Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Microsoft Ends Support for Windows 10: Millions of PCs Now at Security Risk

  Microsoft has officially stopped supporting Windows 10, marking a major change for millions of users worldwide. After 14 October 2025, Mic...

All the recent news you need to know

Global Ransomware Groups Hit Record High as Smaller Threat Actors Emerge

 

The number of active ransomware groups has reached an unprecedented high, marking a new phase in the global cyber threat landscape. According to GuidePoint Security’s latest Ransomware & Cyber Threat Report, the total number of active groups surged 57%, climbing from 49 in the third quarter of 2024 to an all-time peak of 77. Despite this sharp rise, the number of victims has remained consistent, averaging between 1,500 and 1,600 per quarter since late last year. 

The United States continues to bear the brunt of these attacks, accounting for 56% of all reported victims. Germany and the United Kingdom followed distantly at 5% and 4%, respectively. Manufacturing, technology, and the legal sectors were among the hardest hit, with the manufacturing industry alone reporting 252 publicly claimed attacks in the second quarter—a 26% increase from the previous quarter. 

GuidePoint’s senior threat intelligence analyst, Nick Hyatt, noted that while the overall ransomware volume has stabilized, the number of distinct groups is soaring. He explained that this growth reflects both the consolidation of experienced threat actors under major ransomware-as-a-service (RaaS) platforms and the influx of newer, less skilled operators trying to gain traction in the ecosystem. 

Among the most active groups, Qilin led with a dramatic 318% year-over-year surge, claiming 234 victims this quarter. Akira followed with 130 victims, while IncRansom—first detected in August 2023—emerged as the third most active group after a sharp increase in attacks. Another rising player, SafePay, has steadily expanded its operations since its appearance in late 2024, now linked to 258 victims across 29 industries and 30 countries in 2025 alone. 

GuidePoint’s researchers also observed a growing number of unclaimed or unattributed ransomware attacks, suggesting that many threat actors are either newly formed or deliberately avoiding public identification. This trend points to an increasingly fragmented and unpredictable ransomware environment. 

While the stabilization in overall attack numbers might appear reassuring, experts warn against complacency. The rapid diversification of ransomware groups and the proliferation of smaller, anonymous actors underline the evolving sophistication of cybercrime. As Hyatt emphasized, this “new normal” reflects a sustained, adaptive threat landscape that demands continuous vigilance, proactive defense strategies, and cross-industry collaboration to mitigate future risks.

Crypto Vanishes: North Korea’s $2B Heist, Discord Breach Exposes Millions

 

North Korean hackers have stolen over $2 billion in cryptocurrency in 2025, while a Discord breach exposed sensitive user data, including government IDs of approximately 70,000 individuals. These incidents highlight the growing sophistication of cyber threats targeting both financial assets and personal information.

Cybercrime surge

North Korean state-sponsored hacking groups, such as the Lazarus Group, have significantly increased their cryptocurrency thefts, amassing more than $2 billion in 2025 alone, marking a record for these cybercriminals. The funds are believed to support North Korea’s nuclear weapons and missile development programs.The regime’s hacking activities now contribute approximately 13% to its estimated $15.17 billion GDP. 

The largest single theft occurred in February 2025, when hackers stole $1.4 billion from the crypto exchange ByBit, with other attacks targeting platforms like WOO X and Seedify resulting in millions more in losses. North Korean hackers are increasingly focusing on wealthy individual cryptocurrency holders, who often lack the robust security measures of institutional investors, making them vulnerable targets. 

Discord ID breach and data exposure

Discord confirmed a breach in which hackers accessed the government-issued identification documents of around 70,000 users who had uploaded them for age verification disputes. The attackers infiltrated a third-party customer service provider, 5CA, to gain access to this sensitive data. 

The stolen information, including selfies holding IDs, email addresses, and partial phone numbers, is being shared in Telegram groups, raising serious privacy concerns about digital age verification systems. This incident underscores the risks associated with centralized storage of personal identification documents.

