What are money mules, and how to avoid accidentally becoming one | Kaspersky official blog

/in

Picture this: you’re on a train chatting with a nice lady and her young child — visitors to your home city. As the train approaches the station, she reaches for her wallet, pulls out a bank card, and her face falls. “Oh no! I accidentally snaped my card!” she exclaims. “What am I going to do now? I needed to withdraw cash…” Could I transfer you some money, so you can then withdraw it for me at an ATM?”

Most people would agree to help. She’s a young lady with a child in a new city after all, and she’s in a tight spot. What could go wrong? And she’s not asking for money — she’s sending it to you. It seems completely harmless. The money is quickly transferred to your account, you withdraw the cash from your account from an ATM, and the woman thanks you enthusiastically before disappearing into the crowds. But a couple of weeks later the police show up at your door…

You thought you were doing a good deed, but you’ve just become an unwitting participant in a money laundering scheme. People who help criminals move stolen money through their bank accounts are called “money mules”. Today we explain how you can accidentally become a money mule, and the serious consequences you could face.

How people become money mules

A money mule is anyone whose bank account is used to move or withdraw money as part of a scam. Mules are considered expendable in any fraudulent scheme, and anyone can become one — even someone who’s never heard the term before. There are many ways people get roped into these schemes, and here are just a few of them.

The “easy-money online job” scam. Job-search chats are often filled with tasty offers: “Looking for a few people, paying $50 an hour, easy work, all you need is internet access”. The “job” involves accepting transfers from certain people, and then making payments to others. Another variation involves withdrawing cash after funds are sent to you and giving it to a random courier. They might actually pay you for this “service”, but trust us, even $50 an hour isn’t worth the potential consequences, which we’ll get into later.

“I left my card at home. Do you mind helping me out?” The young-lady-in-a-tight-spot role is easy to recast in other narratives. Instead of a young lady, there could be a young man telling you a sob story about a card he’s left somewhere and needing help to pay for a smartphone, a TV, perfume, or some other expensive item. He’ll offer to transfer you funds so you can pay for the item with your own card. You may agree to help out — especially if you get cashback from using your card. But notice the difference: if this stranger messaged you online, you’d probably just tell them to get lost. However, when you’re standing next to them at the checkout counter, the likelihood of your “helping out” is much higher.

“We’ll pay you in cash under the table”. Even employees of small, shady companies can unknowingly become money mules. These companies don’t officially hire their workers, and pay only in cash under the table. Note that if the employer has obtained money illegally, all employees working without a contract may be considered money mules and could face serious legal consequences.

There are other schemes too, which primarily target teenagers. Youngsters are asked to open a bank account and pass the account details to strangers online who’ll pay them, say, $20 or $30 for the service. Opening a new bank account takes only a few seconds, and the promised sum is a real help for any hard-up student. Unfortunately, these young victims most likely have no idea who could use their accounts or how.

What happens if you become a money mule?

Nothing good. At a minimum, a money mule is considered an active participant in a criminal scheme — even if they’re unaware of their involvement. Fraudsters constantly steal large sums of digital money from both companies and ordinary people, employing hundreds of social engineering tactics. But they need a way to cash out. And that’s where schemes to create entire networks of unsuspecting money mules come in — and they’re the ones who’ll have the police knocking on their door.

Many countries have laws against money muling. Money mules get prosecuted regardless of whether they knew where the funds came from, or that they were pawns in a grand scheme. Proving the absence of criminal intent in court can be difficult, so, despite being unaware of the third party’s illicit intentions when transferring the money, they may be slapped with fines or other penalties.

Actual punishment varies by country: for example, in the United States, if criminal intent is proven, a money mule can face up to 20 years in prison. In Germany, to avoid punishment, it’s enough to turn yourself in to the police and report the scam you’ve become involved in. In Singapore, inadvertent money laundering can lead to fines of up to $150 000, or a prison sentence of up to three years if there were clear “red flags” pointing to a scam.

How to avoid becoming a money mule

Regardless of the penalties in your country for cashing out criminal money, you need to be extremely careful to avoid unwittingly becoming a money mule. Here’s a list of rules to help you avoid unwanted problems:

  • Don’t trust everyone unquestioningly. If a stranger offers to send you any amount of money for you to withdraw for a small fee, refuse.
  • Always work on-the-books, and with a formal contract. Don’t agree to off-the-books cash-in-hand, and always sign a contract for any job you do.
  • Keep your bank details private. Don’t open bank accounts at the request of someone else, or sell details of your existing accounts or bank cards.

Most importantly, remember that nothing’s truly free. Learn how to spot scammers with the help of read our Telegram channel — subscribe to stay up to date on all the new trends in cybersecurity.

What else to read on fraudulent schemes:

Kaspersky official blog – ​Read More

WordPress: vulnerabilities in plugins and themes | Kaspersky official blog

/in

The WordPress content management system (CMS) has been popping up frequently on cybersecurity news sites lately. Most of this coverage was driven by vulnerabilities in plugins and themes. However, our colleagues have also observed a case where attackers used poorly secured WordPress sites to distribute trojans. This in itself isn’t surprising — WordPress remains one of the most popular CMS platforms in the business. But the sheer number of discovered plugin vulnerabilities and related incidents shows that attackers are watching the WordPress ecosystem just as closely as its defenders.

WordPress incidents

Just this summer, several serious WordPress-related security incidents have come to light.

Gravity Forms plugin: site compromise and code infection

In early July, attackers gained access to a site running Gravity Forms — a popular form-building plugin — and injected malicious code into versions 2.9.11.1 and 2.9.12. Sites where these plugin versions were installed manually by administrators, or via the PHP dependency manager, Composer, were infected between July 9 and 10.

The malware blocked further updates, downloaded and installed additional malicious code, and created new administrator accounts. This gave the attackers full control of the site, which they then used for malicious purposes.

The Gravity Forms team urges all users to check if they’re running a potentially vulnerable version. Instructions on how to do this are available in the incident notice on the official plugin website. The notice also explains how to remove the malware. And of course, the plugin should be updated to version 2.9.13.

Alone theme: active exploitation of CVE-2025-5394

Also in July, researchers reported that attackers were actively exploiting a critical vulnerability in the unauthenticated file upload validation process (CVE-2025-5394) affecting all versions of the Alone theme for WordPress — up to and including 7.8.3. The flaw enables remote code execution (RCE), giving attackers full control over affected sites.

Notably, attacks began several days before the vulnerability was officially disclosed. According to Wordfence, already by June 12 over 120 000 attempts to exploit CVE-2025-5394 had been made. Threat actors used the flaw to upload ZIP archives containing webshells, install password-protected PHP backdoors for remote HTTP access, and create hidden administrator accounts. In some cases, they even installed full-featured file managers on the compromised WordPress site, giving them complete control over the site’s database.

The developers of the Alone theme have since released version 7.8.5, which patches the vulnerability. All users are strongly advised to update to this version immediately. Additional guidance on how to protect against this bug can be found in the Wordfence report.

Motors theme: exploitation of CVE-2025-4322

In June, attackers also targeted WordPress sites using another premium theme called Motors. In this case, attackers exploited CVE-2025-4322 — a weakness in the user validation process affecting all versions up to 5.6.67. Exploiting it allowed attackers to hijack administrator accounts.

