Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

From December 20 to 24, 2024, the Quetzal Team identified a phishing campaign targeting the cryptocurrency and fintech sectors. This campaign aimed to distribute a newly discovered stealer malware, which we have named Zhong Stealer, as there were no prior public references to this threat. 

In this article, we’ll use ANY.RUN’s real-time malware analysis capabilities to cover:

  • Execution flow: How the malware runs from initial launch to full system infiltration. 
  • Data exfiltration tactics: How Zhong transmits stolen credentials to a C2 server hosted in Hong Kong. 
  • Persistence techniques: How it modifies registry keys and scheduled tasks to survive reboots. 

A Flood of Phishing Attempts 

The attack pattern was simple yet persistent: 

  1. Open a new support ticket from a freshly created, empty account. 
  1. Use broken language and ask for help in Chinese. 
  1. Attach a ZIP file containing screenshots or additional details. 
  1. Insist that support staff open it, growing frustrated when they refused. 
Suspicious ZIP files named with Simplified Chinese characters

During this period, we managed to collect several suspicious ZIP file samples, all named with Simplified Chinese characters: 

  • 图片_20241224 (2).zip (Image_20241224 (2).zip). 
  • Android 自由截图_20241220.zip (Android Free Screenshot_20241220.zip) 
  • Android – Screenshots2024122288jpg.zip 

Each ZIP file contained an EXE file inside, which immediately raised red flags: 

  • 图片_20241224.exe (Image_20241224.exe – Simplified Chinese) 
  • 圖片2024122288jpg.exe (Image2024122288jpg.exe – Traditional Chinese) 
  • 图片_20241220.exe (Image_20241220.exe – Simplified Chinese) 
Way more suspicious EXE files named with Simplified and Traditional Chinese characters

The Zhong Stealer Revealed 

Over four days, we received multiple samples of what appeared to be the same malware. Initially, only one global detection flagged it as “Unsafe,” a vague and generic label. 

Generic detection, lacking a naming convention or detailed insights 

As time passed, some samples began to receive more global detections, but with a twist: all of them were either generic or driven by heuristic/machine learning/artificial intelligence-powered systems.  

However, these detections lacked meaningful naming conventions, making tracking difficult. 

AI/ML-based detection with no naming convention or substantial details 

Generic conventions (such as “Win.MSIL”, “Detected”, or “Unsafe”) and AI-generated names (like “AIDetectMalware”, “Malware.AI”, “ML.Attribute.HighConfidence”, “malicious_confidence_90%”, “Static AI”) may be useful for internal classification or as temporary indicators but their lack of specificity makes it difficult to track malware over time or correlate research findings. 

AI/ML-based detections—hard to follow with these naming conventions 

To solve this, we decided to give this malware a proper name: Zhong Stealer, inspired by the email address of the first submitter to hit the ticketing system. From now on, we’ll track all these strains under this family name. 

Now that we’ve made a new “friend”, let’s play with it a little bit. 

Dissecting Zhong 

Running Zhong Stealer in ANY.RUN revealed its behavior almost immediately. Upon execution, it queried a C2 server based in Hong Kong, hosted by Alibaba Cloud. 

View sandbox analysis

First and follow-up contacts with the C2 server in Hong Kong 

Stage 1: Initial Contact 

Inventory file signalling the malware’s components to download 

The first action involves reading a TXT file, which serves as an inventory. This file contains links to itself and other components that need to be downloaded. 

Submit suspicious files and URLs to ANY.RUN
for proactive analysis of threats targeting your company 



Get 14-dat free trial


Stage 2: Downloader Execution 

Next, another stage is downloaded: down.exe, a file signed with a previously valid but now revoked certificate from Morning Leap & Cazo Electronics Technology Co., suggesting it was likely stolen. Notably, the file masquerades as a BitDefender Security updater, a deliberate choice that adds an extra layer of deception to evade suspicion. 

Fake signature posing as BitDefender and using a potentially stolen certificate 

Alongside this stage, Zhong downloaded additional components: 

  • TASLogin.log (a log file) 
  • TASLoginBase.dll (a dynamic-link library) 

These components helped facilitate execution of the next stage. 

Zhong Stealer downloading components and preparing for the next stage 

Stage 3: Persistence & Reconnaissance 

Once active, down.exe creates a BAT file with a random 4-digit name in the user’s temporary folder (e.g., 4948.bat on my setup). This script sets up the environment by invoking system utilities like Conhost.exe and Attrib.exe to unhide and grant execution permissions to the next step. 

BAT file preparing the environment for the next stage 

The stealer then queries the system’s supported languages, a tactic often seen in ransomware. It is used to avoid targeting specific regions. It also schedules itself to run periodically via Task Scheduler, which serves as a fallback persistence method, though not its primary one (more on this later). 

Zhong scheduling itself via Task Scheduler and checking language properties 

Next, Zhong disables trace logs (point 1 in the image below) and initiates reconnaissance routines.  

This includes reading registry keys to collect details such as the machine hostname, GUID, proxies, software policies, and supported languages (points 2 and 3). It also evaluates Internet Explorer/Edge security settings (point 4). 

Zhong staging, reconnaissance, and evasion routines in practice 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis



Stage 4: Credential Theft & Data Exfiltration 

With the preparation complete, Zhong moves to its final stage, where it aims to execute a clean attack.  

Specific registry keys read by Zhong before launching the final stage 

Now, the real action starts. Zhong establishes persistence by adding a registry key (point 1 in the image below) at: 

HKEY_CURRENT_USERSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN 

Next, it harvests browser credentials and extension data (point 2) before connecting to its C2 server on port 1131(point 3) to exfiltrate the stolen information. 

Let’s break down these actions step by step. 

Routines to gain persistence, steal credentials, and communicate with its C2 

The registry key serves as Zhong’s primary persistence mechanism, with the scheduled task acting as a fallback in case the registry entry is removed. Once persistence is secured, Zhong shifts its focus to harvesting credentials and browser extension data. 

Persistence mechanisms and exfiltration routines in action 

Next, Zhong scans browser extensions and credentials, starting with Brave Browser on this setup. 

Zhong scanning Brave Browser for sensitive data 

It then moves on to Edge/Internet Explorer, which comes pre-installed on most Windows systems, making them valuable targets for data theft. 

Zhong scanning Edge for sensitive data 

After collecting sensitive data, Zhong contacts its Hong Kong-based C2 server on port 1131 to exfiltrate relevant information. 

Zhong exfiltrating data via its C2 server 

At this point, the outcome is predictable—Zhong evolves from a mere nuisance into a full-fledged data thief. 

Now, let’s break down its techniques into a clear and structured MITRE ATT&CK Matrix to visualize its full attack chain. 

Fortunately, ANY.RUN simplifies this process, mapping out the malware’s behavior step by step for better analysis and threat tracking. 

Zhong Stealer’s Tactics & Techniques 

This particular piece of malware employs a variety of TTPs which are common, simple, and yet, highly effective: 

  • Disabling Event Logging (T1562) – Prevents security tools from recording malicious activity, making detection and forensic analysis more difficult. 
  • Gaining Persistence via Registry Keys (T1547) – Modifies Windows registry settings to ensure the malware automatically runs at startup. 
  • Harvesting Credentials (T1552) – Extracts saved passwords, browser session data, and authentication tokens from compromised systems. 
  • Scheduling Tasks (T1053) – Creates scheduled tasks to maintain persistence, ensuring the malware executes even after a system reboot. 
  • Communicating via Non-Standard Ports (T1571) – Uses uncommon network ports, such as port 1131, to avoid detection and transmit stolen data to a command-and-control server. 

You can find more TTPs used by Zhong Stealer in the screenshot below: 

MITRE ATT&CK Matrix on ANY.RUN detailing the analyzed points

How to Protect Against Zhong Stealer 

To combat Zhong Stealer and similar social engineering-based malware, security teams must adopt proactive detection and analysis strategies. Traditional antivirus solutions often fail to recognize stealthy threats, but with ANY.RUN’s Interactive Sandbox, organizations can identify, analyze, and block malicious activity in real time before it causes harm. 

