CyberSecurity news

FlagThis - #cybercriminals

Nathaniel Morales@feeds.trendmicro.com //

FOG Ransomware Impersonates U.S. DOGE in Attacks - A new FOG ransomware variant is being distributed through phishing emails, disguising itself as communications from the U.S. Department of Government Efficiency (DOGE) and exploits older vulnerabilities to compromise systems.
Cybercriminals are actively deploying FOG ransomware disguised as communications from the U.S. Department of Government Efficiency (DOGE) via malicious emails. This campaign, which has been ongoing since January, involves cybercriminals spreading FOG ransomware by claiming ties to DOGE in their phishing attempts. The attackers are impersonating the U.S. DOGE to infect targets across multiple sectors, including technology and healthcare. It has been revealed that over 100 victims have been impacted by this -DOGE-themed ransomware campaign since January.

Cybercriminals are distributing a ZIP file named "Pay Adjustment.zip" through phishing emails. Inside this archive is an LNK file disguised as a PDF document. Upon execution, this LNK file triggers a PowerShell script named "stage1.ps1", which downloads additional ransomware components. The script also opens politically themed YouTube videos, potentially to distract the victim. The initial ransomware note makes references to DOGE to add confusion. The attackers utilize a tool called 'Ktool.exe' to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver.

The ransomware note, RANSOMNOTE.txt, references DOGE and includes names of individuals associated with the department. Victims are being asked to pay $1,000 in Monero, although it is unclear whether paying the ransom leads to data recovery or if it is an elaborate troll. Trend Micro revealed that the latest samples of Fog ransomware, uploaded to VirusTotal between March 27 and April 2, 2025, spread through distribution of a ZIP file containing a LNK file disguised as a PDF.

Recommended read:
References :
  • cyberinsider.com: FOG Ransomware Impersonates U.S. DOGE to Infect Targets
  • gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
  • www.trendmicro.com: FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE
  • www.scworld.com: Fog ransomware notes troll with DOGE references, bait insider attacks
  • gbhackers.com: Cybercriminals Deploy FOG Ransomware Disguised as DOGE via Malicious Emails
  • securityonline.info: FOG Ransomware Campaign Targets Multiple Sectors with Phishing and Payload Obfuscation
  • darkwebinformer.com: FOG Ransomware Attack Update for the 21st of April 2025
  • bsky.app: DOGE-themed ransomware hit 100+ victims since January
  • www.cybersecurity-insiders.com: The Fog Ransomware gang, which has been making headlines over the past week due to its increasingly audacious demands, is now requesting a staggering $1 trillion from its victims.
  • The Register - Security: Fog ransomware channels Musk with demands for work recaps or a trillion bucks
@cyberalerts.io //

Ransomware Attack at Port of Seattle Impacts - The Port of Seattle is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
The Port of Seattle, the U.S. government agency responsible for Seattle's seaport and airport, is currently notifying approximately 90,000 individuals about a significant data breach. The breach occurred after a ransomware attack in August 2024, where personal information was stolen from previously used port systems. The compromised data includes names, dates of birth, Social Security numbers, driver’s licenses, ID cards, and some medical information. The organization runs Seattle-Tacoma International Airport, parks, and container terminals. Of those affected, about 71,000 are Washington state residents.

The August 24 incident severely damaged the systems used by the city’s port and airport, forcing workers to take extraordinary measures to help travelers. The ransomware attack caused considerable disruption, knocking out the airport’s Wi-Fi, and employees had to resort to using dry-erase boards for flight and baggage information. Screens throughout the facility were down, and some airlines had to manually sort through bags. Legacy systems utilized for employee data were specifically targeted, and the post-mortem revealed that encryptions and system disconnections impacted services like baggage handling, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.

Following the attack, the Rhysida ransomware group claimed responsibility and demanded a ransom. However, port officials confirmed in September that they refused to pay, with executive director Steve Metruck explaining that “paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars.” The Port is offering one year of free credit monitoring services to the victims and has posted the breach notice online for those without available mailing addresses. The agency emphasizes that the attack did not affect the proprietary systems of major airline and cruise partners or the systems of federal partners like the Federal Aviation Administration, Transportation Security Administration, and U.S. Customs and Border Protection.

