number of immediate actions were taken by Ingram Micro in the aftermath of the attack, including implementing the necessary measures to contain the threat, taking all affected systems offline to prevent further spread of the attack, and engaging external cybersecurity specialists as well as law enforcement to support the investigation and remediation process. 

As quickly as possible, the company restored access to critical platforms, gradually restoring core services, and maintained ongoing forensic analysis throughout the day to assess the full extent of the intrusion, as well as to assure its customers and partners that the company was stable. It is not only the operational response that has been triggered by the incident, but the industry has largely reflected on the lessons learned from a similar attack. 

It is apparent that security experts are advocating resilience-driven strategies such as zero trust access models, network microsegmentation, immutable backup architectures, and continuous threat monitoring in order to limit breaches' blast radius. 

It is also evident from the episode that the technology industry is becoming increasingly dependent on third-party providers, which is why it has reinforced the importance of regular incident response simulations and robust vendor risk management strategies. This ransomware attack from Ingram Micro illustrates the importance of modern cyber operations beyond encrypting data. 

It also illustrates how modern cyber operations are also designed to disrupt interconnected ecosystems, in addition to exerting pressure through theft of data and a systemic impact. As a result of this incident, it was once again reinforced that enterprise security requires preparation, layers of defenses, and supply chain awareness. 

A response of Ingram Micro was to isolate the affected servers and segments of the network in order to contain the intrusion. During this time, the Security Operations Center activated a team within its organization to coordinate remediation and forensic analysis as part of its response. This action corresponds with established incident handling standards, which include the NIST Cybersecurity Framework and ISO 27035 guidelines. 

Currently, investigators are conducting forensic examinations of the ransomware strain, tracking the initial access vectors, and determining whether data has been exfiltrating in order to determine if it was malicious or not. Federal agencies including the FBI Internet Crime Complaint Center and the Cybersecurity and Infrastructure Security Agency have been informed about the investigation. 

In the recovery process, critical systems are restored from verified backups, compromised infrastructure is rebuilt, and before the environment can be returned to production, it is verified that a restored environment does not contain any malicious artifacts.

It is no surprise to security specialists that incidents of this scale are increasingly causing large companies to reevaluate their core controls, such as identity and access management, which includes stronger authentication, tighter access governance, and continuous monitoring.

It is believed that these actions will decrease the risk of unauthorized access and limit the impact of future breaches to a great extent. This Ingram Micro incident is an excellent example of how ransomware has evolved into a technical and systemic threat as well, one that increasingly targets the connective tissue of the global technology economy, rather than isolated enterprises, to increasingly target. 

A breach like the one in question has demonstrated the way that attacks on highly integrated distributors can cascade across industries, exposing information, disrupting operations, and amplifying risks that extend far beyond the initial point of compromise. It is likely that the episode will serve as a benchmark for regulators, enterprises, and security leaders to evaluate resilience within complex supply chains as investigations continue and recovery efforts mature. 

During a period of time when the industry relies heavily on scale, speed, and trust, the attack serves as a strong warning that cybersecurity readiness cannot be judged solely by its internal defenses, but also by its ability to anticipate, absorb, and recover from shocks originating anywhere within the interconnected digital ecosystem as well as to measure its readiness for cybersecurity.
Read more »
User Privacy
Data Breach Honeypot Resecurity SLH Group User Privacy

Resecurity Breach Claims Exposed as Honeypot Deception

 

The hackers, who claimed to represent the “Scattered Lapsus$ Hunters” (SLH) group, believed they successfully compromised Resecurity, a cybersecurity firm based in the United States, by exfiltrating their data. Resecurity disputed this by saying they were only able to gain access to their honeypot, which was set up to provide fake data to potential attackers. Such differing accounts of an incident show not only the brazenness of financially driven attackers but also the increasing use of deception techniques by attackers to gain intelligence.

The SLH members propagated their allegations through Telegram, claiming “full access” to the Resecurity systems and the theft of all internal conversations and logs, employee data, threat intelligence reports, and an extensive list of clients and their information. In an attempt to prove the validity of these allegations, the SLH members shared screenshots of Resecurity’s internal “Mattermost” environment, where conversations between the company employees and Pastebin representatives about malicious data on the Pastebin platform were shown. The SLH members described the attack as retaliation against Resecurity, which they believed was trying to socially engineer them by impersonating the buyers of the stolen Vietnamese financial database in order to receive complimentary samples and more information about their activities. 

Adding to this complexity, the renowned threat actor group known as ShinyHunters, known to have been part of the Scattered Lapsus$ Hunters umbrella, later disclaimed their involvement in this incident. This was revealed when a representative of ShinyHunters told a local media outlet that, although they have long claimed to be part of SLH, they did not have any involvement in this incident against Resecurity. This has left many questions regarding how these overlapping groups coordinate their efforts or if SLH uses its association with ShinyHunters to magnify its efforts. 

Resecurity firmly disputes any compromise of its production environment, asserting that the attackers never touched live systems or genuine client data but instead interacted with a purpose-built honeypot. According to a report filed on December 24, it was determined that the initial recon in the vulnerable environment was first spotted on November 21, 2025, with subsequent scanning activities originating from Egyptian IP addresses and utilizing Mullvad VPN. In this regard, in order to monitor the tactics, techniques, and procedures of the attacker, the Digital Forensics and Incident Response (DFIR) team set up an isolated “honeypot” account. 

To make the bait more convincing, Resecurity claims the creation of more than 28,000 fake consumer records and over 190,000 fake payment transactions modeled after the official API structures defined by Stripe. Later in December, the attacker reportedly began automated data exfiltration attacks with more than 188,000 requests made between December 12th and December 24th using a wide range of residential proxy IP addresses. During this period, Resecurity claims that sporadic proxy issues temporarily revealed actual IP addresses, helping analysts identify the attacker’s back-end servers, whose details were later shared with a foreign law enforcement agency that subsequently issued a subpoena against the attacker.