The theme creators, StylemixThemes, released a patched version (5.6.68) on May 14, 2025. That was followed by a Wordfence statement five days later urging users to update without delay. However, not all users updated in time — attacks began the very next day, May 20, and by June 7 Wordfence had recorded 23 100 exploitation attempts.

Successful exploitation of CVE-2025-4322 grants attackers administrator rights, enabling them to create new accounts and reset passwords.

Efimer malware: spread through compromised WordPress sites

And finally, a case in which cybercriminals have not exploited vulnerabilities in plugins and themes, but that nevertheless demonstrates the interest of attackers in WordPress-based sites. In early August, our colleagues investigated an attack involving the Efimer malware — designed primarily to steal cryptocurrency. Attackers spread it via email and malicious torrents, but some infections also originated from compromised WordPress sites.

Careful analysis revealed that Efimer also included a WordPress password cracker. Essentially, each time the malware ran, it launched a brute-force attack on the WordPress admin panel using a set of standard passwords hard-coded in the script. Any successfully cracked passwords were sent back to the attackers’ command server.

Potentially dangerous vulnerabilities

Beyond the above incidents, several other vulnerabilities have been reported — though they’ve not yet been observed in real-world attacks. However, as the Motors case demonstrates, attackers could start exploiting them real soon, so they should be monitored closely.

GiveWP: a vulnerability in WordPress donation plugin

In late July, the team behind the open-source Pi-hole project discovered a vulnerability in the GiveWP plugin, which they were using on their own WordPress site. This plugin allows websites to accept online donations, manage fundraising campaigns, and more.

The developers found that the plugin inadvertently exposed donor data by displaying it in the page source, making names and email addresses accessible without authentication.

GiveWP’s developers released a patch just hours after the issue was reported on GitHub. However, since the data had already been exposed, the Have I Been Pwned service added the incident to its leak database, estimating that nearly 30 000 people’s data had been compromised.

Administrators of sites using GiveWP are advised to update the plugin to version 4.6.1 or later.

Post SMTP: vulnerability CVE-2025-24000 enables administrator account takeover

The CVE-2025-24000 vulnerability — rated 8.8 on the CVSS scale — was recently discovered in the Post SMTP plugin. This extension provides more reliable and user-friendly delivery of outgoing emails from a WordPress site than the built-in wp_mail function.

CVE-2025-24000, which affects all Post SMTP versions up to and including 3.2.0, stems from a broken access control mechanism in the plugin’s REST API. The issue is that this API checks only whether a user is authenticated — not their access level. As a result, even a low-privileged user can view logs containing sent emails along with their full contents.

This makes it possible to hijack an administrator account. An attacker only needs to initiate a password reset for the admin account, then inspect the email logs to retrieve the reset message and follow the link inside, thereby gaining administrator access.

The developer released a patched version — Post SMTP 3.3.0 — on June 11. However, download statistics on WordPress.org at the time of writing show that only about half of the plugin’s users (51.2%) have updated to the fixed version. That leaves more than 200 000 sites still exposed. Moreover, nearly a quarter of all sites (23.4%, or around 100 000) are still running the outdated 2.x branch, which contains this and other unpatched vulnerabilities.

To make matters worse, proof-of-concept (PoC) exploit code for CVE-2025-24000 has already been published online, though we haven’t verified its functionality.

How to protect your WordPress site

Plugins and themes make WordPress highly flexible and user-friendly, but they also significantly expand the attack surface. While avoiding them entirely isn’t realistic, you can ensure the security of your site by following these best practices:

  • Minimize the number of plugins and themes. Install only those that are truly necessary. The fewer you use, the lower the risk that one of them will contain a vulnerability.
  • Thoroughly test plugins in an isolated environment and analyze their code for backdoors before installing.
  • Give preference to widely used plugins. Although not immune to flaws, issues in such projects are typically discovered and patched quicker.
  • Avoid abandoned components — vulnerabilities in them may remain forever.
  • Monitor for anomalies. Regularly review the list of administrator accounts for unknown users, and monitor existing accounts for sudden password failures.
  • Strengthen password policies. Require users to set strong passwords, and make two-factor authentication mandatory.
  • Respond properly to incidents. If you suspect your site has been hacked, react to the incident immediately and restore the site’s security. If you lack the expertise, contact external specialists — swift action can greatly reduce the attack’s impact.

Kaspersky official blog – ​Read More

This month in security with Tony Anscombe – August 2025 edition

/in

From Meta shutting down millions of WhatsApp accounts linked to scam centers all the way to attacks at water facilities in Europe, August 2025 saw no shortage of impactful cybersecurity news

WeLiveSecurity – ​Read More

Link up, lift up, level up

/in

Link up, lift up, level up

Welcome to this week’s edition of the Threat Source newsletter. 

As summer retreats into the rear-view mirror, I’d like to take a moment to reflect on one of my favorite things about the cybersecurity profession: the community. Earlier this month, I attended Black Hat USA 2025 and DEF CON 33 in scalding hot Las Vegas, NV. We often refer to it as “hacker summer camp,” where all the security nerds of various stripes congregate to eat, drink, party, hack and reforge or make new bonds of fellowship with other awesome hackers. Hacker summer camp is, simply put, a whirlwind of activity, from the talks to see, villages to visit, parties to attend, and knowledge to gain. In 5 days, I think I walked almost 30 miles. By the end I was exhausted, but happy to have learned so much and see many of my hacker friends. 

For all the fun and learning you can have at summer camp, it’s a very privileged position to be able to attend. Las Vegas is not a cheap town. Hotels, flights and food — everything, really — is more expensive than average. A Black Hat badge is $1,000+, and DEF CON $500+. If you’re new to this space and early in your career, or your company doesn’t have the money to send you, the FOMO can be real. Earlier in my career, getting the opportunity to visit hacker summer camp — either with my company covering my costs or me paying out of pocket — wasn’t going to happen.  

I bring this up not to flex that I went to BH/DEF CON, but to tell you that as good as those conferences are, there is so much more. Do not be daunted by what is inaccessible but know that there are other conferences out there for like-minded hackers who want to learn and share knowledge with you, wherever you are in the world. Are you in high school? I promise you there are clubs and organizations there to help you. College? There are student clubs and organizations there that will welcome you. And if you’re looking for projects and contests, there are quite a few out there. And hackathons? I got you covered, fam. 

It’s also important to know that there are smaller information security conferences around the world. Perhaps the most popular and usually super local is Bsides. Check them out — their website has a calendar that might have one local to you.  

Infosec is as much a calling as it is a career. You were drawn to this space for a reason — and finding friends and colleagues who match your vibe is important to both grow as a human, but also to maintain a healthy relationship with this industry, especially one that’s notoriously capable of burning you out. We as humans are social creatures, and we need social interaction, even if it’s limited doses (I see you, introverts). Our professions are a natural magnet to pull others into our orbit. I can tell you so many of the things that I consider personal career milestones happened because I talked with fellow security practitioners over drinks or a meal, and something truly wonderful happened.  

So go find your people, lean into the things you are a total security nerd about, and enjoy the fellowship and growth. You’ll be all the better for it.