Here’s how to protect your organization from Zhong Stealer: 

  • Train customer support teams to recognize phishing tactics and avoid opening suspicious file attachments in support chats. 
  • Restrict ZIP file execution from unverified sources and enforce zero-trust security policies to prevent unauthorized file access. 
  • Monitor outbound network traffic for suspicious C2 connections, especially to non-standard ports like 1131, a key indicator of Zhong Stealer’s activity. 
  • Use ANY.RUN’s real-time analysis to safely detonate unknown executables, observe their behavior step by step, and extract critical IOCs before the malware can spread. 

With ANY.RUN’s in-depth behavioral analysis, security teams can stay ahead of evolving threats like Zhong Stealer and prevent cybercriminals from using social engineering to bypass traditional defenses. 

Final Thoughts 

Zhong Stealer’s campaign is a prime example of how social engineering and persistent phishing tactics can be used to distribute malware. By targeting customer support teams, the attackers attempted to bypass traditional security measures and exploit human trust. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

IOCs 

FileHash-MD5:778b6521dd2b07d7db0eaeaab9a2f86b 

FileHash-SHA1:ce120e922ed4156dbd07de8335c5a632974ec527 

FileHash-SHA256:02244934046333f45bc22abe6185e6ddda033342836062afb681a583aa7d827f 

FileHash-SHA256:1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf 

FileHash-SHA256:4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e 

FileHash-SHA256:dd44dabff5361aa9b845dd891ad483162d4f28913344c93e5d59f648a186098 

FileHash-SHA256:e46779869c6797b294cb097f47027a5c52466fd11112b6ccd52c569578d4b8cd 

FileHash-SHA256:5f422be165e4b6557f45719914f724a4fe1840fa792ecc739861bfdb45c1550 

URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/TASLogin.log 

URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/TASLoginBase.dll 

URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/down.exe 

URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/uu.txt 

email:zhongmaziil992@outlook.com 

hostname:kkuu.oss-cn-hongkong.aliyuncs[.]com 

IPv4:156.245.23.188 

IPv4:47.79.64.228 

The post Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Gravy Analytics leak: How to protect your location data | Kaspersky official blog

Our smartphones and other devices collect and then transmit massive amounts of data about us to dozens, maybe hundreds, of third-party companies every single day. This includes our location information, and the market for such information is huge. Naturally enough, the buying and selling goes on without our knowledge, creating obscure risks to our privacy.

The recent hack of location data broker Gravy Analytics clearly illustrates the potential pitfalls of such practices. This post analyzes how data brokers operate, and what can happen if the information they collect leaks. We also give tips on what you can do to protect your location data.

What location data brokers are

Data brokers are companies that collect, process, and sell information about users. They get this information from mobile apps, online ad networks, online analytics systems, telecom operators, and a host of other sources from smart-home devices to cars.

In theory, this data is only collected for analytics and targeted advertising. In practice, however, there are often no restrictions on usage, and seemingly anyone can buy it. So, out there in the real world, your data can be used for pretty much any purpose. For example, an investigation last year revealed that commercial data brokers — directly or through intermediaries — may even serve government intelligence agencies.

Data brokers collect all kinds of user information, of which one of the most important and sensitive categories is location data. It’s so in demand, in fact, that besides more generalized data brokers, firms exist that focus on it specifically.

Those are the location-data brokers — organizations that specialize in collecting and selling information about user location. One of the major players in this segment is U.S. location tracking firm Gravy Analytics, which merged with Norway’s Unacast in 2023.

The Gravy Analytics data leak

In January 2025, news broke of a data leak at Gravy Analytics. At first it was confined to unofficial reports based on a post that appeared on a private Russian-language hacker forum. The poster claimed to have hacked Gravy Analytics and stolen the location data of millions of users, providing screenshots of the data trove as proof.

It wasn’t long before official confirmation came through. Under Norwegian law, Gravy Analytics’ parent, Unacast, was legally required to notify the national regulator.

The company’s statement reported that on January 4, an unauthorized individual gained access to Gravy Analytics’ AWS cloud storage environment “through a misappropriated access key”. The intruder “obtained certain files, which could contain personal data”.

Analysis of the data Gravy Analytics leaked

Unacast and Gravy Analytics were in no hurry to specify what data could have been compromised. However, within a few days, an independent security researcher published their own in-depth analysis of the leaked information based on a sample of the stolen data they’d been able to obtain.

User location-data leaked worldwide

The Gravy Analytics leak included the location data of users worldwide. Source

It turned out that the Gravy Analytics hack did indeed leak a gigantic set of location data of users worldwide — from Russia to the United States. The fragment analyzed by the researcher was 1.4GB in size, and consisted of around 30 million records — mostly collected in the first days of January 2025. Meanwhile, the hacker claimed the stolen database is 10TB, meaning it could potentially contain over 200 billion records!

This data was collected by mobile apps and acquired by Gravy Analytics to be aggregated and subsequently sold to clients. As the analysis of the leak showed, the list of apps used to collect location data runs into the thousands. For example, the sample studied contained data collected from 3455 Android apps — including dating apps.

UK-based Tinder users' location

UK-based Tinder users’ location data is an example of what can be found in the data leaked from Gravy Analytics. Source

Tracking and deanonymizing users with the Gravy Analytics’ leak data

What’s most unpleasant about the Gravy Analytics hack is that the leaked database is linked to advertising IDs: IDFA for iOS and AAID for Android devices. In many cases, this makes it possible to track users’ movements over time. Here, for instance, is a map of such movements in the vicinity of the White House in Washington, D.C. (remember that this visualization uses only a small sample of the stolen data; the full database contains a lot more):

Tracking users through the Gravy Analytics leak

Data in the Gravy Analytics leak linked to advertising IDs can be used to track users’ movements over time. Source

Worse yet, some data can be deanonymized. For example, the researcher was able to track the movements of a user who visited the Blue Origin launch pad:

First example of user deanonymization through the Gravy Analytics leak

An example of user deanonymization using location data leaked from Gravy Analytics. Source

Another example: the researcher was able to track a user’s movements from the Columbus Circle landmark in Manhattan, New York City, to his home in Tennessee, and then to his parents’ house the next day. Based solely on OSINT data, the researcher learned a great deal about this individual, including their mother’s name and the fact that their late father was a U.S. Air Force veteran.

Second example of user deanonymization through the Gravy Analytics leak

Another example of user deanonymization using location data leaked from Gravy Analytics. Source

The Gravy Analytics data breach demonstrates the serious risks associated with the data broker industry, and location data brokers in particular. As a result of the hack, a huge volume of user location records collected by mobile apps spilled out into the public domain.

This data makes it possible to track the movements of a great many people with fairly high accuracy. And even though the leaked database doesn’t contain direct personal identifiers such as first and last names, ID numbers, addresses, or phone numbers, the linkage to advertising IDs can in many cases lead to deanonymization. So, based on various quasi-identifiers, it’s possible to establish a user’s identity, find out where they live and work, as well as trace their social connections.

How to protect your location data?

Unfortunately, collecting user location data is now such a widespread practice that there’s no easy answer to this question. Alas, there’s no switch you can simply flick to stop all the internet companies worldwide harvesting your data.

