The internet is vast — and it’s all too easy to end up in the wrong place; especially if you’re a child. That’s why it’s so important to help kids navigate cyberspace and guide them toward safe, age-appropriate content. But how can you know what’s safe or appropriate if you don’t even know what kids are into these days?

This is where Kaspersky Safe Kids comes in. We’ve collected a year’s worth of data from our app, and can now answer that persistent question in every parent’s mind: “What’s my child actually doing online?”

Kaspersky experts have conducted a study to find out what kids are searching for online (including on YouTube), what apps they’re using, which games they love, what music they listen to, and which influencers they follow. You’ll find answers to these and other questions in the full version of the report.

Searching for brainrot memes

We discovered that memes make up 4.87% of the content kids search for on YouTube — a significant percentage. Unsurprisingly, music (21.11%) and influencers (17.17%) are the most popular searches, with cartoons at 6.19% and memes right behind. As for kids’ taste in memes — it’s pretty specific. Right now, brainrot content is hugely popular among children worldwide.

Italian brainrot memes are currently number one with kids all over the world

If you’re an active TikTok user, you might already be familiar with a three-legged shark in sneakers or a crocodile-cum-bomber-plane, and if someone asks you “Who’s stronger: Tralalero Tralala or Tung Tung Tung Sahur?” you’ll be ready to name your favorite. If none of that makes any sense to you, here’s an explanation: these are the main characters of the new brainrot meme wave. They’ve replaced the previous fad of Skibidi Toilet — and kids around the world absolutely love them.

Listening to tunes

Music is by far the most popular children’s search category on YouTube — making up over one-fifth of all their searches. And no major changes to what particular genres they prefer have been noted: kids still listen to things like phonk and nightcore.

As for specific artists, there are some interesting changes. Yes, Taylor Swift and Billie Eilish are still hugely popular — but now they’re sharing the spotlight with Sabrina Carpenter, whose hit Espresso went viral, along with several K-pop stars. The most popular song of all was Like Jennie by South Korean artist Jennie. Meanwhile, the most popular group was BLACKPINK — of which Jennie is a member.

Jennie is an extremely popular Korean artist (it’s not her in the screenshot)

Searching for favorite game content (guess which!)

Gaming influencers took third place in YouTube search popularity (with 17.15% of all searches) and general game content came fourth (with 10.14%). Combined, that makes game content even more popular than music. In Google searches, games ranked second in popularity after streaming platforms — making up 13.27%.

As for which games kids love the most — almost no surprises here: Minecraft, Brawl Stars, Fortnite, Roblox and… Sprunki. Sprunki is a newcomer to this list. We suspect this is just a passing trend and may not be as popular next year. However, for the present at least, YouTube is overflowing with Sprunki videos: content creators are posting let’s plays and creating their own full-fledged cartoons based on the game.

Sprunki has broken into the top YouTube search trends alongside Brawl Stars and Roblox

These same games, as we’ve covered before, are also a common target for scammers. They regularly come up with new schemes promising free skins, in-game currency, or gifts in exchange for in-game actions — but really they’re just trying to trick kids and drain their parents’ credit cards. So if your child is into any of these games, it’s worth telling them about these and other potential dangers.

What else are kids interested in online?

From what we’ve observed, children around the world currently share a fairly common digital environment. They all enjoy the same games, follow the same influencers, listen to the same music, and laugh at the same memes.

One more thing unites them — they tend to adopt new technologies much earlier than most adults. ChatGPT and other popular neural networks have already become a normal part of kids’ online experience. Now, many children even create their own chatbots using Character.ai — just to “chat” with characters from their favorite games, movies, influencers, and other icons.

Helping children navigate cyberspace is the duty of every responsible adult. Of course, it’s parents who know their child best, so we just want to share some general tips.

• Explore Kaspersky Cybersecurity alphabet together— it’ll help your child get used to the basic principles of cyber-hygiene from an early age.
• Install reliable protection on your children’s devices.
• Subscribe to our Telegram channel to keep yourself informed of potential online dangers.
• Read the full version of our report to learn more about what interests kids online.
• Use Kaspersky Safe Kids, which helps protect your child from inappropriate content.