The one big thing 

Last week, Talos shared that ransomware attacks in Japan surged by about 1.4 times in the first half of 2025, with small and medium-sized companies (especially manufacturing) being the hardest hit. The Qilin group was the most active, and a new player, “Kawa4096,” also began targeting Japanese businesses. Even though some major ransomware groups were shut down, new threats are quickly taking their place. 

Why do I care? 

The ransomware landscape is always changing, and it often highlights vulnerabilities in small and mid-sized businesses in critical industries like manufacturing. With new ransomware groups like Kawa4096 emerging and techniques evolving, the risks are growing, and attackers are finding new ways to target organizations that may not have strong defenses.

So now what? 

While small- to mid-size manufacturing companies are the most targeted in Japan, it’s important for all businesses to stay updated on threats, invest in cybersecurity, and train their teams to spot suspicious activity. ClamAV detections are also available in the blog.

Top security headlines of the week 

Organizations warned of exploited Git vulnerability 
The US cybersecurity agency CISA on Monday warned that the flaw, tracked as CVE-2025-48384 (CVSS score of 8.1), is an arbitrary file write during the cloning of repositories with submodules that use a ‘recursive’ flag. (SecurityWeek

CISA updates SBOM recommendations 
The document is primarily meant for federal agencies, but CISA hopes businesses will also use it to push vendors for software bills of materials. (Cybersecurity Dive

AI-powered ransomware: “PromptLock” 
Although it has not yet been observed in active cyberattacks, the researchers said the PromptLock ransomware appears to be under development and nearly ready to be unleashed onto the threat landscape. (Dark Reading

Credential harvesting campaign targets ScreenConnect cloud administrators 
The campaign uses compromised Amazon Simple Email Service accounts to spear-phish senior IT administrators who have elevated privileges in ScreenConnect environments. (Cybersecurity Dive

Security researcher maps hundreds of TeslaMate servers spilling Tesla vehicle data 
A security researcher has found over a thousand publicly exposed hobby servers run by Tesla vehicle owners that are spilling sensitive data about their vehicles, including their granular location histories. (TechCrunch)

Can’t get enough Talos? 

  • State of Identity Security Report 
    Cisco Duo’s global survey of 650 Security & Data Ops leaders shows where orgs succeed, and where they’re exposed. Download the full report now. 
  • Static Tundra exposed 
    A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide.

Upcoming events where you can find Talos 

  • BlueTeamCon (Sept. 4 – 7) Chicago, IL 
  • LABScon (Sept. 17 – 20) Scottsdale, AZ 
  • VB2025 (Sept. 24 – 26) Berlin, Germany 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details  
Typical Filename: IMG001.exe   
Claimed Product: N/A  
Detection Name: Simple_Custom_Detection 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos 

Cisco Talos Blog – ​Read More

NX build compromise detection and response | Kaspersky official blog

/in

Packages of the popular build platform and CI/CD optimization system, Nx, were compromised on the night of August 26-27. A malicious script was added to the system’s packages, which, according to npm repository statistics, have more than five million weekly downloads. Thousands of developers that use Nx to accelerate and optimize application development had their sensitive data stolen: npm and GitHub tokens, SSH keys, cryptocurrency wallets, and API keys were uploaded to the public GitHub repositories. The massive leak of secrets poses a long-term threat of supply chain attacks: even when malicious packages are removed from affected systems, attackers may still have the ability to compromise applications created by these thousands of developers.

Attack and response chronology

The attackers used a compromised token issued for one of the Nx package maintainers to publish multiple malicious versions of the Nx package and its plugins in the two hours between 22:32 UTC, August 26 and 0:37 UTC, August 27. Another two hours later, the npm platform removed all compromised versions of the packages, and another hour later, the Nx owners revoked the stolen token — so attackers lost access to the Nx repository. Meanwhile, thousands of public repositories containing data stolen by the malicious script began appearing on GitHub.

At 9:05 UTC on August 27, GitHub responded by making all leaked repositories private and unsearchable. Nevertheless, the stolen data was publicly available for more than nine hours, and was downloaded multiple times by groups of cybercriminals and researchers. A total of 19 compromised versions of Nx and plugins were released:

  • @nx, 20.9.0, 20.10.0, 20.11.0, 20.12.0, 21.5.0, 21.6.0, 21.7.0, 21.8.0
  • @nx/devkit, 20.9.0, 21.5.0
  • @nx/enterprise-cloud, 3.2.0
  • @nx/eslint, 21.5.0
  • @nx/js, 20.9.0, 21.5.0
  • @nx/key, 3.2.0
  • @nx/node, 20.9.0, 21.5.0
  • @nx/workspace, 20.9.0, 21.5.0.

How this attack was possible

For a short time starting from August 21, the Nx code used a vulnerable workflow (GitHub action workflow) that allowed arbitrary code injection. Attackers took advantage of this to modify publish.yml on August 24 and extract an npm token that grants rights to publish packages. Although the vulnerability was patched, the token leak was not noticed until it was exploited in an attack on August 26.

Malware features and targets

The Nx packets were trojanized using a malicious post-installation script called telemetry.js. It targets development environments on macOS and *nix (when run on Windows, the malicious script immediately terminates).

Once run, the script searches the affected system for the following types of data:

  • MetaMask, Electru, Ledger, Trezor, Exodus, Phantom, Solflare key storages and crypto wallets
  • Random key storage files (*key, *keystore.json, UTC–, IndexedDB)
  • GitHub personal authentication tokens
  • Access tokens for npm
  • .env files
  • RSA private keys (id_rsa).

It’s noteworthy that popular LLMs running via command line tools were used for the searches. If Anthropic Claude, Amazon Q or Google Gemini CLI tools were installed on the system, script made an insecure query that required finding all the listed data types.

All found data was uploaded to GitHub in obfuscated form — encoded in base64 multiple times. To do this, the malware used stolen GitHub tokens, created a publicly accessible s1ngularity-repository, s1ngularity-repository-0, or s1ngularity-repository-1 on behalf of the victim, and uploaded a single results.b64 file there.

The attackers probably aim to quickly exploit the stolen data; after all, the malicious script hasn’t tried to be stealthy, but instead tried to aggressively isolate the victim from accessing working systems. To do this, it added the sudo shutdown command to~ /.bashrc and ~/.zshrc, resulting in new terminal sessions immediately initiating a system shutdown.

How to test your systems

Organizations using Nx should check their package versions, and audit their GitHub accounts and logs.

  1. Check the Nx package versions in use with the npm ls nx command
  2. Check for any Nx packages in package-lock.json
  3. Check for security events in the GitHub logs.

If repositories named s1ngularity-repository* are found, download the results.b64 files from them for further investigation, and remove them from GitHub.

When malicious repositories are detected:

  1. Remove node_modules completely: rm -rf node_modules
  2. Clean the npm cache: npm cache clean –force
  3. Check and clean out extraneous commands from ~/.bashrc and ~/.zshrc
  4. Make an archive copy for investigation and delete the /tmp/inventory.txt and /tmp/inventory.txt.bak files from the system
  5. Remove malicious package versions from package-lock.json
  6. Reinstall the safe versions of the packages.

The most critical and urgent action for compromised systems is to update all secrets that the malware may have accessed by the malware (GitHub PATs, npm tokens, SSH keys, API keys in .env files and Claude, Gemini and Q keys).

