Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
cybersecurity risk
corporate cyber attacks Corporate Data Breach Cyber Attacks Cyber Gangs Cyber Security Ransomware Attacks cybersecurity risk

Crazy Ransomware Gang Abuses Net Monitor and SimpleHelp for Stealthy Network Persistence

 

Not long ago, security analysts from Huntress spotted someone tied to the Crazy ransomware group using standard employee surveillance and remote assistance programs. This person used common system tools - not custom malware - to stay hidden within company networks. Instead of flashy attacks, they moved quietly through digital environments already familiar to IT teams. What stands out is how ordinary software became part of a stealthy buildup toward data encryption. Behind the scenes, attackers mimic regular maintenance tasks to avoid suspicion. Their method skips complex hacking tricks in favor of blending in. Over time, such tactics make detection harder since alerts resemble routine actions. Rather than breaking in, they act like insiders who belong. Recently, this approach has become more frequent across different cybercrime efforts. Normal-looking tool usage now masks malicious goals deep inside infrastructure.

Throughout several cases reviewed by Huntress, Net Monitor for Employees Professional appeared next to SimpleHelp’s remote access software. Using both together let attackers maintain ongoing, hands-on access to affected machines. This pairing lowered their chances of setting off detection mechanisms. Each tool played a role in staying under the radar. 

A single instance involved deployment of surveillance software through Windows Installer by running msiexec.exe, enabling adversaries to pull the agent straight from the official provider site. With it active, complete remote screen access emerged alongside command launching, data movement, and live observation of machine activity - delivering control similar to admin privileges on compromised devices. 

To tighten their hold, the hackers tried turning on the default admin account via "net user administrator /active:yes." Another layer came when they pulled down SimpleHelp using PowerShell scripts. Files were hidden under names that looked real - some copied Visual Studio’s vshost.exe pattern. Others posed as OneDrive components, tucked inside folders like ProgramData. Despite detection of a single remote component, operations persisted due to multiple deployment layers. 

Occasionally, the SimpleHelp executable appeared under altered names, mimicking standard corporate software files. Observed by analysts, these changes helped it evade immediate recognition. At times, Huntress noticed efforts aimed at weakening Microsoft Defender - achieved by halting and removing related system services - to limit detection on infected devices. One breach showed attackers setting up alert triggers inside SimpleHelp, activated whenever machines reached sites tied to digital currency storage or trading. 

These triggers watched for terms linked to wallet providers, exchange portals, blockchain lookup tools, and online payment systems. Elsewhere, the surveillance tool logged mentions of remote access software like RDP, AnyDesk, TeamViewer, UltraViewer, and VNC, possibly to spot signs of IT staff or security teams logging into affected endpoints. Despite just a single confirmed instance leading to Crazy ransomware activation, Huntress identified shared command servers and repeated file names like “vhost.exe.” These similarities point toward one actor behind both breaches. 

Notably, infrastructure links emerged across incidents. One attack stood out in impact. Yet patterns in execution imply coordination. File artifacts matched closely. Operation methods showed consistency. The evidence ties the events together indirectly. Reuse of tools strengthens that view. Infrastructure overlap was clear. Execution timing varied. Still, the digital fingerprints align. Not just one but two security incidents traced back to stolen SSL VPN login details, showing how shaky remote entry points can open doors. 

Instead of assuming safety, watch for odd patterns - like when trusted remote management software shows up without warning, used now more often by attackers who twist normal tools into stealthy weapons. Despite growing reliance on standard tools by attackers, requiring extra verification steps for every remote login helps block stolen passwords from being useful. Because hackers now blend in using common management programs, watching network behavior closely while limiting who can enter key systems stays essential for company security.
Read more »
Group IB
Credential Theft Cyber Attacks Cyberbreaches Cybercrime Ecosystem Digital Supply Chain Risk Global Supply-Chain Attack Group IB

Group-IB Warns Supply Chain Attacks Are Becoming a Self-Reinforcing Cybercrime Ecosystem

 

Cybercrime outfits now reshape supply chain intrusions into sprawling, linked assaults - spinning out data leaks, stolen login details, and ransomware in relentless loops, says fresh research by Group-IB. With each trend report, the security group highlights how standalone hacks have evolved: today’s strikes follow blueprints meant to ripple through corporate systems, setting off chains of further break-ins. 

Instead of going after one company just to make money fast, hackers now aim at suppliers, support services, or common software tools - gaining trust-based entry to many users at once. Cases highlighted in recent reports - the Shai-Hulud NPM worm, the break-in at Salesloft, and the corrupted OpenClaw package - all show how problems upstream spread quickly across systems. Not limited to isolated targets, these attacks ripple outward when shared platforms get hit. 

Modern supply chain attacks unfold in linked phases, says Group-IB. One stage might begin with a tainted open-source component spreading malicious code while quietly collecting login details. Following that, attackers may launch phishing efforts - alongside misuse of OAuth tokens - to seize user identities, opening doors to cloud services and development pipelines. Breached data feeds these steps, supplying access keys, corporate connections, and situational awareness required to move sideways across systems. Later comes ransomware, sometimes followed by threats - built on insights gathered during earlier stages of breach. One step enables another, creating loops experts call self-sustaining networks of attack. 

Soon, Group-IB expects artificial intelligence to push this shift further. Because of AI-powered tools, scanning for flaws in vendor networks, software workflows, or browser add-on stores happens almost instantly. These systems let hackers find gaps faster - operating at speeds humans cannot match. 

Expectations point to declining reliance on classic malware, favoring tactics centered on stolen identities. Rather than using obvious harmful software, attackers now mimic authorized personnel, slipping into everyday operational processes. Moving quietly through standard behaviors allows them to stay hidden longer, gradually reaching linked environments. Because they handle sensitive operations like human resources, customer data, enterprise planning, or outsourced IT support, certain platforms draw strong interest from threat actors. 

When a compromise occurs at that level, it opens doors not just to one company but potentially hundreds connected through shared services - multiplying consequences far beyond the initial point of failure. Cases like Salesloft and the breach tied to Oracle in March 2025 show shifts in how data intrusions unfold. Rather than seeking quick payouts, hackers often collect OAuth credentials first. Missteps in third-party connections give them room to move inward. 

Once inside client systems, fresh opportunities open up. Data copying follows naturally. Trust-based communication chains become tools for disguise later. Infected updates spread quietly through established channels. Fraud grows without drawing early attention. Fault lines in digital confidence now shape modern cyber threats, according to Dmitry Volkov, who leads Group-IB. Rather than one-off breaches, what unfolds are ripple effects across systems. Because outside providers act like open doors, companies should treat them as part of their own risk landscape. 

Instead of reacting late, they build models for supply chain risks early. Automated scans track software links continuously. Insight into how information moves becomes essential - without it, gaps stay hidden until exploited. With breaches in supply chains turning into routine operations, protecting confidence among users, collaborations, and code links has shifted from being a backup measure to a core part of today’s security planning. 

