Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Telecom Company Freedom Mobile Suffers Data Breach Resulting in Data Leak

About the incident  Freedom Mobile has revealed a data breach that leaked personal information belonging to a limited number of customers. T...

All the recent news you need to know
Zero Day
CVE exploits LNKs Microsoft Vulnerabilities and Exploits Windows Zero Day

Microsoft Quietly Changes Windows Shortcut Handling After Dangerous Zero-day Abuse

 



Microsoft has changed how Windows displays information inside shortcut files after researchers confirmed that multiple hacking groups were exploiting a long-standing weakness in Windows Shell Link (.lnk) files to spread malware in real attacks.

The vulnerability, CVE-2025-9491, pertains to how Windows accesses and displays the "Target" field of a shortcut file. The attackers found that they could fill the Target field with big sets of blank spaces, followed by malicious commands. When a user looks at a file's properties, Windows only displays the first part of that field. The malicious command remains hidden behind whitespace, making the shortcut seem innocuous.

These types of shortcuts are usually distributed inside ZIP folders or other similar archives, since many email services block .lnk files outright. The attack relies on persuasion: Victims must willingly open the shortcut for the malware to gain an entry point on the system. When opened, the hidden command can install additional tools or create persistence.


Active Exploitation by Multiple Threat Groups

Trend Micro researchers documented in early 2025 that this trick was already being used broadly. Several state-backed groups and financially motivated actors had adopted the method to deliver a range of malware families, from remote access trojans to banking trojans. Later, Arctic Wolf Labs also observed attempts to use the same technique against diplomats in parts of Europe, where attackers used the disguised shortcut files to drop remote access malware.

The campaigns followed a familiar pattern. Victims received a compressed folder containing what looked like a legitimate document or utility. Inside sat a shortcut that looked ordinary but actually executed a concealed command once it was opened.


Microsoft introduces a quiet mitigation

Although Microsoft first said the bug did not meet the criteria for out-of-band servicing because it required user interaction, the company nonetheless issued a silent fix via standard Windows patching. With the patches in place, Windows now displays the full Target field in a shortcut's properties window instead of truncating the display after about 260 characters.

This adjustment does not automatically remove malicious arguments inside a shortcut, nor does it pop up with a special warning when an unusually long command is present. It merely provides full visibility to users, which may make suspicious content more easily identifiable for the more cautious users.

When questioned about the reason for the change, Microsoft repeated its long-held guidance: users shouldn't open files from unknown sources and should pay attention to its built-in security warnings.


Independent patch offers stricter safeguards

Because Microsoft's update is more a matter of visibility than enforcement, ACROS Security has issued an unofficial micropatch via its 0patch service. The update its team released limits the length of Target fields and pops up a warning before allowing a potentially suspicious shortcut to open. This more strict treatment, according to the group, would block the vast majority of malicious shortcuts seen in the wild.

This unofficial patch is now available to 0patch customers using various versions of Windows, including editions that are no longer officially supported.


How users can protect themselves

Users and organizations can minimize the risk by refraining from taking shortcuts coming from unfamiliar sources, especially those that are wrapped inside compressed folders. Security teams are encouraged to ensure Windows systems are fully updated, apply endpoint protection tools, and treat unsolicited attachments with care. Training users to inspect file properties and avoid launching unexpected shortcut files is also a top priority.

However, as the exploitation of CVE-2025-9491 continues to manifest in targeted attacks, the updated Windows behavior, user awareness, and security controls are layered together for the best defense for now. 

Read more »
spyware sanctions
global spyware operations Intellexa Iraq surveillance malware Predator spyware Recorded Future Insikt Group spyware sanctions

Intellexa Spyware Activity Appears to Slow in 2025, but New Research Suggests Broader Global Footprint

 

Despite U.S. sanctions imposed last year, the global footprint of Intellexa’s spyware operations may be larger and more elusive than previously believed, with researchers warning that shifting domain practices could be masking continued activity in 2025.

New research from Recorded Future’s Insikt Group reveals emerging evidence that Intellexa systems are currently being deployed in Iraq. The Record, which reported these findings, operates independently from Recorded Future.

