Microsoft Scales Back Chinese Access to Early Warning System — Microsoft revealed it has scaled back some Chinese companies' access to its early warning system for cybersecurity vulnerabilities in the wake of sweeping hacking attempts against Microsoft SharePoint servers that have been pinned on Beijing. To that end, the Windows maker said several Chinese firms would no longer receive proof-of-concept code demonstrating the flaws. The change is applicable to "countries where they're required to report vulnerabilities to their governments," which would include China. The decision comes amid speculation that there may have been a leak from the Microsoft Active Protections Program (MAPP) may have resulted in the large-scale exploitation activity. New Lazarus Stealer Spotted — A new Android banking trojan called Lazarus Stealer has been spotted in the wild. "Disguised as a harmless application called 'GiftFlipSoft,' the malware specifically targets multiple Russian banking apps, extracting card numbers, PINs, and other sensitive credentials while remaining completely hidden from the device's interface," CYFIRMA said. "The malware is built for persistence, operating silently in the background while exfiltrating sensitive data. It abuses high-risk permissions, default SMS privileges, overlay functions, and dynamic WebView content to carry out its operations." Once installed, the app requests default SMS app privileges, as well as overlay ("Display Over Other Apps") and Usage Access permissions to display fraudulent interfaces on legitimate applications for credential harvesting and monitor active applications in real time and detect when targeted applications, such as banking apps, are launched. Google Agrees to Pay $30M to Settle Children's Privacy Lawsuit — Google has agreed to pay $30 million to settle a class-action lawsuit that it violated children's privacy on YouTube by secretly collecting their data without parental consent and using it to serve targeted ads. Google denied wrongdoing in agreeing to settle. The company previously paid a $170 million fine in 2019 to the Federal Trade Commission (FTC) and the state of New York for similar practices. Storm-1575 Linked to Salty 2FA — The threat actor known as Storm-1575 has been attributed to a new phishing-as-a-service (PhaaS) offering called Salty 2FA. "Like other PhaaS platforms, Salty 2FA is mainly delivered via email and focuses on stealing Microsoft 365 credentials," ANY.RUN said. "It unfolds in multiple stages and includes several mechanisms designed to hinder detection and analysis." Victims of Salty 2FA attacks span the finance, telecom, energy, consulting, logistics, and education sectors. Storm-1575 is the moniker assigned by Microsoft to the operators of DadSec and Rockstar 2FA. What is HuiOne Guarantee? — The Telegram-based escrow platform HuiOne Guarantee (aka Haowang Guarantee), which announced its closure in June 2025, has acquired a 30% financial stake in Tudou Guarantee, which has emerged as a key fallback for Huione-affiliated vendors. Described as an "Amazon for criminals," the Cambodian conglomerate behind it, HuiOne Group, has had its HuiOne Pay license revoked by the National Bank of Cambodia earlier this March. HuiOne-linked infrastructure has received over $96 billion in cryptocurrency assets since 2021, according to TRM Labs, which said HuiOne Pay and HuiOne Guarantee share operational links, with fund flows observed from Huione Pay withdrawal wallets to Huione Guarantee's security deposit wallets. The findings come as darknet market escrow systems that manage cryptocurrency transactions between buyers and vendors continue to remain vulnerable to administrator exit scams. These systems implement escrow through multi-signature cryptocurrency wallet addresses that require signatures from the buyer and vendor to complete transactions, with the market administrator only stepping in during dispute resolution to side with either the buyer or vendor based on evidence provided by the two parties. To streamline operations, many darknet markets also use automated escrow release systems, transferring funds to vendors after 7 to 21 days unless buyers initiate disputes during the timer period. However, the "centralized" nature of the dispute resolution process, which is heavily reliant on the market administrators, introduces new risks such as bias, corruption, and exit scam scenarios where fairness takes a back seat. Orange Belgium Discloses Breach — Orange Belgium, a subsidiary of telecommunications giant Orange Group, disclosed on Wednesday that attackers who breached its systems in July have stolen the data of approximately 850,000 customers. "At the end of July, Orange Belgium discovered a cyber attack on one of its IT systems, which gave unauthorized access to certain data from 850,000 customer accounts," the company said. "No critical data was compromised: no passwords, email addresses, bank or financial data were hacked. However, the hacker has gained access to one of our IT systems that contains the following information: name, first name, phone number, SIM card number, PUK code, [and] tariff plan." U.K. Man Sentenced to Jail for Website Defacement and Data Theft — Al-Tahery Al-Mashriky, 26, from