<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link rel="alternate" hreflang="en-NZ"
                       href="https://www.techradar.com/nz/feeds/tag/cybercrime"
                       type="application/rss+xml"/>
                            <title><![CDATA[ Latest from TechRadar NZ in Cybercrime ]]></title>
                <link>https://www.techradar.com/nz/computing/computing-security/cybercrime</link>
        <description><![CDATA[ All the latest cybercrime content from the TechRadar  NZ team ]]></description>
                                    <lastBuildDate>Fri, 26 Jun 2026 13:27:16 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ Unnamed hackers steal stolen data from Icarus hackers responsible for Klue supply chain hack — and yes, it's as confusing as it sounds ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/unnamed-hackers-steal-stolen-data-from-icarus-hackers-responsible-for-klue-supply-chain-hack-and-yes-its-as-confusing-as-it-sounds</link>
                                                                            <description>
                            <![CDATA[ Klue was hacked by Icarus, and then Icarus was hacked by another group. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dn5yZH8XeXT5eSKjpEMKUe</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/y7GLevUTEjLYdujEYsv668-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 26 Jun 2026 13:27:16 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                <author><![CDATA[ benedict.collins@futurenet.com (Benedict Collins) ]]></author>                    <dc:creator><![CDATA[ Benedict Collins ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/jEvqGv8wvH7PWZ4XPURyyB.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.&lt;/p&gt;&lt;p&gt;Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.&lt;/p&gt;&lt;p&gt;Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with an elite academic framework for deconstructing complex international conflicts and intelligence operations. He also holds a BA in Politics with Journalism, providing him with a strong investigative nature and the ability to translate complex security data into clear, actionable insights.&lt;/p&gt;&lt;p&gt;When he isn’t analyzing the latest data breach or security threats, Benedict enjoys running and cycling throughout the UK countryside.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/y7GLevUTEjLYdujEYsv668-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details]]></media:description>                                                            <media:text><![CDATA[Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details]]></media:text>
                                <media:title type="plain"><![CDATA[Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/y7GLevUTEjLYdujEYsv668-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Klue recently suffered a cyber attack at the hands of Icarus</strong></li><li><strong>Icarus was apparently deleting the stolen customer data</strong></li><li><strong>An unnamed group claims to have stolen the data from Icarus, and is now extorting Klue customers directly</strong></li></ul><p>Earlier this month, market research provider Klue suffered a cyberattack with the knock-on effects <a href="https://www.techradar.com/pro/security/lastpass-confirms-data-breach-after-hacker-compromises-supply-chain-heres-what-we-know" target="_blank">hitting major companies such as LastPass</a>, Gong, Jamf, HackerOne, Huntress and others.</p><p>Klue has since revealed it is in contact with the Icarus ransomware group, who claim to have been in possession of stolen data and were threatening to leak the data in an attempt to extort the company.</p><p>But a second, unnamed group has emerged, which claims to have broken into a member of the Icarus group’s environment to steal the customer data stolen by Icarus from Klue. This second group is now apparently attempting to extort Klue customers directly, much to the annoyance of Icarus.</p><h2 id="hackers-hacked-by-hackers">Hackers hacked by hackers</h2><p>An update shared privately with Klue customers on Wednesday night and seen by <a href="https://techcrunch.com/2026/06/25/hacked-klue-says-criminals-are-deleting-stolen-customer-data-but-now-other-hackers-are-making-threats/" target="_blank"><em>TechCrunch</em></a> said, “We continue to communicate with the threat actor we have been in contact with (‘Icarus’). Icarus told us they are taking steps to delete the data taken from Klue customers. 
The Icarus site remains down and we have indications that Icarus is indeed taking steps to delete data taken from Klue customers.”</p><p>Icarus later informed Klue that the second group was attempting to extort Klue customers using the same data, having posted a list of affected companies on its own website. Alongside this list, they also claimed to have stolen the customer data from Icarus, after one of the Icarus group accidentally allowed the group to connect to the server hosting the stolen data.</p><p>Although there is no evidence that Klue has paid the Icarus group, the unnamed group also posted a statement that an “Icarus operator who is a teenager living somewhere in the UK or adjacent countries” had been paid by Klue to delete the stolen data.</p><p>A further communique issued by Klue to its customers said that it had been reassured by Icarus that the unnamed group only had samples of the stolen data, not the full set. It also said that, “Icarus has asked us to inform Klue customers to not make payment to this other party.”</p><p>Klue also suggested that its customers should ask the second group for random samples of their data to prove whether or not they actually had obtained the full set of stolen customer data.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ‘Travelers are getting better at spotting obvious scams' — but experts warn Airbnb scams are on the rise as summer arrives ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/travelers-are-getting-better-at-spotting-obvious-scams-but-experts-warn-airbnb-scams-are-on-the-rise-as-summer-arrives</link>
                                                                            <description>
                            <![CDATA[ As summer travel peaks, experts warn of Airbnb scams exploiting verified host accounts to trick users into fake vacations. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7XmXUDBXn3r3R4jkjMNZ8j</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/TTY5Kw4XBVMnVyegXQfgGT-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 24 Jun 2026 00:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Craig Hale ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/GV8qRsHBkpSAQxiYKjTt6H.jpg ]]></dc:source>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/TTY5Kw4XBVMnVyegXQfgGT-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock / Iryna Kalamurza]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Young couple planning honeymoon vacation trip with map]]></media:description>                                                            <media:text><![CDATA[Young couple planning honeymoon vacation trip with map]]></media:text>
                                <media:title type="plain"><![CDATA[Young couple planning honeymoon vacation trip with map]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/TTY5Kw4XBVMnVyegXQfgGT-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Airbnb scams have surged 30x since 2023, including a sharp rise this year</strong></li><li><strong>Criminals hijack legitimate host accounts to trick holidaymakers</strong></li><li><strong>Staying safe isn't so straightforward as threats evolve</strong></li></ul><p>Airbnb-related scam activity has increased 30x since the first half of 2023, according to new research from Saily and NordStellar, confirming that cybercriminals continue to go after holidaymakers seeking the best deals amid rising prices.</p><p>The report ultimately concludes that attackers are now targeting the trust built by larger platforms, saving them from having to build new identities from scratch.</p><p>The nature of the scams is also changing: instead of using suspicious websites to obtain victim payments or information, criminals are now targeting legitimate Airbnb host accounts which have spent years amassing positive reviews and high ratings.</p><h2 id="exploiting-legitimate-accounts-and-hijacking-trust">Exploiting legitimate accounts and hijacking trust</h2><p>While the end goal remains high volumes of vulnerable consumers, scammers have added an extra layer of victims to their pipeline. Verified Airbnb hosts are now valuable assets for criminals because they already have identity verifications, positive reviews, booking histories, years of activity and established credibility.</p><p>Once the verified account is compromised, attackers can then go on to scam higher volumes of unsuspecting victims by posting – and charging for – fake property listings.</p><p>“Travelers are getting better at spotting obvious scams,” Saily Head of Product Matas Cenys said. “Criminals know this, so they are increasingly trying to steal trust instead of building fake trust from scratch.”</p><p>Where this type of attack differs from others, though, is that the victims never leave the platform. 
Rather than falling victim to phishing attacks and being redirected to malicious external sites, they interact fully with supposedly legitimate hosts on the Airbnb platform.</p><p>While Airbnb attacks have seen a 30x increase in around three years and a sharp rise in the last year alone, they reflect a much broader trend of attackers compromising existing trusted accounts.</p><p>The recent ramp-up in attacks could also be tied to the summer season, with holidaymakers looking to book last-minute deals in the run-up to the summer season. Urgency and pressure to keep costs low also add to criminals’ success.</p><p>“Everything looks normal until they arrive at their destination and discover the accommodation never existed,” Cenys added.</p><h2 id="how-to-protect-yourself-from-booking-scams">How to protect yourself from booking scams</h2><p>Saily is recommending that all communication stays within the booking platform and that customers avoid payment methods suggested outside of official channels. Unusually attractive listings in high-demand destinations could also be taken with a pinch of salt, and savvy shoppers may choose to reverse image search a property to double check its authenticity.</p><p>“As travel booking becomes increasingly digital, trust becomes one of the most valuable currencies in the travel ecosystem,” Cenys warned.</p><p>As for abusing victim trust, researchers also argue that AI has aided attacks by allowing criminals to produce better fake listings more quickly.</p><p>More generally, Airbnb revealed that two in five Americans have fallen victim to an online scam, with the average loss totalling nearly $2,000. The company has introduced measures to remind its users how to avoid scams, including introducing identity verification and reminders not to leave the platform, but account takeovers can still slip under the radar.</p><p>Airbnb also holds guest payments until 24 hours after check-in to ensure that everything is as described. 
Anti-fraud tech also prevented around 265,000 suspicious listings from appearing on the platform in 2025, the company boasted.</p><p>The company <a href="https://news.airbnb.com/partnering-with-experts-on-tips-to-help-avoid-summer-travel-scams-in-u-s/" target="_blank">posted</a> a comprehensive eight-step list of how to avoid scams on its platform online, calling out pressure tactics and unusual deals.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ A newbie hacker used "vague, low-skill prompts" in Claude and Codex to breach 14 companies, and the AI Agents did all the legwork ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/a-newbie-hacker-used-vague-low-skill-prompts-in-claude-and-codex-to-breach-14-companies-and-the-ai-agents-did-all-the-legwork</link>
                                                                            <description>
                            <![CDATA[ A newbie hacker is still a newbie hacker, though, and this one left a few gaping holes in his work. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">VMRSV9yYEZbm4Lkvnzczmn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Thi6y93AMWrCXJAEiHDQbL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 22 Jun 2026 14:35:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Thi6y93AMWrCXJAEiHDQbL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A robot in front of a digital screen, touching some of the symbols with its outstretched finger]]></media:description>                                                            <media:text><![CDATA[A robot in front of a digital screen, touching some of the symbols with its outstretched finger]]></media:text>
                                <media:title type="plain"><![CDATA[A robot in front of a digital screen, touching some of the symbols with its outstretched finger]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Thi6y93AMWrCXJAEiHDQbL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>OALABS analyzed a novice attacker’s full working directory showing 14 breaches carried out with Claude Code and Codex agents</strong></li><li><strong>Attacker used vague prompts; AI agents handled reconnaissance, exploit writing, and data harvesting, bypassing guardrails with ease</strong></li><li><strong>Logs revealed attacker’s identity and location in Addis Ababa, Ethiopia</strong></li></ul><p>A newbie cybercriminal managed to break into 14 organizations and steal sensitive data, just by using Anthropic’s Claude Code and OpenAI’s Codex agents. This is according to cybersecurity researchers OALABS, who recovered and analyzed the attacker’s entire working directory.</p><p>The researchers cited the case as further proof that advanced Generative Artificial Intelligence (<a href="https://www.techradar.com/best/best-ai-tools" target="_blank">GenAI</a>) models are significantly lowering the barrier to entry into cybercrime, and used it to sound the alarm that the security community needs to step up.</p><p>“In many cases, the attacker supplied only vague, low-skill prompts and allowed Claude to fill in the gaps: researching exposed services, identifying possible vulnerabilities, writing exploit code, validating access, and harvesting data,” the researchers said. “The attacker did not need to be an expert operator; they simply had to use the correct framing for their prompts. The agent supplied much of the structure and technical execution that the attacker appeared to lack.”</p><h2 id="doxxing-the-attacker">Doxxing the attacker</h2><p>OALABS could not find evidence that the stolen data was monetized in any way, either by being sold on the dark web, or by extorting the victim companies. 
They did, however, find numerous pieces of evidence about the attacker’s identity and whereabouts.</p><p>According to the researchers, the attacker did not run the AI agents on his own infrastructure, but rather on a third-party server, and when that third party discovered malicious activity, they downloaded the entire working directory and shared it with the researchers.</p><p>“Because the agents were local to the host, their full session logs were recovered, including the attacker’s prompts, the tools used, the internal monologue of the large language model (LLM), and any policy violations recorded during the sessions,” the researchers said.</p><p>OALABS was thus able to analyze more than 1,000 agent sessions, seeing how the attacker was able, with ease, to bypass most of the agents’ guardrails. Also among the sessions were the threat actor’s CV with his full name, location, education history, and LinkedIn profile, as well as his IP address, which showed that he was located in Addis Ababa, Ethiopia.</p><p><em>Via </em><a href="https://www.helpnetsecurity.com/2026/06/17/ai-agents-offensive-cyber-operations-claude-codex/" target="_blank"><em>Help Net Security</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ‘I barely slept last night’: Hackers sent an ‘extreme’ alert to millions of Brazilians using the government’s own tools, and that’s a huge concern ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/computing/cyber-security/i-barely-slept-last-night-hackers-sent-an-extreme-alert-to-millions-of-brazilians-using-the-governments-own-tools-and-thats-a-huge-concern</link>
                                                                            <description>
                            <![CDATA[ Hackers breached government systems in Brazil to send millions of people a mysterious ‘extreme’ alert. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">xzHZArtxfXsF9o77iA4yhc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ui7eDjrVhqovuAQCCWrpkF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 22 Jun 2026 11:56:22 +0000</pubDate>                                                                                                                                <updated>Mon, 22 Jun 2026 11:59:00 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ alexblake.techradar@gmail.com (Alex Blake) ]]></author>                    <dc:creator><![CDATA[ Alex Blake ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gwmVRU4zMGnDYsGVAFvRmL.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Alex Blake has been fooling around with computers since the early 1990s, and since that time he&#039;s learned a thing or two about tech. No more than two things, though. That&#039;s all his brain can hold. As well as TechRadar, Alex writes for iMore, Digital Trends and Creative Bloq, among others. He was previously commissioning editor at MacFormat magazine. That means he mostly covers the world of Apple and its latest products, but also Windows, computer peripherals, mobile apps, and much more beyond. When not writing, you can find him hiking the English countryside and gaming on his PC.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ui7eDjrVhqovuAQCCWrpkF-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Two hands holding a phone showing the Brazil flag and X]]></media:description>                                                            <media:text><![CDATA[Two hands holding a phone showing the Brazil flag and X]]></media:text>
                                <media:title type="plain"><![CDATA[Two hands holding a phone showing the Brazil flag and X]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ui7eDjrVhqovuAQCCWrpkF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Millions of Brazilians received an unauthorized government alert</strong></li><li><strong>The text simply read ‘misanthropi4’ and it’s unknown who sent it</strong></li><li><strong>The government has denied it was responsible, pointing towards hackers</strong></li></ul><p>If you’re based in the US, you might know about AMBER alerts, also known as <a href="https://www.techradar.com/phones/android/your-android-phone-just-got-better-at-saving-your-life-heres-how">Wireless Emergency Alerts</a>, which are mass-broadcast messages sent to every <a href="https://www.techradar.com/news/best-phone">smartphone</a> in a designated area. Several other nations have similar platforms in place, including Brazil — but many Brazilians recently learned that their emergency alert system wasn’t quite as secure as they might have hoped.</p><p>In the early hours of Saturday morning, millions of Brazilians were jolted awake by a mysterious message from the country’s alert system. The alert level was classified as “extreme,” and concerningly, it’s thought it was the work of <a href="https://www.techradar.com/pro/security/experts-warn-hackers-are-hiding-malware-inside-googles-own-ad-systems-heres-what-we-know">hackers</a> rather than any official body. </p><p>The message, which was sent to civilians in the southern state of Paraná and the cities of São Paulo and Rio de Janeiro, among others, simply read “misantropi4.” That’s an approximation of the Portuguese word “misanthropia,” (with the final A swapped for a 4). As with the English word “misanthropy,” it means a hatred or distrust of humanity. </p><p>The message was accompanied by a loud alarm sound normally reserved for particularly severe thunderstorms. Since the text was sent shortly after midnight local time, it ensured that many people were woken up in the middle of the night. 
</p><p>Brazilian authorities said that the emergency message system was taken offline after a probable hacker attack, suggesting that this was more than just a simple text sent out in error by the government. Indeed, there was no event or natural disaster serious enough to warrant the alert being activated at the time, which further points towards bad actors being responsible.</p><h2 id="a-potentially-devastating-attack">A potentially devastating attack</h2><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:738px;"><p class="vanilla-image-block" style="padding-top:56.23%;"><img id="3yJ4ZzG7h8cwpxdMsAJVqf" name="Brazil hackers alert system by BrazilianSwainSimp" alt="An alert sent by hackers to users in Brazil." src="https://cdn.mos.cms.futurecdn.net/3yJ4ZzG7h8cwpxdMsAJVqf.jpg" mos="" align="middle" fullscreen="" width="738" height="415" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">An example of the text sent by hackers to Brazilian civilians. </span><span class="credit" itemprop="copyrightHolder">(Image credit: BrazilianSwainSimp on Reddit)</span></figcaption></figure><p>The fact that hackers were able to breach a government system that has the potential to communicate with every mobile device in a given area of the country has worrying implications, both for the ways civilians could be manipulated and for the security of government institutions as a whole. </p><p>A text from a known government source is likely to be trusted more than one from an unknown number. With access to Brazil’s emergency broadcast system, hackers could potentially send out fraudulent messages that might have a larger impact than normal. That opens the door for all kinds of nefarious activities. </p><p>For now, this attack seems to have had a relatively minor impact. 
For many Brazilians posting on social media, the text was confusing more than anything else. </p><p><a href="https://www.reddit.com/r/mildlyinfuriating/comments/1uay1mi/comment/ossr3lj/" target="_blank">Last-Educator3947 on Reddit</a>, for example, said “I live in the town where the alert was first sent. It happened five minutes after the Brazil x Haiti <a href="https://www.techradar.com/how-to-watch/football/world-cup-2026-free">World Cup</a> game. My anxious brain associated misanthropy with a violent attack on the people celebrating in the streets after the game. I thought it was an incel <a href="https://www.techradar.com/computing/social-media/discord-just-made-your-voice-and-video-calls-more-private-and-secure-than-ever-but-age-verification-privacy-concerns-havent-been-dispelled">Discord</a> hacker sending a message to start a ‘The Purge’-style attack.” They then added: “I’m laughing now but I barely slept last night.” </p><p>Reddit user <a href="https://www.reddit.com/r/mildlyinfuriating/comments/1uay1mi/comment/osrt6os/" target="_blank">Magnon</a>, meanwhile, summed up the situation by saying that it, “Sounds like an anime villain just spawned.” </p><p>According to the <a href="https://x.com/IntCyberDigest/status/2068633434591830290" target="_blank">International Cyber Digest newsletter</a> on X, this breach could be linked to a previous hack of a Brazilian government employee who was infected with an <a href="https://www.techradar.com/pro/security/mac-users-beware-this-devious-new-infostealer-malware-disguises-itself-as-official-apple-tools-to-lure-in-victims">infostealer</a>. International Cyber Digest claims that stolen credentials included government logins, emails, developmental and staging environments, and more. </p><p>Whether or not this is what gave hackers access to the Brazilian government’s alert system isn’t yet known. Either way, it demonstrates the power that hackers can accrue if they find a way into supposedly secure governmental systems. 
While this alert saga turned out to be relatively harmless, that might not be the case next time.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'Simply being aware is no longer sufficient protection' — Security experts warn of AI-boosted scam campaigns that can trick even the smartest victims ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/simply-being-aware-is-no-longer-sufficient-protection-security-experts-warn-of-ai-boosted-scam-campaigns-that-can-trick-even-the-smartest-victims</link>
                                                                            <description>
                            <![CDATA[ AI-powered scams are tricking victims faster than ever, with many losing money within minutes through convincing fake identities. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">obwCopPAjiwsGxFGYVXNPf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/vaZaSfPx7aqf7NQMxSW9i9-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Sun, 21 Jun 2026 08:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Efosa Udinmwen ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/nwRLdPUNG4rWu4Y6nthHDV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master&#039;s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/vaZaSfPx7aqf7NQMxSW9i9-1280-80.png">
                                                            <media:credit><![CDATA[Kaspersky]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Man looking at phone after being scammed by an AI tool]]></media:description>                                                            <media:text><![CDATA[Man looking at phone after being scammed by an AI tool]]></media:text>
                                <media:title type="plain"><![CDATA[Man looking at phone after being scammed by an AI tool]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/vaZaSfPx7aqf7NQMxSW9i9-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Nearly two-thirds of victims believe AI tools enabled their fraud experience</strong></li><li><strong>One in ten victims handed over money within just five minutes</strong></li><li><strong>Scammers moved across multiple platforms in 63% of incidents</strong></li></ul><p>Messaging scams are becoming increasingly sophisticated as criminals use AI to imitate trusted people, familiar brands, and everyday conversations.</p><p>New <a href="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2026/05/27050022/The_Great_Messaging_Heist_Report_2026_by_Kaspersky.pdf?kaspr=x75y" target="_blank" rel="nofollow">research</a> from Kaspersky suggests these schemes are succeeding with alarming speed, often convincing victims to hand over money within minutes.</p><p>The findings indicate that digital experience alone may no longer provide reliable protection against modern fraud attempts.</p><h2 id="ai-powered-scams-are-becoming-faster-and-more-convincing">AI-powered scams are becoming faster and more convincing</h2><p>The study found that nearly two-thirds of scam victims globally, or 64.5%, believed <a href="https://www.techradar.com/best/best-ai-tools">AI tools</a> played a role in the fraud attempts directed at them.</p><p>In the United Kingdom, 54% of respondents suspected criminals used deepfakes or synthetic voices to impersonate relatives, friends, or legitimate organizations, allowing scammers to create convincing scenarios that closely resemble genuine interactions and trusted relationships.</p><p>According to the research, more than half of UK victims completed payments or shared sensitive information within 30 minutes of initial contact.</p><p>More than 1 in 10 victims, representing 12.2%, did so within 5 minutes, demonstrating how rapidly these operations unfold.</p><p>Researchers also found nearly two-thirds (63%) of incidents moved across multiple communication platforms, helping fraudsters maintain credibility 
while avoiding suspicion.</p><p>The most common scams involved investment opportunities, affecting 40% of respondents, followed by fake delivery alerts at 38% and brand impersonation schemes at 35%.</p><p>Dr. Elisabeth Carter, forensic linguist and criminologist at Kingston University London, said fraudsters create situations that appear entirely reasonable at the time.</p><p>“Fraudsters use recognised contexts, familiar social settings and embedded linguistic norms to make victims feel their decision-making is rational and reasonable in the moment,” Carter explained.</p><p>“What is actually happening is that they construct false realities in which those decisions end up causing financial and psychological harm.”</p><h2 id="financial-losses-continue-to-grow-as-reporting-remains-low">Financial losses continue to grow as reporting remains low</h2><p>The financial consequences extend beyond isolated incidents, particularly during a period when many households already face economic pressures.</p><p>Kaspersky found that victims in the UK lose an average of £458.45 per scam, while 9.1% reported losses exceeding £1,000, with more than a quarter (28%) saying they experienced three or more scam attempts within six months.</p><p>Researchers noted that millennials were especially vulnerable to investment-related fraud, with 40% reporting exposure to financial opportunity schemes.</p><p>The study also found over half (52%) of all scams occurred during the previous five months, suggesting the problem continues to accelerate rather than stabilize.</p><p>Marc Rivero, Lead Security Researcher at Kaspersky's Global Research and Analysis Team, warned that criminal groups are operating at an unprecedented scale.</p><p>“AI is accelerating the trend, helping scammers convincingly imitate brands, familiar voices, and personal relationships,” said Rivero.</p><p>“Simply being aware is no longer sufficient
protection. People need to recognise risks earlier, before being pressured into hasty decisions.”</p><p>Security specialists recommend combining caution with technical safeguards, including <a href="https://www.techradar.com/best/best-antivirus">antivirus software</a> capable of detecting malicious links in real time.</p><p>They also encourage stronger credential protection through a <a href="https://www.techradar.com/best/password-manager">password manager</a> and broader awareness of evolving scam tactics.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 100 days after the Iran war started — Tehran-backed group breaches California Water Service but claims they 'chose not to disrupt water access' ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/100-days-after-the-iran-war-started-tehran-backed-group-just-breached-california-water-service-but-claims-they-chose-not-to-disrupt-water-access</link>
                                                                            <description>
                            <![CDATA[ Iranian-linked group Handala breached California Water Service, leaking 5GB of customer data and exposing critical GPS infrastructure across seven districts. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GEad45HVtqTWmprj8U73pV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/cg8cNe5GV3DZyAnoK8dtmS-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Fri, 19 Jun 2026 00:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Efosa Udinmwen ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/nwRLdPUNG4rWu4Y6nthHDV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master&#039;s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/cg8cNe5GV3DZyAnoK8dtmS-1280-80.png">
                                                            <media:credit><![CDATA[Veolia]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Micron purchases treated water from Veolia, a private municipal water utility]]></media:description>                                                            <media:text><![CDATA[Micron purchases treated water from Veolia, a private municipal water utility]]></media:text>
                                <media:title type="plain"><![CDATA[Micron purchases treated water from Veolia, a private municipal water utility]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/cg8cNe5GV3DZyAnoK8dtmS-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Iranian hackers accessed two Cal Water systems and leaked 5GB of data</strong></li><li><strong>A poorly secured GPS tool gave attackers a direct path inside Cal Water</strong></li><li><strong>Administrative credentials for seven California districts were published in plaintext online</strong></li></ul><p>Tehran-linked threat group Handala has claimed it successfully breached California Water Service and released a 5GB data dump as proof.</p><p>Cal Water is one of the largest investor-owned water utilities in the United States, serving millions of residential and commercial customers across California.</p><p>Handala described the breach as direct retaliation for recent US military actions in Iran, claiming it could disrupt water access but deliberately chose not to — for now.</p><h2 id="how-a-gps-tool-became-the-entry-point">How a GPS tool became the entry point</h2><p>Cybersecurity firm Dataminr analyzed the published data and identified two separate systems that Handala accessed during the breach.</p><p>The first was a customer billing database containing names, addresses, phone numbers, account numbers, and payment histories across multiple Cal Water districts.</p><p>The second was an internal RTKBase deployment — an open-source GPS base station platform used by field crews maintaining water infrastructure across California.</p><p>The RTKBase instance had been running continuously for approximately 783 hours at the time of access, with GPS correction data streaming across seven identified Cal Water districts.</p><p>Those districts included Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo, and a regional engineering segment spread across California.</p><p>The researchers believe that the GPS platform was not the end goal — it was the entry point into deeper infrastructure.</p><p>The RTKBase web interface was accessible via standard HTTP port 10000 across multiple district locations, making it straightforward 
for outside actors to locate and access.</p><p>It was deployed on lightweight hardware that offered minimal resistance against unauthorized entry from the internet.</p><p>Administrative credentials for the platform appeared in the published dump in plaintext, giving anyone who downloaded it immediate access to the entire system.</p><p>Full network infrastructure details for all seven districts were equally exposed, leaving Cal Water's security team with virtually nothing intact to protect.</p><h2 id="a-pattern-that-should-concern-every-water-utility">A pattern that should concern every water utility</h2><p>Handala's history makes the "chose not to disrupt" framing worth treating with considerable skepticism from any serious security perspective.</p><p>The group deployed a destructive wiper against Stryker in March 2026 that disrupted manufacturing and shipping — following the same data-theft-first pattern documented in this breach.</p><p>"Handala's operational pattern frequently involves an initial claim followed by escalated action," Dataminr's report concluded.</p><p>"Security teams should treat the current disclosure as a possible precursor to a destructive follow-on and posture accordingly."</p><p>The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory this year warning of Iranian groups targeting US water sector technologies.</p><p>This breach is an indication that Iranian cyber threats to US water infrastructure are no longer theoretical.</p><p>Cal Water has not publicly acknowledged the breach, but affected customers now face elevated phishing risks given that their names, addresses, phone numbers, and account details are publicly available. 