You should also continue to monitor your GitHub repositories. First, even after all these steps, there may still be Trojanized versions of Nx on compromised systems that will continue to download stolen information. Second, if attackers have already managed to use the stolen tokens before they rotate them, this will most likely manifest itself in unauthorized commits or malicious changes to GitHub actions.

Kaspersky official blog – ​Read More

Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities

/in

Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed ten vulnerabilities in BioSig Libbiosig, nine in Tenda AC6 Router, eight in SAIL, two in PDF-XChange Editor, and one in a Foxit PDF Reader.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Libbiosig vulnerabilities

Discovered by Mark Bereza and Lilith >_> of Cisco Talos.

BioSig is an open source software library for biomedical signal processing. The aim of the BioSig project is to foster research in biomedical signal processing by providing free and open source software tools for many different application areas. BioSig for C/C++ provides command line tools for data conversion, a library to access a number of data formats (libbiosig), and some experimental code for network transfer of biosignal data.

Talos discovered ten vulnerabilities in libbiosig, affecting both version 3.9.0 of the stable release and the latest commit on the Master Branch at the time of disclosure to the vendor, grouped here by vulnerability type:

Integer overflow:

  • TALOS-2025-2231 (CVE-2025-53518) exists in the ABF parsing functionality. A specially crafted ABF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
  • TALOS-2025-2233 (CVE-2025-52581) exists in the GDF parsing functionality. A specially crafted GDF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Stack-based buffer overflow:

  • TALOS-2025-2234 (CVE-2025-54480-54494) and TALOS-2025-2236 (CVE-2025-46411) exist in the MFER parsing functionality. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Heap-based buffer overflow:

  • TALOS-2025-2232 (CVE-2025-53853) exists in the ISHNE parsing functionality. A specially crafted ISHNE ECG annotations file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
  • TALOS-2025-2235 (CVE-2025-53557) and TALOS-2025-2237 (CVE-2025-53511) exist in the MFER parsing functionality. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 
  • TALOS-2025-2239 (CVE-2025-54462) exists in the Nex parsing functionality. A specially crafted .nex file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
  • TALOS-2025-2240 (CVE-2025-48005) exists in the RHS2000 parsing functionality. A specially crafted RHS2000 file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Out-of-bounds read:

  • TALOS-2025-2238 (CVE-2025-52461) exists in the Nex parsing functionality. A specially crafted .nex file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

Tenda vulnerabilities

Discovered by Lilith >_> of Cisco Talos.

The Tenda AC6 is a popular and affordable dual-band gigabit WiFi Router available online, especially on Amazon. All vulnerabilities were found in Tenda AC6 V5.0 V02.03.01.110.

TALOS-2025-2161 (CVE-2025-31355) is a firmware update vulnerability in the Firmware Signature Validation functionality of Tenda. A specially crafted malicious file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Two unencrypted transmission of credentials vulnerabilities were found: TALOS-2025-2162 (CVE-2025-27564) exists in the web portal authentication functionality, while TALOS-2025-2167 (CVE-2025-31646) is in the Session Authentication Cookie functionality. Specially crafted network packets can lead to arbitrary authentication or authentication bypass, respectively. An attacker can sniff network traffic to trigger these vulnerabilities.

TALOS-2025-2163 (CVE-2025-24322) is an unsafe default authentication vulnerability in the Initial Setup Authentication functionality of Tenda. A specially crafted network request can lead to arbitrary code execution. An attacker can browse to the device to trigger this vulnerability.

TALOS-2025-2164 (CVE-2025-24496) is an information disclosure vulnerability in the /goform/getproductInfo functionality of Tenda. Specially crafted network packets can lead to a disclosure of sensitive information. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2165 (CVE-2025-27129) is an authentication bypass vulnerability in the HTTP authentication functionality of Tenda. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2166 (CVE-2025-30256) is a denial of service vulnerability in the HTTP Header Parsing functionality of Tenda. A specially crafted series of HTTP requests can lead to a reboot. An attacker can send multiple network packets to trigger this vulnerability.

TALOS-2025-2168 (CVE-2025-32010) is a stack-based buffer overflow vulnerability in the Cloud API functionality of Tenda. A specially crafted HTTP response can lead to arbitrary code execution. An attacker can send an HTTP response to trigger this vulnerability.

TALOS-2025-2178 (CVE-2025-31143) is a cleartext transmission vulnerability that exists in the Tenda App Router Authentication functionality of Tenda. An attacker can send information gleaned from sniffing network traffic to trigger this vulnerability, which can lead to arbitrary authentication.

SAIL vulnerabilities

Discovered by a member of Cisco Talos.

SAIL is a format-agnostic image decoding library supporting all popular image formats. It provides a C/C++ API for end-users and works on Windows, macOS, and Linux platforms.

Talos found eight memory corruption vulnerabilities in SAIL Image Decoding Library v0.9.8.

TALOS-2025-2215 (CVE-2025-46407) exists in the BMPv3 Palette Decoding functionality. When loading a specially crafted .bmp file, an integer overflow can be made to occur which will cause a heap-based buffer to overflow when reading the palette from the image. These conditions can allow for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2216 (CVE-2025-32468) exists in the BMPv3 Image Decoding functionality. When loading a specially crafted .bmp file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2217 (CVE-2025-35984) exists in the PCX Image Decoding functionality. When decoding the image data from a specially crafted .pcx file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2218 (CVE-2025-53510) exists in the PSD Image Decoding functionality. When loading a specially crafted .psd file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2219 (CVE-2025-53085) exists in the PSD RLE Decoding functionality. When decompressing the image data from a specially crafted .psd file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2220 (CVE-2025-50129) exists in the PCX Image Decoding functionality. When decoding the image data from a specially crafted .tga file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2221 (CVE-2025-52930) exists in the BMPv3 RLE Decoding functionality. When decompressing the image data from a specially crafted .bmp file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

TALOS-2025-2224 (CVE-2025-52456) exists in the WebP Image Decoding functionality. When loading a specially crafted .webp animation an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

PDF-XChange out-of-bounds read vulnerabilities

Discovered by KPC of Cisco Talos.

PDF-XChange Editor allows the creation, editing, manipulation, and conversion of PDF files, conforming to international ISO specifications for PDF files.

TALOS-2025-2171 (CVE-2025-27931) and TALOS-2025-2203 (CVE-2025-47152) are out-of-bounds read vulnerabilities in the EMF functionality of PDF-XChange Editor version 10.5.2.395. By using a specially crafted EMF file, an attacker could exploit these vulnerabilities to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

Foxit memory corruption vulnerability

Discovered by KPC of Cisco Talos.

Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.

TALOS-2025-2202 (CVE-2025-32451) is a memory corruption vulnerability in Foxit Reader 2025.1.0.27937. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Cisco Talos Blog – ​Read More

BadCam attack: malicious firmware in “clean” webcams

/in

Computer webcams have long been suspected of peeping on folks; nothing unusual about that. But now they’ve found a new role in conventional cyberattacks. At the recent BlackHat conference in Las Vegas, researchers presented the BadCam attack, which allows an attacker to reflash a webcam and execute malicious actions on the computer it’s connected to. Essentially, it’s a variation of the well-known BadUSB attack; the key difference is that with BadCam attackers don’t need to prepare a malicious device in advance — they can use a “clean” webcam already connected to the computer. Another unwelcome novelty is that the attack can be carried out completely remotely. Although the research was conducted by ethical hackers, and BadCam hasn’t yet been observed in real-world attacks, it won’t be difficult for criminals to figure it out and reproduce the necessary steps. That’s why organizations should understand how BadCam works and implement protective measures.

