Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
North Korean Hackers
Amazon Security Cyber Attacks DPRK Infiltration Keystroke Latency North Korean Hackers

Amazon Busts DPRK Hacker on Tiny Typing Delay

 

Amazon recently uncovered a North Korean IT worker infiltrating its corporate network by tracking a tiny 110ms delay in keystrokes, highlighting a growing threat in remote hiring and cybersecurity. The anomaly, revealed by Amazon’s Chief Security Officer Stephen Schmidt, pointed to a worker supposedly based in the U.S. but actually operating from thousands of miles away.

The infiltration occurred when a contractor hired by Amazon shipped a company laptop to an individual later found to be a North Korean operative. Commands sent from the laptop to Amazon’s Seattle headquarters typically take less than 100 milliseconds, but these commands took over 110 milliseconds—a subtle clue that the user was located far from the U.S.. This delay signaled that the operator was likely in Asia, prompting further investigation.

Since April 2024, Amazon’s security team has blocked more than 1,800 attempts by North Korean workers to infiltrate its workforce, with attempts rising by 27% quarter-over-quarter in 2025. The North Korean operatives often use proxies and forged identities to access remote IT jobs, funneling earnings into the DPRK’s weapons programs and circumventing international sanctions.

Security monitoring revealed that the compromised laptop was being remotely controlled from China, though it did not have access to sensitive data. Investigators cross-referenced the suspect’s resume with system activity and identified a pattern consistent with previous North Korean fraud attempts. Schmidt noted that these operatives often fabricate employment histories tied to obscure consultancies, reuse the same feeder schools and firms, and display telltale signs such as mangled English idioms.

The front in this case was an Arizona woman who was sentenced to multiple years in prison for her role in a $1.7 million IT fraud ring that helped North Korean workers gain access to U.S. corporate networks. Schmidt emphasized that Amazon did not directly hire any North Koreans but warned that shipping company laptops to contractor proxies can create significant risks.

This incident underscores the importance of thorough background checks and advanced endpoint security for remote workers. Latency analysis, behavioral monitoring, and traffic forensics are now essential tools for detecting nation-state threats in the remote work era. Cybersecurity professionals are urged to go beyond basic vetting—such as LinkedIn scans—and adopt robust anomaly detection to protect against sophisticated grifters.As North Korean fraud tactics continue to evolve, companies must remain vigilant. Every lag, every odd behavior, and every unverified resume could be the first sign of a much larger threat hiding in plain sight.
Read more »
Romanian Waters
Bitlocker Cyber Attacks OT security Ransomware Romanian Waters

Romanian Water Authority Hit by BitLocker Ransomware, 1,000 Systems Disrupted

 

Romanian Waters, the country's national water management authority, was targeted by a significant ransomware attack over the weekend, affecting approximately 1,000 computer systems across its headquarters and 10 of its 11 regional offices. The breach disrupted servers running geographic information systems, databases, email, web services, Windows workstations, and domain name servers, but crucially, the operational technology (OT) systems controlling the actual water infrastructure were not impacted.

According to the National Cyber Security Directorate (DNSC), the attackers leveraged the built-in Windows BitLocker security feature to encrypt files on compromised systems and left a ransom note demanding contact within seven days. Despite the widespread disruption to IT infrastructure, the DNSC confirmed that the operation of hydrotechnical assets—such as dams and water treatment plants—remains unaffected, as these are managed through dispatch centers using voice communications and local personnel.

Investigators from multiple Romanian security agencies, including the Romanian Intelligence Service's National Cyberint Center, are actively working to identify the attack vector and contain the incident's fallout. Authorities have not yet attributed the attack to any specific ransomware group or state-backed actor. 

The DNSC also noted that the national cybersecurity system for critical IT infrastructure did not previously protect the water authority's systems, but efforts are underway to integrate them into broader protective measures. The incident follows recent warnings from international agencies, including the FBI, NSA, and CISA, about increased targeting of critical infrastructure by pro-Russia hacktivist groups such as Z-Pentest, Sector16, NoName, and CARR. 

This attack marks another major ransomware event in Romania, following previous breaches at Electrica Group and over 100 hospitals due to similar threats in recent years. Romanian authorities continue to stress that water supply and flood protection activities remain fully operational, and no disruption to public services has occurred as a result of the cyberattack.
Read more »
Social Engineering
AI Cyber Attacks Data Microsoft phishing Russia Scams Social Engineering

2FA Fail: Hackers Exploit Microsoft 365 to Launch Code Phishing Attacks


Two-factor authentication (2FA) has been one of the most secure ways to protect online accounts. It requires a secondary code besides a password. However, in recent times, 2FA has not been a reliable method anymore, as hackers have started exploiting it easily. 

Experts advise users to use passkeys instead of 2FA these days, as they are more secure and less prone to hack attempts. Recent reports have shown that 2FA as a security method is undermined. 

Russian-linked state sponsored threat actors are now abusing flaws in Microsoft’s 365. Experts from Proofpoint have noticed a surge in Microsoft 365 account takeover cyberattacks, threat actors are exploiting authentication code phishing to compromise Microsoft’s device authorization flow.

They are also launching advanced phishing campaigns that escape 2FA and hack sensitive accounts. 

About the attack

The recent series of cyberattacks use device code phishing where hackers lure victims into giving their authentication codes on fake websites that look real. When the code is entered, hackers gain entry to the victim's Microsoft 365 account, escaping the safety of 2FA. 

The campaigns started in early 2025. In the beginning, hackers relied primarily on code phishing. By March, they increased their tactics to exploit Oauth authentication workflows, which are largely used for signing into apps and services. The development shows how fast threat actors adapt when security experts find their tricks.

Who is the victim? 

The attacks are particularly targeted against high-value sectors that include:

Universities and research institutes 

Defense contractors

Energy providers

Government agencies 

Telecommunication companies 

By targeting these sectors, hackers increase the impact of their attacks for purposes such as disruption, espionage, and financial motives. 

The impact 

The surge in 2FA code attacks exposes a major gap, no security measure is foolproof. While 2FA is still far stronger than relying on passwords alone, it can be undermined if users are deceived into handing over their codes. This is not a failure of the technology itself, but of human trust and awareness.  

A single compromised account can expose sensitive emails, documents, and internal systems. Users are at risk of losing their personal data, financial information, and even identity in these cases.

How to Stay Safe

Verify URLs carefully. Never enter authentication codes on unfamiliar or suspicious websites.  

Use phishing-resistant authentication. Hardware security keys (like YubiKeys) or biometric logins are harder to trick.  

Enable conditional access policies. Organizations can restrict logins based on location, device, or risk level.  

Monitor OAuth activity. Be cautious of unexpected consent requests from apps or services.  

Educate users. Awareness training is often the most effective defense against social engineering.  


Read more »
State sponsored groups
cyber attack Cyber Attacks data security State sponsored groups

Chinese-linked Browser Extensions Linked to Corporate Espionage Hit Millions of Users

 

A Chinese-linked threat actor has been tied to a third large-scale malicious browser extension campaign that has compromised data from millions of users across major web browsers, according to new findings by cybersecurity firm Koi Security. 

