Category: Malware
-
Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2
Gamaredon, a Russian state-backed espionage group, is deploying a new VBScript worm that hides inside native Windows features while using popular cloud services as covert command-and-control (C2) channels in an ongoing campaign against Ukrainian targets. The operation showcases a modular toolset built…
-
MyPillow listed on ransomware gang’s leak site, but denies it has been breached
A notorious ransomware gang claims to have stolen MyPillow’s private data, but CEO Mike Lindell calls it a politically motivated “hit job.” With the countdown ticking toward a massive dark web leak, who is telling the truth? Read more in my article…
-
BTMOB: A stealthy RAT burrowing deep into Android devices
The malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise. ESET
-
Fox Tempest Malware-Signing Service Abused Microsoft Artifact Signing to Certify Malware
A financially motivated threat actor known as Fox Tempest has been operating a sophisticated malware-signing-as-a-service (MSaaS) platform that abused Microsoft’s Artifact Signing infrastructure to generate trusted digital signatures for malicious code. This activity enabled cybercriminals to bypass security controls and distribute malware that appeared…
-
TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules
TCLBANKER is a highly sophisticated Brazilian banking trojan tracked under the campaign REF3076, and it represents a major update to the older Maverick and SORVEPOTEL families. It stands out because it uses a fake, signed Logitech installer to infect systems and spreads automatically via…
-
Inside Department 4: Russia’s secret school for hackers
Most universities have a careers fair. At Bauman Moscow State Technical University, however, an elite group of students appear to have something rather more unusual: a direct pipeline into some of the world’s most notorious state-sponsored hacking groups. Read more in my article on the Hot for…
-
DarkSword Malware
DarkSword is a sophisticated piece of malware—probably government designed—that targets iOS. Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG…
-
Fast16 Malware
Researchers have reverse-engineered a piece of malware named Fast16. It’s almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet: “…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then…
-
Linux ELF Malware Generator Evades ML Detection With Semantic-Preserving Changes
Researchers from the Czech Technical University in Prague have developed a new adversarial malware generator targeting Linux ELF binaries. It achieves a 67.74% evasion rate against ML-based malware detectors while keeping the payload fully functional. Published on arXiv on April 24, 2026, the study by…
-
108 malicious Chrome extensions caught stealing Google and Telegram data from 20,000 users
Cybersecurity researchers have revealed that 108 malicious Google Chrome extensions have been quietly stealing user credentials, hijacking Telegram sessions, and injecting unwanted ads and scripts into browsers – all reporting back to the same central point. Read more in my article on…
-
Python Supply-Chain Compromise
This is news: A malicious supply chain compromise has been identified in the Python Package Index package litellm version 1.82.8. The published wheel contains a malicious .pth file (litellm_init.pth, 34,628 bytes) which is automatically executed by the Python interpreter on every startup, without requiring any explicit import of the litellm module. There…
-
Hackers Weaponize Claude Code Leak to Spread Vidar and GhostSocks Malware
The cybersecurity community is on high alert following a massive source code leak from Anthropic. On March 31, 2026, the company accidentally exposed the complete source code for Claude Code, its flagship terminal-based coding assistant. The leak occurred due to a packaging error in…
-
Possible US Government iPhone Hacking Tool Leaked
Wired writes (alternate source): Security researchers at Google on Tuesday released a report describing what they’re calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it…
-
Alleged RedLine malware developer extradited to United States
A man has appeared in federal court in Austin, Texas, after being extradited to the United States to face charges related to his alleged role as a key developer of the notorious RedLine malware. Read more in my article on the Hot for Security blog. Graham Cluley
-
Apple’s Camera Indicator Lights
A thoughtful review of Apple’s system to alert users that the camera is on. It’s really well-designed, and important in a world where malware could surreptitiously start recording. The reason it’s tempting to think that a dedicated camera indicator light is more secure than an on-display indicator is the fact that…
-
LeakNet ransomware: what you need to know
