A series of fraudulent text messages impersonating state Departments of Motor Vehicles (DMVs) has spread throughout the United…

A series of fraudulent text messages impersonating state Departments of Motor Vehicles (**DMVs**) has spread throughout the United States tricking thousands of Americans into handing over sensitive personal and financial information.

According to Check Point Research, the campaign first identified in May 2025 used spoofed SMS messages and fake websites to exploit public trust in local authorities and collect data on a large scale.

****Unpaid Tolls and Threats of License Suspension****

Victims reported receiving texts warning of unpaid toll violations or legal penalties. The messages urged immediate action, threatening consequences such as license suspension. Included was a link directing recipients to what appeared to be a state DMV site. In reality, these were convincing clones, designed to match the visual identity of each targeted state.

Once on the fake site, victims were asked to pay a small fee and enter personal details including full name, address, email, phone number and credit card information. While the payment amount was often under seven dollars, the real damage came from the data collection.

****A Well-Built Scam Network****

The infrastructure behind the attack was anything but random. Most of the fraudulent sites followed a clear naming pattern that mimicked real DMV URLs. According to Check Point’s **blog post**, a large number of domains were hosted on the same IP address, 49.51.75162, which has a known history of malicious activity. The sites focused on high-population states like California, Texas, New York, and Florida. However, States directly impacted by the campaign included:

*   Texas
*   Florida
*   Georgia
*   New York
*   California
*   New Jersey
*   Pennsylvania

Despite the wide distribution of domains and hosting servers, the **phishing kit** used was consistent. Each fake DMV site loaded the same set of JavaScript, CSS, and image files. The design work, behaviour, and codebase point to a centralized development effort, not the work of independent copycats.

Examples of some of the fake DMV texts scam messages received by users

****Evidence Points to China-Based Threat Actor****

Check Point researchers have spotted several indicators linking this operation to a China-based group. All domains shared name servers from a Chinese provider alidns.com, and the SOA contact email pointed to hichina.com.

Additionally, source code comments were written in Chinese, and the phishing kit itself matched patterns found in a toolkit known as “Lighthouse,” previously used by Chinese threat actors from the **Smishing Triad** in attacks targeting US DMVs.

Although direct attribution is always difficult, the overlap in infrastructure, coding language, and phishing toolkit suggests a well-resourced operation likely running from **China** or by Chinese-speaking operators.

****Impact and Public Response****

CPR noted that the scope of this attack is among the most extensive **smishing campaigns (SMS Phishing)** in the US this year. The FBI’s Internet Crime Complaint Center (IC3) received over 2,000 related complaints in just one month. Cybersecurity researchers believe the real number of victims is much higher, as many may have dismissed the incident due to the low dollar amount involved.

The story reached national outlets including **CBS News**, causing officials to act quickly. DMV and Department of Transportation websites across multiple states issued public warnings. They reminded residents that toll-related matters are never handled via unsolicited texts and urged victims to report the scams.

****What You Can Do****

This campaign is just another example of how a malicious text message, small dollar amounts, and the appearance of government authority can still trick thousands of unsuspected users. Therefore, users and organisations must pay attention to what they are responding to and following these tips:

*   Block abuse-prone domain extensions such as .cfd and .win.
*   Proactively alert the public about scams through official channels.
*   Go directly to the official DMV website by typing the URL in your browser.
*   Do not click on links in unexpected text messages about fines or legal matters.
*   Report scam messages to 7726 (SPAM) and file complaints at reportfraud.ftc.gov.

Fake DMV Texts Scam Hit Thousands in Widespread Phishing Campaign

Russian hackers have convinced targets to share their app passwords in very sophisticated and targeted social engineering attacks.

Russian hackers have bypassed Google’s multi-factor authentication (MFA) in Gmail to pull off targeted attacks, according to security researchers at Google Threat Intelligence Group (GTIG).

The hackers pulled this off by posing as US Department of State officials in advanced social engineering attacks, building a rapport with the target and then persuading them into creating app-specific passwords (app passwords).

App passwords are special 16-digit codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Normally, when you sign in to your Google account, you use your regular password plus a second verification step like a code sent to your phone. But since some older or less secure apps and devices—like certain email clients, cameras, or older phones—are unable to handle this extra verification step, Google provides app passwords as an alternative way to sign in.

However, because app passwords skip the second verification step, hackers can steal or phish them more easily than a full MFA login.

In an example provided by CitizenLab, the attackers initially made contact by posing as a State Department representative, inviting the target to a consultation in the setting of a private online conversation.

Although the invitation came from a Gmail account, it CCed four @state.gov accounts, giving a false sense of security and making the target believe that other people at the State Department had monitored the email conversation.

