Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Ransomwares
Cyber Attacks cybercrime group cybercriminals data security Data Theft DOGE Dogecoin Elon Musk Ransom Demand Ransomware attack Ransomwares

Cybercriminals Behind DOGE Big Balls Ransomware Demand $1 Trillion, Troll Elon Musk

 

A cybercrime group notorious for its outrageous tactics has resurfaced with a ransomware attack demanding an unbelievable $1 trillion from its victims. The group, responsible for the DOGE Big Balls ransomware campaign, has updated its ransom demands with bizarre references to Elon Musk and the Dogecoin meme culture, blending humor with a highly dangerous threat.  

According to a report by Trend Micro researchers Nathaniel Morales and Sarah Pearl Camiling, the attackers are leveraging a modified form of the FOG ransomware to carry out these intrusions. The malware exploits a long-known Windows vulnerability (CVE-2015-2291) through a multi-step PowerShell script that allows deep access into infected systems. Delivered via deceptive shortcut files inside ZIP folders, the malware initiates a chain reaction to execute its payload. Though the ransom note may appear comical—mocking Musk’s past corporate directives and making false claims about stealing “trilatitude and trilongitude” coordinates—the security community warns against taking this threat lightly. 

The ransomware performs environment checks to avoid detection, analyzing machine specs, RAM, and registry entries to detect if it’s being run in a sandbox. If any signs of monitoring are detected, the malware will exit silently. The FBI, in its April 2025 Internet Crime Report, highlighted ransomware—particularly FOG variants—as a dominant threat, impacting critical infrastructure and organizations across the U.S. The report revealed over 100 known FOG ransomware infections between January and March 2025, making it the most reported strain of the year thus far. Beyond encryption, the malware also exfiltrates sensitive data and pressures victims to communicate via the Tor network for instructions. 

The attackers claim stolen files and urge victims not to involve law enforcement, adding a “don’t snitch now” line in their taunting ransom message. Despite its absurd tone, security leaders emphasize the seriousness of the attack. Dr. Ilia Kolochenko, CEO of ImmuniWeb, cautions that many victims discreetly pay ransoms to groups known for not leaking data—urging companies to seek legal and cybersecurity advice before making decisions. 

Although the group hides behind memes and internet jokes, their ability to cause significant operational and financial disruption is very real. Their humor might distract, but the threat demands urgent attention.
Read more »
US President
Chat Leak Cyber Security Signal Signalgate US President

Trump Claims Administration Learnt to Avoid Signal After Group Chat Leak

 

President Donald Trump stated that his administration has learnt from Signalgate. "I think we learnt: Maybe don't use Signal, okay?" Trump spoke about the messaging app in an interview with The Atlantic published Monday.

"If you want to know the truth. I would frankly tell these people not to use Signal, although it's been used by a lot of people," US president added. "But, whatever it is, whoever has it, whoever owns it, I wouldn't want to use it.”

Last month, The Atlantic's editor in chief, Jeffrey Goldberg, revealed that he had been inadvertently included in a Signal group discussion by White House national security adviser Mike Waltz. Goldberg stated that the group chat was called "Houthi PC small group" and included other officials such as Defence Secretary Pete Hegseth, Director of National Intelligence Tulsi Gabbard, and Secretary of State Marco Rubio. "PC" stood for "principals committee." 

"In the chat, Waltz and the other Trump officials were talking about specifics of a planned U.S. strike on Houthi rebels," Goldberg claimed. The authenticity of the group discussion was later verified by the National Security Council to Business Insider. At first, Trump denied knowing about the security failure. After the incident, he defended Waltz and Hegseth, stating that he would not fire them. 

Signal, which was first launched in 2014, is a non-profit, open-source encrypted messaging application. Last month, Signal stated in an X post that misinformation was "flying around that might drive people away from Signal and private communications.”

"One piece of misinformation we need to address is the claim that there are 'vulnerabilities' in Signal," it stated on March 25, citing an NPR report that quoted a Pentagon memo it received, alerting staff of a possible vulnerability in the messaging app. 

“The memo used the term 'vulnerability' in relation to Signal — but it had nothing to do with Signal's core tech. It was warning against phishing scams targeting Signal users,” Signal wrote in its post.
Read more »
zero Day vulnerability
Cyber intrusion Cyber Security CyberThreat DDoS FortiGate IoT IP Address Networkk Infrastructure ransomware-as-a-service (RaaS) VPN Vulnerabilities Firewalls zero Day vulnerability

Firewalls and VPNs Under Siege as Businesses Report Growing Cyber Intrusions

 


A security researcher has discovered an ongoing cyberattack that is active, exploiting a newly discovered vulnerability in Fortinet's FortiGate Firewalls to infiltrate corporate and enterprise networks and has been conducting this activity for some time. A security advisory published on Tuesday by Fortinet confirmed the existence of the critical security flaw known as CVE-2024-55591 and indicated that the vulnerability is currently being exploited in the wild. 

Nevertheless, cybersecurity experts are voicing their concerns over the possibility that malicious actors are exploiting this flaw as a zero-day vulnerability - a term that refers to a software vulnerability exploited before the vendor is made aware of or has issued a patch for it. According to a report by Fortinet, attackers may have actively targeted this vulnerability since at least December, many months before it was publicly disclosed and patched. 

In particular, organisations that heavily rely on FortiGate Firewalls for perimeter defence face a significant threat when the vulnerability is exploited by exploiting CVE-2024-55591. As a result of the vulnerability's criticality, enterprises should apply security updates as soon as possible and examine their systems for any indications of unauthorized access as soon as possible. Even though zero-day exploits remain a threat, this development highlights the fact that cybercriminals are increasingly focusing on foundational network infrastructure to gain a foothold in high-value environments. 

The use of virtual private networks (VPNs) as a critical defence mechanism against a variety of cyber threats has long been regarded as a crucial aspect of protecting digital communications from a wide range of threats. VPNs are effective in neutralising the risks associated with man-in-the-middle attacks, which involve unauthorised parties trying to intercept or manipulate data while it is in transit by encrypting the data transmissions. Through this layer of encryption, sensitive data remains secure, even across unsecured networks. 

One of the most prominent use cases for VPNs is that they serve the purpose of protecting people using public Wi-Fi networks, which are often vulnerable to unauthorised access. It has been shown that VPNs are significantly less likely to expose or compromise data in such situations because they route traffic through secure tunnels. Additionally, VPNs hide the IP addresses of users, thereby providing greater anonymity to users and reducing the possibility of malicious actors tracking or monitoring them. 

As a result of this concealment, network resources are also protected against distributed denial-of-service (DDoS) attacks, which often use IP addresses as a method of overloading network resources. Even though VPNs have been around for decades, their use today does not suffice as a standalone solution due to the increasingly complex threat landscape that exists in today's society. To ensure comprehensive protection against increasingly sophisticated attack vectors, it is important to integrate their capabilities with more advanced, adaptive cybersecurity measures. 

It seems that conventional security frameworks, such as Firewalls and VPN,s are becoming increasingly outpaced as the cybersecurity landscape continues to evolve due to the sophistication and frequency of modern threats, which have increased significantly over the past few years. Businesses across many industries are experiencing an increasing number of breaches and vulnerabilities, and traditional methods of addressing these vulnerabilities are no longer capable of doing so. 