That said, you can at least minimize the amount of information about your location that falls into the hands of data brokers. Here’s how:

  • Be strict with apps asking for access to location data. Often, they’ll work just fine without it — so unless there’s a compelling reason for the app to know your location, just say no.
  • Carefully configure privacy in apps that genuinely need your geolocation to function. For example, see our guides to configuring all the most popular running apps.
  • Don’t allow apps to track your location in the background. When granting permissions, always select the “Only while using the app” option.
  • Uninstall apps you no longer use. In general, try to keep the number of apps on your smartphone to a minimum — this will reduce the number of potential data collectors on your device.
  • If you use Apple iOS, iPadOS, or tvOS devices, opt out of app tracking. This will prevent data collected on you from being deanonymized.
  • If you use Android, delete your device’s advertising ID. If this option is unavailable in your OS version, reset the advertising ID regularly.
  • Install a robust security solution capable of blocking ad-tracking on all your devices.

For more tips on how to put the brakes on generalized data brokers collecting information on you, see our post Advertisers sharing data about you with… intelligence agencies.

Kaspersky official blog – ​Read More

Trojanized game PirateFi discovered on Steam | Kaspersky official blog

There are probably no gamers left who don’t know that downloading games from torrent trackers is risky business. Yes, they come at no cost, cracked and sometimes conveniently repacked, but they might contain malware. That’s why security solutions throw a fit — quarantining torrent files, preventing the installation of cracks… well, we should be thankful for that!

Official app stores like Steam are a different story, right? Surely everything’s perfectly safe there, isn’t it? Nope. In February, a game bundled with malware was discovered on the platform. Not to worry, though: last week, Valve removed the game “PirateFi” from its Steam platform after a user reported that their antivirus software prevented them from running the game due to the presence of malware. The user’s antivirus flagged the game as containing Trojan.Win32.Lazzzy.gen, prompting Valve to act swiftly and remove it from the platform. We can confirm that it was Kaspersky’s antivirus solution that detected the threat, thanks to the Kaspersky Security Network recognizing the malware.

Survival sim starring your computer

The game in question was PirateFi, a survival sim offering users the chance to play as a pirate in both single-player and multiplayer modes. It appears it wasn’t just the players who needed to survive, but their computers too.

PirateFi was touted as the thrifty gamer's Sea of Thieves

PirateFi was touted as the thrifty gamer’s Sea of Thieves

It wasn’t exactly a hit: maybe five concurrent players at peak times, and just 165 subscribers. The exact number of victims is unknown. VG Insights estimates around 1,500, while Gamalytic puts the number of downloads at 859.

The game was found to contain Windows-based malware designed to infect users’ computers and steal sensitive information. The malware, disguised as “Howard.exe,” was programmed to unpack itself into the user’s /AppData/Temp/ directory upon launching the game, subsequently stealing browser cookies and potentially allowing attackers to gain unauthorized access to various online accounts. Several users who downloaded the game reported compromised accounts, password changes, and unauthorized transactions.

In the end, everyone who had played PirateFi on Steam received a notification email about a potential malware threat on their computers. There were no details about the malware or any explanations as to how it had slipped into the app store. So, victims don’t know exactly what ended up on their devices: a miner, a stealer, or something else entirely. Instead, Valve, the company behind Steam, recommended that they run a scan of their computers with a reliable security solution.

Players found the suggestion to “reformat” their operating systems particularly amusing

As for the game’s developers, Seaworth Interactive, there is virtually no information about them online. PirateFi was their debut in the gaming industry, so it’s safe to assume that the malware campaign was intentional. PCMag supported this theory, noting attempts to promote the game through Telegram channels targeting users in the U.S. For example, a job posting for a PirateFi in-game chat moderator was listed. It promised $17 per hour, with payments every two days. This sounded way too good to be true, particularly because moderators in free-to-play games are typically students with a lot of free time, who are usually paid in in-game currency.

PirateFi isn’t the only such case

Malware infiltrated Steam a decade ago as well. Back then, it was Dynostopia players who got hit with a Trojan. The game was in its beta phase and was hosted on Steam Greenlight, which was Valve’s program for indie developers, discontinued in 2017. As for the Trojan, affected users reported that upon downloading the game, their desktops were immediately locked, preventing any access even after a system reboot. Sometime later, they’d discover their Steam profiles had been modified: a proud label declaring them as Dynostopia beta testers would be added, along with a prompt for all their friends to experience this “fantastic” game.

Malware keeps finding its way into apps, including games and Google Play apps. Recently, it has even managed to infiltrate the App Store as well. Thus, mobile gaming faces a much greater challenge than PC gaming, and it’s not a matter of platform moderation. It’s simply a matter of numbers: there are significantly more apps for smartphones than for computers, hence the higher prevalence of malware on mobile platforms. For this reason, we consistently urge smartphone users to pay attention to app reviews and ratings. Although this isn’t a guarantee of safety, as positive ratings can be easily inflated, PC gamers should also heed this advice.

Another way cybercriminals target players is by distributing Trojan-infected mods or cheats. Call of Duty fans are all too familiar with this. Last year, Activision conducted a large-scale investigation to determine how Trojans were ending up on their players’ systems. Among the potential causes suggested by the tech giant was the use of third-party tools, such as mods, cheats, and trainers.

Security tips for gamers

First of all, be vigilant and play fair. Stay away from cheats unless you want to lose your game account and, even worse, have your bank or crypto wallet details on your computer compromised. Stick to tried-and-tested games with lots of reviews — they might be negative, but so long as they’re honest, that’s what matters.

The second, but no less important, piece of advice is to install gaming antimalware. If you’ve played PirateFi or some other obscure title, follow Valve’s advice and install a security solution immediately. Don’t rely on game moderation alone on Steam or any other platform. It might keep you 99% safe from trojanized games, but that last, treacherous 1% could always be the one that gets you. So, do your homework: explore the tests, look at the reviews, and make an informed decision about which option you’ll entrust with your computer’s security.

Kaspersky Premium includes a dedicated gaming mode that busts the myth that antivirus programs cause performance issues on gaming PCs. Here’s how it functions: when you launch a game, Kaspersky Premium temporarily halts its database updates, notification pop-ups, and scheduled system scans. The background protection will save you from unknowingly becoming a beta tester for Dynostopia and other malware disguised as games.

Kaspersky official blog – ​Read More

All the scams and safety tips you need to know about when buying meme coins | Kaspersky official blog

We’ve all heard about cryptocurrencies like blockchain or Bitcoin. What’s less well known is how this market works, why people invest in it, how they earn money, and what mistakes can lead to instant ruin. Our three posts on blockchain and cryptocurrencies, NFTs, and the metaverse cover the crypto basics. Today, we take a dive into a topic made hot by Donald Trump’s victory in the U.S. presidential election: alternative cryptocurrencies such as meme coins.

For those with little time to spare, here’s the TL;DR: Since 2021, the market capitalization of meme coins has fluctuated wildly between $8 billion and $103 billion, with towering ups and crashing downs. The chances of losing money greatly outweigh those of making it, and the number of scams is high even by crypto market standards. So the moral is: don’t invest money that you can’t afford to lose — even into something that bears the name of the current U.S. President.

For those with a little more time on their hands, let’s take a look at some joke cryptocurrencies, explore what — if anything — they have in common with NFTs, and tell you what precautions to take if you’re determined to invest in this high-risk market.

Meme coin market capitalization

Check out how meme-coin market capitalization has changed over the past few years. Source

Meme coins and altcoins — what are they?

Technically, meme coins (aka meme tokens, meme cryptocurrencies) are a type of altcoin; that is — alternative cryptocurrencies. “Alternative” purely in the sense of not being the largest and most widespread  of cryptoassets: Bitcoin and Ethereum. Historically, altcoins tended to be launched as independent blockchain platforms, but today they’re more likely to piggyback an existing popular blockchain platform, such as Solana.

Meme coins with the highest market capitalization

To get a sense of the volatility of the meme coin market, compare the price and capitalization of certain randomly-chosen tokens in three weeks from late January (top) to mid-February (bottom), 2025. Source

In their issuance and circulation mechanisms, most altcoins offer holders some tangible benefits — from low fees and high transaction speeds to pegging to real-world assets. However, meme coins, of which Dogecoin was the first, were initially issued as a joke, and a chance to invest in a fleeting social trend — to show one’s love for a meme, or support for an actor, public figure, or media personality. Although a meme coin is a cryptocurrency, its value is determined primarily by how enthusiastic people are to invest in it. As a result, these crypto assets are prone to sharp price spikes, depending on who wrote what on social media, whether people liked an actor’s new movie, and other such factors.