Most likely, the attacker fabricated those email addresses, knowing that the State Department’s email server accepts all messages and does not send a bounce response even if the addresses do not exist.

As the conversation unfolded and the target showed interest, they received an official looking document with instructions to register for an “MS DoS Guest Tenant” account. The document outlined the process of  “adding your work account… to our MS DoS Guest Tenant platform,” which included creating an app password to “enable secure communications between internal employees and external partners.”

So, while the target believes they are creating and sharing an app password to access a State Department platform in a secure way, they are actually giving the attacker full access to their Google account.

The targets of this campaign, which ran for months, were prominent academics and critics of Russia, and was set up with so much attention for details and skill that the researchers suspect the attacker was a Russian state-sponsored entity.

**Be safe, avoid app passwords**

Now that this bypass is known, we can expect more social engineering attacks leveraging app-specific passwords in the future. Here’s how to stay safe:

*   Only use app passwords when absolutely necessary. If you have the opportunity to change to apps and devices that support more secure sign-in methods, make that switch.
*   The advice to enable MFA still stands strong, but not all MFA is created equal. Authenticator apps (like Google Authenticator) or hardware security keys (FIDO2/WebAuthn) are more resistant to attacks than SMS-based codes, let alone app passwords.
*   Regularly educate yourself and others about recognizing phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords through phishing.
*   Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. And limit those logins where possible.
*   Regularly update your operating system and the apps you use to patch vulnerabilities that attackers might exploit. Enable automatic updates whenever possible so you don’t have to remember yourself.
*   Use security software that can block malicious domains and recognize scams.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Gmail&#8217;s multi-factor authentication bypassed by  hackers to pull off targeted attacks 

Malware hidden in fake Minecraft Mods on GitHub is stealing passwords and crypto from players. Over 1,500 devices may be affected, researchers warn.

A new malware campaign has been targeting Minecraft players through fake mod downloads, according to recent findings from Check Point Research (CPR). Shared through GitHub and disguised as popular **Minecraft cheat mods**, the files carry a layered infection that can steal everything from saved passwords to cryptocurrency.

**Malware Hidden Inside Mods**

The campaign, which surfaced in March 2025, focused on active players using mods to enhance their gameplay. Mods like Oringo and Taunahi, widely known in the Minecraft cheat community, were mimicked to attract downloads. But instead of extra features, these files installed malware in three stages.

According to CPR’s **blog post**, first came a Java-based downloader. After confirming the user was running Minecraft and not a sandboxed or virtual environment, it dropped the download of a second-stage stealer which harvested login credentials and other sensitive files.

The final payload, a more advanced spyware tool, dug even deeper. It scanned for data in Discord, Steam, Telegram, web browsers and **crypto wallets.** It could also take screenshots and collect technical details from the infected machine. Data stolen through this campaign was then sent out over Discord, making the exfiltration hard to detect.

****Russian-Speaking Attacker Suspected****

Hints from the malware’s code, including Russian-language comments and UTC+3-based activity patterns, point to a Russian-speaking threat actor. The operation was linked to a group Check Point referred to as the Stargazers Ghost Network, a malware delivery system that uses a distribution-as-a-service model. The same system was **previously seen in July 2024** distributing malware through more than 3,000 fake GitHub accounts.

In the latest Minecraft scam, CPR’s research also traced the campaign across several GitHub repositories, each posing as legitimate mod tools. This helped the malware gain reach while avoiding immediate suspicion. Based on internal traffic analysis, the researchers estimate that at least 1,500 devices may have been compromised so far.

Malicious GitHub repositories (Image via CPR)

****Why Minecraft Was the Perfect Target****

Minecraft’s global popularity makes it a prime target for these kinds of attacks. With over 200 million monthly active users and more than a million modders, the game has built an extensive infrastructure of user-created content. Many players are young and may not be well-equipped to spot fake downloads, especially when they’re presented as performance boosters or cheats.

The modding community thrives on open sharing, but that openness has become a vulnerability. Attackers are betting that users won’t double-check the origin of a mod if it looks familiar.

This is why in October 2021, Minecraft was identified as **the most malware-infected game** after researchers found 44,335 compromised devices and over 300,000 malware cases targeting its players.

****What Players Should Do****

This attack is just another example of how familiar online platforms, especially those used by younger audiences, are being turned into distribution channels for malware. If you’re a Minecraft player or a parent of one, now’s a good time to check your devices and habits:

*   Stick to mods from well-known and verified platforms.
*   Make sure your antivirus and security updates are current.
*   Avoid any mod claiming to offer hacks, cheats or automation.
*   Monitor accounts linked to Discord, gaming platforms or crypto wallets for suspicious activity.

