The complete story of the 2024 ransomware attack on UnitedHealth

/in

About a year ago, UnitedHealth Group, the U.S. health-insurance giant, was targeted in one of the largest ransomware attacks ever. It had such far-reaching, severe consequences that new details about the attack and its aftermath have continued to emerge since the incident. To mark its anniversary, we’ve compiled a summary of all the data available today.

The ransomware attack on UnitedHealth Group

Before we proceed, let’s briefly introduce this organization to those unfamiliar with it. With a capitalization of approximately $500 billion, UnitedHealth Group is the largest company in the U.S. market for health insurance and healthcare services. It ranks ninth globally in terms of revenue — right after Apple.

UnitedHealth Group comprises two companies. One of them, UnitedHealthcare, focuses on health insurance. The other, Optum, specializes in delivering a broad spectrum of healthcare services ranging from pharmaceuticals and direct medical care to the IT systems underlying healthcare operations.

Optum Insight, one of Optum’s three divisions (and the most profitable), handles the latter. In the fall of 2022, UnitedHealth Group acquired the Change Healthcare platform, and Optum Insight integrated it. This digital platform processes insurance claims — acting as a financial intermediary between patients, healthcare providers, and insurers.

Change Healthcare was the target of the attack. On February 21, 2024, its systems were infected with ransomware — rendering the platform inaccessible. The incident wreaked havoc on the U.S. healthcare system, leaving many patients to shoulder the financial burden of medical expenses as insurance claims couldn’t be processed quickly. Healthcare providers were forced to process bills manually.

Recovering the compromised systems took several months. For instance, the Change Healthcare clearing service didn’t resume full operations until November. UnitedHealth Group even set up a dedicated website to track the restoration efforts. Even now, a year after the attack, the company is still regularly publishing updates on the website, and some systems are still listed as only “partially available”.

Timeline of the attack on UnitedHealth Group

A few months after the incident, on May 1, the CEO of UnitedHealth Group, Andrew Witty, was summoned to testify before Congress. From that testimony, the general public was finally able to learn about how the attack on the company unfolded.

According to Witty, the attack began on February 12. The attackers used compromised credentials to gain access to the Change Healthcare Citrix portal, which was used for remote desktop connections. Two-factor authentication should have stopped them but… it wasn’t enabled. Thus, attackers were able to gain entry simply by using the compromised credentials.

After gaining initial access, they began to move laterally and harvest data. The attackers clearly managed to collect a substantial amount of valuable data within the following nine days. In any case, on February 21, they deployed ransomware — initiating the encryption of Change Healthcare’s systems.

Faced with this situation, UnitedHealth decided to disconnect Change Healthcare data centers from the network to contain the ransomware attack.

Witty argued that the decision effectively prevented the infection from spreading to Optum, UnitedHealthcare, UnitedHealth Group, and any external organizations. However, the complete shutdown of a critical digital platform had a devastating impact on both UnitedHealth Group’s business operations and the broader U.S. healthcare system as a whole.

Thus, the most extensive ransomware attack of 2024 was caused by the absence of two-factor authentication on a remote desktop access portal — precisely the place where it absolutely should have been enabled. As Oregon Senator, Ron Wyden, summarized, “This hack could have been stopped with cybersecurity 101”.

UnitedHealth Group pays up

Several days after the breach, the BlackCat/ALPHV cybercrime gang claimed responsibility for it. The attackers claimed to have exfiltrated 6TB of confidential data — including medical records, financial documents, and personal information belonging to U.S. civilians and military personnel, among other sensitive information.

In March 2024, UnitedHealth Group paid a ransom of $22 million to the gang. But the story didn’t end there: after receiving the ransom, ALPHV feigned having their infrastructure seized by the FBI again. This was likely a ploy to double-cross one of their associates — pocketing the funds and disappearing into the ether.

Said associate claimed ALPHV had failed to give them their cut, and later teamed up with another ransomware gang — RansomHub. That gang made some of the stolen data public in April 2024, and then tried to extort more money from UnitedHealth.

ALPHV website announcing the UnitedHealth breach

Post by RansomHub demanding a second ransom from UnitedHealth Group. Source

It remains unclear whether UnitedHealth ever paid the second ransom, as there was no official confirmation. However, the demand was later removed from RansomHub’s website, and no further leaks of the stolen company data have been observed. Therefore, it can be assumed that the company did, in fact, pay twice. This is even more likely if one considers that the ransom amounts are dwarfed by the massive financial impact the attack had on UnitedHealth Group.

The aftermath of the ransomware attack on UnitedHealth Group

UnitedHealth Group posted $872 million in losses associated with the cyberattack in Q1 2024 alone. The company also estimated in its Q1 report that the annual cost of the breach could reach $1.35 to $1.6 billion.

Those initial estimates proved to be far too optimistic: predicted damage kept growing quarter after quarter, first increasing to $2.3 to $2.45 billion, and then to $2.87 billion.

By the end of the fiscal year, as reported by UnitedHealth Group in January 2025, the incident resulted in a total annual loss of $3.09 billion. Although the damage estimate for 2024 is now finalized, the total damage could still increase substantially as the company continues to deal with the consequences of the attack.

An official estimate of the number of individuals whose data could have been stolen by the cybercriminals took a long time to materialize. It was only eight months after the incident, on October 24, 2024, that UnitedHealth Group finally came up with a tally. It was a mind-boggling figure: 100 million, or nearly a third of the entire population of the United States.

Nevertheless, it would become evident that these estimations were as overly hopeful as the original predictions about the financial losses. Three months later, at the end of January 2025, UnitedHealth Group released an updated report that put the number of those impacted by the breach at 190 million.

Protecting your company against ransomware

Clearly, the most obvious lesson to be learned from the UnitedHealth Group breach is that two-factor authentication is a must for any public-facing service. Otherwise, a single compromised password could cause massive problems and billions of dollars in losses.

Essential as it is, two-factor authentication is by no means sufficient protection against ransomware. Defending corporate infrastructure from ransomware attacks must be multilayered. Here are some additional tips:

Kaspersky official blog – ​Read More

Weathering the storm: In the midst of a Typhoon

/in

Summary

Weathering the storm: In the midst of a Typhoon

Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities.

Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials. The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.

A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders.

No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims. The vulnerabilities in question are listed below. Note that each of these CVEs have security fixes available. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making patching of these vulnerabilities imperative.

Therefore, our recommendation — which is consistent with our standard guidance independent of this particular case—is always to follow best practices to secure network infrastructure.

Activities observed

Credential use and expansion

The use of valid, stolen credentials has been observed throughout this campaign, though it is unknown at this time exactly how the initial credentials in all cases were obtained by the threat actor. We have observed the threat actor actively attempting to acquire additional credentials by obtaining network device configurations and deciphering local accounts with weak password types—a security configuration that allows users to store passwords using cryptographically weak methods. In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers. The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.

Configuration exfiltration

In numerous instances, the threat actor exfiltrated device configurations, often over TFTP and/or FTP. These configurations often contained sensitive authentication material, such as SNMP Read/Write (R/W) community strings and local accounts with weak password encryption types in use. The weak encryption password type would allow an attacker to trivially decrypt the password itself offline. In addition to the sensitive authentication material, configurations often contain named interfaces, which might allow an attacker to better understand the upstream and downstream network segments and use this information for additional reconnaissance and subsequent lateral movement within the network.