Recommended read:
References :
  • BleepingComputer: ​Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
  • The DefendOps Diaries: Ransomware Breach at Port of Seattle: An In-Depth Analysis
  • www.bleepingcomputer.com: Port of Seattle says ransomware breach impacts 90,000 people
  • bsky.app: ​Port of Seattle, the U.S. government agency overseeing Seattle's seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
  • therecord.media: Port of Seattle says 90,000 people impacted in 2024 ransomware attack
  • securityaffairs.com: SecurityAffairs article discussing Port of Seattle data breach impacts 90,000 people
  • Talkback Resources: Port of Seattle August data breach impacted 90,000 people [mal]
  • Cybernews: Port of Seattle has informed approximately 90,000 individuals about a data breach that happened last year.
  • www.scworld.com: Officials at the Port of Seattle confirmed that nearly 90,000 individuals, most of whom are from Washington state, had their data stolen following an August attack by the Rhysida ransomware operation, reports Security Affairs.
Deeba Ahmed@hackread.com //

Hackers Exploit Stripe API for Web Skimming, Card Theft - A web-skimming campaign exploits a legacy Stripe API to steal payment information from online retailers by validating stolen card details in real-time.
References: hackread.com , , thehackernews.com ...
Cybersecurity researchers at Jscrambler have uncovered a sophisticated web-skimming campaign targeting online retailers. This campaign exploits a legacy Stripe API to validate stolen credit card details in real-time before transmitting them to malicious servers. This ensures that only active and valid card numbers are harvested, significantly increasing the efficiency and potential profit of their operations. The operation has been ongoing since at least August 2024 and has affected at least 49 online stores.

The attack starts with the injection of malicious JavaScript code, mimicking legitimate payment forms, into checkout pages. This code captures customer payment information as it's entered. The compromised sites, often using platforms like WooCommerce, WordPress, and PrestaShop, were injected with malicious JavaScript that overlaid the legitimate checkout page with a fake one to harvest payment information. After the payment information is taken, a fake error appears asking the customer to reload the page.

Recommended read:
References :
  • hackread.com: Hackers Exploit Stripe API for Web Skimming Card Theft on Online Stores
  • : Stripe API Skimming Campaign Unveils New Techniques for Theft
  • bsky.app: An online skimming operation is abusing a legacy Stripe API to verify if stolen payment card details are still valid. The skimming operation was active on almost 50 online stores
  • thehackernews.com: Legacy Stripe API Exploited to Validate Stolen Payment Cards in Web Skimmer Campaign
  • www.scworld.com: Ongoing web skimmer campaign taps deprecated Stripe API
  • www.techradar.com: Old Stripe APIs are being hijacked for credit card skimmer attacks
  • BleepingComputer: An online skimming operation is abusing a legacy Stripe API to verify if stolen payment card details are still valid.
@The DefendOps Diaries //

Attackers Exploit Google Ads to Target SEO Professionals - Cybercriminals are exploiting Google Ads with malicious Semrush advertisements to steal Google account credentials from SEO professionals, redirecting users to deceptive login pages that harvest Google account information and exploit trust in Semrush.
Cybercriminals are actively targeting SEO professionals through a sophisticated phishing campaign that exploits Google Ads. The attackers are using fake Semrush advertisements to trick users into visiting deceptive login pages designed to steal their Google account credentials. This campaign is a new twist in phishing, going after users of the Semrush SaaS platform, which is popular among SEO professionals and businesses, and is trusted by 40% of Fortune 500 companies.

This scheme is effective due to the SEO professionals' trust in Semrush, a platform used for advertising and market research. The malicious ads appear when users search for Semrush and redirect them to counterfeit login pages, which look similar to legitimate Semrush URLs. The attackers register domain names that closely resemble real Semrush domains and the only login option is with a Google account, harvesting Google account information for further malicious activities. This provides the attackers with valuable access to Google Analytics and Google Search Console, giving them insight into the companies' financial performance.

Recommended read:
References :
  • The DefendOps Diaries: Cybercriminals exploit Google Ads to target SEO pros, using fake Semrush ads to steal Google credentials.
  • Help Net Security: Malicious ads target Semrush users to steal Google account credentials
  • Malwarebytes: Semrush impersonation scam hits Google Ads
  • www.tripwire.com: Tech support scams leverage Google ads again and again, fleecing unsuspecting internet users
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • bsky.app: Fake Semrush ads used to steal SEO professionals’ Google accounts
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • : Threat actors are looking to compromise Google accounts to further malvertising and data theft
  • Email Security - Blog: Cyber criminals have launched a sophisticated phishing campaign that exploits the trusted reputation of Semrush — an SEO firm that's captured of Fortune 500 brands as customers — to compromise Google account credentials.
  • gbhackers.com: Hackers Deploy Fake Semrush Ads to Steal Google Account Credentials
@cyberalerts.io //

FBI Warns of Malicious File Converter Tools - The FBI has issued an alert regarding the rise of fake file converter tools used to distribute malware that steals credentials and collects sensitive information.
The FBI has issued a warning about the rising trend of cybercriminals using fake file converter tools to distribute malware. These tools, often advertised as free online document converters, are designed to trick users into downloading malicious software onto their computers. While these tools may perform the advertised file conversion, they also secretly install malware that can lead to identity theft, ransomware attacks, and the compromise of sensitive data.

