Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cybersecurity. Show all posts
python
Blockchain cryptocurrency Cyber Attacks Cybersecurity GitHub Hacker JavaScript Linkedin malware python

North Korean Hacker Group Targets Cryptocurrency Developers via LinkedIn

 

A North Korean threat group known as Slow Pisces has launched a sophisticated cyberattack campaign, focusing on developers in the cryptocurrency industry through LinkedIn. Also referred to as TraderTraitor or Jade Sleet, the group impersonates recruiters offering legitimate job opportunities and coding challenges to deceive their targets. In reality, they deliver malicious Python and JavaScript code designed to compromise victims' systems.

This ongoing operation has led to massive cryptocurrency thefts. In 2023 alone, Slow Pisces was tied to cyber heists exceeding $1 billion. Notable incidents include a $1.5 billion breach at a Dubai exchange and a $308 million theft from a Japanese firm. The attackers typically initiate contact by sending PDFs containing job descriptions and later provide coding tasks hosted on GitHub. Although these repositories mimic authentic open-source projects, they are secretly altered to carry hidden malware.

As victims work on these assignments, they unknowingly execute malicious programs like RN Loader and RN Stealer on their devices. These infected projects resemble legitimate developer tools—for instance, Python repositories that claim to analyze stock market data but are actually designed to communicate with attacker-controlled servers.

The malware cleverly evades detection by using YAML deserialization techniques instead of commonly flagged functions like eval or exec. Once triggered, the loader fetches and runs additional malicious payloads directly in memory, making the infection harder to detect and eliminate.

One key malware component, RN Stealer, is built to extract sensitive information, including credentials, cloud configuration files, and SSH keys, especially from macOS systems. JavaScript-based versions of the malware behave similarly, leveraging the Embedded JavaScript templating engine to conceal harmful code. This code activates selectively based on IP addresses or browser signatures, targeting specific victims.

Forensic investigations revealed that the malware stores its code in hidden folders and uses HTTPS channels secured with custom tokens to communicate. However, experts were unable to fully recover the malicious JavaScript payload.

Both GitHub and LinkedIn have taken action against the threat.

"GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity," the companies said in a joint statement.

Given the increasing sophistication of these attacks, developers are urged to exercise caution when approached with remote job offers or coding tests. It is recommended to use robust antivirus solutions and execute unknown code within secure, sandboxed environments, particularly when working in the high-risk cryptocurrency sector.

Security experts advise using trusted integrated development environments (IDEs) equipped with built-in security features. Maintaining a vigilant and secure working setup can significantly lower the chances of falling victim to these state-sponsored cyberattacks.
Read more »
Zoom
APTs cryptocurrency CyberCrime Cyberfraud Cyberhackers Cybersecurity CyberThreat Elusive lazarus Privacy Zoom

Zoom Platform Misused by Elusive Comet Attackers in Fraud Scheme

 


Recent reports suggest that North Korean threat actors are now employing an alarming evolution in the tactics they employ to launch a sophisticated cybercrime operation known as Elusive Comet, a sophisticated cybercrime operation. This newly uncovered campaign demonstrates a way of exploiting Zoom's remote control capabilities to gain unauthorised access to cryptocurrency industry users' systems. 

It is clear from this development that a significant trend is occurring in which widely trusted communication platforms are being exploited as tools to facilitate high-level cyber intrusions. Security Alliance, one of the most reputable cybersecurity research organisations, conducted the investigation and analysis that led to the discovery. Elusive Comet exhibited some significant operational similarities to activities previously associated with North Korea's notorious Lazarus Group, a group which has been linked to North Korea for some years. 

The findings suggest that definitive attribution is yet to be made. Due to the lack of conclusive evidence, attempts to link this campaign with any known state-sponsored entity have been complicated, further demonstrating how covert cyberattacks have become increasingly common in the financial sector. This campaign, according to security experts, marks a dramatic departure from the traditional methods of gaining access to cryptocurrency targets previously used to attack them. This is because the attackers can leverage legitimate features of mainstream platforms such as Zoom, which not only makes their operations more successful but also makes detection and prevention much more difficult. 

Using such ubiquitous communication tools emphasises the need for enhanced security protocols in industries that handle digital assets to stay on top of digital threats. With the emergence of Elusive Comet, the threat landscape continues to evolve, and adversaries are increasingly adopting innovative approaches to bypass traditional defences, a reminder that the threat landscape is constantly changing and that adversaries are continuously evolving. The threat actors behind Elusive Comet have invested considerable resources into establishing a convincing online persona to maintain an appearance of legitimacy. 

To reinforce their facade of authenticity, they operate credible websites and maintain active social media profiles. As one example of the fraudulent entities that are associated with the group, Aureon Capital, a fake venture capital company posing as a legitimate company, Aureon Press, and The OnChain Podcast have all been carefully designed to trick unsuspecting individuals and businesses. 

The attackers usually contact users by sending them direct messages via X (formerly Twitter), or by contacting them via email, or by offering invitations to appear on their fabricated podcast as a guest. In the study, researchers found that after initiating contact and establishing a certain level of trust, attackers then move swiftly to set up a Zoom meeting under the pretext of learning more about the target's professional activities. 