Infrastructure pivoting

A significant part of this campaign is marked by the actor’s continued movement, or pivoting, through compromised infrastructure. This “machine to machine” pivoting, or “jumping,” is likely conducted for a couple of reasons. First, it allows the threat actor to move within a trusted infrastructure set where network communications might not otherwise be permitted. Additionally, connections from this type of infrastructure are less likely to be flagged as suspicious by network defenders, allowing the threat actor to remain undetected.

The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom. We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances. Some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.

Configuration modification

We observed that the threat actor had modified devices’ running configurations as well as the subsystems associated with both Bash and Guest Shell. (Guest Shell is a Linux-based virtual environment that runs on Cisco devices and allows users to execute Linux commands and utilities, including Bash.)

Running configuration modifications

  • AAA/TACACS+ server modification (server IP address change)
  • Loopback interface IP address modifications
  • GRE tunnel creation and use
  • Creation of unexpected local accounts
  • ACL modifications
  • SNMP community string modifications
  • HTTP/HTTPS server modifications on both standard and non-standard ports

Shell access modifications

  • Guest Shell enable and disable commands
  • Started SSH alternate servers on high ports for persistent access, such as sshd_operns (on port 57722) on underlying Linux Shell or Guest Shell
    • /usr/bin/sshd -p X
  • Created Linux-level users (modification of “/etc/shadow” and “/etc/passwd”)
  • Added SSH “authorized_keys” under root or other users at Linux level

Packet capture

The threat actor used a variety of tools and techniques to capture packet data throughout the course of the campaign, listed below:

  • Tcpdump – Portable command-line utility used to capture packet data at the underlying operating system level.
    • Tcpdump –i
  • Tpacap – Cisco IOS XR command line utility used to capture packets being sent to or from a given interface via netio at the underlying operating system level.
    • Tpacap –i
  • Embedded Packet Capture (EPC) – Cisco IOS feature that allows the capture and export of packet capture data.
    • Monitor capture CAP export ftp://<ftp_server>
    • Monitor capture CAP start
    • Monitor capture CAP clear

Operational utility (JumbledPath)

The threat actor used a custom-built utility, dubbed JumbledPath, which allowed them to execute a packet capture on a remote Cisco device through an actor-defined jump-host. This tool also attempted to clear logs and impair logging along the jump-path and return the resultant compressed, encrypted capture via another unique series of actor-defined connections or jumps. This allowed the threat actor to create a chain of connections and perform the capture on a remote device. The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure.

Weathering the storm: In the midst of a Typhoon

This utility was written in GO and compiled as an ELF binary using an x86-64 architecture. Compiling the utility using this architecture makes it widely useable across Linux operating systems, which also includes a variety of multi-vendor network devices. This utility was found in actor configured Guestshell instances on Cisco Nexus devices.

Defense evasion

The threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists (ACLs) in place on those devices (see “Infrastructure pivoting” section).

Weathering the storm: In the midst of a Typhoon

The threat actor routinely cleared relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable, to obfuscate their activities. Shell access was restored to a normal state in many cases through the use of the “guestshell disable” command.

The threat actor modified authentication, authorization, and accounting (AAA) server settings with supplemental addresses under their control to bypass access control systems.

Detection

We recommend taking the following steps to identify suspicious activity that may be related to this campaign:

  • Conduct comprehensive configuration management (inclusive of auditing), in line with best practices.
  • Conduct comprehensive authentication/authorization/command issuance monitoring.
  • Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
  • Monitor your environment for unusual changes in behavior or configuration.
  • Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
  • Where possible, develop NetFlow visibility to identify unusual volumetric changes.
  • Look for non-empty or unusually large .bash_history files.
  • Additional identification and detection can be performed using the Cisco forensic guides.

Preventative measures

The following guidance applies to entities in all sectors.

  • Cisco-specific measures
    • Always disable the underlying non-encrypted web server using the “no ip http server” command. If web management is not required, disable all of the underlying web servers using “no ip http server” and “no ip http secure-server” commands.
    • Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
    • If not required, disable the guestshell access using “guestshell disable” for those versions which support the guestshell service.
    • Disable Cisco’s Smart Install service using “no vstack”.
    • Utilize type 8 passwords for local account credential configuration.
    • Use type 6 for TACACS+ key configuration.
  • General measures
    • Rigorously adhere to security best practices, including updating, access controls, user education, and network segmentation.
    • Stay up-to-date on security advisories from the U.S. government and industry, and consider suggested configuration changes to mitigate described issues.
    • Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of-life hardware and software.
      • Select complex passwords and community strings and avoid default credentials.
    • Use multi-factor authentication (MFA).
    • Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
    • Lockdown and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
    • Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
    • Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP(s)).
    • Disable all non-encrypted web management capabilities.
    • Verify existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, Netconf, etc.).
    • Enhance overall credential and password management practices with stronger keys and/or encryption.
      • Use type 8 passwords for local account credential configuration.
      • Use type 6 for TACACS+ key configuration.
    • Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.

Analyst’s comments

There are several reasons to believe this activity is being carried out by a highly sophisticated, well-funded threat actor, including the targeted nature of this campaign, the deep levels of developed access into victim networks, and the threat actor’s extensive technical knowledge. Furthermore, the long timeline of this campaign suggests a high degree of coordination, planning, and patience—standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.

During this investigation, we also observed additional pervasive targeting of Cisco devices with exposed Smart Install (SMI) and the subsequent abuse of CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software. This activity appears to be unrelated to the Salt Typhoon operations, and we have not yet been able to attribute it to a specific actor. The IP addresses provided as observables below are associated with this potentially unrelated SMI activity.

Legacy devices with known vulnerabilities, such as Smart Install (CVE-2018-0171), should be patched or decommissioned if no longer in use. Even if the device is a non-critical device, or carries no traffic, it may be used as an entry door for the threat actor to pivot to other more critical devices.

The findings in this blog represent Cisco Talos’ understanding of the attacks outlined herein. This campaign and its impact are still being researched, and the situation continues to evolve. As such, this post may be updated at any time to reflect new findings or adjustments to assessments.

Indicators of Compromise (IOCs)

IP Addresses:

185[.]141[.]24[.]28

185[.]82[.]200[.]181

Cisco Talos Blog – ​Read More

Katharine Hayhoe: The most important climate equation | Starmus highlights

/in

The atmospheric scientist makes a compelling case for a head-to-heart-to-hands connection as a catalyst for climate action

WeLiveSecurity – ​Read More

How to Identify and Investigate Phishing Kit Attacks

/in

Phishing kits have invested greatly in the popularity of phishing. They drop the entry threshold for cybercriminals enabling even low-skilled hackers to conduct successful attacks.  

In general, a phishing kit is a set of tools for creating convincing fake webpages, sites, or emails that trick users into divulging sensitive information like passwords or credit card credentials. Security specialists should never underestimate this type of malware and fail to be ready to counter its users. 

What Phishkits are made of 

These ready-to-use packages can be basic, with some pre-written code and website and email templates, and they can be advanced phishing-as-a-service (PHaaS) kits that offer more sophisticated and customizable features. These may even contain automated updates or encryption features.  

A typical kit includes:  

  • Website (email, social network pages) templates mimicking legitimate brands (banks, email providers, cloud services, etc.) 
  • Data harvesting scripts that capture input in webpage forms 
  • Automated deployment tools for quick setup 
  • Bypass techniques such as reverse proxies that intercept multi-factor authentication 
  • Server-side components that manage the data collected from victims 

Some notable Phishkits 

  • 16Shop: targeted Apple, PayPal, and Amazon users and was distributed as a subscription service. 
  • Evilginx2: a framework to intercept authentication tokens that helped to bypass MFA. 
  • BulletProofLink: a PHaaS platform that offered pre-hosted phishing pages and even reused stolen credentials to maximize profit. 
Example of a Greatness phishkit attack analyzed in ANY.RUN’s Interactive Sandbox
  • Greatness: targets Microsoft 365 users and can dynamically generate fake login pages customized for the victim. 
  • GoPhish: an open-source framework meant for businesses to test their exposure to phishing by imitating attacks but also used maliciously. 
  • King Phisher: offers advanced features like campaign management and cloning of websites. 
  • Blitz: known for its simplicity and quick creation of phishing webpages. 