After the initial coverage, the attackers contacted Dissent Doe of DataBreaches.net and provided samples of what they claimed was stolen data, seeking to reinforce their narrative. However, an independent review by DataBreaches concluded there was no evidence that SLH obtained information from any real Resecurity clients, aligning with the company’s assertion that only synthetic records were exposed. Meanwhile, the Telegram channel that originally hosted SLH’s breach claims has since been suspended for violating the platform’s policies, limiting the group’s ability to continue publishing its version of events.
Read more »
XSS Vulnerability
CyberArk research dark web cybercrime info-stealer malware malware Malware-as-a-Service StealC malware XSS Vulnerability

StealC Malware Operators Exposed After XSS Bug Leaks Session and Hardware Data

 

A cross-site scripting (XSS) vulnerability in the web-based management panel used by StealC information-stealing malware operators enabled security researchers to monitor live activity and collect intelligence about the attackers’ systems.

First appearing in early 2023, StealC quickly gained traction on dark web forums due to aggressive promotion and its ability to evade detection while harvesting large volumes of sensitive data. Over time, the malware continued to evolve, with its developer rolling out several upgrades to expand functionality and appeal among cybercriminals.

A major update arrived in April last year with the launch of StealC version 2.0. This release introduced Telegram bot integration for real-time notifications, along with a revamped builder capable of creating customized malware samples based on templates and tailored data-exfiltration rules. Around the same period, the source code for StealC’s administrative panel was leaked, allowing researchers deeper insight into its internal workings.

CyberArk analysts later identified an XSS flaw within the panel that proved particularly revealing. By abusing this weakness, the team was able to gather browser and hardware fingerprints of StealC operators, monitor ongoing sessions, extract session cookies, and remotely take over active panel logins.

“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers say.

“Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines.”

To avoid tipping off attackers and enabling a rapid fix, CyberArk chose not to publish technical specifics about the XSS issue.

The research also details a StealC user tracked as ‘YouTubeTA’, who reportedly took over dormant but legitimate YouTube channels—likely through stolen credentials—and used them to distribute malicious links. Throughout 2025, this actor conducted sustained malware campaigns, amassing more than 5,000 victim logs, roughly 390,000 passwords, and around 30 million cookies, the majority of which were non-sensitive.

Screenshots from the attacker’s control panel suggest that infections largely occurred when victims searched online for pirated versions of Adobe Photoshop and Adobe After Effects. Exploiting the XSS flaw further allowed researchers to profile the attacker’s setup, revealing the use of an Apple M3-based machine configured with English and Russian language settings, operating in an Eastern European time zone, and connecting from Ukraine.

The individual’s real location was exposed after they accessed the StealC panel without a VPN, revealing an IP address tied to Ukrainian internet provider TRK Cable TV.

CyberArk emphasized that while malware-as-a-service (MaaS) platforms allow threat actors to scale operations quickly, they also introduce significant risks by increasing the chances of operational exposure.

BleepingComputer reached out to CyberArk to understand the timing behind the disclosure. Researcher Ari Novick explained that the decision was driven by a recent surge in StealC activity, possibly linked to upheaval surrounding the Lumma malware ecosystem.

"By posting the existence of the XSS we hope to cause at least some disruption in the use of the StealC malware, as operators re-evaluate using it. Since there are now relatively many operators, it seemed like a prime opportunity to potentially cause a fairly significant disruption in the MaaS market."
Read more »
StealC
Cybersecurity information stealer MaaS malware StealC

Researchers Exploit Flaw in StealC Malware Panel to Monitor Cybercriminals




Security researchers have identified a weakness in the web-based dashboard used by operators of the StealC information-stealing malware, allowing them to turn the malware infrastructure against its own users. The flaw made it possible to observe attacker activity and gather technical details about the systems being used by cybercriminals.

StealC first surfaced in early 2023 and was heavily promoted across underground cybercrime forums. It gained traction quickly because of its ability to bypass detection tools and extract a wide range of sensitive data from infected devices, including credentials and browser-stored information.

As adoption increased, the malware’s developer continued to expand its capabilities. By April 2024, a major update labeled version 2.0 introduced automated alerting through messaging services and a redesigned malware builder. This allowed customers to generate customized versions of StealC based on predefined templates and specific data theft requirements.

Around the same time, the source code for StealC’s administration panel was leaked online. This leak enabled researchers to study how the control system functioned and identify potential security gaps within the malware’s own ecosystem.

During this analysis, researchers discovered a cross-site scripting vulnerability within the panel. By exploiting this weakness, they were able to view live operator sessions, collect browser-level fingerprints, and extract session cookies. This access allowed them to remotely take control of active sessions from their own systems.

Using this method, the researchers gathered information such as approximate location indicators, device configurations, and hardware details of StealC users. In some cases, they were able to directly access the panel as if they were the attacker themselves.

To prevent rapid remediation by cybercriminals, the researchers chose not to publish technical specifics about the vulnerability.

The investigation also provided insight into how StealC was being actively deployed. One customer, tracked under an alias, had taken control of previously legitimate video-sharing accounts and used them to distribute malicious links. These campaigns remained active throughout 2025.

Data visible within the control panel showed that more than 5,000 victim systems were compromised during this period. The operation resulted in the theft of roughly 390,000 passwords and tens of millions of browser cookies, although most of the cookies did not contain sensitive information.

Panel screenshots further indicated that many infections occurred when users searched online for pirated versions of widely used creative software. This reinforces the continued risk associated with downloading cracked applications from untrusted sources.

The researchers were also able to identify technical details about the attacker’s setup. Evidence suggested the use of an Apple device powered by an M3 processor, with both English and Russian language configurations enabled, and activity aligned with an Eastern European time zone.

