< ciso
brief />
Tag Banner

All news with #threat actor tag

38 articles

US Sanctions VPN and Malware Providers Linked to Ransomware

🔒 The U.S. Treasury's OFAC sanctioned virtual private network provider First VPN Service (1VPNS), its administrator Dmytro Rashevskyi, and a Belarusian cryptor vendor, Yegeniy Silayev, for enabling ransomware operations. Authorities say 1VPNS marketed no-logs service to cybercriminals and used false identities to obtain infrastructure, while Silayev sold tools to evade malware detection. The action follows a multinational takedown and server seizures tied to widespread cybercrime.
read more →

Convicted Operators Run Controversial Cybersecurity Startup

🛡️ A cybersecurity startup called IRIS C2, linked to Calvexa Group LLC, is publicly recruiting researchers and offering large payouts for zero-day exploits. The venture is tied to convicted felons and far-right activists Jack Burkman and Jacob Wohl, who have a history of fake intelligence firms, robocall schemes, and legal penalties. IRIS C2 claims to sell offensive capabilities to governments and says it hires junior talent regardless of formal credentials.
read more →

New Iran-linked hacking group targets Israeli IT

🛡️ Check Point Research has identified a new Iran-linked cyber threat group, dubbed Cavern Manticore, targeting Israeli government and IT organizations since early 2026. The group leverages abused RMM tools and browser-based remote desktop features for initial access and persistence, often deploying malicious updates via SysAid. Researchers observed a previously undocumented modular .NET-based C2 framework composed of a persistent Cavern agent and specialized Cavern modules, designed to evade detection and hinder forensic analysis.
read more →

Armored Likho targets governments and utilities

🛡️ Kaspersky attributes a newly documented threat actor, Armored Likho, to espionage and financially motivated campaigns against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group's toolkit includes obfuscated Python stealers (BusySnake), modular RATs, Go2Tunnel for reverse SSH, and droppers delivered via spear-phishing or weaponized LNK files exploiting CVE-2025-9491. The malware emphasizes persistence, credential theft, and dynamic module delivery tailored to victims.
read more →

Cybercriminals Worried AI Will Displace Roles

🔎 Sophos CTU research finds cybercriminals debating the risks and benefits of AI tools across underground forums, marketplaces and messaging apps. Sellers are offering AI kits for phishing, malware automation, deepfake creation and social engineering, while some threat actors fear losing work to automated toolsets. The research highlights divided views, a spike in discussion after the release of Claude Mythos Preview, and advice for defenders to prioritize patching, MFA and visibility.
read more →

Analysis: The Gentlemen ransomware group's evolution

🔎 A new PRODAFT report traces The Gentlemen (aka Phantom Mantis) from an affiliate of multiple RaaS families to an independent, enterprise-focused extortion operation led by a Russian-speaking actor tracked as LARVA-368. Active since March 2025 and claiming 478 victims, the group uses AI, diverse tooling, multi-platform ransomware, and aggressive affiliate incentives while targeting VPNs, firewalls, VMware, and other internet-facing systems.
read more →

Interpol operation dismantles long‑running PhaaS platform

🛡️ An Interpol-led operation, Operation Ramz, targeted cybercrime across 13 MENA countries from October 2025 to February 2026, yielding 201 arrests and the seizure of 53 servers. Group-IB disclosed that the crackdown resulted in the takedown of the SniperDz phishing-as-a-service platform and the arrest of its primary developer in Algeria. SniperDz operated since at least 2015, offering phishing kits and hosting, and was linked to tens of thousands of fake domains and hundreds of thousands of phishing pages. Investigators attributed the platform through OpSec failures, social media traces and shared intelligence that enabled law enforcement disruption.
read more →

Chinese-linked Hackers Exploit Middle East Conflict

🔎 ESET warns that China-aligned APT groups have been exploiting the Middle East war to target maritime, energy and political organizations, while continuing global espionage aligned with Beijing’s strategic priorities. The report covers October 2025–March 2026 and highlights activity against Syria, Central and South America, and an attempted intrusion into an AI and robotics firm in South Korea. Russia-aligned actors focused on Ukraine and destructive campaigns, while Iran-aligned activity shifted to proxy and hacktivist actions amid internet disruptions.
read more →

FBI: Physical tech-support scams target law firms

🛡️ The FBI warns of a gang dubbed the Silent Ransom Group (SRG) that has shifted from phishing and remote access scams to in-person impersonation of IT support, gaining physical access to devices to install malware or exfiltrate data. The group, active since at least 2022, typically steals data to extort victims without using ransomware encryption. Indicators include unauthorized installs of remote-access tools, new USB or external drive activity, and unexpected data uploads to services like OneDrive or Google Drive.
read more →

Anti-DDoS Firm Accused of Enabling Attacks on ISPs

🛡️ A Brazilian DDoS-mitigation firm, Huge Networks, was implicated in enabling a Mirai-based botnet that launched sustained DDoS attacks against regional Brazilian ISPs. An exposed archive contained Portuguese Python attack scripts, private SSH keys belonging to CEO Erick Nascimento, and tooling that mass-scanned for TP-Link Archer AX21 devices vulnerable to CVE-2023-1389. The CEO says the malicious activity followed a January 2026 intrusion, that affected droplets were wiped and keys rotated, and that a third-party forensics firm has been engaged.
read more →