Fake Minecraft Mods on GitHub Found Stealing Player Data

It sure is a hard time to be a SOC analyst. 
Every day, they are expected to solve high-consequence problems with half the data and twice the pressure. Analysts are overwhelmed—not just by threats, but by the systems and processes in place that are meant to help them respond. Tooling is fragmented. Workflows are heavy. Context lives in five places, and alerts never slow down. What started as a

How AI-Enabled Workflow Automation Can Help SOCs Reduce Burnout

Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems.
"Unlike direct prompt injections, where an attacker directly inputs malicious commands into a prompt, indirect prompt injections

Google Adds Multi-Layered Defenses to Secure GenAI from Prompt Injection Attacks

Zyxel users beware: A critical remote code execution flaw (CVE-2023-28771) in Zyxel devices is under active exploitation by a Mirai-like botnet. GreyNoise observed a surge on June 16, targeting devices globally.

A serious security vulnerability, tracked as CVE-2023-28771, is affecting Zyxel networking devices. Security researchers at GreyNoise noticed a sudden sharp rise, and a concentrated effort by attackers to exploit this flaw on June 16th.

The vulnerability allows for remote code execution, which means attackers can run their own programs on vulnerable devices from a distance. This particular weakness is found in how Zyxel devices handle specific internet messages, called Internet Key Exchange (IKE) packets coming through the UDP port 500.

****The Sudden Surge and Its Reach****

While attacks targeting this Zyxel flaw had been minimal, June 16th brought a significant spike in activity. GreyNoise recorded 244 different internet addresses trying to exploit the issue within a single day.

Source: GreyNoise

These attacks are aimed at devices in various countries, with the following being the most targeted:

*   India
*   Spain
*   Germany
*   United States
*   United Kingdom

Interestingly, a review of these 244 attacking addresses showed they had not been involved in any other suspicious network activity in the two weeks leading up to this sudden burst.

****Tracing the Source****

An investigation into the attacking internet addresses revealed they were all registered under Verizon Business infrastructure and appeared to originate from the United States. However, because the attacks use UDP port 500, which allows for spoofing (faking the sender’s address), the true source might be hidden, noted GreyNoise researchers in their blog post shared with Hackread.com.

Further analysis by GreyNoise, supported by checks from VirusTotal, found signs that these attacks might be linked to variants of the Mirai botnet, a type of malicious software that takes over devices.

In response to these active threats, security experts are urging immediate action. It is advised to block all 244 identified malicious IP addresses and to check if any internet-connected Zyxel devices have the necessary security patches for CVE-2023-28771.

Device owners should also watch for any unusual activity after an exploit attempt, as this could lead to further compromise or the device being added to a botnet. Finally, it’s recommended to limit any unnecessary exposure of IKE/UDP port 500 by applying network filters.

It’s important to note that Zyxel devices have faced security challenges in the past. For instance, Hackread.com reported in June 2024, about Zyxel NAS devices being targeted by a Mirai-like botnet exploiting a different recent vulnerability (CVE-2024-29973), highlighting a recurring pattern of issues for the company’s products.

“This was added to the CISA Known Exploited vulnerabilities list on May 31, 2023, requiring agencies to have it resolved before June 21 that same year. The activity observed appears to be the Mirai botnet activity,” said Martin Jartelius, CISO at cybersecurity company Outpost24.

“As the vulnerability has been extensively targeted before, for someone to fall victim now, they would have had to obtain a vulnerable device, deploy it without updates, and expose it to the internet, even though it’s in a known vulnerable state,” explained Martin.

“One would almost say that the chain of incompetence needed to be victimized at this point is borderline impressive, but of course, it can happen. This, however, is not the vulnerability we should all wake up and worry about today. In fact, if you were worried about it, you would have fixed it years ago.”

Zyxel Devices Hit by Active Exploits Targeting CVE-2023-28771 Vulnerability

Unmanned vehicles are increasingly becoming essential weapons of war. But with a potential conflict with China looming large, Taiwan is scrambling to build a domestic drone industry from scratch.

In the span of just a few years, drones have become instrumental in warfare. Conflicts in Ukraine, Iran, Nagorno-Karabakh, Sudan, and elsewhere have shown how autonomous vehicles have become a quintessential part of modern combat.

It’s a fact that Taiwan knows all too well. The island nation, fearing imminent invasion from China, has both the need, know-how, and industry necessary to build a robust and advanced drone program.