It is common for key meeting details to be withheld until very near the time of the scheduled meeting, a tactic employed by the organisation to create an impression of urgency and encourage compliance among participants. A common occurrence is that victims are often asked to share their screens during the call so that they can demonstrate their work, and in doing so, they unknowingly expose their sensitive systems and data to the attackers. As a result of the Elusive Comet operation, Jake Gallen, CEO of the cryptocurrency company Emblem Vault, lost over $100,000 of his digital assets, which included his company's cryptocurrency. As a result, he was targeted after agreeing to participate in a Zoom interview with someone who was posing as a media person. 

By manipulating Gallen during the session into granting remote access to his computer under the disguise of technical facilitation, the attacker succeeded in obtaining his permission to do so. The attackers were able to install a malicious payload, referred to by the attackers as "GOOPDATE," which allowed them to gain access to his cryptocurrency wallets and steal the funds that resulted from this attack. 

It is clear from this incident that cryptocurrencies are vulnerable, especially among executives and high-net-worth individuals who interact regularly with media outlets and investors, which makes them particularly susceptible to sophisticated social engineering schemes because of their high level of exposure to these media outlets. Additionally, the breach emphasises that professionals operating in high-value financial sectors should have heightened awareness of cybersecurity and adopt stricter digital hygiene policies. 

A leading cybersecurity research and advisory firm specialising in forensics and advanced persistent threats (APTS), Security Alliance, meticulously tracked and analysed the Elusive Comet campaign, a campaign that is highly likely to persist for many years to come. Security Alliance published a comprehensive report in March 2025 detailing the tactics, techniques, and procedures (TTPS) used by threat actors and presenting comprehensive insights into these tactics. In their research, the attackers were able to install malware on victims' systems based primarily on a combination of social engineering and using Zoom's remote control features to get their malicious code into the systems of their victims. 

Despite drawing parallels between the methods used to conduct this campaign and those of the notorious Lazarus Group of North Korea, Security Alliance exercised caution when attributions were made. It was noted in the research that the similarities in techniques and tools could indicate common origins or shared resources; however, the researchers stressed the difficulties associated with attribution in a cyber threat landscape where various actors tend to duplicate or repurpose the methodologies of each other. 

Taking into account the methods employed by the Elusive Comet campaign, cryptocurrency professionals are strongly advised to take a comprehensive and proactive security posture to reduce the risk of falling victim to the same types of sophisticated attacks again. First and foremost, companies and individuals should make sure that Zoom's remote control feature is disabled by default, and that it is only enabled when necessary by the organisation and the individual. This functionality can be significantly restricted by restricting the use of this feature, which reduces the chances of cybercriminals exploiting virtual engagements as well.

It is also important to exercise increased caution in responding to unsolicited meeting invitations. When invitations are sent by an unknown or unverified source, it is essential to verify the identity of the requester through independent channels. In order to increase account security in cryptocurrency-related platforms, including digital wallets and exchanges, it is imperative to implement multi-factor authentication (MFA) as a critical barrier. 

MFA serves as an additional layer of protection if credentials are compromised as well, providing an extra layer of defence. Further, it will be beneficial for organisations to deploy robust endpoint protection solutions as well as maintain all software, including communication platforms such as Zoom, consistently updated, to protect against the exploitation of known vulnerabilities. Additionally, regular cybersecurity education and training for employees, partners, and key stakeholders is also extremely important. 

An organisation can strengthen the security awareness of its teams through the development of a culture of security awareness, which will allow them to identify and resist threat actors' tactics, such as social engineering, phishing attacks, and other deceptive tactics. The Elusive Comet operation highlights a broader, more dangerous threat to the cryptocurrency industry as cybercriminals are increasingly manipulating trusted communication tools to launch highly targeted and covert attacks targeting the crypto market. 

There is a strong possibility that the attacker may have been part of the North Korean Lazarus Group, but an official attribution remains elusive, further illustrating the difficulty in identifying cyber threat actors, yet there are some clear lessons to be learned from this attack. 

As today's cybersecurity landscape becomes more volatile and more complex, it is more important than ever for organisations to maintain vigilance, implement rigorous security protocols, and continually adapt to emerging threats to survive. The adversaries are continually refining their tactics, so the only people who can successfully safeguard the assets and reputation of their organisations and businesses against evolving threats to their identity and reputation will be those who invest in resilient defence strategies.
Read more »
Ransomware
Credentialstealing Cyber Security Cybersecurity IdentityTheft infostealers phishing Ransomware

Cybercriminals Shift Tactics Towards Stealth and Identity Theft: IBM X-Force 2025 Report

 

iThe IBM X-Force 2025 Threat Intelligence Index highlights a growing trend of cybercriminals adopting more covert attack strategies. Drawing from analysis of over 150 billion security events daily across 130+ countries, the report notes an 84% spike in email-delivered infostealers in 2024 compared to the previous year. This surge signals a marked pivot towards credential theft, even as enterprise-targeted ransomware attacks show a notable decline.

“Cybercriminals are most often breaking in without breaking anything – capitalising on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said IBM cybersecurity services global managing partner Mark Hughes. “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernising authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”

The report found that critical infrastructure organisations bore the brunt of attacks, accounting for 70% of incidents handled by IBM X-Force last year. More than a quarter of these breaches exploited system vulnerabilities. Data theft (18%) overtook encryption-based attacks (11%) as the preferred method, reflecting improvements in detection tools and increased law enforcement pressure, which have forced threat actors to rethink their strategies.