Due to the widespread transition from on-premises infrastructure to remote and digitally distributed work environments, legacy security architectures have become increasingly vulnerable, forcing enterprises to reassess and update their defence strategies. Firewalls and VPNs were once considered to be the cornerstones of enterprise network security; however, in today's increasingly complex threat environment, they are having trouble meeting the demands. 

In the past, these technologies have played an important role in securing organisational boundaries, but today, the limitations of those technologies are becoming increasingly apparent as organisations transition to a cloud-based environment and undergo rapid digital transformation. In the year 2025, technological advances are expected to change the way industry operations are conducted—for instance, the adoption of generative artificial intelligence, automation, and the proliferation of Iot and OT systems. 

Despite these innovations, there are also unprecedented risks associated with them. For example, malicious actors use artificial intelligence to automate spear-phishing efforts, craft highly evasive malware, and exploit vulnerabilities more quickly and accurately than they could previously. In addition, as Ransomware-as-a-Service (Raas) is on the rise, the barrier to entry for hackers is dropping, enabling a broader set of threat actors to conduct sophisticated, scalable attacks on businesses. To respond effectively to the complexities of a digitally driven world, organisations must adopt proactive, adaptive cybersecurity models that are capable of responding to the challenges of this dynamic threat environment and moving beyond legacy security tools.

There has been a significant shift in cybersecurity dynamics that has led to a worrying trend: malicious actors are increasingly exploiting Virtual Private Networks (VPNs) as a strategy to gain an advantage over their adversaries. Since VPNs were originally developed as a way to enhance privacy and protect data, they are increasingly being repurposed by cybercriminals to facilitate complex attacks while masking their identity digitally. Because VPNs are dual-purpose devices, they have become instruments of exploitation, which poses a significant challenge for cybersecurity professionals as well as digital forensics teams to deal with. 

There is one particularly alarming technique for using VPN software to exploit vulnerabilities, which involves deliberately exploiting these vulnerabilities to bypass perimeter defences, infiltrate secure systems, and deploy malware without being it. When attackers identify and target these vulnerabilities, they can easily bypass perimeter defences, infiltrate secure systems, and deploy malware without being detected. 

Frequently, such breaches act as entry points into larger campaigns, such as coordinated phishing campaigns that attempt to trick individuals into revealing confidential information. Further, VPNs are known for the ability to mask the actual IP addresses of threat actors, a technique known as IP address masquerading, which enables them to evade geographical restrictions, mislead investigators, and remain anonymous when they launch cyberattacks.

In addition to enabling adversaries to circumvent Firewalls, VPNs also offer the option of encrypting and tunnelling, thus enabling them to penetrate networks that would otherwise be resistant to unauthorised access with greater ease. As a matter of fact, VPNs are often used as a means of spreading malicious software across unreliable networks. By using an encrypted VPN traffic, malware can be able to bypass traditional detection methods, thereby circumventing traditional detection methods. The shield of anonymity provided by VPNs can also be used by threat actors to impersonate legitimate organisations and initiate phishing campaigns, compromising the privacy and integrity of users. 

VPNs can also facilitate the spreading of Distributed Denial-of-Service (DDoS) attacks, which is equally troubling. As these networks are anonymised, it makes it difficult to trace the origin of such attacks, which hinders the development of appropriate response strategies and mitigation strategies. This paradox underscores the complexity of modern cybersecurity, since one security tool can serve both as a tool for cybercrime and a tool for security. 

Even though VPNs remain an important tool to keep users safe and anonymous, their misuse requires a proactive and multifaceted response. To combat this misuse, people need robust technological defences combined with ongoing awareness and education initiatives, which will help us address this misuse effectively. Only through such comprehensive measures can organisations ensure the integrity of VPN technology and ensure trust in the digital privacy infrastructure as long as the technology remains intact. 

Check Point has issued a formal warning regarding the active targeting of its VPN devices as part of an ongoing increase in cyber threats against enterprise infrastructure. As a result of this disclosure, people have been reminded again that there is a sustained campaign aimed at compromising remote access technologies and critical network defences. It is the second time in recent months that a major cybersecurity vendor has released such an alert in the past couple of months. 

According to Cisco, in April 2024, organisations are being warned about a widespread wave of brute-force attacks against VPNs and Secure Shell (SSH) services that are likely to impact several devices from Cisco, Check Point, SonicWall, Fortinet, and Ubiquiti, among others. In the first observed attack around March 18, attackers used anonymised tools, such as TOR exit nodes, proxy networks, and other techniques to obfuscate and avoid detection and block lists, to launch the attacks. 

In March of this year, Cisco had also noticed that passwords were being sprayed at their Secure Firewall appliances that were running Remote Access VPN (RAVPN) services. According to analysts, this is a reconnaissance phase, likely intended to lay the groundwork for more advanced intrusions to follow. Following a subsequent analysis by cybersecurity researcher Aaron Martin, these incidents were linked to a malware botnet dubbed "Brutus", which was previously undocumented. 

Over 20,000 IP addresses were found to be associated with this botnet that was deployed from both residential and cloud-hosted environments, which greatly complicated the process of attribution and mitigation. The threat landscape has only been compounded by Cisco's announcement that a state-sponsored hacker group, also known as UAT4356, has been utilising zero-day vulnerabilities found within its Firepower Threat Defence (FTD) and Adaptive Security Appliances to exploit zero-day vulnerabilities. 

Known by the codename ArcaneDoor, the cyber-espionage campaign has been ongoing since November 2023, targeting critical infrastructure networks as well as governments around the world as part of a broader cyber-espionage campaign. As the frequency and complexity of cyber attacks continue to increase, it is apparent that legacy perimeter defences are no longer adequate in terms of security. 

A layered, intelligence-driven approach to security includes detecting threats in real time, hardening systems continuously, and responding to incidents in a proactive manner. As well as strengthening cybersecurity resilience, fostering collaboration between public and private sectors, sharing threat intelligence, and providing ongoing training to employees can make sure that they remain ahead of their adversaries. There is no doubt that the future of secure enterprise operations is going to be determined by the ability to anticipate, adapt, and remain vigilant in this rapidly evolving digital age.
Read more »
Hacking
Crypto Cyber Attacks Cybersecurity Hacking

‘Elusive Comet’ Hackers Exploit Zoom to Target Crypto Users in Sophisticated Scam

 

A newly identified hacking group known as Elusive Comet is targeting cryptocurrency users through a deceptive campaign that leverages Zoom’s remote control feature to gain unauthorized access to victims' systems.

The remote control tool, built into Zoom, enables meeting participants to take control of another person's computer — a capability now being manipulated by cybercriminals to bypass technical defenses through social engineering rather than traditional code exploitation.

According to a report from cybersecurity firm Trail of Bits, the group’s tactics closely resemble those used in the $1.5 billion Bybit crypto heist believed to be linked to the Lazarus group.

"The ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities," explains the Trail of Bits report.

Trail of Bits uncovered the campaign when attackers attempted to target their CEO via a direct message on X (formerly Twitter), posing as representatives of Bloomberg Crypto.

The ruse begins with a fraudulent invitation to a "Bloomberg Crypto" interview, sent to high-profile individuals either through email (bloombergconferences[@]gmail.com) or social media. The attackers use sock-puppet accounts, mimicking journalists or crypto media outlets, and send Calendly links to schedule the meeting.

Because both Calendly and Zoom links are genuine, the setup appears trustworthy to the victims. During the meeting, the attackers launch a screen-sharing session and issue a remote control request — with a crucial twist: their Zoom display name is changed to “Zoom.”

