CyberSecurity news
FlagThis - #cybercrime
|
Graham Cluley@Blog RSS Feed
//
The Qilin ransomware group is introducing a new tactic to pressure victims into paying larger ransoms. They are now offering a "Call Lawyer" button within their affiliate panel, providing legal counsel to cybercriminals attempting to extort money. This feature aims to give affiliates an edge in ransom negotiations by providing them with on-call legal support. Qilin believes that the presence of a lawyer in communication with victims will increase the likelihood of a successful ransom payment due to the potential legal ramifications and associated costs for the victim company.
Qilin's legal assistance service offers several advantages for its affiliates, including legal assessments of stolen data, classification of legal violations, and evaluation of potential damages. It also provides guidance on how to inflict maximum economic damage on a victim company if they refuse to pay the ransom. This addition is part of Qilin's effort to position itself as a full-service cybercrime platform, offering extensive support options and robust solutions for highly targeted ransomware attacks. This development indicates a shift in the cybercrime landscape, with ransomware groups like Qilin attempting to mimic legitimate business tactics to increase their success rates. Qilin has become a prominent player in the ransomware-as-a-service (RaaS) market, attracting affiliates from other groups and leading in the number of victims targeted in recent months. The group's mature ecosystem, advanced evasion features, and comprehensive operational features position it as a significant threat in the cybercrime world. Recommended read:
References :
Dissent@DataBreaches.Net
//
A massive collection of 16 billion login credentials has been discovered, representing one of the largest data thefts in history. Cybernews reports that the exposed data likely originates from various infostealers, malicious software designed to gather sensitive information from infected devices. Researchers have uncovered 30 exposed data sets containing millions to over 3.5 billion records each, totaling the astounding 16 billion credentials. These datasets include logins for major platforms like Apple, Google, Facebook, and Telegram, raising significant concerns about widespread account compromise.
Researchers noted that these datasets were not simply recycled from old data leaks but represent new, potentially "weaponized" information. The exposed data contains a mix of details from stealer malware, credential stuffing sets, and repackaged leaks. While it was not possible to compare data between the different sets effectively, the sheer volume and the platforms targeted highlight the severity of the situation. The data sets were only exposed for a short period and it remains unknown who controlled the large amount of data. The exposure of these 16 billion credentials poses a significant risk of account takeovers, identity theft, and targeted phishing attacks. Cybercriminals now have access to an unprecedented volume of personal data. Users are advised to take immediate action to protect their accounts, including enabling multi-factor authentication and using strong, unique passwords for all online services. News sources indicate that this is not a new data breach but is rather a compilation of previously leaked credentials. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A sophisticated cybercriminal network known as VexTrio has been exploiting WordPress sites to run a global scam network. Cybersecurity researchers have uncovered a large-scale campaign involving malicious JavaScript injections into legitimate websites. These injections redirect visitors to various scam pages through traffic broker networks associated with VexTrio, a major cybercriminal affiliate network. The network uses sophisticated DNS techniques, traffic distribution systems (TDS), and domain generation algorithms to deliver malware and scams across global networks, impacting thousands of websites globally.
VexTrio operates through a network of malicious adtech companies, including Los Pollos, Taco Loco, and Adtrafico, which function as commercial affiliate networks. These networks connect malware distributors with "advertising affiliates" who promote illicit schemes such as gift card fraud, malicious apps, phishing sites, and scams. The compromised WordPress sites are injected with malicious code, initiating a redirection chain to VexTrio's scam infrastructure. Examples of such malicious injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns. The campaign has seen significant activity, with over 269,000 websites infected with JSFireTruck JavaScript malware in a single month. This obfuscation technique uses only six ASCII characters to produce working code, making it difficult to analyze without specialized tools. The injected code checks for search engine referrers and redirects users to malicious URLs delivering malware, exploits, and malvertising. While efforts to disrupt the network, such as the exposure of Los Pollos' involvement, have caused temporary disruptions and shifts in tactics, the VexTrio network continues to pose a substantial threat. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A large-scale malware campaign, dubbed JSFireTruck, has infected over 269,000 legitimate websites by injecting malicious JavaScript code. Researchers at Palo Alto Networks Unit 42 discovered the campaign, noting the injected code utilizes JSF*ck, an obfuscation technique making detection difficult. This method leverages only six ASCII characters to create working JavaScript, obscuring the code's true purpose and hindering analysis. The obfuscated code primarily consists of the symbols [, ], +, $, {, and }, further complicating identification.