Why Phishkits are a serious issue for businesses 

Phishing kits are employed to attack both individuals and organizations, but they represent a specific threat to businesses by inviting wider audience of would-be hackers to the industry, multiplying risks and providing an increased workload to security systems.  
 
Besides, phishing kit attacks make it easier to turn any employee into a soft spot of the cyber security perimeter. Even targeted at people, such attacks are a headache for SOC teams.  
 
The features of phishkits that pose increased risks for organizations are:  
 
Scalability: They allow attackers to automate and run phishing campaigns against thousands of employees simultaneously. 

MFA Bypass: Modern phishkits integrate Adversary-in-the-Middle (AiTM) techniques to steal session cookies, bypassing multi-factor authentication. 

Brand Abuse & Reputation Damage: Phishing pages tend to impersonate well-known brands, leading to loss of their customer trust when credentials are stolen. 

Supply Chain Attacks: Phishkits can be used to target third-party vendors and gain access to corporate networks via compromised partners. 

Defusing Phishkits with Threat Intelligence 

Cyber threat intelligence has long proven useful in countering phishkit-based attacks. It involves gathering, analyzing, and acting upon information about current and emerging threats. For countering phishkits, it enforces:  

  • Early detection: TI helps to collect the indicators of compromise associated with the use of certain phishkits and set up network monitoring for detecting the elements of phishkit infrastructure. 
  • Behavioral Analys: TI is used to analyze patterns and behaviors of phishing campaigns, to identify new kits or variations of known ones before they cause harm. 
  • Proactive Blocking: Intelligence feeds are used to update security systems like firewalls, email gateways, or intrusion detection systems to block known malicious domains or IPs. 
  • Employee Training: By helping to understand phishkits’ anatomy and behavour, TI can facilitate realistic phishing simulations based on actual threats, training staff to recognize and report phishing attempts. 
  • Vulnerability Management: Seeing what types of phishkits are targeting specific sectors or technologies, organizations prioritize patching vulnerabilities or enhance security measures where they are most needed.

How to Track and Identify Phishing Kit Attacks with TI Lookup 

TI Lookup lets you identify and investigate phishkit attacks

Threat Intelligence Lookup from ANY.RUN provides access to an extensive database of the latest threat data extracted from millions of public sandbox sessions.  

It allows analysts to conduct targeted indicator searches with over 40 different parameters, from IPs and hashes to mutexes and registry keys, to enrich their existing intel on malware and phishing attacks.  

With TI Lookup, users can collect as well as pin their existing indicators to specific cyber threats. Each indicator in TI Lookup can be observed as part of wider context  

Learn more about TI Lookup 

Threat Intelligence Lookup empowers organizations with: 

  • Streamlined Access to Threat Information: Simplifies and speeds up the process of finding threat-related information, making it more convenient and efficient. 
  • Detailed Insights into Attacks: Provides detailed information on attacker methods, helping to determine the most effective response measures. Deep analysis makes the actions of analysts more precise and effective. 
  • Reduced Mean Time to Respond (MTTR): Offers quick access to key threat information, enabling analysts to make swift decisions. 
  • Increased Detection and Response Speed: Ensures data is up-to-date, helping businesses improve the speed of detecting and responding to new threats. 

Collect intelligence on phishkit attacks
with ANY.RUN’s TI Lookup 



Get free requests to test it


1. Collecting Intel on Tycoon2FA Phishkit Abusing Cloudflare Workers 

Tycoon2FA is a phishkit that has been offered as a service to cyber criminals since 2023. This threat’s specialty is adversary-in-the-middle attacks that make it possible to not only steal victims’ login credentials but also bypass two-factor authentication (2FA).  

Tycon2FA operators make extensive use of Cloudflare Workers and Cloudflare Pages for hosting fake login forms that are abused for stealing personal data.  

With TI Lookup, we can collect the latest example of domains utilized for Tycoon2FA attacks using the following query: 

domainName:”*.workers.dev” 

Use wildcards like the asterisk in TI Lookup for more flexible searches 

TI Lookup provides 49 domains, with some of them being labeled with the “phishing” tag. At this point, users can collect these indicators to enrich their defense. 

TI Lookup provides verdicts on known malicious indicators 

Using TI Lookup can be also helpful during triage, when you need to check if a certain Cloudflare Workers domain is malicious. As you can see in the image above, the service instantly informs you about the threat level of the queried domain. 

The Tasks tab in TI Lookup provides a list of the latest analysis reports performed in ANY.RUN’s Interactive Sandbox featuring the requested domains. 

TI Lookup provide a list of sandbox sessions featuring the requested indicators 

Here, we can discover that Cloudflare’s domain is also used by another phishing-as-a-service tool, EvilProxy.  

Fake Outlook page created with the help of a phishing kit

If you want to dig deeper, you can open any of these reports inside the sandbox and observe real-world attacks as they unfolded and rerun analysis of these URLs yourself. 

Get 50 free TI Lookup requests to try it in your organization 



Try it


2. Researching Phishkit Campaigns via Suricata rules  

Threat Intelligence Lookup supports search by Suricata IDS rules. Add a rule ID (SID) and see an assortment of incidents where the same rule was triggered.  

Suricata rule for detecting social engineering attempts

Let’s use the rule with the class “Possible social engineering attempted” via the following query: 

suricataID:”8001050″ 

Search by Suricata rule to uncover more examples of phishkit attacks 

Among the results, we can see examples of Gabagool and Sneaky2FA phishing kit attacks, as well as Tycoon2FA’s which are linked to the Storm1747 APT.

Learn more on how to track APTs

You can download data on all of these samples, which includes hashes, and use it to further enrich your security systems. As always, you can also explore each report in detail to collect even more insights into these attacks. 

TI Lookup lets you receive fresh updates on the results for any query 

TI Lookup also lets you automatically receive notifications about the new results available for specific search queries. All you need to do is click the bell icon, and all of the updates will be displayed in the left side menu. 

3. Tracking new samples of Mamba2FA Phishkit 

If your organization has been previously attacked with a certain phishing kit, then you can easily stay updated on the newest indicators related to it. 

Let’s take Mamba2FA as an example. It is a widely utilized phishkit that has been used in numerous attacks against businesses in the financial and manufacturing sectors. 

With a simple query that combines the name of the phishkit with an empty domain name field, we can quickly discover both new attacks, as well as network indicators like domains and URLs recorded during sandbox analysis: 

threatName:”mamba” AND domainName:”” 

TI Lookup provides a wealth of threat data on phishing kit attacks

Learn more about proactively identifying Mamba2FA attacks in the article by a phishing analyst


Enrich your threat knowledge with TI Lookup

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup


Read full guide


Conclusion  

Security experts are far from underestimating the risks behind phishing kits. They don’t just open gates to a mass of low-skilled beginners to the cybercrime market. They abuse known brands and trademarks by impersonating their resources, employ sophisticated infiltration and anti-evasion techniques, and are constantly evolving.  

To avoid financial and reputational loss, organizations should consider investing in high-end threat intelligence solutions as well as emphasize employee educating and training.  