Meme coins and NFTs — similarities and differences

Both meme coins and NFTs use blockchain technology to store ownership info and transaction history. But unlike cryptocurrencies — where any two coins are equivalent and interchangeable, just like a couple of hundred-dollar bills, each individual NFT is unique, and hence the name: non-fungible tokens. Each token secures ownership of some unique digital asset — imparting collector value to NFTs.

And because collector value is largely subjective, NFTs, like meme coins, are highly susceptible to hype, speculation, and wild price swings.

Top meme coins

This section will age fast, but at the time of posting, the biggest meme coins by market capitalization are Dogecoin (ticker symbol: DOGE), Shiba Inu (SHIB), Pepe (PEPE), OFFICIAL TRUMP (TRUMP), and Bonk (BONK) — with the first exceeding $39 billion, and the last just below $1.5 billion. The TRUMP meme coin was nowhere in the vicinity of this top list a month ago — further proof of just how fickle this market is.

The pack leader, Dogecoin, however, is a real survivor. More than a decade old, its value hovered between $0.0001 and $0.0002 for the first two years, and rarely nudged past $0.01 in the following four. However, after being endorsed by Elon Musk in 2021, it briefly soared to $0.63, before sinking to around $0.06. It spiked again last November to over $0.4 after the presidential victory of the crypto-supporting Trump — over whom Musk appears to have some influence.

Price dynamics of the oldest meme coin, Dogecoin (DOGE)

Price dynamics of the oldest meme coin, Dogecoin (DOGE). Source

TRUMP, MELANIA, and BARRON

The new U.S. President’s family deserves a separate chapter in our story because it perfectly illustrates the essential properties of meme coins.

Just three days before taking office in 2025, Trump announced the launch of his eponymous meme coin, which climbed to $75 in just two days, then halved, and has been steadily falling over the past three weeks — dropping to around $19 at the time of posting. Technically, TRUMP is issued on the Solana blockchain, with a total “mintage” of one billion coins. However, only 200 million were released into circulation, while the rest remained under the control of CIC Digital LLC and Fight Fight Fight LLC — both affiliated with the Trump Organization.

Price dynamics of the OFFICIAL TRUMP meme coin (TRUMP)

Price dynamics of the OFFICIAL TRUMP meme coin (TRUMP). Source

With the issue structured in this way, the Trump Organization can dictate both prices and demand, since it controls significantly more coins than are on the open market. It can make money by selling coins at high prices — both saturating the market and driving prices down. Or it can choose not to sell, and instead wait for an uptick in market sentiment to maximize profits. Value dilution due to increased supply primarily hits those who bought the coins at peak value and hype — favoring both buyers who got the coins cheaply, and those who issued the coin in question.

This approach has drawn criticism from many in the crypto industry, such as Nick Tomaino: “Trump owning 80% and timing launch hours before inauguration is predatory and many will likely get hurt by it”.

Blockchain analysis firm Chainalysis showed that in the first few days after the launch, almost 80% of the 600,000 buyers earned less than $100 on the token, and barely recouped their investment. Tellingly, 50% of TRUMP buyers were crypto first-timers who had only created a wallet and plunged into the market specifically for this deal.

A few weeks later, almost all TRUMP investors were out of pocket. At the same time, a select group of 21 “whales” (buyers of 500,000+ tokens) made over $214 million in the first days of the meme coin’s circulation.

In all fairness, the website distributing the coins does state that buying them represents “an expression of support for, and engagement with, the ideals and beliefs embodied by the symbol $TRUMP”, and is not to be seen as an investment.

Two days after the TRUMP announcement, the First Lady followed suit with the launch of her own meme coin. Having briefly risen above $12, just a day later MELANIA took a downward turn and spent a couple of days at the $3-5 range, before stabilizing at around $1.4. Just as the MELANIA launch news broke, TRUMP plummeted.

Naturally, all this hullabaloo over “political” meme coins could hardly escape the attention of scammers. Blockchain platforms witnessed a mushrooming of tokens with TRUMP as the ticker symbol or in the description — despite having nothing to do with the “official” meme coin.

The most eye-catching was the meme coin in the name of the U.S. president’s youngest son, Barron Trump. Aided by a profile on the Pump.fun website (where anyone can quickly launch their own meme coin) plus a handful of X posts pretending to be related to an investigation and leaked insider information, in just a few hours the unofficial meme token scored a market capitalization of $460 million. However, when proof of “presidential” origin failed to materialize, the token crashed by 95%.

Major meme coin and NFT scams

Rug pull (exit scam). The most common scam associated with newly-issued crypto assets. Scammers mislead buyers about the origins of a particular coin or NFT project and the value of the tokens, sell a bunch of them, and vanish. The purchased tokens remain with the new owners but rapidly depreciate. In the case of meme coins, this scheme is often implemented with a celebrity allegedly issuing their own token, which later turns out to be a hoax. In the case of NFTs, buyers are promised non-existent privileges or collector value. An infamous case was the Baller Ape Club NFT, which led to one of the first indictments for NFT fraud. According to Chainalysis, almost one in 20 tokens issued in 2024 may have been rug pulls; while in 2021, these scams brought crypto investors a total loss of $2.8 billion.

“Namesake” attack. For easy identification on crypto exchanges and other crypto platforms, each token is assigned a unique code known as a ticker — just like on traditional exchanges: BTC, USDT, TRUMP, and so on. But in reality, the buying and selling of tokens is based not on tickers, but on long, hard-to-read smart contract addresses. A common attack exploits this duality. Scammers create their own tokens (altcoins) with a different contract address in the blockchain — but under the same ticker as a popular token, for example, TRUMP. Sometimes the scheme might even work when the ticker is different, and the big-draw name simply appears in the coin description. Such tokens are often launched on a different blockchain where the original coin isn’t traded. All these scenarios boil down to the same thing: the victim buys a totally different crypto asset, which likely has no value.

Website lists the smart contract address for buying TRUMP tokens explicitly. Scammers can forge the website and substitute the smart contract address.

The website selling genuine TRUMP tokens states the associated smart contract address explicitly. However, scammers can create a copy of the website and post a different smart contract address

 

Honeypot tokens. These are tokens whose smart contract doesn’t allow their sale. In other words, you can invest money in them, but not withdraw it. This scam is often combined with the “namesake” attack.

Drainers. Our separate post covers this threat in detail. Thinking they’re buying meme coins or NFTs, victims enter their credentials on a fake website and have their crypto wallets emptied. The bait website either mimics the official one, or offers a fake promotion such as a token airdrop.

Phishing and malware. Under the guise of social media posts by celebrities, messages from technical support, and countless other pretexts, attackers swindle private keys and seed phrases from crypto holders, as well as install malware on their computers and phones to siphon off crypto-related information. The outcome is always the same: the loss of all funds in the crypto wallet.

There are other, more exotic ways of stealing cryptocurrency: hacking old Bitcoin wallets through encryption algorithm bugs, fake hardware crypto wallets, and infected games like Mario Forever or tanks.

There are even Robin Hood scams targeting crypto thieves themselves. A juicy bait is dangled before their eyes — for example, “leaked” credentials of wallets supposedly containing hundreds of thousands of dollars or seed phrases for real crypto wallets — but after paying a “fee” to withdraw the funds, they discover that a withdrawal isn’t possible.

Our blog is home to dozens of other gripping detective stories about crypto scams. Sadly, the list is expanding daily, so subscribe now to keep up to date with all the latest threats.