A ransomware gang that claims to be a group of “investigative journalists”? Meet LeakNet – the group using fake CAPTCHA pages to trick employees into hacking themselves. Read more in my article on the Fortra blog. Graham Cluley
-
GlassWorm Campaign Uses 72 Malicious Open VSX Extensions to Broaden Reach
In a major escalation of supply chain attacks, the GlassWorm malware campaign has evolved to infect developer environments using transitive dependencies. On March 13, 2026, the Socket Research Team reported identifying at least 72 new malicious Open VSX extensions linked to this campaign. Instead…
-
Smashing Security podcast #458: How not to steal $46 million from the US government
A Wikipedia security engineer accidentally wakes a dormant JavaScript worm that hadn’t stirred since 2024 – and within minutes, giant woodpecker images are plastered across the internet’s favourite encyclopaedia. Meanwhile, a crypto contractor hired to help the US Marshals manage seized…
-
Phishing Attacks Against People Seeking Programming Jobs
This is new. North Korean hackers are posing as company recruiters, enticing job candidates to participate in coding challenges. When they run the code they are supposed to work on, it installs malware on their system. News article. Bruce Schneier
-
The Promptware Kill Chain
Attacks against modern generative artificial intelligence (AI) large language models (LLMs) pose a real threat. Yet discussions around these attacks and their potential defenses are dangerously myopic. The dominant narrative focuses on “prompt injection,” a set of techniques to embed instructions into inputs to an LLM that are intended to make it perform malicious activity. This…
-
New Clickfix Exploit Tricks Users into Changing DNS Settings for Malware Installation
A new evolution of the ClickFix social engineering campaign now employs a custom DNS hijacking technique to deliver malware. This attack method tricks users into executing malicious commands that use DNS lookups to fetch the next stage of the infection, allowing attackers…
-
Threat Actors Exploit Claude Artifacts and Google Ads to Target macOS Users
A sophisticated malware campaign is targeting macOS users through Google-sponsored search results and legitimate platforms, including Anthropic’s Claude AI and Medium. The campaign has already reached over 15,000 potential victims through two distinct attack variants that exploit users’ trust in established online services. 15,000…
-
Promptware – Hackers Can Use Google Calendar Invites to Stream Victims’ Cameras via Zoom
A new and dangerous class of cyberattack called “Promptware” has been discovered, capable of turning your personal AI assistant into a sleeper agent that spies on you. Security researchers from Ben-Gurion University, Tel Aviv University, and Harvard have demonstrated a terrifying…
-
Socelars Malware Attacking Windows Systems to Steal Sensitive Business Data
A dangerous information-stealing malware called Socelars is actively targeting Windows systems to collect sensitive authentication data, with particular focus on Facebook Ads Manager accounts and session cookies. Unlike traditional malware that causes immediate system damage, Socelars operates silently in the background, turning infected machines into…
-
Cybercriminals Use Malicious Cybersquatting Attacks to Distribute Malware and Hijack Data
Digital squatting has evolved from a simple trademark nuisance into a dangerous cybersecurity threat. In 2025, the World Intellectual Property Organization (WIPO) handled a record-breaking 6,200 domain disputes. This represents a 68% increase since 2020. Security experts warn that criminal networks are now using…
-
Smashing Security podcast #452: The dark web’s worst assassins, and Pegasus in the dock
In episode 452, a London-based YouTuber wins a landmark court case against Saudi Arabia after his phone was hacked with Pegasus spyware — exposing how a single, seemingly harmless text message can turn a smartphone into a round-the-clock surveillance device. Plus,…
-
Beware! Fake ChatGPT browser extensions are stealing your login credentials
If you’ve installed a browser extension to enhance your ChatGPT experience, you might want to think again. Read more in my article on the Hot for Security blog. Graham Cluley
-
Researchers Gain Access to StealC Malware Command-and-Control Systems
Security researchers successfully exploited vulnerabilities in the StealC malware infrastructure, gaining access to operator control panels and exposing a threat actor’s identity through their own stolen session cookies. The breach highlights critical security failures in criminal operations built around credential theft. XSS Vulnerability Exposes StealC Operators StealC,…
-
New MacSync Stealer Uses Signed macOS App to Evade Gatekeeper and Steal Data
