Esse Health says the personal information of over 263,000 individuals was stolen in an April 2025 cyberattack.
The post 263,000 Impacted by Esse Health Data Breach appeared first on SecurityWeek.
SecurityWeek – Read More
Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild.
The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusing flaw in the V8 JavaScript and WebAssembly engine.
“Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary
The Hacker News – Read More
The US government is again warning about potential Iranian cyberattacks as researchers find that hackers’ favorite ICS targets remain exposed.
The post Iranian Hackers’ Preferred ICS Targets Left Open Amid Fresh US Attack Warning appeared first on SecurityWeek.
SecurityWeek – Read More
Many Citrix NetScaler systems are exposed to attacks exploiting the vulnerabilities tracked as CVE-2025-5777 and CVE-2025-6543.
The post Thousands of Citrix NetScaler Instances Unpatched Against Exploited Vulnerabilities appeared first on SecurityWeek.
SecurityWeek – Read More
Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.
New ransomware strains continue to surface frequently, and many of them are loosely built on or repackaged from existing families. One such case involves a sample resembling DragonForce ransomware, yet bearing several unique traits and identifiers suggesting the involvement of a separate entity known as DEVMAN.
A previously analyzed campaign connected to the Mamona strain, itself linked to BlackLock affiliates and the Embargo group, also intersected with DragonForce activity. During one such attack, DragonForce actors exfiltrated a target’s .env file and published it on their Dedicated Leak Site (DLS) on Tor with the caption: “Is this your .env file?”
This newer sample, uploaded by TheRavenFile, appears related but not entirely identical to the DragonForce lineage. Despite being labeled as a DragonForce or Conti variant by most AV engines, the sample displays unique behaviors that point toward DEVMAN involvement.
Some time ago, DragonForce introduced their RaaS (Ransomware-as-a-Service) model, aiming to recruit both affiliates to operate their ransomware and others who wanted to use their infrastructure, branding, and reputation as a platform to publish stolen data.
This shift brought new actors into the landscape, increasing overall activity, noise, and irregularities, including the sample analyzed here. Depending on the analyst or tool, it may be labeled as DragonForce, Conti (the base framework for DragonForce), or DEVMAN.
DEVMAN? A relatively new actor has recently emerged under this name, featuring its own Dedicated Leak Site (DLS) called Devman’s Place, a separate infrastructure, and nearly 40 claimed victims, primarily in Asia and Africa, with occasional incidents in Latin America and Europe.
Let’s analyze the sample inside ANY.RUN’s secure interactive sandbox:
This sample, flagged by most antivirus engines as a DragonForce (or Conti), is actually, modified to behave like a new variant belonging to DEVMAN. It uses that name as the file extension for encrypted data but otherwise shares a large part of its codebase with DragonForce, including leftover strings and identifiers. That strongly suggests DEVMAN may be using a DragonForce build for some of its operations.
This appears to be a lightly customized version; one that hasn’t attracted much attention, either from the threat intelligence community or from its own operator. The result is a tangled ransomware crossbreed with overlapping traits.
A closer look reveals more.
First things first — our newborn dragon does what dragons do: it burns down the village. Files are encrypted rapidly and automatically, also attempting to locate SMB shared folders to spread further — but in our lab environment, it wasn’t that lucky.
Two things caught our attention immediately. First, on Windows 11, the sample was unable to change the wallpaper for unknown reasons, while on Windows 10 it worked flawlessly.
Second, although desktop files are the most visible, they are not the last to be encrypted. The process continues beyond them.
The ransom notes were not dropped as expected. Instead, every location where a note should have appeared contained, quite mysteriously, a file with a scrambled name and the .DEVMAN extension, suggesting the sample might be malfunctioning and targeting its own files.
Fortunately, ANY.RUN logs all activity, not just network traffic, but disk writes as well, allowing us to reconstruct one of those files right at the moment it was created. And, interestingly enough, the ransom note isn’t just similar to the ones used by DragonForce. It is, in fact, a DragonForce ransom note.
When retrieving the list of created and modified files, we noticed an interesting pattern: the sample scrambles file names instead of simply appending an extension.