Yet Taiwan, which has set an ambitious target of producing 180,000 drones per year by 2028, is struggling to create this industry from scratch. Last year, it produced fewer than 10,000.

“Taiwan definitely has the ability to make the best drones in the world,” says Cathy Fang, a policy analyst at the Research Institute for Democracy, Society, and Emerging Technology (DSET).

So why doesn’t it?

**Designing a Hellscape**

Fang and her colleagues published a lengthy report on June 16 that reveals just how sluggish Taiwan’s drone industry has been. According to their research, the country has produced between 8,000 and 10,000 unmanned aerial vehicles (UAVs) over the past year, with “structural challenges” standing in the way of the current rate and the ambitious goal. Their study found that Taiwan’s drone production has been stymied by “high manufacturing costs, low domestic procurement, and minimal foreign government orders.”

Fang and other DSET researchers briefed WIRED on the details of their report in their Taipei offices in May.

Taiwan has lived under the threat of Chinese invasion for decades, but recent years have turned it into a more immediate possibility. Beijing has made clear that it intends to complete its aggressive modernization of the People’s Liberation Army by 2027; Taiwanese officials say invasion could come that early but almost certainly before Premier Xi Jinping’s current term in office ends in 2029.

While there are competing views about what form, exactly, Chinese military aggression could take, military analysts in Taiwan fear it could be a full combined arms onslaught: From air and sea at first, followed by a full land invasion.

That means Taiwan has an imperative to come up with innovative solutions to defend itself, and fast. As one American commander remarked in 2023, Taiwan’s self-defense will mean turning the Taiwan Strait into a “hellscape”—bombarding incoming Chinese ships and planes with swarms of uncrewed aerial and naval vehicles. This strategy doesn’t need to destroy the considerable Chinese navy and air force outright, but it does need to frustrate Beijing’s advances long enough for Taiwan’s allies to rally to its defense.

Taipei is already doing some of this right. In 2022, the government launched the Drone National Team, a program meant to match government and industry to scale up the nascent field. In particular, the team was dispatched to learn lessons from Ukraine, whose defensive strategy has relied heavily on small, tactical, cheap UAVs capable of carrying out multiple missions and integrating closely with ground units. Today, the country boasts a massive domestic drone industry, with Kyiv planning to buy 4.5 million small drones this year, on top of its long-range uncrewed missile program, its autonomous land vehicles, and its uncrewed naval drones.

But Ukraine also shows the disadvantage at which Taiwan finds itself. In a secret workshop in Kyiv, a Ukrainian drone maker told WIRED that he had no choice but to source his antennas and chips from China. Taiwanese chips were too expensive.

**Competing With DJI**

“We are not able to compete with DJI,” Fang says, referring to the massive Chinese drone manufacturer.

Other countries that have scaled up their drone programs recently have accepted Chinese technology in their supply chain—either as an asset or a necessary evil. But Taiwan, for obvious reasons, is leery of including any Chinese tech.

That makes drone manufacturing hard. China maintains a massive advantage in producing certain critical pieces of these UAVs—including the gimbals, optical sensors, and antennas. To buy that equipment, Taiwan needs to find allied suppliers, often at considerable cost.

Taiwan has even had difficulty leveraging its advantages. The country has an advanced battery industry, for example—but it’s heavily reliant on Chinese critical minerals. The island nation also boasts the world’s most impressive semiconductor industry: It produces 60 percent of the world’s semiconductors and 90 percent of the advanced semiconductors. But, Fang says, Taiwan does not produce any chips specifically for use on drones.

“Taiwanese drone makers are buying chips from Qualcomm and Nvidia, but those chips are not specifically for drones,” she says. “Those are communication chips, sensor chips, those are for more general use.” And even those general chips are significantly more expensive than their Chinese competitors, sometimes by a factor of 10.

“We definitely have the ability to make them,” Fang adds. “But the reason why these companies are not involved in this market is because the scale is just too small.”

It’s a catch-22: Taiwanese companies can’t increase production and reduce costs until they get more orders, but they can’t get more orders because their costs are too high.

“We need more government procurement from Taiwan itself,” Fang says. Thus far, the nation’s defense ministry has ordered fewer than 4,000 drones, although it plans to purchase tens of thousands more in the years to come. It owes to the fact, analysts say, that financing the kind of defense spending that Taiwan needs remains politically difficult. Earlier this year, opposition lawmakers in the Legislative Yuan passed a budget that slashed planned defense spending.

If Taiwan’s industry has any hope of growing by the scale the country needs, Fang says there’s a clear answer: America.

**Building an Army of Drones**

DSET has a number of recommendations, both for Taiwan and America, on how to establish this ambitious new industry. For starters, they argue, America needs to start actually supporting Taiwan’s local industry.