The latest campaign, dubbed DarkSpectre, has affected about 2.2 million users of Google Chrome, Microsoft Edge and Mozilla Firefox, the researchers said. 

DarkSpectre has now been linked to two earlier campaigns known as ShadyPanda and GhostPoster, bringing the total number of impacted users across all three operations to more than 8.8 million over a period exceeding seven years. 

Koi Security said the activity appears to be the work of a single Chinese threat actor that it tracks under the name DarkSpectre. The campaigns relied on seemingly legitimate browser extensions that were used to steal data, hijack search queries, manipulate affiliate links and conduct advertising fraud. 

ShadyPanda, which Koi disclosed earlier this month, was found to have affected about 5.6 million users through more than 100 malicious or compromised extensions across Chrome, Edge and Firefox. Some of these extensions remained benign for years before being weaponised through updates. 

One Edge extension waited three days after installation before activating its malicious code, a tactic designed to evade store review processes. The second campaign, GhostPoster, primarily targeted Firefox users with utilities and VPN-style add-ons that injected malicious JavaScript to hijack affiliate traffic and carry out click fraud. 

Investigators also identified related extensions on other browsers, including an Opera add-on masquerading as a Google Translate tool that had close to one million installs. The newly attributed DarkSpectre campaign, also referred to by researchers as the Zoom Stealer operation, involved at least 18 extensions designed to collect sensitive data from online meetings. 

These extensions harvested meeting links, embedded passwords, meeting IDs, topics, schedules and participant details from platforms such as Zoom, Google Meet, Microsoft Teams, Cisco WebEx and GoTo Webinar. 

Researchers said the extensions posed as tools for recording or managing video meetings but quietly exfiltrated corporate meeting intelligence in real time using WebSocket connections. 

The stolen data also included details about webinar hosts and speakers, such as names, job titles, company affiliations and promotional materials. 

“This isn’t consumer fraud, this is corporate espionage infrastructure,” Koi Security researchers Tuval Admoni and Gal Hachamov said in media. They warned that the information could be sold to other threat actors or used for targeted social engineering and impersonation campaigns. 

Koi Security said indicators linking the activity to China included the use of command and control servers hosted on Alibaba Cloud, Chinese-language artifacts in the code, and registrations tied to Chinese provinces. 

Some fraud activity was also aimed at Chinese e-commerce platforms. The researchers cautioned that additional extensions linked to the same actor may still be active but dormant, building trust and user bases before being turned malicious through future updates.
Read more »
Unleash Protocol hack
crypto security breach Cyber Attacks smart contract upgrade attack Unleash Protocol exploit Unleash Protocol hack

Unleash Protocol Suffers $3.9M Crypto Loss After Unauthorized Smart Contract Upgrade

 

Decentralized intellectual property platform Unleash Protocol has reported a loss of approximately $3.9 million in digital assets following an unauthorized upgrade to its smart contracts that enabled illicit withdrawals.

The Unleash team stated that the attacker managed to gain sufficient signing authority to function as an administrator within the project’s multisig governance framework.

"Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade," the company says in a public announcement.

"This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures."

Unleash Protocol positions itself as a blockchain-based operating system for intellectual property management, transforming IP into tokenized on-chain assets. These assets can be used within decentralized finance (DeFi) applications, while smart contracts automate licensing, monetization, and royalty distribution among predefined stakeholders.

By exploiting the unauthorized contract upgrade, the attacker unlocked withdrawal functionality and siphoned multiple assets, including WIP (wrapped IP), USDC, WETH (wrapped Ether), stIP (staked IP), and vIP (voting-escrowed IP).

Blockchain security firm PeckShieldAlert estimates the total losses at roughly $3.9 million.

Following the withdrawals, the stolen funds were bridged using third-party services and sent to external wallets to obscure their movement. PeckShieldAlert further noted that the attacker deposited the funds into the Tornado Cash mixing service, totaling 1,337 ETH.

Tornado Cash, which was sanctioned by the United States in 2022 and later delisted in 2025 for its involvement in laundering funds linked to North Korean hacking groups, allows users to obscure transaction trails before moving funds to new wallets. Although intended to enhance privacy on public blockchains, the service has frequently been misused by cybercriminals to evade tracking and asset recovery.

In response to the breach, Unleash Protocol has halted all platform operations and initiated a comprehensive investigation with external security specialists to identify the root cause. The team is also assessing possible remediation and recovery strategies.

Until further notice, users have been urged to avoid interacting with Unleash Protocol smart contracts and to rely solely on official communication channels for updates regarding platform safety.
Read more »
MgBot malware
China-linked APT Cyber Attacks Cyber Espionage Campaign DNS poisoning attack Evasive Panda MgBot malware

Evasive Panda Uses DNS Poisoning to Deploy MgBot Backdoor in Long-Running Espionage Campaign

 

Security researchers at Kaspersky have uncovered a sophisticated cyber-espionage operation attributed to the China-linked advanced persistent threat (APT) group known as Evasive Panda, also tracked as Daggerfly, Bronze Highland, and StormBamboo. The campaign leveraged DNS poisoning techniques to distribute the MgBot backdoor, targeting select victims across Türkiye, China, and India.

Active for over a decade, Evasive Panda is widely recognized for developing and deploying the custom MgBot malware framework. In 2023, Symantec previously linked the group to an intrusion at an African telecommunications provider, where new MgBot plugins were observed—demonstrating the group’s continued refinement of its cyber-espionage toolkit.

According to Kaspersky, the latest campaign was highly selective in nature and operated for nearly two years, beginning in November 2022 and continuing through November 2024.

The attackers employed adversary-in-the-middle (AiTM) techniques, delivering encrypted malware components through manipulated DNS responses. Each target received a tailored implant designed to evade detection. The MgBot backdoor was injected directly into legitimate processes in memory, frequently using DLL sideloading, allowing the malware to remain concealed for extended periods.

Initial compromise was achieved through fake software updates masquerading as legitimate applications. In one observed case, threat actors distributed a malicious executable posing as a SohuVA update, likely delivered through DNS poisoning that redirected update requests to infrastructure under attacker control.

“The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, clearly impersonates a real SohuVA update to deliver malware from the following resource”

“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package.”

Beyond SohuVA, similar trojanized updaters were observed targeting widely used applications such as iQIYI Video, IObit Smart Defrag, and Tencent QQ, often launched by legitimate system services to reinforce trust and avoid suspicion.

The initial malware loader, written in C++ and built using the Windows Template Library, was disguised as a harmless sample project. Once executed, it decrypted and decompressed its configuration data, revealing installation directories, command-and-control domains, and encrypted MgBot parameters. The malware dynamically altered its behavior based on the active user context, decrypted strings only at runtime, and used XOR and LZMA obfuscation to hinder analysis. Ultimately, it executed shellcode directly in memory after modifying memory permissions, enabling covert deployment without leaving obvious forensic traces.

The infection chain followed a multi-stage execution model. The first-stage loader launched shellcode that concealed API usage by resolving Windows functions via hashing. This shellcode searched for a specific DAT file within the installation directory. If found, the file was decrypted using Windows CryptUnprotectData, ensuring it could only be accessed on the infected system, before being deleted to erase evidence.