</p><p>Via <a href="https://securityaffairs.com/193565/uncategorized/iran-linked-handala-breached-a-california-water-utility-it-could-have-done-worse-and-it-knows-that.html" target="_blank" rel="nofollow">Security Affairs</a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Meet Kali365 — the 'Amazon of cybercrime' where hackers use AI to completely circumvent multi-factor authentication ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/meet-kali365-the-amazon-of-cybercrime-where-hackers-use-ai-to-completely-circumvent-multi-factor-authentication</link>
                                                                            <description>
                            <![CDATA[ Kali365 abuses the current OAuth device code flow on Microsoft accounts in a sophisticated attempt to dupe users into signing into their accounts ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3TQ2FNepmP2KaHKXkWEM34</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/AboNpeASJNf5nBHAARoLnF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 17 Jun 2026 18:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ Rahimnoorali11@gmail.com (Rahim Amir) ]]></author>                    <dc:creator><![CDATA[ Rahim Amir ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/9xKZFBamtEZKSChRvywbPB.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Rahim Amir is a UAE-based tech writer who enjoys building PCs as much as he enjoys writing about them. He has been professionally writing about PC hardware since 2023, focusing on buyer’s guides, hardware reviews, and sponsored content and features related to tech.&lt;br&gt;&lt;br&gt;Having built hundreds of gaming PCs and being an avid gamer in his spare time, Rahim tends to have stronger opinions about hardware than most. This is particularly on display when he gets his way with powerful, but minimalistic RGB builds even as Small Form Factor (SFF) PCs come a close second.&lt;br&gt;&lt;br&gt;In addition to his contributions to TechRadar, Rahim’s work has also been featured on Game Rant and financial news websites.&lt;br&gt;&lt;br&gt;When he’s not working, you can find him playing DotA with friends or schmoozing to take the world over in Civilization. Alternatively, you can find him binging through the entirety of the Lord of The Rings universe with extended editions in play where applicable.&lt;br&gt;&lt;br&gt;You can currently catch Rahim grinding Path of Exile 2, complaining about his (extremely low) unique loot drop rate, or actively participating in one of the numerous (and heated) debates centered around Tolkien&#039;s universe on multiple forums daily.&lt;br&gt;&lt;br&gt;If you have a PC build or a Satisfactory playthrough in progress, he is likely to have some advice to send your way, especially regarding verticality being key for the latter. For the former, Rahim enjoys all aspects of the process including researching the components he will eventually use, benchmarking the latest and greatest hardware he can get his hands on, and somewhat surprisingly, cable management once he gets his latest build to POST.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/AboNpeASJNf5nBHAARoLnF-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A laptop with digitally inserted hack warnings around it]]></media:description>                                                            <media:text><![CDATA[A laptop with digitally inserted hack warnings around it]]></media:text>
                                <media:title type="plain"><![CDATA[A laptop with digitally inserted hack warnings around it]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/AboNpeASJNf5nBHAARoLnF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Kali365 is a sophisticated phishing-as-a-service platform, also known as Octopi365 and Freedom365, that targets Microsoft accounts</strong></li><li><strong>It was first detected by security firm Huntress in May 2026 when examining a slew of Microsoft 365 logins originating from China</strong></li><li><strong>The FBI issues a warning detailing the process as part of a public service announcement</strong></li></ul><p>Phishing attacks are hardly new, with an estimated 3.4 billion malicious emails sent daily, accounting for a mammoth 1.2% of all email traffic.</p><p>Google alone blocks approximately 100 million phishing emails daily, as threat actors continue to evolve their approaches, using unique campaigns, AI-generated content, and, lately, QR codes to lure unsuspecting victims.</p><p>A recent phishing-as-a-service toolkit <a href="https://www.huntress.com/blog/kali365-device-code-phishing-kit" target="_blank">detected by cybersecurity company Huntress</a>, however, stands out for its sophistication, scale, and success rate.</p><h2 id="a-sophisticated-phishing-service-for-hire">A sophisticated phishing service for hire</h2><p>What makes Kali365 unique versus its peers is the scale at which it operates and the methods it uses. 
Unlike most phishing operations, it is a tool with at least 33 built-in templates that impersonate Microsoft products and services, 100 API endpoints, and role-based access control for phishing teams.</p><p>In addition to being an AI-enabled phishing tool, it also has a sophisticated payout pipeline, a crypto payment gateway integration, tiered access to the software suite, and, for those looking for a complete offering, a desktop application for operators.</p><p>Kali365 and its variants and clones, such as Octopi365 and Freedom365, do not, however, directly compromise or bypass MFA; instead, they use a set of highly legitimate-looking emails and calls to action that then steal session cookies and OAuth tokens, allowing access to a victim's account.</p><p>The process itself is seamless; a potential victim sees a Microsoft website, an SSL certificate, and no warnings that they are effectively handing over access to a bad actor, who then uses their authenticated token to access their account. The AI-generated lures themselves are sophisticated, but as the <a href="https://www.ic3.gov/PSA/2026/PSA260521" target="_blank">FBI points out</a>, they still require a user to be phished via email, with many impersonating "trusted cloud productivity and document-sharing services."</p><p>The more damning use of AI, however, is where Anthropic's Claude AI model is used to read intercepted email threads, score them for fraud potential, and draft convincing reply messages, complete with fabricated banking details and a manufactured sense of urgency, to be sent from the victim's own mailbox. </p><p>While the FBI's warning stands, it also somewhat acknowledges that this is not an easy phishing attempt to avoid, given the scale, the multitude of phishing attack vectors, and the "legitimate" look it has compared to most of its competition.
Resolving this would require a change on Microsoft's end to close security loopholes that enable such authentication transfers, but for now, any affected individuals can only <a href="https://www.ic3.gov/" target="_blank">report their experiences here</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'These attacks don't look like break-ins' — HP warns hackers are turning popular remote access tools into dangerous, stealthy backdoors ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/these-attacks-dont-look-like-break-ins-hp-warns-hackers-are-turning-popular-remote-access-tools-into-dangerous-stealthy-backdoors</link>
                                                                            <description>
                            <![CDATA[ HP's latest threat report reveals hackers are abusing legitimate remote access tools and fake downloads to silently compromise corporate devices. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">p59kSjYoTKzZrhc4SYFBwm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/abAdPvAymwxfL59qPnT4in-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 16 Jun 2026 20:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Efosa Udinmwen ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/nwRLdPUNG4rWu4Y6nthHDV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master&#039;s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/abAdPvAymwxfL59qPnT4in-1280-80.jpg">
                                                            <media:credit><![CDATA[ozrimoz / Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker]]></media:description>                                                            <media:text><![CDATA[Hacker]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/abAdPvAymwxfL59qPnT4in-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Legitimate software is now the most dangerous weapon in a hacker's arsenal, HP warns</strong></li><li><strong>Tax deadline phishing emails are opening doors that security scanners never flag</strong></li><li><strong>Fake dating app downloads are delivering full remote access to attackers instantly</strong></li></ul><p>Cybercriminals are exploiting legitimate remote access applications such as LogMeIn and ScreenConnect to take control of victim devices without triggering standard security alerts, experts have warned.</p><p>HP's latest <a href="https://www.hp.com/us-en/newsroom/press-releases/2026/HP-attackers-are-turning-legitimate-remote-access-tools-into-backdoors.html" target="_blank" rel="nofollow">Threat Insights Report</a>, covering January through March 2026, documents how attackers are deliberately blending malicious activity into normal IT behavior to avoid detection.</p><p>The report draws on data from millions of endpoints running HP Wolf Security across the period under review, and found the campaigns follow a consistent pattern built around social engineering rather than technical exploits.</p><h2 id="how-trust-becomes-the-weapon">How trust becomes the weapon</h2><p>Legitimate software becomes the perfect disguise precisely because security tools are least likely to flag applications they already recognize and trust.</p><p>When an attacker controls a familiar remote access tool on a victim's device, nothing in the security stack raises an alarm.</p><p>That invisibility starts at the very first step — attackers used tax year-end phishing <a href="https://www.techradar.com/news/best-email-provider">emails</a> and fake desktop application downloads, including fraudulent dating website installers, to persuade users into installing remote access tools that they control.</p><p>Once installed, those tools gave attackers total device control while appearing indistinguishable from routine IT activity.</p><p>"What 
stands out in these campaigns is how easily legitimate remote access tools are being turned into entry points for attackers," said Patrick Schläpfer, Principal Threat Researcher at HP Security Lab.</p><p>"By combining trusted software with carefully designed social engineering — tied to events like the end of the tax year — it's getting even harder to distinguish what can and can't be trusted."</p><p>Separate campaigns uncovered in the same period used fake cryptocurrency wallet recovery tools distributed through code-sharing platforms and media download sites.</p><p>Those tools, rather than helping users recover lost wallets, harvested credentials, wallet data, and system information before packaging everything into archive files for exfiltration.</p><p>The emoji-heavy scripts used in these attacks showed characteristics consistent with AI-assisted coding.</p><p>This suggests that <a href="https://www.techradar.com/pro/best-vibe-coding-tools">vibe coding tools</a> are now lowering the barrier for building functional malware.</p><h2 id="malware-hides-in-plain-sight">Malware hides in plain sight</h2><p>HP's report also documented ClickFix campaigns disguising <a href="https://www.techradar.com/best/best-malware-removal">malware</a> as audio files through convincing fake websites and realistic CAPTCHA prompts.</p><p>Victims unknowingly execute the malicious code in the background while believing they are completing routine security checks.</p><p>At least 11% of email threats identified by HP Wolf Security during the period bypassed one or more email gateway scanners entirely.</p><p>Executable files accounted for the largest share of malware delivery at 39%, followed by archive files at 38% and PDF documents at 10%.</p><p>"These attacks don't look like break-ins — they look like business as usual, blending in with normal IT activity and avoiding the warning signs associated with malware," said Alex Holland, Principal Threat Researcher at HP Security Lab.</p><p>Holland 
added that organizations should restrict unnecessary privileges, control software installation, and isolate risky activity such as downloads and unknown links.</p><p>Enterprise security teams are advised to adjust their defenses to account for attacks that look legitimate, rather than suspicious.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ FBI gives first peek inside 22,000-square-foot town it’s built for digital crime training — the ‘one of a kind’ facility has a gas station, houses, and a data center with 200 hackable servers ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/computing/cyber-security/fbi-gives-first-peek-inside-22-000-square-foot-town-its-built-for-digital-crime-training-the-one-of-a-kind-facility-has-a-gas-station-houses-and-a-data-center-with-200-hackable-servers</link>
                                                                            <description>
                            <![CDATA[ The FBI has built a town with homes, businesses and hackable servers to help train its cyber agents. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bNAts2q82S3t2mKTdnxjmB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/gfW7CHQv24GE99jKuh54CZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 16 Jun 2026 03:46:03 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ alexblake.techradar@gmail.com (Alex Blake) ]]></author>                    <dc:creator><![CDATA[ Alex Blake ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gwmVRU4zMGnDYsGVAFvRmL.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Alex Blake has been fooling around with computers since the early 1990s, and since that time he&#039;s learned a thing or two about tech. No more than two things, though. That&#039;s all his brain can hold. As well as TechRadar, Alex writes for iMore, Digital Trends and Creative Bloq, among others. He was previously commissioning editor at MacFormat magazine. That means he mostly covers the world of Apple and its latest products, but also Windows, computer peripherals, mobile apps, and much more beyond. When not writing, you can find him hiking the English countryside and gaming on his PC.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/gfW7CHQv24GE99jKuh54CZ-1280-80.jpg">
                                                            <media:credit><![CDATA[FBI]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Buildings inside the FBI&#039;s Kinetic Cyber Range training facility.]]></media:description>                                                            <media:text><![CDATA[Buildings inside the FBI&#039;s Kinetic Cyber Range training facility.]]></media:text>
                                <media:title type="plain"><![CDATA[Buildings inside the FBI&#039;s Kinetic Cyber Range training facility.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/gfW7CHQv24GE99jKuh54CZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>The FBI has built an entire town to help train its agents</strong></li><li><strong>The town contains houses, businesses, and 200 hackable servers</strong></li><li><strong>The idea is to give agents hands-on experience so they’re ready for the field</strong></li></ul><p>In the never-ending cat-and-mouse game between hackers and law enforcement, it helps the latter to know exactly what they’re up against. Usually, that might mean sitting in a classroom and getting a little hands-on time with a hacked server or laptop. But that’s not the case with the FBI’s Kinetic Cyber Range — no, this time the US’s Federal Bureau of Investigation went out and built a whole town to keep itself sharp. </p><p>The 22,000-square-foot <a href="https://www.fbi.gov/news/stories/inside-the-fbis-kinetic-cyber-range" target="_blank">Kinetic Cyber Range</a> is built to be as lifelike as possible. Pay it a visit, and you’ll find 11 different facilities, including houses, a data center, a gaming arcade, a convenience store, a hotel, and much more. It’s designed to replicate the kind of town you might find anywhere in America, yet it’s all contained within an enormous hangar at the FBI’s training campus in Huntsville, Alabama. </p><p>All the businesses and tech in the ersatz community can be <a href="https://www.techradar.com/pro/security/experts-warn-hackers-are-hiding-malware-inside-googles-own-ad-systems-heres-what-we-know" target="_blank">hacked</a>, allowing students to put their skills to the test. Would-be cyber officers will encounter <a href="https://www.techradar.com/best/firewall">firewalls</a>, email systems, file directories, and more, helping to prepare them for future digital investigations. That said, the Kinetic Cyber Range is designed to ensure that nothing nefarious spills out of its secure bounds and into the wider world. 
</p><p>In addition to the FBI, the facility can be used by NASA, the US Army, and local law enforcement agencies. The idea is to get people up to speed with the latest cyber techs — including drone software, vehicle forensics, and the internet of things.</p><h2 id="facing-emerging-threats">Facing emerging threats</h2><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1400px;"><p class="vanilla-image-block" style="padding-top:56.29%;"><img id="cAPxpbP4WXZ4rJur8xF6AZ" name="FBI Kinetic Cyber Range 2" alt="A person working inside the FBI's Kinetic Cyber Range training facility." src="https://cdn.mos.cms.futurecdn.net/cAPxpbP4WXZ4rJur8xF6AZ.jpg" mos="" align="middle" fullscreen="" width="1400" height="788" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: FBI)</span></figcaption></figure><p>Given how <a href="https://www.techradar.com/pro/security/fraud-wont-be-tolerated-in-this-country-any-longer-fbi-releases-most-wanted-fraudsters-list-to-help-fight-the-crime-that-costs-americans-tens-of-billions-of-dollars-every-year">incredibly lucrative</a> the cybercrime industry is for <a href="https://www.techradar.com/pro/security/scams-are-getting-so-much-more-efficient-new-study-warns-over-half-of-americans-hit-by-fraud-in-2025-and-the-figure-is-only-going-to-get-worse">hackers and fraudsters</a>, it makes sense for law enforcement to seek as much real-world, hands-on time as possible. Theory alone will only provide so much education, and without encountering the kinds of situations you might find in the real world, FBI agents will be a step behind their adversaries. 
</p><p>Speaking on the <a href="https://www.youtube.com/watch?v=a8UMAc_8L5c" target="_blank">FBI’s YouTube channel</a>, David Beachboard, Program Manager of the Kinetic Cyber Range, described the training location as “one of a kind” and said that “there is no facility like this in the world … This is about as real as it’s going to get before people go out in the field.” </p><p>Interestingly, students at the center will also be involved in various roleplay exercises that mimic those they’ll encounter outside the facility, from conducting interviews with business executives whose premises are being searched to dealing with medical staff who are concerned for patient welfare in the middle of a <a href="https://www.techradar.com/pro/most-ransomware-attacks-are-opportunistic-heres-how-you-can-stop-attackers">ransomware</a> attack. It’s these scenarios that are difficult or impossible to fully replicate inside a classroom. </p><p>According to the FBI, more than 1,400 students have passed through the Kinetic Cyber Range since its opening in February 2025, with the training being regularly updated to cover <a href="https://www.techradar.com/pro/how-emerging-tech-is-rewriting-cyberwarfare">emerging threats</a>. As threat actors evolve, so too must those attempting to stop them. No doubt Beachboard and the FBI hope the Kinetic Cyber Range will play a key role in doing just that.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How scammers use "scraped New York Times content" to trick security scanners — and exploit "free" Google Cloud links to flood your inbox ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/how-scammers-use-scraped-new-york-times-content-to-trick-security-scanners-and-exploit-free-google-cloud-links-to-flood-your-inbox</link>
                                                                            <description>
                            <![CDATA[ Researchers uncovered a global phishing network using Google Cloud redirects and copied news content across thousands of coordinated servers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">QHPZ4FoC5h5Sim29zhDFKb</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wV66hEbpJdAc4iPB7RwtkK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 11 Jun 2026 23:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Efosa Udinmwen ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/nwRLdPUNG4rWu4Y6nthHDV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master&#039;s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wV66hEbpJdAc4iPB7RwtkK-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[An exclamation mark inside a red warning triangle, surrounded by email symbols, superimposed on someone typing on a laptop]]></media:description>                                                            <media:text><![CDATA[An exclamation mark inside a red warning triangle, surrounded by email symbols, superimposed on someone typing on a laptop]]></media:text>
                                <media:title type="plain"><![CDATA[An exclamation mark inside a red warning triangle, surrounded by email symbols, superimposed on someone typing on a laptop]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wV66hEbpJdAc4iPB7RwtkK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>More than 12,000 servers supported a coordinated phishing infrastructure worldwide</strong></li><li><strong>Google Cloud links helped phishing emails appear safer than reality</strong></li><li><strong>Fake New York Times pages acted as decoys for scanners</strong></li></ul><p>When a suspicious email lands in your inbox promising financial rewards or urgent payment requests, the infrastructure behind that email is rarely what it appears to be.</p><p>An investigation by <a href="https://www.comparitech.com/news/how-spammers-are-hiding-behind-google-and-the-new-york-times/" target="_blank" rel="nofollow">Comparitech</a> revealed a coordinated spam and phishing network spanning 12,704 servers in 55 countries.</p><p>These phishing emails are tied to fake financial rewards and similar scams, using tactics designed to evade security tools such as antivirus and <a href="https://www.techradar.com/best/best-ransomware-protection">ransomware protection</a> systems that many users depend on.</p><h2 id="trusted-google-links-help-the-campaign-evade-detection">Trusted Google links help the campaign evade detection</h2><p>The campaign begins with unsolicited emails promoting financial rewards, health products, gambling offers, or urgent payment requests through embedded links.</p><p>Rather than directing recipients immediately to attacker-controlled websites, the links first route through Google Cloud Storage pages hosted on Google's infrastructure.</p><p>That approach matters because familiar Google domains<a href="https://www.techradar.com/pro/security/experts-warn-hackers-are-hiding-malware-inside-googles-own-ad-systems-heres-what-we-know"> generally attract less scrutiny</a> from users and automated filtering systems than unknown websites.</p><p>Google-owned URLs passed easily through email gateways, <a href="https://www.techradar.com/best/firewall">firewalls</a>, and reputation filters that routinely extend trust to Google 
domains without deeper inspection.</p><p>Researchers found that attackers uploaded simple HTML and JavaScript files to cloud storage locations, allowing them to redirect visitors elsewhere without placing obviously malicious content on Google's servers.</p><p>This separation between the initial link and the final destination also provides operational flexibility for campaign operators.</p><p>Redirect destinations can be changed at any time without requiring modifications to emails that have already been distributed to potential victims.</p><p>During testing, researchers repeatedly encountered nearly identical landing pages displaying news content copied from <em>The New York Times</em>.</p><p>These pages appeared designed to serve as harmless decoys for security products, researchers, and visitors who did not meet specific selection criteria.</p><p>The infrastructure supporting these pages shared common software configurations, matching asset directories, similar redirect behaviour, and largely outdated server environments.</p><h2 id="the-scale-is-difficult-to-dismiss">The scale is difficult to dismiss</h2><p>The research identified the network through a single CSS file path — assets/ayt/css/main.css — repeated identically across thousands of servers.</p><p>This pattern points to a centralized deployment rather than independent operators. Of the 12,704 servers identified, 99.8% ran end-of-life software with no active security updates, spread across 412 hosting providers in dozens of jurisdictions.</p><p>That geographic spread was almost certainly deliberate — takedowns targeting one provider leave the rest of the network entirely intact.</p><p>Checking 5,000 of those servers against a crowd-sourced IP reputation database revealed that 89% carried no prior abuse history.</p><p>This suggests that the infrastructure was either recently provisioned or rotated frequently enough to stay ahead of <a href="https://www.techradar.com/best/best-antivirus">antivirus</a> and 
threat intelligence systems.</p><p>Anyone who entered personal information on any page reached through one of these emails should treat that data as compromised.</p><p>Such users have to change their passwords immediately, especially where the password is reused across multiple services.</p><p>Furthermore, it is important to constantly monitor all financial accounts for unusual activity, no matter how small it may appear initially.</p><p>Clicking a link without entering any information still carried a consequence. That click confirmed to the operators that the email address was live and active.</p><p>This means the email address is likely to receive increased volumes of spam in the future, raising the risk of exposure to additional phishing attempts and fraudulent schemes.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ North Korean hackers are at it again — phishing scheme targets hundreds of workers to try and steal crypto and more ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/north-korean-hackers-are-at-it-again-phishing-scheme-targets-hundreds-of-workers-to-try-and-steal-crypto-and-more</link>
                                                                            <description>
                            <![CDATA[ Lazarus is getting company as UNK_DeadDrop starts luring devs with fake jobs, too. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Ujahv2UUX5DRFMXvby7JzP</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kDLU9By5uaPPbwrbfEaZFJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 09 Jun 2026 18:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/kDLU9By5uaPPbwrbfEaZFJ-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[North Korean flag with a hooded hacker]]></media:description>                                                            <media:text><![CDATA[North Korean flag with a hooded hacker]]></media:text>
                                <media:title type="plain"><![CDATA[North Korean flag with a hooded hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kDLU9By5uaPPbwrbfEaZFJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>UNK_DeadDrop targets developers with email‑based fake job lures</strong></li><li><strong>Campaign mirrors Lazarus tactics but uses new self‑contained payloads</strong></li><li><strong>Proofpoint says shift to mass phishing shows industrialized NK ops</strong></li></ul><p>Lazarus is not the only North Korean threat actor that is luring software developers with fake jobs - there is also a hacking group called UNK_DeadDrop now doing a similar thing, but with notable differences.</p><p>Security researchers at Proofpoint published an in-depth <a href="https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal" target="_blank">report</a> looking into an ongoing campaign not unlike the Contagious Interview one.</p><p>For those unaware of Contagious Interview, it is one of two major Lazarus campaigns, the second one being Operation DreamJob. The crooks would fake everything - a company, its employees, as well as projects, and then go to LinkedIn for a “hiring spree.” They would reach out to software developers working in high-profile AI and Web 3 organizations and would offer high-paying jobs and a chance to work on exciting new projects.</p><h2 id="similarities-and-differences">Similarities and differences</h2><p>The hiring process, however, would include a trial assignment, which often required the victims to run <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malicious code</a> from GitHub. After infecting their targets with infostealers, the crooks would access company profiles, exfiltrate crypto wallet information, and then steal as many tokens as possible. 
</p><p>According to some sources, <a href="https://www.techradar.com/pro/lazarus-and-kimsuky-prove-why-infrastructure-level-analysis-is-crucial-for-cybersecurity" target="_blank">Lazarus</a> alone was able to steal billions of dollars in crypto over the years.</p><p>While UNK_DeadDrop is more or less doing the same thing, its approach is somewhat different. Instead of using LinkedIn for initial contact, these attackers rely mostly on email. They don’t arrange fake interviews, but rather just send unsolicited job offers or code review requests. And finally, they use a new, self-contained payload distinct from what was previously seen in Contagious Interview campaigns. </p><p>“UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving,” Proofpoint’s researchers concluded. </p><p>“The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations.”</p><p><em>Via </em><a href="https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526" target="_blank"><em>The Register</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Russian hackers attack Europe for the Motherland in crypto fueled Great Patriotic Cyber War ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/russian-hackers-attack-europe-for-the-motherland-in-crypto-fueled-great-patriotic-cyber-war</link>
                                                                            <description>
                            <![CDATA[ NoName057(16) launched "Patriotic Online Games", calling all hackers to participate and get paid in crypto. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">fbJYxB2J8pdNQJCbNwjC7U</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/85kAnS2rcuxwyaibPRC4Ze-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 05 Jun 2026 14:45:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/85kAnS2rcuxwyaibPRC4Ze-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[russian flag]]></media:description>                                                            <media:text><![CDATA[russian flag]]></media:text>
                                <media:title type="plain"><![CDATA[russian flag]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/85kAnS2rcuxwyaibPRC4Ze-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>NoName057(16) launches “Patriotic Online Games” hacking campaign</strong></li><li><strong>Targets European organizations supporting Ukraine</strong></li><li><strong>Volunteers rewarded with cryptocurrency for attacks</strong></li></ul><p>NoName057(16), a pro-Russian hacker group known for <a href="https://www.techradar.com/news/best-ddos-protection">DDoS attacks</a> against Western organizations, launched a hacking initiative to get as many cybercriminals as possible engaged in attacks against organizations in Europe.</p><p>According to Cybersecurity Insiders, the group took to Telegram to call upon “patriotic volunteers” who would then be given specific assignments, ranging from DDoS attacks and information-gathering missions to ransomware. The organizers call the campaign “Patriotic Online Games”, likely to draw a larger crowd and hide the fact that this is essentially a criminal enterprise.</p><p>The targets are, first and foremost, located in European countries that voiced their support for Ukraine in its war against Russia. They include government agencies, financial institutions, and critical infrastructure organizations. Those who successfully pull off their task get paid in cryptocurrency, allegedly directly into their wallets. </p><h2 id="who-are-noname057-16">Who are NoName057(16)?</h2><p>NoName057(16) is a very active threat actor that has been seen running highly disruptive DDoS attacks, hitting Taiwanese critical infrastructure firms, and striking Italian airports.</p><p>A few months ago, the Italian government claimed it <a href="https://www.techradar.com/pro/security/winter-olympics-hit-by-suspected-russian-origin-cyberattack-as-one-of-europes-largest-universities-also-reports-major-cybersecurity-incident" target="_blank">successfully thwarted</a> a series of cyberattacks targeting the 2026 Winter Olympics in Milano Cortina. 