Cybersecurity researchers have discovered a new variant of the MacSync malware targeting macOS users. Unlike previous versions that relied on complex ClickFix techniques, this iteration masquerades as a legitimately signed, notarised Apple application, thereby bypassing macOS Gatekeeper security and stealing sensitive data.…
-
Phishing Campaign Uses Maduro Arrest Story to Deliver Backdoor Malware
Cybercriminals are leveraging the recent arrest of Venezuelan President Nicolás Maduro to distribute sophisticated backdoor malware. The threat actors exploited news surrounding Maduro’s arrest on January 3, 2025, demonstrating how geopolitical events continue to serve as effective lures for malicious campaigns. The attack likely begins…
-
Infostealers Enable Attackers to Hijack Legitimate Business Infrastructure for Malware Hosting
A dangerous cybercrime feedback loop has emerged where stolen credentials from infostealer malware enable attackers to hijack legitimate business websites and turn them into malware distribution platforms. Recent research by the Hudson Rock Threat Intelligence Team reveals this self-sustaining cycle transforms victims into unwitting…
-
VVS Stealer Uses PyArmor Obfuscation to Evade Static Analysis and Signature Detection
The cybersecurity landscape is witnessing a rise in sophisticated malware that leverages legitimate tools to mask malicious intent. A prime example is VVS Stealer (also styled VVS $tealer). This Python-based malware family has been actively marketed on Telegram since April 2025. This threat…
-
IoT Hack
Someone hacked an Italian ferry. It looks like the malware was installed by someone on the ferry, and not remotely. Bruce Schneier
-
U.S. DOJ Charged 54 in Connection With ATM Hacking Attack by Deploying Ploutus Malware
The U.S. Department of Justice (DOJ) has charged 54 individuals in a sweeping crackdown on a transnational cyber-physical attack network. The indictments, announced by U.S. Attorney Lesley A. Woods, allege a massive conspiracy involving “ATM jackpotting” to fund Tren de Aragua…
-
CISA Releases New Indicators of Compromise Tied to BRICKSTORM Malware
The Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA) and Canadian Centre for Cyber Security (Cyber Centre), has released updated indicators of compromise (IOCs) and detection signatures for BRICKSTORM malware. The latest update, published on December 19, 2025, includes an…
-
Hackers Weaponize SVG Files and Office Documents to Target Windows Users
Cybersecurity researchers have uncovered a sophisticated email campaign deploying a commodity loader to distribute Remote Access Trojans and information stealers. The operation primarily targets manufacturing and government organizations across Italy, Finland, and Saudi Arabia, using highly evasive techniques. Infection chain: Multi-Vector Attack Strategy. The…
-
Smashing Security podcast #448: The Kindle that got pwned
Think your Kindle is harmless? Think again! In this episode, we unpack a Black Hat Europe talk revealing how a boobytrapped audiobook could exploit the Amazon eBook reader – potentially letting an attacker break into your account and seize control of your credit card. Plus a…
-
Man jailed for teaching criminals how to use malware
A 49-year-old man has received a five-and-a-half year jail sentence after admitting to creating detailed video tutorials that showed members of a criminal gang how to infect Android phones with spyware and drain their bank accounts. Read more in my article on the Hot for Security…
-
Google Warns Multiple Hacker Groups Are Exploiting React2Shell to Spread Malware
Google Threat Intelligence Group (GTIG) has issued a warning regarding the widespread exploitation of a critical security flaw in React Server Components. Known as React2Shell (CVE-2025-55182), this vulnerability allows attackers to take control of servers remotely without needing a password. Since the vulnerability was disclosed…
-
Rust-Based Luca Stealer Spreads Across Linux and Windows Systems
Threat actors are increasingly abandoning traditional languages like C and C++ in favor of modern alternatives such as Golang, Rust, and Nim. This strategic shift enables developers to compile malicious code for both Linux and Windows with minimal modifications. Among the emerging threats in this landscape…
-
New Phantom Stealer Campaign Hits Windows Machines Through ISO Mounting
Researchers have uncovered a sophisticated phishing campaign originating in Russia that deploys the Phantom information-stealing malware via malicious ISO files. The attack, dubbed “Operation MoneyMount-ISO,” explicitly targets finance and accounting departments using fake payment confirmation emails to trick victims into executing the payload. The campaign…
-
New FvncBot Android Banking Malware Attacking Users to Log Keystrokes and Inject Malicious Payloads
A dangerous new Android banking malware named FvncBot was first observed on November 25, 2025. This malicious tool is designed to steal sensitive financial information by logging keystrokes, recording screens, and injecting fake login pages into banking apps. The malware initially spreads through a…