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How to Identify and Investigate Phishing Kit Attacks appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

XMRig miner attacks corporate users | Kaspersky official blog

/in

From December 31, 2024, our telemetry began detecting a significant surge in the activity of the XMRig cryptominer. While most of the malware launches were detected by home security solutions, some were found on corporate systems. A thorough investigation revealed that cybercriminals had been distributing the malware through game torrents. The attack likely targeted gamers in various countries, including Russia, Brazil, and Germany. However, the cryptominer also surfaced on corporate networks — probably due to employees using work computers for personal use.

Malicious campaign

The campaign, affectionately named StaryDobry (“the good old one” in Russian) by our analysts, was carefully planned: malicious distributions were created and uploaded to torrent sites between September and December 2024. Of course, the infected games were repacks — modified versions designed to bypass authenticity checks (in other words, cracked).

Users began downloading and installing these trojanized games, and for a while, the malware showed no signs of activity. But then, on December 31, it received a command from the attackers’ remote server, triggering the download and execution of the miner on infected devices. The list of trojanized titles included popular sim games such as Garry’s Mod, BeamNG.Drive, and Universe Sandbox.

We closely examined a sample of the malware and discovered the following:

  • Before launching, the program checks whether it’s running in a debugging environment or sandbox. If it is, the installation is immediately terminated.
  • The miner is a slightly modified executable of XMRig, which we covered in detail back in 2020.
  • If the infected device has fewer than 8 CPU cores, the miner doesn’t run.

Our products detect the malware used in this campaign as Trojan.Win64.StaryDobry.*, Trojan-Dropper.Win64.StaryDobry.*, and HEUR:Trojan.Win64.StaryDobry.gen. More technical details and indicators of compromise can be found in the Securelist publication.

How to protect your corporate network from miners

From a corporate security perspective, the real concern isn’t just the malware itself, but where it was discovered. A miner in a corporate network is certainly unpleasant — but at least it doesn’t steal data. However, there’s no guarantee that, next time, a repacked game won’t be hiding a stealer or ransomware. As long as employees install pirated games on work computers, gaming-related malware will keep infiltrating corporate systems.

Therefore, the main recommendation for information security personnel is to block torrents at the security policy level (unless, of course, they’re necessary for your company’s business processes). Ideally, all non-work-related software should be completely prohibited. In addition, we have two traditional recommendations:

Kaspersky official blog – ​Read More

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

/in

Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X. 

From December 20 to 24, 2024, the Quetzal Team identified a phishing campaign targeting the cryptocurrency and fintech sectors. This campaign aimed to distribute a newly discovered stealer malware, which we have named Zhong Stealer, as there were no prior public references to this threat. 

In this article, we’ll use ANY.RUN’s real-time malware analysis capabilities to cover:

  • Execution flow: How the malware runs from initial launch to full system infiltration. 
  • Data exfiltration tactics: How Zhong transmits stolen credentials to a C2 server hosted in Hong Kong. 
  • Persistence techniques: How it modifies registry keys and scheduled tasks to survive reboots. 

A Flood of Phishing Attempts 

The attack pattern was simple yet persistent: 

  1. Open a new support ticket from a freshly created, empty account. 
  1. Use broken language and ask for help in Chinese. 
  1. Attach a ZIP file containing screenshots or additional details. 
  1. Insist that support staff open it, growing frustrated when they refused. 
Suspicious ZIP files named with Simplified Chinese characters

During this period, we managed to collect several suspicious ZIP file samples, all named with Simplified Chinese characters: 

  • 图片_20241224 (2).zip (Image_20241224 (2).zip). 
  • Android 自由截图_20241220.zip (Android Free Screenshot_20241220.zip) 
  • Android – Screenshots2024122288jpg.zip 

Each ZIP file contained an EXE file inside, which immediately raised red flags: 

  • 图片_20241224.exe (Image_20241224.exe – Simplified Chinese) 
  • 圖片2024122288jpg.exe (Image2024122288jpg.exe – Traditional Chinese) 
  • 图片_20241220.exe (Image_20241220.exe – Simplified Chinese) 
Way more suspicious EXE files named with Simplified and Traditional Chinese characters

The Zhong Stealer Revealed 

Over four days, we received multiple samples of what appeared to be the same malware. Initially, only one global detection flagged it as “Unsafe,” a vague and generic label. 

Generic detection, lacking a naming convention or detailed insights 

As time passed, some samples began to receive more global detections, but with a twist: all of them were either generic or driven by heuristic/machine learning/artificial intelligence-powered systems.  

However, these detections lacked meaningful naming conventions, making tracking difficult. 

AI/ML-based detection with no naming convention or substantial details 

Generic conventions (such as “Win.MSIL”, “Detected”, or “Unsafe”) and AI-generated names (like “AIDetectMalware”, “Malware.AI”, “ML.Attribute.HighConfidence”, “malicious_confidence_90%”, “Static AI”) may be useful for internal classification or as temporary indicators but their lack of specificity makes it difficult to track malware over time or correlate research findings. 

AI/ML-based detections—hard to follow with these naming conventions 

To solve this, we decided to give this malware a proper name: Zhong Stealer, inspired by the email address of the first submitter to hit the ticketing system. From now on, we’ll track all these strains under this family name. 

Now that we’ve made a new “friend”, let’s play with it a little bit. 

Dissecting Zhong 

Running Zhong Stealer in ANY.RUN revealed its behavior almost immediately. Upon execution, it queried a C2 server based in Hong Kong, hosted by Alibaba Cloud. 

View sandbox analysis

First and follow-up contacts with the C2 server in Hong Kong 

Stage 1: Initial Contact 

Inventory file signalling the malware’s components to download 

The first action involves reading a TXT file, which serves as an inventory. This file contains links to itself and other components that need to be downloaded. 

Submit suspicious files and URLs to ANY.RUN
for proactive analysis of threats targeting your company 



Get 14-dat free trial


Stage 2: Downloader Execution 

Next, another stage is downloaded: down.exe, a file signed with a previously valid but now revoked certificate from Morning Leap & Cazo Electronics Technology Co., suggesting it was likely stolen. Notably, the file masquerades as a BitDefender Security updater, a deliberate choice that adds an extra layer of deception to evade suspicion. 

Fake signature posing as BitDefender and using a potentially stolen certificate 

Alongside this stage, Zhong downloaded additional components: 

  • TASLogin.log (a log file) 
  • TASLoginBase.dll (a dynamic-link library) 

These components helped facilitate execution of the next stage. 

Zhong Stealer downloading components and preparing for the next stage 

Stage 3: Persistence & Reconnaissance 

Once active, down.exe creates a BAT file with a random 4-digit name in the user’s temporary folder (e.g., 4948.bat on my setup). This script sets up the environment by invoking system utilities like Conhost.exe and Attrib.exe to unhide and grant execution permissions to the next step. 

BAT file preparing the environment for the next stage 

The stealer then queries the system’s supported languages, a tactic often seen in ransomware. It is used to avoid targeting specific regions. It also schedules itself to run periodically via Task Scheduler, which serves as a fallback persistence method, though not its primary one (more on this later). 

Zhong scheduling itself via Task Scheduler and checking language properties 

Next, Zhong disables trace logs (point 1 in the image below) and initiates reconnaissance routines.  

This includes reading registry keys to collect details such as the machine hostname, GUID, proxies, software policies, and supported languages (points 2 and 3). It also evaluates Internet Explorer/Edge security settings (point 4). 

