Commercial Spyware Opponents Fear US Policy Shifting

/in

Rescinded sanctions and reactivated contracts have created confusion about the Trump administration’s spyware policy and where it draws the line.

darkreading – ​Read More

Iran MOIS Colludes With Criminals to Boost Cyberattacks

/in

Iranian APTs have long pretended to be cybercriminal groups. Now they’re working with actual cybercriminal groups.

darkreading – ​Read More

US, Europol disrupt SocksEscort network that exploited thousands of residential routers

/in

The SocksEscort proxy network allowed cybercriminals to purchase access to routers infected with malware, which they used to conceal their location and IP addresses.

The Record from Recorded Future News – ​Read More

Feds Takes Down SocksEscort Proxy Network Used in Global Fraud Schemes

/in

European and US agencies dismantled the SocksEscort proxy network built on infected routers and used by cybercriminals in global fraud schemes.

Hackread – Cybersecurity News, Data Breaches, AI and More – ​Read More

Security Flaw in WordPress Plugin Puts 400,000 Websites at Risk

/in

A security flaw in the Ally WordPress plugin used on more than 400,000 sites could allow attackers to extract sensitive data without logging in.

The post Security Flaw in WordPress Plugin Puts 400,000 Websites at Risk appeared first on TechRepublic.

Security Archives – TechRepublic – ​Read More

Exclusive: New data shows increase in FBI searches of Americans’ data last year

/in

The number of FBI searches of data collected through the surveillance program known as Section 702 of the Foreign Intelligence Surveillance Act (FISA) between December 2024 to November 2025 rose to 7,413 from 5,518 the previous year.

The Record from Recorded Future News – ​Read More

AMOS and Amatera disguised as AI agents | Kaspersky official blog

/in

We recently discussed how malicious actors are spreading the AMOS infostealer for macOS via Google Ads, leveraging a chat with an AI assistant on the actual OpenAI website to host malicious instructions. We decided to dig a little deeper, only to discover several similar malicious campaigns where attackers attempt to slip users malware disguised as popular AI tools through Google Search ads. If the victims are searching for macOS-specific tools, the payload deployed is the very same AMOS; if they’re on Windows, it’s the Amatera infostealer instead. These campaigns use the popular Chinese AI Doubao, the viral AI assistant OpenClaw, or the coding assistant Claude Code as bait. This means such campaigns pose a threat not only to home users but also to organizations.

The reality is that corporate employees are increasingly using coding assistants like Claude Code, and workflow automation agents like OpenClaw. This brings its own set of risks, which is why many organizations have yet to officially approve (or pay for) access to such tools. Consequently, some employees take matters into their own hands to find these trendy tools, and head straight to Google. They type in a search query and are served a sponsored link leading to a malicious installation guide. Let’s take a closer look at how this attack plays out, using a Claude Code distribution campaign discovered in early March as an example.

The search query

So, a user starts looking for a place to download the Anthropic agent and types something like “Claude Code download” into the search bar. The search engine returns a list of links, with “sponsored links” (paid advertisements) sitting at the top. One of these ads leads the user to a malicious page featuring fake documentation. Interestingly, the site itself is built on Squarespace, a legitimate website builder that helps it bypass anti-phishing filters.

Search result examples

Search results with ads in Romania and Brazil

The attackers’ site meticulously mimics the original Claude Code documentation, complete with installation instructions. Just like the real deal, it prompts the user to copy and run a command. However, once executed, it installs not an AI agent but malware. Essentially, this is just another flavor of the ClickFix attack — one that has earned its own nickname: InstallFix.

Malicious website

Malicious site mimicking installation instructions

Claude Code website

Genuine Claude Code site with installation instructions

Malicious payload

Just like with the original Claude Code, the command for macOS attempts to install an application using the curl command-line utility. In reality, it deploys the AMOS spyware — previously described by our experts on Securelist — which was used in a similar past campaign.

In the case of Windows, the malware is installed using the system utility mshta.exe, which executes HTML-based applications instead of curl, which is used for the genuine Claude Code. This utility deploys the Amatera infostealer, which harvests browser data, crypto-wallet info, as well as information from the user folder, and sends it to a remote server at 144{.}124.235.102.

