Cybercriminals are now weaponizing artificial intelligence (AI) to create potentially devastating off-the-shelf ransomware. Researchers at cybersecurity company ESET have discovered what they called “the first known AI-powered ransomware”. The malware, which ESET has named PromptLock, has the ability to exfiltrate, encrypt, and possibly even destroy data, though this last functionality appears not to have been implemented in the malware as yet.
Throughout June and August of this year, a sophisticated off-the-shelf malware campaign targeted over 300 organizations. According to cybersecurity company CrowdStrike, the campaign deployed SHAMOS, a malware variant of Atomic macOS Stealer (AMOS) developed by cybercriminal group COOKIE SPIDER.
The International Union of Railways is launching cybersecurity courses specifically for the transport industry. Developed by industry specialists, the CYRUS training program aims to address the growing need for cybersecurity awareness in the industry, particularly among non-technical staff.
Cybersecurity firm Cyera has raised $540 million in a Series E funding round, bringing its total to over $1.3 billion. Cyera’s valuation has surged to $6 billion in six months, reporting a 353 percent year-over-year growth.
Many organizations’ ongoing enthusiasm for incorporating artificial intelligence (AI) is leaving them open to sophisticated and carefully planned cyber-attacks. Cybersecurity company Mandiant, a Google subsidiary, has issued an urgent warning for companies to be wary of downloading AI tools from unvetted websites.
In today’s daily roundup – Victoria’s Secret website faces a security breach, SentinelOne experienced a global service disruption affecting customer-facing services, and Chinese state-sponsored group APT41 is using Google Calendar to embed malware on compromised devices
The frequency of Advanced Persistent Threats (APTs) has surged, with Kaspersky’s latest report revealing a 74% increase in such attacks compared to last year. APTs were detected in 25% of organizations, accounting for 43% of high-severity security incidents, highlighting a sharp rise in sophisticated cyber threats.
Kaspersky’s analysis suggests attackers are refining their tactics to bypass security measures, leveraging human-operated techniques rather than automated exploits. The report underscores the growing persistence of APT actors, emphasizing the need for proactive defense strategies across industries.
Approximately 2,850 Ivanti Connect Secure VPN instances remain vulnerable to CVE-2025-22467, a critical stack buffer-overflow flaw, according to Shadowserver Foundation.
Despite Ivanti patching the vulnerability on February 11, unpatched devices could allow remote authenticated attackers to execute code. The U.S. and Japan lead in exposure, with 852 and 384 vulnerable instances, respectively.
A new and unusually dangerous and sophisticated gang of cybercriminals, named BlackLock, has emerged as a major ransomware threat in 2025.
Cybersecurity company Reliaquest observed a staggering 1,425 percent increase in the gang’s activities in the last quarter of 2024. Its ransomware is built to target Windows, VMWare ESXi, and Linux environments and is designed as a double-extortion attack, which involves not only locking the target organization’s critical data by encrypting it, but also by identifying sensitive information and threatening to expose it.
“BlackLock’s rise has been both swift and strategic, targeting organizations across a wide range of sectors and geographies,” reports Reliaquest.
Apple computer users are suffering a growing number of ‘infostealer’ attacks across multiple regions and industries. These are a form of malicious software created to breach computer systems in order to steal sensitive information.
The Palo Alto Networks Unit42 research group has detected a 101 percent increase in macOS infostealers in the last two quarters of 2024. The researchers identified three particularly prevalent macOS infostealers: Poseidon, Atomic, and Cthulhu.
The developers of Atomic Stealer sell it as malware as a service (MaaS) in hacker forums and on Telegram. The Atomic Stealer operators usually distribute their malware via malvertising – the use of online advertising to spread malware. This typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. It is capable of stealing notes and documents, browser data such as passwords, and cookies, cryptocurrency wallets, and instant messaging data. Atomic Stealer, also known as AMOS was first discovered in April 2023.
Researchers have revealed current vulnerabilities in Amazon’s data storage services, the knock-on effect of which could potentially result in the biggest supply-chain attack in the internet’s history.
