< ciso
brief />
Tag Banner

All news with #threat actor tag

38 articles · page 2 of 2

Cyberattack Claims: Personal Data of 27,000 RTL Staff

🔒 A threat actor calling themselves LuneBF is claiming to have stolen data belonging to more than 27,000 employees of the RTL Group and its subsidiaries, including Fremantle and M6. The attacker posted a 100-record sample allegedly taken from RTL’s intranet that contains names, emails, postal addresses and phone numbers. RTL has confirmed the incident and said it is investigating; it believes customer data is unlikely to be affected. Security experts warn the exposed contact details could enable targeted phishing, social engineering and pose particular risks to investigative journalists.
read more →

Crypto Payments Fueling Human Trafficking Networks

💸 Chainalysis reports that cryptocurrency inflows linked to human trafficking surged 85% year-on-year, generating hundreds of millions in revenue. The analysis identifies four crypto-driven trafficking types—international escort services, labor placement agents, prostitution networks and CSAM vendors—often coordinated via Telegram and Chinese-language money laundering (CMLN) networks. Key indicators include large stablecoin conversions, cross-border transfers and concentrated fund flows to trafficking hubs.
read more →

UAT-9921 Deploys VoidLink Malware Targeting Tech and Finance

🔍 Cisco Talos reports that threat actor UAT-9921 has deployed the modular VoidLink framework in campaigns targeting technology and financial organizations. The post-compromise toolkit—built in Zig, C, and Go—supports compile-on-demand plugins, stealthy persistence, and runtime evasion. Operators install SOCKS proxies and use open-source scanners for internal reconnaissance and lateral movement, and evidence suggests a Windows implant and role-based access controls are present.
read more →

TeamPCP Worm Targets Cloud Native Infrastructure at Scale

🚨 Researchers warn of a massive, worm-driven campaign by TeamPCP that began around December 25, 2025, systematically compromising cloud-native environments. The group abused exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and a critical React2Shell vulnerability (CVE-2025-55182) to deploy proxy, scanning, and C2 infrastructure. Compromised hosts are used for persistence, data exfiltration, extortion, crypto-mining, and proxy/C2 relays, with tooling tailored to Kubernetes and AWS/Azure deployments.
read more →

Four Arrested in Discord SWATting and Doxing Crackdown

🚨 Hungarian and Romanian police arrested four young men accused of orchestrating Discord-based SWATting and doxing campaigns that triggered hoax bomb threats and endangered targeted individuals. Law enforcement released video of coordinated raids in which computers, phones and other digital evidence were seized as investigators traced anonymous calls to spoofed numbers. Suspects, aged 16 to 20, face investigations and charges including misuse of personal data and public endangerment; authorities stress these actions are serious crimes with potentially life‑threatening consequences.
read more →

Google Sues SerpApi for Circumventing Search Protections

⚖️ Google has filed a lawsuit against the scraping company SerpApi, alleging it circumvented security measures to copy and resell copyrighted content that appears in Google Search. The complaint says SerpApi cloaks its bots, rotates false crawler identities, and bombards sites with large bot networks, overriding websites' directives. Google states it follows industry-standard crawling protocols and uses legal action as a last resort to stop malicious scraping.
read more →

Instructor jailed for teaching criminals to use Spymax

🛡️ A 49-year-old Malaysian national, Cheoh Hai Beng, has been sentenced in Singapore to five-and-a-half years' imprisonment and fined S$3,608 after admitting he produced detailed video tutorials showing criminals how to deploy the Spymax Android RAT. Between February and May 2023 he is reported to have recorded about 20 step‑by‑step videos demonstrating installation, remote control, credential theft, camera hijack, contact harvesting and GPS tracking. Authorities say these tutorials were circulated on criminal networks and used to facilitate financial fraud against victims who were tricked into installing the malware.
read more →

Hackers Use Hyper-V to Hide Linux VM and Evade EDR

🔒 Bitdefender researchers report that the threat actor Curly COMrades enabled Windows Hyper-V on compromised hosts to run a lightweight Alpine Linux VM (≈120MB disk, 256MB RAM). The hidden VM hosted custom tooling, notably the C++ reverse shell CurlyShell and the reverse proxy CurlCat. By isolating execution inside a VM the attackers evaded many host-based EDRs and maintained persistent, encrypted command channels.
read more →

Hackers Use RMM Tools to Breach Freighters and Steal Cargo

🚨 Threat actors are targeting freight brokers and carriers with malicious emails and compromised load-board posts to deliver remote monitoring and management tools (RMM) such as ScreenConnect, NetSupport, and PDQ Connect. Once installed, attackers gain remote control to alter bookings, block notifications, harvest credentials, and impersonate carriers to reroute and physically steal high-value shipments. Proofpoint tracked dozens of campaigns since January, primarily in North America, exploiting social engineering and legitimate RMM functionality.
read more →

Hezi Rash: Kurdish Hacktivist DDoS Campaigns Rising

🛡️ Hezi Rash is a Kurdish nationalist hacktivist collective formed in 2023 that has escalated to coordinated DDoS campaigns targeting entities perceived as hostile to Kurdish or Muslim communities. Their public rhetoric mixes nationalism, religion, and activism, and they have claimed attacks in response to symbolic provocations such as an anime scene depicting a burning Kurdish flag. Targets reported include anime platforms, media outlets, NGOs, and government services, causing intermittent service disruptions and demonstrating growing technical sophistication.
read more →

