Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Financial Data
Athenian Tech Classified Information Data Breach Defence Ministry Financial Data

Cyberattack Exposes Confidential Defence Data, Raising Security Concerns

 



A massive collection of classified defence documents has reportedly been stolen by hackers and put up for sale. The stolen information includes blueprints for a weapon, details about an upcoming Air Force facility, procurement strategies, and India's defence partnerships with other countries.  

Cybersecurity firm Athenian Tech, which analyzed the data, believes it was taken from the personal device of a former Defence Ministry official. Among the leaked files are emergency evacuation procedures for high-ranking government officials, including the President and Prime Minister, in the event of an aerial attack. This has raised serious concerns about national security.  


Defence Agency denies data breach

The Defence Research and Development Organisation (DRDO), which is responsible for developing military technology, is known for its strict security rules. Employees are not even allowed to carry personal mobile phones in certain areas. However, the stolen data has been linked to DRDO, raising concerns about how such critical information was accessed.  

Despite these claims, DRDO officials have denied that their systems were breached. They stated that the stolen files do not belong to their organization but have not provided further details to clarify the situation.  


Hackers Claim Responsibility 

A ransomware group called Babuk Locker 2.0 announced on March 10, 2025, that it was behind the attack. The hackers claim to have stolen 20 terabytes of sensitive defence data from DRDO’s servers, including classified military documents and login credentials. They released a small portion of this data, approximately 753 MB, as proof of their claims.  

The sample files include technical details about upgrades to the T9 Bhishma Tank, along with records of India’s defence collaborations with countries such as Finland, Brazil, and the United States.  

Athenian Tech examined conversations between the hackers and found that they were communicating in Indonesian, suggesting they may be based in Indonesia. However, after further analysis, the firm believes the hackers might have exaggerated the scale of the breach.  

The report indicates that much of the leaked data is linked to Puneet Agarwal, who served as a Joint Secretary in the Defence Ministry between 2019 and 2021. His personal information, including Aadhaar details, financial records, and travel documents, were found in the files. This suggests that the breach might have come from his personal device rather than DRDO’s secured internal network.  


Major Security Risks 

The exposure of such sensitive information highlights major cybersecurity vulnerabilities. It raises concerns about insider threats and whether India’s defence infrastructure is adequately protected from sophisticated cyberattacks.  

Athenian Tech has stressed the need for stronger security measures, tighter access controls, and constant monitoring to prevent such incidents from happening again.  

One of the biggest concerns is that classified documents were stored on a personal device, which indicates serious gaps in data security policies. If the hackers also obtained login credentials, they could use them to infiltrate more secure systems and gain access to additional classified information.  

Read more »
trending news
Africa under cyber threats bfsi BFSI cyber security Cyber Security News trending news

Cyber Threats Surge Across Africa’s Financial Sector, Urging Stronger Cybersecurity Defenses

 

In 2024, the financial landscape in Africa has been rocked by a series of high-impact cyberattacks, underscoring the urgent need for enhanced digital defenses across the Banking, Financial Services, and Insurance (BFSI) sector. From Uganda to Zimbabwe and South Africa, institutions are increasingly in the crosshairs of sophisticated cybercriminal groups. One of the most alarming incidents involved the Bank of Uganda, which reportedly lost approximately $16.8 million to an offshore hacking group known as “Waste.” 

In a similar breach of security, ZB Financial Holdings in Zimbabwe suffered a ransomware attack in July that led to substantial data exposure, compromising both customer details and operational systems. South Africa’s Standard Bank also confirmed a recent data breach that affected limited personal and financial data, highlighting how widespread and varied these threats have become. Interpol’s 2024 African Cyberthreat Assessment paints a grim picture—cyberattacks on African businesses surged by 23% in 2023, with ransomware and data breaches being the most prevalent. 

These figures reflect not only a rising frequency but also the growing sophistication of cybercrime on the continent. The IBM 2024 Cost of a Data Breach report further reveals that the average cost of a data breach in South Africa has risen sharply to R53.1 million, a significant jump from R49.45 million the previous year. Historical incidents continue to serve as cautionary tales. The 2020 Experian breach compromised 24 million personal records, while the 2023 Medusa ransomware attack on the Bank of Africa’s Malian unit resulted in the leak of 2TB of sensitive data. 

These events demonstrate the severe financial and reputational risks African financial institutions face. As the sector increasingly adopts technologies such as artificial intelligence, blockchain, and cloud computing, new avenues for cyber exploitation have emerged. Threats like phishing schemes, insider sabotage, and regulatory compliance issues now loom larger than ever before. “Cybercrime is evolving at an alarming rate, and financial institutions in Africa are prime targets,” said Abe Wakama, CEO of IT News Africa. 

“The BFSI Security Summit will offer a vital platform for industry leaders to collaborate, exchange knowledge, and deploy effective strategies to protect their institutions,” he further added. 

Cybersecurity experts and Chief Information Security Officers (CISOs) across the continent are responding by urging a multi-layered approach to digital defense—deploying AI-powered threat detection systems, implementing zero trust security models, and ensuring compliance with key data privacy regulations like South Africa’s Protection of Personal Information Act (POPIA) and the EU’s GDPR. Additional measures such as continuous monitoring, advanced endpoint protection, and robust incident response planning are becoming standard practice. Equally critical are human factors—regular employee training and rigorous penetration testing play a pivotal role in building organizational cyber resilience.
Read more »
Sanctions
Crypto Exchange cryptocurrency cryptocurrency security Cyber Security financial risks Garantex Russian Crypto Sanctions

Sanctioned Russian Crypto Exchange Garantex Allegedly Rebrands as Grinex

 

International efforts to dismantle illicit financial networks are facing new challenges, as the recently sanctioned Russian cryptocurrency exchange Garantex appears to have rebranded and resumed operations under a new name—Grinex. Reports from blockchain analytics firm Global Ledger suggest that Grinex may be a direct successor to Garantex, which was shut down earlier this month in a joint operation by law enforcement agencies from the U.S., Germany, and Finland. 

Despite the crackdown, Global Ledger researchers have identified on-chain movements linking the two exchanges, including the transfer of Garantex’s holdings in a ruble-backed stablecoin, A7A5, to wallets controlled by Grinex. Off-chain clues further support the connection, such as the sudden surge in trading volume—Grinex reportedly handled over $40 million in transactions within two weeks of its launch. According to Lex Fisun, CEO of Global Ledger, social media activity also suggests a direct relationship between the platforms.

In a Telegram post, Sergey Mendeleev, a known figure associated with Garantex, downplayed the similarities between the two exchanges while making light of the situation. Meanwhile, reports indicate that former Garantex users have been transferring funds at the exchange’s physical offices in Europe and the Middle East, strengthening claims that Grinex is simply a rebranded version of the defunct platform. While leading blockchain analytics firms such as Chainalysis and TRM Labs have yet to verify these findings, Andrew Fierman, Head of National Security Intelligence at Chainalysis, acknowledged that early indicators point to a connection between Garantex and Grinex. 

