Have you ever been struck by a smooth criminal?

Mar 17 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s getting talked about more than the Chris Brown lap dance with Natalia Zoppa.

Today’s hottest cyber security stories:

  • Smooth criminals in Russia and China use ‘SilkLoader’ to avoid detection
  • ChipMixer platform tied to crypto-laundering scheme gets shut down
  • Google chips away at Samsung’s reputation, uncovers 18 vulnerabilities with chips


The Chinese and the Russians appear to have joined forces (in method, if not ideology) and are both utilising a crafty new piece of technology which cybersecurity analysts in Finland have dubbed ‘SilkLoader’.

This is a novel piece of malware that’s designed to load Cobalt Strike onto infected machines. We know what you’re thinking: what the hell is Cobalt Strike?

Basically, Cobalt Strike is a tool that companies (or their cybersecurity team) can use to probe their computer systems for weakness. It’s a handy tool for good faith actors to use to test and subsequently strengthen systems to better defend them from pesky scammers.

The problem is Cobalt Strike is something of a two-edged sword because, of course, if threat actors manage to sneakily load and execute the tool on potential victims’ systems, they can easily run amok having determined where the vulnerabilities lie.

As such, there’s an ongoing battle between the good guys and the bad guys to harness the substantial power of Cobalt Strike.

The cybercriminals are constantly dreaming up new ways to disguise Cobalt Strike and trojan it into the targets’ systems. SkilLoader is the latest instance of that.

But the fact that Finnish cybersecurity company WithSecure has discovered (and named!) this latest instance bodes well for the forces of good in the cybersphere.

WithSecure researcher Hassan Nejad said: “Cobalt Strike beacons are very well known and detections against them on a well-protected machine are all but guaranteed.”

“However, by adding additional layers of complexity [such as those contained within SilkLoader] to the file content and launching it through a known application such as VLC Media Player via side-loading, the attackers hope to evade these defence mechanisms.”

Scary stuff, but let’s hear it for the lads and ladesses over in Finalnd who managed to tar and feather this latest sneaky strain.

WithSecure For The Win! Not so smooth now, are ya?


Wow, some more good news to end the week! Here’s another victory for the good guys we are very happy to report.

Hip, hip, hooray for the coalition of law enforcement agencies across Europe and the U.S. whose six year effort has this week led to the takedown of ChipMixer.

So, what exactly is ChipMixer? Nope, it’s not a new (and frankly delicious sounding) flavour of Ben & Jerry’s ice cream; it’s an unlicensed cryptocurrency ‘mixer’ that began its operations in August 2017.

Sometimes it feels like the lion’s share of these articles is spent unpacking the various terms used… Dw, it’s exhausting for us too!

So, by mixer they mean a dodgy laundering service which allows cybercriminals (along with other darkweb dwellers) to disguise their illegally begotten gains as innocent cryptocurrency gains which can subsequently be switched over to FIAT and spent on Big Macs and Ferraris and Taylor Swift concert tickets.

“Mixers processed a total of $7.8 billion in 2022, 24% of which came from illicit addresses,” and “the vast majority of illicit value processed by mixers is made up of stolen funds, the majority of which were stolen by North Korea-linked hackers.” This is according to a report from Chainalysis in January 2023.

ChipMixer, the world’s largest centralised crypto mixer service, is estimated to have laundered $3.75 billion worth of digital assets (152,000 BTC) to further a wide range of criminal schemes.

ChipMixer is also the fourth mixer service to be outlawed over the past few years following the disruption of Bestmixer, Blender, and Tornado Cash.

Take that, crypto-cronies!


Google is singing like a canary upon discovering a set of “severe” security flaws in Samsung’s Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction.

Admittedly, it sounds pretty bad and not just a vindictive PR stunt by Google… Apologies for our unrelenting cynicism, folks. You try covering cyber scams everyday and see if you retain your bright-eyed optimism!

The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123 chipset.

The ‘vehicles’ part sounds scary, not gonna lie. Think i, Robot… So yeah, four of the 18 flaws make it possible for a threat actor to achieve internet-to-Samsung, Vivo, and Google, as well as wearables using the Exynos W920 chipset and vehicles in late 2022 and early 2023.

“The four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” Tim Willis, head of Google Project Zero, said.

In doing so, a threat actor could gain entrenched access to cellular information passing in and out of the targeted device. Additional details about the bugs have been withheld.

Well, you know it couldn’t all be good news, eh? Still, two out of three ain’t bad…

Enjoy your weekends, cyber-guardians!

So long and thanks for reading all the phish!

Cyber Dawgs top picks from the week, he’s your Dawg, he got you.

footer graphic cyber security newsletter

Recent articles