If the DAT file was absent, the shellcode retrieved the next stage from the internet. Through DNS poisoning, victims were redirected to attacker-controlled servers while believing they were accessing legitimate domains such as dictionary.com. System details, including the Windows version, were transmitted via HTTP headers, allowing attackers to tailor payloads accordingly. The downloaded data was decrypted using XOR, memory permissions were altered, and the payload was executed. The malware later re-encrypted the payload and stored it in a newly created DAT file, often unique to each victim.

Researchers also identified a secondary loader named libpython2.4.dll, which masqueraded as a legitimate Windows library. This component was loaded through a signed executable, evteng.exe—an outdated Python binary—to further mask malicious activity. The loader recorded its file path in status.dat, likely to support future updates, and decrypted additional payloads from perf.dat, which were also delivered via DNS poisoning. Throughout this process, the attackers repeatedly renamed and relocated the payloads, decrypting them with XOR and re-encrypting them using a customized combination of DPAPI and RC5, effectively binding the malware to the infected host and complicating analysis.

Kaspersky telemetry indicates confirmed victims in Türkiye, China, and India, with some systems remaining compromised for more than a year. The prolonged duration of the operation highlights the attackers’ persistence, operational maturity, and access to substantial resources.

The observed tactics, techniques, and procedures (TTPs) strongly align with previous Evasive Panda operations. While a new loader was introduced, the attackers continued to rely on the long-established MgBot implant, albeit with updated configuration elements. As seen in earlier campaigns, Evasive Panda favored stealthy propagation methods such as supply-chain compromise, adversary-in-the-middle attacks, and watering-hole techniques to avoid detection.

“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems.”

“Our investigation suggests that the attackers are continually improving their tactics, and it is likely that other ongoing campaigns exist. The introduction of new loaders may precede further updates to their arsenal.”
Read more »
Russia
Amazon AWS Cloud Security Credential Theft Cyber Attacks GRU Russia

Amazon Says It Has Disrupted GRU-Linked Cyber Operations Targeting Cloud Customers

 



Amazon has announced that its threat intelligence division has intervened in ongoing cyber operations attributed to hackers associated with Russia’s foreign military intelligence service, the GRU. The activity targeted organizations using Amazon’s cloud infrastructure, with attackers attempting to gain unauthorized access to customer-managed systems.

The company reported that the malicious campaign dates back to 2021 and largely concentrated on Western critical infrastructure. Within this scope, energy-related organizations were among the most frequently targeted sectors, indicating a strategic focus on high-impact industries.

Amazon’s investigation shows that the attackers initially relied on exploiting security weaknesses to break into networks. Over multiple years, they used a combination of newly discovered flaws and already known vulnerabilities in enterprise technologies, including security appliances, collaboration software, and data protection platforms. These weaknesses served as their primary entry points.

As the campaign progressed, the attackers adjusted their approach. By 2025, Amazon observed a reduced reliance on vulnerability exploitation. Instead, the group increasingly targeted customer network edge devices that were incorrectly configured. These included enterprise routers, VPN gateways, network management systems, collaboration tools, and cloud-based project management platforms.

Devices with exposed administrative interfaces or weak security controls became easy targets. By exploiting configuration errors rather than software flaws, the attackers achieved the same long-term goals: maintaining persistent access to critical networks and collecting login credentials for later use.

Amazon noted that this shift reflects a change in operational focus rather than intent. While misconfiguration abuse has been observed since at least 2022, the sustained emphasis on this tactic in 2025 suggests the attackers deliberately scaled back efforts to exploit zero-day and known vulnerabilities. Despite this evolution, their core objectives remained unchanged: credential theft and quiet movement within victim environments using minimal resources and low visibility.

Based on overlapping infrastructure and targeting similarities with previously identified threat groups, Amazon assessed with high confidence that the activity is linked to GRU-associated hackers. The company believes one subgroup, previously identified by external researchers, may be responsible for actions taken after initial compromise as part of a broader, multi-unit campaign.

Although Amazon did not directly observe how data was extracted, forensic evidence suggests passive network monitoring techniques were used. Indicators included delays between initial device compromise and credential usage, as well as unauthorized reuse of legitimate organizational credentials.

The compromised systems were customer-controlled network appliances running on Amazon EC2 instances. Amazon emphasized that no vulnerabilities in AWS services themselves were exploited during these attacks.

Once the activity was detected, Amazon moved to secure affected instances, alerted impacted customers, and shared intelligence with relevant vendors and industry partners. The company stated that coordinated action helped disrupt the attackers’ operations and limit further exposure.

Amazon also released a list of internet addresses linked to the activity but cautioned organizations against blocking them without proper analysis, as they belong to legitimate systems that had been hijacked.

To mitigate similar threats, Amazon recommended immediate steps such as auditing network device configurations, monitoring for credential replay, and closely tracking access to administrative portals. For AWS users, additional measures include isolating management interfaces, tightening security group rules, and enabling monitoring tools like CloudTrail, GuardDuty, and VPC Flow Logs.

Read more »
Infrastructure Security
Critical Infrastructure Security Cyber Attacks Cyber Security Ransomware Attacks Cyber Threats Hypervisor Infrastructure Security

Hypervisor Ransomware Attacks Surge as Threat Actors Shift Focus to Virtual Infrastructure

 

Hypervisors have emerged as a highly important, yet insecure, component in modern infrastructural networks, and attackers have understood this to expand the reach of their ransomware attacks. It has been observed by the security community that the modes of attack have changed, where attackers have abandoned heavily fortified devices in favor of the hypervisor, the platform through which they have the capability to regulate hundreds of devices at one time. In other words, a compromised hypervisor forms a force multiplier in a ransomware attack. 

Data from Huntress on threat hunting indicates the speed at which this trend is gathering pace. Initially in the early part of 2025, hypervisors were involved in just a few percent of ransomware attacks. However, towards the latter part of the year, this number had risen substantially, with hypervisor-level encryption now contributing towards a quarter of these attacks. This is largely because the Akira ransomware group is specifically leveraging vulnerabilities within virtualized infrastructure.  

Hypervisors provide attackers the opportunity by typically residing outside the sight of traditional security software. For this reason, bare-metal hypervisors are of particular interest to attackers since traditional security software cannot be set up on these environments. Attacks begin after gaining root access, and the attackers will be able to encrypt the disks on the virtual machines. Furthermore, attackers will be able to use the built-in functions to execute the encryption process without necessarily setting up the ransomware. 

In this case, security software would be rendered unable to detect the attacks. These attacks often begin with loopholes in credentials and network segmentation. With the availability of Hypervisor Management Interfaces on the larger internets inside organizations, attackers can launch lateral attacks when they gain entry and gain control of the virtualization layer. Misuse of native management tools has also been discovered by Huntress for adjusting Machine Settings, degrading defenses, and preparing the environment for massive Ransomware attacks. 

Additionally, the increased interest in hypervisors has emphasized that this layer must be afforded the equivalent security emphasis on it as for servers and end-points. Refined access controls and proper segmentation of management networks are required to remediate this. So too is having current and properly maintained patches on this infrastructure, as it has been shown to have regularly exploited vulnerabilities for full administrative control and rapid encryption of virtualized environments. While having comprehensive methods in place for prevention, recovery planning is essential in this scenario as well. 

