Finastra Starts Notifying People Impacted by Recent Data Breach

Financial software firm Finastra is notifying individuals whose personal information was stolen in a recent data breach.

The post Finastra Starts Notifying People Impacted by Recent Data Breach appeared first on SecurityWeek.

SecurityWeek – Read More

Aomni just raised $4M to prove AI can boost sales without replacing humans

Aomni raises $4M to help sales teams close more deals with AI-powered research agents that provide real-time, deep prospect intelligence—boosting close rates by up to 40%.

Security News | VentureBeat – Read More

Intruder Enhances Free Vulnerability Intelligence Platform ‘Intel’ with AI-Generated CVE Descriptions

London, United Kingdom, 18th February 2025, CyberNewsWire

Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News – Read More

As US newspaper outages drag on, Lee Enterprises blames cyberattack for encrypting critical systems 

Lee said it was analyzing whether sensitive or personal data was stolen in the cyberattack.


Security News | TechCrunch – Read More

Golang Backdoor Abuses Telegram for C&C Communication

A newly discovered Golang backdoor is abusing Telegram for communication with its command-and-control (C&C) server.

The post Golang Backdoor Abuses Telegram for C&C Communication appeared first on SecurityWeek.

SecurityWeek – Read More

Singulr Launches With $10M in Funding for AI Security and Governance Platform

Singulr AI announced its launch with $10 million in seed funding raised for an enterprise AI security and governance platform. 

The post Singulr Launches With $10M in Funding for AI Security and Governance Platform appeared first on SecurityWeek.

SecurityWeek – Read More

Debunking the AI Hype: Inside Real Hacker Tactics

Is AI really reshaping the cyber threat landscape, or is the constant drumbeat of hype drowning out actual, more tangible, real-world dangers? According to Picus Labs’ Red Report 2025 which analyzed over one million malware samples, there’s been no significant surge, so far, in AI-driven attacks. Yes, adversaries are definitely continuing to innovate, and while AI will certainly start playing a

The Hacker News – Read More

Microsoft Warns of Improved XCSSET macOS Malware

Microsoft has observed a new variant of the XCSSET malware being used in limited attacks against macOS users.

The post Microsoft Warns of Improved XCSSET macOS Malware appeared first on SecurityWeek.

SecurityWeek – Read More

Gravy Analytics leak: How to protect your location data | Kaspersky official blog

Our smartphones and other devices collect and then transmit massive amounts of data about us to dozens, maybe hundreds, of third-party companies every single day. This includes our location information, and the market for such information is huge. Naturally enough, the buying and selling goes on without our knowledge, creating obscure risks to our privacy.

The recent hack of location data broker Gravy Analytics clearly illustrates the potential pitfalls of such practices. This post analyzes how data brokers operate, and what can happen if the information they collect leaks. We also give tips on what you can do to protect your location data.

What location data brokers are

Data brokers are companies that collect, process, and sell information about users. They get this information from mobile apps, online ad networks, online analytics systems, telecom operators, and a host of other sources from smart-home devices to cars.

In theory, this data is only collected for analytics and targeted advertising. In practice, however, there are often no restrictions on usage, and seemingly anyone can buy it. So, out there in the real world, your data can be used for pretty much any purpose. For example, an investigation last year revealed that commercial data brokers — directly or through intermediaries — may even serve government intelligence agencies.

Data brokers collect all kinds of user information, of which one of the most important and sensitive categories is location data. It’s so in demand, in fact, that besides more generalized data brokers, firms exist that focus on it specifically.

Those are the location-data brokers — organizations that specialize in collecting and selling information about user location. One of the major players in this segment is U.S. location tracking firm Gravy Analytics, which merged with Norway’s Unacast in 2023.

The Gravy Analytics data leak

In January 2025, news broke of a data leak at Gravy Analytics. At first it was confined to unofficial reports based on a post that appeared on a private Russian-language hacker forum. The poster claimed to have hacked Gravy Analytics and stolen the location data of millions of users, providing screenshots of the data trove as proof.

It wasn’t long before official confirmation came through. Under Norwegian law, Gravy Analytics’ parent, Unacast, was legally required to notify the national regulator.

The company’s statement reported that on January 4, an unauthorized individual gained access to Gravy Analytics’ AWS cloud storage environment “through a misappropriated access key”. The intruder “obtained certain files, which could contain personal data”.

Analysis of the data Gravy Analytics leaked

Unacast and Gravy Analytics were in no hurry to specify what data could have been compromised. However, within a few days, an independent security researcher published their own in-depth analysis of the leaked information based on a sample of the stolen data they’d been able to obtain.

The Gravy Analytics leak included the location data of users worldwide.

It turned out that the Gravy Analytics hack did indeed leak a gigantic set of location data of users worldwide — from Russia to the United States. The fragment analyzed by the researcher was 1.4GB in size, and consisted of around 30 million records — mostly collected in the first days of January 2025. Meanwhile, the hacker claimed the stolen database is 10TB, meaning it could potentially contain over 200 billion records!

This data was collected by mobile apps and acquired by Gravy Analytics to be aggregated and subsequently sold to clients. As the analysis of the leak showed, the list of apps used to collect location data runs into the thousands. For example, the sample studied contained data collected from 3455 Android apps — including dating apps.

UK-based Tinder users’ location data is an example of what can be found in the data leaked from Gravy Analytics.

Tracking and deanonymizing users with the Gravy Analytics leak data

What’s most unpleasant about the Gravy Analytics hack is that the leaked database is linked to advertising IDs: IDFA for iOS and AAID for Android devices. In many cases, this makes it possible to track users’ movements over time. Here, for instance, is a map of such movements in the vicinity of the White House in Washington, D.C. (remember that this visualization uses only a small sample of the stolen data; the full database contains a lot more):

Data in the Gravy Analytics leak linked to advertising IDs can be used to track users’ movements over time.

Worse yet, some data can be deanonymized. For example, the researcher was able to track the movements of a user who visited the Blue Origin launch pad:

An example of user deanonymization using location data leaked from Gravy Analytics.

Another example: the researcher was able to track a user’s movements from the Columbus Circle landmark in Manhattan, New York City, to their home in Tennessee, and then to their parents’ house the next day. Based solely on OSINT data, the researcher learned a great deal about this individual, including their mother’s name and the fact that their late father was a U.S. Air Force veteran.

Another example of user deanonymization using location data leaked from Gravy Analytics.

The Gravy Analytics data breach demonstrates the serious risks associated with the data broker industry, and location data brokers in particular. As a result of the hack, a huge volume of user location records collected by mobile apps spilled out into the public domain.

This data makes it possible to track the movements of a great many people with fairly high accuracy. And even though the leaked database doesn’t contain direct personal identifiers such as first and last names, ID numbers, addresses, or phone numbers, the linkage to advertising IDs can in many cases lead to deanonymization. So, based on various quasi-identifiers, it’s possible to establish a user’s identity, find out where they live and work, as well as trace their social connections.

How to protect your location data?

Unfortunately, collecting user location data is now such a widespread practice that there’s no easy answer to this question. Alas, there’s no switch you can simply flick to stop all the internet companies worldwide harvesting your data.

That said, you can at least minimize the amount of information about your location that falls into the hands of data brokers. Here’s how:

  • Be strict with apps asking for access to location data. Often, they’ll work just fine without it — so unless there’s a compelling reason for the app to know your location, just say no.
  • Carefully configure privacy in apps that genuinely need your geolocation to function. For example, see our guides to configuring all the most popular running apps.
  • Don’t allow apps to track your location in the background. When granting permissions, always select the “Only while using the app” option.
  • Uninstall apps you no longer use. In general, try to keep the number of apps on your smartphone to a minimum — this will reduce the number of potential data collectors on your device.
  • If you use Apple iOS, iPadOS, or tvOS devices, opt out of app tracking. This will prevent data collected on you from being deanonymized.
  • If you use Android, delete your device’s advertising ID. If this option is unavailable in your OS version, reset the advertising ID regularly.
  • Install a robust security solution capable of blocking ad-tracking on all your devices.
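As an added illustration (not code from Kaspersky’s post), the script below shows why a persistent advertising ID is what makes the tracking described above possible, and what the periodic ID reset recommended in the list achieves: over constructed sample records in the shape the leak is described as having (advertising ID, timestamp, coordinates), it measures how many days and how many distinct places a single ID can be followed across, and then simulates the reset. The record layout and the ID strings are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (advertising ID, UTC timestamp, latitude, longitude).
# The values are invented for this example and are not from the leaked data set.
RECORDS = [
    ("aaid-1111", "2025-01-02T07:55:00", 38.8977, -77.0366),
    ("aaid-1111", "2025-01-02T12:10:00", 38.8896, -77.0353),
    ("aaid-1111", "2025-01-03T08:02:00", 38.8977, -77.0366),
    ("aaid-1111", "2025-01-03T18:40:00", 38.9072, -77.0369),
    ("aaid-1111", "2025-01-04T07:58:00", 38.8977, -77.0366),
    ("aaid-2222", "2025-01-02T09:30:00", 40.7681, -73.9819),
    ("aaid-2222", "2025-01-02T21:15:00", 40.7681, -73.9819),
]


def coarse_cell(lat, lon, decimals=3):
    """Snap a coordinate to a grid cell: 3 decimals is roughly 100 m, 1 decimal roughly 10 km."""
    return (round(lat, decimals), round(lon, decimals))


def linkability(records, decimals=3):
    """Per advertising ID: how many distinct days it can be followed across and how
    many distinct cells it was seen in. Both numbers grow with the lifetime of the ID."""
    days = defaultdict(set)
    cells = defaultdict(set)
    for adid, ts, lat, lon in records:
        days[adid].add(datetime.fromisoformat(ts).date())
        cells[adid].add(coarse_cell(lat, lon, decimals))
    return {adid: {"days": len(days[adid]), "cells": len(cells[adid])} for adid in days}


def rotate_ids(records, every_days=1):
    """Simulate resetting the advertising ID every N days: the same device shows up
    under a fresh ID, so records from different periods can no longer be joined."""
    first_seen = {}
    out = []
    for adid, ts, lat, lon in sorted(records, key=lambda r: r[1]):
        day = datetime.fromisoformat(ts).date()
        first_seen.setdefault(adid, day)
        epoch = (day - first_seen[adid]).days // every_days
        out.append((f"{adid}#{epoch}", ts, lat, lon))
    return out


if __name__ == "__main__":
    print("stable IDs:  ", linkability(RECORDS))
    print("daily reset: ", linkability(rotate_ids(RECORDS)))
    print("coarse cells:", linkability(RECORDS, decimals=1))
```

With stable IDs the first device can be followed across three days and three places; after a daily reset every ID spans a single day, and coarsening the coordinates collapses the places it visited into one cell.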

For more tips on how to put the brakes on generalized data brokers collecting information on you, see our post Advertisers sharing data about you with… intelligence agencies.

Kaspersky official blog – Read More

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

From December 20 to 24, 2024, the Quetzal Team identified a phishing campaign targeting the cryptocurrency and fintech sectors. This campaign aimed to distribute a newly discovered stealer malware, which we have named Zhong Stealer, as there were no prior public references to this threat. 

In this article, we’ll use ANY.RUN’s real-time malware analysis capabilities to cover:

  • Execution flow: How the malware runs from initial launch to full system infiltration. 
  • Data exfiltration tactics: How Zhong transmits stolen credentials to a C2 server hosted in Hong Kong. 
  • Persistence techniques: How it modifies registry keys and scheduled tasks to survive reboots. 

A Flood of Phishing Attempts 

The attack pattern was simple yet persistent: 

  1. Open a new support ticket from a freshly created, empty account.
  2. Use broken language and ask for help in Chinese.
  3. Attach a ZIP file containing screenshots or additional details.
  4. Insist that support staff open it, growing frustrated when they refused.

Suspicious ZIP files named with Simplified Chinese characters

During this period, we managed to collect several suspicious ZIP file samples, all named with Simplified Chinese characters: 

  • 图片_20241224 (2).zip (Image_20241224 (2).zip)
  • Android 自由截图_20241220.zip (Android Free Screenshot_20241220.zip)
  • Android – Screenshots2024122288jpg.zip

Each ZIP file contained an EXE file inside, which immediately raised red flags: 

  • 图片_20241224.exe (Image_20241224.exe – Simplified Chinese)
  • 圖片2024122288jpg.exe (Image2024122288jpg.exe – Traditional Chinese)
  • 图片_20241220.exe (Image_20241220.exe – Simplified Chinese)

Way more suspicious EXE files named with Simplified and Traditional Chinese characters

The Zhong Stealer Revealed 

Over four days, we received multiple samples of what appeared to be the same malware. Initially, only one global detection flagged it as “Unsafe,” a vague and generic label. 

Generic detection, lacking a naming convention or detailed insights 

As time passed, some samples began to receive more global detections, but with a twist: all of them were either generic or driven by heuristic/machine learning/artificial intelligence-powered systems.  

However, these detections lacked meaningful naming conventions, making tracking difficult. 

AI/ML-based detection with no naming convention or substantial details 

Generic conventions (such as “Win.MSIL”, “Detected”, or “Unsafe”) and AI-generated names (like “AIDetectMalware”, “Malware.AI”, “ML.Attribute.HighConfidence”, “malicious_confidence_90%”, “Static AI”) may be useful for internal classification or as temporary indicators but their lack of specificity makes it difficult to track malware over time or correlate research findings. 

AI/ML-based detections—hard to follow with these naming conventions 

To solve this, we decided to give this malware a proper name: Zhong Stealer, inspired by the email address of the first submitter to hit the ticketing system. From now on, we’ll track all these strains under this family name. 

Now that we’ve made a new “friend”, let’s play with it a little bit. 

Dissecting Zhong 

Running Zhong Stealer in ANY.RUN revealed its behavior almost immediately. Upon execution, it queried a C2 server based in Hong Kong, hosted by Alibaba Cloud. 

View sandbox analysis

First and follow-up contacts with the C2 server in Hong Kong 

Stage 1: Initial Contact 

Inventory file signalling the malware’s components to download 

The first action involves reading a TXT file, which serves as an inventory. This file contains links to itself and other components that need to be downloaded. 

Stage 2: Downloader Execution 

Next, another stage is downloaded: down.exe, a file signed with a previously valid but now revoked certificate from Morning Leap & Cazo Electronics Technology Co., suggesting it was likely stolen. Notably, the file masquerades as a BitDefender Security updater, a deliberate choice that adds an extra layer of deception to evade suspicion. 

Fake signature posing as BitDefender and using a potentially stolen certificate 

Alongside this stage, Zhong downloaded additional components: 

  • TASLogin.log (a log file) 
  • TASLoginBase.dll (a dynamic-link library) 

These components helped facilitate execution of the next stage. 

Zhong Stealer downloading components and preparing for the next stage 

Stage 3: Persistence & Reconnaissance 

Once active, down.exe creates a BAT file with a random 4-digit name in the user’s temporary folder (e.g., 4948.bat on my setup). This script sets up the environment by invoking system utilities like Conhost.exe and Attrib.exe to unhide and grant execution permissions to the next step. 

BAT file preparing the environment for the next stage 

The stealer then queries the system’s supported languages, a tactic often seen in ransomware, where it is used to avoid targeting specific regions. It also schedules itself to run periodically via Task Scheduler, which serves as a fallback persistence method, though not its primary one (more on this later).

Zhong scheduling itself via Task Scheduler and checking language properties 

Next, Zhong disables trace logs (point 1 in the image below) and initiates reconnaissance routines.  

This includes reading registry keys to collect details such as the machine hostname, GUID, proxies, software policies, and supported languages (points 2 and 3). It also evaluates Internet Explorer/Edge security settings (point 4). 

Zhong staging, reconnaissance, and evasion routines in practice 


Stage 4: Credential Theft & Data Exfiltration 

With the preparation complete, Zhong moves to its final stage, where it aims to execute a clean attack.  

Specific registry keys read by Zhong before launching the final stage 

Now, the real action starts. Zhong establishes persistence by adding a registry key (point 1 in the image below) at: 

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Next, it harvests browser credentials and extension data (point 2) before connecting to its C2 server on port 1131 (point 3) to exfiltrate the stolen information.

Let’s break down these actions step by step. 

Routines to gain persistence, steal credentials, and communicate with its C2 

The registry key serves as Zhong’s primary persistence mechanism, with the scheduled task acting as a fallback in case the registry entry is removed. Once persistence is secured, Zhong shifts its focus to harvesting credentials and browser extension data. 

Persistence mechanisms and exfiltration routines in action 

Next, Zhong scans browser extensions and credentials, starting with Brave Browser on this setup. 

Zhong scanning Brave Browser for sensitive data 

It then moves on to Edge/Internet Explorer, which comes pre-installed on most Windows systems, making them valuable targets for data theft. 

Zhong scanning Edge for sensitive data 

After collecting sensitive data, Zhong contacts its Hong Kong-based C2 server on port 1131 to exfiltrate relevant information. 

Zhong exfiltrating data via its C2 server 

At this point, the outcome is predictable—Zhong evolves from a mere nuisance into a full-fledged data thief. 

Now, let’s break down its techniques into a clear and structured MITRE ATT&CK Matrix to visualize its full attack chain. 

Fortunately, ANY.RUN simplifies this process, mapping out the malware’s behavior step by step for better analysis and threat tracking. 

Zhong Stealer’s Tactics & Techniques 

This particular piece of malware employs a variety of TTPs which are common, simple, and yet, highly effective: 

  • Disabling Event Logging (T1562) – Prevents security tools from recording malicious activity, making detection and forensic analysis more difficult. 
  • Gaining Persistence via Registry Keys (T1547) – Modifies Windows registry settings to ensure the malware automatically runs at startup. 
  • Harvesting Credentials (T1552) – Extracts saved passwords, browser session data, and authentication tokens from compromised systems. 
  • Scheduling Tasks (T1053) – Creates scheduled tasks to maintain persistence, ensuring the malware executes even after a system reboot. 
  • Communicating via Non-Standard Ports (T1571) – Uses uncommon network ports, such as port 1131, to avoid detection and transmit stolen data to a command-and-control server. 

You can find more TTPs used by Zhong Stealer in the screenshot below: 

MITRE ATT&CK Matrix on ANY.RUN detailing the analyzed points

How to Protect Against Zhong Stealer 

To combat Zhong Stealer and similar social engineering-based malware, security teams must adopt proactive detection and analysis strategies. Traditional antivirus solutions often fail to recognize stealthy threats, but with ANY.RUN’s Interactive Sandbox, organizations can identify, analyze, and block malicious activity in real time before it causes harm. 

Here’s how to protect your organization from Zhong Stealer: 

  • Train customer support teams to recognize phishing tactics and avoid opening suspicious file attachments in support chats. 
  • Restrict ZIP file execution from unverified sources and enforce zero-trust security policies to prevent unauthorized file access. 
  • Monitor outbound network traffic for suspicious C2 connections, especially to non-standard ports like 1131, a key indicator of Zhong Stealer’s activity. 
  • Use ANY.RUN’s real-time analysis to safely detonate unknown executables, observe their behavior step by step, and extract critical IOCs before the malware can spread. 
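The detection logic below is an added example, not code from ANY.RUN or the article. It runs over constructed endpoint telemetry that mimics the chain described in Stages 3 and 4 (a four-digit .bat in the Temp folder, attrib.exe touching it, a Run-key write, a scheduled task, and an outbound connection to port 1131) and alerts per host when several stages line up, or on the port-1131 connection alone. The event shape, host names, task name and destination IP are assumptions.

```python
import re
from collections import defaultdict

# Constructed telemetry (host, event_type, detail); not real logs from ANY.RUN or the
# sample. ws01 mimics the chain the article describes, ws02 is ordinary activity.
EVENTS = [
    ("ws01", "file_create", r"C:\Users\alice\AppData\Local\Temp\4948.bat"),
    ("ws01", "process_start", r"C:\Windows\System32\attrib.exe -h C:\Users\alice\AppData\Local\Temp\4948.bat"),
    ("ws01", "registry_set", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TASLogin"),
    ("ws01", "task_register", "name=UpdateCheck trigger=periodic"),  # task name is made up
    ("ws01", "network_connect", "dst=198.51.100.7:1131 proto=tcp"),  # TEST-NET address
    ("ws02", "file_create", r"C:\Users\bob\AppData\Local\Temp\report.tmp"),
    ("ws02", "registry_set", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
    ("ws02", "network_connect", "dst=203.0.113.9:443 proto=tcp"),
]

# Each rule: (indicator name, event type it applies to, regex over the detail field).
RULES = [
    ("temp_4digit_bat", "file_create", re.compile(r"\\Temp\\\d{4}\.bat$", re.I)),
    ("attrib_on_temp_bat", "process_start", re.compile(r"\\attrib\.exe .*\\Temp\\\d{4}\.bat$", re.I)),
    ("run_key_persistence", "registry_set", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("scheduled_task_fallback", "task_register", re.compile(r"name=")),
    ("c2_port_1131", "network_connect", re.compile(r"dst=\S+:1131\b")),
]


def match_indicators(events):
    """Collect the set of indicator names seen on each host."""
    hits = defaultdict(set)
    for host, etype, detail in events:
        for name, rule_type, pattern in RULES:
            if etype == rule_type and pattern.search(detail):
                hits[host].add(name)
    return hits


def assess(events, min_indicators=3):
    """Alert when enough distinct stages of the chain are seen on one host, or on the
    port-1131 connection by itself; a lone Run-key write is routine and must not alert."""
    verdicts = {}
    for host, names in match_indicators(events).items():
        alert = "c2_port_1131" in names or len(names) >= min_indicators
        verdicts[host] = {"indicators": sorted(names), "alert": alert}
    return verdicts


if __name__ == "__main__":
    for host, verdict in assess(EVENTS).items():
        print(host, verdict)
```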

With ANY.RUN’s in-depth behavioral analysis, security teams can stay ahead of evolving threats like Zhong Stealer and prevent cybercriminals from using social engineering to bypass traditional defenses. 

Final Thoughts 

Zhong Stealer’s campaign is a prime example of how social engineering and persistent phishing tactics can be used to distribute malware. By targeting customer support teams, the attackers attempted to bypass traditional security measures and exploit human trust. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.


IOCs 

The post Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More