-
FBI warns of surge in account takeover (ATO) fraud schemes – what you need to know
The FBI has recently issued a public service announcement that warns that since January 2025 there have been more than 5,100 complaints of account takeover fraud, and total reported losses in excess of US $262 million. Read more in…
-
Asahi cyber attack spirals into massive data breach impacting almost 2 million people
Asahi Group Holdings, the makers of the popular Japanese beer Asahi Super Dry, has confirmed that the ransomware attack that disrupted its operations in late September also saw a significant data breach that affects more than 1.5 million customers and approximately 275,000…
-
New Albiriox Malware Attacking Android Users to Take Complete Control of their Device
A sophisticated new Android malware family dubbed “Albiriox” has emerged on the cybercrime landscape, offering advanced remote access capabilities as a Malware-as-a-Service (MaaS). Identified by researchers at Cleafy, the malware is designed to execute On-Device Fraud (ODF) by granting attackers full control…
-
State-backed spyware attacks are targeting Signal and WhatsApp users, CISA warns
CISA, the US Cybersecurity and Infrastructure Security Agency, has issued a new warning that cybercriminals and state-backed hacking groups are using spyware to compromise smartphones belonging to users of popular encrypted messaging apps such as Signal, WhatsApp, and Telegram. Read more in my article…
-
Operation Endgame disrupts Rhadamanthys information-stealing malware
International cybercrime-fighting agencies, co-ordinated by Europol, took down over 1000 servers and seized 20 domains earlier this month as part of Operation Endgame 3.0. Their target? Three major malware platforms: the infostealer known as Rhadamanthys, the VenomRAT remote access trojan, and the Elysium botnet. Read more in my article…
-
Smashing Security podcast #444: We’re sorry. Wait, did a company actually say that?
Stop the press – a company has actually said “sorry” after a data breach, and hotels are helping hackers phish their own guests. We examine a refreshingly honest breach response (and why legacy systems are still going to ruin your week), dig…
-
Russian hacker admits helping Yanluowang ransomware infect companies
A Russian hacker accused of helping ransomware gangs break into businesses across the United States is set to plead guilty, according to recently filed federal court documents. 25-year-old Aleksey Olegovich Volkov worked as an “initial access broker”, a cybercriminal specialist who focuses on the earliest stage of…
-
Smashing Security podcast #442: The hack that messed with time, and rogue ransomware negotiators
Time itself comes under attack as a state-backed hacking gang spends two years tunnelling toward a nation’s master clock — with chaos potentially only a tick away. Plus when ransomware negotiators turn to the dark side, what could possibly go…
-
“Pay up or we share the tapes”: Hackers target massage parlour clients in blackmail scheme
South Korean police have uncovered a hacking operation that stole sensitive data from massage parlours and blackmailed their male clientele. Read more in my article on the Hot for Security blog. Graham Cluley
-
Emerging Cyber Threats Featuring QR Codes ClickFix and LOLBins Challenging SOC Defenses
Cybersecurity experts at ANY.RUN recently unveiled alarming trends in how attackers are exploiting everyday technologies to bypass security operations centers (SOCs). They dissected tactics like QR code phishing, ClickFix social engineering, and Living Off the Land Binaries (LOLBins), showing how these methods evade…
-
The AI Fix #74: AGI, LLM brain rot, and how to scam an AI browser
In episode 74 of The AI Fix, we meet Amazon’s AI-powered delivery glasses, an AI TV presenter who doesn’t exist, and an Ohio lawmaker who wants to stop people from marrying their chatbot. Also, we learn how Geoffrey Hinton and…
-
Cybercriminals turn on each other: the story of Lumma Stealer’s collapse
Normally when we write about a malware operation being disrupted, it’s because it has been shut down by law enforcement. But in the case of Lumma Stealer, a notorious malware-as-a-service (MaaS) operation used to steal passwords and sensitive data, it appears to have been…
-
LLM-enabled MalTerminal Malware Leverages GPT-4 to Generate Ransomware Code
Cybersecurity researchers have identified what is believed to be the earliest known instance of malware that leverages a Large Language Model (LLM) to generate malicious code at runtime. Dubbed ‘MalTerminal’ by SentinelLABS, the malware uses OpenAI’s GPT-4 to dynamically create ransomware code and reverse shells, presenting…
-
Smashing Security podcast #438: When your mouse turns snitch, and hackers grow a conscience