What once seemed secondary now shapes the foundation. Trust must hold firm where systems connect - because failure at one point pulls down many. Security can no longer treat relationships as external risks; they are built-in conditions. When components rely on each other, weakness spreads fast. The report frames this shift clearly: resilience lives not just in tools but in verified connections. Not adding layers matters most - it is about strengthening what already ties everything together.
Read more »
Data Exfilteration
APT28 APT28 Cyber Espionage Cyber Attacks Cyber Phishing cybersecurity threat Data Exfilteration

APT28’s Operation MacroMaze Targets Western Europe With Stealthy Macro-Based Attacks

 

A fresh wave of digital intrusions, tied to Russian operatives known as APT28, emerges through findings uncovered by S2 Grupo’s LAB52 analysts. Throughout late 2025 into early 2026, these efforts quietly unfolded across Western and Central European institutions. Dubbed Operation MacroMaze, the pattern reveals reliance on minimalistic yet precisely timed actions. Instead of complex tools, attackers favored subtle coordination - bypassing alarms by design. Each phase unfolded with restraint, avoiding flashiness while maintaining persistence behind the scenes. 

Starting the operation, cyber actors send targeted emails with harmful attachments designed to trick users. Instead of using typical methods, these documents include an XML feature named “INCLUDEPICTURE.” That field points to a JPG stored on webhook[.]site, acting as a hidden reference. As soon as someone views the file, the system pulls the image from that external address. Unlike passive downloads, this transfer initiates a background connection outward. Midway through loading, the request exposes details about the user’s environment automatically. So, without visible signs, attackers receive confirmation plus technical footprints tied to the access event. 

Over time, different versions of the documents appeared, spotted by analysts during an extended review period. Each one carried small changes in macro design, though the core behavior stayed largely unchanged. Instead of sticking with automated browser launching, newer samples began mimicking keystrokes through SendKeys functions. This shift may have aimed at dodging detection mechanisms while keeping interactions less obvious to people opening files. 

When turned on, it runs a Visual Basic Script pushing the attack forward. A CMD file gets started by the script, setting up ongoing access using timed system jobs before releasing a batch routine. Out of nowhere, a tiny HTML segment encoded in Base64 appears inside Edge running without display. That fragment pulls directives from one online trigger point, carries out those steps on the machine, gathers what happens, then sends everything back - packed into an HTML document - to another web destination. 

A different version of the batch script skips headless browsing by shifting the browser window beyond the visible screen area. Following that shift, any active Edge instances are closed - this isolates the runtime setting. Once the created HTML document opens, form submission begins on its own, sending captured command results to a server managed by the attacker, all without engaging the user. 

LAB52 points out that the attack shows hackers using ordinary tools - batch scripts, minimal VBS launchers, basic HTML forms - to form a working breach system. Hidden browser tabs become operational zones, letting intrusions unfold without obvious footprints. Webhook platforms, meant for routine tasks, carry commands one way and stolen information the other. Instead of loud breaches, quiet integration with standard processes helps evade detection. The method thrives not on complexity, but on repurposing everyday components in stealthy ways. 

What stands out in Operation MacroMaze is how basic tools, when timed precisely, achieve advanced results. Not complexity - but clever order - defines its success. Common programs, used one after another in quiet succession, form an invisible path through defenses. Trusted system features play a central role, slipping past alarms. Persistence emerges not from novelty, but repetition masked as routine. Across several European organizations, the method survives simply by avoiding attention.
Read more »
XFS API exploitation
ATM jackpotting ATM malware attacks Cyber Attacks cyber physical crime FBI security alert Ploutus malware XFS API exploitation

FBI Warns of Surge in ATM Jackpotting Attacks After $20 Million Stolen in 2025

 

More than $20 million was stolen from compromised ATMs across the United States last year through a growing malware-driven scheme, according to a recent alert from the Federal Bureau of Investigation (FBI). Authorities say the tactic, known as ATM jackpotting, has seen a sharp rise in activity.

ATM jackpotting is a cyber-physical attack in which criminals manipulate both hardware and software weaknesses in ATMs to install malicious programs. Once deployed, the malware forces the machine to release cash on command without approval from the bank. Since 2020, nearly 1,900 such incidents have been recorded, with over 700 reported in 2025 alone, as detailed in a Thursday security advisory.

Attackers typically begin by using universal or generic keys to unlock the ATM cabinet. After gaining access, they either remove the machine’s hard drive to load malware onto it before reinstalling it, or swap it entirely with a pre-infected drive containing jackpotting software.

One of the most frequently used tools in these operations is Ploutus malware. This malicious program targets eXtensions for Financial Services (XFS), an open-standard API that enables ATMs and point-of-sale systems to communicate with banking applications across different hardware providers. 

Under normal conditions, XFS allows banking software to process transactions and authorize cash withdrawals. However, the malware manipulates this system, letting attackers send unauthorized commands that trigger the ATM to dispense money instantly.

Unlike card skimming schemes that compromise customer data and PIN numbers, jackpotting attacks primarily impact financial institutions. Banks and ATM operators bear the financial losses, which total tens of millions of dollars annually. These incidents are also challenging to detect in real time, often only becoming apparent after funds have already been removed.

In its latest advisory, the FBI outlined several warning signs for ATMs operating on Windows systems. These include suspicious executable files and scripts, unusual system event IDs linked to USB device insertions, missing hard drives, unauthorized hardware connected to the machine, and unexpected “out of cash” notifications. Financial institutions are urged to review these indicators closely to prevent further exploitation
Read more »
Supply Chain Attack
Crypto Exchange Cyber Attacks dYdX PyPI Package Supply Chain Attack

Malicious dYdX Packages Drain User Wallets in Supply Chain Attack

 

Malicious open-source packages targeting the dYdX cryptocurrency exchange have enabled attackers to drain user wallets, exposing once again how fragile software supply chains can be in the crypto ecosystem. Researchers found that legitimate-looking libraries on popular repositories were quietly stealing seed phrases and other sensitive data from both developers and end users, turning everyday development workflows into vectors for wallet compromise. The incident shows that even reputable projects using standard tooling are not immune when upstream dependencies are poisoned.

The attack focused on npm and PyPI packages associated with dYdX’s v4 trading stack, specifically the JavaScript package @dydxprotocol/v4-client-js and the Python package dydx-v4-client in certain versions. These libraries are widely used to build trading bots, automated strategies, and backend services that interact with the exchange and therefore routinely handle mnemonics and private keys needed to sign transactions. By compromising such central components, attackers gained access not just to individual wallets but to any application that pulled in the tainted releases.

Inside the malicious npm package, attackers added a surreptitious function that executed whenever a wallet seed phrase was processed, quietly exfiltrating it along with a fingerprint of the device running the code. The fingerprinting allowed the threat actors to correlate stolen credentials across multiple compromises and track victims over time. Stolen data was sent to a typosquatted domain crafted to resemble legitimate dYdX infrastructure, increasing the chances that network defenders would overlook the outbound connections.

The PyPI package carried similar credential-stealing behavior but escalated the threat by bundling a remote access Trojan capable of executing arbitrary Python code on infected systems. Running as a background daemon, this RAT regularly contacted a command‑and‑control server, fetched attacker-supplied code, and executed it in an isolated subprocess using a hard-coded authorization token. With this access, adversaries could steal keys and source code, plant persistent backdoors, and broadly surveil developer environments beyond just wallet data.

