
All the recent news you need to know

CISA Warns of Spyware Gangs Targeting Signal and WhatsApp Users

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about state-backed threat actors and cyber-mercenaries actively exploiting commercial spyware to compromise Signal and WhatsApp accounts belonging to high-value targets. The alert, published in late November 2025, reveals that attackers are bypassing encryption protocols through sophisticated social engineering, spoofed applications, and zero-click exploits rather than breaking the encryption itself.

Targeted victims

CISA identifies the primary targets as high-value individuals including current and former senior government officials, military personnel, political figures, and civil society organizations across the United States, Middle East, and Europe. Attackers establish initial access through spyware deployment, then use that foothold to deliver additional malicious payloads and expand their control over compromised devices.

Modus operandi 

The campaigns employ multiple sophisticated techniques to sidestep encryption protections. Russia-aligned groups including Sandworm and Turla exploited Signal's linked devices feature by tricking victims into scanning malicious QR codes, allowing attackers to quietly add their own devices to accounts and intercept messages in real time. Palo Alto Networks' Unit 42 uncovered the LANDFALL spyware campaign targeting Samsung Galaxy devices through a zero-click WhatsApp exploit that required only sending a malicious image to compromise the device upon receipt.

Additional campaigns relied on app impersonation tactics, with ProSpy and ToSpy masquerading as legitimate applications like Signal and TikTok to harvest chat data, recordings, and files. Zimperium researchers identified ClayRat, an Android spyware family distributed across Russia through counterfeit Telegram channels and phishing sites impersonating WhatsApp, TikTok, and YouTube.

Policy implications

The alert arrives during increased scrutiny of commercial spyware vendors. The US government recently prohibited NSO Group from targeting WhatsApp users with Pegasus spyware, and the House of Representatives banned WhatsApp from staff devices earlier in 2025 due to security concerns. CISA's warning underscores a critical reality: attackers are not breaking encryption algorithms but instead exploiting vulnerabilities in the underlying devices and application features that encrypted messengers rely upon.

The Digital Trail That Led Scammers to Her Personal and Financial Information


 

In an unmistakable demonstration of the speed and sophistication of modern financial fraud, investigators say a sum of almost six crore was transferred within a matter of minutes, passing through an extensive chain of locations and accounts before disappearing without a trace. It all began in a plush condominium tower in a gated enclave in the National Capital Region.

Over time, the trail led to a modest three-room home in a Haryana village, then to a rented terrace room on the outskirts of Hyderabad, and then to 15 further states across the country. As the trail grew colder, the money reportedly passed through 28 bank accounts and touched 141 more, revealing the brazen precision with which organized cyber-fraud networks move money along intricate, circuitous routes.

Sue’s experience is an example of how a single cyber-security breach can cause the unraveling of an entire digital life. The personal details she provided were later found circulating freely online, which served as the entranceway for criminals who carried out a SIM-swap attack, convincing the mobile network that they were the legitimate account holders and obtaining access to her number. By doing so, they were able to access nearly all of her online accounts and reset the credentials. 

A woman describes the experience as “horrible”, recalling her Gmail account being hijacked, her bank logins repeatedly locked after failed security checks, and even her credit card details being stolen. Over £3,000 worth of vouchers had been purchased before she was able to stop it. She made multiple trips to both her bank and her mobile provider to regain control.

Each of these visits gave her a clearer picture of what had happened to her identity, yet even then the scammers did not stop trying to exploit her. Cyber fraudsters follow a common pattern: they exploit trust, urgency, and fear to breach people's digital defences.

In addition to impersonating banks, government agencies, delivery companies and well-known brands, these groups construct convincing narratives designed to push individuals into hurried decisions.

Fraudsters use many channels: phishing emails that mimic official communications and redirect users to fraudulent websites; vishing calls in which the caller pressures targets into divulging OTPs and banking credentials; and smishing messages that warn of blocked cards or suspicious transactions to get recipients to click on malicious links.

These methods all rely on social engineering, which manipulates human behaviour rather than breaking technical systems, and they have proven increasingly effective as more personal data becomes available online.

Experts point out that being targeted does not mean a person is wealthy; anyone with a digital footprint is a potential target. India has become increasingly digitalized, which means that more information is stored, shared, and exposed across multiple platforms. This gives criminals more opportunity to misuse that information, leaving users far more vulnerable than they realise.

The wide-ranging exposure of personal data in recent years has made it fertile ground for global scam networks, a pattern highlighted by the number of high-profile breaches reported in 2025. Marks & Spencer revealed in April that it had suffered a substantial intrusion at its retail operations but has yet to disclose the full extent of the attack.

The Co-op confirmed that the personal information of 6.5 million people had been compromised. Harrods said its luxury retail operations were breached, with 400,000 customer details disclosed, and Qantas announced that the data of 5.7 million flyers was compromised.

Proton Mail's Data Breach Observatory estimates that 794 verified breaches have been identified so far this year, together exposing more than 300 million records. According to cybersecurity specialist Eamonn Maguire, criminals are willing to pay high prices for stolen personal information because it can be used for fraud, blackmail, and further cyberattacks. Yet there remains a gap between the corporate response to victims and the standard of care companies are expected to provide.

While companies are required to inform customers and regulators, there is no universally accepted protocol for what support affected individuals should receive. Free credit monitoring, once a standard gesture, has become less common: Ticketmaster offered it last year to those affected by its breach, but companies such as Marks & Spencer and Qantas have declined to do the same.

The Co-op, on the other hand, chose to give customers a £10 voucher that could be redeemed only with a purchase of £40, a gesture widely criticized as insufficient. As frustration grows, more victims are turning to class-action lawsuits, though these suits usually do not succeed, since it is difficult to prove individual harm.

There are exceptions: T-Mobile has begun distributing payments from a $350 million settlement over a 2021 breach that affected 76 million subscribers, with individual compensation estimated at between $50 and $300. Against this expanding threat landscape, experts warn that vigilance and accountability are now essential components of effective protection, as authorities struggle to cope with the resulting challenges.

There is a call for individuals to monitor their financial activity closely and protect themselves from identity theft by enabling multifactor authentication and by treating unsolicited phone calls and messages with suspicion. Furthermore, policy-makers are urging clearer breach-response standards to ensure companies don't leave victims alone to deal with the fallout. 

It has become increasingly evident that cyber-fraud networks are becoming more agile and that data leaks have become more widespread and routine. Protecting one's digital identity is no longer optional; it is the first and most crucial defense against a system that too often favors the attacker.

Google Confirms Data Breach from 200 Companies


Google has confirmed that hackers stole data from more than 200 companies after exploiting apps developed by Gainsight, a customer success software provider. The breach targeted Salesforce systems and is being described as one of the biggest supply chain attacks in recent months.

What Happened

Salesforce said last week that “certain customers’ Salesforce data” had been accessed through Gainsight applications. These apps are widely used by companies to manage customer relationships. According to Google’s Threat Intelligence Group, over 200 Salesforce instances were affected.  

Who Is Behind the Attack

A group calling itself Scattered Lapsus$ Hunters, which includes members of the well-known ShinyHunters gang, has claimed responsibility. The gang has a history of targeting large firms and leaking stolen data online.  

The hackers have already published a list of alleged victims. Names include Atlassian, CrowdStrike, DocuSign, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters and Verizon. Some of these companies have denied being impacted, while others are still investigating.

What next?

This case underlines the risks of third-party apps in enterprise ecosystems. By compromising Gainsight’s software, attackers were able to reach hundreds of companies at once.

According to TechCrunch, supply chain attacks are especially dangerous because they exploit trust in vendors. Once a trusted app is breached, it can open doors to sensitive data across multiple organisations.

Industry Response

Salesforce has said it is working with affected customers to secure systems. Gainsight has not yet issued a detailed statement. Google continues to track the attackers and assess the scale of the stolen data.  

Cybersecurity firms are advising companies to review their integrations, tighten access controls and monitor for suspicious activity. Analysts believe this breach will renew calls for stricter checks on third-party apps used in cloud platforms.

The Larger Picture

The attack comes at a time when businesses are increasingly dependent on SaaS platforms like Salesforce. With more reliance on external apps, attackers are shifting their focus to these weak links, which makes the issue all the more dangerous.

Hackers Use Look-Alike Domain Trick to Imitate Microsoft and Capture User Credentials

 




A new phishing operation is misleading users through an extremely subtle visual technique that alters the appearance of Microsoft’s domain name. Attackers have registered the look-alike address “rnicrosoft(.)com,” which replaces the single letter m with the characters r and n positioned closely together. The small difference is enough to trick many people into believing they are interacting with the legitimate site.

This method is a form of typosquatting where criminals depend on how modern screens display text. Email clients and browsers often place r and n so closely that the pair resembles an m, leading the human eye to automatically correct the mistake. The result is a domain that appears trustworthy at first glance although it has no association with the actual company.

Experts note that phishing messages built around this tactic often copy Microsoft’s familiar presentation style. Everything from symbols to formatting is imitated to encourage users to act without closely checking the URL. The campaign takes advantage of predictable reading patterns where the brain prioritizes recognition over detail, particularly when the user is scanning quickly.

The deception becomes stronger on mobile screens. Limited display space can hide the entire web address and the address bar may shorten or disguise the domain. Criminals use this opportunity to push malicious links, deliver invoices that look genuine, or impersonate internal departments such as HR teams. Once a victim believes the message is legitimate, they are more likely to follow the link or download a harmful attachment.

The “rn” substitution is only one example of a broader pattern. Typosquatting groups also replace the letter o with the number zero, add hyphens to create official-sounding variations, or register sites with different top-level domains that resemble the original brand. All of these are intended to mislead users into entering passwords or sending sensitive information.

Security specialists advise users to verify every unexpected message before interacting with it. Expanding the full sender address exposes inconsistencies that the display name may hide. Checking links by hovering over them, or using long-press previews on mobile devices, can reveal whether the destination is legitimate. Reviewing email headers, especially the Reply-To field, can also uncover signs that responses are being redirected to an external mailbox controlled by attackers.

When an email claims that a password reset or account change is required, the safest approach is to ignore the provided link. Instead, users should manually open a new browser tab and visit the official website. Organisations are encouraged to conduct repeated security awareness exercises so employees do not react instinctively to familiar-looking alerts.


Below are common variations used in these attacks:

Letter Pairing: r and n are combined to imitate m as seen in rnicrosoft(.)com.

Number Replacement: the letter o is switched with the number zero in addresses like micros0ft(.)com.

Added Hyphens: attackers introduce hyphens to create domains that appear official, such as microsoft-support(.)com.

Domain Substitution: similar names are created by altering only the top-level domain, for example microsoft(.)co.


This phishing strategy succeeds because it relies on human perception rather than technical flaws. Recognising these small changes and adopting consistent verification habits remain the most effective protections against such attacks.
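A small detector for the four variations just listed, added here as an example and not part of the original article. The protected-brand table and the TLDs each brand is expected to use are assumptions, the sample inputs reuse the article's defanged “(.)” notation, and the detector also reverses two further confusable substitutions (1 for l, vv for w) that the article does not mention.

```python
"""Look-alike domain check for the variations listed above (rn for m,
0 for o, added hyphens, swapped top-level domain). Added example, not
from the original post; the protected-brand table is an assumption."""

# Character substitutions the attacker relies on. The detector reverses
# them before comparing with the brand list. rn->m and 0->o are from the
# article; vv->w and 1->l are the same trick with other glyphs.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Brand label -> TLDs that brand is expected to use (assumption).
PROTECTED = {"microsoft": {"com"}}


def refang(domain: str) -> str:
    """Turn defanged notation such as rnicrosoft(.)com into a real name."""
    return domain.lower().replace("(.)", ".").replace("[.]", ".").strip(".")


def normalise(label: str) -> str:
    """Undo confusable substitutions so look-alikes collapse to the brand."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld). Multi-part public suffixes such
    as co.uk are out of scope for this example."""
    parts = refang(domain).split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify(domain: str) -> list[str]:
    """Findings for one domain; an empty list means nothing matched.
    A finding is a reason to verify, not proof of fraud: a brand may
    legitimately own hyphenated or other-TLD names of its own."""
    name, tld = split_domain(domain)
    findings = []
    for brand, tlds in PROTECTED.items():
        if name == brand and tld in tlds:
            return []  # the genuine domain
        if name != brand and normalise(name) == brand:
            findings.append(f"confusable-character look-alike of {brand}")
        if name != brand and brand in name.split("-"):
            findings.append(f"hyphenated variation of {brand}")
        if name == brand and tld not in tlds:
            findings.append(f"{brand} under unexpected top-level domain .{tld}")
    return findings


def scan(domains: list[str]) -> dict[str, list[str]]:
    """Map each suspicious domain to its findings; clean names are omitted."""
    return {d: classify(d) for d in domains if classify(d)}


if __name__ == "__main__":
    # Constructed sample: the article's four examples plus two clean names.
    sample = ["rnicrosoft(.)com", "micros0ft(.)com", "microsoft-support(.)com",
              "microsoft(.)co", "microsoft.com", "example.org"]
    for domain, reasons in scan(sample).items():
        print(domain, "->", "; ".join(reasons))
```

In practice the same check is run over sender domains and link targets pulled from mail logs, with the brand table extended to every brand the organisation expects to see.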



PostHog Details “Most Impactful” Security Breach as Shai-Hulud 2.0 npm Worm Spreads Through JavaScript SDKs

 

PostHog has described the Shai-Hulud 2.0 npm worm incident as “the largest and most impactful security incident” the company has ever faced, after attackers managed to push tainted versions of its JavaScript SDKs and attempted to automatically harvest developer credentials.

In a recently published postmortem, PostHog — one of the affected maintainers caught up in the Shai-Hulud 2.0 outbreak — revealed that multiple packages, including core libraries such as posthog-node, posthog-js, and posthog-react-native, were compromised. The malicious versions included a pre-install script that ran the moment the package was added to a project. This script executed TruffleHog to search for secrets, exported any discovered credentials to newly created public GitHub repositories, and then used the stolen npm tokens to publish additional malicious updates, allowing the worm to continue spreading.

Researchers at Wiz, who identified the resurgence of the Shai-Hulud campaign, reported that more than 25,000 developers had their credentials exposed within just three days. Beyond PostHog, the malware also infiltrated packages from Zapier, AsyncAPI, ENS Domains, and Postman — many of which receive thousands of downloads every week.

Unlike a standard trojan, Shai-Hulud 2.0 operates like a fully autonomous worm. Once a compromised package is installed, it can collect a wide range of sensitive data — from npm and GitHub tokens to cloud provider credentials (AWS, Azure, GCP), CI/CD secrets, environment variables, and other confidential information found on developer machines or build environments. PostHog has since revoked all affected tokens, removed the infected package versions, and rolled out “known-good” releases.

However, the postmortem also underscored a deeper systemic flaw: the breach wasn’t caused by a leaked secret, but by a misconfigured CI/CD workflow that allowed untrusted pull-request code to execute with overly broad privileges. A malicious pull request triggered an automated script that ran with full access to the project. Because the workflow did not restrict execution of code from the attacker’s branch, the intruder was able to extract a bot’s personal-access token with organization-wide write permissions and use it to inject malicious updates.

Using the stolen credentials, the attacker created a tampered lint workflow designed to siphon all GitHub secrets — including the npm publishing token. With that token in hand, they uploaded the weaponized SDKs to npm, turning the infection into a self-propagating dependency-chain worm.

PostHog says it is now shifting to a “trusted publisher” model for npm releases, tightening workflow review processes, and disabling install-script execution in CI/CD pipelines, among other security improvements.

If this sounds all too familiar, that’s because it reflects a broader pattern across the ecosystem: over-privileged bots, automated workflows running unchecked, and dependency updates happening faster than anyone can thoroughly validate. As the incident shows, sometimes that’s all a worm needs to thrive.
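As an added example (not PostHog's own code or workflow), the following is a heuristic audit of a GitHub Actions workflow for the failure pattern the postmortem describes: untrusted pull-request code run with a privileged token, and npm install steps that execute package lifecycle scripts. The article does not name the trigger involved; the assumed form is the common one, a pull_request_target workflow that checks out the PR head, and both sample workflows are constructed.

```python
"""Heuristic audit of a GitHub Actions workflow for the pattern in the
PostHog postmortem: untrusted pull-request code run with a privileged
token, plus npm install steps that execute lifecycle scripts.
Added example, not PostHog's code. Assumes the pull_request_target form
of the mistake; uses line regexes instead of a YAML parser (stdlib only)."""
import re

# Constructed example of the risky shape (not PostHog's real workflow).
RISKY_WORKFLOW = """\
on: pull_request_target
permissions: write-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install
      - run: npm run lint
"""

# Constructed hardened counterpart: read-only pull_request token, explicit
# least-privilege permissions block, and lifecycle scripts disabled.
SAFER_WORKFLOW = """\
on: pull_request
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm run lint
"""

PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
NPM_INSTALL = re.compile(r"\bnpm (install|ci|i)\b")


def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means none."""
    lines = text.splitlines()
    findings = []
    # pull_request_target runs in the base repository context, with its
    # secrets and, unless restricted, a write-capable GITHUB_TOKEN.
    privileged = any(re.search(r"\bpull_request_target\b", l) for l in lines)
    checks_out_head = any(PR_HEAD.search(l) for l in lines)
    perms = [l.strip() for l in lines if re.match(r"\s*permissions:", l)]
    if privileged and checks_out_head:
        findings.append("pull_request_target checks out the PR head: "
                        "untrusted code runs with repository secrets")
    if privileged and (not perms or any("write-all" in p for p in perms)):
        findings.append("GITHUB_TOKEN scope is write-all or left to the "
                        "repository default (no permissions block)")
    for l in lines:
        if NPM_INSTALL.search(l) and "--ignore-scripts" not in l:
            findings.append("install step runs lifecycle scripts: " + l.strip())
    return findings


if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("safer", SAFER_WORKFLOW)):
        print(label, audit_workflow(wf) or ["no findings"])
```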

North Korean APT Collaboration Signals Escalating Cyber Espionage and Financial Cybercrime

 

Security analysts have identified a new escalation in cyber operations linked to North Korea, as two of the country’s most well-known threat actors—Kimsuky and Lazarus—have begun coordinating attacks with unprecedented precision. A recent report from Trend Micro reveals that the collaboration merges Kimsuky’s extensive espionage methods with Lazarus’s advanced financial intrusion capabilities, creating a two-part operation designed to steal intelligence, exploit vulnerabilities, and extract funds at scale. 

Rather than operating independently, the two groups are now functioning as a complementary system. Kimsuky reportedly initiates most campaigns by collecting intelligence and identifying high-value victims through sophisticated phishing schemes. One notable 2024 campaign involved fraudulent invitations to a fake “Blockchain Security Symposium.” Attached to the email was a malicious Hangul Word Processor document embedded with FPSpy malware, which stealthily installed a keylogger called KLogEXE. This allowed operators to record keystrokes, steal credentials, and map internal systems for later exploitation. 

Once reconnaissance was complete, data collected by Kimsuky was funneled to Lazarus, which then executed the second phase of attacks. Investigators found Lazarus leveraged an unpatched Windows zero-day vulnerability, identified as CVE-2024-38193, to obtain full system privileges. The group distributed infected Node.js repositories posing as legitimate open-source tools to compromise server environments. With this access, the InvisibleFerret backdoor was deployed to extract cryptocurrency wallet contents and transactional logs. Advanced anti-analysis techniques, including Fudmodule, helped the malware avoid detection by enterprise security tools. Researchers estimate that within a 48-hour window, more than $30 million in digital assets were quietly stolen. 

Further digital forensic evidence reveals that both groups operated using shared command-and-control servers and identical infrastructure patterns previously observed in earlier North Korean cyberattacks, including the 2014 breach of a South Korean nuclear operator. This shared ecosystem suggests a formalized, state-aligned operational structure rather than ad-hoc collaboration.  

Threat activity has also expanded beyond finance and government entities. In early 2025, European energy providers received a series of targeted phishing attempts aimed at collecting operational power grid intelligence, signaling a concerning pivot toward critical infrastructure sectors. Experts believe this shift aligns with broader strategic motivations: bypassing sanctions, funding state programs, and positioning the regime to disrupt sensitive systems if geopolitical tensions escalate. 

Cybersecurity specialists advise organizations to strengthen resilience through aggressive patch management, multi-layered email security, secure cryptocurrency storage practices, and active monitoring for indicators of compromise such as unexpected execution of winlogon.exe or unauthorized access to blockchain-related directories. 

Researchers warn that the coordinated activity between Lazarus and Kimsuky marks a new phase in North Korea’s cyber posture—one blending intelligence gathering with highly organized financial theft, creating a sustained and evolving global threat.