The injected JavaScript code checks the website referrer, and if a user arrives from a search engine like Google, Bing, DuckDuckGo, Yahoo!, or AOL, the code redirects them to malicious URLs. These URLs can lead to malware downloads, exploits, traffic monetization schemes, and malvertising. Unit 42's telemetry detected 269,552 web pages infected with JSFireTruck code between March 26 and April 25, 2025, highlighting the widespread impact and rapid proliferation of this campaign. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day. The campaign's scale and stealth pose a significant threat, indicating a coordinated effort to compromise legitimate websites and use them as attack vectors for further malicious activities. The use of JSF*ck further complicates analysis, requiring specialized tools for deobfuscation. Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:Advanced WildFire, Advanced URL Filtering and Advanced DNS Security. Recommended read:
References :
@cyberscoop.com
//
INTERPOL has announced the successful culmination of Operation Secure, a global initiative targeting the infrastructure of information-stealing malware. The operation, which spanned from January to April 2025, involved law enforcement agencies from 26 countries who worked collaboratively to locate servers, map physical networks, and execute targeted takedowns. This coordinated effort resulted in the dismantling of more than 20,000 malicious IP addresses and domains associated with 69 different variants of infostealer malware, significantly disrupting cybercriminal activities worldwide.
Operation Secure also led to the seizure of 41 servers and over 100 GB of data, providing valuable insights into the operations of cybercriminals. A total of 32 suspects were arrested across multiple countries in connection with illegal cyber activities, demonstrating the effectiveness of international cooperation in combating cybercrime. Eighteen arrests occurred in Vietnam, where authorities confiscated devices, SIM cards, business registration documents, and a substantial sum of cash, revealing a scheme to open and sell corporate accounts for illicit purposes. The operation was further bolstered by the contributions of private sector cybersecurity firms, including Group-IB, Kaspersky, and Trend Micro, who provided critical intelligence and Cyber Activity Reports to assist cyber teams. This collaboration resulted in the takedown of 79% of identified suspicious IP addresses. Hong Kong police played a key role by analyzing over 1,700 pieces of intelligence and identifying 117 command-and-control servers used by cybercriminals to orchestrate phishing schemes, online fraud, and social media scams. Recommended read:
References :
iHLS News@iHLS
//
OpenAI has revealed that state-linked groups are increasingly experimenting with artificial intelligence for covert online operations, including influence campaigns and cyber support. A newly released report by OpenAI highlights how these groups, originating from countries like China, Russia, and Cambodia, are misusing generative AI technologies, such as ChatGPT, to manipulate content and spread disinformation. The company's latest report outlines examples of AI misuse and abuse, emphasizing a steady evolution in how AI is being integrated into covert digital strategies.
OpenAI has uncovered several international operations where its AI models were misused for cyberattacks, political influence, and even employment scams. For example, Chinese operations have been identified posting comments on geopolitical topics to discredit critics, while others used fake media accounts to collect information on Western targets. In one instance, ChatGPT was used to draft job recruitment messages in multiple languages, promising victims unrealistic payouts for simply liking social media posts, a scheme discovered accidentally by an OpenAI investigator. Furthermore, OpenAI shut down a Russian influence campaign that utilized ChatGPT to produce German-language content ahead of Germany's 2025 federal election. This campaign, dubbed "Operation Helgoland Bite," operated through social media channels, attacking the US and NATO while promoting a right-wing political party. While the detected efforts across these various campaigns were limited in scale, the report underscores the critical need for collective detection efforts and increased vigilance against the weaponization of AI. Recommended read:
References :
Matt Burgess,@WIRED
//
References:
arstechnica.com
, WIRED
German law enforcement has identified the alleged leader of the Trickbot and Conti cybercriminal groups, known online as "Stern," as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national. The Bundeskriminalamt (BKA), Germany’s federal police agency, and local prosecutors made the announcement, alleging Kovalev is the "ringleader" of a "criminal organization." An Interpol red notice has been issued for Kovalev, who is believed to be in Russia, potentially shielding him from extradition. For years, Stern’s true identity remained a mystery despite law enforcement disruptions and leaks of internal chat messages from both Trickbot and Conti.
