Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Hacking. Show all posts
threat
APT41 Attack Calendar Cybersecurity Detection Google Hacking malware phishing threat

APT41 Exploits Google Calendar in Stealthy Cyberattack; Google Shuts It Down

 

Chinese state-backed threat actor APT41 has been discovered leveraging Google Calendar as a command-and-control (C2) channel in a sophisticated cyber campaign, according to Google’s Threat Intelligence Group (TIG). The team has since dismantled the infrastructure and implemented defenses to block similar future exploits.

The campaign began with a previously breached government website — though TIG didn’t disclose how it was compromised — which hosted a ZIP archive. This file was distributed to targets via phishing emails.

Once downloaded, the archive revealed three components: an executable file and a dynamic-link library (DLL) disguised as image files, and a Windows shortcut (LNK) masquerading as a PDF. When users attempted to open the phony PDF, the shortcut activated the DLL, which then decrypted and launched a third file containing the actual malware, dubbed ToughProgress.

Upon execution, ToughProgress connected to Google Calendar to retrieve its instructions, embedded within event descriptions or hidden calendar events. The malware then exfiltrated stolen data by creating a zero-minute calendar event on May 30, embedding the encrypted information within the event's description field.

Google noted that the malware’s stealth — avoiding traditional file installation and using a legitimate Google service for communication — made it difficult for many security tools to detect.

To mitigate the threat, TIG crafted specific detection signatures, disabled the threat actor’s associated Workspace accounts and calendar entries, updated file recognition tools, and expanded its Safe Browsing blocklist to include malicious domains and URLs linked to the attack.

Several organizations were reportedly targeted. “In partnership with Mandiant Consulting, GTIG notified the compromised organizations,” Google stated. “We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.”

Google did not disclose the exact number of impacted entities.
Read more »
Hacking
arrest Bangladesh Breach Court Cyber Security Data E-Commerce Evaly Fraud Hacking

Evaly Website Allegedly Hacked Amid Legal Turmoil, Hacker Threatens to Leak Customer Data

 

Evaly, the controversial e-commerce platform based in Bangladesh, appeared to fall victim to a cyberattack on 24 May 2025. Visitors to the site were met with a stark warning reportedly left by a hacker, claiming to have obtained the platform’s customer data and urging Evaly staff to make contact.

Displayed in bold capital letters, the message read: “HACKED, I HAVE ALL CUSTOMER DATA. EVALY STAFF PLEASE CONTACT 00watch@proton.me.” The post included a threat, stating, “OR ELSE I WILL RELEASE THIS DATA TO THE PUBLIC,” signaling the potential exposure of private user information if the hacker’s demand is ignored.

It remains unclear what specific data was accessed or whether sensitive financial or personal details were involved. So far, Evaly has not released any official statement addressing the breach or the nature of the compromised information.

This development comes on the heels of a fresh wave of legal action against Evaly and its leadership. On 13 April 2025, state-owned Bangladesh Sangbad Sangstha (BSS) reported that a Dhaka court handed down three-year prison sentences to Evaly’s managing director, Mohammad Rassel, and chairperson, Shamima Nasrin, in a fraud case.

Dhaka Metropolitan Magistrate M Misbah Ur Rahman delivered the judgment, which also included fines of BDT 5,000 each. The court issued arrest warrants for both executives following the ruling.

The case was filed by a customer, Md Rajib, who alleged that he paid BDT 12.37 lakh for five motorcycles that were never delivered. The transaction took place through Evaly’s website, which had gained attention for its deep discount offers and aggressive promotional tactics.
Read more »
Trojan
cryptocurrency Cyberattack Hacking malware printing Ransomware remoteaccess Security Software Trojan

Malware Discovered in Procolored Printer Software, Users Advised to Update Immediately

 

For at least six months, the official software bundled with Procolored printers reportedly included malicious code, including a remote access trojan (RAT) and a cryptocurrency-stealing malware.

Procolored, a Shenzhen-based manufacturer known for its affordable Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers, has built a strong reputation in the digital printing market. Since its founding in 2018, the company has expanded to over 31 countries and developed a considerable footprint in the United States.

