FBI offers $10M for info on China’s Salt Typhoon hackers


North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures

Ravie Lakshmanan

North Korea-linked threat actors behind the Contagious Interview campaign have set up front companies as a way to distribute malware during the fake hiring process.

“In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.]com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread malware via ‘job interview lures’,” Silent Push said in a deep-dive analysis.

The activity, the cybersecurity company said, is being used to distribute three different known malware families, BeaverTail, InvisibleFerret, and OtterCookie.

Contagious Interview is one of several job-themed social engineering campaigns orchestrated by North Korea to entice targets into downloading cross-platform malware under the pretext of a coding assignment or of fixing an issue with their browser when turning on the camera during a video assessment.

The activity is tracked by the broader cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, UNC5342, and Void Dokkaebi.

The use of front companies for malware propagation, complemented by setting up fraudulent accounts on Facebook, LinkedIn, Pinterest, X, Medium, GitHub, and GitLab, marks a new escalation for the threat actors, who have been observed using various job boards to lure victims.

“The BlockNovas front company has 14 people allegedly working for them, however many of the employee personas […] appear to be fake,” Silent Push said. “When viewing the ‘About Us’ page of blocknovas[.]com via the Wayback Machine, the group claimed to have been operating for ’12+ years’ – which is 11 years longer than the business has been registered.”

The attacks lead to the deployment of a JavaScript stealer and loader called BeaverTail, which is then used to drop a Python backdoor referred to as InvisibleFerret that can establish persistence on Windows, Linux, and macOS hosts. Select infection chains have also been found to serve another malware codenamed OtterCookie via the same JavaScript payload used to launch BeaverTail.

BlockNovas has been observed using video assessments to distribute FROSTYFERRET and GolangGhost using ClickFix-related lures, a tactic that was detailed earlier this month by Sekoia, which is tracking the activity under the name ClickFake Interview.

BeaverTail is configured to contact an external server (“lianxinxiao[.]com”) for command-and-control (C2) to serve InvisibleFerret as the follow-up payload. It comes with various features to harvest system information, launch a reverse shell, download additional modules that steal browser data and files, and initiate the installation of the AnyDesk remote access software.

Further analysis of the malicious infrastructure has revealed the presence of a “Status Dashboard” hosted on one of BlockNovas’ subdomains to maintain visibility into four of their domains: lianxinxiao[.]com, angeloperonline[.]online, and softglide[.]co.

A separate subdomain, mail.blocknovas[.]com, has also been found to be hosting an open-source, distributed password cracking management system called Hashtopolis. The fake recruitment drives have led to at least one developer allegedly getting their MetaMask wallet compromised in September 2024.

That’s not all. The threat actors also appear to be hosting a tool named Kryptoneer on the domain attisscmo[.]com that offers the ability to connect to cryptocurrency wallets such as Suiet Wallet, Ethos Wallet, and Sui Wallet.

“It’s possible that North Korean threat actors have made additional efforts to target the Sui blockchain, or this domain may be used within job application processes as an example of the ‘crypto project’ being worked on,” Silent Push said.

BlockNovas, according to an independent report published by Trend Micro, also advertised in December 2024 an open position for a senior software engineer on LinkedIn, specifically targeting Ukrainian IT professionals.

As of April 23, 2025, the BlockNovas domain has been seized by the U.S. Federal Bureau of Investigation (FBI) as part of a law enforcement action against North Korean cyber actors for using it to “deceive individuals with fake job postings and distribute malware.”

Besides using services like Astrill VPN and residential proxies to obfuscate their infrastructure and activities, a noteworthy aspect of the malicious activity is the use of artificial intelligence (AI)-powered tools like Remaker to create profile pictures.

Trend Micro, in its own analysis of the Contagious Interview campaign, said it identified five Russian IP ranges that have been used to carry out the operation. These IP addresses are obscured by a VPN layer, a proxy layer, or an RDP layer.

“The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk,” security researchers Feike Hacquebord and Stephen Hilt said.

“Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea.”

If Contagious Interview is one side of the coin, the other is the fraudulent IT worker threat known as Wagemole, a tactic that involves crafting fake personas using AI to get North Korean IT workers hired remotely as employees at major companies.

These efforts have dual motivations, designed to steal sensitive data and pursue financial gain by funneling a chunk of the monthly salaries back to the Democratic People’s Republic of Korea (DPRK).

“Facilitators are now using GenAI-based tools to optimize every step in the process of applying and interviewing for roles and to aid DPRK nationals attempting to maintain this employment,” Okta said.

“These GenAI-enhanced services are required to manage the scheduling of job interviews with multiple DPRK candidate personas by a small cadre of facilitators. These services use GenAI in everything from tools that transcribe or summarize conversations, to real-time translation of voice and text.”

Telemetry data gathered by Trend Micro points to the Pyongyang-aligned threat actors working from China, Russia, and Pakistan, while using the Russian IP ranges to connect to dozens of VPS servers over RDP and then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services.

“Given that a significant portion of the deeper layers of the North Korean actors’ anonymization network is in Russia, it is plausible, with low to medium confidence, that some form of intentional cooperation or infrastructure sharing exists between North Korea and Russian entities,” the company said.


Don’t just lock your door: MFA alone is not enough in today’s cybersecurity climate

Story by Jon Jarvis

The cybersecurity landscape is evolving with serious pace, and organizations are facing increasingly sophisticated threats from attackers who are constantly finding new ways to bypass traditional defenses.

For years, Multi-Factor Authentication (MFA) has been heralded as a cornerstone of modern security practices, providing an additional layer of protection beyond passwords. However, as threat actors sharpen their tools and exploit vulnerabilities, it has become clear that MFA alone is no longer sufficient to safeguard sensitive information.


To truly protect against today’s advanced threats, organizations must embrace a layered security approach that goes far beyond MFA.

The limitations of multi-factor authentication

The concept of MFA is simple yet effective: requiring multiple forms of verification—such as a password and a one-time code sent to a mobile device—adds an extra layer of security. It could be seen as locking your door with two different locks instead of just one. This has been especially valuable in combating password-based attacks, as it makes it significantly harder for attackers to gain access with stolen credentials. Yet, despite its strengths, MFA is far from infallible.

Sophisticated attackers have developed numerous methods to bypass MFA protections. Phishing remains one of the most common tactics, where users are tricked into revealing their MFA credentials on fake websites or through deceptive communications.


Man-in-the-middle attacks intercept session tokens during transmission, rendering MFA useless in certain scenarios. MFA fatigue attacks—where users are inundated with repeated authentication requests until they approve one out of frustration or confusion—are becoming alarmingly frequent.

SIM swapping allows attackers to hijack phone numbers used for SMS-based authentication, while session hijacking enables them to bypass MFA altogether by stealing authenticated tokens. These techniques demonstrate that while MFA is necessary, it is insufficient as a standalone solution.

The rise of AI-driven cyberattacks and the proliferation of SaaS applications further complicate the picture. As businesses increasingly rely on interconnected systems and cloud-based platforms, managing identities—both human and non-human—has become more challenging than ever. Attackers exploit these complexities to target vulnerabilities in identity management systems, leading to a surge in identity-driven breaches.


The need for a layered security approach

To address these challenges, organizations must adopt a layered security strategy that incorporates multiple defenses working together to protect against threats. This approach, often referred to as “defense in depth,” recognizes that no single security measure can provide complete protection. Instead, overlapping layers create redundancies that ensure if one layer fails, others remain effective.

A foundational element of this strategy is the implementation of zero trust architecture. Zero trust operates on the principle of “never trust, always verify,” meaning that every user and device must be continuously authenticated and authorized before accessing sensitive resources. Unlike traditional perimeter-based security models—which assume that everything inside the network is safe—zero trust assumes that threats can exist anywhere and requires constant vigilance.


Zero trust builds upon MFA by incorporating additional checks and balances into the authentication process. For example, adaptive authentication uses AI and machine learning to assess risk factors such as user behavior, device type, location, and login patterns before granting access. Biometric authentication methods like fingerprint scanning or facial recognition add another layer of security while improving user experience by eliminating reliance on passwords or codes.

Enhancing endpoint protection

Endpoint protection is another critical component of a layered security strategy. Devices such as laptops, smartphones, and tablets are often the first line of defense against attacks—and also the most vulnerable entry points for attackers seeking access to an organization’s network. Advanced endpoint detection and response (EDR) tools can detect and prevent malware infections, unauthorized access attempts, and other threats targeting devices.

Implementing robust endpoint security measures involves not only deploying software solutions but also ensuring that devices are regularly updated and patched. This includes maintaining strong identity and access management (IAM) practices to ensure that only authorized users can access sensitive data from these devices.

Network segmentation and monitoring

Network segmentation further enhances security by dividing an organization’s network into smaller segments or zones based on sensitivity levels. This limits the spread of potential breaches and ensures that attackers cannot move laterally across the entire network even if they gain access to one segment.

Comprehensive monitoring and detection systems play a vital role in identifying and responding to threats in real time. Centralized monitoring solutions can analyze vast amounts of data from across the organization’s infrastructure to detect anomalies or suspicious activity. When combined with automated response mechanisms, these systems enable rapid remediation before threats escalate into full-blown breaches.

The future of cybersecurity

The future of cybersecurity lies in embracing a holistic approach that combines technology with proactive strategies. Organizations must invest not only in advanced tools but also in employee training programs to raise awareness about phishing attacks and other social engineering tactics. Security policies should be regularly updated to reflect emerging threats and technological advancements.

It’s clear that the cybersecurity landscape will continue to evolve at breakneck speed. Threat actors are becoming more sophisticated by leveraging AI-driven techniques and exploiting gaps in traditional defenses like MFA. Organizations must remain agile and adaptable—constantly reassessing their security strategies—to stay ahead of these evolving threats.

While MFA remains an important piece of the puzzle, it is no longer enough on its own. A robust layered security approach ensures that if one defense fails, others remain effective in protecting sensitive information from compromise.

The days when locking your door once or twice was enough are long gone; today’s threat landscape demands multiple layers of protection working together seamlessly. Only by embracing this mindset can organizations hope to safeguard their assets in an increasingly interconnected digital world where attackers are always one step ahead—and where cybersecurity must evolve just as rapidly as the threats it seeks to counteract.



Thailand introduces new cybercrime law to tackle data misuse

Puntid Tantivangphaisal

A new cybercrime law aims to tackle cybercrime at its roots by preventing the misuse of personal data, as stated by the Personal Data Protection Committee (PDPC).

PDPC Secretary General, Police Colonel Surapong Plengkham, announced yesterday, April 21, that the Royal Decree on Measures for the Prevention and Suppression of Cybercrime 2025 has been officially published in the Royal Gazette.

A primary aspect of the law, effective from April 13, is the protection of personal data, with strict penalties for violators.

Sharing data without consent could result in up to one year of imprisonment and a fine of up to 100,000 baht. Those involved in the buying or selling of such data may face up to five years in prison, a fine of 500,000 baht, or both.

This decree represents a significant advancement in addressing cybercrime by preventing the exploitation of personal data, particularly by online scammers and call centre gangs.

The law also extends to the data of deceased persons. Using or allowing others to use such information for criminal or technological offences will result in legal consequences.


Pol. Col. Surapong noted that the new decree enhances the existing Personal Data Protection Act (PDPA), which aims to prevent the malicious use of personal data.

He advised the public to refrain from sharing sensitive information and to report any suspicions of their personal data being compromised or misused.

Additionally, the PDPC has launched the PDPC Eagle Eye Centre, which collaborates with the Cyber Police’s Cyber Eye Centre to monitor personal data breaches continuously and enforce the law effectively, reported Bangkok Post.

In similar news, Thailand’s National Cyber Security Agency (NCSA) issued a warning to logistics firms, urging them to strengthen customer data protection following a cyberattack that exposed a significant security vulnerability in one operator’s system.

This alert coincided with the launch of an investigation by the Personal Data Protection Commission into the breach.

Air Vice Marshal Amorn Chomchoey, Secretary General of the NCSA, highlighted the vast amount of sensitive consumer data handled by delivery firms, particularly in the rapidly growing e-commerce, mobile app, and courier sectors. He emphasised that leaked delivery addresses present a more immediate threat than standard registration data.


The growing threat of device code phishing and how to defend against it

Story by Mike Britton

Just as we think we’re getting one step ahead of cybercriminals, they find a new way to evade our defenses.

The latest method causing trouble for security teams is that of device code phishing, a technique that tricks users into granting access to sensitive accounts without attackers needing to steal a password.

Microsoft recently issued a warning about a particular device code phishing campaign being conducted by Storm-2372, a suspected Russia-backed threat actor that was wreaking havoc by hijacking user sessions through legitimate authentication flows. These attacks are trickier to detect than usual given that they exploit real login pages (rather than the spoofed versions that traditional phishing techniques relied on) and are capable of bypassing multi-factor authentication (MFA).

The recent warning from Microsoft will most likely be the first of many. Various other platforms follow the same style of authentication flows and attackers will most likely replicate the technique elsewhere. It is down to security teams once again to identify the warning signs of this new breed of phishing, and implement the best cybersecurity practices to get ahead of the curve.


Understanding device code phishing

Unlike traditional credential phishing attacks, device code phishing is unique in that there is no need to directly steal a password. Instead, attackers manipulate victims into handing over access to their accounts by exploiting authentication methods designed to make logging in easier.

They start the same way as most email attacks do: through social engineering. By impersonating a trusted colleague or IT administrator, the attackers send an email invitation to an online meeting (often a Microsoft Teams meeting) that looks legitimate. The email is designed to appear normal – for instance, it might look like a genuine Teams meeting invite.

When the victim clicks the link in the fake invite, they are prompted to log in using a special code (the “device code”), which is provided by the attacker. And because the website they land on is a real Microsoft login page, the user doesn’t suspect anything phishy.

What makes this technique especially dangerous is that it exploits legitimate authentication systems without creating counterfeit ones. This removes the need for attackers to steal passwords. Instead, they can gain access by capturing session tokens which allow them to operate without triggering additional authentication prompts. And because the tokens are already verified, attackers can often bypass MFA.

At first glance, nothing seems unusual. Suspicion is reduced due to the official Microsoft website, and therefore, victims won’t hesitate to enter a device code to authenticate the session. However, instead of linking their own device, they are unknowingly authorizing the attacker’s session. Once access is granted, the attacker has the keys to the kingdom and is free to operate within the victim’s account, access sensitive information, and launch lateral attacks.

How users can recognize and avoid these attacks

Device code phishing has created a minefield where legitimate tools are utilized for malicious purposes. Organizations must be proactive in recognizing these attacks and be sure to have effective authentication security measures in place.

Users should always treat unexpected meeting invites with suspicion, especially if they contain login prompts that require immediate action. Before entering any device code, users should verify the legitimacy of the request through a separate communication channel, such as a direct phone call or an internal messaging platform. If a login request appears out of the blue, it’s always best to avoid proceeding until its authenticity is confirmed.

Device codes are particularly sensitive because they are designed to be entered only on devices the user trusts. As a result, users should never share a login code with another person or enter a code they receive via email or chat unless they personally initiated the request. Legitimate services will never email a device code and then ask a user to input it on a separate website. If workforces can get to grips with this fundamental security principle, it can prevent many device code phishing attempts from succeeding.

Organizational steps to mitigate risk

Protecting against these attacks can’t rely solely on the user and organizations must take steps to reduce the risk of device code phishing.

One of the most effective measures is to disable any unnecessary device code authentication flows. If it isn’t essential for business operations, then it should be removed to eliminate a significant attack vector. Security teams should regularly review authentication policies and restrict device code logins to only trusted devices.

Conditional access policies go one step further, as they can restrict authentication attempts based on user behavior, device type, geographic location, and risk level. If a login attempt occurs from an unfamiliar location or outside of approved business hours, access can be blocked or require additional verification.

This is why it’s key to embrace behavioral AI measures which can establish baseline “normal” behaviors within an organization’s IT environment, and in turn question anything that seems out of the ordinary. Behavioral AI systems analyze characteristics like login patterns to detect anomalies, such as multiple authentication attempts from different locations or unusual device code submissions. By comparing these activities to known-good user behaviors, deviations from the norm can be flagged as suspicious.

And since device code phishing hinges on meeting invites to spread the attack, these should also be monitored. Security teams should regularly audit and flag unusual meeting request patterns, particularly those originating from compromised accounts.

Lastly, security awareness programs should be an ongoing feature of any cybersecurity strategy. Cyber threats evolve constantly, so training should also be continuous. Employees must be trained to recognize the warning signs of device code phishing and understand the risks of entering authentication codes without verification. Creating a culture where security is front of mind when handling unexpected requests is vital.
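As an added, self-contained example (not code from this article, from Microsoft, or from any vendor), the following Python script shows the baseline-and-deviation check described in the steps above, and in the adaptive-authentication paragraph of the MFA article earlier on this page, applied to device-code sign-ins: constructed sign-in records are scored against each user's history of interactive sign-ins, and each device-code sign-in is allowed, stepped up, or blocked. The record field names, the business-hours window, and the scoring weights are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (JSON lines). Field names are assumed for this
# example and do not follow any vendor's sign-in log schema.
SAMPLE_LOG = """\
{"ts": "2025-04-22T08:05:00Z", "user": "alice", "protocol": "password+mfa", "country": "GB", "result": "success"}
{"ts": "2025-04-22T08:40:00Z", "user": "alice", "protocol": "password+mfa", "country": "GB", "result": "success"}
{"ts": "2025-04-22T09:10:00Z", "user": "bob", "protocol": "password+mfa", "country": "US", "result": "success"}
{"ts": "2025-04-22T09:15:00Z", "user": "bob", "protocol": "device_code", "country": "US", "result": "success"}
{"ts": "2025-04-23T02:31:00Z", "user": "alice", "protocol": "device_code", "country": "RU", "result": "success"}
{"ts": "2025-04-23T02:33:00Z", "user": "alice", "protocol": "device_code", "country": "NL", "result": "success"}
{"ts": "2025-04-23T10:00:00Z", "user": "carol", "protocol": "device_code", "country": "GB", "result": "success"}
"""

BUSINESS_HOURS_UTC = range(7, 20)   # assumed policy window, 07:00-19:59 UTC
BURST_WINDOW = timedelta(hours=1)   # device-code sign-ins this close together are correlated


def parse_log(text):
    """Parse JSON-lines records and return them oldest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in records:
        rec["dt"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return sorted(records, key=lambda rec: rec["dt"])


def build_baseline(records):
    """Countries seen per user in successful interactive (non-device-code)
    sign-ins. Device-code sign-ins are deliberately excluded so that a
    phished session cannot normalise its own location."""
    baseline = defaultdict(set)
    for rec in records:
        if rec["result"] == "success" and rec["protocol"] != "device_code":
            baseline[rec["user"]].add(rec["country"])
    return baseline


def score_device_code_signin(rec, baseline, earlier_device_code):
    """Score one device-code sign-in against the user's baseline and the
    user's earlier device-code sign-ins; returns (score, reasons)."""
    score, reasons = 0, []
    known = baseline.get(rec["user"])
    if not known:
        score += 1
        reasons.append("no interactive sign-in history for user")
    elif rec["country"] not in known:
        score += 2
        reasons.append(f"country {rec['country']} never seen in interactive sign-ins")
    if rec["dt"].hour not in BUSINESS_HOURS_UTC:
        score += 1
        reasons.append(f"outside business hours ({rec['dt']:%H:%M} UTC)")
    # Several device-code sign-ins from different countries in a short window
    # is the "multiple attempts from different locations" pattern.
    recent = [r for r in earlier_device_code if rec["dt"] - r["dt"] <= BURST_WINDOW]
    countries = {r["country"] for r in recent} | {rec["country"]}
    if len(countries) > 1:
        score += 2
        reasons.append(f"device-code sign-ins from {sorted(countries)} within {BURST_WINDOW}")
    return score, reasons


def decide(score):
    """Map a score to the policy outcome: block, require step-up verification, or allow."""
    if score >= 3:
        return "block"
    if score >= 1:
        return "step_up"
    return "allow"


def triage(log_text):
    """Evaluate every device-code sign-in in the log; returns findings in time order."""
    records = parse_log(log_text)
    baseline = build_baseline(records)
    earlier = defaultdict(list)
    findings = []
    for rec in records:
        if rec["protocol"] != "device_code":
            continue
        score, reasons = score_device_code_signin(rec, baseline, earlier[rec["user"]])
        earlier[rec["user"]].append(rec)
        findings.append({"ts": rec["ts"], "user": rec["user"], "score": score,
                         "decision": decide(score), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        why = "; ".join(f["reasons"]) or "matches baseline"
        print(f"{f['ts']} {f['user']:<6} {f['decision']:<8} {why}")
```

In production the baseline would be built from a historical window rather than from the same log being triaged, and the weights would be tuned against the organisation's own false-positive rate.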

The time to act is now

As this latest technique continues to prove effective, cybercriminals will no doubt expand their use of device code phishing. Organizations must act now to defend against this emerging threat. A combination of user awareness and strong security policies which are strengthened by advanced threat detection can help organizations to stay ahead.

The sooner organizations implement these measures, the sooner they can reduce their exposure to device code phishing and protect their employees, data, and systems from this growing cyber threat.


This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro


North Korean hackers are using LinkedIn to entice developers to coding challenges

Story by Efosa Udinmwen

A hacker group from North Korea known as Slow Pisces has launched a sophisticated campaign targeting developers in the cryptocurrency sector through LinkedIn.

The group, also known as TraderTraitor or Jade Sleet, poses as recruiters to lure victims with seemingly genuine job offers and coding challenges, only to infect their systems with malicious Python and JavaScript code.

Thanks to this campaign, the group has been able to steal substantial amounts of cryptocurrency. In 2023 alone, they were linked to over $1 billion in stolen funds. A $1.5 billion hack at a Dubai exchange and a $308 million theft from a Japanese company are among the recent attacks.

Coders beware!

After initially sending PDF documents containing job descriptions, the malicious actors follow up with coding assignments hosted on GitHub.

Although these repositories appear to be based on legitimate open-source projects, they have been secretly altered to include hidden malware.

Victims, believing they are completing programming tests, unintentionally allow malware like RN Loader and RN Stealer onto their systems.

These booby-trapped projects mimic legitimate developer tools and applications. For instance, Python repositories might seem to analyze stock market trends using data from reputable sources, while secretly communicating with attacker-controlled domains.

The malware evades most detection tools by using YAML deserialization, avoiding commonly flagged functions like eval or exec. Once triggered, the loader fetches and executes additional payloads directly in memory, making it difficult to detect or remove.
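As an added example (not the campaign's code and not from the article), the following Python pre-load gate illustrates the YAML point above from the defender's side: it scans a YAML document for tags that unsafe loaders would resolve to Python objects and refuses to deserialize such input, which is exactly the path that needs no `eval` or `exec`. It uses only the standard library; the two sample documents and the regular expressions are constructed for this example, and the gate is meant to sit in front of a call to `yaml.safe_load`, which itself never resolves these tags.

```python
import re

# Constructed sample documents for this example; neither is from the campaign.
BENIGN_YAML = """\
# constructed market-data settings
source: "https://example.invalid/quotes"   # trailing comment
symbols: [ACME, EXMPL]
refresh_seconds: !!int 30
note: "a literal !!python/ inside quotes is data, not a tag"
"""

SUSPICIOUS_YAML = """\
config:
  fetcher: !!python/name:builtins.print   # unsafe loaders resolve this to a callable
  loader: !<tag:yaml.org,2002:python/module:json>
  custom: !mytag {a: 1}
"""

# Quoted scalars and comments are removed before scanning, so text inside a
# string is not mistaken for a tag.
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\']|\'\')*\'')
_COMMENT = re.compile(r"(?:^|\s)#.*$")
# A tag is '!' at line start or after whitespace: either the verbose
# '!<...>' form or a shorthand/local tag running to the next separator.
_TAG = re.compile(r"(?:^|(?<=\s))(!<[^>]+>|![^\s\[\]{},]+)")

PYTHON_PREFIXES = ("!!python/", "!<tag:yaml.org,2002:python/")
STANDARD_PREFIXES = ("!!", "!<tag:yaml.org,2002:")


def classify(tag):
    """'python' for PyYAML object-construction tags, 'standard' for core
    schema tags such as !!str or !!int, 'local' for anything else."""
    if tag.startswith(PYTHON_PREFIXES):
        return "python"
    if tag.startswith(STANDARD_PREFIXES):
        return "standard"
    return "local"


def find_tags(text):
    """Return every non-standard tag as a dict with line number, tag text and kind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = _COMMENT.sub("", _QUOTED.sub("", line))
        for match in _TAG.finditer(stripped):
            tag = match.group(1)
            kind = classify(tag)
            if kind != "standard":
                findings.append({"line": lineno, "tag": tag, "kind": kind})
    return findings


def check_before_load(text):
    """Gate to run before deserializing untrusted YAML. Raises ValueError on
    any Python object-construction tag; returns the local (application-defined)
    tags so the caller can decide whether it expects them."""
    findings = find_tags(text)
    python_tags = [f for f in findings if f["kind"] == "python"]
    if python_tags:
        where = ", ".join(f"line {f['line']}: {f['tag']}" for f in python_tags)
        raise ValueError(f"refusing to load YAML with Python object tags ({where})")
    return [f for f in findings if f["kind"] == "local"]


if __name__ == "__main__":
    print("benign document, local tags:", check_before_load(BENIGN_YAML))
    try:
        check_before_load(SUSPICIOUS_YAML)
    except ValueError as exc:
        print(exc)
```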

One such payload, RN Stealer, is specifically designed to exfiltrate credentials, cloud configuration files, and stored SSH keys, particularly from macOS systems.

JavaScript variants of the malware operate similarly, using the Embedded JavaScript templating engine to hide malicious code, which activates only for targeted victims based on factors like IP addresses or browser headers.

Forensic analysis shows that the malware stores code in hidden directories and communicates over HTTPS using custom tokens. However, investigators were unable to recover the full JavaScript payload.

GitHub and LinkedIn have responded by removing the malicious accounts and repositories involved.

“GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity,” the companies said in a joint statement.

There is a growing need for caution when approached with remote job offers and coding tests. Developers are advised to use strong antivirus software and run unfamiliar code in secure environments, particularly when working in sensitive sectors like cryptocurrency.

Those concerned about security should verify they are using the best IDEs, which typically include integrated security features. Staying alert, and working on a secure, controlled setup, can significantly reduce the risk of falling prey to state-backed cyber threats.


Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States

Ravie Lakshmanan

Cybersecurity researchers are warning of a “widespread and ongoing” SMS phishing campaign that’s been targeting toll road users in the United States for financial theft since mid-October 2024.

“The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by ‘Wang Duo Yu,'” Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen assessed with moderate confidence.

The phishing campaigns, per the company, impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas that warn of an unpaid toll and urge the recipient to click a fake link included in the message.

It’s worth noting some aspects of the toll phishing campaign were previously highlighted by security journalist Brian Krebs in January 2025, with the activity traced back to a China-based SMS phishing service called Lighthouse that’s advertised on Telegram.

While Apple iMessage automatically disables links in messages received from unknown senders, the smishing texts urge recipients to respond with “Y” in order to activate the link – a tactic observed in phishing kits like Darcula and Xiū gǒu.

Should the victim click on the link and visit the domain, they are prompted to solve a fake image-based CAPTCHA challenge, after which they are redirected to a fake E-ZPass page (e.g., “ezp-va[.]com” or “e-zpass[.]com-etcjr[.]xin”) where they are asked to enter their name and ZIP code to access the bill.

Targets are then asked to proceed further to make the payment on another fraudulent page, at which point all the entered personal and financial information is siphoned to the threat actors.

Talos noted that multiple threat actors are operating the toll road smishing campaigns by likely making use of a phishing kit developed by Wang Duo Yu, and that it has observed similar smishing kits being used by another Chinese organized cybercrime group known as the Smishing Triad.

Interestingly, Wang Duo Yu is also alleged to be the creator of the phishing kits used by Smishing Triad, per security researcher Grant Smith. “The creator is a current computer science student in China who is using the skills he’s learning to make a pretty penny on the side,” Smith revealed in an extensive analysis in August 2024.

Smishing Triad is known for conducting large-scale smishing attacks targeting postal services in at least 121 countries, using failed package delivery lures to coax message recipients into clicking on bogus links that request their personal and financial information under the guise of a supposed service fee for redelivery.

Furthermore, threat actors using these kits have attempted to enroll victims’ card details into a mobile wallet, allowing them to further cash out their funds at scale using a technique known as Ghost Tap.

The phishing kits have also been found to be backdoored in that the captured credit/debit card information is also exfiltrated to the creators, a technique known as double theft.

“Wang Duo Yu has crafted and designed specific smishing kits and has been selling access to these kits on their Telegram channels,” Talos said. “The kits are available with different infrastructure options, priced at US $50 each for a full-feature development, $30 each for proxy development (when the customer has a personal domain and server), $20 each for version updates, and $20 for all other miscellaneous support.”

As of March 2025, the e-crime group is believed to have focused their efforts on a new Lighthouse phishing kit that’s geared towards harvesting credentials from banks and financial organizations in Australia and the Asia-Pacific region, according to Silent Push.

The threat actors also claim to have “300+ front desk staff worldwide” to support various aspects of the fraud and cash-out schemes associated with the phishing kit.

“Smishing Triad is also selling its phishing kits to other maliciously aligned threat actors via Telegram and likely other channels,” the company said. “These sales make it difficult to attribute the kits to any one subgroup, so the sites are currently all attributed here under the Smishing Triad umbrella.”

In a report published last month, PRODAFT revealed that Lighthouse shares tactical overlaps with phishing kits such as Lucid and Darcula, and that it operates independently of the XinXin group, the cybercrime group behind the Lucid kit. The Swiss cybersecurity company is tracking Wang Duo Yu (aka Lao Wang) as LARVA-241.

“An analysis of attacks conducted using the Lucid and Darcula panels revealed that Lighthouse (Lao Wang / Wang Duo Yu) shares significant similarities with the XinXin group in terms of targeting, landing pages, and domain creation patterns,” PRODAFT noted.

Cybersecurity company Resecurity, which was the first to document Smishing Triad in 2023 and has also been tracking the scam toll campaigns, said the smishing syndicate has used over 60,000 domain names, making it challenging for Apple and Google to block the fraudulent activity in an effective manner.

“Using underground bulk SMS services enables cybercriminals to scale their operations, targeting millions of users simultaneously,” Resecurity said. “These services allow attackers to efficiently send thousands or millions of fraudulent IM messages, targeting users individually or groups of users based on specific demographics across various regions.”


Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader

Ravie Lakshmanan

A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader.

“Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution,” Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign.

The starting point of the attack is a deceptive email that poses as an order request to deliver a malicious 7-zip archive attachment, which contains a JavaScript encoded (.JSE) file.

The phishing email, observed in December 2024, falsely claimed that a payment had been made and urged the recipient to review an attached order file. Launching the JavaScript payload triggers the infection sequence, with the file acting as a downloader for a PowerShell script from an external server.

The script, in turn, houses a Base64-encoded payload that’s subsequently deciphered, written to the Windows temporary directory, and executed. Here’s where something interesting happens: the attack leads to a next-stage dropper that is compiled using either .NET or AutoIt.

In the case of a .NET executable, the encrypted embedded payload – an Agent Tesla variant suspected to be Snake Keylogger or XLoader – is decoded and injected into a running “RegAsm.exe” process, a technique observed in past Agent Tesla campaigns.

The AutoIt-compiled executable, on the other hand, introduces an additional layer in an attempt to further complicate analysis efforts. The AutoIt script within the executable incorporates an encrypted payload that’s responsible for loading the final shellcode, causing a .NET file to be injected into a “RegSvcs.exe” process, ultimately leading to Agent Tesla deployment.


“This suggests that the attacker employs multiple execution paths to increase resilience and evade detection,” Khanzada noted. “The attacker’s focus remains on a multi-layered attack chain rather than sophisticated obfuscation.”

“By stacking simple stages instead of focusing on highly sophisticated techniques, attackers can create resilient attack chains that complicate analysis and detection.”
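The chain described above (a script host opening a .JSE, spawning PowerShell, then a dropper run from the temp directory launching RegAsm.exe or RegSvcs.exe as an injection target) is exactly the kind of parent/child sequence a defender can flag from process-creation telemetry. The following is an added example, not Unit 42’s code; the events are constructed Sysmon-style records, and the process names and paths are assumptions modelled on the write-up.

```python
"""Flag the .JSE -> PowerShell -> temp-dir dropper -> RegAsm/RegSvcs chain."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# Constructed sample events (not real telemetry) modelled on the chain above.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\a\AppData\Local\Temp\7zO1\order_4471.jse"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -c ..."),
    ProcEvent(400, 300, r"C:\Users\a\AppData\Local\Temp\dropper.exe", "dropper.exe"),
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    # Benign control: a developer build invoking RegAsm from msbuild (assumed path).
    ProcEvent(600, 100, r"C:\Program Files\MSBuild\msbuild.exe", "msbuild.exe"),
    ProcEvent(700, 600, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe /codebase"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECT_HOSTS = {"regasm.exe", "regsvcs.exe"}   # .NET utilities named in the write-up


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_chain_alerts(events):
    """Return (pid, reason) tuples for each stage of the chain seen in the events."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        # Stage 1: a script host launched directly on a .JSE (encoded JScript) file.
        if name in SCRIPT_HOSTS and ".jse" in e.cmdline.lower():
            alerts.append((e.pid, "script host executing .JSE"))
        # Stage 2: PowerShell spawned by that script host (the downloader step).
        if name == "powershell.exe" and parent and basename(parent.image) in SCRIPT_HOSTS:
            alerts.append((e.pid, "powershell spawned by script host"))
        # Stage 3: RegAsm/RegSvcs started by a binary living in the user's temp directory.
        if name in INJECT_HOSTS and parent and "\\appdata\\local\\temp\\" in parent.image.lower():
            alerts.append((e.pid, f"{name} spawned from temp-dir binary (injection target)"))
    return alerts
```

The msbuild-launched RegAsm.exe is deliberately not flagged, since the signal is the temp-directory parent rather than the .NET utility itself.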

IronHusky Delivers New Version of MysterySnail RAT

The disclosure comes as Kaspersky detailed a campaign that targets government organizations located in Mongolia and Russia with a new version of a malware called MysterySnail RAT. The activity has been attributed to a Chinese-speaking threat actor dubbed IronHusky.

IronHusky, assessed to be active since at least 2017, was previously documented by the Russian cybersecurity company in October 2021 in connection with the zero-day exploitation of CVE-2021-40449, a Win32k privilege escalation flaw, to deliver MysterySnail.

The infections originate from a malicious Microsoft Management Console (MMC) script that mimics a Word document from the National Land Agency of Mongolia (“co-financing letter_alamgac”). The script is designed to retrieve a ZIP archive with a lure document, a legitimate binary (“CiscoCollabHost.exe”), and a malicious DLL (“CiscoSparkLauncher.dll”).

It’s not exactly known how the MMC script is distributed to targets of interest, although the nature of the lure document suggests that it may have been via a phishing campaign.

As observed in many attacks, “CiscoCollabHost.exe” is used to sideload the DLL, an intermediary backdoor capable of communicating with attacker-controlled infrastructure by taking advantage of the open-source piping-server project.

The backdoor supports capabilities to run command shells, download/upload files, enumerate directory content, delete files, create new processes, and terminate itself. These commands are then used to sideload MysterySnail RAT.

The latest version of the malware is capable of accepting nearly 40 commands, allowing it to perform file management operations, execute commands via cmd.exe, spawn and kill processes, manage services, and connect to network resources via dedicated DLL modules.

Kaspersky said it observed the attackers dropping a “repurposed and more lightweight version” of MysterySnail codenamed MysteryMonoSnail after preventive actions were taken by the affected companies to block the intrusions.

“This version doesn’t have as many capabilities as the version of MysterySnail RAT,” the company noted. “It was programmed to have only 13 basic commands, used to list directory contents, write data to files, and launch processes and remote shells.”


Anonymous Hackers Expose Putin’s Secret Data—Publish Trump File

By Zak Doffman

The Anonymous PR machine is in full flight once again, claiming a new cyberattack on Russia “in defense of Ukraine.” The hacking collective has released a cache of some 10 terabytes, it says, which includes “data on all businesses operating in Russia, all Kremlin assets in the West, pro-Russian officials, Donald Trump, and more.”

These Anonymous hacks don’t have the same impact as in the past, potentially because there have now been so many. And Cybernews reports that “from what files have been examined so far, the overall consensus seems to be that the leaked info is simply not that exciting, and apparently not that secret.” But it will generate headlines — which is the point — and there will be plenty of analysis on the data cache, including the Trump file and the even more intriguing “Domino’s Pizza” file.

Unsurprisingly, the Anonymous claims have been largely debunked, albeit some of what’s included in the cache — which is nowhere near 10 terabytes in size — might be useful to Ukraine’s armed forces. Per The Kyiv Post, “in March 2024, Ukraine’s Defense Intelligence (HUR) claimed a successful hack into Russia’s Ministry of Defense’s database. It said it obtained data that helped the agency establish the identity and structure of the Russian Armed Forces.”


At the time, Ukraine’s intelligence agency posted on Telegram that “the analysis of the obtained data also helped to identify the generals, other high-ranking managers of the structural units of the Ministry of Defense, as well as deputies, assistants, specialists — all those who used software for electronic document management called ‘bureaucrats’.” It’s possible that this leaked data contains more of the same.

While this highlights that even a collection of open source intel can be useful if collated and provided to those who can use it, it doesn’t add any credence to Anonymous’ claims. In reality, there will be little surprise that Russian officials are allegedly corrupt or that they have deep ties to the West. As one analyst notes, “mostly the information in the archive is specific to individual companies in Russia with folders for them and random PDFs for each company. This archive may be useful to the UKR armed forces since there are hundreds of PDFs on defense companies in Russia.”


Posting on BlueSky, DDOSecrets’ Emma Best issued a scathing riposte to Anonymous. “Claims impossible data without explanation. Releases less than 2% of what they say they have. Data looks like a scrape of existing releases. High quality folders like ‘China government site’ and ‘Dominoes pizza’…. Do I even need to say it?”

We await any further analysis of the data to see what might be included, and we have certainly seen nuggets of intel buried in such archives before. Part of the problem is that it’s unclear what information is being searched for. Russia’s role as a rogue state is well established now, especially as viewed from Europe, as its Ukraine campaign continues.

Again unsurprisingly, blue chip international names appear in the data, as well as NGOs operating in the region. But as one Redditor notes, several of those who have sifted through the data “are reporting that this is increasingly looking like it’s bunk. Don’t download the files. I would avoid anonymous’ PR website as it’s directing to the mediafire link that was being distro’d widely earlier in the day just in case it’s malware.”

And maybe we will. As another Redditor put it, “at the end of the day, let’s not pretend what they’re doing here isn’t a high tech version of a looting: they pound on some weakness, get in, grab as much as they can… And when they get out, they either got garbage bags of Pringles and lotion or Rolexes.”

Thus far, this seems more Pringles than Rolexes, albeit with some awkward questions for the Russian officials and Western firms named in the data cache.