The attacker’s real network location was exposed when they accessed the panel without a privacy tool. This mistake revealed an IP address associated with a Ukrainian internet service provider.

Researchers noted that while malware-as-a-service platforms allow criminals to scale attacks efficiently, they also increase the likelihood of operational mistakes that can expose threat actors.

The decision to disclose the existence of the vulnerability was driven by a recent increase in StealC usage. By publicizing the risk, the researchers aim to disrupt ongoing operations and force attackers to reconsider relying on the malware, potentially weakening activity across the broader cybercrime market.

Read more »
User Privacy
Biometric Authentication Cyber Fraud OTP Scam UAE Banks User Privacy

UAE Banks Ditch SMS OTPs for Biometric App Authentication

 

UAE banks have discontinued SMS-based one-time passwords (OTPs) for online transactions from January 6, 2026, moving customers to app-based and biometric authentication as part of a wider security overhaul led by the Central Bank of the UAE. This marks a significant shift in how digital payments are approved, aiming to curb SIM-swap and phishing-related fraud while streamlining user experience for cardholders across the country.

Since January 6, customers making online card payments are no longer receiving OTP codes via SMS or email to complete their purchases. Instead, banks will push transaction-approval requests directly to their official mobile applications, where users must confirm the payment using in-app prompts.Major UAE lenders, including names like Emirates NBD and others, have started sending alerts to customers, warning that online payments may fail if the banking app is not installed and activated before the deadline.

Role of biometrics and app authentication

The new model relies heavily on biometric verification such as fingerprint and facial recognition, along with secure app PINs or Smart Pass-style codes built into mobile banking platforms. When a customer attempts an online transaction, a notification appears inside the bank’s app, and the user authorises it with their registered biometric data or a secure PIN rather than typing in a texted code.Banks and regulators describe this as “strong customer authentication,” aligning local practices with international standards similar to Europe’s PSD2 framework for secure digital payments.

Authorities and banks point to rising fraud that targets SMS OTPs, especially SIM-swap scams, phishing schemes and interception of text messages over insecure channels. By tying approvals to registered devices and biometrics inside the banking app, the sector aims to sharply reduce the chance that criminals can hijack authentication codes and authorise fraudulent payments in a victim’s name. The Central Bank’s notice (2025/3057) set March 2026 as the outer deadline to phase out SMS and email OTPs entirely, but most major banks accelerated implementation after seeing a spike in such fraud cases last year.

Impact on customers and preparations

Customers are being urged to update their bank apps to the latest version, register biometrics where available, and enable push notifications so they do not miss approval requests during online shopping or money transfers.Those who do not complete these steps risk declined payments or delays, particularly for e-commerce and international transactions that now depend entirely on in-app verification rather than text messages. Employers and community groups in the UAE have been encouraged to educate less tech-savvy users, including blue-collar workers who rely on digital wallets and remittances, to avoid disruption during the transition period.

The move positions the UAE as one of the early markets to rely almost exclusively on biometric and app-based approvals for everyday retail payments, ahead of many more mature banking jurisdictions. Industry analysts see this shift as part of a broader digital transformation strategy in the country’s financial sector, combining enhanced security with faster, more convenient user journeys for online transactions.For customers, the change may require short-term adaptation, but it is expected to deliver stronger protection and a smoother checkout flow once app-based and biometric authentication becomes routine.
Read more »
EU
Black Basta Black Basta Ransomware Black Basta Ransomware gang Cyber Security Cyber Security Ransomware Attacks cybercrime group EU

European Authorities Identify Black Basta Suspects as Ransomware Group Collapses

 

Two Ukrainians are now under suspicion of aiding Black Basta, a ransomware network tied to Russia, after joint work by police units in Ukraine and Germany - this step adds pressure on the hacking group’s operations. The man believed to lead the gang, Oleg Evgenievich Nefedov, aged thirty-five and holding Russian citizenship, appears on key global alerts: one issued by the EU, another by INTERPOL. Though named, he remains at large. 

A Ukrainian cybercrime unit identified two people who handled technical tasks for a ransomware network, focusing on breaking into secured systems. These individuals worked by uncovering encrypted passwords through dedicated tools. Their job was to unlock access codes so others could move deeper. With those login details, associates entered company servers without permission. They installed malicious encryption programs afterward. Victims then faced demands for money before files would be released. 

Finding hidden data drives inside apartments across Ivano-Frankivsk and Lviv opened a path toward tracking illegal transactions. Though police stayed silent on custody details, they emphasized digital trails now feed directly into active probes. 

Emerging in April 2022, Black Basta quickly rose as a leading ransomware force worldwide. Over 500 businesses in North America, Europe, and Australia faced its attacks, bringing in hundreds of millions through crypto ransoms. Instead of acting alone, the group used a service-based approach, pulling in partners who received profit cuts for launching assaults on their behalf. 

Early in 2025, internal chat records from Black Basta were made public, showing how the group operated and naming those involved. Nefedov emerged as the central figure behind the network; his known aliases included Tramp, Trump, GG, and AA. Evidence within the files suggested ties between him and high-level individuals in Russian politics. Links to state security bodies like the FSB and GRU appeared in some messages. 

Such affiliations might explain why legal action against him never moved forward. The disclosure offered rare insight into an otherwise hidden criminal ecosystem. A report from June 2024 noted a short detention of Nefedov in Yerevan, Armenia; authorities let him go afterward. Although listed internationally as a fugitive, where he is now has not been confirmed - evidence suggests Russia may be harboring him. 

Some researchers connect Nefedov to Conti, a well-known ransomware outfit that ended in 2022. When Conti broke apart, new groups appeared - Black Basta, BlackByte, and KaraKurt among them. Following the split, ex-Conti members moved into different ransomware efforts, though certain ones eventually stopped operating. A different analysis by Analyst1 showed Black Basta made frequent use of Media Land - an internet host blacklisted by U.S., British, and Australian governments in late 2025 due to its resistance to takedown requests. 