The issue was first identified by Cameron Coward, a tech YouTuber behind the channel Serial Hobbyism. He was installing the driver and companion software for a $7,000 Procolored UV printer when his security tool flagged a threat: the Floxif USB worm.

After further investigation, cybersecurity firm G Data confirmed that malware was being distributed through Procolored’s official software packages—potentially impacting customers for over half a year.

Initially dismissed by Procolored as a “false positive,” Coward found that every time he attempted to download or unzip the printer software, his system immediately quarantined the files.

“If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” said the YouTuber.

Coward turned to Reddit for support in analyzing the malware before publishing a critical review. G Data researcher Karsten Hahn responded and discovered that six printer models—F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro—came with software downloads hosted on Mega that were infected with malware.

Mega.nz is the file-sharing platform Procolored uses to distribute printer software via its official website.

Hahn found 39 infected files, including:

  • XRedRAT: A RAT with capabilities such as keylogging, taking screenshots, accessing the remote shell, and file manipulation. Its hardcoded command-and-control (C2) URLs were consistent with previously analyzed samples.
  • SnipVex: A newly identified clipper malware that infects .EXE files and hijacks Bitcoin addresses copied to the clipboard. This malware is believed to have compromised the developer’s machine or software build environment.

According to G Data, the SnipVex malware was used to steal around 9.308 BTC (worth nearly $1 million at current exchange rates).

Company Response and Security Measures

Though Procolored initially denied any wrongdoing, the compromised software was removed from its website on May 8, and the company launched an internal probe.

In communication with G Data, Procolored explained that the infected files had been uploaded via a USB drive possibly infected with the Floxif worm.

“As a precaution, all software has been temporarily removed from the Procolored official website,” explained Procolored to G Data.

“We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded.”

G Data later confirmed that the newly uploaded software packages are clean and safe to install.

Customers who previously downloaded Procolored software are urged to update to the new versions and perform a system scan to remove remnants of XRedRAT and SnipVex. Given the nature of SnipVex's binary tampering, experts recommend a thorough system cleaning.

In a comment to BleepingComputer, Procolored emphasized that all of its software has now been verified and is secure:

“Procolored confirms that its software is completely safe, clean, and has no connection whatsoever to any cryptocurrency-related incidents. All software packages have been thoroughly scanned and verified by third-party tools including VirusTotal and G Data, with no threats detected. Users can purchase and use Procolored products with complete confidence, as there is no risk of Bitcoin or other cryptocurrency theft linked to their software.”

“To further reassure customers, Procolored has provided third-party certifications and conducted strict technical checks to prove its software is secure.”

“In particular, the hash values of the key ‘PrintExp.exe’ file were verified and confirmed to match the official values published on Procolored’s website, proving the file is authentic, untampered, and free of any viruses or malware.”

“The company remains fully committed to customer care — no matter the issue, whether software or hardware, Procolored promises to resolve it to customer satisfaction, supported by their dedicated after-sales team and U.S.-based service resources.”


Read more »
Vulnerability
AI Cybersecurity Data Encryption Hacking Passwords penetration redteam SharePoint Vulnerabilities and Exploits Vulnerability

Pen Test Partners Uncovers Major Vulnerability in Microsoft Copilot AI for SharePoint

 

Pen Test Partners, a renowned cybersecurity and penetration testing firm, recently exposed a critical vulnerability in Microsoft’s Copilot AI for SharePoint. Known for simulating real-world hacking scenarios, the company’s redteam specialists investigate how systems can be breached just like skilled threatactors would attempt in real-time. With attackers increasingly leveraging AI, ethical hackers are now adopting similar methods—and the outcomes are raising eyebrows.

In a recent test, the Pen Test Partners team explored how Microsoft Copilot AI integrated into SharePoint could be manipulated. They encountered a significant issue when a seemingly secure encrypted spreadsheet was exposed—simply by instructing Copilot to retrieve it. Despite SharePoint’s robust access controls preventing file access through conventional means, the AI assistant was able to bypass those protections.

