Jun 14, 2025Ravie LakshmananMalware / Threat Intelligence A new malware campaign is exploiting a weakness in Discord's invitation system to deliver an information stealer called Skuld and the AsyncRAT remote access trojan. "Attackers hijacked the links through vanity link registration, allowing them to silently redirect users from trusted sources to malicious servers," Check Point said in a technical report. "The attackers combined the ClickFix phishing technique, multi-stage loaders, and time-based evasions to stealthily deliver AsyncRAT, and a customized Skuld Stealer targeting crypto wallets." The issue with Discord's invite mechanism is that it allows attackers to hijack expired or deleted invite links and secretly redirect unsuspecting users to malicious servers under their control. This also means that a Discord invite link that was once trusted and shared on forums or social media platforms could unwittingly lead users to malicious sites. Details of the campaign come a little over a month after the cybersecurity company revealed another sophisticated phishing campaign that hijacked expired vanity invite links to entice users into joining a Discord server and instruct them to visit a phishing site to verify ownership, only to have their digital assets drained upon connecting their wallets. While users can create temporary, permanent, or custom (vanity) invite links on Discord, the platform prevents other legitimate servers from reclaiming a previously expired or deleted invite. However, Check Point found that creating custom invite links allows the reuse of expired invite codes and even deleted permanent invite codes in some cases. This ability to reuse Discord expired or deleted codes when creating custom vanity invite links opens the door to abuse, allowing attackers to claim it for their malicious server. "This creates a serious risk: Users who follow previously trusted invite links (e.g., on websites, blogs, or forums) can unknowingly be redirected to fake Discord servers created by threat actors," Check Point said. The Discord invite-link hijacking, in a nutshell, involves taking control of invite links originally shared by legitimate communities and then using them to redirect users to the malicious server. Users who fall prey to the scheme and join the server are asked to complete a verification step in order to gain full server access by authorizing a bot, which then leads them to a fake website with a prominent "Verify" button. This is where the attackers take the attack to the next level by incorporating the infamous ClickFix social engineering tactic to trick users into infecting their systems under the pretext of verification. Specifically, clicking the "Verify" button surreptitiously executes JavaScript that copies a PowerShell command to the machine's clipboard, after which the users are urged to launch the Windows Run dialog, paste the already copied "verification string" (i.e., the PowerShell command), and press Enter to authenticate their accounts. But in reality, performing these steps triggers the download of a PowerShell script hosted on Pastebin that subsequently retrieves and executes a first-stage downloader, which is ultimately used to drop AsyncRAT and Skuld Stealer from a remote server and execute them. At the heart of this attack lies a meticulously engineered, multi-stage infection process designed for both precision and stealth, while also taking steps to subvert security protections through sandbox security checks. AsyncRAT, which offers comprehensive remote control capabilities over infected systems, has been found to employ a technique called dead drop resolver to access the actual command-and-control (C2) server by reading a Pastebin file. The other payload is a Golang information stealer that's downloaded from Bitbucket. It's equipped to steal sensitive user data from Discord, various browsers, crypto wallets, and gaming platforms. Skuld is also capable of harvesting crypto wallet seed phrases and passwords from the Exodus and Atomic crypto wallets. It accomplishes this using an approach called wallet injection that replaces legitimate application files with trojanized versions downloaded from GitHub. It's worth noting that a similar technique was recently put to use by a rogue npm package named pdf-to-office. The attack also employs a custom version of an open-source tool known as ChromeKatz to bypass Chrome's app-bound encryption protections. The collected data is exfiltrated to the miscreants via a Discord webhook. The fact that payload delivery and data exfiltration occur via trusted cloud services such as GitHub, Bitbucket, Pastebin, and Discord allows the threat actors to blend in with normal traffic and fly under the radar. Discord has since disabled the malicious bot, effectively breaking the attack chain. Check Point said it also identified another campaign mounted by the same threat actor that distributes the loader as a modified version of a hacktool for unlocking pirated games. The malicious program, also hosted on Bitbucket, has been downloaded 350 times. It has been assessed that the victims of these campaigns are primarily located in the United States, Vietnam, France, Germany, Slovakia, Austria, the Netherlands, and the United Kingdom. The findings represent the latest example of how cybercriminals are targeting the popular social platform, which has had its content delivery network (CDN) abused to host malware in the past. "This campaign illustrates how a subtle feature of Discord's invite system, the ability to reuse expired or deleted invite codes in vanity invite links, can be exploited as a powerful attack vector," the researchers said. "By hijacking legitimate invite links, threat actors silently redirect unsuspecting users to malicious Discord servers." "The choice of payloads, including a powerful stealer specifically targeting cryptocurrency wallets, suggests that the attackers are primarily focused on crypto users and motivated by financial gain." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Why it matters: It's somewhat ironic that arguably the biggest piracy enabler today is a device that comes from Amazon, a $2 trillion tech giant with a streaming service. According to a new report, jailbroken Amazon Fire Sticks are used to watch billions of dollars worth of pirated streams, and Google, Meta and Microsoft are exacerbating the situation. A report from Enders Analysis, titled "Video piracy: Big tech is clearly unwilling to address the problem," looks at the issue of illegal streams. Driving the piracy epidemic, particularly in Europe, is the sports broadcasting industry. The BBC reports that the overall value of media rights for this business passed $60 billion last year, which means fans are paying increasingly higher prices to watch sports on TV, especially if they pay for multiple services. UK soccer fans had to pay around $1,171 in the 23/24 season if they wanted to watch all televised Premier League games. The same is also true for mainstream streamers such as Netflix and Disney Plus, which keep raising their subscription costs and clamping down on account sharing. Paying so much in these economically uncertain times has pushed more people into canceling their legitimate streaming services and turning to pirated alternatives. The report notes that Tom Burrows, head of global rights at the world's largest European soccer streamer, DAZN, called streaming piracy "almost a crisis for the sports rights industry." // Related Stories Comcast-owned European TV giant Sky Group echoed the warnings. It said piracy was costing the company "hundreds of millions of dollars" in revenue. Many high-profile events, such as major games, can draw tens of thousands of viewers away from legal services and toward the many pirated streams showing the same content at a fraction of the price – or free. Most people are familiar with jailbroken Amazon Fire Sticks being used to access illegal streaming services – the report calls the device a "piracy enabler." According to Sky, 59% of people who watched pirated material in the UK over the last year did so using a Fire Stick. The report says that the device enables "billions of dollars in piracy" overall. Would you pirate this pirate show? "People think that because it's a legitimate brand, it must be OK. So they give their credit card details to criminal gangs. Amazon is not engaging with us as much as we'd like," said Sky Group COO Nick Herm. As with all forms of piracy, there are risks associated with this trend. Providing credit card details and email addresses to those behind the services isn't exactly safe, and there have been cases of jailbroken, malware-infested pirate streaming devices – not just Fire Sticks – being sold on eBay, Craigslist, and the dark web. There has been a crackdown on the sale of hacked Fire Sticks in the UK recently. Last year saw a man given a two-year suspended sentence for selling the devices, while another was jailed. Just using these sticks or illegal IPTV subscriptions is breaking the law. It's not just Amazon that is being blamed. The report highlights Facebook's lack of action to stop ads for illegal streams running on the platform. Google and Microsoft are also called out for the "continued deprecation" of their respective DRM systems, Widevine and PlayReady; the report says they "are now compromised across various security levels." Microsoft's last update to PlayReady was December 2022. "Over twenty years since launch, the DRM solutions provided by Google and Microsoft are in steep decline," reads the report. "A complete overhaul of the technology architecture, licensing, and support model is needed. Lack of engagement with content owners indicates this a low priority." Amazon says it is working with industry partners and relevant authorities to combat piracy and protect customers from the risks associated with pirated content. The company has taken (or is about to take) steps to make turning Fire TV-branded devices into piracy boxes more difficult. These include raising the technical bar (ADB over local network disabled, tighter DRM), and adding warning messages about legality. Moreover, Amazon is switching Fire TV devices from Android to the Linux-based Vega OS later this year, which doesn't run Android APKs at all.