This results in a misleading prompt that reads:
"Zoom is requesting remote control of your screen,"
— tricking the target into thinking the request is from the app itself.

Granting access allows the attacker full remote control, enabling data theft, malware installation, unauthorized file access, or even the initiation of crypto transactions. In some cases, attackers establish persistence through hidden backdoors, remaining unnoticed even after disconnecting.

"What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," says Trail of Bits.
"Users habituated to clicking 'Approve' on Zoom prompts may grant complete control of their computer without realizing the implications."

To guard against such threats, Trail of Bits recommends the use of Privacy Preferences Policy Control (PPPC) profiles to restrict system accessibility permissions. For highly sensitive environments — particularly those handling digital assets or crypto transactions — the firm advises removing the Zoom desktop client entirely.

"For organizations handling particularly sensitive data or cryptocurrency transactions, the risk reduction from eliminating the Zoom client entirely often outweighs the minor inconvenience of using browser-based alternatives," explains Trail of Bits.
Read more »
storage
Avast Email Scams Gmail malware Spam storage

Don’t Delete Spam Emails Too Quickly — Here’s Why


 

Most of us delete spam emails as soon as they land in our inbox. They’re irritating, unwanted, and often contain suspicious content. But what many people don’t know is that keeping them, at least briefly can actually help improve your email security in the long run.


How Spam Helps Train Your Email Filter

Email services like Gmail, Outlook, and others have systems that learn to detect unwanted emails over time. But for these systems to improve, they need to be shown which emails are spam. That’s why it’s better to mark suspicious messages as spam instead of just deleting them.

If you’re using a desktop email app like Outlook or Thunderbird, flagging such emails as “junk” helps the program recognize future threats better. If you're reading emails through a browser, you can select the unwanted message and use the “Spam” or “Move to Junk” option to send it to the right folder.

Doing this regularly not only protects your own inbox but can also help your co-workers if you’re using a shared office mail system. The more spam messages you report, the faster the system learns to block similar ones.


No Need to Worry About Storage

Spam folders usually empty themselves after 30 days. So you don’t have to worry about them piling up unless you want to manually clear them every month.


Never Click 'Unsubscribe' on Random Emails

Some emails, especially promotional ones, come with an unsubscribe button. While this can work with genuine newsletters, using it on spam emails is risky. Clicking “unsubscribe” tells scammers that your email address is real and active. This can lead to more dangerous emails or even malware attacks.


How to Stay Safe from Email Scams

1. Be alert. If something feels off, don’t open it.

2. Avoid acting quickly. Scammers often try to pressure you.

3. Don’t click on unknown links. Instead, visit websites directly.

4. Never open files from unknown sources. They can hide harmful programs.

5. Use security tools. Good antivirus software can detect harmful links and block spam automatically.


Helpful Software You Can Use

Programs like Bitdefender offer full protection from online threats. They can block viruses, dangerous attachments, and suspicious websites. Bitdefender also includes a chatbot where you can send messages to check if they’re scams. Another option is Avast One, which keeps your devices safe from fake websites and spam, even on your phone. Both are easy to use and budget-friendly.

While it may seem odd, keeping spam emails for a short time and using them to train your inbox filter can actually make your online experience safer. Just remember — never click links or download files from unknown senders. Taking small steps can protect you from big problems.

Read more »
Sandboxing
Cookies data security Google Google Chrome Google Chrome browser Google Chrome security Privacy Privacy Sandbox Sandboxing

Google Ends Privacy Sandbox, Keeps Third-Party Cookies in Chrome

 

Google has officially halted its years-long effort to eliminate third-party cookies from Chrome, marking the end of its once-ambitious Privacy Sandbox project. In a recent announcement, Anthony Chavez, VP of Privacy Sandbox, confirmed that the browser will continue offering users the choice to allow or block third-party cookies—abandoning its previous commitment to remove them entirely. 

Launched in 2020, Privacy Sandbox aimed to overhaul the way user data is collected and used for digital advertising. Instead of tracking individuals through cookies, Google proposed tools like the Topics API, which categorized users based on web behavior while promising stronger privacy protections. Despite this, critics claimed the project would ultimately serve Google’s interests more than users’ privacy or industry fairness. Privacy groups like the Electronic Frontier Foundation (EFF) warned users that the Sandbox still enabled behavioral tracking, and urged them to opt out. Meanwhile, regulators on both sides of the Atlantic scrutinized the initiative. 

In the UK, the Competition and Markets Authority (CMA) investigated the plan over concerns it would restrict competition by limiting how advertisers access user data. In the US, a federal judge recently ruled that Google engaged in deliberate anticompetitive conduct in the ad tech space—adding further pressure on the company. Originally intended to bring Chrome in line with browsers like Safari and Firefox, which block third-party cookies by default, the Sandbox effort repeatedly missed deadlines. In 2023, Google shifted its approach, saying users would be given the option to opt in rather than being automatically transitioned to the new system. Now, it appears the initiative has quietly folded. 

In his statement, Chavez acknowledged ongoing disagreements among advertisers, developers, regulators, and publishers about how to balance privacy with web functionality. As a result, Google will no longer introduce a standalone prompt to disable cookies and will instead continue with its current model of user control. The Movement for an Open Web (MOW), a vocal opponent of the Privacy Sandbox, described Google’s reversal as a victory. “This marks the end of their attempt to monopolize digital advertising by removing shared standards,” said MOW co-founder James Rosewell. “They’ve recognized the regulatory roadblocks are too great to continue.” 

With Privacy Sandbox effectively shelved, Chrome users will retain the ability to manage cookie preferences—but the web tracking status quo remains firmly in place.
Read more »
User Privacy
Biosecurity Cyber Security DNA Sequencing Health Security User Privacy

Scientists Warn of Cybersecurity Threats in Next-Gen DNA Sequencing

 

Next-generation DNA sequencing (NGS) is under increasing criticism for its cyber risks. While NGS has transformed disciplines ranging from cancer diagnosis to infectious disease tracking, a recent study warns that the platforms that enable these advancements could also be used as a gateway by hackers and bad actors.

The study, published in IEEE Access and headed by Dr. Nasreen Anjum of the University of Portsmouth's School of Computing, is the first to systematically map cyber-biosecurity vulnerabilities throughout the NGS workflow. 

NGS technology, which enables rapid and cost-effective DNA and RNA sequencing, supports not only cancer research and medicine development, but also agricultural innovation and forensic science. Its ability to process millions to billions of DNA fragments at once has significantly reduced the cost and enhanced the speed of genome analysis, making it a standard in labs around the world. 

However, the study focuses on a less-discussed aspect of this technological advancement: the increasing number of vulnerabilities at each stage of the NGS pipeline. From sample preparation to sequencing and data processing, each stage requires specialised instruments, complicated software, and networked systems. 

According to Dr. Anjum, these interrelated processes generate several points where security might be compromised. As large genetic databases are being stored and shared online, cybercriminals are more likely to access and misuse this sensitive information. The report cautions that such breaches might lead to not only privacy violations or identity tracing, but potentially more serious possibilities like data manipulation or the fabrication of synthetic DNA-encoded malware. 

Experts from Anglia Ruskin University, the University of Gloucestershire, Najran University, and Shaheed Benazir Bhutto Women's University contributed to the research. The researchers discovered multiple emerging threats including AI-powered genomic data manipulation and improved re-identification techniques that could jeopardise individual privacy. These concerns, they suggest, transcend beyond the person and endanger scientific integrity and possibly national security. 

