Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
Software
Chinese Actors Chinese Hackers Cyber Attacks IPv4 vs IPv6 IPv6 Software

Chinese Hackers Exploit IPv6 Network Features to Hack Software Updates

Chinese Hackers Exploit IPv6 Network Features to Hack Software Updates

China-linked group attacks

ESET discovered both SpellBinder and WizardNet, tools used by Chinese hackers. A China-based APT group, “The Wizards,” has been linked to a lateral movement tool, Spellbinder, which allows adversary-in-the-middle (AitM) attacks.  It does so via IPv6 stateless address autoconfiguration (SLAAC) spoofing, to roam laterally in the compromised network, blocking packets and redirecting the traffic of legal Chinese software to download malicious updates from a server controlled by threat actors, ESET researchers said to The Hacker News

About malware WizardNet

The attack creates a path for a malicious downloader which is delivered by hacking the software update mechanism linked with Sogou Pinyin. Later, the downloader imitates a conduit to deploy a modular backdoor called WizardNet. 

In the past, Chinese hackers have abused Sogou Pinyin’s software update process to install malware. Last year, ESET reported a hacking group called Blackwood that delivered an implant called NSPX30 by abusing the update process of the Chinese input method software app. 

This year, the Slovak cybersecurity company found another threat actor called PlushDaemon that exploited the same process to deploy a custom downloader called LittleDaemon. 

The scale of the attack

The Wizards APT has targeted both individuals and the gambling industry in Hong Kong, Mainland China, Cambodia, the United Arab Emirates, and the Phillippines. 

Findings highlight that the Spellbinder IPv6 AitM tool has been active since 2022. A successful attack is followed by the delivery of a ZIP archive which includes four separate files. 

After this, the threat actors install “wincap.exe” and perform "AVGApplicationFrameHost.exe," to sideload the DLL. The DLL file then reads shellcode from “log.dat” and runs it in memory, resulting in the launch of Spellbinder. 

Not the first time

In a 2024 attack incident, the hackers utilized this technique to hack the software update process for Tencent QQ at the DNS level to help a trojanized version deploy WizardNet; a modular backdoor that can receive and run .NET payloads on the victim host. Spellbinder does this by blocking the DNS query for the software update domain ("update.browser.qq[.]com") and releasing a DNS response 

“The list of targeted domains belongs to several popular Chinese platforms, such as Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Yuodao, Xiaomi and Xioami's Miui, PPLive, Meitu, Quihoo 360, and Baofeng,” reports The Hacker News. 

Read more »
Push Bombing
Cyber Attacks Cybersecurity MFA MFA bombing MFA Fatigue Attacks Multi-Factor Authentication (MFA) Push Bombing

Push-Bombing: The Silent Threat Undermining Multi-Factor Authentication

 


In the ever-evolving landscape of cybersecurity, Multi-Factor Authentication (MFA) has emerged as a robust defense mechanism, adding layers of security beyond traditional passwords. However, a deceptive tactic known as “push-bombing” is undermining this very safeguard, posing significant risks to individuals and organisations alike. 

Understanding Push-bombing, also referred to as MFA fatigue or MFA spamming, is a social engineering attack that targets the human element of security systems. Attackers initiate this method by obtaining a user’s login credentials, often through phishing or data breaches. Subsequently, they attempt to access the account, triggering a barrage of authentication prompts sent to the user’s device. The relentless stream of notifications aims to confuse or frustrate the user into inadvertently approving one, thereby granting unauthorised access to the attacker.  

Real-World Implications 


The consequences of successful push-bombing attacks are far-reaching. Once inside a system, attackers can exfiltrate sensitive data, deploy malware, or move laterally within networks to compromise additional systems. Such breaches not only result in financial losses but also damage an organisation’s reputation and can lead to regulatory penalties. 

Several high-profile organisations have fallen victim to push-bombing attacks. In September 2022, Uber experienced a breach when attackers used stolen credentials to flood an employee with MFA requests. Overwhelmed, the employee eventually approved one, granting the attackers access to internal systems. Similarly, in May 2022, Cisco faced a breach where attackers combined MFA fatigue with voice phishing to compromise an employee’s account. These incidents underscore the effectiveness of push-bombing tactics and the need for heightened vigilance.  


Mitigation Strategies 


To combat push-bombing, a multifaceted approach is essential: 

• User Education: Informing users about the nature of push-bombing attacks is crucial. Training should emphasise the importance of scrutinising authentication prompts and reporting suspicious activity promptly. 

• Phishing-Resistant MFA: Transitioning to authentication methods that do not rely on push notifications, such as hardware security keys or biometric verification, can eliminate the risk associated with push-bombing. 

• Adaptive Authentication: Implementing systems that assess contextual factors, such as login location, device type, and time of access, can help identify and block anomalous login attempts. 

• Rate Limiting: Configuring MFA systems to limit the number of authentication attempts within a specific timeframe can prevent attackers from overwhelming users with prompts. 

While MFA remains a cornerstone of cybersecurity, awareness of its potential vulnerabilities, like push-bombing, is vital. By adopting advanced authentication methods, educating users, and implementing intelligent security measures, organisations can fortify their defenses against this subtle yet potent threat.
Read more »
Sensitive data
Cyber Attacks Data Leak data security Data Theft Hacker attack Indian Cyber Security Pakistan Hacker Personal Data Sensitive data

Pakistan-Based Hackers Launch Cyber Attack on Indian Defence Websites, Claim Access to Sensitive Data

 

In a concerning escalation of cyber hostilities, a Pakistan-based threat group known as the Pakistan Cyber Force launched a coordinated cyber offensive on multiple Indian defence-related websites on Monday. The group claimed responsibility for defacing the official site of a Ministry of Defence public sector undertaking (PSU) and asserted that it had gained unauthorized access to sensitive information belonging to Indian defence personnel. According to reports, the targeted websites included those of the Military Engineering Service (MES) and the Manohar Parrikar Institute of Defence Studies and Analyses (MP-IDSA), both critical components in India’s defence research and infrastructure network. 

