Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
Hackers
Cloning cyber attack Cyber Attacks Cybersecurity Hackers

Cyberattacks Shift Tactics as Hackers Exploit User Behavior and AI, Experts Warn

 

Cybersecurity threats are evolving rapidly, forcing businesses to rethink how they approach digital security. Experts say modern cyberattacks are no longer focused solely on breaking technical defenses but are increasingly designed to exploit everyday user behavior. 
 
According to industry observers, files downloaded by employees have become a common entry point for cybercriminals. Items such as invoices, installers, documents, and productivity tools are often downloaded without careful verification, creating opportunities for attackers. 

“The Downloads folder has quietly become one of the hottest pieces of real estate for cybercriminals,” said Sanket Atal, senior vice president of engineering and country head at OpenText India. 

“Attackers are not trying to break cryptography anymore. They’re hijacking habits.” Research cited by the company indicates that more than one third of consumer malware infections are first detected in the Downloads directory. 

Security specialists say this reflects a broader shift in how cyberattacks are designed, with attackers relying more on social engineering and multi-stage malware. Atal said malicious files frequently appear harmless when first opened. “These files often look completely harmless at first,” he said. 

“They only later pull in ransomware components or credential-stealing payloads. It is a multi-stage approach that is very difficult to catch with signature-based tools.” Experts say the rise in such attacks is also linked to the growing industrialization of cybercrime. 

Modern ransomware groups and information-stealing operations increasingly operate like structured businesses that continuously test and refine their methods. “Ransomware-as-a-service groups and info-stealer operators are constantly refining their lures,” Atal said. 

“They are comfortable using SEO-poisoned websites, fake update prompts, and even ‘productivity tools’ to get users to download something that looks normal.” India’s rapidly expanding digital ecosystem has made it an attractive target for attackers. 

The combination of millions of new internet users, the widespread use of personal devices for work, and the overlap between personal and professional computing environments increases exposure to risk. 

“When a poisoned file lands in a Downloads folder on a personal device, it can easily become an entry point into enterprise systems,” Atal said. “Especially when that same device is used for banking, office work, and email.” Artificial intelligence is further changing the threat landscape. 

Generative AI tools can now produce convincing phishing messages that mimic corporate communication styles and reference real projects. “AI has removed the traditional visual cues people relied on to spot scams,” Atal said. 

“Generative models now write in perfect business language, reuse an organisation’s tone, and reference real projects scraped from public sources.” Security analysts say deepfake technology is also being used to manipulate business processes. 

Synthetic video calls and cloned voices have been used to approve financial transactions in some cases. Another emerging pattern is the rise of malware-free intrusions, where attackers rely on stolen credentials or legitimate remote access tools instead of traditional malicious software. 

“We’re also seeing a rise in malware-free intrusions,” Atal said. “Attackers use stolen credentials and legitimate remote access tools. Nothing matches a known signature, yet the breach is very real.” Experts say these developments are forcing organizations to shift their security strategies. 

Instead of focusing solely on scanning files and attachments, security teams are increasingly monitoring behavior patterns across users, devices, and systems. “The first shift is moving from content to behaviour,” Atal said. 

“Instead of just scanning attachments, organisations need to focus on whether a user or service account is behaving consistently with historical and peer norms.” Security specialists also emphasize the importance of integrating identity verification with threat detection systems. 

When phishing messages become difficult to distinguish from legitimate communication, identity context becomes a key factor in identifying suspicious activity. In addition, companies are beginning to rely on artificial intelligence for defensive purposes. 

Automated systems can help security teams manage the growing volume of alerts by identifying patterns and highlighting potential threats more quickly. “Security teams are overwhelmed by alerts,” Atal said. 

“AI-based triage is essential to reduce noise, correlate weak signals, and generate plain-language narratives so analysts can act faster.” Despite increased awareness of cybersecurity threats, several misconceptions persist. 

Many organizations assume that the most serious cyberattacks originate from sophisticated state-backed actors. “One big myth is that serious attacks only come from exotic nation-state actors,” Atal said. “The truth is, most breaches begin with everyday issues such as phishing, malicious downloads, weak passwords, or cloud misconfigurations.” 

Another misconception is that smaller organizations are less likely to be targeted. However, experts say attackers often focus on industries with weaker security controls, including healthcare providers, hospitality companies, and smaller financial institutions. 

Cybersecurity specialists also warn that many attacks no longer rely on traditional malware. Techniques such as identity-based attacks, business email compromise, and misuse of legitimate administrative tools often bypass standard antivirus defenses. “Identity-based attacks, business email compromise, and abuse of legitimate tools often never trigger traditional antivirus,” Atal said. 

“The starting point can be any user, device, or partner that has access to data.” Industry leaders say the challenge is compounded by the fact that many cybersecurity systems were designed for a different technological environment. 

Vinayak Godse, chief executive of the Data Security Council of India, said existing security frameworks were built before the widespread adoption of digital services and artificial intelligence. 

“In the digitalisation space, we are creating tremendous experiences, productivity gains, and new possibilities,” Godse said. “But the security frameworks we have in place were designed for an older paradigm.” He added that attackers today are capable of identifying and exploiting even a single vulnerability in complex digital systems. 

“The current attack ecosystem can identify and exploit even one vulnerability out of millions, or even billions,” Godse said. Experts say the erosion of traditional network boundaries has further complicated security efforts. Remote work, cloud computing, software-as-a-service platforms, and third-party integrations mean that sensitive systems can now be accessed from a wide range of devices and locations. 

“A user on a personal phone, accessing a SaaS application from home Wi-Fi, is still inside your risk perimeter,” Atal said. As a result, organizations are increasingly focusing on continuous verification and context-aware monitoring rather than relying solely on perimeter defenses. 

According to Atal, the effectiveness of AI-driven security tools ultimately depends on the quality of underlying data. If data sources are fragmented or poorly labeled, even advanced analytics systems may struggle to detect threats. 
 
“Every advanced AI-driven security use case boils down to whether you can see your data and whether you can trust it,” he said. Security experts say that integrating identity signals, access patterns, and data sensitivity into unified monitoring systems can help organizations identify suspicious activity more effectively. 

“When data, identity, and threat signals are unified, security teams can see a connected narrative,” Atal said. “A login, a download, and a data access event stop being isolated alerts and start telling a story.” 

 
Despite advances in technology, experts say human behavior remains a critical factor in cybersecurity. 

“In today’s cyber landscape, the front line is no longer the firewall,” Atal said. “It is the file you choose to open and the behaviour that follows.”
Read more »
Malware attacks
Airport WiFi Security Cyber Attacks cybersecurity threats FBI FBI FBI warning Hacker attack Internet Routers Malware attacks

FBI Warns Outdated Wi-Fi Routers Are Being Targeted in Malware and Botnet Attacks

 

Cybersecurity risks could rise when outdated home routers stop getting manufacturer support, federal agents say. Devices from the late 2000s into the early 2010s often fall out of update cycles, leaving networks open. Without patches, vulnerabilities stay unaddressed - making intrusion more likely over time. Older models reaching end-of-life lack protection upgrades once available. This gap draws attention from officials tracking digital threats to household systems. 