Asia and North America emerged as the primary targets, together representing almost 60% of all global attacks. Asia faced 34% of the incidents, while North America encountered 24%. For the fourth consecutive year, the manufacturing industry remained the most impacted sector, attributed to its sensitivity to operational disruptions and susceptibility to ransomware.

Emerging AI-related threats also garnered attention. Although no major AI-focused attacks surfaced in 2024, security teams are racing to find and patch vulnerabilities before they are exploited. A critical remote code execution flaw within an AI development framework is expected to gain traction in 2025 as adoption grows. Experts warn that attackers may soon develop dedicated toolkits aimed specifically at AI systems, underlining the urgent need to secure AI infrastructure.Persistent challenges in critical infrastructure security largely stem from outdated technologies and delayed patch management. IBM X-Force revealed that vulnerabilities accounted for over 25% of exploited incidents. Analyzing discussions on dark web forums showed that four of the ten most talked-about CVEs were associated with advanced threat groups, including state-sponsored actors, escalating the risks of disruption and extortion.

Research in collaboration with Red Hat Insights found that over 50% of Red Hat Enterprise Linux users had not patched at least one critical vulnerability, with 18% leaving five or more critical CVEs unaddressed. Moreover, ransomware variants like Akira, Lockbit, Clop, and RansomHub have expanded their capabilities to affect both Windows and Linux systems.

A sharp rise in phishing campaigns distributing infostealers was another key finding, with a 180% jump compared to 2023. The use of credential phishing and infostealers enables hackers to swiftly exfiltrate sensitive information while maintaining a low profile.

While ransomware still accounted for 28% of malware attacks in 2024, its overall prevalence declined compared to previous years. Cybercriminals are increasingly shifting towards identity-based attacks, adapting to countermeasures that have made traditional ransomware operations more difficult.
Read more »
Privacy
Cyberhackers Cybersecurity CyberThreat Fake PDF FBI information stealer PDF Exploits Privacy

Cybersecurity Alert Says Fake PDF Converters Stealing Sensitive Information

 


Online PDF converters provide efficient conversions of documents from one file format to another, and millions of individuals and businesses use these services to do so. However, this free service also poses significant cybersecurity risks despite its convenience. According to the Federal Bureau of Investigation's (FBI) advisory issued a month ago, cybercriminals have been increasingly exploiting online file conversion platforms to spread malware to consumers and businesses. 

As a result of the threat actor's embedding of malware into seemingly legitimate file conversion processes, data, financial information, and system security are being put at serious risk as a result. As the popularity of these services grows, so does the potential for widespread cyberattacks. Thus, users must exercise heightened caution when choosing tools for managing digital assets online and adhere to best practices when protecting their digital assets when selecting online tools. 

Among the many concerns regarding cyber threats that have recently erupted in the form of a report by a cybersecurity firm, a sophisticated malware campaign has been discovered that takes advantage of counterfeit PDF-to-DOCX conversion platforms to compromise users and expose their data. 

Using highly capable malware, this campaign can steal a wide variety of sensitive data, such as passwords, cryptocurrency wallets, and other confidential personal data from websites. This threat emerged in a matter of time following a public advisory issued by the Denver division of the FBI, warning the public of the increase in malicious file conversion services being used to spread malware. As a result of the findings of cybersecurity firm, cybercriminals have meticulously developed deceptive websites like candyxpdf[.]com and candyconverterpdf[.]com, which imitate the appearance and functionality of the legitimate file conversion service pdfcandy.com, to exploit the public. 

PDFcandy.com's original platform, well-known for its comprehensive PDF management tools, is reportedly attracting approximately 2.8 million visitors per month, making it a prime target for threat actors seeking to exploit its user base as a means of gaining a competitive advantage. A significant aspect of the platform is the significant number of users based in India, where 19.07% of its total traffic comes from, equivalent to approximately 533,960 users per month. As a result of this concentration, cybercriminals operating fraudulent websites have an ample pool of potential victims to exploit. 

According to data collected in March of 2025, the impersonating sites fetched approximately 2,300 and 4,100 visitors from unsuspecting users, indicating an early but concerning growth among those unaware of the impersonating sites. A growing number of sophisticated threats are being employed by threat actors, as indicated by these developments. They emphasize the need for heightened user vigilance and strong cybersecurity measures at all levels. 

An FBI report has highlighted the growing threat posed by fraudulent online document conversion tools, which have been issued by the Federal Bureau of Investigation (FBI). This is in response to an alert recently issued by the FBI Denver Field Office, which warns of the increasing use of these seemingly benign services not just by cybercriminals to steal sensitive user information, but also to install ransomware on compromised devices, in more severe cases. As a result of an alarming rise in reports concerning these malicious platforms, the agency issued a statement in response. 

There has been an increase in the number of deceptive websites offering free document conversion, file merging, and download services by attackers, as indicated in the FBI's advisory. It is important to note that although these tools often perform the file conversions promised, such as converting a .DOC file into a. A PDF file or merging multiple .JPG files into one.PD, the FBI warns that the final downloaded files may contain malicious code. It can be used by cybercriminals to gain unauthorised access to the victim’s device, thereby putting the victim in an extremely dangerous position in terms of cybersecurity. 