The return of BadUSB

It was also at BlackHat that BadUSB was unveiled to the world — back in 2014. It works by taking a seemingly harmless device (say, a USB stick) and reprogramming its firmware. When it connects to a computer, the malicious gadget presents itself as a composite USB device with multiple components, such as a flash drive, keyboard, or network adapter. Its storage functions work normally, so the user interacts with the flash drive as usual. Meanwhile, a hidden firmware component impersonating a keyboard sends commands to the computer — for example, a key combination to launch PowerShell and enter commands to download malware from the internet, or to open a tunnel to the attackers’ server. BadUSB techniques are still widely used in red team exercises — often implemented via specialized hacker multitools like Hak5 Rubber Ducky or Flipper Zero.

From BadUSB to BadCam

Researchers at Eclypsium managed to replicate this firmware-rewriting trick on Lenovo 510 FHD and Lenovo Performance FHD webcams. Both use a SigmaStar SoC, which has two interesting features. First, the webcam software is Linux-based and supports USB Gadget extensions. This Linux kernel feature allows the device to present itself as a USB peripheral such as a keyboard or network adapter. Second, the webcam’s firmware update process lacks cryptographic protection — it’s enough to send a couple of commands and a new memory image over the USB interface. Reflashing can be carried out by running software on the computer with standard user privileges. With this altered firmware, Lenovo webcams turn into a keyboard-camera hybrid capable of sending predefined commands to the computer.

Although the researchers tested only Lenovo webcams, they note that other Linux-based USB devices may be similarly vulnerable.

Cyber-risks of the BadCam attack

Potential attack vectors for BadCam against an organization include:

  • A new camera sent by the attacker
  • A camera temporarily disconnected from a corporate computer and connected to the attacker’s laptop for reflashing
  • A camera that was never disconnected from the organization’s computer, and compromised remotely via malware

Detecting this malware through behavior analysis can be tricky, since it doesn’t need to make suspicious changes to the registry, files, or network — it only has to communicate with the webcam. If the first phase of the attack succeeds, the malicious firmware can then send keyboard commands to:

  • disable security tools;
  • download and execute additional malware;
  • launch legitimate tools for a Living Off the Land (LotL) attack;
  • respond to system prompts, for example for elevating privileges;
  • exfiltrate data from the computer over the network.

At the same time, standard software scans won’t detect the threat, and even a full system reinstall won’t remove the implant. System logs will show that the malicious actions were performed from the logged-in user’s keyboard. For this reason, such attacks will most likely be deployed for persistence in the compromised system — although in the MITRE ATT&CK matrix, BadUSB techniques are listed under T1200 (Hardware Additions) and assigned to the Initial Access phase.

How to defend against BadCam attacks

The attack can be stopped at several stages using standard security tools that block trojanized peripherals and make LotL attacks more difficult. We recommend that you:

  • Configure your EDR/EPP solution to monitor connected HID devices. In Kaspersky Next, this feature is called BadUSB Attack Prevention. When a device with keyboard functionality is connected, the user must enter a numeric code displayed on the screen, without which the new keyboard can’t control the system.
  • Configure your SIEM and XDR solutions to collect and analyze detailed telemetry for HID device connections and disconnections.
  • Set up USB port control in your MDM/EMM solution. Depending on its capabilities, you can disable USB ports altogether or create an allowlist of devices (by VID/PID identifiers) permitted to connect to the computer.
  • Where possible, enforce an application allowlist on employee computers so that only approved software can run and all other applications are blocked.
  • Regularly update not only the software but also the firmware of standard equipment. For example, Lenovo has released patches for the two camera models used in the research, making malicious firmware updates more difficult.
  • Apply the Principle of Least Privilege, ensuring each employee has only the access rights strictly necessary for their role.
  • Include BadUSB and BadCam in employee security-awareness training, with simple guidance on what to do if a USB device behaves unexpectedly — for example, if it starts typing commands on its own.

Kaspersky official blog – ​Read More

MSSP Growth Guide: Scaling Threat Detection for Expanding Client Base 

/in

 An MSSP leader is no stranger to the relentless pressure of growth. With an expanding client base comes the daunting task of scaling threat detection capabilities: without compromising quality, speed, or your bottom line. The challenge that rises above all is how to grow while maintaining the balance between human potential and organizational demands.

Human Dilemma: Analysts Under Pressure 

Hiring more analysts isn’t always possible. The global cybersecurity talent shortage makes it difficult. And even if talent were available, inflating staff costs could ruin the business model. Yet, overloading existing teams creates its own risks such as burnout, alert fatigue, and costly mistakes. 

At the core of MSSP growth lies a paradox: human talent is your most valuable asset, but also your most limited resource. 

Threat analysts are the backbone of MSSPs. But their daily work is often filled with repetitive tasks, cognitive overload, and stress from high expectations. Without the right support, even the most capable teams risk crumbling under pressure. 

Analyst Burnout Crisis: Where Efficiency Goes to Die

Why won’t adding more analysts solve your scaling problem? Each additional team member inherits these same systemic issues, multiplying your operational costs without proportionally increasing your detection effectiveness. 

Work Aspect  Associated Challenge 
Alert triage and prioritization  Decision fatigue   Constant high-stakes choices lead to poor judgment and delayed responses 
Repetitive false positive investigation  Learned helplessness  
Analysts become skeptical of all alerts, missing genuine threats 
Context switching between multiple client environments  Cognitive overload  
Mental energy wasted on remembering different tools, processes, and threat landscapes 
Manual threat intelligence gathering  Research rabbit holes  
Time spent hunting for IOCs that may not even be relevant 
Escalation decision-making under time pressure  Imposter syndrome  
Fear of making wrong calls leads to over-escalation and confidence erosion 
24/7 monitoring demands  Chronic stress and alert fatigue  Physical and mental exhaustion compromising analytical quality 
Lack of closure on investigated incidents  Psychological incompleteness 
 
Never knowing outcomes creates job dissatisfaction and turnover 

The danger? Analysts become reactive instead of proactive, struggling to keep up rather than driving MSSP growth. 

The Force Multiplier Approach: Amplifying Human Intelligence 

Scaling effectively doesn’t mean hiring more people — it means enabling the people you already have to work smarter. This approach allows you to: 

  • Reduce analyst burnout while improving job satisfaction. 
  • Maintain high-quality threat detection as you onboard new clients. 
  • Build a competitive advantage through superior efficiency. 

This is where ANY.RUN’s Threat Intelligence solutions step in. By combining automation with analyst-driven insight, they give MSSPs the edge to scale without compromise. 

Threat Intelligence Feeds: Fresh Fuel for Proactive Defense 

Key features of ANY.RUN’s TI Feeds, data sources, integration options 

ANY.RUN’s TI Feeds represent a paradigm shift from traditional threat intelligence. Instead of static, aging IOCs, TI Feeds deliver fresh threat indicators extracted from real-time analysis sessions where malware samples are analyzed for behavior, tactics, techniques, and procedures (TTPs). 