Investigators also detected indicators “likely associated” with the use of Predator spyware by an entity connected to Pakistan. The report says it remains uncertain whether the intended targets were linked to Pakistan or if the operator was simply based within the country.

Intellexa, the creator of Predator spyware, has been at the center of global surveillance controversies, with its tools reportedly used against activists, journalists, and business leaders. Three former executives of the company are currently facing trial in Greece, where numerous victims of Predator surveillance have been identified.

The report also highlights ongoing Intellexa customer activity in Saudi Arabia, Kazakhstan, Angola, and Mongolia. Meanwhile, previous customers in Egypt, Botswana, and Trinidad and Tobago appear to have “ceased communication” since spring and summer — a shift that may reflect discontinued operations or a transition to new infrastructure.

A cluster linked to Mozambique, first identified earlier this year, continued functioning until at least late June 2025, according to the researchers.

This latest assessment builds on Insikt’s June report, which noted that Intellexa has repeatedly reconfigured its infrastructure in response to intensifying scrutiny — a strategy that complicates efforts to track its operations.

Researchers additionally uncovered several new companies suspected to be tied to Intellexa. Like many firms in the commercial spyware sector, Intellexa has long relied on shell companies and complex business networks to obscure its activities.

One newly identified company appears responsible for shipping Intellexa’s products to customers, while two more operate in the advertising sector and may be linked to a known infection vector that distributes spyware through online ads.

Two additional Intellexa-connected firms were traced to Kazakhstan and the Philippines, suggesting what researchers describe as an “expanding network footprint.”

Intellexa was added to the U.S. Commerce Department’s Entity List in July 2023, marking it as a threat to national security and foreign policy. In March 2024, the Commerce Department sanctioned founder Tal Jonathan Dilian, a former Israeli intelligence officer. Six months later, five more individuals and one affiliated entity were also sanctioned.

At the time, senior U.S. officials stressed the need for further action, pointing to Intellexa’s “opaque web of corporate entities, which are designed to avoid accountability.”

On Thursday, Amnesty International disclosed that Intellexa can remotely access Predator customer logs, allowing staff to view “details of surveillance operations and targeted individuals [which] raises questions about its own human rights due diligence processes,” according to Jurre van Bergen, Technologist at Amnesty’s Security Lab.

Van Bergen added: “If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware.”
Read more »
npm malware attack
Cyber Attacks cybersecurity risks Developers Malware Attack Malwares NPM NPM malware npm malware attack

Sha1-Hulud Malware Returns With Advanced npm Supply-Chain Attack Targeting Developers

 

A new wave of the Sha1-Hulud malware campaign has unfolded, indicating further exacerbation of supply-chain attacks against the software development ecosystem. The recent attacks have hit the Node Package Manager, or npm, one of the largest open-source package managers that supplies JavaScript developers around the world. Once the attackers compromise vulnerable packages within npm, the malicious code will automatically be executed whenever targeted developers update to vulnerable versions, oblivious to the fact. Current estimates indicate nearly 1,000 npm packages have been tampered with, thereby indirectly affecting tens of thousands of repositories. 

Sha1-Hulud first came into light in September 2025, when it staged its first significant intrusion into npm's ecosystem. The past campaign included the injection of trojanized code into weakly-secured open-source libraries that then infected every development environment that had the components installed. The malware from the initial attack was also encoded with a credential harvesting feature, along with a worm-like mechanism intended for the proliferation of infection. 

The latest rendition, seen in new activity, extends the attack vector and sophistication. Among others, it includes credential theft, self-propagation components, and a destructive "self-destruct" module that aims at deleting user data in case interference with the malware is detected. The malware now demonstrates wide platform compatibility, running across Linux, macOS, and Windows systems, and introduces abuse of GitHub Actions for remote code execution. 