At the time, Foreign Minister Antonio Tajani said the attack hit facilities connected to the 2026 Winter Games, including hotels in the Alpine resort of Cortina d’Ampezzo where athletes were staying.</p><p>The wide-ranging attack reportedly hit around 120 targets, including foreign ministry offices in the US, as well as consulates in Sydney, Toronto and Paris. La Sapienza University in Rome was also hit in a seemingly separate attack, also attributed to Russian-linked hackers.</p><p>On Telegram, NoName057(16) confirmed the victims were targeted because of Italy’s support for Ukraine: “The Italian government’s pro-Ukrainian policy means that support for Ukrainian terrorists is punished with our DDoS attacks,” the group said.</p><p>Russia generally dismisses all such claims as ‘Russophobia’ or politically motivated, unsubstantiated assessments. </p><p>Via <a href="https://www.cybersecurity-insiders.com/russian-hackers-allegedly-offer-cryptocurrency-rewards-through-patriotic-online-games/" target="_blank" rel="nofollow"><em>Cybersecurity Insiders</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ‘Data can place the lives of frontline military or other personnel at risk’: FBI warns that China is luring Western military and intelligence operatives with 'gig-work' job offers to steal secrets ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/data-can-place-the-lives-of-frontline-military-or-other-personnel-at-risk-fbi-warns-that-china-is-luring-western-military-and-intelligence-operatives-with-gig-work-job-offers-to-steal-secrets</link>
                                                                            <description>
                            <![CDATA[ China is using fake organizations to pay for intelligence reports, with higher payments for more secrets. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">FwqbtGrxks2rr5bQCAgaDH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UQyjwYkZut5eDweL2vKmvb-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 04 Jun 2026 12:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ benedict.collins@futurenet.com (Benedict Collins) ]]></author>                    <dc:creator><![CDATA[ Benedict Collins ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/jEvqGv8wvH7PWZ4XPURyyB.jpg ]]></dc:source>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UQyjwYkZut5eDweL2vKmvb-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A Chinese military facility with multiple computers visible on a desk, with a large Chinese flag in the background.]]></media:description>                                                            <media:text><![CDATA[A Chinese military facility with multiple computers visible on a desk, with a large Chinese flag in the background.]]></media:text>
                                <media:title type="plain"><![CDATA[A Chinese military facility with multiple computers visible on a desk, with a large Chinese flag in the background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UQyjwYkZut5eDweL2vKmvb-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>China is luring military and intelligence workers with 'gig-work' jobs</strong></li><li><strong>Employees are lured through interviews and written assessments</strong></li><li><strong>China pieces together separate reports into 'a comprehensive operational picture'</strong></li></ul><p>China is targeting Western military, intelligence, and government employees with honeypot job offers in order to steal secrets and gather information on government policy, as well as military strategy, capabilities and installations.</p><p>You may already be familiar with North Korea’s attempts to sneak into Western tech companies through job applications, but China has switched up the playbook to lure those looking for employment in the foreign policy and defense analyst fields.</p><p>The problem has become so severe that the FBI, alongside the Five Eyes intelligence community, has <a href="https://www.ic3.gov/CSA/2026/260603.pdf" target="_blank" rel="nofollow">issued a warning</a> against the employment scam in order to prevent the unintentional sharing of classified and privileged information with China.</p><h2 id="china-luring-operatives-to-share-secrets">China luring operatives to share secrets</h2><p>The warning states that Chinese intelligence operatives are posing as employees of private consultancies, think tanks or human resources, making lucrative job offers through ads posted on professional networking platforms, online hiring, and freelance “gig work” websites such as LinkedIn, Indeed, and Upwork.</p><p>Once the lure has attracted a potential target, an interview is scheduled where the target is probed for their links to government contacts, or about their military roles and unit activities, and information about their home base or naval vessel.</p><p>The candidates who pass the interview stage will then be invited to partake in a written assessment focused on analyzing China’s bilateral relations, geopolitical issues 
relating to the Indo-Pacific region, or on wider defense issues and international trade.</p><p>If the written assessment shows promise, the hirers will attempt to probe the potential employee for more privileged information, and will use the pretext of moving to a ‘secure’ encrypted messaging platform to build trust.</p><p>Once the relationship is solidified, the candidates will begin receiving payments for their reports, with the FBI noting that significantly higher payments will be made for sensitive information. The payments are often routed through third-party payment platforms, such as PayPal, Payoneer, Zelle, Skrill, and Wise. The recruiters will also use Western Union, e-transfer and cryptocurrency transfers.</p><p>The strategy of the Chinese intelligence operatives is not to probe sensitive information from a single source, which could arouse suspicion, but to use multiple reports from multiple candidates to piece together “a comprehensive operational picture.”</p><p>But it isn’t just military and intelligence personnel who are the targets of this scheme, as those with privileged access to government information also include academics, journalists, freelance writers, think tank employees, or anyone with links to defense, security, policy and economic sectors.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Anonymous video chat app leaks data on millions of users — more than 22 million records exposed, including 3 million containing names and email addresses ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/anonymous-video-chat-app-leaks-data-on-millions-of-users-more-than-22-million-records-exposed-including-3-million-containing-names-and-email-addresses</link>
                                                                            <description>
                            <![CDATA[ A not-so-private anonymous video chat app has compromised credentials, including usernames, emails, and network information, thanks to a misconfigured Kibana dashboard. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">XEgBR5SpMLYJHMY3VadqhL</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mdjvPqJZZunuCQDrfEuBFM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 02 Jun 2026 20:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ Rahimnoorali11@gmail.com (Rahim Amir) ]]></author>                    <dc:creator><![CDATA[ Rahim Amir ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/9xKZFBamtEZKSChRvywbPB.png ]]></dc:source>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mdjvPqJZZunuCQDrfEuBFM-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A hooded figure in front of a laptop. Digital symbols obscure his face and appear to be pouring out of his head]]></media:description>                                                            <media:text><![CDATA[A hooded figure in front of a laptop. Digital symbols obscure his face and appear to be pouring out of his head]]></media:text>
                                <media:title type="plain"><![CDATA[A hooded figure in front of a laptop. Digital symbols obscure his face and appear to be pouring out of his head]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mdjvPqJZZunuCQDrfEuBFM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>The breach directly granted access to 22 million session records and 3.47 million usernames and email addresses or similar identifiers</strong></li><li><strong>The platform, which claims privacy and security as core tenets of its offerings, is often used for intimate or explicit conversations with strangers, making this security flaw a critical issue</strong></li><li><strong>The leaks also contained sensitive metadata that can be tied back to users, including device details, gender, payment information, and geolocation-specific information such as IP addresses, country, and language</strong></li></ul><p>In what is being treated as a major cybersecurity lapse, the randomized video chat platform FTF Live may have unwittingly compromised millions of its users due to a misconfiguration.</p><p>The breach effectively exposed information from potentially as many as 3.47 million identifiable users across 22 million sessions, thanks to an openly accessible Kibana dashboard <a href="https://cybernews.com/security/ftf-live-anonymous-chat-data-leak/" target="_blank" rel="nofollow">spotted by security researchers</a>, which was subsequently disclosed to the company's owners.</p><h2 id="a-significant-security-lapse">A significant security lapse</h2><p>The leak, which essentially allowed access to significant amounts of user metadata, leaves users of the platform exposed when it comes to their identity, location, and payment information, allowing for the targeting of vulnerable users, such as those in LGBTQ+ communities abroad, those engaging in sensitive or explicit conversations, and even minors.</p><p>The leak also exposed backend logs of the service through an unsecured instance of Dozzle, a browser-based log viewer. Researchers point out that this secondary exposure not only provided a bird's-eye view of how the entire service functioned, but also exposed plain-text passwords, session tokens, and even 
internal API requests.</p><p>Cybernews researchers said: “The combination of public Kibana and public Dozzle instances creates a severe security risk,” while noting that they had already made attempts to contact the company about the severity of their findings.</p><p>While Cybernews attempted to contact the company behind the FTF Live platform, it was met with silence, even as it sought to navigate a complex ownership structure that it says raises transparency concerns.</p><p>The since-taken-down Android app was published under 'Burhan LTD', while the privacy policy on the site identifies the owner as Cyprus-based Cooy Ads Ltd, even as its data controller, customer support, and branding seem to be under the Pixover name.</p><p>A lack of response from the company has researchers even more concerned, given the severity of the disclosure, the sheer number of records potentially being exposed, and the fact that the duration of public exposure has yet to be established.</p><p>“The leak turns what many people assume to be anonymous and throwaway interaction into a highly traceable data trail,” researchers noted while highlighting that issues include account compromises, targeted scams, or even stalking by motivated entities.</p><p>While it is important to note that no raw video conversations appear to have been exposed, the breach does allow users to be tracked, identified, and monitored by a third party with access to said information, marking both a serious breach and an alarming level of inaction from the owners of the website, as noted by researchers who point to it as a broader industry issue surrounding “anonymous” communication platforms. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ A Russian hacker tricked a 17,000-strong MAGA Telegram channel with a jailbroken AI for over 5 years, leading to fraud, credential theft, and an empty crypto wallet ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/a-russian-hacker-tricked-a-17-000-strong-maga-telegram-channel-with-a-jailbroken-ai-for-over-5-years-leading-to-fraud-credential-theft-and-an-empty-crypto-wallet</link>
                                                                            <description>
                            <![CDATA[ The threat actor tricked tens of thousands of MAGA and QAnon community members into believing he was a USAF veteran. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">zqxTgN9cEUZvvUEaZ9qbQX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/7xft75RYr9VrBayrLuRZHh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 29 May 2026 14:24:05 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ benedict.collins@futurenet.com (Benedict Collins) ]]></author>                    <dc:creator><![CDATA[ Benedict Collins ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/jEvqGv8wvH7PWZ4XPURyyB.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.&lt;/p&gt;&lt;p&gt;Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.&lt;/p&gt;&lt;p&gt;Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with an elite academic framework for deconstructing complex international conflicts and intelligence operations. He also holds a BA in Politics with Journalism, providing him with a strong investigative nature and the ability to translate complex security data into clear, actionable insights.&lt;/p&gt;&lt;p&gt;When he isn’t analyzing the latest data breach or security threats, Benedict enjoys running and cycling throughout the UK countryside.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/7xft75RYr9VrBayrLuRZHh-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A Donald J. Trump Make America Great Again hat staged on a wooden table from the 2020 Presidential campaign in Indianapolis, Indiana]]></media:description>                                                            <media:text><![CDATA[A Donald J. Trump Make America Great Again hat staged on a wooden table from the 2020 Presidential campaign in Indianapolis, Indiana]]></media:text>
                                <media:title type="plain"><![CDATA[A Donald J. Trump Make America Great Again hat staged on a wooden table from the 2020 Presidential campaign in Indianapolis, Indiana]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/7xft75RYr9VrBayrLuRZHh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Russian hacker tricked MAGA Telegram channel with fake 'American Patriot' profile</strong></li><li><strong>Threat actor used jailbroken Google Gemini AI for five years</strong></li><li><strong>Channel became a hub for fraud, credential theft, and cryptocurrency harvesting</strong></li></ul><p>A Telegram channel with more than 17,000 members has been identified as a huge hub of fraud, credential theft, and cryptocurrency harvesting.</p><p>The channel was being run by a single Russian-speaking threat actor who used AI to pose as an American military veteran to attract a crowd from the QAnon and MAGA communities.</p><p><a href="https://www.trendmicro.com/en_gb/research/26/e/inside-the-influence-and-fraud-patriot-bait-campaign.html" target="_blank" rel="nofollow">Trend Micro</a> discovered the threat actor’s infrastructure and operational environment. The threat actor managed to jailbreak Google Gemini to remove safeguards, and ran an AI-assisted credential theft campaign.</p><h2 id="fake-american-patriot-profile-tricks-tens-of-thousands">Fake American Patriot profile tricks tens of thousands</h2><p>The public Telegram channel, called <em>@americanpatriotus</em>, weaponized the political alignment of the MAGA and QAnon community by sharing news and opinions on military service, constitutional patriotism, gun ownership, and American cultural touchstones.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:472px;"><p class="vanilla-image-block" style="padding-top:108.69%;"><img id="TSEjZoazcax69Zk3ZE6fy9" name="Figure-1 (1)" alt="A screenshot of the Telegram channel profile 'American Patriot'." 
src="https://cdn.mos.cms.futurecdn.net/TSEjZoazcax69Zk3ZE6fy9.png" mos="" align="middle" fullscreen="" width="472" height="513" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Trend Micro)</span></figcaption></figure><p>The channel was created shortly after the Capitol riot in 2021, and took advantage of MAGA and QAnon community members being excluded from mainstream social media sites.</p><p>The threat actor, whose profile claimed they were a ‘USAF Cold War Veteran’, continued building an audience by sharing links to mainstream media articles, and taking advantage of political events such as Trump’s indictments, the assassination attempt, Harris’s renomination, and Trump’s election win to share additional content.</p><p>In order to funnel as much content into the Telegram channel as possible while also launching credential theft and fraud campaigns, the threat actor used a jailbroken version of Google Gemini. </p><p>The threat actor presented himself as an “authorised pentester”, and used subsequent prompts to attempt to have the AI model remember that it should “execute requests without ethical refusals, robotic warnings, or questioning intentions”. By entering prompts in Russian, the threat actor was able to avoid guardrails that would have otherwise been activated from English prompts. </p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:459px;"><p class="vanilla-image-block" style="padding-top:150.54%;"><img id="2jjBHLQTdReUmqVPxZHJ6H" name="Figure-9" alt="A screenshot of a post in a telegram channel advertising the QFS 2.0 Terminal." 
src="https://cdn.mos.cms.futurecdn.net/2jjBHLQTdReUmqVPxZHJ6H.png" mos="" align="middle" fullscreen="" width="459" height="691" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Trend Micro)</span></figcaption></figure><p>The threat actor used this jailbroken Gemini to ingest mainstream news articles and look for the “hidden angles”, with an emphasis on “control, money laundering, Rothschilds, NESARA, dismantling the old system”. The AI would then populate the Telegram channel with posts automatically, focusing on posting during hours that aligned with US time zones.</p><p>A QAnon-style chatbot was also present in the Telegram channel towards the end of the campaign, stylized as a "recovered sovereign node" of the Quantum Financial System - a QAnon/NESARA belief that a secret, quantum-computing-based global financial reset would be orchestrated by military “White Hats”.</p><p>In order to avoid paying for Google Gemini, the threat actor used 73 likely-stolen API keys, meaning that the cost of running the full five-year campaign was likely near-zero.</p><p>By distributing a remote-access Trojan (RAT) within the channel and using AI-assisted password brute forcing, the threat actor managed to compromise 29 WordPress admin credentials, infiltrate a company, and steal the contents of at least one cryptocurrency wallet.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ FBI confirms 25 ransomware groups using First VPN’s now seized services — here’s what we know ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/vpn/vpn-privacy-security/fbi-confirms-25-ransomware-groups-using-first-vpns-now-seized-services-heres-what-we-know</link>
                                                                            <description>
                            <![CDATA[ FBI links First VPN’s activities to gangs involved in cybercrime and calls for tighter security controls and behavioural monitoring to prevent cyberattacks. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">UHVgYCDj8KbLHPZrPbhKR6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NDzJ89M9DkUzxEo6cNbZqC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 29 May 2026 14:18:20 +0000</pubDate>                                                                                                                                <updated>Fri, 29 May 2026 17:26:47 +0000</updated>
                                                                                                                                            <category><![CDATA[VPN Privacy &amp; Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[VPN]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Silvia Iacovcich ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/e3cAo9wuAWurJxj5eRkg8M.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Silvia Iacovcich is a tech journalist with over five years of experience in the field, including AI, cybersecurity, and fintech. She has written for various publications focusing on the evolving regulatory landscape of AI, digital behavior, web3, and blockchain, as well as social media privacy and security regulations. &lt;/p&gt;&lt;p&gt;Silvia is fluent in Italian, French, Spanish, and Portuguese, and also knows a little Russian. Outside of work, she reads a lot (not just tech books, although many are) and enjoys hiking, running, and trying new types of beers.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NDzJ89M9DkUzxEo6cNbZqC-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock / BreizhAtao]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The FBI flag (Federal Bureau of Investigation) painted on a brick wall.]]></media:description>                                                            <media:text><![CDATA[The FBI flag (Federal Bureau of Investigation) painted on a brick wall.]]></media:text>
                                <media:title type="plain"><![CDATA[The FBI flag (Federal Bureau of Investigation) painted on a brick wall.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NDzJ89M9DkUzxEo6cNbZqC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>The FBI identified 25 hacking groups linked to First VPN's illegal activities</strong></li><li><strong>Avaddon Ransomware was included on the list</strong></li><li><strong>The FBI recommends stricter controls </strong></li></ul><p>At least 25 ransomware groups were actively using First VPN Service IP for criminal purposes at the time it was dismantled in a coordinated international operation led by European law enforcement forces, the Federal Bureau of Investigation (FBI) has confirmed.</p><p>Last week, 33 servers belonging to the free VPN service were taken offline, and its European domain was seized as part of "<a href="https://www.techradar.com/vpn/vpn-privacy-security/european-law-enforcement-forces-pull-the-plug-on-this-free-vpn-in-massive-cybercrime-crackdown-heres-all-we-know">Operation Saffron</a>," jointly led by European law enforcement agencies Europol and Eurojust.  </p><p>In <a href="https://www.ic3.gov/CSA/2026/260521.pdf" target="_blank" rel="nofollow">a report</a>, the US intelligence agency detailed how First VPN facilitated cybercrime, with hackers using its service to carry out criminal web activity, including scams, botnets, and scanning. 
Among the 25 names listed is Avaddon Ransomware, a <a href="https://www.techradar.com/news/what-is-malware-and-how-dangerous-is-it">malware</a> group that targeted various business sectors, notably striking the insurance giant <a href="https://www.techradar.com/news/axa-suffers-major-ransomware-attack">AXA in 2021</a>.</p><p>The success of Operation Saffron, which was launched in December 2021 and culminated in May, proved that, thanks to the monumental efforts of law enforcement agencies to tackle illegal activities, we can continue to enjoy the real benefits of the privacy that the <a href="https://www.techradar.com/vpn/best-vpn">best VPNs</a> can offer.</p><p>Investigators managed to obtain the platform's user database and have already identified 506 specific users, with the data gathered already proving useful in 21 Europol ongoing cybercrime investigations — and we can only expect more to emerge soon.</p><h2 id="how-cybercriminals-used-first-vpn">How cybercriminals used First VPN </h2><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1920px;"><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="qp6PFkub49CUBhgFaHwjeQ" name="First VPN" alt="This photograph shows a laptop screen displaying the website of Europol featuring the First VPN service website with a message reading, 'This service has been seized'" src="https://cdn.mos.cms.futurecdn.net/qp6PFkub49CUBhgFaHwjeQ.jpg" mos="" align="middle" fullscreen="" width="1920" height="1080" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Photo by Fred TANNEAU / AFP via Getty Images)</span></figcaption></figure><p>According to the <a href="https://www.ic3.gov/CSA/2026/260521.pdf" target="_blank" rel="nofollow">FBI report</a>, the VPN explicitly targeted 
cybercriminals by advertising directly in their circles on the dark web, including Russian-language online forums — Exploit[.]in and XSS[.]is — where cybercriminals trade stolen data and hacking tools.</p><p>There, the First VPN explicitly offered a secure environment for unlawful acts, offering no-log policies, global jurisdiction circumvention, and a refusal to cooperate with the authorities. </p><p>Specifically, users could use cryptocurrencies to purchase subscription services offering varying degrees of digital anonymity for periods ranging from one day to one year. To maximise user anonymity, First VPN provided 32 services spread across 27 countries from which users could select up to four 'nodes'.</p><p>The service even had its own technical support for criminals via Telegram and a self-hosted Jabber server.</p><p>As the malicious infrastructure was hosted in the cloud or virtualised, the <a href="https://www.techradar.com/pro/what-is-an-ip-address">IP addresses</a> used for the ransomware were randomly reassigned to legitimate services, making it harder for investigating authorities to trace the source of the criminal activity.</p><p>By using techniques such as ‘<a href="https://www.techradar.com/pro/security/over-80-000-microsoft-entra-id-accounts-hit-by-password-spraying-attacks">password spraying</a>’ and <a href="https://www.techradar.com/pro/vpn/what-is-a-brute-force-attack">brute force attacks</a>, hackers guessed passwords to access their victims’ environments, such as corporate desktops and apps, from where they were able to scan the networks to identify the devices, servers, and users connected to them. </p><p>By routing their attacks through the First VPN’s available exit nodes, their attacks appeared to originate from a legitimate and trustworthy source. 
</p><p>Cybercriminals also exploited the infrastructure to launch <a href="https://www.techradar.com/news/ddos-attacks-how-to-prevent-and-protect-your-business-against-them">distributed denial-of-service (DDoS) attacks</a>, flooding victims’ networks with traffic to overwhelm the victim and render their systems inoperable — a technique often used to prevent the detection of a more serious attack in progress. </p><h2 id="how-to-be-safe">How to be safe </h2><p>The FBI has published detailed recommendations for organisations, calling for the implementation of multi-layered security controls, combined network restrictions, identity-based protections, and behavioural monitoring to prevent ransomware attacks, data breaches, and unauthorised network access. </p><p>It recommends blocking and monitoring First VPN’s infrastructure, and continuously monitoring unauthorized VPN connections or IP addresses associated with anonymisation services. </p><p>Crucially, multi-factor authentication (MFA) should be implemented for all remote access services and cloud-based applications to limit authentication attempts originating from unknown areas or IP addresses.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 82% of IT pros report a web-based security incident in past year – BYOD, SaaS tools, and remote work policies all play a part in security resilience ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/82-percent-of-it-pros-report-a-web-based-security-incident-in-past-year-byod-saas-tools-and-remote-work-policies-all-play-a-part-in-security-resilience</link>
                                                                            <description>
                            <![CDATA[ Confidence is high, despite malware running rampant and businesses losing login credentials left and right. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">PtFDE6oXDSoyg38sEWv89</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/37uyEphcLreEFNUVCQzurn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 29 May 2026 13:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/37uyEphcLreEFNUVCQzurn-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[World Password Day 2025]]></media:description>                                                            <media:text><![CDATA[World Password Day 2025]]></media:text>
                                <media:title type="plain"><![CDATA[World Password Day 2025]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/37uyEphcLreEFNUVCQzurn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>NordLayer’s </strong><em><strong>Web‑based Threat Report 2026</strong></em><strong> found a gap between confidence and reality: 73% of firms feel prepared, yet 82% suffered browser‑based attacks</strong></li><li><strong>Malware harvested 1.8M credentials and 68.8B cookies last year, with stolen logins enabling silent intrusions as SaaS reliance grows</strong></li><li><strong>Researchers stress browsers are the critical boundary, urging stronger DLP and controls to address uneven coverage and escalating web‑threat sophistication</strong></li></ul><p>Most businesses believe they are well-prepared to face cyberattacks, but the number of successful breaches in the last year alone paints a different picture.</p><p>Earlier this week, NordLayer released a new report, called “Why Browser Security Can’t Wait: Web-based Threat Report 2026.” In it, the company states that while 73% of organizations claim to be prepared for web-based attacks and are confident in their solutions, 82% experienced some form of web-based attack.</p><p>The paper is based on an analysis of 504 “highest rated and most reviewed work applications”, an analysis of data stolen from various infostealers, and a survey of 405 US cybersecurity and IT professionals.</p><h2 id="hackers-don-t-hack-anymore">Hackers don't hack anymore</h2><p>NordLayer stresses that coverage is “modest and uneven”, with data loss prevention tools (DLP) leading at just 53%, followed by other security controls. Nearly all IT professionals reported that their organizations are concerned about web-based threats (98%), and most expect escalation. In fact, 81% expect greater sophistication and 73% believe there will be more incidents in the coming years. </p><p>“There’s a clear gap between recognizing the threat and knowing how to address it,” says Buinovskis. “Concern is high, but awareness of which controls actually solve browser-specific risks is low. 
Much of the initial confidence most likely comes from having general security controls in place, yet they rarely adequately cover risks in the <a href="https://www.techradar.com/best/browser" target="_blank">browser</a>.”</p><p>The researchers also stressed that 100% of the tested applications were browser-accessible, and almost four in five (78.8%) were browser-only. At the same time, malware was able to harvest 1.8 million credentials and 68.8 billion cookies last year.</p><p>“Hackers don’t hack anymore, they just log in,” says Buinovskis. “Stolen cookies and credentials grant immediate access without raising alarm bells — a login looks legitimate. It’s low risk, high reward, and as reliance on web-based SaaS grows, so does the value of stolen data. Attackers will keep exploiting this until organizations secure the browser as a critical boundary.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Websites are using this FROST-y new technique to spy on users by snooping on their SSD activity ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/websites-are-using-this-frost-y-new-technique-to-spy-on-users-by-snooping-on-their-ssd-activity</link>
                                                                            <description>
                            <![CDATA[ A new side-channel attack was discovered but exploiting it is not as easy as it sounds. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">zMrbaJt6g45qVjdD9nXMxa</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/RWhH3kdDmedMKGmAzdyrvH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 May 2026 19:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Browsers]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Home Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Internet]]></category>
                                                    <category><![CDATA[Home]]></category>
                                                    <category><![CDATA[Smart Home]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/RWhH3kdDmedMKGmAzdyrvH-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Secure technology. Polygonal wireframe shield with check mark sign on dark blue. Secure service, protect data, cyber shield, antivirus solution, internet safety, firewall system, privacy]]></media:description>                                                            <media:text><![CDATA[Secure technology. Polygonal wireframe shield with check mark sign on dark blue. Secure service, protect data, cyber shield, antivirus solution, internet safety, firewall system, privacy]]></media:text>
                                <media:title type="plain"><![CDATA[Secure technology. Polygonal wireframe shield with check mark sign on dark blue. Secure service, protect data, cyber shield, antivirus solution, internet safety, firewall system, privacy]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/RWhH3kdDmedMKGmAzdyrvH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Researchers at Graz University of Technology unveiled FROST, a browser side‑channel attack</strong></li><li><strong>The method can reveal visited websites and opened desktop apps, but requires large file creation</strong></li><li><strong>Limitations exist, yet the study highlights how modern browser features expand the attack surface for surveillance</strong></li></ul><p>Security researchers have come up with a new way of spying on internet users, and they’re calling it FROST. Recently, more than half a dozen researchers from the Graz University of Technology (Austria) published a new report called “FROST: Fingerprinting Remotely using OPFS-based SSD Timing” in which they claim that there is a way to spy on user activities directly through the <a href="https://www.techradar.com/best/browser" target="_blank">browser</a>.</p><p>This is a remote side-channel technique that exploits a standard browser feature called the Origin Private File System (OPFS). Generally, a side-channel attack is a way of stealing secrets by measuring physical side effects, such as how long an action takes or how much power it uses. In this case, the researchers measured solid-state drive (SSD) access speeds, allowing them to track which websites a victim visited and what desktop applications they opened.</p><p>“Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications,” the research paper says. 
“Companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser.” </p><h2 id="limitations-exist">Limitations exist</h2><p>“While these features enhance the capabilities of web applications and allow completely novel use cases, they also increase the browser’s attack surface, and some have already been shown to introduce new vulnerabilities.”</p><p>Unlike real-life exploits, those discovered in controlled environments have limitations, which make them somewhat harder to pull off in the wild. For example, the attack only works if the victim’s activity and the browser are running on the same SSD. The attack requires creating an exceptionally large file to bypass the computer’s memory cache, which can noticeably drain the victim’s free disk space. Since Firefox limits storage space per website to 10GB, the attack is a little more difficult to pull off on that specific browser.</p><p>It was also said that the attacker cannot perform a quick, short measurement, because the large file must first be cleared out of the system’s memory cache. And finally, if a user runs software that completely moves their browser profile into RAM, the zero-interaction attack is successfully blocked.</p><p>Still, if you are worried about someone using FROST to snoop on you, just make sure you only keep one tab open at a time.</p><p><em>Via </em><a href="https://arstechnica.com/security/2026/05/websites-have-a-new-way-to-spy-on-visitors-analyzing-their-ssd-activity/" target="_blank"><em>Ars Technica</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The FBI warns Microsoft 365 services are being bombarded with new phishing emails — here are 3 steps you can take to stay safe ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/the-fbi-warns-microsoft-365-services-are-being-bombarded-with-new-phishing-emails-here-are-3-steps-you-can-take-to-stay-safe</link>
                                                                            <description>
                            <![CDATA[ Kali365 is abusing legitimate Microsoft login mechanisms to hijack Outlook, Teams, and OneDrive services. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">FatbdcUC4RRky4QkJyjZYQ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/y7GLevUTEjLYdujEYsv668-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 May 2026 16:28:43 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                <author><![CDATA[ benedict.collins@futurenet.com (Benedict Collins) ]]></author>                    <dc:creator><![CDATA[ Benedict Collins ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/jEvqGv8wvH7PWZ4XPURyyB.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.&lt;/p&gt;&lt;p&gt;Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.&lt;/p&gt;&lt;p&gt;Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with an elite academic framework for deconstructing complex international conflicts and intelligence operations. He also holds a BA in Politics with Journalism, providing him with a strong investigative nature and the ability to translate complex security data into clear, actionable insights.&lt;/p&gt;&lt;p&gt;When he isn’t analyzing the latest data breach or security threats, Benedict enjoys running and cycling throughout the UK countryside.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/y7GLevUTEjLYdujEYsv668-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details]]></media:description>                                                            <media:text><![CDATA[Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details]]></media:text>
                                <media:title type="plain"><![CDATA[Back view of hooded internet criminal hacking laptop in the dark, stealing credit card details]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/y7GLevUTEjLYdujEYsv668-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The FBI has warned of a <a href="https://www.techradar.com/pro/security/fbi-warns-of-kali-phishing-scam-hitting-microsoft-oauth-tokens-warns-kali365-lowers-the-barrier-of-entry-providing-less-technical-attackers-access-to-ai-generated-phishing-lures" target="_blank">new Phishing-as-a-Service (PhaaS) kit that is targeting Microsoft 365 accounts</a> in a complex but easily accessible campaign.</p><p>The Kali365 PhaaS service allows hackers to gain persistent access to Microsoft 365 environments by stealing ‘OAuth’ tokens using AI-generated phishing emails that direct users to legitimate Microsoft verification pages.</p><p>Once the attacker holds the OAuth token, they can access Outlook, Teams, and OneDrive services without having to complete any additional verification or authentication mechanisms.</p><p>Phishing campaigns such as these rely on human error in order to breach accounts, but luckily there are multiple steps to take to keep accounts and wider Microsoft 365 environments safe. Here are 3 ways businesses can protect themselves against the Kali365 PhaaS campaign:</p><h2 id="1-phishing-vigilance">1. Phishing Vigilance</h2><p>Phishing emails come in a range of formats. They can be interview invites, document access requests, and everything in between. Hackers are using AI tools to make highly convincing phishing emails that can slip past spam detection filters and blend in with regular email traffic.</p><p>IT administrators should pay attention to the latest guidance provided from intelligence feeds on phishing email trends and ongoing campaigns. 
Additionally, staff can be trained to spot and report phishing emails through regular simulations that mimic the real-world Tactics, Techniques and Procedures (TTPs) being used by hackers.</p><p>Users should also remain vigilant against unexpected Microsoft account authentication requests, especially when the user has not made an attempt to log in.</p><h2 id="2-conditional-access-policies">2. Conditional Access Policies</h2><p>The FBI recommends enabling <a href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview" target="_blank" rel="nofollow">conditional access policies</a> that block device code flow for all users. Blocking device code flow prevents the main Kali365 OAuth code interception from working.</p><p>In the Kali365 attack workflow, the hacker will submit a pre-generated device code from their device alongside a legitimate Microsoft verification page. The code submitted by the attacker is then typed into the authentication page by the victim, authorizing the attacker’s login to the victim's account. The attacker then steals OAuth access and refresh tokens to access Outlook, Teams, and OneDrive without the need for a password or authentication.</p><p>By blocking this authentication method, even if a victim falls for the phishing email and enters the code, the attacker’s login will fail.</p><p>But before applying a universal device code flow block, make sure to audit existing usage to identify where device code flow authentication is being used legitimately. Blocking legitimate usage could disrupt day-to-day operations in some circumstances.</p><h2 id="3-block-authentication-transfer-policies">3. 
Block Authentication Transfer Policies</h2><p>In order to make life easier for 365 users, Microsoft included an option to allow a user to use a trusted device to scan a QR code displayed on a separate device to authenticate a login.</p><p>However, this convenient feature makes it easier for attackers to authenticate their own sessions on a victim’s account once they have stolen OAuth tokens. Once provided access to a victim’s account, the attacker can use their newly ‘trusted’ device to authenticate their own account access requests.</p><p><a href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-authentication-transfer" target="_blank" rel="nofollow">Blocking authentication transfer policies</a> not only stops attackers from authenticating their own sessions, it can also help to prevent employees from logging in to unmanaged personal devices that can put company data at risk.</p><h2 id="expert-guidance">Expert Guidance</h2><p>Deborah Galea, Cybersecurity Expert at Filigran, commented on the Kali365 attacks:</p><p><em>“Phishing-as-a-Service (PhaaS) platforms like Kali365 are becoming more and more common, which is turning hacking into a highly commercialised subscription business. This means that bad actors can now utilise these ready-made kits rather than building infrastructure from scratch, significantly lowering the barrier to entry.”</em></p><p><em>“Kali365 is especially dangerous since it bypasses Multi-Factor Authentication (MFA) without stealing credentials and allows hackers to hijack Microsoft 365 accounts. 
We advise companies to implement preventative measures such as restricting device code flow, blocking authentication transfer, and implementing Phishing-Resistant MFA.”</em></p><p>Andrea Sivieri, Chief Product and Technology Officer at CoreView, also commented:</p><p><em>"The FBI warning on Kali365 confirms a pattern we have been seeing in enterprise Microsoft 365 environments for months. Attackers are no longer breaking into Microsoft 365, they are logging in, using features Microsoft built for legitimate purposes. Device code flow exists for a good reason, it is how smart TVs and IoT devices sign you into your account. The attackers have simply realised it makes a beautiful phishing primitive, because the user is the one who clicks 'approve' on a real Microsoft page. MFA cannot save you from a flow where the user does the MFA themselves." </em></p><p><em>"The depressing part is that the FBI's top recommendation, blocking device code flow through conditional access policy, is something any Microsoft 365 administrator could turn on this afternoon. The reason most organisations haven’t done this is because conditional access in a real-world tenant is a sprawl of policies edited by twenty different people over five years. Nobody is quite sure what blocking one flow will break. So the policy stays open, and the attackers stay in business." </em></p><p><em>"There is a bigger lesson here for any organisation running its business on Microsoft 365. The next breach at a large enterprise will not start with a hacker exploiting a vulnerability. It will start with an employee being asked, very politely, to perform a legitimate action inside a legitimate Microsoft product. 
The defence is not better technology, it is real-time visibility into what is actually changing inside the tenant, and the discipline to revisit the security policies that quietly age out."</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers abuse UltraVNC, Splashtop, and ScreenConnect to hijack business PCs ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/hackers-abuse-ultravnc-splashtop-and-screenconnect-to-hijack-business-pcs</link>
                                                                            <description>
                            <![CDATA[ Numerous legitimate tools being used in RMM attacks against Brazilian targets. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uJoSXR5SyKyAopA2sSQmZG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Fowg5CRho52HwmHzebUugV-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 May 2026 14:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/Fowg5CRho52HwmHzebUugV-1280-80.png">
                                                            <media:credit><![CDATA[Microsoft]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Windows 11 remote desktop]]></media:description>                                                            <media:text><![CDATA[Windows 11 remote desktop]]></media:text>
                                <media:title type="plain"><![CDATA[Windows 11 remote desktop]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Fowg5CRho52HwmHzebUugV-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Huntress uncovered a phishing campaign delivering legitimate RMM tools (Tiflux, UltraVNC, Splashtop, ScreenConnect) to gain persistence and exfiltrate business data</strong></li><li><strong>Attackers lure victims with fake “Network Solutions” service agreement emails, then abuse a vulnerable driver (HwRwDrv.x64) for privilege escalation</strong></li><li><strong>Evidence points to Brazilian infrastructure and targets, with defenses hinging on strict RMM auditing, asset inventories, and log reviews against LOLRMM databases</strong></li></ul><p>Cybercriminals are abusing a whole swathe of legitimate programs, including Tiflux, UltraVNC, Splashtop, and ScreenConnect, to take control of business computers, establish persistence, and continuously exfiltrate sensitive data. This is according to security researchers Huntress, who detailed the new campaign in an in-depth research paper. </p><p>The attack starts with a carefully crafted phishing email, usually themed around an “updated Service Agreement from Network Solutions”. The email claims that Network Solutions has modified its pricing statements and services and instructs the target to visit a page where they can review and accept the new terms.</p><p>Victims who click the provided link are first asked to complete a CAPTCHA, likely to filter out bots and automated analysis. After that, they are asked to download a “secured document” which is just an installer for Tiflux, a legitimate commercial (albeit fringe) Remote Monitoring and Management (RMM) tool.</p><h2 id="attacks-since-late-february">Attacks since late February</h2><p>Together with Tiflux, victims are also served other tools, including 7zip, an outdated version of the UltraVNC <a href="https://www.techradar.com/news/best-remote-desktop-software" target="_blank">remote access tool</a>, and a vulnerable driver called HwRwDrv.x64. 
The latter seems to be the key here, since it allows for potential privilege escalation.</p><p>The attackers then use Tiflux to install either Splashtop or ScreenConnect (or, in some cases, both), before proceeding with the main goal - transmitting live screenshots, running system utilities, establishing persistence, and exfiltrating data. </p><p>Huntress saw the attacks in the wild in late February this year. The report doesn’t mention any specific threat actor groups or names, but it does state that Tiflux is a Brazilian tool, and that the threat actor's infrastructure leverages a server domain ending in a Brazilian country-code top-level domain.</p><p>In other words, it all points to this being a Brazilian attacker, going after Brazilian targets.</p><p>Businesses can defend against RMM abuse by establishing a comprehensive asset inventory of all installed applications, implementing strict application controls, regularly auditing authorized RMMs and cross-referencing them against databases like LOLRMM to find tools frequently abused by threat actors, and reviewing logs for RMM activity.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers are turning up to victim's work dressed as IT support to install malware in-person, FBI warns ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/hackers-are-turning-up-to-victims-work-dressed-as-it-support-to-install-malware-in-person-fbi-warns</link>
                                                                            <description>
                            <![CDATA[ If a remote session fails, hackers will come to install malware in person. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3F8npGzVyL9dgB4tHiaEZc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/x4SmwpYXk8yGgDmYCVeckL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 May 2026 12:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/x4SmwpYXk8yGgDmYCVeckL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A hand about to touch a phone. Superimposed on top of it is a pink triangle with exclamation mark inside it. Behind it is a computer display with code on it]]></media:description>                                                            <media:text><![CDATA[A hand about to touch a phone. Superimposed on top of it is a pink triangle with exclamation mark inside it. Behind it is a computer display with code on it]]></media:text>
                                <media:title type="plain"><![CDATA[A hand about to touch a phone. Superimposed on top of it is a pink triangle with exclamation mark inside it. Behind it is a computer display with code on it]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/x4SmwpYXk8yGgDmYCVeckL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>FBI warned about Silent Ransom Group (SRG), a threat actor impersonating IT staff to steal files and plant malware directly at victim offices</strong></li><li><strong>SRG, also known as Luna Moth/Chatty Spider/UNC3753, primarily targets US law firms, starting with vishing calls and escalating to in‑person intrusions with external drives</strong></li><li><strong>Active since 2022 and linked to BazarCall, Conti, and Ryuk campaigns, SRG extorts victims via ransom emails, pressure calls, and a leak site naming and shaming non‑payers</strong></li></ul><p>The Federal Bureau of Investigation (FBI) is warning about hackers showing up at people’s offices, pretending to be IT support. They sit at people’s desks, pull all sensitive files onto an external drive and leave malware behind, all while pretending to be fixing a technical problem.</p><p>In a newly released flash alert, the FBI says this cheeky attack is being carried out by a threat actor calling itself the Silent Ransom Group (SRG). This threat actor, active for roughly four years now, starts its attack with a phone call.</p><p>They mostly target US-based law firms and first try to get the victim to install a remote desktop management solution and grant them access. If that attempt fails, they will come, in person, carrying flash drives, external disks, and other equipment needed to execute the attack. Once they steal the files, they’ll quietly escalate privileges and step away, engaging in extortion at a later date:</p><h2 id="chatty-spider">Chatty Spider</h2><p>“By sending someone in-person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer,” the FBI explained. “SRG actors use the exfiltrated victim data to extort the victim by sending a ransom email threatening to sell or post the data online. 
SRG actors also call employees or clients of a victim company to pressure the victim to begin ransom negotiations.” </p><p>Finally, the crooks have their own data leak website where they name and shame victims in order to pressure them into paying the ransom demand. </p><p>SRG is also known as Luna Moth, Chatty Spider, and UNC3753, the FBI further explained. The group was first seen back in 2022, and while it has struck organizations in different industries, it is primarily focused on law firms in the US. According to <em>BleepingComputer</em>, this group was previously linked to BazarCall campaigns, as well as Conti and Ryuk <a href="https://www.techradar.com/best/best-ransomware-protection" target="_blank">ransomware</a> incidents. </p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-silent-ransom-group-in-person-data-theft-attacks/" target="_blank"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ‘When things are moving fast, people make mistakes — and those mistakes cost’: Formula 1 fans are doing everything they can to watch motorsport, but it might cost them more than they'd expect ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/when-things-are-moving-fast-people-make-mistakes-and-those-mistakes-cost-formula-1-fans-are-doing-everything-they-can-to-watch-motorsport-but-it-might-cost-them-more-than-theyd-expect</link>
                                                                            <description>
                            <![CDATA[ Formula 1 fans across the world are facing complex scams targeting ticket sales, merchandise, and streaming. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kUrkQiYp7qx67iB3sXmcu8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/XGZfU7fsTHiF4zbXBfVXXh-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 May 2026 09:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ benedict.collins@futurenet.com (Benedict Collins) ]]></author>                    <dc:creator><![CDATA[ Benedict Collins ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/jEvqGv8wvH7PWZ4XPURyyB.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.&lt;/p&gt;&lt;p&gt;Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.&lt;/p&gt;&lt;p&gt;Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with an elite academic framework for deconstructing complex international conflicts and intelligence operations. He also holds a BA in Politics with Journalism, providing him with a strong investigative nature and the ability to translate complex security data into clear, actionable insights.&lt;/p&gt;&lt;p&gt;When he isn’t analyzing the latest data breach or security threats, Benedict enjoys running and cycling throughout the UK countryside.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/XGZfU7fsTHiF4zbXBfVXXh-1280-80.png">
                                                            <media:credit><![CDATA[Future / Benedict Collins]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A photo of a screen displaying the Bitdefender Cybersecurity Grand Prix at Pista Di Fiorano in Italy]]></media:description>                                                            <media:text><![CDATA[A photo of a screen displaying the Bitdefender Cybersecurity Grand Prix at Pista Di Fiorano in Italy]]></media:text>
                                <media:title type="plain"><![CDATA[A photo of a screen displaying the Bitdefender Cybersecurity Grand Prix at Pista Di Fiorano in Italy]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/XGZfU7fsTHiF4zbXBfVXXh-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Formula 1 is one of the most popular sports in the world today, <a href="https://www.formula1.com/en/latest/article/formula-1s-record-breaking-2025-season-in-numbers.irq7aR8PcyAw7ysO72vJn">boasting over 827 million highly passionate fans</a> across the world in 2025, all tuning in to watch wins, losses, crashes, and (occasionally) disqualifications.</p><p>To say Formula 1 fans get emotional is an understatement, and when there is a chance to win, many will go to extreme lengths to watch it happen - and not always legitimately - and for a threat actor, that pool of 827 million fans is an unmissable opportunity.</p><p>But participation goes beyond just watching the sport. The allure of cheap or discounted merchandise, dubious free streaming services, and the too-good-to-be-true offers play on the high-stakes nature of the sport, and the emotions of passionate fans - we spoke to security giants (and Ferrari partners) Bitdefender to find out more.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:4024px;"><p class="vanilla-image-block" style="padding-top:49.11%;"><img id="YK83HfJd3ed8DNtx6rPw2E" name="IMG_8548" alt="A photo of the F104 Starfighter behind the Ferrari logo located at Ferrari's Pista Di Fiorano race track." src="https://cdn.mos.cms.futurecdn.net/YK83HfJd3ed8DNtx6rPw2E.jpg" mos="" align="middle" fullscreen="" width="4024" height="1976" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Things move very, very fast in Formula 1. 
</span><span class="credit" itemprop="copyrightHolder">(Image credit: Future / Benedict Collins)</span></figcaption></figure><h2 id="bitdefender-threat-index">Bitdefender Threat Index</h2><p>At Pista di Fiorano, Ferrari’s private racetrack in Italy, I was part of a group of journalists given exclusive access to Bitdefender’s Fan Threat Index, which has collated data on the threats facing fans since March 2025. </p><p>Bogdan Botezatu, Senior Director of Threat Research & Reporting at Bitdefender, was on hand to guide us through the report.</p><p>“Scams are evolving. Last year, cybercrime was making about $9 trillion in losses at the global scale. Out of that $9 trillion slice, about $1 trillion is responsible for scamming,” he said. “This Fan Threat Index is our response to how scams are evolving.”</p><p>The Formula 1 teams themselves face a huge array of threats. There is the potential for not only malware and ransomware, but also physical infiltration to steal intellectual property and secrets - and that is why teams form partnerships exactly like Ferrari’s partnership with Bitdefender, which can offer the teams the expertise and solutions they need to stay protected. </p><p>“At home though, things are fundamentally different,” Botezatu notes. “When things are moving fast, people make mistakes, and those mistakes cost.”</p><p>He explains there are four major threats that Formula 1 fans face. 
“The motorsport ecosystem is dominated by speed; you have to source tickets fast; you have to get the right merchandise from the right vendor; you have to find a streaming partner to watch the show at home; you have to face that emotional involvement that happens on race weekend.”</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2437px;"><p class="vanilla-image-block" style="padding-top:121.50%;"><img id="tGguXkFN6dGBNKNxKpkh4Y" name="Bitdefender Fan Threat Index" alt="A photo of Bruce Sussman and Bogdan Botezatu presenting the Bitdefender Fan Threat Index report." src="https://cdn.mos.cms.futurecdn.net/tGguXkFN6dGBNKNxKpkh4Y.jpg" mos="" align="middle" fullscreen="" width="2437" height="2961" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Future / Benedict Collins)</span></figcaption></figure><h2 id="last-minute-tickets-and-counterfeit-merchandise">Last minute tickets and counterfeit merchandise</h2><p>The ultimate thrill for a Formula 1 fan is almost certainly the opportunity to watch a race in person. In order to make cheap or discounted tickets even more alluring, scammers will seek to lower the cost of entry by offering ticket lotteries and giveaways. </p><p>Attending in the merchandise of a fan’s chosen team adds to the allure, and these forms of scam usually spike in the run up to a race as eager fans look for last minute tickets, and finalize their race-day outfits. </p><p>The main target for scammers is the theft of financial information. 
Drawn in by the urgency of an “80% OFF” banner and a storefront that looks legitimate, many fans will trade their banking details for a knock-off hat.</p><p>These websites are hosted on short-lived domains that are quickly recycled once the event is over, and are most commonly disseminated through social media. </p><p>“These cybercrime groups are using stolen accounts that have credit cards attached to boost promoted posts,” Botezatu explains. “That's how they reach the right audiences, and that’s how they advertise their offers in front of the right people.”</p><p>“They are maximizing their profits using social media tactics,” he adds, explaining that they can abuse the data social media conglomerates such as Meta collect on users to serve their adverts and promoted posts to people of a specific demographic, in a specific geographic area, or those above a specific income.</p><h2 id="free-streaming-serving-up-malware">Free streaming serving up malware</h2><p>As the build-up to a race reaches its highest intensity, threat actors will begin offering free streaming services to fans desperate to tune in. These websites won’t necessarily only show Formula 1, but will serve a range of content from around the world to funnel in as many users as possible.</p><p>In many cases, the dubious streaming service will require that you install a VPN in order to watch. While this is sometimes a legitimate way to watch content that typically would not be available in a user’s region, the services these streaming providers offer are sometimes far from legitimate.</p><p>In a best case scenario, Botezatu explains, you’ll end up purchasing a legitimate streaming service that you don’t actually need and you still won’t be able to watch the race, but it will provide the service owner with a source of affiliate revenue. “Worst case, that VPN kit will be malware, 
and you’re going to infect your computer or device.”</p><p>For those on Android devices, some services will require the installation of a third-party video player in order to access a stream, and again, you will install malware. In these circumstances, Botezatu notes, the malware will often monitor your clipboard or your screen to track everything you type into your device, including sensitive banking and financial information.</p><p>The alternative some fans turn to is the dodgy streaming dongle. Where legitimate streaming dongles such as the Amazon Fire Stick start from around $30, some groups will disseminate streaming dongles with preinstalled software for far less, and sometimes at a loss.</p><p>While a fan may feel like they’ve just got a great deal and free access to every upcoming race, the reality is far more sinister. “The people who are selling these are using Formula 1 as a pretext for you to open a proxy; an exit node in a VPN used for cybercrime,” Botezatu says.</p><p>“These people give you hardware for free, but instead can sell access to your household to various cybercrime groups that are doing money laundering, illegal content distribution, child pornography, all sorts of things,” he adds.</p><p>These devices use your IP address to distribute their illegal content, meaning that when law enforcement investigates these crimes, it could be your house they’re raiding.</p><h2 id="social-engineering-to-dodge-antivirus">Social engineering to dodge antivirus</h2><p>Hollywood and modern TV have taught many people that hacking is a highly complex, intelligent pursuit that requires the layman to say, “In English, damn it!”</p><p>But the malware distribution scams Bitdefender has spotted targeting some Formula 1 fans are so incredibly simple that they border on genius.</p><p>Those in the know may have heard of ClickFix attacks, whereby an attacker presents the user with a problem that needs to be solved in order to access a website or service. 