However, a full assessment of Grinex’s infrastructure is still underway. If Grinex is indeed a rebranded Garantex, it would not be the first time a sanctioned exchange has attempted to evade regulatory scrutiny through rebranding. Similar cases have been observed in the past—BTC-E, a Russian exchange taken down by U.S. authorities in 2017, later reemerged as WEX, only to collapse due to internal conflicts. Likewise, Suex, another Russian exchange sanctioned for facilitating illicit transactions, resurfaced as Chatex before facing renewed enforcement actions. 

The reappearance of Garantex in another form underscores the persistent difficulties regulators face in enforcing financial sanctions. Despite the seizure of its servers and domain, the exchange’s infrastructure appears to have been quickly reestablished under a new identity. Experts warn that non-compliant exchanges operating in high-risk regions will continue to find ways to circumvent restrictions. Before its takedown, Garantex had been identified as a hub for money laundering and illicit financial transactions. 

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the exchange in 2022, citing its involvement in facilitating payments for ransomware groups such as Black Basta and Conti, as well as its ties to darknet marketplaces like Hydra. Court documents also revealed that Garantex provided financial services to North Korea’s Lazarus Group, a state-backed hacking organization responsible for some of the largest cryptocurrency heists in history, including the $1.4 billion Bybit hack.

Additionally, Russian oligarchs reportedly used the platform to bypass economic sanctions imposed after Russia’s invasion of Ukraine. Two individuals linked to Garantex’s operations, Lithuanian national and Russian resident Aleksej Besciokov and Russian citizen Aleksandr Mira Serda, have been charged with conspiracy to commit money laundering. Besciokov was arrested in India earlier this month while on vacation with his family and is expected to be extradited to the U.S. to face trial. 

While authorities work to contain illicit financial activity in the crypto space, the rapid emergence of Grinex serves as a reminder of how easily such operations can adapt and reappear under new identities. Analysts warn that other high-risk exchanges in Russia, such as ABCEX and Keine-Exchange, are poised to take advantage of regulatory loopholes and fill the void left by Garantex’s shutdown.
Read more »
United States
Data Breach Military Operations National Security Security Breach Signal app United States

Experts Warn Trump Officials Using Signal for War Plans Risk Massive Leaks

 

Reports that senior Trump administration officials discussed classified military operations using the encrypted texting app Signal have raised serious security concerns. Although Signal provides encryption, lawmakers and cybersecurity specialists have warned that it is still susceptible to hacking and should never be used for private government communications. 

When journalist Jeffrey Goldberg of The Atlantic was accidentally included in a Signal group discussion where senior Trump officials were discussing military operations in Yemen, the issue became apparent. Goldberg called the conversation an act of "shocking recklessness" and said it included "precise information about weapons packages, targets, and timing.” 

Mark Montgomery, senior director of the Foundation for Defence of Democracies, criticised the decision, saying, "I guess Signal is a few steps above leaving a copy of your war plan at the Chinese Embassy—but it's far below the standards required for discussing any elements of a war plan.” 

Signal has become increasingly popular in Washington despite cybersecurity concerns after Chinese-affiliated hackers significantly compromised U.S. telecommunications networks. To safeguard against spying, officials recommend using encrypted services such as Signal. Experts warn that even while the app has robust encryption and deletes messages automatically, it is not approved for use in government-level sensitive communications. 

Lawmakers call for investigation

Top Democrats have slammed the use of Signal for military discussions, describing it as a significant security breach. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee, criticised the Trump administration for failing to vet group chat users. “It should go without saying that administration officials should not be using Signal for discussing intelligence matters,” Thompson noted. 

House Foreign Affairs Committee Ranking Member Gregory Meeks (D-N.Y.) has requested a hearing, calling the episode "the most astonishing breach of our national security in recent history." Ranking member of the House Intelligence Committee, Jim Himes (D-Conn.), said he was "horrified" by the usage of an insecure app. He cautioned that lower-level officials might risk criminal charges for such a failure. 

Michael Waltz, Trump's National Security Adviser, admits to organising the Signal group chat, which inadvertently included writer Jeffrey Goldberg. Waltz first blamed a staff member, but later admitted that he founded the group himself. "It is embarrassing, definitely. We're going to get to the bottom of it," he added, adding that he was engaging Elon Musk on technical matters. 

In support of Waltz, Trump described him as a "good man" who had only "learnt a lesson." "The leak was the only glitch in two months, and it turned out not to be a serious one," he said, downplaying the breach as a small mistake. But there has been a quick pushback, with lawmakers and security experts voicing serious concerns.
Read more »
Steam
Cyber Attacks Gaming Internet Online Gaming Phishing Attack Steam

Hackers Target 'Counter Strike-2' Players Via Fake Steam Login Pop-ups

Hackers Target 'Counter Strike-2' Players Via Fake Steam Login Pop-ups

Browser-in-the-browser attacks are simple yet sophisticated phishing scams. Hackers emulate trusted services via fake pop-up windows that look like the actual (real) login pages. While there have been a lot of reports describing browser-in-the-browser tactics, it is very difficult to actually catch a hacker deploying this campaign.

Fake Steam pages used to target gamers

Cybercriminals are targeting Counter-Strike 2 (a free-to-play tactical first-person shooter game) players using a disguised Steam login page that looks quite convincing. The fake page tricks innocent gamers into giving away their account IDs and passwords.

The hackers distributed the attack on the websites that pretended to represent the sports team Navi. “Part of the campaign’s attack tactics also includes abusing the name of a professional esports team called Navi,” reports cybersecurity vendor Silent Push. The hackers offered visitors free weapons skins or a “free case” that could be used in the game. To get these freebies, the phishing page demanded users to log in to Steam. 

“All of the websites our team has found so far were in English save one Chinese site, simplegive[.]cn, which was created in Mandarin, with some English wording, and used the top-level domain (TLD) '.cn,” reports Silent Push.

Campaign explained

The campaign, an example of browser-in-the-browser tactic, is built around creating an almost real-looking fake browser pop-up windows that display the URL of the actual website. It aims to make a visitor feel safe; the users believe the pop-up window is part of the real site. When a victim tries to log into the fake Steam portal, the hackers steal their login credentials and also try to take over victim accounts for future resale. After this, the site shows a fake pop-up page that mimics the Steam login portal, including the official “steamcommunity.com” domain in the web address. But the pop-up is a dummy window inside the phishing webpage; Silent Push has shown this in its video.

More about fake pop-up and how to identify it

According to Silent Push, the fake pop-up to the Steam login “cannot be maximized, minimized, or moved outside the browser window even though victims can ‘interact’ with the URL bar of the fake pop-up.” Silent Push also said that the campaign can be more effective for desktop users because the pop-ups are designed to be viewed on a larger resolution, in this case, big screens. All the fake Navi websites discovered were in English, except one Chinese site, which was in Mandarin with few English words. 

The fake websites were hosted on domains like casenaps[.]com, caserevs[.]com, and caseneiv[.]com. However, it doesn’t seem likely that the hackers took the time to make fake pop-ups for mobile phone viewing. To stay safe, users should always check for fake URL bars in any login pop-ups. If you find any URL bar, always drag that window outside of your browser. If it doesn’t move, you can tell the pop-up is fake.