Despite these risks, Dr Anjum observes that cyber-biosecurity remains a neglected field, with fragmented safeguards and little collaboration between computer science, bioinformatics, biotechnology, and security. To address these challenges, the research suggests a number of feasible options, including secure sequencing procedures, secured data storage, and AI-powered anomaly detection systems. The authors recommend governments, regulatory agencies, and academic institutions to prioritise research, education, and policy development in order to close biosecurity gaps.
Read more »
Twitter
Cyberattacks Cybersecurity CyberThreat DarkStorm DDoS Elon Musk malware Meta Twitter

Investigating the Role of DarkStorm Team in the Recent X Outage

 


It has been reported that Elon Musk’s social media platform, X, formerly known as Twitter, was severely disrupted on Monday after a widespread cyberattack that has caused multiple service disruptions. Data from outage monitoring service Downdetector indicates that at least three significant disruptions were experienced by the platform throughout the day, affecting millions of users around the world. During this time, over 41,000 people around the world, including Europe, North America, the Middle East, and Asia, reported outages. 
 
The most common technical difficulties encountered by users were prolonged connection failures and a lack of ability to fully load the platform. According to a preliminary assessment, it is possible that the disruptions were caused by a coordinated and large-scale cyber attack. While cybersecurity experts are still investigating the extent and origin of the incident, they have pointed to the growing trend of organised cyber-attacks targeting high-profile digital infrastructures, which is of concern. A number of concerns have been raised regarding the security framework of X following the incident, especially since the platform plays a prominent role in global communications and information dissemination. Authorities and independent cybersecurity analysts continue to analyze data logs and attack signatures to identify the perpetrators and to gain a deeper understanding of the attack methodology. An Israeli hacktivist collective known as the Dark Storm Team, a collective of pro-Palestinian hacktivists, has emerged as an important player in the cyberwarfare landscape. Since February 2010, the group has been orchestrating targeted cyberattacks against Israeli entities that are perceived as supportive of Israel. 
 
In addition to being motivated by a combination of political ideology and financial gain, this group is also well known for using aggressive tactics in the form of Distributed Denial-of-Service (DDoS) attacks, database intrusions, and other disruptive cyber attacks on government agencies, public infrastructure, and organizations perceived to be aligned with Israeli interests that have gained widespread attention. 
 
It has been reported that this group is more than just an ideological movement. It is also a cybercrime organization that advertises itself openly through encrypted messaging platforms like Telegram, offering its services to a variety of clients. It is rumored that it sells coordinated DDoS attacks, data breaches, and hacking tools to a wide range of clients as part of its offerings. It is apparent that their operations are sophisticated and resourceful, as they are targeting both vulnerable and well-protected targets. A recent activity on the part of the group suggests that it has escalated both in scale and ambition in the past few months. In February 2024, the Dark Storm Team warned that a cyberattack was imminent, and threatened NATO member states, Israel, as well as countries providing support for Israel. This warning was followed by documented incidents that disrupted critical government and digital infrastructure, which reinforced the capability of the group to address its threats. 
 
According to intelligence reports, Dark Storm has also built ties with pro-Russian cyber collectives, which broadens the scope of its operations and provides it with access to advanced hacking tools. In addition to enhancing their technical reach, this collaboration also signals an alignment of geopolitical interests. 

Among the most prominent incidents attributed to the group include the October 2024 DDoS attack against the John F Kennedy International Airport's online systems, which was a high-profile incident. As part of their wider agenda, the group justified the attack based on the airport's perceived support for Israeli policies, showing that they were willing to target essential infrastructure as part of their agenda. Dark Storm, according to analysts, combines ideological motivations with profit-driven cybercrime, making it an extremely potent threat in today's cyber environment, as well as being a unique threat to the world's cybersecurity environment. 
 
An investigation is currently underway to determine whether or not the group may have been involved in any of the recent service disruptions of platform X which occured. In order to achieve its objectives, the DarkStorm Team utilizes a range of sophisticated cyber tactics that combine ideological activism with financial motives in cybercrime. They use many of their main methods, including Distributed Denial-of-Service (DDoS) platforms, ransomware campaigns, and leaking sensitive information for a variety of reasons. In addition to disrupting the operations of their targeted targets, these activities are also designed to advance specific political narratives and generate illicit revenue in exchange for the disruption of their operations. In order to coordinate internally, recruit new members, and inform the group of operating updates, the group heavily relies on encrypted communication channels, particularly Telegram. Having these secure platforms allows them to operate with a degree of anonymity, which complicates the efforts of law enforcement and cybersecurity firms to track and dismantle their networks. 

Along with the direct cyberattacks that DarkStorm launches, the company is actively involved in the monetization of stolen data through the sale of compromised databases, personal information, and hacking tools on the darknet, where it is commonly sold. Even though DarkStorm claims to be an organization that consists of grassroots hackers, cybersecurity analysts are increasingly suspecting the group may have covert support from nation-state actors, particularly Russia, despite its public position as a grassroots hacktivist organization. Many factors are driving this suspicion, including the complexity and scale of their operations, the strategic choice of their targets, and the degree of technical sophistication evident in their attacks, among others. A number of patterns of activity suggest the groups are coordinated and well resourced, which suggests that they may be playing a role as proxy groups in broader geopolitical conflicts, which raises concerns about their possible use as proxies. 
 
It is evident from the rising threat posed by groups like DarkStorm that the cyber warfare landscape is evolving, and that ideological, financial, and geopolitical motivations are increasingly intertwined. Thus, it has become significantly more challenging for targeted organisations and governments to attribute attacks and defend themselves, as Elon Musk has become increasingly involved in geopolitical affairs, adding an even greater degree of complexity to the recent disruption of platform X cyberattack narrative. When Russian troops invaded Ukraine in February 2022, Musk has been criticized for publicly mocking Ukrainian President Volodymyr Zelensky, and for making remarks considered dismissive of Ukraine's plight. Musk was the first to do this in the current political environment. The President of the Department of Government Efficiency (DOGE), created under the Trump administration, is the head of the DOGE, an entity created under Trump’s administration that has been reducing U.S. federal employment in an unprecedented way since Trump returned to office. There is a marked change in the administration's foreign policy stance, signaling a shift away from longstanding US support for Ukraine, and means that the administration is increasingly conciliatory with Russia. Musk has a geopolitical entanglement that extends beyond his role at X as well. 
 
A significant portion of Ukraine's digital communication has been maintained during the recent wartime thanks to the Starlink satellite internet network, which he operates through his aerospace company SpaceX. It has been brought to the attention of the public that these intersecting spheres of influence – spanning national security, communication infrastructure, and social media – have received heightened scrutiny, particularly as X continues to be a central node in global politics. According to cybersecurity firms delving into the technical aspects of the Distributed Denial-of-Service (DDoS) attack, little evidence suggests that Ukrainian involvement may have been involved in the attack. 
 
It is believed that a senior analyst at a leading cybersecurity firm spoke on the condition of anonymity because he was not allowed to comment on X publicly because of restrictions on discussing X publicly. This analyst reported that no significant traffic was originating from Ukraine and that it was absent from the top 20 sources of malicious IPs linked to the attack. Despite the fact that Ukrainian IP addresses are rarely spotted in such data due to the widespread practice of IP spoofing and the widespread distribution of compromised devices throughout the world, the absence of Ukrainian IP addresses is significant since it allows attention to be directed to more likely sources, such as organized cybercrime groups and state-related organizations. 
 