Older network equipment often loses support as makers discontinue update releases. Once patching ends, weaknesses found earlier stay open indefinitely. Such gaps let hackers break in more easily. Devices like obsolete routers now attract criminals who deploy malicious code. Access at admin level gets seized without owners noticing. Infected machines may join hidden networks controlled remotely. Evidence shows law enforcement warning about these risks repeatedly. 

Built from hijacked devices, botnets answer to remote operators. These collections of infected machines frequently enable massive digital assaults. Instead of serving legitimate users, they route harmful data across the web. Criminals rely on them to mask where attacks originate. Through hidden channels, wrongdoers stay anonymous during operations. 

Back in 2011, Linksys made several routers later flagged as weak by the FBI. Devices like the E1200, E2500, and E4200 came under scrutiny due to security flaws. Earlier models also appear on the list - take the WRT320N, launched in 2009. Then there is the M10, hitting shelves a year after that one. Some routers come equipped with remote setup options, letting people adjust settings using web-connected interfaces. 

Though useful, such access may lead to problems if flaws are left unfixed. Hackers regularly search online for devices running open management ports, particularly ones stuck on old software versions. Hackers start by spotting weak routers, then slip through software gaps to plant harmful programs straight onto the machine. Once inside, that hidden code opens the door wide - giving intruders complete control while setting up secret talks with remote hubs. 

Sometimes, these taken devices ping those distant centers each minute, just to say they’re still online and waiting. Opened network ports on routers might let malware turn devices into proxies. With such access, attackers send harmful data across infected networks instead of launching attacks directly. Some even trade entry rights to third parties wanting to mask where they operate from. What makes router-based infections tricky is how hard they are to spot for most people. 

Since standard antivirus tools target laptops and phones, routers often fall outside their scope. Running within the router's own software, the malware stays hidden even when everything seems to work fine. The network keeps running smoothly, masking the presence of harmful code tucked deep inside. Older routers without regular updates become weak spots over time. 

Because of this, specialists suggest swapping them out. A modern replacement brings continued protection through active maintenance. This shift lowers chances of intrusions via obsolete equipment found in personal setups.
Read more »
San Francisco
cyber attack Cyber Attacks Cybersecurity San Francisco

San Francisco Children’s Council Breach Exposes SSNs of 12,000+ People

 

The Children’s Council of San Francisco has notified more than 12,000 individuals that their personal information was compromised in a cyberattack discovered last year. 

According to breach notification letters, the incident occurred on August 3, 2025, when the organization experienced what it described as a network disruption. An investigation later found that an unauthorized actor had accessed and obtained certain data. 

“On August 3, 2025, ChCo experienced a network disruption,” the Council said in its notice to affected individuals. 

“The investigation determined that an unknown actor accessed and acquired certain data without authorization.” 

The compromised information includes names and Social Security numbers belonging to 12,655 people. 

The notice did not specify whether the affected data included information related to children served by the organization. About two weeks after the breach occurred, a ransomware group known as SafePay claimed responsibility for the attack on its data leak website. 

The group reportedly demanded payment within 24 hours in exchange for deleting the stolen data. The Children’s Council has not confirmed the claim made by SafePay, and it remains unclear how attackers gained access to the organization’s systems. 

The nonprofit has not disclosed whether a ransom demand was paid. The organization said it is offering individuals affected by the breach free identity protection services. 

Victims can enroll in 12 months of credit monitoring and receive identity theft insurance coverage of up to one million dollars through TransUnion. The offer is available for 90 days from the date of the notification letter. 

SafePay is a ransomware operation that began publicly listing its victims on a leak site in November 2024. The group uses ransomware based on the LockBit strain and typically employs a double extortion strategy, demanding payment both to restore encrypted systems and to prevent the release of stolen data. 

In 2025, SafePay claimed responsibility for 374 ransomware attacks. Of those, 46 organizations confirmed the incidents and reported data breaches affecting about 17 million people. One of the largest involved Conduent Business Services, which notified approximately 16.7 million individuals that their data had been exposed. 

 
The group continues to be active in 2026 and has already taken credit for more than a dozen additional attacks, although only one of those has been confirmed so far. Ransomware incidents targeting organizations in the United States remain widespread. 

Researchers tracked 653 confirmed ransomware attacks against U.S. organizations in 2025, exposing roughly 43.3 million personal records. 

Several nonprofit and social service organizations have been among the victims. Recent incidents have affected groups such as Bucks County Opportunity Council in Pennsylvania, Catholic Charities of the Diocese of Albany in New York, North American Family Institute in Massachusetts, Elmcrest Children’s Center in New York and Family and Community Services in Ohio.

The Children’s Council of San Francisco is a nonprofit that works with government agencies to support childcare and early education services. The organization helps families locate and pay for childcare while distributing public funding to childcare providers that serve infants and children up to age 13. 

According to its website, the nonprofit administers an annual budget of nearly 250 million dollars and partners with the California Department of Social Services as well as local government agencies in San Francisco.
Read more »
cybersecurity threat
BYOVD Attack cyber attack Cyber Attacks cybersecurity threat

BYOVD Attacks Turn Trusted Windows Drivers Into Security Threats

 

Cybersecurity researchers are warning about a growing wave of attacks that exploit legitimate Windows drivers to bypass security protections and gain deep control over targeted systems. 

The technique, known as Bring Your Own Vulnerable Driver or BYOVD, involves attackers loading digitally signed but flawed drivers onto a compromised machine. Once active, the vulnerable driver can be exploited to gain kernel level privileges, the highest level of access in the Windows operating system. 

Researchers from Picus Security said the method allows threat actors to “load a legitimate, digitally signed, but vulnerable driver onto a target system” and then exploit weaknesses in that driver to gain arbitrary kernel mode execution. 

With this level of access, attackers can disable endpoint security tools, manipulate operating system processes and carry out further malicious activity without interference. 

How the attack works 

BYOVD attacks do not provide the initial entry point into a system. Instead, attackers use the technique after gaining administrative access through other methods such as phishing campaigns, stolen credentials, exploitation of exposed services or purchasing access from an initial access broker. 

Once administrative privileges are obtained, attackers introduce a vulnerable driver file into the system. The driver, typically a .sys file, is often placed in directories that allow easy writing access such as temporary Windows folders or public user directories. 

Many of these drivers are taken directly from legitimate vendor software packages, including hardware utilities, monitoring tools or gaming applications. Because the drivers are officially signed and appear legitimate, they can pass Windows trust checks. Attackers then load the driver into the Windows kernel. 

This is commonly done through the Windows Service Control Manager using commands such as sc.exe create and sc.exe start, or by calling system level APIs like NtLoadDriver. 

Since the driver carries a valid digital signature, Windows allows it to run in kernel space without immediately triggering alerts. 

Exploiting driver weaknesses 

After the vulnerable driver is loaded, attackers exploit unsafe input and output control functions exposed by the driver. These functions can allow direct reading and writing of system memory. 

By sending specially crafted requests, attackers can gain access to protected kernel memory regions. This effectively provides full control over the operating system’s most privileged layer. 

With kernel read and write capabilities, attackers can disable security protections in several ways. They may remove endpoint detection and response callbacks from kernel structures, patch tamper protection routines in memory, terminate antivirus processes or manipulate system process objects to conceal malicious activity. 