Zhong staging, reconnaissance, and evasion routines in practice 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis


Read full guide


Stage 4: Credential Theft & Data Exfiltration 

With the preparation complete, Zhong moves to its final stage, where it aims to execute a clean attack.  

Specific registry keys read by Zhong before launching the final stage 

Now, the real action starts. Zhong establishes persistence by adding a registry key (point 1 in the image below) at: 

HKEY_CURRENT_USERSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN 

Next, it harvests browser credentials and extension data (point 2) before connecting to its C2 server on port 1131(point 3) to exfiltrate the stolen information. 

Let’s break down these actions step by step. 

Routines to gain persistence, steal credentials, and communicate with its C2 

The registry key serves as Zhong’s primary persistence mechanism, with the scheduled task acting as a fallback in case the registry entry is removed. Once persistence is secured, Zhong shifts its focus to harvesting credentials and browser extension data. 

Persistence mechanisms and exfiltration routines in action 

Next, Zhong scans browser extensions and credentials, starting with Brave Browser on this setup. 

Zhong scanning Brave Browser for sensitive data 

It then moves on to Edge/Internet Explorer, which comes pre-installed on most Windows systems, making them valuable targets for data theft. 

Zhong scanning Edge for sensitive data 

After collecting sensitive data, Zhong contacts its Hong Kong-based C2 server on port 1131 to exfiltrate relevant information. 

Zhong exfiltrating data via its C2 server 

At this point, the outcome is predictable—Zhong evolves from a mere nuisance into a full-fledged data thief. 

Now, let’s break down its techniques into a clear and structured MITRE ATT&CK Matrix to visualize its full attack chain. 

Fortunately, ANY.RUN simplifies this process, mapping out the malware’s behavior step by step for better analysis and threat tracking. 

Zhong Stealer’s Tactics & Techniques 

This particular piece of malware employs a variety of TTPs which are common, simple, and yet, highly effective: 

  • Disabling Event Logging (T1562) – Prevents security tools from recording malicious activity, making detection and forensic analysis more difficult. 
  • Gaining Persistence via Registry Keys (T1547) – Modifies Windows registry settings to ensure the malware automatically runs at startup. 
  • Harvesting Credentials (T1552) – Extracts saved passwords, browser session data, and authentication tokens from compromised systems. 
  • Scheduling Tasks (T1053) – Creates scheduled tasks to maintain persistence, ensuring the malware executes even after a system reboot. 
  • Communicating via Non-Standard Ports (T1571) – Uses uncommon network ports, such as port 1131, to avoid detection and transmit stolen data to a command-and-control server. 

You can find more TTPs used by Zhong Stealer in the screenshot below: 

MITRE ATT&CK Matrix on ANY.RUN detailing the analyzed points

How to Protect Against Zhong Stealer 

To combat Zhong Stealer and similar social engineering-based malware, security teams must adopt proactive detection and analysis strategies. Traditional antivirus solutions often fail to recognize stealthy threats, but with ANY.RUN’s Interactive Sandbox, organizations can identify, analyze, and block malicious activity in real time before it causes harm. 

Here’s how to protect your organization from Zhong Stealer: 

  • Train customer support teams to recognize phishing tactics and avoid opening suspicious file attachments in support chats. 
  • Restrict ZIP file execution from unverified sources and enforce zero-trust security policies to prevent unauthorized file access. 
  • Monitor outbound network traffic for suspicious C2 connections, especially to non-standard ports like 1131, a key indicator of Zhong Stealer’s activity. 
  • Use ANY.RUN’s real-time analysis to safely detonate unknown executables, observe their behavior step by step, and extract critical IOCs before the malware can spread. 

With ANY.RUN’s in-depth behavioral analysis, security teams can stay ahead of evolving threats like Zhong Stealer and prevent cybercriminals from using social engineering to bypass traditional defenses. 

Final Thoughts 

Zhong Stealer’s campaign is a prime example of how social engineering and persistent phishing tactics can be used to distribute malware. By targeting customer support teams, the attackers attempted to bypass traditional security measures and exploit human trust. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

IOCs 

FileHash-MD5:778b6521dd2b07d7db0eaeaab9a2f86b 

FileHash-SHA1:ce120e922ed4156dbd07de8335c5a632974ec527 

FileHash-SHA256:02244934046333f45bc22abe6185e6ddda033342836062afb681a583aa7d827f 

FileHash-SHA256:1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf 

FileHash-SHA256:4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e 

FileHash-SHA256:dd44dabff5361aa9b845dd891ad483162d4f28913344c93e5d59f648a186098 

FileHash-SHA256:e46779869c6797b294cb097f47027a5c52466fd11112b6ccd52c569578d4b8cd 

FileHash-SHA256:5f422be165e4b6557f45719914f724a4fe1840fa792ecc739861bfdb45c1550 

URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/TASLogin.log 

URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/TASLoginBase.dll 

URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/down.exe 

URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/uu.txt 

email:zhongmaziil992@outlook.com 

hostname:kkuu.oss-cn-hongkong.aliyuncs[.]com 

IPv4:156.245.23.188 

IPv4:47.79.64.228 

The post Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Gravy Analytics leak: How to protect your location data | Kaspersky official blog

/in

Our smartphones and other devices collect and then transmit massive amounts of data about us to dozens, maybe hundreds, of third-party companies every single day. This includes our location information, and the market for such information is huge. Naturally enough, the buying and selling goes on without our knowledge, creating obscure risks to our privacy.

The recent hack of location data broker Gravy Analytics clearly illustrates the potential pitfalls of such practices. This post analyzes how data brokers operate, and what can happen if the information they collect leaks. We also give tips on what you can do to protect your location data.

What location data brokers are

Data brokers are companies that collect, process, and sell information about users. They get this information from mobile apps, online ad networks, online analytics systems, telecom operators, and a host of other sources from smart-home devices to cars.

In theory, this data is only collected for analytics and targeted advertising. In practice, however, there are often no restrictions on usage, and seemingly anyone can buy it. So, out there in the real world, your data can be used for pretty much any purpose. For example, an investigation last year revealed that commercial data brokers — directly or through intermediaries — may even serve government intelligence agencies.

Data brokers collect all kinds of user information, of which one of the most important and sensitive categories is location data. It’s so in demand, in fact, that besides more generalized data brokers, firms exist that focus on it specifically.

Those are the location-data brokers — organizations that specialize in collecting and selling information about user location. One of the major players in this segment is U.S. location tracking firm Gravy Analytics, which merged with Norway’s Unacast in 2023.

The Gravy Analytics data leak

In January 2025, news broke of a data leak at Gravy Analytics. At first it was confined to unofficial reports based on a post that appeared on a private Russian-language hacker forum. The poster claimed to have hacked Gravy Analytics and stolen the location data of millions of users, providing screenshots of the data trove as proof.

It wasn’t long before official confirmation came through. Under Norwegian law, Gravy Analytics’ parent, Unacast, was legally required to notify the national regulator.

The company’s statement reported that on January 4, an unauthorized individual gained access to Gravy Analytics’ AWS cloud storage environment “through a misappropriated access key”. The intruder “obtained certain files, which could contain personal data”.

Analysis of the data Gravy Analytics leaked

Unacast and Gravy Analytics were in no hurry to specify what data could have been compromised. However, within a few days, an independent security researcher published their own in-depth analysis of the leaked information based on a sample of the stolen data they’d been able to obtain.

User location-data leaked worldwide

The Gravy Analytics leak included the location data of users worldwide. Source

It turned out that the Gravy Analytics hack did indeed leak a gigantic set of location data of users worldwide — from Russia to the United States. The fragment analyzed by the researcher was 1.4GB in size, and consisted of around 30 million records — mostly collected in the first days of January 2025. Meanwhile, the hacker claimed the stolen database is 10TB, meaning it could potentially contain over 200 billion records!