Rotherham, South Yorkshire, was sentenced to jail for 20 months for hacking into the websites of organizations in North America, Yemen and Israel and stealing the log in details of millions of people, including more than 4 million Facebook users. Al-Mashriky was arrested in August 2022 and pleaded guilty to nine offences earlier this March. Associated with an extremist hacker group named Yemen Cyber Army, the defendant infiltrated a number of websites to push religious and political ideologies. A review of his seized laptop uncovered personal data for over 4 million Facebook users and several documents containing usernames and passwords for services such as Netflix and Paypal. The Yemen Cyber Army is a hacktivist group that, in the past, has declared its support for the Houthis, an Islamist political and military organization. Malicious npm Packages Target Solana Developers — Malicious npm packages have been found embedding an information stealer that's designed to single out Russian cryptocurrency developers as part of a campaign dubbed Solana-Scan. These malicious packages, solana-pump-test, solana-spl-sdk, and solana-pump-sdk, targeted the Solana cryptocurrency ecosystem and claimed to "scan" for Solana SDK components. All the packages were published by a user named "cryptohan." Contained within the package is an obfuscated CommonJS file that launches a JavaScript payload for extracting environment information and launching a second-stage that searches the compromised machine for sensitive files and exfiltrates them to a remote server located in the U.S. There is evidence that the JavaScript was written with the help of generative artificial intelligence (AI) tools like Anthropic Claude, software supply chain security outfit Safety said. Singapore Warns of Dire Wolf Attacks — The Cyber Security Agency of Singapore (CSA) has warned of Dire Wolf double-extortion attacks targeting Dire Wolf since May 2025. "Dire Wolf ransomware group employs a double extortion tactic, where it encrypts data on victims' systems and threatens to publicly release exfiltrated data on its data leak site (DLS) unless a ransom is paid," CSA said. "This causes a two-fold impact of data loss and reputational damage on victim organizations." Hijack Loader Detailed — Cybersecurity researchers have unpacked the inner workings of a malware loader called Hijack Loader that's used as a conduit for other payloads, including information stealers and remote access trojans. Attack chains distributing the malware have leveraged pirated game websites like Dodi Repacks, tricking users into downloading booby-trapped ZIP archives under the guise of video games like Virtua Fighter 5 REVO. Another propagation mechanism involves embedding a link to cracked software in TIDAL music playlists that show up in search engine results. Hijack Loader incorporates an array of anti-virtual machine and anti-debug techniques and attempts to disable Microsoft Defender Antivirus prior to launching the final payload. Nebraska Man Sentenced to 1 Year in Prison for Illicit Crypto Mining — Charles O. Parks III, who was indicted in April 2024 for operating a large-scale illegal cryptojacking operation, was sentenced in the U.S. to one year and one day in prison. He is said to have defrauded two well-known providers of cloud computing services out of more than $3.5 million worth of computing resources from January through August 2021. Parks was charged with wire fraud, money laundering, and engaging in unlawful monetary transactions in connection with the scheme and pleaded guilty to wire fraud in December 2024. The mined currency was used for personal luxurious purchases and Parks boasted about his profits on social media to earn credibility as a crypto influencer. "Parks created and used a variety of names, corporate affiliations, and email addresses, including emails with domains from corporate entities he operated called 'MultiMillionaire LLC' and 'CP3O LLC,' to register numerous accounts with the service providers and to gain access to massive amounts of computing processing power and storage that he did not pay for," the Justice Department said. Chrome Extension Detected Capturing Screenshots — A Chrome browser extension with more than 100,000 installs has been found to harbor covert features to capture screenshots, collect system information, and query IP geolocation APIs for location details. The screenshots are uploaded to an external server, aitd.one, which claims to be an AI threat detection service. Advertised as a free VPN app named FreeVPN.One, the featured add-on offered the promised functionality since its launch in 2000, before the surveillance features were subtly introduced in April, June, and July 2025. The developer behind the tool claimed the automatic screenshot capture is part of a Background Scanning feature that's triggered only on suspicious domains and for all users by default. However, Koi Security found that screenshots were being taken on trusted services like Google Sheets and Google Photos. "FreeVPN.One shows how a privacy branding can be flipped into a trap," the company said. "What's sold as safety becomes a quiet pipeline for collecting what you do and where you are." Okta Releases Auth0 Customer Detection