And here’s the most curious part; its own readme.txt files, once encrypted, are always renamed to e47qfsnz2trbkhnt.devman. This strongly suggests the use of a deterministic function that produces static outputs for identical inputs.
So, let’s focus on those local oddities, and a good place to start it’s the binary itself.
Aside from the aforementioned SMB connections, no suspicious network dialogue was observed, suggesting that all malicious activity takes place locally and offline.
Using FLOSS, a tool by Mandiant, we can decode and extract additional strings to better understand the sample’s internal logic prior to disassembly.
The first thing we notice is that the sample checks for Shadow Copies (probably just to make sure we’ve got a solid backup policy in place) and lists a series of file extensions that it deliberately avoids encrypting.
Further analysis reveals multiple encryption modes: full encryption, header-only encryption, and custom encryption, designed to prioritize either speed or complexity, depending on the intended scenario.
Header-only encryption, in particular, allows the malware to corrupt large volumes of data in less time, trading completeness for speed.
Further exploration reveals a bit more detail about the sample’s attempts to connect to SMB folders, explicitly referencing local network octets and hardcoding the ADMIN$ share name, along with several error and debug messages.
Another interesting behaviour that further supports the Conti lineage of this sample is its interaction with the Windows Restart Manager. The malware creates temporary sessions under the registry key:
HKEY_CURRENT_USERSoftwareMicrosoftRestartManagerSession0000
There, it logs metadata such as Owner, SessionHash, RegFiles0000, and RegFilesHash, pointing to system-critical files like NTUSER.DAT and its corresponding logs.
Each of these entries is quickly deleted after being written, likely an attempt to avoid leaving persistent forensic traces. This pattern mirrors behaviour seen in Conti and later carried on by DragonForce, which now appears to be inherited by DEVMAN (what a Zoo!).
The goal seems clear: use the Restart Manager to bypass file locks and ensure encrypted access to active user session files. It’s noisy, and somewhat old, but it works.
Another notable behavior involves the use of synchronization primitives, particularly mutexes, to coordinate the sample’s execution and possibly prevent multiple instances from running in parallel. This is standard among ransomware families derived from Conti, and this case is no exception.
Right from the beginning, the sample creates a mutex named: hsfjuukjzloqu28oajh727190
This mutex is not randomly generated; it is hardcoded into the binary, as confirmed by decoded strings extracted using FLOSS. Its presence suggests that the sample uses it to detect existing instances of itself, a basic anti-reentry mechanism.
The sample also creates several mutexes and interacts with objects under the naming pattern:
These mutexes are tied to the Windows Restart Manager API and match the behaviour seen in previous ransomware families (notably Conti and its derivatives), which use this mechanism to query which processes are holding handles to specific files.
This facilitates forced encryption of locked resources, including user profile data like NTUSER.DAT.
The reuse of fixed strings can serve as a strong indicator of compromise (IOC) for future detection or correlation with other samples likely created using the same packer or builder. However, this is a volatile indicator that is likely to change over time.
When possible, assign a “trust” expiration date (or half-life) to indicators; it can be a valuable practice for maintaining detection accuracy over time.
This sample looks more like an affiliate testing a new build than something currently being deployed that you’d casually run into in a production environment. While not particularly sophisticated, it presents a number of unusual behaviors worth highlighting, particularly its tendency to encrypt its own ransom notes.
While it’s ironic that no one could, at least not easily, pay the ransom without knowing who to pay (because the ransom note gets encrypted), the underlying message here is more serious: there’s a core design flaw in the builder that allows it to self-encrypt key components.
That simple .txt file is often the only clue victims have to identify the threat actor and initiate negotiation; and for the threat actor, it’s the best chance of getting paid.
I spoke with DEVMAN, who stated “[…] we stopped using DragonForce months ago […]”.
One noteworthy indicator of a threat actor’s maturity is their ability to maintain polite, detailed, and respectful communication; a trait that also applies to DEVMAN. This attitude seems to echo in their technical approach, even in cases where their ransomware encrypts its own ransom notes.
Now, if we strip this sample of its oddities, there’s not much to talk about it on its own merits (no offense meant to the developers), or at least nothing to say that we haven’t covered in other articles about ransomware.
