Cyber security aggregate rss news

Cyber security aggregator - feeds history

France Arrests 22-Ye ...

Cyber News

French authorities have arrested a 22-year-old man in connection with a French Interior Ministry cyberattack, marking an important development in the investigation into the breach of the ministry’s internal email systems. The arrest was carried out on December 17, 2025, following an inquiry led by the cybercrime unit of the Paris prosecutor’s office.

According to a notice issued by France’s Ministry of the Interior, the suspect was taken into custody on charges including unauthorized access to a state-run automated personal data processing system. The offense carries a maximum sentence of up to 10 years in prison.

"A person was arrested on December 17, 2025, as part of an investigation opened by the cybercrime unit of the Paris prosecutor's office, on charges including unauthorized access to a state-run automated personal data processing system, following the cyberattack against the Ministry of the Interior," the press release, translated into English, said.

The ministry confirmed that the individual, born in 2003, is already known to the justice system and was convicted earlier in 2025 for similar cyber-related offenses. Authorities have not disclosed the suspect’s identity.

"The suspect, born in 2003, is already known to the justice system, having been convicted of similar offenses in 2025," the release added.

Source: French Interior Ministry

Investigation Into Cyberattack on France’s Ministry of the Interior

The French Interior Ministry cyberattack was first publicly acknowledged last week, after officials revealed that the ministry’s internal email servers had been compromised. The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files.

French Interior Minister Laurent Nuñez described the incident as more serious than initially believed. Speaking to Franceinfo radio, he said, "It's serious. A few days ago, I said that we didn't know whether there had been any compromises or not. Now we know that there have been compromises, but we don't know the extent of them."

Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information. However, Nuñez urged caution when assessing the scale of the breach. "I can tell you that there have not been millions of pieces of data extracted as of this morning (...), but I remain very cautious about the level of compromise," he added.

Legal Action Against the French Interior Ministry Cyberattack

In a statement issued by Public Prosecutor Laure Beccuau, officials said the suspect in the French Interior Ministry cyberattack was arrested as part of an investigation into unauthorized access to an automated data processing system, allegedly carried out as part of an organized group. Prosecutors reiterated that this offense is punishable by up to 10 years’ imprisonment.

The investigation is being conducted by OFAC, France’s Office for Combating Cybercrime. Authorities noted that a further statement will be released once the police custody period ends, which can last up to 48 hours. French prosecutors also confirmed that while the suspect has prior convictions for similar crimes in 2025, they are not disclosing further details about those cases.

Government Response and Security Measures

Following the French Interior Ministry cyberattack, the Ministry of the Interior implemented standard security protocols and strengthened access controls across its systems. Speaking on RTL Radio, Minister Nuñez confirmed the attack and the immediate response: "There was indeed a cyberattack. An attacker was able to access a number of files. So we implemented the usual protection procedures."

He further stated that investigations into the French Interior Ministry cyberattack are ongoing at both judicial and administrative levels, and that France’s data protection authority, the National Commission for Information Technology and Civil Liberties (CNIL), has been notified.

On RTL Matin, Nuñez emphasized that the origin of the French Interior Ministry cyberattack remains unclear: "It could be foreign interference, it could be people wanting to challenge the authorities and demonstrate their ability to access systems, and it could also be cybercrime. Right now, we don't know what it is."

Claims of Responsibility Surface Online

Following public disclosure of the French Interior Ministry cyberattack, a post appeared on an underground forum claiming responsibility for the breach. The post stated, "We hereby announce that, in revenge for our arrested friends, we have successfully compromised 'MININT' — the French Ministry of the Interior."

The message appeared to reference the 2025 arrests of five BreachForums moderators and administrators, known online as “ShinyHunters,” “Hollow,” “Noct,” “Depressed,” and “IntelBroker.” However, authorities have not confirmed any direct link between the arrested suspect and these claims.

As the investigation into the French Interior Ministry cyberattack continues, French officials have stressed that all possibilities remain under consideration and that further updates will follow once the custody period concludes.

EU Authorities Disma ...

Cyber News

European law enforcement agencies have dismantled a large-scale criminal network operating fraudulent call centres in Ukraine, following a coordinated international operation supported by Eurojust. The investigation targeted fraudulent call centres in Ukraine that ran organized scam operations defrauding victims across Europe, causing estimated losses of more than EUR 10 million.

According to a press note issued by the European Union Agency for Criminal Justice Cooperation (Eurojust), authorities from the Czech Republic, Latvia, Lithuania, and Ukraine worked together to shut down call centres operating in Dnipro, Ivano-Frankivsk, and Kyiv. The criminal group ran a professional setup, employing individuals who were paid a percentage of the money extracted from victims.

“Authorities from the Czech Republic, Latvia, Lithuania and Ukraine with the support of Eurojust took action against a criminal network operating call centres in Dnipro, Ivano-Frankivsk and Kyiv, Ukraine that scammed victims across Europe,” Eurojust said in its press notice.

How the Fraudulent Call Centres in Ukraine Operated

Investigators found that the fraudulent call centres in Ukraine used multiple scam techniques. Criminals often posed as police officers or bank employees, convincing victims that their bank accounts had been compromised. Victims were instructed to transfer money to so-called “safe” accounts controlled by the network. In several cases, victims were persuaded to download remote access software and enter banking credentials, allowing the criminals to gain full control over their bank accounts.

The network recruited employees from the Czech Republic, Latvia, Lithuania, and other countries, bringing them to Ukraine to carry out the scams. The investigation revealed that around 100 individuals from various European countries worked in the call centres. Members of the group had clearly defined roles, including making scam calls, forging police and bank certificates, and collecting cash from victims. Employees who successfully extracted funds received up to 7% of the proceeds. Criminal leaders also promised bonuses such as cash, cars, or apartments in Kyiv if callers obtained more than EUR 100,000, though these rewards were never paid.

Coordinated Raids and Arrests Across Ukraine

A joint investigation team (JIT) was established at Eurojust to enable smooth cooperation between national authorities. Officials met three times at Eurojust’s headquarters in The Hague to share intelligence and plan coordinated action. On 9 December, authorities carried out 72 searches across three Ukrainian cities. Offices, homes, and vehicles were searched, resulting in the seizure of forged police and bank IDs, computers, laptops, hard drives, mobile phones, and a polygraph machine. Law enforcement also confiscated cash, 21 vehicles, weapons, and ammunition.

Twelve suspects were arrested during the action day. Across the broader investigation in the Czech Republic, Latvia, Lithuania, and Ukraine, 45 individuals have been identified as suspects.

Czech Police Highlight OCTOPUS and CONNECT Operations

In a separate press note, the Czech police confirmed that the takedown was part of international operations OCTOPUS and CONNECT. “NCTEKK crime investigators, together with Czech and foreign colleagues, have uncovered an exceptionally large-scale cybercrime operation,” Czech police said.

Operation OCTOPUS focused on fraudulent investment schemes, where criminals created imitation investment websites and fake advertisements promising high returns. According to Czech police, the fraud caused damage of CZK 43,000,000 to at least 138 victims, with the number expected to rise significantly. “Another successful intervention in Ukraine will protect Europeans' money,” the Czech police stated.

Meanwhile, Operation CONNECT targeted fraudulent phone scams involving fake police officers and bankers. Authorities dismantled three call centres and seized hundreds of laptops and mobile phones, real estate, vehicles, cash, and weapons.

Ongoing Risk and Public Warnings

Czech authorities warned that such scams are becoming increasingly advanced and that criminal groups frequently relocate call centres to avoid detection. “We regularly warn about these fraudulent phone calls, in which fraudsters pretend to be bankers or police officers,” Czech police said. Officials urged the public to report suspicious calls and emphasized that law enforcement and central banks never request money transfers or withdrawals over the phone.

FBI Seizes E-Note Cr ...

Cyber News

The FBI E-Note cryptocurrency exchange takedown marks a major international law enforcement action against financial infrastructure allegedly used by transnational cybercriminal groups. The U.S. Department of Justice confirmed on Wednesday that the FBI, working with partners in Germany and Finland, disrupted and seized the online infrastructure of E-Note, a cryptocurrency exchange accused of laundering illicit funds linked to ransomware attacks and account takeovers.

According to the United States Attorney’s Office for the Eastern District of Michigan, the coordinated operation targeted websites and servers used to operate E-Note, which allegedly provided cash-out services for cybercriminals targeting U.S. healthcare organizations and critical infrastructure.

Source: https://www.justice.gov/

“The United States Attorney’s Office for the Eastern District of Michigan announced today a coordinated action with international partners and the Michigan State Police to disrupt and take down the online infrastructure used to operate E-Note, a cryptocurrency exchange that allegedly facilitated money laundering by transnational cyber-criminal organizations,” the Justice Department said.

E-Note Allegedly Laundered Over $70 Million in Illicit Funds

Investigators say the FBI E-Note cryptocurrency exchange takedown follows years of financial tracking by federal authorities. Since 2017, the FBI has identified more than $70 million in illicit proceeds transferred through the E-Note payment service and its associated money mule network. These funds were allegedly tied to ransomware attacks and account takeovers, including proceeds stolen or extorted from victims in the United States.

“Since 2017, the FBI identified more than $70,000,000 of illicit proceeds of ransomware attacks and account takeovers transferred via E-Note payment service and money mule network,” the DOJ stated.

Authorities believe the exchange played a key role in converting cryptocurrency into various cash currencies, allowing cybercriminals to move funds across international borders while avoiding detection.

Russian National Charged in Money Laundering Conspiracy

As part of the operation, U.S. prosecutors unsealed an indictment against Mykhalio Petrovich Chudnovets, a 39-year-old Russian national. Chudnovets is charged with one count of conspiracy to launder monetary instruments, an offense that carries a maximum sentence of 20 years in prison.

According to court documents, Chudnovets began offering money laundering services to cybercriminals as early as 2010. Prosecutors allege that he controlled and operated the E-Note payment processing service until law enforcement seized its infrastructure. “Until this seizure by law enforcement, Chudnovets offered money laundering services via the E-Note payment processing service, which he controlled and operated,” the DOJ said.

Investigators allege that Chudnovets worked closely with financially motivated cybercriminals to transfer criminal proceeds internationally and convert cryptocurrency into cash.

Servers, Websites, and Apps Seized in Coordinated Action

During the FBI E-Note cryptocurrency exchange takedown, U.S. and international authorities seized servers hosting the operation, as well as related mobile applications. Law enforcement also took control of the websites “e-note.com,” “e-note.ws,” and “jabb.mn.” U.S. authorities separately obtained earlier copies of Chudnovets’ servers, which included customer databases and transaction records, providing investigators with detailed insight into the alleged laundering activity.

The Justice Department confirmed that the action was carried out with support from the German Federal Criminal Police Office, the Finnish National Bureau of Investigation, and the Michigan State Police Michigan Cyber Command Center (MC3).

Investigation Led by FBI Detroit Cyber Task Force

The case is being investigated by the FBI Detroit Cyber Task Force, with Assistant U.S. Attorney Timothy Wyse prosecuting. The announcement was made jointly by United States Attorney Jerome F. Gorgon, Jr. and Jennifer Runyan, Special Agent in Charge of the FBI’s Detroit Division.

Authorities emphasized that individuals who believe their funds were laundered through E-Note should contact law enforcement. “Any individual who believes he/she is a victim whose funds were laundered through Chudnovets should reach out to law enforcement via email address e-note-information@fbi.gov,” the DOJ said.

The Justice Department also noted that the indictment remains an allegation. “An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.”

France Alleges ‘Fo ...

Cyber News

France is investigating whether “foreign interference” was behind remote access trojan (RAT) malware that was discovered on a passenger ferry. The ferry malware was “capable of allowing the vessel's operating systems to be controlled remotely,” Le Monde reported today, citing the Interior Minister.

Interior Minister Laurent Nuñez told France Info radio that hacking into a ship's data-processing system “is a very serious matter ... Investigators are obviously looking into interference. Yes, foreign interference.” Nuñez would not speculate whether the attack was intended to interfere with the ship’s navigation, and he did not specifically name Russia, but he said, "These days, one country is very often behind foreign interference."

The office of the Paris prosecutor said it had opened an investigation into a suspected attempt "by an organized group to attack an automated data-processing system, with the aim of serving the interests of a foreign power.”

Latvian Arrested in Ferry Malware Case

Two crew members, a Latvian and a Bulgarian, were detained after they were identified by Italian authorities, but the Bulgarian was later released. The Latvian was arrested and charged after the malware was found on the 2,000-passenger ferry Fantastic, which is owned by the Italian shipping company GNV, while it was docked in France's Mediterranean port of Sète.

GNV said it had alerted Italian authorities, saying in a statement that it had "identified and neutralized an attempt at intrusion on the company's computer systems, which are effectively protected. It was without consequences," France 24 reported.

Christian Cevaer, director of the France Cyber Maritime monitor, told AFP that any attempt to take control of a ship would be a "critical risk" because of "serious physical consequences" that could endanger passengers. Cevaer said such an operation would likely require a USB key to install the software, which would require "complicity within the crew."

The investigation is being led by France's domestic intelligence service, the General Directorate for Internal Security (DGSI), a sign of the importance of the case, France 24 said. After cordoning off the ship in the port, the DGSI inspected the Fantastic, “which led to the seizure of several items,” France 24 said. After technical inspections ruled out any danger to passengers, the ship was cleared to sail again. Searches were also conducted in Latvia with the support of Eurojust and Latvian authorities.

Meanwhile, the Latvian suspect’s attorney said the investigation “will demonstrate that this case is not as worrying as it may have initially seemed,” according to a quote from the attorney as reported by France 24.

Ferry Malware Follows French Interior Ministry Attack

The ferry malware incident closely follows a cyberattack on the French Interior Ministry’s internal email systems that led to the arrest of a 22-year-old man in connection with the attack. The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files.

Nuñez described the incident as more serious than initially believed. Speaking to France Info radio, he said, “It’s serious. A few days ago, I said that we didn’t know whether there had been any compromises or not. Now we know that there have been compromises, but we don’t know the extent of them.” Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information.

Cisco Warns of Activ ...

Firewall Daily

Cisco has identified an ongoing cyberattack campaign exploiting a vulnerability in a subset of its appliances running Cisco AsyncOS Software. The attack specifically affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances, allowing threat actors to execute arbitrary commands with root privileges. The vulnerability exploited in this campaign is tracked as CVE-2025-20393 and has been classified as critical with a CVSS 10.0 rating.

The vulnerability, detailed in Cisco Advisory ID cisco-sa-sma-attack-N9bf4, impacts appliances when the Spam Quarantine feature is enabled and exposed to the internet, a configuration that is not enabled by default according to Cisco deployment guides. Both physical and virtual instances of the affected appliances are vulnerable.

Cisco noted that the attack allows attackers to implant a persistence mechanism, maintaining long-term control over compromised appliances. The company has confirmed that the appliance components of Cisco Secure Email Cloud are not affected and that there is no evidence of exploitation against Cisco Secure Web.

Attack Detection and Timeline

The cyberattack was initially identified through a routine Cisco Technical Assistance Center (TAC) case. Following the discovery, Cisco Talos documented the threat in a blog post, noting the active targeting of Cisco Secure Email Gateway and Web Manager appliances. Evidence suggests that attackers leveraged exposed ports to gain unauthorized root access, disable security tools, and establish covert channels for ongoing remote access.

Administrators can check whether the Spam Quarantine feature is enabled by accessing the appliance's web management interface:

- For Cisco Secure Email Gateway: navigate to Network > IP Interfaces and select the interface configured for Spam Quarantine.
- For Cisco Secure Email and Web Manager: navigate to Management Appliance > Network > IP Interfaces and select the relevant interface.

If the Spam Quarantine checkbox is enabled, the appliance is vulnerable.

No Direct Workarounds for CVE-2025-20393

Cisco has stated that no immediate workarounds exist to fully mitigate the risk. Organizations are strongly urged to follow the recommended mitigation steps to restore appliances to a secure configuration. If an appliance is suspected of compromise, Cisco recommends opening a TAC case and, in confirmed cases, rebuilding the appliance to eliminate the threat actors’ persistence mechanisms.

Additional security hardening recommendations include:

- Restricting appliance access to known, trusted hosts and avoiding direct exposure to the internet.
- Deploying appliances behind firewalls and filtering traffic to allow only authorized communication.
- Separating mail and management network interfaces for Cisco Secure Email Gateway to limit internal access risk.
- Regularly monitoring web logs and sending logs to external servers for post-event analysis.
- Disabling unnecessary network services such as HTTP and FTP, and using SSL/TLS with certificates from trusted authorities.
- Upgrading appliances to the latest Cisco AsyncOS Software release.
- Implementing strong authentication methods such as SAML or LDAP, and creating dedicated administrator and operator accounts with passwords.

Cisco also recommends reviewing the deployment guides for both Secure Email Gateway and Secure Email and Web Manager to ensure all security best practices are followed.

Broader Implications

The cyberattack on Cisco Secure Email Gateway and Web Manager shows how an internet-exposed, misconfigured service port can lead to full system compromise. Organizations are urged to immediately assess their exposure, restrict access, and consult Cisco TAC about potential compromises, while continuously monitoring and patching appliances.

Leveraging Cyble’s real-time vulnerability intelligence can help detect zero-day exploits, new cyber threats, and high-risk vulnerabilities, enabling enterprises to prioritize and remediate critical risks efficiently. Request a Cyble demo today to strengthen your organization’s cyber resilience.

Askul Restarts Logis ...

Firewall Daily

Japanese office and household goods supplier Askul Corporation has begun restoring core logistics operations following a prolonged disruption caused by a ransomware incident. The Askul cyberattack, first detected on October 19, 2025, led to system outages, operational paralysis, and the confirmed exposure of sensitive personal and business data.

After nearly two months of recovery work, Askul announced that system-based shipment operations had resumed, starting with two logistics centers located in Tokyo and neighboring Saitama Prefecture. The company said that eight additional distribution hubs will be brought back online gradually as safety assessments are completed.

Speaking to reporters at a logistics center in Tokyo’s Edogawa Ward, President and CEO Akira Yoshioka issued a formal apology. “I sincerely apologize for the trouble and concern caused to many customers,” Yoshioka said. He added that the company was committed to pursuing “a full-fledged security governance reform” in response to the incident.

Disruption to Operations and Gradual Recovery

The Askul cyberattack forced the company to suspend nearly all online services shortly after detection. Order intake and shipping operations across its ASKUL, Soloel Arena, and LOHACO platforms were halted on the afternoon of October 19, following confirmation that ransomware had encrypted internal systems. During the initial recovery phase, Askul accepted only limited orders via fax, restricting shipments to a small selection of essential items.

As system restoration progressed, the company gradually expanded order acceptance, prioritizing high-demand products such as copier paper. However, Yoshioka declined to provide a timeline for full restoration of logistics operations, stating that the remaining hubs would reopen incrementally based on ongoing safety evaluations.

Confirmation of Large-Scale Data Theft

Beyond the operational disruption, the incident resulted in the loss of sensitive information. Askul confirmed that approximately 740,000 records were stolen during the ransomware incident, which has been linked to the RansomHouse extortion group.

According to Askul’s disclosures, the compromised data includes approximately 590,000 business customer service records and roughly 132,000 individual customer records. In addition, information related to around 15,000 business partners, such as agents, contractors, and suppliers, was affected, along with data belonging to about 2,700 executives and employees, including those at group companies.

Askul stated that detailed breakdowns of the exposed information were withheld to prevent secondary misuse. Affected customers and partners are being notified individually, and the company has reported the data breach to Japan’s Personal Information Protection Commission. Long-term monitoring measures have also been implemented to detect potential misuse of the stolen data.

Importantly, Askul clarified that it does not store customer credit card information for LOHACO transactions, as payment processing is handled through an external system designed to prevent the company from accessing such data.

Attack Timeline and RansomHouse Involvement

The RansomHouse group publicly claimed responsibility for the Askul cyberattack, first disclosing the breach on October 30. Additional data leaks followed on November 10 and December 2. Askul confirmed that all published data was reviewed and analyzed by October 31, November 11, and December 9, respectively. A dedicated inquiry desk for affected individuals was established on November 4.

In its 13th official update, released on December 12, Askul provided a detailed chronology of the incident. After detecting ransomware activity on October 19, the company immediately isolated suspected infected systems, disconnected networks, strengthened monitoring, and initiated a company-wide password reset. By 2:00 p.m. that day, a formal incident response headquarters and specialized recovery teams had been established.

External cybersecurity experts were engaged on October 20 to conduct forensic investigations, including log analysis and impact assessments. Despite these efforts, unauthorized access to an external cloud-based inquiry management system was identified on October 22. Password resets for major cloud services were completed by October 23, after which no further intrusions were confirmed.

Technical Findings and Root Cause Analysis

Askul’s investigation concluded that the attackers likely gained initial access using stolen authentication credentials tied to an outsourced partner’s administrative account that lacked multi-factor authentication. After entering the internal network, the attackers conducted reconnaissance, collected additional credentials, disabled endpoint detection and response (EDR) tools, and moved laterally across servers.

Notably, Askul confirmed that multiple ransomware variants were deployed, including strains that evaded the EDR signatures available at the time. Once sufficient privileges were obtained, the attackers simultaneously encrypted data across logistics and internal systems, including backup files, which delayed recovery efforts.

The attack had a severe impact on Askul’s logistics infrastructure, which relies heavily on automated warehouses, picking systems, and integrated logistics platforms. When these systems were disabled, outbound shipments were completely halted.

Investigators also confirmed unauthorized access to an external cloud-based inquiry management system, from which data was exfiltrated and later published. Askul stated that no evidence of compromise was found in its core business systems or customer-facing platforms.

Security Reforms and Governance Changes

In response to the data breach, Askul initiated sweeping security reforms aligned with the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. Enhancements include mandatory MFA for all remote access, strengthened log analysis, expanded 24/7 security monitoring, and improved asset integrity checks.

Askul has also committed to rebuilding its security governance framework by the end of the fiscal year in May 2026, focusing on enterprise risk management, clearer accountability, and stronger oversight.

The company noted that it has not contacted the attackers, negotiated, or paid any ransom, citing its responsibility to avoid encouraging criminal activity. It continues to cooperate with law enforcement, regulatory authorities, and information-sharing organizations such as JPCERT/CC.

The Stealka stealer ...

Threats

In November 2025, Kaspersky experts uncovered a new stealer named Stealka, which targets Windows users’ data. Attackers are using Stealka to hijack accounts, steal cryptocurrency, and install a crypto miner on their victims’ devices. Most frequently, this infostealer disguises itself as game cracks, cheats and mods. Here’s how the attackers are spreading the stealer, and how you can protect yourself.

How Stealka spreads

A stealer is a type of malware that collects confidential information stored on the victim’s device and sends it to the attackers’ server. Stealka is primarily distributed via popular platforms like GitHub, SourceForge, Softpedia, sites.google.com, and others, disguised as cracks for popular software, or cheats and mods for games. For the malware to be activated, the user must run the file manually.

Here’s an example: a malicious Roblox mod published on SourceForge.

Attackers exploited SourceForge, a legitimate website, to upload a mod containing Stealka

And here’s one on GitHub posing as a crack for Microsoft Visio.

A pirated version of Microsoft Visio containing the stealer, hosted on GitHub

Sometimes, however, attackers go a step further (and possibly use AI tools) to create entire fake websites that look quite professional. Without the help of a robust antivirus, the average user is unlikely to realize anything is amiss.

A fake website pretending to offer Roblox scripts

Admittedly, the cracks and software advertised on these fake sites can sometimes look a bit off. For example, here the attackers are offering a download for Half-Life 3, while at the same time claiming it’s not actually a game but some kind of “professional software solution designed for Windows”.

Malware disguised as Half-Life 3, which is also somehow “a professional software solution designed for Windows”. A lot of professionals clearly spent their best years on this software…

The truth is that both the page title and the filename are just bait. The attackers simply use popular search terms to lure users into downloading the malware. The actual file content has nothing to do with what’s advertised — inside, it’s always the same infostealer.

The site also claimed that all hosted files were scanned for viruses. When the user decides to download, say, a pirated game, the site displays a banner saying the file is being scanned by various antivirus engines. Of course, no such scanning actually takes place; the attackers are merely trying to create an illusion of trustworthiness.

The pirated file pretends to be scanned by a dozen antivirus tools

What makes Stealka dangerous

Stealka has a fairly extensive arsenal of capabilities, but its prime target is data from browsers built on the Chromium and Gecko engines. This puts over a hundred different browsers at risk, including popular ones like Chrome, Firefox, Opera, Yandex Browser, Edge, Brave, as well as many, many others.

Browsers store a huge amount of sensitive information, which attackers use to hijack accounts and continue their attacks. The main targets are autofill data, such as sign-in credentials, addresses, and payment card details. We’ve warned repeatedly that saving passwords in your browser is risky — attackers can extract them in seconds. Cookies and session tokens are perhaps even more valuable to hackers, as they can allow criminals to bypass two-factor authentication and hijack accounts without entering the password.

The story doesn’t end with the account hack. Attackers use these compromised accounts to spread the malware further. For example, we discovered the stealer in a GTAV mod posted on a dedicated site by an account that had previously been compromised.

Beyond stealing browser data, Stealka also targets the settings and databases of 115 browser extensions for crypto wallets, password managers, and 2FA services. Here are some of the most popular extensions now at risk:

- Crypto wallets: Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, Exodus
- Two-factor authentication: Authy, Google Authenticator, Bitwarden
- Password management: 1Password, Bitwarden, LastPass, KeePassXC, NordPass

Finally, the stealer also downloads local settings, account data, and service files from a wide variety of applications:

- Crypto wallets. Wallet configurations may contain encrypted private keys, seed-phrase data, wallet file paths, and encryption parameters. That’s enough to at least make an attempt at stealing your cryptocurrency. At risk are 80 wallet applications, including Binance, Bitcoin, BitcoinABC, Dogecoin, Ethereum, Exodus, Mincoin, MyCrypto, MyMonero, Monero, Nexus, Novacoin, Solar, and many others.
- Messaging apps. Messaging app service files store account data, device identifiers, authentication tokens, and the encryption parameters for your conversations. In theory, a malicious actor could gain access to your account and read your chats. At risk are Discord, Telegram, Unigram, Pidgin, Tox, and others.
- Password managers. Even if the passwords themselves are encrypted, the configuration files often contain information that makes cracking the vault significantly easier: encryption parameters, synchronization tokens, and details about the vault version and structure. At risk are 1Password, Authy, Bitwarden, KeePass, LastPass, and NordPass.
- Email clients. These are where your account credentials, mail server connection settings, authentication tokens, and local copies of your emails can be found. With access to your email, an attacker will almost certainly attempt to reset passwords for your other services. At risk are Gmail Notifier Pro, Claws, Mailbird, Outlook, Postbox, The Bat!, Thunderbird, and TrulyMail.
- Note-taking apps. Instead of shopping lists or late-night poetry, some users store information in their notes that has no business being there, like seed phrases or passwords. At risk are NoteFly, Notezilla, SimpleStickyNotes, and Microsoft StickyNotes.
- Gaming services and clients. The local files of gaming platforms and launchers store account data, linked service information, and authentication tokens. At risk are Steam, Roblox, Intent Launcher, Lunar Client, TLauncher, Feather Client, Meteor Client, Impact Client, Badlion Client, and WinAuth for battle.net.
- VPN clients. By gaining access to configuration files, attackers can hijack the victim’s VPN account to mask their own malicious activities. At risk are AzireVPN, OpenVPN, ProtonVPN, Surfshark, and WindscribeVPN.

That’s an extensive list — and we haven’t even named all of them! In addition to local files, this infostealer also harvests general system data: a list of installed programs, the OS version and language, username, computer hardware information, and miscellaneous settings. And as if that weren’t enough, the malware also takes screenshots.

How to protect yourself from Stealka and other infostealers

- Secure your device with reliable antivirus software. Even downloading files from legitimate websites is no guarantee of safety — attackers leverage trusted platforms to distribute stealers all the time. Kaspersky Premium detects malware on your computer in time and alerts you to the threat.
- Don’t store sensitive information in browsers. It’s handy — no one can argue with that. But unfortunately browsers aren’t the most secure environment for your data. Sign-in credentials, bank card details, secret notes, and other confidential information are better kept in a securely encrypted format in Kaspersky Password Manager, which is immune to the exploits used by Stealka.
- Be careful with game cheats, mods, and especially pirated software.
It’s better to pay up for official software than to chase the false savings offered by software cracks, and end up losing all your money. Enable two-factor authentication or use backup codes wherever possible. Two-factor authentication (2FA) makes life much harder for attackers, while backup codes help you regain access to your critical accounts if compromised. Just be sure not to store backup codes in text documents, notes, or your browser. For all your backup codes and 2FA tokens, use a reliable password manager. Curious what other stealers are out there, and what they’re capable of? Read more in our other posts: Beware of stealers disguised as… wedding invitations AMOS infostealer distributed via ChatGPT chat-sharing feature Banshee: A stealer targeting macOS users Arcane stealer instead of Minecraft cheats Efimer Trojan using hacked websites to steal cryptocurrency
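The two passages above describe the same access pattern from the defender’s side: a process that is not the owning application reading browser credential stores and cookie databases, then extension storage, then messenger, gaming and VPN session files, all in one sweep. The following Python detector is an added example written for this page; it is not code from the Kaspersky post and has nothing to do with Stealka’s own code. It assumes file-read telemetry (Windows Security event 4663 with a SACL on the user profile, or an EDR file-access feed; Sysmon does not record file reads by default) normalised into records with UtcTime, Image, ProcessId and TargetFilename fields. The artefact paths are the well-known default locations for each application; the sample events, the process name hl3_setup.exe, the backup agent and the extension ID are constructed.

```python
"""Flag non-owner processes reading the artefacts an infostealer sweeps up.

Input: file-read telemetry normalised to dicts with UtcTime (ISO 8601),
Image (full path of the reading process), ProcessId and TargetFilename.
Assumed source: Security event 4663 (SACL on the profile) or an EDR
file-access feed, since Sysmon does not log reads by default.
"""
import re
from datetime import datetime, timedelta

CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "browser.exe"}
GECKO = {"firefox.exe", "thunderbird.exe"}

# (family, case-insensitive path pattern, images allowed to read it)
ARTIFACTS = [
    ("chromium_credentials", r"\\user data\\(default|profile \d+)\\(login data|web data)$", CHROMIUM),
    ("chromium_key", r"\\user data\\local state$", CHROMIUM),  # DPAPI-wrapped AES key
    ("chromium_cookies", r"\\user data\\(default|profile \d+)\\(network\\)?cookies$", CHROMIUM),
    ("chromium_extension_storage", r"\\local extension settings\\[a-p]{32}\\", CHROMIUM),  # wallet/2FA/PM extensions
    ("gecko_credentials", r"\\profiles\\[^\\]+\\(key4\.db|logins\.json|cookies\.sqlite)$", GECKO),
    ("discord_tokens", r"\\discord\\local storage\\leveldb\\", {"discord.exe"}),
    ("telegram_session", r"\\telegram desktop\\tdata\\", {"telegram.exe"}),
    ("openvpn_config", r"\\openvpn\\config\\[^\\]+\.ovpn$", {"openvpn.exe", "openvpn-gui.exe"}),
    ("steam_session", r"\\steam\\config\\loginusers\.vdf$", {"steam.exe"}),
]
_RULES = [(family, re.compile(pat, re.I), allowed) for family, pat, allowed in ARTIFACTS]


def image_name(path):
    """Lower-cased executable name from a full Image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(target):
    """Return (family, allowed_images) if target is a sensitive artefact, else None."""
    for family, rx, allowed in _RULES:
        if rx.search(target):
            return family, allowed
    return None


def detect(events, window=timedelta(minutes=10), high_families=3):
    """Group suspicious reads per process and grade them.

    One foreign read (a backup agent touching a single file) is 'medium'.
    A process hitting several artefact families inside `window` is 'high':
    that is the stealer pattern, everything collected in one pass.
    """
    per_proc = {}
    for ev in events:
        hit = classify(ev["TargetFilename"])
        if hit is None:
            continue
        family, allowed = hit
        image = image_name(ev["Image"])
        if image in allowed:
            continue  # the owning application reading its own data
        rec = per_proc.setdefault((ev["ProcessId"], image), {
            "pid": ev["ProcessId"], "image": image,
            "families": set(), "files": [], "times": [],
        })
        rec["families"].add(family)
        rec["files"].append(ev["TargetFilename"])
        rec["times"].append(datetime.fromisoformat(ev["UtcTime"]))

    alerts = []
    for rec in per_proc.values():
        span = max(rec["times"]) - min(rec["times"])
        burst = len(rec["families"]) >= high_families and span <= window
        alerts.append({
            "pid": rec["pid"], "image": rec["image"],
            "families": sorted(rec["families"]), "files": rec["files"],
            "severity": "high" if burst else "medium",
        })
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["image"]))


def _ev(t, image, pid, target):
    return {"UtcTime": t, "Image": image, "ProcessId": pid, "TargetFilename": target}


# Constructed sample telemetry (not real logs); the extension ID is made up.
PROFILE = r"C:\Users\alice\AppData"
STEALER = PROFILE + r"\Local\Temp\hl3_setup.exe"
SAMPLE_EVENTS = [
    _ev("2025-12-18T09:10:00", r"C:\Program Files\Google\Chrome\Application\chrome.exe", 1200,
        PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev("2025-12-18T09:12:00", r"C:\Program Files\Mozilla Firefox\firefox.exe", 1300,
        PROFILE + r"\Roaming\Mozilla\Firefox\Profiles\x1y2z3w4.default-release\key4.db"),
    _ev("2025-12-18T09:15:02", STEALER, 4321, PROFILE + r"\Local\Google\Chrome\User Data\Local State"),
    _ev("2025-12-18T09:15:03", STEALER, 4321, PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev("2025-12-18T09:15:03", STEALER, 4321, PROFILE + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    _ev("2025-12-18T09:15:04", STEALER, 4321, PROFILE + r"\Local\Google\Chrome\User Data\Default"
        r"\Local Extension Settings\abcdefghijklmnopabcdefghijklmnop\000003.log"),
    _ev("2025-12-18T09:15:05", STEALER, 4321, PROFILE + r"\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    _ev("2025-12-18T09:15:06", STEALER, 4321, PROFILE + r"\Roaming\Telegram Desktop\tdata\key_datas"),
    _ev("2025-12-18T09:30:00", r"C:\Program Files\BackupAgent\backupagent.exe", 2200,
        r"C:\Program Files (x86)\Steam\config\loginusers.vdf"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] pid={a['pid']} {a['image']} read {', '.join(a['families'])}")
```

The family count inside a short window is what separates a stealer sweep from an ordinary foreign read: a backup agent that copies one Steam file is worth a look but not a page-out, while a freshly downloaded executable in Temp that walks credentials, cookies, extension storage and messenger tokens within seconds is the behaviour described in the post. Tune the allowed-image sets to the browsers and agents actually deployed, and treat the "high" alert as a trigger for the session-revocation and password-rotation steps above.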

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an "embedded malicious code vulnerability" introduced by means of a supply chain compromise

 Feed

Cisco has alerted users to a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The networking equipment major said it became aware of the intrusion campaign on December 10, 2025, and that it

 Feed

The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express). "The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile

 Feed

This week’s ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the next big breach could come from. From shifting infrastructures to clever social hooks, the week’s activity shows just how fluid the threat landscape has become. Here’s the full rundown of what

 Feed

Threat actors with ties to the Democratic People's Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December. The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole

 Feed

Within the past year, artificial intelligence copilots and agents have quietly permeated the SaaS applications businesses use every day. Tools like Zoom, Slack, Microsoft 365, Salesforce, and ServiceNow now come with built-in AI assistants or agent-like features. Virtually every major SaaS vendor has rushed to embed AI into their offerings. The result is an explosion of AI capabilities across

 Feed

A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023. "

 Feed

Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a

 Data loss

Think your Kindle is harmless? Think again! In this episode, we unpack a Black Hat Europe talk revealing how a boobytrapped audiobook could exploit the Amazon eBook reader - potentially letting an attacker break into your account and seize control of your credit card. Plus a blast from 2021's "summer of ransomware" returns to haunt Ireland's Health Service Executive, as victims are offered €750 each. And because it's the last show before the Christmas break, there's also a Pick of the Week that veers from cosy rom-com comfort to pointy-polygon nostalgia. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast with computer security veteran Graham Cluley, joined this week by special guest Danny Palmer.

2025-12
Aggregator history
Thursday, December 18