How to keep your company safe

Interest in AI agents continues to grow, and the emergence of new tools and their rising popularity are creating fresh attack vectors. Specifically, attempting to seek out third-party AI tools can not only jeopardize the source code of projects on the victim’s computer but also lead to the compromise of secrets, confidential corporate files, and user accounts.

To prevent this from happening, the first step should be educating employees about these dangers and the tricks used by threat actors. This can be done using our training platform: Kaspersky Automated Security Awareness. Incidentally, it includes a specialized lesson on the use of AI in corporate environments.

Additionally, we recommend protecting all corporate devices with proven cybersecurity solutions.

We also suggest checking out our previously published article on three approaches to minimizing the risks of using shadow AI.

Kaspersky official blog – ​Read More

Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays

/in

Cybersecurity researchers have disclosed details of a new banking malware targeting Brazilian users that’s written in Rust, marking a significant departure from other known Delphi-based malware families associated with the Latin American cybercrime ecosystem.
The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian

The Hacker News – ​Read More

US Lawmakers Move to Kill the FBI’s Warrantless Wiretap Access

/in

A bipartisan bill would force the FBI to get a warrant to read Americans’ messages and ban the federal purchase of commercial data on US residents ahead of a critical April deadline.

Security Latest – ​Read More

This one’s for you, Mom

/in

This one’s for you, Mom

Welcome to this week’s edition of the Threat Source newsletter. 

I am the product of a single parent, my mom, who along with my grandparents helped raise me into the man I am today.  I cannot fathom what it took for my mom, who worked three jobs to put herself through college to be a teacher, to struggle through it. My grandparents did some heavy lifting here, helping with me as a kid as my mom worked long hours and earned her bachelor’s degree.  

I didn’t see as much of my mom as I wanted — but in her third job where she cleaned offices on the weekend, I would often go with her and help. It got me out of the house, let me spend time with my mom, and afterwards we’d have a meal together. Shout out to the Taco Bell dollar menu, which was all we could afford. It took me well into my thirties to understand how important that time we shared was, even as I took out garbage, cleaned bathrooms, and complained the entire time.  

So why am I waxing nostalgic for my childhood janitorial days? Role models. My mom is certainly one. We also recently recognized International Women’s Day here at Talos, and I couldn’t help but think of the sacrifices and hard work my mom did to ensure I had food and clothing and was loved. It caused me to reflect on the women who work in my career space, especially here at Cisco. What parallels exist? What don’t I know about? How can I be an ally? I had previously observed that cybersecurity is a male-dominated field, but I hadn’t really dug into any data to support that. It also made me wonder: What other STEM fields suffered from a lack of, or had successes in, gender diversity?  

So I did some homework to better understand. Some sobering stats: 

Well, that was depressing. I knew it wasn’t great, but geez. 

Even though I’m a bit slow, I did find some good news. There are a lot of fantastic organizations, programs, and scholarships to help women attain skills and get great jobs in STEM, especially in cybersecurity. I’m quite partial to CTFs and competitions in this space — it’s valuable hands-on experience, and having fun hacking stuff in a safe and inclusive space is fantastic. I’m also fond of Women in Cybersecurity (WiCyS). I’ve been fortunate to do WiCyS mentorship here in Cisco, and it was an awesome experience.

Should you find yourself in a position to mentor someone that would add diversity into our career space, do it! It is incredibly rewarding. A diversity of thoughts and lived experiences make us and those we protect safer — which is what we do all day, every day here in Talos.

The one big thing 

On Tuesday, March 10, Talos updated our blog on the developing situation in the Middle East. We continue to monitor the evolving cyber threat landscape associated with the conflict and collect tactics, techniques, and procedures (TTPs); threat actor identifiers; and other intelligence to help inform defensive efforts and maintain situational awareness. 

Though select hacktivist operations are highlighted in the blog, hundreds of attacks have been claimed by numerous collectives since the beginning of the conflict. Talos cautions against accepting these claims at face value, emphasizing that defenders should independently verify them since older leaks and previously public information can be used to influence perceptions.