How not to lose money on crypto, NFTs, and meme coins

  1. Don’t invest in crypto assets if you have any doubts about your financial situation or the stability of global markets, or don’t feel sufficiently qualified.
  2. Don’t invest in crypto assets (or anything else) what you can’t afford to lose.
  3. If you need crypto assets for payment purposes, use coins with low volatility, such as USDT stablecoins, and don’t buy more crypto than you need to settle the account.
  4. If you’re investing in crypto assets for profit, be prepared to closely monitor the market dynamics and react quickly. This is a daily job, all the more so for meme coins — you need to track social media trends and strike when the market is hot. Cryptocurrency speculation (on meme coins in particular) is very strong in Asia, so you may have to adjust your “trading day” to the Far Eastern time zone.
  5. Give preference to projects and tokens that have been on the market for a while and earned a certain reputation.
  6. If buying a newly launched token, make sure it isn’t a rug pull or Ponzi scheme. This will require researching the reputation of the project creators and the token’s technical features. If the project’s smart contracts have been audited, study the results. The lack of such an audit isn’t a red flag per se, but it should put you on your guard. If it’s a meme coin linked to a celebrity, look at their official social media accounts and profiles, and make sure they were actually involved.
  7. Buy tokens on large platforms that have internal standards and comply with legal regulations. Examples include Binance and Coinbase. When getting information about a token, especially its smart contract address, make sure you visit the official site and not a fake. Don’t enter crypto wallet credentials, card details, or other sensitive information on third-party sites.
  8. Carefully check smart contract and crypto wallet addresses to avoid buying a “namesake”.
  9. Be careful when searching for crypto-related sites, news, and social media accounts, and be wary of messages sent to you in email and messaging apps. Crypto investors are frequent targets of phishing and pig butchering
  10. Install comprehensive security solutions on all your devices to protect against malware and websites designed to steal crypto assets. We recommend Kaspersky Premium, which offers additional privacy protection and data-leak monitoring tools, plus the built-in online payment protection system Safe Money.

The information in this article is for informational purposes only and does not constitute investment advice. The instruments discussed may not match your investment profile, financial situation, investment experience, or investment goals.

Kaspersky official blog – ​Read More

ClearML and Nvidia vulns

ClearML and Nvidia vulns

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.   

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.    

ClearML XSS and information disclosure vulnerabilities 

Discovered by Edwin Molenaar of Cisco Meraki.  

ClearML contains two vulnerabilities. ClearML is an open-source AI platform that supports the entire AI development lifecycle from research to production. It is designed to integrate with existing tools and infrastructures, allowing developers and DevOps teams to build, train and deploy models at scale. 

TALOS-2024-2110 (CVE-2024-39272) is a cross-site scripting vulnerability. A specially crafted HTTP request can allow an attacker to upload HTML files to a dataset through an existing ClearML account. The files can later be rendered within the browser of an authenticated ClearML user and execute JavaScript.  

TALOS-2024-2112 (CVE-2024-43779) is an information disclosure vulnerability. A specially crafted HTTP request can lead to an attacker reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP requests to trigger this vulnerability. 

Nvidia memory corruption and heap-based buffer overflow vulnerabilities 

Discovered by Dimitrios Tatsis. 

The nvJPEG2000 library is provided by NVIDIA as a high-performance JPEG2000 encoding and decoding library. The prerequisite is a CUDA enabled GPU in the system that allows faster processing than traditional CPU implementations. 

TALOS-2024-2080 (CVE-2024-0142) and  TALOS-2024-2095 (CVE-2024-0143) are memory corruption vulnerabilities. A specially crafted JPEG2000 file can lead to an out-of-bounds write with arbitrary data which can lead to further memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 

 TALOS-2024-2108 (CVE-2024-0144) and TALOS-2024-2113 (CVE-2024-0145) are heap-based buffer overflow vulnerabilities in the Ndecomp field handling and parameter. A specially crafted JPEG2000 file can lead to memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. 

Cisco Talos Blog – ​Read More

Container security tools and their business benefits | Kaspersky official blog

Three out of four organizations worldwide use hybrid clouds, and three-quarters of them consider their IT migration and modernization projects to be successful. But what is success — and how does a successful IT project affect the business and capabilities of a company? Authors of the Enterprise Application Modernization: A Journey through Container-Based Cloud Architecture Transformation study tried to answer these questions and to summarize the available information on how the transition to cloud and container infrastructure affected the activities of companies that have made this transformation.

The economic arguments in favor of the transition turned out to be weighty. In the studied organizations, IT operating costs decreased by an average of 31%, and infrastructure costs by 45%, including routine maintenance costs that decreased by 52%. More importantly, for the first time in many years, businesses were able to unburden their IT teams from the tasks of supporting old code, and use their resources for new developments. In large organizations, IT services spend up to 80% of the budget on legacy IT support, and the transition to modern infrastructure not only speeds it up, but also frees up additional personnel for innovation. Software update cycles are ultimately accelerated by 65%, ensuring a quick response to market changes and better satisfaction of user needs. The authors call the transition to container and microservice architectures in the cloud environment, as well as automated assembly lines, the “three pillars” of efficiency that are responsible for all these radical improvements.

Part of the study is devoted to information security issues. Thanks to this, you can see what contribution various information security tools make to improving the efficiency of IT development, and what indicators you should strive for in your organization. We decided to analyze the main principles and tools and explain how they’re implemented in the updated version of Kaspersky Cloud Workload Security.

Automatic application and monitoring of information security policies

A key challenge for IT and information security is maintaining visibility and control over all IT assets, and this task has become more complex with the transition to hybrid cloud infrastructure. The diversity of assets and management tools results in increased costs and time spent on managing this “zoo” for the company. Therefore, unification of management, compliance control, creation and application of policies should be one of the priority goals in IT transformation projects. If the selected set of information security tools is able to solve this problem in the company’s cloud infrastructure, IT and information security services will save 73% of the time spent on policy management and achieving security compliance.

The practical embodiment of this principle can be seen in the new version of Kaspersky Cloud Workload Security, a solution that provides comprehensive protection for container infrastructure, cloud servers, and virtual machines. Several tools at once simplify work with policies and give administrators a centralized overview and control over the entire infrastructure. The security analysis function of the orchestrator and its clusters helps quickly find problems by structuring them by problem type. Automatic container profiling allows you to improve the security policies applied in the infrastructure with minimal human intervention, as well as to find abnormally operating containers for detailed analysis.

The unified cloud console of Kaspersky Hybrid Cloud Security provides an overview of the cloud or hybrid infrastructure, and allows security personal to instantly update policies for large groups of IT assets or simultaneously run tasks on them.

As for virtual and physical servers, the lightweight agent that protects them performs several functions related to compliance and security posture in automatic mode: from automatic patch management and system hardening to detailed event logging and the use of a role-based access control system (RBAC).

Container scanning in the DevSecOps pipeline

Integration of automated cybersecurity checks at all stages of development and operation of an IT product is the key to significantly increasing the level of security while reducing the workload of IT and information security teams and improving all metrics of the IT system’s “health”. Companies that have implemented a comprehensive approach to container security report a 79% reduction in the number of security-related incidents, and the elimination of 94% of known vulnerabilities at the stages before the deployment of the IT system. As a result, it’s possible to reduce the risk of incidents in the operated system by 89%, the risk of failure at the deployment stage by 68%, and at the same time reach a 99.97% level of unification of the configuration of similar containers. The unification is important because scanning containers is used not only to check for component vulnerabilities and malware, but also the for detection of insecure configurations, as well as typical developer errors, such as API keys and other secrets embedded directly in the code. Kaspersky Cloud Workload Security also implements integration with the HashiCorp Vault, allowing you to securely store solution secrets in this secrets manager software. Kaspersky Cloud Workload Security supports control of container image signatures, and integrates all checks directly with the DevOps pipeline, which helps developers not to take malicious and vulnerable images as a basis of their projects, as well as interrupt the process product development if critical security defects are detected. In general, KCWS helps the development team implement a shift-left approach, in which testing and quality assurance are performed at the early stages of development, including verification of APIs, container configurations, and microservice interactions. All this allows you to find and fix errors earlier, reducing the cost of maintaining and testing of the final product.