This data was collected by mobile apps and acquired by Gravy Analytics to be aggregated and subsequently sold to clients. As the analysis of the leak showed, the list of apps used to collect location data runs into the thousands. For example, the sample studied contained data collected from 3455 Android apps — including dating apps.

UK-based Tinder users' location

UK-based Tinder users’ location data is an example of what can be found in the data leaked from Gravy Analytics. Source

Tracking and deanonymizing users with the Gravy Analytics’ leak data

What’s most unpleasant about the Gravy Analytics hack is that the leaked database is linked to advertising IDs: IDFA for iOS and AAID for Android devices. In many cases, this makes it possible to track users’ movements over time. Here, for instance, is a map of such movements in the vicinity of the White House in Washington, D.C. (remember that this visualization uses only a small sample of the stolen data; the full database contains a lot more):

Tracking users through the Gravy Analytics leak

Data in the Gravy Analytics leak linked to advertising IDs can be used to track users’ movements over time. Source

Worse yet, some data can be deanonymized. For example, the researcher was able to track the movements of a user who visited the Blue Origin launch pad:

First example of user deanonymization through the Gravy Analytics leak

An example of user deanonymization using location data leaked from Gravy Analytics. Source

Another example: the researcher was able to track a user’s movements from the Columbus Circle landmark in Manhattan, New York City, to his home in Tennessee, and then to his parents’ house the next day. Based solely on OSINT data, the researcher learned a great deal about this individual, including their mother’s name and the fact that their late father was a U.S. Air Force veteran.

Second example of user deanonymization through the Gravy Analytics leak

Another example of user deanonymization using location data leaked from Gravy Analytics. Source

The Gravy Analytics data breach demonstrates the serious risks associated with the data broker industry, and location data brokers in particular. As a result of the hack, a huge volume of user location records collected by mobile apps spilled out into the public domain.

This data makes it possible to track the movements of a great many people with fairly high accuracy. And even though the leaked database doesn’t contain direct personal identifiers such as first and last names, ID numbers, addresses, or phone numbers, the linkage to advertising IDs can in many cases lead to deanonymization. So, based on various quasi-identifiers, it’s possible to establish a user’s identity, find out where they live and work, as well as trace their social connections.

How to protect your location data?

Unfortunately, collecting user location data is now such a widespread practice that there’s no easy answer to this question. Alas, there’s no switch you can simply flick to stop all the internet companies worldwide harvesting your data.

That said, you can at least minimize the amount of information about your location that falls into the hands of data brokers. Here’s how:

  • Be strict with apps asking for access to location data. Often, they’ll work just fine without it — so unless there’s a compelling reason for the app to know your location, just say no.
  • Carefully configure privacy in apps that genuinely need your geolocation to function. For example, see our guides to configuring all the most popular running apps.
  • Don’t allow apps to track your location in the background. When granting permissions, always select the “Only while using the app” option.
  • Uninstall apps you no longer use. In general, try to keep the number of apps on your smartphone to a minimum — this will reduce the number of potential data collectors on your device.
  • If you use Apple iOS, iPadOS, or tvOS devices, opt out of app tracking. This will prevent data collected on you from being deanonymized.
  • If you use Android, delete your device’s advertising ID. If this option is unavailable in your OS version, reset the advertising ID regularly.
  • Install a robust security solution capable of blocking ad-tracking on all your devices.

For more tips on how to put the brakes on generalized data brokers collecting information on you, see our post Advertisers sharing data about you with… intelligence agencies.

Kaspersky official blog – ​Read More

Trojanized game PirateFi discovered on Steam | Kaspersky official blog

/in

There are probably no gamers left who don’t know that downloading games from torrent trackers is risky business. Yes, they come at no cost, cracked and sometimes conveniently repacked, but they might contain malware. That’s why security solutions throw a fit — quarantining torrent files, preventing the installation of cracks… well, we should be thankful for that!

Official app stores like Steam are a different story, right? Surely everything’s perfectly safe there, isn’t it? Nope. In February, a game bundled with malware was discovered on the platform. Not to worry, though: last week, Valve removed the game “PirateFi” from its Steam platform after a user reported that their antivirus software prevented them from running the game due to the presence of malware. The user’s antivirus flagged the game as containing Trojan.Win32.Lazzzy.gen, prompting Valve to act swiftly and remove it from the platform. We can confirm that it was Kaspersky’s antivirus solution that detected the threat, thanks to the Kaspersky Security Network recognizing the malware.

Survival sim starring your computer

The game in question was PirateFi, a survival sim offering users the chance to play as a pirate in both single-player and multiplayer modes. It appears it wasn’t just the players who needed to survive, but their computers too.

PirateFi was touted as the thrifty gamer's Sea of Thieves

PirateFi was touted as the thrifty gamer’s Sea of Thieves

It wasn’t exactly a hit: maybe five concurrent players at peak times, and just 165 subscribers. The exact number of victims is unknown. VG Insights estimates around 1,500, while Gamalytic puts the number of downloads at 859.

The game was found to contain Windows-based malware designed to infect users’ computers and steal sensitive information. The malware, disguised as “Howard.exe,” was programmed to unpack itself into the user’s /AppData/Temp/ directory upon launching the game, subsequently stealing browser cookies and potentially allowing attackers to gain unauthorized access to various online accounts. Several users who downloaded the game reported compromised accounts, password changes, and unauthorized transactions.

In the end, everyone who had played PirateFi on Steam received a notification email about a potential malware threat on their computers. There were no details about the malware or any explanations as to how it had slipped into the app store. So, victims don’t know exactly what ended up on their devices: a miner, a stealer, or something else entirely. Instead, Valve, the company behind Steam, recommended that they run a scan of their computers with a reliable security solution.

Players found the suggestion to “reformat” their operating systems particularly amusing

As for the game’s developers, Seaworth Interactive, there is virtually no information about them online. PirateFi was their debut in the gaming industry, so it’s safe to assume that the malware campaign was intentional. PCMag supported this theory, noting attempts to promote the game through Telegram channels targeting users in the U.S. For example, a job posting for a PirateFi in-game chat moderator was listed. It promised $17 per hour, with payments every two days. This sounded way too good to be true, particularly because moderators in free-to-play games are typically students with a lot of free time, who are usually paid in in-game currency.

PirateFi isn’t the only such case

Malware infiltrated Steam a decade ago as well. Back then, it was Dynostopia players who got hit with a Trojan. The game was in its beta phase and was hosted on Steam Greenlight, which was Valve’s program for indie developers, discontinued in 2017. As for the Trojan, affected users reported that upon downloading the game, their desktops were immediately locked, preventing any access even after a system reboot. Sometime later, they’d discover their Steam profiles had been modified: a proud label declaring them as Dynostopia beta testers would be added, along with a prompt for all their friends to experience this “fantastic” game.

Malware keeps finding its way into apps, including games and Google Play apps. Recently, it has even managed to infiltrate the App Store as well. Thus, mobile gaming faces a much greater challenge than PC gaming, and it’s not a matter of platform moderation. It’s simply a matter of numbers: there are significantly more apps for smartphones than for computers, hence the higher prevalence of malware on mobile platforms. For this reason, we consistently urge smartphone users to pay attention to app reviews and ratings. Although this isn’t a guarantee of safety, as positive ratings can be easily inflated, PC gamers should also heed this advice.