Even though security software may still appear installed, the endpoint may effectively be left unprotected. 

Example of driver abuse 

One attack analyzed by Picus researchers involved ransomware actors exploiting the mhyprot2.sys anti cheat driver used by the popular video game Genshin Impact. 

In that case, attackers installed the legitimate driver and then used a separate executable to send a specific command instructing the driver to terminate antivirus processes. Because the driver operated with kernel level privileges, it successfully executed system level commands to kill security services. 

Once defenses were disabled, ransomware encryption was deployed without resistance.

Structural weaknesses in driver trust 

The effectiveness of BYOVD attacks stems partly from how Windows manages driver trust. Since Windows 10, most new kernel drivers must be signed through Microsoft’s developer portal. 

However, compatibility requirements allow certain older cross signed drivers to still load under specific conditions. 

These conditions include systems where Secure Boot is disabled or devices that were upgraded from older Windows installations rather than freshly installed. 

Such compatibility allowances create gaps that attackers can exploit by loading vulnerable legacy drivers that remain trusted by the system. 

Microsoft also maintains a vulnerable driver blocklist, but this list is updated only after vulnerabilities are discovered and reported. Updates often coincide with major Windows releases, meaning newly identified vulnerable drivers may remain usable for extended periods. 

As a result, BYOVD attacks do not technically bypass Windows security mechanisms. Instead, they take advantage of drivers that the operating system still considers trustworthy. 

Defending against BYOVD 

Security experts say defending against this technique requires layered protections rather than a single configuration change. 

Organizations are advised to enable hypervisor protected code integrity and the broader virtualization based security framework to prevent unauthorized kernel memory changes. 

Controls such as Windows Defender Application Control and Microsoft’s vulnerable driver blocklist can restrict which drivers are allowed to run. Limiting administrative privileges is another critical step. 

Companies should remove unnecessary local administrator rights, enforce least privilege policies and require multi factor authentication for privileged accounts. Monitoring for suspicious activity is also essential. 

Security teams should watch for unusual driver loading events or new kernel service creation logs. Maintaining Secure Boot and restricting driver installation through group policy can further reduce the risk of unauthorized or legacy drivers being loaded. 

Regular auditing of third party drivers installed on systems can help reduce the overall kernel attack surface. 

Security analysts say BYOVD reflects a broader change in attacker strategy. Instead of relying only on new vulnerabilities or zero day exploits, threat actors increasingly use trusted components that already exist within systems. 

Read more »
US
Cyber Attacks Data Internet Iran Israel US

Threat Actors Hit Iranian Sites and Apps After the US-Israel Strike


A series of cyber attacks happened last week during the U.S- Israel attack on targets throughout Iran. 

The cyberattacks included hijacking the various news sites to show messages and also hacking BadeSaba, a religious calendar application over 5 million downloads, which showed messages warning users “It’s time for reckoning” and telling armed forces to give up and quit. 

The U.S Cyber Command spokesperson didn't comment on the issue. 

Internet connectivity in Iran has dropped significantly at 0706 GMT, with minimum connectivity remaining, according to Kentik’s director of internet analysis. It was a smart move to launch a cyberattack on BadeSaba as pro-government people use it and are more religious, said Hamid Kashfi, a security expert and founder of DarkCell, a cybersecurity firm. 

Cyberattacks also hit various Iranian military targets and government services to restrict a coordinated Iranian response, according to the Jerusalem Post. Reuters hasn't verified the claims yet. Sophos director of threat intelligence said that “As Iran considers its options, ‌the likelihood increases that proxy groups and hacktivists may take action, including cyberattacks, against Israeli and U.S.-affiliated military, commercial, or civilian targets,” said Rafe Pilling, the director of threat intelligence with cybersecurity firm.”

These cyber operations may include old data breaches reported as new, vain efforts to breach interne-exposed industrial systems, and may also redirect offensive cyber operations. 

Cynthia Kaiser, a senior vice president at the anti-ransomware company Halcyon and a former top FBI cyber official, stated that activity has escalated in the Middle East. 

According to Kaiser, the company has also received calls to action from well-known pro-Iranian cyber personalities who have previously carried out ransomware attacks, hack-and-leak operations, and distributed denial-of-service (DDoS) attacks, which overload internet services and make them unavailable. He stated, "CrowdStrike is already seeing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks.”

Experts also believe that state-sponsored Iranian hacking gangs already launched “wiper “ attacks that remove data on Israeli targets before the strikes. 

Apart from a brief disruption of services in Tirana, the capital of Albania, there was little indication of the disruptive cyberattacks frequently mentioned during discussions about Iran's digital capabilities in June following the U.S. strike on Iranian nuclear targets, according to media sources.

Read more »
cybersecurity risk
corporate cyber attacks Corporate Data Breach Cyber Attacks Cyber Gangs Cyber Security Ransomware Attacks cybersecurity risk

Crazy Ransomware Gang Abuses Net Monitor and SimpleHelp for Stealthy Network Persistence

 

Not long ago, security analysts from Huntress spotted someone tied to the Crazy ransomware group using standard employee surveillance and remote assistance programs. This person used common system tools - not custom malware - to stay hidden within company networks. Instead of flashy attacks, they moved quietly through digital environments already familiar to IT teams. What stands out is how ordinary software became part of a stealthy buildup toward data encryption. Behind the scenes, attackers mimic regular maintenance tasks to avoid suspicion. Their method skips complex hacking tricks in favor of blending in. Over time, such tactics make detection harder since alerts resemble routine actions. Rather than breaking in, they act like insiders who belong. Recently, this approach has become more frequent across different cybercrime efforts. Normal-looking tool usage now masks malicious goals deep inside infrastructure.

Throughout several cases reviewed by Huntress, Net Monitor for Employees Professional appeared next to SimpleHelp’s remote access software. Using both together let attackers maintain ongoing, hands-on access to affected machines. This pairing lowered their chances of setting off detection mechanisms. Each tool played a role in staying under the radar. 

A single instance involved deployment of surveillance software through Windows Installer by running msiexec.exe, enabling adversaries to pull the agent straight from the official provider site. With it active, complete remote screen access emerged alongside command launching, data movement, and live observation of machine activity - delivering control similar to admin privileges on compromised devices. 

To tighten their hold, the hackers tried turning on the default admin account via "net user administrator /active:yes." Another layer came when they pulled down SimpleHelp using PowerShell scripts. Files were hidden under names that looked real - some copied Visual Studio’s vshost.exe pattern. Others posed as OneDrive components, tucked inside folders like ProgramData. Despite detection of a single remote component, operations persisted due to multiple deployment layers. 

Occasionally, the SimpleHelp executable appeared under altered names, mimicking standard corporate software files. Observed by analysts, these changes helped it evade immediate recognition. At times, Huntress noticed efforts aimed at weakening Microsoft Defender - achieved by halting and removing related system services - to limit detection on infected devices. One breach showed attackers setting up alert triggers inside SimpleHelp, activated whenever machines reached sites tied to digital currency storage or trading. 