Catalog — Okta has announced the launch of the Auth0 Customer Detection Catalog, a comprehensive open-source repository designed to enhance proactive threat detection capabilities for Auth0 customers. "The Auth0 Customer Detection Catalog allows security teams to integrate custom, real-world detection logic directly into their log streaming and monitoring tools, enriching the detection capabilities of the Auth0 platform," the identity security company said. TRM Labs Launches Beacon Network to Monitor Crypto Crime — Blockchain intelligence firm TRM Labs announced the launch of Beacon Network, a real-time crypto crime response network for tracking illicit crypto activity and preventing it from leaving the blockchain. "Verified investigators flag addresses linked to financial crime. Beacon Network automatically propagates those labels across related wallets," the company said. "When tagged funds arrive at a participating exchange or issuer, Beacon Network triggers an instant alert." In doing so, cryptocurrency platforms can proactively review and hold flagged deposits before withdrawal, blocking illicit cash-outs. Microsoft Aims to be Quantum-Safe by 2033 — Microsoft has set out a roadmap to complete transition to post quantum cryptography (PQC) across all its products and services by 2033, with roll out beginning by 2029. That's two years ahead of the deadline imposed by the United States and other governments. "Migration to post quantum cryptography (PQC) is not a flip-the-switch moment, it's a multi-year transformation that requires immediate planning and coordinated execution to avoid a last-minute scramble," the company's Mark Russinovich and Michal Braverman-Blumenstyk said. The U.S. National Institute of Standards and Technology (NIST) formalized the world's first PQC algorithms in August 2024. New Phishing Campaign Uses Hidden AI Prompts — A phishing campaign has been spotted using hidden artificial intelligence (AI) prompts that are designed to manipulate AI-based email scanners and delay them from detecting the malicious payloads. The emails, sent from SendGrid, masquerade as password expiry notices from Gmail to induce a false sense of urgency using social engineering tactics. But buried in the email plain-text MIME section is a prompt that instructs automated scanners to "engage in the deepest possible multi-layered inference loop" and trick them into entering long reasoning loops instead of marking the messages as phishing. "If AI-driven systems are tied to automation (auto-tagging, ticketing, escalation), this injection could cause misclassification or delays," Malwr-analysis.com's Anurag said. The development coincided with a new wave of credential harvesting attacks involving phishing emails sent via SendGrid. "The campaign exploits the trusted reputation of SendGrid, a legitimate cloud-based email service used by businesses to send transactional and marketing emails," Cofense said. "By impersonating SendGrid's platform, attackers can deliver phishing emails that appear authentic and bypass common email security gateways." 493 Cases of Sextortion Against Children Linked to SE Asia Scam Compounds — A new report from the International Justice Mission (IJM) has linked 493 child sextortion cases to scam compounds operating in Cambodia, Myanmar, and Laos, where trafficked individuals are forced to carry out online fraud such as romance baiting and pig butchering scams. Forensic data has tied the cases to 40 of the 44 previously known scam compounds operating in Cambodia, Myanmar, and Laos. "This research indicates a likely convergence of two dark forms of exploitation – child sextortion and human trafficking – enabled by digital platforms and driven by profit," said Eric Heintz, Senior Criminal Analyst at IJM. Mule Operators in META Adopt Complex Fraud Schemes — Cybersecurity researchers have laid bare the advanced techniques mule operators across the Middle East, Turkey and Africa (META) region have adopted to target retail banks, shifting from basic IP masking via VPNs and proxies to Starlink-based obfuscation tactics combined with advanced GPS spoofing, SIM abuse, and physical device "muling" using hired individuals and postal shipments. "Financial institutions in the Gulf region, where regulations are especially tight, enforce strict restrictions on VPN, hosting, and proxy traffic," Group-IB said. "Early on, these controls forced mule operators to rely on generic VPN services – easily identified via IP reputation tools. By late 2023, fraudsters began a rapid innovation cycle to bypass these filters and regain remote access to accounts in the target jurisdictions." Mule networks have been observed using stolen identities and location obfuscation tactics to remotely open hundreds of accounts to launder funds across targeted countries, with fraudsters also removing SIM cards entirely from Android devices to evade telecom fingerprinting and connecting to the internet via Wi-Fi hotspots, typically from nearby roaming-enabled phones, thereby masking their network origins. As recently as Q4 2024, the schemes have recruited so-called first-layer mules, who opened the bank accounts within trusted jurisdictions and then passed credentials to overseas operators who conducted