The Trickbot group, comprised of approximately 100 cybercriminals, has unleashed a relentless hacking spree on the world for years, attacking thousands of victims, including businesses, schools, and hospitals, orchestrating attacks under the direction of Stern. The group is believed to have stolen hundreds of millions of dollars over roughly six years. A mysterious leaker known as GangExposed initially outed Stern’s identity as Kovalev before the German police confirmed the information. Alexander Leslie, a threat intelligence analyst at Recorded Future, stated that Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot, one of the most notorious transnational cybercriminal groups to ever exist. Leslie added that as Trickbot's ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years. It has long been speculated that global law enforcement may have strategically withheld Stern’s identity as part of ongoing investigations. Recommended read:
References :
@gbhackers.com
//
The Haozi Phishing-as-a-Service (PhaaS) platform has resurfaced, marking a concerning development in the cybercrime landscape. This Chinese-language operation distinguishes itself with its ease of use, comprehensive customer support, and a cartoon mouse mascot, lowering the barrier to entry for aspiring cybercriminals. Haozi provides a "plug-and-play" system, transforming complex phishing campaigns into point-and-click operations accessible to those with minimal technical expertise. The platform boasts a fully automated, web-based control panel, enabling users to manage multiple phishing campaigns, filter traffic, view stolen credentials, and fine-tune attack behavior.
Haozi's business model resembles legitimate software companies, offering a subscription plan and a-la-carte sales. Transactions are conducted using Tether (USDT), with the associated wallet having processed over $280,000 to date. The platform also monetizes the broader attack ecosystem by selling advertising space that connects buyers to third-party services such as SMS gateways. This allows Haozi to act as a middleman, generating revenue not only from phishing kits but also from ancillary services. According to reports, the Haozi platform immediately gained nearly 2,000 followers on Telegram after its initial community on the encrypted messaging app was dismantled. What sets Haozi apart is its fully automated installation process. Attackers simply input their server credentials into a hosted installation page, and the system automatically deploys a phishing site and admin dashboard, eliminating the need for command-line setup or server configuration. The kits themselves simulate real user experiences, with phishing templates mimicking bank verification and credit card prompts with response logic. For example, after capturing credit card details, the operator may decide to request a 2FA code based on the response received from a card transaction attempt. The resurgence of Haozi highlights the escalating threat presented by PhaaS networks and underscores the need for intensified cybersecurity training programs. Recommended read:
References :
Cynthia B@Metacurity
//
The U.S. Treasury Department has sanctioned Funnull Technology Inc., a Philippines-based company, for providing infrastructure that facilitated "pig butchering" scams, a type of cryptocurrency investment fraud that has cost Americans over $200 million. The Treasury’s Office of Foreign Assets Control (OFAC) took action on May 29, 2025, targeting Funnull and its administrator, Liu Lizhi. The FBI has also issued an advisory warning against Funnull, highlighting its role as a major distributor of online scams. Funnull is accused of enabling cybercriminals by purchasing IP addresses in bulk from major cloud service providers and then selling them to operators of fraudulent investment platforms.
The sanctions follow an FBI investigation that linked Funnull to the majority of virtual currency investment scam websites reported to them. The agency stated that Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses for U.S. victims, with average individual losses exceeding $150,000. These scams typically involve perpetrators posing as romantic partners or friends online to gain victims’ trust, then convincing them to invest in virtual currency on platforms that ultimately prove to be fraudulent. Scammers often demand additional "taxes" on purported crypto earnings before allowing victims to withdraw their funds, which never happens. Security firm Silent Push had previously identified Funnull as a criminal content delivery network (CDN) routing traffic through U.S.-based cloud providers before redirecting users to malicious websites. Their October 2024 research exposed a sprawling cluster of domains, dubbed "Triad Nexus," routed through Funnull's CDNs, revealing how cybercriminals leverage credible cloud providers for malicious activities through what they termed "infrastructure laundering." The FBI observed patterns of IP address activity on Funnull infrastructure between October 2023 and April 2025, including the simultaneous migration of hundreds of domains to other IP addresses, further complicating efforts to track and combat the scams. Recommended read:
References :
@cyberscoop.com
//
Operation Endgame, a coordinated effort by Europol, Eurojust, and law enforcement agencies internationally, has successfully disrupted the DanaBot malware network. This operation has led to the neutralization of approximately 300 servers and 650 domains worldwide between May 19 and 22, 2025. The U.S. Department of Justice (DoJ) has unsealed charges against 16 individuals allegedly involved in the development and deployment of the DanaBot malware, which was controlled by a Russia-based cybercrime organization.