“The agent then successfully printed the contents,” said Jack Barradell-Johns, a red team security consultant at Pen Test Partners, “including the passwords allowing us to access the encrypted spreadsheet.”

This alarming outcome underlines the dual-nature of AI in informationsecurity—it can enhance defenses, but also inadvertently open doors to attackers if not properly governed.

Barradell-Johns further detailed the engagement, explaining how the red team encountered a file labeled passwords.txt, placed near the encrypted spreadsheet. When traditional methods failed due to browser-based restrictions, the hackers used their red team expertise and simply asked the Copilot AI agent to fetch it.

“Notably,” Barradell-Johns added, “in this case, all methods of opening the file in the browser had been restricted.”

Still, those download limitations were sidestepped. The AI agent output the full contents, including sensitive credentials, and allowed the team to easily copy the chat thread, revealing a potential weak point in AI-assisted collaborationtools.

This case serves as a powerful reminder: as AItools become more embedded in enterprise workflows, their securitytesting must evolve in step. It's not just about protecting the front door—it’s about teaching your digital assistant not to hold it open for strangers.

For those interested in the full technical breakdown, the complete Pen Test Partners report dives into the step-by-step methods used and broader securityimplications of Copilot’s current design.

Davey Winder reached out to Microsoft, and a spokesperson said:

“SharePoint information protection principles ensure that content is secured at the storage level through user-specific permissions and that access is audited. This means that if a user does not have permission to access specific content, they will not be able to view it through Copilot or any other agent. Additionally, any access to content through Copilot or an agent is logged and monitored for compliance and security.”

Further, Davey Winder then contacted Ken Munro, founder of Pen Test Partners, who issued the following statement addressing the points made in the one provided by Microsoft.

“Microsoft are technically correct about user permissions, but that’s not what we are exploiting here. They are also correct about logging, but again it comes down to configuration. In many cases, organisations aren’t typically logging the activities that we’re taking advantage of here. Having more granular user permissions would mitigate this, but in many organisations data on SharePoint isn’t as well managed as it could be. That’s exactly what we’re exploiting. These agents are enabled per user, based on licenses, and organisations we have spoken to do not always understand the implications of adding those licenses to their users.”
Read more »
Web3
Blockchain cryptocurrency Cyber Attacks CyberCrime Cybersecurity global threat Hacking IT workers North Korea Sanctions Web3

North Korea’s Global Cybercrime Network Uncovered: Fake IT Workers Funding Regime's Ambitions

 

A new report by cybersecurity firm DTEX has exposed how North Korea is operating a sophisticated international cybercrime network by embedding fake information technology workers within leading global corporations. These operatives, disguised as freelance developers, are channeling millions in stolen cryptocurrency to fund the reclusive nation’s military and weapons programs.

According to the report, North Korean agents are not driven by ideology but by a systemic need to survive. Trained from a young age, many are groomed to become covert cyber operatives or IT contractors. Two individuals, using the aliases “Naoki Murano” and “Jenson Collins,” were found residing in Russia and are believed to be involved in infiltrating Western companies. They’ve been linked to a $6 million cryptocurrency theft.

The regime operates through shadowy IT entities like Chinyong, which positions agents in countries like China, Laos, and Russia. These agents gain trust within blockchain and cryptocurrency projects, ultimately diverting digital assets back to Pyongyang. Since 2017, North Korea has reportedly funneled tens of millions of dollars through such schemes—prompting U.S. sanctions for financing weapons development (see: US Sanctions North Korean Entities for Sending Regime Funds).

The report states that North Korea’s cyber program has reached a pivotal stage, with its tactics becoming more aggressive and unpredictable. The regime now deploys techniques ranging from supply chain attacks to financial sector infiltration and even online propaganda. DTEX researchers noted that these operatives are so deeply integrated into major cryptocurrency and Web3 initiatives that, “it would seem that every other Web3 project has a North Korean on the payroll.”

“The threat of unintentionally hiring North Korean IT workers is larger than most people realize,” Kevin Mandia, founder and former CEO of Mandiant, said in a statement accompanying the report. “It's cover is global and active right now - which is why the industry and government need to work together to come up with solutions to counter the threat.”