A hypervisor-based ransomware is meant for environments, which could very well go down, hence the need for reliable backups, ideally immutables. This is especially true for organizations that do not have a recovery plan in place. As ransomware threats continue to evolve and become more sophisticated, the role of hypervisors has stepped up to become a focal point on the battlefield of business security. 

This is because by not securing and protecting the hypervisor level against cyber threats, what a business will essentially present to the cyber attackers is what they have always wanted: control of their whole operation with a mere click of their fingers.
Read more »
personal data leak
Cyber Attacks Data Leak data security Data Theft employee data exposed Jaguar Jaguar Land Rover cyberattack payroll security breach personal data leak

Jaguar Land Rover Confirms Employee Data Theft After August 2025 Cyberattack

 

British luxury carmaker Jaguar Land Rover has confirmed that a cyberattack uncovered in August 2025 led to the theft of payroll and personal data of thousands of current and former employees. After this disclosure, the company asked the affected people to remain alert about identity theft, phishing attempts, and financial fraud. 

The breach represents the first official acknowledgement from JLR that employee personal information was compromised during the incident. Earlier statements had focused largely on the operational disruption caused by the attack, which forced the temporary shutdown of vehicle production across several manufacturing facilities for several weeks. The company employs more than 38,000 people worldwide. Records pertaining to former employees and contractors were also affected. 

Internal communications shared with staff revealed that forensic investigations determined attackers took unauthorized access to payroll administration systems. These systems would include sensitive employment-related records, including data associated with salaries, pension contributions, employee benefits, and information about dependents. While JLR has stated that there is currently no evidence that the stolen information has been publicly leaked or actively misused, the nature of the exposed data creates a heightened risk profile.  

Cybersecurity experts point out that payroll systems usually host very sensitive identifiers such as bank account details, national insurance numbers, tax information, residential addresses, and compensation records. Even partial data exposure could increase the chances of identity fraud, account takeover attempts, and targeted social engineering attacks by a great degree. In response, JLR has recommended that the affected keep themselves aware of unsolicited communications and enhance passwords related to personal and professional accounts. 

For the sake of mitigation, the company has declared two years of free credit and identity monitoring services for its current and former affected employees. A dedicated helpline is also established for phone support, to assist with queries, advise on protective measures, and take reports of suspected fraudulent activity. This decision by JLR comes after forensic analysis had continued post-restoration of safe production operations. 

The breach has been formally reported to the UK's Information Commissioner's Office (ICO), which has confirmed it is conducting enquiries into the incident. The regulator has asked for more information about the extent of the breach, what security controls were in place at the time of the attack, and what remedial action has been taken since the intrusion was detected. The after-effects of the cyberattack spilled over beyond JLR's workforce. 

The disruption reportedly affected almost 5,000 supplier and partner organizations, reflecting the interconnected nature of modern manufacturing supply chains. Estimates place the overall economic impact of the incident at roughly ₹20,000 crore. Official figures suggest the disruption contributed to a measurable contraction in the UK economy during September 2025. JLR also announced that the attack resulted in the quarterly sales decline of an estimated ₹15,750 crore, along with a one-time recovery and remediation cost of around ₹2,060 crore. 

The costs comprised restoration of systems, security controls enhancement, and incident response. The intrusion, which was earlier claimed by a hacking group named "Scattered Lapsus Hunters" that had earlier been involved with attacks on major retail organizations, has alleged that the organization also accessed customer data. 
However, Jaguar Land Rover claims that evidence supporting those claims has not been found. Investigations are ongoing, and the firm has announced that it will keep informing employees, regulators, and other stakeholders as more information becomes available.
Read more »
Voice Cloning
AI Impersonation Cyber Attacks Encrypted Messaging Abuse FBI Government Cyber Threats Signal Exploits Smishing Attacks Social Engineering Vishing Scams Voice Cloning

Cyber Threat Actors Escalate Impersonation of Senior US Government Officials


Federal law enforcement officials are raising a lot of concern about an ongoing cybercrime operation involving threat actors impersonating senior figures across the American political landscape, including state government leaders, White House officials, Cabinet members, and congressional members. 

These threat actors continue to impersonate senior figures in the American political landscape. Based on information provided by the FBI, the social engineering campaign has been operating since at least 2023. 

The campaign relies on a calculated mix of both text-based and voice-based social engineering techniques, with attackers using smishing and increasingly sophisticated artificial intelligence-generated voice messages to bolster their legitimacy. 

There have been no shortages of victims in this operation, not only government officials, but also their family members and personal contacts, demonstrating the breadth of the operation and its persistence. 

Often when fraudsters initiate contact, they reference familiar or contextually relevant topics in order to elude detection while moving the fraud forward with the threat of taking down the target on encrypted messaging platforms. This tactic is often used to evade detection and further advance the fraud.

Several federal law enforcement agencies have identified this activity as part of a widespread espionage operation developed by a group of individuals who are impersonating United States government officials to obtain potentially sensitive information, as well as to perpetrate financial and influence-driven scams. 

In May, the bureau updated its report on the campaign, which indicated that it had been active since at least April 2025. However, in a follow-up update from Friday, it revised that assessment, adding that there is evidence that the impersonation campaign goes back to 2023, as well as the previous year. 

An FBI public service announcement revealed that malicious actors have posed as government officials and cabinet members of the White House, members of Congress and high-level officials of state governments in order to engage targets that have apparently included the officials' family members and personal acquaintances as targets. 

During the Trump administration, the government used encryption-enhanced messaging platforms, such as Signal, along with voice cloning technology that is designed to replicate the sounds of senior officials to convincingly mimic senior officials in government—taking advantage of the platform’s legitimate use during the administration as a way to communicate with government officials. 

It appears that the activity may have persisted across multiple administrations, including the Biden presidency, based on the expanded timeline, even though there has been no indication of how many individuals, groups, or distinct threat actors may have been involved during the period of the campaign. 

During the ongoing campaign, the FBI has published detailed guidelines that can assist individuals in recognizing and responding to suspicious communications in order to counter the ongoing campaign. In addition, the bureau advises consumers to do independent research before engaging anyone claiming to be a government official, such as researching the number, organization, or person from which the contact is coming, and verifying the legitimacy of that contact by using an independent contact method obtained separately. 

The importance of paying attention to subtle variations in email addresses, phone numbers, URLs, and spelling must be stressed above all else, since attackers often rely on subtle differences in order to make their attacks appear legitimized. 

As part of the guidance, people also highlight the telltale signs of manipulated or artificially generated content, including visual irregularities, unnatural movements, distorted features, and discrepancies in light and shadow, as well as audio cues such as call lag, mismatched speech patterns, or unnatural sound. 

Since artificial intelligence-driven impersonation tools have become increasingly sophisticated, the FBI cautions that the message may not be easily distinguishable from a genuine communication if it is not carefully examined. Anyone who has any doubts is encouraged to contact their organization's security teams or report the activity to the FBI. 