New tactics: EtherHiding on blockchains

In a significant evolution of cyber-espionage tactics, a North Korean threat actor tracked as UNC5342 has been observed using a technique called “EtherHiding” since February 2025. This method involves embedding malicious code within smart contracts on public blockchains like Ethereum or BNB Smart Chain, using the decentralized ledger as a resilient command-and-control server. 

This approach, part of a campaign named “Contagious Interview,” uses social engineering—posing as recruiters on LinkedIn—to lure victims into executing malware that downloads further payloads via blockchain transactions. The decentralized nature of blockchains makes EtherHiding highly resistant to takedown efforts, presenting a new challenge for cybersecurity defenses.

Astaroth Malware Adopts GitHub Infrastructure to Target Crypto Investors

 


A new attack is now underway involving the notorious Astaroth banking Trojan, a banking Trojan which is used to steal cryptocurrency credentials, and cybersecurity researchers at McAfee have discovered that this Trojan exploited the GitHub platform for distribution. This is a worrying revelation that emphasises the increasing sophistication of cybercrime. 

Known for its stealthy and persistent nature, the malware has evolved to make use of GitHub repositories as backup command-and-control centres whenever its primary servers are taken down, thus enabling it to continue operating even under takedown attempts on its primary servers.

A McAfee study found that the campaign is mostly spread through deceptive emails that lure unsuspecting recipients into downloading malicious Windows shortcuts (.lnk) files as a result of these emails. It is believed that the Astaroth malware is silently installed by the malicious executable files. Once these files are executed, they will deeply enslave the victim's system, as soon as they are executed. 

As the Trojan runs quietly in the background, it employs advanced keylogging techniques so that it can steal banking and cryptocurrency credentials, transmitting the stolen information to the attackers' remote infrastructure via the Ngrok reverse proxy. 

In this sophisticated approach, cybercriminals are increasingly utilising legitimate platforms such as GitHub to conceal their tracks, maintain persistence, and extend their reach in the digital finance ecosystem, thereby illustrating how hackers are using legitimate platforms to maintain persistence, conceal their tracks, and expand their reach. 

McAfee Threat Research's investigation revealed that this campaign represents a pivotal shift in the Astaroth Trojan's operational framework, signalling that malware has entered a new age when it comes to adaptability and resilience. A major improvement over its earlier versions is the fact that now the latest variant does not rely on traditional command-and-control (C2) servers to handle its operations. 

As a result, GitHub is using its trusted and legitimate infrastructure to host crucial malware configuration files, allowing it to keep operating even when law enforcement or cybersecurity experts take down its primary servers to maintain uninterrupted activity. Using this strategic transition, Astaroth will be able to dynamically restore its functionality as it draws updates directly from GitHub repositories. 

These attackers have inserted encrypted configuration data into seemingly harmless images uploaded to these repositories that appear harmless by using advanced steganography techniques. A hidden portion of these images contains crucial operational instructions, which the malware retrieves and updates every two hours to update its parameters and evade detection. 

Astaroth exploits GitHub in this way to turn a mainstream development platform into a covert, self-sustaining control system, one that is much more elusive and difficult to counter than traditional C2 systems, making it much easier to use. In their research, researchers identified a highly deceptive infection strategy used by the Astaroth Trojan, involving phishing emails that are constructed in such a way that they seem both genuine and convincing.

As a result of the messages, recipients are enticed to download a Windows shortcut (.lnk) file that, when executed, discreetly installs malware on the host computer. A silent data theft program by Astaroth, which operates quietly behind the scenes, harvests sensitive banking and cryptocurrency credentials from unsuspecting victims by utilising keylogging techniques. 

For the stolen data to reach the attackers, an intermediary channel between the infected device and the command infrastructure is established by the Ngrok reverse proxy, which acts as a proxy between the attackers and the infected device. There is one distinctive aspect of this particular campaign: its adaptability to maintain operational continuity by using GitHub repositories instead of hosting malicious payloads directly. 