The agency also warns that documents that are uploaded to these platforms may contain sensitive information such as names, Social Security numbers, cryptocurrency wallet seeds and addresses, passphrases, email credentials, passwords, and banking information, among others. In addition to identity theft, financial fraud, and subsequent cyberattacks, such information can be exploited to steal identities, commit financial fraud, or commit further cyberattacks. 

The FBI Denver Field Office confirmed in a report that complaints were on the rise, with even the public sector reporting incidents recently in the metro Denver area. During her remarks, Vicki Migoya, FBI Denver Public Affairs Officer, pointed out that malicious actors often use subtle methods to deceive users. For instance, malicious actors alter a single character in a website URL or substitute suffixes such as “INC” for “CO” to create a domain name that is very similar to legitimate ones. Additionally, as search engine algorithms continue to prioritise paid advertisements, some of which may lead to malicious sites, users searching for “free online file converters” should be aware of this warning, as they may be particularly vulnerable to threats. 

Despite the FBI's decision to withhold specific technical details so as not to alert threat actors, the agency confirmed that such fraudulent tools remain a preferred method for spreading malware and infecting unsuspecting computer users. Upon investigating the malware campaign further, the FBI discovered that the deceptive methods employed by the fraudulent websites to compromise users were deceptively deceptive. 

When a user visits such websites, he or she is required to upload a PDF document to convert it into Word format. It is then shown that the website has a loading sequence that simulates a typical conversion process, to give the impression that the website is legitimate. Additionally, the site presents users with a CAPTCHA verification prompt as well, a method of fostering trust and demonstrating that the website complies with common security practices seen on reputable websites. Nevertheless, as soon as the user completes the CAPTCHA, they are deceptively instructed to execute a PowerShell command on their system, which is crucial to begin the malware delivery process. 

After the user clicks on Adobe. A zip file is then installed on the user's device and contains a malware infection called ArechClient, a family of information-stealing malware which is associated with the Sectopratt malware family. Known to be active since 2019, this particular strain of malware is specifically designed to gather a wide range of sensitive data, including saved usernames and passwords, as well as cryptocurrency wallet information and other important digital assets. 

Some of these malicious websites have been taken offline by authorities in recent weeks, but a recent report by a known cybersecurity firm states that over 6,000 people have visited these websites during the past month alone. Clearly, cybercriminals are actively exploiting this vulnerability at scale and with a high degree of frequency. Users must verify the legitimacy of any online conversion service they use due to the increasing sophistication of such attacks. 

During the time of a web-based search, it is essential to make sure that the website is legitimate, not a phoney copy that is being manipulated by hackers. If an unknowing compromise has taken place on a device, action must be taken immediately, such as isolating it and resetting all the associated passwords, to minimise any damage done. For sensitive file conversions, cybersecurity experts recommend using trustworthy offline tools whenever possible to reduce their exposure to online attacks.

As cyber threats to online file conversion services have become increasingly sophisticated, users must be increasingly vigilant and security-conscious when conducting digital activities. For all individuals and organisations to feel comfortable uploading or downloading any files to a website, they are strongly encouraged to check for its authenticity before doing so. Among the things that users should do is carefully examine URLS for subtle anomalies, verify a secure connection (HTTPS), and favour trusted, well-established platforms over those that are less-known or unfamiliar. 

In addition, users should avoid executing any unsolicited commands or downloading unexpected files, even when the website seems to be a genuine one. It is crucial to prioritise the use of offline, standalone conversion tools whenever possible, especially when dealing with sensitive or confidential documents. If it is suspected that a compromised device or computer has been compromised, immediate steps should be taken to isolate the affected device, reset all relevant passwords, and contact cybersecurity professionals to prevent a potential breach from taking place. 

In the age of cybercriminals who are constantly enhancing their tactics, fostering a culture of proactive cyber awareness and resilience is no longer optional, but rather a necessity. To combat these evolving threats, it will be imperative for organisations to consistently train staff, update security protocols, and effectively use best practices. Users need to exercise greater caution and make informed decisions to prevent themselves as well as their organisations from the far-reaching consequences of cyberattacks in the future.
Read more »
Windows
blocking unauthorized access Cyberattacks CyberCrime Cybersecurity Data Breach Deleted Files IT Professional Windows

Preventing Unauthorised Recovery of Deleted Files

 


As far as users are concerned, once a file is removed from their computer, it is forever gone. However, the reality is more complex. The likelihood of recovering a deleted file depends on how it was deleted, as well as where it came from. It is common for a Windows computer to move files from its internal storage area to the Recycle Bin, which allows users to easily restore files that have been deleted from the Windows computer's internal storage. 

It is also worth mentioning that if the file is deleted using the Shift + Delete mode or if it is removed from an external device such as an external hard drive, it bypasses the Recycle Bin and appears to have been permanently deleted. Despite this, the data is not erased from the system immediately. When users mark the hard drive space as available, Windows makes sure that the original file content remains unchanged until new data is written over it. 

During this time, the computer can be used for file recovery with the appropriate methods or software, so users have a window of opportunity to recover lost files. Understanding these mechanisms is key not only to regaining access to lost files but also to ensuring the permanent and secure deletion of confidential data whenever necessary. 

A file deletion is not a direct removal of data from a digital devicee, contrary to popular belief; merely an update to the file system is performed by the operating system as a way to notify the operating system that space previously occupied by the deleted file is now available for new data. While the visible references to the file, such as its name and path, are removed from the storage medium, the data within the file remains intact until it is overwritten with new information.