There is no denying the fact that this incident reflects the fragile state of digital infrastructure in a politically polarized world where geopolitical tensions, corporate influence, and cyberwarfare are convergent, and as investigations continue, experts are concerned that actors such as DarkStorm Team's role and broader implications for global cybersecurity policy will continue to be a source of controversy.
Read more »
SuperCardX
Android Hacking malware NFC phishing Skimming SuperCardX

SuperCard X Malware Turns Android Phones into NFC Relay Hubs for Real-Time Payment Fraud

 

Hackers are exploiting a Chinese-language malware-as-a-service (MaaS) platform known as SuperCard X to conduct near-field communication (NFC) relay attacks, enabling the theft of payment card data and real-time fraudulent transactions at point-of-sale (PoS) systems and ATMs. According to mobile security firm Cleafy, SuperCard X diverges from traditional banking malware by weaponizing the contactless features of modern payment cards, transforming infected Android devices into relay tools for instant cash-outs.

“Effectively turning any infected Android handset into an NFC relay station,” said mobile security firm Cleafy.

Cybercriminals can access preconfigured Reader and Tapper apps—used to capture and relay NFC card data—via Telegram channels, offering low-barrier entry into NFC fraud without the need to build custom tools.

The attack typically begins with spoofed messages sent via SMS or WhatsApp, impersonating a bank and warning of suspicious activity. Victims are urged to call a provided number, where scammers—posing as bank representatives—manipulate them into disabling card security settings through social engineering. Eventually, victims are sent a link to download the SuperCard X Reader, disguised as a legitimate security utility.

Once installed, the Reader app requests minimal NFC and system permissions, allowing it to evade standard antivirus detection. Cleafy’s research identified that SuperCard X reuses code from NFCGate and NGate, open-source frameworks that facilitate NFC relay functionalities.

Victims are tricked into tapping their payment cards against the infected Android device. This initiates silent harvesting of sensitive NFC data—such as Answer To Reset (ATR) messages—which are then transmitted via a secure HTTP-based command-and-control (C2) infrastructure, protected through mutual TLS encryption.

On the attacker’s side, the Tapper app—running on a separate Android phone—emulates the victim’s card using Host-based Card Emulation (HCE) mode. This allows the attacker to make contactless transactions at PoS terminals and ATMs, treating the emulated card as legitimate, especially after the victim has removed spending limits.

“SuperCard X distinguishes itself from conventional Android banking Trojans by omitting complex features such as screen overlays, SMS interception or remote desktop controls. It instead focuses on an NFC relay and streamlined permission model, granting it a low fingerprinting profile and allowing it to remain undetected by the vast majority of antivirus engines and behavioral monitors.”

In certain campaigns targeting users in Italy, Cleafy observed customized app versions distributed by affiliates. These variants had stripped-down interfaces—removing sign-up screens and Telegram links—and replaced them with benign app icons and names. During calls, fraudsters provide victims with pre-set credentials, eliminating the need for registration and further reducing the chance of user suspicion.
Read more »
python
Blockchain cryptocurrency Cyber Attacks Cybersecurity GitHub Hacker JavaScript Linkedin malware python

North Korean Hacker Group Targets Cryptocurrency Developers via LinkedIn

 

A North Korean threat group known as Slow Pisces has launched a sophisticated cyberattack campaign, focusing on developers in the cryptocurrency industry through LinkedIn. Also referred to as TraderTraitor or Jade Sleet, the group impersonates recruiters offering legitimate job opportunities and coding challenges to deceive their targets. In reality, they deliver malicious Python and JavaScript code designed to compromise victims' systems.

This ongoing operation has led to massive cryptocurrency thefts. In 2023 alone, Slow Pisces was tied to cyber heists exceeding $1 billion. Notable incidents include a $1.5 billion breach at a Dubai exchange and a $308 million theft from a Japanese firm. The attackers typically initiate contact by sending PDFs containing job descriptions and later provide coding tasks hosted on GitHub. Although these repositories mimic authentic open-source projects, they are secretly altered to carry hidden malware.

As victims work on these assignments, they unknowingly execute malicious programs like RN Loader and RN Stealer on their devices. These infected projects resemble legitimate developer tools—for instance, Python repositories that claim to analyze stock market data but are actually designed to communicate with attacker-controlled servers.

The malware cleverly evades detection by using YAML deserialization techniques instead of commonly flagged functions like eval or exec. Once triggered, the loader fetches and runs additional malicious payloads directly in memory, making the infection harder to detect and eliminate.

One key malware component, RN Stealer, is built to extract sensitive information, including credentials, cloud configuration files, and SSH keys, especially from macOS systems. JavaScript-based versions of the malware behave similarly, leveraging the Embedded JavaScript templating engine to conceal harmful code. This code activates selectively based on IP addresses or browser signatures, targeting specific victims.

Forensic investigations revealed that the malware stores its code in hidden folders and uses HTTPS channels secured with custom tokens to communicate. However, experts were unable to fully recover the malicious JavaScript payload.

Both GitHub and LinkedIn have taken action against the threat.

"GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity," the companies said in a joint statement.

Given the increasing sophistication of these attacks, developers are urged to exercise caution when approached with remote job offers or coding tests. It is recommended to use robust antivirus solutions and execute unknown code within secure, sandboxed environments, particularly when working in the high-risk cryptocurrency sector.

Security experts advise using trusted integrated development environments (IDEs) equipped with built-in security features. Maintaining a vigilant and secure working setup can significantly lower the chances of falling victim to these state-sponsored cyberattacks.
Read more »
YouTube Account
Account Hack Cyber Fraud Malicious Campaign Online Creator Social Media YouTube Account

Millions at Risk as Malicious Actors Hijack Popular YouTube Accounts

 

At a startling rate, cybercriminals are taking over well-known YouTube channels, exposing viewers to malware, frauds, and data theft. With billions of views and millions of followers at risk, a single mistake can have disastrous results. 

According to new research from Bitdefender Labs, social media account takeovers increased in 2024 and persisted into early 2025. Content creators and influencers with large followings and views have become primary targets. 

Bitdefender discovered more than 9,000 fraudulent livestreams on YouTube in 2024. These are frequently presented on hacked channels that use trusted brands and public figures to propagate fraud and malware. 

One such hijacked account had 12.4 billion views; if even 1% of viewers were duped, 124 million users would be impacted. Attackers frequently imitate well-known brands such as Tesla, Ripple, and SpaceX, holding phoney livestreams with deepfakes of public people like Elon Musk and Donald Trump to push cryptocurrency frauds and phishing links. 

Beyond YouTube, Instagram has been a key target. Hackers send phishing emails impersonating Meta or Instagram Support, cloning login pages, and tricking creators into revealing SMS verification numbers. 

Malicious sponsorships are another form of infiltration. Cybercriminals trick creators into downloading malicious files disguised as promotional content. Malvertising, which includes adverts for bogus AI products or games like GTA VI that install info-stealers and remote access trojans on victims' gadgets, is also a prevalent strategy.

Events with enormous internet audiences, such as Apple keynotes, the XRP-SEC litigation, or CS2 tournaments, are regularly targeted. Attackers take advantage of these periods of high interest to run frauds disguised as official livestreams or contests.

Prevention tips 

To stay safe, creators should utilise the finest browsers with built-in security measures, enable multi-factor authentication (MFA), and regularly monitor account activity for any unusual changes. Unexpected sponsorship offers, particularly those related to trending issues, must also be carefully scrutinised.

