Iranian Robbinhood ransomware operator pleads guilty to major US city attacks, crippling services in Baltimore, Greenville, and more since 2019.

An Iranian man has admitted his role in a major international ransomware operation that caused tens of millions of dollars in damages and severely disrupted public services across the United States.

Sina Gholinejad, 37, entered a guilty plea on Tuesday, May 27, 2025, for his part in deploying the Robbinhood ransomware. This criminal enterprise targeted cities, businesses, and healthcare organizations, locking down their computer systems and demanding ransom payments.

Starting in January 2019, Gholinejad and his co-conspirators, who operated from overseas, gained unauthorized access to the victim’s computer networks. They would then steal information and use the Robbinhood ransomware to encrypt files, making them inaccessible. To restore access, they demanded ransom, typically in Bitcoin.

The criminals also attempted to hide their tracks by using cryptocurrency mixing services, switching between different digital currencies (known as chain-hopping), and employing virtual private networks.

Robbinhood Ransomware’s ransom note (Image credit: Malwayerbytes)

The impact of these attacks was severe. The City of Baltimore, Maryland, for instance, suffered over $19 million in losses due to the damage and the prolonged shutdown of essential services. For months, residents couldn’t process property taxes, water bills, or parking citations online.

The City of Greenville, North Carolina, was also heavily affected, as were the cities of Gresham, Oregon, and Yonkers, New York. These criminals even used the disruption they caused in cities like Baltimore to threaten future victims, leveraging their notoriety to extort more money.

Regarding the Baltimore incident and other similar attacks, Hackread.com previously reported a significant link: the use of a stolen tool called EternalBlue. This was a powerful spying tool first made by the US National Security Agency (NSA) to break into computer systems.

A group called Shadow Brokers leaked it in 2017. After that, it was used in big worldwide cyberattacks like WannaCry and NotPetya. Interestingly, the attackers in these urban ransomware campaigns, including Baltimore, where NSA headquarters are located, were utilizing this very tool.

The Justice Department emphasized its commitment to prosecuting cybercriminals regardless of their location. Officials highlighted that these attacks were a direct assault on communities, disrupting lives and local governments. Gholinejad’s guilty plea is seen as a significant step towards justice for the numerous victims.

Sina Gholinejad pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud. He now faces a potential maximum sentence of 30 years in prison. His sentencing is scheduled for August.

The FBI’s Charlotte Field Office led the investigation, with crucial support from the FBI Baltimore Field Office and international partners in Bulgaria, who assisted in gathering evidence.

This case serves as a powerful reminder that law enforcement agencies are determined to identify and hold accountable those who exploit online infrastructure for personal gain.

Iranian Robbinhood Ransomware Operator Pleads Guilty in US City Attacks

Among all ages, Minecraft still rules the gaming scene as a preferred choice. The game provides a broad…

Among all ages, Minecraft still rules the gaming scene as a preferred choice. The game provides a broad spectrum of activities from building huge constructions and joining multiplayer servers to investigating blocky environments. But your PC configuration is more important than you would realize for seamless, lag-free gameplay.

Minecraft may seem visually basic, but depending on shaders, modifications, or custom servers it may be shockingly resource-intensive. Performance depends on your computer’s meeting of the optimal system criteria. Equally crucial, particularly in multiplayer settings, is having access to a solid good Minecraft hosting to maintain server-side gaming robust and responsive.

****Minimum against Suggested System Requirements****

Your playing style will affect Minecraft’s performance needs. Most entry-level systems let Vanilla Minecraft (unmodified) operate. The demand rises greatly, though, if you’re experimenting with high-end shaders or diving into sophisticated modpacks.