In November 2024, watchTowr Labs decided to show how a significant Internet-wide supply-chain attack could be caused by abandoned infrastructure left unattended and forgotten on the internet. The researchers chose to focus on an Amazon business data storage service, known as ‘S3 buckets’.
The bust of the illegal Cracked and Nulled crime forums evidences the global nature of cybercrime and the impossibility of seeing it as a threat that has no regard for national boundaries.
Although at least 17 million US citizens were victims of the crime forums. law enforcement agencies in the United States, Romania, Australia, France, Germany, Spain, Italy, and Greece were all involved in the bust, according to the US Department of Justice.
A new and rising threat to decentralized financing has been identified. Threat intelligence researcher, the Insikt group, has uncovered “Crazy Evil,” a rapidly growing Russian crypto-scam gang that targets cryptocurrency users and influencers. According to Insikt Group, over ten active social media scams are linked directly to Crazy Evil, garnering millions of dollars in illicit funds and infiltrating tens of thousands of devices.
Crazy Evil is what is referred to as a “traffer” team, which Insikt describes as “a collective of social engineering specialists tasked with redirecting legitimate traffic to malicious landing pages.” Allegedly operating since 2021 on dark web forums and amassing thousands of followers on their public Telegram channels, Crazy Evil’s primary targets are cryptocurrency users, non-fungible token (NFT) traders and gaming professionals – all of whom often use decentralized platforms with little or no regulatory oversight.
A ransomware gang, Hellcat, that emerged in 2024 is being seen as representative of a new type of threat actor using off-the-shelf malware and innovative extortion techniques.
According to cybersecurity company Cato Networks: “Hellcat’s emergence in 2024 marks a troubling shift in the landscape of cybercrime. By leveraging a ransomware-as-a-service (RaaS) model and utilizing double extortion tactics, Hellcat has not only increased the accessibility of ransomware but also heightened the psychological impact on its victims.”
The US Justice Department and FBI have completed a law enforcement operation to delete Chinese malware from approximately 4,258 U.S.-based computers and networks. The international operation was led by French law enforcement and France-based private cybersecurity company Sekoia.io.
According to court documents unsealed in the Eastern District of Pennsylvania, a group of hackers paid by the People’s Republic of China (PRC), known as “Mustang Panda” and “Twill Typhoon,” used a version of PlugX malware to infect, control, and steal information from victim computers. Since at least 2014, Mustang Panda hackers have infiltrated thousands of computer systems in campaigns targeting US victims, European and Asian governments and businesses, and Chinese dissident groups.
The Dutch Police, Politie, claim to have removed a major threat to organizations all over the world by dismantling two of the most notorious ‘infostealers’, software designed to breach computer systems to steal sensitive information.
“Operation Magnus,” conducted in collaboration with Team Cybercrime Limburg, is reported to have taken down the Redline and META info stealers, which have been responsible for infecting millions of computers worldwide with malware, leaving them open to devastating ransomware attacks and other threats.
The US is the top target for cyber-attacks focusing on mobile devices and those connected by the Internet of Things (IoT) plus the operational technology (OT) systems than run facilities such as power plants.
According to cybersecurity firm Zscaler’s ThreatLabz 2024 Mobile, IoT, and OT Threat Report, mobile remains a top threat vector, with 111% growth in spyware and 29% growth in banking malware. Technology (18 percent), education (18 percent) and manufacturing (14 percent) continue to be the sectors most targeted by mobile malware. The education sector saw the most dramatic rise in blocked transactions, with a 136 percent increase on the previous year.
The United States Secret Service is doubling down on the search for cybercriminal “Stalin.”
On August 26, 2024, the U.S Department of State partnered with the US Secret Service to put out a bounty of up to $2.5 million for information leading to the arrest of Belarusian hacker Volodymyr Kadariya, sometimes going by the alias “Stalin.”
Kadariya was allegedly part of a malicious advertising (“malvertising”) ring responsible for transmitting the Angler Exploit Kit, a toolkit utilized by threat actors to exploit vulnerabilities in a system or code.
The US Federal Bureau of Investigation (FBI) has laid the blame for escalating worldwide ransomware attacks squarely at Russia’s door.
