How to detect and defeat spam | Kaspersky official blog

“Hello, this is your distant relative from Nigeria. I’m writing because I have a terminal illness and no other living relatives. My dying wish is to transfer my inheritance of $100 million to you while I still can…” — we’ve all probably received an email like this at some point during our online existence. Originally known as “Nigerian prince” scams, today they bear the label “419” (after the section of the Nigerian Criminal Code dealing with fraud). These days, however, instead of a “Nigerian prince”, you’re more likely to receive a letter from a fake employee of a bank, online store, or delivery service — or even… the President of the United States.

This post looks at the most common types of spam emails, and explains what to do if one lands in your inbox.

Emails from investors, philanthropists, and other rich people

This is perhaps the oldest — and most common — email scam scenario. Even in 2025, benefactors of all stripes are queuing up to hand over their hard-earned cash to you in particular. Such emails are nothing if not formulaic: a fabulously rich individual (a) describes their source of wealth, (b) mentions a problem, and (c) proposes a solution. Let’s take a look at each step in turn:

  • The source of wealth can be anything: an inheritance, an incredibly profitable business in a faraway land, or a discovered crypto wallet worth millions.
  • The problem can also vary — from a fatal disease to a burning desire to donate everything to charity, and your help is needed.
  • The solution is always the same: the money needs to be transferred to your account ASAP.

Of course, if you reply with your deepest condolences and bank details, it’s unlikely that the promised millions will materialize. Instead, the scammers will use every tool in the box to get you to transfer cash to them. For example, this may take the form of an upfront “transfer fee” that they claim, for some reason, to be unable to pay themselves.

Don’t believe such an email, even if it seems to come from the U.S. president. Riding the wave of the Donald Trump phenomenon, spammers have launched a new-old scam in which they email potential victims pretending to be the White House incumbent, who for some reason has decided to give US$15 million to a handful of lucky souls around the world. To claim your millions, you only need to reply to the email, whereupon the fake Donald will ask you to follow a link and enter your bank details, or pay a fee to have the funds transferred to your account.

Delivery scams

Spam arrives from spoofed email addresses of delivery services, marketplaces, and online stores. The message is simplicity itself: “Dear customer, we are having problems with sending your goods and kindly ask that you pay a surcharge for delivery.” You’re asked to pay for delivery by following a link to a web page that asks for your bank details at the very least, and often also your home address. You can find examples of such spam in our Delivery payment fraud post.

There are more complex variations of this scheme. Just as “philanthropists”, “investors”, and “Nigerian princes” spin yarns about their imminent death from COVID-19 as a pretext to make contact, delivery scammers also exploit current events. Last year, for instance, ahead of International Women’s Day, we warned readers of a flower delivery scam: cybervillains introduce themselves as flower-shop employees offering free bouquets — except that delivery charges are covered by the recipient. You guessed it: no one gets any flowers, and the “delivery fee” (as well as the bank card details) is lost.

Compensation scams

If you’ve swallowed the bait once, there’s a high risk you’ll be offered some more — but under a different guise. Masquerading as a bank, law enforcement agency, or international organization, scammers may offer to pay compensation: allegedly you’ve been the victim of fraud and the targeted institution is reaching out to those affected.

Alternatively, the senders of the fake email may pose as “fellow victims” who are seeking out others in the same boat: if we all chip in, they say, we can hire a merry band of Robin Hood hackers who, for a reward, will get all our money back.

Spammers can even pose as top managers of large banks. In this case, the email will weave a tale along the lines of “… bad employees tried to steal your money, but we, the good managers, are ready to compensate you for the inconvenience.” But of course, there’ll be no compensation at all — it’s just a pretext for further extortion.

What to do if spam lands in your inbox

The first step is to identify it as such. Nowadays, most email clients automatically send unsolicited and suspicious messages to the Spam folder, but if one does sneak into your inbox, you need to identify it yourself. Carefully examine the text of the email for spelling and grammar mistakes, check the sender address, and ask yourself a few questions:

  1. Is it relevant to me?
  2. Why has a millionaire uncle I’ve never heard of suddenly got in touch?
  3. Where did they get my email address?
  4. Why should I pay to receive the money?

By answering these four questions honestly, you’ll know whether the email in front of you is spam or not. Here are our tips to reduce the amount of spam in your inbox:

  • Don’t respond. Even if the sender wants to give you a million bucks, buy you a new smartphone, or help you get back something stolen.
  • Don’t disclose personal information. Threat actors can scrape your name, phone number, and email address from a social network where you’ve kindly provided them yourself.
  • Don’t follow suspicious links. It’s quite easy to distinguish real links from fake ones: our Passwords 101: don’t enter your passwords just anywhere they’re asked for post explains how. Easier still is to install reliable protection on all your devices: Kaspersky Premium automatically blocks redirects to malicious sites — keeping you safe.
  • Don’t enter your data. If you impulsively followed a link in an email, or responded to the sender in some way, and now you’re having doubts, don’t under any circumstances enter personal or payment information. A request for such data is the same as hanging out a red flag saying “We are scammers!”
  • Report fraud. Here are the instructions on how to report spam in Gmail, and how to filter messages on Apple devices.
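The “check the sender address” and “why should I pay to receive the money?” checks above can be applied mechanically to a raw message. The script below is an added example, not code from the Kaspersky post: it parses a constructed sample email with Python’s standard `email` module and reports the red flags the post describes (a display name that claims a brand absent from the sending domain, a Reply-To that diverts replies elsewhere, a request for a fee or bank details, and a subject promising a huge sum). The sample message, its domains and the phrase list are all made up for the demonstration.

```python
# Added example: mechanical version of the post's "examine the sender and the ask" advice.
# The sample message and the keyword list below are constructed for illustration.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Phrases typical of advance-fee ("419") and compensation scams (illustrative list).
FEE_PHRASES = ("transfer fee", "processing fee", "delivery fee", "compensation")

SAMPLE_MSG = """\
From: "Bank of America Support" <claims@win-prize-now.example>
Reply-To: payout@another-domain.example
To: victim@example.org
Subject: Inheritance of $100 million awaiting you

Dear beneficiary,
To release the funds please pay a small transfer fee and send your bank details.
"""


def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an e-mail address ('' if none)."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def inspect_message(raw: str) -> list[str]:
    """Return the list of red flags found in the message headers and body."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)

    # 1. Display name claims a brand that does not appear in the sending domain.
    brand = display_name.split()[0].lower() if display_name else ""
    if brand and brand not in from_dom:
        flags.append(f"display name '{display_name}' does not match sender domain '{from_dom}'")

    # 2. Reply-To points somewhere other than the From domain: replies are diverted.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # 3. "Pay to get paid": the message asks for a fee or for bank details.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    for phrase in FEE_PHRASES:
        if phrase in text:
            flags.append(f"asks for a '{phrase}'")
    if "bank details" in text or "account number" in text:
        flags.append("requests bank details")

    # 4. Large round sums in the subject line are a classic 419 tell.
    if re.search(r"\$\s?\d[\d,.]*\s*(million|billion)", msg.get("Subject", ""), re.I):
        flags.append("subject promises a huge sum of money")
    return flags


if __name__ == "__main__":
    for flag in inspect_message(SAMPLE_MSG):
        print("RED FLAG:", flag)
```

A message with no flags is not proof of legitimacy; the checks only encode the questions the post asks, and a real mail filter would add sender authentication results (SPF, DKIM, DMARC) from the Authentication-Results header on top of them.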

Kaspersky official blog – ​Read More

Cyber Attacks on DeepSeek AI: What Really Happened? Full Timeline and Analysis

Less than a month after its launch, DeepSeek has already shaken up the industry, wiped roughly $600 billion off Nvidia’s market value in a single day, and sparked political controversy.  

Now, the AI company is dealing with the consequences of major cyber attacks. As of February 5, DeepSeek is still having trouble letting new users join.  

Let’s review the entire timeline of the attacks and take a closer look at the two botnets, HailBot and RapperBot, blamed for the latest disruptions, using ANY.RUN’s Interactive Sandbox. 

What is DeepSeek 

DeepSeek is an artificial intelligence company based in China and founded in 2023. On January 20, 2025, it released its DeepSeek-R1 reasoning model, and its app quickly gained millions of downloads worldwide.  

The success of the release came down to several factors: 

  • DeepSeek reported performance comparable to OpenAI’s models (the company behind ChatGPT) for a stated training cost of under $6 million. 
  • DeepSeek trained on less-advanced chips and claims its AI operations are up to 50 times cheaper than competitors’. 
  • DeepSeek’s model weights are openly released. 

Cyber Attacks on DeepSeek: Timeline 

January 27 

DeepSeek paused new user registrations, citing “large-scale malicious attacks” on its infrastructure. 

January 28 

Wiz.io reported discovering a publicly accessible ClickHouse database belonging to DeepSeek, which contained users’ chat histories and API keys. This exposure was likely unrelated to the cyber attacks mentioned by DeepSeek. 

January 29 

Global Times revealed that DeepSeek had been facing regular distributed denial-of-service (DDoS) attacks since early January, involving reflection amplification techniques. 

Starting January 22, HTTP proxy attacks began, gradually increasing in frequency and peaking on January 28. These were further accompanied by brute-force attack attempts, which allegedly originated from IP addresses in the United States. 

January 30 

Based on a report by XLab, Global Times disclosed that the latest wave of attacks on DeepSeek involved two botnets, HailBot and RapperBot, both variants of the infamous Mirai botnet.  

The attacks launched early on January 30 used 16 command-and-control (C2) servers and over 100 C2 ports. 

Why Businesses Must Pay Attention 

The cyber attacks on DeepSeek highlight that businesses of all sizes and industries, especially those dependent on extensive digital infrastructure, can be vulnerable to such threats. With botnets like HailBot and RapperBot available as a service, attackers can launch cyber assaults without needing advanced technical skills. 

For companies that rely on AI services, the consequences can be even more severe, including service disruptions, data breaches, and loss of customer trust. As AI becomes more integral to business operations, it is crucial for companies to invest in robust cybersecurity measures.  

How HailBot and RapperBot Botnets Work 

HailBot 

HailBot, named after the string “hail china mainland,” is known for its DDoS attack capabilities. This variant of Mirai exploits vulnerabilities such as CVE-2017-17215, which affects certain Huawei devices.  

HailBot can compromise a wide range of devices and use them to launch distributed denial-of-service attacks. 

Analysis of HailBot in ANY.RUN’s sandbox 

By uploading a sample of HailBot to ANY.RUN’s Interactive Sandbox, we can get a detailed view of how it operates. 


HailBot’s network connections detected by ANY.RUN 

The network traffic shows how the malware connects to its C2 server.

Suricata rule used for detecting HailBot’s C2 activity 

Suricata IDS instantly identifies HailBot’s connection and notifies the user about its activities. 



RapperBot  

RapperBot primarily spreads through SSH brute-force attacks. Its SSH client announces itself with the banner string “SSH-2.0-HELLOWORLD”, which makes it easy to identify on the wire, and it reports valid credentials back to its command and control (C2) server. Once RapperBot compromises a device, it performs several malicious actions: 

  • Replaces the ~/.ssh/authorized_keys file with its own public key, ensuring persistent access to the compromised device. 
  • Adds a superuser account called “suhelper” (UID 0, i.e. root privileges) by writing directly to the /etc/passwd and /etc/shadow files. 
  • Continually scans for more targets using updated credential lists provided by its C2 server. 

RapperBot also includes cryptojacking capabilities through the XMRig Monero miner, allowing it to mine cryptocurrency on compromised devices. 
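The two persistence tricks listed above (a root-equivalent “suhelper” account and a replaced authorized_keys file) are cheap to hunt for on a Linux host. The script below is an added example, not ANY.RUN’s code: it parses /etc/passwd-style text for UID-0 accounts other than root (or any account named suhelper) and compares the SHA256 fingerprints of the keys in an authorized_keys file against an allowlist, computing fingerprints the same way OpenSSH displays them. The passwd lines and the two SSH keys below are constructed samples; on a real host you would feed it the contents of /etc/passwd and each user’s ~/.ssh/authorized_keys.

```python
# Added example: host-side hunt for the RapperBot persistence indicators named in the post.
# All inputs below are constructed samples, not data from a real infection.
import base64
import hashlib

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
suhelper:x:0:0::/:/bin/sh
admin:x:1000:1000:admin:/home/admin:/bin/bash
"""

# Two syntactically valid ed25519 key lines (blobs are filler, not real keys).
GOOD_KEY = "ssh-ed25519 " + "AAAAC3NzaC1lZDI1NTE5AAAAI" + "GoodKey" * 6 + "G" + " admin@jumphost"
EVIL_KEY = "ssh-ed25519 " + "AAAAC3NzaC1lZDI1NTE5AAAAI" + "EvilKey" * 6 + "E" + " root@bot"
SAMPLE_AUTH_KEYS = GOOD_KEY + "\n" + EVIL_KEY + "\n"


def find_rogue_root_accounts(passwd_text: str) -> list[str]:
    """Names of UID-0 accounts other than 'root', plus 'suhelper' at any UID."""
    rogue = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, not a valid passwd entry
        name, uid = fields[0], fields[2]
        if (uid == "0" and name != "root") or name == "suhelper":
            rogue.append(name)
    return rogue


def key_fingerprint(line: str) -> str:
    """SHA256 fingerprint of one authorized_keys line, in OpenSSH's display format."""
    key_b64 = line.split()[1]
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_unknown_keys(authorized_keys_text: str, allowed_fingerprints: set[str]) -> list[str]:
    """Fingerprints present in authorized_keys that are not on the allowlist."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or len(line.split()) < 2:
            continue
        fp = key_fingerprint(line)
        if fp not in allowed_fingerprints:
            unknown.append(fp)
    return unknown


if __name__ == "__main__":
    print("rogue root accounts:", find_rogue_root_accounts(SAMPLE_PASSWD))
    allowed = {key_fingerprint(GOOD_KEY)}  # the fingerprints your team actually issued
    print("unknown SSH keys:", find_unknown_keys(SAMPLE_AUTH_KEYS, allowed))
```

Run it against every user’s authorized_keys file, not just root’s: RapperBot’s brute-forcing lands in whatever account the weak password belonged to.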

After we upload RapperBot’s sample to the sandbox, we can see how it generates significant network traffic.  


The number of connections attempted by RapperBot reached 139,405 in three minutes 

In less than three minutes, nearly 140,000 attempts to establish network connections were recorded.

The sandbox provides a conclusive verdict on the threat along with relevant tags

This high volume of traffic makes these botnets easily detectable in ANY.RUN’s sandbox environment. 


Conclusion 

The cyberattack on DeepSeek underscores the ongoing threat posed by sophisticated botnets like HailBot and RapperBot. As cybersecurity experts continue to analyze the incident, it is crucial for organizations to remain vigilant and proactive in their defense strategies.  

ANY.RUN’s detection capabilities have proven effective in identifying these threats, and we will continue to monitor and report on such incidents. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post Cyber Attacks on DeepSeek AI: What Really Happened? Full Timeline and Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

The biggest supply chain attacks in 2024 | Kaspersky official blog

A supply-chain attack can totally thwart all a targeted company’s efforts to protect its infrastructure. Preventing such attacks is extremely difficult because a significant portion of an attack occurs in infrastructure that’s not within the security team’s control. This makes supply-chain attacks one of the most dangerous threats in recent years, and today we’ll look at some of the biggest that took place in 2024.

January 2024: malicious npm packages stole SSH keys from hundreds of developers on GitHub

The first major supply-chain attack in 2024 involved malicious npm packages uploaded to GitHub in early January. The main purpose of these modules, named warbeast2000 and kodiak2k, was to search infected systems for SSH keys and send them back to the criminals. Some versions of kodiak2k also included a script to launch Mimikatz, a tool used to extract passwords from memory.

In total, attackers managed to publish eight versions of warbeast2000, and over 30 versions of kodiak2k. By the time they were discovered and removed from the repository, the malicious packages had already been downloaded 412 and 1281 times, respectively — meaning potentially hundreds of developers were affected.

February 2024: abandoned PyPI package used to distribute NovaSentinel infostealer

In February, a malicious update was discovered in the django-log-tracker package, which was hosted on the Python Package Index (PyPI). The latest legitimate version of this module was published in 2022, and since then it had been abandoned by its creators. It appears that the attackers managed to hijack the developer’s PyPI account and upload their own malicious version of the package.

The malicious update contained only two files with identical and very simple code; all the original module content was deleted. This code downloaded an EXE file from a certain URL and executed it.

This EXE file was an installer for the NovaSentinel stealer malware. NovaSentinel is designed to steal any valuable information it can find in the infected system, including saved browser passwords, cryptocurrency wallet keys, Wi-Fi passwords, session tokens from popular services, clipboard contents, and more.

March 2024: backdoor implanted in popular Linux distributions using XZ Utils

In late March an incident was reported that could potentially have become the most dangerous supply-chain attack of 2024 with devastating consequences. As part of a sophisticated operation lasting two-and-a-half years, a GitHub user known as Jia Tan managed to gain control over the XZ Utils project — a set of compression utilities included in many popular Linux distributions.

With the project under his control, Jia Tan published two versions of the package (5.6.0 and 5.6.1), both containing the backdoor. As a result, the compromised liblzma library was included in pre-release and rolling-release builds of several Linux distributions.

According to Igor Kuznetsov, head of Kaspersky’s Global Research & Analysis Team (GReAT), the CVE-2024-3094 vulnerability could have become the biggest ever attack on the Linux ecosystem. Had the vulnerability been introduced into stable distributions, we might have seen massive server compromises. Fortunately, CVE-2024-3094 was detected in test and rolling-release distributions, so most Linux users remained safe.

April 2024: malicious Visual Studio projects spread malware on GitHub

In April, an attack targeting GitHub users was discovered in which attackers published malicious Visual Studio projects. To aid their attack, the attackers skillfully manipulated GitHub’s search algorithm. First, they used popular names and topics for their projects. Second, they created dozens of fake accounts to “star” their malicious projects, creating the illusion of popularity. And third, they automatically published frequent updates, making meaningless changes to a file included solely for this purpose. This made their projects appear fresh and up-to-date compared to available alternatives.

Inside these projects, malware resembling Keyzetsu Clipper was hidden. This malware intercepts and replaces cryptocurrency wallet addresses copied to the clipboard. As a result, crypto-transactions on the infected system are redirected to the attackers instead of the intended recipient.

May 2024: backdoor discovered in the JAVS courtroom video recording software

In May, reports emerged about the trojanization of the JAVS (Justice AV Solutions) courtroom recording software. This system is widely used in judicial institutions and other law enforcement-related organizations, with around 10 000 installations worldwide.

A dropper was found inside the ffmpeg.exe file — included in the JAVS.Viewer8.Setup_8.3.7.250-1.exe installer on the official JAVS website. This dropper executed a series of malicious scripts on infected systems, designed to bypass Windows security mechanisms, download additional modules, and collect login credentials.

June 2024: tens of thousands of websites using Polyfill.io delivered malicious code

In late June, the cdn.polyfill.io domain began distributing malicious code to visitors of websites relying on the Polyfill.io service. Users were redirected to a Vietnamese-language sports betting site through a fake domain impersonating Google Analytics (www[.]googie-anaiytics[.]com).

Polyfill.io was originally created by the Financial Times to ensure that websites remain compatible with older or less common browsers. However, in 2024, it was sold to Chinese CDN provider Funnull, along with its domain and GitHub account — and this is where the trouble began.

Over the years, Polyfill.io became very popular. Even at the time of the incident, more than 100 000 websites worldwide — including many high-profile ones — were still using polyfills, even though they’re no longer needed. Following the attack, the original creator of Polyfill.io advised users to stop using the service. However, the script is currently still present on tens of thousands of websites.
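The Polyfill.io incident is the textbook case for auditing which third-party hosts a page loads scripts from, and whether those scripts are pinned with Subresource Integrity (SRI) so that a changed file fails to load instead of running. The script below is an added example, not Kaspersky’s code: it walks the `<script>` tags of a constructed HTML sample with Python’s standard `html.parser`, flags scripts still pulled from cdn.polyfill.io, flags scripts loaded from a lookalike of a well-known host (the fake Google Analytics domain from the post is used as the sample) and reports any third-party script without an `integrity` attribute. The HTML, the brand-host list and the SRI hash in the sample are placeholders.

```python
# Added example: audit a page's external scripts for the Polyfill.io-style failure modes.
# The HTML below is constructed; the integrity value is a placeholder, not a real hash.
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that should no longer be referenced (cdn.polyfill.io per the post).
RETIRED_HOSTS = {"cdn.polyfill.io", "polyfill.io"}
# Well-known hosts whose names attackers imitate (illustrative list, extend as needed).
BRAND_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}

SAMPLE_HTML = """\
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://www.googie-anaiytics.com/analytics.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script> tag with a src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def lookalike_of(host: str):
    """Return the brand host this name imitates, or None (simple edit-similarity check)."""
    for brand in BRAND_HOSTS:
        if host != brand and difflib.SequenceMatcher(None, host, brand).ratio() > 0.88:
            return brand
    return None


def audit_scripts(html_text: str, own_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (finding_kind, src) pairs for every third-party script worth a look."""
    collector = ScriptCollector()
    collector.feed(html_text)
    findings = []
    for src, integrity in collector.scripts:
        host = (urlparse(src).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # first-party script; out of scope for this check
        if host in RETIRED_HOSTS:
            findings.append(("retired-host", src))
        if lookalike_of(host):
            findings.append(("lookalike", src))
        if not integrity:
            findings.append(("no-sri", src))
    return findings


if __name__ == "__main__":
    for kind, src in audit_scripts(SAMPLE_HTML, {"www.example.org"}):
        print(f"{kind:13} {src}")
```

SRI would not have helped a site that wanted the polyfill service to keep updating its bundle, which is exactly why a service that serves code you never review is the wrong dependency to have in the first place; the check is most useful for surfacing those dependencies so they can be removed.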

July 2024: trojanized jQuery version found on npm, GitHub, and jsDelivr

In July, a trojanized version of jQuery — the popular JavaScript library used to simplify interaction with the HTML Document Object Model (DOM) — was discovered. Over the course of several months, the attackers managed to publish dozens of infected packages to the npm registry. The trojanized jQuery was also found on other platforms, including GitHub, and even jsDelivr — a CDN service for delivering JavaScript code.

Despite being compromised, the trojanized versions of jQuery remained fully functional. The main difference from the original library was the inclusion of malicious code designed to capture all user data entered into forms on infected pages and then send it to an attacker-controlled address.

August 2024: infected plug-in for the multi-protocol messenger Pidgin

At the end of August, one of the plug-ins published on the official Pidgin messenger page was found distributing DarkGate — a multi-functional malware that gives attackers remote access to infected systems where they can install additional malware.

Pidgin is an open-source “all-in-one” messenger, allowing users to communicate across multiple messaging systems and protocols without installing separate applications. Although Pidgin’s peak popularity has long passed, it remains widely used among tech enthusiasts and open-source software advocates.

The infected ss-otr (ScreenShareOTR) plug-in was designed for screen sharing over the Off-The-Record (OTR) protocol — a cryptographic protocol for secure instant messaging. This means the attackers specifically targeted users who prioritize privacy and secure communication.

September 2024: hijacking deleted projects on PyPI

In September, researchers published a study exploring the theoretical possibility of hijacking deleted PyPI projects — or rather, their names. The issue arises because after a package is deleted, nothing prevents anyone from creating a new project with the same name. As a result, developers who request updates for the deleted package end up downloading a fake, malicious version instead.

PyPI is aware of this risk, and issues a warning when you try to delete a project:

PyPI warning when deleting a project

When a project is deleted, PyPI alerts its current owner about the potential consequences. Source

In total, the researchers found over 22 000 PyPI projects vulnerable to this attack. Moreover, they discovered that the threat is not just theoretical — this attack method was already observed “in the wild”.

To protect some of the most obvious high-risk targets, the researchers registered the names of certain popular deleted projects under a secure account they created.
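Name reuse of this kind (and the abandoned-package hijack from February) is defeated on the consumer side by pinning exact versions and locking hashes: pip’s `--require-hashes` mode refuses any artifact whose SHA256 does not match the lock file, so a substitute package published under a familiar name fails to install instead of running. The script below is an added example, not from the post or from the researchers: it parses a constructed requirements.txt and reports entries that are not pinned to an exact version or carry no `--hash` lock. The package names are taken from the incidents in this post; the hash values are placeholders.

```python
# Added example: audit a pip requirements file for pinning and hash locks.
# The requirements text is constructed; hashes are placeholders, not real digests.
import re

# name, optional [extras], optional comparison operator, version token
REQ_LINE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?\s*([^\s\\;#]*)"
)

SAMPLE_REQUIREMENTS = """\
# constructed sample: only 'requests' is done right
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
django-log-tracker
pyyaml>=6.0
claudeai-eng==0.1.0
"""


def audit_requirements(text: str) -> list[tuple[str, str]]:
    """Return (package, problem) for every requirement that is unpinned or unlocked."""
    problems = []
    joined = text.replace("\\\n", " ")  # fold backslash continuations into one line
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):
            continue  # blank line or a pip option such as -r / --index-url
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, _extras, op, version = m.groups()
        if op != "==" or not version:
            problems.append((name, "not pinned to an exact version"))
        if "--hash=sha256:" not in line:
            problems.append((name, "no --hash lock"))
    return problems


if __name__ == "__main__":
    for name, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: {problem}")
```

Generate the locked file with a tool such as `pip-compile --generate-hashes` rather than by hand, and run installs with `pip install --require-hashes -r requirements.txt`, which also fails closed if any transitive dependency is missing from the file.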

October 2024: malicious script in the LottieFiles Lottie-Player

In late October, a supply-chain attack targeted the LottieFiles Lottie-Player, a JSON-based library for playing lightweight animations used in mobile and web applications. The attackers simultaneously published multiple versions of Lottie-Player (2.0.5, 2.0.6, and 2.0.7) containing malicious code. As a result, a cryptodrainer appeared on sites that used this library.

At least one major crypto-theft has been confirmed, with the victim losing nearly 10 bitcoins (over US$700 000 at the time of the incident).

November 2024: JarkaStealer found in the PyPI repository

In November, our experts from the Global Research and Analysis Team (GReAT) discovered two malicious packages in the PyPI repository: claudeai-eng and gptplus. These packages had been available on PyPI for over a year — downloaded over 1700 times by users across 30+ countries.

The packages posed as libraries for interacting with popular AI chatbots. However, in reality, claudeai-eng and gptplus only imitated their declared functions using a demo version of ChatGPT. Their real purpose was to install the JarkaStealer malware.

As you might guess from the name, this is an infostealer. It steals passwords and other saved browser data, extracts session tokens from popular apps (Telegram, Discord, Steam), gathers system information, and takes screenshots.

December 2024: infected Ultralytics YOLO11 AI model in PyPI

In December, another AI-themed supply-chain attack was carried out via the PyPI repository. This time, the attack targeted the popular package, Ultralytics YOLO11 (You Only Look Once) — an advanced AI model for real-time object recognition in video streams.

Users who installed the Ultralytics YOLO11 library, whether directly or as a dependency, also unknowingly installed the cryptominer XMRig Miner.

How to protect against supply-chain attacks

For detailed recommendations on preventing supply-chain attacks, check out our dedicated guide. Here are the main tips:

Kaspersky official blog – ​Read More

Release Notes: System Updates, New YARA and Suricata Rules, Signatures, and More

Hello, cybersecurity enthusiasts! 

January may often feel like a slow month, but at ANY.RUN, we’ve been hard at work behind the scenes, focusing on system and threat coverage updates. 

As the new year kicked off, our team dived straight into fine-tuning the platform, optimizing performance, and strengthening detection capabilities. 

Now that February is here, let’s take a look at what we’ve been up to and how these updates enhance your malware-hunting experience. 

System Updates: Keeping Things Running Smoothly 

In January, we focused on making ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup faster, more stable, and overall better for you. 

Our team has been fixing bugs, fine-tuning the system, and optimizing performance so that everything runs like clockwork. These aren’t the kind of changes you immediately notice, but they make a big difference in keeping your malware analysis smooth and hassle-free. 

While January was all about optimizations, stay tuned as we have plenty of exciting updates coming your way soon! 

Threat Coverage Updates 

We continued expanding ANY.RUN’s detection capabilities and strengthening its ability to identify emerging threats. This included adding new malware signatures, refining YARA rules, and enhancing Suricata rule sets to keep up with evolving attack techniques. 

New Malware Signatures 

We’ve introduced new signatures to detect a wide range of malware families. Here are some of the threats we now cover: 



New YARA Rules 

To improve our malware classification and detection precision, we’ve added YARA rules for the following: 

YARA + Signatures 

For even more precise detections, we’ve combined YARA rules and malware signatures to cover: 

APT Detection Updates 

Our threat intelligence team has improved detection capabilities for several APT groups, focusing on domain-related threats: 

  • Patchwork APT 
  • Ducktail APT 
  • Sidewinder APT 
  • ScreenConnect 

Suricata Rule Updates 

We’ve also strengthened our network-based detection capabilities by adding 5,578 new Suricata rules. Notable additions include focused detections for phishing kits such as: 

Helping Businesses Stay Ahead of Cyber Threats 

Businesses can’t afford to fall behind the constantly evolving cyber threats. Attackers are getting smarter, using new techniques to bypass defenses and target organizations with phishing kits and malware.  

That’s why we’re always refining ANY.RUN’s detection capabilities and analysis tools. From spotting emerging malware families to improving APT detection, we’re making sure security teams have the insights they need to stop threats before they cause real damage. 

Cybercriminals adapt fast, but let’s always stay one step ahead. More updates, more improvements, and better ways to protect your business are on the way. Stay tuned! 



The post Release Notes: System Updates, New YARA and Suricata Rules, Signatures, and More appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

New Tria stealer intercepts text messages on Android | Kaspersky official blog

Getting married is certainly one of the most important events in anyone’s life. And in many cultures, it’s customary to invite hundreds of guests to the celebration — including some you barely know. Cybervillains take advantage of such traditions, using wedding invitations as bait to launch attacks on Android smartphone users.

Here’s what threat actors have come up with this time, and how to defeat it.

How weddings and APKs are linked

You may already know about our global threat intelligence network — Kaspersky Security Network (KSN). In 2024, we spotted several suspicious and clearly malicious APK samples circulating in both Malaysia and Brunei. At the same time, social networks were buzzing with Android users of those same countries complaining about having their WhatsApp accounts hacked, or receiving suspicious APKs through WhatsApp or other messenger apps.

Connecting the dots, we deduced that cybercriminals were sending Android users in Brunei and Malaysia wedding invitations in the form of an APK, which victims were urged to install on their own devices themselves. In the message, the attacker begins by apologizing for inviting the recipient to such an important event through WhatsApp rather than in person, then suggests that the user find the time and place of the celebration in the attached file — which turned out to be the same malicious APK that we found in KSN.

Examples of wedding invitations sent by attackers in the Indonesian language

The scheme uses two versions of the same stealer (one appeared in March 2024, the other with added functionality in August), which we’ve called Tria — after the name of the user who appears to be responsible for supporting or even conducting the entire campaign.

What the Tria stealer does

The malware primarily harvests data from text and email messages, but also reads call and message logs that it later sends to the C2 server through various Telegram bots. Naturally, the attackers don’t do this out of their love of reading other people’s correspondence. All stolen data is used to hack victims’ Telegram, WhatsApp, and other accounts, and then message their contacts asking for money. However, an even more unpleasant scenario is possible: attackers could gain access to the victim’s online banking accounts by requesting and intercepting OTP codes needed for login.

To disguise itself, the stealer employs social engineering tactics: hiding behind a gear icon, it mimics a system application to get the permissions it needs from the user. The malware needs ten permissions in total, including access to network activity and sending/reading text messages. For details on what other permissions Tria requests and how exactly the stealer works, see the full post on our Securelist blog.
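The permission set is the quickest triage signal for an APK like this: a “wedding invitation” has no business receiving SMS, reading the call log or starting at boot. The script below is an added example, not Kaspersky’s code and not Tria’s real manifest: it parses a decoded AndroidManifest.xml (for example, as produced by apktool) with Python’s standard XML parser, lists the permissions that enable OTP and message interception, checks whether the app registers a high-priority SMS_RECEIVED receiver (which lets it see a text before the system SMS app does), and flags an application label that imitates a system app. The manifest below is constructed for the demonstration, and the label list is an assumption of the example.

```python
# Added example: triage a decoded AndroidManifest.xml for SMS-stealer traits.
# The manifest and the label list are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read, intercept or abuse correspondence (illustrative map).
INTERCEPT_PERMS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS from the victim's number",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start after reboot",
}
# Labels a malicious app might use to look like a system component (assumed list).
SYSTEM_LOOKALIKE_LABELS = {"settings", "system", "android system", "google play services"}

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Settings" android:icon="@drawable/ic_gear">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the interception-relevant traits of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    risky = {p: INTERCEPT_PERMS[p] for p in perms if p in INTERCEPT_PERMS}

    # A receiver for SMS_RECEIVED with a high priority sees texts before the SMS app.
    sms_receiver_priority = None
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            pr = flt.get(ANDROID_NS + "priority")
            sms_receiver_priority = int(pr) if pr is not None else 0

    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") if app is not None else "") or ""
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "risky": risky,
        "sms_receiver_priority": sms_receiver_priority,
        "mimics_system_app": label.lower() in SYSTEM_LOOKALIKE_LABELS,
    }


def is_sms_stealer_candidate(report: dict) -> bool:
    """Heuristic verdict: SMS permissions plus a registered SMS receiver."""
    has_sms = any(p.endswith("_SMS") for p in report["risky"])
    return has_sms and report["sms_receiver_priority"] is not None


if __name__ == "__main__":
    r = triage_manifest(SAMPLE_MANIFEST)
    print(r)
    print("candidate SMS stealer:", is_sms_stealer_candidate(r))
```

A real build of an app may reference its label through a resource (`@string/app_name`), so resolve resources before comparing labels; the permission and receiver checks do not depend on that.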

It’s known at present that the attacks were limited to users in Malaysia and Brunei, and not targeted at any specific individuals; however, the cybervillains may decide to expand their reach going forward. And when it comes to the bogus invitation that leads to installing the APK, the scope isn’t limited to weddings — future attacks could exploit religious ceremonies, birthdays… you name it. So be vigilant, arm yourself with reliable protection, and read our tips on how to combat this stealer and other malware for Android.

How to guard against the Tria stealer

The simple method of distribution makes it fairly easy to protect yourself against:

  • Never respond to strangers in messenger apps — especially if they ask you to download and install something. Be wary of such messages even if they come from people in your contact list.
  • Never open APKs downloaded from untrusted sources. If you need to install something on your smartphone, always use official app stores (though even these aren’t immune to malware) or developer websites.
  • Install Kaspersky for Android on your smartphone to protect it from Tria.
  • Don’t grant apps more permissions than they need. Be wary of new apps that are permission-hungry.
  • Harden your accounts in other messenger apps and social networks. You can find in-depth guides to privacy settings at the Privacy Checker.

At the end of any scam-themed post, we usually recommend setting up two-factor authentication (2FA) for all applications and services where it’s possible. However, in the fight against Tria, as well as many other Trojans, 2FA with OTP by text isn’t much help: this malware can intercept incoming messages, extract codes from them, and even delete such messages so you never notice anything.

As such, we advise using an authenticator app to generate 2FA codes. Kaspersky Password Manager is the perfect solution — it securely generates OTPs and reliably stores passwords and confidential documents, with the option to sync them across all your devices.

It’s worth noting that stealers are particularly fond of hijacking Telegram accounts. To avoid losing yours, we recommend setting up a Telegram cloud password this very instant, using Kaspersky Password Manager to create and store it. To find out how to configure 2FA, refer to our What to do if your Telegram account is hacked post.

Kaspersky official blog – Read More

Ransomware attacks in 2024 | Kaspersky official blog

You may have noticed a slight drop in the amount of coverage of ransomware on our Kaspersky Daily blog in recent years. Sadly, it’s not that ransomware attacks have stopped. Far from it — such incidents are now so commonplace that they’ve become part of the cyber-furniture. Nevertheless, some ransomware attacks still have the power to shock. In this post, we take you through the ransomware incidents of 2024 that made a lasting impression in terms of scale, impact, or mode of attack…

January 2024: ransomware attack on Toronto Zoo

One of the first major ransomware incidents of 2024 was the January attack on Canada’s biggest zoo, located in Toronto. The zoo’s management was quick to reassure the public that no systems related to animal care were impacted. Indeed, its website and ticketing service were also unaffected, so the zoo continued to welcome visitors as usual.

The official Toronto Zoo website reports a cyberattack and assures that all animals are fine.

It soon transpired that the attackers had stolen a significant amount of zoo employees’ personal information — dating back to 1989. This incident served as yet another reminder that even organizations far removed from critical sectors can become targets of ransomware attacks.

February 2024: $3.09 billion attack on UnitedHealth

February’s attack on the U.S. healthcare insurance giant UnitedHealth would easily claim the “ransomware incident of the year” award if such existed. The attack was in fact carried out on Optum Insight, a UnitedHealth subsidiary that provides technology-enabled services.

Getting granular here, the direct target was Change Healthcare, which has been part of Optum since 2022. This company’s platform serves as a financial intermediary between payers, patients, and healthcare providers. The attack took down over a hundred different Optum digital services. As a result, UnitedHealth was able to process neither electronic payments nor medical applications. Essentially, the company couldn’t perform its core function — causing chaos across the U.S. healthcare system.

The attack’s repercussions were so extensive that UnitedHealth even set up a dedicated website to provide updates about the process of restoring the company’s affected IT systems. The bulk of the restoration work was carried out in the first months after the attack. However, almost a year on, the site continues to post regular updates, and some systems still have the “service partially available” status.

A few days after the attack, the ransomware gang BlackCat/ALPHV claimed responsibility. In addition, they reported stealing 6TB of confidential data — including medical records, financial documents, personal data of U.S. civilians and military personnel, and a wealth of other sensitive information.

UnitedHealth ended up paying the gang a $22 million ransom. And it’s rumored that the company had to pay up again when BlackCat’s accomplices from the RansomHub group claimed they hadn’t received their share and began leaking the stolen data into the public domain.

However, compared to the total financial losses caused by the incident, the ransom was a mere drop in the ocean. UnitedHealth’s own financial reports estimate the damage in Q1 alone at $872 million. As for the total damage for the year 2024, it reached an eye-watering $3.09 billion.

According to the latest reports, the attackers stole medical data of more than 100 million patients, which is approximately one in three U.S. residents!

March 2024: Panera Bread’s week-long outage

In March, ransomware attackers targeted U.S. food-chain giant Panera Bread. The incident knocked out many of its IT systems, including the online ordering service, offline payment system, telephony, website and mobile apps, loyalty program, various internal systems for employees, and other services.

Stub message on the Panera Bread website.

Over 2000 restaurants in the Panera Bread chain continued to operate after the attack — but in stone-age conditions: payment was by cash only; subscription offers (such as unlimited drinks for $14.99 per month) were temporarily unavailable; loyalty program points weren’t awarded; and restaurant staff had to manually coordinate their work schedules with managers. The outage lasted about a week.

During the attack, as we learned three months later, the personal data of Panera Bread employees was stolen. By the looks of it, the company ended up paying a ransom to keep that data from being published.

April 2024: Hunters International attack on Hoya Corporation

Early April saw an attack on Hoya Corporation, the major Japanese optics manufacturer. In an official statement, the company said that the systems of some manufacturing plants, plus the ordering system for several products had been affected.

Hunters International demanded a ransom of $10 million (151.56 BTC at the then exchange rate) from Hoya Corporation.

A week after the incident, it was confirmed as a ransomware attack. The Hunters International ransomware-as-a-service group’s website reported that the attackers had stolen 1.7 million files from Hoya (around 2TB), and demanded a ransom of $10 million.

May 2024: Major disruptions at U.S. healthcare network Ascension

In early May, Ascension, one of the largest healthcare networks in the United States, had some of its systems taken offline due to a “cybersecurity event”. The “event” in question was soon revealed to be a ransomware attack on the organization’s IT infrastructure. The disruption affected electronic medical records, telephony, and systems for ordering tests, procedures, and medications.

As a result, some hospitals run by Ascension couldn’t admit emergency patients, and had to divert ambulances to other facilities. Healthcare workers also reported having to switch to pen and paper and writing out medical referrals from memory.

Restoring the affected electronic systems took over a month. The Black Basta ransomware group claimed responsibility for the attack. The investigation revealed that the root cause of the attack was an employee who downloaded a malicious file onto a company device.

It was revealed in late 2024 that the cybercriminals had stolen the personal data of 5.6 million patients and hospital staff. This data included medical records, payment details, insurance information, social security and ID numbers, addresses, dates of birth, and more. As compensation, Ascension offered all those affected a free two-year subscription to its identity-theft protection service.

June 2024: Ransomware attack on healthcare provider hits London hospitals

In early June, news broke of a ransomware attack on Synnovis, a UK company providing pathology and diagnostic services to several major London hospitals. As a result, over 800 surgeries were canceled and some patients diverted to other facilities.

Major outage reported on the website of Synnovis, a healthcare provider for several major London hospitals.

One of the worst consequences of the attack was that doctors were unable to match donor and patient blood types, forcing them to use the universal blood type O. This quickly led to a shortage.

July 2024: Los Angeles County Superior Court shut down by ransomware

The Los Angeles County Superior Court, the largest single unified trial court in the United States, suspended all 36 courthouses in the county due to a ransomware attack. Both external services (such as the court’s website and the jury duty portal) and internal resources (including the case management system) were impacted.

The Los Angeles courts reopened two days later, but restoring publicly-accessible electronic services took about a week longer. After that, however, the Superior Court stopped updating the public about the incident, so it’s unknown how long it took to restore the courts’ internal systems. It also remains a mystery whether the court paid a ransom or what data the attackers may have gotten away with.

August 2024: Ransomware attack on vodka maker Stoli

In August, a ransomware attack targeted Stoli Group, the producer of Stolichnaya vodka and multiple other beverages. The incident had a serious impact on the company’s IT infrastructure and operations: an ERP system failure meant that all internal processes, including accounting, had to be transferred to manual mode.

In particular, the incident meant that Stoli Group companies couldn’t submit financial statements to creditors — which alleged that the Stoli companies failed to repay a debt of $78 million. Stoli Group had to file for bankruptcy in December.

September 2024: Highline Public Schools closure due to ransomware

In early October, Highline Public Schools, a public school district in the U.S. state of Washington, temporarily closed all 34 of its member schools, which serve more than 17,000 students and employ around 2000 staff. The cyberattack halted all educational activities, including sports events and meetings, for four school days.

About a month after the incident, Highline’s management confirmed that the attack was ransomware-related. Unfortunately, Highline Public Schools officials never disclosed whether any personal information of staff or students had been compromised. As a precaution, however, the district offered all Highline employees one year of free credit and identity monitoring services.

Although the schools were quite quick to reopen, it took a long time to restore the IT infrastructure back to normal operation. Regretfully, more than a month passed before employees and students were finally urged to change their passwords and reinstall the operating system on all school-supplied devices.

October 2024: Ransomware attack on Casio

In early October, Japan’s Casio, the renowned electronics manufacturer, reported unauthorized access to its network. According to its statement, the incident resulted in failure of IT systems and unavailability of certain unspecified services.

Five days later, the ransomware group Underground claimed responsibility for the attack. The group also stole data during the hack, which it posted on its website — including confidential documents, patent information, employees’ personal data, legal and financial documents, project information, and so on. The very next day, Casio confirmed the data theft.

In early 2025, Casio released more details about the number of people whose data had been stolen. According to the company, a total of 8500 people were affected, of which around 6500 were employees, and 2000 were business partners. At the same time, Casio reported not paying a ransom to the attackers and announced that most (but not all) services were already back up and running.

Interestingly, in that same October 2024, Casio was the victim of another successful attack, unrelated to the above ransomware incident.

November 2024: Ransomware attack on Bologna FC

In November, ransomware claimed a rather atypical victim — the Italian soccer club Bologna FC. The club posted on its website an official statement about a ransomware attack, warning that “it is a serious criminal offence” to store or distribute stolen data.

The Italian soccer club Bologna FC website reports a ransomware attack.

The RansomHub group claimed responsibility for the hack. Later, it published the stolen data after the club refused to pay the ransom. According to the attackers, the leaked information included sponsorship contracts, the club’s complete financial history, personal and confidential player data, medical records, transfer strategies, confidential data of fans and club employees, and much more.

December 2024: Ransomware attacks medical tissue and equipment supplier Artivion

In December, Artivion, a global supplier of tissues and equipment for cardiac surgery, announced that its IT infrastructure had been compromised by a cyberattack. The attackers encrypted some of the company’s systems and stole data from affected computers.

According to Artivion, the incident caused “disruptions to some order and shipping processes”, as well as corporate operations. The company also reported being insured against such incidents, but the policy may not fully cover the damage caused by the attack.

How to defend against ransomware attacks

Ransomware continues to evolve, and every year the attacks take on new, complex forms. Therefore, in today’s world, effective protection against ransomware requires a comprehensive approach. We recommend the following security measures:

Kaspersky official blog – Read More

Cyble’s Weekly Vulnerability Update: Critical SonicWall Zero-Day and Exploited Flaws Discovered


Overview

Cyble’s weekly vulnerability insights to clients cover key vulnerabilities discovered between January 22 and January 28, 2025. The findings highlight a range of vulnerabilities across various platforms, including critical issues that are already being actively exploited.

Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to their Known Exploited Vulnerability (KEV) catalog this week. Among these, the zero-day vulnerability CVE-2025-23006 stands out as a critical threat affecting SonicWall’s SMA1000 appliances.

In this week’s analysis, Cyble delves into multiple vulnerabilities across widely used software tools and plugins, with particular attention to SimpleHelp remote support software, Ivanti’s Cloud Services Appliance, and issues within RealHome’s WordPress theme. As always, Cyble has also tracked underground activity, providing insights into Proof of Concepts (POCs) circulating among cyber criminals.

Weekly Vulnerability Insights

1. CVE-2025-23006 – SonicWall SMA1000 Appliances (Critical Zero-Day Vulnerability)

A severe deserialization vulnerability in SonicWall’s SMA1000 series appliances has been identified as a zero-day, impacting systems that are not yet patched. With a CVSSv3 score of 9.8, this vulnerability is critical and allows remote attackers to exploit deserialization flaws, leading to the potential execution of arbitrary code.

This vulnerability was added to the KEV catalog by CISA on January 23, 2025, marking it as actively exploited in the wild. Organizations using SMA1000 appliances should prioritize patching as soon as an official update becomes available.

2. SimpleHelp Remote Support Software Vulnerabilities (Critical and High Severity)

Three vulnerabilities were discovered in SimpleHelp’s remote support software, used by IT professionals for remote customer assistance. These flaws include:

  1. CVE-2024-57726: A privilege escalation vulnerability that allows unauthorized users to gain administrative access due to insufficient backend authorization checks.
  2. CVE-2024-57727: A path traversal vulnerability that could expose sensitive configuration files, including those containing hashed passwords.
  3. CVE-2024-57728: An arbitrary code execution vulnerability that can be exploited by attackers with administrative access to upload malicious files to the server.

These vulnerabilities pose considerable risks to users of SimpleHelp, potentially leading to unauthorized access or full system compromise. The vulnerabilities have been confirmed to be actively exploited, with proof-of-concept code already circulating in underground forums.

3. CVE-2024-8963 – Ivanti Cloud Services Appliance (Critical Administrative Bypass)

Ivanti’s Cloud Services Appliance (CSA) suffers from multiple vulnerabilities that have been chained by threat actors to gain initial access and implant malicious code. The most critical issue is CVE-2024-8963, an administrative bypass flaw that allows unauthenticated attackers to exploit other vulnerabilities in the appliance. Other related flaws include:

  1. CVE-2024-9379: SQL injection vulnerability that permits remote attackers to execute arbitrary SQL commands.
  2. CVE-2024-8190 and CVE-2024-9380: Remote code execution vulnerabilities, allowing attackers to run arbitrary code on vulnerable systems.

The severity of these vulnerabilities has prompted both CISA and the FBI to issue warnings about their active exploitation. Despite patches being available since September 2024, the ongoing exploitation of these vulnerabilities highlights the urgency of updating and patching vulnerable systems.

4. CVE-2024-32444 – RealHome WordPress Theme (Critical Privilege Escalation)

A critical privilege escalation vulnerability in the RealHome WordPress theme allows attackers to register as administrators on affected sites. This flaw enables them to take full control over websites, compromising sensitive data and content. As of January 2025, no patch has been released for this vulnerability, leaving many WordPress sites exposed.

5. CVE-2025-24085 – Apple iOS and macOS (Use-After-Free Zero-Day Vulnerability)

Apple’s iOS and macOS systems are affected by a use-after-free vulnerability in the Core Media component. This zero-day flaw, which has a CVSS score of 7.8, could allow attackers to execute arbitrary code with elevated privileges on affected devices running versions prior to iOS 17.2. While no public exploit code has been observed, the vulnerability remains a serious risk for iOS and macOS users.

Vulnerabilities Under Active Exploitation

Several vulnerabilities continue to be actively exploited, especially in high-value systems used by organizations worldwide. Among them are:

  • CVE-2024-38063: A critical Remote Code Execution (RCE) vulnerability in Windows TCP/IP, triggered by a flaw in IPv6 packet handling. This issue allows attackers to execute arbitrary code remotely, with no user interaction required, making it a “zero-click” vulnerability.
  • CVE-2024-55591: A critical authentication bypass vulnerability affecting FortiOS and FortiProxy versions 7.0.0 through 7.2.12. Attackers exploiting this flaw can bypass authentication mechanisms and gain unauthorized access to affected systems.
  • CVE-2023-32315: This vulnerability affects Ignite Realtime’s Openfire server, allowing unauthenticated attackers to perform path traversal and gain access to sensitive server files.

Cyble also noted a significant incident involving CVE-2025-0411, a critical vulnerability in 7-Zip that allows remote attackers to execute arbitrary code. Proof of concept for this flaw was shared on deep web forums, signaling increased interest among cyber criminals.

Underground Activity and Exploitation Trends

Cyble Research tracked discussions of known vulnerabilities across underground forums and Telegram channels. The most notable trends include:

  • CVE-2025-0411 (7-Zip): This flaw has been weaponized and is being sold on underground forums. Attackers can use it to execute arbitrary code on vulnerable systems.
  • CVE-2024-38063 (Windows TCP/IP): Exploit code for this vulnerability has circulated among threat actors, enabling them to remotely execute code on systems with vulnerable TCP/IP stacks.
  • CVE-2023-32315 (Openfire Server): Malicious actors are actively discussing how to exploit this path traversal flaw to gain unauthorized access to server environments.

Recommendations for Mitigating Exploitation Risks

To mitigate the risks posed by these vulnerabilities, Cyble offers the following recommendations:

  1. Regularly update all software and hardware systems with the latest patches from official vendors. Immediate patching of known exploited vulnerabilities, such as those listed in the KEV catalog, is critical.
  2. Use network segmentation to limit the exposure of critical systems to the internet. This reduces the potential attack surface and helps contain breaches if they occur.
  3. Implement a robust incident response plan, testing it regularly to ensure it aligns with emerging threats. Ensure that your organization is prepared to act quickly in the event of an attack.
  4. Educate employees and administrators on the latest phishing and social engineering tactics and how to recognize malicious activities on their networks.
  5. Enforce MFA across all sensitive systems to add an extra layer of protection against unauthorized access.

Conclusion

This week’s Weekly Vulnerability Insights report highlights the continued risks associated with high-severity vulnerabilities and emphasizes the importance of patching, monitoring, and threat intelligence sharing. Organizations must remain vigilant and ensure their systems are protected from known exploited vulnerabilities and emerging zero-day threats. Cyble’s AI-driven platforms, like Cyble Vision and Cyble Hawk, help organizations stay ahead of evolving threats. Book a free demo today and strengthen your defense against cyber adversaries with Cyble’s cutting-edge cybersecurity solutions.

To access full IT vulnerability and other reports from Cyble, click here.

The post Cyble’s Weekly Vulnerability Update: Critical SonicWall Zero-Day and Exploited Flaws Discovered appeared first on Cyble.

Blog – Cyble – Read More

Dark Web Activity January 2025: A New Hacktivist Group Emerges


Overview

Cyble dark web researchers investigated more than 250 dark web claims by threat actors in January 2025, with more than a quarter of those targeting U.S.-based organizations.

Of threat actors (TAs) on the dark web targeting U.S. organizations during the month, 15 were ransomware groups claiming successful attacks or selling data from those attacks.

Ransomware group claims accounted for about 40% of the Cyble investigations. Most of the investigations examined threat actors claiming to be selling data stolen from organizations, or selling access to those organizations’ networks.

Several investigations focused on cyberattacks orchestrated by hacktivist groups – including a new Russian threat group identified here for the first time.

‘Sector 16’ Teams Up With Russian Hacktivists Z-Pentest

New on the scene is a group calling itself “Sector 16,” which teamed with Z-Pentest – a threat group profiled by Cyble last month – in an attack on a Supervisory Control and Data Acquisition (SCADA) system managing oil pumps and storage tanks in Texas. The groups shared a video showcasing the system interface, revealing real-time data on tank levels, pump pressures, casing pressures, and alarm management features.

Both groups put their logos on the video, suggesting a close alliance between the two (image below).

Sector 16 also claimed responsibility for unauthorized access to the control systems of a U.S. oil and gas production facility, releasing a video purportedly demonstrating their access to the facility’s operational data and systems. The video reveals control interfaces associated with the monitoring and management of critical infrastructure. Displayed systems include shutdown management, production monitoring, tank level readings, gas lift operations, and Lease Automatic Custody Transfer (LACT) data, all critical components in the facility’s operations. Additionally, they were also able to access valve control interfaces, pressure monitoring, and flow measurement data, highlighting the potential extent of access.

Russian hacktivist groups have posted several videos of their members tampering with critical infrastructure control panels in recent months, perhaps more to establish credibility or threaten than to inflict actual damage, although in one case, Z-Pentest claimed to disrupt a U.S. oil well system.

Among other hacktivist groups active in January, pro-Islamic hacktivists Mr. Hamza – who united with Z-Pentest and other pro-Russian groups in European attacks in December – teamed with Velvet Team to claim responsibility for a series of Distributed Denial-of-Service (DDoS) attacks on the U.S. government and military platforms. Targeted systems include a U.S. Army development and communications network, an FBI portal for bank robbery information, and the United States Africa Command’s official platform.

Active Ransomware Groups and Targets

The 15 active ransomware groups observed by Cyble in January included:

  • CL0P
  • INC
  • Lynx
  • Akira
  • Rhysida
  • SafePay
  • RansomHub
  • Monti
  • Qilin
  • BianLian
  • Medusa
  • Cactus
  • FOG
  • LockBit
  • BlackBasta

CL0P has claimed at least 115 victims from attacks on Cleo MFT vulnerabilities.

Victims claimed by the 15 ransomware groups span a wide range of sectors, including a major port, a chip equipment maker, an automotive parts manufacturer, major universities and colleges, state and local police, defense contractors, a casino, a water utility, multiple government agencies, a food company, a plumbing equipment manufacturer, a telecom company, numerous healthcare companies, and more.

Several victims had been targeted previously by other ransomware groups.

Data Breach Claims

Some of the U.S. data breach claims Cyble investigated in January included:

A threat actor offering a SIM-swapping service targeting subscribers of a U.S.-based telecommunications service suggests that the TA may possess unauthorized access to an internal portal that facilitates such swap requests, or may be leveraging insider access.

A TA advertised a web shell and unauthorized admin access to an undisclosed U.S. government website.

Another threat actor offered unauthorized access to an undisclosed ISP, a router manufacturer, a real estate company, and a logistics and transportation organization. The TA claimed to have gained root access to the company’s servers.

One TA advertised data stolen from a large IT company, claiming that the compromised data included source code from private GitHub repos, Docker builds, certificates (private and public keys), and more.

Another TA claimed to be selling unauthorized network access to a subdomain belonging to a major retail corporation for $16,000, claiming that the access could be leveraged to illicitly execute arbitrary commands on the compromised system.

Conclusion

Dark web monitoring is an important tool for detecting leaks early before they escalate into much bigger cyberattacks and data breaches.

Along with cybersecurity best practices such as zero trust, risk-based vulnerability management, segmentation, tamper-proof backups, and network and endpoint monitoring, there are a number of ways organizations can reduce risk and limit any cyber attacks that do occur.

The post Dark Web Activity January 2025: A New Hacktivist Group Emerges appeared first on Cyble.

Blog – Cyble – Read More

Defeating Future Threats Starts Today


Welcome to this week’s edition of the Threat Source newsletter. 

You don’t need me to tell you that security is constantly changing and that more change is on its way. The enthusiastic adoption of new AI systems will inevitably lead to more demands on cybersecurity teams. Not only will these systems need protecting against the same threats which affect current systems, but also against new types of threats that target AI models. We can only expect that attacks designed to subvert AI models and get them to function in ways detrimental to their operators’ interests will become more effective and beneficial to attackers over time. 

The good news is that we can expect AI enabled security systems to help protect against attacks, detect incursions, and orchestrate the remediation of affected systems. However, we must not overlook the fact that people will remain involved and invested in the outcome. Within this AI powered future will be CISOs who will be held responsible for the security of systems. There will also be many analysts tasked with keeping systems operating correctly while trying to anticipate and protect against forthcoming malicious campaigns.

Although we may not be able to predict the nature of attacks in this distant future, we can predict some of the skills that will be necessary to beat these attacks. Threat intelligence skills will be vital to equip future cyber security professionals not only to understand the goals of the threat actors that they face but to situate their attacks within the context of these goals. Armed with this understanding, security teams will be able to make better decisions regarding the allocation and prioritization of resources to best defend against attacks. 

Developing threat intelligence skills within the cyber security professionals of tomorrow begins today. Training up people who are early in their careers and students yet to begin their careers is one of the best investments we can make to build resilience against future threats.

To help skill up future analysts, my colleagues and I, in collaboration with Cisco’s Networking Academy, have developed an introductory course on threat intelligence. The course is free for all (only registration is required) and gives an overview of the domain for someone without prior knowledge, which can serve as a starting point for further study or employment.

For those looking to develop a threat intelligence program as part of their cyber security strategy, we are hosting a technical seminar at Cisco Live EMEA on Sunday February 9th. The session, “Establishing a Threat Intelligence Program, Why its Necessary, What to Expect and How to Go about it [TECSEC-2003]”, will present how managers can set up a threat intelligence team as part of their arsenal against the bad guys, and what can reasonably be expected of it.

The one big thing

One pointer to the nature of future threats against AI systems is a technique used in spam that Talos recently blogged about. Hiding the nature of the content displayed to the recipient from anti-spam systems is not a new technique. Spammers have included hidden text or used formatting rules to camouflage their actual message from anti-spam analysis for decades. However, we have seen an increase in the use of such techniques during the second half of 2024.

Why do I care?

Parsers, which computers require in order to understand text content, view the world very differently from humans. The human eye ignores text in a minuscule font and can’t detect black letters on a black background, but this is not necessarily the case for parsers. Where the human eye sees readily readable text, the parser can see the gibberish that spammers have included to confuse it. Potentially the opposite is also true, with humans seeing gibberish but language parsing software seeing readable text.

Being able to disguise and hide content from machine analysis or from human oversight is likely to become a more important vector of attack against AI systems as they become a larger part of our lives. 

So now what?

Fortunately, the techniques to detect this kind of obfuscation are well known and already integrated into spam detection systems such as Cisco Email Threat Defense. Moreover, the very presence of attempts to obfuscate content in this manner makes it obvious that a message is malicious, so it can be classed as spam.
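A defender-side scanner for the hidden-text trick described above: it splits an HTML mail body into the text a human would see and the text only a parser sees, and flags messages where the invisible share is large. This is an added example, not Talos or Cisco Email Threat Defense code; the sample messages, the thresholds and the style heuristics are constructed assumptions.

```python
"""Flag HTML e-mail bodies whose human-visible text differs from what a parser extracts.

Added example: heuristics and samples are assumptions, not a vendor's detection logic.
"""
import re
from html.parser import HTMLParser

# Elements that never carry a closing tag, so they must not be tracked on the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col",
             "embed", "source", "track", "wbr"}
# Elements whose text a mail client never renders to the reader.
NON_RENDERED = {"script", "style", "head", "title", "template"}
# Minimal colour table; assumed white background when none is declared.
NAMED_COLORS = {"white": "#ffffff", "black": "#000000", "transparent": "#ffffff"}


def normalize_color(value):
    """Return a #rrggbb string for simple colour values, else None."""
    v = NAMED_COLORS.get(value.strip().lower(), value.strip().lower())
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        v = "#" + "".join(ch * 2 for ch in v[1:])
    return v if re.fullmatch(r"#[0-9a-f]{6}", v) else None


def style_hides_text(style, inherited_bg="#ffffff"):
    """True if an inline style would make the element's text invisible to a reader."""
    s = style.lower()
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?(\s|;|$)", s):
        return True
    m = re.search(r"font-size\s*:\s*([0-9.]+)\s*(px|pt|em|rem|%)?", s)
    if m:
        size, unit = float(m.group(1)), m.group(2) or "px"
        if ((unit in ("px", "pt") and size <= 2) or (unit in ("em", "rem") and size <= 0.15)
                or (unit == "%" and size <= 15)):
            return True
    # Foreground colour equal to the background colour (lookbehind skips "background-color").
    fg = re.search(r"(?<![\w-])color\s*:\s*([^;]+)", s)
    bg = re.search(r"background(?:-color)?\s*:\s*([^;]+)", s)
    fg_c = normalize_color(fg.group(1)) if fg else None
    bg_c = normalize_color(bg.group(1)) if bg else inherited_bg
    return fg_c is not None and fg_c == bg_c


class HiddenTextScanner(HTMLParser):
    """Collects text into 'visible' and 'hidden' buckets while walking the element tree."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._stack = []  # one flag per open element: is its text hidden?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hidden = (tag in NON_RENDERED or "hidden" in attrs
                  or style_hides_text(attrs.get("style") or ""))
        # Hidden state is inherited from the enclosing element.
        self._stack.append(hidden or (self._stack[-1] if self._stack else False))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            bucket = self.hidden if (self._stack and self._stack[-1]) else self.visible
            bucket.append(text)


def scan_email_html(html):
    """Split an HTML body into what a human sees and what only a parser sees."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    visible, hidden = " ".join(scanner.visible), " ".join(scanner.hidden)
    total = len(visible) + len(hidden)
    return {"visible": visible, "hidden": hidden,
            "hidden_ratio": (len(hidden) / total) if total else 0.0}


def is_obfuscated(html, ratio_threshold=0.2):
    """Classify a message as hidden-text obfuscated when a meaningful share of its text is invisible."""
    return scan_email_html(html)["hidden_ratio"] >= ratio_threshold


# Constructed sample messages (not real spam): one padded with invisible filler, one clean.
SAMPLE_SPAM = """<html><body style="background:#ffffff">
<p>Your account statement is ready.
<span style="font-size:1px;color:#fff">colorless green ideas sleep furiously</span></p>
<div style="display:none">quarterly audit compliance notice regarding policy</div>
<p>Please review the attached invoice.</p>
</body></html>"""
SAMPLE_CLEAN = "<html><body><p>Team lunch is at noon on Friday.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("spam", SAMPLE_SPAM), ("clean", SAMPLE_CLEAN)):
        result = scan_email_html(body)
        print(f"{name}: hidden_ratio={result['hidden_ratio']:.2f} obfuscated={is_obfuscated(body)}")
        print("  visible:", result["visible"])
        print("  hidden :", result["hidden"] or "<none>")
```

The same split can be fed onward: the visible text is what a content classifier should judge, and a high hidden ratio is itself a strong spam signal, as the paragraph above notes.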

Top security headlines of the week

Another undersea telecommunications cable has been cut in the Baltic (CNN). Organisations need to plan for the effects of a major telecommunications outage or internet bandwidth restriction affecting their business.

Three members of Russia’s GRU have been placed under sanctions for their suspected role in conducting cyber attacks against Estonia in 2020 (SecurityAffairs). Threat actors might try to hide their identities but eventually they will be discovered and held to account for their actions.

A botnet consisting of infected IoT devices is behind the largest ever DDoS attack (Help Net Security). Small network connected devices can easily be overlooked as part of a cyber security strategy, but they can be compromised by threat actors and used for nefarious purposes.

Can’t get enough Talos?

Today we released the new Cisco Talos Quarterly Trends Report, covering incidents from October to December 2024. The big callout? Threat actors increasingly deployed web shells against vulnerable web applications. They primarily exploited vulnerable or unpatched public-facing applications to gain initial access, a notable shift from previous quarters.

Watch Hazel, Joe and Craig break down the report – they discuss hunting down web shells, the Interlock ransomware, and the increasing use of remote access tools within ransomware attacks.

Upcoming events where you can find Talos

Talos team members Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA, Amsterdam, Netherlands, 9-14 February. (Cisco Live EMEA)

Most prevalent malware files of the week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
VirusTotal:https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Typical Filename: VID001.exe
Detection Name: Simple_Custom_Detection
Claimed Product:

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
MD5: 71fea034b422e4a17ebb06022532fdde
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991

Cisco Talos Blog – Read More

How the Banshee stealer infects macOS users | Kaspersky official blog

Many macOS users believe their operating system is immune to malware, so they don’t need to take extra security precautions. In reality, it’s far from the truth, and new threats keep popping up.

Are there viruses for macOS?

Yes — and plenty of ’em. Here are some examples of Mac malware we’ve previously covered on Kaspersky Daily and Securelist:

  • A crypto-wallet-stealing Trojan disguised as pirated versions of popular macOS apps.
The Trojan's installation in macOS

This Trojan’s malicious payload is stored in the “activator”. The cracked app won’t work until it’s launched. Source

We could go on with this list of past threats, but let’s instead now focus on one of the latest attacks targeting macOS users, namely – the Banshee stealer…

What the Banshee stealer does

Banshee is a fully-fledged infostealer. This is a type of malware that searches the infected device (in our case, a Mac) for valuable data and sends it to the criminals behind it. Banshee is primarily focused on stealing data related to cryptocurrency and blockchain.

Here’s what this malware does once it’s inside the system:

  • Steals logins and passwords saved in various browsers: Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex Browser, and Opera.
  • Steals information stored by browser extensions. The stealer targets over 50 extensions – most of which are related to crypto wallets, including Coinbase Wallet, MetaMask, Trust Wallet, Guarda, Exodus, and Nami.
  • Steals 2FA tokens stored in the Authenticator.cc browser extension.
  • Searches for and extracts data from cryptocurrency wallet applications, including Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger.
  • Harvests system information and steals the macOS password by displaying a fake password entry window.

Banshee compiles all this data neatly into a ZIP archive, encrypts it with a simple XOR cipher, and sends it to the attackers’ command-and-control server.
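A simple XOR over a ZIP archive is weak exactly because the archive format gives an analyst known plaintext: every ZIP begins with the local-file-header signature `PK\x03\x04`. The following added example (written for this post, not Banshee's code or Kaspersky's detection logic) shows how an incident responder can recover a short repeating XOR key from a captured upload and list the archive members, which is how one confirms what a stealer actually exfiltrated. The constructed sample archive, the 3-byte key and the assumption that the key is at most 4 bytes long (the length the 4-byte signature can fully determine) are ours; longer keys would need a second known region such as the end-of-central-directory record.

```python
import io
import zipfile

# Known plaintext: a ZIP archive always starts with the local-file-header signature.
ZIP_MAGIC = b"PK\x03\x04"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def analyze_exfil_blob(blob: bytes, max_key_len: int = 4):
    """Recover a short repeating XOR key from an XOR-masked ZIP and list its members.

    Assumption (ours, not a documented Banshee detail): the key is at most
    max_key_len bytes, so the 4-byte signature pins every key byte down.
    Returns None when no candidate key yields a valid archive.
    """
    if len(blob) < len(ZIP_MAGIC):
        return None
    # For the true key: blob[i] ^ ZIP_MAGIC[i] == key[i % len(key)] for i < 4.
    implied = [blob[i] ^ ZIP_MAGIC[i] for i in range(len(ZIP_MAGIC))]
    for k in range(1, max_key_len + 1):
        if any(implied[i] != implied[i % k] for i in range(len(ZIP_MAGIC))):
            continue  # the signature bytes contradict a key of this length
        key = bytes(implied[:k])
        decoded = xor_bytes(blob, key)
        try:
            with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
                if zf.testzip() is not None:  # a member failed its CRC check
                    continue
                members = zf.namelist()
        except Exception:  # BadZipFile / zlib errors mean a wrong key: try the next length
            continue
        return {"key": key, "members": members, "archive": decoded}
    return None


def build_sample_blob():
    """Construct a stand-in for a stealer upload: a ZIP of two harmless text files
    masked with a constructed 3-byte key. Sample data only, nothing real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("system_info.txt", "hostname=demo-mac\nos=macOS (constructed sample)\n")
        zf.writestr("browser/notes.txt", "placeholder for harvested browser data\n")
    key = b"\x5a\xa3\x17"  # constructed key for the demo
    return xor_bytes(buf.getvalue(), key), key


if __name__ == "__main__":
    blob, real_key = build_sample_blob()
    found = analyze_exfil_blob(blob)
    print("recovered key:", found["key"].hex(), "(expected", real_key.hex() + ")")
    print("archive members:", found["members"])
```

In a real investigation the blob comes from a proxy or network capture of the C2 upload; once the key is known the same routine decodes every other upload that used it, turning an opaque exfiltration stream into an inventory of what left the machine.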

In its latest versions, Banshee’s developers have added the ability to bypass the built-in macOS antivirus, XProtect. Interestingly, to evade detection, the malware uses the same algorithm that XProtect uses to protect itself, encrypting key segments of its code and decrypting them on the fly during execution.

How the Banshee stealer spreads

The operators of Banshee primarily used GitHub to infect their victims. As bait, they uploaded cracked versions of expensive software such as Autodesk AutoCAD, Adobe Acrobat Pro, Adobe Premiere Pro, Capture One Pro, and Blackmagic Design DaVinci Resolve.

Banshee stealer distribution on GitHub

The creators of Banshee used GitHub to spread the malware under the guise of pirated software. Source

The attackers often targeted both macOS and Windows users at the same time: Banshee was often paired with a Windows stealer called Lumma.

Another Banshee campaign, discovered after the stealer’s source code was leaked (more on that below), involved a phishing site offering macOS users a download called “Telegram Local” – supposedly designed to protect against phishing and malware. Of course, the downloaded file was infected. Interestingly, users of other operating systems wouldn’t even see the malicious link.

Banshee being spread through a phishing site

A phishing site offers to download Banshee disguised as “Telegram Local”, but only to macOS users (left). Source

The past and future of Banshee

Let’s now turn to Banshee’s history, which is really quite interesting. This malware first appeared in July 2024. Its developers marketed it as a malware-as-a-service (MaaS) subscription, charging $3000 per month.

Business must not have been great, as by mid-August they’d slashed the price by 50% – bringing the monthly subscription down to $1500.

Discounted Banshee stealer announcement

A hacker site ad announcing a discount on Banshee: $1500 instead of $3000 per month. Source

At some point, the creators either changed their strategy, or decided to add an affiliate program to their portfolio. They began recruiting partners for joint campaigns. In these campaigns, Banshee’s creators provided the malware, and the partners executed the actual attack. The developers’ idea was to split the earnings 50/50.

However, something must have gone very wrong. In late November, Banshee’s source code was leaked and published on a hacker forum – thus ending the malware’s commercial life. The developers announced they were quitting the business – but not before attempting to sell the entire project for 1 BTC, and then for $30,000 (most likely having learned of the leak).

Thus, for several months now, this serious stealer for macOS has been available to essentially anyone completely free of charge. Even worse, with the source code also available, cybercriminals can now create their own modified versions of Banshee.

And judging from the evidence, this is already happening. For example, the original versions of Banshee stopped working if the operating system was running in the Russian language. However, one of the latest versions has removed the language check, meaning Russian-speaking users are now also at risk.

How to protect yourself from Banshee and other macOS threats

Here are some tips for macOS users to stay safe:

  • Don’t install pirated software on your Mac. The risk of running into a Trojan by doing so is very high, and the consequences can be severe.
  • This is especially true if you use the same Mac for cryptocurrency transactions. In this case, the potential financial damage could significantly exceed any savings you make on purchasing genuine software.
  • In general, avoid installing unnecessary applications, and remember to uninstall programs you no longer use.
  • Be cautious with browser extensions. They may seem harmless at first glance, but many extensions have full access to the contents of all web pages, making them just as dangerous as full-fledged apps.
  • And of course, be sure to install a reliable antivirus on your Mac. As we’ve seen, malware for macOS is a very real threat.

Finally, a word on Kaspersky security products. They can detect and block many Banshee variants with the verdict Trojan-PSW.OSX.Banshee. Some new versions resemble the AMOS stealer, so they can also be detected as Trojan-PSW.OSX.Amos.gen.

Kaspersky official blog – Read More