UNC5142 EtherHiding: Smart-Contract Malware Distribution

🔐 Since late 2023, Mandiant and the Google Threat Intelligence Group tracked UNC5142, a financially motivated cluster that compromises vulnerable WordPress sites to distribute information stealers. The actor's CLEARSHORT JavaScript loader uses Web3 to query smart contracts on the BNB Smart Chain that store ABIs, encrypted landing pages, AES keys, and payload pointers. By employing a three-contract Router-Logic-Storage design and abusing legitimate hosting (Cloudflare Pages, GitHub, MediaFire), operators can rotate lures and update payload references on-chain without changing injected scripts, enabling resilient, low-cost campaigns that GTIG found on ~14,000 injected pages by June 2025 and which showed no on-chain updates after July 23, 2025.
read more →

London police arrest teenagers after nursery data doxing

🔒 Two 17-year-old suspects were arrested in Bishop's Stortford on suspicion of blackmail and computer misuse after an investigation into the doxing of children following a ransomware attack on a chain of London nurseries. The incident aligns with a September 25 breach affecting Kido nurseries, where a group known as Radiant Group claimed to have stolen sensitive data and photos of over 1,000 children. Attackers posted some images and addresses on a dark web leak site and later removed the files on October 2 after failing to extort the company and making threatening calls to parents. Nursery software provider Famly said its infrastructure was not breached, while UK authorities described the case as deeply distressing and said investigations continue.
read more →

North Korean Hackers Stole Over $2 Billion in Crypto 2025

🔒 North Korean-linked hackers stole an estimated $2 billion in cryptocurrency in 2025, the largest annual total on record and lifting confirmed thefts to over $6 billion. Blockchain firm Elliptic attributes much of the total to the February Bybit breach (~$1.46 billion) and linked 30 crypto-heists to North Korean actors using blockchain analysis and intelligence. Analysts note a shift to social engineering targeting individuals and exchange staff and increasingly complex laundering—mixers, cross-chain transfers, obscure chains and custom tokens—though blockchain transparency still aids tracing.
read more →

Vane Viper Exposed as Major Malvertising Adtech Actor

🛡️ Infoblox, together with Guardio and Confiant, has identified Vane Viper (also known as Omnatuor) as an adtech platform that has enabled malvertising, ad fraud, and malware distribution for more than a decade. The operator used a web of shell companies and subsidiaries reportedly linked to PropellerAds and AdTech Holding to broker malicious traffic and to run its own campaigns. Researchers describe persistence tactics such as abusing browser push-notification permissions and service workers to spawn headless browser processes that continue to redirect users. Infoblox estimates Vane Viper generated roughly 1 trillion DNS queries across about half of its customer networks over the past year.
read more →

Surveying the Global Spyware Market: 2024 Investment Shifts

🔍 The Atlantic Council’s second annual report, Mythical Beasts, maps the global spyware market and documents a substantial uptick in US-based investors in 2024, which made the United States the largest investor in this sampled dataset despite ongoing policy actions. The authors also emphasize the opaque, central role of resellers and brokers, whose intermediary activity obscures vendor–buyer ties and complicates oversight. Overall, the report highlights a clear enforcement and transparency gap and urges targeted research and coordinated policy responses.
read more →

Stark Industries Rebrands to Evade EU Sanctions, Persists

🔁 In May 2025 the EU sanctioned Moldova-based PQ Hosting and its owners, the Neculiti brothers, for alleged links to Kremlin hybrid warfare. Recorded Future and KrebsOnSecurity reporting show Stark Industries quickly rebranded to the[.]hosting under Dutch WorkTitans BV on 24 June 2025 while key address space and assets moved to PQ Hosting Plus S.R.L. Netherlands-based MIRhosting appears to host and manage the new entities, suggesting the sanctions achieved little lasting disruption.
read more →

DSLRoot Proxies: Origins, Abuse Risks and 'Legal Botnets'

🔌The article profiles DSLRoot, a long-running residential proxy operator that pays U.S. residents to host laptops and mobile devices and then leases those IPs as dedicated proxies. It traces the service's origins on underground forums and links multiple aliases, domains and registration records to a small network operator. The piece highlights technical risks, including vendor-targeted exploits, remote device control and WiFi enumeration, and warns of potential misuse by nation-state actors and criminal groups.
read more →

ClickFix Campaign Delivers CORNFLAKE.V3 Backdoor via Web

🛡️ Mandiant observed a campaign using the ClickFix social‑engineering lure to trick victims into copying and running PowerShell commands via the Windows Run dialog, yielding initial access tracked as UNC5518. That access is monetized and used by other groups to deploy a versatile backdoor, CORNFLAKE.V3, in PHP and JavaScript forms. CORNFLAKE.V3 supports HTTP-based payload execution, Cloudflare-tunneled proxying and registry persistence; researchers recommend disabling Run where possible, tightening PowerShell policies and increasing logging and user training to mitigate the risk.
read more →