Speaking at the 2024 Boston Conference on Cyber Security last week, FBI Cyber Division Assistant Director Bryan Vorndran said: “Almost all of the criminals developing sophisticated malware to enable ransomware attacks are based in Russian-speaking countries and operate as organized crime syndicates, similar to traditional organized crime elements.”
He focused on the FBI’s earlier this year disruption of Dark Web ransomware gang LockBit, stressing that organized cybercriminal gangs, particularly Russian ones, are essentially the same as old-school mafia mobsters. They differ only in their methods and avenues of attack.
An international operation coordinated by Europol has resulted in several arrests and the takedown of numerous cybercriminal networks. The operation focused on tackling the growing problem of the weaponization of botnets, which are strings of connected computers. Cybercriminal gangs use botnets to install droppers, a type of malicious software designed to install other malware, such as ransomware, onto a targeted system.
Between 27 and 29 May of this year, Europol’s “Operation Endgame” targeted droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. The actions focused on disrupting criminal services, making arrests, taking down criminal infrastructures, and freezing illegal proceeds.
The law enforcement agencies behind Operation Endgame are seeking information about Odd, who is allegedly behind the ‘Emotet’ malware.
Initially a banking trojan, the ‘Emotet’ malware evolved into a tool that delivers an array of payloads, including TrickBot, IcedID, QakBot, and others.
TeaBot, a highly sophisticated type of malware, is increasingly infecting Android smartphones. Cybersecurity firm Zscaler’s ThreatLabz reported a sharp rise in malicious activity leveraging TeaBot this week.
TeaBot, also known as “Anatsa,” is designed to impersonate seemingly harmless applications such as PDF and WR code readers. Once installed on an Android smartphone, it acts as a Trojan horse containing numerous financial scams.
“[TeaBot] is a known Android banking malware that targets applications from over 650 financial institutions, primarily in Europe. We observed Anatsa actively targeting banking applications in the US and UK. However, recent observations indicate that threat actors have expanded their targets to include banking applications in Germany, Spain, Finland, South Korea, and Singapore,” explains Zscaler ThreatLabz.
Affiliates of the infamous ransomware group LockBit have launched a potentially devastating new weaponized email tactic designed to cause maximum disruption to millions of companies in the US and around the world.
At the end of April this year, researchers at cybersecurity firm Proofpoint began to observe high-volume ransomware campaigns sending out millions of fraudulent emails over a one-week period, facilitated by the Phorpiex botnet. In all cases, email messages purported to come from “Jenny Green” with the email address Jenny@gsd[.]com. These contained an attached ZIP file capable of downloading the LockBit Black ransomware payload from Phorpiex botnet infrastructure.
The SonicWall Capture Labs team reported on threat actors developing malicious, fake Android apps to impersonate Google, Instagram, Snapchat, WhatsApp, and X.
When downloaded by victims and once permissions have been granted to use them, illegitimate apps aim to steal sensitive data from Android devices, such as contacts, text messages, call logs, and passwords.
Cisco Talos revealed its findings, showing that select Ukranian government agencies have been infected with the ‘OfflRouter’ malware since 2015.
Cisco Talos researcher, Vanja Svajcer said. “The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories.”
Raspberry Robin, a tough-to-detect worm carrying malware and ransomware, is now being delivered via Windows Shortcut Files and Windows Script Files. Researchers at Hewlett Packard (HP) first began to identify the new trend in March of this year.
Previously, Raspberry Robin was delivered physically by inserting a weaponized USB stick into a targeted device. But now, this highly effective malware is being delivered via Windows Script Files (WSF), which are widely used by administrators and legitimate software to automate tasks within Windows. The WSF file format supports scripting languages, such as JScript and VBScript, that are interpreted by the Windows Script Host component built into the Windows operating system. It can, however, also be abused by attackers. The Windows Script Files are offered for download via various malicious domains and subdomains controlled by the attackers, which can be distributed via spam or fake online advertising campaigns.
Cybercriminal groups have now completely abandoned any pretense that theirs are basically victimless crimes by attacking the healthcare sector with increasing ruthlessness. Healthcare, once said to be off limits to ‘responsible’ cyber criminals, is now the subject of an urgent warning from the Cybersecurity Coordination Center (HC3) of the US Department of Health and Human Services.
