All news with #threat actor tag

31 articles

Chinese-linked Hackers Exploit Middle East Conflict

🔎 ESET warns that China-aligned APT groups have been exploiting the Middle East war to target maritime, energy and political organizations, while continuing global espionage aligned with Beijing’s strategic priorities. The report covers October 2025–March 2026 and highlights activity against Syria, Central and South America, and an attempted intrusion into an AI and robotics firm in South Korea. Russia-aligned actors focused on Ukraine and destructive campaigns, while Iran-aligned activity shifted to proxy and hacktivist actions amid internet disruptions.

FBI: Physical tech-support scams target law firms

🛡️ The FBI warns of a gang dubbed the Silent Ransom Group (SRG) that has shifted from phishing and remote access scams to in-person impersonation of IT support, gaining physical access to devices to install malware or exfiltrate data. The group, active since at least 2022, typically steals data to extort victims without using ransomware encryption. Indicators include unauthorized installs of remote-access tools, new USB or external drive activity, and unexpected data uploads to services like OneDrive or Google Drive.

Anti-DDoS Firm Accused of Enabling Attacks on ISPs

🛡️ A Brazilian DDoS-mitigation firm, Huge Networks, was implicated in enabling a Mirai-based botnet that launched sustained DDoS attacks against regional Brazilian ISPs. An exposed archive contained Portuguese Python attack scripts, private SSH keys belonging to CEO Erick Nascimento, and tooling that mass-scanned for TP-Link Archer AX21 devices vulnerable to CVE-2023-1389. The CEO says the malicious activity followed a January 2026 intrusion, that affected droplets were wiped and keys rotated, and that a third-party forensics firm has been engaged.

Inside an OPSEC Playbook: How Actors Evade Detection

🔍 Flare researchers examined a recent forum post in which a threat actor details a structured OPSEC framework aimed at sustaining high-volume carding operations while avoiding detection. The actor prescribes a three-tier architecture—public, operational, and extraction layers—with strict identity compartmentalization, residential IP rotation, and isolated cashout channels. The post highlights recurring failures like identity reuse, metadata leakage, and weak anti-fingerprinting, and recommends resilience measures such as time-delayed triggers and dead man's switches. For defenders, it underscores the need to link cross-platform identities, evolve behavioral detection, and monitor the full attack chain.

Canada Arrests Three Over SMS Blaster Phishing Device

📱 Canadian police arrested three men for operating an SMS blaster in Toronto that impersonates cellular towers to push phishing texts to nearby phones. Investigators said Project Lighthouse began in November 2025; searches on March 31 in Markham and Hamilton recovered multiple devices. Authorities estimate about 13 million instances of network entrapment and warn SMS is insecure, advising users to avoid following text links and use encrypted channels for sensitive communications.

ProxySmart Platform Found Powering 90+ SIM Farms Globally

🔎 Researchers at Infrawatch have identified a Belarus-associated platform, ProxySmart, linked to 87 control panels across 17 countries and 94 phone farm locations. The turnkey software provides device management, automated IP rotation, customer provisioning and anti-bot measures, enabling what researchers describe as SIM Farm as a Service. ProxySmart orchestrates both physical smartphones and USB 4G/5G modems, supports multiple proxy protocols, and includes OS fingerprint spoofing, significantly lowering the technical barrier for large-scale mobile proxy operations.

ATHR: AI Voice Agents Enable Fully Automated Vishing

🔊 A new platform called ATHR automates telephone-oriented attacks by combining AI voice agents and optional human operators to carry out vishing campaigns and harvest credentials across services including Google, Microsoft, and major crypto platforms. Researchers at Abnormal say ATHR bundles email templates, spoofing, WebRTC/Asterisk routing, and per-target customization into a dashboard that controls distribution, calls, and logging. The service is marketed on underground forums for $4,000 plus a commission and greatly lowers the skill barrier for attackers.

Hackers Target Iranwire Exile Portal, Judiciary Reports

🛡️ According to the Iranian judiciary's mouthpiece Misan, the exile news portal Iranwire was allegedly breached and a large volume of sensitive material was taken, including correspondence, staff lists, informant identities and other highly confidential records. The site displayed a maintenance notice while continuing to post on social media, and authorities blamed the hacker group Handala, which has been linked to prior operations.

Manhunt for Suspects in Ransomware Attacks in Germany

🔎 Investigators have launched a worldwide manhunt for two suspects believed to be central figures in ransomware campaigns that hit 130 companies and institutions in Germany between 2019 and 2021. Authorities at the Cybercrime Center of the Karlsruhe Public Prosecutor's Office and the State Criminal Police Office of Baden-Württemberg say the men include an alleged group leader and the suspected programmer of the malware. Victims paid about €1.8 million in 25 cases, with estimated overall damage of around €35 million.

AI as Tradecraft: How Threat Actors Operationalize AI

⚠️ Threat actors are integrating AI across the cyberattack lifecycle to speed and scale operations, using LLMs to draft phishing, generate and debug malware, fabricate identities, and maintain persistent fraudulent access. Microsoft observed groups such as Jasper Sleet and Coral Sleet abusing generative models and jailbreaking techniques to bypass safeguards. Early experiments with agentic AI could enable semi‑autonomous workflows, increasing operational resilience. Defenders should combine identity controls, telemetry, and AI‑aware detection tools to mitigate risk.