The group’s social media posts alleged that it had exfiltrated login credentials and personal data associated with defence personnel. One particularly alarming development was the defacement of the official website of Armoured Vehicle Nigam Limited (AVNL), a key PSU under the Ministry of Defence. The hackers replaced the homepage with the Pakistani flag and an image of the Al Khalid tank, a symbol of Pakistan’s military capabilities. A message reportedly posted on social platform X read, “Hacked. Your security is illusion. MES data owned,” followed by a list of names allegedly linked to Indian defence staff. 

Sources quoted by ANI indicated that there is a credible concern that personal data of military personnel may have been compromised during the breach. In response, authorities promptly took the AVNL website offline to prevent further exploitation and launched a full-scale forensic audit to assess the scope of the intrusion and restore digital integrity. Cybersecurity experts are currently monitoring for further signs of intrusion, especially in light of repeated cyber threats and defacement attempts linked to Pakistani-sponsored groups. 

The ongoing tensions between the two countries have only heightened the frequency and severity of such state-aligned cyber operations. This latest attack follows a pattern of provocative cyber incidents, with Pakistani hacker groups increasingly targeting sensitive Indian assets in attempts to undermine national security and sow discord. Intelligence sources are treating the incident as part of a broader information warfare campaign and have emphasized the need for heightened vigilance and improved cyber defense strategies. 

Authorities continue to investigate the breach while urging government departments and defense agencies to reinforce their cybersecurity posture amid rising digital threats in the region.
Read more »
zero data
Backup commvault Cyber Attacks Data Microsoft zero data

Commvault Confirms Cyberattack, Says Customer Backup Data Remains Secure


Commvault, a well-known company that helps other businesses protect and manage their digital data, recently shared that it had experienced a cyberattack. However, the company clarified that none of the backup data it stores for customers was accessed or harmed during the incident.

The breach was discovered in February 2025 after Microsoft alerted Commvault about suspicious activity taking place in its Azure cloud services. After being notified, the company began investigating the issue and found that a very small group of customers had been affected. Importantly, Commvault stated that its systems remained up and running, and there was no major impact on its day-to-day operations.

Danielle Sheer, Commvault’s Chief Trust Officer, said the company is confident that hackers were not able to view or steal customer backup data. She also confirmed that Commvault is cooperating with government cybersecurity teams, including the FBI and CISA, and is receiving support from two independent cybersecurity firms.


Details About the Vulnerability

It was discovered that the attackers gained access by using a weakness in Commvault’s web server software. This flaw, now fixed, allowed hackers with limited permissions to install harmful software on affected systems. The vulnerability, known by the code CVE-2025-3928, had not been known or patched before the breach, making it what experts call a “zero-day” issue.

Because of the seriousness of this bug, CISA (Cybersecurity and Infrastructure Security Agency) added it to a list of known risks that hackers are actively exploiting. U.S. federal agencies have been instructed to update their Commvault software and fix the issue by May 19, 2025.


Steps Recommended to Stay Safe

To help customers stay protected, Commvault suggested the following steps:

• Use conditional access controls for all cloud-based apps linked to Microsoft services.

• Check sign-in logs often to see if anyone is trying to log in from suspicious locations.

• Update secret access credentials between Commvault and Azure every three months.


The company urged users to report any strange behavior right away so its support team can act quickly to reduce any damage.

Although this was a serious incident, Commvault’s response was quick and effective. No backup data was stolen, and the affected software has been patched. This event is a reminder to all businesses to regularly check for vulnerabilities and keep their systems up to date to prevent future attacks.

Read more »
Threat Landscape
Critical Infrastructure Cyber Attacks Iran Nation-State Attack Threat Landscape

Iran Claims it Thwarted Sophisticated Cyberattack on its Infrastructure

 

Iran thwarted a “widespread and complex” cyberattack on Sunday that targeted the nation’s infrastructure, a senior official told Tasnim News Agency, which is affiliated with the Islamic Revolutionary Guard Corps. 

Behzad Akbari, the head of the government's Telecommunications Infrastructure Company (TIC), revealed the occurrence, which was not explained in detail. "One of the most widespread and complex cyber attacks against the country's infrastructure was identified and preventive measures were taken," Akbari noted. 

The cyber incident occurred a day after a huge explosion at Shahid Rajaei, the country's busiest commercial port, which killed at least 28 people and injured 800 more, according to police. The cause has not been determined. There is no indication that it was related to any cyber activity. 

Ambrey Intelligence, a maritime risk consultant, claims the explosion was caused by "improper handling of a shipment of solid fuel intended for use in Iranian ballistic missiles" imported from China, while Iran's defence ministry denies this. 

It comes amid ongoing talks between Iran and the United States over the Islamic Republic's contentious nuclear program, amid concerns that the nation will aim to enrich uranium to the point where it could build a nuclear bomb. Iran has had many noteworthy cyberattacks in recent years, including those against the country's fuel system in 2021 and a steel mill in June 2022, both claimed by a group calling itself Predatory Sparrow, which stated that its attacks were "carried out carefully to protect innocent individuals.” 

While the Predatory Sparrow group claims to be made up of dissidents, the attack on the steel mill appeared to be carried out with sophisticated operational planning to avoid casualties, raising the possibility that it was sponsored by a foreign state agency with a risk management process. Iranian officials blamed the United States and Israel for the 2021 cyberattack on Iran's gasoline systems, but provided no evidence. 

At the time, Gholamreza Jalali, the country's civil defence chief, told state television: "We are still unable to say forensically, but analytically, I believe it was carried out by the Zionist Regime, the Americans, and their agents.” 