According to officials in Germany, Nefedov was responsible for choosing victims, bringing in new people, handling payment talks after attacks, then splitting the money taken with others involved. After the leaks, activity from Black Basta's systems stopped. Its public leak page vanished by February. 

Still, security analysts note such criminal networks frequently reappear under different names or combine forces elsewhere. Data collected by ReliaQuest together with Trend Micro points toward ex-members possibly joining CACTUS. A sharp increase in victims claimed by CACTUS emerged right when Black Basta faded.
Read more »
Transparent Tribe
Advanced Persistent Threat APT36 Command And Control cyber espionage Indian Government Cyber Attacks malware Remote Access Trojan Spear Phishing Transparent Tribe

Transparent Tribe Targets Indian Public Sector and Academic Networks


Several recent cyber espionage campaigns have drawn attention to Transparent Tribe, a long-standing advanced persistent threat group associated with a new wave of intrusions targeting Indian government bodies, academic institutions, and strategically sensitive organizations, which have re-opened the issue of Transparent Tribe. 


According to security researchers, the activity has been attributed to the deployment of a sophisticated remote access trojan that is designed to establish a persistent, covert control over the compromised system, allowing the monitoring and access of data over a period of time. 

In the process of carrying out this operation, it is evident that the execution was carried out with a high degree of social engineering finesse, as it used carefully crafted delivery mechanisms, including a weaponized Windows shortcut file disguised as a legitimate PDF document, filled with authentic-looking content, which reduced suspicion and increased execution rates, according to the technical analysis carried out by CYFIRMA.

APT36 is a name that has been associated with Transparent Tribe in the security community for more than a decade. Transparent Tribe has maintained a consistent focus on Indian targets since the beginning of the 20th century, refining tradecraft and tooling to support the group's goals. In the past few years, the group has steadily added malware to its malware portfolio. 

To adapt to changing defenses while maintaining access to high-value networks, the group has deployed a suite of custom remote access trojans like CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. As the investigation has found, the intrusion chain was initiated by a targeted spear-phishing email that delivered a compressed ZIP archive that contained a Windows shortcut file, crafted to look like a benign PDF document. 

Upon execution, the file silently invokes a remote HTML Application using the native Windows component called mshta.exe, which has been abused numerous times over the years to circumvent security checks. 

To maintain the illusion of legitimacy, a PDF decoy file is also downloaded and opened while the HTA script is decrypted and loaded entirely in memory, minimizing its footprint on the disk. This decoy PDF can be downloaded and opened without triggering the HTA script. 

It has been reported by CYFIRMA that when the malware is able to decode the data, it will make extensive use of ActiveX objects, particularly WScript.Shell, to profile the host environment and manipulate runtime behavior. As a result of this technique, execution reliability and compatibility with the victim system will be improved. 

Furthermore, this campaign's adaptive persistence strategy differs from the rest in that it dynamically adjusts itself in accordance with the endpoint security software detecting the compromised machine on the runtime. 

Depending on the software people are running, Kaspersky, Quick Heal, Avast, AVG, or Avira have a tailor-made persistence mechanism that includes obfuscated HTA payloads, batch scripts, registry modifications, and malicious shortcut files placed in the Windows Startup directory to encrypt data. 

As for systems lacking recognizable antivirus protection, a broader combination of these strategies can be used. This operation is anchored on a secondary HTA component which delivers a malicious DLL — known as iinneldc.dll — that performs the function of a fully featured RAT capable of allowing attackers to remotely administer a host, execute file operations, exfiltrate data, capture screenshots, monitor clipboards and control processes, allowing them to take complete control of infected systems. 

In terms of operations, this campaign underscores Transparent Tribe's reliance on deceiving its adversaries as a central pillar of its intrusion strategy, emphasizing the importance of adaptability and deception. 

The researchers found that attackers intentionally embedded complete, legitimate-looking PDF documents as shortcut files, presenting them as regular correspondence while hiding executable logic under the surface so that they would appear to be routine correspondence. 

When this is done, it greatly increases the chances that the user will interact with the malware before it becomes apparent that any warning signs have been raised. Once access is gained, the malware doesn't need to rely on a single, static method to maintain its position. 

Instead, it actively evaluates the compromised system's security posture and dynamically selects persistence mechanisms based on the installed endpoint protection, with a degree of conditional logic that is a reflection of careful planning and familiarity with common defensive environments in an attempt to meet their needs. 

Using encrypted command-and-control channels, the remote access trojan can communicate with attacker-controlled infrastructure, enabling it to receive instructions and exfiltrate sensitive data all while blending into the normal traffic stream on the network, reducing the chances it will be detected. 

According to security analysts, this operation has far broader implications than just a routine malware incident and has a lot to do with the overall threat landscape. It is clear from the campaign that it is an operation of cyber-espionage carried out by a cyber-espionage group with a long history of targeting the Indian government, defense and research institutions as a target for their attacks. 

There is an intentional effort to avoid traditional signature-based defenses with this attack by focusing on in-memory execution and fileless techniques, while the use of socially engineered, document-based lures indicates that an understanding is in place of how trust and familiarity can be exploited within targeted organizations in order to achieve a successful attack. 

The combination of these elements suggests that a persistent and mature adversary has been refining its tradecraft for years, reinforcing concerns about the sustained cyber threat facing critical sectors in India. Additionally, the malware deployed in this campaign functions as a remote access trojan that allows attackers to control infected systems in a persistent and covert manner. Based on this analysis, it can be concluded that this malware is a highly sophisticated remote access trojan. 