These triggers watched for terms linked to wallet providers, exchange portals, blockchain lookup tools, and online payment systems. Elsewhere, the surveillance tool logged mentions of remote access software like RDP, AnyDesk, TeamViewer, UltraViewer, and VNC, possibly to spot signs of IT staff or security teams logging into affected endpoints. Despite just a single confirmed instance leading to Crazy ransomware activation, Huntress identified shared command servers and repeated file names like “vhost.exe.” These similarities point toward one actor behind both breaches. 

Notably, infrastructure links emerged across incidents. One attack stood out in impact. Yet patterns in execution imply coordination. File artifacts matched closely. Operation methods showed consistency. The evidence ties the events together indirectly. Reuse of tools strengthens that view. Infrastructure overlap was clear. Execution timing varied. Still, the digital fingerprints align. Not just one but two security incidents traced back to stolen SSL VPN login details, showing how shaky remote entry points can open doors. 

Instead of assuming safety, watch for odd patterns - like when trusted remote management software shows up without warning, used now more often by attackers who twist normal tools into stealthy weapons. Despite growing reliance on standard tools by attackers, requiring extra verification steps for every remote login helps block stolen passwords from being useful. Because hackers now blend in using common management programs, watching network behavior closely while limiting who can enter key systems stays essential for company security.
Read more »
Group IB
Credential Theft Cyber Attacks Cyberbreaches Cybercrime Ecosystem Digital Supply Chain Risk Global Supply-Chain Attack Group IB

Group-IB Warns Supply Chain Attacks Are Becoming a Self-Reinforcing Cybercrime Ecosystem

 

Cybercrime outfits now reshape supply chain intrusions into sprawling, linked assaults - spinning out data leaks, stolen login details, and ransomware in relentless loops, says fresh research by Group-IB. With each trend report, the security group highlights how standalone hacks have evolved: today’s strikes follow blueprints meant to ripple through corporate systems, setting off chains of further break-ins. 

Instead of going after one company just to make money fast, hackers now aim at suppliers, support services, or common software tools - gaining trust-based entry to many users at once. Cases highlighted in recent reports - the Shai-Hulud NPM worm, the break-in at Salesloft, and the corrupted OpenClaw package - all show how problems upstream spread quickly across systems. Not limited to isolated targets, these attacks ripple outward when shared platforms get hit. 

Modern supply chain attacks unfold in linked phases, says Group-IB. One stage might begin with a tainted open-source component spreading malicious code while quietly collecting login details. Following that, attackers may launch phishing efforts - alongside misuse of OAuth tokens - to seize user identities, opening doors to cloud services and development pipelines. Breached data feeds these steps, supplying access keys, corporate connections, and situational awareness required to move sideways across systems. Later comes ransomware, sometimes followed by threats - built on insights gathered during earlier stages of breach. One step enables another, creating loops experts call self-sustaining networks of attack. 

Soon, Group-IB expects artificial intelligence to push this shift further. Because of AI-powered tools, scanning for flaws in vendor networks, software workflows, or browser add-on stores happens almost instantly. These systems let hackers find gaps faster - operating at speeds humans cannot match. 

Expectations point to declining reliance on classic malware, favoring tactics centered on stolen identities. Rather than using obvious harmful software, attackers now mimic authorized personnel, slipping into everyday operational processes. Moving quietly through standard behaviors allows them to stay hidden longer, gradually reaching linked environments. Because they handle sensitive operations like human resources, customer data, enterprise planning, or outsourced IT support, certain platforms draw strong interest from threat actors. 

When a compromise occurs at that level, it opens doors not just to one company but potentially hundreds connected through shared services - multiplying consequences far beyond the initial point of failure. Cases like Salesloft and the breach tied to Oracle in March 2025 show shifts in how data intrusions unfold. Rather than seeking quick payouts, hackers often collect OAuth credentials first. Missteps in third-party connections give them room to move inward. 

Once inside client systems, fresh opportunities open up. Data copying follows naturally. Trust-based communication chains become tools for disguise later. Infected updates spread quietly through established channels. Fraud grows without drawing early attention. Fault lines in digital confidence now shape modern cyber threats, according to Dmitry Volkov, who leads Group-IB. Rather than one-off breaches, what unfolds are ripple effects across systems. Because outside providers act like open doors, companies should treat them as part of their own risk landscape. 

Instead of reacting late, they build models for supply chain risks early. Automated scans track software links continuously. Insight into how information moves becomes essential - without it, gaps stay hidden until exploited. With breaches in supply chains turning into routine operations, protecting confidence among users, collaborations, and code links has shifted from being a backup measure to a core part of today’s security planning. 

What once seemed secondary now shapes the foundation. Trust must hold firm where systems connect - because failure at one point pulls down many. Security can no longer treat relationships as external risks; they are built-in conditions. When components rely on each other, weakness spreads fast. The report frames this shift clearly: resilience lives not just in tools but in verified connections. Not adding layers matters most - it is about strengthening what already ties everything together.
Read more »
Data Exfilteration
APT28 APT28 Cyber Espionage Cyber Attacks Cyber Phishing cybersecurity threat Data Exfilteration

APT28’s Operation MacroMaze Targets Western Europe With Stealthy Macro-Based Attacks

 

A fresh wave of digital intrusions, tied to Russian operatives known as APT28, emerges through findings uncovered by S2 Grupo’s LAB52 analysts. Throughout late 2025 into early 2026, these efforts quietly unfolded across Western and Central European institutions. Dubbed Operation MacroMaze, the pattern reveals reliance on minimalistic yet precisely timed actions. Instead of complex tools, attackers favored subtle coordination - bypassing alarms by design. Each phase unfolded with restraint, avoiding flashiness while maintaining persistence behind the scenes. 

Starting the operation, cyber actors send targeted emails with harmful attachments designed to trick users. Instead of using typical methods, these documents include an XML feature named “INCLUDEPICTURE.” That field points to a JPG stored on webhook[.]site, acting as a hidden reference. As soon as someone views the file, the system pulls the image from that external address. Unlike passive downloads, this transfer initiates a background connection outward. Midway through loading, the request exposes details about the user’s environment automatically. So, without visible signs, attackers receive confirmation plus technical footprints tied to the access event. 

Over time, different versions of the documents appeared, spotted by analysts during an extended review period. Each one carried small changes in macro design, though the core behavior stayed largely unchanged. Instead of sticking with automated browser launching, newer samples began mimicking keystrokes through SendKeys functions. This shift may have aimed at dodging detection mechanisms while keeping interactions less obvious to people opening files. 

When turned on, it runs a Visual Basic Script pushing the attack forward. A CMD file gets started by the script, setting up ongoing access using timed system jobs before releasing a batch routine. Out of nowhere, a tiny HTML segment encoded in Base64 appears inside Edge running without display. That fragment pulls directives from one online trigger point, carries out those steps on the machine, gathers what happens, then sends everything back - packed into an HTML document - to another web destination. 

A different version of the batch script skips headless browsing by shifting the browser window beyond the visible screen area. Following that shift, any active Edge instances are closed - this isolates the runtime setting. Once the created HTML document opens, form submission begins on its own, sending captured command results to a server managed by the attacker, all without engaging the user. 

LAB52 points out that the attack shows hackers using ordinary tools - batch scripts, minimal VBS launchers, basic HTML forms - to form a working breach system. Hidden browser tabs become operational zones, letting intrusions unfold without obvious footprints. Webhook platforms, meant for routine tasks, carry commands one way and stolen information the other. Instead of loud breaches, quiet integration with standard processes helps evade detection. The method thrives not on complexity, but on repurposing everyday components in stealthy ways. 

