All news with #threat actor tag

🔒 Bitdefender researchers report that the threat actor Curly COMrades enabled Windows Hyper-V on compromised hosts to run a lightweight Alpine Linux VM (≈120MB disk, 256MB RAM). The hidden VM hosted custom tooling, notably the C++ reverse shell CurlyShell and the reverse proxy CurlCat. By isolating execution inside a VM the attackers evaded many host-based EDRs and maintained persistent, encrypted command channels.

🚨 Threat actors are targeting freight brokers and carriers with malicious emails and compromised load-board posts to deliver remote monitoring and management tools (RMM) such as ScreenConnect, NetSupport, and PDQ Connect. Once installed, attackers gain remote control to alter bookings, block notifications, harvest credentials, and impersonate carriers to reroute and physically steal high-value shipments. Proofpoint tracked dozens of campaigns since January, primarily in North America, exploiting social engineering and legitimate RMM functionality.

🛡️ Hezi Rash is a Kurdish nationalist hacktivist collective formed in 2023 that has escalated to coordinated DDoS campaigns targeting entities perceived as hostile to Kurdish or Muslim communities. Their public rhetoric mixes nationalism, religion, and activism, and they have claimed attacks in response to symbolic provocations such as an anime scene depicting a burning Kurdish flag. Targets reported include anime platforms, media outlets, NGOs, and government services, causing intermittent service disruptions and demonstrating growing technical sophistication.

🔐 Since late 2023, Mandiant and the Google Threat Intelligence Group tracked UNC5142, a financially motivated cluster that compromises vulnerable WordPress sites to distribute information stealers. The actor's CLEARSHORT JavaScript loader uses Web3 to query smart contracts on the BNB Smart Chain that store ABIs, encrypted landing pages, AES keys, and payload pointers. By employing a three-contract Router-Logic-Storage design and abusing legitimate hosting (Cloudflare Pages, GitHub, MediaFire), operators can rotate lures and update payload references on-chain without changing injected scripts, enabling resilient, low-cost campaigns that GTIG found on ~14,000 injected pages by June 2025 and which showed no on-chain updates after July 23, 2025.

🔒 Two 17-year-old suspects were arrested in Bishop's Stortford on suspicion of blackmail and computer misuse after an investigation into the doxing of children following a ransomware attack on a chain of London nurseries. The incident aligns with a September 25 breach affecting Kido nurseries, where a group known as Radiant Group claimed to have stolen sensitive data and photos of over 1,000 children. Attackers posted some images and addresses on a dark web leak site and later removed the files on October 2 after failing to extort the company and making threatening calls to parents. Nursery software provider Famly said its infrastructure was not breached, while UK authorities described the case as deeply distressing and said investigations continue.

🔒 North Korean-linked hackers stole an estimated $2 billion in cryptocurrency in 2025, the largest annual total on record and lifting confirmed thefts to over $6 billion. Blockchain firm Elliptic attributes much of the total to the February Bybit breach (~$1.46 billion) and linked 30 crypto-heists to North Korean actors using blockchain analysis and intelligence. Analysts note a shift to social engineering targeting individuals and exchange staff and increasingly complex laundering—mixers, cross-chain transfers, obscure chains and custom tokens—though blockchain transparency still aids tracing.

🛡️ Infoblox, together with Guardio and Confiant, has identified Vane Viper (also known as Omnatuor) as an adtech platform that has enabled malvertising, ad fraud, and malware distribution for more than a decade. The operator used a web of shell companies and subsidiaries reportedly linked to PropellerAds and AdTech Holding to broker malicious traffic and to run its own campaigns. Researchers describe persistence tactics such as abusing browser push-notification permissions and service workers to spawn headless browser processes that continue to redirect users. Infoblox estimates Vane Viper generated roughly 1 trillion DNS queries across about half of its customer networks over the past year.

🔍 The Atlantic Council’s second annual report, Mythical Beasts, maps the global spyware market and documents a substantial uptick in US-based investors in 2024, which made the United States the largest investor in this sampled dataset despite ongoing policy actions. The authors also emphasize the opaque, central role of resellers and brokers, whose intermediary activity obscures vendor–buyer ties and complicates oversight. Overall, the report highlights a clear enforcement and transparency gap and urges targeted research and coordinated policy responses.

🔁 In May 2025 the EU sanctioned Moldova-based PQ Hosting and its owners, the Neculiti brothers, for alleged links to Kremlin hybrid warfare. Recorded Future and KrebsOnSecurity reporting show Stark Industries quickly rebranded to the[.]hosting under Dutch WorkTitans BV on 24 June 2025 while key address space and assets moved to PQ Hosting Plus S.R.L. Netherlands-based MIRhosting appears to host and manage the new entities, suggesting the sanctions achieved little lasting disruption.

🔌The article profiles DSLRoot, a long-running residential proxy operator that pays U.S. residents to host laptops and mobile devices and then leases those IPs as dedicated proxies. It traces the service's origins on underground forums and links multiple aliases, domains and registration records to a small network operator. The piece highlights technical risks, including vendor-targeted exploits, remote device control and WiFi enumeration, and warns of potential misuse by nation-state actors and criminal groups.

🛡️ Mandiant observed a campaign using the ClickFix social‑engineering lure to trick victims into copying and running PowerShell commands via the Windows Run dialog, yielding initial access tracked as UNC5518. That access is monetized and used by other groups to deploy a versatile backdoor, CORNFLAKE.V3, in PHP and JavaScript forms. CORNFLAKE.V3 supports HTTP-based payload execution, Cloudflare-tunneled proxying and registry persistence; researchers recommend disabling Run where possible, tightening PowerShell policies and increasing logging and user training to mitigate the risk.