In addition to the use of trusted Windows binaries such as mshta.exe, PowerShell, and cmd.exe, researchers discovered the toolset focuses heavily on stealth, utilizing in-memory execution as well, which minimizes the on-disk footprint, as well as evading traditional detection methods. 

In addition to setting up an encrypted command-and-control channel, the RAT also provides operators with the ability to issue commands, collect detailed system information, and exfiltrate sensitive information without being noticed. 

By exploiting the exploits of the malware, operators are able to create a profile of compromised hosts by gathering information such as the operating system’s details, usernames, installed software, and active antivirus software, enabling them to implement follow-up actions tailored to their needs. 

This software enables remote command execution, comprehensive file management, targeted document theft, screenshot capture, clipboard monitoring and manipulation, granular process control, as well as the ability to execute commands remotely. This software is supported by persistence mechanisms that are adjusted according to the victim's security environment. 

Collectively, these capabilities strengthen the perception that the malware has been designed to support long-term surveillance and data collection rather than short-term disruption, thus confirming that it was built specifically for espionage. Typically, the infection lifecycle begins with a carefully constructed social engineering lure that appears to be legitimate and routine. 

As the payload in this case was framed as an examination-related document, it was used to target victims and spread the word that they would be able to receive a ZIP archive titled "Online JLPT Exam Dec 2025.zip." The archive reveals a shortcut file whose extension is .pdf.lnk when extracted, which is a tactic that exploits Windows’ way of handling shortcut files, where it conceals the executable nature of the payload even though the file extensions can be seen on the file.

This shortcut, which is unusually large—measuring over 2 megabytes instead of the usual 10 to 12 megabytes—prompted closer examination to reveal that the file was deliberately inflated in order to closely resemble a legitimate PDF file. 

It was discovered that the shortcut contained multiple markers associated with embedded image objects, indicating that it contained a complete PDF structure as opposed to serving simply as a pointer. This design choice was made so the shortcut would appear in line with user expectations, as well as fit the file size within the archive. 

In addition to this, a multi-stage design can be observed in the archive as well. An investigation revealed that there is a hidden directory labelled “usb” containing a file titled usbsyn.pim in it, which was unable to be decoded conclusively during analysis, but which researchers believe to contain encrypted data or code that will be used later on in the execution process. 

As a result of activating the shortcut, a legitimate Windows application called MSSHTA.exe is invoked, passing a remote URL to a malicious HTML application hosted on attacker-controlled infrastructure in order to retrieve and execute this malicious HTML application. 

It is evident from file metadata that the shortcut was created in late March 2025, a timeframe which provides some insight into the campaign's timeline. It is the intent of the HTA loader, to create the illusion of legitimacy, to retrieve and open a legitimate PDF document simultaneously, so the victim perceives the activity as harmless and expected. 

Moreover, the HTA loader itself is the basis of the execution chain, which has been designed to operate with the least amount of user visibility possible. 

A script launching at zero dimensions hides the activity of its execution by resizing its window to zero dimensions. The script then initializes a series of custom functions that perform Base64 decoding and XOR-based decryption routines, in order to gradually reconstruct the malicious payload in memory. This is all accomplished by the loader exploiting ActiveX components, such as WScript.Shell, in order to interact with the underlying Windows environment during this process.

Through the querying of registry keys to determine which .NET runtimes are available and the dynamic adjustment of environment variables such as COMPLUS_Version, the malware ensures that the malware is compatible with different systems. 

It is clear that Transparent Tribe's campaign has been highly calculated and methodical in its approach to environment profiling, runtime manipulation, and abuse of legitimate system components, demonstrating a mature tradecraft that is reflected in the campaign's methodical approach. 

Researchers report that, beyond the activities linked to Transparent Tribe, there are growing threats that are being targeted at Indian institutions, and tools and infrastructure that overlap are increasingly blurring the lines between various regional espionage groups who are using overlapping tools and infrastructure. 

A former hacker named Patchwork has also been identified as the perpetrator of an assault program dubbed StreamSpy, which introduces a dual-channel command-and-control model that utilizes WebSocket and HTTP protocols to deliver distinct operational benefits, as of December 2025. 

Using WebSocket connections for executing commands and returning execution results, as opposed to the traditional HTTP connections for transferring files, displays the analysis by QiAnXin, indicating a design choice intended to reduce visibility and evade routine network inspection by the company. 

By using ZIP archive delivery services hosted on attacker-controlled domains, the malware has delivered a payload capable of harvesting information about a system, establishing persistence through multiple mechanisms, including registry modifications, scheduled tasks, and startup shortcuts, and providing an array of commands for remote file manipulation, execution, and file retrieval. 

Furthermore, investigators have identified code-level similarities between StreamSpy and Spyder, a backdoor variant previously attributed to SideWinder and historically used by Patchwork, as well as digital signatures reminiscent of ShadowAgent, a Windows RAT associated with the DoNot Team, that are similar to ShadowAgent. 

According to the convergence of these technical indicators, coupled with independent detections by several security firms in late 2025, it appears that regional threat actors continue to integrate tooling and cross-pollinate among themselves. 

Analysts are stating that the emergence of StreamSpy and its variants reflects a sustained effort among these groups to refine the arsenals they possess, experiment with alternative communication channels, and maintain operational relevance while the defensive capabilities of these groups improve. Taking all of the findings presented in this investigation together, people are able to identify a cyber-espionage ecosystem that is more widespread and more entrenched against Indian institutions. 

It is characterized by patience, technical depth, and convergence between multiple threat actors in terms of tools and techniques. This campaign provides an example of how mature adversaries continue to improve their social engineering skills, take advantage of trusted components of systems and customize persistence mechanisms in order to maintain long-term access to high-value networks through social engineering and system abuse.

StreamSpy, for instance, illustrates a parallel trend in which regional espionage groups iterate on one another's malware frameworks, while experimenting with alternative command-and-control systems to evade detection, a trend that has been accelerating since the advent of related toolsets. 