This is not the first time dYdX has faced targeted abuse of its ecosystem, following prior incidents involving malicious npm uploads and website hijacking campaigns aimed at draining user funds. For the broader industry, the episode underlines how high‑value crypto platforms and their developer tooling have become prime targets for supply-chain attacks. Developers are urged to rigorously audit dependencies, verify package integrity and publishers, and avoid using real wallet credentials in testing environments, while users should quickly review any apps or bots that rely on the affected dYdX client libraries.
Read more »
social engineering attacks
Cryptographic Credential Theft Cyber Attacks Device Linking Exploitation QR Code Phishing Secure Messaging Security Signal Account Hijacking social engineering attacks

German Authorities Alert Public to Signal Account Takeover Campaign

 

The use of secure messaging applications has long been seen as the final line of defense against persistent digital surveillance in an era of widespread digital surveillance. This assumption is now being challenged by Germany's domestic intelligence service, the Federal Office for the Protection of the Constitution, which, in conjunction with the Federal Office for Information Security, has jointly issued a rare advisory detailing a calculated cyberattack attributed to a state-backed adversary. 

It is clear that the warning highlights a deliberate strategy to infiltrate private communications through deception, rather than technical exploits, targeting individuals who rely heavily on them. The agencies report that the operation targets high-ranking political decision-makers, senior military personnel, diplomatic representatives, and investigative journalists in Germany and across Europe. Its implications go beyond the compromise of individual accounts to include high-ranking officials and foreign diplomats. 

Access to secure messenger profiles by unauthorized users could expose confidential information, sensitive professional networks, and trusted contact chains, which in turn could compromise entire institutional ecosystems. 

As a result, the campaign does not rely on malware deployment or the exploitation of Signal platform vulnerabilities. It attempts to manipulate the application's legitimate account recovery and verification features in order to achieve its objectives.

The attackers intend to quietly intercept private conversations and harvest contact information without triggering conventional security alarms by exploiting human trust rather than software vulnerabilities. The attack sequence reflects this strategy. The attackers are impersonating “Signal Support” or impersonating a fabricated assistance channel called a “Signal Security ChatBot” and contacting selected victims directly. 

Receivers are pressured to divulge verification codes or PINs sent via SMS as a precaution against data loss or account suspension, under the pretense that the adversary will be able to take control of the account upon surrendering these credentials. Based on the initial findings, the joint advisory clarifies that the attack is not a result of technical compromise of the platform's codebase or malicious payload deployment. 

By combining carefully staged social engineering with Signal's routine functionality, the operators are exploiting the trust users place in its privacy-centered design. By manipulating the standard account verification and recovery workflows, the attackers are able to induce their victims to divulge the very credentials that secure their communication. 

In one documented scenario, a person impersonating an official support channel is referred to as “Signal Support” or “Signal Security Chatbot.” The targeted organization receives messages alleging fabricated security irregularities and urges it to act immediately to prevent alleged data loss or account suspension. 

By engineering urgency, recipients are prompted to disclose their Signal PINs or SMS verification codes, overriding caution. When the adversary possesses these credentials, they may re-register the account on infrastructure under their control, effectively transferring ownership of the account. Such situations may result in the legitimate user being locked out and the intruder gaining unfettered access to message histories, active conversations, and stored contact information. 

A parallel technique utilizes Signal's multi-device linking capability, enabling seamless synchronization across mobile, tablet, and desktop clients. By causing victims to scan a malicious QR code, threat actors are able to inadvertently attach additional devices to their accounts by posing as a threat actor. With this method, one-on-one exchanges, group discussions, and associated metadata are persistently visible, almost real-time, without generating immediate suspicion.

Since the original device remains functional, the victims may not be aware that their communications are mirrored elsewhere. Authorities emphasize that the absence of malware is a defining characteristic of the campaign. In lieu of exploit chains or zero-day vulnerabilities, attackers rely solely on the voluntary disclosure of valid cryptographic credentials to gain access. 

Through the use of this approach, they are able to circumvent conventional endpoint security systems and network monitoring systems because the account access appears to be procedurally valid within the platform's security environment. 

Using trusted features inappropriately complicates the detection process as well as amplifies the potential intelligence value of the intrusion. It is further noted that individuals whose communications are sensitive from a diplomatic, military, political, or investigative perspective have been given priority in the targeting profile. 

By compromised such accounts, one can gain access to confidential discussions, gain insight into policy decisions and operational planning, and reconstruct professional networks to target subsequent targets. Furthermore, controlling trusted accounts provides an opportunity for impersonation, allowing misleading information to be distributed or sensitive exchanges to be manipulated.

It is reported that the activity was likely to be perpetrated by a state-sponsored actor, but officials caution that these techniques are neither technical complex nor exclusive to government-backed organizations. 

The use of social engineering rather than sophisticated exploitation reduces the barrier to replication, enhancing the likelihood that criminal enterprises or other hostile actors may use similar tactics with comparable impact in the future. The German authorities emphasize in their concluding guidance that the durability of encrypted communication ultimately depends on both informed user vigilance and cryptographic strength. 

Educating institutions and high profile individuals on how to respond to unsolicited account-related requests with heightened scrutiny, strengthening internal awareness of verification workflows, and integrating secure messaging hygiene into operational security procedures is recommended.

An audit of linked devices on a regular basis, strict control over authentication credentials, as well as the activation of additional account safeguards are not offered as optional enhancements, but as mandatory requirements in a threat environment where deception replaces exploitation. 

According to the agencies, resilience will depend more on disciplined user behavior and proactive defensive posture than on technological assurances alone, as adversaries continue to use legitimate platform features for covert access. 

s a result of the advisory, institutions will not be able to protect themselves from compromise when authentication workflows themselves become an attack surface for compromised platforms. 

It is recommended that organizations evaluate how secure messaging tools are integrated into executive and diplomatic communications, ensuring that account recovery procedures, device management policies, and identity verification protocols are governed by formal security controls as opposed to informal user discretion, according to German officials. 

An adversary who weaponizes legitimacy rather than exploiting flaws will need to cultivate procedural discipline, a continuous threat awareness, and a recognition that trust, once manipulated, can have the same impact as any technical vulnerability.
Read more »
Spanish government data breach
Cyber Attacks cybercrime surge 2025 GordonFreeman hacker IDOR vulnerability exploit Ministry of Science cyberattack Spain Spanish government data breach

Spain Ministry of Science Cyberattack Triggers IT Shutdown, Hacker Claims Data Breach

 

A cyberattack targeting the Ministry of Science, Innovation and Universities has led to a partial shutdown of government IT infrastructure, interrupting essential digital services relied upon by researchers, universities, students, and businesses nationwide.

Authorities initially referred to the disruption as a “technical incident,” but mounting evidence — alongside confirmations from Spanish media — now indicates the event was the result of a cyberattack that may have compromised sensitive academic, personal, and financial data.

The ministry is a key pillar of Spain’s higher education and research framework. Any outage affecting its digital systems carries significant operational and administrative consequences, elevating the seriousness of the breach beyond a routine technical malfunction.

In a statement posted on its electronic headquarters, the ministry acknowledged the disruption and announced the temporary closure of several digital services.

“As a result of a technical incident that is currently being assessed, the electronic headquarters of the Ministry of Science, Innovation and Universities has been partially closed.”

The notice further stated: “All ongoing administrative procedures are suspended, safeguarding the rights and legitimate interests of all persons affected by said temporary closure, resulting in an extension of all deadlines for the various procedures affected.”

Officials added that deadline extensions would remain active: "until the complete resolution of the aforementioned incident occurs," citing Article 32 of Law 39/2015.

While the extension of deadlines offers procedural protection to affected users, the absence of immediate clarity regarding the nature of the disruption sparked concern among stakeholders.