The study also challenges the notion that North Korean cyber operatives follow rigid roles. Instead, many shift between missions, take on leadership responsibilities, and reuse false identities—suggesting a highly adaptive and fluid structure.

Past investigations have revealed that North Korean attacks on European tech firms were often facilitated by individuals operating from the U.S. and the U.K. An April report by Mandiant warned of increasing attempts by North Korean IT workers to secure positions in defense and government agencies, with U.S. businesses being their primary focus—even as operations grow across Europe (see: North Korean IT Scammers Targeting European Companies).

Michael Barnhart, the lead analyst behind the DTEX report, said his research is based on open-source intelligence, testimonies from defectors, blockchain forensics, and insights from Web3 infrastructure. He also leveraged proprietary datasets from unnamed partners to trace how North Korean agents shift money, access, and identities across borders.

“DPRK operatives are persistent,” Barnhart wrote, adding that North Korean cyber agents “do not take kindly to scrutiny” and “will try to uncover who is studying them and how.”
Read more »
Power Outage
Cyber Defenses Cyber Security Cyber Threats Cyberattack Hacker attack Hacking Portugal Cyber Army Portugese Power Grids Power Outage

Spain Investigates Cybersecurity of Power Suppliers After Widespread Grid Outage

 

Spain is investigating the cybersecurity practices of its power suppliers following a major power outage that affected much of the Iberian Peninsula at the end of April. While initial assessments by Spanish and Portuguese grid operators ruled out a cyberattack, authorities are now questioning whether smaller, independent energy producers may have inadvertently opened vulnerabilities within the national power infrastructure. 

The outage disrupted electricity supply across both Spain and Portugal, with most regions regaining power after ten hours. However, it took nearly a full day—23 hours—for Spain’s grid to be fully restored. Although no immediate signs of hacking were found, the duration and scale of the disruption raised alarms, prompting deeper scrutiny into the resilience of Spain’s decentralized energy network. According to a report from the Financial Times, Spain’s National Cybersecurity Institute (INCIBE) has reached out to various smaller renewable energy producers, asking whether they experienced any unusual activity before the blackout on April 28. 

The inquiries also covered their use of recent security patches and whether their systems could be remotely accessed, signaling a broader concern over cybersecurity readiness among these suppliers. This line of investigation is significant given Spain’s heavy reliance on renewable energy, much of which is generated by smaller, less centralized plants. The concern is that these entities, though critical to Spain’s green transition, may lack the robust cyber defenses maintained by larger grid operators. 

While this doesn’t point to renewable energy as unreliable, it highlights how a fragmented supplier ecosystem could pose a collective security risk. Cybersecurity experts have also weighed in. A blog post by security firm Specops Software compared the Spanish outage to known cyberattacks on power grids, such as those in Ukraine in 2015 and 2016. While Specops acknowledged the Spanish grid operators’ conclusion that no breach was detected through their internal monitoring systems, the firm noted similarities in how the shutdown unfolded. 

However, Barracuda Networks’ regional director Miguel López suggested that if a cyberattack had indeed compromised critical systems, it would have taken significantly longer to recover, casting doubt on hacking as the root cause. Still, the possibility that attackers exploited a less secure third-party provider has not been ruled out. This renewed scrutiny comes amid global concerns over cyber threats to critical infrastructure. 

The U.S. and U.K. have both issued alerts about increased activity by pro-Russian hacktivists targeting industrial control systems. With recent research showing that 95% of critical infrastructure organizations experienced a data breach in the past year, Spain’s situation underscores the urgent need for improved cyber vigilance across all levels of the energy supply chain.
Read more »
SK Telecom
Data Breach Hacking sim cards SK Telecom

Personal Data Leak Hits SK Telecom Users, SIM Swap Threat Grows

 


A recent cyberattack has put the personal information of millions of South Korean mobile users at risk. SK Telecom, the country’s largest mobile service provider, has confirmed that a major data breach has affected up to 25 million customers. The attack was carried out using malware that could allow criminals to perform SIM swapping — a method where someone takes control of a person's phone number to access their accounts and data.

