Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Fraud. Show all posts
YouTube Account
Account Hack Cyber Fraud Malicious Campaign Online Creator Social Media YouTube Account

Millions at Risk as Malicious Actors Hijack Popular YouTube Accounts

 

At a startling rate, cybercriminals are taking over well-known YouTube channels, exposing viewers to malware, frauds, and data theft. With billions of views and millions of followers at risk, a single mistake can have disastrous results. 

According to new research from Bitdefender Labs, social media account takeovers increased in 2024 and persisted into early 2025. Content creators and influencers with large followings and views have become primary targets. 

Bitdefender discovered more than 9,000 fraudulent livestreams on YouTube in 2024. These are frequently presented on hacked channels that use trusted brands and public figures to propagate fraud and malware. 

One such hijacked account had 12.4 billion views; if even 1% of viewers were duped, 124 million users would be impacted. Attackers frequently imitate well-known brands such as Tesla, Ripple, and SpaceX, holding phoney livestreams with deepfakes of public people like Elon Musk and Donald Trump to push cryptocurrency frauds and phishing links. 

Beyond YouTube, Instagram has been a key target. Hackers send phishing emails impersonating Meta or Instagram Support, cloning login pages, and tricking creators into revealing SMS verification numbers. 

Malicious sponsorships are another form of infiltration. Cybercriminals trick creators into downloading malicious files disguised as promotional content. Malvertising, which includes adverts for bogus AI products or games like GTA VI that install info-stealers and remote access trojans on victims' gadgets, is also a prevalent strategy.

Events with enormous internet audiences, such as Apple keynotes, the XRP-SEC litigation, or CS2 tournaments, are regularly targeted. Attackers take advantage of these periods of high interest to run frauds disguised as official livestreams or contests.

Prevention tips 

To stay safe, creators should utilise the finest browsers with built-in security measures, enable multi-factor authentication (MFA), and regularly monitor account activity for any unusual changes. Unexpected sponsorship offers, particularly those related to trending issues, must also be carefully scrutinised.

It is recommended that you use the best DDoS protection to avoid service disruptions caused by account takeovers, and that you use a reputable proxy service to offer an extra layer of anonymity and security when managing accounts across many platforms.
Read more »
Scam
Cyber Fraud Cyberattack CyberCrime Hacking Pune Scam

Pune Company Falls Victim to ₹6.49 Crore Cyber Fraud in Major Man-in-the-Middle Attack

 

A 39-year-old director of a Mohammedwadi-based firm, which operates in IT services and dry fruit imports, was duped into transferring ₹6.49 crore following a sophisticated Man-in-the-Middle (MitM) cyberattack on March 27. In a MitM scam, cybercriminals secretly intercept communications between two parties, impersonating one to deceive the other, often stealing sensitive information or funds.

According to investigators, the company director was at his residence near NIBM Road when he received what appeared to be a legitimate payment request via email from a business associate. Trusting the authenticity, he initiated the payment and even instructed his bank to process it. However, when he later contacted the exporter to confirm receipt, they denied getting any money.

Upon closer inspection, the director discovered subtle changes in the sender's email ID and bank account details — just one letter altered in the email address and a different bank account number. These minor discrepancies went unnoticed initially, police said.

Senior Inspector Swapnali Shinde of the Cyber Police told TOI, "It has two divisions, one for IT services and another for importing dry fruits. The company director would import the dry fruits from different countries, including the United States and those in the Middle-East. On March 27, he received a payment request from an exporter of dry fruits based in the US. The email demanded payment of nearly Rs 6.5 crore. The victim, thinking it was for the almonds he'd recently imported, initiated the transaction."

Realizing the fraud only on April 17, the director registered an FIR with Pune's cyber police on April 23.

Shinde added, "Officials from his bank called him to verify the transaction, but he told them to proceed. The amount was across in five transactions," explaining that the online ledger displayed only the first few letters of the firm's name and bank details.

"The victim did not realise that the account number of the company, with whom he had regular business with, was changed. He just clicked on the button and initiated the transactions," Shinde said.

Cyber investigators are now tracing the trail of the siphoned funds. "The cash went to several accounts. We're still trying to establish a trail. As of now we can say that about Rs 3 crore is yet to reach the suspects. We will try our best to salvage the money," Shinde stated.
Read more »
User Security
Cyber Fraud Deepfakes Financial Scam Hong Kong Police User Security

Eight Arrested Over Financial Scam Using Deepfakes

 

Hong Kong police have detained eight people accused of running a scam ring that overcame bank verification checks to open accounts by replacing images on lost identification cards with deepfakes that included scammers' facial features. 