Hacker Claims Responsibility for Breach

Concerns escalated after a threat actor operating under the alias Gordon Freeman appeared on underground forums claiming responsibility for the attack. The individual alleged exploitation of a critical Insecure Direct Object Reference (IDOR) vulnerability, which reportedly granted “full-admin-level access” to internal systems.

The attacker published sample screenshots online — though their authenticity has not been independently confirmed — showing what appear to be official documents, email addresses, enrollment records, and internal communications.

Spanish outlet OKDIARIO reported that a ministry spokesperson acknowledged the IT disruption stemmed from a cyberattack and confirmed that the electronic headquarters had been taken offline to evaluate the potential scope of the breach.

Although the forum where the leak was allegedly posted has since gone offline and the data has not resurfaced elsewhere, early indicators suggest the materials could be genuine. If verified, the breach would represent a significant failure in access control safeguards.
According to the attacker’s claims, the compromised data may include:
  • Scanned identification documents, including NIEs and passports
  • Email addresses
  • Payment confirmations displaying IBAN numbers
  • Academic transcripts and apostilled degrees
  • Curricula containing private personal details
If confirmed, the breach could expose thousands of students and researchers to identity theft, financial fraud, and long-term privacy risks. Academic records, once leaked, are particularly difficult to revoke or replace.

The incident reflects a broader cybersecurity challenge in Spain. Cybercrime now represents more than one in six recorded criminal offenses nationwide. Authorities have reported a 35% increase in cyberattacks this year, with daily incidents exceeding 45,000. Between late February and early March, reported attacks surged by 750% compared to the same timeframe last year.

During the week of 5–11 March 2025, Spain ranked as the most targeted country globally, accounting for 22.6% of all recorded cyber incidents — surpassing even the United States.

Experts attribute the trend to two primary factors: rapid digital transformation — accelerated by EU-backed modernization initiatives — and insufficient investment in cybersecurity infrastructure. Ransomware incidents alone have climbed 120%, disproportionately affecting public institutions and small-to-medium enterprises.


Read more »
Technology
Chelsea Cyber Attacks data intrusion Kensington London Technology

London Boroughs Struggle to Restore Services After November Cyber Attack




A cyber intrusion identified on November 24, 2025 has disrupted essential local authority services in two central London boroughs, freezing parts of the property market and delaying administrative functions.

The Royal Borough of Kensington and Chelsea and Westminster City Council have both been unable to operate several core systems since the breach was detected. Although Kensington and Chelsea is internationally associated with high-value homes, luxury retail outlets and tree-lined residential streets, routine civic operations in the borough are currently under strain.

A notice published on the Kensington and Chelsea council website states that disruption is expected to continue for several more weeks and that restoring all services may take months.

According to HM Land Registry figures, approximately 2,000 property transactions occur annually within Kensington and Chelsea. Many of those transactions are now impacted because the councils cannot conduct local authority searches. These searches are mandatory checks that examine planning history, land charges, infrastructure proposals and regulatory constraints linked to a property.

Nick Gregori, Head of Research at property data platform LonRes, explained that local authority searches are fundamental to the conveyancing process. Buyers relying on mortgage financing cannot secure loans without completed searches. Even purchasers using cash are advised to obtain them to ensure proper due diligence.

Jo Eccles, founder of buying agency Eccord, said two of her clients purchasing in Westminster have had to obtain indemnity insurance because official searches are not expected to resume until April due to accumulated delays. She noted that private banks are sometimes willing to proceed with indemnity-backed transactions, whereas retail lenders are generally less accommodating.

Robert Green, Head of Sales at John D Wood & Co. in Chelsea Green, stated that indemnity policies do not eliminate the need for careful investigation. Solicitors are attempting to reconstruct due diligence by reviewing historical documentation held by sellers or from previous acquisition files. Buyers without access to private lending or substantial liquidity are finding transactions extremely difficult to complete.

Planning services have also stalled. Architect Emily Ceraudo has two projects paused: one involving listed building consent in South Kensington and another concerning a mansard roof extension in Mayfair. She said clients initially struggled to accept that the entire planning system could remain offline for this duration, prompting her to share official correspondence confirming the cause of delay. Councils have indicated that some applications may be processed offline, but no revised timeframe has been provided.

There are reports of contractors reconsidering site activity and some clients contemplating proceeding with works in anticipation of retrospective approval.

Housing benefit payments were also interrupted. Laurence Turner, who rents a studio flat in Chelsea to an elderly tenant with medical needs, said he only became aware of the issue after two missed payments. He emphasized that he has no contractual relationship with the council and that his tenant had consistently paid rent early for five years. His letting agent, Maskells, contacted the council for clarification. Payments due in mid-December and mid-January were missed, leaving £2,870 outstanding before funds were eventually received.

Turner observed that council service charges were skipped once in mid-December but resumed in mid-January, whereas housing benefit was missed twice. He acknowledged that municipal financial systems are complex and that he may not see the full administrative context.

Neither borough has provided a definitive restoration date. Kensington and Chelsea stated that systems are being reactivated gradually under guidance from NCC Group, the Metropolitan Police and the National Cyber Security Centre. Property searches are expected to return as soon as possible, with a limited search service available before full restoration.

Council Leader Cllr Elizabeth Campbell described the incident as a n intricate criminal cyber attack. She said prior investment in digital, data and technology infrastructure, including updated cyber defence systems, helped reduce overall damage. She confirmed that the planning system is undergoing checks, that new planning applications cannot progress beyond validation, and that local land charge searches remain unavailable. She added that £10 million in housing benefits has been issued since the incident and that recovery work continues with specialist partners to ensure systems are restored safely and with strengthened resilience. 

Read more »
Ransomware
Cloud Corporate Cyber Attacks Data Ransomware

Iron Man Data Breach Only Impacted Marketing Resources


Data storage and recovery services company ‘Iron Mountain’ suffered a data breach. Extortion gang ‘Everest’ was behind the breach. Iron Mountain said the breach was limited to marketing materials. The company specializes in records management and data centers, it has more than 240,000 customers globally in 61 countries. 

About the breach 

The gang claimed responsibility on the dark web, claiming to steal 1.4 TB of internal company documents. Threat actors used leaked login credentials to access a single folder on a file-sharing server having marketing materials. 

Experts said that Everest actors didn't install any ransomware payloads on the server, and no extra systems were breached. No sensitive information was exposed. The compromised login accessed one folder that had marketing materials. 

The Everest ransomware group started working from 2020. It has since changed its tactics. Earlier, it used to encrypt target's systems via ransomware. Now, it focuses on data-theft-only corporate extortion. Everest is infamous for acting as initial access broker for other hackers and groups. It also sells access to compromised networks. 

History 

In the last 5 years, Everest’s victim list has increased to hundreds in its list portal. This is deployed in double-extortion attacks where hackers blackmail to publish stolen files if the victims don't pay ransom. 

The U.S. Department of Health and Human Services also issued a warning in August 2024 that Everest was increasingly focusing on healthcare institutions nationwide. More recently, the cybercrime operation removed its website in April 2025 after it was vandalized and the statement "Don't do crime CRIME IS BAD xoxo from Prague" was posted in its place.

If the reports of sensitive data theft turn out to be accurate, Iron Mountain's clients and partners may be at risk of identity theft and targeted phishing. Iron Mountain's present evaluation, however, suggests that the danger is restricted to the disclosure of non-confidential marketing and research documents. 