Effective monitoring of running processes

Despite numerous preliminary checks of images, runtime environments, and other infrastructure components, monitoring running containers, virtual servers, and the computing environment in which all this occurs remains a critical security task. According to the authors of the study, these measures allow detecting 87% of threats in the first half-minute after their occurrence, and preventing 96% of unauthorized access attempts.

Monitoring results in significant costs: additional computing load on cloud services, multiplied by the number of servers and clusters, as well as man-hours of SOC specialists. Therefore, computing and cost efficiency are critical requirements for both the containerization infrastructure itself and its security system.

This aspect is carefully thought out in Kaspersky Cloud Workload Security. For virtual and physical servers, Light Agent technology saves up to 30% of computing resources in a private cloud, and in a container infrastructure, security agents are launched in separate containers to prevent the performance degradation of the entire cluster. The system has excellent scalability and can protect clusters with up to ten thousand nodes.

Savings start right from the installation of the product — from flexible licensing terms adapted to a specific infrastructure, to effective security settings and rules “out of the box” that reduce the time of initial setup significantly.

Rapid incident response

How to prepare for a situation when an attacker has successfully penetrated the system? In this case, the information security team should have playbooks for incident response, and information security systems should provide the necessary tools. In an IT infrastructure equipped with a comprehensive cloud security system, the response time (MTTR), according to research, is reduced by an impressive 71%. The real difference can be seen in the example of a fast ransomware attack: will it be considered a routine information security incident, or a full-scale paralysis of the entire business for several days or weeks?

To simplify response, the new version of Kaspersky Cloud Workload Security has a container forensic function that permits investigating policy violations and gaining deeper insight into both specific violating events and events that occurred in a close time frame. Event logs in a running container have additional fields that are often needed when investigating an incident. Protection and logging are also carried out on the orchestrator nodes. In addition, event logs can now be sent directly from agents to SIEM systems. Comprehensive logging simplifies detection of the source of an attack, helps compare events that are registered during this attack, or detects vulnerabilities and other risks.

The transition to container and cloud infrastructures usually begins with economic necessity and the requirements of a competitive market. But in order to successfully make the transition and get the promised benefits, it’s important not to outweigh them by creating new high cyber-risks, or implementing an information security approach that will be economically ineffective. These negative scenarios can be avoided by implementing a comprehensive and well-scalable cloud security system, such as Kaspersky Cloud Workload Security.

Kaspersky official blog – ​Read More

Germany is Strengthening Cybersecurity with Federal-State Collaboration and Digital Violence Prevention 

Cybersecurity

BSI Expands Cybersecurity Cooperation with Hamburg 

Germany continues to strengthen its cybersecurity framework as the Federal Office for Information Security (BSI) and the Free and Hanseatic City of Hamburg formalize their collaboration. The agreement, signed on February 7, at Hamburg City Hall, establishes a structured approach to cyber threat intelligence sharing, incident response coordination, and awareness initiatives for public sector employees. 

BSI Vice President Dr. Gerhard Schabhüser called for the urgency of strengthening cybersecurity across federal and state levels: 

“In view of the worrying threat situation in cyberspace, Germany must become a cyber nation. State administrations and municipal institutions face cyberattacks daily. Attacks on critical infrastructure threaten social order. Germany is a target of cyber sabotage and espionage. Our goal is to enhance cybersecurity nationwide. To achieve this, we must collaborate at both federal and state levels.” 

This partnership is part of a broader federal initiative, with BSI having previously signed cooperation agreements with Saxony, Saxony-Anhalt, Lower Saxony, Hesse, Bremen, Rhineland-Palatinate, and Saarland. These agreements provide a constitutional framework for joint cyber defense efforts, strategic advisory services, and rapid response measures following cyber incidents. 

With cyber threats growing in complexity, state-level cooperation plays a vital role in reinforcing Germany’s cybersecurity resilience, ensuring government agencies, public sector institutions, and critical infrastructure operators have the necessary tools and expertise to prevent, detect, and mitigate cyber threats effectively. 

Addressing Digital Violence 

Days later, on February 11, BSI hosted “BSI in Dialogue: Cybersecurity and Digital Violence” in Berlin, bringing together representatives from politics, industry, academia, and civil society to address the growing risks associated with digital violence in an increasingly interconnected world. 

While cybercriminals typically operate remotely, digital violence introduces a new layer of cyber threats, where attackers exploit personal relationships, home technologies, and social connections to manipulate, monitor, or harm individuals. This includes: 

  • Unauthorized access to smart home devices for spying, stalking, or harassment. 
  • Misuse of digital vulnerabilities to monitor victims or leak personal data. 
  • Exploitation of location tracking features to stalk or control individuals. 

The event initiated several working groups to develop strategic responses to digital violence and was mainly focused on: 

Defining Digital Violence 

  • International research has varied definitions of digital violence, making it difficult to establish a legal and policy framework in Germany. 
  • Experts emphasized the need for a standardized definition to develop measurement tools and track digital violence cases more effectively. 

Technical Support for Victims 

  • The WEISSER RING initiative presented concepts for a technical contact point to assist victims. 
  • Discussions concluded that victims and advisors need greater technical expertise to counter digital violence effectively. 

Corporate Responsibility 

  • Businesses were encouraged to implement protective policies for employees and integrate security-by-design principles in their products to prevent misuse. 
  • Manufacturers and service providers must take accountability for securing digital products against exploitation. 

Empowerment Through Cybersecurity Education 

  • Widespread digital literacy programs can help individuals identify and mitigate digital threats. 
  • BSI-led initiatives will focus on consumer awareness, IT security training, and response strategies for digital violence victims. 

Schabhüser pressed on the human aspect of cybersecurity during the meet: 

“People can only move safely in a digitalized environment if they recognize the opportunities and risks of digital technologies and can overcome challenges through their own actions.” 

BSI’s dual efforts in federal-state cybersecurity collaboration and digital violence prevention reflect Germany’s proactive stance against emerging cyber threats. As cybercriminals adapt and evolve their tactics, both government agencies and individual users must be equipped with the necessary knowledge, tools, and policies to fortify digital resilience. 

Conclusion 

Through structured cooperation, regulatory frameworks, and public awareness programs, BSI aims to build a secure and cyber-resilient society, ensuring state institutions, businesses, and individuals can operate safely in an increasingly digital world. 

References: 

The post Germany is Strengthening Cybersecurity with Federal-State Collaboration and Digital Violence Prevention  appeared first on Cyble.

Blog – Cyble – ​Read More

FBI, CISA Urge Memory-Safe Practices for Software Development 

Software Development 

In a strongly worded advisory, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have urged software developers to cease unsafe development practices that lead to “unforgivable” buffer overflow vulnerabilities. 

“Despite the existence of well-documented, effective mitigations for buffer overflow vulnerabilities, many manufacturers continue to use unsafe software development practices that allow these vulnerabilities to persist,” the agencies said in the February 12 Secure By Design alert. “For these reasons—as well as the damage exploitation of these defects can cause—CISA, FBI, and others designate buffer overflow vulnerabilities as unforgivable defects.” 

The agencies said threat actors leverage buffer overflow vulnerabilities to gain initial access to networks, thus making them a critical point for preventing attacks. 

We’ll look at the prevalence of buffer overflow vulnerabilities, some examples cited by CISA and the FBI, and guidance for secure development and use of memory-safe programming languages. 

Buffer Overflow Vulnerabilities: Prevalence and Examples 

The FBI-CISA guidance specifically mentions the common software weaknesses CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), along with stack-based buffer overflows (CWE-121) and heap-based buffer overflows (CWE-122). 