As opposed to hosting malicious payloads directly, the attackers use GitHub to store configuration files that direct infected bots to active servers when law enforcement or cybersecurity experts dismantle primary command-and-control systems. According to Abhishek Karnik, McAfee's Director of Threat Research and Response, GitHub's role in the attack chain can be attributed to the fact that it hosts these configuration files, which, in turn, redirect the malware to its active control points, thus ensuring sustained operation despite efforts to remove it. 

A recent Astaroth campaign does not represent the first time the organisation has targeted Brazilian users, a region in which it has repeatedly carried out malicious activities. According to both Google and Trend Micro, similar clusters of activity were detected in 2024, coded PINEAPPLE and Water Makara, which spread the same Trojan through deceptive phishing campaigns. 

As in previous waves, the latest wave of infection follows a comparable infection chain, starting with a convincing phishing email with the DocuSign theme that tricks the recipient into downloading a compressed Windows shortcut (.lnk). When this file is downloaded and opened, it initiates an Astaroth installation process on the compromised system. 

Under the surface of the LNK file, a malicious script is hidden that obfuscates JavaScript, allowing it to retrieve further malicious scripts from an external source. By executing the AutoIt script, which downloads several components from randomly selected hard-coded domains, as well as an AutoIt script, further payloads are executed. 

It is believed that the Astaroth malware will be decrypted and injected into a newly created RegSvc.exe process as a result of this chain of execution, which culminates with the loading of a Delphi-based dynamic link library (DLL). Using the Delphi programming language, Astaroth constantly monitors browser activity, checks for open banking or cryptocurrency websites periodically, and also captures login credentials through keylogging. 

A reverse proxy, such as the Ngrok reverse proxy, facilitates the filtering of stolen credentials, ensuring that sensitive financial information is safely transmitted to the attackers and that immediate detection is avoided. In addition to having far-reaching implications for the cryptocurrency market and the broader digital economy, Astaroth's persistent threat carries far-reaching repercussions as well. Initially, this situation raised the vigilance of users and raised concerns about the reliability of digital asset security, which has increased the level of anxiety in the market.

Financial losses among affected individuals have intensified market anxiety, resulting in a dwindling of confidence among new participants, and thereby slowing adoption rates in the emerging digital finance space. Those kinds of incidents are expected to encourage the development of more stringent cybersecurity protocols on a long-term basis, resulting in exchanges, wallet providers, and blockchain-based businesses investing heavily in proactive defence mechanisms over the long run. 

In general, the market sentiment has remained cautious, as investors are wary of recurring attacks that threaten the perceived safety of cryptocurrencies. In addition to identifying the latest Astaroth campaign, McAfee's Advanced Threat Research team stepped in to report the malicious GitHub repositories that hosted its configuration promptly, as they played a crucial role in uncovering it. 

The collaborative efforts they made resulted in the removal of the repositories and the interruption of the malware's activities for a short period of time. As Director of Threat Research and Response at McAfee, Abhishek Karnik emphasised the widespread nature of the Trojan, particularly in Brazil, but acknowledged that it is still impossible to estimate how much money was stolen, especially in this country.

To reduce exposure, users should be vigilant, avoid opening unsolicited attachments, maintain updated security software, and use two-factor authentication to minimise vulnerability. It should be noted that the resurgence of Astaroth has highlighted a growing class of cyber threats aimed at the rapidly expanding Web3 ecosystem as a whole. 

According to industry experts, the industry's resilience will become increasingly dependent upon robust safeguards such as smart contract audits, decentralised identity frameworks, and cross-industry intelligence sharing as decentralised finance and blockchain applications mature and mature. In their opinion, improving security is a vital component of preventing breaches of data, but it is also essential to restore and sustain user trust. 

While regulators are still refining compliance standards for the digital asset sector, developers, organisations, and users need to work together to create a safe and sustainable crypto environment that is secure. In light of the Astaroth campaign, it is clear that cybercriminals are becoming not only more innovative but they are also more strategic when it comes to exploiting trusted digital ecosystems. 