It is recommended that you use the best DDoS protection to avoid service disruptions caused by account takeovers, and that you use a reputable proxy service to offer an extra layer of anonymity and security when managing accounts across many platforms.
Read more »
Mobile Cyber Attacks
Cyber Attacks Data Safety User Data data security Information Security Malware Attack Malwares Mobile Cyber Attacks

SK Telecom Malware Attack Exposes USIM Data in South Korea

 

SK Telecom, South Korea’s top mobile carrier, has disclosed a security incident involving a malware infection that exposed sensitive information tied to users’ Universal Subscriber Identity Modules (USIMs). The breach was detected on the night of April 19, 2025, during the weekend when many companies operate with reduced cybersecurity staffing. 

With nearly half of South Korea’s mobile market share and around 34 million subscribers, SK Telecom holds a crucial position in the country’s telecommunications sector. In an official statement, the company explained that malware had infiltrated parts of its network, prompting immediate action to contain the threat. 

The affected systems were isolated swiftly, and the malicious software was removed. So far, SK Telecom has stated there is no confirmed misuse of customer data linked to this breach. This was reported to the Korea Internet & Security Agency (KISA) on April 20, and to the Personal Information Protection Commission. 
Investigations are ongoing to determine how the attackers gained access and the extent of the data exposed. USIM cards store essential data such as International Mobile Subscriber Identity (IMSI) numbers, phone numbers (MSISDN), encryption keys for network authentication, and sometimes even stored contacts or text messages. Unauthorized access to this information could enable cybercriminals to conduct targeted surveillance, track users’ locations, or perform SIM-swapping attacks that could compromise online accounts and digital assets. 

In response, SK Telecom has strengthened security around USIM card management, increasing checks on SIM card replacement activities and monitoring authentication processes for suspicious behavior. Accounts showing irregular activities could face automatic suspension to prevent potential fraud. Additionally, the carrier is advising customers to activate their USIM protection service, a preventive measure that restricts unauthorized SIM swaps, adding extra protection to user accounts. 

A hacking group is yet to claim responsibility for the breach. SK Telecom emphasized that while the malware was neutralized quickly, they remain vigilant and are working closely with cybersecurity authorities to uncover more details about the intrusion and enhance future protections. 

This breach highlights ongoing risks faced by large mobile operators, especially during periods when cyber defenses might be less robust. It also underscores the critical need for mobile carriers to adopt continuous security monitoring and proactive measures to protect customer data from emerging threats. 

As investigations continue, SK Telecom has committed to updating customers and regulators about any new findings or developments related to the incident.
Read more »
Sensitive data
Chinese Hackers CISA Cyber Security Ghost MFA Sensitive data

Chinese Ghost Hackers Focus on Profits, Attack Key Sectors in the US and UK


 

In the world of cybercrime, criminals usually fall into two groups. Some target individuals, tricking them for money. Others go after important organizations like hospitals and companies, hoping for bigger payouts. Although attacks on healthcare are less common, they cause major harm when they happen. Incidents like the New York Blood Center hack, where hackers stole a million patient records, show how serious the risk is. Now, a new report warns about Chinese cybercriminals, known as Ghost, who are attacking government offices, power companies, banks, factories, and hospitals. Most of their attacks have affected North America and the United Kingdom.


Ghost Hackers Active in Over 70 Countries

According to research shared by Rebecca Harpur from Blackfog, the Ghost hacking group is based in China and acts on its own without links to the government. Their main goal is to make money, not to steal secrets. Over time, this group has changed its identity multiple times, previously using names like Cring, Crypt3r, Hello, and Phantom. By rebranding, they make it harder for law enforcement agencies to track them as one single group.

Despite their tricks, agencies like the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have raised alarms about the damage Ghost can cause. The Blackfog report explains that victims usually receive a message demanding money, threatening to either destroy stolen information or release it publicly if they refuse to pay.


How Ghost Carries Out Its Attacks

The way Ghost hackers break into systems usually follows the same pattern:

• They first find and exploit weaknesses in systems that are open to the internet, such as VPN devices, websites, and email servers.

• After getting inside, they install secret programs like Cobalt Strike and web shells to stay hidden. They often create fake accounts and disable security software once they have high-level access.

• With these privileges, they move across the network quietly and transfer sensitive data to their own servers.

• Once enough data is stolen, they release ransomware programs (often named Ghost.exe or Cring.exe) across the network. This encrypts files, destroys backup copies, and leaves a ransom note demanding payment.


Tips to Stay Protected

Although the FBI has provided detailed steps to defend against these attacks, Blackfog suggests a few important actions:

1. Keep backups of all important data and store them separately from your main network.

2. Always install the latest updates for your operating systems, applications, and firmware.

3. Use multi-factor authentication to add an extra layer of security to user accounts.

4. Divide your network into smaller parts to make it harder for hackers to move around freely if they break in.


The Ghost hacking group is not interested in spying — their focus is on making money. Organizations need to stay alert, strengthen their defenses, and act fast to prevent serious damage from these ongoing threats.






Read more »
Zoom
APTs cryptocurrency CyberCrime Cyberfraud Cyberhackers Cybersecurity CyberThreat Elusive lazarus Privacy Zoom

Zoom Platform Misused by Elusive Comet Attackers in Fraud Scheme

 


Recent reports suggest that North Korean threat actors are now employing an alarming evolution in the tactics they employ to launch a sophisticated cybercrime operation known as Elusive Comet, a sophisticated cybercrime operation. This newly uncovered campaign demonstrates a way of exploiting Zoom's remote control capabilities to gain unauthorised access to cryptocurrency industry users' systems. 

It is clear from this development that a significant trend is occurring in which widely trusted communication platforms are being exploited as tools to facilitate high-level cyber intrusions. Security Alliance, one of the most reputable cybersecurity research organisations, conducted the investigation and analysis that led to the discovery. Elusive Comet exhibited some significant operational similarities to activities previously associated with North Korea's notorious Lazarus Group, a group which has been linked to North Korea for some years. 

The findings suggest that definitive attribution is yet to be made. Due to the lack of conclusive evidence, attempts to link this campaign with any known state-sponsored entity have been complicated, further demonstrating how covert cyberattacks have become increasingly common in the financial sector. This campaign, according to security experts, marks a dramatic departure from the traditional methods of gaining access to cryptocurrency targets previously used to attack them. This is because the attackers can leverage legitimate features of mainstream platforms such as Zoom, which not only makes their operations more successful but also makes detection and prevention much more difficult. 

Using such ubiquitous communication tools emphasises the need for enhanced security protocols in industries that handle digital assets to stay on top of digital threats. With the emergence of Elusive Comet, the threat landscape continues to evolve, and adversaries are increasingly adopting innovative approaches to bypass traditional defences, a reminder that the threat landscape is constantly changing and that adversaries are continuously evolving. The threat actors behind Elusive Comet have invested considerable resources into establishing a convincing online persona to maintain an appearance of legitimacy. 

To reinforce their facade of authenticity, they operate credible websites and maintain active social media profiles. As one example of the fraudulent entities that are associated with the group, Aureon Capital, a fake venture capital company posing as a legitimate company, Aureon Press, and The OnChain Podcast have all been carefully designed to trick unsuspecting individuals and businesses. 

The attackers usually contact users by sending them direct messages via X (formerly Twitter), or by contacting them via email, or by offering invitations to appear on their fabricated podcast as a guest. In the study, researchers found that after initiating contact and establishing a certain level of trust, attackers then move swiftly to set up a Zoom meeting under the pretext of learning more about the target's professional activities. 