Your computer’s mouse might not be as innocent as it looks – and one ransomware crew has a crisis of conscience that nobody saw coming. We talk about how something as ordinary as a web page could turn your mouse into…
-
Microsoft Warns Hackers Abuse Teams Features and Capabilities to Deliver Malware
Microsoft has issued a warning that both cybercriminals and state-sponsored threat actors are increasingly abusing the features and capabilities of Microsoft Teams throughout their attack chains. The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both…
-
Japan running dry: Ransomware attack leaves nation days away from Asahi beer shortage
Beer lovers will be sobbing into their pints at the news that a ransomware attack has brought Japan’s largest brewer to its knees and left the country days away from running out of its most popular beverage. Read more in my article…
-
Hackers use Weaponized Microsoft Teams Installer to Compromise Systems With Oyster Malware
A sophisticated malvertising campaign is using fake Microsoft Teams installers to compromise corporate systems, leveraging poisoned search engine results and abused code-signing certificates to deliver the Oyster backdoor malware. The attack was neutralized by Microsoft Defender’s Attack Surface Reduction (ASR) rules, which blocked…
-
Smashing Security podcast #436: The €600,000 gold heist, powered by ransomware
Ransomware doesn’t just freeze computers – it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai…
-
INC ransomware: what you need to know
INC is the name of a ransomware-as-a-service (RaaS) operation that first appeared in late summer 2023. Learn more about what it has been up to, and how to protect against its attacks, in my article on the Fortra blog. Graham Cluley
-
Massive Cyber-Attack Attacking macOS Users via GitHub Pages to Deliver Stealer Malware
A sophisticated cyber-attack campaign is exploiting GitHub Pages to distribute the notorious Atomic stealer malware to macOS users. The threat actors behind this operation are leveraging Search Engine Optimization (SEO) techniques to position malicious repositories at the top of search results across major platforms,…
-
“Pompompurin” resentenced: BreachForums creator heads back behind bars
Conor Brian Fitzpatrick, the creator of the notorious BreachForums hacking forum, has been resentenced to three years in prison after a US appeals court overturned his prior sentence of time served and 20 years of supervised release. Read more in my article on the Hot for Security…
-
Smashing Security podcast #435: Lights! Camera! Hacktion!
When “bad actors” stop being hackers and start being… actual actors. This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for…
-
US charges suspected ransomware kingpin, and offers $10 million bounty for his capture
A US federal court has unsealed charges against a Ukrainian national who authorities allege was a key figure behind several strains of ransomware, including LockerGoga, MegaCortex, and Nefilim. Read more in my article on the Fortra blog. Graham Cluley
-
“GPUGate” Malware Abuses Google Ads and GitHub to Deliver Advanced Malware Payload
A sophisticated malware campaign, dubbed “GPUGate,” abuses Google Ads and GitHub’s repository structure to trick users into downloading malicious software. According to the Arctic Wolf Cybersecurity Operations Center, the attack chain uses a novel technique to evade security analysis by leveraging a computer’s Graphics Processing…
-
Smashing Security podcast #433: How hackers turned AI into their new henchman
Your AI reads the small print, and that’s a problem. This week in episode 433 of “Smashing Security” we dig into LegalPwn – malicious instructions tucked into code comments and disclaimers that sweet-talk AI into rubber-stamping dangerous payloads (or even pretending they’re a…
-
Sweden scrambles after ransomware attack puts sensitive worker data at risk
Municipal government organisations across Sweden have found themselves impacted after a ransomware attack at a third-party software service supplier. Read more in my article on the Hot for Security blog. Graham Cluley
-
Cephalus ransomware: What you need to know
Cephalus is a relatively new ransomware operation that emerged in mid-2025, and has already been linked to a wave of high-profile data leaks. Read more about it in my article on the Fortra blog. Graham Cluley
-
Europol says Telegram post about 50,000 Qilin ransomware award is fake
Some cybersecurity news outlets were duped a few days ago by a claim that Europol was offering a $50,000 bounty for information about two members of the Qilin ransomware group. Turns out it was all a hoax. Read more details about what happened in…
-
Smashing Security podcast #431: How to mine millions without paying the bill