The line between legitimate and malicious online activity is becoming increasingly blurred. Therefore, both individuals and organisations must become more aware of proactive defences and digital hygiene. As such, evolving threats become more prevalent, organisations must enhance resilience against them by strengthening incident response frameworks, integrating artificial intelligence for real-time threat detection, and investing in zero-trust security models. 

A cryptocurrency user's continuous education is more important than ever, such as recognising red flags for phishing, verifying email authenticity, and securing wallets with multi-factor authentication and hardware-based protection. Furthermore, it will be crucial for cybersecurity researchers to collaborate with technology platforms, regulatory authorities, and other organisations to eliminate the infrastructure that makes these attacks possible.

Ultimately, the fight against threats such as Astaroth transcends immediate containment; it represents an ongoing commitment to bolster digital trust, which is vital to the success of these attacks. In the process of embedding cybersecurity awareness into every layer of the Web3 ecosystem, the industry can transform every attempt at an attack into a catalyst for stronger, more adaptive security standards, which will enable businesses to remain competitive and secure.

Gmail Users Face New AI Threats as Google Expands Encryption and Gemini Features

 

  
Gmail users have a fresh security challenge to watch out for — the mix of your Gmail inbox, Calendar, and AI assistant might pose unexpected risks. From malicious prompts hidden in emails or calendar invites to compromised assistants secretly extracting information, users need to stay cautious.

According to Google, “a new wave of threats is emerging across the industry with the aim of manipulating AI systems themselves.” These risks come from “emails, documents, or calendar invites that instruct AI to exfiltrate user data or execute other rogue actions.”

The integration of Gemini into Gmail was designed to simplify inbox management with smarter search, replies, writing assistance, and summaries. Alongside this, Google has rolled out another significant Gmail feature — expanded client-side encryption (CSE).

As announced on October 2, this feature is now “generally available.” Gmail users with CSE can send end-to-end encrypted (E2EE) messages to anyone, even non-Gmail users. Recipients simply receive a notification and can view the encrypted message through a guest account — offering secure communication without manual key exchanges.

However, these two major Gmail updates — Gemini AI and encryption — don’t work seamlessly together. Users must choose between AI assistance and total privacy. When CSE is active, Google confirms that “the protected data is indecipherable to any unauthorized third-party, including Google or any generative AI assistants, such as Gemini.”

That means Gemini cannot access encrypted messages, which aligns with how encryption should work — but it limits AI functionality. Google adds that the new encryption will be “on by default for users that have access to Gmail Client-side encryption.” While the encryption isn’t purely end-to-end since organizations still manage the keys, it still offers stronger protection than standard emails.

When it comes to Gemini’s access to your inbox, Google advises users to “apply client-side encryption to prevent Gemini’s access to sensitive data.” In short, enabling encryption remains the most crucial step to ensure privacy in the age of AI-driven email management

BreachForums Taken Down by FBI and French Authorities as LAPSUS$-Linked Group Threatens Salesforce Data Leak

 



U.S. and French law enforcement agencies have seized the latest version of BreachForums, a cybercrime platform known for hosting stolen databases and leaked information. The takedown was carried out by the Federal Bureau of Investigation (FBI), the U.S. Department of Justice, and French cybercrime authorities, who placed an official seizure notice on the site on October 9.

This development comes just hours before an extortion deadline announced by a threat group calling itself Scattered LAPSUS$ Hunters, which had threatened to leak data allegedly stolen from Salesforce and Salesloft if ransom demands were not met by October 10.

The seizure was first noticed on Telegram before it became official. A threat actor using the alias “emo” had observed that BreachForums’ domain was using Cloudflare name servers associated with previously seized FBI sites, suggesting law enforcement action was imminent.

Following the seizure, Scattered LAPSUS$ Hunters confirmed the action on its Telegram channel through a PGP-signed message, claiming that all their BreachForums-related domains and backend infrastructure were taken offline and destroyed. The group, however, asserted that its members had not been arrested and that their Tor-based data leak site remained active.