“HC3 has recently observed threat actors employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations,” the warning states.
Tactics include contacting an organization’s IT help desk with phone calls from a familiar area code and claiming to be an employee in a financial role.
Visa released an alert on the ‘JsOutProx’ remote access trojan (RAT) malware phishing campaign which targets financial institutions and customers.
The JSOutProx malware linked to the ‘Solar Spider’ threat actor delivers a RAT that could steal sensitive data, establish a C2 connection, and extract Outlook information, among others.
According to a report released by the Cloud Security Alliance and Google Cloud, 55% of all organizations plan to use AI to boost security by 2025.
The “State of AI and Security Survey Report,” also found that 67% of organizations already tested and are pleased with AI-backed security capabilities.
AT&T sent out a mass announcement to its customers, informing them that a dataset containing sensitive data from 7.6M current users and 65.4M former users is for sale on the dark web.
To mitigate the breach, AT&T reset the passcodes of all its current users and will constantly communicate with customers to further protect accounts.
Following the US-led sanctions on Chinese individuals behind the Chinese APT31 group, the Police of Finland formally accused the group of hacking Finland’s parliament in 2020.
The country’s law enforcement confirmed the connections between the breach and the Chinese group, claiming to have identified one specific suspect.
Microsoft’s Threat Intelligence arm issued a warning on the rise of new, sophisticated tax phishing scams that could lead to stolen personal and financial data.
These tax-related phishing scams are initiated by impersonating trusted employers, tax agencies, and payment processors. Victims click on a malicious attachment, which leads to a believable landing page designed to capture sensitive information.
An under-the-radar attack that creates fake Google docs is now playing havoc across multiple sectors in the US and UK, particularly in healthcare. Companies’ increasing reliance on widely-used off-the-shelf external software may save costs and create efficiencies in the short-term, but it also offers new inroads for the current generation of increasingly devious and skilled cybercriminals
Cybersecurity firm Netskope has identified a new Google Docs threat in the wild, AZORult infostealer. It is designed to steal sensitive information such as user credentials, browser information, credit card details and crypto-wallet data. A comprehensive study conducted by Netskope’s research team has uncovered a campaign where an attacker created fake Google Docs pages on Google sites from which to download malicious payloads.
According to a Broadcom report, a banking trojan named “Cerberus” pretending to be a Google Chrome update has successfully distributed to numerous systems.
Affecting only Android users, the Cerberus malware allows attackers to completely control affected systems through its complex remote access capabilities.
Google announced major security-focused revamps to Chrome’s ‘Safe Browsing’ mode, which enables the service to work while checking against a server-side malware-site list in real-time.
The added safety feature to Google Chrome’s ‘Safe Browsing’ mode is a massive improvement compared to the browsing mode cross-checking against lists of malware-infected sites that were manually added every two hours.
Microsoft announced the cyber campaign by the Russian-state-sponsored ‘Midnight Blizzard’ hackers, resulting in the group stealing the tech giant’s source code.
The sophisticated ‘Midnight Blizzard’ campaign is said to be rooted in a grander scheme to gain unauthorized access to Microsoft’s environment using the stolen source code.
Zscaler discovered a new remote access trojan (RAT) campaign that lures victims through fake online meeting links.
Once the victims are lured into downloading the RAT through the meeting links impersonating Skype, Google Meet, and Zoom, the RAT payload may enable threat actors to steal sensitive information.
Cyberint announced the launch of ‘Ransomania’ a free-to-use ransomware attack repository featuring thousands of recorded ransomware attacks.
Ransomania allows users to browse a global map of ransomware hotspots, filtered by region, industry, and time of attack.
Group-IB discovered a new iOS Trojan named “GoldPickaxe.iOS” that was built to steal facial recognition data from infected iOS devices.
The ‘GoldPickaxe’ Trojan abuses the TestFlight exploit, which sends users innocent URLs that downloads the malware when clicked. According to Group-IB, the stolen biometric data is used to gain unauthorized access to banking accounts.
admin
Editorial Team