To date, no Taiwanese drone manufacturer has secured access to the Department of Defense’s “blue list”—its roster of trusted drone suppliers. Earning a spot on that list could mean millions or billions of dollars in orders from the Pentagon.

There has been some trade in the other direction. The US has supplied Taiwan with about 1,000 drones, mostly the smaller AeroVironment Switchblade loitering munition as well as a small number of the MQ-9 Reaper long-range drones.

The US has also been shipping some novel technology to Taiwan, including access to its Replicator Initiative: an autonomous drone swarm capability designed to find and destroy targets at sea.

But, DSET argues, some of these capabilities have been more a product of what the US thinks Taiwan needs. Washington could be more effective if it developed partnerships with Taiwanese industry, DSET contends, and make longer-term decisions about what Taipei needs for its self-defense. Finally, DSET writes, Washington should drop its tariffs—on Taiwanese UAVs, at the very least.

Taiwan itself has even more work to do. DSET recommends establishing a more detailed roadmap for what capabilities it wants and needs and how it intends to get there. While plenty of focus will be on the small, first-person-view drones—the kind increasingly ubiquitous in conflicts worldwide—Taiwan will need to expand into other kinds of technology.

While Taipei has identified a wide range of capabilities it hopes to acquire, DSET found it has been mostly procuring smaller surveillance drones.

Both Russia and Iran have recently shown how long-range uncrewed vehicles can be made at scale and significantly cheaper than traditional missiles. Perhaps more importantly, the DSET report argues, Taiwan needs to be able to plug into American needs and procurement programs—and America prioritizes longer-range systems.

The preponderance of these drones has also heightened the need for defenses, particularly around electronic warfare. Taipei is investing in anti-drone systems, Fang says, but it remains an “emerging concept.” (A defense analyst told WIRED that Taiwan is simply “not prepared to fight in a complex electromagnetic environment.”)

One of the weak points in China’s invasion will be its landing crafts. Beijing has been feverishly building a fleet of barges that would be able to transport troops and tanks across the Taiwan Strait. Taiwan has been developing domestically made submarines with the hope of sinking those barges before they arrive—that capability would be augmented significantly by autonomous or uncrewed submersibles.

Ukraine has pioneered its own models of semiautonomous uncrewed naval vehicles, which have successfully sunk Russian warships and damaged the Kerch Bridge in Crimea.

As Western nations get ambitious about how to mass-produce cost-effective and high-impact defense strategies, many are looking toward uncrewed vehicles as a silver bullet. But, as Taiwan shows, this is all easier said than done.

If Taiwan gets this wrong, DSET argues, “Taiwan risks falling into a gray zone of limited interoperability and unscalable production.” Meanwhile, “the US risks failing to develop trusted regional manufacturing capacity at the speed required to compete with China's drone diplomacy and defense exports.”

It may seem like an insurmountable challenge, especially for a nation facing an existential threat from a much bigger neighbor. But, as Fang points out, Ukraine was in the same situation. “Ukraine? They didn’t even imagine that kind of capacity three years ago,” she says. But a “sense of survival” kicked in, and Kyiv stood up the world’s most impressive indigenous drone manufacturing industry.

Taipei “is, right now, in low mode,” Fang says. “Because we are still not at war. But I don't want to underestimate our capacity, even though we are in a peacetime.”

Taiwan Is Rushing to Make Its Own Drones Before It's Too Late

Not every risk looks like an attack. Some problems start as small glitches, strange logs, or quiet delays that don’t seem urgent—until they are. What if your environment is already being tested, just not in ways you expected?
Some of the most dangerous moves are hidden in plain sight. It’s worth asking: what patterns are we missing, and what signals are we ignoring because they don’t match old

⚡ Weekly Recap: Chrome 0-Day, 7.3 Tbps DDoS, MFA Bypass Tricks, Banking Trojan and More

Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!

June 23, 2025 - Russian hackers have convinced targets to share their app passwords in very sophisticated and targeted social engineering attacks.

June 19, 2025 - Researchers have uncovered 30 exposed data sets containing over 16 billion login credentials which were likely harvested by infostealers.

June 19, 2025 - Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution.

June 18, 2025 - Several Instagram ads have been found impersonating banks, including the usage of deepfake videos to defraud consumers.

June 18, 2025 - These five communication channels are favored by scammers to try and trick victims at least once a week—if not more.

 A week in security (June 15 &#8211; June 21) 

In scan.rs in spytrap-adb before 0.3.5, matches for known stalkerware are not rendered in the interactive user interface.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

Latest News