These feeds are accurate, comprehensive, and timely, enriched with contextual details like threat relationships and campaign associations. They come in industry-standard formats such as STIX and MISP for seamless integration into your existing SIEM, EDR, or other security systems.  
 
Key features include real-time updates from thousands of daily analyses, coverage of network-based IOCs (e.g., malicious IPs, domains), file hashes, and behavioral indicators, all sourced from a global community of over 15,000 organizations analyzing the latest threats. 
 
Here’s how TI Feeds empower your MSSP team to be more effective and efficient 

  • Automated Threat Enrichment: Automatically correlate incoming alerts with fresh IOCs, reducing manual triage time and minimizing false positives, so analysts can prioritize real dangers. 
  • Proactive Detection at Scale: Feed real-time indicators into your tools to block emerging threats before they hit clients, allowing your team to handle more volume without overload. 
  • Contextual Insights for Faster Decisions: Provide enriched data on threat behaviors and TTPs, enabling analysts to understand attacks deeply and respond with precision, cutting investigation hours. 
  • Cost-Effective Integration: Easy plug-and-play with existing infrastructure means no steep learning curves or additional hires, optimizing resource use across growing client bases. 
  • Reduced Alert Fatigue: By filtering out noise with high-quality, verified IOCs, analysts stay sharp and engaged, boosting morale and retention. 

Make your team and business more efficient with TI Feeds:
improve detection and reduce alert fatigue  



Contact ANY.RUN to start integration


Threat Intelligence Lookup: Your On-Demand Threat Intelligence Powerhouse

TI Lookup acts as a search engine for threats — allowing analysts to quickly investigate suspicious IOCs, files, domains, and hashes. Instead of digging through multiple sources or waiting for reports, they can instantly connect the dots. 

How TI Lookup works: check a potential IOC like an IP address get an instant verdict and more IOCs

Key Benefits for MSSPs 

  • Faster investigations: Cut down on time-to-insight when analyzing client incidents. 
  • Single source of actionable data: Access a unified database of malware samples and indicators. 
  • Empowered analysts: Give junior analysts the same depth of insight as seasoned experts. 
  • Reduced stress: Analysts can confirm or rule out threats quickly, lowering mental load. 
  • Client trust: Deliver fast, evidence-backed answers to customers. 

Building Your Scaling Strategy: People First, Technology Second 

Successful MSSP scaling starts with understanding that your analysts are force multipliers, not just cost centers. By providing them with superior solutions like ANY.RUN’s TI Feeds and TI Lookup, you can: 

  1. Increase capacity without increasing headcount – Each analyst can effectively monitor more clients when equipped with efficient threat intelligence products.  
  1. Improve retention through job satisfaction – Analysts prefer challenging, high-value work over repetitive alert triage. Better tools enable more strategic thinking and less grunt work. 
  1. Deliver superior client outcomes – Faster, more accurate threat detection translates directly to improved client satisfaction and retention. 
  1. Build competitive differentiation – While competitors struggle with scaling challenges, you can confidently take on new clients knowing your team has the tools to succeed. 

The MSSP market will continue to grow, and client expectations will only increase. The organizations that thrive will be those that recognize the critical importance of human talent and invest in services that amplify rather than replace human intelligence. 

ANY.RUN’s threat intelligence solutions provide the foundation for this approach. When your analysts have access to fresh, contextual threat intelligence at their fingertips, they transform from reactive alert processors into proactive threat hunters.

Scale threat detection without scaling your team   



Contact us to unlock real-time IOC streams


About ANY.RUN  

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.  

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.  

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.  


Try ANY.RUN to strengthen your proactive defense 

The post MSSP Growth Guide: Scaling Threat Detection for Expanding Client Base  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

How to remove your information from personal data brokers’ databases | Kaspersky official blog

/in

Data brokers compile extensive dossiers on you to resell later. They’re interested in all of us — hundreds of millions of folks worldwide — and they don’t ask for our permission or pay us any compensation. Most of these companies aren’t well known, and you’ve likely never had any direct contact with them. But there are around a thousand of them in the U.S. alone, and five times as many worldwide. This market was estimated at nearly $300 billion last year. Data brokers’ clients include banks checking credit history, retailers looking for new customers, intelligence agencies, and many other organizations that need detailed data on individuals.

What do data brokers collect, and where from?

Data brokers collect anything and everything they can get their hands on. Most often:

  • Personal information: full names, physical addresses, dates of birth, phone numbers, email addresses, identification numbers (passports, driver’s licenses, social security numbers, etc.)
  • Age, gender, origin, marital and financial status, level and type of education
  • Number and type of pets
  • Car make and mileage
  • Geolocation data: likely places of work and residence, favorite stores, entertainment spots
  • Details on online and offline purchases, membership in retailer loyalty programs, favorite brands
  • Detailed financial information: creditworthiness, number and types of accounts, deposits, investments, mortgages, credit card habits, bankruptcy data
  • Online behavior data: favorite websites, types of content frequently viewed on social media, hobbies, recently viewed ads, etc.
  • Health information, including data on medication purchases, online symptom searches, data from fitness apps
  • Habits, interests, political and religious beliefs, favorite media outlets
  • Social connections: family members, coworkers, friends

To compile such an intimidatingly detailed file, brokers download any publicly available data (social media profiles, business registries, real estate registries, online classified ads), request information from credit bureaus, and buy data from each other. They also purchase data from loyalty programs, and analytics from gadget vendors. And they collaborate with online advertising and tracking firms — especially those that place ads in mobile apps.

All this information is cross-referenced using recurring identifiers (email addresses, phone numbers, names and addresses, ID numbers) to enrich each profile.

What’s so bad about data collection?

Collected and resold data has an invisible yet significant impact on your life. Why were you denied a loan, or why did your insurance premium go up? How come real estate agents have your phone number when you only decided to buy a house yesterday? According to a U.S. Senate committee investigation, some data brokers’ collections are clearly designed to exploit people’s difficult circumstances. The names of these datasets speak for themselves: “Rural and Barely Making It”, “Retiring on Empty: Singles”, and “Tough Start: Young Single Parents”. Information like this is often purchased by payday loan providers. Other collections are ominously named too, such as “Individuals who recently visited abortion clinics”.

In an extreme example from 2025, a killer bought data on victims’ residential addresses from publicly available data broker websites to track and assassinate political targets in the U.S.

The same Senate investigation highlights that brokers usually operate in secrecy. They collect data without directly interacting with consumers, often hide their data sources, and prohibit their buyers from revealing where contact lists were obtained.

Note that data brokers, like any other companies, are vulnerable to cyberattacks. When they’re breached, the data they’ve collected falls into the hands of true cybercriminals. The scale of the consequences for victims of a data breach can be illustrated with just one case: last year, hackers stole a database containing 2.7 billion records from a company named National Public Data. The records included full names, addresses, dates of birth, phone numbers, and social security numbers (SSNs). It’s believed that the breach affected every US citizen or resident with an SSN!

The challenges of getting your data removed

While the world is gradually introducing legislation to force data brokers to comply with user requests to find and remove personal information, the process can be quite challenging in practice.