Senior Superintendent Philip Lui Che-ho of the force's financial intelligence and investigation division stated on Saturday that the raid was part of a citywide operation on scams, cybercrime, and money laundering that took place between April 7 and 17. Officers arrested 503 persons aged 18 to 80. Losses in the cases surpassed HK$1.5 billion (US$193.2 million. 

Officers arrested the eight suspects on Thursday for allegedly using at least 21 Hong Kong identification cards that were reported lost to make 44 applications to create local bank accounts, according to Chief Inspector Sun Yi-ki of the force's cybersecurity and technology crime branch. 

“The syndicate first tried to use deepfake technology to merge the scammer’s facial features with the cardholder’s appearance, followed by uploading the scammer’s selfie to impersonate the cardholder and bypass the online verification process,” Sun said. 

Following the successful completion of online identification checks at banks, thirty out of the forty-four applications were accepted. In half of the successful attempts, artificial intelligence was used to construct images that combined the identity card's face with the scammer's. The others just substituted the scammer's photo for the one on the ID.

Police claimed the bank accounts were used to apply for loans and make credit card transactions worth HK$860,000, as well as to launder more than HK$1.2 million in suspected illegal proceeds. Sun said the force was still looking into how the syndicate obtained the ID cards, which were claimed lost between 2023 and 2024. On suspicion of conspiracy to defraud and money laundering, police detained the six men and two women and seized numerous laptops, phones, and external storage devices. 

The accused range in age from 24 to 41, with the mastermind and main members of the ring allegedly belonging to local triad gangs. Lui urged the public against renting, lending, or selling access to their bank accounts to anyone.

The 333 men and 170 women arrested during the citywide raid were discovered to be engaged in 404 crimes, the most of which were employment frauds, financial swindles, and internet shopping scams. They were caught for conspiracy to defraud, gaining property by deception, and money laundering. Two cross-border money-laundering operations were busted in coordination with mainland Chinese authorities over the last two weeks. 

Lui claimed that one of the syndicates laundered alleged illicit earnings from fraud operations by hiring tourists from the mainland to purchase gold jewellery in Hong Kong. Between last December and March of this year, the syndicate was discovered to have been involved in 240 mainland scam instances, resulting in losses of 18.5 million yuan (US$2.5 million). 

“Syndicate masterminds would recruit stooges from various provinces on the mainland, bringing them to Hong Kong via land borders and provide hostel accommodation,” the senior superintendent stated.

Syndicate members would then arrange for the recruits to purchase gold jewellery in the city using digital payment methods, with each transaction costing tens to hundreds of thousands of Hong Kong dollars. On Tuesday last week, Hong Kong police apprehended three individuals who had just purchased 34 pieces of gold jewellery for HK$836,000 per the syndicate's orders. Two of them had two-way passes, which are travel documents that allow mainlanders to access the city. The third suspect was a Hong Konger.

On the same day, mainland police arrested 17 persons. The second cross-border syndicate arranged for mainlanders to create accounts in Hong Kong using fraudulent bank, employment, and utility bill documents. Police in Hong Kong and the mainland arrested a total of 16 persons in connection with the investigation. From December 2023 to April, the syndicate was involved in 61 scam instances in the city, resulting in losses of HK$26.7 million. Accounts were created to receive the scam money.
Read more »
Verification
AI Cyber Fraud Cybersecurity Deepfake Fraud identity Recruitment Resume Verification

Fake Candidates, Real Threat: Deepfake Job Applicants Are the New Cybersecurity Challenge

 

When voice authentication firm Pindrop Security advertised an opening for a senior engineering role, one resume caught their attention. The candidate, a Russian developer named Ivan, appeared to be a perfect fit on paper. But during the video interview, something felt off—his facial expressions didn’t quite match his speech. It turned out Ivan wasn’t who he claimed to be.

According to Vijay Balasubramaniyan, CEO and co-founder of Pindrop, Ivan was a fraudster using deepfake software and other generative AI tools in an attempt to secure a job through deception.

“Gen AI has blurred the line between what it is to be human and what it means to be machine,” Balasubramaniyan said. “What we’re seeing is that individuals are using these fake identities and fake faces and fake voices to secure employment, even sometimes going so far as doing a face swap with another individual who shows up for the job.”