Read more »
Troy Hunt
API Keys Credential Phishing Cyber Attacks CyberCrime Cybersecurity CyberThreat Have I Been Pwned Troy Hunt

HaveIBeenPwned Founder Compromised in Phishing Incident

 


The cybersecurity expert Troy Hunt, who founded the data breach notification platform Have I Been Pwned, recently revealed that he had been the victim of a phishing attack that was intended to compromise his subscriber list for the attacker to gain access to his data. Hunt explained the circumstances surrounding this incident in a detailed blog post, and provided screenshots of the deceptive email which enabled the attack to succeed.

In the fraudulent message, the author impersonated Mailchimp, a legitimate email marketing company, and embedded a hyperlink that was directed to a nearly identical, but fraudulent domain, which was a common phishing attack. It was very difficult to distinguish at a glance between the spoofed and authentic domains, which is why MailChimp-sso.com (now deactivated) is so closely similar. In Hunt's case, he acknowledged that he was severely fatigued at the time of the attack, which made it harder for him to act correctly. He also mentioned that he was experiencing jet lag at the time of the attack. 

In response to the email, he accidentally entered his credentials along with the one-time password, which was used for authentication. However, the fraudulent webpage did not proceed to the expected interface as he expected, signalling that the attack had been carried out. As a result of this incident, phishing scams represent a very prevalent risk, which underscores the importance of maintaining constant vigilance, even among cybersecurity professionals.

As soon as Troy Hunt discovered that he had been victimized by a phishing scam, he reset his password and reviewed his account activity immediately. However, since the phishing attack was highly automated, his credentials were already exfiltrated by the time he could respond. Although Hunt has extensive cybersecurity experience, this particular phishing attempt proved to be extremely successful. 

Hunt attributes the success to both his exhaustion after a long flight, as well as the sophistication of the email that was intended to fool others. According to him, the phish was "well-crafted" and was subtly manipulating psychological triggers. In the email, rather than utilizing overt threats or excessive urgency, it was suggested that he would not be able to send newsletters unless he took action. It was thus possible to send the email with just the right amount of apprehension to prompt action without creating suspicions. 

As a result, Hunt, the founder of the Have I Been Pwned platform, a platform that alerts people to compromised credentials, has taken steps to ensure that the information exposed in this incident will be incorporated into his platform in the future, which he hopes will lead to improved performance. A direct notification will be sent to individuals who have been affected by the breach, including both current subscribers and those who have already unsubscribed but are still impacted by the breach. 

Troy Hunt, a cybersecurity expert who runs a blog dedicated to cyber security and privacy, was targeted on March 25, 2018, by a phishing attack that compromised subscriber data from his blog. The attack originates from an email that impersonates Mailchimp, the platform he uses for sending out blog updates via email. According to the fraudulent message, his account had been suspended temporarily because of a spam complaint and he was required to login in order to resolve it.

The fake email made it look authentic by threatening disruption of service and creating a sense of urgency. Hunt was unable to distinguish this attack despite his extensive experience in identifying similar scams, as he was fatigued and jet lag affected his judgment in the process. In his attempt to log in with the email's link, he noticed an anomaly-his password manager did not automatically fill in his credentials. As a result, this could indicate that the website is fraudulent, but this is not a definitive indication, since legitimate services sometimes require a login from a different domain in some cases. 

As a result of the attack, approximately 16,000 email records were successfully exfiltrated, including those of active and unsubscribed readers alike. It is the result of Mailchimp's policy of retaining unsubscribed user information, a practice that is now being reviewed. There were emails, subscription statuses, IP addresses, location metadata and email addresses included in the compromised data, though the geolocation data did not pinpoint subscriber locations specifically. 

When the breach was discovered, immediate steps were taken to prevent further damage from occurring. It was determined that the attacker's API key would be revoked by Mailchimp, and the phishing website would be taken offline once the password was reset. Founder of Have I Been Pwned, a platform that tracks data breaches, Hunt has now added this incident to its database, making sure that affected users have been made aware of the incident. 

As phishing has become increasingly sophisticated over the years, it has moved beyond stereotypical poorly worded emails and implausible requests, moving into new levels of complexity. Cybercriminals today employ extremely sophisticated tactics that take advantage of human psychology, making it more and more difficult for consumers to distinguish between legitimate and fraudulent communications. The recent incident highlights the growing risks associated with targeted phishing attacks, as well as the importance of cybersecurity awareness and defense. 

Key Insights and Takeaways:

Psychological Manipulation and the Subtle Use of Urgency 

The majority of phishing emails are crafted to create a feeling of immediate panic, such as threats of account suspension or urgent payment requests, causing immediate panic within the target. However, modern attackers have honed their strategies, utilizing subtle psychological strategies to weaken the defences of their targets. As a matter of fact, in this case, the fraudulent email implied a very minor yet urgent issue: that the newsletter could not be sent. To manipulate the recipient into taking action, the email created just enough concern without raising suspicions, which led the recipient to respond to the email effectively. It is therefore imperative to recognize psychological manipulation in social engineering attacks, even for small requests that are relatively urgent, especially when it comes to logging into an account or updating one's credentials, to be viewed with suspicion. 

Password Manager Behavior as a Security Indicator 

In this attack, several red flags were pointing at Hunt's password manager's behaviour. Password managers are designed to recognize and auto-fill credentials only when they are used on legitimate websites. It should have been a warning sign in this case that the credentials of the user failed to automatically populate on the website, which could have indicated the website was fraudulent. By paying close attention to their password manager behaviour, users will be able to become more aware of security risks associated with their password manager. The site may be a spoofed one if the credentials are not automatically filled. Instead of entering the login details manually, users should double-check the source of the website and confirm it is authentic before proceeding with the transaction. 

The Limitations of One-Time Passwords (OTPs) in Phishing Attacks 

The multi-factor authentication (MFA) technique is widely considered to be one of the best security measures available, but it is not immune to phishing attacks. In this case, the attackers also requested Hunt to provide a password along with an OTP after he provided his username and password. Once he provided the password, the attackers gained access to his legitimate account immediately. 

A major weakness of OTP-based authentication is the inability to protect against real-time phishing attacks, where credentials are stolen and used instantly. The risk can be mitigated by requiring users to enter OTPs when they see sites that look suspicious or differ slightly from their usual login flow. Users are advised to be cautious when they are asked to enter OTP.

Passkeys as a Stronger, Phishing-Resistant Alternative There is no better way to authenticate a user than using passkeys, which are cryptographic credentials linked to the device of a user instead of traditional passwords. Passkeys are based on biometric authentication, for example, fingerprints, facial recognition, or even on-device authentication mechanisms. 

As passkeys are not associated with manually entering credentials, they have a much higher resistance to phishing attacks than traditional passwords. Passkeys work on the trust-based model, unlike passwords and OTPs, where they require physical access to the device registered for authentication. In contrast to traditional login methods, passkeys are a powerful alternative that can be used in place of traditional login methods and can serve as a valuable defence against phishing attempts as well. 

The Importance of Continuous Security Awareness 


Despite their expertise, even cybersecurity experts can be susceptible to sophisticated attacks, highlighting the importance of maintaining constant vigilance. The best way to enhance your security is to verify URLs carefully – Keep an eye out for slight misspellings or variations in URLs, as attackers are often able to create a lookalike URL by using security keys or passkeys. By using hardware-based authentication, such as YubiKeys, or passkeys, you can be assured that your information will be secure. If anyone receives a suspicious email asking for login credentials, security updates, or sensitive actions, be cautious and verify the message separately. 

