
All the recent news you need to know

Shadow Campaigns Expose 37 Nations to State-Linked Cyber Espionage Operations


A state-backed cyber espionage effort known as the “Shadow Campaigns” has quietly breached government bodies and critical infrastructure across 37 countries. Investigators from Palo Alto Networks’ Unit 42 assess that the activity began by early 2024 and likely originates from Asia. While no formal attribution has been made, the actor is tracked as TGR-STA-1030 or UNC6619. The campaign is marked by stealth and persistence, focusing on long-term intelligence gathering rather than overt disruption. 

At least 70 organizations were confirmed compromised, primarily government ministries and agencies handling finance, trade, energy, mining, immigration, border control, diplomacy, and law enforcement. Victims span multiple regions, including Brazil’s Ministry of Mines and Energy, Mexican and Bolivian government-linked entities, infrastructure in Panama, and agencies across Europe such as those in Germany, Italy, Poland, and Czechia. Other affected organizations include an Indonesian airline, Malaysian government departments, Mongolian law enforcement, a Taiwanese power equipment supplier, and critical infrastructure entities across parts of Africa. 

Reconnaissance activity was even broader. Between November and December, infrastructure linked to 155 countries was scanned. Systems associated with Australia’s Treasury, Afghanistan’s Ministry of Finance, Nepal’s prime minister’s office, and hundreds of European Union and German government IP addresses showed signs of probing. Analysts noted spikes in activity during politically sensitive periods, including the U.S. government shutdown in October 2025 and the lead-up to Honduras’ national election, suggesting interest in geopolitical developments. Initial access often relied on highly targeted phishing emails referencing internal government matters. 

These messages delivered malware via compressed files hosted on Mega.nz, deploying a loader called Diaoyu that could fetch Cobalt Strike and VShell payloads after performing evasion checks. The group also exploited at least 15 known vulnerabilities in products such as Microsoft Exchange Server, SAP Solution Manager, D-Link devices, and Windows systems. A key finding was a custom Linux kernel rootkit, ShadowGuard, which operates at the kernel level to hide malicious activity and evade detection. 

Infrastructure supporting the campaign used legitimate VPS providers in the U.S., Singapore, and the U.K., along with relay servers and anonymization layers. Researchers conclude the actor is highly capable and remains an ongoing threat to governments and critical services worldwide.
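One check a practitioner can run against the class of rootkit described above, added here as an example that is not Unit 42's tooling and knows nothing ShadowGuard-specific: a kernel rootkit that hides a process by filtering the /proc directory listing still has to answer kill(pid, 0) for that process, so a PID the kernel reports alive but that never appears in readdir("/proc") deserves a look. The /proc paths and the Tgid parsing are standard Linux; the structure of the sweep is an assumption of this example.

```python
"""Hidden-process check: compare what /proc lists with what the kernel admits is alive.

Generic technique for rootkits that hook directory listing (ps, top and ls /proc
all go through readdir). Not specific to any one rootkit.
"""
import os


def pids_from_proc(proc_root="/proc"):
    """PIDs as the filesystem view reports them (what ps and top would see)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def is_alive(pid):
    """Probe with signal 0: nothing is delivered, but the kernel reports existence.
    EPERM means the task exists under another user; ESRCH means no such task."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def is_thread(pid, proc_root="/proc"):
    """Linux also answers kill(tid, 0) for non-main threads, whose TIDs never appear
    in the /proc listing; Tgid != pid identifies them so they are not false positives.
    A rootkit that only filters readdir leaves /proc/<pid>/status reachable by name;
    if the file cannot be read at all the PID is kept as a candidate."""
    try:
        with open(f"{proc_root}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def hidden_pids(listed, alive):
    """Pure set difference, kept separate so the logic is testable without a kernel."""
    return sorted(alive - listed)


def scan(proc_root="/proc", max_pid=None):
    """Sweep the whole PID space. The listing is taken before and after the sweep and
    candidates are re-probed, so tasks that merely started or exited mid-sweep are
    not reported. Expect a few seconds at the default pid_max."""
    if max_pid is None:
        with open(f"{proc_root}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    seen_before = pids_from_proc(proc_root)
    candidates = {pid for pid in range(1, max_pid + 1)
                  if is_alive(pid) and not is_thread(pid, proc_root)}
    seen_after = pids_from_proc(proc_root)
    still_alive = {pid for pid in candidates if is_alive(pid)}
    return hidden_pids(seen_before | seen_after, still_alive)


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} is alive but not listed in /proc: investigate")
```

It is one cross-check, not proof: a rootkit that also hooks kill() or the reads of /proc/<pid>/status will pass it, which is why rootkit hunters layer several independent views of the same state. Inside a container only the PID namespace's own tasks are visible to both probes, so run it on the host.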

Nitrogen Ransomware Bug Locks Out Attackers from Victims' Data


Nitrogen ransomware developers have suffered a self-inflicted blow due to a critical coding error that permanently locks victims' data, even from themselves. This bug in their VMware ESXi-targeting malware corrupts the public key during encryption, rendering decryption impossible despite payments. Cybersecurity firm Coveware's analysis highlights how the group's overconfidence backfired spectacularly.

The flaw stems from a memory handling error in Nitrogen's code, which is derived from the leaked Conti 2 source. During encryption, an 8-byte (QWORD) store into an adjacent variable overlaps the buffer holding the embedded public key and overwrites its first four bytes with zeros. The corrupted key no longer corresponds to the operators' private key, so anything encrypted under it is mathematically infeasible to recover, for the attackers as much as for anyone else. Victims without backups face total data loss, a bitter irony given the group's double-extortion model. 
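A reconstruction of the bug class, added here as an example; it is not Nitrogen's or Conti's code. The struct layout, the field names and the counter value are assumptions chosen to reproduce the reported symptom, and the key exchange is plain Diffie-Hellman over integers (using the P-256 field prime only as a modulus) so that the consequence, the operators' private key no longer matching, can be shown with the Python standard library; it is not the scheme the malware uses.

```python
"""An 8-byte store into a 4-byte field that sits just before the embedded public key.

Assumed layout and toy key exchange; not the malware's real code or cipher suite.
Little-endian layout (x86) is assumed: the high dword of a small QWORD is zero.
"""
import ctypes
import hashlib

P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF  # P-256 field prime, used only as a DH modulus
G = 2


class EncryptCtx(ctypes.Structure):
    """Assumed layout: a 32-bit counter immediately followed by the 32-byte public key."""
    _pack_ = 1
    _fields_ = [("file_counter", ctypes.c_uint32),
                ("pubkey", ctypes.c_uint8 * 32)]


def load_counter_buggy(ctx, value):
    """The defect: the value is written as a QWORD into the 4-byte slot. For any
    counter below 2**32 the upper half of the QWORD is zero and lands on pubkey[0:4]."""
    qword = ctypes.c_uint64(value)
    ctypes.memmove(ctypes.addressof(ctx), ctypes.addressof(qword), 8)


def load_counter_fixed(ctx, value):
    """Correct store: only the 4 bytes of the field are touched."""
    ctx.file_counter = value & 0xFFFFFFFF


def keygen(priv):
    """Operator's public key as the 32 bytes that get embedded in the binary."""
    return pow(G, priv, P).to_bytes(32, "big")


def encrypt_file_key(ctx, eph_priv):
    """Malware side: ephemeral DH against whatever bytes are in ctx.pubkey.
    Returns the ephemeral public value written to the file header and the file key."""
    y = int.from_bytes(bytes(ctx.pubkey), "big")
    header = pow(G, eph_priv, P).to_bytes(32, "big")
    shared = pow(y, eph_priv, P).to_bytes(32, "big")
    return header, hashlib.sha256(shared).digest()


def recover_file_key(header, priv):
    """Operator side: the decryptor combines the header with the real private key."""
    shared = pow(int.from_bytes(header, "big"), priv, P).to_bytes(32, "big")
    return hashlib.sha256(shared).digest()


def run(buggy):
    """Returns (decryptor recovers the file key?, embedded key intact?, first 4 key bytes)."""
    priv = 0x1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF  # assumed
    eph = 0x0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9   # assumed
    pub = keygen(priv)
    ctx = EncryptCtx()
    ctx.pubkey = (ctypes.c_uint8 * 32)(*pub)
    (load_counter_buggy if buggy else load_counter_fixed)(ctx, 1)
    header, file_key = encrypt_file_key(ctx, eph)
    recovered = recover_file_key(header, priv)
    return recovered == file_key, bytes(ctx.pubkey) == pub, bytes(ctx.pubkey)[:4]


if __name__ == "__main__":
    print("fixed:", run(buggy=False))
    print("buggy:", run(buggy=True))
```

With the fixed store both sides derive the same file key; with the buggy store the key bytes begin with four zeros and a decryptor holding the real private key derives a different key, so the files stay locked. The defensive lesson carries over to legitimate code that handles embedded keys: verify the key against a known fingerprint immediately before use, because an adjacent-field write corrupts it silently.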

Nitrogen, active since 2023, employs sophisticated multi-stage loaders delivered via malvertising and trojanized apps like WinSCP. Initial access leads to DLL sideloading, stagers unpacking Python scripts, and C2 beacons such as Cobalt Strike for persistence and lateral movement. The operation exfiltrates data to Bulgarian servers before encrypting files with a ".nba" extension and dropping "readme.txt" ransom notes. Targets span finance, manufacturing, and healthcare, including recent hits on Durashiloh and LumioDental. 

The case illustrates a recurring hazard in ransomware development: operators reuse poorly written code without adequate testing. Coveware notes that the ESXi strain can leave hypervisors unrecoverable, and that the attackers tend to lose interest in such victims after negotiations fail. That strengthens the case for not paying: when the key is corrupted, a payment buys nothing. Immutable backups and network segmentation remain the essential countermeasures. 

The episode also shows how attackers' haste can work against them. The Nitrogen leak site, “NitroBlog,” has begun listing victims whose data is unrecoverable, though experts recommend ignoring such threats. More careful code review would have prevented this self-defeating bug, but the pace at which malware is assembled from borrowed code means similar errors are likely to recur.

Cloudflare Launches Moltworker to Run Self-Hosted AI Agent Moltbot on Its Developer Platform


Cloudflare has unveiled Moltworker, an open-source framework designed to run Moltbot—a self-hosted personal AI agent—directly on its Developer Platform, eliminating the requirement for dedicated on-premise hardware. Moltbot, formerly known as Clawdbot, functions as a customizable personal assistant that operates within chat applications. It connects with AI models, web browsers, and third-party services while maintaining user control over data and workflows.

Moltworker modifies Moltbot to function within Cloudflare Workers by pairing an entrypoint Worker with isolated Sandbox containers. The Worker serves as the API routing and administrative interface, while Moltbot’s runtime and integrations execute inside secure Sandboxes. To overcome the temporary nature of containers, persistent data—such as conversation history and session information—is stored in Cloudflare R2.

The deployment takes advantage of recent improvements to Node.js compatibility within Cloudflare Workers. According to Cloudflare, enhanced native Node API support reduces reliance on workaround solutions and enables a wider range of npm packages to run without modification. Although Moltbot currently runs primarily inside containers, the company suggests that stronger compatibility could allow more agent logic to shift closer to the edge over time.

Moltworker also incorporates multiple Cloudflare services to mirror and expand upon the local Moltbot setup. AI traffic is routed through Cloudflare AI Gateway, which provides access to multiple model providers along with centralized monitoring and configuration tools. Browser automation is powered by Cloudflare Browser Rendering, enabling Moltbot to operate headless Chromium sessions for tasks such as page navigation, form submissions, and content extraction—without embedding a browser directly within the container. Access control for APIs and the administrative interface is secured through Cloudflare Zero Trust Access.

Early community feedback has been divided. Some users view the hosted model as a way to simplify deployment and encourage broader adoption. Commenting on the announcement, Peter Choi noted that running Moltbot on Cloudflare could significantly broaden adoption, but questioned whether the shift alters the project’s original appeal, which emphasized full local control.

Others emphasized operational convenience. One user wrote: "I've been self-hosting on a VPS, which works fine, but managing the box is a chore. This looks like the 'set it and forget it' version. Curious how state persistence works across worker invocations."

Cloudflare has released Moltworker as an open-source project on GitHub and describes it as a proof of concept rather than a fully supported product. The company presents it as a demonstration of how its Developer Platform—integrating Workers, Sandboxes, AI Gateway, Browser Rendering, and storage services—can securely deploy and scale AI agents at the edge.


Global Data Indicates Slowdown in Ransomware Targeting Education


On campuses once defined by open exchange and quiet routine, a new kind of disruption has taken hold, one that arrives not in force but as encrypted files, locked networks, and terse ransom notes. 

Over the past year, ransomware has evolved from an isolated IT emergency into a systemic operational crisis for school districts, universities, and public agencies. Lecture schedules stall, admissions systems freeze, and payroll cycles wobble, and administrators face not only technical recovery but reputational and legal exposure. 

What was once treated as a cybersecurity issue has spread into governance, continuity planning, and public trust. Recent figures suggest the pace has slowed somewhat: with approximately 180 attacks documented worldwide across the first three quarters of 2025, ransomware incidents targeting the education sector recorded their first quarterly decline since early 2024. 

On the surface that looks like a pause in digital extortion. Beneath the statistical dip lies a more complicated picture: the slowdown appears to reflect a recalibration of attacker priorities rather than stronger defenses or a retreat. 

Rather than casting a wide net, attackers are choosing targets more deliberately, spending longer on reconnaissance, and applying pressure where disruption hurts most. The apparent decline therefore signals adaptation, not diminished risk. 

Data from the U.K.-based research firm Comparitech supports that reading. In its latest education ransomware roundup, the company reports 251 publicly reported attacks on educational institutions worldwide in 2025, a marginal increase from 247 in 2024. Of these, 94 have been formally acknowledged by the affected institutions.

On paper the volume is flat, but the operational consequences are not. Approximately 3.9 million records were exposed through confirmed breaches in 2025, up 27 percent from the 3.1 million compromised in 2024. 

Analysts caution that this figure is preliminary. Public-sector disclosure timelines are often delayed, particularly in the immediate aftermath of an intrusion, and several incidents from the second half of the year are still being evaluated. As further breach notifications are filed the cumulative total is expected to rise, so the true extent of the data loss may not yet be apparent. 

Breaking the figures down by institution type reveals a clear divergence in impact. K-12 districts accounted for roughly three quarters of reported incidents in both 2024 and 2025, but higher education institutions were more likely to suffer substantial data exposures. 

That gap widened sharply in 2025, from approximately 1.1 million compromised records reported in 2024 to 1.9 million in 2025. In the United States, K-12 breaches exposed approximately 175,000 records, while breaches at colleges and universities exposed approximately 3.7 million. 

Comparitech attributed much of the increase to a small number of high-impact intrusions linked to a previously undisclosed vulnerability in Oracle E-Business Suite that came to light in August. 

CLOP exploited the flaw as a zero-day, before the vendor was aware of it, to gain unauthorized access to enterprise environments, resulting in confirmed breaches at five academic institutions. The episode illustrates a broader pattern in the current threat landscape: fewer opportunistic attacks, more targeted exploitation of enterprise-grade software, and a greater emphasis on high-yield compromises that produce large data exposures. 

Shifting criminal economics, rather than any sustained defensive advantage, appears to explain the relative stability in incident counts. In Comparitech's January analysis, some threat groups may have redirected operational resources toward manufacturing, where supply chain dependencies and production downtime tend to produce faster ransom negotiations. 

With ransomware activity continuing across other verticals, that redistribution of focus has left schools and universities with a plateau in annual attack totals. Financial demands on the sector have also shifted: the average ransom demand fell from $694,000 in 2024 to $464,000 in 2025. 

At first glance that reduction might suggest shrinking leverage. Analysts caution, however, that headline figures do not capture an incident's full cost, which typically includes forensic investigation, legal review, system restoration, regulatory notification, and reputational repair. These attacks carry a substantial economic burden well beyond the initial extortion amount. 

Operational disruption remains central to these attacks. Uvalde Consolidated Independent School District reported a ransomware intrusion in September that forced it to close its schools temporarily after malicious code was discovered on district servers supporting telephony, video monitoring, and visitor management.

According to district communications, the affected infrastructure is integral to campus safety and security. In a subsequent update the district informed the public that it had not paid the ransom and had restored its systems from backups; it found no indication that sensitive or personal information had been accessed without authorization, although a comprehensive investigation was still under way. 

Beyond confirmed disclosures, claims posted by extortion groups illustrate the pressure local education agencies face. Comparitech reports that Medusa named Fall River Public Schools and Franklin Pierce Schools as 2025 targets and demanded $400,000 from each district. 

Neither district had publicly confirmed the full scope of the claims at the time of reporting, but both cases rank among the five largest ransom demands made against educational institutions worldwide last year. Taken together, the data reinforce a consistent pattern despite stabilizing attack volumes and falling average demands. 

The sector remains exposed to episodic, high-impact events that can disrupt instruction, undermine public confidence, and put large volumes of data at risk. The tactical tempo may change, but the structural vulnerability does not, and the implications for policymakers and institutional leaders are clear. 

The current trajectory calls not for complacency but for structural reinforcement. Education networks are often decentralized and resource-constrained and rely heavily on legacy enterprise systems. Protecting them requires disciplined patch management, network segmentation, enforced multi-factor authentication, and continuous monitoring capable of detecting lateral movement before encryption begins. 

Incident response planning should also be integrated into executive governance, so that crisis decision-making, legal review, and stakeholder communication frameworks are established well before an intrusion occurs. 

As ransomware groups continue to favor precision over volume, resilience will depend largely on embedding cybersecurity as a core operational function rather than treating it as a peripheral IT responsibility addressed only after isolated events.

Windows Malware Distributed Through Pirated Games Infects Over 400,000 Systems


A Windows-focused malware operation spreading through pirated PC games has potentially compromised more than 400,000 devices worldwide, according to research released by Cyderes. The company identified the threat as “RenEngine loader” and reported that roughly 30,000 affected users are located in the United States alone.

Investigators found the malicious code embedded inside cracked and repackaged versions of popular game franchises, including Far Cry, Need for Speed, FIFA, and Assassin’s Creed. The infected installers appear to function normally, allowing users to download and play the games. However, while the visible game content runs as expected, concealed code executes in parallel without the user’s awareness.

Researchers traced part of the operation to a legitimate launcher built on Ren'Py, an engine commonly used for visual novel-style games. The attackers embedded harmful components within this launcher framework. When executed, the launcher decompresses archived game files as intended, but at the same time initiates the hidden malware routine.

According to Cyderes, the campaign has been active since at least April of last year and remains ongoing. In October, the operators modified the malware to include an embedded telemetry URL. Each time the RenEngine loader runs, it connects to this address, allowing the attackers to log activity. Analysis of that telemetry endpoint enabled researchers to estimate overall infection levels, with the system recording between 4,000 and 10,000 visits per day.

Telemetry data indicates that the largest concentrations of victims are in India, the United States, and Brazil; the roughly 30,000 U.S. systems cited above were identified through this tracking mechanism.

The loader’s primary function is to deliver additional malicious software onto compromised machines. In multiple cases, researchers observed it deploying a Windows-based information stealer known as ARC. This malware is designed to extract stored browser passwords, session cookies, cryptocurrency wallet information, autofill entries, clipboard data, and system configuration details.

Cyderes also reported observing alternative payloads delivered through the same loader infrastructure, including the Rhadamanthys stealer, AsyncRAT, and XWorm. These tools can steal credentials and, in some cases, provide remote control of the system, allowing attackers to monitor activity or manipulate infected devices.

The investigation identified one distribution source, dodi-repacks[.]site, as hosting downloads containing the embedded malware. The domain has previously been associated with other malicious distribution activity.

Detection remains limited at the initial infection stage. Public scan results from Google’s VirusTotal platform indicate that, aside from Avast, AVG, and Cynet, most antivirus engines currently do not flag the loader component as malicious. This detection gap increases the likelihood that users may remain unaware of compromise.
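Since endpoint detection of the loader is thin, network telemetry is the other place to look. The following added example (not Cyderes' tooling) runs two checks over constructed proxy log lines: a match against the distribution domain the report names, and a periodicity test that flags a client contacting the same URL at near-constant intervals, the signature of a timer-driven telemetry check-in like the one described above. The log format, the client addresses and the telemetry.example endpoint are made up for the demo; the report does not disclose the real telemetry URL.

```python
"""Two network-side checks over proxy logs: known distribution domain, and
fixed-interval check-ins to one URL (beaconing).

Constructed log lines; only dodi-repacks[.]site comes from the report.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IOC_DOMAINS = {"dodi-repacks[.]site"}  # from the report, kept defanged on disk

# Constructed format: ISO timestamp, client IP, destination host, path, HTTP status.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed sample: one download from the IOC domain, ordinary bursty browsing from
# a second client, and a ten-minute check-in loop (with one second of jitter).
SAMPLE_LOG = """\
2025-10-03T08:55:12 10.0.0.5 dodi-repacks.site /repack/example.zip 200
2025-10-03T09:00:00 10.0.0.9 news.example / 200
2025-10-03T09:00:30 10.0.0.9 news.example / 200
2025-10-03T09:07:10 10.0.0.9 news.example / 200
2025-10-03T09:07:15 10.0.0.9 news.example / 200
2025-10-03T10:00:00 10.0.0.5 telemetry.example /ping 200
2025-10-03T10:10:00 10.0.0.5 telemetry.example /ping 200
2025-10-03T10:20:00 10.0.0.5 telemetry.example /ping 200
2025-10-03T10:30:00 10.0.0.5 telemetry.example /ping 200
2025-10-03T10:40:01 10.0.0.5 telemetry.example /ping 200
"""


def refang(domain):
    """Turn the defanged IOC back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def parse(lines):
    records = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def ioc_hits(records, iocs=IOC_DOMAINS):
    """(client, host) pairs that touched a known distribution domain."""
    wanted = {refang(d) for d in iocs}
    return sorted({(r["src"], r["host"].lower()) for r in records if r["host"].lower() in wanted})


def periodic_flows(records, min_hits=4, max_cv=0.2):
    """Flag (client, host, path) tuples contacted at near-constant intervals. The
    coefficient of variation of the inter-arrival gaps separates a timer-driven
    check-in (cv near 0) from human browsing, whose gaps are bursty and irregular."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["host"].lower(), r["path"])].append(r["ts"])
    found = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((key, round(avg), round(cv, 3)))
    return found


def analyze(lines):
    records = parse(lines)
    return {"ioc": ioc_hits(records), "beacons": periodic_flows(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, host in result["ioc"]:
        print(f"{src} fetched from known distribution domain {host}")
    for (src, host, path), avg, cv in result["beacons"]:
        print(f"{src} beacons to {host}{path} every ~{avg}s (cv={cv})")
```

On the sample, the download from dodi-repacks.site by 10.0.0.5 and that client's ten-minute check-in to telemetry.example/ping are flagged, while the second client's irregular browsing is not. Thresholds are a starting point: legitimate software updaters also beacon, so the periodic-flow list is a triage queue to join against the host's recent downloads, not a verdict.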

Users who suspect infection are advised to run an updated security scan immediately. If concerns persist, Windows System Restore may help revert the device to an earlier clean state, and where compromise cannot be removed with confidence a full operating system reinstallation may be necessary. Because the observed payloads are information stealers, any passwords, browser sessions, and cryptocurrency wallet secrets present on the machine should be treated as already exposed and rotated regardless of how the cleanup is done.

The findings reinforce a recurring cybersecurity risk: unauthorized software downloads frequently serve as a delivery channel for concealed malware capable of exposing personal data and granting attackers extended access to victim systems.

Malicious dYdX Packages Drain User Wallets in Supply Chain Attack


Malicious open-source packages targeting the dYdX cryptocurrency exchange have enabled attackers to drain user wallets, exposing once again how fragile software supply chains can be in the crypto ecosystem. Researchers found that legitimate-looking libraries on popular repositories were quietly stealing seed phrases and other sensitive data from both developers and end users, turning everyday development workflows into vectors for wallet compromise. The incident shows that even reputable projects using standard tooling are not immune when upstream dependencies are poisoned.

The attack focused on npm and PyPI packages associated with dYdX’s v4 trading stack, specifically the JavaScript package @dydxprotocol/v4-client-js and the Python package dydx-v4-client in certain versions. These libraries are widely used to build trading bots, automated strategies, and backend services that interact with the exchange and therefore routinely handle mnemonics and private keys needed to sign transactions. By compromising such central components, attackers gained access not just to individual wallets but to any application that pulled in the tainted releases.

Inside the malicious npm package, attackers added a surreptitious function that executed whenever a wallet seed phrase was processed, quietly exfiltrating it along with a fingerprint of the device running the code. The fingerprinting allowed the threat actors to correlate stolen credentials across multiple compromises and track victims over time. Stolen data was sent to a typosquatted domain crafted to resemble legitimate dYdX infrastructure, increasing the chances that network defenders would overlook the outbound connections.

The PyPI package carried similar credential-stealing behavior but escalated the threat by bundling a remote access Trojan capable of executing arbitrary Python code on infected systems. Running as a background daemon, this RAT regularly contacted a command‑and‑control server, fetched attacker-supplied code, and executed it in an isolated subprocess using a hard-coded authorization token. With this access, adversaries could steal keys and source code, plant persistent backdoors, and broadly surveil developer environments beyond just wallet data.

This is not the first time dYdX has faced targeted abuse of its ecosystem, following prior incidents involving malicious npm uploads and website hijacking campaigns aimed at draining user funds. For the broader industry, the episode underlines how high‑value crypto platforms and their developer tooling have become prime targets for supply-chain attacks. Developers are urged to rigorously audit dependencies, verify package integrity and publishers, and avoid using real wallet credentials in testing environments, while users should quickly review any apps or bots that rely on the affected dYdX client libraries.
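One concrete form of "verify package integrity and publishers", added here as an example rather than anything from the dYdX project: check that every dependency in package-lock.json resolved from an allowed registry host and that the tarball actually fetched matches the SRI hash pinned in the lockfile. The lockfile v3 layout and the sha512-<base64> integrity format are npm's real conventions; the lockfile contents, the tarball bytes, the example-dep package and the 0.0.0-example version string are constructed and do not identify the affected releases.

```python
"""Audit a package-lock.json against the tarballs actually fetched.

Constructed fixtures throughout; only the lockfile layout and SRI format are real.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

ALLOWED_HOSTS = {"registry.npmjs.org"}


def sri(data, alg="sha512"):
    """Subresource-Integrity string in the form npm records in the lockfile."""
    return f"{alg}-" + base64.b64encode(hashlib.new(alg, data).digest()).decode()


def verify_sri(data, integrity):
    """True only if the tarball bytes hash to the pinned value (constant-time compare)."""
    alg, _, b64 = integrity.partition("-")
    if alg not in ("sha512", "sha384", "sha256"):
        return False
    return hmac.compare_digest(hashlib.new(alg, data).digest(), base64.b64decode(b64))


def audit(lock, tarballs, allowed_hosts=ALLOWED_HOSTS):
    """Walk lockfile v3 entries; `tarballs` maps lockfile key -> bytes that were fetched.
    Returns (package, problem) findings in lockfile order."""
    findings = []
    for name, entry in lock.get("packages", {}).items():
        if name == "" or "resolved" not in entry:
            continue  # "" is the root project; link: and workspace entries have no tarball
        host = urlparse(entry["resolved"]).hostname or ""
        if host not in allowed_hosts:
            findings.append((name, f"resolved from unexpected host {host}"))
        if "integrity" not in entry:
            findings.append((name, "no integrity pin"))
            continue
        data = tarballs.get(name)
        if data is None:
            findings.append((name, "tarball not available for verification"))
        elif not verify_sri(data, entry["integrity"]):
            findings.append((name, "integrity mismatch"))
    return findings


# Constructed fixtures: a stand-in tarball, a lockfile pinning it, and what "install" fetched.
GOOD_TARBALL = b"constructed tarball bytes standing in for a real .tgz\n"
LOCK = {
    "name": "trading-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "1.0.0"},
        "node_modules/@dydxprotocol/v4-client-js": {
            "version": "0.0.0-example",  # placeholder, not an affected version
            "resolved": "https://registry.npmjs.org/@dydxprotocol/v4-client-js/-/v4-client-js-0.0.0-example.tgz",
            "integrity": sri(GOOD_TARBALL),
        },
        "node_modules/example-dep": {  # made-up package served from a non-registry host
            "version": "1.0.0",
            "resolved": "https://mirror.example/example-dep-1.0.0.tgz",
            "integrity": sri(GOOD_TARBALL),
        },
    },
}
FETCHED = {
    "node_modules/@dydxprotocol/v4-client-js": GOOD_TARBALL,
    "node_modules/example-dep": GOOD_TARBALL + b"tampered",
}

if __name__ == "__main__":
    for name, problem in audit(LOCK, FETCHED):
        print(f"{name}: {problem}")
```

The integrity pin only catches tampering relative to what was pinned: a malicious release published under the legitimate name and then locked in hashes correctly, so publisher verification (npm's signed provenance attestations, and a review of what changed between versions) and the advice above against real wallet credentials in test environments still matter. On the Python side, pip install --require-hashes with hash-pinned requirements gives the same guarantee for PyPI packages.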