While businesses have always had to protect themselves against hackers targeting vulnerabilities, a new kind of threat has emerged: job applicants powered by AI who fake their identities to gain employment. From forged resumes and AI-generated IDs to scripted interview responses, these candidates are part of a fast-growing trend that cybersecurity experts warn is here to stay.

In fact, a Gartner report predicts that by 2028, 1 in 4 job seekers globally will be using some form of AI-generated deception.

The implications for employers are serious. Fraudulent hires can introduce malware, exfiltrate confidential data, or simply draw salaries under false pretenses.

A Growing Cybercrime Strategy

This problem is especially acute in cybersecurity and crypto startups, where remote hiring makes it easier for scammers to operate undetected. Ben Sesser, CEO of BrightHire, noted a massive uptick in these incidents over the past year.

“Humans are generally the weak link in cybersecurity, and the hiring process is an inherently human process with a lot of hand-offs and a lot of different people involved,” Sesser said. “It’s become a weak point that folks are trying to expose.”

This isn’t a problem confined to startups. Earlier this year, the U.S. Department of Justice disclosed that over 300 American companies had unknowingly hired IT workers tied to North Korea. The impersonators used stolen identities, operated via remote networks, and allegedly funneled salaries back to fund the country’s weapons program.

Criminal Networks & AI-Enhanced Resumes

Lili Infante, founder and CEO of Florida-based CAT Labs, says her firm regularly receives applications from suspected North Korean agents.

“Every time we list a job posting, we get 100 North Korean spies applying to it,” Infante said. “When you look at their resumes, they look amazing; they use all the keywords for what we’re looking for.”

To filter out such applicants, CAT Labs relies on ID verification companies like iDenfy, Jumio, and Socure, which specialize in detecting deepfakes and verifying authenticity.

The issue has expanded far beyond North Korea. Experts like Roger Grimes, a longtime computer security consultant, report similar patterns with fake candidates originating from Russia, China, Malaysia, and South Korea.

Ironically, some of these impersonators end up excelling in their roles.

“Sometimes they’ll do the role poorly, and then sometimes they perform it so well that I’ve actually had a few people tell me they were sorry they had to let them go,” Grimes said.

Even KnowBe4, the cybersecurity firm Grimes works with, accidentally hired a deepfake engineer from North Korea who used AI to modify a stock photo and passed through multiple background checks. The deception was uncovered only after suspicious network activity was flagged.

What Lies Ahead

Despite a few high-profile incidents, most hiring teams still aren’t fully aware of the risks posed by deepfake job applicants.

“They’re responsible for talent strategy and other important things, but being on the front lines of security has historically not been one of them,” said BrightHire’s Sesser. “Folks think they’re not experiencing it, but I think it’s probably more likely that they’re just not realizing that it’s going on.”

As deepfake tools become increasingly realistic, experts believe the problem will grow harder to detect. Fortunately, companies like Pindrop are already developing video authentication systems to fight back. It was one such system that ultimately exposed “Ivan X.”

Although Ivan claimed to be in western Ukraine, his IP address revealed he was operating from a Russian military base near North Korea, according to the company.

Pindrop, backed by Andreessen Horowitz and Citi Ventures, originally focused on detecting voice-based fraud. Today, it may be pivoting toward defending video and digital hiring interactions.

“We are no longer able to trust our eyes and ears,” Balasubramaniyan said. “Without technology, you’re worse off than a monkey with a random coin toss.”
Read more »
Toll Payment
Cyber Fraud Cybersecurity CyberThreat E-ZPass FasTrak Road Toll Scam Alert SMiShing SMS Toll Payment

Smishing Triad Broadens Fraud Campaign to Include Toll Payment Services

 


Tolling agencies throughout the United States are battling an escalating cybersecurity threat that is causing deceptive text message scams, which are often called smishing, to escalate. As a result of these fraudulent campaigns, unsuspecting motorists are lured into clicking harmful links and sending unauthorized payments by impersonating legitimate toll payment notification emails. 

The main issue is that the tolling infrastructure does not contain system intrusions or data breaches, contrary to common misconceptions. As a result, bad actors are exploiting widely recognized tolling practices as a means of deceiving individuals into engaging with malicious content, which is in direct contravention of public trust. 

