Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Cyber News

Qilin remained the top ransomware group in August, but two rapidly emerging competitors are threatening to shake up the threat landscape. Those are some of the conclusions from Cyble’s monthly ransomware blog published today. Qilin’s 104 victims in August were well ahead of Akira’s 56 (chart below), but the rapid rise of Sinobi and The Gentlemen and the reemergence of LockBit are just some of the developments that threaten to upend the ransomware landscape in September.

[Chart: Top ransomware groups for August 2025 (Cyble)]

August’s 467 ransomware attacks marked the fourth straight monthly increase, even as attacks remain well below February’s record (chart below). Several attacks had software supply chain implications, part of a troubling trend of surging supply chain attacks.

[Chart: Ransomware attacks by month 2021-2025 (Cyble)]

The U.S. accounted for nearly 60% of August’s ransomware attacks, roughly ten times greater than Germany and the UK.

Qilin Dominates Following RansomHub’s Decline

Since the decline of RansomHub at the end of March, Qilin’s 398 claimed victims are more than 70% ahead of Akira (chart below). Cyble noted that Qilin’s “features and incentives appear to be gaining traction with former RansomHub and other affiliates.”

[Chart: Top ransomware groups April-August 2025 (Cyble)]

Qilin has claimed more than 18% of the 2,164 total ransomware attacks since April, while Akira, at 10.7%, is the only other ransomware group above 10%. Cyble noted that “the rapid rise of Sinobi might be even more impressive, as the group has vaulted into third place after only two months in existence.” Sinobi has claimed 41 victims so far, all but two of which have been in the U.S. Because of code and data leak site similarities, Sinobi might be connected to Lynx, which itself has been connected to INC Ransom. All three groups remain active, so they may merely be connected rather than a rebranding. Sinobi has claimed only one new victim since August 24, Cyble said, so its meteoric rise may prove unsustainable.

The Gentlemen Emerges as LockBit Returns

The Gentlemen has been another very active new group, with more than 30 victims so far in September, “so the most active ransomware group list may well change again this month,” Cyble said. Meanwhile, former ransomware leader LockBit is making another comeback attempt with its 5.0 release, so September could turn out to be yet another pivotal month for ransomware groups.

“The continued evolution of ransomware groups and variants remains one of the biggest threats faced by cybersecurity teams and organizations of all sizes,” Cyble concluded. “The financial, data, infrastructure, and operational damage caused by these attacks requires the strongest possible vigilance on the part of security teams.” With some noteworthy recent cyberattacks bringing organizations to a standstill for weeks at a time or longer, vigilance seems like good advice in general for security teams.


 Cyber News

UK authorities have arrested a 19-year-old UK national alleged to be a key figure in the Scattered LAPSUS$ Hunters threat collective. UK authorities arrested Thalha Jubair and a second individual on September 16, the U.S. Department of Justice (DoJ) said today in announcing charges against Jubair that include “conspiracies to commit computer fraud, wire fraud, and money laundering, in relation to at least 120 computer network intrusions and extortion involving 47 U.S. entities.” The unsealed U.S. complaint alleges that Jubair’s victims paid at least $115 million in ransom payments, the DoJ said.

Scattered LAPSUS$ Hunters Hackers Behind JLR, Salesloft Attacks

The DoJ statement specifically mentions the Scattered Spider threat group, but Jubair is believed to have emerged as part of the LAPSUS$ threat group that recently formed a collective with Scattered Spider and ShinyHunters. The collective announced earlier this month that it is going dark – but evidence has already emerged of potential new activity.

Recent Scattered LAPSUS$ Hunters attacks have allegedly included the crippling Jaguar Land Rover cyberattack and the Salesloft Drift campaign that targeted Salesforce instances – attacks that were high profile enough that the collective may have thought it best to lay low for a while. The groups are also believed to be connected to a broader cybercrime community known as The Com. The groups have also been referred to as UNC6040 and UNC6395. Scattered Spider is also tracked as UNC3944, among other names.

“For the record, since I think it's now safe to say - Thalha Jubair (a teen) is the key guy behind LAPSUS$/Scattered Spider/ShinyHunters and basically most of the big cyber incidents of the past 5 years,” security researcher Kevin Beaumont said on Mastodon today. “He's been running rings around everybody since he was 14.”

Jubair Could Face 95 Years in Prison

The DoJ said that UK authorities “arrested Jubair and a second individual in connection with a separate U.K. investigation related to a computer intrusion that targeted U.K. critical infrastructure.” The UK National Crime Agency (NCA) named the second man as Owen Flowers, 18, of Walsall. Flowers and Jubair have been remanded into custody and are due to appear at Southwark Crown Court on October 16.

