CyberSecurity news

FlagThis - #infostealers

@cyberscoop.com //

INTERPOL Dismantles Infostealer Infrastructure Globally Arrests Cybercriminals

INTERPOL has announced the successful culmination of Operation Secure, a global initiative targeting the infrastructure of information-stealing malware. The operation, which spanned from January to April 2025, involved law enforcement agencies from 26 countries who worked collaboratively to locate servers, map physical networks, and execute targeted takedowns. This coordinated effort resulted in the dismantling of more than 20,000 malicious IP addresses and domains associated with 69 different variants of infostealer malware, significantly disrupting cybercriminal activities worldwide.

Operation Secure also led to the seizure of 41 servers and over 100 GB of data, providing valuable insights into the operations of cybercriminals. A total of 32 suspects were arrested across multiple countries in connection with illegal cyber activities, demonstrating the effectiveness of international cooperation in combating cybercrime. Eighteen arrests occurred in Vietnam, where authorities confiscated devices, SIM cards, business registration documents, and a substantial sum of cash, revealing a scheme to open and sell corporate accounts for illicit purposes.

The operation was further bolstered by the contributions of private sector cybersecurity firms, including Group-IB, Kaspersky, and Trend Micro, who provided critical intelligence and Cyber Activity Reports to assist cyber teams. This collaboration resulted in the takedown of 79% of identified suspicious IP addresses. Hong Kong police played a key role by analyzing over 1,700 pieces of intelligence and identifying 117 command-and-control servers used by cybercriminals to orchestrate phishing schemes, online fraud, and social media scams.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • www.helpnetsecurity.com: Operation Secure takes down 20,000 malicious IPs and domains.
  • The Hacker News: INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure
  • therecord.media: Interpol said a global operation successfully targeted the infrastructure of infostealer malware.
  • cyberinsider.com: INTERPOL Seizes 20,000 Infostealer-Linked Assets, Arrests 32 Operators
  • Threats | CyberScoop: Operation Secure targeted malicious IPs, domains and servers used for infostealer operations that claimed more than 216,000 victims.
  • hackread.com: Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested
  • securityaffairs.com: Operation Secure: INTERPOL dismantles 20,000+ malicious IPs in major cybercrime crackdown
  • The Record: Interpol said a global operation successfully targeted the infrastructure of infostealer malware.
  • www.cybersecuritydive.com: Global law-enforcement operation targets infostealer malware
  • CyberInsider: INTERPOL Seizes 20,000 Infostealer-Linked Assets, Arrests 32 Operators
  • cyberscoop.com: Global law enforcement action in Asia nets large infrastructure seizure, 32 arrests
  • www.trendmicro.com: Operation Secure: Trend Micro's Threat Intelligence Fuels INTERPOL's Infostealer Infrastructure Takedown
  • Tech Monitor: Interpol’s cybercrime operation dismantles over 20,000 malicious domains
  • securityonline.info: Interpol & Asian Agencies Dismantle Major Malware Infrastructure: 20,000 Malicious IPs Blocked
Classification:
djohnson@CyberScoop //

Fake AI Generators Deliver Rust-Based Malware

A Vietnam-based cybercriminal group, identified as UNC6032, is exploiting the public's fascination with AI to distribute malware. The group has been actively using malicious advertisements on platforms like Facebook and LinkedIn since mid-2024, luring users with promises of access to popular prompt-to-video AI generation tools such as Luma AI, Canva Dream Lab, and Kling AI. These ads direct victims to fake websites mimicking legitimate dashboards, where they are tricked into downloading ZIP files containing infostealers and backdoors.

The multi-stage attack involves sophisticated social engineering techniques. The initial ZIP file contains an executable disguised as a harmless video file using Braille characters to hide the ".exe" extension. Once executed, this binary, named STARKVEIL and written in Rust, unpacks legitimate binaries and malicious DLLs to the "C:\winsystem\" folder. It then prompts the user to re-launch the program after displaying a fake error message. On the second run, STARKVEIL deploys a Python loader called COILHATCH, which decrypts and side-loads further malicious payloads.