An anonymous reader quotes a report from the BBC: A lack of action by big tech firms is enabling the "industrial scale theft" of premium video services, especially live sport, a new report says. The research by Enders Analysis accuses Amazon, Google, Meta and Microsoft of "ambivalence and inertia" over a problem it says costs broadcasters revenue and puts users at an increased risk of cyber-crime. Gareth Sutcliffe and Ollie Meir, who authored the research, described the Amazon Fire Stick -- which they argue is the device many people use to access illegal streams -- as "a piracy enabler." [...] The device plugs into TVs and gives the viewer thousands of options to watch programs from legitimate services including the BBC iPlayer and Netflix. They are also being used to access illegal streams, particularly of live sport. In November last year, a Liverpool man who sold Fire Stick devices he reconfigured to allow people to illegally stream Premier League football matches was jailed. After uploading the unauthorized services on the Amazon product, he advertised them on Facebook. Another man from Liverpool was given a two-year suspended sentence last year after modifying fire sticks and selling them on Facebook and WhatsApp. According to data for the first quarter of this year, provided to Enders by Sky, 59% of people in UK who said they had watched pirated material in the last year while using a physical device said they had used a Amazon fire product. The Enders report says the fire stick enables "billions of dollars in piracy" overall. [...] The researchers also pointed to the role played by the "continued depreciation" of Digital Rights Management (DRM) systems, particularly those from Google and Microsoft. This technology enables high quality streaming of premium content to devices. Two of the big players are Microsoft's PlayReady and Google's Widevine. The authors argue the architecture of the DRM is largely unchanged, and due to a lack of maintenance by the big tech companies, PlayReady and Widevine "are now compromised across various security levels." Mr Sutcliffe and Mr Meir said this has had "a seismic impact across the industry, and ultimately given piracy the upper hand by enabling theft of the highest quality content." They added: "Over twenty years since launch, the DRM solutions provided by Google and Microsoft are in steep decline. A complete overhaul of the technology architecture, licensing, and support model is needed. Lack of engagement with content owners indicates this a low priority." Read more of this story at Slashdot.

Enders Analysis Amazon Fire Sticks enable “billions of dollars” worth of streaming piracy Research firm blames outdated DRM tech, Facebook ads, Amazon hardware, and more. Scharon Harding – May 30, 2025 5:18 pm | 114 An Amazon Fire Stick and remote. Credit: Amazon An Amazon Fire Stick and remote. Credit: Amazon Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Amazon Fire Sticks are enabling “billions of dollars” worth of streaming piracy, according to a report today from Enders Analysis, a media, entertainment, and telecommunications research firm. Technologies from other media conglomerates, Microsoft, Google, and Facebook, are also enabling what the report’s authors deem an “industrial scale of theft." The report, "Video piracy: Big tech is clearly unwilling to address the problem," focuses on the European market but highlights the global growth of piracy of streaming services as they increasingly acquire rights to live programs, like sporting events. Per the BBC, the report points to the availability of multiple, simultaneous illegal streams for big events that draw tens of thousands of pirate viewers. Enders' report places some blame on Facebook for showing advertisements for access to illegal streams, as well as Google and Microsoft for the alleged “continued depreciation” of their digital rights management (DRM) systems, Widevine and PlayReady, respectively. Ars Technica reached out to Facebook, Google, and Microsoft for comment but didn’t receive a response before publication. The report echoes complaints shared throughout the industry, including by the world’s largest European soccer streamer, DAZN. Streaming piracy is “almost a crisis for the sports rights industry,” DAZN’s head of global rights, Tom Burrows, said at The Financial Times’ Business of Football Summit in February. At the same event, Nick Herm, COO of Comcast-owned European telecommunication firm Sky Group, estimated that piracy was costing his company “hundreds of millions of dollars” in revenue. At the time, Enders co-founder Claire Enders said that the pirating of sporting events accounts for “about 50 percent of most markets.” Jailbroken Fire Sticks Friday's Enders report named Fire Sticks as a significant contributor to streaming piracy, calling the hardware a “piracy enabler.” Enders’ report pointed to security risks that pirate viewers face, including providing credit card information and email addresses to unknown entities, which can make people vulnerable to phishing and malware. However, reports of phishing and malware stemming from streaming piracy, which occurs through various methods besides a Fire TV Stick, seem to be rather limited. Still, at the February Financial Times event, Herm said that Fire Sticks account “for about half of the piracy in the UK.” “People think that because it’s a legitimate brand, it must be OK. So they give their credit card details to criminal gangs. Amazon is not engaging with us as much as we’d like," he said. In the UK, there has been a push to crack down on illegal usage of Fire Sticks. For example, in November 2024, a man received a three-year, four-month sentence for hacking Fire Sticks. In June 2024, another man got a two-year suspended sentence after a police raid found jailbroken Fire Sticks in his home. In the US, however, there aren’t nearly as many publicized efforts to combat illegal streaming on Amazon devices. While Enders’ report accuses Amazon of contributing to the piracy problem, as the owner of its own streaming service, Prime Video, Amazon has an incentive to fight piracy. Amazon’s streaming business includes selling streaming hardware, but the business is more centered on getting people to sign up for Amazon services (like Prime Video), data collection, and ad sales. When reached for comment, an Amazon spokesperson told Ars Technica: Pirated content violates our policies regarding intellectual property rights and compromises the security and privacy of our customers. We work with industry partners and relevant authorities to combat piracy and protect customers from the risks associated with pirated content. Our Appstore prohibits apps that infringe upon the rights of third parties, and we warn customers of the risks associated with installing or using apps from unknown sources. Amazon’s representative also told Ars that Amazon works with industry partners to break up piracy networks and has assisted law enforcement efforts, including the Police Intellectual Property Crime Unit in London and UK IP Crime Group. DRM limitations Enders’ report also blamed poorly updated DRM systems, especially from Google and Microsoft, for contributing to streaming piracy. Google’s Widevine and Microsoft’s PlayReady "are now compromised across various security levels,” the report said, pointing to a lack of upkeep. Microsoft issued its most recent big update to PlayReady, version 4.6, in December 2022. The report authors wrote: Over twenty years since launch, the DRM solutions provided by Google and Microsoft are in steep decline. A complete overhaul of the technology architecture, licensing, and support model is needed. Lack of engagement with content owners indicates this a low priority. Outside of Enders' report, Google was criticized by the Italian government earlier this year for allegedly failing to block pirate websites identified by Italy’s communication regulator, AGCOM. In March, the Court of Milan ordered Google to poison its public DNS servers with the goal of blocking illegal soccer streams. And beyond the aforementioned tech giants, earlier this month, France ordered five VPN providers (NordVPN, ExpressVPN, Surfshark, Proton VPN, and CyberGhost) to block illegal sports streaming sites. Unsurprisingly, the move has been slammed by VPN providers as setting “a dangerous precedent," per i2Coalition, an Internet infrastructure trade association that manages the international VPN Trust Initiative consortium of VPN providers. A growing problem As the Internet solidifies its position as the primary method for watching shows, movies, and, increasingly, live events, it presents new challenges to content distributors and owners seeking to curb online piracy. In the case of sports, especially, the distribution of sports rights across various linear networks and streaming services often means signing up for multiple services in order to watch a single team’s season. For some fans—including NFL players themselves—that's financially and/or logistically impractical. Simultaneously, anti-piracy advocates argue that piracy could lead to higher subscription fees for streaming services. As legislation and rights holders become more stringent about piracy, we can expect more effort from tech providers and law enforcement to block piracy, while hackers also seek new ways to enable illegal streams. Scharon Harding Senior Technology Reporter Scharon Harding Senior Technology Reporter Scharon is a Senior Technology Reporter at Ars Technica writing news, reviews, and analysis on consumer gadgets and services. She's been reporting on technology for over 10 years, with bylines at Tom’s Hardware, Channelnomics, and CRN UK. 114 Comments