The infection chain starts with a modified installation sequence. Inside the package.json file, the compromised npm packages bear a pre-install script named setup_bun.js. Posing as a legitimate installer for the Bun JavaScript runtime, the script drops a 10MB heavily obfuscated payload named bun_environment.js. From there, malware begins searching for tokens, API keys, GitHub credentials, and other sensitive authentication data. It leverages tools like TruffleHog to find more secrets. After stealing the data, it automatically gets uploaded into a public repository created under the victim's GitHub account, naming it "Sha1-Hulud: The Second Coming," thus making those files accessible not just to the attackers but to actually anyone publicly browsing the repository. 

The malware then uses the stolen npm authentication tokens to compromise new packages maintained by the victim. It injects the same malicious scripts into those packages and republishes them with updated version numbers, triggering automatic deployment across dependent systems. If the victim tries to block access or remove components, the destructive fail-safe is initiated, which wipes home directory files and overwrites data sectors-this significantly reduces the chances of data recovery. 

Security teams are encouraged to temporarily stop updating npm packages, conduct threat-hunting activities for the known IoCs, rotate credentials, and reevaluate controls on supply-chain risk. The researchers recommend treating any system showing signs of infection as completely compromised.
Read more »
Social Engineering
Cyber Fraud Phishing Campaign RMM Tools Social Engineering

Hackers Weaponize Trusted IT Tools for Full System Control

 

Malicious actors are weaponizing legitimate Remote Monitoring and Management (RMM) tools, turning trusted IT software into a means for unauthorized system access. This strategy represents a significant shift from traditional malware attacks, as it exploits programs like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to gain full remote control over a victim's computer, bypassing many conventional security measures because the software itself is not inherently malicious.

Modus operandi 

The core of this attack methodology lies in social engineering, where attackers trick individuals into installing these legitimate RMM applications under false pretenses. Security researchers have noted a significant increase in telemetry for detections labeled RiskWare.MisusedLegit.GoToResolve, indicating a rise in this type of threat. The attackers employ various deceptive tactics, including using misleading filenames for the installers.

One common method involves sending phishing emails that appear legitimate. For instance, an email sent to a user in Portugal contained a link that, when hovered over, pointed to a file hosted on Dropbox. By using a legitimate file-hosting service like Dropbox and a trusted RMM tool, attackers increase the likelihood of bypassing security software that might otherwise flag suspicious links or attachments .

In other cases, attackers set up fraudulent websites that perfectly mimic the download pages of popular free utilities like Notepad++ and 7-Zip, tricking users into downloading the malicious RMM installer instead of the software they were seeking.

When a victim clicks the malicious link, it delivers an RMM installer that has been pre-configured with the attacker’s unique "CompanyId." This hardcoded identifier automatically links the victim's machine directly to the attacker’s control panel.

This setup allows the attacker to instantly spot and connect to the newly compromised system without the need for stolen credentials or the deployment of additional malware . Because RMM tools are designed to run with administrative privileges, and their network traffic is often allowed by firewalls and other security solutions, the malicious remote access blends in with normal IT administrative traffic, making it extremely difficult to detect.

Mitigation tips

To defend against this evolving threat, it is crucial to be vigilant about the source of all software downloads .

  • Download carefully: Always download software directly from the official developer's website or verified sources.
  • Verify before installing: Check file signatures and certificates before running any installer to ensure they are from a trusted publisher.
  • Question unexpected prompts: If you receive an unexpected prompt to update software, verify the notification through a separate, trusted channel, such as by visiting the official website directly .
  • Stay updated: Keep your operating system and all installed software up to date with the latest security patches.
  • Recognize social engineering: Learn to identify the deceptive tricks attackers use to push malicious downloads .
Read more »
Phishing Attacks
Account Takeover AI Powered Scams Amazon Scam Alert Consumer Data Protection Cyber Security Cyberthreats Fake Retail Websites Holiday Fraud Risks Online Shopping Safety Phishing Attacks

Amazon Sounds Alarm Over Attack Threatening 300 Million Accounts

 


In the face of looming Black Friday 2025 frenzy, Amazon has unveiled a warning to its large customer base that is expected to overlap the holiday season's busiest shopping week. The warning warns of a surge in sophisticated scams expected to shadow the holiday season's busiest shopping week. On November 24, the company emailed a security advisory to millions of users, one that Forbes first reported on, warning that cybercriminals are increasingly exploiting the seasonal spike in online purchases by impersonating individuals, using fraudulent advertising, and sending unsolicited messages to elicit personal and financial information from them. 