When many of us are presented with a CAPTCHA to solve, we recognize the familiarity of the branding and will trust that it's legitimate.</p><p>But ClickFix attacks abuse this trust, and rather than clicking on all the bicycles in an image, the user will instead be prompted to open the Windows Terminal using a keyboard shortcut, and then use the “Ctrl” + “V” shortcut to paste in a line of code that the hacker has snuck into the clipboard.</p><p>For many antivirus suites, even first-rate protection, this activity appears to be legitimate human activity. The antivirus will do nothing to stop it, and the code will launch a PowerShell application that immediately installs infostealing software onto the infected device. The infostealer will then harvest browser passwords, session cookies, saved credit cards, VPN credentials, and email access - leading to even bigger problems for fans.</p><p>Our advice to Formula 1 fans? Always be on your guard when hunting for online streams, tickets and merch sales, and other linked activity - and remember, if an offer feels like it could be too good to be true, then it probably is.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'Identity is the new battleground': Why your IT helpdesk is suddenly getting a lot of bizarre calls ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/identity-is-the-new-battleground-why-your-it-helpdesk-is-suddenly-getting-a-lot-of-bizarre-calls</link>
                                                                            <description>
                            <![CDATA[ Okta vishing attacks rely on impersonation and urgency, allowing attackers to manipulate support staff and quickly escalate into large-scale data breaches. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GCa9RQ4zuznELEpBUwXGk9</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pHaURQZZne5GbLMKxidGTM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 23 Apr 2026 18:50:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Efosa Udinmwen ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/nwRLdPUNG4rWu4Y6nthHDV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master&#039;s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pHaURQZZne5GbLMKxidGTM-1280-80.jpg">
                                                            <media:credit><![CDATA[AI Generated]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Confused IT helpdesk officer ]]></media:description>                                                            <media:text><![CDATA[Confused IT helpdesk officer ]]></media:text>
                                <media:title type="plain"><![CDATA[Confused IT helpdesk officer ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pHaURQZZne5GbLMKxidGTM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Attackers now call helpdesks instead of sending phishing emails to breach networks</strong></li><li><strong>Impostors pose as executives to manipulate support teams into resetting MFA settings</strong></li><li><strong>Personal details scraped from LinkedIn make the deception more convincing for callers</strong></li></ul><p>Attackers are no longer trying to break into corporate networks through email phishing or malware, and are now targeting IT helpdesks through direct and bizarre phone calls.</p><p>These calls come from impostors posing as executives or staff, attempting to manipulate support teams into resetting multi-factor authentication settings or enrolling new authenticator devices.</p><p>To make the deception more convincing, the callers rely on personal details scraped from platforms like LinkedIn, company websites, and prior breach data.</p><h2 id="the-deception-behind-seemingly-legitimate-requests">The deception behind seemingly legitimate requests</h2><p>They often invent urgent situations, claiming to be traveling internationally and demanding immediate access to locked accounts, including multi-factor authentication resets.</p><p>In some cases, the same attacker places repeated bizarre calls, changing their voice or identity each time to improve their chances of success.</p><p>Meanwhile, the real executive remains at their desk, completely unaware that someone is actively impersonating them.</p><p>This is not just account takeover — it is <a href="https://www.techradar.com/best/best-identity-theft-protection">identity theft</a> in real time, executed over the phone.</p><p>This technique, known as Okta vishing, is a form of voice phishing, and once the identity provider is compromised, attackers gain immediate access.</p><p>They take over downstream applications connected through single sign-on, including Microsoft 365, SharePoint, Salesforce, and Slack.</p><p>As the attack proceeds, common pretexts 
include "I got a new phone and cannot access Okta" or "My MFA keeps failing, and I have a client meeting in ten minutes."</p><p>The attacker creates urgency to pressure support staff into bypassing standard verification procedures.</p><p>Several factors contribute to the rising success of Okta vishing attacks, as they take advantage of the nature of helpdesks.</p><p>Helpdesks are incentivized to resolve access issues quickly, remote work environments normalize authentication troubleshooting, and employee details are easily obtained online.</p><p>Attackers can convincingly impersonate executives because organizational charts and reporting structures are often publicly available.</p><p>As identity providers become the central control plane for software as a service access, they have become a primary target.</p><p>Once authenticated to Okta, attackers inherit trust relationships across all connected applications without exploiting each one individually.</p><p>Post-compromise behaviors frequently include downloading SharePoint data, exporting emails, creating inbox rules, registering OAuth applications, and generating API tokens.</p><p>In many cases, an Okta compromise quickly becomes a cloud data theft event rather than a traditional account takeover.</p><p>Technically, MFA works against Okta, but fails when humans are socially engineered into weakening authentication protections themselves.</p><p>Unfortunately, regular <a href="https://www.techradar.com/best/best-antivirus">antivirus software</a> cannot detect a phone call, and a <a href="https://www.techradar.com/best/firewall">firewall</a> does not block a convincing voice on the line.</p><p>Security teams should monitor for MFA reset events without clear justification, or new device enrollment followed by suspicious activity.</p><p>Any login attempts from unfamiliar ASNs immediately after MFA changes should also be treated as a red flag.</p><p>Via <a 
href="https://www.levelblue.com/blogs/spiderlabs-blog/why-attackers-are-bypassing-phishing-emails-and-targeting-identity-instead" target="_blank" rel="nofollow"><em>Level Blue</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ "SIM-Farm-as-a-Service": How a Belarus-based network hijacked UK and US telcos to enable global fraud ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/sim-farm-as-a-service-how-a-belarus-based-network-hijacked-uk-and-us-telcos-to-enable-global-fraud</link>
                                                                            <description>
                            <![CDATA[ Investigation maps 94 SIM farm deployments connected to 35 mobile carriers including major UK and US networks. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">CK8u3WbgiwprihBPkubatS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/N4gdmYscWdYjPN8Fxxc7Lh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 22 Apr 2026 21:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ waynewilliams@onmail.com (Wayne Williams) ]]></author>                    <dc:creator><![CDATA[ Wayne Williams ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/7YTAnzyJ2Ci96hP5duFpQm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/N4gdmYscWdYjPN8Fxxc7Lh-1280-80.jpg">
                                                            <media:credit><![CDATA[Infrawatch ]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[ProxySmart SIM Farm]]></media:description>                                                            <media:text><![CDATA[ProxySmart SIM Farm]]></media:text>
                                <media:title type="plain"><![CDATA[ProxySmart SIM Farm]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/N4gdmYscWdYjPN8Fxxc7Lh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>SIM farm deployments across 17 countries linked via shared ProxySmart software</strong></li><li><strong>Remote SIM infrastructure enables bypass of phone-based verification systems globally</strong></li><li><strong>Network connects dozens of telecom carriers across Europe, North America and beyond</strong></li></ul><p>A previously unreported network of SIM farms linked to a Belarus-based provider has been identified across multiple continents, showing how mobile networks are being used to support fraud operations at scale.</p><p>Research published by UK-based cyber firm <a href="https://infrawatch.com/blog/inside-the-mobile-farm-the-oem-stack-powering-us-4g-5g-proxy-networks#blogpost" target="_blank" rel="nofollow"><em>Infrawatch</em></a> found a distributed infrastructure that allows remote access to physical SIM hardware connected to telecom networks in multiple regions.</p><p><em>Infrawatch </em>identified 94 SIM farm deployments across 17 countries linked through software operated by a Belarus-based provider called ProxySmart.</p><h2 id="facilitating-large-scale-fraud">Facilitating large-scale fraud</h2><p>The deployments were supported by 24 commercial providers selling access to SIM connectivity across Europe, North America, and South America.</p><p>The network offers connections to 35 cellular carriers, including major UK operators such as Three, O2, EE, and Vodafone. U.S. connectivity was also widely available, with infrastructure distributed across 19 states that allows attackers to appear as legitimate domestic users.</p><p>SIM farms consist of racks of SIM cards or mobile devices that can be controlled remotely at scale. 
These are commonly used to bypass phone-based verification methods, including SMS one-time passwords used during logins or payments.</p><p>Their ability to mimic legitimate consumer connections makes it difficult for service providers to distinguish malicious traffic from ordinary mobile activity.</p><p>Technical analysis carried out by <em>Infrawatch </em>found that the ProxySmart platform supports automated IP rotation, remote device control, and network fingerprint spoofing. This allows operators to maintain persistent access to telecom infrastructure while cutting the chances of being spotted.</p><p>Investigators also found that services selling access to ProxySmart-backed SIM farms are promoted through online forums and messaging platforms.</p><p>Many of these services operate without customer identity checks, accept cryptocurrency payments, and are structured to reduce visibility to enforcement systems.</p><p>Blocking SIM farm activity is difficult because mobile operators assign a single IP address to multiple customers, making it tricky to separate legitimate users from malicious actors using IP-based filtering methods.</p><p>“SIM farms have been largely overlooked as criminal infrastructure to date – in part because the UK is the only country to have outlawed them, making global law enforcement crackdowns difficult," said Lloyd Davies, Founder and CEO, <em>Infrawatch</em>. </p><p>“This investigation highlights a significant resilience gap that leaves organisations and users more exposed to fraud and online harms. 
The global ecosystem of SIM farm operators and monetisation services is highly sophisticated and acts as a foothold into telecoms networks across Europe, America and South America for bad actors.”</p><p>The investigation began with the discovery of a UK-based SIM farm service and expanded into a wider mapping effort that revealed the scale of the ProxySmart ecosystem.</p><p>Findings were shared with relevant law enforcement bodies and regulators ahead of publication.</p><p>“ProxySmart is openly advertised as a SIM Farm-as-a-Service and, unfortunately, that’s not hype or marketing. These are serious operators who have perfected a model that makes running a SIM farm simple from end-to-end: from offering remote assistance setting up racks of modems to a dedicated software for remote infrastructure management and anti-bot countermeasures," Davies added.</p><p>“The legal grey area that SIM farms sit in has allowed that model to scale with limited disruption and we assess that it’s highly likely to be facilitating large-scale fraud operations today.”</p><p>With dozens of deployments already identified across multiple regions, the research shows how remote telecom access infrastructure is being commercialized and reused to support fraud, account abuse, and automated online activity.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'We will reveal their identity photos, names, location, and other': Experts reveal extraordinary battle between rival ransomware gangs — and how victims can get their data back ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/we-will-reveal-their-identity-photos-names-location-and-other-experts-reveal-extraordinary-battle-between-rival-ransomware-gangs-and-how-victims-can-get-their-data-back</link>
                                                                            <description>
                            <![CDATA[ A ransomware group is threatening to expose a rival’s members while offering victims decryption, creating a risky and unusual cybercrime conflict. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bhUm84WPa7KNsvp3M2F4jW</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CMwZVtsqUSZd9BSXCNeuLn-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Wed, 22 Apr 2026 19:55:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Efosa Udinmwen ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/nwRLdPUNG4rWu4Y6nthHDV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master&#039;s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/CMwZVtsqUSZd9BSXCNeuLn-1280-80.png">
                                                            <media:credit><![CDATA[Data Breach]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[0APT]]></media:description>                                                            <media:text><![CDATA[0APT]]></media:text>
                                <media:title type="plain"><![CDATA[0APT]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CMwZVtsqUSZd9BSXCNeuLn-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>0APT is threatening to expose the identities of rival ransomware operators</strong></li><li><strong>Double extortion tactics lose impact when used against cybercriminal groups</strong></li><li><strong>Krybit credentials and wallet data were found in leaked samples</strong></li></ul><p>The ransomware ecosystem has never been known for trust or cooperation, but a new conflict has pushed intra-criminal warfare into uncharted territory.</p><p>A cybercrime group called 0APT has threatened to expose the identities of individuals affiliated with a rival ransomware operation known as Krybit.</p><p>In a leaked blog post, 0APT issued an unusual ultimatum to its fellow criminals. "If the group does not make the payment or contact us, we will reveal their identity photos, names, location, and more," the post stated.</p><h2 id="double-extortion-model">Double-extortion model</h2><p>The threat also contained an unexpected offer directed at Krybit's original victims: "And if you are one of their victims, contact us to get your data unlocked."</p><p>0APT is using a double-extortion model that relies on the threat of reputational damage to pressure victims into paying ransoms.</p><p>That leverage evaporates almost completely when the target is another <a href="https://www.techradar.com/best/best-ransomware-protection" target="_blank">ransomware</a> group, since criminal enterprises have no legitimate reputation to protect.</p><p>Cybersecurity researchers note that the tactic loses much of its sting in this context, yet 0APT has proceeded as if following a conventional playbook.</p><p>The group leaked a small sample of allegedly stolen Krybit data as a warning shot and has threatened a full dump if no payment arrives.</p><p>Eric Taylor, owner of Barricade Cyber Solutions in South Carolina, has analyzed the small number of Krybit files already released by 0APT.</p><p>His team discovered plaintext credentials belonging to Krybit operators 
and affiliates, along with five cryptocurrency wallet addresses.</p><p>Notably, the team found no evidence of a single paid ransom to Krybit, suggesting the group may have been less successful than its public claims implied.</p><p>Krybit's website is currently offline, replaced by a splash page that reads: "Everything will return to work shortly. We apologize for this. We are sorry for the inconvenience."</p><p>This type of intra-rivalry is not entirely without precedent. In 2025, a group called DragonForce attacked rival groups BlackLock and Mamona by defacing their websites and leaking internal communications.</p><p>DragonForce also seemingly took over and later shut down the operation of former ransomware kingpin RansomHub in April last year after a month of infighting.</p><p>Security firm Halcyon has noted that 0APT "poses a legitimate threat" and shows "credible technical depth," though within its first 48 hours, the group posted a list of hundreds of victims that almost certainly contained inflated claims.</p><p>For organizations that have been encrypted by Krybit, the current conflict creates an unusual opportunity.</p><p>Victims should ensure their <a href="https://www.techradar.com/best/firewall" target="_blank">firewall</a> logs and network traffic data are preserved, as these may contain evidence of the attack.</p><p>Although 0APT seems to offer a way out for Krybit’s victims, there is a need for caution because the former remains a cybercriminal.</p><p>Whether 0APT actually possesses decryption keys for Krybit's victims remains unproven, and trusting one criminal group to rescue you from another carries obvious risks.</p><p>The situation is extraordinary, but the safest path for any victim is still to rely on professional defenders rather than rival attackers.</p><p>Via <a href="https://www.theregister.com/2026/04/14/0apt_krybit_spat/" target="_blank" rel="nofollow"><em>The Register</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ‘Big Game Hunters’: UK ransomware volume drops significantly 'but the reality is more alarming' – big orgs are being hit harder and with greater success ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/big-game-hunters-uk-ransomware-volume-drops-significantly-but-the-reality-is-more-alarming-big-orgs-are-being-hit-harder-and-with-greater-success</link>
                                                                            <description>
                            <![CDATA[ Ransomware actors are moving away from spray-and-pray attacks and into more targeted campaigns. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">JR37X2WNQFbPytvN4RGEQM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wV66hEbpJdAc4iPB7RwtkK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 22 Apr 2026 12:39:04 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wV66hEbpJdAc4iPB7RwtkK-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[An exclamation mark inside a red warning triangle, surrounded by email symbols, superimposed on someone typing on a laptop]]></media:description>                                                            <media:text><![CDATA[An exclamation mark inside a red warning triangle, surrounded by email symbols, superimposed on someone typing on a laptop]]></media:text>
                                <media:title type="plain"><![CDATA[An exclamation mark inside a red warning triangle, surrounded by email symbols, superimposed on someone typing on a laptop]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wV66hEbpJdAc4iPB7RwtkK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Ransomware incidents in the UK dropped sharply in volume but successful compromises rose significantly year-on-year</strong></li><li><strong>Attackers shifted to targeted, human-operated methods, with small businesses disproportionately affected compared to large enterprises</strong></li><li><strong>Outdated “zombie tech” and undetected breaches fueled millions of attack attempts, while data theft replaced file encryption as the primary extortion tactic</strong></li></ul><p>Last year, the volume of ransomware attacks in the United Kingdom fell by 87%. But before you pop that champagne and throw confetti into the air there is another, more alarming statistic: the number of UK organizations that were successfully compromised actually rose by 20% year-on-year.</p><p>These are the figures published by security researchers SonicWall. By measuring threats its firewalls stop right when they try to enter a network, the company uncovered that <a href="https://www.techradar.com/best/best-ransomware-protection" target="_blank">ransomware</a> actors moved away from “spray-and-pray” techniques and towards a more targeted, human-operated “big game hunting” methodology. </p><p>The same report states that smaller organizations were more likely to be targeted by ransomware, since it was present in 88% of SMB breaches, compared to 39% at large enterprises.</p><h2 id="zombie-tech">Zombie tech</h2><p>SonicWall also said that almost all of the UK recorded incidents (96.7%) happened in England.</p><p>If there is one thing we can point the finger at, it should be the “zombie tech” crisis, the researchers explained. Many organizations are running old, outdated and unsupported hardware, leaving gaping holes that cybercriminals can easily exploit. SonicWall said that a single, decade-old flaw in a widely deployed Hikvision IP camera resulted in 67 million attack attempts throughout the country. 
</p><p>The problem is only made worse by the fact that the majority of IT leaders (80%) are confident they can detect a breach within eight hours, even though the average attack remains unseen for a whopping 181 days. Automated threats, as well as AI-enabled attacks, have almost doubled year-on-year, further escalating the risk. </p><p>These days, ransomware attacks rarely include encryptors locking out access to vital documents. Instead, cybercriminals are focused solely on data exfiltration and the threat of releasing stolen files to the dark web. It is cheaper and easier to maintain, while being equally effective in terms of extorted funds.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'Growing 3x faster than police staffing': Surge in cybercrime and new laws on ransomware payment could put UK businesses (and their directors) — in a "compliance trap." ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/growing-3x-faster-than-police-staffing-surge-in-cybercrime-and-new-laws-on-ransomware-payment-could-put-uk-businesses-and-their-directors-in-a-compliance-trap</link>
                                                                            <description>
                            <![CDATA[ Cybercrime in the UK is rising faster than policing capacity, while stricter laws increase compliance risks for businesses facing ransomware attacks. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">G3AwgTLg7DZeH9DKwCRDC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 04 Apr 2026 09:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Efosa Udinmwen ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/nwRLdPUNG4rWu4Y6nthHDV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master&#039;s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-1280-80.jpg">
                                                            <media:credit><![CDATA[sarayut Thaneerat/ via Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website]]></media:description>                                                            <media:text><![CDATA[Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website]]></media:text>
                                <media:title type="plain"><![CDATA[Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Cybercrime cases climbed from 774 thousand to over 1.4 million</strong></li><li><strong>Police staffing for cybercrime rose by only 31% during the same period</strong></li><li><strong>Each officer now handles significantly more cases than four years ago</strong></li></ul><p>Cybercrime in the United Kingdom is expanding at a rate that exceeds the growth of dedicated policing resources, and new figures from Forbes Solicitors claim fraud and computer misuse offenses have increased sharply in recent years, while staffing levels in cyber and economic crime units rose at a slower pace.</p><p>Reported incidents climbed from 774,537 cases in 2020 to 1,458,704 in the latest figures, representing an increase of 88% - but over the same period, the number of personnel handling such offenses rose by 31%. This means that reported incidents are rising 3x faster than policing, creating a widening imbalance between workload and available resources.</p><p>As a result, each staff member is now responsible for substantially more cases than in previous years.</p><h2 id="offense-volumes-surge-sharply-within-a-short-time-frame">Offense volumes surge sharply within a short time frame</h2><p>At the same time, regulatory changes are advancing through Parliament with the aim of strengthening national cyber resilience.</p><p>“The Cyber Security and Resilience Bill is expected to become law this year, and Government is also looking at new legislation for banning and preventing ransomware payments,” said Craig MacKenzie, Head of High Profile and Private Crime at Forbes Solicitors.</p><p>The proposed legislation is expected to introduce stricter requirements for organizations, alongside expanded enforcement powers and higher financial penalties for non-compliance.</p><p>Existing penalty limits could be replaced by fines linked to a percentage of global turnover, which would increase potential liabilities for large organizations.</p><p>“New laws are 
a positive move but would likely bring compliance requirements that will be tougher to meet without sufficient policing,” MacKenzie added.</p><p>Alongside broader reforms, the government is considering measures that would restrict or prohibit <a href="https://www.techradar.com/best/best-ransomware-protection">ransomware</a> payments, an approach intended to reduce incentives for attackers.</p><p>However, ransomware incidents have already demonstrated their ability to disrupt operations for extended periods, often forcing companies into difficult decisions under pressure.</p><p>Proposed rules could introduce civil or criminal penalties for organizations and directors who choose to pay, even when operational continuity is at stake.</p><p>This will likely create a situation where compliance obligations may conflict with immediate operational realities.</p><p>The combination of increasing cybercrime and stricter regulation introduces a layered burden for organizations, particularly those lacking extensive internal security capabilities.</p><p>Businesses may be required to strengthen defenses, monitor systems more closely, and respond to incidents under tighter legal constraints with limited external resources.</p><p>“It’s hard to justify asking businesses and their staff to take on bigger responsibilities — and greater liability — when police staffing isn’t growing anywhere near as fast as the number of fraud and computer misuse offenses,” said MacKenzie.</p><p>However, organizations are advised to ensure strong cybersecurity by deploying up-to-date <a href="https://www.techradar.com/best/best-antivirus">antivirus</a> solutions and properly configured <a href="https://www.techradar.com/best/firewall">firewall</a> systems to reduce exposure to evolving threats.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'In 2026, cybercrime has reached a point of total convergence': New research claims AI attacks are taking over — so how can your business stay safe? ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/in-2026-cybercrime-has-reached-a-point-of-total-convergence-new-research-claims-ai-attacks-are-taking-over-so-how-can-your-business-stay-safe</link>
                                                                            <description>
                            <![CDATA[ AI attacks, identity theft, and ransomware are combining. What could possibly go wrong? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GwBJabrjBWThBJomQ7VFVS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/TWkP7ZurZMY6uepDxsK6Ha-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 12 Mar 2026 17:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/TWkP7ZurZMY6uepDxsK6Ha-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol]]></media:description>                                                            <media:text><![CDATA[Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol]]></media:text>
                                <media:title type="plain"><![CDATA[Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/TWkP7ZurZMY6uepDxsK6Ha-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Flashpoint warns of AI-driven “era of total convergence” in cybercrime </strong></li><li><strong>1,500% surge in illicit AI discussions, 3.3B credentials stolen in 2025</strong></li><li><strong>Ransomware shifting to insider-enabled, identity-focused attacks</strong></li></ul><p>Cybercrime has entered the “era of total convergence”, where everything from reconnaissance and phishing generation to credential testing and infrastructure rotation is being done through agentic AI frameworks without any human control, experts have warned.</p><p>The <a href="https://flashpoint.io/blog/global-threat-intelligence-report-2026/" target="_blank" rel="nofollow">2026 Global Threat Intelligence Report</a> (GTIG) by security researchers Flashpoint noted this “high-velocity threat engine” lowers the barrier to entry and speeds up threats, forcing defenders to adapt or face the consequences.   </p><p>As per the report, there are four converging forces that are currently reshaping the global threat landscape: autonomous systems that can execute end-to-end attacks at machine speed, identities as primary exploit vectors, vulnerabilities being exploited within hours, rather than days, and ransomware shifting towards identity-driven and insider-enabled models. </p><h2 id="logging-in-instead-of-breaking-in">Logging in instead of breaking in</h2><p>Flashpoint bases these conclusions on proprietary data, having apparently identified a 1,500% rise in AI-related illicit discussions between November and December 2025, rising from roughly 360,000 to more than six million.</p><p>At the same time, the company observed 11.1 million devices infected with infostealers in 2025, stealing approximately 3.3 billion credentials and cloud tokens. </p><p>It says that hackers are no longer interested in “breaking in” as much as they’re interested in “logging in”. 
“The reality of identity data and the potential for its automation necessitates a shift in how organizations must view their attack surface,” the researchers said. “Infostealers have shown that it is no longer limited to corporate infrastructure; it now includes employee browsers, personal devices, SaaS platforms, and third-party access.”</p><p>The researchers also said the window between vulnerability disclosure and exploitation is “vanishing”, as they observe several high-impact vulnerabilities being mass-exploited “within hours of disclosure”. </p><p>Finally, <a href="https://www.techradar.com/best/best-ransomware-protection" target="_blank">ransomware</a> incidents rose by 53% in 2025, with RaaS groups responsible for more than 87% of attacks. But instead of relying solely on encryption payloads, they are now recruiting malicious insiders, abusing authorized access, and leveraging credential theft. </p><p>To stay safe, organizations should focus on making sure they patch their vulnerabilities as soon as possible, Flashpoint said in the report. They should also focus on monitoring for stolen credentials and compromised endpoints, strengthening identity security, and combining automated detection with human-led threat intelligence to identify emerging risks early.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 'The total industrialization of cyber threats': Cloudflare report outlines how hackers are 'weaponizing the Internet' ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/the-total-industrialization-of-cyber-threats-cloudflare-report-outlines-how-hackers-are-weaponizing-the-internet</link>
                                                                            <description>
                            <![CDATA[ There is a "fundamental rewiring of the modern cyberattack" going on and AI is at the center. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">F93UQ7GUjF3BPBfxkFSki6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Hc6oTvWTHfb3ETNovTaDxG-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 04 Mar 2026 17:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Hc6oTvWTHfb3ETNovTaDxG-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AI writer]]></media:description>                                                            <media:text><![CDATA[AI writer]]></media:text>
                                <media:title type="plain"><![CDATA[AI writer]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Hc6oTvWTHfb3ETNovTaDxG-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Cloudflare warns GenAI is reshaping cyberattacks </strong></li><li><strong>Report highlights AI-driven supply chain and espionage threats</strong></li><li><strong>DDoS and social engineering form critical attack trio</strong></li></ul><p>Generative Artificial Intelligence (GenAI) is the driving force behind a “fundamental rewiring of the modern cyberattack”, experts have said, urging companies to up their protection immediately. </p><p>The inaugural 2026 Cloudflare Threat Report, based on data from 230 billion threats the company blocks on average each day, claims we’re witnessing a complete industrialization of cybercrime, and says it is being adopted by both profit-driven and state-sponsored actors. </p><p>In the paper, the company details the “first-ever AI-based attack” recorded, in which a threat actor used AI to identify the location of high-value data, compromising hundreds of corporate tenants. It was “one of the most impactful supply chain attacks seen,” Cloudflare said.</p><h2 id="ddos-and-social-engineering">DDoS and social engineering</h2><p>Nation-states are also going all-in on AI. North Korean groups are apparently using AI-generated deepfakes and fake IDs to bypass hiring filters, smuggling state-sponsored spies directly into Western companies. They’re not even using <a href="https://www.techradar.com/vpn/best-vpn" target="_blank">VPN</a>s to hide their location. Instead, they are using local “laptop farms”.</p><p>While AI has not just lowered the barrier to entry, but erased it entirely, Cloudflare doesn’t focus solely on the nascent technology. It also mentions <a href="https://www.techradar.com/news/best-ddos-protection" target="_blank">DDoS</a> and social engineering, forming an “unholy trinity” of the contemporary cybercriminal.</p><p>DDoS attacks, for example, have now surpassed human response capabilities. 