****Here’s what you should know:****

**Vanilla Minecraft’s minimum requirements:**

*   CPU: Intel Core i3-3210 / AMD A8-7600  
    
*   RAM: 4 GB  
    
*   GPU: Intel HD4000 / AMD Radeon R5 integrated graphics  
    
*   Storage: Free 2 GB  
    
*   OS: Windows 7 or anything later  
    

**For Modded or Shader-Enhanced Minecraft, recommended requirements:**

*   CPU: Intel Core i5, AMD Ryzen 5 or above  
    
*   RAM: 8 GB or above  
    
*   GPU: Specifically designed graphics (GTX 1650 / RX 570 or above)  
    
*   Storage: SSD with at least 4 GB free capacity  
    
*   OS: latest macOS/Linux or Windows 10/11  
    

Although these requirements offer a minimum, gaming may also be impacted by Java settings and background apps.

****What Affects Minecraft Performance?****

Especially in single-player or slightly modified gameplay, Minecraft mostly depends on CPU and RAM rather than GPU. But when you include shaders or higher-resolution texture packs, GPU capability becomes crucial. Storage also plays a part; loading worlds on SSDs is clearly faster than on conventional hard disks.

New performance requirements are presented by server-based games. Stuttering, latency, or crashes might result from hosting your own server on the same system you are using for play. Many players thus choose outside solutions that guarantee a better experience for the host and users by providing solid Minecraft hosting with 24/7 uptime, mod support, and DDoS protection.

****Single-Player Versus Multiplayer: Hardware Division****

Running Minecraft in single-player mode mostly runs on resources from your machine, but adding multiplayer alters the dynamic. Even a little server calls for more RAM and CPU when hosted. Particularly if your environment has farms, redstone contraventions, or modified material, more players mean an exponentially increasing burden.

Separating your games from your hosting will help to ensure the best performance. While the hosting provider manages world data and multiplayer traffic, using an outside host lets your computer concentrate on producing your game.

****Essential Items to Give Minecraft Top Priority****

Here’s the only list you should concentrate on whether you are constructing or updating your PC for Minecraft:

*   **CPU:** Pick a high-performance CPU – AMD Ryzen 5/7 or Intel i5/i7. Particularly with add-ons, Minecraft uses CPU heavily.  
    
*   **RAM:** Try a minimum of 8 GB. Should you be modifying, use the launcher to allot 4–6 GB to Minecraft.  
    
*   **GPU:** Shaders and HD textures call for this. A GTX 1650 or above will offer a smooth ride.  
    
*   **Storage:** For rapid startup times and speedy world loading, use an SSD.  
    
*   **Cooling:** Minecraft may be taxing over long sessions; excellent ventilation helps to reduce overheating.  
    

This configuration guarantees both performance and long-term dependability so you may enjoy every feature of Minecraft free from restrictions.

****Tips for Optimizing Performance: Tweaks****

Changing in-game settings will help to increase performance even with a good machine. FPS may be much improved by cutting render distance, turning off fancy visuals, and decreasing particle count. Another great approach to improving graphic quality and keeping smooth gameplay is installing OptiFine. It also provides sophisticated shader support and visual settings.

Simple actions that increase stability and speed are allocating more RAM through the launcher and maintaining Java runtime updated for your drivers.

****Considerations for Hosting Multiple Player Servers****

If you intend to operate a Minecraft server, especially one available to friends or the public, you should give some thought to an outside hosting provider. While it’s possible to host locally, your performance and security may suffer.

A well-reviewed Minecraft server hosting provider can make all the difference. From one-click modpack installations to reliable support, hosted services ensure that your server remains online, optimized, and protected. It also frees up your personal computer for gameplay instead of acting as both client and server.

****Conclusion: Build Smart, Play Smooth****

Minecraft offers limitless creativity, but your PC’s hardware determines how enjoyable the experience is. From exploring vast modded worlds to managing thriving multiplayer servers, having the right specifications can transform gameplay from sluggish to seamless.

Choosing high-quality components and pairing them with good Minecraft hosting not only enhances your in-game experience but also ensures your community remains connected and lag-free. And if you’re diving into server management, don’t overlook the importance of selecting reliable Minecraft server hosting to handle the backend with efficiency and speed.

Photo by Oberon Copeland @veryinformed.com on Unsplash

Maximize Your Minecraft: Optimal PC Setup and Server Hosting Essentials

Checkmarx uncovers cross-ecosystem attack: fake Python and NPM packages plant backdoor on Windows and Linux, enabling data theft plus remote control.