  • There’s no centralization. You have to search for your own data on each data broker’s website and make separate removal requests.
  • Even locating data brokers — not to mention the page on their website where you can make a request — can be fraught with difficulty. According to a recent study by The Markup, in California alone — where local legislation mandates centralized registration of data brokers and requires data removal upon a user request under the CCPA — 35 out of 499 registered data brokers prohibited search engines from indexing and displaying their data removal pages. The removal link itself is often buried deep in the website’s footer or elsewhere (in one case it was found on page 15 of the privacy policy).
  • Information removal requests are often complex and consist of multiple steps. They may even require more personal data from you to prove that you are indeed you, and you have the right to submit a request. A study by UC Irvine highlighted some exotic methods of identity verification, such as providing your zodiac sign or your monthly car loan payment amount. If the request isn’t worded correctly or the verification data isn’t provided, the request is ignored.
  • The same study found that, out of 454 information removal requests submitted, 195 (43%) were ignored.

How to actually remove yourself from data brokers’ databases

If you’re up for a challenge, arm yourself with both patience and a spreadsheet (in Excel or similar), and follow our instructions:

  • First, identify the data brokers you want to contact. You can find a full up-to-date list from the Privacy Rights Clearinghouse, but it’s heavily focused on U.S.-based companies. While they’re the biggest players in the market, be sure to find brokers specific to your region as well.
  • Create and save a standard template for your removal request email. The message should include your key personal details and reference the applicable laws in your case: CCPA for California residents; GDPR for the EU; UK-GDPR for the UK; LGPD for Brazil; 152-FZ for Russia. Even if you don’t live in one of these regions, you can still reference CCPA or GDPR — some providers will honor the request without verifying if the law directly applies to you.
  • For each data broker, locate the page for submitting a request, which might be named “Opt Out”, “Do Not Sell”, “Privacy Request”, “Right to Delete”, “Right to Be Forgotten”, or something along those lines. Your best bet is to start by looking for small-print links in the footer of the web page. If you can’t find anything there, check the privacy policy section. You can also try a Google search.
  • Carefully review the broker’s specific requirements. If they require you to send a request via email, simply send your template to the provided address. If an online form is required, fill in the fields using snippets from the same template.
  • In your spreadsheet, indicate the name of the broker, the date you submitted the request, and the URL of the request page (so you don’t have to search for it again).
  • Be patient — a response (if you get one at all) could take up to six weeks. This is where your spreadsheet comes in handy — you can use it to track response times and send follow-up requests as needed.
  • For those who lack the time or patience, there are paid services that can automatically send these requests for you.
  • Most importantly, this isn’t a one-time process. Data about you is constantly being collected and sold to brokers, so you should go through the same list again every three to six months.

How to stay off data brokers’ lists in the first place

It’s near impossible to avoid getting noticed by data brokers altogether, but you can minimize the amount of data they collect.

  • Use multiple email addresses and phone numbers. One for communicating with friends, family, banks, and government agencies. A different one for online stores and non-essential services. You can even use more than two email addresses.
  • Provide minimal information to loyalty programs.
  • Go through the settings in your online banking apps and on your favorite e-commerce sites. Make sure you’ve turned off all permissions in sections like “Marketing Data”, “Advertising Preferences”, and “Partner Offers”. Feeding data to brokers is often disguised under phrases like “Show me ads based on my interests”.
  • Turn off and reset advertising IDs on your smartphone.
  • Disable location tracking for most of your apps.
  • Use the privacy settings in social networks and messaging apps.
  • Use a private browser or an app that protects against online tracking. Special privacy features are available in Kaspersky Premium.
  • Take advantage of our free Privacy Checker service to adjust your privacy settings everywhere — from social networks to operating systems.
  • Subscribe to our read our Telegram channel to be the first to learn about new threats to your privacy and how to combat them. For example, we’ll soon be publishing detailed instructions on how to minimize and clean up your digital footprint (for both adults and minors).

Other posts about how your personal data is collected and how to fight back:

Kaspersky official blog – ​Read More

Major Cyber Attacks in August 2025: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA

/in

Phishing kits and stealers didn’t slow down this August, and neither did we. ANY.RUN analysts tracked some of the month’s most dangerous campaigns, from a 7-stage Tycoon2FA phishing chain to Rhadamanthys delivered via ClickFix, and the discovery of Salty2FA, a brand-new PhaaS framework linked to Storm-1575

All were analyzed inside ANY.RUN’s Interactive Sandbox, revealing full execution chains, decrypted traffic, and behavior missed by static tools. Combined with Threat Intelligence Lookup, these insights help SOC teams turn raw IOCs into actionable detection rules and cut investigation time when it matters most. 

Let’s explore how these attacks worked, what they targeted, and the insights SOC teams can take away. 

Tycoon2FA: New 7-Stage Phishing Attack Beats Top Security Systems 

Post on X 

ANY.RUN analysts uncovered a multi-stage Tycoon2FA campaign that takes phishing beyond the usual fake login page. Instead, it runs victims through a seven-step execution chain packed with CAPTCHAs, button-hold checks, and validation screens; each designed to wear down humans and outsmart automated security tools. By the time the final phishing panel appears, most defenses have already failed. 

Unlike mass phishing kits that cast a wide net, Tycoon2FA is highly selective. It goes after accounts that unlock access to critical systems and sensitive data, not just ordinary inboxes. 

Key industries targeted by Tycoon2FA 

Recent campaigns have zeroed in on government and military agencies, as well as financial institutions ranging from global banks to regional insurers. Activity has been observed across the US, UK, Canada, and Europe, where a single stolen login can cause major financial losses or even disrupt national operations. 

ANY.RUN data shows that 26% of Tycoon2FA cases analyzed in our sandbox involved the banking sector; clear evidence that attackers are deliberately aiming at high-value targets. 

7-Stage Execution Flow Exposed inside ANY.RUN 

In a recent ANY.RUN analysis, Tycoon2FA unfolded in this order: 

Check Real Case: Multi-Stage Tycoon2FA Attack 

Execution chain of multi-stage Tycoon2FA campaign 
  1. Phishing email link → The attack begins with a voicemail-themed phishing email containing a malicious link to lure the victim. 
  1. PDF attachment → Clicking the link triggers a fake PDF download, masking the next redirection step. 
  1. Link inside PDF → The PDF itself hides another embedded hyperlink, pushing the victim deeper into the chain. 
  1. Cloudflare Turnstile CAPTCHA → A CAPTCHA challenge filters out automated scanners by requiring human interaction. 
  1. “Press & Hold” anti-bot check → A second verification forces a hold-and-release gesture, further blocking automation. 
  1. Email validation page → The victim is asked to “verify” their email, confirming they are real and a worthwhile target. 
  1. Final phishing panel → At the end, a fake Microsoft login page is revealed, ready to steal the victim’s credentials. 

With ANY.RUN’s Automated Interactivity, analysts can replicate each click and CAPTCHA, exposing the entire chain in minutes. This delivers not just IOCs, but also behavioral indicators that SOC teams can fold directly into detection rules and SOAR playbooks, reducing investigation time and keeping attacks like Tycoon2FA from slipping through. 

See decrypted traffic and examine the full threat context: Tycoon2FA Analysis Session.