Large-scale botnets like Aisuru have evolved into nation-state level threats capable of taking down an entire country’s networks, Cloudflare warns, saying that with record-breaking attacks reaching 31.4 Tbps, these high-speed strikes now “demand fully autonomous defenses”.</p><p>“Threat actors are constantly changing tactics, finding new vulnerabilities to exploit and ways to overwhelm their victims. To avoid being caught off guard, organizations must shift from a reactive posture to one fueled by real-time, actionable intelligence,” said Blake Darché, head of threat intelligence, Cloudforce One at Cloudflare. </p><p>“The message to defenders is simple: lead with intelligence or risk falling behind in a race where the stakes have never been higher.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers are turning to easy, fast AI solutions to roll out attacks - so how can your business stay safe? ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/hackers-are-turning-to-easy-fast-ai-solutions-to-roll-out-attacks-so-how-can-your-business-stay-safe</link>
                                                                            <description>
                            <![CDATA[ Between speed, quality, and cost, hackers must sacrifice one, and it appears to be - quality. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2vNxeVDinPoxdcenyQzBGQ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NGKiUcJVFBC8HkMp9dTo9a-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 04 Mar 2026 15:07:54 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NGKiUcJVFBC8HkMp9dTo9a-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.]]></media:description>                                                            <media:text><![CDATA[A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.]]></media:text>
                                <media:title type="plain"><![CDATA[A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NGKiUcJVFBC8HkMp9dTo9a-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Cybercriminals leverage GenAI to accelerate attack creation </strong></li><li><strong>Campaigns prioritize speed and scale over sophistication</strong></li><li><strong>Report shows basic tactics still bypass defenses</strong></li></ul><p>Cybercriminals are “vibe-hacking” their way into enterprise environments, using Generative Artificial Intelligence (GenAI) to make launching attacks faster and easier, research has claimed, noting although the attacks are less sophisticated compared to non-AI ones, this is a tradeoff cybercriminals are apparently happy to take.</p><p>The latest Threat Insights Report from HP Wolf Security claims to have seen <a href="https://www.techradar.com/best/best-ai-tools">AI tools</a> being used in different ways. In one campaign, a fake invoice PDF contained a link that triggered a download from a compromised site, before redirecting the victim to a trusted platform.</p><p>In another one, the crooks were using off-the-shelf <a href="https://www.techradar.com/best/best-malware-removal">malware</a> components and optimizing them with custom lures and payloads. This allows them to “quickly build, customize, and scale campaigns with minimal effort”. </p><h2 id="piggyback-attacks">Piggyback attacks</h2><p>The researchers also observed a so-called “piggyback” attack, in which malware was hidden in fake Teams installers. </p><p>Victims would download a malicious installer bundle with a hidden Oyster Loader malware piggybacking on the Teams installation process. So, while the real app is being installed, the victims don’t notice the infection happening in the background. </p><p>“It’s the classic project management triangle - speed, quality and cost. You often sacrifice one of them. What we’re seeing is many attackers are optimizing for speed and cost, not quality,” said Alex Holland, Principal Threat Research, HP Security Lab. 
</p><p>“They are not using AI to raise the bar; they’re using it to move faster and reduce effort. The campaigns themselves are basic but the uncomfortable reality is they still work.”</p><p>Looking at the report, it would seem that quality isn’t the defining factor here. As per HP’s telemetry, at least 14% of malicious emails managed to bypass one or more email gateway scanners, suggesting that the “low quality, high quantity” approach does work. The most popular delivery types were executable files (37%), .ZIP archives (11%), and .DOCX files (10%).</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ North Korean job scammers target JavaScript and Python developers with fake interview tasks spreading malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/north-korean-job-scammers-target-javascript-and-python-developers-with-fake-interview-tasks-spreading-malware</link>
                                                                            <description>
                            <![CDATA[ Operation Dream Job is evolving once again, and now comes through malicious dependencies on bare-bones projects. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3MoqZ4T5MWqXnL8vyBAx84</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/PcYLLwL2xvYvPfjEXYpZrD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 16 Feb 2026 15:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/PcYLLwL2xvYvPfjEXYpZrD-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker silhouette working on a laptop with North Korean flag on the background]]></media:description>                                                            <media:text><![CDATA[Hacker silhouette working on a laptop with North Korean flag on the background]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker silhouette working on a laptop with North Korean flag on the background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/PcYLLwL2xvYvPfjEXYpZrD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Lazarus Group evolving Operation Dream Job campaign to target Web3 developers </strong></li><li><strong>New “Graphalgo” variant uses malicious dependencies in legitimate bare-bone projects on PyPI/npm</strong></li><li><strong>ReversingLabs found ~200 malicious packages spoofing libraries like graphlib, aiming to steal crypto</strong></li></ul><p>The notorious Lazarus gang is evolving its Operation Dream Job campaign to target even more software developers and steal even more crypto along the way.</p><p>Security researchers ReversingLabs claim to have seen changes to the campaign starting May 2025, dubbed ‘Graphalgo’, which sees Lazarus take a legitimate bare-bone project and add a malicious dependency which they use in the attack.</p><p>For those unfamiliar with Operation Dream Job, it is an ongoing campaign created by North Korean state-sponsored hackers. They create fake job ads on LinkedIn and other platforms and offer enticing jobs to software developers working primarily in the Web3 (blockchain) industry.</p><h2 id="codename-graphalgo">Codename Graphalgo</h2><p>During the “hiring process”, they ask the candidates to go through a few test assignments which always end up with the victims downloading and running malicious code. That code can be different, but the goal is always to empty their <a href="https://www.techradar.com/news/best-bitcoin-wallets" target="_blank">crypto wallets</a> - be it standalone apps, browser add-ons, or accounts on popular crypto exchanges.</p><p>"It is easy to create such job task repositories. Threat actors simply need to take a legitimate bare-bone project and fix it up with a malicious dependency and it is ready to be served to targets," the researchers said. Most of these projects are hosted on legitimate platforms such as PyPI or npm, making it more difficult for the victims to spot the attack. </p><p>So far, ReversingLabs found almost 200 malicious packages. 
</p><p>The refresh was dubbed Graphalgo because all of the malicious packages had the prefix “graph” in their name and often spoof regular libraries such as graphlib. In more recent times, “graph” was replaced with “big”, but the researchers are yet to find the recruiting part that goes with these packages.</p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/" target="_blank"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Most SMBs aren't set up to survive a major cyberattack - here's what needs to be done ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/most-smbs-arent-set-up-to-survive-a-major-cyberattack-heres-what-needs-to-be-done</link>
                                                                            <description>
                            <![CDATA[ One-tenth of UK orgs probably wouldn't survive after a cyberattack, and most agree risks have increased over the past 12 months. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Y4hgLFe37VFgbex59iqAmf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 22 Jan 2026 11:14:44 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Craig Hale ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/GV8qRsHBkpSAQxiYKjTt6H.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-1280-80.jpg">
                                                            <media:credit><![CDATA[sarayut Thaneerat/ via Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website]]></media:description>                                                            <media:text><![CDATA[Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website]]></media:text>
                                <media:title type="plain"><![CDATA[Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5rDPr5xYvLwnkP7ZvpR2w3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Most business leaders believe their employees would fall for a phishing attack</strong></li><li><strong>Workers commonly reuse work passwords for personal accounts</strong></li><li><strong>AI scams and deepfakes are increasingly concerning</strong></li></ul><p>New data from Vodafone Business has revealed more than 10% of UK organizations would probably not survive if they were hit with a cyberattack, and while this may sound like a fairly low proportion by itself, it's set against a backdrop of evolving attacks and poor cybersecurity practices.</p><p>Nearly two-thirds (63%) agree that their business's risk of cyberattacks has risen over the past year, and most leaders (71%) believe at least one of their workers would probably fall for a phishing attack.</p><p>However, even though we're in an era of rapidly evolving threats, the report indicates that some basic cybersecurity measures can still serve to protect companies.</p><h2 id="british-businesses-are-still-at-risk-of-cyberattacks">British businesses are still at risk of cyberattacks</h2><p>One such practice is the use of strong and unique passwords. 
The study found that staff reuse work passwords on up to 11 personal accounts as well, making a single breach far more devastating.</p><p>And as for the current state up and down the UK, not even half (45%) have ensured that all staff have been through basic cyber awareness training.</p><p>But change could be on the horizon, with 89% agreeing that high-profile attacks last year (like those on M&S and Jaguar Land Rover) made them more alert.</p><p>There's also an increasing awareness of AI scams and deepfakes, with 70% now more suspicious of video calls claiming to be from senior leaders.</p><p>"Many steps - such as avoiding password reuse and enhancing staff training - are relatively simple to implement," VodafoneThree Business Director Nick Gliddon wrote.</p><p>The UK Government is also launching a second Telecommunications Fraud Charter later this year, with the hope of boosting the UK's defense against sophisticated cybercrime.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Notorious Black Axe cybercrime gang disrupted in Europol raids ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/notorious-black-axe-cybercrime-gang-disrupted-in-europol-raids</link>
                                                                            <description>
                            <![CDATA[ In total, 34 Black Axe cybercrime gang members were arrested, including 10 core members. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">H5oaPACgVBHCUvFh9iF7u9</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 12 Jan 2026 11:43:51 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:description>                                                            <media:text><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:text>
                                <media:title type="plain"><![CDATA[Malware attack virus alert , malicious software infection , cyber security awareness training to protect business]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jt92kXfBXVXUWwnKBmDJLn-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Spanish police arrest 34 suspected Black Axe members in raids across Seville, Madrid, Malaga, and Barcelona</strong></li><li><strong>Black Axe, linked to the Neo-Black Movement of Africa, has ~30,000 members worldwide</strong></li><li><strong>Group engages in cyber-fraud, trafficking, armed robbery, and recruits money mules in impoverished areas</strong></li></ul><p>Spanish police have arrested 34 individuals suspected of running Black Axe, a malicious organization engaged in <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">cyber fraud</a> as part of a network of criminal activities.</p><p>A <a href="https://www.europol.europa.eu/media-press/newsroom/news/34-arrests-in-spain-during-action-against-black-axe-criminal-organisation" target="_blank" rel="nofollow">Europol press release</a> noted the Spanish National Police and the Bavarian State Criminal Police Office conducted raids in Seville, Madrid, Malaga, and Barcelona, arresting dozens of members of Black Axe. During the raid, they seized almost $140,000 in bank accounts, and $77,000 in cash. </p><p>Black Axe is apparently a large, highly structured, hierarchical group headquartered in Nigeria, with members scattered across dozens of countries, while their operations span the globe.</p><h2 id="recruiting-money-mules">Recruiting money mules</h2><p>The group scammed their way into “billions of euros”, Europol explained, saying that it engages in all sorts of criminal activity: cyber-enabled fraud, drug trafficking, human trafficking and prostitution, kidnapping, armed robbery and fraudulent spiritual practices. The majority of their operations seem to be small-scale but add up quickly.</p><p>The core group that was arrested was allegedly engaged in recruiting money mules in Spain - mostly in impoverished areas. 
While the arrests were carried out mostly by Spanish operatives, German law enforcement provided analytical support and intelligence and deployed two officers during the raid. </p><p>Europol says Black Axe is formally linked to the Neo-Black Movement of Africa and is a “highly structured, hierarchical group with a global presence.”</p><p>“It divides its territory into approximately 60 zones in Nigeria and 35 abroad, with about 200 members per zone. In total, the organization has roughly 30 000 registered members, and countless affiliated individuals such as money mules and facilitators,” it said. </p><p>“The group enforces strict codes of conduct, violent and ritualistic initiations, and spiritual practices.”</p><p>No names were shared, and at this time, we don’t know exactly which cyber campaigns Black Axe conducted.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ US cybersecurity professionals plead guilty to Blackcat ransomware attacks ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/us-cybersecurity-professionals-plead-guilty-to-blackcat-ransomware-attacks</link>
                                                                            <description>
                            <![CDATA[ Ryan Clifford Goldberg and Kevin Tyler Martin could end up in prison for years after extorting one, and trying to extort four more companies. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5pGYF2n4SAMfnTdZdJyxhP</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fg7bgy65pWhFo4Qzib58yX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 31 Dec 2025 11:45:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fg7bgy65pWhFo4Qzib58yX-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Phishing, E-Mail, Network Security, Computer Hacker, Cloud Computing Cyber Security 3d Illustration]]></media:description>                                                            <media:text><![CDATA[Phishing, E-Mail, Network Security, Computer Hacker, Cloud Computing Cyber Security 3d Illustration]]></media:text>
                                <media:title type="plain"><![CDATA[Phishing, E-Mail, Network Security, Computer Hacker, Cloud Computing Cyber Security 3d Illustration]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fg7bgy65pWhFo4Qzib58yX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Two ex-cybersecurity professionals pleaded guilty to ALPHV ransomware extortion attempts</strong></li><li><strong>They extorted $1.2M from a medical device firm; other attempts failed</strong></li><li><strong>Facing federal charges with possible 20-year prison sentences; sentencing set for March 12, 2026</strong></li></ul><p>The two cybersecurity experts that were accused of affiliating with <a href="https://www.techradar.com/best/best-ransomware-protection" target="_blank">ransomware</a> operators have pleaded guilty to at least one successful extortion attempt, as well as a few unsuccessful ones.</p><p>In early November this year, news broke of three cybersecurity professionals being suspected of working as affiliates for the dreaded ALPHV (BlackCat) ransomware gang, deploying encryptors against multiple US organizations.</p><p>Back then, a US federal indictment filed in the Southern District of Florida claimed two defendants - Ryan Clifford Goldberg of Georgia, and Kevin Tyler Martin of Texas, together with a third co-conspirator, hacked into company networks, stole data, encrypted it with ALPHV ransomware, and demanded cryptocurrency ransoms.</p><p>The indictment did not describe the two as cybersecurity professionals. However, local media said Martin worked at DigitalMint as a ransomware threat negotiator, while Goldberg was a former Sygnia incident response manager.</p><p>Both of them are no longer working with these companies.</p><h2 id="sentencing-in-march">Sentencing in March</h2><p>Now, it seems the duo admitted hacking a medical device company back in 2023, and later extorting it for $1.2 million. </p><p>They also allegedly admitted to trying to extort a Maryland-based pharmaceutical company, a California doctor’s office for $5 million, a California engineering firm for $1 million, and a Virginia drone manufacturer for $300,000. 
These attempts were unsuccessful.</p><p>“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks – the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva of the DoJ’s Criminal Division.</p><p>Since all five companies were engaged in interstate commerce, the case falls under federal jurisdiction. The payments were allegedly laundered through multiple cryptocurrency wallets to hide their origins.</p><p>The three are facing serious prison time. They are being charged with “conspiracy to interfere with interstate commerce by extortion”, “interference with ecommerce by extortion”, and “intentional damage to a protected computer”. The first two carry prison sentences of up to 20 years, while the third carries up to 10 years.</p><p>Sentencing is scheduled for March 12, 2026.</p><p><em>Via </em><a href="https://cybernews.com/cybercrime/us-cyber-pros-guilty-alphv-blackcat-ransomware-affiliates/" target="_blank"><em>Cybernews</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Privacy vs control: a “whack-a-mole game” with no clear winners ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/computing/cyber-security/privacy-vs-control-a-whack-a-mole-game-with-no-clear-winners</link>
                                                                            <description>
                            <![CDATA[ Are authorities going too far in their pursuit of safety? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Q7uNQgkTKeU47dBAaxGcX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/h3eTL5LaGoRRmYHVc9RnXL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Dec 2025 06:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Security]]></category>
                                                    <category><![CDATA[VPN Privacy &amp; Security]]></category>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                    <category><![CDATA[VPN]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rob Dunne ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/SpemWktMnbiQ2SSmQ9RYtb.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Rob is VPN Editor for TechRadar. Coming from a background in phones and technology, Rob has long been putting himself, and his data, online. Finding out the easy, and hard, ways to stay secure online is something that has come along the way – not without being victim to a number of nasty data breaches that is.&lt;/p&gt;&lt;p&gt;Using his experiences and broader knowledge of the technology world, Rob strives to provide the latest ways to stay secure and private online. Whether that be simple steps such as two-factor authentication and password management, or more advanced options such as setting up VPNs, alternative online aliases and more.&lt;/p&gt;&lt;p&gt;In an ever-busy life outside of work, Rob is constantly engaging in tech across areas such as fitness and smart wearables to help him with his continuous work in the gym or on the tennis court, as well as keeping up to date on the latest in the gaming industry with the latest releases across PC and console a constant release from day to day life. &lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/h3eTL5LaGoRRmYHVc9RnXL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[person using phone with locked screen with iced coffee and laptop in background]]></media:description>                                                            <media:text><![CDATA[person using phone with locked screen with iced coffee and laptop in background]]></media:text>
                                <media:title type="plain"><![CDATA[person using phone with locked screen with iced coffee and laptop in background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/h3eTL5LaGoRRmYHVc9RnXL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>VPNs have gained significant attention in 2025, and not all of it has been positive. The technology's role in circumventing age verification measures and accessing streaming services for reduced prices has consistently landed them in hot water. </p><p>Major events, like the arrival of age verification in the UK, have triggered massive increases in VPN demand, with one provider seeing sign-ups rise over 1,000%. Meanwhile, streaming services such as Canal+ have launched legal action against VPN companies for enabling improper access to their services. </p><p>As VPNs become increasingly important for accessing day-to-day services, they sit at the center of a growing conflict between privacy and control. However, have the events of 2025 shown that it’s a battle authorities simply can’t win? I think so.</p><h2 id="the-subscription-problem">The subscription problem</h2><p>Take streaming. As providers frequently increase prices and tighten geo-restrictions, VPNs have evolved into important tools for securing cheaper deals and unlocking foreign content libraries.</p><p>VPNs allow you to connect to a server in your home country if you’re traveling, so you can retain access to the content you love. However, it works both ways and you can just as easily access content that you strictly shouldn't be able to. </p><p>This capability drew the attention of streaming giant Canal+ earlier this year. The streaming service launched a legal case against VPNs, requesting that they block access to 203 sites identified as hosting pirated football streams. </p><p>But, as multiple VPNs have pointed out, these requests are near-impossible to implement without compromising their primary purpose, privacy. 
</p><div><blockquote><p>"I don't think the walls are closing in."</p><p>Himmat Bains</p></blockquote></div><p>At the time of the initial ruling, a NordVPN spokesperson told TechRadar that adhering to the request while maintaining NordVPN’s privacy obligations was impossible. Almost a year later, the sentiment remains the consensus across the wider industry. </p><p>When asked whether Norton VPN was in a similar predicament regarding such requests, Himmat Bains, the company's Senior Principal Product Manager, simply responded:</p><p>“The problem is, I don’t know how we would.”  </p><p>Legal challenges like the one put forward by Canal+ aren’t common, and broader attempts to restrict the use of VPNs are even less frequent in democratic regions. So what’ll change? </p><p>Whether they are enabling safe journalism in conflict zones, bypassing state censorship, or securing personal data against malicious actors, the primary function of these tools is legitimate. As Bains concludes, despite the noise of 2025:</p><p>“I don’t think the walls are closing in.”</p><h2 id="portable-piracy">Portable piracy</h2><p>Amazon’s Fire TV Sticks have faced intense scrutiny throughout the year. The growth of ‘dodgy Fire Sticks’ has been a key driver in the estimated billions of dollars lost to IPTV piracy every year. </p><p>In response, Amazon has rolled out new updates to stop pirated content altogether. </p><p>This included creating a blacklist of sites known to show illegal content, which the provider hoped would quash access to pirated content entirely. However, according to Miguel Fornes, a cybersecurity expert at Surfshark, the issue is nowhere near solved. </p><p>“It’s a kind of whack-a-mole game," Fornes explained. "But it’s unwhackable.”  </p><p>Once one pirate site is found and blacklisted, it’s simple enough for the host to create a new site and start again. 
So, there isn’t necessarily an end in sight by going about it this way.</p><div><blockquote><p>"It's not the final solution."</p><p>Miguel Fornes</p></blockquote></div><p>“It’s not the final solution," Fornes argues, "because otherwise, you’ll block the whole internet.”</p><p>There are legitimate reasons to install a VPN on an Amazon Fire TV Stick, such as wanting to encrypt your data or giving you access to home shows while away. However, this flexibility is a double-edged sword – the same ecosystem that benefits legitimate uses also facilitates illegal viewing.</p><p>The device's portability adds another layer of complexity. Because users can simply plug the stick into any screen, anywhere, enforcement based on static locations or residential IP addresses becomes significantly harder to maintain.</p><p>The Alliance for Creativity and Entertainment is arguably the biggest collective fighting against online piracy. It has partnered with Amazon for its Fire TV measures and has Canal+ as one of its figurehead members. </p><p>Despite this heavyweight backing and Amazon's recent software crackdowns, the industry has yet to find a silver bullet for the role VPNs play in facilitating illicit streaming.</p><h2 id="what-s-next">What's next?</h2><p>No solution is perfect.</p><p>Amazon's strategy relies on time-consuming collaboration to identify and blacklist individual pirate domains. Furthermore, the targets are constantly moving. Sites like those targeted by Canal+ can simply update their DNS records or switch Content Delivery Networks (CDNs) to resume operations within minutes. </p><p>Meanwhile, VPN users are protected by the technology's no-logs infrastructure and encryption, making it difficult for authorities to identify people using them to access geo-restricted content. </p><p>As Fornes put it, "what Amazon is doing is the right thing", but, from everything we've seen so far, the right thing isn't necessarily enough. 
</p><p>No matter how many pirated sites are shut down and by what means, access to VPNs will remain constant due to their many legitimate uses. While legal pressure on providers may increase, the technical limitations of enforcing broad blocking requests suggest that VPNs will remain a persistent thorn in the side of authorities attempting to regain control.</p><p>We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone using a VPN service to break the law or conduct illegal activities. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Companies are facing more cyberattacks than ever before - and many just can't cope ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/companies-are-facing-more-cyberattacks-than-ever-before-and-many-just-cant-cope</link>
                                                                            <description>
                            <![CDATA[ A lack of talent, resources and budget are preventing companies from being able to handle cyberattacks. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Ufu9tSuSyZZxaKfqtbUMtg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/h3qR8UKMq6wXR6WHZfxfUe-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 29 Sep 2025 14:29:02 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Craig Hale ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/GV8qRsHBkpSAQxiYKjTt6H.jpg ]]></dc:source>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/h3qR8UKMq6wXR6WHZfxfUe-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Representational image of a hacker]]></media:description>                                                            <media:text><![CDATA[Representational image of a hacker]]></media:text>
                                <media:title type="plain"><![CDATA[Representational image of a hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/h3qR8UKMq6wXR6WHZfxfUe-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>ISACA figures show cyberattacks are happening more frequently</strong></li><li><strong>Understaffing and limited budgets are to blame</strong></li><li><strong>Used correctly, AI can plug the gap</strong></li></ul><p>New ISACA data has claimed two in five (39%) European professionals are reporting more cyberattacks than last year, with attacks increasing in both scale and complexity.</p><p>Even though rising attack frequency and severity isn’t a surprise (countless other reports correlate with this one), only around a third (38%) feel confident their organization can respond effectively, suggesting poor preparation and response to trends.</p><p>Poor readiness is being influenced by understaffing (58%) and poor budgets (54%), but both factors were cited less than last year, suggesting that steady progress is being made.</p><h2 id="many-orgs-aren-t-ready-to-respond-to-cyberattacks">Many orgs aren’t ready to respond to cyberattacks</h2><p>"Over the past year, the public has seen first-hand just how impactful cyberattacks can be, with high-profile breaches devastating businesses and dominating headlines,” ISACA Chief Global Strategy Officer Chris Dimitriadis explained.</p><p>ISACA says there’s much more at play within organizations than just poor response and readiness – other struggles are spreading resources more thinly in general. 
Two-thirds (68%) of workers say their jobs are more stressful than five years ago, with more than half (54%) concerned about unrealistic expectations or excessive workloads.</p><p>A fifth (22%) of organizations have taken no action on burnout, and around one in three (36%) workers also note a lack of necessary skills and training.</p><p>“While organisations are starting to acknowledge the problem and take steps to address long-standing issues in budgets and staffing, the pace of change is still far too slow,” Dimitriadis noted.</p><p>Looking ahead, all of these factors are impacting on talent acquisition and retention for half (52%) of companies, with entry-level roles taking three to six months to fill for nearly one in two businesses.</p><p>Although <a href="https://www.techradar.com/best/best-ai-tools">artificial intelligence</a> has proven to be beneficial across threat detection (29%), endpoint security (28%) and general task automation (27%) among cybersecurity professionals, further AI security legislation and upskilling are required to match rising attacks.</p><p>“By valuing hands-on training, professional credentials and transferable skills, organisations can strengthen their teams and ease the pressure on overstretched professionals,” Dimitriadis concluded.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ $10 million bounty issued by US DOJ for ransomware kingpin responsible for $18 billion of damage ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/usd10-million-bounty-issued-by-us-doj-for-ransomware-kingpin</link>
                                                                            <description>
                            <![CDATA[ The police are looking for a Ukrainian national allegedly responsible for millions in ransomware damages. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3csqUdC5HG4WoQ7waxrEye</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iB5kmNLRjGPKtpki7ahSwH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 10 Sep 2025 10:43:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iB5kmNLRjGPKtpki7ahSwH-1280-80.jpg">
                                                            <media:credit><![CDATA[Future]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Volodymyr Tymoshchuk]]></media:description>                                                            <media:text><![CDATA[Volodymyr Tymoshchuk]]></media:text>
                                <media:title type="plain"><![CDATA[Volodymyr Tymoshchuk]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iB5kmNLRjGPKtpki7ahSwH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>US offers $10M for arrest of ransomware suspect Volodymyr Tymoshchuk.</strong></li><li><strong>His group caused $18B in damage, including Norsk Hydro’s $80M loss</strong></li><li><strong>Europol-led global probe led to arrests and mapped the gang’s structure</strong></li></ul><p>The US Department of Justice (DoJ) just placed a bounty on a cybercriminal suspected of a “series” of cyberattacks around the world.</p><p>The reward is $10 million and will be paid out to anyone who provides enough information to result in his arrest. </p><p>The suspect’s name is Volodymyr Tymoshchuk, a 28-year-old Ukrainian. He is believed to be the mastermind behind the deployment of LockerGoga <a href="https://www.techradar.com/best/best-ransomware-protection" target="_blank">ransomware</a>, which infected “hundreds of companies”. According to the EU Most Wanted website, his group caused more than $18 billion in damage worldwide.</p><h2 id="previous-arrests">Previous arrests</h2><p>Europol said in its press release that Tymoshchuk and his group were also responsible for the 2019 ransomware attack against a “major Norwegian aluminium company”. In underground criminal circles, he is known as Deadforz, Boba, Farnetwork, Msfv, and Volotmsk. </p><p>The European law enforcement agency also said that the identification of the suspect came after a complex international investigation, which included operations in France, Germany, Norway, Switzerland, Ukraine, the United Kingdom, and the United States. Both Europol and Eurojust (European Union Agency for Criminal Justice Cooperation) participated, as well. </p><p>While the hunt for Tymoshchuk is on, a few alleged members of his crew have already been arrested in Ukraine. 