Using Advanced Threat Protection – Organizations should take advantage of tools powered by artificial intelligence that are capable of detecting phishing attempts and blocking them in real-time. Educating Employees and Individuals – By attending regular cybersecurity training, you can become aware of the ever-evolving tactics used by phishing websites, minimizing the chances of human error. 

Although it is not possible to ensure complete protection against phishing attacks with just one security measure, adopting a multi-layered approach, a combination of awareness, technological safeguards, and behavioural vigilance, can greatly reduce your chances of becoming a victim of the attack. Despite being an experienced cybersecurity professional, even the most experienced individuals are not immune to social engineering techniques as demonstrated by the Troy Hunt incident. 

There was a significant contribution of fatigue and reduced attentiveness in this case, leading to a misjudgment that was essentially avoidable. It is known that social engineering can be extremely effective when it is employed in the right circumstances to reach the right people at the right time, resulting in a misjudgment that could have been avoided if it had been implemented correctly. The incident illustrates the way cybercriminals are using human weaknesses to achieve their objectives by exploiting human vulnerabilities. 

According to Aditi Gupta, a principal security consultant at Black Duck, attackers use a variety of tactics to manipulate unsuspecting victims, such as fear, urgency, and fatigue, to fool inexperienced people, reinforcing the theory that no one can escape sophisticated phishing schemes altogether. However, Hunt has been praised for being transparent in sharing his experience, which has served as a powerful tool for educating others about the risks associated with cybersecurity, despite the setbacks he has experienced. 

Despite admitting that he had made mistakes, he also expressed concern about Mailchimp’s security practices, especially the fact that the company did not offer two-factor authentication that is phishing resistant and kept intact for years to come. Cyber threats are not only mitigated through continuous vigilance, robust authentication mechanisms, and organizational responsibility, but also through continuous vigilance, robust authentication mechanisms, and organizational responsibility. 

The threat of social engineering attacks continues to increase and to remain protected from these attacks, it is imperative to strengthen security protocols, eliminate conventional authentication methods, and maintain cybersecurity awareness throughout the organization.
Read more »
RedCurl
Cyber Attacks Hyper-V encryption QWCrypt ransomware Ransomware attack RedCurl

Corporate Espionage Group ‘RedCurl’ Expands Tactics with Hyper-V Ransomware

 

RedCurl, a cyber threat group active since 2018 and known for stealthy corporate espionage, has now shifted its approach by deploying ransomware targeting Hyper-V virtual machines.

Initially identified by Group-IB, RedCurl primarily targeted corporate organizations globally, later expanding its reach. However, as reported by Bitdefender Labs, the group has now incorporated ransomware into its operations.

"We've seen RedCurl stick to their usual playbook in most cases, continuing with data exfiltration over longer periods of time," states the Bitdefender report. "However, one case stood out. They broke their routine and deployed ransomware for the first time."

With businesses increasingly adopting virtualized infrastructure, ransomware groups are adapting by designing encryptors for these environments. While most ransomware variants target VMware ESXi servers, RedCurl’s latest tool, QWCrypt, focuses specifically on Hyper-V.

Bitdefender’s analysis reveals that RedCurl initiates attacks through phishing emails containing .IMG attachments disguised as CVs. When opened, these disk image files auto-mount in Windows, executing a malicious screensaver file. This technique exploits DLL sideloading via a legitimate Adobe executable, enabling persistence through scheduled tasks.

To avoid detection, RedCurl employs living-off-the-land (LOTL) techniques, leveraging native Windows utilities. A custom wmiexec variant facilitates lateral movement across networks without triggering security tools, while Chisel provides tunneling and remote desktop access.

Before deploying ransomware, the attackers disable security measures using encrypted 7z archives and a multi-stage PowerShell script.

Unlike standard Windows ransomware, QWCrypt supports multiple command-line arguments, allowing attackers to fine-tune encryption strategies. In observed attacks, RedCurl used the --excludeVM argument to avoid encrypting network gateway virtual machines, ensuring continued access.

The XChaCha20-Poly1305 encryption algorithm is employed to lock files, appending .locked$ or .randombits$ extensions. Additionally, QWCrypt offers intermittent encryption (block skipping) and selective file encryption based on size, optimizing speed.

The ransom note, named "!!!how_to_unlock_randombits_files.txt$", incorporates text fragments from multiple ransomware groups, including LockBit, HardBit, and Mimic.

Unlike most ransomware gangs, RedCurl does not operate a dedicated leak site, raising speculation about its true intentions. Experts propose two theories:

The ransomware may serve as a cover for data theft, creating a distraction while RedCurl exfiltrates sensitive corporate information. It could also act as a backup monetization method when clients fail to pay for stolen data. Another possibility is that RedCurl may conduct covert negotiations with victims, focusing on financial gain without public exposure.

"The RedCurl group's recent deployment of ransomware marks a significant evolution in their tactics," Bitdefender concludes. "This departure from their established modus op
Read more »
SaaS Ransomware
2FA Cyber crimes Operational Technology Ransomware SaaS Ransomware

Ransomware Attacks Are Increasing— How Hackers Are Adapting

 



Cybercriminals are finding new ways to launch ransomware attacks, and recent reports show a major increase in these incidents. The latest warning from security experts highlights how hackers are evolving their tactics, making these threats more dangerous than ever.  


Ransomware Attacks Have Risen Sharply  

The number of ransomware attacks has grown in early 2025, with reports showing a 132% increase compared to late 2024. At the same time, a specific type of scam known as deepfake phishing—where AI is used to trick people into giving away sensitive information—has surged by more than 1,600%. These scams often lead to ransomware infections, as hackers use them to gain access to private systems.  

Although many organizations have improved their cybersecurity measures, hackers are adapting. Cybercriminals are focusing on new methods to steal information, including bypassing two-factor authentication (2FA). In many cases, they intercept security codes or hijack login sessions, allowing them to enter accounts without needing passwords.  


Hackers Are Targeting More Systems  

A growing concern is that cybercriminals are now attacking systems that control important operations, such as industrial machines and corporate networks. These systems, known as operational technology (OT) environments, are becoming frequent targets for ransomware groups.  

Security researchers from Ontinue warn that cybercriminals are not just trying to lock files and demand payments— they are using artificial intelligence (AI) and legitimate tools to break into networks without being detected. Instead of relying solely on traditional phishing emails, hackers now interact with IT staff, tricking them into sharing confidential details that can be used for future attacks.  


Ransom Payments Are Declining— But The Threat Isn’t  

One positive trend is that fewer companies are paying ransom demands. Recent studies show that overall payments have dropped by 35%. This is partly due to stronger law enforcement efforts, international cooperation, and organizations refusing to give in to extortion.  

However, experts warn that this might not last. Cybercriminals are constantly adjusting their methods. Instead of just encrypting files, many ransomware groups now steal sensitive data and threaten to leak it unless victims pay up. Some hackers even demand multiple payments—one to prevent data from being leaked, another to unlock encrypted files, and sometimes an additional ransom for other threats.  