A critical line of defense against these fraudulent activities, which toll operators are strengthening their collaboration with cybersecurity experts and law enforcement agencies, remains public awareness. Communication professionals within these organizations play a crucial role in proactively informing and educating their consumers regarding these fraudulent activities. It is imperative that outreach and messaging are clear and consistent so that individuals can recognize legitimate correspondence and avoid falling victim to sophisticated digital deception. 

To combat this growing threat, we need not only technological measures but also a comprehensive communication strategy centred on transparency, vigilance and trust. As part of the increasing prevalence of digital fraud, deceptive text messages alleging that toll charges have not been paid are becoming increasingly prevalent. 

There is a tactic in practice known as "smishing," a combination of short message service (SMS) and email fraud, which involves the use of text messaging platforms to deceive users into disclosing sensitive personal or financial information, or unintentionally install malicious software, which is referred to as smishing. While this fraudulent premise may seem straightforward, the impact it has is tremendous. As well as suffering direct financial losses, victims may also compromise the security of their devices, allowing them to be vulnerable to identity theft and data breaches. 

A Chinese cybercrime syndicate known as Smishing is responsible for an increase in toll-related scams, a trend which is associated with a marked increase in smishing attacks. A group called Triath has begun launching highly coordinated fraud campaigns that target consumers in the United States and the United Kingdom, with indications that the fraud might expand globally in the coming months. The deceptive messages are often misconstrued as legitimate toll service notifications, citing recognizable platforms such as FasTrak, E-ZPass, and I-Pass as a means of convincing the reader that the message is legitimate. 

There is a strong correlation between these operations and the group's previous international fraud patterns, which suggests that the group is seeking to exploit tolling systems across various regions as a larger strategic initiative. By exploiting an E-ZPass account credential harvesting scheme, cybercriminals are targeting an increasing number of E-ZPass users across multiple states. Scammers are sending fraudulent text messages posing as official tolling authorities to alert victims to the fact that there is an outstanding toll balance on their accounts. 

It is common for these messages to contain false claims that the account has expired or is delinquent, prompting the user to make an urgent payment to avoid penalties. As for the requests, typically they range between $3.95 and $12.55 — sums that are low enough to avoid raising suspicions, but high enough to be exploited at scale. 

By utilizing a minimal financial impact, it is more likely that the recipient will comply since such minor charges may not be scrutinized by the recipient. When an attacker entices their users to click embedded links, they redirect them to counterfeit portals that steal sensitive information like logins or payment information, which in turn compromises the users' data under the guise of a routine toll notification, which can then compromise their personal information. 

The most insidious part of these campaigns is the sophisticated spoofing of Sender IDs, which makes it seem as if the messages are from official sources, making them seem particularly dangerous. There are various instant messaging platforms available today that offer relatively limited spam protection, compared to email-based phishing, which is increasingly mitigated by advanced filtering technologies. These platforms, such as SMS, iMessage, and similar services, offer comparatively limited spam protection, compared to email-based phishing. 

The perception of urgency embedded in the communication often provokes immediate action as well, since they are highly trusted by their users. Those scams that combine technical evasion with psychological manipulation are highly effective, outperforming the effectiveness of traditional phishing vectors such as email and search engine manipulation in terms of success rates. 

With the widespread adoption of cashless tolling systems and the increasing use of mobile devices for routine transactions, there is a ripe environment for the exploitation of these devices. These evolving digital habits are exploited by fraudsters by impersonating legitimate agencies and utilizing the appearance of urgency to induce immediate action, often uncritical, from the target group. 

According to the Federal Bureau of Investigation's Internet Crime Complaint Center, over 60,000 reports involving such scams were received during 2024, indicating the alarming nature of the problem. There is a trend among text-based fraud that includes toll-related schemes, but it is also a common occurrence. 

Text-based fraud can be based on overdue phone bills, shipping notifications, or even fake cybersecurity alerts. Attacks like these are often carried out by increasingly organized international criminal networks by using automated systems able to target thousands of individuals at the same time. The federal and state governments, along with the transportation agencies, have responded to the situation by issuing public advisories to raise awareness and encourage vigilance. Although specific actors have not yet been officially identified, it has become increasingly apparent that cybercrime syndicates are engaged in these toll-related smishing campaigns due to their scope and precision. 