In the U.S., the DoJ said Jubair is charged with “computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted, he faces a maximum penalty of 95 years in prison.” According to the U.S. complaint, Jubair – also known as “EarthtoStar,” “Brad,” “Austin” and “@autistic” – began his alleged activity in 2022. “From as early as May 2022 to as recently as September 2025, Jubair and his associates were involved in approximately 120 network intrusions, including accessing the computer networks of at least 47 U.S.-based victims,” the DoJ said.

Some of the ransom payments from at least five victims “were sent to wallets on a server controlled by Jubair,” the DoJ said. “In July 2024, while law enforcement was seizing that server — including successfully seizing cryptocurrency worth approximately $36 million at the time of the seizure — Jubair transferred a portion of cryptocurrency that originated from one of the victims, worth approximately $8.4 million at the time, to another wallet.”


 Threats

Experienced gamers are well aware of the risks of downloading games, mods, skins, and other gaming software from unofficial sources. However, infections can also originate from platforms users typically trust — developer websites and official stores. In this post, we review several cases where attackers distributed malware through official gaming resources. We also explain how to protect your system, loot, and account — so you can keep playing on your favorite platforms without any nasty surprises.

Infected Endgame Gear mouse-configuration tool

In July 2025, Endgame Gear, a manufacturer of advanced mice aimed at esports players and seasoned gamers, reported a malware infection in its OP1w 4k v2 mouse-config utility. The Trojan remained on the company's official site for almost two weeks, from June 26 to July 9, 2025.

[Image: The official page for the Endgame Gear OP1w 4k v2 mouse hosted a malware-infected setup tool.]

As a result, users who downloaded the utility from the product page during that period also received malware with it. Endgame Gear did not specify what the malicious payload was, but user-scan data suggests it was an XRed backdoor. XRed offers a wide range of capabilities for remote control of infected systems: a keylogger, command-line access, browsing disks and folders, downloading and deleting files, and taking screenshots. XRed can also download additional modules and exfiltrate system data to remote servers.

It was gamers themselves who first noticed something was wrong with the OP1w 4k v2 configuration tool. They began discussing suspicious signs on Reddit nearly two weeks before Endgame Gear released an official statement. The key details that raised user suspicions were the size of the program — the infected version was 2.8MB instead of the usual 2.3MB — and the file signature, listed as Synaptics Pointing Device Driver instead of Endgame Gear OP1w 4k v2 Configuration Tool.

In its official statement on the incident, Endgame Gear clarified that users who downloaded the tool from the general downloads page (endgamegear.com/downloads), GitHub, or the company's Discord channel are safe. The threat only affected gamers who downloaded software directly from the OP1w 4k v2 product page between June 26 and July 9, 2025. After that, the malware was removed from the company's site.

The mouse manufacturer recommends the following steps for any potentially affected users:

- Delete all contents of the folder C:\ProgramData\Synaptics.
- Run a full system scan with a reliable antivirus.
- Download a clean version of the utility.

In addition, users should change passwords for all important accounts, including financial services, email, and work-related logins.

Malware in three early-access Steam games

In 2025, several cases were reported of malware being distributed through early-access games on Steam. In February, this involved PirateFi, a survival sim (we covered this case on the Kaspersky Daily blog). In March, a similar incident occurred with the tactical shooter Sniper: Phantom's Resolution. In July, attackers uploaded an infected version of Chemia, another survival game. All three cases involved early-access titles — likely because Steam applies looser verification procedures for pre-release games. Let's take a closer look at these three cases.

A few days after the beta release of PirateFi — the first game developed by a studio called Seaworth Interactive — one user reported on a Steam forum that his antivirus had prevented the game from launching. The security software detected the presence of Trojan.Win32.Lazzzy.gen malware, which the game attempted to install in the AppData/Temp directory after launch.

[Image: PirateFi promised players a pirate-themed survival sim, but in reality it stole browser cookies to hijack accounts.]

The Trojan's primary goal was to steal browser cookies. These cookies allowed the attackers to access victims' accounts for financial services, social networks, and other online platforms. Several players who downloaded and ran the game reported that the criminals changed the passwords on their accounts and stole funds. PirateFi was pulled from Steam just four days after release. All users who had downloaded the game — fortunately, only around 800 people — received an official notification from the platform warning them of the malware on their devices.

[Image: Steam users who downloaded the infected PirateFi game were warned of malware on their devices.]

Just a month later, a similar situation occurred with another game — Sniper: Phantom's Resolution by Sierra Six Studios. Once again, players were the first to suspect something was wrong: they noticed that the game's description and screenshots were clearly copied from other projects. Another red flag was the developer's offering a demo installer hosted on an external GitHub repository rather than through Steam. Further examination of the installer's code by Reddit users revealed suspicious software hidden inside. Like the creators of PirateFi, those behind Sniper: Phantom's Resolution seemed to be after victims' online accounts. Following user reports, both GitHub and Steam quickly removed the malicious game from their platforms.