Jalili claimed that the United States and Israel were responsible for a cyberattack on the Shahid Rajaei port authority's technological infrastructure in 2020, but he did not provide any evidence. The United States and Israel are thought to have worked on the Stuxnet worm, which was discovered in 2010 and was aimed to destroy Iran's nuclear program.
Read more »
Ransomwares
Cyber Attacks data security Data Theft Hacker attack Pharmaceutical Firms Ransom Demand Ransomware attack Ransomwares

Pune-Based Biopharma Company Hit by Ransomware Attack, Hackers Demand $80,000

 

A multinational biopharmaceutical company based in Pune has fallen victim to a sophisticated ransomware attack, with cybercriminals encrypting vital data and demanding $80,000 (over Rs 68 lakh) for its release. The attackers have also threatened to leak the stolen proprietary data on the dark web if the ransom is not paid, according to local police authorities. 

The incident came to light when a senior executive from the company’s Pune office lodged a complaint at the Cyber Crime Police Station of Pimpri Chinchwad on Monday evening. The attack was first identified on Sunday afternoon, prompting immediate concern due to the sensitivity of the data involved. According to initial investigations by cybercrime officials, the breach is believed to have occurred through a compromised endpoint device—most likely via a phishing email containing a malicious link. 

Once the attackers gained access to the internal network, they deployed ransomware to the company’s main server and extended it to more than a dozen connected servers. Sensitive data, including proprietary pharmaceutical formulations, manufacturing protocols, and confidential business documents, was then encrypted and locked. 

“A preliminary probe suggests that vulnerabilities in the company’s cybersecurity setup allowed the attackers to infiltrate its systems,” an officer from the Cyber Police Station said. “Unfortunately, a significant portion of the critical data was not backed up offline, leaving the organization exposed to potential data loss if the ransom is not paid.” The hackers have made it clear that if their ransom demand of $80,000 is not met, the stolen data will be sold on the dark web. 

So far, the company has not paid the ransom, and authorities are currently analyzing IP logs and other digital evidence to trace the origin of the attack. Cybercrime investigators have urged all businesses to strengthen their cybersecurity measures, including regularly backing up data offline, updating firewall configurations, and educating employees about phishing threats. “This incident is a wake-up call for organizations to prioritize robust digital security,” the officer added.  

Deputy Commissioner of Police (Crime) Sandeep Doiphode emphasized the growing need for enterprises to invest in both technology and skilled cybersecurity personnel. “This case underlines the urgent necessity for companies to stay ahead of evolving threats through both infrastructure and human resource development,” he said. Police also noted that ransomware attacks typically use phishing emails and exploit weak security protocols. Payments are often demanded in cryptocurrency, making the attackers harder to trace. 

The investigation remains ongoing.
Read more »
Pakistan
Cyber Attacks Cyber Warfare Hacking India Internet Pakistan

Pakistan State-sponsored Hackers Attack Indian Websites, Attempts Blocked

Pakistan State-sponsored Hackers Attack Indian Websites, Attempts Blocked

Pakistan's cyber warfare against India

Recently, Pakistan state-sponsored hacker groups launched multiple failed hacking attempts to hack Indian websites amid continuous cyber offensives against India after the Pahalgam terror attack. These breach attempts were promptly identified and blocked by the Indian cybersecurity agencies. 

In one incident, the hacking group “Cyber Group HOAX1337” and “National Cyber Crew” attacked the websites of the Army Public School in Jammu (a union territory in India), trying to loiter on the site with messages mocking the recent victims of the Pahalgam terror attack.

State-sponsored attacks against Indian websites

In another cyberattack, hackers defaced the website of healthcare services for ex-servicemen, the sites of Indian Air Force veterans and Army Institute of Hotel Management were also attacked. 

Besides Army-related websites, Pakistan-sponsored hackers have repeatedly tried to trespass websites associated with veterans, children, and civilians, officials said.

Additionally, the Maharashtra Cyber Department defected more than 10 lakh cyberattacks on Indian systems by hacking gangs from various countries after the April 22 terror attack on tourists in Pahalgam. 

Rise of targeted cyberattacks against India

A Maharashtra Cyber senior police official said that the state’s police cybercrime detection wing has noticed a sudden rise in digital attacks after the Kashmir terror strike.

Experts suspect these cyber attacks are part of a deliberate campaign to intensify tensions on digital platforms. These attempts are seen as part of Pakistan’s broader hybrid warfare plan, which has a history of using terrorism and information warfare against India. 

Besides Pakistan, cyberattacks have also surfaced from Indonesia, Morocco, and the Middle East. A lot of hacker groups have claimed links to Islamist ideologies, suggesting a coordinated cyber warfare operation, according to the police official. 

Read more »
Website Hack
Cyber Attacks Indo-Pak Pahalgam Attack Rajasthan Education Website Hack

Hacker Calls Pahalgam Incident "Inside Job" on Rajasthan Education Department Website

 

Earlier this week, the Rajasthan education department's official website was hacked, with a statement ridiculing the Indian government over Pakistan's detention of Indian Air Force commander Abhinandan Varthaman in 2019. The hackers attacked the homepage with a provocative message and added objectionable content regarding the recent Pahalgam terror attack. 

As soon as the breach was discovered, Rajasthan Education Minister Madan Dilawar directed the department's IT team to promptly restore the website. The site has since been temporarily taken offline to allow for a full restoration to its original state. 

“The department has alerted cyber security agencies, and a detailed investigation has begun to identify the perpetrators behind the cyber attack and assess the extent of the potential data compromise," stated Dilawar. 

He went on to say that no proof of sensitive data leakage had been discovered thus far. However, the entire system is currently undergoing an extensive test to verify security and integrity. Earlier in the day, the hijacked site's homepage had the message "Fantastic Tea Club Pakistan Cyber Force," as well as alarming content regarding the April 22 terror incident in Pahalgam, which killed 26 people, the majority of whom were tourists.