The DanaBot malware, initially identified in May 2018, operated as a malware-as-a-service (MaaS), renting its capabilities to other criminals. It infected over 300,000 computers globally, causing an estimated $50 million in damages through fraud and ransomware. The malware was versatile, stealing banking credentials, browsing history, and cryptocurrency wallet information, while also offering remote access, keylogging, and screen recording. Initial infections often occurred through spam emails containing malicious attachments or hyperlinks, turning infected computers into part of a botnet. Among those charged by the US Department of Justice are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both from Novosibirsk, Russia, who remain at large. The unsealed criminal complaint revealed that some of the defendants exposed their real-life identities by accidentally infecting their own systems with the malware. Operation Endgame also led to the issuance of international arrest warrants for 20 targets and the seizure of over EUR 21.2 million in cryptocurrency, including EUR 3.5 million during this latest action week. Recommended read:
References :
@www.bleepingcomputer.com
//
The US government has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, as the leader of the Qakbot botnet malware conspiracy. Gallyamov, also known as "Cortes" and other aliases, is accused of leading a group of cybercriminals responsible for developing and deploying the Qakbot malware since 2008. This indictment is part of an ongoing multinational effort involving the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime. The Justice Department has also filed a civil forfeiture complaint against Gallyamov, seeking to seize over $24 million in cryptocurrency allegedly obtained through his criminal activities.
According to court documents, Gallyamov used the Qakbot malware to infect over 700,000 computers globally, establishing a vast network or "botnet" of compromised machines. Starting in 2019, this botnet was leveraged to facilitate ransomware attacks against innocent victims worldwide, causing significant financial losses. The FBI and its international partners crippled Gallyamov's bot network in 2023, but he allegedly continued to deploy alternative methods to make his malware available to criminal cyber gangs. The Qakbot malware, also known as Qbot and Pinkslipbot, evolved over time from a banking trojan into a tool used for malware dropping and keystroke logging. Officials emphasize the commitment to holding cybercriminals accountable and disrupting their activities. "Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. U.S. Attorney Bill Essayli for the Central District of California added, "The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals." The case demonstrates the FBI’s commitment to relentlessly pursuing individuals who target Americans and demand ransom, even when they reside overseas. Recommended read:
References :
@cyberscoop.com
//
A federal grand jury indictment unsealed today has charged 16 defendants who allegedly developed and deployed the DanaBot malware, a scheme that infected over 300,000 computers globally. The malware, controlled and deployed by a Russia-based cybercrime organization, facilitated fraud and ransomware attacks, causing at least $50 million in damage. Aleksandr Stepanov, 39, also known as “JimmBee,” and Artem Aleksandrovich Kalinkin, 34, also known as “Onix”, both of Novosibirsk, Russia are amongst those charged.
The DanaBot malware was distributed through spam email messages containing malicious attachments or hyperlinks. Once a computer was infected, it became part of a botnet, allowing operators to remotely control the compromised machines. The malware operated on a malware-as-a-service model, offering access to the botnet and support tools to clients for a fee. DanaBot had extensive capabilities, including stealing data, hijacking banking sessions, recording keystrokes, and providing full remote access to victim computers. In addition to the criminal charges related to DanaBot, the U.S. Department of Justice announced the seizure of internet domains tied to the LummaC2 information-stealing malware operation, which has been actively targeting U.S. critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning of these campaigns, which involve the deployment of the LummaC2 infostealer to breach networks and siphon off sensitive data. Microsoft independently took down 2,300 internet domains also used by the LummaC2 actors. Recommended read:
References :
|