Another way cybercriminals target players is by distributing Trojan-infected mods or cheats. Call of Duty fans are all too familiar with this. Last year, Activision conducted a large-scale investigation to determine how Trojans were ending up on their players’ systems. Among the potential causes suggested by the tech giant was the use of third-party tools, such as mods, cheats, and trainers.

Security tips for gamers

First of all, be vigilant and play fair. Stay away from cheats unless you want to lose your game account and, even worse, have your bank or crypto wallet details on your computer compromised. Stick to tried-and-tested games with lots of reviews — they might be negative, but so long as they’re honest, that’s what matters.

The second, but no less important, piece of advice is to install gaming antimalware. If you’ve played PirateFi or some other obscure title, follow Valve’s advice and install a security solution immediately. Don’t rely on game moderation alone on Steam or any other platform. It might keep you 99% safe from trojanized games, but that last, treacherous 1% could always be the one that gets you. So, do your homework: explore the tests, look at the reviews, and make an informed decision about which option you’ll entrust with your computer’s security.

Kaspersky Premium includes a dedicated gaming mode that busts the myth that antivirus programs cause performance issues on gaming PCs. Here’s how it functions: when you launch a game, Kaspersky Premium temporarily halts its database updates, notification pop-ups, and scheduled system scans. The background protection will save you from unknowingly becoming a beta tester for Dynostopia and other malware disguised as games.

Kaspersky official blog – ​Read More

All the scams and safety tips you need to know about when buying meme coins | Kaspersky official blog

/in

We’ve all heard about cryptocurrencies like blockchain or Bitcoin. What’s less well known is how this market works, why people invest in it, how they earn money, and what mistakes can lead to instant ruin. Our three posts on blockchain and cryptocurrencies, NFTs, and the metaverse cover the crypto basics. Today, we take a dive into a topic made hot by Donald Trump’s victory in the U.S. presidential election: alternative cryptocurrencies such as meme coins.

For those with little time to spare, here’s the TL;DR: Since 2021, the market capitalization of meme coins has fluctuated wildly between $8 billion and $103 billion, with towering ups and crashing downs. The chances of losing money greatly outweigh those of making it, and the number of scams is high even by crypto market standards. So the moral is: don’t invest money that you can’t afford to lose — even into something that bears the name of the current U.S. President.

For those with a little more time on their hands, let’s take a look at some joke cryptocurrencies, explore what — if anything — they have in common with NFTs, and tell you what precautions to take if you’re determined to invest in this high-risk market.

Meme coin market capitalization

Check out how meme-coin market capitalization has changed over the past few years. Source

Meme coins and altcoins — what are they?

Technically, meme coins (aka meme tokens, meme cryptocurrencies) are a type of altcoin; that is — alternative cryptocurrencies. “Alternative” purely in the sense of not being the largest and most widespread  of cryptoassets: Bitcoin and Ethereum. Historically, altcoins tended to be launched as independent blockchain platforms, but today they’re more likely to piggyback an existing popular blockchain platform, such as Solana.

Meme coins with the highest market capitalization

To get a sense of the volatility of the meme coin market, compare the price and capitalization of certain randomly-chosen tokens in three weeks from late January (top) to mid-February (bottom), 2025. Source

In their issuance and circulation mechanisms, most altcoins offer holders some tangible benefits — from low fees and high transaction speeds to pegging to real-world assets. However, meme coins, of which Dogecoin was the first, were initially issued as a joke, and a chance to invest in a fleeting social trend — to show one’s love for a meme, or support for an actor, public figure, or media personality. Although a meme coin is a cryptocurrency, its value is determined primarily by how enthusiastic people are to invest in it. As a result, these crypto assets are prone to sharp price spikes, depending on who wrote what on social media, whether people liked an actor’s new movie, and other such factors.

Meme coins and NFTs — similarities and differences

Both meme coins and NFTs use blockchain technology to store ownership info and transaction history. But unlike cryptocurrencies — where any two coins are equivalent and interchangeable, just like a couple of hundred-dollar bills, each individual NFT is unique, and hence the name: non-fungible tokens. Each token secures ownership of some unique digital asset — imparting collector value to NFTs.

And because collector value is largely subjective, NFTs, like meme coins, are highly susceptible to hype, speculation, and wild price swings.

Top meme coins

This section will age fast, but at the time of posting, the biggest meme coins by market capitalization are Dogecoin (ticker symbol: DOGE), Shiba Inu (SHIB), Pepe (PEPE), OFFICIAL TRUMP (TRUMP), and Bonk (BONK) — with the first exceeding $39 billion, and the last just below $1.5 billion. The TRUMP meme coin was nowhere in the vicinity of this top list a month ago — further proof of just how fickle this market is.

The pack leader, Dogecoin, however, is a real survivor. More than a decade old, its value hovered between $0.0001 and $0.0002 for the first two years, and rarely nudged past $0.01 in the following four. However, after being endorsed by Elon Musk in 2021, it briefly soared to $0.63, before sinking to around $0.06. It spiked again last November to over $0.4 after the presidential victory of the crypto-supporting Trump — over whom Musk appears to have some influence.

Price dynamics of the oldest meme coin, Dogecoin (DOGE)

Price dynamics of the oldest meme coin, Dogecoin (DOGE). Source

TRUMP, MELANIA, and BARRON

The new U.S. President’s family deserves a separate chapter in our story because it perfectly illustrates the essential properties of meme coins.

Just three days before taking office in 2025, Trump announced the launch of his eponymous meme coin, which climbed to $75 in just two days, then halved, and has been steadily falling over the past three weeks — dropping to around $19 at the time of posting. Technically, TRUMP is issued on the Solana blockchain, with a total “mintage” of one billion coins. However, only 200 million were released into circulation, while the rest remained under the control of CIC Digital LLC and Fight Fight Fight LLC — both affiliated with the Trump Organization.

Price dynamics of the OFFICIAL TRUMP meme coin (TRUMP)

Price dynamics of the OFFICIAL TRUMP meme coin (TRUMP). Source

With the issue structured in this way, the Trump Organization can dictate both prices and demand, since it controls significantly more coins than are on the open market. It can make money by selling coins at high prices — both saturating the market and driving prices down. Or it can choose not to sell, and instead wait for an uptick in market sentiment to maximize profits. Value dilution due to increased supply primarily hits those who bought the coins at peak value and hype — favoring both buyers who got the coins cheaply, and those who issued the coin in question.

This approach has drawn criticism from many in the crypto industry, such as Nick Tomaino: “Trump owning 80% and timing launch hours before inauguration is predatory and many will likely get hurt by it”.

Blockchain analysis firm Chainalysis showed that in the first few days after the launch, almost 80% of the 600,000 buyers earned less than $100 on the token, and barely recouped their investment. Tellingly, 50% of TRUMP buyers were crypto first-timers who had only created a wallet and plunged into the market specifically for this deal.

A few weeks later, almost all TRUMP investors were out of pocket. At the same time, a select group of 21 “whales” (buyers of 500,000+ tokens) made over $214 million in the first days of the meme coin’s circulation.

In all fairness, the website distributing the coins does state that buying them represents “an expression of support for, and engagement with, the ideals and beliefs embodied by the symbol $TRUMP”, and is not to be seen as an investment.

Two days after the TRUMP announcement, the First Lady followed suit with the launch of her own meme coin. Having briefly risen above $12, just a day later MELANIA took a downward turn and spent a couple of days at the $3-5 range, before stabilizing at around $1.4. Just as the MELANIA launch news broke, TRUMP plummeted.