Defendants should be aware that the significance of these campaigns lies not in any particular exploit or payload, but rather in the cumulative messages that they send, demonstrating that state-aligned threat actors are still deeply involved in collecting persistent intelligence and that the threat to government institutions, educational institutions, and strategic sectors is evolving rather than receding in sophistication.
Read more »
medical systems shutdown
Antwerp hospital attack AZ Monica ransomware Belgian hospital cyberattack Cyber Attacks Healthcare cybersecurity hospital IT outage medical systems shutdown

Cyberattack Disrupts Belgian Hospital AZ Monica, Forces Server Shutdown and Patient Transfers

 

A cyber incident disrupted operations at Belgian hospital network AZ Monica, prompting the organization to shut down all servers, cancel planned medical procedures, and relocate critically ill patients. AZ Monica operates as a general hospital network with two campuses in Antwerp and Deurne, delivering acute, outpatient, and specialized healthcare services to the surrounding community.

The hospital took its systems offline at 6:32 a.m. on 13th January 2025 after identifying the cyberattack. While urgent care services remain active and current inpatients continue to receive treatment, non-essential consultations have been deferred because staff are unable to access electronic medical records.

“This morning (6:32 a.m.), AZ Monica experienced a serious disruption to its IT systems. As a precaution, all servers for the campuses in Deurne and Antwerp were proactively shut down.” reads a press statement published by the hospital. “Due to this situation, no scheduled surgeries are possible today . We have informed all patients. The Emergency Department is operating at reduced capacity . The MUG and PIT services are temporarily unavailable . Consultations continue. Visitors are always welcome.”

Following the incident, the healthcare organization initiated an internal investigation and informed law enforcement authorities, including police and prosecutors. With assistance from the Red Cross, AZ Monica safely transferred seven critical patients, while care for all remaining patients continues at the facility.

“Our emergency department is operating at low capacity. No patients are being transported to our emergency department by ambulance. Therefore, if you require urgent care, we ask that you contact your GP, a GP out-of-hours clinic, or another emergency service whenever possible.” reads a cyber incident update.

AZ Monica has not disclosed technical specifics about the attack. The Brussels Times cited unverified reports suggesting a ransom demand, though neither hospital officials nor authorities have confirmed these claims.

Hospital leadership reiterated that patient safety and the continuity of medical services remain their highest priorities. The situation is being closely monitored, and additional updates will be shared as more information becomes available.

Cyberattacks targeting hospitals pose severe risks, as they can interrupt essential medical operations and endanger patient lives. Modern healthcare facilities rely heavily on digital systems for diagnostics, records, and treatment coordination, and system outages can delay urgent care. Such incidents also raise concerns about the exposure of sensitive patient information and can strain the broader healthcare system when patients must be redirected elsewhere.
Read more »
Technology
AI vs humans Artificial Intelligence ChatGPT organizations Technology

AI Can Answer You, But Should You Trust It to Guide You?



Artificial intelligence tools are expanding faster than any digital product seen before, reaching hundreds of millions of users in a short period. Leading technology companies are investing heavily in making these systems sound approachable and emotionally responsive. The goal is not only efficiency, but trust. AI is increasingly positioned as something people can talk to, rely on, and feel understood by.

This strategy is working because users respond more positively to systems that feel conversational rather than technical. Developers have learned that people prefer AI that is carefully shaped for interaction over systems that are larger but less refined. To achieve this, companies rely on extensive human feedback to adjust how AI responds, prioritizing politeness, reassurance, and familiarity. As a result, many users now turn to AI for advice on careers, relationships, and business decisions, sometimes forming strong emotional attachments.

However, there is a fundamental limitation that is often overlooked. AI does not have personal experiences, beliefs, or independent judgment. It does not understand success, failure, or responsibility. Every response is generated by blending patterns from existing information. What feels like insight is often a safe and generalized summary of commonly repeated ideas.

This becomes a problem when people seek meaningful guidance. Individuals looking for direction usually want practical insight based on real outcomes. AI cannot provide that. It may offer comfort or validation, but it cannot draw from lived experience or take accountability for results. The reassurance feels real, while the limitations remain largely invisible.

In professional settings, this gap is especially clear. When asked about complex topics such as pricing or business strategy, AI typically suggests well-known concepts like research, analysis, or optimization. While technically sound, these suggestions rarely address the challenges that arise in specific situations. Professionals with real-world experience know which mistakes appear repeatedly, how people actually respond to change, and when established methods stop working. That depth cannot be replicated by generalized systems.

As AI becomes more accessible, some advisors and consultants are seeing clients rely on automated advice instead of expert guidance. This shift favors convenience over expertise. In response, some professionals are adapting by building AI tools trained on their own methods and frameworks. In these cases, AI supports ongoing engagement while allowing experts to focus on judgment, oversight, and complex decision-making.

Another overlooked issue is how information shared with generic AI systems is used. Personal concerns entered into such tools do not inform better guidance or future improvement by a human professional. Without accountability or follow-up, these interactions risk becoming repetitive rather than productive.

Artificial intelligence can assist with efficiency, organization, and idea generation. However, it cannot lead, mentor, or evaluate. It does not set standards or care about outcomes. Treating AI as a substitute for human expertise risks replacing growth with comfort. Its value lies in support, not authority, and its effectiveness depends on how responsibly it is used.

Read more »
malicious extensions
Chrome Extensions Cookies Cyber Security cybersecurity risks Google Chrome security malicious extensions

Malicious Chrome Extensions Target Enterprise HR and ERP Platforms to Steal Credentials

 

One after another, suspicious Chrome add-ons began appearing under false pretenses - each masquerading as helpful utilities. These were pulled from public view only after Socket, a cybersecurity group, traced them back to a single pattern of abuse. Instead of boosting efficiency, they harvested data from corporate systems like Workday, NetSuite, and SAP SuccessFactors. Installation counts climbed past 2,300 across five distinct apps before takedown. Behind the scenes, threat actors leveraged legitimate-looking interfaces to gain access where it mattered most. 