Recent developments in emerging intelligence have revealed several important developments, including: 

In a recent report, it has been reported that criminal groups based in China are selling ready-made pre-compiled phishing kits, making it easier for fraudsters to impersonate toll agencies with the highest degree of accuracy and with the least amount of technical knowledge. 

The attackers registered thousands of fake domain names that appear to be legitimate toll websites and made them appear as if they were legitimate toll websites from multiple states, including Massachusetts, Florida, and Texas. 

Fraudsters are actively exploiting the names of well-known toll systems to mislead the public into believing that they are dealing with a genuine problem and coerce them into clicking malicious links or disclosing personal information. 

“The rise of these sophisticated road toll scams is catching many people off guard, highlighting the evolving nature of cybercrime. What we're seeing is a well-organized and potentially lucrative operation,” 
— Gene Kingsley, Special VP, Board of Directors, InfraGard National Members Alliance; Chairman, American Security and Resilience Foundation 

A more effective way of deterring crime is to raise public awareness about it through the following methods: 

This level of sophistication emphasizes the pivotal role public education plays as the first line of defence against such threats. The aim is to raise individuals' awareness about these types of tactics, to enable them to recognize and report suspicious messages. 

As a precautionary measure against the potential risks, the Federal Bureau of Investigation (FBI) recommends the following protective measures: 

Do not respond to unsolicited text messages seeking personal and financial information. 

Do not click on links that appear in unexpected messages, as these may lead to fake websites that are designed to steal users' personal information. The toll agency can be contacted directly through official channels to verify the message. 

The FBI Internet Crime Complaint Center can be contacted at www.ic3.gov, where users can report fraud along with the sender's name and suspicious links. Once they report the scam, delete any fraudulent messages to prevent unintentional interaction with the sender. 

To disrupt these fraudulent operations and protect their digital identity, consumers must follow these steps and remain sceptical when it comes to unsolicited communications.
Read more »
Scam
Antivirus Cyber Fraud Cybersecurity Fraud Hackers phishing Scam

Phishing Scams Are Getting Smarter – And More Subtle : Here’s All You Need to Know

 

Cybercriminals are evolving. Those dramatic emails warning about expired subscriptions, tax threats, or computer hacks are slowly being replaced by subtler, less alarming messages. New research suggests scammers are moving away from attention-grabbing tactics because people are finally catching on.

Kendall McKay, strategic lead for cyber threat intelligence at Cisco’s Talos division, said phishing scams are adapting to stay effective. “They probably know that we've caught on to this and the tricky, sensational email isn't going to work anymore,” McKay said. “So they've moved towards these benign words, which are likely to show up in your inbox every day."

Cisco’s 2024 Year in Review report found that common phishing emails now include subject lines like “request,” “forward,” and “report”—a shift from the usual “urgent” or “payment overdue.” Despite the growing use of advanced tools like AI, scammers still favor phishing because it works. Whether they’re targeting large corporations or individuals, their aim remains the same: to trick users into clicking malicious links or giving up sensitive information.

The most impersonated brands in blocked phishing emails last year included:
  • Microsoft Outlook – 25% of total phishing attempts
  • LinkedIn
  • Amazon
  • PayPal
  • Apple
  • Shein
“Phishing is still prominent, phishing is effective, and phishing is only getting better and better, especially with AI,” McKay said.

Common phishing tactics include:
  • Unsolicited messages via email, text, or social media—especially if they come from people or companies you haven’t contacted.
  • Fake job offers that appear legitimate. Always verify recruiter details, and never share personal information unless it’s through a trusted channel.
  • Requests for gift cards or cryptocurrency payments—these are favored by scammers because they’re untraceable. Official entities like the IRS won’t ever ask for payment in these forms or reach out via email, phone, or text.
  • Online romance scams that play on emotional vulnerability. The FTC reported $384 million in losses from romance scams in just the first nine months of 2024.
  • Charity scams tied to current events or disasters. Always donate through official websites or verified sources.
To protect yourself if you think you’ve been phished:
  • Install and update antivirus software regularly—it helps filter spam and block malware-laced attachments.
  • Use strong, unique passwords for every account. A password manager can help manage them if needed.
  • Enable two-factor authentication (2FA) using apps or physical security keys (avoid SMS-based 2FA when possible).
  • Freeze your credit if your Social Security number or personal data may have been compromised. Experts even suggest freezing children’s credit to prevent unnoticed identity theft.
  • Scams are no longer loud or obvious. As phishing becomes more polished and AI-powered, the best defense is staying alert—even to the emails that seem the most routine.
Read more »
Password Breach
Credential Stuffing Cyber Fraud Cybersecurity Infostealer Malware Password Breach

Massive Password Breach Fuels Rise of Automated Credential-Stuffing Attacks

 

If you’re still relying solely on passwords to protect your digital life, this might be your wake-up call. A surge in infostealer malware has compromised billions of credentials, with 85 million fresh passwords now actively being used in cyberattacks. And even with two-factor authentication (2FA), you're not necessarily safe — hackers are leveraging stolen session cookies to bypass 2FA protections entirely.