Naturally, all this hullabaloo over “political” meme coins could hardly escape the attention of scammers. Blockchain platforms witnessed a mushrooming of tokens with TRUMP as the ticker symbol or in the description — despite having nothing to do with the “official” meme coin.

The most eye-catching was the meme coin in the name of the U.S. president’s youngest son, Barron Trump. Aided by a profile on the Pump.fun website (where anyone can quickly launch their own meme coin) plus a handful of X posts pretending to be related to an investigation and leaked insider information, in just a few hours the unofficial meme token scored a market capitalization of $460 million. However, when proof of “presidential” origin failed to materialize, the token crashed by 95%.

Major meme coin and NFT scams

Rug pull (exit scam). The most common scam associated with newly-issued crypto assets. Scammers mislead buyers about the origins of a particular coin or NFT project and the value of the tokens, sell a bunch of them, and vanish. The purchased tokens remain with the new owners but rapidly depreciate. In the case of meme coins, this scheme is often implemented with a celebrity allegedly issuing their own token, which later turns out to be a hoax. In the case of NFTs, buyers are promised non-existent privileges or collector value. An infamous case was the Baller Ape Club NFT, which led to one of the first indictments for NFT fraud. According to Chainalysis, almost one in 20 tokens issued in 2024 may have been rug pulls; while in 2021, these scams brought crypto investors a total loss of $2.8 billion.

“Namesake” attack. For easy identification on crypto exchanges and other crypto platforms, each token is assigned a unique code known as a ticker — just like on traditional exchanges: BTC, USDT, TRUMP, and so on. But in reality, the buying and selling of tokens is based not on tickers, but on long, hard-to-read smart contract addresses. A common attack exploits this duality. Scammers create their own tokens (altcoins) with a different contract address in the blockchain — but under the same ticker as a popular token, for example, TRUMP. Sometimes the scheme might even work when the ticker is different, and the big-draw name simply appears in the coin description. Such tokens are often launched on a different blockchain where the original coin isn’t traded. All these scenarios boil down to the same thing: the victim buys a totally different crypto asset, which likely has no value.

Website lists the smart contract address for buying TRUMP tokens explicitly. Scammers can forge the website and substitute the smart contract address.

The website selling genuine TRUMP tokens states the associated smart contract address explicitly. However, scammers can create a copy of the website and post a different smart contract address

 

Honeypot tokens. These are tokens whose smart contract doesn’t allow their sale. In other words, you can invest money in them, but not withdraw it. This scam is often combined with the “namesake” attack.

Drainers. Our separate post covers this threat in detail. Thinking they’re buying meme coins or NFTs, victims enter their credentials on a fake website and have their crypto wallets emptied. The bait website either mimics the official one, or offers a fake promotion such as a token airdrop.

Phishing and malware. Under the guise of social media posts by celebrities, messages from technical support, and countless other pretexts, attackers swindle private keys and seed phrases from crypto holders, as well as install malware on their computers and phones to siphon off crypto-related information. The outcome is always the same: the loss of all funds in the crypto wallet.

There are other, more exotic ways of stealing cryptocurrency: hacking old Bitcoin wallets through encryption algorithm bugs, fake hardware crypto wallets, and infected games like Mario Forever or tanks.

There are even Robin Hood scams targeting crypto thieves themselves. A juicy bait is dangled before their eyes — for example, “leaked” credentials of wallets supposedly containing hundreds of thousands of dollars or seed phrases for real crypto wallets — but after paying a “fee” to withdraw the funds, they discover that a withdrawal isn’t possible.

Our blog is home to dozens of other gripping detective stories about crypto scams. Sadly, the list is expanding daily, so subscribe now to keep up to date with all the latest threats.

How not to lose money on crypto, NFTs, and meme coins

  1. Don’t invest in crypto assets if you have any doubts about your financial situation or the stability of global markets, or don’t feel sufficiently qualified.
  2. Don’t invest in crypto assets (or anything else) what you can’t afford to lose.
  3. If you need crypto assets for payment purposes, use coins with low volatility, such as USDT stablecoins, and don’t buy more crypto than you need to settle the account.
  4. If you’re investing in crypto assets for profit, be prepared to closely monitor the market dynamics and react quickly. This is a daily job, all the more so for meme coins — you need to track social media trends and strike when the market is hot. Cryptocurrency speculation (on meme coins in particular) is very strong in Asia, so you may have to adjust your “trading day” to the Far Eastern time zone.
  5. Give preference to projects and tokens that have been on the market for a while and earned a certain reputation.
  6. If buying a newly launched token, make sure it isn’t a rug pull or Ponzi scheme. This will require researching the reputation of the project creators and the token’s technical features. If the project’s smart contracts have been audited, study the results. The lack of such an audit isn’t a red flag per se, but it should put you on your guard. If it’s a meme coin linked to a celebrity, look at their official social media accounts and profiles, and make sure they were actually involved.
  7. Buy tokens on large platforms that have internal standards and comply with legal regulations. Examples include Binance and Coinbase. When getting information about a token, especially its smart contract address, make sure you visit the official site and not a fake. Don’t enter crypto wallet credentials, card details, or other sensitive information on third-party sites.
  8. Carefully check smart contract and crypto wallet addresses to avoid buying a “namesake”.
  9. Be careful when searching for crypto-related sites, news, and social media accounts, and be wary of messages sent to you in email and messaging apps. Crypto investors are frequent targets of phishing and pig butchering
  10. Install comprehensive security solutions on all your devices to protect against malware and websites designed to steal crypto assets. We recommend Kaspersky Premium, which offers additional privacy protection and data-leak monitoring tools, plus the built-in online payment protection system Safe Money.

The information in this article is for informational purposes only and does not constitute investment advice. The instruments discussed may not match your investment profile, financial situation, investment experience, or investment goals.

Kaspersky official blog – ​Read More

ClearML and Nvidia vulns

/in

ClearML and Nvidia vulns

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.   

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.    

ClearML XSS and information disclosure vulnerabilities 

Discovered by Edwin Molenaar of Cisco Meraki.  

ClearML contains two vulnerabilities. ClearML is an open-source AI platform that supports the entire AI development lifecycle from research to production. It is designed to integrate with existing tools and infrastructures, allowing developers and DevOps teams to build, train and deploy models at scale. 

TALOS-2024-2110 (CVE-2024-39272) is a cross-site scripting vulnerability. A specially crafted HTTP request can allow an attacker to upload HTML files to a dataset through an existing ClearML account. The files can later be rendered within the browser of an authenticated ClearML user and execute JavaScript.  

TALOS-2024-2112 (CVE-2024-43779) is an information disclosure vulnerability. A specially crafted HTTP request can lead to an attacker reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP requests to trigger this vulnerability. 

Nvidia memory corruption and heap-based buffer overflow vulnerabilities 

Discovered by Dimitrios Tatsis. 

The nvJPEG2000 library is provided by NVIDIA as a high-performance JPEG2000 encoding and decoding library. The prerequisite is a CUDA enabled GPU in the system that allows faster processing than traditional CPU implementations. 

TALOS-2024-2080 (CVE-2024-0142) and  TALOS-2024-2095 (CVE-2024-0143) are memory corruption vulnerabilities. A specially crafted JPEG2000 file can lead to an out-of-bounds write with arbitrary data which can lead to further memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 

 TALOS-2024-2108 (CVE-2024-0144) and TALOS-2024-2113 (CVE-2024-0145) are heap-based buffer overflow vulnerabilities in the Ndecomp field handling and parameter. A specially crafted JPEG2000 file can lead to memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. 

Cisco Talos Blog – ​Read More