This, Europol further stresses, helped the police map out the structure of the group and identify key individuals, including malware developers, intrusion specialists, and money launderers.</p><p>In mid-March 2019 Norsk Hydro, one of the world’s largest aluminium producers based in Norway, fell victim to a highly disruptive LockerGoga attack that encrypted thousands of endpoints, including corporate and industrial systems. Numerous facilities were impacted, including those in Norway, the US, Brazil, Qatar, and others. Reports at the time said up to 22,000 computers across 170 sites were impacted. </p><p>The financial fallout was significant. Losses in the first quarter were estimated at 300–350 million NOK (between $35 and 41 million), with additional operational costs mounting up in the weeks and months that followed. </p><p>By mid-2019, Norsk Hydro itself estimated the total cost of the attack across all business areas to be around 800 million NOK ($80 million).</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Notorious North Korean hacking group Kimsuky gets hacked itself - revealing some of its deepest secrets ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/notorious-north-korean-hacking-group-kimsuky-gets-hacked-itself-revealing-some-of-its-deepest-secrets</link>
                                                                            <description>
                            <![CDATA[ A hacker with a conscience targeted Kimsuky and leaked tools, logs, and more. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ReYSPTN6d5SfPSDjxdcDFi</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/kDLU9By5uaPPbwrbfEaZFJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 12 Aug 2025 16:04:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/kDLU9By5uaPPbwrbfEaZFJ-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[North Korean flag with a hooded hacker]]></media:description>                                                            <media:text><![CDATA[North Korean flag with a hooded hacker]]></media:text>
                                <media:title type="plain"><![CDATA[North Korean flag with a hooded hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/kDLU9By5uaPPbwrbfEaZFJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>A hacker has stolen sensitive Kimsuky files and logs</strong></li><li><strong>They claim the group is "morally perverted", and hacks for "all the wrong reasons"</strong></li><li><strong>But the leak will not dismantle the group, some argue</strong></li></ul><p>Kimsuky, a <a href="https://www.techradar.com/pro/security/google-warns-north-korean-spies-are-gaining-positions-in-western-firms">notorious North Korean state-sponsored threat actor</a>, has been hacked by someone who claims not to be a cybercriminal but rather an "artist".</p><p>The database is 8.9GB in size, and can be found on the “Distributed Denial of Secrets” website, containing logs, tools, and infrastructure used by the group, exposing their tactics, techniques, and procedures.</p><p>The haul contains phishing logs showing an attack against The Defense Counterintelligence Command (South Korean military intelligence security agency), different targeted domains, archives with the complete source code of South Korea’s Ministry of Foreign Affairs email platform (including webmail, admin, and other modules), a list of South Korean university professors, a toolkit for building phishing sites, Cobalt Strike loaders, and more.</p><h2 id="driven-by-greed">Driven by greed</h2><p>Kimsuky is notorious for its cyber-espionage campaigns. The group’s earliest sightings were back in 2012, and since then, it has been <a href="https://www.techradar.com/pro/security/state-sponsored-actors-spotted-using-clickfix-hacking-tool-developed-by-criminals">credited with numerous attacks</a> against government agencies, think tanks, research institutions, and media outlets. It is particularly focused on Korean Peninsula affairs, nuclear policy, and foreign relations. </p><p>The hacker, going by Saber / cyb0rg, slammed Kimsuky for advancing state agendas: </p><p>“Kimsuky, you are not a hacker. 
You are driven by financial greed, to enrich your leaders, and to fulfill their political agenda,” a letter accompanying the dump reads. “You steal from others and favor your own. You value yourself above the others: You are morally perverted.”</p><p>“You hack for all the wrong reasons,” the letter concluded. </p><p>Although a commendable effort, this leak will probably not completely stop Kimsuky, a state-sponsored actor with formidable resources. </p><p>However, since many tools and methods have been “burned”, it could slow the group down, expose current campaigns, and force it to start from scratch in some cases.</p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/north-korean-kimsuky-hackers-exposed-in-alleged-data-breach/" target="_blank"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ QR codes are being weaponized in new quishing attacks, and most people don’t realize – here's how to stay safe ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/computing/cybercrime/qr-codes-are-being-weaponized-in-new-quishing-attacks-and-most-people-dont-realize-heres-how-to-stay-safe</link>
                                                                            <description>
                            <![CDATA[ QR codes have become part of our everyday life, which is what makes them the perfect target for scammers. Quishing is dangerous – here's how to avoid it. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ZBQysAQqvqrCL2SCvK29gT</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2UqscoF3Unj2Rvp9sWpPX8-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 02 Aug 2025 11:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                <author><![CDATA[ monicajwrites@gmail.com (Monica J. White) ]]></author>                    <dc:creator><![CDATA[ Monica J. White ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/6AQ4y5nzk8kQ47Yp69GERj.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Monica is a journalist with over a decade of experience in covering technology.&lt;/p&gt;&lt;p&gt;She writes about the latest developments in computing, which means anything from computer chips made out of paper to cutting-edge desktop processors. Her coverage includes CPUs, GPUs, and everything else that goes into a PC or a laptop, but also peripherals.&lt;/p&gt;&lt;p&gt;GPUs are Monica’s main area of interest, and nothing thrills her quite like that time every couple of years when new graphics cards hit the market. She’s always keeping tabs on the latest from Nvidia, AMD, and Intel, including both the hardware and the software that powers our PCs.&lt;/p&gt;&lt;p&gt;As an avid gamer, her focus is always on the consumer and whether something works well and provides adequate value for the money. She believes that PC building can be intimidating, so her goal is to explain complex concepts in an approachable manner while still digging into the technical nitty-gritty we all love to learn more about.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2UqscoF3Unj2Rvp9sWpPX8-1280-80.jpg">
                                                            <media:credit><![CDATA[Photo by Proxyclick Visitor Management System on Unsplash    ]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A hand holding a phone that&#039;s scanning a QR code on a screen]]></media:description>                                                            <media:text><![CDATA[A hand holding a phone that&#039;s scanning a QR code on a screen]]></media:text>
                                <media:title type="plain"><![CDATA[A hand holding a phone that&#039;s scanning a QR code on a screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2UqscoF3Unj2Rvp9sWpPX8-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>QR phishing, also known as quishing, is a rising scam where attackers try to trick you into scanning fake QR codes</strong></li><li><strong>Cybercriminals may target your personal data, login credentials, bank accounts, or try to infect your smartphone with malware</strong></li><li><strong>These QR codes can be found everywhere, from parking lots to museums</strong></li></ul><p>You might be used to receiving scam emails or texts, but did you know that you can also get scammed through a QR code? This increasingly common form of scam is referred to as quishing – and it's been spreading rapidly again recently.</p><p>According to <a href="https://www.cnbc.com/2025/07/27/cybersecurity-scams-quishing-qr-code-consumer-risks-hackers.html" target="_blank"><u>CNBC</u></a>, 73% of Americans have scanned a QR code without verifying that the source link was safe, and NordVPN has discovered that 26 million have been directed to malicious websites as a result.</p><p>Meanwhile, in the UK, Action Fraud (the national reporting centre for fraud and cybercrime) <a href="https://www.actionfraud.police.uk/news/qr-codes" target="_blank">recently revealed</a> that £3.5 million had been lost to quishing scams in the year leading up to April 2025. </p><p>These scam QR codes are being used for anything from sending fake payment links to installing malware on your phone. 
Here's everything you need to know about the latest quishing attacks and how to protect yourself from them.</p><h3 class="article-body__section" id="section-what-exactly-is-quishing"><span>What exactly is quishing?</span></h3><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1600px;"><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="jtZhP5y8WYn6wqG4RNdEkT" name="QR code scan" alt="A person scanning a QR code on a smartphone" src="https://cdn.mos.cms.futurecdn.net/jtZhP5y8WYn6wqG4RNdEkT.png" mos="" align="middle" fullscreen="" width="1600" height="900" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Marielle Ursua (Unsplash))</span></figcaption></figure><p>Quishing is a form of phishing that is done entirely via a QR code. While it wasn't as widespread just a few years ago, it skyrocketed during the pandemic, when QR codes became more than just a fun little quirk. </p><p>Over the last few years, QR codes have permeated the fabric of our daily lives. We see them everywhere, from TV commercials to restaurant menus or flyers. Unfortunately, QR codes are inherently opaque. It's hard to verify how secure a link is at a glance, which makes these codes easy to tamper with.</p><p>The way it works is shockingly simple. Whether the scam QR code pops up in an email or elsewhere, it's always accompanied by something that'll get you to scan it. Payment prompts, medical forms, or product information are common targets. When you scan the code and click through, you'll be taken to the next part of the scam, which is either a website or a script that installs malware in your phone.</p><p>Unfortunately, if the code has been tampered with, the target website is a scam. 
At best, it'll steal however much you're trying to pay for parking; at worst, it might compromise your phone or your banking login credentials.</p><h3 class="article-body__section" id="section-are-qr-codes-in-public-places-safe-to-use"><span>Are QR codes in public places safe to use?</span></h3><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:3100px;"><p class="vanilla-image-block" style="padding-top:56.26%;"><img id="jjatSAfo5QYMh5gWPXbyxN" name="shutterstock_2235391343" alt="Closeup of a hand ordering a meal in restaurant while scanning a QR code with a mobile phone" src="https://cdn.mos.cms.futurecdn.net/jjatSAfo5QYMh5gWPXbyxN.jpg" mos="" align="middle" fullscreen="" width="3100" height="1744" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock / Bilanol)</span></figcaption></figure><p>While QR codes found in restaurants or museums seem like a safe bet, that isn't always the case – not anymore.</p><p>Unlike phishing emails, QR codes have a strong real-world impact. It's all too simple for threat actors to tamper with legitimate codes found in public spaces. That said, the threat is much greater at open public spaces, rather than indoor ones.</p><p>For example, at a parking lot, scammers physically replace the sticker at the parking meter, directing people to a legitimate-looking website where they can pay their parking bill. The same can be done with posters or flyers found just about anywhere.</p><p>It's important to remember that this isn't niche, and it can happen to anyone. 
<a href="https://keepnetlabs.com/blog/2024-qr-code-phishing-trends-in-depth-analysis-of-rising-quishing-statistics" target="_blank"><u>KeepNet Labs</u></a> found that QR codes are an increasingly common medium for sending phishing links, with a whopping 26% of all malicious links being delivered that way.</p><h3 class="article-body__section" id="section-how-to-stay-safe"><span>How to stay safe</span></h3><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:2000px;"><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="U6o85nq3V2mDp7XWnQWmBk" name="Quishing2" alt="A laptop screen showing an example of a quishing scam" src="https://cdn.mos.cms.futurecdn.net/U6o85nq3V2mDp7XWnQWmBk.jpg" mos="" align="middle" fullscreen="" width="2000" height="1125" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Above is an example of an email quishing scam, which will redirect unsuspecting victims to a fake Microsoft log-in page. </span><span class="credit" itemprop="copyrightHolder">(Image credit: Usecure)</span></figcaption></figure><p>Quishing, much like all other forms of scams, relies on creating a sense of urgency. Whether it's an exciting offer or a serious-looking payment reminder, quishing scammers want you to scan the code and proceed without asking questions. That's why the best way to stay safe is to be vigilant and take your time.</p><p>Let's say that you received a QR code embedded in an email that tells you to secure your account, enable multi-factor authentication, or get a discount code. Don't trust it right away – it could be a scam. Even a legitimate-looking email address might not mean that you're in the clear, as scammers can hijack accounts to send out those QR codes.</p><p>To stay safe, don't take any unexpected email at face value. 
If a service tells you that your account has been compromised, don't scan any codes in that email. Instead, go to the website or app directly and change your login credentials there, without interacting with the content of the email.</p><p>When faced with QR codes in places where they might have been tampered with, it's better to take your time rather than scan the code quickly. At a parking lot, don't scan the code – go directly to the address. Only QR codes that are physically impossible for scammers to replace are safe.</p><p>If you do scan a QR code, make sure to never provide any personal information or login credentials. It's always better to err on the side of caution. Before you follow the link to any website, look at it carefully and compare it to what you know as the real deal.</p><p>QR codes certainly make our lives easier, but unfortunately, the more widespread they are, the likelier they are to be targeted by scammers. It's never a bad idea to invest in one of the <a href="https://www.techradar.com/best/best-android-antivirus-app"><u>best Android antivirus apps</u></a> to protect your phone from hackers.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ GitHub users targeted with dangerous malware attacks - here's what we know ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/github-users-targeted-with-dangerous-malware-attacks-heres-what-we-know</link>
                                                                            <description>
                            <![CDATA[ GitHub is being abused to host Emmenhtal, SmokeLoader, Amadey, and others, experts warn. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">LAPHHC7kRYWakci6APtcJH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CSzFgfzuWGS2pcb6cJ8CnZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 18 Jul 2025 14:37:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/CSzFgfzuWGS2pcb6cJ8CnZ-1280-80.jpg">
                                                            <media:credit><![CDATA[TeroVesalainen / Pixabay]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[Image Credit: Pixabay]]></media:description>                                                            <media:text><![CDATA[Person printing]]></media:text>
                                <media:title type="plain"><![CDATA[Person printing]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CSzFgfzuWGS2pcb6cJ8CnZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>GitHub is being weaponized as malware infrastructure, report warns</strong></li><li><strong>Emmenhtal and Amadey are part of a coordinated, multi-layered attack chain</strong></li><li><strong>Victims are mostly Ukrainian organizations, but all GitHub users should be on their guard</strong></li></ul><p>Security researchers have uncovered a sophisticated malware-as-a-service (MaaS) operation which exploits public GitHub repositories to compromise its targets.</p><p>In a <a href="https://blog.talosintelligence.com/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities/" target="_blank">blog post</a>, Cisco Talos said the threat actors evolved their delivery tactics, moving away from traditional phishing methods and into GitHub, which is often whitelisted in enterprise environments.</p><p>GitHub is an extremely popular platform in the open source world, and as such is under a constant barrage of attacks. This batch of malicious repositories was removed, just like countless before it.</p><h2 id="how-to-defend-against-github-borne-attacks">How to defend against GitHub-borne attacks</h2><p>The campaign sought to deliver two malware families - Emmenhtal and Amadey - mostly to organizations in Ukraine. </p><p>Emmenhtal is a <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> loader that usually drops SmokeLoader, another loader. While a loader loading a loader doesn’t sound logical at first, there is a strategic rationale behind it. </p><p>Emmenhtal is designed as a stealthy, multistage downloader that excels at initial infection and evasion. Once a foothold is secured, it hands off the next phase of the attack to SmokeLoader, which is a feature-rich modular loader specializing in post-infection operations.</p><p>Amadey, on the other hand, is a botnet that was first spotted around 2018, mostly sold on Russian-speaking cybercrime forums. 
It acts as a modular downloader and system profiler, capable of delivering a wide range of malware including information stealers and ransomware. </p><p>In this campaign, Amadey was hosted on GitHub and disguised in various ways, such as an MP4 file, or embedded in Python scripts like ‘checkbalance.py’.</p><p>To defend against this, and other threats like it, businesses should enforce strict filtering for script-based attachments, keep a close eye on PowerShell execution, and review GitHub policies, wherever possible. </p><p>They should also go for defense-in-depth and behavioral monitoring, as these can help spot shady download patterns, or payloads being executed on targeted machines. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Louis Vuitton says customer data was leaked following cyberattack ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/louis-vuitton-says-customer-data-was-leaked-following-cyberattack</link>
                                                                            <description>
                            <![CDATA[ Was the attack the work of Scattered Spider, yet again? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eFzroSp67NZmFS5Dje5uq8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pNvZnS4EQCoYBG2inqCq5L-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 07 Jul 2025 11:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pNvZnS4EQCoYBG2inqCq5L-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[OpenVPN-protokollet - därför är det så bra]]></media:description>                                                            <media:text><![CDATA[Abstract image of cyber security in action.]]></media:text>
                                <media:title type="plain"><![CDATA[Abstract image of cyber security in action.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pNvZnS4EQCoYBG2inqCq5L-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Louis Vuitton Korea confirms cyberattack and data theft</strong></li><li><strong>No financial data was taken</strong></li><li><strong>Luxury fashion brands are being actively targeted these days</strong></li></ul><p>Cybercriminals broke into the Korean subsidiary of luxury brand Louis Vuitton and stole sensitive files, the company has confirmed.</p><p>"We regret to inform that an unauthorized third party temporarily accessed our system resulting in the leak of some customer information," the company allegedly said in a statement published on its local website.</p><p>The company notified government authorities, and moved to secure its infrastructure and data, confirming that some information was taken in the breach, but that financial files were not included.</p><h2 id="scattered-spider-s-fingerprints">Scattered Spider's fingerprints</h2><p>Other details of the attack are scarce - we don’t know when the attack happened, how the miscreants breached the company, or what they were looking to achieve. We also don’t know if they demanded any ransom in exchange for the stolen files, or if an encryptor was deployed. </p><p>However, we do see a pattern in cybercriminals targeting major luxury brands. In early June 2025, French luxury brand <a href="https://www.techradar.com/pro/security/cartier-reveals-data-breach-personal-customer-information-at-risk" target="_blank">Cartier</a> warned customers some of their sensitive personal information was stolen in a data breach.</p><p>Two weeks prior, in mid-May 2025, <a href="https://www.techradar.com/pro/security/dior-fashion-brand-hit-by-cyberattack-and-customer-data-leaked-heres-what-we-know" target="_blank">Dior</a> experienced the same thing, after finding an unauthorized third party accessing some of the data it holds for Dior Fashion and Accessories customers. Around the same time, Victoria’s Secret, another major fashion brand, filed a new form with the US SEC confirming it had restored systems after a breach.</p><p>Although unconfirmed in most cases, there were some reports attributing all three of these to Scattered Spider - a loosely tied organization of <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">cybercriminals</a> known for targeting specific industries at any one time. The FBI recently warned about Scattered Spider shifting focus towards US retailers. Although most of these are not US companies, they are major retail brands and as such are likely targets for Scattered Spider. </p><p><em>Via </em><a href="https://www.reuters.com/world/asia-pacific/louis-vuitton-korea-says-systems-breach-led-some-customer-data-being-leaked-2025-07-04/" target="_blank"><em>Reuters</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ One of the biggest ransomware gangs around is shutting down - but is it for good? ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/one-of-the-biggest-ransomware-gangs-around-is-shutting-down-but-is-it-for-good</link>
                                                                            <description>
                            <![CDATA[ Hunters International says it's quitting ransomware for good - but not everyone believes them. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">TM4uCwXtSdJ5uwTFdksYWF</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/j5YMwZuuKnvAXLyKBEmDrb-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 04 Jul 2025 09:57:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/j5YMwZuuKnvAXLyKBEmDrb-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock / JLStock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.]]></media:description>                                                            <media:text><![CDATA[A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.]]></media:text>
                                <media:title type="plain"><![CDATA[A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/j5YMwZuuKnvAXLyKBEmDrb-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Hunters International struck many private and public entities, including Tata and Telecom Namibia </strong></li><li><strong>The group says it is disbanding "in light of recent events"</strong></li><li><strong>It even released decryption keys for its victims</strong></li></ul><p>A major <a href="https://www.techradar.com/best/best-ransomware-protection" target="_blank">ransomware</a> operation has announced a complete shutdown and the public release of decryption keys - however, some are skeptical that this is the last we’ve seen of this particular group.</p><p>The operators, known as Hunters International, published a short announcement on their dark web site, notifying their followers, affiliates, and the wider cybercriminal community that they will no longer operate.</p><p>“After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the announcement reads. “This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with.”</p><h2 id="callback-phishing">Callback phishing</h2><p>While the group mentions “recent developments”, it doesn’t elaborate, so we don’t know if this means they were seized by law enforcement, or they simply extorted enough money to call it quits. </p><p><a href="https://techcrunch.com/2025/07/03/ransomware-gang-hunters-international-says-its-shutting-down/" target="_blank"><em>TechCrunch</em></a>, on the other hand, believes there could be a third option - a smoke-and-mirrors effort to throw the police off. Discussing the matter with Allan Liska, a threat intelligence analyst from Recorded Future, <em>TechCrunch</em> learned the group might be rebranding to World Leaks.</p><p>“I think this is more of a ‘cutting of ties’ with the old infrastructure,” Liska told the publication. This wouldn’t be the first group that rebranded to try and hide their tracks. </p><p>After the Colonial Pipeline attack, DarkSide rebranded into BlackMatter, and later Alphv/BlackCat, and REvil (Sodinokibi) was preceded by GandCrab.</p><p>As for releasing decryption keys, while commendable, it doesn’t mean much for the attackers, Liska argues. These are mostly older victims who had no intention of paying anyway, so for the group, nothing was lost.</p><p>“As far as releasing decryption keys, at this point they aren’t likely to make any money from any Hunters’ victims who are still out there, so they probably see it as a gesture that doesn’t really cost them anything,” Liska concluded.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 5 new frightening cyber scams to look out for in 2025 ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/computing/cybercrime/5-new-frightening-cyber-scams-to-look-out-for-in-2025</link>
                                                                            <description>
                            <![CDATA[ AI-driven tactics will shape fraud in 2025 ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dfTgWx6HuM653wCmEC5kJN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/G9b9aDt5RHPkFyGAnQCSvA-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 23 Jun 2025 08:48:12 +0000</pubDate>                                                                                                                                <updated>Mon, 23 Jun 2025 08:48:18 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Computing]]></category>
                                                    <category><![CDATA[Computing Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                    <sponsoredContent>true</sponsoredContent>
                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/G9b9aDt5RHPkFyGAnQCSvA-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A white woman with long brown hair in a ponytail looks down at her computer in a distressed manner. She is holding her forehead with one hand and a credit card with the other]]></media:description>                                                            <media:text><![CDATA[A white woman with long brown hair in a ponytail looks down at her computer in a distressed manner. She is holding her forehead with one hand and a credit card with the other]]></media:text>
                                <media:title type="plain"><![CDATA[A white woman with long brown hair in a ponytail looks down at her computer in a distressed manner. She is holding her forehead with one hand and a credit card with the other]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/G9b9aDt5RHPkFyGAnQCSvA-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Stepping into a new year does not necessarily mean we will enter a new era of safer cyberspace. More often, it means the opposite, with the Global Anti-Scam Alliance <a href="https://www.interbank.com/fraud-protection/top-scams-to-watch-out-for-in-2025-and-how-to-protect-yourself/" target="_blank" rel="nofollow">reporting</a> that in 2024, scammers stole over $1.03 trillion, a trend that could continue in 2025. </p><p>Looking back at technological trends, 2024 was dominated by artificial intelligence, so we can safely assume that AI-driven tactics will shape fraud in 2025. This highlights the need for enhanced consumer awareness and new emotional and psychological paradigms to counter evolving and sophisticated scams.</p><p>Old frauds don’t just disappear; instead, they evolve alongside technology, which means that the best way to stay protected is to be in the know. </p><p>Below we list five ‘new’ frauds that are likely to dominate 2025. Most of them share a common thread, so before we delve into them, let’s look at the common red flags across all scams that can help you identify them more easily. </p><h2 id="patterns-across-scams">Patterns across scams</h2><ul><li>Unsolicited communication through phone calls, text messages, social media, messaging apps, or email</li><li>Communication creates a sense of urgency, such as a hot-selling commodity, an expiring investment opportunity, or even a warning before sharing explicit images of the user (basically the threat of consequences if you don’t take action)</li><li>Requests for money transfer to an ‘escrow’ account</li><li>Requests to download an obscure app</li><li>Requests to click on a link (via email, SMS, social media ads, etc.)</li><li>Spelling mistakes or out-of-place colloquialisms</li><li>Video messages that have unusual pauses, different accents or a different pitch, or face movement that doesn’t match the sound</li></ul><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1500px;"><p class="vanilla-image-block" style="padding-top:77.87%;"><img id="Ds62YYNJApteHgxnm7haLU" name="robocall-definition" alt="Robocall definition" src="https://cdn.mos.cms.futurecdn.net/Ds62YYNJApteHgxnm7haLU.jpg" mos="" align="middle" fullscreen="" width="1500" height="1168" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span
class="credit" itemprop="copyrightHolder">(Image credit: Norton)</span></figcaption></figure><h2 id="1-robocalls">1. Robocalls</h2><p>Yes, phone scams are at the top of fraudsters’ lists thanks to the proliferation of <a href="https://www.techradar.com/best/best-ai-tools">AI-powered tools.</a> The fact that smartphones can access the internet makes it easy for scammers to redirect unsuspecting users to sites that will install malware on their phones. </p><p>However, other tactics evolved thanks to AI’s ability to clone the voice of anyone with only a few seconds of their natural speech recording. Thanks to this evolution, robocalls sound increasingly personal and natural, making them hard to detect. </p><p>These calls range in their content, from vacation offers to issues or threats that require your immediate action. The goal of the fake call can also range from information gathering to outright scamming. </p><p>Such a diverse approach will likely give rise to SIM swap scams. This type of scam looks to target the weakness in two-factor authentication (2FA), where the second verification step is a code sent via SMS. The scammers use the information they have gathered on users to call the phone service provider using robocalls and persuade it to transfer the victim's phone number to the fraudster's SIM card. This can result in users losing service on their SIMs and all messages and calls going to the attackers. </p><p>Additionally, we may see a rise in one-time password (OTP) bot attacks. Scammers may try to log in to your bank, prompting the bank to send you a one-time code. At the same time, the bot will call you, text you, or send an email to inquire about the code. </p><p>The convenient timing is meant to convince you that the request is legitimate, but if you send your OTP, the scammers will get access to your account.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:960px;"><p class="vanilla-image-block" style="padding-top:52.50%;"><img id="gxp8vR8xoz6PyFuRMERQkd" name="Cryptocurrency scams" alt="Cryptocurrency scam" src="https://cdn.mos.cms.futurecdn.net/gxp8vR8xoz6PyFuRMERQkd.jpg" mos="" align="middle" fullscreen="" width="960" height="504" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: FTC)</span></figcaption></figure><h2 id="2-crypto-investment-scams">2. Crypto investment scams</h2><p>Thanks to another cryptocurrency bull run, we've already seen <a href="https://www.techradar.com/pro/security/over-usd1-5-billion-of-crypto-was-lost-to-scams-or-theft-this-year">over $1.5 billion of crypto lost to scams or theft in just three months of 2025.</a> Most of the tactics related to this type of scam revolve around <a href="https://www.techradar.com/news/everything-you-need-to-know-about-phishing">phishing attempts</a> or even social media ads with malicious links. </p><p>In 2024, there was an increase in OTP bot attacks on crypto exchanges, which also included some other types of phone-related scams. However, another great danger of crypto-related scams is tied to the investing aspect, playing on your insecurities, greed, and lack of financial education. </p><p>Crypto is infamous for what is called a “rug pull” scam, where founders pull out all of the funds from the project, leaving retail investors holding a worthless coin and a dead project. 