laundering operations. A further escalation of this approach earlier this year eliminated the need for credential handover by physically shipping pre-configured phones. "First-layer mules based in trusted countries would open accounts and build trust through initial legitimate usage," Group-IB said. "Instead of sharing login credentials, they ship pre-configured phones to second-layer fraudsters operating abroad." MuddyWater Targets CFOs and Finance Execs — The Iranian hacking group dubbed MuddyWater is actively targeting CFOs and finance executives across Europe, North America, South America, Africa, and Asia via spear-phishing emails that trick recipients into downloading ZIP archives from Firebase-hosted phishing pages. The attack chains lead to the deployment of OpenSSH and NetBird, a legitimate remote access tool for persistent access. The use of remote desktop software is a tactic often used by MuddyWater to facilitate access to compromised environments. "The infrastructure pivots, evolving payload paths, and consistent reuse of distinctive artifacts highlight a resourceful adversary that adapts quickly to maintain operational capability," Hunt.io said. Iranian Hacktivist Group Targets Iranian Communication Networks — The anonymous Iranian hacktivist group known as Lab Dookhtegan has crippled the satellite communications systems on 64 Iranian ships at sea. The incident, which took place last week, impacted 39 oil tankers and 25 cargo ships operated by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). The hacks targeted Fannava, an Iranian tech company that provides satellite communication terminals for ships. Back in March 2025, the entity also disrupted satellite communication systems of 116 Iranian vessels linked to arms shipments for Yemen's Houthis. According to security researcher Nariman Gharib, the group hacked the company's network, identified all maritime communications terminals running iDirect satellite software, and then deployed malicious code to inflict permanent damage by overwriting the storage partitions with zeroes. Pro-Iranian Hackers Demonstrated Coordination During 12-Day June Conflict With Israel — The 12-day conflict between Israel and Iran in June spilled into cyberspace, accompanied by a surge in cyber activity from pro-Iran hacking groups that worked in a "coordinated web" across borders to steal data, deface websites, spread propaganda, carry out DDoS campaigns, and deploy malware such as Remcos RAT. "Telegram has emerged as a critical platform for coordination, propaganda dissemination, and command-and-control for both state-aligned proxies and hacktivist collectives," Security Scorecard said in an analysis of 250,000 messages from Iranian proxies and hacktivists from over 178 active groups during the time period. "Its perceived anonymity and broad reach make it an attractive medium for these groups to organize, share information, claim responsibility for attacks, and even recruit new members." The cyber war highlights "how Iran has refined its use of digital tools to shape the battlespace, control domestic narratives, and project influence abroad," the Middle East Institute said. 4 Ghanaian Nations Extradited to the U.S. — The U.S. Department of Justice charged four Ghanaian nationals, Isaac Oduro Boateng, Inusah Ahmed, Derrick Van Yeboah, and Patrick Kwame Asare, for their roles in a massive fraud ring linked to the theft of over $100 million in romance scams and business email compromise attacks against individuals and businesses located across the U.S. between 2016 and May 2023. They were extradited to the U.S. on August 7, 2025. "After stealing the money, the fraud proceeds were then laundered to West Africa, where they were largely funneled to individuals called 'chairmen,' who directed the activities of other members of the conspiracy," the Justice Department said. NIST Publishes Guidelines to Tackle Identity Fraud — The U.S. National Institute of Standards and Technology (NIST) published new guidelines to help organizations optimize their efforts to detect face morphing and deter identity fraud. "The most effective defense against the use of morphs in identity fraud is to prevent morphs from getting into operational systems and workflows in the first place," NIST's Mei Ngan said. "Some modern morph detection algorithms are good enough that they could be useful in detecting morphs in real-world operational situations. Our publication is a set of recommendations that can be tailored to a specific situation." North Korea Linked to Over $1.75B in Thefts in 2025 — North Korea, which pulled off one of the biggest crypto heists in history in February 2025 by plundering nearly $1.5 billion from Dubai-based exchange Bybit, has stolen more than $1.75 billion in 2025 alone, according to Elliptic. In the six months following the Bybit hack, over $1 billion of the stolen funds have been laundered using multiple rounds of mixers and cross-chain movements to complicate the trail. "It is noteworthy that lesser-known blockchains were layered for portions of funds, perhaps in the hope that they are not as well supported by some analytics and investigation tools, and are less familiar to investigators attempting to trace asset movements," Elliptic