the fastest one 2025 Chevrolet Corvette ZR1 first drive: Engineered for insane speed Now that Chevrolet can fit turbos to the Corvette, it's gone and done just that. Michael Teo Van Runkle – May 30, 2025 10:00 am | 0 Chevrolet has given its latest Corvette variant a four-figure power output to go with a six-figure price tag. Credit: Michael Teo Van Runkle Chevrolet has given its latest Corvette variant a four-figure power output to go with a six-figure price tag. Credit: Michael Teo Van Runkle Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Chevrolet provided flights from Los Angeles to Austin and accommodation so Ars could drive the ZR1. Ars does not accept paid editorial content. AUSTIN, Texas—By just my third lap in the top-spec 2025 Chevrolet Corvette ZR1, I glanced down at the speedometer toward the end of the Circuit of the Americas' long back straight and spied 181 mph (291 km/h) displayed for a split second. Not bad for Chevy’s newest flagship sports car, especially given that the $174,995 ZR1’s twin-turbocharged V8 pumps all 1,064 horsepower to the rear wheels only. The US’s only purpose-built F1 track made for an excellent setting to taste Corvette’s latest; the ZR1 also commanded your attention while conquering the steep uphill toward the first corner, then winding through a series of challenging corners with plenty of elevation change. Luckily, the car itself is an engineering marvel, and Chevy brought along a team of engineers to explain exactly how the total package comes together to enable such a breathtaking pace, as well as how Chevy can responsibly sell such a powerful car to the general public at all. The entire point of switching the Corvette’s eighth generation to a mid-engine layout was to improve weight distribution and allow the Corvette to compete against much more exotic competition from European OEMs like Ferrari. The front-engined car's engine bay also lacked the width to add a pair of turbos, due to the suspension and tire orientation, which dictated the use of a supercharger that kept peak power to “just” 755 hp (563 kW) in the last Corvette to wear the ZR1 badge. It's a tight fit in there. Credit: Michael Teo Van Runkle COTA reveals the ZR1's excellent balance, especially when specced with the optional aero package, carbon fiber wheels, and Michelin’s Cup 2 R tires. The tires—in effect, grooved slicks—allow for improved lateral acceleration but also the ability to consistently put the four-figure horsepower down to the asphalt. Yet Chevy’s engineers readily admitted the original target for ZR1 was just 850 hp (634 kW), until 1,000 came into sight and required some serious creativity to reach reliably. Biggest turbos ever The ZR1’s engine, dubbed LT7, shares much with the 5.5 L naturally aspirated LT6 engine in the less-powerful, cheaper Z06. It’s still a flat-plane crank with dry-sump oiling, even if clever eyes inspecting an LT6 might have noticed that the dry-sump oil tank allowed for the placement of turbos all along. The dual 74-millimeter turbos, the largest ever fitted to a production car, required new intake routing, and computer control of the wastegate actuation maintains an anti-lag boost of 6 to 7 psi even under a closed throttle. Turbo speed sensors allow the turbines to spin closer to maximum speed before the vanes physically break apart—a mechanical system typically needs to maintain a 7 percent margin of error, but the ZR1’s is more like 2–3 percent. That's a massive turbocharger, and there are two of them. Credit: Michael Teo Van Runkle The eventual power output actually wound up breaking two of Chevrolet’s dynos during early testing, we're told. So the C8’s eight-speed dual-clutch transmission also needed beefing up with physically wider gears that were shot-peened for additional strength, plus a revised lubrication system. The engine, meanwhile, creates enormous cooling demands when running at full throttle, which plays hand in hand with the downforce requirements of hitting such high speeds. Consequently, the ZR1 sacrifices its usable frunk in favor of a massive radiator, while the hood’s heat extractor also releases trapped air and feeds it over the roofline. This freed up more space for additional cooling via the front fascia, which further benefits from canard spat dive planes. On the sides, an additional inlet on the side strakes complements the enormously wide scoops that debuted on the Z06. Coupes then get a split rear window—which harks back to Corvettes of old, while releasing hot air from the engine bay—plus new shoulder NACA intakes that directly feed the air box with cooler oxygen that even creates a ram air effect akin to mild supercharging. Cooling for the ZR1 became an even higher priority, because the LT6 and LT7 employ extremely tight tolerances between the crankshaft and connecting rods, which mandates keeping the 5W-50 oil below 120° C (248° F) at all times. And the system simply works, as even on a hot and humid Texas day, I only noticed oil temperatures cresting above 104° C (220° F) occasionally. The interior is better than any prior generation of Corvette, but it feels prosaic compared to the cockpits of its more exotic mid-engined rivals. Michael Teo Van Runkle The interior is better than any prior generation of Corvette, but it feels prosaic compared to the cockpits of its more exotic mid-engined rivals. Michael Teo Van Runkle Lightweight carbon-fiber wheels are mounted with the stickiest road-legal tires Chevy could fit. Michael Teo Van Runkle Lightweight carbon-fiber wheels are mounted with the stickiest road-legal tires Chevy could fit. Michael Teo Van Runkle The ZR1 gets added cooling and more wings. Michael Teo Van Runkle The ZR1 gets added cooling and more wings. Michael Teo Van Runkle Lightweight carbon-fiber wheels are mounted with the stickiest road-legal tires Chevy could fit. Michael Teo Van Runkle The ZR1 gets added cooling and more wings. Michael Teo Van Runkle The hardtop convertible ZR1 lacks the split-engine venting and shoulder intakes, while cutting into headroom so much that I skipped out while wearing a helmet. Other journalists noticed a drop-off in performance for the convertibles, and probably more so than the mild weight gains of just about 100 lbs (45 kg) might suggest. Instead, temperatures probably came into play, as the ECU drew back timing and instead allowed mild overboost of 24–25 psi to compensate for the Texas day. Even so, an engineer admitted he thought the engine was probably down 5–10 percent on power. The fact that I hit my highest-ever top speed despite the ZR1 potentially giving up somewhere between 53 to 106 hp (40–80 kW) only makes this Corvettes sound even more insane. But I essentially wound up driving the turbos, since the DCT’s gear ratios carry over from the Stingray and therefore drop out of peak power when shifting from second to third and third to fourth. I suspect nothing short of an F1 racecar feels this fast on a circuit of this size. A track designed for corner exit speeds double my pace in the ZR1 helps explain why Chevrolet declined to set us loose on public roads behind the wheel. We drove it on track—will owners cope with this much power on the street? Credit: Michael Teo Van Runkle That’s a concern for potential buyers, though, and why the ZR1’s electronics undoubtedly ratchet back the insanity. Chevy still uses Bosch’s ninth-generation traction control, which debuted on C7 and operates on a 10-millisecond loop, even if the ABS runs at 5 milliseconds—while the ESC is at 20 milliseconds. I suspect this computerized nannying slowed me down a fair amount, in addition to the torque-by-gear restrictions in first and second that purposefully protect driveline components. We’ve probably reached peak internal-combustion Corvette, which is something of a hint about the all-too-real question of where Chevy can go from here. If so, this car reaches a new level of unfathomable American ingenuity, combined with a newfound level of refinement and traction management that attempts to belie the undeniable absurdity to a minimal, arguably necessary, extent. 0 Comments

Cyber threats don't show up one at a time anymore. They're layered, planned, and often stay hidden until it's too late. For cybersecurity teams, the key isn't just reacting to alerts—it's spotting early signs of trouble before they become real threats. This update is designed to deliver clear, accurate insights based on real patterns and changes we can verify. With today's complex systems, we need focused analysis—not noise. What you'll see here isn't just a list of incidents, but a clear look at where control is being gained, lost, or quietly tested. ⚡ Threat of the Week Lumma Stealer, DanaBot Operations Disrupted — A coalition of private sector companies and law enforcement agencies have taken down the infrastructure associated with Lumma Stealer and DanaBot. Charges have also been unsealed against 16 individuals for their alleged involvement in the development and deployment of DanaBot. The malware is equipped to siphon data from victim computers, hijack banking sessions, and steal device information. More uniquely, though, DanaBot has also been used for hacking campaigns that appear to be linked to Russian state-sponsored interests. All of that makes DanaBot a particularly clear example of how commodity malware has been repurposed by Russian state hackers for their own goals. In tandem, about 2,300 domains that acted as the command-and-control (C2) backbone for the Lumma information stealer have been seized, alongside taking down 300 servers and neutralizing 650 domains that were used to launch ransomware attacks. The actions against international cybercrime in the past few days constituted the latest phase of Operation Endgame. Get the Guide ➝ 🔔 Top News Threat Actors Use TikTok Videos to Distribute Stealers — While ClickFix has become a popular social engineering tactic to deliver malware, threat actors have been observed using artificial intelligence (AI)-generated videos uploaded to TikTok to deceive users into running malicious commands on their systems and deploy malware like Vidar and StealC under the guise of activating pirated version of Windows, Microsoft Office, CapCut, and Spotify. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware," Trend Micro said. APT28 Hackers Target Western Logistics and Tech Firms — Several cybersecurity and intelligence agencies from Australia, Europe, and the United States issued a joint alert warning of a state-sponsored campaign orchestrated by the Russian state-sponsored threat actor APT28 targeting Western logistics entities and technology companies since 2022. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the agencies said. The attacks are designed to steal sensitive information and maintain long-term persistence on compromised hosts. Chinese Threat Actors Exploit Ivanti EPMM Flaws — The China-nexus cyber espionage group tracked as UNC5221 has been attributed to the exploitation of a pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software (CVE-2025-4427 and CVE-2025-4428) to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The intrusions leverage the vulnerabilities to obtain a reverse shell and drop malicious payloads like KrustyLoader, which is known to deliver the Sliver command-and-control (C2) framework. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," EclecticIQ said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization." Over 100 Google Chrome Extensions Mimic Popular Tools — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. Links to these browser add-ons are hosted on specially crafted sites to which users are likely redirected to via phishing and social media posts. While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Several of these extensions have been taken down by Google. CISA Warns of SaaS Providers of Attacks Targeting Cloud Environments — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that SaaS companies are under threat from bad actors who are on the prowl for cloud applications with default configurations and elevated permissions. While the agency did not attribute the activity to a specific group, the advisory said enterprise backup platform Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," CISA said. "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." GitLab AI Coding Assistant Flaws Could Be Used to Inject Malicious Code — Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. The attack could also leak confidential issue data, such as zero-day vulnerability details. All that's required is for the attacker to instruct the chatbot to interact with a merge request (or commit, issue, or source code) by taking advantage of the fact that GitLab Duo has extensive access to the platform. "By embedding hidden instructions in seemingly harmless project content, we were able to manipulate Duo's behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes," Legit Security said. One variation of the attack involved hiding a malicious instruction in an otherwise legitimate piece of source code, while another exploited Duo's parsing of markdown responses in real-time asynchronously. An attacker could leverage this behavior – that Duo begins rendering the output line by line rather than waiting until the entire response is generated and sending it all at once – to introduce malicious HTML code that can access sensitive data and exfiltrate the information to a remote server. The issues have been patched by GitLab following responsible disclosure. ‎️‍🔥 Trending CVEs Software vulnerabilities remain one of the simplest—and most effective—entry points for attackers. Each week uncovers new flaws, and even small delays in patching can escalate into serious security incidents. Staying ahead means acting fast. Below is this week's list of high-risk vulnerabilities that demand attention. Review them carefully, apply updates without delay, and close the doors before they're forced open. This week's list includes — CVE-2025-34025, CVE-2025-34026, CVE-2025-34027 (Versa Concerto), CVE-2025-30911 (RomethemeKit For Elementor WordPress plugin), CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779 (pfSense), CVE-2025-41229 (VMware Cloud Foundation), CVE-2025-4322 (Motors WordPress theme), CVE-2025-47934 (OpenPGP.js), CVE-2025-30193 (PowerDNS), CVE-2025-0993 (GitLab), CVE-2025-36535 (AutomationDirect MB-Gateway), CVE-2025-47949 (Samlify), CVE-2025-40775 (BIND DNS), CVE-2025-20152 (Cisco Identity Services Engine), CVE-2025-4123 (Grafana), CVE-2025-5063 (Google Chrome), CVE-2025-37899 (Linux Kernel), CVE-2025-26817 (Netwrix Password Secure), CVE-2025-47947 (ModSecurity), CVE-2025-3078, CVE-2025-3079 (Canon Printers), and CVE-2025-4978 (NETGEAR). 📰 Around the Cyber World Sandworm Drops New Wiper in Ukraine — The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. "The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations," ESET Director of Threat Research, Jean-Ian Boutin, said. Another Russian hacking group, Gamaredon, remained the most prolific actor targeting the East European nation, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. Signal Says No to Recall — Signal has released a new version of its messaging app for Windows that, by default, blocks the ability of Windows to use Recall to periodically take screenshots of the app. "Although Microsoft made several adjustments over the past twelve months in response to critical feedback, the revamped version of Recall still places any content that's displayed within privacy-preserving apps like Signal at risk," Signal said. "As a result, we are enabling an extra layer of protection by default on Windows 11 in order to help maintain the security of Signal Desktop on that platform even though it introduces some usability trade-offs. Microsoft has simply given us no other option." Microsoft began officially rolling out Recall last month. Russia Introduces New Law to Track Foreigners Using Their Smartphones — The Russian government has introduced a new law that makes installing a tracking app mandatory for all foreign nationals in the Moscow region. This includes gathering their real-time locations, fingerprint, face photograph, and residential information. "The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said. "If migrants change their actual place of residence, they will be required to inform the Ministry of Internal Affairs (MVD) within three working days." A proposed four-year trial period begins on September 1, 2025, and runs until September 1, 2029. Dutch Government Passes Law to Criminalize Cyber Espionage — The Dutch government has approved a law criminalizing a wide range of espionage activities, including digital espionage, in an effort to protect national security, critical infrastructure, and high-quality technologies. Under the amended law, leaking sensitive information that is not classified as a state secret or engaging in activities on behalf of a foreign government that harm Dutch interests can also result in criminal charges. "Foreign governments are also interested in non-state-secret, sensitive information about a particular economic sector or about political decision-making," the government said. "Such information can be used to influence political processes, weaken the Dutch economy or play allies against each other. Espionage can also involve actions other than sharing information." Microsoft Announces Availability of Quantum-Resistant Algorithms to SymCrypt — Microsoft has revealed that it's making post-quantum cryptography (PQC) capabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0. "This advancement will enable customers to commence their exploration and experimentation of PQC within their operational environments," Microsoft said. "By obtaining early access to PQC capabilities, organizations can proactively assess the compatibility, performance, and integration of these novel algorithms alongside their existing security infrastructure." New Malware DOUBLELOADER Uses ALCATRAZ for Obfuscation — The open-source obfuscator ALCATRAZ has been seen within a new generic loader dubbed DOUBLELOADER, which has been deployed alongside Rhadamanthys Stealer infections starting December 2024. The malware collects host information, requests an updated version of itself, and starts beaconing to a hardcoded IP address (185.147.125[.]81) stored within the binary. "Obfuscators such as ALCATRAZ end up increasing the complexity when triaging malware," Elastic Security Labs said. "Its main goal is to hinder binary analysis tools and increase the time of the reverse engineering process through different techniques; such as hiding the control flow or making decompilation hard to follow." New Formjacking Campaign Targets WooCommerce Sites — Cybersecurity researchers have detected a sophisticated formjacking campaign targeting WooCommerce sites. The malware, per Wordfence, injects a fake but professional-looking payment form into legitimate checkout processes and exfiltrates sensitive customer data to an external server. Further analysis has revealed that the infection likely originated from a compromised WordPress admin account, which was used to inject malicious JavaScript via a Simple Custom CSS and