Detailed analysis of Tycoon 2FA attack inside ANY.RUN’s Sandbox 

Check out the following TI Lookup search query to track Tycoon campaigns and adjust detection rules accordingly: threatName:”tycoon” 

ANY.RUN Sandbox analyses with Tycoon  

Gathered IOCs: 

  • *[.]filecloudonline[.]com  
  • vnositel-bg[.]com  
  • culturabva[.]es  
  • spaijo[.]es  
  • dvlhpbxlmmi[.]es  
  • pyfao[.]es 

Rhadamanthys Stealer Delivered via ClickFix with PNG Steganography 

Post on X 

A new wave of phishing campaigns shows how attackers are pairing ClickFix social engineering flows with advanced malware families. This time, the target is Rhadamanthys Stealer a C++ infostealer known for extensive data theft capabilities and advanced evasion. 

Earlier ClickFix campaigns primarily deployed NetSupport RAT or AsyncRAT. The switch to Rhadamanthys signals a step up in stealth and payload sophistication, as threat actors blend social engineering and technical obfuscation to bypass defenses. 

In the observed case inside ANY.RUN sandbox, a phishing domain initiates a ClickFix flow (MITRE T1566), leading the user to download and execute a malicious MSI payload. 

View real case with Rhadamanthys delivered via ClickFix 

ClickFix flow analyzed inside ANY.RUN sandbox 

The chain unfolds as: 

ClickFix ➡ msiexec ➡ EXE file ➡ compromised system file ➡ PNG-stego payload 

Detailed Rhadamanthys attack chain 
  • The MSI is executed silently in memory (T1218.007) and installs Rhadamanthys into a disguised directory under the user profile. 
  • Anti-VM checks (T1497.001) are performed to evade analysis. 
  • A compromised system file initiates TLS connections directly to IPs, bypassing DNS monitoring. 
  • Attackers use self-signed TLS certificates with mismatched Issuer/Subject fields, leaving unique hunting artifacts. 
  • Additional payloads are delivered via an obfuscated PNG using steganography (T1027.003)

To stop Rhadamanthys, SOC teams need to look beyond static IOCs. Detecting ClickFix flows and steganography payloads requires behavioral visibility, while TLS anomaly hunting helps expose the mismatched certificates attackers use for covert traffic.  

With ANY.RUN’s Interactive Sandbox, analysts can replicate user actions, uncover hidden execution in memory, and turn these insights into actionable rules and automated response playbooks, cutting investigation time and strengthening SOC workflows. 

Get instant access to ANY.RUN’s live threat analysis  



Sign up with business email 


Track similar campaigns in TI Lookup and enrich IOCs with live attack data from threat investigations across 15K SOCs

ANY.RUN Sandbox analyses with ClickFix social engineering flows 
IOCs for the threat detection and research 
– 84.200[.]80.8 
– 179.43[.]141.35
194.87[.]29.253
flaxergaurds[.]com
– temopix[.]com
zerontwoposh[.]live
loanauto[.]cloud
wetotal[.]net 

Salty2FA: New Phishing Framework from Storm-1575 Targeting US and EU 

Post on X 

Detailed breakdown of Salty2FA 

ANY.RUN analysts uncovered Salty2FA, a new Phishing-as-a-Service (PhaaS) framework engineered to bypass nearly all known 2FA methods. First spotted in June 2025, it has since evolved into an active campaign targeting Microsoft 365 accounts across the US, Canada, Europe, and global holdings

The kit is named for its distinctive “salting” of source code, a tactic that disrupts both static and manual analysis. It unfolds through a multi-stage execution chain delivered via phishing emails and links (MITRE T1566). Infrastructure relies on a recurring pattern: compound .??.com subdomains paired with .ru domains (T1583), supported by chained servers and resilient C2 communication (T1071.001). 

Salty2FA also implements adversary-in-the-middle techniques (T1557), enabling it to intercept phone app push notifications, OTP codes, SMS messages, and even two-way voice calls. This gives attackers access well beyond stolen credentials. 

Salty2FA phishing kit execution chain 

Attribution and Targets 

Infrastructure and IOCs overlap with the Storm-1575 group, the actor behind the Dadsec phishing kit, though some traits suggest possible ties to Storm-1747 (Tycoon2FA). Whatever its origin, Salty2FA remains a distinct framework, now actively deployed against industries including: 

  • Finance and Insurance 
  • Energy and Manufacturing 
  • Healthcare and Telecom 
  • Government, Education, and Logistics 

Salty2FA proves that modern PhaaS is about persistent, adaptive frameworks built to evade detection. Static IOCs alone are unreliable; spotting this threat requires behavioral analysis of its execution chain and continuous monitoring of domain patterns. 

With ANY.RUN’s Interactive Sandbox, analysts can replicate user interaction to reveal hidden flows and extract high-fidelity indicators. Combined with TI Lookup queries, SOC teams can track evolving Salty2FA infrastructure, enrich detection logic, and cut MTTR by acting before intrusions escalate

Check an example of analysis session to examine Salty2FA behavior, download actionable report, and collect IOCs. 

Fake Microsoft page exposed inside ANY.RUN’s Sandbox 

Further investigate Salty2FA, track campaigns, and enrich IOCs with live attack data using TI Lookup: 

ANY.RUN Sandbox analyses with Salty2FA 

Gathered IOCs: 

  • innovationsteams[.]com  
  • marketplace24ei[.]ru  
  • nexttradeitaly[.]it[.]com  
  • frankfurtwebs[.]com[.]de  
  • hxxps[://]telephony[.]nexttradeitaly[.]com/SSSuWBTmYwu/  
  • hxxps[://]parochially[.]frankfurtwebs[.]com[.]de/ps6VzZb/  
  • hxxps[://]marketplace24ei[.]ru//  
  • hxxps[://]marketplace24ei[.]ru/790628[.]php  
  • 153[.]127[.]234[.]4  
  • 51[.]89[.]33[.]171  
  • 191[.]96[.]207[.]129  
  • 153[.]127[.]234[.]5  
  • izumi [at] yurikamome[.]com 

View July’s top threats analysis to spot recurring tactics and compare how attacker trends evolved month to month 

Equip Your SOC to Outpace Threat Actors 

This month’s attacks show how far phishing kits and stealers have evolved; from multi-stage deception chains to ClickFix flows with steganography. Stopping them takes more than static IOCs; it demands behavioral visibility and live threat intelligence

With ANY.RUN’s Interactive Sandbox, SOC teams can replicate real user actions, expose hidden payloads, and cut investigation time from hours to minutes. Paired with Threat Intelligence Lookup, analysts can track infrastructure, enrich detection rules, and feed high-fidelity data into SIEMs, SOARs, and XDR workflows. 

In practice, this delivers faster triage, reduced MTTR, and stronger defenses against evolving threats, all with intelligence that scales across the business. 

About ANY.RUN 

ANY.RUN helps more than 15,000 organizations worldwide, from banking and healthcare to telecom, retail, and technology, build stronger cybersecurity operations and respond to threats with confidence. 

Built for speed and clarity, our solutions combine interactive malware analysis with real-time threat intelligence, giving SOC teams the visibility they need to cut investigation time and stop attacks earlier. 

Integrate ANY.RUN’s Threat Intelligence suite into your workflows to reduce investigation time, prevent costly breaches, and strengthen long-term resilience.  

Sign up with your business email to get started 

The post Major Cyber Attacks in August 2025: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More