What stands out in Operation MacroMaze is how basic tools, when timed precisely, achieve advanced results. Not complexity - but clever order - defines its success. Common programs, used one after another in quiet succession, form an invisible path through defenses. Trusted system features play a central role, slipping past alarms. Persistence emerges not from novelty, but repetition masked as routine. Across several European organizations, the method survives simply by avoiding attention.
Read more »
XFS API exploitation
ATM jackpotting ATM malware attacks Cyber Attacks cyber physical crime FBI security alert Ploutus malware XFS API exploitation

FBI Warns of Surge in ATM Jackpotting Attacks After $20 Million Stolen in 2025

 

More than $20 million was stolen from compromised ATMs across the United States last year through a growing malware-driven scheme, according to a recent alert from the Federal Bureau of Investigation (FBI). Authorities say the tactic, known as ATM jackpotting, has seen a sharp rise in activity.

ATM jackpotting is a cyber-physical attack in which criminals manipulate both hardware and software weaknesses in ATMs to install malicious programs. Once deployed, the malware forces the machine to release cash on command without approval from the bank. Since 2020, nearly 1,900 such incidents have been recorded, with over 700 reported in 2025 alone, as detailed in a Thursday security advisory.

Attackers typically begin by using universal or generic keys to unlock the ATM cabinet. After gaining access, they either remove the machine’s hard drive to load malware onto it before reinstalling it, or swap it entirely with a pre-infected drive containing jackpotting software.

One of the most frequently used tools in these operations is Ploutus malware. This malicious program targets eXtensions for Financial Services (XFS), an open-standard API that enables ATMs and point-of-sale systems to communicate with banking applications across different hardware providers. 

Under normal conditions, XFS allows banking software to process transactions and authorize cash withdrawals. However, the malware manipulates this system, letting attackers send unauthorized commands that trigger the ATM to dispense money instantly.

Unlike card skimming schemes that compromise customer data and PIN numbers, jackpotting attacks primarily impact financial institutions. Banks and ATM operators bear the financial losses, which total tens of millions of dollars annually. These incidents are also challenging to detect in real time, often only becoming apparent after funds have already been removed.

In its latest advisory, the FBI outlined several warning signs for ATMs operating on Windows systems. These include suspicious executable files and scripts, unusual system event IDs linked to USB device insertions, missing hard drives, unauthorized hardware connected to the machine, and unexpected “out of cash” notifications. Financial institutions are urged to review these indicators closely to prevent further exploitation
Read more »
Supply Chain Attack
Crypto Exchange Cyber Attacks dYdX PyPI Package Supply Chain Attack

Malicious dYdX Packages Drain User Wallets in Supply Chain Attack

 

Malicious open-source packages targeting the dYdX cryptocurrency exchange have enabled attackers to drain user wallets, exposing once again how fragile software supply chains can be in the crypto ecosystem. Researchers found that legitimate-looking libraries on popular repositories were quietly stealing seed phrases and other sensitive data from both developers and end users, turning everyday development workflows into vectors for wallet compromise. The incident shows that even reputable projects using standard tooling are not immune when upstream dependencies are poisoned.

The attack focused on npm and PyPI packages associated with dYdX’s v4 trading stack, specifically the JavaScript package @dydxprotocol/v4-client-js and the Python package dydx-v4-client in certain versions. These libraries are widely used to build trading bots, automated strategies, and backend services that interact with the exchange and therefore routinely handle mnemonics and private keys needed to sign transactions. By compromising such central components, attackers gained access not just to individual wallets but to any application that pulled in the tainted releases.

Inside the malicious npm package, attackers added a surreptitious function that executed whenever a wallet seed phrase was processed, quietly exfiltrating it along with a fingerprint of the device running the code. The fingerprinting allowed the threat actors to correlate stolen credentials across multiple compromises and track victims over time. Stolen data was sent to a typosquatted domain crafted to resemble legitimate dYdX infrastructure, increasing the chances that network defenders would overlook the outbound connections.

The PyPI package carried similar credential-stealing behavior but escalated the threat by bundling a remote access Trojan capable of executing arbitrary Python code on infected systems. Running as a background daemon, this RAT regularly contacted a command‑and‑control server, fetched attacker-supplied code, and executed it in an isolated subprocess using a hard-coded authorization token. With this access, adversaries could steal keys and source code, plant persistent backdoors, and broadly surveil developer environments beyond just wallet data.

This is not the first time dYdX has faced targeted abuse of its ecosystem, following prior incidents involving malicious npm uploads and website hijacking campaigns aimed at draining user funds. For the broader industry, the episode underlines how high‑value crypto platforms and their developer tooling have become prime targets for supply-chain attacks. Developers are urged to rigorously audit dependencies, verify package integrity and publishers, and avoid using real wallet credentials in testing environments, while users should quickly review any apps or bots that rely on the affected dYdX client libraries.
Read more »
social engineering attacks
Cryptographic Credential Theft Cyber Attacks Device Linking Exploitation QR Code Phishing Secure Messaging Security Signal Account Hijacking social engineering attacks

German Authorities Alert Public to Signal Account Takeover Campaign

 

The use of secure messaging applications has long been seen as the final line of defense against persistent digital surveillance in an era of widespread digital surveillance. This assumption is now being challenged by Germany's domestic intelligence service, the Federal Office for the Protection of the Constitution, which, in conjunction with the Federal Office for Information Security, has jointly issued a rare advisory detailing a calculated cyberattack attributed to a state-backed adversary. 

It is clear that the warning highlights a deliberate strategy to infiltrate private communications through deception, rather than technical exploits, targeting individuals who rely heavily on them. The agencies report that the operation targets high-ranking political decision-makers, senior military personnel, diplomatic representatives, and investigative journalists in Germany and across Europe. Its implications go beyond the compromise of individual accounts to include high-ranking officials and foreign diplomats. 

Access to secure messenger profiles by unauthorized users could expose confidential information, sensitive professional networks, and trusted contact chains, which in turn could compromise entire institutional ecosystems. 

As a result, the campaign does not rely on malware deployment or the exploitation of Signal platform vulnerabilities. It attempts to manipulate the application's legitimate account recovery and verification features in order to achieve its objectives.

The attackers intend to quietly intercept private conversations and harvest contact information without triggering conventional security alarms by exploiting human trust rather than software vulnerabilities. The attack sequence reflects this strategy. The attackers are impersonating “Signal Support” or impersonating a fabricated assistance channel called a “Signal Security ChatBot” and contacting selected victims directly. 

Receivers are pressured to divulge verification codes or PINs sent via SMS as a precaution against data loss or account suspension, under the pretense that the adversary will be able to take control of the account upon surrendering these credentials. Based on the initial findings, the joint advisory clarifies that the attack is not a result of technical compromise of the platform's codebase or malicious payload deployment. 

By combining carefully staged social engineering with Signal's routine functionality, the operators are exploiting the trust users place in its privacy-centered design. By manipulating the standard account verification and recovery workflows, the attackers are able to induce their victims to divulge the very credentials that secure their communication. 