Kaspersky Safe Kids helps you not only flexibly control what your kids are allowed to search for online and how much time they spend per day on certain apps, but also find out in real time where they are, whether they’ve gone beyond the permitted “geofence”, and how much their phones are charged. Parents can view the history of kids’ internet surfing and set up regular reports on the use of their devices. You can find more information on all the features and settings of Kaspersky Safe Kids in our post Keeping kids safe: a new variation on an old theme.

More articles on children’s safety online:

• Do Apple’s new child safety initiatives do the job?
• Parents’ handbook for a kids’ first gadget
• How to talk to your kids about cybersecurity?
• Cyberthreats at school: messengers and social networking
• How scammers attack young gamers

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

In the words of Game Changer host Sam Reich, “And your host, me! I’ve been here the whole time!”  

Okay, maybe it’s not the whole time, but for the past three months, I’ve been settling into my role here at Cisco Talos. Editing blogs, writing and publishing social media posts, and organizing this newsletter every week — I’ve been working behind the scenes to ensure everything runs smoothly and delivers the most helpful information to the cybersecurity community. 

I often get raised eyebrows when I mention that, prior to my last job as a technical writer, I had never worked in STEM. I don’t blame them, because how could someone who had never opened Terminal (and admittedly, up until last month sometimes forgot what it was called) end up with a job offer from Talos? 

My college degree is in anthropology, or the study of humans and culture, past and present. Though my niche research interest was/is Malaysian culture, LGBTQ+ history, and politics (even getting a research grant to travel to peninsular Malaysia for a month), my first career out of college was fundraising for a homeless services nonprofit in Arlington, Virginia. After I moved to another state, I held a content writing position at a startup, where I wrote fundraising letters and emails for a portfolio of over 200 nonprofits.

While I felt invested in these organizations’ missions, I began to feel understimulated. I craved a career that would build on my experiences and skills while giving me the chance to learn and grow in new, exciting ways. While searching for new jobs on LinkedIn, I happened upon a nearby physical layer encryption startup that was seeking a technical writer. I had no clue what the physical layer even was, so I was grateful when they took a chance on hiring me, and found that my background in anthropological research, as well as my ability to adapt content for a lot of different audiences, became a huge asset in technical writing. 

I’ve always said that if I could magically be paid to go to school forever, I would. Technical writing (and its cousins, like my current position) is as close as I can get! After I joined Talos, I found that people here are incredibly kind and very patient. Like Jon Munshaw, the person who held this role before me, my favorite question to Talos researchers is “Can you explain this to me like I’m your grandmother?” Not only does it help me grasp the concepts they’re sharing, but it also helps me find the clearest way to communicate them. 

Talosians are brilliant people, and I’m only human, so it’s easy to feel like you don’t belong when you don’t have a STEM background. In a recent moment of doubt, I remembered that Joe had published a newsletter introduction about imposter syndrome two days after I started at Talos. One line stuck out to me: “You are where you are because others saw value in your work.” 

As I took in the sentence, I realized that it was entirely true. If there’s one thing that I’ve learned over the past few months, it’s that everyone you meet has something to teach and everyone has something to learn. Our collective knowledge and experience are gifts we share with one another. I hope that the content I edit and produce will bring value to you. 

So what kind of content will I bring to this newsletter? You can expect intros that aren’t just informative, but also relatable and engaging. They may even remind you of your beginnings in cybersecurity. I’ll make complex topics feel accessible, highlight the human side of cybersecurity, and share insights that help the community grow stronger. 

At the end of the day, our work isn’t just about threats, but about the humans working tirelessly to defend against them.

The one big thing 

Talos has identified threats disguised as legitimate AI solution installers, including ransomware like CyberLock and Lucky_Gh0$t, and a destructive malware called Numero. These threats highlight how malicious actors are leveraging the rise of AI to distribute harmful software. 

Why do I care? 

Cybercriminals are targeting the trust and excitement around AI tools to deliver malware, which could affect anyone looking to adopt AI for personal or business use, putting their systems and data at risk. Understanding these threats helps you stay vigilant and avoid falling victim to such deceptive tactics. 

So now what? 

Snort SIDs and ClamAV detections are available at the bottom of the blog post. Otherwise, always verify the source of any AI tools or software before downloading, use trusted cybersecurity solutions to protect your systems, and stay informed about emerging threats by keeping up with updates from reliable sources like Cisco Talos.