Still, its oddities make it a valuable case study, not for technical innovation, but for the way it reflects shifting actor dynamics and common development pitfalls in the ransomware ecosystem.
Unusual samples like this DEVMAN variant can easily slip past traditional analysis workflows. With ransom note encrypted, scrambled filenames, and unexpected behavior across operating systems, manual investigation becomes time-consuming and risky to overlook.
This is where ANY.RUN’s Interactive Sandbox proves invaluable. By logging every action in real time, from file system changes to mutex creation and registry modifications, it enables analysts to trace even fragmented or malfunctioning ransomware behavior.
This kind of visibility gives security teams a real operational advantage:
Start 14-day trial of ANY.RUN’s Interactive Sandbox in your SOC today
Let’s jump to drafting a quick ATT&CK matrix for this sample, which ANYRUN does automatically for us:
The executable requires user (or threat actor) interaction to launch.
Presence of scheduling-related strings implies possible persistence via tasking.
Internal file renaming and readme scrambling suggest static obfuscation logic.
The sample deletes registry keys and values shortly after writing them.
Explicit scanning for SMB shares (ADMIN$, IP ranges like 192.x, 172.x).
Uses netapi32, srvcli, and netutils to interact with administrative shares.
Enumerates and encrypts user data including NTUSER.DAT and log files.
Core functionality: encrypting files with .DEVMAN extension.
Attempts to interact with volume shadow copies.
MD5:e84270afa3030b48dc9e0c53a35c65aa
SHA256:df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7
403
FileName:hsfjuukjzloqu28oajh727190
FileName:e47qfsnz2trbkhnt.devman
SHA256:018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8
Analysis: https://app.any.run/tasks/64918027-01e6-415a-85b3-474fca5fc5c4
VirusTotal Analysis (multiple labeling/attribution): https://www.virustotal.com/gui/file/
df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
Original Intel Pulse (OTX): https://otx.alienvault.com/pulse/
68535853fe15cff17229577d
The post DEVMAN Ransomware: Analysis of New DragonForce Variant appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate’s most tech-savvy lawmakers says the feds aren’t doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.
A screenshot of the first page from Sen. Wyden’s letter to FBI Director Kash Patel.
On May 29, The Wall Street Journal reported that federal authorities were investigating a clandestine effort to impersonate Ms. Wiles via text messages and in phone calls that may have used AI to spoof her voice. According to The Journal, Wiles told associates her cellphone contacts were hacked, giving the impersonator access to the private phone numbers of some of the country’s most influential people.
The execution of this phishing and impersonation campaign — whatever its goals may have been — suggested the attackers were financially motivated, and not particularly sophisticated.
“It became clear to some of the lawmakers that the requests were suspicious when the impersonator began asking questions about Trump that Wiles should have known the answers to—and in one case, when the impersonator asked for a cash transfer, some of the people said,” the Journal wrote. “In many cases, the impersonator’s grammar was broken and the messages were more formal than the way Wiles typically communicates, people who have received the messages said. The calls and text messages also didn’t come from Wiles’s phone number.”
Sophisticated or not, the impersonation campaign was soon punctuated by the murder of Minnesota House of Representatives Speaker Emerita Melissa Hortman and her husband, and the shooting of Minnesota State Senator John Hoffman and his wife. So when FBI agents offered in mid-June to brief U.S. Senate staff on mobile threats, more than 140 staffers took them up on that invitation (a remarkably high number considering that no food was offered at the event).
But according to Sen. Ron Wyden (D-Ore.), the advice the FBI provided to Senate staffers was largely limited to remedial tips, such as not clicking on suspicious links or attachments, not using public wifi networks, turning off bluetooth, keeping phone software up to date, and rebooting regularly.
“This is insufficient to protect Senate employees and other high-value targets against foreign spies using advanced cyber tools,” Wyden wrote in a letter sent today to FBI Director Kash Patel. “Well-funded foreign intelligence agencies do not have to rely on phishing messages and malicious attachments to infect unsuspecting victims with spyware. Cyber mercenary companies sell their government customers advanced ‘zero-click’ capabilities to deliver spyware that do not require any action by the victim.”