It is common for key meeting details to be withheld until very near the time of the scheduled meeting, a tactic employed by the organisation to create an impression of urgency and encourage compliance among participants. A common occurrence is that victims are often asked to share their screens during the call so that they can demonstrate their work, and in doing so, they unknowingly expose their sensitive systems and data to the attackers. As a result of the Elusive Comet operation, Jake Gallen, CEO of the cryptocurrency company Emblem Vault, lost over $100,000 of his digital assets, which included his company's cryptocurrency. As a result, he was targeted after agreeing to participate in a Zoom interview with someone who was posing as a media person. 

By manipulating Gallen during the session into granting remote access to his computer under the disguise of technical facilitation, the attacker succeeded in obtaining his permission to do so. The attackers were able to install a malicious payload, referred to by the attackers as "GOOPDATE," which allowed them to gain access to his cryptocurrency wallets and steal the funds that resulted from this attack. 

It is clear from this incident that cryptocurrencies are vulnerable, especially among executives and high-net-worth individuals who interact regularly with media outlets and investors, which makes them particularly susceptible to sophisticated social engineering schemes because of their high level of exposure to these media outlets. Additionally, the breach emphasises that professionals operating in high-value financial sectors should have heightened awareness of cybersecurity and adopt stricter digital hygiene policies. 

A leading cybersecurity research and advisory firm specialising in forensics and advanced persistent threats (APTS), Security Alliance, meticulously tracked and analysed the Elusive Comet campaign, a campaign that is highly likely to persist for many years to come. Security Alliance published a comprehensive report in March 2025 detailing the tactics, techniques, and procedures (TTPS) used by threat actors and presenting comprehensive insights into these tactics. In their research, the attackers were able to install malware on victims' systems based primarily on a combination of social engineering and using Zoom's remote control features to get their malicious code into the systems of their victims. 

Despite drawing parallels between the methods used to conduct this campaign and those of the notorious Lazarus Group of North Korea, Security Alliance exercised caution when attributions were made. It was noted in the research that the similarities in techniques and tools could indicate common origins or shared resources; however, the researchers stressed the difficulties associated with attribution in a cyber threat landscape where various actors tend to duplicate or repurpose the methodologies of each other. 

Taking into account the methods employed by the Elusive Comet campaign, cryptocurrency professionals are strongly advised to take a comprehensive and proactive security posture to reduce the risk of falling victim to the same types of sophisticated attacks again. First and foremost, companies and individuals should make sure that Zoom's remote control feature is disabled by default, and that it is only enabled when necessary by the organisation and the individual. This functionality can be significantly restricted by restricting the use of this feature, which reduces the chances of cybercriminals exploiting virtual engagements as well.

It is also important to exercise increased caution in responding to unsolicited meeting invitations. When invitations are sent by an unknown or unverified source, it is essential to verify the identity of the requester through independent channels. In order to increase account security in cryptocurrency-related platforms, including digital wallets and exchanges, it is imperative to implement multi-factor authentication (MFA) as a critical barrier. 

MFA serves as an additional layer of protection if credentials are compromised as well, providing an extra layer of defence. Further, it will be beneficial for organisations to deploy robust endpoint protection solutions as well as maintain all software, including communication platforms such as Zoom, consistently updated, to protect against the exploitation of known vulnerabilities. Additionally, regular cybersecurity education and training for employees, partners, and key stakeholders is also extremely important. 

An organisation can strengthen the security awareness of its teams through the development of a culture of security awareness, which will allow them to identify and resist threat actors' tactics, such as social engineering, phishing attacks, and other deceptive tactics. The Elusive Comet operation highlights a broader, more dangerous threat to the cryptocurrency industry as cybercriminals are increasingly manipulating trusted communication tools to launch highly targeted and covert attacks targeting the crypto market. 

There is a strong possibility that the attacker may have been part of the North Korean Lazarus Group, but an official attribution remains elusive, further illustrating the difficulty in identifying cyber threat actors, yet there are some clear lessons to be learned from this attack. 

As today's cybersecurity landscape becomes more volatile and more complex, it is more important than ever for organisations to maintain vigilance, implement rigorous security protocols, and continually adapt to emerging threats to survive. The adversaries are continually refining their tactics, so the only people who can successfully safeguard the assets and reputation of their organisations and businesses against evolving threats to their identity and reputation will be those who invest in resilient defence strategies.
Read more »
Ransomware
Credentialstealing Cyber Security Cybersecurity IdentityTheft infostealers phishing Ransomware

Cybercriminals Shift Tactics Towards Stealth and Identity Theft: IBM X-Force 2025 Report

 

iThe IBM X-Force 2025 Threat Intelligence Index highlights a growing trend of cybercriminals adopting more covert attack strategies. Drawing from analysis of over 150 billion security events daily across 130+ countries, the report notes an 84% spike in email-delivered infostealers in 2024 compared to the previous year. This surge signals a marked pivot towards credential theft, even as enterprise-targeted ransomware attacks show a notable decline.

“Cybercriminals are most often breaking in without breaking anything – capitalising on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said IBM cybersecurity services global managing partner Mark Hughes. “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernising authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”

The report found that critical infrastructure organisations bore the brunt of attacks, accounting for 70% of incidents handled by IBM X-Force last year. More than a quarter of these breaches exploited system vulnerabilities. Data theft (18%) overtook encryption-based attacks (11%) as the preferred method, reflecting improvements in detection tools and increased law enforcement pressure, which have forced threat actors to rethink their strategies.

Asia and North America emerged as the primary targets, together representing almost 60% of all global attacks. Asia faced 34% of the incidents, while North America encountered 24%. For the fourth consecutive year, the manufacturing industry remained the most impacted sector, attributed to its sensitivity to operational disruptions and susceptibility to ransomware.

Emerging AI-related threats also garnered attention. Although no major AI-focused attacks surfaced in 2024, security teams are racing to find and patch vulnerabilities before they are exploited. A critical remote code execution flaw within an AI development framework is expected to gain traction in 2025 as adoption grows. Experts warn that attackers may soon develop dedicated toolkits aimed specifically at AI systems, underlining the urgent need to secure AI infrastructure.Persistent challenges in critical infrastructure security largely stem from outdated technologies and delayed patch management. IBM X-Force revealed that vulnerabilities accounted for over 25% of exploited incidents. Analyzing discussions on dark web forums showed that four of the ten most talked-about CVEs were associated with advanced threat groups, including state-sponsored actors, escalating the risks of disruption and extortion.

Research in collaboration with Red Hat Insights found that over 50% of Red Hat Enterprise Linux users had not patched at least one critical vulnerability, with 18% leaving five or more critical CVEs unaddressed. Moreover, ransomware variants like Akira, Lockbit, Clop, and RansomHub have expanded their capabilities to affect both Windows and Linux systems.

A sharp rise in phishing campaigns distributing infostealers was another key finding, with a 180% jump compared to 2023. The use of credential phishing and infostealers enables hackers to swiftly exfiltrate sensitive information while maintaining a low profile.