The message's reference to the 2019 incident with Wing Commander Abhinandan Varthaman seems to be an intentional attempt to mock India. Varthaman's MiG-21 Bison was shot down by Pakistan during a dogfight in February 2019 when it attempted to attack military sites in Jammu and Kashmir by breaching Indian airspace. This action was taken in response to India's airstrike on the largest terror training centre of Jaish-e-Mohammed at Balakot, Pakistan.

The IAF officer was apprehended and detained in Pakistan for more than two days before being repatriated to India. The Pakistani military has released many videos of him in captivity. In one of the videos, the cop was seen calmly sipping tea and replying politely to questions, including one about the tea, to which he famously remarked, "The tea is fantastic." Authorities continue to investigate the intrusion, and efforts to properly restore and safeguard the education department's website are ongoing.
Read more »
Ransomwares
Cyber Attacks cybercrime group cybercriminals data security Data Theft DOGE Dogecoin Elon Musk Ransom Demand Ransomware attack Ransomwares

Cybercriminals Behind DOGE Big Balls Ransomware Demand $1 Trillion, Troll Elon Musk

 

A cybercrime group notorious for its outrageous tactics has resurfaced with a ransomware attack demanding an unbelievable $1 trillion from its victims. The group, responsible for the DOGE Big Balls ransomware campaign, has updated its ransom demands with bizarre references to Elon Musk and the Dogecoin meme culture, blending humor with a highly dangerous threat.  

According to a report by Trend Micro researchers Nathaniel Morales and Sarah Pearl Camiling, the attackers are leveraging a modified form of the FOG ransomware to carry out these intrusions. The malware exploits a long-known Windows vulnerability (CVE-2015-2291) through a multi-step PowerShell script that allows deep access into infected systems. Delivered via deceptive shortcut files inside ZIP folders, the malware initiates a chain reaction to execute its payload. Though the ransom note may appear comical—mocking Musk’s past corporate directives and making false claims about stealing “trilatitude and trilongitude” coordinates—the security community warns against taking this threat lightly. 

The ransomware performs environment checks to avoid detection, analyzing machine specs, RAM, and registry entries to detect if it’s being run in a sandbox. If any signs of monitoring are detected, the malware will exit silently. The FBI, in its April 2025 Internet Crime Report, highlighted ransomware—particularly FOG variants—as a dominant threat, impacting critical infrastructure and organizations across the U.S. The report revealed over 100 known FOG ransomware infections between January and March 2025, making it the most reported strain of the year thus far. Beyond encryption, the malware also exfiltrates sensitive data and pressures victims to communicate via the Tor network for instructions. 

The attackers claim stolen files and urge victims not to involve law enforcement, adding a “don’t snitch now” line in their taunting ransom message. Despite its absurd tone, security leaders emphasize the seriousness of the attack. Dr. Ilia Kolochenko, CEO of ImmuniWeb, cautions that many victims discreetly pay ransoms to groups known for not leaking data—urging companies to seek legal and cybersecurity advice before making decisions. 

Although the group hides behind memes and internet jokes, their ability to cause significant operational and financial disruption is very real. Their humor might distract, but the threat demands urgent attention.
Read more »
Hacking
Crypto Cyber Attacks Cybersecurity Hacking

‘Elusive Comet’ Hackers Exploit Zoom to Target Crypto Users in Sophisticated Scam

 

A newly identified hacking group known as Elusive Comet is targeting cryptocurrency users through a deceptive campaign that leverages Zoom’s remote control feature to gain unauthorized access to victims' systems.

The remote control tool, built into Zoom, enables meeting participants to take control of another person's computer — a capability now being manipulated by cybercriminals to bypass technical defenses through social engineering rather than traditional code exploitation.

According to a report from cybersecurity firm Trail of Bits, the group’s tactics closely resemble those used in the $1.5 billion Bybit crypto heist believed to be linked to the Lazarus group.

"The ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities," explains the Trail of Bits report.

Trail of Bits uncovered the campaign when attackers attempted to target their CEO via a direct message on X (formerly Twitter), posing as representatives of Bloomberg Crypto.

The ruse begins with a fraudulent invitation to a "Bloomberg Crypto" interview, sent to high-profile individuals either through email (bloombergconferences[@]gmail.com) or social media. The attackers use sock-puppet accounts, mimicking journalists or crypto media outlets, and send Calendly links to schedule the meeting.

Because both Calendly and Zoom links are genuine, the setup appears trustworthy to the victims. During the meeting, the attackers launch a screen-sharing session and issue a remote control request — with a crucial twist: their Zoom display name is changed to “Zoom.”

This results in a misleading prompt that reads:
"Zoom is requesting remote control of your screen,"
— tricking the target into thinking the request is from the app itself.

Granting access allows the attacker full remote control, enabling data theft, malware installation, unauthorized file access, or even the initiation of crypto transactions. In some cases, attackers establish persistence through hidden backdoors, remaining unnoticed even after disconnecting.

"What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," says Trail of Bits.
"Users habituated to clicking 'Approve' on Zoom prompts may grant complete control of their computer without realizing the implications."

To guard against such threats, Trail of Bits recommends the use of Privacy Preferences Policy Control (PPPC) profiles to restrict system accessibility permissions. For highly sensitive environments — particularly those handling digital assets or crypto transactions — the firm advises removing the Zoom desktop client entirely.

"For organizations handling particularly sensitive data or cryptocurrency transactions, the risk reduction from eliminating the Zoom client entirely often outweighs the minor inconvenience of using browser-based alternatives," explains Trail of Bits.
Read more »
python
Blockchain cryptocurrency Cyber Attacks Cybersecurity GitHub Hacker JavaScript Linkedin malware python

North Korean Hacker Group Targets Cryptocurrency Developers via LinkedIn

 

A North Korean threat group known as Slow Pisces has launched a sophisticated cyberattack campaign, focusing on developers in the cryptocurrency industry through LinkedIn. Also referred to as TraderTraitor or Jade Sleet, the group impersonates recruiters offering legitimate job opportunities and coding challenges to deceive their targets. In reality, they deliver malicious Python and JavaScript code designed to compromise victims' systems.