Inside an OPSEC Playbook: How Actors Evade Detection

🔍 Flare researchers examined a recent forum post in which a threat actor details a structured OPSEC framework aimed at sustaining high-volume carding operations while avoiding detection. The actor prescribes a three-tier architecture—public, operational, and extraction layers—with strict identity compartmentalization, residential IP rotation, and isolated cashout channels. The post highlights recurring failures like identity reuse, metadata leakage, and weak anti-fingerprinting, and recommends resilience measures such as time-delayed triggers and dead man's switches. For defenders, it underscores the need to link cross-platform identities, evolve behavioral detection, and monitor the full attack chain.
read more →

Canada Arrests Three Over SMS Blaster Phishing Device

📱 Canadian police arrested three men for operating an SMS blaster in Toronto that impersonates cellular towers to push phishing texts to nearby phones. Investigators said Project Lighthouse began in November 2025; searches on March 31 in Markham and Hamilton recovered multiple devices. Authorities estimate about 13 million instances of network entrapment and warn SMS is insecure, advising users to avoid following text links and use encrypted channels for sensitive communications.
read more →

ProxySmart Platform Found Powering 90+ SIM Farms Globally

🔎 Researchers at Infrawatch have identified a Belarus-associated platform, ProxySmart, linked to 87 control panels across 17 countries and 94 phone farm locations. The turnkey software provides device management, automated IP rotation, customer provisioning and anti-bot measures, enabling what researchers describe as SIM Farm as a Service. ProxySmart orchestrates both physical smartphones and USB 4G/5G modems, supports multiple proxy protocols, and includes OS fingerprint spoofing, significantly lowering the technical barrier for large-scale mobile proxy operations.
read more →

ATHR: AI Voice Agents Enable Fully Automated Vishing

🔊 A new platform called ATHR automates telephone-oriented attacks by combining AI voice agents and optional human operators to carry out vishing campaigns and harvest credentials across services including Google, Microsoft, and major crypto platforms. Researchers at Abnormal say ATHR bundles email templates, spoofing, WebRTC/Asterisk routing, and per-target customization into a dashboard that controls distribution, calls, and logging. The service is marketed on underground forums for $4,000 plus a commission and greatly lowers the skill barrier for attackers.
read more →

Hackers Target Iranwire Exile Portal, Judiciary Reports

🛡️According to the Iranian judiciary's mouthpiece Misan, the exile news portal Iranwire was allegedly breached and a large volume of sensitive material was taken, including correspondence, staff lists, informant identities and other highly confidential records. The site displayed a maintenance notice while continuing to post on social media, and authorities blamed the hacker group Handala, which has been linked to prior operations.
read more →

Manhunt for Suspects in Ransomware Attacks in Germany

🔎 Investigators have launched a worldwide manhunt for two suspects believed to be central figures in ransomware campaigns that hit 130 companies and institutions in Germany between 2019 and 2021. Authorities at the Cybercrime Center of the Karlsruhe Public Prosecutor's Office and the State Criminal Police Office of Baden-Württemberg say the men include an alleged group leader and the suspected programmer of the malware. Victims paid about €1.8 million in 25 cases, with estimated overall damage of around €35 million.
read more →

AI as Tradecraft: How Threat Actors Operationalize AI

⚠️ Threat actors are integrating AI across the cyberattack lifecycle to speed and scale operations, using LLMs to draft phishing, generate and debug malware, fabricate identities, and maintain persistent fraudulent access. Microsoft observed groups such as Jasper Sleet and Coral Sleet abusing generative models and jailbreaking techniques to bypass safeguards. Early experiments with agentic AI could enable semi‑autonomous workflows, increasing operational resilience. Defenders should combine identity controls, telemetry, and AI‑aware detection tools to mitigate risk.
read more →

Middle-Aged Professionals Now Dominate Cybercrime Roles

🔍 New analysis from Orange Cyberdefence of 418 law‑enforcement actions between 2021 and mid‑2025 shows profit-driven, midcareer criminals — especially those aged 35–44 — constitute the largest share of cyber offenders. Teenagers and young adults remain present (12–17: 5%; 18–24: 21%), but activity shifts toward organised extortion, malware and money laundering with age. Experts say modern operations resemble illicit tech firms that require project management, recruitment and financial expertise.
read more →

Investigating Dort: The Alleged Kimwolf Botmaster's Identity

🔎 This article analyzes public evidence tying the alleged Kimwolf botmaster—known online as Dort and by earlier handles like CPacket and M1ce—to accounts, emails and domain registrations linked to an Ottawa-based Jacob Butler. It reviews GitHub and forum footprints (jay.miner232@gmail.com / MemeClient), ties to SIM Land and LAPSUS$ activity, and allegations that Dort sold disposable-email and CAPTCHA-bypass tools. After KrebsOnSecurity published research in January 2026 that disrupted Kimwolf’s spread, Dort allegedly mounted doxing, DDoS, email-flooding and swatting campaigns against researchers and the author.
read more →

UnsolicitedBooker Targets Central Asian Telecoms via Malware

🔒 Positive Technologies reports that the UnsolicitedBooker cluster has shifted from Saudi targets to telecommunications firms in Kyrgyzstan and Tajikistan, deploying two backdoors named LuciDoor and MarsSnake. The intrusions relied on phishing with malicious Microsoft Office documents that prompt users to enable macros, dropping C++ loaders (LuciLoad and MarsSnakeLoader) to deploy the payloads. In some cases attackers used LNK-based chains, hacked routers for C2, and infrastructure mimicking Russian systems while leveraging rare tools of Chinese origin.
read more →