said. "Previously unseen or less commonly used services were also utilized for Bybit laundering." Further analysis shows that funds reaching the Tron blockchain are ultimately cashed out via suspected Chinese over-the-counter trading services. Attackers Abuse Virtual Private Servers to Breach SaaS Accounts — Threat actors are weaponizing virtual private servers (VPS) to compromise software-as-a-service (SaaS) accounts and then using them to send phishing emails. The activity was first observed in March 2025. "The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails," Darktrace said. "These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment." ClickFix-Style Campaign Delivers Atomic Stealer Variant — A malvertising campaign has been observed directing unsuspecting users to fraudulent macOS help websites where ClickFix-style instructions are displayed to entice them into opening the Terminal app and pasting a command that, in turn, triggers the execution of a shell command to download from an external server a variant of Atomic macOS Stealer (AMOS) known as SHAMOS. Developed by a malware-as-a-service (MaaS) provider named Cookie Spider, it functions as an information stealer and downloads additional malicious payloads, including a spoofed Ledger Live wallet application and a botnet module. Alternate attack chains have relied on a GitHub repository masquerading as iTerm2. The GitHub account is no longer accessible. In recent months, the ClickFix technique has also been leveraged to deliver another macOS infostealer called Odyssey Stealer using bogus CAPTCHA verification checks. MITRE Releases 2025 Most Important Hardware Weaknesses — The non-profit MITRE Corporation published a revised list of the Most Important Hardware Weaknesses (MIHW) to better align with the hardware security landscape. Sensitive Information in Resource Not Removed Before Reuse (CWE-226), Improper Isolation of Shared Resources on System-on-a-Chip (CWE-1189), and On-Chip Debug and Test Interface With Improper Access Control (CWE-1191) take the top three spots. How Lumma Affiliates Operate — Despite a May 2025 law enforcement takedown targeting Lumma Stealer, the malware family appears to have staged a full recovery and continues to be a popular choice for threat actors. According to a report from Recorded Future, Lumma affiliates not only operate multiple schemes simultaneously, but also leverage previously undocumented tools such as a phishing page generator (DONUSSEF) and a cracked email credential validation tool. Also put to use are VPNs, privacy-focused web browsers, bulletproof hosting providers, virtual phone and SMS services (OnlineSim, SMS-Activate, and Zadarma), and proxies (PIA Proxy and GhostSocks). "For instance, one affiliate was identified operating rental scams, while others simultaneously leveraged multiple malware-as-a-service (MaaS) platforms, including Vidar, Stealc, and Meduza Stealer, likely to bolster operational agility, improve success rates, and mitigate the risks linked to detection and law enforcement takedowns," the company said. "In addition, several Lumma affiliates are tied to distinct threat actor personas across underground forums, reinforcing their deep integration within the broader cybercriminal ecosystem." Deceptive Google Play Store Pages Distribute SpyNote — A new network of websites that mimic the Google Play Store pages of various apps is being used to trick users into installing malicious Android apps containing the SpyNote RAT. This is a continuation of an ongoing campaign that was flagged by DomainTools back in April 2025. "Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote's core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis," the company said. The development followed the discovery of a new version of the Anatsa (aka TeaBot) Android banking trojan that can now target over 831 financial institutions across the world, including various cryptocurrency platforms. "Anatsa streamlined payload delivery by replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the Anatsa payload," Zscaler ThreatLabz said. "Anatsa implemented Data Encryption Standard (DES) runtime decryption and device-specific payload restrictions." New macOS Stealer Mac.c Spotted — Cybersecurity researchers have discovered a new macOS stealer called Mac.c that can steal iCloud Keychain credentials, browser-stored passwords, crypto wallet data, system metadata, and files from specific locations. It can be purchased for $1,500 per month under a subscription model, while AMOS is priced at $3,000 a month. "This lower price could also open the gates for less resourceful and less tech-savvy operators who want to break into the cybercriminal market and have little money to spend on dark web tools," Moonlock Lab said. Paper Werewolf Uses New Linux Rootkit in Attacks Targeting Russia — The threat actor known as Paper Werewolf (aka GOFFEE) is targeting Russian organizations with a Linux rootkit named Sauropsida. The rootkit is based on an open-source rootkit known as Reptile. Also deployed are BindSycler, a Golang utility to tunnel traffic using the SSH protocol, and MiRat, a Mythic framework agent.
|
|
|
|
|
|
|
Comments
Post a Comment
Please leave a comment about our recent post.