This ongoing operation has led to massive cryptocurrency thefts. In 2023 alone, Slow Pisces was tied to cyber heists exceeding $1 billion. Notable incidents include a $1.5 billion breach at a Dubai exchange and a $308 million theft from a Japanese firm. The attackers typically initiate contact by sending PDFs containing job descriptions and later provide coding tasks hosted on GitHub. Although these repositories mimic authentic open-source projects, they are secretly altered to carry hidden malware.

As victims work on these assignments, they unknowingly execute malicious programs like RN Loader and RN Stealer on their devices. These infected projects resemble legitimate developer tools—for instance, Python repositories that claim to analyze stock market data but are actually designed to communicate with attacker-controlled servers.

The malware cleverly evades detection by using YAML deserialization techniques instead of commonly flagged functions like eval or exec. Once triggered, the loader fetches and runs additional malicious payloads directly in memory, making the infection harder to detect and eliminate.

One key malware component, RN Stealer, is built to extract sensitive information, including credentials, cloud configuration files, and SSH keys, especially from macOS systems. JavaScript-based versions of the malware behave similarly, leveraging the Embedded JavaScript templating engine to conceal harmful code. This code activates selectively based on IP addresses or browser signatures, targeting specific victims.

Forensic investigations revealed that the malware stores its code in hidden folders and uses HTTPS channels secured with custom tokens to communicate. However, experts were unable to fully recover the malicious JavaScript payload.

Both GitHub and LinkedIn have taken action against the threat.

"GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity," the companies said in a joint statement.

Given the increasing sophistication of these attacks, developers are urged to exercise caution when approached with remote job offers or coding tests. It is recommended to use robust antivirus solutions and execute unknown code within secure, sandboxed environments, particularly when working in the high-risk cryptocurrency sector.

Security experts advise using trusted integrated development environments (IDEs) equipped with built-in security features. Maintaining a vigilant and secure working setup can significantly lower the chances of falling victim to these state-sponsored cyberattacks.
Read more »
Mobile Cyber Attacks
Cyber Attacks Data Safety User Data data security Information Security Malware Attack Malwares Mobile Cyber Attacks

SK Telecom Malware Attack Exposes USIM Data in South Korea

 

SK Telecom, South Korea’s top mobile carrier, has disclosed a security incident involving a malware infection that exposed sensitive information tied to users’ Universal Subscriber Identity Modules (USIMs). The breach was detected on the night of April 19, 2025, during the weekend when many companies operate with reduced cybersecurity staffing. 

With nearly half of South Korea’s mobile market share and around 34 million subscribers, SK Telecom holds a crucial position in the country’s telecommunications sector. In an official statement, the company explained that malware had infiltrated parts of its network, prompting immediate action to contain the threat. 

The affected systems were isolated swiftly, and the malicious software was removed. So far, SK Telecom has stated there is no confirmed misuse of customer data linked to this breach. This was reported to the Korea Internet & Security Agency (KISA) on April 20, and to the Personal Information Protection Commission. 
Investigations are ongoing to determine how the attackers gained access and the extent of the data exposed. USIM cards store essential data such as International Mobile Subscriber Identity (IMSI) numbers, phone numbers (MSISDN), encryption keys for network authentication, and sometimes even stored contacts or text messages. Unauthorized access to this information could enable cybercriminals to conduct targeted surveillance, track users’ locations, or perform SIM-swapping attacks that could compromise online accounts and digital assets. 

In response, SK Telecom has strengthened security around USIM card management, increasing checks on SIM card replacement activities and monitoring authentication processes for suspicious behavior. Accounts showing irregular activities could face automatic suspension to prevent potential fraud. Additionally, the carrier is advising customers to activate their USIM protection service, a preventive measure that restricts unauthorized SIM swaps, adding extra protection to user accounts. 

A hacking group is yet to claim responsibility for the breach. SK Telecom emphasized that while the malware was neutralized quickly, they remain vigilant and are working closely with cybersecurity authorities to uncover more details about the intrusion and enhance future protections. 

This breach highlights ongoing risks faced by large mobile operators, especially during periods when cyber defenses might be less robust. It also underscores the critical need for mobile carriers to adopt continuous security monitoring and proactive measures to protect customer data from emerging threats. 

As investigations continue, SK Telecom has committed to updating customers and regulators about any new findings or developments related to the incident.
Read more »
User Security
Cyber Attacks DOGE Fog Hackers Ransomware attack User Security

'Fog' Attackers Mock Victims With DOGE Ransom Notes

 

Fog ransomware assaults over the last month have included a new ransom note mentioning the US Department of Government Efficiency (DOGE) and enticing victims to propagate the malware to other PCs, Trend Micro said earlier this week. 

Analysis of the latest samples of Fog ransomware, which were published to VirusTotal between March 27 and April 2, 2025, found that they propagated via the transfer of a ZIP file containing an LNK file disguised as a PDF called "Pay Adjustment." This shows that attacks were carried out via phishing emails to employees.

Once the "Pay Adjustment" LNK file is clicked, a PowerShell script named stage1.ps1 is executed, which retrieves multiple payloads from a hacker-controlled domain. These include the ransomware loader cwiper.exe, a bring-your-own-vulnerable-driver (BYOVD) privilege escalation tool named Ktool.exe, a QR code image directing to a Monero wallet, a ransom letter called RANSOMNOTE.txt, and more malicious PowerShell scripts. 

Ktool.exe extracts the vulnerable Intel Network Adapter Diagnostic Driver iQVW64.sys to the %TEMP% folder, passing the target process ID (PID) and a hardcoded key as arguments. Lootsubmit.ps1 and Trackerjacker.ps1 are PowerShell scripts that collect and exfiltrate system information such IP addresses, CPU configurations, MAC addresses, and system geolocations. 