In episode 431 of the “Smashing Security” podcast, a self-proclaimed crypto-influencer calling himself CP3O thought he had found a shortcut to riches — by racking up millions in unpaid cloud bills. Meanwhile, we look at the growing threat of EDR-killer tools that can…
-
Warlock ransomware: What you need to know
The Warlock ransomware has hit a number of organisations including government agencies and departments, and most recently UK-based telecoms firm Colt. Read more in my article on the Fortra blog. Graham Cluley
-
Hackers Exploiting Apache ActiveMQ Vulnerability to Gain Access to Cloud Linux Systems
A sophisticated campaign has been uncovered in which adversaries are exploiting CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ, to compromise cloud-based Linux systems. In this case, attackers are patching the very vulnerability they exploited to maintain exclusive access and evade detection, demonstrating advanced…
-
Zero-Day Exploit in WinRAR File
A zero-day vulnerability in WinRAR is being exploited by at least two Russian criminal groups: The vulnerability seemed to have super Windows powers. It abused alternate data streams, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously…
-
PipeMagic Malware Mimicking ChatGPT App Exploits Windows Vulnerability to Deploy Ransomware
A sophisticated malware campaign has been identified, utilizing PipeMagic, a highly modular backdoor deployed by the financially motivated threat actor Storm-2460. This advanced malware masquerades as a legitimate open-source ChatGPT Desktop Application while exploiting the zero-day vulnerability CVE-2025-29824 in Windows Common Log File…
-
Trojans Embedded in .svg Files
Porn sites are hiding code in .svg files: Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of “JSFuck,” a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text.…
-
Ransomware plunges insurance company into bankruptcy
Collapsed company’s founder says that its fortunes were hampered by the refusal of authorities to release the criminals’ seized funds to victims. Read more in my article on the Fortra blog. Graham Cluley
-
APT37 Hackers Weaponize JPEG Files to Attack Windows Systems Leveraging “mspaint.exe”
A sophisticated new wave of cyberattacks attributed to North Korea’s notorious APT37 (Reaper) group is leveraging advanced malware hidden within JPEG image files to compromise Microsoft Windows systems, signaling a dangerous evolution in evasion tactics and fileless attack techniques. Security researchers at Genians Security…
-
New Undetectable Plague Malware Attacking Linux Servers to Gain Persistent SSH Access
A sophisticated Linux backdoor dubbed Plague has emerged as an unprecedented threat to enterprise security, evading detection across all major antivirus engines while establishing persistent SSH access through manipulation of core authentication mechanisms. Discovered by cybersecurity researchers at Nextron Systems, this malware represents…
-
Free decryptor for victims of Phobos ransomware released
There is good news for any organisation which has been hit by the Phobos ransomware. Japanese police have released a free decryptor capable of recovering files encrypted by both the notorious Phobos ransomware, and its offshoot 8Base. Read more in my article on the Fortra blog. Graham…
-
Google Sues the Badbox Botnet Operators
It will be interesting to watch what will come of this private lawsuit: Google on Thursday announced filing a lawsuit against the operators of the Badbox 2.0 botnet, which has ensnared more than 10 million devices running Android open source software. These devices lack Google’s security protections, and the…
-
Chinese Hackers Actively Exploiting SharePoint Servers 0-Day Flaw in the Wild
Microsoft has confirmed that Chinese state-sponsored threat actors are actively exploiting critical zero-day vulnerabilities in on-premises SharePoint servers, prompting urgent security warnings for organizations worldwide. The tech giant’s Security Response Center reported coordinated attacks targeting internet-facing SharePoint installations using newly disclosed vulnerabilities that enable…
-
New Mobile Phone Forensics Tool
The Chinese have a new tool called Massistant. Massistant is the presumed successor to the Chinese forensics tool “MFSocket”, reported in 2019 and attributed to the publicly traded cybersecurity company Meiya Pico. The forensics tool works in tandem with corresponding desktop software. Massistant gains access to device GPS location data, SMS…
-
Police dismantle DiskStation ransomware gang targeting NAS devices, arrest suspected ringleader
Police have struck a blow against the DiskStation ransomware gang which targets Synology NAS devices, and arrested its suspected ringleader. Make sure that you have properly hardened the security of your Network Access Storage devices to reduce the chances of your data being locked…
-
Smashing Security podcast #425: Call of Duty: From pew-pew to pwned