What is the impact?

Such purported leaks usually result in short-term reputational issues while forensic investigations are being conducted. Iron Mountain has deactivated the compromised credential as a precaution and is still keeping an eye on its systems. 

Vendors or affected parties who used the aforementioned file-sharing website should be on the lookout for odd communications. Iron Mountain's response to these unsubstantiated allegations must be transparent throughout the investigation.

Read more »
TGR-STA-1030
APT28 Cyber Espionage Chinese Hackers Cyber Attacks Palo Alto TGR-STA-1030

Palo Alto Softens China Hack Attribution Over Beijing Retaliation Fears

 

Palo Alto Networks is facing scrutiny after reports that it deliberately softened public attribution of a vast cyberespionage campaign that its researchers internally linked to China. According to people familiar with the matter, a draft from its Unit 42 threat intelligence team tied the prolific hacking group, dubbed “TGR-STA-1030,” directly to Beijing, but the final report described it only as a “state-aligned group that operates out of Asia.” The change has reignited debate over how commercial cybersecurity firms navigate geopolitical pressure while disclosing state-backed hacking operations. 

The underlying campaign, branded “The Shadow Campaigns,” involved years-long reconnaissance and intrusions spanning nearly every country, compromising government and critical infrastructure targets in at least 37 nations. Investigators noted telltale clues suggesting a Chinese nexus, including activity patterns aligned with the GMT+8 time zone and tasking that appeared to track diplomatic flashpoints involving Beijing, such as a focus on Czech government systems after a presidential meeting with the Dalai Lama. The operators also reportedly targeted Thailand shortly before a high‑profile state visit by the Thai king to China, hinting at classic intelligence collection around sensitive diplomatic events. 

According to sources cited in the report, Palo Alto executives ordered the language to be watered down after China moved to ban software from about 15 U.S. and Israeli cybersecurity vendors, including Palo Alto, on national security grounds. Leadership allegedly worried that an explicit attribution to China could trigger further retaliation, potentially putting staff in the country at risk and jeopardizing business with Chinese or China‑exposed customers worldwide. The episode illustrates the mounting commercial and personal-security stakes facing global security vendors that operate in markets where they may also be calling out state-backed hacking. 

The researchers who reviewed Unit 42’s technical findings say they have observed similar tradecraft and infrastructure in activity they already attribute to Chinese state-sponsored espionage. U.S. officials and independent analysts have for years warned of increasingly aggressive Chinese cyber operations aimed at burrowing into critical infrastructure and sensitive government networks, a trend they see reflected in the Shadow Campaigns’ breadth and persistence. While Beijing consistently denies involvement in hacking, the indicators described by Palo Alto and others fit a pattern Western intelligence agencies have been tracking across multiple high‑impact intrusions. 

China’s embassy in Washington responded by reiterating that Beijing opposes “all forms of cyberattacks” and arguing that attribution is a complex technical issue that should rest on “sufficient evidence rather than unfounded speculation and accusations.” The controversy around Palo Alto’s edited report now sits at the intersection of that diplomatic line and the realities of commercial risk in authoritarian markets. For the wider cybersecurity industry, it underscores a hardening dilemma: how to speak plainly about state-backed intrusions while safeguarding employees, customers, and revenue in the very countries whose hackers they may be exposing.
Read more »
HoneyMyte
Chinese Hacker CoolClient Cyber Attacks Data Theft HoneyMyte

HoneyMyte Upgrades CoolClient: New Browser Stealers Target Asia, Europe

 

The HoneyMyte threat group, also known as Mustang Panda or Bronze President, has escalated its cyber espionage efforts by significantly upgrading its CoolClient backdoor malware. This China-linked advanced persistent threat (APT) actor, active since at least 2012, primarily targets government organizations in Asia and Europe to harvest sensitive geopolitical and economic intelligence.

In 2025, security researchers from Kaspersky identified enhanced versions of CoolClient deployed in campaigns hitting countries like Myanmar, Mongolia, Malaysia, Thailand, Russia, and Pakistan.These updates reflect HoneyMyte's ongoing adaptation to evade detection and maximize data theft from high-value targets. CoolClient now employs a multi-stage infection chain, often using DLL side-loading to hijack legitimate applications from vendors like BitDefender, VLC Media Player, and Sangfor. 

This technique allows the malware to masquerade as trusted software while executing malicious payloads for persistence and command-and-control communication. The backdoor supports extensible plugins, including new capabilities to extract HTTP proxy credentials from network traffic—a feature not previously observed in HoneyMyte's arsenal. Combined with tools like ToneShell rootkit, PlugX, and USB worms such as Tonedisk, these enhancements enable deeper system compromise and long-term surveillance.

A standout addition is HoneyMyte's browser credential stealer, available in at least three variants tailored to popular browsers. Variant A targets Google Chrome, Variant B focuses on Microsoft Edge, and Variant C handles multiple Chromium-based browsers like Brave and Opera. The stealer copies login databases to temporary folders, leverages Windows Data Protection API (DPAPI) to decrypt master keys and passwords, then reconstructs full credential sets for exfiltration. This shift toward active credential harvesting, alongside keylogging and clipboard monitoring, marks HoneyMyte's evolution from passive espionage to comprehensive victim surveillance.

Supporting these implants, HoneyMyte deploys scripts for reconnaissance, document exfiltration, and system profiling, often in tandem with CoolClient infections. These campaigns exploit spear-phishing lures mimicking government services in victims' native languages, exploiting regional events for credibility.Earlier variants of CoolClient were analyzed by Sophos in 2022 and Trend Micro in 2023, but 2025 iterations show marked improvements in stealth and modularity. The group's focus on Southeast Asian governments underscores its alignment with Chinese strategic interests.

Organizations face heightened risks from HoneyMyte's refined toolkit, demanding robust defenses like behavioral monitoring for DLL side-loading, browser credential anomalies, and anomalous network traffic. Government entities in targeted regions should prioritize endpoint detection, credential hygiene, and threat intelligence sharing to counter these persistent threats. As HoneyMyte continues innovating—potentially expanding to Europe—proactive measures remain essential against this adaptable adversary.
Read more »
Microsoft Outlook security
Customer Data Cyber Attacks Cyber Phishing Data Theft Hijacking Microsoft Microsoft Outlook Microsoft Outlook security

Malicious Outlook Add-In Hijack Steals 4,000 Microsoft Credentials

 

A breach transformed the AgreeTo plug-in for Microsoft Outlook - once meant for organizing meetings - into a weapon that harvested over four thousand login details. Though built by a third-party developer and offered through the official Office Add-in Store starting in late 2022, it turned against its intended purpose. Instead of simplifying calendars, it funneled user data to attackers. What began as a practical tool ended up exploited, quietly capturing credentials under false trust. 

Not every tool inside Office apps runs locally - some pull data straight from web addresses. For AgreeTo, its feature lived online through a link managed via Vercel. That address stopped receiving updates when the creator walked away, even though people kept using it. With no one fixing issues, the software faded into silence. Yet Microsoft still displayed it as available for download. Later, someone with harmful intent took control of the unused webpage. From there, they served malicious material under the app’s trusted name. A login screen mimicking Microsoft’s design appeared where the real one should have been, according to analysts at Koi Security. 