There severalr of risks involved in handling sensitive or confidential material, including this temporary persistence, because the data is potentially recoverable through specialized means, and thus creates a vulnerability. In general, the notion that files can be permanently deleted is often misunderstood by individuals organisationsions, resulting in an underestimation of the risk associated with improper data disposal. 

The majority of deleted files can be recovered by using advanced recovery software to scan storage devices for residual data patterns and file signatures. In reality, these software programs can be used to recover many deleted files. Several factors influence the success of these efforts, such as the amount of new data that has been written to the device since the deletion, and the type of storage hardware involved. As beneficial as this recovery potential may be for accidental deletions, it also highlights a critical challenge in the field of data security when it comes to data security. 

Without deliberate and thorough methods of sanitisation, deleted files may still be accessible, posing a threat to data privacy and compliance. Increasing volumes of digital information, as well as their sensitivity, make it increasingly necessary to know how to delete a file and be aware of the limitations of basic removal methods for managing data responsibly. 

Although conventional deletion methods are limited to removing file references and leaving the actual data intact in recoverable sectors, tspecialisedized tool uses secure overwriting methtor to prevent data recovery from being possible, even with advanced forensic software. This tool actively seeks unallocated disk space to ensure that previously deleted data is permanently removed from the storage device by overwriting the overwritten files. 

The tool's interface was streamlined to accommodate ease of use, and it features a simple drag-and-drop interface to support intuitive operations. The application can be used to delete selected files or folders instantly, while broader drive-level functions can completely sanitise leftover data remnants left behind by routine data deletions. 

The application has a minimalistic appearance, but is purpose-driven and efficient, requiring only a few actions to safely dispose of the information it contains. There are no advanced overwrite configurations available in the tool, but it is compatible with Windows 7, 10, and 11 systems. However, it does not support advanced overwrite configurations such as Dod 522022-M or Gutmann methoDespitee of this limitation, the default overwrite process is sufficient for most consumer and professional applications, providing adequate protection against attempts to retrieve the information.

As a result of the unrestricted usage of this solution across multiple devices and the lack of installation requirements, it is particularly useful for IT professionals managing hardware upgrades or for people who wish to secure their data. The application is an efficient and reliable alternative to more complex and resource-intensive software that offers a variety of benefits in the process of removing files securely. 

The recovery of recently deleted files on a Windows system can be accomplished through several practical methods, each varying in complexity and effectiveness based on what the deletion was about. It is important to know that one of the most immediate methods is to use the shortcut key Ctrl + Z, which is a built-in Windows function which allows users to reverse recent actions, including deletions of files. 

When a file has been deleted from the computer and no further operations have overwritten it, this approach is often effective and quick for retrieval. Nevertheless, it is limited in its usefulness; it is unable to recover files that have been permanently deleted or those whose contents have been overwritten by subsequent data writing. Another commonly used technique is to inspect the Recycle Bin, which serves as a temporary storage place for files deleted by the standard processes. 

In the case that deleted items are still present, it is easy to recover them either by dragging them back to the desired location or by right-clicking and selecting the "Restore" option to put them back in their original locations. Despite being a straightforward solution to a problem, this method can only be used to restore non-permanently deleted data. When the Recycle Bin does not help, it becomes necessary to assess whether the deleted files were backed up at some point in the past. 

 It is possible to still retrieve data that has been transferred to external storage devices, synced to cloud services, or archived using a third-party backup software tool, even if they have been movedsynchronisedized. Windows' built-in File History feature, for example, makes it possible for users to browse through older versions of files and restore them relatively easily if it has been set up correctly before deleting them. 

It is usually necessary to develop dedicated recovery solutions in case of more complex data loss scenarios, such as those involving permanent deletion, malware interference, Shift + Delete commands, or corrupted file systems. Of these, MiniTool Power Data Recovery stands out amongst them as a robust, easy-to-use option, with a wide spectrum of data loss events that can be handled by the software, including those caused by antivirus software, system errors, or CHKDSK. 

With the ability to recover a variety of types of files, including documents, multimedia files, system data, and even optical disks, it is capable of retrieving data from a wide range of media. For example, it can recover data from hard drivHDDSHDDs), solid-state drivSSDSSSDs), USB flash drives, SD cards, and even optical disks. 

There is a free edition of the tool that is compatible with Windows versions 8 through 11, which includes up to 1 GB of complimentary data recovery, making it an ideal solution for both individual and professional users must understandtand the different techniques and choose the appropriate method based on the specific circumstances surrounding the loss of the file, which highlights the significance of understanding the different methods. 

Data confidentiality must be ensured by user organisations in a way that goes beyond basic deletion methods and adopts secure erasure practices. The fact that deleted files are recoverable reinforces the importance of reliable tools sanitising data. Data disposal should be handled proactively to maintain privacy, prevent breaches, to meet security standards in the digital era.
Read more »
Spyware
API Keys Cybersecurity Data Breach Developers malware npm packages open-source phishing Software Supply Chain Spyware

Rise in Data-Stealing Malware Targeting Developers, Sonatype Warns

 

A recent report released on April 2 has uncovered a worrying rise in open-source malware aimed at developers. These attacks, described as “smash and grab” operations, are designed to swiftly exfiltrate sensitive data from development environments.