The Future of Ransomware Attacks  

Security professionals are seeing a shift in how ransomware works. Hackers are no longer just sending out mass phishing emails. They are carefully studying security systems, looking for vulnerabilities, and even using software-as-a-service (SaaS) platforms to deliver attacks.  

Experts recommend that businesses and individuals take extra precautions. Strengthening cybersecurity defenses, keeping software updated, and being cautious of unexpected emails or messages can help prevent falling victim to these evolving threats.

Read more »
Data Theft
AT&T cloud storage services CyberCrime cybercriminal arrests Data Breach Data Hackers data security Data Theft

Connor Moucka Extradited to U.S. for Snowflake Data Breaches Targeting 165 Companies

 

Connor Moucka, a Canadian citizen accused of orchestrating large-scale data breaches affecting 165 companies using Snowflake’s cloud storage services, has agreed to be extradited to the United States to face multiple federal charges. The breaches, which targeted high-profile companies like AT&T and Ticketmaster, resulted in the exposure of hundreds of millions of sensitive records. 

Moucka, also known by online aliases such as “Waifu,” “Judische,” and “Ellyel8,” was arrested in Kitchener, Ontario, on October 30, 2024, at the request of U.S. authorities. Last Friday, he signed a written agreement before the Superior Court of Justice in Kitchener, consenting to his extradition without the standard 30-day waiting period. The 26-year-old faces 20 charges in the U.S., including conspiracy to commit computer fraud, unauthorized access to protected systems, wire fraud, and aggravated identity theft. Prosecutors allege that Moucka, along with co-conspirator John Binns, extorted over $2.5 million from victims by stealing and threatening to expose their sensitive information. 

The data breaches tied to this cybercrime operation have had widespread consequences. In May 2024, Ticketmaster’s parent company, Live Nation, confirmed that data from 560 million users had been compromised and put up for sale on hacking forums. Other companies affected include Santander Bank, Advance Auto Parts, and AT&T, among others. Moucka and Binns are believed to be linked to “The Com,” a cybercriminal network involved in various illicit activities, including cyber fraud, extortion, and violent crimes. 

Another alleged associate, Cameron Wagenius, a 21-year-old U.S. Army soldier, was arrested in December for attempting to sell stolen classified information to foreign intelligence agencies. Wagenius has since indicated his intent to plead guilty. U.S. prosecutors claim Moucka and his associates launched a series of cyberattacks on Snowflake customers, gaining unauthorized access to corporate environments and exfiltrating confidential data. 
These breaches, described as among the most extensive cyberattacks in recent history, compromised sensitive 
records from numerous enterprises. While the exact date of Moucka’s extradition remains undisclosed, his case underscores the growing threat of cyber extortion and the increasing international cooperation in tackling cybercrime. His legal representatives have not yet issued a statement regarding the extradition or upcoming trial proceedings.
Read more »
VanHelsing
AR CyberCrime CyberThreat ESXi Platforms Google Window malware Ransomware VanHelsing

VanHelsing Ransomware Strikes Windows ARM and ESXi Platforms

 


As part of an ongoing analysis of ransomware-as-a-service operations, a new operation known as VanHelsing has been identified. This operation demonstrates a sophisticated multi-platform capability, posing a significant cybersecurity threat. This new strain of ransomware is designed to be able to compromise a wide range of systems, including Windows, Linux, BSD, ARM and ESXi, highlighting how adaptable and powerful the malware is.

During the spring of 2025, VanHelsing became highly visible in underground cybercriminal forums, where it was actively promoted to potential affiliates. The most significant aspect of the program was the fact that experienced cybercriminals were given free access, while those with less expertise were required to pay a $5,000 deposit as a condition to participate. In this case, the targeted recruitment strategy seems to be a calculated one to attract both seasoned and aspiring threat actors to expand the scope of the ransomware's operational capabilities. 

A few weeks back, cybersecurity firm CYFIRMA first revealed the existence of VanHelsing, providing insight into its emergence and early stages. The findings of Check Point Research's extensive technical analysis, published yesterday in the journal Security Research, provide a more in-depth understanding of the ransomware's mechanics as well as its operational framework, which was published following this discovery. It has become apparent that VanHelsingRaaS is spreading rapidly, raising serious concerns among cybersecurity professionals. 

Just two weeks after the ransomware launched, three confirmed victims of the ransomware have been successfully compromised. This virus has already gone through further development and has already been redeveloped into a more advanced version. The speed at which it has developed highlights how powerful it could become within the cyber threat landscape, and it warrants security professionals around the world to be vigilant and take proactive measures to combat it. 

While the ransomware is still evolving, multiple infections have already been detected, which indicates that it has been deploying rapidly in real-world attacks. To investigate several variants, which have so far been restricted to the Windows platform, cybersecurity researchers have conducted an in-depth examination. All of these variants have been identified as being based on Windows. A notable aspect of the malware is that it has been improved incrementally with each subsequent iteration, which suggests that the malware is constantly being improved. 

It is clear from the frequent updates and rapid progress of the ransomware that the developers are committed to expanding their capabilities, and this raises concerns regarding its potential impact as the ransomware matures. According to the available evidence, VanHelsing ransomware was first found in the wild on March 16, when the ransomware was first detected in the wild. To secure the files within this malware, a 32-byte (256-bit) symmetric key and a 12-byte nonce are generated for each file by the ChaCha20 encryption algorithm. 

In addition, VanHelsing also encrypts these generated values with the use of an embedded Curve25519 public key to further enhance its encryption processes. These encrypted keys and nonces are then embedded in the affected file to make them more secure. A notable feature of VanHelsing is its extensive command-line interface (CLI) customization that enables attackers to tailor the attack to meet the specific requirements of their target users. 

Files that exceed 1GB in size are subjected to partial encryption, while smaller files are subjected to complete encryption. As part of this method, drives and folders will be selected, encryption parameters will be set, the attack will spread via SMB protocol, shadow copy deletions will be bypassed, and evasion will be performed in a dual-phase stealth mode. VanHelsing utilizes two types of encryption to provide high levels of security. 

It is a standardized encryption technique in which it systematically enumerates directories, encrypts file content, and then renames the affected files using the ".vanhelsing" extension. On the other hand, when in stealth mode, both the encryption and file renaming are performed in separate processes, thus minimizing detection risks since the encryption process mimics normal file input/output (I/O) activity to minimize detection risk.

During the renaming phase of the data, security tools might detect anomalies, but by that time the data is already encrypted in full. However, Check Point has identified several shortcomings in its code development that have been attributed to immature development despite its advanced functionality and rapid evolution. There are many reasons for this, including inconsistency in file extensions, flaws in exclusion list logic that could lead to duplicate encryption cycles, and several command-line flags that have not been implemented yet. 

Despite VanHelsing's many technical imperfections, it remains a formidable emerging cyber threat. Considering that it is a continuously evolving threat, security professionals and organizations must keep their eyes open for potential threats associated with this ransomware variant as it is developing. In recent years, van Helsing ransomware has emerged as an extremely sophisticated cyber threat that can be used against multiple platforms, including Windows, Linux, BSD, ARM, and ESXi, and is rapidly evolving. 