Why do I care? 

Cyber operations are likely to play a supporting but strategically significant role in the ongoing conflict. Iranian-aligned groups are employing network-based intrusions to target adversary infrastructure and advance strategic objectives.  

Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Disruptive cyberattacks against organizations in a target country may unintentionally spill over to organizations in other countries. A more active hacktivist landscape inherently increases the threat of DDoS and website defacement attacks, as hundreds of attacks have been claimed by numerous collectives since the beginning of the conflict. 

So now what? 

Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for destructive malware. Consider minimizing the amount and sensitivity of data that is available to external parties. To improve defenses against DDoS attacks, ensure your organization has a business continuity plan in place, assess external attack surfaces, and confirm that critical systems have healthy, usable backups. For website defacement/redirect protection, ensure that websites are protected against the most commonly exploited security vulnerabilities.  

Defenders should ensure security fundamentals are being adhered to, such as robust patching for known vulnerabilities and requiring multi-factor authentication (MFA) for remote access and on critical services. Network security teams should proactively monitor their traffic for APT-associated IP addresses and implement hardening guidelines.  

We will update this blog with IOCs and further developments accordingly. 

Top security headlines of the week 

Russian government hackers targeting Signal and WhatsApp users, Dutch spies warn 
Two agencies accused “Russian state actors” of using phishing and social engineering techniques — rather than malware — to take over accounts on the two messaging apps. (TechCrunch

FBI investigating “suspicious” cyber activities on critical surveillance network 
The FBI has identified a suspected cybersecurity incident on a sensitive network used to manage wiretaps and intelligence surveillance warrants. Officials are working to determine the seriousness of the incident. (CNN

TriZetto confirms year-long hack of its network exposed records on 3.4M people 
Until recently, the total number of impacted individuals was unknown. According to a recent filing with the Office of the Maine Attorney General, the breach likely initially occurred on November 19, 2024. (HealthExec

“InstallFix” attacks spread fake Claude Code sites 
A fresh cyber attack campaign blends malvertising with a ClickFix-style technique that highlights risky behavior with AI coding assistants and command-line interfaces. (Dark Reading

ClickFix attack uses Windows Terminal to evade detection 
Victims are instructed to open Windows Terminal directly, instead of relying on the Windows Run dialog. The new approach, observed in the wild in February, allows attackers to bypass protections designed to prevent Run dialog abuse. (Dark Reading

Can’t get enough Talos? 

It’s the B+ Team: Matt Olney returns 
Matt is back to talk with the crew about about the most random things, including TikTok diagnosing us with ADHD, K-Pop Demon Hunters, ransomware in hospitals (the serious bit), attacker use of AI, and why 1999-era tricks are still undefeated.

Modernizing your threat hunt 
David Bianco joins Amy to explore the evolution of the PEAK Threat Hunting framework and talk through how security teams can modernize their approach to identifying risks before they escalate.

Spinning complex ideas into clear docs with Kri Dontje 
Kri and Amy discuss the importance of consistency, accuracy, and accessibility in documentation; how to get the most out of a subject matter expert-technical writer relationship; and the surprising connection between weaving and binary code.

Agentic AI security 
This blog emphasizes the importance of robust risk management and threat modeling to defend against both internal operational errors and potential malicious exploitation. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: https_2915b3f8b703eb744fc54c81f4a9c67f.exe 
Detection Name: Win.Worm.Coinminer::1201  

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: d4aa3e7010220ad1b458fac17039c274_64_Dll.dll 
Detection Name: Auto.90B145.282358.in02  

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe 
Detection Name: W32.Injector:Gen.21ie.1201  

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
MD5: 41444d7018601b599beac0c60ed1bf83 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
Example Filename: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55.js 
Detection Name: W32.38D053135D-95.SBX.TG 

SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
MD5: a2cf85d22a54e26794cbc7be16840bb1 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
Example Filename: VID001.exe 
Detection Name: W32.5E6060DF7E-100.SBX.TG

Cisco Talos Blog – ​Read More