Before dropping the Fog ransomware, the ransomware loader checks to ensure it is not in a sandbox environment. It also drops dbgLog.sys, which tracks encryption-related activities, and readme.txt, an additional ransom note. This ransom note is identical to those found in past Fog ransomware assaults. 

Odd political references

While the final ransom note, readme.txt, is identical to prior attacks, the initial ransom note, RANSOMNOTE.txt, refers to DOGE and includes the names of specific individuals involved with the department. 

The note reads, "Give me five bullet points on what you accomplished for work last week," and refers to emails sent to federal employees in February as part of a DOGE campaign. The note further offers to decrypt the user's data for free if they deliver the malicious files to another person or manually execute the malicious PowerShell commands on someone else's PC. 

Earlier this year, the DoNex ransomware group followed a similar tactic, promising payment to targets in exchange for sharing sensitive company data or spreading the malware throughout their organisation. The PowerShell script also contains bizarre political references, such as the statement "The CIA didn't kill Kennedy, you idiot." The script also launched several politically orientated YouTube videos, including an episode of "Last Week Tonight with John Oliver.”
Read more »
PowerShell
Advanced persistent threat (APT) Advanced Social Engineering Cyber Attacks cyber espionage espionage Fake Website Phishing emails PowerShell

ClickFix Attacks: North Korea, Iran, Russia APT Groups Exploit Social Engineering for Espionage

ClickFix attacks are rapidly becoming a favored tactic among advanced persistent threat (APT) groups from North Korea, Iran, and Russia, particularly in recent cyber-espionage operations. This technique involves malicious websites posing as legitimate software or document-sharing platforms. Targets are enticed through phishing emails or malicious advertising and then confronted with fake error messages claiming a failed document download or access issue. 


To resolve the supposed problem, users are instructed to click a “Fix” button that directs them to run a PowerShell or command-line script. Executing this script allows malware to infiltrate their systems. Microsoft’s Threat Intelligence division highlighted earlier this year that the North Korean group ‘Kimsuky’ utilized a similar approach through a fake “device registration” page. 

A new report from Proofpoint now confirms that Kimsuky, along with Iran’s MuddyWater, Russia’s APT28, and the UNK_RemoteRogue group, deployed ClickFix techniques between late 2024 and early 2025. Kimsuky’s campaign, conducted between January and February 2025, specifically targeted think tanks involved in North Korean policy research. The attackers initially contacted victims using spoofed emails designed to appear as if they were sent by Japanese diplomats. After gaining trust, they provided malicious PDF attachments leading to a counterfeit secure drive. Victims were then asked to manually run a PowerShell command, which triggered the download of a second script that established persistence with scheduled tasks and installed QuasarRAT, all while distracting the victim with a harmless-looking PDF. 

In mid-November 2024, Iran’s MuddyWater launched its campaign, targeting 39 organizations across the Middle East. Victims received phishing emails disguised as urgent Microsoft security alerts, prompting them to run PowerShell scripts with administrative rights. This led to the deployment of ‘Level,’ a remote monitoring and management (RMM) tool used to conduct espionage activities. Meanwhile, Russian group UNK_RemoteRogue focused on two organizations tied to a leading arms manufacturer in December 2024. Attackers used compromised Zimbra servers to send fake Microsoft Office messages. Clicking the embedded links directed victims to fraudulent Microsoft Word pages featuring Russian-language instructions and a video tutorial. 

Victims executing the provided script unknowingly triggered JavaScript that ran PowerShell commands, connecting their systems to a server managed through the Empire C2 framework. Proofpoint also found that APT28, an infamous Russian cyber-espionage unit, used ClickFix tactics as early as October 2024. In that instance, phishing emails mimicked Google Spreadsheet notifications, including a fake reCAPTCHA and a prompt to execute PowerShell commands. Running these commands enabled attackers to create an SSH tunnel and activate Metasploit, providing them with covert access to compromised machines. 

The growing use of ClickFix attacks by multiple state-sponsored groups underscores the method’s effectiveness, primarily due to the widespread lack of caution when executing unfamiliar commands. To avoid falling victim, users should be extremely wary of running scripts or commands they do not recognize, particularly when asked to use elevated privileges.
Read more »
Ransomwares
Cyber Attacks Cyber Researchers Dark Web data security Interlock Interlock ransomware Malware Attack Ransomware attack Ransomwares

Interlock Ransomware Gang Deploys ClickFix Attacks to Breach Corporate Networks

 

Cybersecurity researchers have revealed that the Interlock ransomware gang has adopted a deceptive social engineering technique called ClickFix to infiltrate corporate networks. This method involves tricking users into executing malicious PowerShell commands under the guise of resolving system errors or completing identity verification steps, leading to the deployment of file-encrypting malware. 

While ClickFix attacks have previously been associated with ransomware campaigns, this marks the first confirmed use by Interlock, a ransomware operation that surfaced in late September 2024. The group targets both Windows systems and FreeBSD servers and maintains a dark web leak portal to pressure victims into paying ransoms that can reach millions of dollars. Interlock does not seem to operate as a ransomware-as-a-service (RaaS) model. 

According to Sekoia researchers, Interlock began using ClickFix tactics in January 2025. Attackers set up fake websites mimicking legitimate IT tools—such as Microsoft Teams and Advanced IP Scanner—to lure victims. These fake sites prompt users to click a “Fix it” button, which silently copies a malicious PowerShell script to the user’s clipboard. If run, the command downloads a 36MB PyInstaller payload that installs malware under the guise of a legitimate tool. 

Researchers found the malicious campaign hosted on spoofed domains like microsoft-msteams[.]com, microstteams[.]com, ecologilives[.]com, and advanceipscaner[.]com. Only the last domain led to the actual malware dropper disguised as Advanced IP Scanner. When users unknowingly run the script, a hidden PowerShell window executes actions such as system reconnaissance, persistence via Windows Registry, and data exfiltration. The attackers deploy a range of malware via command-and-control (C2) servers, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT—a basic remote access trojan capable of dynamic configuration, file exfiltration, shell command execution, and DLL injection. 