With its advanced encryption techniques, extensive CLI customization, and stealth tactics, this ransomware can be a formidable weapon in the hands of cybercriminals. There is strong evidence that the ransomware is actively spread through underground forums, as well as its recruitment strategy. Security researchers have noted that it is rapidly iterating and improving, making proactive defence measures imperative. 

Although VanHelsing may have been developed with technical flaws, it remains an incredibly dangerous threat due to its ability to spread rapidly and adapt quickly. Organizations must maintain an effective cybersecurity strategy, stay informed about emerging threats, and enhance their defences to avoid potential risks. The evolving nature of this ransomware emphasizes the need.
Read more »
Malicious Campaign
Cyber Fraud Fake Hiring GitHub Infostealer Malicious Campaign

Developers Face a Challenge with Fake Hiring That Steals Private Data

 

Cyble threat intelligence researchers discovered a GitHub repository posing as a hiring coding challenge, tricking developers into downloading a backdoor that steals private data. The campaign employs a variety of novel approaches, including leveraging a social media profile for command and control (C&C) activities rather than C&C servers. Cyble Research and Intelligence Labs (CRIL) researchers discovered invoice-themed lures, suggesting that the campaign may be moving beyond a fake hiring challenge for developers. 

According to a blog post by Cyble researchers, 
the campaign appears to target Polish-speaking developers, and the malware exploits geofencing to restrict execution. The researchers believed that the campaign is disseminated through career sites such as LinkedIn or regional development forums. 

The fake recruitment test, dubbed "FizzBuzz," dupes users into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When executed, the LNK file ("README.lnk") invokes a PowerShell script that installs a stealthy backdoor known as "FogDoor" by the researchers. 

Instead of employing C&C servers, FogDoor communicates with a social media platform using a Dead Drop Resolver (DDR) mechanism to retrieve attack directives from a profile, according to the researchers. The malware employs geofencing to limit execution to Polish victims. 

When it becomes operational, "it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces," Cyble told reporters. The malware employs remote debugging to collect Chrome cookies and can work in the background, while Firefox credentials are obtained from profile directories. 

PowerShell script establishes persistence 

The PowerShell script also opens a "README.txt" file "to trick consumers into believing they are interacting with a harmless file," Cyble stated. This paper includes instructions for a code bug patch task, "making it appear innocuous while ensuring the PowerShell script executes only once on the victim's machine to carry out malicious activities." 

The PowerShell script also downloads an executable file and saves it as "SkyWatchWeather.exe" in the "C:\Users\Public\Downloads" folder. It then creates a scheduled task called "Weather Widget," which executes the downloaded file using mshta.exe and VBScript and is set to run every two minutes indefinitely. 

SkyWatchWeather.exe serves as a backdoor by utilising a social networking platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its command and control infrastructure. After authenticating its location, the malware attempts to connect to "bark.lgbt/api" in order to get further orders embedded in a social media platform's profile information. Cyble added that this setup complicates identification and removal operations.
Read more »
Steam security breach
Data Breach malware gaming cybersecurity threats malware in PC games PirateFi Vidar infostealer Sniper Phantom’s Resolution malware Steam security breach

Malware-Laden Game Removed from Steam as Security Concerns Grow

 

Steam, a leading digital distribution platform for PC games, recently removed Sniper: Phantom's Resolution after users discovered it contained malware designed to steal sensitive data.

The installer, disguised as a legitimate Windows process, executed evasive techniques, including launching and terminating Node.js scripts and creating startup persistence, all while masquerading as a game demo.

This isn’t an isolated case. Just a month prior, another game, PirateFi, was found distributing the Vidar infostealer—a sophisticated malware capable of compromising passwords, browser session cookies, cryptocurrency wallets, and more. Reports indicate that up to 1,500 users were affected.

The Sniper: Phantom's Resolution incident highlights how cybercriminals leverage external repositories and privilege escalation tools, while PirateFi demonstrates the power of social engineering—using cryptocurrency themes to lure unsuspecting players.

Unfortunately, these cases are becoming increasingly common, eroding trust in digital storefronts that are expected to vet and protect their users.

One of the most alarming aspects is that these malicious games were hosted on Steam’s official platform—not obscure third-party sites. This suggests that attackers are finding loopholes in the platform’s submission and moderation processes, using obfuscated builds and fake assets to bypass initial inspections.

Why This Trend is Alarming
  • High User Trust – Gamers assume platforms like Steam and Epic Games Store rigorously screen content.
  • Rapid Spread – A single infected game can be downloaded by thousands within days, giving attackers a large pool of victims.
  • Advanced Obfuscation – Cybercriminals use encryption, privilege escalation, and stealthy persistence to evade detection.
  • Credential Theft & Account Takeovers – Gamers risk losing login credentials, stored payment details, in-game assets, and cryptocurrency.
  • Delayed Detection – Users, not platforms, were the first to flag suspicious activity in both Sniper: Phantom's Resolution and PirateFi.

Despite ongoing security enhancements—such as SMS-based verification and stricter moderation—digital storefronts remain vulnerable to sophisticated cyber threats. Many platforms still rely on basic file scans and metadata checks, which fail to detect behavioral indicators of hidden malware.

Another major issue is the lax verification of developers. Fraudulent accounts can slip through, upload malicious content, and vanish before detection. Once malware is live, response times lag, allowing infections to spread rapidly.

Affected users often experience frustration due to vague or delayed notifications, leaving them unaware of potential risks and unsure of how to respond. This lack of timely communication weakens trust and security.

While platforms must improve their defenses, players should also take proactive steps to protect their systems:

  • Download Only from Official Sources – Always install games and updates directly from the platform’s interface. Avoid external links.
  • Use Reputable Antivirus Software – Keep security software updated and enable real-time protection.
  • Check Community Feedback – Look for reviews and forum discussions before installing lesser-known titles.
  • Enable Multi-Factor Authentication (MFA) – Secure accounts with MFA to prevent unauthorized access.
  • Identify Red Flags – Be cautious of games with copied assets, vague developer histories, or external download prompts.
  • Monitor Installed Software – Regularly check for unexpected applications, especially after installing new games.
  • Back Up Important Data – Secure backups help recover from potential malware infections.
  • Reset Compromised Accounts – If you suspect an infection, change passwords for email, gaming platforms, and financial services immediately.
Gaming platforms must take a more proactive stance by implementing advanced malware detection techniques such as sandboxing and behavioral analysis. Stricter developer verification, faster response times to user reports, and clear breach notifications are also crucial.

Until these measures are in place, gamers should assume that even official platforms carry risks—and take precautions accordingly.
Read more »
Privacy
Backups Data Leak Google Google Maps Privacy

Google Deletes User Data by Mistake – Who’s Affected and What to Do

 



Google has recently confirmed that a technical problem caused the loss of user data from Google Maps Timeline, leaving some users unable to recover their saved location history. The issue has frustrated many, especially those who relied on Timeline to track their past movements.


What Happened to Google Maps Timeline Data?

For the past few weeks, many Google Maps users noticed that their Timeline data had suddenly disappeared. Some users, who had been saving their location history for years, reported that every single recorded trip was gone. Even after trying to reload or recover the data, nothing appeared.