Top security headlines of the week 

MathWorks, Creator of MATLAB, Confirms Ransomware Attack 
The attack dirsupted MathWorks’ systems and online applications, but it remains unclear which ransomware group targeted the software company and whether they stole any data. (DarkReading) 

Deepfakes, Scams, and the Age of Paranoia 
This hit home, both as a jobseeker within the past year and a young(er) person who’s worried about her parents’ security. I may be able to parse AI portraits with six fingers and hair phasing through their clothes, but have you ever seen a convincing deepfake? (Wired) 

Companies Warned of Commvault Vulnerability Exploitation 
CISA says that the ongoing exploitation of a Commvault vulnerability that was targeted as a zero-day is likely part of a broader campaign against software-as-a-service (SaaS) solutions. (SecurityWeek) 

US student agrees to plead guilty to hack affecting tens of millions of students
A Massachusetts student has agreed to plead guilty to federal charges relating to hacking and extorting one of the largest U.S. education tech companies. PI included names, addresses, phone numbers, Social Security numbers, medical information, and school grades. (TechCrunch)

Can’t get enough Talos? 

UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning January 2025 when initial exploitation first took place. Read the blog here.

The day I found an APT group in the most unlikely place 
In this Dark Reading Confidential episode, Talosian Vitor Ventura shares stories about the tricks he used to track down APTs, and the surprises discovered along the way. Listen to the podcast here.

Upcoming events where you can find Talos 

• Cisco Live U.S. (June 8 – 12) San Diego, CA 
• NIRMA (July 28 – 30) St. Augustine, FL 
• Black Hat USA (Aug. 2 – 7) Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa 
MD5: df11b3105df8d7c70e7b501e210e3cc3 
VirusTotal: https://www.virustotal.com/gui/file/59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa 
Typical Filename: DOC001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA256:3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341 
MD5: b6bc3353a164b35f5b815fc1c429eaab 
VirusTotal: https://www.virustotal.com/gui/file/3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341 
Typical Filename: b6bc3353a164b35f5b815fc1c429eaab.msi 
Claimed Product: n/a  
Detection Name: Simple_Custom_Detection 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
Typical Filename: c0dwjdi6a.dll  
Claimed Product: N/A   
Detection Name: Trojan.GenericKD.33515991 

Cisco Talos Blog – ​Read More

• Cisco Talos has discovered new threats, including the ransomware CyberLock, Lucky_Gh0$t, and a newly-discovered malware we call “Numero,” all of which masquerade as legitimate AI tool installers. 
• CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim’s system. The threat actor deceitfully claims in the ransom note that the payments will be allocated for humanitarian aid in various regions, including Palestine, Ukraine, Africa and Asia. 
• Lucky_Gh0$t ransomware is yet another variant of the Yashma ransomware, which is the sixth iteration of the Chaos ransomware series, featuring only minor modifications to the ransomware binary. 
• The newly-identified destructive malware, Numero, affects victims by manipulating the graphical user interface (GUI) components of their Windows OSs, rendering systems completely unusable. 

AI has increasingly proliferated across various business verticals, leading to a transformation of industries through automation, data-driven decision-making and enhanced customer engagements. However, as AI continues to propel multiple industry sectors forward, malicious actors are exploiting its popularity by distributing a range of malware disguised as AI solutions’ installers and tools.  

Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers, including SEO-poisoning tactics to manipulate search engine rankings and cause their malicious websites or download links to appear at the top of search engine results, as well as platforms such as Telegram or social media messengers. 

As a result, unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded. This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions. Therefore, organizations and users must exercise extreme caution, meticulously verify sources, and rely exclusively on reputable vendors to avoid falling prey to these threats. 

Talos has recently uncovered multiple threats masquerading as AI solutions being circulated in the wild, including the CyberLock and Lucky_Gh0$t ransomware families, along with a newly discovered destructive malware, dubbed “Numero.” The legitimate versions of these AI tools are particularly popular within the B2B sales domain and the technology and marketing sectors, indicating that individuals and organizations in these industries are particularly at risk of being targeted by these malicious threats. 

CyberLock ransomware 

Talos observed a threat actor creating a lookalike fake AI solution website with the domain ‘novaleadsai[.]com’, likely masquerading as the original website domain ‘novaleads.app’, a lead monetization platform designed to help businesses maximize the value of their leads through various services and performance-based models. 