The phrase “buffer overflow” occurs in 67 of the 1270 vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, or 5.28% of the KEV database. The words “buffer” and “overflow” occur in 84 of the KEV vulnerabilities (6.6%). 

CISA and the FBI cited six examples of buffer overflow vulnerabilities in IT products: 

  • CVE-2025-21333, a Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege vulnerability 
  • CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 
  • CVE-2024-49138, a Windows Common Log File System Driver Elevation of Privilege vulnerability 
  • CVE-2024-38812, a VMware vCenter Server heap-overflow vulnerability 
  • CVE-2023-6549, an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Citrix Systems’ NetScaler ADC and NetScaler Gateway 
  • CVE-2022-0185, a heap-based buffer overflow flaw in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length (the CWE in this case was CWE-190, Integer Overflow or Wraparound). 

“These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution,” the agency guidance said. “Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network.” 

They added that “the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities—especially the use of memory-unsafe programming languages—poses unacceptable risk to our national and economic security.” 

Memory-Safe Software Development 

The agencies urged manufacturers “to take immediate action to prevent these vulnerabilities from being introduced into their products. … Software manufacturer senior executives and business leaders should ask their product and development teams to document past buffer overflow vulnerabilities and how they are working to eliminate this class of defect.” 

Customers should hold manufacturers accountable by requesting a Software Bill of Materials (SBOM) and a secure software development attestation, the FBI and CISA said. 

For development teams, the agencies recommended the following secure by design practices to prevent buffer overflow vulnerabilities: 

  • Memory-safe languages should be used whenever possible “to shift the burden of memory management from the developer to the programming language’s built-in safety features.” They added that developers should never disable or override memory safety guarantees in languages when it’s possible to do so, and that using a memory-safe language in one part of a software package will not fix memory-unsafe code in other libraries. 

  • A phased transition plan for implementing memory-safe languages should be used for upgrading existing codebases while using technologies to limit memory vulnerabilities in existing code. “Ideally, this plan should include using memory-safe languages to develop new code and—over time and when feasible—transition their software’s most highly privileged/exposed code to memory-safe languages,” the agencies said. 

  • Enable compiler flags that implement compile time and runtime protections against buffer overflows to the extent that application performance allows, and “implement canaries that alert if an overflow occurs.” 

  • Conduct unit tests with an instrumented toolchain such as AddressSanitizer and MemorySanitizer that checks source code for buffer overflows and other memory safety issues. 

  • Perform adversarial product testing that includes static analysis, fuzzing, and manual reviews to ensure code safety and quality throughout the development lifecycle. 

  • Publish amemory-safety roadmap that outlines plans to develop new products with memory-safe languages and to migrate older ones based on risk. 

  • Conduct root cause analysis of past vulnerabilities, including buffer overflows,to identify patterns. “Where possible, take actions to eliminate entire classes of vulnerabilities across products, rather than the superficial causes,” the agencies said. 

The alert said eliminating buffer overflow vulnerabilities “can help reduce the prevalence of other memory safety issues, such as format string, off-by-one, and use-after-free vulnerabilities.” 

Conclusion 

As an initial entry point for attackers into a network, the importance of buffer overflow vulnerability prevention can’t be overstated. Development teams would be wise to implement CISA and the FBI’s advice to the maximum extent possible. 

Customers also have a role to play by demanding memory-safe documentation from suppliers. But they also shouldn’t neglect basic cybersecurity practices for the eventual vulnerabilities that will slip past even the most vigilant development teams. Zero trust, risk-based vulnerability management, segmentation, tamper-proof backups and network and endpoint monitoring are all critically important practices for limiting the damage from any cyberattacks that do occur. 

The post FBI, CISA Urge Memory-Safe Practices for Software Development  appeared first on Cyble.

Blog – Cyble – ​Read More

Changing the narrative on pig butchering scams

Changing the narrative on pig butchering scams

Welcome to this week’s edition of the Threat Source Newsletter.

Love is in the air this week. Wait, is that love? Or is it some tech bro with a housing development company (that would totally love to meet in person but can’t this week) emailing you about an investment opportunity in his cryptocurrency scheme?

You may be seeing a lot of ‘Beware of romance/ pig butchering scams’ articles around Valentines Day. This isn’t really one of those. Although, if said tech bro initiates a course of love bombing mixed in with wire transfer requests, report that dude quicker than the roadrunner declares “meep meep”. 

I recently came across an article on The Hacker News that talked about how Interpol is pushing for a “linguistic shift” when it comes to pig butchering scams. They’re advocating for the term to be replaced by ‘romance baiting’.

In a statement, Interpol explained their reasoning:

“The term ‘pig butchering’ dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities,”

Pig butchering originates from a Chinese phrase. Its meaning is derived from “fattening a pig before the slaughter”. When we put that in the context of online scams, the emphasis is on the victim, with some not so nice connotations (and a certain sense of inevitability attached to it). 

By flipping the script and renaming pig butchering as romance baiting, Interpol suggests this could have a positive effect on the psychological nature of being targeted:

“Words matter. We’ve seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognize that our words also matter to the victims of fraud,” INTERPOL Acting Executive Director of Police Services Cyril Gout said.

“It’s time to change our language to prioritize respect and empathy for the victims, and to hold fraudsters accountable for their crimes.”

I wholeheartedly agree. Victim blaming only causes more harm. The more we can do to encourage people to report perpetrators, without feeling a sense of shame, the better. 

What do you think? Will you be changing the narrative the next time you talk about romance scams? Are there any other terms in our industry that potentially put more focus on the victim than the adversary?

Newsletter reader survey

We want your feedback! Tell us your thoughts and five lucky readers will receive Talos Swag boxes.

Launch survey

The one big thing

In the latest Talos Vulnerability Deep Dive, the team picked out something that had caught their attention during an earlier investigation of the macOS printing subsystem: IPP over USB specification, which defines how printers that are available over USB can only still support network printing via Internet Printing Protocol (IPP). During this new investigation, Talos decided to look at how other operating systems handle the same functionality. 

The result? Some pretty good news actually. Although the potential vulnerability Talos discusses in this article is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this as a rare win.

Why do I care?

We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY_SOURCE, saved the day.

So now what?

The modern compiler features detailed above should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. Check out this excellent write up of the vulnerability, and the proof of concept.

Top security headlines of the week

Lawmakers unite to push forward Cyber Force: “A group of House lawmakers are working to keep the idea of creating a Cyber Force at the Pentagon a top cyber policy topic on Capitol Hill this year.” (Politico).

Authorities Disrupt 8Base Ransomware: “The 8Base ransomware group’s infrastructure has been disrupted and leaders have been arrested in an international law enforcement operation, Europol announced.” (Security Week)

Magecart Attackers Abuse Google Ad Tool to Steal Data: “Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.” (Dark Reading).

Update to iOS 18.3.1 Right Now. There’s a ‘Sophisticated Attack’ Risk, Apple Says: “A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.” (Vice).

Can’t get enough Talos?

Google Cloud Platform Data Destruction via Cloud Build

Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 

Catch up on the latest Talos Takes podcast:

Upcoming events where you can find Talos

RSA (April 28-May 1, 2025)
San Francisco, CA

TIPS 2025 (May 14-15, 2025)
Arlington, VA

Most prevalent malware files from Talos telemetry over the week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Typical Filename: c0dwjdi6a.dll


Claimed Product: N/A


Detection Name: Trojan.GenericKD.33515991

 

SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

 

SHA-256: 6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1

MD5: 35f8db3dde368c6d25239d27fd79a4a7

VirusTotal: https://www.virustotal.com/gui/file/6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1/details

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: easysmartpdf.msi

Cisco Talos Blog – ​Read More

Protecting WhatsApp and Telegram accounts from hacking and hijacking in 2025 | Kaspersky official blog

Cybercriminals around the world keep honing their schemes to steal accounts in WhatsApp, Telegram, and other popular messaging apps – and any of us could fall for their scams. Only by becoming a victim of such an attack can you fully appreciate how vital a tool instant messaging has become, and how diverse the damage from hacking a WhatsApp or Telegram account may be. But better not to let it come to that, and to learn to recognize key hijacking scams in order to prevent them in time.