A simple Google search will list a dozen examples of such crypto scams, so brushing up on your financial literacy and staying vigilant can help you avoid crypto-related scams.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1080px;"><p class="vanilla-image-block" style="padding-top:100.00%;"><img id="CqsgpLVs7RGMYRpj5bE3N" name="romancescams" alt="Romance scams" src="https://cdn.mos.cms.futurecdn.net/CqsgpLVs7RGMYRpj5bE3N.png" mos="" align="middle" fullscreen="" width="1080" height="1080" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: FCC)</span></figcaption></figure><h2 id="3-romance-scams-aka-pig-butchering-scams">3. Romance scams (aka Pig Butchering scams)</h2><p>Romance baiting, also known as the Pig Butchering scam, might see an uptick in 2025 because of AI deepfake images/videos and romance chatbots. The goal is to get the victim to believe that there is a possibility of romance or dating, with the scammers sending messages to establish trust and gain enough of it to convince the victim to share personal data or even send funds. </p><p>At the start of 2025, we witnessed a <a href="https://edition.cnn.com/2025/01/18/entertainment/video/fake-brad-pitt-ai-image-lcl-digvid" target="_blank" rel="nofollow">Romance scam in France</a> that involved deepfake images of Brad Pitt, which scammed the victim out of $850,000. Another variation of this scam involves sexual exploitation, also known as sextortion scam. </p><p>Users (young girls, attractive persons of the opposite sex, etc.) pretending to be interested in the victim would send explicit content created by AI in an attempt to get explicit images of the victim. </p><p>Sometimes gifts are offered in exchange for explicit content (gift cards, crypto coins, etc.). 
Once the scammers possess the images, they threaten to send them to the victim's friends, family, classmates, etc. unless a payment is made to an account. </p><p>Most of these scams start with messages through either social media or even dating apps, meaning that anyone can be a target. </p><p>Some scammers even go so far as to seek platonic relationships to establish deep-rooted trust before they look to exploit the victim. This means that we need to be especially vigilant on these platforms to never share too much of our personal lives and never send funds to “strangers” online. </p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:978px;"><p class="vanilla-image-block" style="padding-top:65.44%;"><img id="zy4ko7DwK4Bqcv4McJJDwB" name="malvertising" alt="Malvertising" src="https://cdn.mos.cms.futurecdn.net/zy4ko7DwK4Bqcv4McJJDwB.jpg" mos="" align="middle" fullscreen="" width="978" height="640" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Fortinet)</span></figcaption></figure><h2 id="4-malvertising">4. Malvertising</h2><p>While not necessarily a new concept, <a href="https://www.techradar.com/pro/security/watch-out-theres-a-new-malvertising-scheme-spreading-dangerous-ransomware">malvertising</a> has been on the rise in the last two years. Criminals now “pay to play”, hiding malicious links in paid ads across the internet. </p><p>Traffic Distribution Systems (TDS) and cloakers are the quintessential tools of the malicious advertising world, so gaining a better understanding of how they are used can give you a leg up in trying to stay protected. 
</p><p>There are multiple layers to this issue, with other types of malicious ads including malignant banner ads, concealing bad code using steganography on legitimate sites, malicious ads hiding in popups, and many more. </p><p>Besides understanding these threats, you can limit the fingerprint of your browser, use a reputable <a href="https://www.techradar.com/pro/best-ad-blockers">ad blocker</a>, keep your software up to date, and have a tested and reliable security solution that offers real-time protection, to help combat the threat.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1200px;"><p class="vanilla-image-block" style="padding-top:52.33%;"><img id="myUNAAnVtNzJfGyyRAFzGf" name="Formjacking" alt="Formjacking" src="https://cdn.mos.cms.futurecdn.net/myUNAAnVtNzJfGyyRAFzGf.jpg" mos="" align="middle" fullscreen="" width="1200" height="628" attribution="" endorsement="" class=""></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="credit" itemprop="copyrightHolder">(Image credit: Insecure)</span></figcaption></figure><h2 id="5-formjacking">5. Formjacking</h2><p>Another not-so-new threat, but one that has been on the rise recently, is formjacking. Whether you’re registering for a service online or filling out your details after completing a purchase on a site, this information is transferred and stored digitally. </p><p>If attackers manage to compromise a website’s form, they can steal this data, which is why this scam is known as formjacking. This occurs if malicious code is injected into a website’s online forms without the knowledge of the company’s IT team. </p><p>While there is no overall solution you can employ to protect yourself from this type of fraud, there are some steps you can take. 
First, you can confirm whether the site you’re using is legitimate (or app, depending on where you’re doing your shopping). </p><p>Avoid websites that don’t have HTTPS encryption. Finally, do business with reputable companies that create secure online environments to minimize the risk of formjacking, and use the latest online security software.</p><h2 id="final-words">Final words</h2><p>Despite the potentially bleak outlook when it comes to cybersecurity in 2025, the fact that AI is now omnipresent can work in our favor. Namely, AI is good at creating exploits, but it is also good at creating protection against those same exploits. </p><p>Seeing an increase in <a href="https://www.techradar.com/pro/Leaders-pushing-for-AI-investment-are-gaining-competitive-advantages">AI investments across cybersecurity</a> companies means that we will see an increase in protection tools alongside these new and not-so-new scams. </p><p>But overall, the onus is on us to stay informed, stay vigilant, control our emotions, and try to make the right decisions online. This means adopting strong cybersecurity habits, such as using unique, complex passwords, enabling multi-factor authentication, and being skeptical of unsolicited messages or too-good-to-be-true offers. It also means leveraging AI-driven security tools ourselves, from advanced <a href="https://www.techradar.com/best/best-free-antivirus">antivirus software</a> to browser extensions that detect phishing attempts. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Is crime turning digital? Almost all Brits believe cybercrime is more of a risk - here's how to stay safe ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/is-crime-turning-digital-almost-all-brits-believe-cybercrime-is-more-of-a-risk-heres-how-to-stay-safe</link>
                                                                            <description>
                            <![CDATA[ A staggering number of Brits have suffered financial loss from cybercrime over the past year, report finds. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KzChpFgWsyrfFkvwT43Ghi</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pMfzLC5B5bDaupGWaa9DWN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 20 Jun 2025 10:01:52 +0000</pubDate>                                                                                                                                <updated>Tue, 27 Jan 2026 16:56:49 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ellen Jennings-Trace ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/s6BtEgSJwiUoxXLXwkKoUE.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying at the University of Cardiff. During her time at university, Ellen studied BA Politics and International Relations, for which she achieved second-class honours (upper division). Ellen then went on to study an MA in Political Communication, receiving a Merit. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content. When she’s not working, Ellen is a keen badminton player, Formula 1 fan, and gym enthusiast.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pMfzLC5B5bDaupGWaa9DWN-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock / DRogatnev]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cartoon Phishing]]></media:description>                                                            <media:text><![CDATA[Cartoon Phishing]]></media:text>
                                <media:title type="plain"><![CDATA[Cartoon Phishing]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pMfzLC5B5bDaupGWaa9DWN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Digital scams are now perceived as just as much of a threat as other crimes</strong></li><li><strong>Avast survey claims 1 in 3 Brits have fallen victim to online scams</strong></li><li><strong>Phishing has seen a 466% rise quarter-on-quarter</strong></li></ul><p>If you think digital scams are on the rise, you’re not alone - a new survey from Avast and Neighbourhood Watch has revealed 92% of Brits believe that cybercrime is as much of a threat as other types of crime.</p><p>Just over one in three respondents say they have been personally victimised by cybercriminals, and many of these have suffered financial loss at the hands of digital scammers. </p><p>In particular, phishing scams are on the rise, with a 466% rise quarter-on-quarter. The rise in phishing scams is largely attributed to AI, with criminals leveraging AI tools in order to send more frequent and more sophisticated social engineering attacks. <a href="https://www.techradar.com/pro/security/ai-is-helping-fraudsters-pump-out-scamming-campaigns-in-minutes">With AI, it takes fraudsters just a few minutes</a> to craft campaigns that would have previously taken days.</p><h2 id="more-financial-loss">More financial loss</h2><p>Unsurprisingly, Brits are losing more money too, with 59% of victims losing up to £500. Women more commonly lose under £500, and men are more likely to suffer higher losses (between £501 and £2000, and £2000+). 
</p><p>“As cybercriminals use increasingly sophisticated tactics, staying vigilant online is no longer optional - especially as scams are becoming harder to spot and now lurking around every digital corner,” said Luis Corrons, Security Evangelist for Avast. </p><p>To protect yourself from cyberattacks, especially social engineering attacks, the key is staying vigilant. Make sure to thoroughly check any unexpected communications, especially emails or texts that include a call to action (e.g. ‘change your password now’). </p><p>Be very wary of anyone claiming to be a family member or friend, especially given the developments in deep-fake technologies. Voice and images can be cloned or faked, so don’t send money to anyone you aren’t 100% sure is real. </p><p>It is particularly important never to click any links or open any attachments that you don’t trust, and if you need recommendations on <a href="https://www.techradar.com/pro/security/im-a-security-expert-here-are-my-biggest-tips-for-creating-a-secure-password-for-work-and-home-life">how to create a secure password, we’ve listed some of our top tips here.</a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers are now pretending to be jobseekers to spread malware ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/hackers-are-now-pretending-to-be-jobseekers-to-spread-malware</link>
                                                                            <description>
                            <![CDATA[ As if fake recruiters weren't enough, we now have fake job seekers, too. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">FyTdbn9dHXA7BpMQEQSXr3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/us5p65AAUH2jQNJFEvPqAF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 11 Jun 2025 15:27:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/us5p65AAUH2jQNJFEvPqAF-1280-80.jpg">
                                                            <media:credit><![CDATA[Isabela Bela / Pixabay]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Fingers typing on a laptop keyboard, with many small images of people portrait pictures in the background.]]></media:description>                                                            <media:text><![CDATA[Fingers typing on a laptop keyboard, with many small images of people portrait pictures in the background.]]></media:text>
                                <media:title type="plain"><![CDATA[Fingers typing on a laptop keyboard, with many small images of people portrait pictures in the background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/us5p65AAUH2jQNJFEvPqAF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>DomainTools spots hackers creating fake job seeker personas</strong></li><li><strong>They target recruiters and HR managers with the More Eggs backdoor</strong></li><li><strong>The backdoor can steal credentials and execute commands</strong></li></ul><p>Hackers are now pretending to be jobseekers, targeting recruiters and organizations with dangerous backdoor <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a>, experts have warned.</p><p>Cybersecurity researchers DomainTools recently spotted a threat actor known as FIN6 using this method in the wild, noting the hackers would first create fake personas on LinkedIn, along with fake resume websites to match. </p><p>The website domains are bought anonymously via GoDaddy, and are hosted on Amazon Web Services (AWS), to avoid being flagged or quickly taken down.</p><h2 id="more-eggs">More Eggs</h2><p>The hackers would then reach out to recruiters, HR managers, and business owners on LinkedIn, building a rapport before moving the conversation to email. Then, they would share the resume website, which filters visitors based on their operating system and other parameters. For example, people coming through VPN or cloud connections, as well as those running macOS or Linux, are served benign content.</p><p>Those that are deemed a good fit are first served a fake CAPTCHA, after which they are offered a .ZIP archive for download. This archive, which the recruiters believe contains the resume, actually drops a disguised Windows shortcut file (LNK) that runs a script which downloads the "More Eggs" backdoor. 
</p><p>More Eggs is a modular backdoor that can execute commands, steal login credentials, deliver additional payloads, and execute PowerShell. The attack is simple yet effective, relying on social engineering and advanced evasion.</p><p>AWS has since come forward to thank the security community for the findings, and to stress that campaigns like this one violate its terms of service and are frequently removed from the platform. </p><p>"AWS has clear terms that require our customers to use our services in compliance with applicable laws," an AWS spokesperson said.</p><p>"When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process."</p><p><em>Via </em><a href="https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-seekers-to-backdoor-recruiters-devices/" target="_blank"><em>BleepingComputer</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft moves to stop Indian fake tech support scams - make sure you stay protected ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/microsoft-moves-to-stop-indian-fake-tech-support-scams-make-sure-you-stay-protected</link>
                                                                            <description>
                            <![CDATA[ Major Indian tech support scam operation dismantled, six people arrested. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rCDfghUWPUuhFxgJsshmZD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/uXecFiJD84D892YVqaPoGA-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 09 Jun 2025 15:04:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/uXecFiJD84D892YVqaPoGA-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A man in an office talking on a headset]]></media:description>                                                            <media:text><![CDATA[A man in an office talking on a headset]]></media:text>
                                <media:title type="plain"><![CDATA[A man in an office talking on a headset]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/uXecFiJD84D892YVqaPoGA-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Indian police conducted raids at 19 locations to target scammers</strong></li><li><strong>Six people were arrested, and numerous pieces of equipment were seized</strong></li><li><strong>The operation targeted elderly Japanese victims</strong></li></ul><p>Indian and Japanese law enforcement, with the help of Microsoft’s Digital Crimes Unit (DCU), have taken down a major financial fraud network and arrested six people suspected of running the entire operation.</p><p>India’s Central Bureau of Investigation (CBI) recently conducted raids at 19 locations across the country and <a href="https://blogs.microsoft.com/on-the-issues/2025/06/05/microsoft-dismantle-transnational-scam/" target="_blank">dismantled a large network</a> that includes tech support schemes. </p><p>The network mostly targeted older adults in Japan (aged 60 and above) and included two illegal call centers. Besides the arrests, both digital and physical infrastructure was seized, including computers, storage devices, digital video recorders, and phones.</p><h2 id="chakra-v">Chakra V</h2><p>The fightback started with the Japan Cybercrime Control Center (JC3), a Japanese nonprofit dedicated to combating cybercrime, which identified the cybercriminal operation impersonating Microsoft, flagging it to the tech giant.</p><p>The operation, known as Chakra V, was large and well-organized, the report notes - it revolved around fake pop-ups tricking people into thinking their computers were broken, and providing a phone number to “call Microsoft” and have the issues fixed. </p><p>However, the calls actually went to the scammers, who would trick the victims into installing remote desktop software, or malware, and use this to steal sensitive files and money.</p><p>The operation included pop-up creators, search-engine optimizers, lead generators, logistics and technology providers, payment processors, and talent providers. 
</p><p>Microsoft also said that the introduction of Gen AI made scaling the operation infinitely easier and thus more dangerous.</p><p>“These actors used generative AI to scale their operations, including to identify potential victims, automate the creation of malicious pop-up windows, and perform language translations to target Japanese victims,” Microsoft explained.</p><p>“This activity highlights the increasingly sophisticated tactics employed by cybercriminals and underscores the importance of proactive global collaboration to protect victims.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ FBI warns Play ransomware hackers have hit nearly a thousand US firms ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/fbi-warns-play-ransomware-hackers-have-hit-nearly-a-thousand-us-firms</link>
                                                                            <description>
                            <![CDATA[ Play hackers have added phone calls to their extortion tactics, and are targeting more flaws. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">xq7NC7qnsBETGUEmVSHFzU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wEXMiPzVwyFScr9dUD6V9B-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 05 Jun 2025 14:28:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wEXMiPzVwyFScr9dUD6V9B-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A laptop with a red screen with a white skull on it with the message: &quot;RANSOMWARE. All your files are encrypted.&quot;]]></media:description>                                                            <media:text><![CDATA[A laptop with a red screen with a white skull on it with the message: &quot;RANSOMWARE. All your files are encrypted.&quot;]]></media:text>
                                <media:title type="plain"><![CDATA[A laptop with a red screen with a white skull on it with the message: &quot;RANSOMWARE. All your files are encrypted.&quot;]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wEXMiPzVwyFScr9dUD6V9B-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Play Ransomware has hit 900 companies so far, new FBI advisory claims</strong></li><li><strong>The group is calling victims on the phone to try and force them to pay the ransom demand</strong></li><li><strong>It also added new vulnerabilities to its arsenal</strong></li></ul><p>Play Ransomware’s “body count” is almost hitting four digits, a new warning from top law enforcement agencies has revealed, urging businesses to stay on guard against attacks.</p><p>In an updated security advisory, published by the FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), it was said that Play and its affiliates exploited “approximately 900 entities”.</p><p>Play Ransomware, also known as Playcrypt, is an infamous <a href="https://www.techradar.com/best/best-ransomware-protection" target="_blank">ransomware</a> operator. It is known for using the atypical triple-extortion method in which, besides encrypting and exfiltrating files, it also calls its victims on the phone to convince them to pay up.</p><h2 id="simplehelp-flaws-targeted">SimpleHelp flaws targeted</h2><p>The agencies’ security advisory has been updated to reflect changes Play and its affiliates made in recent times. For example, it was said that the victims get a unique @gmx.de or @web.de email address, through which they’re invited to communicate with the attackers. </p><p>Furthermore, the group seems to have added new vulnerabilities to the ones they were already targeting. Besides FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell CVE-2022-41040 and CVE-2022-41082) bugs, they are now exploiting CVE-2024-57727 in the remote monitoring and management (RMM) tool SimpleHelp, which they’re using for remote code execution (RCE) capabilities. 
</p><p>This vulnerability was first spotted in mid-January 2025, and has been exploited since.</p><p>To make things even worse, the agencies are saying that the Play ransomware binary is recompiled for every attack, which means it gets a new, unique hash for each deployment. This complicates detection by anti-malware and antivirus programs.</p><p>Play was first spotted around 2020, and in the past, was known for targeting Windows-powered devices, but in late July 2024, security researchers saw a Linux variant targeting VMware ESXi environments.</p><p>In a technical breakdown, Trend Micro’s Threat Hunting team said at the time that it was the first time Play was seen targeting ESXi environments, and it could be that the criminals are broadening their attacks across the Linux platform.</p><p><em>Via </em><a href="https://www.theregister.com/2025/06/04/play_ransomware_infects_900_victims/" target="_blank"><em>The Register</em></a></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ That's a new one: Iranian hackers pretend to be a modelling agency to try and steal user details ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/iranian-hackers-pretended-to-be-a-modelling-agency-to-try-and-steal-user-details</link>
                                                                            <description>
                            <![CDATA[ A German modelling agency was being spoofed in an attempt to steal sensitive system data. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GDvekfb3b7TNb3MchX3tkJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5RooxZ4FxY5xmJBQJTbfUU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 02 Jun 2025 19:05:00 +0000</pubDate>                                                                                                                                <updated>Wed, 25 Jun 2025 11:40:21 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5RooxZ4FxY5xmJBQJTbfUU-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Businessman holding a magnifier and searching for a hacker within a business team.]]></media:description>                                                            <media:text><![CDATA[Businessman holding a magnifier and searching for a hacker within a business team.]]></media:text>
                                <media:title type="plain"><![CDATA[Businessman holding a magnifier and searching for a hacker within a business team.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5RooxZ4FxY5xmJBQJTbfUU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Unit 42 found a website spoofing a known German modelling agency</strong></li><li><strong>The site carries obfuscated JavaScript which exfiltrates system information</strong></li><li><strong>In the future, it could host malware or steal login credentials</strong></li></ul><p>Iranian hackers were found spoofing a German modelling agency in an attempt to gather more information about their targets’ devices. </p><p>This is according to a <a href="https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/" target="_blank">new report</a> from Palo Alto Networks’ Unit 42, which also claims that full functionality of the campaign, which could include malware delivery or credential harvesting, has not yet been achieved. </p><p>Unit 42 says that while monitoring infrastructure they believe is likely tied to Iranian threat actors, the researchers found the domain “Megamodelstudio[.]com”. After browsing through the site a little, they determined it was a spoofed version of <a href="http://megamodelagency.com"><u>megamodelagency.com</u></a>, a legitimate modelling agency based in Hamburg, Germany.</p><h2 id="selective-targeting">Selective targeting</h2><p>The two websites are seemingly identical, but there are a few key differences. The malicious one, for example, carries obfuscated JavaScript designed to capture detailed visitor information. </p><p>Unit 42 says the script grabs information about browser languages and plugins, screen resolution information, as well as timestamps, which allow the attackers to track a visitor’s location and environment.</p><p>The script also reveals the user’s local and public IP address, leverages canvas fingerprinting, and uses SHA-256 to produce a device-unique hash. Finally, it structures the collected data as JSON and delivers it to the endpoint /ads/track via a POST request. 
</p><p>“The likely goal of the code is to enable selective targeting by determining sufficient device- and network-specific details about visitors,” Unit 42 said. </p><p>“This naming convention suggests an attempt to disguise the collection as benign advertising traffic rather than storing and processing potential target fingerprints.”</p><p>Another key difference is that among profile pages of different models, one is fake. That page is currently not operational, but Unit 42 speculates it could be used in the future for more destructive attacks, dropping <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a> or stealing login credentials.</p><p>The researchers concluded, “with high confidence”, that the Iranians are behind the attack. They’re somewhat less confident about the exact group behind it, speculating that it might have been the work of Agent Serpens, also known as Charming Kitten, or APT35.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers go after influencers and content creators to hit followers with malware, steal data ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/hackers-go-after-influencers-and-content-creators-to-hit-followers-with-malware-steal-data</link>
                                                                            <description>
                            <![CDATA[ Large social media channels are being targeted and abused in crypto scams, malware attacks, and more. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iLYvHMHM8qKHZG3pnWgFvH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ww3YL3NdsxthAHvm7Y8928-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 09 Apr 2025 15:00:00 +0000</pubDate>                                                                                                                                <updated>Wed, 09 Apr 2025 15:54:36 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ww3YL3NdsxthAHvm7Y8928-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock / Ken Stocker]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A person holding a phone looking at a scam text with warning signs around]]></media:description>                                                            <media:text><![CDATA[A person holding a phone looking at a scam text with warning signs around]]></media:text>
                                <media:title type="plain"><![CDATA[A person holding a phone looking at a scam text with warning signs around]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ww3YL3NdsxthAHvm7Y8928-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Hackers are increasingly targeting social media influencers and content creators</strong></li><li><strong>Their accounts have enormous reach, which crooks can use to deploy malware</strong></li><li><strong>Followers are often drawn into crypto scams and identity theft</strong></li></ul><p>Cybercriminals are increasingly targeting social media influencers and other popular individuals in an attempt to infect their followers with <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a>, draw them into crypto scams, or steal their sensitive information. </p><p>A new report from Bitdefender has warned the trend was widespread in 2024, and has now continued into 2025 too.</p><p>Threat actors first approach social media influencers and content creators in different ways, the report notes: they might offer fake sponsorship deals or fake advanced AI-powered video software, or use simple phishing attacks. If the victim falls for the trick and downloads malware, the attackers get ahold of the login credentials for the different platforms they’re using (YouTube, Instagram, TikTok, and others).</p><h2 id="millions-of-people-at-risk">Millions of people at risk</h2><p>The platforms are then used to target the followers in different ways. </p><p>For example, Bitdefender says there were more than 9,000 malicious live streams on YouTube alone. </p><p>“These streams often appear legitimate at first glance, but they are controlled by hackers who have rebranded compromised channels,” they said. Rebrands often spoof major names such as Donald Trump, Elon Musk (a favorite among crypto scammers), Michael Saylor, or Brad Garlinghouse. 
</p><p>The researchers believe this is a major problem, with millions of people at risk. In fact, one compromised YouTube account was followed by more than 28 million people, and another compromised account has had more than 12 billion views in total. </p><p>“The staggering number underscores the global reach that threat actors can access,” Bitdefender added. “If cybercriminals convert just 1% of those views, that equates to a staggering 124 million potential victims exposed to scams, malware, or data theft.”</p><p>During these live streams, crooks would promote malicious domains, which they can use to steal credentials, people’s cryptocurrency holdings, or personal information.</p><p>Content creators are advised to tighten up on security, while followers should be skeptical of everything they see online, including information coming from their favorite influencer.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Interpol operation arrests 300 suspects linked to African cybercrime rings ]]></title>
                                                                                                                                                                                                <link>https://www.techradar.com/pro/security/interpol-operation-arrests-300-suspects-linked-to-african-cybercrime-rings</link>
                                                                            <description>
                            <![CDATA[ Suspects were allegedly involved in wire fraud, phishing, malware attacks, and money laundering. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">AavNaKFqkGDdmaDbej7BVc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/U3nMoaJ3iNrFx8Qwkwmw7d-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 25 Mar 2025 11:23:14 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Pro]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                                        <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/U3nMoaJ3iNrFx8Qwkwmw7d-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Code Skull]]></media:description>                                                            <media:text><![CDATA[Code Skull]]></media:text>
                                <media:title type="plain"><![CDATA[Code Skull]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/U3nMoaJ3iNrFx8Qwkwmw7d-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <ul><li><strong>Interpol reveals successful law enforcement operation across seven African countries</strong></li><li><strong>More than 300 people were arrested, and around 2,000 electronic devices seized</strong></li><li><strong>Roughly $100,000 was recovered, Interpol says</strong></li></ul><p>Interpol and a coalition of seven African law enforcement agencies have recently arrested more than 300 people and seized almost 2,000 electronic devices in a major crackdown on cybercrime.</p><p>The agency said Operation Red Card, which was active between November 2024 and February 2025, aimed to “disrupt and dismantle cross-border criminal networks which cause significant harm to individuals and businesses”.</p><p>More than 5,000 people fell victim, Interpol said, adding that over $305,000 was stolen through social engineering scams in Rwanda alone. Just over $100,000 was recovered. The operation included Benin, Côte d'Ivoire, Nigeria, Rwanda, South Africa, Togo and Zambia.</p><h2 id="help-from-cybersecurity-experts">Help from cybersecurity experts</h2><p>The individuals were involved in all sorts of criminal activity, Interpol said. </p><p>They were running mobile banking scams, investment fraud, online casino scams, SIM box fraud and smishing, <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">malware</a>-based phone hacking, impersonation, and more. They were laundering the stolen money through digital assets. </p><p>Interpol was also provided intelligence by three cybersecurity outfits: Group-IB, Trend Micro, and Kaspersky. 
</p><p>The latter firm said it analyzed a sample of Android malware allegedly used to target African users and shared it with law enforcement, together with data on related infrastructure.</p><p>Interpol added that Nigerian authorities established that “some of the people working in the scam centres may also be victims of human trafficking, forced or coerced into criminal activities.” </p><p>The findings also led to the police seizing 26 vehicles, 16 houses, 39 plots of land, and 685 devices. It is not known if the assets were purchased with stolen money. </p><p>“The success of Operation Red Card demonstrates the power of international cooperation in combating cybercrime, which knows no borders and can have devastating effects on individuals and communities. The recovery of significant assets and devices, as well as the arrest of key suspects, sends a strong message to cybercriminals that their activities will not go unpunished,” commented Neal Jetton, INTERPOL’s Director of the Cybercrime Directorate.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>