Initially, Google remained silent about the issue, providing no confirmation or explanation. However, the company has now sent an email to affected users, explaining that a technical error caused the deletion of Timeline data for some people. Unfortunately, those who did not have an encrypted backup enabled will not be able to restore their lost records.


Can the Lost Data Be Recovered?

Google has advised users who have encrypted backups enabled to try restoring their Timeline data. To do this, users need to open the latest version of Google Maps, go to the Timeline section, and look for a cloud icon. By selecting the option to import backup data, there is a chance of retrieving lost history.

However, users without backups have no way to recover their data. Google did not provide a direct apology but acknowledged that the situation was frustrating for those who relied on Timeline to recall their past visits.


Why Does This Matter?

Many Google Maps users have expressed their disappointment, with some stating that years of stored memories have been lost. Some people use Timeline as a digital journal, tracking places they have visited over the years. The data loss serves as a reminder of how important it is to regularly back up personal data, as even large tech companies can experience unexpected issues that lead to data deletion.

Some users have raised concerns about Google’s reliability, wondering if this could happen to other services like Gmail or Google Photos in the future. Many also struggled to receive direct support from Google, making it difficult to get clear answers or solutions.


How to Protect Your Data in the Future

To avoid losing important data in cases like this, users should take the following steps:

Enable backups: If you use Google Maps Timeline, make sure encrypted backups are turned on to prevent complete data loss in the future.

Save data externally: Consider keeping important records in a separate cloud service or local storage.

Be aware of notifications: When Google sends alerts about changes to its services, take immediate action to protect your data.


While Google has assured users that they are working to prevent similar problems in the future, this incident highlights the importance of taking control of one’s own digital history. Users should not fully rely on tech companies to safeguard their personal data without additional protective measures.



Read more »
Technology
Cyberhackers Cybersecurity CyberThreat Gmail Google Google Drive Google Meet Technology

Gmail Upgrade Announced by Google with Three Billion Users Affected

 


The Google team has officially announced the launch of a major update to Gmail, which will enhance functionality, improve the user experience, and strengthen security. It is anticipated that this update to one of the world’s most commonly used email platforms will have a significant impact on both individuals as well as businesses, providing a more seamless, efficient, and secure way to manage digital communications for individuals and businesses alike.

The Gmail email service, which was founded in 2004 and has consistently revolutionized the email industry with its extensive storage, advanced features, and intuitive interface, has continuously revolutionized the email industry. In recent years, it has grown its capabilities by integrating with Google Drive, Google Chat, and Google Meet, thus strengthening its position within the larger Google Workspace ecosystem by extending its capabilities. 

The recent advancements from Google reflect the company’s commitment to innovation and leadership in the digital communication technology sector, particularly as the competitive pressures intensify in the email and productivity services sector. Privacy remains a crucial concern as the digital world continues to evolve. Google has stressed the company’s commitment to safeguarding user data, and is ensuring that user privacy remains of the utmost importance. 

In a statement released by the company, it was stated that the new tool could be managed through personalization settings, so users would be able to customize their experience according to their preferences, allowing them to tailor their experience accordingly. 

However, industry experts suggest that users check their settings carefully to ensure their data is handled in a manner that aligns with their privacy expectations, despite these assurances. Those who are seeking to gain a greater sense of control over their personal information may find it prudent to disable AI training features. In particular, this measured approach is indicative of broader discussions regarding the trade-off between advanced functionality and data privacy, especially as the competition from Microsoft and other major technology companies continues to gain ground. 

Increasingly, AI-powered services are analyzing user data and this has raised concerns about privacy and data security, which has led to a rise in privacy concerns. Chrome search histories, for example, offer highly personal insights into a person’s search patterns, as well as how those searches are phrased. As long as users grant permission to use historical data, the integration of AI will allow the company to utilize this historical data to create a better user experience.

It is also important to remember, however, that this technology is not simply a tool for executive assistants, but rather an extremely sophisticated platform that is operated by one of the largest digital marketing companies in the world. In the same vein, Microsoft's recent approach to integrating artificial intelligence with its services has created a controversy about user consent and data access, leading users to exercise caution and remain vigilant.

According to PC World, Copilot AI, the company's software for analyzing files stored on OneDrive, now has an automatic opt-in option. Users may not have been aware that this feature, introduced a few months ago, allowed them to consent to its use before the change. It has been assured that users will have full Although users have over their data they have AI-driven access to cloud-stored files, the transparency of such integrations is s being questioned as well as the extent of their data. There remain many concerns among businesses that are still being questioned. Businesses remain concerned aboutness, specifically about privacy issues.

The results of Global Data (cited by Verdict) indicate that more than 75% of organizations are concerned about these risks, contributing to a slowdown in the adoption of artificial intelligence. A study also indicates that 59% of organizations lack confidence in integrating artificial intelligence into their operations, with only 21% reporting an extensive or very extensive deployment of artificial intelligence. 

In the same way that individual users struggle to keep up with the rapid evolution of artificial intelligence technologies, businesses are often unaware of the security and privacy threats that these innovations pose. As a consequence, industry experts advise organizations to prioritize governance and control mechanisms before adopting AI-based solutions to maintain control over their data. CISOs (chief information security officers) might need to adopt a more cautious approach to mitigate potential risks, such as restricting AI adoption until comprehensive safeguards have been implemented. 

The introduction of AI-powered innovations is often presented as seamless and efficient tools, but they are supported by extensive frameworks for collecting and analyzing data. For these systems to work effectively, they must have well-defined policies in place that protect sensitive data from being exposed or misused. As AI adoption continues to grow, the importance of stringent regulation and corporate oversight will only increase. 

To improve the usability, security and efficiency of Gmail, as well as make it easier for both individuals and businesses, Google's latest update has been introduced to the Gmail platform. There are several features included in this update, including AI-driven features, improved interfaces, and improved search capabilities, which will streamline email management and strengthen security against cybersecurity threats. 

By integrating Google Workspace deeper, businesses will benefit from improved security measures that safeguard sensitive information while enabling teams to work more efficiently and effectively. This will allow businesses to collaborate more seamlessly while reducing cybersecurity risks. The improvements added by Google to Gmail allow it to be a critical tool within corporate environments, enhancing productivity, communication, and teamwork. With this update, Google confirms Gmail's reputation as a leading email and productivity tool. 

In addition to optimizing the user experience, integrating intelligent automation, strengthening security protocols, and expanding collaborative features, the platform maintains its position as a leading digital communication platform. During the rollout over the coming months, users can expect a more robust and secure email environment that keeps pace with the changing demands of today's digital interactions as the rollout progresses.
Read more »
Threat Intelligence
AI AI Tool Data Privacy Technology Threat Intelligence

AI and Privacy – Issues and Challenges

 

Artificial intelligence is changing cybersecurity and digital privacy. It promises better security but also raises concerns about ethical boundaries, data exploitation, and spying. From facial recognition software to predictive crime prevention, customers are left wondering where to draw the line between safety and overreach as AI-driven systems become more and more integrated into daily life.

The same artificial intelligence (AI) tools that aid in spotting online threats, optimising security procedures, and stopping fraud can also be used for intrusive data collecting, behavioural tracking, and mass spying. The use of AI-powered surveillance in corporate data mining, law enforcement profiling, and government tracking has drawn criticism in recent years. AI runs the potential of undermining rather than defending basic rights in the absence of clear regulations and transparency. 