[Image: The game Sniper: Phantom's Resolution was published on Steam with an installer containing malware, and was removed after user complaints.]

The third case, involving a game called Chemia by Aether Forge Studios, was a little different: this time, it was a beta version of a legitimate game that was infected. Cybersecurity researchers believe the attack was carried out by the hacker group EncryptHub, also known as Larva-208. It remains unclear how the attackers managed to inject malware into the game. However, players who launched the Chemia playtest unknowingly downloaded two infostealers to their devices. Both ran silently in the background without affecting gameplay, leaving gamers unaware their systems were compromised.

[Image: The Chemia playtest on Steam was distributed with infostealing malware that ran in the background, extracting data from browsers.]

The attackers were targeting data stored in browsers, including saved passwords, autofill info, cookies, and cryptowallet details. At the time of writing, the game is no longer available on Steam. However, neither the platform nor the game's developer has issued an official statement.

Malicious skins on the official Minecraft website

Sometimes dangers lurk not just on Steam, but also on developers' official sites — including the biggest names. In 2018, about fifty thousand Minecraft players fell victim to attackers who uploaded malicious skins to the official Minecraft website. That platform has a fan-interaction system where any player can share skins they create with others — and that's what the attackers exploited.

[Image: The Minecraft skins that could reformat hard drives and delete system programs.]

The malware was spread via PNG skin files, and was capable of deleting programs, formatting hard drives, and destroying backup data. One peculiar detail was that some victims received bizarre messages with titles such as: "You Are Nailed, Buy A New Computer This Is A Piece Of Sh*t", "You have maxed your internet usage for a lifetime", "Your a** got glued." The malicious code's specifics make experts believe that professional cybercriminals were likely not behind the attack. Still, the Minecraft case clearly demonstrated the vulnerability of content-sharing mechanisms on gaming platforms.

How to avoid becoming a victim

Installing games, mods, skins, and other gaming software from official sources is, of course, safer than pirating them from shady ones. However, as we've shown in this post, even legitimate sites require vigilance.

- Read reviews carefully before downloading any game or gaming software. Do a quick background check — a simple search might lead you to a Reddit thread discussing suspicious issues.
- Be cautious with early-access games on Steam. Three malicious games in a single year already signals a trend.
- Install reliable protection on your device.

Many gamers may be skeptical about this last tip, as it's a common belief in the gaming community that antivirus software slows down games. That may have been true years ago, but tests these days show that the latest security solutions cause no measurable drops in performance. Moreover, Kaspersky Premium even includes a dedicated gaming mode. It turns on automatically when a game launches, postponing database updates, notifications, and routine scans until the session ends — thus minimizing system resource usage.

How else do attackers target gamers? Check out our selection of articles on this topic:

- Arcane stealer instead of Minecraft cheats
- Live hack: Apex Legends esports tournament scandal
- How scammers attack young gamers
- Mario Forever, malware too: a free game with a miner and Trojans inside
- The Phantom Menace: how gamers of different ages are being attacked

 Feed

Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild. The zero-day vulnerability in question is CVE-2025-10585, which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine. Type confusion vulnerabilities can have severe consequences as they can be

 Feed

Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT. "CountLoader is being used either as part of an Initial Access Broker's (IAB) toolset or by a ransomware affiliate with ties to the LockBit,

 Feed

Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems. "SilentSync is capable of remote command execution, file exfiltration, and screen capturing," Zscaler ThreatLabz's Manisha Ramcharan Prajapati and Satyam Singh said. "SilentSync also extracts

 Feed

AI’s growing role in enterprise environments has heightened the urgency for Chief Information Security Officers (CISOs) to drive effective AI governance. When it comes to any emerging technology, governance is hard – but effective governance is even harder. The first instinct for most organizations is to respond with rigid policies. Write a policy document, circulate a set of restrictions, and

 Feed

SonicWall is urging customers to reset credentials after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts. The company said it recently detected suspicious activity targeting the cloud backup service for firewalls, and that unknown threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its

 Law & order

When "bad actors" stop being hackers and start being... actual actors. This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for a serious film. We unpack why positive lures can short-circuit scepticism just as effectively as fear. Plus, the UK's ICO says students are increasingly hacking their own schools. Meanwhile, Graham heads to 1960s Oxford with Endeavour, while Jenny investigates the Wirral’s mysterious "Catman". All this, and more, in episode 435 of the "Smashing Security" podcast.