According to CSIA, the activity is primarily aimed at targets in the United States, the Middle East, and Europe that are high-value targets, including current and former senior government officials, military personnel, and political officials, along with civil society organizations, and other at-risk individuals. 

There are three dominant techniques that are used by the group to conduct this operation: phishing campaigns and malicious QR codes that are used to link a malicious computer to a victim’s account, zero-click exploits, which do not require interaction from the victim, and impersonating widely trusted messaging platforms such as Signal and WhatsApp to persuade targets to install spyware or provide information. 

In a recent study published by Google, CISA cited how multiple Russian-aligned espionage groups have abused Signal's "linked devices" feature by causing victims to scan weaponized QR codes, which has allowed attackers to silently pair their own infrastructure with the victim's account and receive messages simultaneously without completely compromising the victim's device. 

Additionally, the advisory noted that there is a growing trend among threat actors that they use completely counterfeit messaging applications instead of phishing pages to deceive their targets. This tactic has been recently shown in the findings of Android spyware masquerading as Signal that was targeting individuals in the United Arab Emirates and siphoning their backups of chats, documents, media, and contacts. 

A warning has been issued following an intensified international crackdown on commercial spyware, including a landmark ruling from a federal court in October which permanently barred NSO Group from targeting WhatsApp. Meta previously referred to that ruling as being a significant step forward in user privacy. 

In total, these disclosures demonstrate the rapid evolution of impersonation techniques that are changing the threat landscape for both public institutions and individuals. As a result, traditional trust signals are eroded by the convergence of encrypted communications, artificial intelligence-enabled voice synthesis, and social engineering. This has forced both governments and businesses to rethink the way sensitive interactions are initiated and verified in the future. 

Experts in the field of cybersecurity are increasingly emphasizing the importance of stricter authentication protocols, routine cybersecurity training for high-risk individuals, and clearer guidelines on how encrypted platforms should be used in official business. 

The campaign, which has been widely seen in government circles, also serves as a warning to businesses, civil society groups, and individuals that proximity to famous figures can themselves pose a risk to hackers. 

In the process of investigating and refining their response to these threats, federal agencies will have to find ways to strike a balance between the legitimate benefits of modern communication tools and measures that protect them from being exploited by others. For such campaigns to be limited in effect and for trust to be preserved in both digital communications and democratic institutions, sustained vigilance, cross-agency coordination, and public awareness will be critical.
Read more »
Microsoft Defender
Cyber Attacks Cyber Defender cybersecurity risks Malware Attack Malware Service Microsoft Defender

CountLoader and GachiLoader Malware Campaigns Target Cracked Software Users

 

Cybersecurity analysts have uncovered a new malware campaign that relies on cracked software download platforms to distribute an updated variant of a stealthy and modular loader known as CountLoader. According to researchers from the Cyderes Howler Cell Threat Intelligence team, the operation uses CountLoader as the entry point in a layered attack designed to establish access, evade defenses, and deploy additional malicious payloads. 

CountLoader has been observed in real-world attacks since at least June 2025 and was previously analyzed by Fortinet and Silent Push. Earlier investigations documented its role in delivering widely used malicious tools such as Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and cryptomining malware. The latest iteration demonstrates further refinement, with attackers leveraging familiar piracy tactics to lure victims. 

The infection process begins when users attempt to download unauthorized copies of legitimate software, including productivity applications. Victims are redirected to file-hosting platforms where they retrieve a compressed archive containing a password-protected file and a document that supplies the password. Once extracted, the archive reveals a renamed but legitimate Python interpreter configured to run malicious commands. This component uses the Windows utility mshta.exe to fetch the latest version of CountLoader from a remote server.  

To maintain long-term access, the malware establishes persistence through a scheduled task designed to resemble a legitimate Google system process. This task is set to execute every 30 minutes over an extended period and relies on mshta.exe to communicate with fallback domains. CountLoader also checks for the presence of endpoint protection software, specifically CrowdStrike Falcon, adjusting its execution method to reduce the risk of detection if security tools are identified. 

Once active, CountLoader profiles the infected system and retrieves follow-on payloads. The newest version introduces additional capabilities, including spreading through removable USB drives and executing malicious code entirely in memory using mshta.exe or PowerShell. These enhancements allow attackers to minimize their on-disk footprint while increasing lateral movement opportunities. In incidents examined by Cyderes, the final payload delivered was ACR Stealer, a data-harvesting malware designed to extract sensitive information from compromised machines. 

Researchers noted that the campaign reflects a broader shift toward fileless execution and the abuse of trusted, signed binaries. This approach complicates detection and underscores the need for layered defenses and proactive threat monitoring as malware loaders continue to evolve.  

Alongside this activity, Check Point researchers revealed details of another emerging loader named GachiLoader, a heavily obfuscated JavaScript-based malware written in Node.js. This threat is distributed through the so-called YouTube Ghost Network, which consists of hijacked YouTube accounts used to promote malicious downloads. The campaign has been linked to dozens of compromised accounts and hundreds of thousands of video views before takedowns occurred. 

In some cases, GachiLoader has been used to deploy second-stage malware through advanced techniques involving Portable Executable injection and Vectored Exception Handling. The loader performs multiple anti-analysis checks, attempts to gain elevated privileges, and disables key Microsoft Defender components to avoid detection. Security experts say the sophistication displayed in these campaigns highlights the growing technical expertise of threat actors and reinforces the importance of continuously adapting defensive strategies.
Read more »
Russia Linked Hackers
Account Takeover Threats Cyber Attacks Device Code Phishing Entra ID Security Microsoft 365 Security Nation State Cyber Attacks OAuth Authentication Abuse Russia Linked Hackers

Microsoft 365 Users Targeted by Russia-Linked Device Code Phishing Operations


The global network infrastructure is experiencing a wave of sophisticated cyber intrusions as states-sponsored and financially motivated hackers are increasingly exploiting a legitimate Microsoft authentication mechanism to seize control of enterprise accounts in a broad range of sectors. 

There has been a recent investigation which uncovered attackers with ties to both Russian and Chinese interests have been exploiting Microsoft's OAuth 2.0 device authorization grant flow in an effort to deceive users into unknowingly granting them access to their Microsoft 365 environments through this feature designed to simplify secure logins. 

Through the use of fraudulently masquerading institutions and convincing targets to authenticate using authentic Microsoft services, attackers are able to obtain valid access tokens that enable persistent account compromises without requiring the compromise of the target's password. The Russian-linked threat actor Storm-2372 has been targeting government bodies and private organizations since August 2024 and has been one of the most active groups in this regard. 

In order to get the highest level of effectiveness from the device code phishing tactics, it has been proven to be more effective than conventional spear-phishing tactics. It has been conducted throughout Africa, Europe, the Middle East, and North America. Government, defence, healthcare, telecommunications, education, energy, and non-government organizations have been included in the campaign. 

It has been determined that the scale, targeting patterns, and operational discipline of the activity strongly point towards a coordinated nation-state effort aligned with Russian strategic objectives, as confirmed by Microsoft's Threat Intelligence Center. 