“The era of forums is over,” the message read, warning members to maintain operational security and avoid new BreachForums clones, which the group claimed could be “honeypots” operated by law enforcement.


Compromised Infrastructure and Data

The group stated that during the seizure, all BreachForums database backups dating from 2023 to the present were compromised, along with escrow and server systems. They also alleged that their onion hidden service was affected because the underlying infrastructure had been seized and destroyed.

Despite this, Scattered LAPSUS$ Hunters insisted that the takedown would not affect their planned Salesforce data leak campaign. The group reiterated that the October 10 deadline for victims to comply with their ransom demands remained unchanged.

This marks the fourth major seizure in the history of BreachForums and its predecessors, including the earlier RaidForums. Both forums have been repeatedly targeted by global law enforcement operations and linked to several high-profile arrests over the years.

The group also revealed that the widely known administrator “pompompurin,” believed to have launched BreachForums after RaidForums’ closure, had merely been a “front,” suggesting that the forum’s operations were coordinated by a wider network of individuals from the start.


What Lies Ahead

While the seizure has temporarily disrupted the group’s clearnet operations, cyber experts caution that criminal forums often migrate to the dark web or encrypted channels to continue their activities. Authorities are expected to pursue further investigations in the coming weeks to identify and apprehend those involved.

For cybersecurity professionals and enterprises, it's high time to give importance to monitoring data exposure risks and staying alert to potential secondary leaks, especially when extortion groups remain active through alternate platforms.



Data Breach at Bectu Exposes Members’ Information and Bank Details


 

Prospect, one of the UK's leading trade unions, has revealed that in June 2025, it was seriously affected by a cyberattack which had been discovered in the wake of a sophisticated cyberattack that had been launched against it. This underscores the sophistication and persistence of cyber attacks against professional bodies that are becoming ever more sophisticated. A significant part of the data that has been compromised is sensitive financial and personal data belonging to members of Prospect, the union affiliated with Prospect, and its member union, Bectu, a major representation body for professionals in the film and television industry in the country. 

Prospect, a national organisation of close to 160,000 engineers, scientists, managers, and specialists from companies including BT Group, Siemens, and BAE Systems, disclosed that the breach involved a considerable amount of confidential information from its members. Based on preliminary findings, it has been found that the attackers have accessed names, birthdates, contact information, bank account information, including sort codes, for over one year. 

Moreover, it has been suggested that data related to protected personal characteristics, including gender, race, religion, disability status, and employment status, may also have been compromised. A disclosure of this nature is not surprising considering that unions and membership-based organisations are increasingly relying on digital platforms for managing member records, communicating with members, and processing subscriptions – all of which make them attractive targets for cybercriminals who are looking for large quantities of personal information in bulk. 

Bectu Members Among the Most Affected

It is estimated that thousands of people, including Bectu, one of the largest unions in the UK representing professional workers in the film and television industries, as well as theatre and live entertainment, will be affected by this strike. The organisation, which operates under Prospect, acts as an important voice for screen and stage workers, from technicians to creative freelancers, as well as the production crew. A significant percentage of Bectu's approximately 40,000 members may have been affected by the breach, according to internal assessments. While it has not yet been officially confirmed how large a compromise was, early indications suggest that the attack may have exposed highly detailed personal information, leaving individuals open to the possibility that their data could be misused. There are several types of information that have been compromised in addition to bank account information and financial details, including addresses, phone numbers, and email accounts, as well as personal identifiers such as birth dates. The information, which includes diversity and equality statistics and individual case files - often used in representation and employment disputes - was also accessed in some instances. 

Timeline and Discovery of the Breach 

There was a report of a cyberattack that occurred in June 2025, however the full extent of the incident did not become apparent until a detailed forensic investigation of the incident in the months that followed. Prospect's General Secretary, Mike Clancy, formally notified members of the breach in October 2025 via email communications, explaining the nature of the breach, as well as the measures that were being taken to address it. After the incident occurred, Prospect has reported it to the Information Commissioner's Office (ICO), the police, and other relevant authorities. The company has also hired cybersecurity specialists to assist in the ongoing investigation, strengthen internal defences, and ensure that affected individuals receive information on how to safeguard their personal information. 