Instead of authentic access points, users faced a counterfeit form built to harvest credentials. Hidden scripts ran alongside, silently sending captured data elsewhere. After approval in Microsoft’s marketplace, the add-in escaped further checks. The company examines just the manifest when apps are submitted - nothing beyond that gets verified later. Interface components and features load externally, pulled from servers run by developers themselves. 

Since AgreeTo passed initial review, its updated files came straight from machines now under malicious control. Oversight ended once publication was complete. From inside the attacker’s data pipeline, Koi Security found over 4,000 Microsoft login details already taken. Alongside these, information such as credit card records and responses to bank verification questions had also been collected. While analyzing activity, experts noticed live attempts using the breached logins unfolding in real time. 

Opening the harmful AgreeTo add-on in Outlook displayed a counterfeit Microsoft login screen within the sidebar rather than the expected calendar tool. Resembling an authentic authentication portal, this imitation proved hard to recognize as fraudulent. Once victims submitted their details, those credentials got sent through a Telegram bot interface. Following that transfer, individuals saw the genuine Microsoft sign-in page appear - helping mask what had just occurred. Despite keeping ReadWriteItem access, which enables viewing and editing messages, there's no proof the tool tampered with any emails. 

Behind the campaign, investigators spotted a single actor running several phishing setups aimed at financial services, online connectivity firms, and email systems. Notable because it lives inside Microsoft’s official store, AgreeTo stands apart from past threats that spread via spam, phishing, or malvertising. This marks the first time a verified piece of malware has appeared on the Microsoft Marketplace, according to Oren Yomtov at Koi. He also notes it is the initial harmful Outlook extension spotted actively used outside test environments. 

A removal of AgreeTo from the store was carried out by Microsoft. Anyone keeping the add-in should uninstall it without delay, followed by a password change. Attempts to reach Microsoft for input have been made; no reply came so far.
Read more »
Windows
BYOVD Attack cloud storage Cyber Attacks Linux phishing Ransomware Reynolds Windows

New Ransomware Uses Trusted Drivers to Disable Security Defenses

 


Security monitoring teams are tracking a new ransomware strain called Reynolds that merges system sabotage and file encryption into a single delivery package. Instead of relying on separate utilities to weaken defenses, the malware installs a flawed system driver as part of the infection process, allowing it to disable protective software before encrypting data.

The method used is known in security research as Bring Your Own Vulnerable Driver, or BYOVD. This approach abuses legitimate drivers that contain known weaknesses. Because operating systems recognize these drivers as trusted components, attackers can exploit them to gain deep system access and stop endpoint protection tools with reduced risk of detection. This tactic has been repeatedly observed across multiple ransomware operations in recent years.

In the Reynolds incidents, the malware deploys the NSecKrnl driver produced by NsecSoft. This driver contains a publicly documented vulnerability tracked as CVE-2025-68947, rated 5.7 in severity. The flaw allows any running process to be forcibly terminated, which attackers use to shut down security platforms including Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos with HitmanPro.Alert, and Symantec Endpoint Protection. The same driver has previously been abused by a threat actor known as Silver Fox in campaigns that disabled security tools before deploying ValleyRAT. Silver Fox has also relied on other vulnerable drivers, such as truesight.sys and amsdk.sys, during similar operations.

Security analysts note that integrating defense suppression into ransomware itself is not unprecedented. A comparable approach appeared during a Ryuk ransomware incident in 2020 and later in activity linked to the Obscura ransomware family in August 2025. Folding multiple attack stages into a single payload reduces operational complexity for attackers and decreases the number of separate files defenders might detect.

Investigations into recent intrusions uncovered signs of long-term preparation. A suspicious loader that used side-loading techniques was found on victim networks several weeks before encryption occurred. Following deployment of the ransomware, a remote access program known as GotoHTTP was installed within one day, indicating an effort to preserve long-term control over compromised systems.

Parallel ransomware campaigns reveal additional shifts in attacker behavior. Large phishing operations are circulating shortcut file attachments that trigger PowerShell scripts, leading to the installation of Phorpiex malware, which then delivers GLOBAL GROUP ransomware. This ransomware conducts all operations locally and does not transmit stolen data, allowing it to function in networks without internet access. Other campaigns tied to WantToCry have exploited virtual machines provisioned through ISPsystem, a legitimate infrastructure management service, to distribute malware at scale. Some of the same hosting infrastructure has been linked to LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as malware families including NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.

Researchers assess that bulletproof hosting providers are renting ISPsystem virtual machines to criminal actors by abusing a design flaw in VMmanager’s default Windows templates. Because these templates reuse identical hostnames and system identifiers, thousands of virtual machines can be created with the same fingerprint, making takedown efforts more difficult.

Ransomware groups are also expanding their business models. DragonForce now provides affiliates with a “Company Data Audit” service, which includes risk assessments, pre-written call scripts, executive-level letters, and negotiation guidance. The group operates as a cartel that allows affiliates to launch their own brands while sharing infrastructure and services.

Technical changes are shaping newer ransomware versions. LockBit 5.0 has replaced AES encryption with ChaCha20 and now targets Windows, Linux, and ESXi environments. The latest version includes file wiping capabilities, delayed execution, encryption progress tracking, improved evasion techniques, stronger in-memory operation, and reduced disk footprints. The Interlock group continues to target organizations in the United Kingdom and United States, particularly in education. One attack exploited a zero-day vulnerability in the GameDriverx64.sys anti-cheat driver, tracked as CVE-2025-61155 with a 5.5 severity score, to disable security tools using BYOVD methods. The same campaign deployed NodeSnake, also known as Interlock RAT or CORNFLAKE, with MintLoader identified as the initial access point.

Targeting strategies are also shifting toward cloud storage. Poorly configured Amazon Web Services S3 buckets are being abused through native platform functions to erase data, restrict access, overwrite files, or quietly extract sensitive information while remaining difficult to detect.

Industry tracking from Cyble indicates that GLOBAL GROUP is among several ransomware crews that appeared in 2025, alongside Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. ReliaQuest reported that Sinobi’s data leak activity increased by 306 percent in the final quarter of 2025, ranking it third behind Qilin and Akira. LockBit’s resurgence included 110 victim listings in December alone. Researchers estimate that ransomware actors claimed 4,737 attacks in 2025, compared with 4,701 in 2024. Incidents centered only on data theft rose to 6,182, reflecting a 23 percent increase. Coveware reported that average ransom demands reached $591,988 in late 2025, driven by a small number of exceptionally large settlements, and warned that attackers may shift back toward encryption-based extortion to increase pressure on victims.

Read more »
United Kingdom
Botnet construction Cyber Attacks Prometei Russia United Kingdom

UK Construction Company’s Windows Server Infiltrated by Prometei Botnet

 



In January 2026, a construction company in the United Kingdom found an unwelcome presence inside one of its Windows servers. Cybersecurity analysts from eSentire’s Threat Response Unit (TRU) determined that the intruder was a long-running malware network known as Prometei, a botnet with links to Russian threat activity and active since at least 2016.

Although Prometei has been widely observed conducting covert cryptocurrency mining, the investigation showed that this malware can do much more than simply generate digital currency. In this case, it was also capable of capturing passwords and potentially enabling remote control of the affected system.