In one documented scenario, a person impersonating an official support channel is referred to as “Signal Support” or “Signal Security Chatbot.” The targeted organization receives messages alleging fabricated security irregularities and urges it to act immediately to prevent alleged data loss or account suspension. 

By engineering urgency, recipients are prompted to disclose their Signal PINs or SMS verification codes, overriding caution. When the adversary possesses these credentials, they may re-register the account on infrastructure under their control, effectively transferring ownership of the account. Such situations may result in the legitimate user being locked out and the intruder gaining unfettered access to message histories, active conversations, and stored contact information. 

A parallel technique utilizes Signal's multi-device linking capability, enabling seamless synchronization across mobile, tablet, and desktop clients. By causing victims to scan a malicious QR code, threat actors are able to inadvertently attach additional devices to their accounts by posing as a threat actor. With this method, one-on-one exchanges, group discussions, and associated metadata are persistently visible, almost real-time, without generating immediate suspicion.

Since the original device remains functional, the victims may not be aware that their communications are mirrored elsewhere. Authorities emphasize that the absence of malware is a defining characteristic of the campaign. In lieu of exploit chains or zero-day vulnerabilities, attackers rely solely on the voluntary disclosure of valid cryptographic credentials to gain access. 

Through the use of this approach, they are able to circumvent conventional endpoint security systems and network monitoring systems because the account access appears to be procedurally valid within the platform's security environment. 

Using trusted features inappropriately complicates the detection process as well as amplifies the potential intelligence value of the intrusion. It is further noted that individuals whose communications are sensitive from a diplomatic, military, political, or investigative perspective have been given priority in the targeting profile. 

By compromised such accounts, one can gain access to confidential discussions, gain insight into policy decisions and operational planning, and reconstruct professional networks to target subsequent targets. Furthermore, controlling trusted accounts provides an opportunity for impersonation, allowing misleading information to be distributed or sensitive exchanges to be manipulated.

It is reported that the activity was likely to be perpetrated by a state-sponsored actor, but officials caution that these techniques are neither technical complex nor exclusive to government-backed organizations. 

The use of social engineering rather than sophisticated exploitation reduces the barrier to replication, enhancing the likelihood that criminal enterprises or other hostile actors may use similar tactics with comparable impact in the future. The German authorities emphasize in their concluding guidance that the durability of encrypted communication ultimately depends on both informed user vigilance and cryptographic strength. 

Educating institutions and high profile individuals on how to respond to unsolicited account-related requests with heightened scrutiny, strengthening internal awareness of verification workflows, and integrating secure messaging hygiene into operational security procedures is recommended.

An audit of linked devices on a regular basis, strict control over authentication credentials, as well as the activation of additional account safeguards are not offered as optional enhancements, but as mandatory requirements in a threat environment where deception replaces exploitation. 

According to the agencies, resilience will depend more on disciplined user behavior and proactive defensive posture than on technological assurances alone, as adversaries continue to use legitimate platform features for covert access. 

s a result of the advisory, institutions will not be able to protect themselves from compromise when authentication workflows themselves become an attack surface for compromised platforms. 

It is recommended that organizations evaluate how secure messaging tools are integrated into executive and diplomatic communications, ensuring that account recovery procedures, device management policies, and identity verification protocols are governed by formal security controls as opposed to informal user discretion, according to German officials. 

An adversary who weaponizes legitimacy rather than exploiting flaws will need to cultivate procedural discipline, a continuous threat awareness, and a recognition that trust, once manipulated, can have the same impact as any technical vulnerability.
Read more »
Spanish government data breach
Cyber Attacks cybercrime surge 2025 GordonFreeman hacker IDOR vulnerability exploit Ministry of Science cyberattack Spain Spanish government data breach

Spain Ministry of Science Cyberattack Triggers IT Shutdown, Hacker Claims Data Breach

 

A cyberattack targeting the Ministry of Science, Innovation and Universities has led to a partial shutdown of government IT infrastructure, interrupting essential digital services relied upon by researchers, universities, students, and businesses nationwide.

Authorities initially referred to the disruption as a “technical incident,” but mounting evidence — alongside confirmations from Spanish media — now indicates the event was the result of a cyberattack that may have compromised sensitive academic, personal, and financial data.

The ministry is a key pillar of Spain’s higher education and research framework. Any outage affecting its digital systems carries significant operational and administrative consequences, elevating the seriousness of the breach beyond a routine technical malfunction.

In a statement posted on its electronic headquarters, the ministry acknowledged the disruption and announced the temporary closure of several digital services.

“As a result of a technical incident that is currently being assessed, the electronic headquarters of the Ministry of Science, Innovation and Universities has been partially closed.”

The notice further stated: “All ongoing administrative procedures are suspended, safeguarding the rights and legitimate interests of all persons affected by said temporary closure, resulting in an extension of all deadlines for the various procedures affected.”

Officials added that deadline extensions would remain active: "until the complete resolution of the aforementioned incident occurs," citing Article 32 of Law 39/2015.

While the extension of deadlines offers procedural protection to affected users, the absence of immediate clarity regarding the nature of the disruption sparked concern among stakeholders.

Hacker Claims Responsibility for Breach

Concerns escalated after a threat actor operating under the alias Gordon Freeman appeared on underground forums claiming responsibility for the attack. The individual alleged exploitation of a critical Insecure Direct Object Reference (IDOR) vulnerability, which reportedly granted “full-admin-level access” to internal systems.

The attacker published sample screenshots online — though their authenticity has not been independently confirmed — showing what appear to be official documents, email addresses, enrollment records, and internal communications.

Spanish outlet OKDIARIO reported that a ministry spokesperson acknowledged the IT disruption stemmed from a cyberattack and confirmed that the electronic headquarters had been taken offline to evaluate the potential scope of the breach.

Although the forum where the leak was allegedly posted has since gone offline and the data has not resurfaced elsewhere, early indicators suggest the materials could be genuine. If verified, the breach would represent a significant failure in access control safeguards.
According to the attacker’s claims, the compromised data may include:
  • Scanned identification documents, including NIEs and passports
  • Email addresses
  • Payment confirmations displaying IBAN numbers
  • Academic transcripts and apostilled degrees
  • Curricula containing private personal details
If confirmed, the breach could expose thousands of students and researchers to identity theft, financial fraud, and long-term privacy risks. Academic records, once leaked, are particularly difficult to revoke or replace.

The incident reflects a broader cybersecurity challenge in Spain. Cybercrime now represents more than one in six recorded criminal offenses nationwide. Authorities have reported a 35% increase in cyberattacks this year, with daily incidents exceeding 45,000. Between late February and early March, reported attacks surged by 750% compared to the same timeframe last year.

During the week of 5–11 March 2025, Spain ranked as the most targeted country globally, accounting for 22.6% of all recorded cyber incidents — surpassing even the United States.

Experts attribute the trend to two primary factors: rapid digital transformation — accelerated by EU-backed modernization initiatives — and insufficient investment in cybersecurity infrastructure. Ransomware incidents alone have climbed 120%, disproportionately affecting public institutions and small-to-medium enterprises.