There are approximately 310 million active customers on Amazon, making the retailer a high-value target for attackers looking for easy money during the holiday season, so they outlined five prominent tactics currently used to deceive shoppers, including the use of fake account verification emails and unsolicited phone calls to deceive shoppers. 

As Consumer Protection experts, we agree with these concerns; Mr. Mike Andrews, a representative from National Trading Standards, told Metro that scammers have an advantage over consumers when it comes to the weeks leading up to Christmas, knowing that even a small fraction of successful attempts during peak retail activities can yield significant returns. 

In a new study published in the journal Cybercrime: Science and Technology, a cybercriminal network has stepped up their impersonation campaigns against global companies such as Netflix, PayPal, and many more, with the use of browser-based notification traps and criminal infrastructures, as well as a variety of other methods for deceiving large numbers of users. 

Amidst this background, Amazon’s advisory dated November 24 details how similar tactics have now been employed against Amazon’s own customers, as scammers are attempting to coerce victims into providing them with personal data, financial credentials, and Amazon login information in exchange for money. The fact that such scams aren't new, but they have become more refined and adaptive as they cycle through techniques such as credential-stuffing attacks and malware-assisted account takeovers. 

Fraudsters often carry out such operations by posing as customer service personnel or technical support personnel - a similar tactic that the FBI has also warned about in parallel alerts concerning bank-related scams. The underlying mechanics of the deception are essentially the same: attackers send persuasive text messages, emails, or phone calls that push customers to verify activity, or to resolve a supposed issue, resulting in password disclosures or multifactor authentication codes. 

A fraudster will immediately reset all of the security settings within an account once he has gained access. He will lock out legitimate users' accounts as soon as he gets access. A recent study by the FBI reveals that there have been an increase in lookalike websites and bogus alerts mimicking delivery updates and promotional offers, as well as misleading third-party advertisements and unsolicited calls masquerading as Amazon support. 

These methods are closely related to the patterns outlined in recent FBI investigations. According to FortiGuard Labs, new findings published on November 25 further emphasize the urgency of Amazon's warning. These findings indicate a sharp increase in threats specifically designed for the holiday season, which has already been identified by the researchers. 

Over 18,000 domains were recently registered that included the terms "Black Friday," "Christmas," and "Flash Sale," with over 750 of those domains already confirmed to be malicious. In addition, nearly 3,000 of the 19,000 domains that were designed to mimic major retailers, including Amazon, were verified by the report as fraudulent, of which nearly half were identified as frauds. Decoy sites are often created with subtle spelling variations and visual similarities, which can be easily overlooked by shoppers who are rushing through deals while focusing on them. 

Among the cyber security experts who warn that the threat landscape is changing at a rapid rate, experts like Anne Cutler of Keeper Security point out that many of the latest scams are driven by artificial intelligence. By doing so, attackers are able to generate convincing order confirmations, spoofed customer service conversations, and highly realistic retailer websites with the aid of artificial intelligence. 

A response to these escalating risks has been the adoption by Amazon of stricter digital hygiene guidelines. Amazon has requested that customers rely solely on the Amazon app or website to manage their accounts, enable two-factor authentication or use passkeys to protect their login credentials, and remember that Amazon never solicits your payment or credential information via unsolicited phone calls or email. 

There is no doubt that the retailer stressed the importance of these safeguards as cybercriminals intensify their efforts before the busiest shopping season of the year. In the end, Amazon shoppers should also keep in mind that security experts warn that the threat goes well beyond phishing attacks and fraudulent domains; it is also possible to face threats within the broader online marketplace. 

A researcher, Mike Andrews, explains that artificial intelligence has made it significantly easier for scammers to manipulate product credibility by creating a large volume of convincing fake reviews on popular platforms like Google, Trustpilot, and Amazon in order to create fake reviews for their products. A growing number of bots are capable of flooding product pages with glowing testimonials, making it more difficult for customers to distinguish genuinely well-rated products from items that have been artificially boosted to mask inferior and even dangerous products. 