Why hijack your WhatsApp or Telegram account?

A stolen account can be appealing because of its content, access rights, or simply the fact that it’s verified, linked to a phone number, and has a good reputation. Having stolen your Telegram or WhatsApp account, cybercriminals can use it in a variety of ways:

  • To send spam and phishing messages on your behalf to all your contacts – including private channels and communities.
  • To write sob stories to all your friends asking for money. Worse yet – to use AI to fake a voice or video message asking for help.
  • To steal accounts from your friends and family by asking them to vote in a contest, “gifting” them a fake Telegram Premium subscription, or employing some other fraudulent scheme – of which there are many. Coming from someone the recipient knows, messages like this tend to inspire greater trust.
  • To hijack a Telegram channel or WhatsApp community you manage.
  • To blackmail you with the contents of your chats – especially if there’s sexting or other compromising messages.
  • To read your chats quietly, which may have strategic value if you’re a businessman, politician, military or security officer, or civil servant.
  • To upload a new photo to your account, change your name, and use your account for targeted scams: from flirting with crypto investors (pig butchering) to requests from the victim’s boss (boss scams).

Due to this variety of applications, criminals need new accounts all the time, and anyone can become a victim.

WhatsApp, Telegram, and QQ quishing

Scammers used to steal accounts by tricking people into giving them text verification codes (required to log in), or by intercepting these codes. But since this method is no longer as effective, the focus has shifted to trying to link an additional device to the victim’s account. This works best when using phishing schemes based on QR codes – known as quishing.

Attackers either put up their own ads or carefully stick malicious QR codes on top of someone else’s to overlay the legitimate code. They can also print a QR code on a flyer and drop it in a mailbox, post it on a social network or website, or simply send it by email. The pretext can be anything: an invitation to join a neighborhood chat; connect to an office, campus, or school community; download a restaurant menu or claim a discount; or view cinema showtimes or extra information on movies and other events.

The code alone can’t cause your account to be hijacked, but it can lure you to a scam website containing detailed instructions telling you where to click in the messaging app, and what to do after that. The site shows you another, dynamically generated, QR code, which the attackers’ server requests from WhatsApp or Telegram when it asks the service to link a new device to your account. And if you, determined to enjoy every benefit civilization has to offer, decide that another code won’t hurt and follow the instructions, then the device used by the attackers will get access to all your data in the app. In fact, you can see it in the “Devices” or “Linked devices” sections of Telegram or WhatsApp, respectively. However, this attack is designed for those who aren’t very familiar with messaging app settings, and who might not check such submenus regularly. Incidentally, users of QQ, China’s most popular messaging app, are also targeted by similar attacks.

Malicious polls, fraudulent gifts, and girls… undressing

Aside from QR codes, scammers may also attack you by sending seemingly harmless links, such as those for “people’s choice” votes, instant lotteries, or giveaways. On Telegram, they like to mimic the interface used for receiving a Premium subscription as a gift.

Typically, you get to such pages through messages from friends or acquaintances whose accounts have already been compromised by the same scammers. The homepage is always full of catchy phrases like “vote for me” and “claim your gift”.

A variation on the scam involves messages from a “messaging app security service”. You might get contacted by someone using a name like “Security” or “Telegram security team”. They offer to protect your data by transferring your account to a secure account clicking a link and enabling “advanced security options”.

Lastly, you could get an ad for a service or bot that offers something useful or fun – like an AI chatbot or a… nude generator.

There’s another potential scam scenario for Telegram: since 2018, the service has offered website owners authentication of visitors using the Telegram Login Widget. It’s a real, functioning system, but scammers take advantage of the fact that few people know how this authentication is supposed to work – replacing it with a phishing page to steal information.

In any of these scenarios, once you’re through the enticing landing page, you’ll be asked to “sign in to your messaging app”. This procedure might involve scanning a QR code or simply entering your phone number and the OTP code on the website. This part of the website is typically disguised as a standard WhatsApp or Telegram authentication interface – creating the illusion that you’ve been redirected to the official website for login. In reality, the entire process is happening on the attackers’ own site. If you comply and enter the data or scan the code, cybercriminals will immediately gain control of your messaging app account. Your only reward? Some kind of thank-you message like your premium subscription will activate within 24 hours (it won’t; who knew?!).

Hacking a smartphone with a fake WhatsApp or Telegram app

An old yet still effective way to hijack accounts is by using trojanized mods; that is – modified versions of messaging apps. This threat is especially relevant for Android users. You can come across ads touting “improved” versions of popular messaging apps on forums, in groups chats, or simply in search results. WhatsApp mods often promise the ability to read deleted messages and see the statuses of those who hid them, while Telegram fans are promised free Premium features.

Downloading and installing a mod like this infects your phone with malware that can steal the messaging account along with all the other data on the device. Interestingly, Android users can encounter spyware-infected mods even in the “holy of holies”: the official Google Play store.

What happens to a hijacked Telegram or WhatsApp account?

The fate of your hijacked account depends on the attackers’ intentions. If their goal is espionage or blackmail, they’ll just quickly download all your chats for analysis, and you may not notice anything at all.

If cybercriminals want to send fraudulent messages to your contacts, they’ll immediately delete sent messages by using the “delete for me only” feature to make sure you don’t notice anything for as long as possible. However, sooner or later, you’ll start receiving messages from surprised, outraged, or simply vigilant friends, or you yourself will notice traces of an unauthorized presence.

Another consequence of hacking may be the messaging service’s reaction to the spam. If recipients report your messages, your account may become restricted or blocked – preventing you from sending messages for several hours or days. You can appeal the restrictions by using a special button, such as “Request a Review” in the message from the moderators, but it’s best to first ensure that you have exclusive control over your account and wait at least a few hours afterward.

Telegram treats all devices linked to an account equally, which means scammers can take over your entire account and kick you out by disconnecting all your devices. However, to do this, they’d need to remain logged in unnoticed for a whole day: Telegram has a 24-hour waiting period before one can log out other devices from a newly connected account. If you’ve been locked out of your own Telegram account, read our detailed recovery guide.

On WhatsApp, the first device you use to log in to your account becomes the primary one, and other devices are secondary. This means hackers can’t pull off that trick there.

How to protect yourself from WhatsApp and Telegram account hijacking

You can find detailed instructions on how to secure your Telegram, WhatsApp, Signal, and Discord in our separate guides. Let’s go over the general principles again:

  • Be sure to enable two-factor authentication (also variously known as “cloud password” or “two-step verification”) in the messaging app, and use a long, complex, and unique password or passphrase.
  • On WhatsApp, you can choose a passkey instead of a password. This protection is more reliable.
  • Avoid taking part in giveaways and lotteries. Don’t accept gifts that you didn’t expect – especially if you need to log in to some websites through the messaging app to receive them.
  • Learn how legitimate authorization through Telegram looks, and immediately close any websites that look different. To put it simply, during a legitimate authorization process, all you need to do is click the “Yes, I want to go to such-and-such website” button within the Telegram chat with the bot. No scanning or entering of codes is required.
  • Check your WhatsApp and Telegram settings regularly to see what devices are connected. Disconnect any that look old or fishy.
  • Always use official messaging apps downloaded from trusted sources like Google Play or the App Store, Galaxy Store, Huawei AppGallery, and other major app stores.
  • Be more careful with desktop messaging clients – especially at the office.
  • Use a reliable protection system on all your devices to avoid visiting phishing sites or installing malware.

Kaspersky official blog – ​Read More