Brian Fox, co-founder and CTO of Sonatype, explained that developers are increasingly falling victim to deceptive software packages. Once installed, these packages execute malicious code to harvest confidential data such as API keys, session cookies, and database credentials—then transmit it externally.

“It’s over in a flash,” Fox said. “Many of the times, people don’t recognize that this was even an attack.”

Sonatype, a leader in software supply-chain security, revealed that 56% of malware identified in Q1 2025 focused on data exfiltration. These programs are tailored to extract sensitive information from compromised systems. This marks a sharp increase from Q4 2024, when only 26% of open-source threats had such capabilities. The company defines open-source malware as “malicious code intentionally crafted to target developers in order to infiltrate and exploit software supply chains.”

Fox emphasized that these attacks often begin with spear phishing tactics—posing as legitimate software packages on public repositories. Minor changes, such as replacing hyphens with underscores in filenames, can mislead even seasoned developers.

“The attackers fake the number of downloads. They fake the stars so it can look as legit as the original one, because there’s not enough awareness. [Developers] are not yet trained to be skeptical,” Fox told us.

These stolen data fragments—while small—can have massive consequences. API keys, hashed passwords, and cookie caches serve as backdoors for broader attacks.

“They’re breaking into the janitor’s closet, not to put in a bomb, but to grab his keychain, and then they’re going to come back at night with the keychain,” Fox said.

The 2025 report highlights early examples:

Compromised JavaScript packages on npm were found to steal environment variables, which typically contain API tokens, SSH credentials, and other sensitive information.

A fake npm extension embedded spyware that enabled complete remote access.

Malicious packages targeted cryptocurrency developers, deploying Windows trojans capable of keylogging and data exfiltration. These packages had over 1,900 downloads collectively.

A separate report published by Sonatype in November 2024 reported a 156% year-over-year surge in open-source malware. Since October 2023, over 512,847 malicious packages have been identified—including but not limited to data-exfiltrating malware.
Read more »
Vulnerabilities
Andriod ATR Cyber Hackers Cybersecurity CyberThreat MaaS malware NFC SiperCard TLS Vulnerabilities

New Android Threat Raises Concern Over NFC Relay Attack Vulnerabilities

 


In recent times, there has been considerable concern with regards to some newly uncovered Android-based malware-as-a-service (Maas) platforms, particularly those based on Android and known as SuperCard X. This is because this platform was able to execute these attacks in near-field communication (NFC). A sophisticated tool such as this enables threat actors to make unauthorised contactless payments, allowing them to withdraw money without requiring direct physical access to their cards. 

Through advanced near-field communication (NFC) relay techniques, this malware is able to allow threat actors to authorize illicit transactions at contactless-enabled ATMs and Point-of-Sale (POS) terminals without actually requiring the victim to give them their card details. Using such methods, the attacker deceives users into installing a malicious Android application, during which their payment cards are tapped against their compromised devices. 

The sensitive data from the NFC tags is intercepted and relayed in real time to the attacker-controlled infrastructure while the attack is taking place. It appears that the platform has been part of a Malware-as-a-Service MaasS) ecosystem for Chinese-speaking users. In addition, it appears to have a significant amount of code overlap with NGate, a malicious NFC toolkit that was previously documented by ESET in 2024. The campaign has had a wide-reaching impact on not only banking customers but also credit card issuers and payment processors as well. 

With the help of widely adopted contactless payment technologies, attackers are able to devise an extremely effective means of executing an unauthorised cashout, especially if they trick the user into disabling transaction limits. This campaign's success has been attributed to its combination of streamlined malware and persuasive social engineering, a development that signals a significant change in the tactics used by mobile threat actors in the future.

Apparently, the current campaign appears to be primarily targeting Italian bank customers and cardholders, according to recent research conducted by the fraud prevention firm Cleafy. It is reported that the attackers intend to collect sensitive payment card data through a methodical and layering approach in a very systematic way. Several analysts, including Federico Valentini, Alessandro Strino, and Michele Roviello, have concluded that SuperCard X uses a multiphase strategic attack method. 

Social engineering tactics are used to lure victims into installing malicious Android applications, which can intercept NFC data that has been compromised from a compromised device. This can include SMS-based phishing (smishing) as well as deceptive phone calls that lure victims into installing malicious Android applications. Additionally, preliminary findings indicate that the service is actively promoted on Telegram channels, which suggests that the tool’s distribution and monetisation are being supported by a larger underground network. 

The campaign's focus is on covert data harvesting and real-time exploitation of data, a trend which highlights the importance of mobile devices as a critical point of entry for financial fraudsters. A growing number of mobile payments is highlighting a need for enhanced awareness of users, robust security protocols, and real-time threat intelligence to combat the ever-increasing number of mobile-focused cyberattacks. As far as the malware's operational architecture is concerned, it displays a clever combination of sophistication and subtlety. 

To keep the component known as "Reader" from being detected by security platforms that are based on heuristics or signature-based and signature-driven algorithms, such as VirusTotal, the component is intentionally designed to only ask for basic system permissions as well as some NFC permissions, an intentional design choice. The technical findings of Cleafy indicate significant code reuse from the open-source relay toolkit NFCGate and the malicious variant NGate, both of which were identified by ESET in 2024. 