In addition, Andrews explains that despite the difficulty of quantifying the amount of online reviews that may be misleading, consumers should not rely on them blindly when making purchase decisions. If a high number of reviews appears within a very short period of time, overly vague praise without mentioning product features, or suspiciously generic comments are noticed, it may be a sign that the product is not as good as it sounds. 

It is possible to gain additional perspective using services like TheReviewIndex and RateBud that analyze review authenticity. Such manipulations of customer reviews vary in their goals. However, they are often aimed at convincing shoppers to make a purchase for substandard items or to purchase products that may never arrive in their hands. 

There is also an aggressive scam that seeks personal information, financial information, or Amazon login credentials through fake messages, advertisements, or phone calls. Moreover, Andrews warns that social media advertisers are becoming increasingly sophisticated when it comes to deceptive advertising, with artificial intelligence (AI) often generating storefronts that mimic small businesses or festive markets using fake images and videos. 

Even though these sites sound quite convincing, they often deliver nothing more than cheaply produced goods shipped from overseas, leaving customers disappointed and out of pocket. A surge in seasonal scams, on the other hand, illustrates the importance of taking an active role in one's online security as a shopper. Analysts believe that even simple habits, such as verifying sender addresses, checking URLs, updating passwords, and enabling multi-factor authentication, are enough to prevent the vast majority of attempts to penetrate an online network. 

The consumer is also encouraged to inform Amazon and the relevant authorities of suspicious pages or messages, so that they can be dismantled before they spread. Even though cybercriminals are developing their tactics with artificial intelligence (AI) and precision, the best way to stop them is to have an informed public that shop deliberately, questions what might be unexpected, and prioritizes safety over urgency.
Read more »
Phishing Attacks
Cyber Security Data Digital Scams Identity Thefts Internet Phishing Attacks

Scammers Used Fake WhatsApp Profiles of District Collectors in Kerala


Scammers target government officials 

In a likely phishing attempt, over four employees of Kasaragod and Wayanad Collectorates received WhatsApp texts from accounts imitating their district Collectors and asking for urgent money transfers. After that, the numbers have been sent to the cyber police, according to the Collectorate officials. 

Vietnam scammers behind the operation 

The texts came from Vietnam based numbers but showed the profile pictures of concerned collectors, Inbasekar K in Kasaragod and D R Meghasree. 

In one incident, the scammers also shared a Google Pay number, but the target didn't proceed. According to the official, "the employees who received the messages were saved simply because they recognised the Collector’s tone and style of communication." 

Two employees from Wayanad received texts, all from different numbers from Vietnam. In the Kasaragod incident, Collector Inbasekar said a lot of employees received the phishing texts on WhatsApp. Two employees reported the incident. No employee lost the money. 

Scammers used typical scripts

The scam used a similar script in the two districts. The first text read: Hello, how are you? Where are you currently? In the Wayanad incident, the first massage was sent around 4 pm, and in Kasaragod, around 5:30 pm. When the employee replied, a follow up text was sent: Very good. Please do something urgently. This shows that the scam followed the typical pitches used by scammers. 

The numbers have been reported to the cyber police. According to Wayanad officials, "Once the messages were identified as fake, screenshots were immediately circulated across all internal WhatsApp groups." Cyber Unit has blocked both Vietnam-linked and Google Pay numbers.

What needs to be done?

Kasaragod Collector cautioned the public and staff to be careful when getting texts asking for money transfers. Coincidentally, in both the incidents, the texts were sent to staff employed in the Special Intensive Revision of electoral rolls. In this pursuit, the scammers revealed the pressures under which booth-level employees are working.

According to cyber security experts, the fake identity scams are increasingly targeting top government officials. Scammers are exploiting hierarchical structures to trick officials into acting promptly. “Police have urged government employees and the public to avoid responding to unsolicited WhatsApp messages requesting money, verify communication through official phone numbers or email, and report suspicious messages immediately to cybercrime authorities,” the New Indian Express reported.

Read more »
Subscribe to: Comments (Atom)

Featured