On the fake website, the actor persuades users to download the product with an offer of free access to the tool for the first 12 months, followed with a monthly subscription of $95. The threat actor also used an SEO manipulation technique that made their fake website appear in the top search results for online search engines.   

When a user downloads the fake AI product as a ZIP archive, it contains a .NET executable with the file name ‘NovaLeadsAI.exe’. The executable was compiled on Feb. 2, 2025, which is on the same day the fake domain ‘novaleadsai[.]com’ was created.  

The ‘NovaLeadsAI.exe’ file is the loader that has the CyberLock ransomware PowerShell script embedded as the resource file. When the victim runs the loader executable, it deploys the ransomware. 

CyberLock ransom note 

The CyberLock ransomware appeared to be operating as early as Feb. 2025. The ransom note claims that the threat actor has obtained full access to sensitive business documents, personal files and confidential databases, demanding a hefty ransom in exchange for decryption keys. Victims are instructed to communicate with the threat actor by emailing ‘cyberspectreislocked@onionmail[.]org’. 

The CyberLock threat actor demands that the USD $50,000 ransom be paid exclusively in Monero (XMR) cryptocurrency and employs psychological tactics by falsely claiming that the ransom payments will be used for humanitarian aid in regions like Palestine, Ukraine, Africa and Asia. The actor splits the payment into two separate wallets, complicating defenders’ tracking efforts. 

The ransom note is structured to intimidate and manipulate victims by threatening to expose stolen data if payment is not made within three days. However, Talos did not see any evidence of data exfiltration functionality within the ransomware code. 

CyberLock, the PowerShell ransomware 

CyberLock ransomware is written in PowerShell, embedded with the CSharp code and delivered to the victims as an embedded resource of the .NET loader. 

When CyberLock is executed, it initially uses the functions GetConsoleWindow from kernel32.dll and ShowWindow from user32.dll to hide the PowerShell window. Then it generates a secret by decrypting the encrypted public key and uses it to derive the AES key and IV during the encryption process. 

CyberLock has the capability to elevate privileges and re-execute itself with administrative privileges if it is not already running in an elevated context.   

CyberLocker enumerates folders and files of the logical partitions with the labels ‘C:’, ‘D:’ and ‘E:’. It encrypts the targeted files using AES and appends the file extension ‘.cyberlock’ to the encrypted files.  

The targeted file extensions and the categories are shown below: 

After encrypting the targeted files, CyberLock creates a ransom note on the victim machine desktop with the file name ‘ReadMeNow.txt’. Ransom note contents are written into it from the embedded strings in the ransomware PowerShell script. 

Talos observed that the ransomware actor sets a wallpaper to the victim machine’s desktop after dropping the ransom note. The threat actor downloads a header image from a cybersecurity organization’s blog post to the victim machine user profile applications temporary folder. They configure the path of the downloaded image to the registry key “Wallpaper” and enable the wallpaper through PowerShell commands. Talos not fully certain of the actor’s motive for setting the victim machine’s desktop wallpaper to a security research blog post header image. 

Finally, CyberLock uses the living-off-the-land binary (LoLBin) ‘cipher.exe’ with the ‘/w’ option to erase free space on the victim’s hard drive partitions, hindering forensic recovery of deleted files. 

‘Cipher.exe’ is a built-in Windows command-line tool for managing file and folder encryption. One of its features allows users to prevent recovery of deleted files by overwriting free space with the ‘/w’ option. This was designed by Microsoft for legitimate purposes, such as securely wiping disks before reallocating them or complying with data protection laws to ensure sensitive data is unrecoverable by unauthorized parties.  

Threat actors often misuse this feature to eliminate their malicious footprints or permanently delete files from victim machines. This technique was previously utilized by a Russian APT in their attacks, as noted by Volexity researchers. However, Talos has not observed any indication that this activity is related to the activity described in prior reporting. 

Lucky_Gh0$t ransomware as fake ChatGPT installer  

Talos discovered a threat actor distributing Lucky_Gh0$t ransomware in the wild, archived in a self-extracting archive (SFX) ZIP installer with the file name ‘ChatGPT 4.0 full version – Premium.exe’. 