According to the analysis shared with cybersecurity media, this attack did not involve complex hacking techniques. The initial intrusion appears to have occurred because the attackers were able to successfully log into the server using Remote Desktop Protocol (RDP) with weak or default login credentials. Remote Desktop, a tool used to access computers over a network, can be exploited easily if account passwords are simple.

Prometei is not a single program that drops onto a system. Instead, it operates as a collection of tools designed to carry out multiple functions once it gains access. When the malware first infects a machine, it adds a new service with a name such as “UPlugPlay,” and it creates a file called sqhost.exe to ensure that it relaunches automatically every time the server restarts.

Once these persistence mechanisms are in place, the malware downloads its main functional component, often called zsvc.exe, from a command server linked to an entity identified in analysis as Primesoftex Ltd. This payload is transmitted in encrypted form and disguised to avoid detection.

After establishing itself, Prometei collects basic technical information about the infected system by using legitimate Windows utilities. It then employs credential-harvesting techniques that resemble the behaviour of publicly known tools, capturing passwords stored on the server and within the network. In the course of this activity, Prometei commonly leverages the TOR anonymity network to conceal its command and control communications, making it harder for defenders to trace its actions.

Prometei also has built-in countermeasures to evade analysis and detection. For example, the malware checks for the presence of a specific file called mshlpda32.dll. If this file is absent, instead of crashing or revealing obvious malicious behaviour, the malware executes benign-looking operations that mimic routine system tasks. This is a deliberate method to confuse security researchers and automated analysis tools that attempt to study the malware in safe environments.

In a further twist, once Prometei has established a foothold, it also deploys a utility referred to as netdefender.exe. This component monitors failed login attempts and blocks them, effectively locking out other potential attackers. While this might seem beneficial, its purpose is to ensure that the malicious operator retains exclusive control of the compromised server.

To protect systems from similar threats, cybersecurity experts urge organisations to replace default passwords with complex, unique credentials. They recommend implementing multi-factor authentication for remote access services, keeping software up to date with security patches, and monitoring login activity for unusual access attempts. eSentire has also released specialised analysis tools that allow defenders to unpack Prometei’s components and study its behaviour in controlled settings.


Read more »
Singapore Telecoms
China Nexus Cyber Attacks cyber espionage Singapore Telecoms

Singapore Telecoms Hit by China-Linked Cyber Espionage

 

Singapore’s cyber watchdog has disclosed that an advanced cyber espionage group — UNC3886, with which APT10 and Red October have been linked — was behind attacks that targeted the four major telecom operators last year. The affected companies were Singtel, StarHub, M1 and Simba Telecom, which collectively provide the backbone of Singapore’s communications infrastructure. The authorities said this is the first time they have publicly acknowledged that the group’s targets have included telecommunications networks, highlighting how these systems are increasingly viewed as vital to national security. 

Although the hackers were able to gain access to some areas of the operators' networks, the Cyber Security Agency of Singapore said that no disruptions were caused to services and that no data belonging to customers was stolen. The breaches were deemed to be orchestrated to be stealthy, rather than loud, investigators said, with the hackers taking a sideways route through compromised networks inside chosen segments, rather than triggering massive outages. Officials stressed the incident was isolated and that there is no indication that the end users were directly affected and cautioned that the breaches are a serious security issue even if the attacks didn’t seem to affect them. 

The hackers were able to extract a limited amount of technical information from the telecom environments, primarily network‑related data such as configuration details and system metadata. Singapore’s cyber agency believes this information was stolen to support the group’s longer‑term operational objectives, including planning future intrusions, improving their understanding of the infrastructure and identifying potential weak points. While the volume of exfiltrated data was described as small, officials cautioned that even narrow slices of high‑value technical data can significantly enhance a sophisticated actor’s capabilities.

Google‑owned cybersecurity firm Mandiant has profiled UNC3886 as a highly advanced “China‑nexus” espionage group that has previously targeted defence, technology and telecommunications organisations in both the United States and Asia. Beijing routinely rejects allegations that it conducts or sponsors cyber espionage, insisting that China opposes all forms of cyberattacks and is itself a victim of malicious cyber activity. The Chinese Embassy in Singapore did not immediately respond to requests for comment on the latest disclosures about UNC3886.

In a joint statement, Singtel, StarHub, M1 and Simba Telecom acknowledged that they regularly face a wide spectrum of cyber threats, ranging from distributed denial‑of‑service attacks and malware to phishing campaigns and more persistent, stealthy intrusions. The operators said they employ “defence‑in‑depth” strategies, combining layered security controls with continuous monitoring and prompt remediation when suspicious activity is detected. They added that they work closely with government agencies and industry experts to strengthen the resilience of Singapore’s telecom infrastructure as cyber adversaries grow more capable.
Read more »
KEV
CISA CISA advisory CISA KEV catalog CVE CVE vulnerability CVEs Cyber Attacks Cyber Security Ransomware Attacks cybersecurity vulnerability KEV

CISA Warns of Actively Exploited SmarterMail Flaw Used in Ransomware Attacks

 

CISA includes a fresh SmarterMail weakness in its KEV list - this marks the third such addition linked to the messaging system within fourteen days. Identified as CVE-2026-24423, the security gap faces real-world abuse during ransom operations. Evidence points to sustained interest in compromising SmarterTools’ broadly adopted software suite. 

Another entry joins a pair of prior SmarterMail flaws listed in the KEV database since January 26. One was tagged CVE-2025-52691 - marked by unchecked uploads of hazardous files. The second, assigned CVE-2026-23760, let attackers skip login checks entirely. Analysis came first from experts at watchTowr, who unpacked how each could be triggered. Once those specifics emerged, several security teams observed active attacks; the login flaw saw more frequent abuse. Although both were dissected publicly, it was the broken verification that drew wider misuse. 

A security issue labeled CVE-2026-24423 arises because a key part of SmarterMail - the ConnectToHub API - lacks proper access checks. Versions before v100.0.9511 are exposed, letting outsiders run harmful code remotely. Instead of requiring login details, hackers exploit it by submitting a modified POST message. This leads to direct command control on the target machine through intentional input manipulation. 

Separate findings came from teams at watchTowr, CODE WHITE GmbH, and VulnCheck. As noted by Cale Black of VulnCheck, the affected endpoint skips any login checks - opening a way to set up server directory links remotely. Because that setup pulls instructions directly from an outside machine under attacker influence, control is effectively handed over. Those instructions appear as support routines inside the system. Once SmarterMail reads them, they run unchecked on whatever platform hosts the software. 

Starting at the ConnectToHub endpoint, the process handles a remote address sent via one particular parameter. Afterward, communication initiates from the SmarterMail server toward a machine controlled by the attacker. That system replies - not with ordinary data - but with settings containing command inputs meant to run. Provided minimal checks are satisfied, execution follows without further barriers. Control over the compromised environment expands widely under these conditions. 

By February 26, 2026, U.S. federal civilian agencies must fix the vulnerability - this stems from ongoing attacks involving ransomware. Though only binding for federal bodies, its listing in CISA’s KEV catalog hints at wider exposure across any organization using affected SmarterMail versions. Not just government systems face potential harm; real-world misuse raises stakes beyond official mandates. 