The threat actors exploit various file converter or downloader tools, enticing users with promises of converting files from one format to another, such as .doc to .pdf, or combining multiple files. The malicious code, disguised as a file conversion utility, can scrape uploaded files for personal identifying information, including social security numbers, banking information, and cryptocurrency wallet addresses. The FBI advises users to be cautious of such tools and report any instances of this scam to protect their assets.

The FBI Denver Field Office is warning that they are increasingly seeing scams involving free online document converter tools and encourages victims to report any instances of this scam. Malwarebytes has identified some of these suspect file converters, which include Imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com and convertscloud.com. The agency emphasized the importance of educating individuals about these threats to prevent them from falling victim to these scams.

Recommended read:
References :
  • Talkback Resources: FBI warns of malware-laden websites posing as free file converters, leading to ransomware attacks and data theft.
  • gbhackers.com: Beware! Malware Hidden in Free Word-to-PDF Converters
  • www.bitdefender.com: Free file converter malware scam “rampantâ€� claims FBI
  • Malwarebytes: Warning over free online file converters that actually install malware
  • bsky.app: Free file converter malware scam "rampant" claims FBI.
  • bsky.app: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware
  • Help Net Security: FBI: Free file converter sites and tools deliver malware
  • www.techradar.com: Free online file converters could infect your PC with malware, FBI warns
  • bsky.app: Free file converter malware scam "rampant" claims FBI.
  • Security | TechRepublic: Scam Alert: FBI ‘Increasingly Seeing’ Malware Distributed In Document Converters
  • securityaffairs.com: The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware.
  • The DefendOps Diaries: FBI warns against fake file converters spreading malware and stealing data. Learn how to protect yourself from these cyber threats.
  • PCMag UK security: PSA: Be Careful Around Free File Converters, They Might Contain Malware
  • www.bleepingcomputer.com: FBI warnings are true—fake file converters do push malware
  • www.techradar.com: FBI warns some web-based file management services are not as well-intentioned as they seem.
  • www.csoonline.com: Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default has forced criminals to up their innovation game, a security expert said Monday.
  • www.itpro.com: Fake file converter tools are on the rise – here’s what you need to know
  • Cyber Security News: The FBI Denver Field Office has warned sternly about the rising threat of malicious online file converter tools. These seemingly harmless services, often advertised as free tools to convert or merge files, are being weaponized by cybercriminals to install malware on users’ computers. This malware can have devastating consequences, including ransomware attacks and identity theft. […]
@cyberinsider.com //

Dutch Authorities Dismantle Bulletproof Hoster - Dutch Police dismantled the ZServers/XHost bulletproof hosting operation, seizing 127 servers used by cybercriminals for illegal activities.
Dutch Police have dismantled the ZServers/XHost bulletproof hosting operation, seizing 127 servers. The takedown follows a year-long investigation into the network, which has been used by cybercriminals to facilitate illegal activities. This includes the spread of malware, botnets, and various cyberattacks.

Earlier this week, authorities in the United States, Australia, and the United Kingdom announced sanctions against the same bulletproof hosting provider for its involvement in cybercrime operations. ZServers was accused of facilitating LockBit ransomware attacks and supporting the cybercriminals' efforts to launder illegally obtained money, according to The Record. The Cybercrime Team Amsterdam will conduct an additional probe of the servers, as the company advertised the possibility for customers to allow criminal acts from its servers while remaining anonymous to law enforcement.

Recommended read:
References :
  • cyberinsider.com: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
  • gbhackers.com: Dutch Authorities Dismantle Network of 127 Command-and-Control Servers
  • www.bleepingcomputer.com: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
  • www.scworld.com: Zservers/XHost servers dismantled by Dutch police
  • Metacurity: Dutch cops dismantle ZServers bulletproof hosting operation
  • BleepingComputer: The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
  • CyberInsider: Police Dismantle Bulletproof Hosting Provider ZServers/XHost
  • DataBreaches.Net: Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster
  • www.politie.nl: Politie Amsterdam ontmantelt digitaal crimineel netwerk; 127 servers offline gehaald - "an investigation of over a year, dismantled a bulletproof hoster on the Paul van Vlissingenstraat in Amsterdam. During the raid on February 12, 127 servers were taken offline and seized."
  • Cybernews: After a year-long investigation, Amsterdam's Cybercrime Team shut down a bulletproof hosting provider, seizing 127 servers.
  • securityaffairs.com: Dutch Police shut down bulletproof hosting provider Zservers and seized 127 servers

Posts

Blogs

Research Tools