Middle-Aged Professionals Now Dominate Cybercrime Roles

🔍 New analysis from Orange Cyberdefense of 418 law-enforcement actions between 2021 and mid-2025 shows that profit-driven, mid-career criminals, especially those aged 35–44, constitute the largest share of cyber offenders. Teenagers and young adults remain present (12–17: 5%; 18–24: 21%), but activity shifts toward organised extortion, malware and money laundering with age. Experts say modern operations resemble illicit tech firms that require project management, recruitment and financial expertise.

Investigating Dort: The Alleged Kimwolf Botmaster's Identity

🔎 This article analyzes public evidence tying the alleged Kimwolf botmaster—known online as Dort and by earlier handles like CPacket and M1ce—to accounts, emails and domain registrations linked to an Ottawa-based Jacob Butler. It reviews GitHub and forum footprints (jay.miner232@gmail.com / MemeClient), ties to SIM Land and LAPSUS$ activity, and allegations that Dort sold disposable-email and CAPTCHA-bypass tools. After KrebsOnSecurity published research in January 2026 that disrupted Kimwolf’s spread, Dort allegedly mounted doxing, DDoS, email-flooding and swatting campaigns against researchers and the author.

UnsolicitedBooker Targets Central Asian Telecoms via Malware

🔒 Positive Technologies reports that the UnsolicitedBooker cluster has shifted from Saudi targets to telecommunications firms in Kyrgyzstan and Tajikistan, deploying two backdoors named LuciDoor and MarsSnake. The intrusions relied on phishing with malicious Microsoft Office documents that prompt users to enable macros, dropping C++ loaders (LuciLoad and MarsSnakeLoader) to deploy the payloads. In some cases attackers used LNK-based chains, hacked routers for C2, and infrastructure mimicking Russian systems while leveraging rare tools of Chinese origin.

Cyberattack Claims: Personal Data of 27,000 RTL Staff

🔒 A threat actor calling themselves LuneBF is claiming to have stolen data belonging to more than 27,000 employees of the RTL Group and its subsidiaries, including Fremantle and M6. The attacker posted a 100-record sample allegedly taken from RTL’s intranet that contains names, emails, postal addresses and phone numbers. RTL has confirmed the incident and said it is investigating; it believes customer data is unlikely to be affected. Security experts warn the exposed contact details could enable targeted phishing, social engineering and pose particular risks to investigative journalists.

Crypto Payments Fueling Human Trafficking Networks

💸 Chainalysis reports that cryptocurrency inflows linked to human trafficking surged 85% year-on-year, generating hundreds of millions in revenue. The analysis identifies four crypto-driven trafficking types—international escort services, labor placement agents, prostitution networks and CSAM vendors—often coordinated via Telegram and Chinese-language money laundering (CMLN) networks. Key indicators include large stablecoin conversions, cross-border transfers and concentrated fund flows to trafficking hubs.

UAT-9921 Deploys VoidLink Malware Targeting Tech and Finance

🔍 Cisco Talos reports that threat actor UAT-9921 has deployed the modular VoidLink framework in campaigns targeting technology and financial organizations. The post-compromise toolkit—built in Zig, C, and Go—supports compile-on-demand plugins, stealthy persistence, and runtime evasion. Operators install SOCKS proxies and use open-source scanners for internal reconnaissance and lateral movement, and evidence suggests a Windows implant and role-based access controls are present.

TeamPCP Worm Targets Cloud Native Infrastructure at Scale

🚨 Researchers warn of a massive, worm-driven campaign by TeamPCP that began around December 25, 2025, systematically compromising cloud-native environments. The group abused exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and a critical React2Shell vulnerability (CVE-2025-55182) to deploy proxy, scanning, and C2 infrastructure. Compromised hosts are used for persistence, data exfiltration, extortion, crypto-mining, and proxy/C2 relays, with tooling tailored to Kubernetes and AWS/Azure deployments.

Four Arrested in Discord SWATting and Doxing Crackdown

🚨 Hungarian and Romanian police arrested four young men accused of orchestrating Discord-based SWATting and doxing campaigns that triggered hoax bomb threats and endangered targeted individuals. Law enforcement released video of coordinated raids in which computers, phones and other digital evidence were seized as investigators traced anonymous calls to spoofed numbers. Suspects, aged 16 to 20, face investigations and charges including misuse of personal data and public endangerment; authorities stress these actions are serious crimes with potentially life‑threatening consequences.

Google Sues SerpApi for Circumventing Search Protections

⚖️ Google has filed a lawsuit against the scraping company SerpApi, alleging it circumvented security measures to copy and resell copyrighted content that appears in Google Search. The complaint says SerpApi cloaks its bots, rotates false crawler identities, and bombards sites with large bot networks, overriding websites' directives. Google states it follows industry-standard crawling protocols and uses legal action as a last resort to stop malicious scraping.

Instructor jailed for teaching criminals to use Spymax

🛡️ A 49-year-old Malaysian national, Cheoh Hai Beng, has been sentenced in Singapore to five-and-a-half years' imprisonment and fined S$3,608 after admitting he produced detailed video tutorials showing criminals how to deploy the Spymax Android RAT. Between February and May 2023 he is reported to have recorded about 20 step‑by‑step videos demonstrating installation, remote control, credential theft, camera hijack, contact harvesting and GPS tracking. Authorities say these tutorials were circulated on criminal networks and used to facilitate financial fraud against victims who were tricked into installing the malware.