Prospect’s Official Response 

Michael Clancy, president of the company, issued an official statement addressing the incident in which he confirmed that internal investigations had confirmed that unauthorised access had been gained to the data of specific members. “This investigation is ongoing, but we have unfortunately identified that some member information was accessed during this incident. The evidence we have gathered has identified the members that we need to contact about an impact on their personal information. We have written to them with information on what this means for them and the support Prospect will provide to mitigate risk,” Clancy said.

Among the union's commitments to transparency and determination to assist affected members after the breach, the union stressed its commitment to transparency. Prospect will be offering a free 12-month credit and identity monitoring service as part of its response strategy to help safeguard members from potential financial fraud or identity theft caused by the stolen information as part of its response strategy. 

Cybersecurity Experts Warn of Growing Risks to Unions.  Several cybersecurity analysts have pointed out that trade unions, as well as professional associations, are becoming prime targets for data breaches due to the sheer amount of personal information they collect and store. Many unions, in contrast to corporations, do not have a lot of IT resources at their disposal, making them more vulnerable to sophisticated cyberattacks than other organisations. 

It is important to note that unions store an enormous amount of sensitive information - from payroll information to contact information to equality and disciplinary records. In addition to this, cybercriminals are highly interested in these types of data and can exploit or sell it for financial or political gain. Although the motives behind the Prospect breach remain unclear, investigators have not yet officially identified any specific threat actor responsible for the attack, despite similar incidents occurring in recent years having been linked to organised cybercrime groups that extort organisations or sell stolen data via dark web marketplaces in an attempt to profit. 

Regulatory and Legal Implications 

The UK Data Protection Act 2018 and the UK GDPR require Prospect to report significant data breaches to the Information Commissioner (ICO) and inform affected individuals “without undue delay.” As part of its review of the case, the ICO will examine whether appropriate data protection measures had been implemented before the incident and whether additional sanctions or guidance should have been issued in the future. 

There may be substantial penalties imposed on organisations which fail to implement sufficient cybersecurity safeguards, including a fine of up to £17.5 million or 4% of the company's global annual turnover, whichever is greater. There is, however, a significant difference between Prospect and other unions, which are typically nonprofit organisations, and regulatory authorities may instead concentrate on remediation, accountability, and security governance reform. 

Industry Repercussions and Member Concerns 

Many members of both Bectu and Prospect have expressed concern about the incident, since they work in sectors already confronted with job insecurity and issues relating to data privacy. A number of people have expressed concerns about the misuse of financial information or the possibility of targeted phishing attacks following the breach. 

Bectu members, whose professional lives are often based on freelance or contractual work, should be aware that any compromise of personal or banking details could lead to serious consequences for them. According to the union, members should be vigilant, monitor their bank accounts regularly, and report suspicious activity to the financial institution as soon as possible. 

In the opinion of industry observers, the reputational impact could extend far beyond the unions themselves. Due to the waning confidence in digital record-keeping systems, organisations are being urged to invest in stronger encryption, zero-trust network frameworks, and regular security audits in order to avoid similar incidents from occurring again. 

A Wake-Up Call for the Sector

A breach like this serves as an important reminder for all professional organisations that handle large amounts of member or employee data regularly. In an increasingly digitalised world, in which sensitive information is exchanged and stored online, robust cybersecurity measures are no longer optional — they are essential to maintaining trust and operational integrity in the digital age. 

 There has been a clear commitment by Prospect and Bectu to assist affected members, strengthen their IT infrastructure, and prevent future breaches as investigations continue. The outcome of the ICO’s review, which is expected to be completed later this year, may serve as a guide for how similar incidents are handled across the UK's trade union landscape going forward.

Featured