Right now, updating to the newest SmarterMail release is a top priority, according to analysts watching threats closely. Instead of waiting, teams managing large systems should examine log data - especially activity tied to the open ConnectToHub interface, since probes might show up as odd patterns in API traffic. What stands out is how quickly multiple flaws in SmarterMail entered official exploit databases, signaling that delays in patching could lead to real breaches. Because of this, those overseeing network access must act fast while rethinking how exposed their mail platforms really are.
Read more »
Sandworm
Cyber Attacks Cyberattacks DynoWiper Energy Grid Poland Russian APT44 Sandworm

Sandworm Hackers Fail in DynoWiper Attack on Poland's Power Grid

 

A recently disclosed cyberattack against Poland’s energy infrastructure has been linked to the Russian state-backed hacking group Sandworm, highlighting the persistent threat facing Europe’s critical sectors. The incident occurred between December 29 and 30, 2025, and reportedly targeted elements of the country’s power grid, including combined heat and power plants and systems managing electricity from renewable sources such as wind and solar. Although the attackers attempted to deploy a new destructive data wiper known as DynoWiper, Polish authorities say the operation ultimately failed to cause large-scale disruption.

Sandworm, also tracked as UAC-0113, APT44, and Seashell Blizzard, has a long history of conducting disruptive and destructive cyber operations aligned with Russian strategic interests. Active since at least 2009 and believed to be part of Russia’s GRU Military Unit 74455, the group is infamous for past campaigns, including an attack on Ukraine’s energy grid roughly a decade ago that temporarily cut power to about 230,000 people. The latest activity in Poland fits a broader pattern of Sandworm’s focus on critical infrastructure, particularly in countries supporting Ukraine or opposing Russian policies.

In the Polish case, security firm ESET linked Sandworm to the attack and identified the destructive malware used as DynoWiper, a previously unknown data-wiping tool. Data wipers are designed to iterate through a filesystem and delete or corrupt files, rendering the operating system unusable and forcing victims to rebuild systems from backups or perform complete reinstalls. ESET says DynoWiper is detected as Win32/KillFiles.NMO and has a specific SHA-1 hash, though no public samples have yet appeared on common malware analysis platforms such as VirusTotal or Any.Run.

Polish officials reported that the attackers focused on two combined heat and power plants, as well as a management system responsible for controlling energy generated from wind turbines and photovoltaic farms. Prime Minister Donald Tusk stated that “everything indicates” the operation was carried out by groups directly linked to Russian services, underscoring the political and geopolitical context surrounding the intrusion. While authorities did not provide detailed information on the extent of the compromise or the attackers’ dwell time, they emphasized that the attempt to cause destructive impact was thwarted.

Despite the failed outcome, cybersecurity experts warn that the incident should serve as a serious wake-up call for defenders across Europe. Team Cymru’s Senior Threat Intel Advisor Will Thomas has urged security teams to review Microsoft’s February 2025 report on Sandworm to better understand the group’s tactics, techniques, and procedures. With Sandworm also tied to destructive wiper attacks on Ukraine’s education, government, and grain sectors in mid and late 2025, the Polish incident reinforces the need for robust backups, network segmentation, and proactive threat hunting in all critical infrastructure environments.
Read more »
Russia
Cyber Attacks Cyberattack Cybersecurity Threats Germany Russia

A New Twist on Old Cyber Tricks

 


Germany’s domestic intelligence and cybersecurity agencies have warned of a covert espionage campaign that turns secure messaging apps into tools of surveillance without exploiting any technical flaws. The Federal Office for the Protection of the Constitution and the Federal Office for Information Security said the operation relies instead on social engineering carried out through the Signal messaging service. In a joint advisory, the agencies said the campaign targets senior figures in politics, the military and diplomacy, as well as investigative journalists in Germany and elsewhere in Europe. 

By hijacking messenger accounts, attackers can gain access not only to private conversations but also to contact networks and group chats, potentially widening the scope of compromise. The operation does not involve malware or the exploitation of vulnerabilities in Signal. Instead, attackers impersonate official support channels, posing as “Signal Support” or a so-called security chatbot. 

Targets are urged to share a PIN or verification code sent by text message, often under the pretext that their account will otherwise be lost. Once the victim complies, the attackers can register the account on a device they control and monitor incoming messages while impersonating the user. In an alternative approach, victims are tricked into scanning a QR code linked to Signal’s device-linking feature. 

This grants attackers access to recent messages and contact lists while allowing the victim to continue using the app, unaware that their communications are being mirrored elsewhere. German authorities warned that similar tactics could be applied to WhatsApp, which uses comparable features for account linking and two-step verification. 

They urged users not to engage with unsolicited support messages and to enable registration locks and regularly review linked devices. Although the perpetrators have not been formally identified, the agencies noted that comparable campaigns have previously been attributed to Russia-aligned threat groups. Reports last year from Microsoft and the Google Threat Intelligence Group documented similar methods used against diplomatic and political targets. 

The warning comes amid a flurry of state-linked cyber activity across Europe. Norway’s security services recently accused Chinese-backed groups of penetrating multiple organisations by exploiting vulnerable network equipment, while also citing Russian monitoring of military targets and Iranian cyber operations against dissidents. 

Separately, CERT Polska said a Russian-linked group was likely behind attacks on energy facilities that relied on exposed network devices lacking multi-factor authentication. 

Taken together, the incidents highlight a shift in cyber espionage away from technical exploits towards psychological manipulation. As secure messaging becomes ubiquitous among officials and journalists, the weakest link increasingly lies not in encryption, but in the trust users place in what appears to be help.
Read more »
Notepad++
Chinese Actors Cyber Attacks Cyberattack Databreach Notepad++

A Quiet Breach of a Familiar Tool, Notepad++

For six months last year the update system of Notepad++, one of the world’s most widely used Windows text editors, was quietly subverted by hackers linked by investigators to the Chinese state. The attackers used their access not to disrupt the software openly, but to deliver malicious versions of it to carefully chosen targets. 

According to a statement published this week on the project’s official website, the intrusion began in June with an infrastructure-level compromise that allowed attackers to intercept and redirect update traffic meant for notepad-plus-plus.org. Selected users were silently diverted to rogue update servers and served backdoored versions of the application. Control over the update infrastructure was not fully restored until December. 

The developers said the attackers exploited weaknesses in how older versions of Notepad++ verified updates. By manipulating traffic between users and the update servers, they were able to substitute legitimate downloads with malicious ones. 

Although update packages were signed, earlier design choices meant those signatures were not always robustly checked, creating an opening for tampering by a well-resourced adversary. Security researchers say the campaign was highly targeted. 

The attackers installed a previously unknown backdoor, dubbed Chrysalis, which Rapid7 described as a custom and feature-rich tool designed for persistent access rather than short-term disruption. Such sophistication suggests strategic objectives rather than criminal opportunism. 

Independent researcher Kevin Beaumont reported that several organisations with interests in East Asia experienced hands-on intrusions linked to compromised Notepad++ installations, indicating that attackers were able to take direct control of affected systems. 

He had raised concerns months earlier after a Notepad++ update quietly strengthened its updater against hijacking. The episode underlines a broader vulnerability in the global software supply chain. Open-source tools such as Notepad++ are deeply embedded in corporate and government systems, yet are often maintained with limited resources. That imbalance makes them attractive targets for state-backed hackers seeking discreet access rather than noisy disruption. 

Notepad++ developers have urged users to update manually to the latest version and large organisations to consider restricting automated updates. The incident also serves as a reminder that even modest, familiar software can become a conduit for serious espionage when its infrastructure is neglected.
Read more »
Subscribe to: Comments (Atom)