Read more »
Technology
Chelsea Cyber Attacks data intrusion Kensington London Technology

London Boroughs Struggle to Restore Services After November Cyber Attack




A cyber intrusion identified on November 24, 2025 has disrupted essential local authority services in two central London boroughs, freezing parts of the property market and delaying administrative functions.

The Royal Borough of Kensington and Chelsea and Westminster City Council have both been unable to operate several core systems since the breach was detected. Although Kensington and Chelsea is internationally associated with high-value homes, luxury retail outlets and tree-lined residential streets, routine civic operations in the borough are currently under strain.

A notice published on the Kensington and Chelsea council website states that disruption is expected to continue for several more weeks and that restoring all services may take months.

According to HM Land Registry figures, approximately 2,000 property transactions occur annually within Kensington and Chelsea. Many of those transactions are now impacted because the councils cannot conduct local authority searches. These searches are mandatory checks that examine planning history, land charges, infrastructure proposals and regulatory constraints linked to a property.

Nick Gregori, Head of Research at property data platform LonRes, explained that local authority searches are fundamental to the conveyancing process. Buyers relying on mortgage financing cannot secure loans without completed searches. Even purchasers using cash are advised to obtain them to ensure proper due diligence.

Jo Eccles, founder of buying agency Eccord, said two of her clients purchasing in Westminster have had to obtain indemnity insurance because official searches are not expected to resume until April due to accumulated delays. She noted that private banks are sometimes willing to proceed with indemnity-backed transactions, whereas retail lenders are generally less accommodating.

Robert Green, Head of Sales at John D Wood & Co. in Chelsea Green, stated that indemnity policies do not eliminate the need for careful investigation. Solicitors are attempting to reconstruct due diligence by reviewing historical documentation held by sellers or from previous acquisition files. Buyers without access to private lending or substantial liquidity are finding transactions extremely difficult to complete.

Planning services have also stalled. Architect Emily Ceraudo has two projects paused: one involving listed building consent in South Kensington and another concerning a mansard roof extension in Mayfair. She said clients initially struggled to accept that the entire planning system could remain offline for this duration, prompting her to share official correspondence confirming the cause of delay. Councils have indicated that some applications may be processed offline, but no revised timeframe has been provided.

There are reports of contractors reconsidering site activity and some clients contemplating proceeding with works in anticipation of retrospective approval.

Housing benefit payments were also interrupted. Laurence Turner, who rents a studio flat in Chelsea to an elderly tenant with medical needs, said he only became aware of the issue after two missed payments. He emphasized that he has no contractual relationship with the council and that his tenant had consistently paid rent early for five years. His letting agent, Maskells, contacted the council for clarification. Payments due in mid-December and mid-January were missed, leaving £2,870 outstanding before funds were eventually received.

Turner observed that council service charges were skipped once in mid-December but resumed in mid-January, whereas housing benefit was missed twice. He acknowledged that municipal financial systems are complex and that he may not see the full administrative context.

Neither borough has provided a definitive restoration date. Kensington and Chelsea stated that systems are being reactivated gradually under guidance from NCC Group, the Metropolitan Police and the National Cyber Security Centre. Property searches are expected to return as soon as possible, with a limited search service available before full restoration.

Council Leader Cllr Elizabeth Campbell described the incident as a n intricate criminal cyber attack. She said prior investment in digital, data and technology infrastructure, including updated cyber defence systems, helped reduce overall damage. She confirmed that the planning system is undergoing checks, that new planning applications cannot progress beyond validation, and that local land charge searches remain unavailable. She added that £10 million in housing benefits has been issued since the incident and that recovery work continues with specialist partners to ensure systems are restored safely and with strengthened resilience. 

Read more »
Ransomware
Cloud Corporate Cyber Attacks Data Ransomware

Iron Man Data Breach Only Impacted Marketing Resources


Data storage and recovery services company ‘Iron Mountain’ suffered a data breach. Extortion gang ‘Everest’ was behind the breach. Iron Mountain said the breach was limited to marketing materials. The company specializes in records management and data centers, it has more than 240,000 customers globally in 61 countries. 

About the breach 

The gang claimed responsibility on the dark web, claiming to steal 1.4 TB of internal company documents. Threat actors used leaked login credentials to access a single folder on a file-sharing server having marketing materials. 

Experts said that Everest actors didn't install any ransomware payloads on the server, and no extra systems were breached. No sensitive information was exposed. The compromised login accessed one folder that had marketing materials. 

The Everest ransomware group started working from 2020. It has since changed its tactics. Earlier, it used to encrypt target's systems via ransomware. Now, it focuses on data-theft-only corporate extortion. Everest is infamous for acting as initial access broker for other hackers and groups. It also sells access to compromised networks. 

History 

In the last 5 years, Everest’s victim list has increased to hundreds in its list portal. This is deployed in double-extortion attacks where hackers blackmail to publish stolen files if the victims don't pay ransom. 

The U.S. Department of Health and Human Services also issued a warning in August 2024 that Everest was increasingly focusing on healthcare institutions nationwide. More recently, the cybercrime operation removed its website in April 2025 after it was vandalized and the statement "Don't do crime CRIME IS BAD xoxo from Prague" was posted in its place.

If the reports of sensitive data theft turn out to be accurate, Iron Mountain's clients and partners may be at risk of identity theft and targeted phishing. Iron Mountain's present evaluation, however, suggests that the danger is restricted to the disclosure of non-confidential marketing and research documents. 

What is the impact?

Such purported leaks usually result in short-term reputational issues while forensic investigations are being conducted. Iron Mountain has deactivated the compromised credential as a precaution and is still keeping an eye on its systems. 

Vendors or affected parties who used the aforementioned file-sharing website should be on the lookout for odd communications. Iron Mountain's response to these unsubstantiated allegations must be transparent throughout the investigation.

Read more »
TGR-STA-1030
APT28 Cyber Espionage Chinese Hackers Cyber Attacks Palo Alto TGR-STA-1030

Palo Alto Softens China Hack Attribution Over Beijing Retaliation Fears

 

Palo Alto Networks is facing scrutiny after reports that it deliberately softened public attribution of a vast cyberespionage campaign that its researchers internally linked to China. According to people familiar with the matter, a draft from its Unit 42 threat intelligence team tied the prolific hacking group, dubbed “TGR-STA-1030,” directly to Beijing, but the final report described it only as a “state-aligned group that operates out of Asia.” The change has reignited debate over how commercial cybersecurity firms navigate geopolitical pressure while disclosing state-backed hacking operations. 

The underlying campaign, branded “The Shadow Campaigns,” involved years-long reconnaissance and intrusions spanning nearly every country, compromising government and critical infrastructure targets in at least 37 nations. Investigators noted telltale clues suggesting a Chinese nexus, including activity patterns aligned with the GMT+8 time zone and tasking that appeared to track diplomatic flashpoints involving Beijing, such as a focus on Czech government systems after a presidential meeting with the Dalai Lama. The operators also reportedly targeted Thailand shortly before a high‑profile state visit by the Thai king to China, hinting at classic intelligence collection around sensitive diplomatic events. 