Using publicly available frameworks has probably accelerated development and led to a quicker onboarding process for new threat actor affiliates because it allows development to take place faster. When victims are coerced into tapping their credit or debit cards against a compromised device, they are silently captured, including low-level smart card responses such as the Answer To Reset (ATR) messages, from the compromised device. This is often done through social engineering.

Data such as this is sent instantly through a command-and-control network that is based on HTTP and protected with mutually negotiated TLS authentication, which limits communication to validated client instances and reduces the probability of external intrusion. During the same time, a secondary application on a separate attacker-controlled Android device called the "Tapper" is played that simulates the victim's card at a payment terminal or contactless ATM by using Host-Based Card Emulation (HCE). 

With a combination of disabling the card spending limits for the victim, this tactic can ensure that the maximum number of fraudulent withdrawals are made while remaining virtually undetectable by standard mobile security solutions. As a result of Cleafy's analysis, SuperCard X is designed to be stealthy, and it has remained undetected by all antivirus solutions listed on VirusTotal until today. 

Having such a restricted permission model, as well as the absence of overtly malicious behaviours, such as screen overlays and intrusive access requests, which are commonly flagged by heuristic-based security engines, contributes greatly to this success. There is an evident high level of technical competence among the threat actors behind SuperCard X, particularly in the implementation of an ATR-based (Answer to Reset) card emulation system, which demonstrates a high level of technical competence. 

A malware program that replicates the initial response sequence of the smartcard convincingly allows fraudulent transactions to be processed without raising suspicions at a payment terminal by convincingly mimicking authentic smartcard behaviour. In addition to this, users have built a command-and-control infrastructure with mutual Transport Layer Security (MTLS), which ensures that no client devices are permitted to communicate unless they are authenticated. 

A certificate-based verification ensures that not only is data integrity protected, but the network traffic analysis process is hindered significantly by security researchers and law enforcement agencies due to the fact that this certificate is based on verification. Together, these technical safeguards ensure that this malware does not leave a large footprint on the networks and demonstrate how mature the campaign is operationally. 

There is some evidence that the activity associated with SuperCard X is currently restricted to Italy geographically, although Cleafy's report cautions that the threat could rapidly escalate on a global scale if the problem is not addressed promptly. Cybercriminals can acquire and deploy malware-as-a-service (MaaaS) tools on dark web marketplaces that are readily available, which makes it easy for them to acquire and deploy malware against targets from any region. This raises concerns about possible expansion into broader markets, including those in North America and Europe. 

Using convincing social engineering tactics, such as urgent text messages masquerading as official communication from financial institutions, the campaign leverages persuasive social engineering techniques. The messages are designed in such a way that they cause panic in users and prompt them to immediately act, such as clicking on malicious links or downloading unauthorised applications, in order to generate immediate results. 

Individuals should ensure that they verify such messages independently by contacting their financial providers directly through trusted channels in cases where the sender's number matches the victim's actual bank number, especially if the sender's number has been spoofed to match that number. Whenever users receive a request to download an application through an external link, they should be aware that it is a red flag. No legitimate bank would ever ask users for this type of request. 

The user should only install applications from verified sources, such as the Google Play Store, which offer banking apps. It is essential to maintain the functionality of built-in security features on users' Android device, such as Google Play Protect, to mitigate the risk of exposure to threats like SuperCard X. This service continuously scans every application users install and any new applications they download for malicious behavior. 

There are a few things users should consider, such as installing a third-party mobile security solution, as well as awareness and good cyber hygiene practices. As this malware continues to circulate in the wild, awareness and good cyber hygiene are the two best ways to combat the increasing number of mobile malware threats.
Read more »
Data Leak
Anonymous Cyber Vigilantes CyberCrime Cyberhackers Cybersecurity CyberThreat Data Breach Data Leak

Cyber Vigilantes Strike Again as Anonymous Reportedly Leaks 10TB of Sensitive Russian Data

 


It has been a dramatic turn in the cyber world for the globally recognised hacktivist collective Anonymous in the last few days, with the claim that a colossal data breach has been perpetrated against the Russian government and its business elite. This is a bold claim made by Anonymous. According to reports, a group known for its high-profile digital interventions has allegedly leaked tens of terabytes of sensitive and classified data online. 
 
As a result of several sources that have been tracking the activities of the group, it appears that the breach may encompass a wide range of internal communications, financial records, and unreleased documents that are related to many key Russian institutions and corporations, including many of their key financial records. 

They first announced the leak in a post on X (formerly known as Twitter), stating the extent of the breach and describing the type of data that was compromised. There is also a mention of an unusual file titled "Leaked Data of Donald Trump" that is allegedly included within the cyber trove, adding an unexpected twist to the cyber saga. 

The authenticity of this particular file is still subject to scrutiny, but its presence implies that repercussions could extend beyond the borders of Russia because it has been leaked in the first place. As a result, it would be one of the largest political data leaks in recent years, raising serious concerns about cybersecurity vulnerabilities as well as the evolving tactics of digital activism in geopolitics, which could have a significant impact on the international landscape. Cyber analysts are closely watching the situation, as governments and corporations assess the potential fallout. 

Many are anticipating a wave of digital confrontations across global borders, as well as a response by governments and corporations. It was reported on Tuesday that the latest breach is a result of ongoing tensions between Russia and the digital activist community Anonymous, which is a decentralised and leaderless collective known for conducting cyberattacks against oppressive or corrupt entities. Anonymous warned internet users that former US President Donald Trump and Russian President Vladimir Putin have been alleged to be linked. 