Post-compromise, Interlock operators use stolen credentials to move laterally through networks via RDP, leveraging remote access tools like PuTTY, AnyDesk, and LogMeIn. Data is exfiltrated to Azure Blob Storage, after which the Windows variant of Interlock ransomware is scheduled to run daily at 8:00 PM—a redundancy tactic to ensure encryption if the initial payload fails. The gang’s ransom notes have also evolved, now placing emphasis on the legal and regulatory consequences of leaked data. 

ClickFix attacks are gaining popularity among various cybercriminal groups, with recent reports also linking them to North Korean state-sponsored actors like the Lazarus Group, who use similar tactics to target job seekers in the cryptocurrency sector.
Read more »
Symbolic
Backdoor Cyber Attacks FortiGate devices Security Patch Symbolic

Over 16,000 Fortinet Devices Infected With the Symlink Backdoor

 

Over 16,000 internet-connected Fortinet devices have been identified as having a new symlink backdoor that permits read-only access to sensitive data on previously compromised systems. 

The Shadowserver Foundation, a threat monitoring platform, has stated that 14,000 machines were exposed. Earlier this week, Shadowserver's Piotr Kijewski told a local media source that the cybersecurity firm now recognises 16,620 devices affected by the newly discovered persistence method. 

Last week, Fortinet notified customers that they had found a new persistence mechanism employed by a threat actor to maintain read-only remote access to files in the root filesystem of previously hacked but now patched FortiGate devices. 

Fortinet stated that this was not due to the exploitation of new vulnerabilities, but rather to attacks beginning in 2023 and continuing into 2024, in which a threat actor used zero days to compromise FortiOS devices. 

After gaining access to the devices, they made symbolic connections to the root file system on SSL-VPN-enabled devices in the language files folder. Even after the initial vulnerabilities were fixed, the threat actor could still access the root file system by browsing to the language files, which are publically available on FortiGate devices with SSL-VPN enabled. 

"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection," Fortinet stated. 

"Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations.” 

Earlier this month, Fortinet began discreetly notifying customers via email about FortiGate devices that FortiGuard discovered as being infected with this symlink backdoor. In order to identify and eliminate this malicious symbolic link from compromised devices, Fortinet has released an improved AV/IPS signature.

Additionally, the firmware has been updated to the most recent version in order to detect and remove the link. The upgrade also stops the integrated web server from serving unrecognised files and folders. Finally, if a device was identified as hacked, it is probable that the threat actors had access to the latest configuration files, including credentials.
Read more »
Ransomwares
Backdoor Backdoor Attacks Critical Infrastructure Cyber Attacks Healthcare Malware Attack RansomHub Ransomware attack Ransomwares

Symantec Links Betruger Backdoor Malware to RansomHub Ransomware Attacks

 

A sophisticated custom backdoor malware called Betruger has been discovered in recent ransomware campaigns, with Symantec researchers linking its use to affiliates of the RansomHub ransomware-as-a-service (RaaS) group. The new malware is considered a rare and powerful tool designed to streamline ransomware deployment by minimizing the use of multiple hacking tools during attacks. 

Identified by Symantec’s Threat Hunter Team, Betruger is described as a “multi-function backdoor” built specifically to aid ransomware operations. Its functions go far beyond traditional malware. It is capable of keylogging, network scanning, privilege escalation, credential theft, taking screenshots, and uploading data to a command-and-control (C2) server—all typical actions carried out before a ransomware payload is executed. Symantec notes that while ransomware actors often rely on open-source or legitimate software like Mimikatz or Cobalt Strike to navigate compromised systems, Betruger marks a departure from this norm. 

The tool’s development suggests an effort to reduce detection risks by limiting the number of separate malicious components introduced during an attack. “The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks,” Symantec stated. “Betruger may have been developed to reduce the number of tools dropped on a network during the pre-encryption phase.” Threat actors are disguising the malware under file names like ‘mailer.exe’ and ‘turbomailer.exe’ to pose as legitimate mailing applications and evade suspicion. While custom malware isn’t new in ransomware operations, most existing tools focus on data exfiltration. 

Notable examples include BlackMatter’s Exmatter and BlackByte’s Exbyte, both created to steal data and upload it to cloud platforms like Mega.co.nz. However, Betruger represents a more all-in-one solution tailored for streamlined attack execution. The RansomHub RaaS operation, previously known as Cyclops and Knight, surfaced in early 2024 and has quickly become a major threat actor in the cybercrime world. Unlike traditional ransomware gangs, RansomHub has focused more on data theft and extortion rather than just data encryption. Since its emergence, RansomHub has claimed several high-profile victims including Halliburton, Christie’s auction house, Frontier Communications, Rite Aid, Kawasaki’s EU division, Planned Parenthood, and Bologna Football Club. 

The group also leaked Change Healthcare’s stolen data after the BlackCat/ALPHV ransomware group’s infamous $22 million exit scam. More recently, the gang claimed responsibility for breaching BayMark Health Services, North America’s largest addiction treatment provider. BayMark serves over 75,000 patients daily across more than 400 locations in the US and Canada. According to the FBI, as of August 2024, RansomHub affiliates have compromised over 200 organizations, many of which are part of critical infrastructure sectors such as government, healthcare, and energy. 

As ransomware groups evolve and adopt more custom-built malware like Betruger, cybersecurity experts warn that defenses must adapt to meet increasingly sophisticated threats.
Read more »
US
Cyber Attacks endue software Healthcare Illinois MedEx Sensitive Information US

Cyberattacks Hit U.S. Healthcare Firms, Exposing Data of Over 236,000 People

 


Two separate data breaches in the U.S. have exposed sensitive information of more than 236,000 people. These incidents involve two organizations: Endue Software in New York and Medical Express Ambulance (MedEx) in Illinois.