Wyden stressed that to help counter sophisticated attacks, the FBI should be encouraging lawmakers and their staff to enable anti-spyware defenses that are built into Apple’s iOS and Google’s Android phone software.
These include Apple’s Lockdown Mode, which is designed for users who are worried they may be subject to targeted attacks. Lockdown Mode restricts non-essential iOS features to reduce the device’s overall attack surface. Google Android devices carry a similar feature called Advanced Protection Mode.
Wyden also urged the FBI to update its training to recommend a number of other steps that people can take to make their mobile devices less trackable, including the use of ad blockers to guard against malicious advertisements, disabling ad tracking IDs in mobile devices, and opting out of commercial data brokers (the suspect charged in the Minnesota shootings reportedly used multiple people-search services to find the home addresses of his targets).
The senator’s letter notes that while the FBI has recommended all of the above precautions in various advisories issued over the years, the advice the agency is giving now to the nation’s leaders needs to be more comprehensive, actionable and urgent.
“In spite of the seriousness of the threat, the FBI has yet to provide effective defensive guidance,” Wyden said.
Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver said Lockdown Mode or Advanced Protection will mitigate many vulnerabilities, and should be the default setting for all members of Congress and their staff.
“Lawmakers are at exceptional risk and need to be exceptionally protected,” Weaver said. “Their computers should be locked down and well administered, etc. And the same applies to staffers.”
Weaver noted that Apple’s Lockdown Mode has a track record of blocking zero-day attacks on iOS applications; in September 2023, Citizen Lab documented how Lockdown Mode foiled a zero-click flaw capable of installing spyware on iOS devices without any interaction from the victim.
Earlier this month, Citizen Lab researchers documented a zero-click attack used to infect the iOS devices of two journalists with Paragon’s Graphite spyware. The vulnerability could be exploited merely by sending the target a booby-trapped media file delivered via iMessage. Apple also recently updated its advisory for the zero-click flaw (CVE-2025-43200), noting that it was mitigated as of iOS 18.3.1, which was released in February 2025.
Apple has not commented on whether CVE-2025-43200 could be exploited on devices with Lockdown Mode turned on. But HelpNetSecurity observed that at the same time Apple addressed CVE-2025-43200 back in February, the company fixed another vulnerability flagged by Citizen Lab researcher Bill Marczak: CVE-2025-24200, which Apple said was used in an extremely sophisticated physical attack against specific targeted individuals that allowed attackers to disable USB Restricted Mode on a locked device.
In other words, the flaw could apparently be exploited only if the attacker had physical access to the targeted vulnerable device. And as the old infosec industry adage goes, if an adversary has physical access to your device, it’s most likely not your device anymore.
I can’t speak to Google’s Advanced Protection Mode personally, because I don’t use Google or Android devices. But I have had Apple’s Lockdown Mode enabled on all of my Apple devices since it was first made available in September 2022. I can only think of a single occasion when one of my apps failed to work properly with Lockdown Mode turned on, and in that case I was able to add a temporary exception for that app in Lockdown Mode’s settings.
My main gripe with Lockdown Mode was captured in a March 2025 column by TechCrunch’s Lorenzo Francheschi-Bicchierai, who wrote about its penchant for periodically sending mystifying notifications that someone has been blocked from contacting you, even though nothing then prevents you from contacting that person directly. This has happened to me at least twice, and in both cases the person in question was already an approved contact, and said they had not attempted to reach out.
Although it would be nice if Apple’s Lockdown Mode sent fewer, less alarming and more informative alerts, the occasional baffling warning message is hardly enough to make me turn it off.
Krebs on Security – Read More
Senators add exemptions for state laws targeting unfair or deceptive practices and child sexual abuse material.
Latest stories for ZDNET in Security – Read More
U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber-attacks from Iranian state-sponsored or affiliated threat actors.
“Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events,” the agencies said.
“These cyber actors often
The Hacker News – Read More
Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world.
The operation, the agency said, was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. Europol said the investigation into the syndicate
The Hacker News – Read More
If your Brother printer is affected, you need to change its default admin password now. Here’s how.
Latest stories for ZDNET in Security – Read More