This campaign has impacted a wide range of industries and geographic areas, with the United States being the most frequently targeted. The malware steals sensitive data, including login credentials, cookies, credit card information, and Facebook data, and establishes persistent access to compromised systems. UNC6032 constantly refreshes domains to evade detection, and while Meta has removed many of these malicious ads, users are urged to exercise caution and verify the legitimacy of AI tools before using them.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
  • The Register - Security: GO The Register reports that miscreants are using text-to-AI-video tools and Facebook ads to distribute malware and steal credentials.
  • PCMag UK security: Warning AI-Generated TikTok Videos Want to Trick You Into Installing Malware
  • Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
  • cloud.google.com: Google's Threat Intelligence Unit, Mandiant, reported that social media platforms are being used to distribute malware-laden ads impersonating legitimate AI video generator tools.
  • Malwarebytes: Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
  • hackread.com: Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
  • www.techradar.com: Millions of users could fall for fake Facebook ad for a text-to-AI-video tool that is just malware
  • CyberInsider: CyberInsider: Cybercriminals Use Fake AI Video Tools to Deliver Infostealers
  • Metacurity: Metacurity for a concise rundown of the most critical developments you should know, including UNC6032 uses prompt-to-video AI tools to lure malware victims
  • PCMag UK security: Cybercriminals have been posting Facebook ads for fake AI video generators to distribute malware, Google’s threat intelligence unit Mandiant .
  • Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake “AI video generator†websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
  • hackread.com: Fake ChatGPT and InVideo AI Downloads Deliver Ransomware
  • PCMag Middle East ai: Be Careful With Facebook Ads for AI Video Generators: They Could Be Malware
  • Threat Intelligence: Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
  • ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
  • aboutdfir.com: Google warns of Vietnam-based hackers using bogus AI video generators to spread malware
  • BleepingComputer: Cybercriminals exploit AI hype to spread ransomware, malware
  • www.pcrisk.com: Novel infostealer with Vietnamese attribution
  • ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools – Source:thehackernews.com
  • securityonline.info: Warning: Fake AI Tools Spread CyberLock Ransomware and Numero Destructive Malware
  • Vulnerable U: Fake AI Video Generators Deliver Rust-Based Malware via Malicious Ads Analysis of UNC6032’s Facebook and LinkedIn ad blitz shows social-engineered ZIPs leading to multi-stage Python and DLL side-loading toolkits
  • oodaloop.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
  • OODAloop: Artificial intelligence tools are being used by cybercriminals to target users and propagate threats. The CyberLock and Lucky_Gh0$t ransomware families are some of the threats involved in the operations. The cybercriminals are using fake installers for popular AI tools like OpenAI’s ChatGPT and InVideoAI to lure in their victims.
  • bsky.app: LinkedIn is littered with links to lurking infostealers, disguised as AI video tools Deceptive ads for AI video tools posted on LinkedIn and Facebook are directing unsuspecting users to fraudulent websites, mimicking legitimate AI tools such as Luma AI, Canva Dream Lab, and Kling AI.
  • BGR: AI products that sound too good to be true might be malware in disguise
  • Security Risk Advisors: Cisco Talos Uncovers Multiple Malware Families Disguised as Legitimate AI Tool Installers
  • blog.talosintelligence.com: Cisco Talos discovers malware campaign exploiting #AI tool installers. #CyberLock #ransomware #Lucky_Gh0$t & new "Numero" malware disguised as legitimate AI installers.
  • cyberpress.org: ClickFix Technique Used by Threat Actors to Spread EddieStealer Malware
  • phishingtackle.com: Hackers Exploit TikTok Trends to Spread Malware Via ClickFix
  • gbhackers.com: Threat Actors Leverage ClickFix Technique to Deploy EddieStealer Malware
Classification:
  • HashTags: #AI #Malware #SocialEngineering
  • Company: Mandiant
  • Target: AI Users
  • Attacker: UNC6032
  • Feature: Malvertising
  • Malware: EDDIESTEALER
  • Type: Malware
  • Severity: Major

Posts

Blogs

Research Tools