The company said it is still investigating the situation but assured the public that no misuse of the stolen data has been confirmed so far. Despite this, many customers are worried that the real damage could still happen in the future.

In response to the breach, a group of victims has come together to demand answers and action. This group, calling itself the “SKT USIM Hacking Joint Response,” says SK Telecom has not been clear about how serious the breach is. They fear that leaked phone numbers and related information could be used to break into other services, such as bank accounts, messaging apps, and social media platforms — all of which often use phone numbers for verification.

To ease concerns, SK Telecom has promised to provide free replacement SIM cards to all affected users. However, the company has run into challenges with supply. So far, it has only secured one million SIM cards and plans to get five million more by the end of May. This is far from enough to cover the 25 million people impacted, so it may take a while before everyone receives their replacement card.

SK Telecom has set up an online system where customers can book appointments to get their new SIM cards. But the company has warned that long wait times should be expected because of the high demand.

This incident has raised serious questions about mobile security and how quickly companies respond to digital threats. As people rely more on their smartphones for banking, shopping, and communication, protecting mobile data has never been more important.

Read more »
phishing
ceasefire Cyber Attacks Cybersecurity DDoS disinformation Hacking India Infrastructure Pakistan phishing

Cyber Warfare After Pahalgam: Over 1.5 Million Cyberattacks Target Indian Infrastructure

 

Following the Pahalgam terror incident, India experienced a massive wave of cyberattacks launched by hostile hacker groups operating from Pakistan, Bangladesh, Indonesia, and parts of the Middle East. As per a detailed investigation by the Maharashtra Cyber Cell, over 1.5 million cyber intrusions targeted Indian websites and digital systems in a deliberate, coordinated assault meant to disrupt national infrastructure and spread psychological unrest.

According to a government report titled “Road of Sindoor,” the cyber onslaught was a retaliatory move against India’s military operation conducted under the same name. The attacks aimed at government portals, municipal databases, aviation systems, and other vital infrastructure.

Despite the scale of the offensive, only 150 of the attacks showed limited success, marking a mere 0.01% success rate. This reflects India’s growing cyber resilience and the relatively low effectiveness of these foreign cyber operatives.

7 Pakistani-Backed Hacker Groups Identified

The Maharashtra Cyber Cell report identified seven key hacker groups orchestrating the campaign:
  • APT 36
  • Pakistan Cyber Force
  • Team Insane PK
  • Mysterious Bangladesh
  • Indo Hacks Sec
  • Cyber Group HOAX 1337
  • National Cyber Crew (Pakistan-allied)
These collectives employed tactics such as DDoS attacks, malware deployment, GPS spoofing, and website defacements. One of the more visible intrusions was the defacement of the Kulgaon Badlapur Municipal Council website. Additionally, several unverified claims circulated online, alleging cyber breaches of the Mumbai airport systems and telecom infrastructures.

More concerning was the coordinated use of disinformation, which sought to falsely portray that India's banking sector, power grid, and satellite systems had been compromised. The report revealed that over 5,000 fake social media posts linked to the India-Pakistan conflict were detected and removed.

Ceasefire Didn’t Halt Cyber Assaults

Even as a ceasefire agreement remained in place between India and Pakistan, cyber offensives continued, especially from Bangladesh, Indonesia, and allied Middle Eastern entities. While officials observed a decline in attack frequency post-ceasefire, they confirmed that the attacks never fully stopped.

Authorities stated, “These campaigns weren’t amateur attempts. They were designed to destabilize. Though thwarted, they signal a persistent digital threat landscape India must be prepared for.”

State and national intelligence units are now working in tandem to bolster surveillance, reinforce cybersecurity protocols, and pre-empt future threats.

The “Road of Sindoor” report has been formally shared with the Director General of Police, the State Intelligence Department, and other key law enforcement bodies, affirming India’s strategic focus on digital sovereignty and cybersecurity preparedness.
Read more »
Subscribe to: Posts (Atom)