While ransomware still accounted for 28% of malware attacks in 2024, its overall prevalence declined compared to previous years. Cybercriminals are increasingly shifting towards identity-based attacks, adapting to countermeasures that have made traditional ransomware operations more difficult.
Read more »
Privacy
Cyberhackers Cybersecurity CyberThreat Fake PDF FBI information stealer PDF Exploits Privacy

Cybersecurity Alert Says Fake PDF Converters Stealing Sensitive Information

 


Online PDF converters provide efficient conversions of documents from one file format to another, and millions of individuals and businesses use these services to do so. However, this free service also poses significant cybersecurity risks despite its convenience. According to the Federal Bureau of Investigation's (FBI) advisory issued a month ago, cybercriminals have been increasingly exploiting online file conversion platforms to spread malware to consumers and businesses. 

As a result of the threat actor's embedding of malware into seemingly legitimate file conversion processes, data, financial information, and system security are being put at serious risk as a result. As the popularity of these services grows, so does the potential for widespread cyberattacks. Thus, users must exercise heightened caution when choosing tools for managing digital assets online and adhere to best practices when protecting their digital assets when selecting online tools. 

Among the many concerns regarding cyber threats that have recently erupted in the form of a report by a cybersecurity firm, a sophisticated malware campaign has been discovered that takes advantage of counterfeit PDF-to-DOCX conversion platforms to compromise users and expose their data. 

Using highly capable malware, this campaign can steal a wide variety of sensitive data, such as passwords, cryptocurrency wallets, and other confidential personal data from websites. This threat emerged in a matter of time following a public advisory issued by the Denver division of the FBI, warning the public of the increase in malicious file conversion services being used to spread malware. As a result of the findings of cybersecurity firm, cybercriminals have meticulously developed deceptive websites like candyxpdf[.]com and candyconverterpdf[.]com, which imitate the appearance and functionality of the legitimate file conversion service pdfcandy.com, to exploit the public. 

PDFcandy.com's original platform, well-known for its comprehensive PDF management tools, is reportedly attracting approximately 2.8 million visitors per month, making it a prime target for threat actors seeking to exploit its user base as a means of gaining a competitive advantage. A significant aspect of the platform is the significant number of users based in India, where 19.07% of its total traffic comes from, equivalent to approximately 533,960 users per month. As a result of this concentration, cybercriminals operating fraudulent websites have an ample pool of potential victims to exploit. 

According to data collected in March of 2025, the impersonating sites fetched approximately 2,300 and 4,100 visitors from unsuspecting users, indicating an early but concerning growth among those unaware of the impersonating sites. A growing number of sophisticated threats are being employed by threat actors, as indicated by these developments. They emphasize the need for heightened user vigilance and strong cybersecurity measures at all levels. 

An FBI report has highlighted the growing threat posed by fraudulent online document conversion tools, which have been issued by the Federal Bureau of Investigation (FBI). This is in response to an alert recently issued by the FBI Denver Field Office, which warns of the increasing use of these seemingly benign services not just by cybercriminals to steal sensitive user information, but also to install ransomware on compromised devices, in more severe cases. As a result of an alarming rise in reports concerning these malicious platforms, the agency issued a statement in response. 

There has been an increase in the number of deceptive websites offering free document conversion, file merging, and download services by attackers, as indicated in the FBI's advisory. It is important to note that although these tools often perform the file conversions promised, such as converting a .DOC file into a. A PDF file or merging multiple .JPG files into one.PD, the FBI warns that the final downloaded files may contain malicious code. It can be used by cybercriminals to gain unauthorised access to the victim’s device, thereby putting the victim in an extremely dangerous position in terms of cybersecurity. 

The agency also warns that documents that are uploaded to these platforms may contain sensitive information such as names, Social Security numbers, cryptocurrency wallet seeds and addresses, passphrases, email credentials, passwords, and banking information, among others. In addition to identity theft, financial fraud, and subsequent cyberattacks, such information can be exploited to steal identities, commit financial fraud, or commit further cyberattacks. 

The FBI Denver Field Office confirmed in a report that complaints were on the rise, with even the public sector reporting incidents recently in the metro Denver area. During her remarks, Vicki Migoya, FBI Denver Public Affairs Officer, pointed out that malicious actors often use subtle methods to deceive users. For instance, malicious actors alter a single character in a website URL or substitute suffixes such as “INC” for “CO” to create a domain name that is very similar to legitimate ones. Additionally, as search engine algorithms continue to prioritise paid advertisements, some of which may lead to malicious sites, users searching for “free online file converters” should be aware of this warning, as they may be particularly vulnerable to threats. 

Despite the FBI's decision to withhold specific technical details so as not to alert threat actors, the agency confirmed that such fraudulent tools remain a preferred method for spreading malware and infecting unsuspecting computer users. Upon investigating the malware campaign further, the FBI discovered that the deceptive methods employed by the fraudulent websites to compromise users were deceptively deceptive. 

When a user visits such websites, he or she is required to upload a PDF document to convert it into Word format. It is then shown that the website has a loading sequence that simulates a typical conversion process, to give the impression that the website is legitimate. Additionally, the site presents users with a CAPTCHA verification prompt as well, a method of fostering trust and demonstrating that the website complies with common security practices seen on reputable websites. Nevertheless, as soon as the user completes the CAPTCHA, they are deceptively instructed to execute a PowerShell command on their system, which is crucial to begin the malware delivery process. 

After the user clicks on Adobe. A zip file is then installed on the user's device and contains a malware infection called ArechClient, a family of information-stealing malware which is associated with the Sectopratt malware family. Known to be active since 2019, this particular strain of malware is specifically designed to gather a wide range of sensitive data, including saved usernames and passwords, as well as cryptocurrency wallet information and other important digital assets. 

Some of these malicious websites have been taken offline by authorities in recent weeks, but a recent report by a known cybersecurity firm states that over 6,000 people have visited these websites during the past month alone. Clearly, cybercriminals are actively exploiting this vulnerability at scale and with a high degree of frequency. Users must verify the legitimacy of any online conversion service they use due to the increasing sophistication of such attacks. 

During the time of a web-based search, it is essential to make sure that the website is legitimate, not a phoney copy that is being manipulated by hackers. If an unknowing compromise has taken place on a device, action must be taken immediately, such as isolating it and resetting all the associated passwords, to minimise any damage done. For sensitive file conversions, cybersecurity experts recommend using trustworthy offline tools whenever possible to reduce their exposure to online attacks.

As cyber threats to online file conversion services have become increasingly sophisticated, users must be increasingly vigilant and security-conscious when conducting digital activities. For all individuals and organisations to feel comfortable uploading or downloading any files to a website, they are strongly encouraged to check for its authenticity before doing so. Among the things that users should do is carefully examine URLS for subtle anomalies, verify a secure connection (HTTPS), and favour trusted, well-established platforms over those that are less-known or unfamiliar. 

In addition, users should avoid executing any unsolicited commands or downloading unexpected files, even when the website seems to be a genuine one. It is crucial to prioritise the use of offline, standalone conversion tools whenever possible, especially when dealing with sensitive or confidential documents. If it is suspected that a compromised device or computer has been compromised, immediate steps should be taken to isolate the affected device, reset all relevant passwords, and contact cybersecurity professionals to prevent a potential breach from taking place. 

In the age of cybercriminals who are constantly enhancing their tactics, fostering a culture of proactive cyber awareness and resilience is no longer optional, but rather a necessity. To combat these evolving threats, it will be imperative for organisations to consistently train staff, update security protocols, and effectively use best practices. Users need to exercise greater caution and make informed decisions to prevent themselves as well as their organisations from the far-reaching consequences of cyberattacks in the future.
Read more »
Subscribe to: Posts (Atom)