The campaign is now more clearly connected to an organization believed to be aligned with the Russian government. It has been a sustained phishing operation that leveraged Microsoft's device code authentication workflow to compromise Microsoft 365 accounts by using a sustained phishing operation. Under the designation UNK_AcademicFlare, Proofpoint has tracked this activity since September 2025 under the designation UNK_AcademicFlare. 

Investigators believe the attackers used email accounts that had previously been compromised from government and military organizations so that they could lend legitimacy to their outreach efforts. In both the United States and Europe, the messages were targeted at individuals and organizations within government agencies, policy think tanks, higher education institutions, and transportation-related organizations. 

There are deliberate steps involved in the approach. It begins with seemingly innocuous correspondence tailored to the recipient’s professional background, usually framed as preparations for an interview or collaboration. In order for victims to be informed, the sender will offer a document purported to outline discussion topics. The document will be hosted at a link that appears to be a Microsoft OneDrive account impersonating the sender.

There is a link within the email that actually redirects users to a Cloudflare Worker, which redirects the user to Microsoft's legitimate account lock page, during which the user enters the provided authentication code, which unwittingly authorizes access and generates a valid token that enables full account hijacking. 

Researchers in the field of cybersecurity note that this technique has gained traction, having been extensively documented earlier this year by Microsoft and Volexity and linked to clusters that are associated with Russia, such as Storm-2372 and APT29. 

Recent warnings from Amazon Threat Intelligence and Volexity have shown that it is still being used by Russian attackers. According to the latest technical details published by Microsoft and independent researchers, there have been several mechanisms behind the campaign that can shed light on the mechanisms that operate behind it. 

A Microsoft disclosure dated February 14, 2025 confirmed that Storm-2372 had begun authenticating through a specific Microsoft Authentication Broker client ID while using the device code sign-in method, which in turn allowed attackers to get refresh access tokens with the new Authentication Broker client ID. 

A device registration token can be exchanged into credentials linked to the device registration service after it has been acquired by an adversary, which makes it possible for that adversary to enroll attacker-controlled systems into Microsoft Entra ID and maintain persistent access for massive email harvesting operations. 

As a result of investigations, high-profile institutions such as the United States Department of State, the Ukrainian Ministry of Defense, the European Parliament, and prominent research organizations have been impersonated in the activities. Researchers have concluded that APT29, a group of malicious actors also known as Cozy Bear, Midnight Blizzard, Cloaked Ursa, and The Dukes, may be the cluster that is driving this activity. 

According to Volexity's case studies, operators are exploiting real-time communication channels as a means of accelerating victim compliance through real-time communication channels. In one incident, UTA0304 contacted a victim via Signal before moving the conversation to Element, and ultimately directed the target to a legitimate Microsoft page asking for an account code, pretending to be a secure chat service provider. 

A malicious attacker might use immediacy and context to convince the victims to act quickly, a tactic similar to those employed by marketing groups to promote Microsoft Teams meetings held by groups related to the phishing attack. 

A response from Microsoft has been to disable the device code flow whenever possible, restrict Entra ID access to trusted networks and devices via Conditional Access, and actively monitor sign-in logs for anomaly activity related to device code, including rapid authentication attempts and logins that originate from unknown locations, in order to prevent this from happening.

It is highly likely that organisations will have to implement layered technical controls in order to reduce exposure to this evolving threat in light of the fact that employee awareness alone cannot counter this evolving threat. In its recommendation to enterprises, Proofpoint recommends explicitly limiting the use of device code authentication. This can be described as the most effective way to prevent misuse of the OAuth device flow by enterprises. 

The adoption of such control systems begins with auditing or report-only deployments, which allows security teams to evaluate potential operational impacts by analyzing historical sign-in data before implementing them in their entirety. 

Providing a more granular, allow-list-based approach where a complete block is not feasible, researchers recommend that device code authentication be limited to narrowly defined and approved scenarios, for example, specific users, operating systems that are trusted, or network locations that are well known.

In addition to these safeguards, additional safeguards can also be implemented by requiring Microsoft 365 sign-ins to originate from compliant or registered devices, particularly in environments that use device registration or Microsoft Intune as authentication methods. Proofpoint warns, however, that misuse of OAuth authentication mechanisms is likely to increase as organizations begin adopting FIDO-compliant multifactor authentication, thus highlighting the need to implement proactive policies and continuous monitoring of these systems. 

Furthermore, researchers have also discovered a broader ecosystem of infrastructure and social engineering techniques that are being used to maintain and expand the campaign, which is ongoing. During the analysis of the phishing URLs, researchers noted that some of them were temporarily inactive. However, the accompanying emails instructed recipients to copy and share the full URL of the browser in case of an error, which is consistent with the tactics used for OAuth device code phishing to extract usable authentication data.

Among the domains involved, ustrs[.]com, seems to have been purchased as a result of a domain auction or resale service. Though the domain was originally registered in early 2020, WHOIS records indicate that it was updated in late 2025, a strategy that has long been used as a way of evading reputation-based security controls that rely heavily on domain age as a signal of trustworthiness.

It was Volexity that observed the same sender approach additional organizations in November 2025, promoting a conference registration link on brussels-indo-pacific-forum[.]org, which has been created to mimic the Brussels Indo-Pacific Dialogue, in an attempt to fool the target audience.

As soon as the victims attempted to sign up for the site, they were presented with a Microsoft 365 authentication process disguised as a legitimate signup process, which then sent them to a benign confirmation page. According to research conducted in connection with Belgrade Security Conference earlier campaigns, subsequent access to compromised accounts was routed through proxy network infrastructures to conceal the attackers' origin, as seen in earlier campaigns. 

Further research has demonstrated that by exploiting standard professional courtesies, operators were systematically extending their reach. When targets declined event invitations, multiple times, as tracked as activity associated with UTA0355, they were urged to register for updates, to share contact details with colleagues who might be interested, and to share contact information with other colleagues who may have been interested as well. 

At least one example involved an unwitting intermediary introducing a new target to the threat actor through an unwitting intermediary, which enabled the attackers to gather new leads organically. In addition, domain registration data related to impersonated events revealed other infrastructure that may have been associated with the same cluster, according to WHOIS data for bsc2025[.]org, a domain resembling Belgrade Security Conference, which was registered using the address mailum[.]com, a relatively unknown e-mail service. 

The Volexity investigation was expanded to identify other domains masquerading as the World Nuclear Exhibition scheduled for November 2025, including world-nuclear-exhibition-paris[.]com, wne-2025[.]com, and confirmyourflight-parisaeroport[.]com, that gave the impression that the World Nuclear Exhibition was being held in Paris. In spite of the fact that researchers do not believe their domains were specifically utilized in confirmed attacks, they can assess that they might have assisted the campaign in its early stages. 

Overall, these findings illustrate a shift in how advanced threat actors are increasingly relying on trusted identity frameworks in place of traditional malware and credential theft in order to carry out their attacks. It has been demonstrated that these campaigns reduce the likelihood of detection, increase user compliance, and decrease the likelihood of detection by weaponizing legitimate authentication flows and embedding them within credible professional interactions.