In episode 425 of “Smashing Security”, Graham reveals how “Call of Duty: WWII” has been weaponised – allowing hackers to hijack your entire PC during online matches, thanks to ancient code and Microsoft’s Game Pass. Meanwhile, Carole digs into a con targeting the recently…
-
AiLock ransomware: What you need to know
The AiLock ransomware gang gives its victims just 72 hours to respond and five days to pay up… or else. If you don’t comply? They will grass you up to regulators, email your competitors, and leak your data for good measure. What a lovely bunch of cybercriminals… Read…
-
Weaponized Versions of PuTTY and WinSCP Attacking IT Admins Via Search Results
A sophisticated SEO poisoning campaign is targeting system administrators with malicious backdoor malware. Arctic Wolf security researchers have uncovered a dangerous search engine optimization (SEO) poisoning and malvertising campaign that has been targeting IT professionals since early June 2025. The campaign uses fake websites…
-
8 New Malicious Firefox Extensions Steal OAuth Tokens, Passwords and Spy on Users
Security researchers from the Socket Threat Research Team have uncovered a sophisticated network of eight malicious Firefox browser extensions that actively steal OAuth tokens, passwords, and spy on users through deceptive tactics. The discovery reveals a coordinated campaign that exploits popular gaming…
-
NightEagle APT Attacking Industrial Systems by Exploiting 0-Days and With Adaptive Malware
A sophisticated APT group dubbed “NightEagle” (APT-Q-95) has been conducting targeted attacks against China’s critical technology sectors since 2023. The group has demonstrated exceptional capabilities in exploiting unknown Exchange vulnerabilities and deploying adaptive malware to steal sensitive intelligence from high-tech companies, chip semiconductor…
-
Hunters International ransomware group shuts down – but will it regroup under a new guise?
The notorious Hunters International ransomware-as-a-service operation has announced that it has shut down, in a message posted on its dark web leak site. In a statement on its extortion site, the ransomware group says that it has not only “decided…
-
New “123 | Stealer” Advertised on Underground Hacking Forums for $120 Per Month
A new credential-stealing malware dubbed “123 | Stealer” has surfaced on underground cybercrime forums, being marketed by threat actor “koneko” for $120 per month. This malware-as-a-service (MaaS) offering represents the latest evolution in information stealer technology, combining sophisticated data exfiltration capabilities with…
-
Swiss government warns attackers have stolen sensitive data, after ransomware attack at Radix
The Swiss government has issued a warning after a third-party service provider suffered a ransomware attack, which saw sensitive information stolen from its systems and leaked onto the dark web. Read more in my article on the Fortra blog. Graham Cluley Go…
-
10 Best Free Malware Analysis Tools To Break Down The Malware Samples – 2025
Malware analysis is a critical skill for cybersecurity professionals, threat hunters, and incident responders. With the growing sophistication of cyber threats, having access to reliable, free malware analysis tools is essential for dissecting, understanding, and mitigating malicious software. This article reviews…
-
SafePay ransomware: What you need to know
SafePay is a relatively new ransomware that is making a big impact. Find out how it is different from other ransomware, and read more in my article on the Fortra blog. Graham Cluley
-
Smashing Security podcast #423: Operation Endgame, deepfakes, and dead slugs
In this episode of the “Smashing Security” podcast, Graham unravels Operation Endgame – the surprisingly stylish police crackdown that is seizing botnets, mocking malware authors with anime videos, and taunting cybercriminals via Telegram. And BBC cyber correspondent Joe Tidy joins us to talk about “Ctrl-Alt-Chaos”,…
-
Cybercrime is surging across Africa
A new INTERPOL report has sounded the alarm over a dramatic increase in cybercrime across Africa, with digital crime now accounting for a significant proportion of all criminal activity across the continent. Read more in my article on the Hot for Security blog. Graham Cluley
-
Marks & Spencer ransomware attack was good news for other retailers
When Marks & Spencer paused online orders after it was hit by ransomware, it was bad news for them… but GOOD news for other big online retailers. Fashion rivals like Next, John Lewis, and Zara saw a nice little bump while M&S sales floundered.…
-
Qilin offers “Call a lawyer” button for affiliates attempting to extort ransoms from victims who won’t pay
Imagine for one moment that you are a cybercriminal. You have compromised an organisation’s network, you have stolen their data, you have encrypted their network, and you are now knee-deep in the ransomware negotiation. However, there’s a problem.…