AI and data ethics

Despite encouraging developments, there are numerous instances of AI-driven inventions going awry, which raise serious questions. A face recognition business called Clearview AI amassed one of the largest facial recognition databases in the world by illegally scraping billions of photos from social media. Clearview's technology was employed by governments and law enforcement organisations across the globe, leading to legal action and regulatory action about mass surveillance. 

The UK Department for Work and Pensions used an AI system to detect welfare fraud. An internal investigation suggested that the system disproportionately targeted people based on their age, handicap, marital status, and country. This prejudice resulted in certain groups being unfairly picked for fraud investigations, raising questions about discrimination and the ethical use of artificial intelligence in public services. Despite earlier guarantees of impartiality, the findings have fuelled calls for increased openness and supervision in government AI use. 

Regulations and consumer protection

The ethical use of AI is being regulated by governments worldwide, with a number of significant regulations having an immediate impact on consumers. The AI Act of the European Union, which is scheduled to go into force in 2025, divides AI applications into risk categories. 

Strict regulations will be applied to high-risk technology, like biometric surveillance and facial recognition, to guarantee transparency and moral deployment. The EU's commitment to responsible AI governance is further reinforced by the possibility of severe sanctions for non compliant companies. 

Individuals in the United States have more control over their personal data according to California's Consumer Privacy Act. Consumers have the right to know what information firms gather about them, to seek its erasure, and to opt out of data sales. This rule adds an important layer of privacy protection in an era where AI-powered data processing is becoming more common. 

The White House has recently introduced the AI Bill of Rights, a framework aimed at encouraging responsible AI practices. While not legally enforceable, it emphasises the need of privacy, transparency, and algorithmic fairness, pointing to a larger push for ethical AI development in policy making.
Read more »
North Korea
Cyber Intelligence Cyber Researchers Cyber Security Cyber Warfare cybersecurity research North Korea

North Korea Establishes Research Center 227 to Strengthen Cyber Warfare Capabilities

 

North Korea has reportedly launched a new cyber research unit, Research Center 227, as part of its efforts to enhance hacking capabilities and intelligence operations. According to Daily NK, this center is expected to function continuously, providing real-time support to North Korean intelligence agencies by developing advanced cyber tools. 

The initiative highlights North Korea’s increasing reliance on cyber warfare as a key component of its broader security strategy. In February 2025, North Korean leadership directed the Reconnaissance General Bureau (RGB) under the General Staff Department to strengthen the nation’s offensive cyber capabilities. As part of this directive, Research Center 227 was formed to focus on the development of sophisticated hacking techniques and cyber warfare tools. 

These efforts are primarily aimed at infiltrating foreign cybersecurity systems, disrupting critical infrastructure, and stealing sensitive data from targeted nations. The research facility will recruit approximately 90 highly skilled professionals, including graduates from top universities and individuals with advanced degrees in computer science. Unlike frontline cyber operatives who execute attacks, these researchers will focus on creating and refining malware, intrusion methods, and other offensive cyber tools. 

By centralizing its cyber research efforts, North Korea aims to develop more sophisticated digital weapons that can be deployed by operational hacking units in intelligence and espionage missions. North Korea has significantly expanded its cyber operations in recent years, with its state-sponsored hacking groups, such as Lazarus, launching large-scale attacks across the globe. These groups have been responsible for financial cybercrimes, espionage, and the theft of cryptocurrency, targeting both private companies and government agencies. 

Their activities have included spreading malware, infiltrating secure networks, and deploying information-stealing tools to compromise Western organizations. One particularly deceptive tactic used by North Korean hackers is the “Contagious Interview” campaign, in which cybercriminals pose as recruiters or hiring managers to manipulate professionals into downloading malicious software disguised as video conferencing applications. 

This technique has allowed hackers to gain access to corporate systems and steal valuable credentials. Additionally, there have been numerous cases of North Korean operatives using false identities to secure employment in global technology firms, potentially accessing critical software infrastructure or engaging in fraudulent activities. With the establishment of Research Center 227, North Korea is likely to intensify its cyber warfare operations, making its hacking activities more strategic and efficient. 

The development of custom malware, sophisticated intrusion techniques, and advanced cyber espionage methods could further increase the scale and complexity of North Korean cyberattacks. As these threats evolve, governments and cybersecurity professionals worldwide will need to bolster their defenses against the growing risks posed by North Korea’s cyber capabilities.
Read more »
ransomware attacks
Cybersecurity Threats Document converter malware Fake file converters malware Online Scams ransomware attacks

FBI Warns Against Fake Online Document Converters Spreading Malware

 

iThe FBI Denver field office has issued a warning about cybercriminals using fake online document converters to steal sensitive data and deploy ransomware on victims' devices. Reports of these scams have been increasing, prompting authorities to urge users to be cautious and report incidents.

"The FBI Denver Field Office is warning that agents are increasingly seeing a scam involving free online document converter tools, and we want to encourage victims to report instances of this scam," the agency stated.

Cybercriminals create fraudulent websites that offer free document conversion, file merging, or media download services. While these sites may function as expected, they secretly inject malware into downloaded files, enabling hackers to gain remote access to infected devices.

"To conduct this scheme, cybercriminals across the globe are using any type of free document converter or downloader tool," the FBI added.

These sites may claim to:
  • Convert .DOC to .PDF or other file formats.
  • Merge multiple .JPG files into a single .PDF.
  • Offer MP3 or MP4 downloads.
Once users upload their files, hackers can extract sensitive information, including:
  • Names and Social Security Numbers
  • Cryptocurrency wallet addresses and passphrases
  • Banking credentials and passwords
  • Email addresses
Scammers also use phishing tactics, such as mimicking legitimate URLs by making slight alterations (e.g., changing one letter or replacing "CO" with "INC") to appear trustworthy.

“Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams,” said Vikki Migoya, Public Affairs Officer for FBI Denver.

Cybersecurity experts have confirmed that these fraudulent websites are linked to malware campaigns. Researcher Will Thomas recently identified fake converter sites, such as docu-flex[.]com, distributing malicious executables like Pdfixers.exe and DocuFlex.exe, both flagged as malware.

Additionally, a Google ad campaign in November was found promoting fake converters that installed Gootloader malware, a malware loader known for:

  1. Stealing banking credentials
  2. Installing trojans and infostealers
  3. Deploying Cobalt Strike beacons for ransomware attacks

"Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip," explained a cybersecurity researcher.

Instead of receiving a legitimate document, users were given a JavaScript file that delivered Gootloader, which is often used in ransomware attacks by groups like REvil and BlackSuit.

In order to stay safe,
  • Avoid unknown document conversion sites. Stick to well-known, reputable services.
  • Verify file types before opening. If a downloaded file is an .exe or .JS instead of the expected document format, it is likely malware.
  • Check reviews before using any online converter. If a site has no reviews or looks suspicious, steer clear
  • Report suspicious sites to authorities. Victi
  • ms can file reports at IC3.gov.
  • While not all file converters are malicious, thorough research and caution are crucial to staying safe online.
Read more »
Subscribe to: Posts (Atom)