Organisations may have to deal with longer-term risks associated with persistent access in addition to immediate account compromise, data exposure, internal reconnaissance, and follow-up attacks resulting from persistent access. As a result, security teams are urged to revisit assumptions regarding "trusted" login mechanisms, to improve identity governance, and to ensure visibility into events that do not involve interactive interaction and that are based on a device. 

An attack surface can be significantly reduced by taking proactive measures such as tightening OAuth permissions, auditing registered devices and applications, and stress testing Conditional Access policies. Moreover, leadership and security stakeholders need to be aware that modern phishing campaigns are increasingly modeled on legitimate business workflows, and that defense strategies must be complemented by context-aware user education in order to protect themselves. 

A number of low-friction, high-impact attack techniques are being refined by attackers to gain a higher degree of sophistication, which makes it more challenging for organisations that treat this aspect of their operations as a core operational priority to stop intrusions before they become systemic breaches.
Read more »
VolkLocker
Cryptographic Vulnerability Cyber Attacks Cyber Extortion CyberVolk Pro Russian Hacktivists Ransomware Ransomware As A Service Telegram Command And Control Threat Intelligence VolkLocker

CyberVolk Ransomware Fails to Gain Traction After Encryption Misstep


 

CyberVolk, a pro-Russian hacktivist collective, has intensified its campaign of ransomware-driven intimidation against entities perceived as hostile to Moscow in the past year, marking a notable change in both scale and presentation, marking a notable shift in its operations. 

In addition to its attacks, the group has become increasingly adept at constructing carefully constructed visual branding, including the release of stylized ransomware imagery to publicize successful intrusions in addition to attacking. It seems that these visuals, which were enhanced by deliberately inflammatory language and threatening tone, were not intended simply to announce breaches, but rather to amplify psychological pressure for victims and broader audiences alike. 

In October 2024, CyberVolk appeared to have a clear strategy in the ransoming of several Japanese organizations, including the Japan Oceanographic Data Center and the Japan Meteorological Agency, in which they claimed responsibility for the ransoming. CyberVolk has reportedly altered the desktop wallpapers of several victims prior to starting the encryption process, using the act itself as a signal of control and coercion to control and coerce them. 

CyberVolk's plans to venture into the ransomware-as-a-service ecosystem, however, seem to have been undermined by fundamental technical lapses that were clearly underhand. As part of its strategy to attract affiliates, this group has recently launched a new ransomware strain called VolkLocker, positioning it as a RaaS offering designed to expand its operational reach and attract affiliates. 

A SentinelOne research team has found that the malware has severe cryptographic and implementation weaknesses that greatly reduce its effectiveness, according to a study conducted by researchers. It is worth noting that the encryptor is specifically hardcoded directly into the ransomware binary as well as written in plaintext to a hidden file on compromised systems, compounding the error. 

VolkLocker's credibility and viability within the cybercrime market is severely undermined by the vulnerability of extracting and reusing the exposed key, which could possibly allow organizations to recover their data without having to pay a ransom. As a consequence, affected organizations could potentially recover their data without paying a ransom. 

It was last year when the Infosec Shop and other researchers first started documenting CyberVolk's activities that it caught the attention of the security community, and when it became known that the hacktivist collective was pro-Russian. CyberVolk appears to be operating in the same ideological space as outfits such as CyberArmyofRussia_Reborn and NoName057(16) — both of which have been linked to the Russian military intelligence apparatus and President Vladimir Putin by US authorities. 

However, CyberVolk has yet to be proven to maintain direct ties with the Russian governing authorities. Additionally, CyberVolk has a distinctive operational difference from many of its peers. Compared to comparable hacktivist teams, which tend to focus their efforts on disruption but low-impact distributed denial-of-service attacks, CyberVolk has consistently utilized ransomware as part of its campaigns. 

Researchers have noted that after repeated bans from Telegram in 2025, the group almost disappeared from public view for the first half of 2025, only to resurface in August with a revamped ransomware service based on VolkLocker. In analyzing the operations, it is evident that an uneven scaling attempt has taken place, combining fairly polished Telegram automation with malware payloads that retain signs of testing and incomplete hardening. 

VolkLocker is written in Go and designed to work across both Windows and Linux environments. In addition to enabling user communication, Telegram-based command-and-control functionality, it also handles system reconnaissance, decryption requests, and the decryption of sensitive data. In order to configure new payloads, affiliates must provide operational details such as Bitcoin payment addresses, Telegram bot credentials, encryption deadlines, file extensions, and self-destruct parameters. 

Among the backbones of this ecosystem is Telegram, which is responsible for providing communication, tool distribution, and customer support services. However, some operators have reported extending the default C2 framework to include keylogging and remote access capabilities. As of November, the group was advertising standalone remote access trojans and keyloggers in addition to its RaaS offerings, and these packages included tiered pricing options. 

The ransomware is capable of escalating privileges, bypassing Windows User Account Control, selectively encrypting files based on pre-defined exclusion rules, and applying AES-256 encryption in GCM mode, which emphasizes CyberVolk's ongoing attempts to mix ideological messaging with the increasingly commercialized nature of cybercrime. 

In the course of further technical analysis of VolkLocker, it has been revealed that the ransomware has been shaped by an aggressive design choice and critical implementation errors. One of the most notable features of the program is its integration of a timer function written in Go that can be configured to initiate a destructive wipe upon expiration of the countdown or upon entering an incorrect password into the ransom note in HTML.

Upon activation, the routine targets the most common user directories, such as Documents, Downloads, Pictures, and the Desktop, making the users vulnerable to permanent data loss. In order to access CyberVolk's ransomware-as-a-service platform, one must pay approximately $800 to $1,100 for an operating system that supports just one operating system, or $1,600 to $2,200 for a build that supports both Windows and Linux operating systems. 

In the early days of the group, affiliates obtained the malware by using Telegram-based builder bots that were able to customize encryption parameters and create customized payloads, indicating that the group relied heavily on Telegram as a delivery and coordination platform. 

As of November 2025, the same operators have expanded their commercial offerings, advertising standalone remote access trojans and keyloggers for $500 each, further signaling a desire to diversify their offerings from merely ransomware to a wide range of security technologies. Nevertheless, VolkLocker’s operations have a serious cryptographic weakness at the core of their operation that makes it difficult for them to be effective. 

As part of the encryption process, AES-256 is employed in Galois/Counter Mode and a random 12-byte nonce is generated for each file before it deletes the original and adds extensions such as .locked or .cvolk to the encrypted copies after destroying the original files. Although the system seems to be designed to be quite strong, researchers found that all files on a victim's system are encrypted using a single master key which is derived from a 64-character hexadecimal string embedded directly in the binary files. 

Additionally, the same key is stored in plaintext to a file named system_backup.key, which is never removed, compounding the problem. This backup appears to be a testing artifact that was inadvertently left in production builds, and SentinelOne suggests that it might be able to help victims recover their data without paying a ransom for it. 

While the flaw offers a rare advantage to those already affected, it is expected that when it is disclosed to the public, the threat actors will take immediate steps to remedy the issue. The majority of security experts advise that, generally, the best way to share such weaknesses with law enforcement and ransomware response specialists while an operation is ongoing, is by utilizing private channels. This is done in order to maximize victim assistance without accelerating adversary adaptation, thus maximizing victim assistance without accelerating adversary adaptation. 