JS plugin (or something similar) that allows administrators to add custom code. "Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site's design and payment workflow, making it particularly difficult for site owners and users to detect," the WordPress security company said. "The malware author repurposed the browser's localStorage mechanism – typically used by websites to remember user preferences – to silently store stolen data and maintain access even after page reloads or when navigating away from the checkout page." E.U. Sanctions Stark Industries — The European Union (E.U.) has announced sanctions against 21 individuals and six entities in Russia over its "destabilising actions" in the region. One of the sanctioned entities is Stark Industries, a bulletproof hosting provider that has been accused of acting as "enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber attacks against the Union and third countries." The sanctions also target its CEO Iurie Neculiti and owner Ivan Neculiti. Stark Industries was previously spotlighted by independent cybersecurity journalist Brian Krebs, detailing its use in DDoS attacks in Ukraine and across Europe. In August 2024, Team Cymru said it discovered 25 Stark-assigned IP addresses used to host domains associated with FIN7 activities and that it had been working with Stark Industries for several months to identify and reduce abuse of their systems. The sanctions have also targeted Kremlin-backed manufacturers of drones and radio communication equipment used by the Russian military, as well as those involved in GPS signal jamming in Baltic states and disrupting civil aviation. The Mask APT Unmasked as Tied to the Spanish Government — The mysterious threat actor known as The Mask (aka Careto) has been identified as run by the Spanish government, according to a report published by TechCrunch, citing people who worked at Kaspersky at the time and had knowledge of the investigation. The Russian cybersecurity company first exposed the hacking group in 2014, linking it to highly sophisticated attacks since at least 2007 targeting high-profile organizations, such as governments, diplomatic entities, and research institutions. A majority of the group's attacks have targeted Cuba, followed by hundreds of victims in Brazil, Morocco, Spain, and Gibraltar. While Kaspersky has not publicly attributed it to a specific country, the latest revelation makes The Mask one of the few Western government hacking groups that has ever been discussed in public. This includes the Equation Group, the Lamberts (the U.S.), and Animal Farm (France). Social Engineering Scams Target Coinbase Users — Earlier this month, cryptocurrency exchange Coinbase revealed that it was the victim of a malicious attack perpetrated by unknown threat actors to breach its systems by bribing customer support agents in India and siphon funds from nearly 70,000 customers. According to Blockchain security firm SlowMist, Coinbase users have been the target of social engineering scams since the start of the year, bombarding with SMS messages claiming to be fake withdrawal requests and seeking their confirmation as part of a "sustained and organized scam campaign." The goal is to induce a false sense of urgency and trick them into calling a number, eventually convincing them to transfer the funds to a secure wallet with a seed phrase pre-generated by the attackers and ultimately drain the assets. It's assessed that the activities are primarily carried out by two groups: low-level skid attackers from the Com community and organized cybercrime groups based in India. "Using spoofed PBX phone systems, scammers impersonate Coinbase support and claim there's been 'unauthorized access' or 'suspicious withdrawals' on the user's account," SlowMist said. "They create a sense of urgency, then follow up with phishing emails or texts containing fake ticket numbers or 'recovery links.'" Delta Can Sue CrowdStrike Over July 2024 Mega Outage — Delta Air Lines, which had its systems crippled and almost 7,000 flights canceled in the wake of a massive outage caused by a faulty update issued by CrowdStrike in mid-July 2024, has been given the green light to pursue to its lawsuit against the cybersecurity company. A judge in the U.S. state of Georgia stating Delta can try to prove that CrowdStrike was grossly negligent by pushing a defective update to its Falcon software to customers. The update crashed 8.5 million Windows devices across the world. Crowdstrike previously claimed that the airline had rejected technical support offers both from itself and Microsoft. In a statement shared with Reuters, lawyers representing CrowdStrike said they were "confident the judge will find Delta's case has no merit, or will limit damages to the 'single-digit millions of dollars' under Georgia law." The development comes months after MGM Resorts International agreed to pay $45 million to settle multiple class-action lawsuits related to a data breach in 2019 and a ransomware attack the company experienced in 2023. Storm-1516 Uses AI-Generated Media to Spread Disinformation — The Russian influence operation known as Storm-1516 (aka CopyCop) sought to spread narratives that undermined the European support for Ukraine by amplifying fabricated stories on X about European leaders using drugs while traveling by train to Kyiv for peace talks. One of the posts was subsequently shared by Russian state media and Maria Zakharova, a senior official in Russia's foreign ministry, as part of what has been described as a coordinated disinformation campaign by EclecticIQ. The activity is also notable for the use of synthetic content depicting French President Emmanuel Macron, U.K. Labour Party leader Keir Starmer, and German chancellor Friedrich Merz of drug possession during their return from Ukraine. "By attacking the reputation of these leaders, the campaign likely aimed to turn their own voters against them, using influence operations (IO) to reduce public support for Ukraine by discrediting the politicians who back it," the Dutch threat intelligence firm said. Turkish Users Targeted by DBatLoader — AhnLab has disclosed details of a malware campaign that's distributing a malware loader called DBatLoader (aka ModiLoader) via banking-themed banking emails, which then acts as a conduit to deliver SnakeKeylogger, an information stealer developed in .NET. "The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies," the company said. SEC SIM-Swapper Sentenced to 14 Months for SEC X Account Hack — A 26-year-old Alabama man, Eric Council Jr., has been sentenced to 14 months in prison and three years of supervised release for using SIM swapping attacks to breach the U.S. Securities and Exchange Commission's (SEC) official X account in January 2024 and falsely announced that the SEC approved Bitcoin (BTC) Exchange Traded Funds (ETFs). Council Jr. (aka Ronin, Agiantschnauzer, and @EasyMunny) was arrested in October 2024 and pleaded guilty to the crime earlier this February. He has also been ordered to forfeit $50,000. According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account." FBI Warns of Malicious Campaign Impersonating Government Officials — The U.S. Federal Bureau of Investigation (FBI) is warning of a new campaign that involves malicious actors impersonating senior U.S. federal or state government officials and their contacts to target individuals since April 2025. "The malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official in an effort to establish rapport before gaining access to personal accounts," the FBI said. "One way the actors gain such access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform." From there, the actor may present malware or introduce hyperlinks that lead intended targets to an actor-controlled site that steals login information. DICOM Flaw Enables Attackers to Embed Malicious Code Within Medical Image Files — Praetorian has released a proof-of-concept (PoC) for a high-severity security flaw in Digital Imaging and Communications in Medicine (DICOM), predominant file format for medical images, that enables attackers to embed malicious code within legitimate medical image files. CVE-2019-11687 (CVSS score: 7.8), originally disclosed in 2019 by Markel Picado Ortiz, stems from a design decision that allows arbitrary content at the start of the file, otherwise called the Preamble, which enables the creation of malicious polyglots. Codenamed ELFDICOM, the PoC extends the attack surface to Linux environments, making it a much more potent threat. As mitigations, it's advised to implement a DICOM preamble whitelist. "DICOM's file structure inherently allows arbitrary bytes at the beginning of the file, where Linux and most operating systems will look for magic bytes," Praetorian researcher Ryan Hennessee said. "[The whitelist] would check a DICOM file's preamble before it is imported into the system. This would allow known good patterns, such as 'TIFF' magic bytes, or '\x00' null bytes, while files with the ELF magic bytes would be blocked." Cookie-Bite Attack Uses Chrome Extension to Steal Session Tokens — Cybersecurity researchers have demonstrated a new attack technique called Cookie-Bite that employs custom-made malicious browser extensions to steal "ESTAUTH" and "ESTSAUTHPERSISTNT" cookies in Microsoft Azure Entra ID and bypass multi-factor authentication (MFA). The attack has multiple moving parts to it: A custom Chrome extension that monitors authentication events and captures cookies; a PowerShell script that automates the extension deployment and ensures persistence; an exfiltration mechanism to send the cookies to a remote collection point; and a complementary extension to inject the captured cookies into the attacker's browser. "Threat actors often use infostealers to extract authentication tokens directly from a victim's machine or buy them directly through darkness markets, allowing adversaries to hijack active cloud sessions without triggering MFA," Varonis said. "By injecting these cookies while mimicking the victim's OS, browser, and network, attackers can evade Conditional Access Policies (CAPs) and maintain persistent access." Authentication cookies can also be stolen using adversary-in-the-middle (AitM) phishing kits in real-time, or using rogue browser extensions that request excessive permissions to interact with web sessions, modify page content, and extract stored authentication data. Once installed, the extension can access the browser's storage API, intercept network requests, or inject malicious JavaScript into active sessions to harvest real-time session cookies. "By leveraging stolen session cookies, an adversary can bypass authentication mechanisms, gaining seamless entry into cloud environments without requiring user credentials," Varonis said. "Beyond initial access, session hijacking can facilitate lateral movement across the tenant, allowing attackers to explore additional resources, access sensitive data, and escalate privileges by abusing existing permissions or misconfigured roles." 