According to sources cited in the report, Palo Alto executives ordered the language to be watered down after China moved to ban software from about 15 U.S. and Israeli cybersecurity vendors, including Palo Alto, on national security grounds. Leadership allegedly worried that an explicit attribution to China could trigger further retaliation, potentially putting staff in the country at risk and jeopardizing business with Chinese or China‑exposed customers worldwide. The episode illustrates the mounting commercial and personal-security stakes facing global security vendors that operate in markets where they may also be calling out state-backed hacking. 

The researchers who reviewed Unit 42’s technical findings say they have observed similar tradecraft and infrastructure in activity they already attribute to Chinese state-sponsored espionage. U.S. officials and independent analysts have for years warned of increasingly aggressive Chinese cyber operations aimed at burrowing into critical infrastructure and sensitive government networks, a trend they see reflected in the Shadow Campaigns’ breadth and persistence. While Beijing consistently denies involvement in hacking, the indicators described by Palo Alto and others fit a pattern Western intelligence agencies have been tracking across multiple high‑impact intrusions. 

China’s embassy in Washington responded by reiterating that Beijing opposes “all forms of cyberattacks” and arguing that attribution is a complex technical issue that should rest on “sufficient evidence rather than unfounded speculation and accusations.” The controversy around Palo Alto’s edited report now sits at the intersection of that diplomatic line and the realities of commercial risk in authoritarian markets. For the wider cybersecurity industry, it underscores a hardening dilemma: how to speak plainly about state-backed intrusions while safeguarding employees, customers, and revenue in the very countries whose hackers they may be exposing.
Read more »
HoneyMyte
Chinese Hacker CoolClient Cyber Attacks Data Theft HoneyMyte

HoneyMyte Upgrades CoolClient: New Browser Stealers Target Asia, Europe

 

The HoneyMyte threat group, also known as Mustang Panda or Bronze President, has escalated its cyber espionage efforts by significantly upgrading its CoolClient backdoor malware. This China-linked advanced persistent threat (APT) actor, active since at least 2012, primarily targets government organizations in Asia and Europe to harvest sensitive geopolitical and economic intelligence.

In 2025, security researchers from Kaspersky identified enhanced versions of CoolClient deployed in campaigns hitting countries like Myanmar, Mongolia, Malaysia, Thailand, Russia, and Pakistan.These updates reflect HoneyMyte's ongoing adaptation to evade detection and maximize data theft from high-value targets. CoolClient now employs a multi-stage infection chain, often using DLL side-loading to hijack legitimate applications from vendors like BitDefender, VLC Media Player, and Sangfor. 

This technique allows the malware to masquerade as trusted software while executing malicious payloads for persistence and command-and-control communication. The backdoor supports extensible plugins, including new capabilities to extract HTTP proxy credentials from network traffic—a feature not previously observed in HoneyMyte's arsenal. Combined with tools like ToneShell rootkit, PlugX, and USB worms such as Tonedisk, these enhancements enable deeper system compromise and long-term surveillance.

A standout addition is HoneyMyte's browser credential stealer, available in at least three variants tailored to popular browsers. Variant A targets Google Chrome, Variant B focuses on Microsoft Edge, and Variant C handles multiple Chromium-based browsers like Brave and Opera. The stealer copies login databases to temporary folders, leverages Windows Data Protection API (DPAPI) to decrypt master keys and passwords, then reconstructs full credential sets for exfiltration. This shift toward active credential harvesting, alongside keylogging and clipboard monitoring, marks HoneyMyte's evolution from passive espionage to comprehensive victim surveillance.

Supporting these implants, HoneyMyte deploys scripts for reconnaissance, document exfiltration, and system profiling, often in tandem with CoolClient infections. These campaigns exploit spear-phishing lures mimicking government services in victims' native languages, exploiting regional events for credibility.Earlier variants of CoolClient were analyzed by Sophos in 2022 and Trend Micro in 2023, but 2025 iterations show marked improvements in stealth and modularity. The group's focus on Southeast Asian governments underscores its alignment with Chinese strategic interests.

Organizations face heightened risks from HoneyMyte's refined toolkit, demanding robust defenses like behavioral monitoring for DLL side-loading, browser credential anomalies, and anomalous network traffic. Government entities in targeted regions should prioritize endpoint detection, credential hygiene, and threat intelligence sharing to counter these persistent threats. As HoneyMyte continues innovating—potentially expanding to Europe—proactive measures remain essential against this adaptable adversary.
Read more »
Microsoft Outlook security
Customer Data Cyber Attacks Cyber Phishing Data Theft Hijacking Microsoft Microsoft Outlook Microsoft Outlook security

Malicious Outlook Add-In Hijack Steals 4,000 Microsoft Credentials

 

A breach transformed the AgreeTo plug-in for Microsoft Outlook - once meant for organizing meetings - into a weapon that harvested over four thousand login details. Though built by a third-party developer and offered through the official Office Add-in Store starting in late 2022, it turned against its intended purpose. Instead of simplifying calendars, it funneled user data to attackers. What began as a practical tool ended up exploited, quietly capturing credentials under false trust. 

Not every tool inside Office apps runs locally - some pull data straight from web addresses. For AgreeTo, its feature lived online through a link managed via Vercel. That address stopped receiving updates when the creator walked away, even though people kept using it. With no one fixing issues, the software faded into silence. Yet Microsoft still displayed it as available for download. Later, someone with harmful intent took control of the unused webpage. From there, they served malicious material under the app’s trusted name. A login screen mimicking Microsoft’s design appeared where the real one should have been, according to analysts at Koi Security. 

Instead of authentic access points, users faced a counterfeit form built to harvest credentials. Hidden scripts ran alongside, silently sending captured data elsewhere. After approval in Microsoft’s marketplace, the add-in escaped further checks. The company examines just the manifest when apps are submitted - nothing beyond that gets verified later. Interface components and features load externally, pulled from servers run by developers themselves. 

Since AgreeTo passed initial review, its updated files came straight from machines now under malicious control. Oversight ended once publication was complete. From inside the attacker’s data pipeline, Koi Security found over 4,000 Microsoft login details already taken. Alongside these, information such as credit card records and responses to bank verification questions had also been collected. While analyzing activity, experts noticed live attempts using the breached logins unfolding in real time. 

Opening the harmful AgreeTo add-on in Outlook displayed a counterfeit Microsoft login screen within the sidebar rather than the expected calendar tool. Resembling an authentic authentication portal, this imitation proved hard to recognize as fraudulent. Once victims submitted their details, those credentials got sent through a Telegram bot interface. Following that transfer, individuals saw the genuine Microsoft sign-in page appear - helping mask what had just occurred. Despite keeping ReadWriteItem access, which enables viewing and editing messages, there's no proof the tool tampered with any emails. 

Behind the campaign, investigators spotted a single actor running several phishing setups aimed at financial services, online connectivity firms, and email systems. Notable because it lives inside Microsoft’s official store, AgreeTo stands apart from past threats that spread via spam, phishing, or malvertising. This marks the first time a verified piece of malware has appeared on the Microsoft Marketplace, according to Oren Yomtov at Koi. He also notes it is the initial harmful Outlook extension spotted actively used outside test environments. 

A removal of AgreeTo from the store was carried out by Microsoft. Anyone keeping the add-in should uninstall it without delay, followed by a password change. Attempts to reach Microsoft for input have been made; no reply came so far.
Read more »
Subscribe to: Comments (Atom)