
Google and Apple Deploy Rapid Security Fixes Following Zero-Day Attacks

Apple has released an emergency security patch for a set of advanced zero-day vulnerabilities that were used in a highly targeted hacking campaign against private individuals. Several weeks ago, in an official security advisory, the company said it believed the flaws had been weaponized and were being used in an exceptionally sophisticated attack against a selective group of specific individuals running iOS versions prior to iOS 26.

Among the vulnerabilities, CVE-2025-43529 stands out: a critical flaw in WebKit, the open-source browser engine that underpins Safari and a variety of core applications such as Mail and the App Store, which can be exploited remotely to achieve code execution. According to the cybersecurity outlet BleepingComputer, the vulnerability can be triggered whenever a device processes malicious web content, potentially allowing attackers to run arbitrary code.

The vulnerability was discovered through a collaborative security review and attributed to Google's Threat Analysis Group. It was deemed extremely serious because WebKit is integrated throughout both the macOS and iOS ecosystems and also serves as the basis for third-party applications such as Chrome on iOS.

The company has urged all users to update their devices immediately, stating that the patches were created to neutralize active threats already circulating in the wild. According to the security advisory, the incident goes beyond a standard vulnerability disclosure: it appears to have been the result of a highly precise and technically advanced exploitation effort directed at a number of individuals before the patches were released.

Apple confirmed that two critical flaws affecting iPhones and iPads running iOS versions older than iOS 26 had been fixed, and acknowledged that at least one of them may already have been exploited in an "extremely sophisticated attack" against carefully selected targets.

In cybersecurity terminology, a zero-day exploit refers to a previously undisclosed software flaw that is actively exploited before developers have had the opportunity to build defenses. The tactics employed in such operations are often associated with well-resourced threat actors such as government-linked groups and commercial surveillance companies.

Historically, malware frameworks developed by companies like NSO Group and Paragon Solutions have been linked to intrusions against journalists, political dissenters, and human rights advocates. Once both Apple and Google announced emergency updates across their respective ecosystems, the scope of the alert grew dramatically. As a result, millions of iPhone, iPad, Mac, and Google Chrome users, particularly in New Delhi, are being urged to be on the lookout for cyber attacks as the threat grows.

Google has also confirmed active exploitation of a Chrome vulnerability and has issued a priority patch that users should apply immediately, citing the browser's vast global footprint as a significant risk. The flaw was identified independently by Apple's Security Engineering division and Google's Threat Analysis Group, a unit known for its work on state-aligned intrusion campaigns and commercial spyware activity, which has strengthened the conclusion that the attack was carried out by elite surveillance operators rather than opportunistic cybercriminals.

Industry experts have pointed out that even a single unpatched vulnerability in a platform like Chrome could expose millions of devices if it is not fixed immediately, so updating as soon as possible is imperative; failure to do so could have serious privacy and security implications. Apple has acknowledged that the recently patched security flaws could have been used in highly targeted intrusion attempts affecting legacy iOS versions.

The fixes have also been extended to a number of older iPad models and the iPhone 11. In keeping with its long-standing policy of not releasing granular technical information, Apple reiterated that it does not comment publicly on ongoing security investigations. These patches were released in conjunction with broader ecosystem updates covering WebKit, Screen Time, and several other system-level components, reinforcing the cross-functional nature of the vulnerabilities.

The technical overlap between Google's and Apple's updates is clearest in CVE-2025-14174, which both companies have now corrected. It was originally addressed in Chrome Stable releases earlier in the month and has been categorized as a serious memory access problem in ANGLE, a graphics abstraction layer that is also used by WebKit, which explains the parallel impact on Apple platforms.

The flaw was later formally identified as an out-of-bounds memory access vulnerability in ANGLE. Google and the National Vulnerability Database confirmed that exploit activity had already been detected in the wild.

In its own advisory, Apple associates the same CVE with a WebKit memory corruption condition triggered by maliciously crafted web content, further implying precise targeting rather than indiscriminate exploitation.

Security researchers noted that the near-simultaneous disclosures reflect a growing risk from shared open-source dependencies across major consumer platforms, and that both companies responded with emergency updates within days of each other. SoCRadar, a leading source of security intelligence, highlighted the strategic significance of the flaw by pointing out that its presence in both Chrome and WebKit environments is a clear example of indirect cross-vendor exposure.

Security analysts and enterprise security teams have recommended that the issue be remedied quickly, as unpatched devices remain vulnerable to post-exploitation instability, memory compromise, and covert code execution.

Following the security advisory, organizations were advised to prioritize updating devices used by high-risk individuals, enforce compliance through endpoint management frameworks, monitor for abnormal browser crashes or process anomalies, and limit access to unverified web content, reflecting the seriousness of vulnerabilities already confirmed to be under active exploitation.

On Wednesday, Google released a security update for Chrome with minimal public comment, stating only that the vulnerability was "under coordination", a phrase indicating that investigations and remediation efforts were still underway, and one that conveys little information to the public.

Several days after Apple released its own security advisory, the company quietly revised its patch documentation, suggesting a technical intersection between the two organizations' parallel assessments. The vulnerability, officially tracked as CVE-2025-14174, has been attributed to Apple's security engineering division in collaboration with Google's Threat Analysis Group (TAG).

TAG is a highly specialized unit primarily tasked with identifying state-aligned cyber operations and commercial spyware networks rather than typical malware campaigns. Although neither company has published an extensive technical breakdown, the nature of the attribution has reinforced the industry consensus that this exploit aligns more closely with spyware-grade surveillance activity than with broad, untargeted cybercrime.

The dual disclosure also adds to the rising count of zero-day attacks both firms have faced, reflecting sustained adversarial interest in browsers and mobile operating systems as strategic attack surfaces.

So far in 2025, Apple has mitigated nine vulnerabilities confirmed to have active exploitation chains, while Google has resolved eight Chrome zero-days in the same period, an unusually concentrated cadence that security researchers believe reflects an exceptionally well-resourced and persistent threat ecosystem that continues to treat consumer platforms as valuable infrastructure for precision intrusions and intelligence collection.

The episode highlights one of the fundamental aspects of modern cybersecurity: software ecosystems have become increasingly interconnected, and a vulnerability in one widely used component can spread across competing platforms before users even realize the problem exists. Although the emergency patches have curtailed active exploitation, the incident is a reminder that zero-day threats often unfold silently, leaving very little room for delay in responding.

A number of security experts have pointed out that timely updates are among the most effective means of preventing complex exploit chains, which even advanced monitoring tools struggle to detect in their early stages.

Consumers can significantly reduce their risk by managing automatic updates, limiting exposure to untrusted web links, and monitoring for unusual browser behavior. Enterprises should enforce compliance through centralized device management, strengthen endpoint visibility, and correlate cross-vendor vulnerability disclosures in order to anticipate indirect exposure from shared dependencies.

The experts also recommend periodic device audits, additional protection for high-risk users, browser isolation, and threat intelligence feeds to detect anomalies early. Severe as it was, the incident has prompted increased collaboration among security research units, demonstrating that coordinated defenses, deployed quickly and strategically, can outperform even the most elaborate intrusion attempts.

Telegram-Based Crypto Scam Networks Are Now Larger Than Any Dark Web Market in History


For years, illegal online marketplaces were closely linked to the dark web. These platforms relied on privacy-focused browsers and early cryptocurrencies to sell drugs, weapons, stolen data, and hacking tools while remaining hidden from authorities. At the time, their technical complexity made them difficult to track and dismantle.

That model has now changed drastically. In 2025, some of the largest illegal crypto markets in history are operating openly on Telegram, a mainstream messaging application. According to blockchain intelligence researchers, these platforms no longer depend on sophisticated anonymity tools. Instead, they rely on encrypted chats, repeated channel relaunches after bans, and communication primarily in Chinese.

Analysis shows that Chinese-language scam-focused marketplaces on Telegram have reached an unprecedented scale. While enforcement actions earlier this year temporarily disrupted a few major platforms, activity quickly recovered through successor markets. Two of the largest currently active groups are collectively processing close to two billion dollars in cryptocurrency transactions every month.

These marketplaces function as service hubs for organized scam networks. They provide money-laundering services, sell stolen personal and financial data, host fake investment websites, and offer digital tools designed to assist fraud, including automated impersonation technologies. Researchers have also flagged listings that suggest serious human exploitation, adding to concerns about the broader harm linked to these platforms.

Their rapid growth is closely connected to large-scale crypto investment and romance scams. In these schemes, victims are gradually manipulated into transferring increasing amounts of money to fraudulent platforms. Law enforcement estimates indicate that such scams generate billions of dollars annually, making them the most financially damaging form of cybercrime. Many of these operations are reportedly run from facilities in parts of Southeast Asia where trafficked individuals are forced to carry out fraud under coercive conditions.

Compared with earlier dark web marketplaces, the difference in scale is striking. Previous platforms processed a few billion dollars over several years. By contrast, one major Telegram-based marketplace alone handled tens of billions of dollars in transactions between 2021 and 2025, making it the largest illicit online market ever documented.

Telegram has taken limited enforcement action, removing some large channels following regulatory scrutiny. However, replacement markets have repeatedly emerged, often absorbing users and transaction volumes from banned groups. Public statements from the platform indicate resistance to broad bans, citing privacy concerns and financial freedom for users.

Cryptocurrency infrastructure also plays a critical role in sustaining these markets. Most transactions rely on stablecoins, which allow fast transfers without exposure to price volatility. Analysts note that Tether is the primary stablecoin used across these platforms. Unlike decentralized cryptocurrencies, Tether is issued by a centralized company with the technical ability to freeze funds linked to criminal activity. Despite this capability, researchers observe that large volumes of illicit transactions continue to flow through these markets with limited disruption. Requests for comment sent to Tether regarding its role in these transactions did not receive a response at the time of publication.

Cybercrime experts warn that weak enforcement, fragmented regulation, and inconsistent platform accountability have created conditions where large-scale fraud operates openly. Without coordinated intervention, these markets are expected to continue expanding, increasing risks to users and the global digital economy.

Webrat Malware Targets Students and Junior Security Researchers Through Fake Exploits


In early 2025, security researchers uncovered a new malware family dubbed Webrat, which at the time predominantly targeted ordinary users through deceptive distribution methods. Initial propagation involved disguising the malware as cheats for online games such as Rust, Counter-Strike, and Roblox, and as cracked versions of commercial software. By the second half of that year, however, the Webrat operators had widened their horizons, shifting toward a new target group: students and young professionals seeking careers in information security.

This shift surfaced in September and October 2025, when researchers discovered a campaign spreading Webrat through public GitHub repositories. The attackers packaged the malicious payloads as proof-of-concept exploits for highly publicized software vulnerabilities. Those vulnerabilities were chosen for their prominence in security advisories and high severity ratings, making the repositories look relevant and credible to people searching for hands-on learning materials.

Each GitHub repository was crafted to closely resemble a legitimate exploit release, with a detailed description covering the background of the vulnerability, affected systems, installation steps, usage, and recommended mitigations. Many of the repository descriptions share a similar or almost identical structure, and the defensive advice is often strikingly alike, strong evidence that they were generated with automated or AI-assisted tools rather than written by independent researchers. In each repository, users were instructed to fetch a password-protected archive labeled as the exploit package.

The password was hidden in the name of one of the files inside the archive, a move intended to lure users into unzipping the file and examining its contents. Once unpacked, the archive contains a set of files meant to disguise or divert attention from the actual payload. Among them is a corrupted dynamic-link library (DLL) serving as a decoy, along with a batch file whose purpose is to launch the main malicious executable. When run, the main executable performs several high-risk actions: it attempts to elevate its privileges to administrator level, disables built-in security protections such as Windows Defender, and then downloads the Webrat backdoor from a remote server and starts it.

The Webrat backdoor gives attackers persistent access to infected systems, allowing them to conduct widespread surveillance and data theft. Webrat can steal credentials and other sensitive information from cryptocurrency wallets and from applications such as Telegram, Discord, and Steam. Beyond credential theft, it also supports spyware functions such as screen capture, keylogging, and audio and video surveillance via connected microphones and webcams. The functionality seen in this campaign closely matches versions of Webrat described in previous incidents.

Dressing the malware up as vulnerability exploits appears to be an effort to reach hobbyists rather than professionals: professional analysts normally examine untrusted code in a sandbox or isolated environment, where such an attack has limited consequences.

Consequently, researchers believe the campaign targets students and beginners with lax operational security discipline. Its lessons range from the risks of running unverified code downloaded from open-source sites to the need to perform malware analysis and exploit testing in a sandbox or virtual machine.

Security professionals and students are encouraged to be vigilant in their practices, to trust only known and reputable security tools, and to disable protection mechanisms only when there is a clear and well-justified reason to do so.

PayPal Subscriptions Exploited in Sophisticated Email Scam


Hackers have found a clever way to misuse PayPal's legitimate email system to send authentic-looking phishing messages that bypass security filters and appear genuine to end users.

Over the last few weeks, users have been reporting emails from PayPal's legitimate address "service@paypal.com" informing them that their automatic payment has expired. The emails pass the usual security checks such as DKIM and SPF authentication and have been confirmed to originate from PayPal's mail servers.

One reason these messages are so potent is that the scammers have altered the Customer Service URL to point to their own websites, where victims see fake purchase notifications claiming they have bought high-priced electronics such as MacBooks, iPhones, or Sony devices for USD 1,300 to 1,600.

The scam text contains Unicode characters that render words in bold or in different fonts, a trick intended to get around spam filters and keyword detection. The messages then tell recipients to call a phony "PayPal support" phone number to cancel or dispute the alleged charges.

BleepingComputer's analysis of logs and transactions shows that the PayPal Subscriptions feature is being abused. When merchants place a subscriber's subscription on hold through their own system, PayPal in turn notifies the subscriber by email. PayPal appears to be vulnerable to a subscription metadata attack, perhaps in an API or legacy platform, that lets attackers insert arbitrary text into the Customer Service URL field, which normally accepts only valid URLs.

The scammers then register a fake subscriber account using an email address tied to a Google Workspace mailing list. When that account receives the notification from PayPal, the mailing list service forwards what looks like a legitimate email from PayPal to the list of "victims", making the scam all the more convincing.
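As an added example (not from the article or from BleepingComputer's analysis), the following Python folds Unicode lookalike letters such as Mathematical Bold and fullwidth characters back to ASCII before keyword matching, which is the normalization a mail filter needs in order to catch the font-styling evasion described above. The sample messages are constructed for illustration and are not real scam text.

```python
import re
import unicodedata

# Constructed sample messages (not real scam text) in the style the article
# describes: "PayPal" in Mathematical Bold letters, "MacBook" in fullwidth
# letters, and a zero-width space splitting "dispute". A filter that matches
# the raw text against "paypal" or "dispute" sees none of these keywords.
SAMPLE_LINES = [
    "Your automatic payment has expired. Call "
    "\U0001D40F\U0001D41A\U0001D432\U0001D40F\U0001D41A\U0001D425 support now",
    "Invoice: \uFF2D\uFF41\uFF43\uFF22\uFF4F\uFF4F\uFF4B Pro USD 1,499.00 - "
    "call to dis\u200Bpute this charge",
    "Your monthly statement is ready",
]

# Keywords worth flagging in a "your payment expired, call us" message
SCAM_KEYWORDS = ("paypal", "macbook", "iphone", "dispute", "call")


def fold_text(text):
    """Map styled/lookalike characters to plain ASCII and lower-case the result."""
    # NFKC applies compatibility decompositions: Mathematical Bold, fullwidth,
    # circled and similar letter variants collapse to their base ASCII letter.
    folded = unicodedata.normalize("NFKC", text)
    # Drop invisible format characters (category Cf: zero-width space/joiner,
    # soft hyphen) that are inserted to break a keyword into pieces.
    folded = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return folded.casefold()


def _match_keywords(text):
    return [kw for kw in SCAM_KEYWORDS
            if re.search(r"\b" + re.escape(kw) + r"\b", text)]


def find_keywords(text):
    """Return the scam keywords present after folding, in SCAM_KEYWORDS order."""
    return _match_keywords(fold_text(text))


def has_lookalike_letters(text):
    """True if the text uses non-ASCII characters that fold to ASCII letters.

    That is the evasion trick itself: a styled glyph that reads as a Latin
    letter to a human but not to a byte-level keyword filter.
    """
    for ch in text:
        if ord(ch) < 128:
            continue
        base = unicodedata.normalize("NFKC", ch)
        if base.isascii() and base.isalpha():
            return True
    return False


def score_message(text):
    """Combine both signals: keywords that only appear after folding plus lookalikes."""
    raw_hits = _match_keywords(text.casefold())   # what a naive filter sees
    folded_hits = find_keywords(text)
    hidden = [kw for kw in folded_hits if kw not in raw_hits]
    return {
        "keywords": folded_hits,
        "hidden_keywords": hidden,       # only visible after normalization
        "lookalikes": has_lookalike_letters(text),
        # Flag when the message hides keywords and carries a call-to-action
        "suspicious": bool(hidden) and "call" in folded_hits,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(score_message(line))
```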

Safety measures

Recipients should ignore these emails and avoid calling the provided phone numbers. These tactics have historically aimed to facilitate bank fraud or to trick victims into installing malware on their devices. PayPal has confirmed awareness of the scam and recommends that customers contact support directly through the official PayPal app or website if they suspect fraudulent activity. Users concerned about account compromise should log into their PayPal account directly rather than clicking email links to verify whether any unauthorized charges actually occurred.

Shinhan Card Faces Regulatory Review Over Internal Data Sharing Incident


Shinhan Card, one of South Korea’s largest credit card companies, has disclosed a data leak involving the personal information of approximately 192,000 merchants. The company confirmed the incident on Tuesday and said it has notified the Personal Information Protection Commission, the country’s data protection regulator.

The affected individuals are self-employed merchants who operate franchised businesses and had provided personal information during standard onboarding and contract procedures. According to Shinhan Card, the exposed data was limited in nature and did not include sensitive financial or identification details.

The company stated that information such as credit card numbers, bank account data, citizen registration numbers, and credit records were not compromised. Based on its current review, Shinhan Card said there is no evidence that the leaked information has been misused.

Incident Linked to Internal Handling, Not External Attack

Shinhan Card clarified that the incident did not involve hacking or unauthorized system access from outside the organization. Instead, the company believes the leak resulted from improper internal data handling.

Preliminary findings indicate that an employee at one of the company’s sales branches shared merchant information with a card recruiter for sales-related purposes. The data transfer reportedly violated internal policies governing the use and distribution of personal information.

The company said the internal channel used to transmit the data has since been blocked. An internal investigation was launched immediately after the issue was identified, and Shinhan Card is reviewing employee access controls and oversight mechanisms.

Most of the leaked records consisted of mobile phone numbers, accounting for around 180,000 cases. In approximately 8,000 instances, phone numbers were shared alongside merchant names. A smaller portion of the records also included additional personal details such as date of birth and gender.

Shinhan Card stated that its investigation did not uncover any cases where more sensitive personal or financial data was included in the leak. The company also said that no confirmed cases of fraud, identity theft, or other misuse linked to the exposed information have been reported to date.

The affected data belongs to merchants who signed agreements with Shinhan Card between March 2022 and May 2025.

Regulatory Notification and Review Process

The issue first came to the attention of authorities last month, when a report was submitted to the Personal Information Protection Commission. Following the initial notification, the regulator requested additional documentation to assess the scope of the incident and determine how the data was handled.

Shinhan Card formally reported the breach to the commission on December 23, in line with South Korea’s data protection disclosure requirements. The company said it continues to cooperate with the regulator as the review process remains ongoing.

Company Response and Merchant Guidance

In response to the incident, Shinhan Card issued a public apology and published detailed information through its website and mobile application. A dedicated service page has been made available to allow merchants to check whether their personal data was affected.

The company has advised merchants to remain cautious of suspicious calls, messages, or unsolicited contact attempts, even though no misuse has been confirmed so far. Shinhan Card said it is strengthening internal controls and reviewing how personal data is accessed and shared within the organization.

Regulatory authorities have not yet announced whether corrective measures or penalties will follow. Shinhan Card has said it will continue cooperating with the review while monitoring for any signs of misuse related to the exposed data.

US Justice Department Seizes Web Domain Linked to Large-Scale Bank Account Takeover Fraud


The U.S. Justice Department (DoJ) on Monday revealed that it has taken control of a web domain and its associated database that were allegedly used to support a criminal operation aimed at defrauding Americans through bank account takeover fraud.

Authorities identified the seized domain, web3adspanels[.]org, as a backend control panel that enabled cybercriminals to store, manage, and exploit unlawfully obtained online banking credentials. Visitors attempting to access the site now encounter a seizure notice stating that the takedown was part of a coordinated international law enforcement effort involving officials from the United States and Estonia.

"The criminal group perpetrating the bank account takeover fraud delivered fraudulent advertisements through search engines, including Google and Bing," the DoJ said. "These fraudulent advertisements imitate the sponsored search engine advertisements used by legitimate banking entities."

According to investigators, the deceptive ads redirected users to counterfeit banking websites controlled by the attackers. These fake portals were embedded with malicious software that captured login details entered by unsuspecting victims. The stolen credentials were then used to access real bank accounts, allowing the criminals to seize control and siphon off funds.

So far, the fraud scheme is believed to have impacted 19 victims across the United States, including two businesses located in the Northern District of Georgia. Officials estimate attempted financial losses of around $28 million, with confirmed losses reaching approximately $14.6 million.

The DoJ further noted that the seized domain contained banking login data belonging to thousands of victims and continued to function as an operational backend for account takeover fraud as recently as last month.

Separately, data from the U.S. Federal Bureau of Investigation (FBI) indicates a sharp rise in such incidents. Since January 2025, the Internet Crime Complaint Center (IC3) has logged more than 5,100 complaints related to bank account takeover fraud, with total reported losses exceeding $262 million.

Law enforcement agencies are urging the public to remain cautious when sharing personal information online or on social media. Users should regularly review bank statements for unusual activity, use strong and unique passwords, carefully verify banking website URLs before logging in, and remain alert to phishing attempts or suspicious calls.