🎥 Cybersecurity Webinars Non-Human Identities: The AI Backdoor You're Not Watching → AI agents rely on Non-Human Identities (like service accounts and API keys) to function—but these are often left untracked and unsecured. As attackers shift focus to this hidden layer, the risk is growing fast. In this session, you'll learn how to find, secure, and monitor these identities before they're exploited. Join the webinar to understand the real risks behind AI adoption—and how to stay ahead. Inside the LOTS Playbook: How Hackers Stay Undetected → Attackers are using trusted sites to stay hidden. In this webinar, Zscaler experts share how they detect these stealthy LOTS attacks using insights from the world's largest security cloud. Join to learn how to spot hidden threats and improve your defense. 🔧 Cybersecurity Tools ScriptSentry → It is a free tool that scans your environment for dangerous logon script misconfigurations—like plaintext credentials, insecure file/share permissions, and references to non-existent servers. These overlooked issues can enable lateral movement, privilege escalation, or even credential theft. ScriptSentry helps you quickly identify and fix them across large Active Directory environments. Aftermath → It is a Swift-based, open-source tool for macOS incident response. It collects forensic data—like logs, browser activity, and process info—from compromised systems, then analyzes it to build timelines and track infection paths. Deploy via MDM or run manually. Fast, lightweight, and ideal for post-incident investigation. AI Red Teaming Playground Labs → It is an open-source training suite with hands-on challenges designed to teach security professionals how to red team AI systems. Originally developed for Black Hat USA 2024, the labs cover prompt injections, safety bypasses, indirect attacks, and Responsible AI failures. Built on Chat Copilot and deployable via Docker, it's a practical resource for testing and understanding real-world AI vulnerabilities. 🔒 Tip of the Week Review and Revoke Old OAuth App Permissions — They're Silent Backdoor → You've likely logged into apps using "Continue with Google," "Sign in with Microsoft," or GitHub/Twitter/Facebook logins. That's OAuth. But did you know many of those apps still have access to your data long after you stop using them? Why it matters: Even if you delete the app or forget it existed, it might still have ongoing access to your calendar, email, cloud files, or contact list — no password needed. If that third-party gets breached, your data is at risk. What to do: Go through your connected apps here: Google: myaccount.google.com/permissions Microsoft: account.live.com/consent/Manage GitHub: github.com/settings/applications Facebook: facebook.com/settings?tab=applications Revoke anything you don't actively use. It's a fast, silent cleanup — and it closes doors you didn't know were open. Conclusion Looking ahead, it's not just about tracking threats—it's about understanding what they reveal. Every tactic used, every system tested, points to deeper issues in how trust, access, and visibility are managed. As attackers adapt quickly, defenders need sharper awareness and faster response loops. The takeaways from this week aren't just technical—they speak to how teams prioritize risk, design safeguards, and make choices under pressure. Use these insights not just to react, but to rethink what "secure" really needs to mean in today's environment. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

May 23, 2025Ravie LakshmananCryptocurrency / Malware The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security tools to detect or block the malware." Latrodectus, believed to be a successor to IcedID, is the name given to a malware that acts as a downloader for other payloads, such as ransomware. It was first documented by Proofpoint and Team Cymru in April 2024. Incidentally, the malware is one among the many malicious software to suffer an operational setback as part of Operation Endgame, which took down 300 servers worldwide and neutralized 650 domains related to Bumblebee, Lactrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE between May 19 and 22, 2025. In the latest set of Latrodectus attacks observed by Expel in May 2025, unsuspecting users are tricked into copying and executing a PowerShell command from an infected website, a tactic that has become a prevalent method to distribute a wide range of malware. "When run by a user, these commands will attempt to install a file located at the remote URL using MSIExec, and then execute it in memory," Expel said. "This keeps the attacker from having to write the file to the computer and risk being detected by the browser or an antivirus that might detect it on disk." The MSI installer contains a legitimate application from NVIDIA, which is used to sideload a malicious DLL, which then uses curl to download the main payload. To mitigate attacks of this type, it's advised to disable the Windows Run program using Group Policy Objects (GPOs) or turn off the "Windows + R" hot key via a Windows Registry change. From ClickFix to TikTok The disclosure comes as Trend Micro revealed details of a new engineering campaign that instead of relying on fake CAPTCHA pages employs TikTok videos likely generated using artificial intelligence (AI) tools to deliver the Vidar and StealC information stealers by instructing users to run malicious commands on their systems to activate Windows, Microsoft Office, CapCut, and Spotify. These videos have been posted from various TikTok accounts such as @gitallowed, @zane.houghton, @allaivo2, @sysglow.wow, @alexfixpc, and @digitaldreams771. These accounts are no longer active. One of the videos claiming to provide instructions on how to "boost your Spotify experience instantly" has amassed nearly 500,000 views, with over 20,000 likes and more than 100 comments. The campaign marks a new escalation of ClickFix in that users searching for ways to activate pirated apps are verbally and visually guided to open the Windows Run dialog by pressing the "Windows + R" hot key, launch PowerShell, and run the command highlighted in the video, ultimately compromising their own systems. "Threat actors are now using TikTok videos that are potentially generated using AI-powered tools to socially engineer users into executing PowerShell commands under the guise of guiding them to activate legitimate software or unlock premium features," security researcher Junestherry Dela Cruz said. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware." Fake Ledger Apps Used to Steal Mac Users' Seed Phrases The findings also follow the discovery of four different malware campaigns that leverage a cloned version of the Ledger Live app to steal sensitive data, including seed phrases, with the goal of draining victims' cryptocurrency wallets. The activity has been ongoing since August 2024. The attacks make use of the malicious DMG files that, when launched, launches AppleScript to exfiltrate passwords and Apple Notes data, and then download a trojanized version of Ledger Live. Once the app is opened, it warns users of a supposed account problem and that it requires their seed phrase for recovery. The entered seed phrase is sent to an attacker-controlled server. Moonlock Lab, which shed light on the campaign, said the rogue apps make use of macOS stealer malware like Atomic macOS Stealer (AMOS) and Odyssey, the latter of which introduced the novel phishing scheme in March 2025. It's worth noting that the activity overlaps with a macOS infostealer campaign that targets Ledger Live users through PyInstaller-packed binaries, as revealed by Jamf this month. "On dark web forums, chatter around anti-Ledger schemes is growing. The next wave is already taking shape," MacPaw's cybersecurity division noted. "Hackers will continue to exploit the trust crypto owners place in Ledger Live." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Who owns what? Why console makers can legally brick your game console "If the ability [to brick a console] is there, someone will want to 'see how it goes.'" Kyle Orland – May 22, 2025 6:09 pm | 13 The martial artist is a console maker. The brick is your console. Credit: Getty Images The martial artist is a console maker. The brick is your console. Credit: Getty Images Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Earlier this month, Nintendo received a lot of negative attention for an end-user license agreement (EULA) update granting the company the claimed right to render Switch consoles "permanently unusable in whole or in part" for violations such as suspected hacking or piracy. As it turns out, though, Nintendo isn't the only console manufacturer that threatens to remotely brick systems in response to rule violations. And attorneys tell Ars Technica that they're probably well within their legal rights to do so. Sony's System Software License Agreement on the PS5, for instance, contains the following paragraph of "remedies" it can take for "violations" such as use of modified hardware or pirated software (emphasis added). If SIE Inc determines that you have violated this Agreement's terms, SIE Inc may itself or may procure the taking of any action to protect its interests such as disabling access to or use of some or all System Software, disabling use of this PS5 system online or offline, termination of your access to PlayStation Network, denial of any warranty, repair or other services provided for your PS5 system, implementation of automatic or mandatory updates or devices intended to discontinue unauthorized use, or reliance on any other remedial efforts as reasonably necessary to prevent the use of modified or unpermitted use of System Software. The same exact clause appears in the PlayStation 4 EULA as well. The PlayStation 3 EULA was missing the "disabling use... online or offline" clause, but it does still warn that Sony can take steps to "discontinue unauthorized use" or "prevent the use of a modified PS3 system, or any pirated material or equipment." Microsoft, if anything, is even more straightforward in its Xbox Software License Agreement. Efforts to "install Unauthorized Software" or "defeat or circumvent any... technical limitation, security, or anti-piracy system" can mean that "your Xbox Console, Kinect Sensor or Authorized Accessory may stop working permanently at that time or after a later Xbox Software update," the company writes. While it's unclear how far back in history this legal clause goes, the mention of the now-defunct Kinect sensor suggests it dates back at least to the Xbox One era. A prototype SX Core device soldered to a Nintendo Switch motherboard. Credit: Team Xeceuter A prototype SX Core device soldered to a Nintendo Switch motherboard. Credit: Team Xeceuter While console makers routinely ban players and consoles from online play and services, remotely bricking a game console's offline capabilities for EULA violations seems exceedingly rare in practice. Even when cases of public console hacking have led to protracted legal fights—such as George Hotz's saga with the PS3 or Team Xecuter's Switch jailbreaks—console makers don't seem to have used technical means to completely disable offline functions for specific consoles. In 2015, Microsoft even went so far as to actively deny reports that it had bricked a console associated with a leak of an early Gears of War beta. "To be clear, if a console is suspended from Xbox Live for a violation of the Terms of Use, it can still be used offline," Microsoft said at the time. "Microsoft enforcement action does not result in a console becoming unusable." That said, it appears console makers sometimes take steps to remotely brick consoles after they've been reported stolen. It's not hard to find online reports of people buying used consoles only to find that they had been rendered entirely useless due to a prior theft. As always with secondhand hardware, let the buyer beware. They have the (legal) power Just because the major console makers don't tend to make use of the "brick switch" on their hardware doesn't mean they don't have the legal right to do so. "Although users own the hardware, the software that's needed to run it is subject to a license agreement," attorney Jon Loiterman told Ars. "If you violate the license terms, Nintendo has the right to revoke your access to that software. It's less common for software makers to revoke access to software in a way that disables hardware you bought from them, but the principle is the same." While these kinds of "bricking" clauses haven't been tested in court, lawyers who spoke to Ars felt they would probably hold up to judicial review. That's especially true if the facts of the "bricking" case centered around software piracy or some other method of getting around digital rights protections baked into the console itself. Consoles like these may get banned from Nintendo's online services, but they tend to still work offline. Credit: Kate Temkin / ReSwitched Consoles like these may get banned from Nintendo's online services, but they tend to still work offline. Credit: Kate Temkin / ReSwitched "Unfortunately, 'bricking' personal devices to limit users’ rights and control their behavior is nothing new," Electronic Frontier Foundation attorney Victoria Noble told Ars Technica. "It would likely take selective enforcement to rise to a problematic level [in court]," attorney Richard Hoeg said. Last year, a collection of 17 consumer groups urged the Federal Trade Commission to take a look at the way companies use the so-called practice of "software tethering" to control a device's hardware features after purchase. Thus far, though, the federal consumer watchdog has shown little interest in enforcing complaints against companies that do so. "Companies should not use EULAs to strip people of rights that we normally associate with ownership, like the right to tinker with or modify their own personal devices," Noble told Ars. "[Console] owners deserve the right to make otherwise legal modifications to their own devices without fear that a company will punish them by remotely bricking their [systems]." The court of public opinion In the end, these kinds of draconian bricking clauses may be doing their job even if the console makers involved don't invoke them. "In practice, I expect this kind of thing is more about scaring people away from jailbreaking and modifying their systems and that Nintendo is unlikely to go about bricking large volumes of devices, even if they technically have the right to," Loiterman said. "Just because they put a remedy in the EULA doesn’t mean they will certainly use it either," attorney Mark Methenitis said. "My suspicion is this is to go after the people who eventually succeeded in jailbreaking the original Switch and try to prevent that for the Switch 2." The threat of public backlash could also hold the console makers back from limiting the offline functionality of any hacked consoles. After citing public scrutiny that companies like Tesla, Keurig, and John Deere faced for limiting hardware via software updates, Methenitis said that he "would imagine Nintendo would suffer similar bad publicity if they push things too far." That said, legal capacities can sometimes tend to invite their own use. "If the ability is there, someone will want to 'see how it goes.'" Hoeg said. Kyle Orland Senior Gaming Editor Kyle Orland Senior Gaming Editor Kyle Orland has been the Senior Gaming Editor at Ars Technica since 2012, writing primarily about the business, tech, and culture behind video games. He has journalism and computer science degrees from University of Maryland. He once wrote a whole book about Minesweeper. 13 Comments

Sora Shimazaki / Pexels In another stark reminder of the constant threats online, cybersecurity researcher Jeremiah Fowler recently uncovered a massive, unsecured database containing over 184 million login credentials from Microsoft, Apple, Facebook, Discord, Google, PayPal and others. The trove amounted to approximately 47.42 GB of data, was discovered on a misconfigured cloud server and is believed to have been amassed using infostealer malware – malicious software designed to extract sensitive information from compromised devices. Recommended Videos A global breach with far-Reaching implications According to Jeremiah, the database also contained over 220 email addresses associated with government domains from at least 29 countries, such as the United Stated, United Kingdom, Australia, and Canada. The breadth underscores the potential national security risks posed by such breaches. Fowlers analysis of a 10,000-record sample revealed that the data included plaintext usernames and passwords, with some entries linked to financial terms like “bank” and “wallet,” indicating a heightened risk of financial fraud. The presence of such sensitive information in an unprotected database amplifies concerns about identity theft, unauthorized access and other malicious activities. Hackread.com has some images from the database provided by Jeremiah. The role of infostealer malware Infostealer malware operates by infiltrating devices through phishing emails, malicious websites, or comes bundled with pirated software. Once installed, it can harvest a variety of data, including login credentials, cookies, autofill information and even cryptocurrency wallet details. The data is then transmitted to command-and-control servers operated by cybercriminals. The discovery of this database suggests a coordinated effort to collect and potentially exploit vast amounts of personal and institutional data. The lack of identifiable ownership or metadata within the database further complicates efforts to trace its origins or intended use. Hosting companies likely do not know that they are fostering these databases to begin with. Immediate actions and recommendations Upon discovering the database, Fowler promptly notified the hosting provider, World Host Group, which subsequently took the server offline. However, the duration for which the data remained exposed and wither it was accessed by unauthorized parties before its removal remains uncertain. I would advise users to: Change your passwords, yet again: Immediately update your passwords for all online accounts, especially if the same passwords are being re-used across multiple platforms Enable two-factor authentication (2FA): This generally requires a text verification code to your phone, or a secondary email address Monitor your accounts: Regularly check your financial accounts and other sensitive accounts for suspicious activity Use reputable security software: Anti-virus and malware software from reputable companies usually help, make sure they are updated. You can check out our antivirus and malware reviews Be cautious with emails and downloads: Avoid clicking on suspicious links or downloading attachments from unknown sources