This threat has escalated with the emergence of a sophisticated hacking tool: Atlantis AIO. A recent threat intelligence report by Abnormal Security warns that this automated credential-stuffing machine is exploiting stolen credentials to infiltrate everything from email and VPNs to streaming and food delivery services.

“Atlantis AIO has emerged as a powerful weapon in the cybercriminal arsenal,” Abnormal Security analysts said, “enabling attackers to test millions of stolen credentials in rapid succession.”

Credential stuffing isn’t a new concept — but it’s becoming more dangerous. Cybercriminals are constantly refining tools to make these attacks more efficient. In a previous report from March 15, internal chat logs from the Black Basta ransomware group exposed how an automated brute-force attack system was being used to infiltrate accounts.

Both brute-force and credential-stuffing attacks work by bombarding accounts with endless combinations of usernames and passwords. By leveraging databases of breached credentials from the dark web and criminal forums, hackers can easily gain access to multiple accounts that share reused passwords.

What sets Atlantis AIO apart is its plug-and-play structure. It offers pre-configured modules tailored to target over 140 different platforms — from popular email providers like Hotmail, Yahoo, AOL, GMX, and Web.de, to VPNs, streaming platforms, banking apps, and food delivery services.

The message is clear: if you're still reusing passwords, it's time to rethink your security habits. Passwords alone are no longer enough to stay safe online.

Read more »
Malicious Campaign
Cyber Fraud Fake Hiring GitHub Infostealer Malicious Campaign

Developers Face a Challenge with Fake Hiring That Steals Private Data

 

Cyble threat intelligence researchers discovered a GitHub repository posing as a hiring coding challenge, tricking developers into downloading a backdoor that steals private data. The campaign employs a variety of novel approaches, including leveraging a social media profile for command and control (C&C) activities rather than C&C servers. Cyble Research and Intelligence Labs (CRIL) researchers discovered invoice-themed lures, suggesting that the campaign may be moving beyond a fake hiring challenge for developers. 

According to a blog post by Cyble researchers, 
the campaign appears to target Polish-speaking developers, and the malware exploits geofencing to restrict execution. The researchers believed that the campaign is disseminated through career sites such as LinkedIn or regional development forums. 

The fake recruitment test, dubbed "FizzBuzz," dupes users into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When executed, the LNK file ("README.lnk") invokes a PowerShell script that installs a stealthy backdoor known as "FogDoor" by the researchers. 

Instead of employing C&C servers, FogDoor communicates with a social media platform using a Dead Drop Resolver (DDR) mechanism to retrieve attack directives from a profile, according to the researchers. The malware employs geofencing to limit execution to Polish victims. 

When it becomes operational, "it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces," Cyble told reporters. The malware employs remote debugging to collect Chrome cookies and can work in the background, while Firefox credentials are obtained from profile directories. 

PowerShell script establishes persistence 

The PowerShell script also opens a "README.txt" file "to trick consumers into believing they are interacting with a harmless file," Cyble stated. This paper includes instructions for a code bug patch task, "making it appear innocuous while ensuring the PowerShell script executes only once on the victim's machine to carry out malicious activities." 

The PowerShell script also downloads an executable file and saves it as "SkyWatchWeather.exe" in the "C:\Users\Public\Downloads" folder. It then creates a scheduled task called "Weather Widget," which executes the downloaded file using mshta.exe and VBScript and is set to run every two minutes indefinitely. 

SkyWatchWeather.exe serves as a backdoor by utilising a social networking platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its command and control infrastructure. After authenticating its location, the malware attempts to connect to "bark.lgbt/api" in order to get further orders embedded in a social media platform's profile information. Cyble added that this setup complicates identification and removal operations.
Read more »
Subscribe to: Posts (Atom)