One investigation found that certain browser add-ons aimed to breach corporate systems, either by capturing login details or disrupting protective measures. Though appearing under distinct titles and author profiles, these tools carried matching coding patterns, operational frameworks, and selection methods - pointing to coordination behind their release. A person using the handle databycloud1104 was linked to four of them; another version emerged through a separate label called Software Access. 

Appearing alongside standard business applications, these extensions asked for permissions typical of corporate tools. One moment they promised better control over company accounts, the next they emphasized locking down admin functions. Positioned as productivity aids, several highlighted dashboard interfaces meant to streamline operations across teams. Instead of standing out, their behavior mirrored genuine enterprise solutions. Claiming to boost efficiency or tighten security, each framed its purpose around workplace demands. Not every feature list matched actual functionality, yet on the surface everything seemed aligned with professional needs. 

Yet the investigation revealed every extension hid its actual operations. Although privacy notices were present, they omitted details about gathering user data, retrieving login information, or tracking admin actions. Without visibility, these tools carried out harmful behaviors - such as stealing authentication cookies, altering webpage elements, or taking over active sessions - all while appearing legitimate. What seemed harmless operated differently beneath the surface. 

Repeated extraction of authentication cookies called "__session" occurred across multiple extensions. Despite user logout actions, those credentials kept reaching external servers controlled by attackers. Access to corporate systems remained uninterrupted due to timed transmissions. Traditional sign-in protections failed because live session data was continuously harvested elsewhere. 

Notably, two add-ons - Tool Access 11 and Data By Cloud 2 - took more aggressive steps. Instead of merely monitoring, they interfered directly with key security areas in Workday. Through recognition of page titles, these tools erased information or rerouted admins before reaching control panels. Pages related to login rules appeared blank or led elsewhere. Controls involving active sessions faced similar disruptions. Even IP-based safeguards vanished unexpectedly. Managing passwords became problematic under their influence. Deactivating compromised accounts grew harder. Audit trails for suspicious activity disappeared without notice. As a result, teams lost vital ground when trying to spot intrusions or contain damage. 

What stood out was the Software Access extension’s ability to handle cookies in both directions. Not only did it take cookies from users, but also inserted ones provided by attackers straight into browsers. Because of this, unauthorized individuals gained access to active sessions - no login details or extra verification steps required. The outcome? Full control over corporate accounts within moments. 

Even with few users impacted, Socket highlighted how compromised business logins might enable wider intrusions - such as spreading ransomware or extracting major datasets. After the discovery, the company alerted Google; soon after, the malicious add-ons vanished from the Chrome Web Store. Those who downloaded them should inform internal security staff while resetting access codes across exposed systems to reduce exposure. Though limited in reach, the breach carries serious downstream implications if left unchecked.
Read more »
Ransomware group
Black Basta Conti Ransomware Cyber Extortion Cybercrime Investigation Data Breach Interpol Red Notice Oleg Nefedov ransomware attacks Ransomware group

Black Basta Under Pressure After Ukraine Germany Enforcement Operation


 

Investigators say the Black Basta ransomware campaign left a trail of disruption that extended across Europe and beyond, impacting everything from hospital wards to industrial production lines that were abruptly halted, resulting in a temporary ban of internet and phone use.

Prosecutors from the German Federal Ministry of Justice, along with international law enforcement partners, now believe that the trail of this extortion, the most damaging in recent years, can be traced back to one individual who they describe as the driving force behind one of these operations. 

There has been an investigation into whether Oleg Nefedov was the architect and operational leader of the Black Basta group. Authorities have identified him as a Russian national. 

Authorities accuse him of coordinating a massive ransomware campaign against companies and public institutions across multiple continents by forming and leading an overseas criminal organization.

There is a suspicion among investigators that Nefedov was responsible for leading the organization's core activities, including selecting targets, recruiting affiliates, orchestrating intrusions, and negotiating ransoms, while the proceeds of the transactions were laundered via cryptocurrency wallets and distributed among all participants in the scheme.

Black Basta was also analyzed from an online alias perspective and suspected ties to a now-defunct ransomware collective named Conti. This reinforces the assessment that Black Basta arose from an advanced and interconnected cybercrime ecosystem that has matured over many years. 

Officials from the Federal Republic of Germany have confirmed that Nefedov still resides in Russia and that he has been placed on Interpol's international wanted list, an indication that European authorities have intensified their efforts to identify and pursue the individuals behind cyber extortion committed in large scale industrial scales. 

The Federal Criminal Police Office of Germany has confirmed that Oleg Nefedov, a 36-year-old Russian national suspected of leading the Black Basta ransomware group, is one of the suspected leaders of the ransomware. He is charged with forming criminal organizations abroad, orchestrating large-scale extortion crimes, and committing related cyber crimes. 

A central coordinator was alleged by investigators to be Nefedov. During his time at the group, Nefedov selected targets, recruited and managed members, assigned operational roles, negotiated ransom demands, and distributed extorted proceeds, which were usually paid in cryptocurrency, according to the investigation. 

There were several aliases he operated under on the internet-including tramp, tr, gg, kurva, AA, Washingt0n, and S.Jimmi-and authorities say he may have maintained a connection to the now-defunct Conti ransomware group. 

According to German authorities, Nefedov is believed to be in Russia at the moment, though his exact location remains unclear. Interpol has also added him to a global wanted list. In recent months, the investigation has been further strengthened by numerous disclosures and enforcement actions that have heightened the investigation. 

A leaked internal chat log attributed to Black Basta, which gave rare insights into the group's organization, operations, and communications, as well as exposing identifying information about the individuals involved. This information provided an insight into the organization's inner workings and daily operations. 