Macworld Streaming services have become the most popular way to watch movies and TV on a Mac. But rising prices and the number of services now available can make it hard to afford all the subscriptions required to deliver the content you want to watch. That means it’s tempting when you come across websites like MyFlixer, which offers loads of AAA titles at no cost. Of course, there’s no such thing as a free lunch, and you should always be deeply suspicious of sites that contain free versions of premium content. MyFlixer has already been banned or blocked in several countries, but mirror sites reappear quickly, making it hard to stop people accessing the portal. It’s not just the fact that the content is provides is very likely pirated, but more importantly you could soon find yourself with intrusive ads or even malware on your system that puts your personal information at risk. If you are going to continue to use MyFlixer or the like, here’s how to protect yourself and your Mac from the dangers that lurk on free streaming sites. PROMOTIONCleanMyMac: Total Cleanup and Protection CleanMyMac’s advanced malware protection safeguards your Mac from viruses, miners, keyloggers, Trojans, and other threats. MacPaw, the developer behind CleanMyMac, regularly updates its custom-built malware database to ensure your Mac machine is always protected against the latest and emerging threats. Get CleanMyMac What is the MyFlixer virus? Just visiting the MyFlixer site shouldn’t immediately infect your Mac with malware. But you’ll very quickly be prompted to accept new content alerts, push notifications or browser extensions. If you do this, you’ll then be pestered by adware to download things like companion apps, which will most likely turn out to be malware. The approaches differ for each mirror-site, but the method of getting an infection onto your system is usually similar. If you’ve already fallen for the tricks the sites employ, then you’ll need to clean up your browser prompts, remove any extensions or apps, and use anti-virus software to restore your machine back to full health. We’ll cover all these steps below so that you fix the problems that can be caused by using MyFlixer. How to remove the MyFlixer browser extension It’s quite easy to remove the MyFlixer extension from your browser. Here’s the methods needed for some of the most popular browers on macOS. How to remove the MyFlixer Safari browser extension Removing the MyFlixer Safari extension is easy and is the same way you’d remove any extension from the browser. Here’s the steps: Open Safari Go to Safari > Settings then select the Extensions tab. In the left column, click on the Extension you want to remove Click Uninstall Screenshot Martyn Casserly How to remove the MyFlixer Chrome browser extension To remove the extension on your Chrome browser, here’s what you’ll need to do: Open Chrome Click on the Extensions icon in the toolbar (looks like a puzzle piece) Find the extension you want to remove, then click the three dots to the right of its name Click Remove from Chrome You’ll be asked to confirm your decision, so click Remove to finish. Screenshot Martyn Casserly How to remove the MyFlixer Firefox browser extension If you prefer to use Firefox, here’s what’s required to remove the extension: Open Firefox Click on the Extensions icon in the tool bar (looks like a puzzle piece) Click the Settings icon (Cog) to the right of the extension you want to remove Select Remove Extension Confirm your choice by clicking Remove Screenshot Martyn Casserly How to stop push notifications from MyFlixer With the extension removed, you’ll still need to deal with the push notifications that will flood you with adware and potential malware. Here’s the steps to take on the most popular browsers. How to remove MyFlixer push notifications on Safari To stop notifications from MyFlixer, here’s what you’ll need to do: Open Safari Select the Websites tab In the left column select Notifications In the main pane, select the MyFlixter option and set the drop-down menu to Deny Next, select the Pop-up Windows option from the left column Again, find the MyFlixer site and this time set the drop-down menu to Block Screenshot Martyn Casserly How to remove MyFlixer push notifications on Chrome The instructions are a little different on Chrome: Open Chrome Click the three dots icon in the top right corner Select Settings > Privacy and security Scroll down and select Site settings Find the MyFlixer site and click on it Adjust all the settings to Block Go back to the Site settings page and select Pop-up and Redirects In the ‘Not allowed to send pop-ups or use redirects’ section, click Add Enter the web address that’s sending you notifications and click Add Screenshot Martyn Casserly How to remove MyFlixer push notifications on Firefox Open Firefox Click on the three lines in the top right corner Select Settings From the left column choose Privacy & Security Scroll down to Permissions and click on the Settings button for Notifications Select the Block option for the MyFlixer website Click Save Changes Screenshot Martyn Casserly How to find and remove MyFlixer malware Clearing a virus or malware off your system isn’t something you can really do yourself, so if you think your system may be compromised then you’ll need to use an antivirus program. You’ll see plenty of free ones around, but most of these only scan for infection and won’t remove anything until you move to the paid version – which makes sense as it is providing a professional service. We recommend taking a look at our Best Mac Antivirus Software chart to see the products that we’ve tested and found to be the most reliable. A prime example is Intego Mac Security X9, which tops the chart at the time of writing. You can find out more in our Intego Mac Security X9 review. Using this software should locate and remove any malware from your Mac that MyFlixer (or any other site) has managed to install on your system. You can read a more detailed explanation of the process in our How to remove a virus from your Mac tutorial. Petter Ahrnstedt While the immediate threat is dealt with by antivirus, there can still be files and other junk left behind, so we’d also recommend you use a Mac Cleaner app to completely return your Mac to a pristine state. CleanMyMac is an excellent option, with a friendly and easy to understand interface that allows you to know what needs fixing without bombarding you with confusing information. You can find out more in our CleanMyMac review. Once you have these apps on your Mac, it’s a good idea to run them periodically to ensure your data is safe and that your system is running to its full potential. How to avoid the MyFlixer virus While free streaming sites might seem incredibly tempting, there’s often a hidden cost involved…and it can be nasty. Basically, if you’re being offered something that you know you’d normally have to pay for, then the chances are it’s some kind of scam or delivery method for malware. So, to stay safe, don’t visit those sites and certainly don’t download anything from them. That’s just asking for trouble. If you really want to enjoy movies and TV shows on your Mac, then the safest way is through a paid service. It means you’re not ripping off the people that work hard to create the content and aren’t playing into the hands of cybercriminals that want to steal your data. You don’t have to sign up to all of them at the same time though. Most services offer free trials, so you could always work your way through those first. When you’ve exhausted those, simply sign up to one and binge what you want, then cancel your subscription and repeat the process on the next one. This way you minimise what you have to pay, while ensuring you don’t get any dangerous malware on your computer. FAQ 1. What is MyFlixer? A site that offers free TV and movie streaming, often of pirated content from other studios. 2. Is MyFlixer safe? No, MyFlixer is not safe. There are usually prompts for notifications, extensions and downloads that can contain adware and malware. If you decide to use MyFlixer then you should take steps to ensure your computer and your data is protected. 3. Is MyFlixer legal? Distrubuting content for which the site doesn’t have copyright is illegal. This is why the site has been banned or blocked in various countries. 4. How to block MyFlixer ads? Change the settings in your browser to block pop-up ads and notifications. 5. How to protect your Mac from MyFlixer virus? Install and use a quality antivirus app and run a Mac Cleaner app afterwards to remove any remaining artifacts from your system.