Endue Software creates software used by infusion centers, which help treat patients with medication delivered directly into their bloodstream. In February this year, the company found that hackers had broken into its system. This breach led to the exposure of personal details of around 118,000 individuals. The leaked information included full names, birth dates, Social Security numbers, and unique medical record identifiers. While there is currently no proof that the stolen data has been used illegally, the company isn’t taking any chances. It has added more safety tools and measures to its systems. It is also offering one year of free credit monitoring and identity protection to help affected people stay safe from fraud.

In a different case, MedEx, a private ambulance service provider based in Illinois, reported that it was also hit by a cyberattack. This breach happened last year, but the details have recently come to light. Information belonging to more than 118,000 people was accessed by attackers. The data included health records, insurance information, and even passport numbers in some cases.

These events are part of a larger pattern of cyberattacks targeting the healthcare industry in the U.S. In recent months, major organizations like UnitedHealth Group and Ascension Health have also suffered large-scale data breaches. Cybercriminals often go after hospitals and medical companies because the data they store is very valuable and can be used for scams or identity theft.

Both Endue and MedEx are working with cybersecurity experts to investigate the breaches and improve their systems. People affected by these incidents are being advised to be extra cautious. They should use the free protection services, monitor their bank and credit accounts, and immediately report anything unusual.



Read more »
OCC
Banks bloomberg Cyber Attacks Data Sharing digital data email security financial attack Financial Data Hacker attack OCC

Top U.S. Banks Cut Off Digital Data Sharing With OCC After Major Cyberattack

 

Several of the largest banks in the United States have curtailed or reassessed how they share sensitive data with the Office of the Comptroller of the Currency (OCC), after a significant cyberattack compromised the regulator’s email system. 

According to Bloomberg, JPMorgan Chase and Bank of New York Mellon have paused all electronic communications with the OCC. Bank of America is continuing to share data, but through what it considers more secure digital channels. The decision follows the discovery that hackers had accessed over 100 email accounts at the OCC for more than a year—a breach labeled a “major incident” by both the OCC and the U.S. Treasury Department. 

The hackers reportedly obtained highly sensitive information related to financial institutions, although their identities remain unknown. The OCC, a bureau under the Treasury, oversees over 1,000 national banks and savings associations, including the U.S. branches of foreign institutions. Among the materials potentially exposed are reports on cybersecurity protocols, internal vulnerability assessments, and National Security Letters—documents that may contain classified intelligence regarding terrorism or espionage. 

Banks have raised concerns about the extent of the breach and the OCC’s communication about the incident. Some financial institutions reportedly did not learn of the scope of the compromise until media coverage surfaced. As a result, there is growing distrust among regulated institutions regarding how the OCC has handled disclosure and mitigation. The OCC said it is actively working with independent cybersecurity experts, including Mandiant and Microsoft, to investigate the breach and determine whether stolen data has surfaced on the dark web. 

A contractor is also reviewing two internal communication systems—BankNet and another used for transferring large files—to assess whether they were affected. While JPMorgan and BNY Mellon have suspended digital transmissions, Citigroup has continued data sharing due to its existing consent order with the OCC. It remains unclear whether other major banks like Wells Fargo or Goldman Sachs have taken similar steps. Experts warn that the breach could enable targeted cyberattacks or extortion attempts, as the stolen material may offer insight into institutional vulnerabilities. 

According to former Treasury CIO Eric Olson, the exposed data is “as sensitive as it gets.” The incident has drawn attention from Congress, with both the House Financial Services Committee and the Senate Banking Committee seeking more information. Experts view the banks’ decision to reduce data sharing as a sign of eroding trust in the OCC’s ability to safeguard critical regulatory communications.
Read more »
Ransomwares
Cyber Attacks Cyber Breach Cyber Defenses Data protection financial attack Financial Loss Ransomware attack Ransomwares

Fourlis Group Confirms €20 Million Loss from IKEA Ransomware Attack

 

Fourlis Group, the retail operator responsible for IKEA stores across Greece, Cyprus, Romania, and Bulgaria, has revealed that a ransomware attack targeting its systems in late November 2024 led to significant financial losses. The cyber incident, which coincided with the busy Black Friday shopping period, disrupted critical parts of the business and caused damages estimated at €20 million (around $22.8 million). 

The breach initially surfaced as unexplained technical problems affecting IKEA’s e-commerce platforms. Days later, on December 3, the company confirmed that the disruptions were due to an external cyberattack. The attack affected digital infrastructure used for inventory restocking, online transactions, and broader retail operations, mainly impacting IKEA’s business. Other brands under the Fourlis umbrella, including Intersport and Holland & Barrett, were largely unaffected.  

According to CEO Dimitris Valachis, the company experienced a loss of approximately €15 million in revenue by the end of 2024, with an additional €5 million impact spilling into early 2025. Fourlis decided not to comply with the attackers’ demands and instead focused on system recovery through support from external cybersecurity professionals. The company also reported that it successfully blocked a number of follow-up attacks attempted after the initial breach. 

Despite the scale of the attack, an internal investigation supported by forensic analysts found no evidence that customer data had been stolen or exposed. The incident caused only a brief period of data unavailability, which was resolved swiftly. As part of its compliance obligations, Fourlis reported the breach to data protection authorities in all four affected countries, reassuring stakeholders that personal information remained secure. Interestingly, no known ransomware group has taken responsibility for the attack. This may suggest that the attackers were unable to extract valuable data or are holding out hope for an undisclosed settlement—though Fourlis maintains that no ransom was paid. 

The incident highlights the growing risks faced by digital retail ecosystems, especially during peak sales periods when system uptime is critical. As online platforms become more central to retail operations, businesses like Fourlis must invest heavily in cybersecurity defenses. Their experience reinforces the importance of swift response strategies, external threat mitigation support, and robust data protection practices to safeguard operations and maintain customer trust in the face of evolving cyber threats.
Read more »
Subscribe to: Posts (Atom)