According to cybersecurity researchers, many of the Black Basta members previously operated within criminal networks that were closely linked to the Conti and Ryuk ransomware strains, as well as the TrickBot banking trojan — operations that have led Western governments to identify and sanction more than a dozen individuals for their involvement in such attacks. 

According to researchers and investigators, Black Basta is the result of the collapse of Conti, a ransomware operation which fragmented into smaller, semi-autonomous cells after it shut down. In a recent study published by the International Security Agency, Black Basta has been widely interpreted as a rebranding of the former Conti infrastructure, with many of those splinter groups either embedding themselves into existing ransomware schemes or controlling existing operations. 

It has been demonstrated that this view has been reinforced by a review of leaked internal communications by Trellix researchers. According to those who reviewed the Black Basta chat logs, GG and Chuck were exchanging emails about a purported $10 million reward for information about an individual, referred to as “tr” or “-amp,” an individual which researchers believe corresponds to a bounty offered by the U.S. Government for information that will lead to the identification of key Conti figures, including Tramp, the hacker. 

Additionally, Trellix researchers found that within the leaked conversations, GG was identified as Tramp, who had been regarded as Conti's leader for some time, by a participant called "bio," sometimes known as "pumba," a figure who was previously connected to the Conti organization. 

These findings echo those released earlier in February 2022, when a researcher revealed Conti's internal chats in the aftermath of the Russian invasion of Ukraine, revealing internal dynamics and explicitly referring to Tramp as leader of the group. 

It is well-known that such leaks have long been a source of attribution efforts within the cybersecurity industry, but German authorities say that their current case rests on evidence gathered through intelligence and investigation on the German side. 

Oleg Nefedov has been identified formally as the head of the Black Basta ransomware group by Europol, and the Interpol red notice database has been updated with his name. This is a crucial step in the international effort to enquire about the group's activities, marking a decisive step in the effort to enshrine accountability for the group. 

The data breach is the result of an attack on more than 500 organizations across North America, Europe, and Australia by means of Black Basta's ransomware-as-a-service model, which was active since April 2022 and caused hundreds of millions of dollars in damage in the process.

Two suspects in western Ukraine, which were allegedly acting as hash crackers in order to help facilitate network intrusions, data theft, and ransomware deployment, were also announced by German authorities. The police seized digital devices and cryptocurrency during raids that are related to the incident, and are currently conducting forensic analysis of the evidence. 

Official figures underscore the scale of the damage attributed to the group. An official press release from the German authorities stated that documented Black Basta attacks have caused prolonged operational disruptions at over 100 companies in Germany, as well as over 700 organizations worldwide, including hospitals, public institutions, and government agencies. 

In Germany, it is estimated that losses will exceed 20 million euros in the next few years. Research conducted in December 2023 by blockchain analytics firm Elliptic and Corvus Insurance found that over the course of the past four years, the group accumulates at least $107 million in Bitcoin ransom payments, which has been determined to be paid by over 329 victims in 31 countries across the world. 

A detailed analysis of blockchain transactions also revealed a clear financial and operational link between Black Basta and Conti, which supported the conclusions of law enforcement that this syndicate grew out of a well-established, interconnected cybercrime ecosystem that was well-established and interconnected. 

In light of the scope and selectivity of Black Basta's operations, it is evident why it has been a top priority for law enforcement and security researchers to investigate. A number of victims have been confirmed, including Rheinmetall, Hyundai, BT Group, Ascension, ABB, the American Dental Association, U.K.-based outsourcing company Capita, the Toronto Public Library, the Yellow Pages Canada, and others. 

These victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group, as well as the United States healthcare provider Ascension. According to the researchers, the group did not operate in an indiscriminate manner, but applied a targeted strategy based on geography, industry, and organizational revenue, while also closely tracking geopolitical developments in order to reduce the likelihood of retaliation from law enforcement agencies. 

A ransomware operation known as Black Basta, which is characterized by a focus on large, high-revenue organizations with the ability to pay large ransoms, was known to be targeting large, high-revenue organizations. Based on internal communications, it appears that entities in both the United States and Germany were the most likely to pay a ransom. 

There are 57 percent of victims in the United States who had reported a leak between April 2022 and January 2025, with Germany accounting for 12 percent, while additional victims were observed throughout Europe, Asia Pacific and the Americas as well. 

Accordingly, that assessment is reflected in activity observed on the group's leak site. Several leaks of internal chats in the group have introduced rare insights into the group's internal structure, its financial management, and its extortion practices, which have strengthened efforts to identify key actors and disrupt their operations by exposing real-world names and financial transactions. 

Despite the fact that Black Basta’s data leak site is currently offline, analysts warn that the group still has the resources and incentives to re-emerge, either by adopting a new name or partnering with other ransomware crews, illustrating how authorities continue to face challenges in dismantling entrenched cybercrime networks rather than simply disrupting them, even when the site is offline. 

Together, these findings present a detailed portrayal of a ransomware operation that developed out of a fractured but resilient cybercrime ecosystem into a global enterprise that has far-reaching consequences. Having identified an alleged leader along with financial tracing, leaking internal communications, and coordinated international enforcement, German authorities state that the investigation has matured—with an emphasis not only on disruption, but also on attribution and accountability for ransomware. 

It should be noted that while law enforcement actions have slowed Black Basta's visible activities, experts and officials agree that dismantling such networks will take years, especially when key figures are believed to be operating in jurisdictions that are beyond the reach of law enforcement officials. 

In addition to demonstrating the extent of the harm caused by ransomware campaigns, the case also highlights the growing determination of governments to pursue those responsible, even through the broader cybercrime landscape continues to evolve, fragment, and resurface.
Read more »
Subscribe to: Comments (Atom)