The modern cyber-extortion economy is sustained by networks of hackers, affiliates, and facilitators that work together to run these campaigns. In order to understand this landscape effectively, open-source intelligence was gathered from social media activity and media reporting. These activities highlighted the existence of a broad range of actors operating within it. 

One such group is the Ukrainian-linked UA25 collective, whose actions retaliate against Russian infrastructure are often accompanied by substantial financial and operational damage, with a claim to responsibility publicly made in the media. In such cases, asymmetrical cyber conflict is being highlighted, where loosely organized non-state actors are able to cause outsized damage to much larger adversaries, underscoring the asymmetrical nature of contemporary cyber conflict. 

In this climate, Russian cybercriminal groups are often able to blur the line between ideological alignment and financial opportunism, pushing profit-driven schemes under the banner of political activism in an effort to achieve political goals. CyberVolk is an example of this hybrid model: CyberVolk aims to gain legitimacy through hacktivist rhetoric while also engaging in extortion and tool sales to monetize its ransomware activity. 

Security firms and independent researchers have been continuously scrutinizing the situation, which has led, in the past few years, to expose internal operational weaknesses, including flawed cryptographic practices, insecure key handling, which can be leveraged to disrupt campaigns and, in some cases, aid law enforcement and takedown efforts on a broader scale. This has been reported as well by publications such as The Register. 

In the near-term, analysts warn that ransomware operations will likely get more sophisticated and destructive - with future strains of ransomware increasingly incorporating elements commonly associated with wiper malware, which encrypts data rather than issuing ransoms. There have been several regulatory actions, sanctions, and government advisories issued throughout 2025 that have laid the foundation for a more coordinated international response to these threats. 

However, experts warn that meaningful progress will depend on a sustained cooperation between governments, technology companies, and private sector firms. In the case of CyberVolk, the technical ambition often outweighs the execution, yet even faulty operations demonstrate a persistent threat from Russian-linked actors, who continue to adapt despite mounting pressures from the West. 

In the wake of recent sanctions targeting key enablers, some parts of this ecosystem have been disrupted; however, new infrastructure and service providers are likely to fill these gaps as time goes on. Defensers should take note of the following lesson: continued vigilance, proactive threat hunting, as well as adopting advanced detection and response capabilities remain essential for preventing ransomware from spreading, as the broader contest against ransomware increasingly depends on converting adversaries' mistakes into durable security advantages to ensure the success of the attack. 

It should be noted that the rise and subsequent missteps of CyberVolk can be considered a timely reminder that the ransomware landscape is evolving in multiple ways, not only in terms of technical sophistication but also in terms of narrative strategy and operational ambition. 

Although advocates of groups may work to increase their impact by using political messaging, branding, and service models that are tailored for commercialization, long-term success remains dependent on disciplined engineering and operational security-areas in which even ideologically motivated actors continue to fail. 

Organizations should take this episode as an example of the importance of building multilayered defenses that go beyond perimeter security to include credential hygiene, behavioral monitoring, and rapid incident response planning in addition to regular patching, offline backups, and tabletop exercises. This episode emphasizes how vital it is to engage with threat intelligence providers in order to identify emerging patterns before they turn into operational disruptions. 

In the eyes of policymakers and industry leaders, the case highlights the benefits of coordinated disclosure practices and cross-border collaboration as means of weakening ransomware ecosystems without inadvertently making them more refined. 

Iterating and rebranding ransomware groups can be equally instructive as iterating and rebranding their malware, providing defenders with valuable opportunities to anticipate next moves and close gaps before they are exploited. The ability to survive in an environment characterized by both sides adapting will increasingly depend on turning visibility into action and learning from every flaw that has been exposed.
Read more »
DDOS Attack
Aisuru Botnet Cloudfare Cyber Attacks DDOS Attack

Aisuru Botnet Unleashes Record 29.7 Tbps DDoS Attack

 

A new record-breaking 29.7 Tbps distributed denial-of-service (DDoS) attack launched via the Aisuru botnet has set a new standard for internet disruption and reinforced that multi-terabit attacks are on track to soon be an everyday event for DDoS defenders. According to Cloudflare’s latest DDoS threats report, Aisuru launched an intense hyper-volumetric DDoS on a network layer with traffic that reached 29.7 Tbps and 14.1 billion packets per second, reaching new heights beyond previous records that topped 22 Tbps. 

The DDoS attack employed a UDP ‘carpet bombing’ technique that targeted 15,000 destination ports every second with random packet components constantly varying so as not to get filtered out at traditional scrubbing centers. Despite these efforts, Cloudflare reports that Aisuru traffic took mere seconds for an autonomous mitigation system to identify and remove. 

Behind the incident is a botnet Cloudflare now estimates at 1 million to 4 million compromised devices, making Aisuru the biggest DDoS botnet in active circulation. Since the start of 2025, Cloudflare has mitigated 2,867 Aisuru incidents, with 1,304 hyper-volumetric attacks in the third quarter alone - a 54% quarter-over-quarter increase that equates to about 14 mega-events a day. Segments of the botnet are openly leased as "chunks", allowing buyers to rent enough power to take down backbone connections or perhaps even national ISPs for mere hundreds or thousands of dollars apiece.

Cloudflare thwarted a total of 8.3 million DDoS attacks in the third quarter of 2025, a 15% increase from the prior quarter and 40% year-over-year, while marking the 2025 year-to-date total at 36.2 million - already 170% of all attacks recorded in 2024 and still one full quarter away. 

About 71% of Q3 attacks were network-layer traffic, which soared 87% QoQ and 95% YoY, while HTTP-layer events fell 41% QoQ and 17% YoY, indicating a strategic swing back to pure bandwidth and transport-layer exhaustion. The extremes are picked up the most: incidents over 100 Mpps jumped 189% QoQ, and those above 1 Tbps increased by 227%, though many ended within 10 minutes, too late for any effective intervention by manual actions or DDoS-on-demand mitigation programs.

Collateral damage continues to escalate as well. KrebsOnSecurity reports Aisuru-driven traffic has already caused severe outages at U.S. internet services not targeted as main victims. Cloudflare data shows Aisuru and actors like it have targeted telecoms, gaming, hosting, and financial services intensely. Information Technology and Services, telecoms, gambling and casinos are among the toughest hit sectors in Q3. 

Geopolitics and societal unrest are increasingly reflected in attack behavior. DDoS traffic against generative AI service providers jumped as high as 347% month-over-month in September, and DDoS attacks on mining, minerals and metals, and autos failed to lag as tensions escalated involving EV tariffs and China and the EU.

Indonesia continues as source number one for DDoS traffic, registering an astonishing 31,900% increase in HTTP DDoS requests since 2021, and there were sharp increases in Q3 2025 for the Maldives, France, and Belgium, reflecting massive protests and worker walkouts. China stayed the most‑targeted country, followed by Turkey and Germany, with the United States climbing to fifth and the Philippines showing the steepest rise within the top 10, underscoring how modern DDoS campaigns now track political flashpoints, public anger, and regulatory fights over AI and trade almost in real time.
Read more »
Subscribe to: Comments (Atom)