The malicious SFX installer included a folder that contained the Lucky_Gh0$t ransomware executable with the filename ‘dwn.exe’, which imitates the legitimate Microsoft executable ‘dwm.exe’. The folder also contained legitimate Microsoft open-source AI tools that are available on their GitHub repository for developers and data scientists working with AI, particularly within the Azure ecosystem. The threat actor’s intention in including the legitimate tools in the SFX archive is likely to evade the anti-malware file scanners detections by masquerading as a legitimate package.  

The SFX script executes the ransomware when a victim runs the malicious SFX installer file. 

Lucky_Gh0$t ransomware is the Yashma ransomware variant with most features unchanged, including the evasion techniques, deleting the volume shadow copies and backups, and AES-256 and RSA-2048 encryption techniques. Talos observed a few minor modifications in the Lucky_Gh0$t binary with targeted file size limits that are to be considered by the ransomware during encryption. 

Lucky_Gh0$t targets files on the victim machine that are approximately less than 1.2GB in size and encrypts the files with the RSA-encrypted AES key, appending a 4-digit random alphanumeric characters as the file extension. The targeted files category for encryption include: 

• Text, code and config files 
• Microsoft Office and Adobe files 
• Media formats and images 
• Archives and installers 
• Backup and database files 
• Android package kit, Java Server Pages and Active server pages 
• Certificate files 
• Visual Studio Solutions and PostScripts 

For the targeted files with a size larger than 1.2GB, the ransomware creates a new file the same size of the original file and writes a single character “?” as the file content. It appends a 4-digit random alphanumeric character file extension to the new file and deletes the original file, exhibiting destructive behavior. 

Lucky_Gh0$t ransomware provides a personal ID to the victims in their ransom note. For further communication regarding ransom payment and decryption, it instructs the victims to contact the threat actor using a secure messenger platform at ‘getsession[.]org’ with a unique session ID.

Numero pretending to be an AI video creation tool  

Talos recently discovered a new destructive malware in the wild that we call “Numero,” designed to imitate the AI video creation tool installer, InVideo AI. InVideo AI is an online platform widely used for marketing videos, social media content, explainer videos and presentations. The threat actor impersonates the product and the organization names in the malicious file’s metadata. 

The fake installer is a dropper containing a malicious Windows batch file, VB script and the Numero executable with the file name ‘wintitle.exe’. When the victim runs the fake installer, it drops the malicious components in a folder at the local user profile’s application temporary folder. Then it executes the dropped Windows batch file through Windows shell in an infinite loop. It first runs the Numero malware and then halts the execution for 60 seconds by executing the VB script through cscript.  

After resuming the execution, the batch file terminates the Numero malware process and restarts its execution. By implementing the infinite loop in the batch file, the Numero malware is continuously run on the victim machine. 

Numero’s behavior is consistent with window manipulator malware. Numero is a 32-bit windows executable written in C++ and was compiled on Jan. 24, 2025.  

Numero evades analysis by checking the process handles of various malware analysis tools and debuggers including IDA, x64 debugger, x32debugger, ollydbg, scylla, windbg, reshacker, ImportREC, Immunity debugger, Zeta debugger and Rock debugger. 

Numero malware creates and executes the thread in an infinite loop. The thread code interacts with the Windows GUI and manipulates the victim’s desktop window using the Windows APIs GetDesktopWindow, EnumChildWindows and SendMessageW. It monitors the victim machine desktop window continuously and hooks to the child window created in the victim desktop. Numero overwrites the window title, buttons and contents with the numeric string ‘1234567890’, corrupting the victim machine to become unusable.  

Coverage  

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Snort SIDs for the threats are: 

• Snort 2: 64901, 64902, 64899, 64900, 64897, 64898, 64896 
• Snort 3: 301207, 301206, 301205 

ClamAV detections are also available for this threat:   

• Ps1.Ransomware.CyberLock-10045054-0 
• Win.Dropper.CyberLock-10045058-0 
• Win.Dropper.LuckyGhost-10045078-0 
• Win.Ransomware.LuckyGhost-10045080-0 
• Win.Loader.Numero-10045084-0 
• Win.Dropper.Numero-10045088-0 
• Win.Malware.Numero-10045090-0 
• Win.Malware.Numero-10045093-0 

Indicators of Compromise 

IOCs for this threat can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More