Digital disruption has long been a cornerstone of the group's agenda, which seeks to promote transparency. In most cases, the group targets authoritarian regimes, controversial political figures, and powerful corporations, often blurring the line between cyberwarfare and protest. 

On April 15, 2025, a leaked archive allegedly contained a large amount of politically charged material that has been leaked. Several classified documents have been compiled in the book, including classified details on the internal political machinery of the Russian Federation, as well as sensitive information on local companies and their financial operations. Particularly noteworthy are files that are allegedly about Kremlin-linked assets located overseas and influence networks spanning Western countries. 

An anonymous statement was published on their official X (formerly Twitter) account by Anonymous on September 21st: "In defense of Ukraine, Anonymous has released 10TB of data in support of Ukraine, including leaked information about every Russian business operating in the West, all Kremlin assets, pro-Russian officials, Donald Trump, and many more." In light of the extent of the unprecedented in scope as well as the implication wave of speculation, scrutiny, and concern has swept global intelligence and cybersecurity officials. 
 
With the publication of this digital exposition, it has been possible to shed new light on a variety of things that occurred behind the scenes, ranging from undisclosed financial affiliations to private information regarding high-profile politicians and other figures. As a result of the addition of data allegedly related to Donald Trump to the breach, the geopolitical implications of it grow even more significant, suggesting that Anonymous may not only be trying to expose the Russian state's inner workings, but also to highlight covert operations and transnational alliances that were previously unknown. 
 
In a statement released on Tuesday, April 15, Anonymous claimed responsibility for the leak of approximately ten terabytes of Kremlin-linked data, which was the result of what they described as a massive cyber attack conducted by the hacktivist group in support of Ukraine. Initially, Anonymous TV, a prominent affiliate channel on the social media platform X (formerly Twitter), made the disclosure as part of their first campaign for public awareness of the group’s activities. There is an indication that this trove has been leaked by the Russian government, as well as the Kremlin assets located in the West as and pro-Russian officials. 

Among the information gathered was a reshared file titled “Leaked Data of Corrupt Officials”, which was originally published by Anonymous France, a second X-based account associated with this movement. Because Anonymous is a decentralised and loosely coordinated organisation, it remains unclear what the exact relationship is between these different factions, such as Anonymous TV and Anonymous France, because their nature remains decentralised and loosely coordinated. 

Often, because of the movement's structure, cells and supporters can act independently from each other, blurring the lines between direct affiliations and amplifying the reach and impact of their campaigns at the same time. Among the screenshots shared by Anonymous TV, a glimpse of the structure of the directory was revealing. To describe the contents of the folder, it was divided into several subfolders under the heading "Leaked Data of", which contained the names of people and organisations from various fields. There was a remarkable number of entries, including those of Serbian President Aleksandar Vučić, former US President Donald Trump and, not surprisingly, the American fast food chain Domino's Pizza. 

A broad range of entities included in this data release suggests the release is not just aimed at governments and politicians, but is likely to target commercial interests believed to be operating in Kremlin-linked spheres of influence. There is no doubt that Anonymous's digital crusade is complex and it is often controversial, because of the breadth and unpredictability of its targets. There has been widespread media coverage of the alleged Anonymous data leak, but questions have emerged about the source and significance of the data that have ascended to thrface as a result. 

According to Technology journalist Mikael Thalen, in a separate report, there could be a possible source of the files as well: A user using the handle @CyberUnknown45 who reportedly had begun teasing about and discussing the existence of such data caches as early as December 2023. 

In this regard, Thalen believes that a significant percentage of the leaked material consists of previous leaks, as well as documents which have already been publicly available, scraped from various online sources, as well as documents which were previously leaked in prior hacks. Additionally, he referred to cyber researcher Best, whose insights aligned with this assessment as well. Further, Cybernews, a well-known cybersecurity publication, expressed scepticism about the archive, saying it contained a “large amount of random data,” according to the publication. 

According to the publication, early impressions from the cybersecurity community indicate that the leak is not as sensational as initially claimed. According to Cybernews, the vast trove of leaked information seems to be simply not that exciting and is more of a noise than anything. Cybernews wrote that most people do not seem to be that interested in the information released. However, an analysis of the data has been provided by an individual whose Reddit profile is titled civilservant2011, who claims to have downloaded and examined it. Their post indicated that the archive was mainly divided into company-specific folders, which contained a variety of PDF documents related to various Russian companies, primarily those associated with the defence sector. 

The user mentioned that this archive may be useful for the Ukrainian armed forces, since it contains hundreds of documents about Russian defence contractors, as well as many others related to the Ukrainian armed forces. There is no doubt that this content does not appear to be headline-worthy at first glance, however, it can still have a substantial strategic value to military intelligence or geopolitical analysts. Additionally, the report is contextualised by previous claims that Ukraine’s Defence Intelligence Agency (HUR) made in March 2024, when it claimed that Russian Ministry of Defence databases were breached.  

In addition, the HUR report also states that this operation yielded sensitive data on the Russian Armed Forces, enabling Ukraine to better understand its adversary's military infrastructure. As a result of these developments, it is becoming increasingly apparent that cyber warfare is becoming increasingly complex, where the line between hacktivism, espionage, and information warfare is continuing to get blurred.
Read more »
Subscribe to: Posts (Atom)