A cybercriminal group known as Fog Ransomware has claimed responsibility for a cyberattack on the University of Notre Dame in Perth, Australia. According to reports, the group has allegedly stolen 62.2GB of sensitive data, including student medical records, staff and student contact information, and confidential documents.
The university was first alerted to a cybersecurity breach in January 2025. Recently, technology news sources revealed that Fog Ransomware had posted details of the attack on its dark web leak site. The group claimed to have accessed and stolen a large amount of private and institutional information.
As of now, the hackers have not made any ransom demands or issued a deadline for payment. Cybersecurity experts believe that this group has a history of targeting educational and recreational institutions worldwide.
The cyberattack has disrupted essential university operations, making it difficult for students and staff to access key services. Some of the areas impacted include:
1. Payroll and leave management – Employees have been unable to process payments and leave applications as usual. Temporary manual processes have been put in place.
2. Student enrolments and timetables – Many students have struggled to access their class schedules and register for courses.
3. Communication services – Internet and email systems have also been affected, causing delays in official university communication.
University official Patrick Hampton, who is both the Deputy Head of Education and President of the National Tertiary Education Union WA Notre Dame branch, stated that the attack had disrupted critical functions necessary for the university’s daily operations. He also emphasized that staff and students need additional support to cope with these challenges.
At this stage, the university has not been able to confirm exactly what data has been stolen. A spokesperson explained that while primary systems handling student records, finance, and human resources appear secure, some separately stored data might have been compromised.
To assess the situation, the university has engaged international cybersecurity experts and is working to determine the extent of the breach. Officials have assured that if any personal data is found to be affected, the university will notify those impacted as soon as possible.
The incident has been reported to the Australian Cyber Security Centre (ACSC), and the university is taking necessary precautions to strengthen its security measures. Despite the ongoing challenges, the university has confirmed that classes for the 2025 academic year will begin as scheduled.
Meanwhile, the staff union is pushing for greater transparency from the university administration. They are demanding that university leadership keep staff and students fully informed about what data has been compromised and provide assurances about data protection measures moving forward.
This attack is a reminder of the increasing cybersecurity threats faced by educational institutions. Universities hold vast amounts of sensitive student and staff data, making them prime targets for cybercriminals.
A group of hackers has been caught running a large-scale cyber spying operation, now called REF7707. The attack was first noticed in November 2024 when strange activity was detected in the Foreign Ministry of a South American country. As experts looked deeper, they found that the same hackers had also targeted several other organizations in Southeast Asia.
The attackers used advanced hacking tools to break into computer systems, steal information, and stay hidden for a long time. However, even though they were highly skilled, they made serious mistakes that exposed their operation.
The Malicious Software Used in the Attack
The hackers used three main types of malware (harmful programs) to infect computers and control them remotely:
FINALDRAFT: A Hidden Control System
One of the key tools in this attack was FINALDRAFT, a type of software that allowed hackers to secretly take control of a computer. Once installed, they could:
GUIDLOADER and PATHLOADER: Sneaky Installers
These two programs acted as delivery tools that installed FINALDRAFT on infected computers. Instead of storing dangerous files on a computer’s hard drive (where they could be detected), they loaded the malware directly into the computer’s memory. This method helps cybercriminals avoid antivirus scans.
To further cover their tracks, they hid malware downloads on popular websites, including:
1. Google Firebase (a cloud service used by developers)
2. Pastebin (a site often used to store and share text)
3. Web storage systems of Southeast Asian universities
By using trusted websites, they made it harder for security systems to recognize the attack.
Hackers Misused Windows Tools to Spread
Instead of only relying on their own hacking tools, the attackers took advantage of built-in Windows programs to spread across networks:
By using tools that were already part of Windows, they avoided setting off alarms that custom-made malware might trigger.
How the Hackers Were Caught
Even though REF7707 was a well-planned attack, the hackers made several big mistakes that helped cybersecurity experts uncover their activities.
Key Errors They Made:
1. Left behind test versions of their malware: Some samples contained error messages and incomplete code, revealing how they built their attack.
2. Exposed their own websites: Many of their fake websites remained open and accessible, allowing experts to track their movements.
3. Messed up their encryption: Some malware was poorly coded, which made it easier for researchers to analyze and understand how it worked.
Tracing the Hackers’ Footsteps
By following these mistakes, security researchers tracked the hackers’ network of fake websites and compromised services. Some of the suspicious domains they discovered included:
1. digert.ictnsc[.]com
2. support.vmphere[.]com
3. hobiter[.]com and vm-clouds[.]net, which shared the same setup, suggesting they were controlled by the same group.
The attackers also abused Microsoft’s services to make their hacking traffic look like normal company activity.
What We Can Learn from This Attack
REF7707 is a clear example of how cybercriminals use sophisticated tricks to break into important systems, stay hidden, and steal data. But it also proves that even expert hackers can make mistakes, and when they do, security teams can use those errors to track them down.
Hackers are constantly improving their tactics, but as this case shows, cybersecurity experts are also getting better at catching them.
Cybercriminals have found a new way to trick smartphone users: fake wedding invitations. According to cybersecurity researchers, a newly discovered malware named Tria is being used to infect Android devices, primarily in Malaysia and Brunei. The attackers are disguising malicious links as wedding invitations and sending them via WhatsApp and Telegram to unsuspecting victims.
Once a user clicks the link and downloads the application, the malware starts working silently in the background, stealing sensitive personal information.
How the Malware Works
This cyberattack has been active since mid-2024. It follows a simple but effective strategy:
1. The hackers send a fake wedding invitation through group or private chats.
2. The invitation asks recipients to download an app to access event details.
3. Once installed, the app secretly collects private information from the victim’s phone.
The stolen data includes:
Cybersecurity experts warn that this stolen data can be used in several ways, including:
1. Hijacking banking accounts
2. Resetting passwords for email and social media
3. Taking over messaging apps to send fraudulent messages
Why Hackers Want Control of Your Messaging Apps
One of the biggest concerns is that hackers aim to take control of WhatsApp and Telegram accounts. Once they gain access, they can:
To process the stolen data, cybercriminals use Telegram bots, which are automated systems that collect and sort the information.
The exact group responsible for this attack is unknown, but cybersecurity researchers suspect that the hackers speak Indonesian. They have not been linked to any specific organization yet.
Similarities to Previous Attacks
This type of scam is not entirely new. In 2023, cybersecurity experts discovered a malware campaign called UdangaSteal, which targeted users in Indonesia, Malaysia, and India.
1. UdangaSteal also used fake invitations and job offers to trick victims.
2. It mainly focused on stealing SMS messages.
However, Tria is more advanced because it collects a wider range of data, including emails and instant messaging conversations.
How to Protect Yourself
Cybersecurity experts recommend taking extra precautions to avoid falling victim to such scams:
1. Be cautious of unexpected messages, even from known contacts.
2. Never download apps from links shared in messaging apps.
3. Use official app stores (Google Play Store) to download apps.
4. Enable two-factor authentication (2FA) for your accounts.
5. Verify invitations by calling or messaging the sender directly.
As online scams grow more sophisticated, staying vigilant is the best way to protect your personal data. If something seems unusual or suspicious, it is best to ignore it.
In a conversation with cybersecurity news portal TechCrunch, Simon Wijckmans, founder and CEO of the web security company c/side, said the hacking campaign is still “very much live”.
The hackers aim to distribute malware to loot passwords and sensitive data from Mac and Windows users. According to c/side, a few hacked websites rank among the most popular ones on the internet. Reporting on the company’s findings, Himanshu Anand believes it is a “widespread and very commercialized attack” and told TechCrunch the campaign is a “spray and pray” cyber attack targeting website visitors instead of a specific group or a person.
Researchers believe that once a hacked WordPress site loads in a visitor's browser, its content is immediately replaced by a fake Chrome browser update page, which asks the visitor to download and install an update in order to access the site.
If the visitor agrees to the update, the compromised website serves a harmful malware file disguised as the update, choosing the file according to whether the visitor is on a Mac or on Windows. Researchers have informed Automattic, the company that makes and distributes WordPress.com, about the campaign and sent it a list of harmful domains.
According to TechCrunch, Megan Fox, spokesperson for Automattic, did not comment by press time. Automattic later clarified that the security of third-party plugins is the responsibility of the WordPress developers who write them.
“There are specific guidelines that plugin authors must consult and adhere to ensure the overall quality of their plugins and the safety of their users,” Ms Fox told TechCrunch. “Authors have access to a Plugin Handbook which covers numerous security topics, including best practices and managing plugin security,” she added.
C/side has traced over 10,000 sites that may have been targeted by this hacking campaign. The company found malicious scripts on various domains by crawling the internet and then using reverse DNS lookups to find other domains and sites tied to the same small set of IP addresses, which exposed a larger number of domains hosting the malicious scripts. TechCrunch has not independently confirmed c/side's data, but it did find a WordPress site serving the malicious content earlier this week.
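The pivoting step described above (start from known-bad domains, find other domains that resolve to the same few IP addresses) can be illustrated with a small script. The code below is an added example, not c/side's tool, and the domain names, IP addresses and resolution records in it are constructed for the illustration. It goes slightly beyond the text by repeating the expansion for a configurable number of hops and by skipping IPs that host many domains, since a shared-hosting address would otherwise drag in unrelated sites as false positives.

```python
from collections import defaultdict

# Constructed passive-DNS style records (domain, resolved IP) for the example.
# The names use the reserved .invalid TLD and documentation IP ranges; none of
# this is real infrastructure.
CONSTRUCTED_RESOLUTIONS = [
    ("update-check.invalid", "203.0.113.10"),
    ("chrome-assets.invalid", "203.0.113.10"),
    ("fonts-mirror.invalid", "203.0.113.11"),
    ("chrome-assets.invalid", "203.0.113.11"),
    # A shared-hosting address with many unrelated tenants.
    ("neighbour-a.invalid", "192.0.2.50"),
    ("neighbour-b.invalid", "192.0.2.50"),
    ("neighbour-c.invalid", "192.0.2.50"),
    ("neighbour-d.invalid", "192.0.2.50"),
    ("neighbour-e.invalid", "192.0.2.50"),
    ("neighbour-f.invalid", "192.0.2.50"),
    ("seed-on-shared-host.invalid", "192.0.2.50"),
]


def build_maps(resolutions):
    """Index the records both ways: domain -> IPs and IP -> domains."""
    domain_to_ips = defaultdict(set)
    ip_to_domains = defaultdict(set)
    for domain, ip in resolutions:
        domain_to_ips[domain].add(ip)
        ip_to_domains[ip].add(domain)
    return domain_to_ips, ip_to_domains


def pivot_on_shared_ips(resolutions, seeds, max_tenants=5, depth=2):
    """Starting from known-bad domains, collect other domains that resolve to
    the same IPs. An IP with more than max_tenants domains behind it is treated
    as shared hosting and skipped, because everything behind it would be a
    false positive. The expansion repeats `depth` times so that newly found
    domains are pivoted on as well. Returns the newly discovered domains only."""
    domain_to_ips, ip_to_domains = build_maps(resolutions)
    known = set(seeds)
    frontier = set(seeds)
    for _ in range(depth):
        discovered = set()
        for domain in frontier:
            for ip in domain_to_ips.get(domain, ()):
                tenants = ip_to_domains[ip]
                if len(tenants) > max_tenants:
                    continue  # shared hosting: co-location says nothing here
                discovered |= tenants - known
        if not discovered:
            break
        known |= discovered
        frontier = discovered
    return sorted(known - set(seeds))


if __name__ == "__main__":
    # Constructed seed: a domain already confirmed to serve the fake update page.
    found = pivot_on_shared_ips(CONSTRUCTED_RESOLUTIONS, {"update-check.invalid"})
    print("candidate domains for review:", found)
    print("pivot from a shared host:",
          pivot_on_shared_ips(CONSTRUCTED_RESOLUTIONS, {"seed-on-shared-host.invalid"}))
```

The output is a list of candidates for analyst review, not a verdict: co-location on a small IP is a lead, and each domain still has to be crawled and checked for the injected script before it is blocklisted.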
A newly discovered vulnerability in Ivanti Connect Secure VPN systems, called CVE-2025-0282, has been actively exploited by hackers to deploy custom malware. This critical security flaw affects older versions of Ivanti’s VPN appliances, including Connect Secure, Policy Secure, and Neurons for ZTA gateways. Despite the wide impact, Ivanti has clarified that the attacks are currently limited to a small number of users.
The flaw is a stack-based buffer overflow that attackers could trigger with specially crafted requests to breach systems. Mandiant, a leading cybersecurity firm, reported that the breaches started in December 2024. Using this flaw, the attackers accessed the compromised devices, disabled important security settings, and installed malicious software.
New Malware Families Identified
During the course of the investigation, two other malware variants, Dryhook and Phasejam, were discovered on infected systems. There is no established connection between these malware families and any known hacking groups. In addition, hackers utilized a toolkit named Spawn, which is also used by suspected Chinese espionage groups.
Dryhook: This malware captures login credentials, such as usernames and passwords, during the authentication process.
Phasejam: A dropper that installs malicious web shells, allowing hackers to execute commands remotely.
How the Attack Works
The attack process involves several steps:
1. Identifying Targets: Hackers scan devices using specialized HTTP requests to identify vulnerable systems.
2. Exploitation: They exploit the CVE-2025-0282 flaw to bypass security.
3. Malware Deployment: They disable protections, modify system files, and install tools such as backdoors and tunneling utilities once inside.
4. Data Theft: They steal sensitive information, including session details and credentials. This data is often archived and staged for transfer via public servers.
5. Maintaining Access: Hackers alter upgrade processes, making their changes persist even after system updates.
When the vulnerability was discovered, more than 3,600 Ivanti VPN devices were exposed online. Although the number decreased to around 2,800 after the software patch, most systems are still exposed to this threat.
What Can Be Done?
To defend against this threat, Ivanti advises doing the following:
Why it Matters
This incident shows why organizations must take their cybersecurity seriously. Attackers have become highly sophisticated, stealing the most sensitive data from widely used systems such as VPNs. Businesses need to stay alert, keep their systems updated, and revise their security policies frequently to counter these threats.
In the cybercrime world, Initial Access Brokers (IABs) are essential for facilitating attacks. These specific hackers break into company systems, steal login credentials, and then sell access to other criminals who use it to launch their own attacks. They essentially act as locksmiths for hackers, making it easy for those willing to pay to get into systems.
What Exactly Do IABs Do?
IABs operate as a business: they sell stolen access to corporate systems on dark markets, whether private forums or Telegram channels. The credentials on offer range from basic login information up to the highest-privilege administrator accounts. They even offer guarantees, giving a refund if the stolen credentials fail to work.
This system benefits both inexperienced attackers and advanced hacking groups. For less skilled criminals, IABs provide access to high-value targets they could never reach independently. For seasoned ransomware operators, purchasing pre-stolen access saves time and allows them to focus on deploying malware or stealing sensitive data.
Credentials such as usernames and passwords are a hacker's key to entering a system directly, bypassing the other security barriers. Such an attack occurred during major breaches such as in the
How to Protect Against IABs
Organizations must adopt proactive measures to counteract these threats:
1. Threat Intelligence: Tools can monitor underground markets for stolen credentials. If a company’s data appears on these platforms, immediate action, such as forcing password changes, can help minimize the damage.
2. Complex Passwords: Companies should enforce rules requiring employees to use complex, unique passwords and to update them regularly. Platforms like Specops Password Policy let companies check their credentials against databases of known breaches so that previously breached passwords cannot be reused.
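The second measure, screening a candidate password against a breach corpus and a complexity rule, can be shown in a few dozen lines. The following is an added example and not the Specops product or any vendor's code; the leaked-password list is constructed for the demonstration, and the length and character-class thresholds are assumed policy values. The index layout (a 5-character SHA-1 prefix mapping to the remaining suffixes) mirrors the k-anonymity range query used by the Have I Been Pwned password service, so the same checker could be pointed at that data instead of the constructed list.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-credential corpus. Plaintexts appear here
# only so the example can build its hash index offline; a real corpus is
# distributed as hashes, never as plaintext.
CONSTRUCTED_LEAKED_PASSWORDS = ["password123", "Winter2024!", "qwerty", "letmein", "admin"]


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest form used by breach-corpus lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Map each 5-hex-char SHA-1 prefix to the set of 35-char suffixes seen in
    the corpus. In a range query only the prefix leaves the client; the suffix
    comparison happens locally, so the candidate password is never revealed."""
    index = defaultdict(set)
    for pw in plaintexts:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


BREACHED_INDEX = build_range_index(CONSTRUCTED_LEAKED_PASSWORDS)


def is_breached(password, index=BREACHED_INDEX):
    """True if the password's SHA-1 appears in the (constructed) breach index."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def policy_violations(password, min_length=14, min_classes=3):
    """Return the reasons a candidate password fails the assumed policy:
    too short, too few character classes, or present in the breach index.
    An empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < min_classes:
        problems.append("fewer than %d character classes" % min_classes)
    if is_breached(password):
        problems.append("appears in breached-credential corpus")
    return problems


if __name__ == "__main__":
    # Constructed candidates: two that fail for different reasons, one that passes.
    for candidate in ["password123", "Winter2024!", "correct-horse-battery-staple-2024"]:
        print(candidate, "->", policy_violations(candidate) or "accepted")
```

The breach check is deliberately independent of the complexity rule: "Winter2024!" satisfies every character-class requirement and still fails, because a password that already sits in a leak is exactly what an access broker's refund-backed listing is built on.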
Although IABs have made cybercrime more efficient, organizations can protect themselves by understanding their tactics and strengthening their defenses. Regular monitoring, strong password practices, and quick responses to breaches are key to staying ahead of these threats. By closing the gaps hackers exploit, companies can make it harder for cybercriminals to succeed.
Hackers associated with North Korea have taken cyber theft to a record-breaking level in 2024, stealing $1.8 billion in cryptocurrency. According to a detailed report by blockchain analytics firm Chainalysis, this highlights the growing sophistication of these attackers and the risks they pose to international security, particularly in the United States. Here's a simpler, step-by-step explanation of the issue.
In 2024, more than half of the $3 billion taken from cryptocurrency platforms globally was attributed to North Korean hackers. The figures increased sharply from last year. In 2023, there were 20 incidents that collectively totaled $660.5 million. This year, it skyrocketed to $1.8 billion through 47 incidents.
These hackers are using increasingly advanced strategies to target and steal digital currencies, showcasing their ability to exploit vulnerabilities in cryptocurrency platforms.
How Do Hackers Launder Stolen Cryptocurrency?
After stealing funds, the hackers use complex methods to hide the origins of the money. Some common techniques include:
1. Financial platforms: services that let users transact anonymously, making the funds hard to trace.
2. Crypto mixing services: stolen funds are blended with legitimate funds, obscuring where the money came from.
3. Mining services: hackers favour mining because it converts their stolen funds into forms that are harder to trace.
With these, authorities face challenges tracking and recovering such stolen funds.
Advanced Tools and Phony Jobs
Hackers use deception and advanced tactics in targeting their victims. For example:
In addition, they use specialized tools to target cryptocurrency platforms, making their operations even more efficient.
Why Does North Korea Do This?
North Korea has been under heavy sanctions from the international community, eliminating many sources of revenue. Cyber theft has become a critical way for the country to generate funds. Although stolen funds declined in 2023 to $1 billion from $1.7 billion in 2022, the sharp increase in 2024 shows that they are not letting up on cybercrime.
This is not just a matter of money; it affects global security. The stolen funds are believed to help North Korea sustain its regime and avoid financial penalties imposed by the global community. US officials and cybersecurity experts warn that these activities are a growing threat to financial systems worldwide.
To remedy this, cryptocurrency sites should enhance their security level. People must also remain vigilant against these types of scams, including false employment advertisements. International cooperation will be needed to address these cybercrimes and safeguard digital financial systems.
In summary, the scale and sophistication of North Korean hackers are on the rise, which calls for stronger defenses and global efforts to curb cyber theft. This story is a wake-up call for governments, businesses, and individuals alike.
Browser isolation is a widely used cybersecurity tool designed to protect users from online threats. However, a recent report by Mandiant reveals that attackers have discovered a novel method to bypass this measure by utilizing QR codes for command-and-control (C2) operations.
Browser isolation is a security technique that separates a user's browsing activity from their local device. It streams only visual content from web pages into the user's browser, preventing direct interaction with potentially harmful sites or exploits. This can be implemented through cloud-based, on-premises, or local solutions.
Traditionally, attackers rely on HTTP requests to communicate with a C2 server and issue commands to compromised systems. However, browser isolation disrupts this process by streaming only webpage pixels, effectively blocking HTTP-based attack methods.
To bypass browser isolation, Mandiant researchers devised a technique that embeds command data within QR codes. The process works as follows:
This approach exploits browser isolation’s reliance on transmitting visual data, allowing the QR code to be captured and decoded without triggering traditional security defenses.
Mandiant demonstrated the attack using tools like Puppeteer and Chrome in headless mode. They further integrated the technique with Cobalt Strike’s External C2 feature, showcasing its practicality. However, the technique has certain limitations:
Despite this new attack vector, browser isolation remains a valid and essential security measure. Mandiant recommends a layered defense strategy to mitigate such threats:
This novel attack demonstrates the evolving nature of cybersecurity threats and the need for constant vigilance. Organizations should adopt a comprehensive approach, including education and robust protection strategies, to defend against emerging threats effectively. Browser isolation remains an important tool when integrated into a layered security framework.
Dutch security authorities have recorded growing cyber threats from state-affiliated Russian and Chinese hackers targeting organisations in the country. The attacks, mostly to gain access to the critical infrastructure, are seen as preparations for future sabotage and for gathering sensitive information, according to a recent report by the Dutch National Coordinator for Security and Counterterrorism (NCTV).
Rise of Non-State Hackers in Support of Government Agendas
The report says cyber attacks can no longer be considered the preserve of state actors: non-state hackers in Russia and China are increasingly joining in. In Russia, hacktivists (independent hacking groups with no official line to the government) are said to have carried out parts of the past year's cyber espionage and sabotage. At times, Russian state cyber actors work alongside them, sometimes using them as cover for their own operations and sometimes directing them to fit state goals.
China's cyber operations often combine state intelligence resources with academic and corporate collaborations. Some individuals perform dual roles, conducting research or scientific work while also advancing China's intelligence goals. Such close cooperation blurs the line between private and state operations, adding complexity to China's cyber strategy.
China's Advancing Sabotage Capabilities
For some years now, Chinese cyber campaigns focused on espionage, particularly those targeting the Netherlands and other allies, have been well known. Over the past year, however, China's cyber strategies have become broader in scope and more sophisticated. The "Volt Typhoon" campaign, attributed to China, exemplified a shift toward actual sabotage, with critical U.S. infrastructure as the chief target. Although Europe is not currently under such threats from Volt Typhoon, the Netherlands remains vigilant given China's rapid advances in cyber capabilities, which could be deployed globally at a later stage.
Cyber/Disinformation Combined Threat
Pieter-Jaap Aalbersberg, the Dutch National Coordinator for Security and Counterterrorism, underscored that cyber threats frequently form part of an integrated approach that includes information operations. Coordinated actions are riskier because a cyber attack and a digital influence operation combine to compromise security. Aalbersberg indicated that the risks need to be weighed collectively, covering both direct cyber threats and their wider consequences.
Recent Breach in Dutch Police Forces Concerns
Earlier this month, the Dutch national police announced a breach of officers' personal contact details, affecting thousands of officers and exposing names, telephone numbers, and email addresses. The attackers behind the breach are unknown, although the incident is believed to be "very likely" the work of a state-sponsored group. No country was named.
The Dutch government sees this heightened cyber hostility as demanding a stronger defensive response in the cybersecurity field, particularly as the threats from Russia and China continue to multiply. The situation makes a strong case for additional safeguards, closer international cooperation, and greater action to halt the expanding operations of these aggressors in cyber warfare.