New research from Checkmarx Zero has unveiled a unique malicious software campaign that targets Python and NPM users on both Windows and Linux systems.

Security researcher Ariel Harush at Checkmarx Zero has identified this troubling new trend in cyberattacks. According to their research, shared with Hackread.com, attackers are using typosquatting and name-confusion techniques to trick users into downloading harmful software.

What makes this campaign especially unusual is its _cross-ecosystem_ approach. The malicious packages, uploaded to PyPI (Python Package Index), mimic the names of legitimate software from two different programming ecosystems: colorama (a popular Python tool for adding color to text in terminals) and colorizr (a similar JavaScript package found on NPM, the Node Package Manager). This means an attacker is using a name from one platform to target users of another, a rarely seen tactic.

The packages uncovered by Checkmarx Zero carried highly risky payloads, designed to give attackers lasting remote access and remote control over both desktops and servers. This allows them to “harvest and exfiltrate sensitive data,” meaning they can steal important information.

On Windows systems, the malware even attempts to bypass antivirus software to avoid being detected. Checkmarx also linked some of the Windows payloads to a GitHub account: githubcom/s7bhme.

For Linux users, the malicious packages were found to contain advanced backdoors that could establish encrypted connections, steal information, and maintain a hidden, long-term presence on affected systems.

The campaign, likely designed to attack specific targets, is currently untraceable due to the lack of clear attribution data, leaving it unclear whether it is linked to a well-known adversary.

Thankfully, these specific malicious packages have been removed from public software repositories, which has limited their immediate potential for causing damage. Although the immediate threat has been contained, Checkmarx advises organizations to be ready for similar attacks.

Query results for ‘coloramapkgs’ retrieved via the Checkmarx Threat Intelligence API

“By combining typo-squatting and related name confusion attacks, cross-ecosystem baiting, and multi-platform payloads, this attack serves as a reminder of how opportunistic and sophisticated open-source supply chain threats have become,” Checkmarx researchers noted in their blog post.

Researchers suggest checking all active and ready-to-use application code for any signs of these malicious package names. It is also crucial to inspect private software storage areas, like Artifactory, to remove any harmful packages and prevent their future installation.

Furthermore, companies should ensure that these types of dangerous packages aren’t installed on developer computers or in testing environments. These steps are vital for defending against such sophisticated open-source supply chain attacks.

Backdoors in Python and NPM Packages Target Windows and Linux

As more businesses face pressure to do more with fewer resources, automation platforms like Flowable are becoming central…

As more businesses face pressure to do more with fewer resources, automation platforms like Flowable are becoming central to digital strategy. Forrester’s The Digital Process Automation (DPA) Landscape, Q2 2025 report acknowledges 37 vendors, including Flowable, whose strength focuses on driving transformation through flexibility, compliance, and system integration.

As businesses look to do more with fewer resources, many are turning to automation to reduce delays, cut costs, and simplify operations. Forrester’s recent report reflects these priorities and points to the growing need for tools that can manage everyday tasks and more complex, unpredictable work. Flowable’s platform helps meet this need by combining process design, case handling, and automation in one place. 

Flowable makes it easier for companies to organize their work, whether that involves employees, software, or customer services. It’s used to improve processes like loan approvals, insurance claims, service requests, and internal workflows, especially in highly compliant industries including banking, healthcare, insurance, and government. 

“We’re proud to be recognized in this Forrester report,” said Tijs Rademakers, vice president of engineering at Flowable. “Our platform continues to evolve to help companies run smoother operations and solve problems faster while staying in control of their processes.” 

****Helping Businesses Stay Organized and Flexible** **

The Forrester report highlights how the market is shifting from basic task automation to smarter, more connected systems. Today’s businesses need tools that not only automate work but also allow teams to respond when things don’t go as planned. Flowable supports this shift with features that help track progress, manage exceptions and keep teams aligned. 

Flowable stands out for its ability to bring people, software and digital tools together in a single system. Teams can create custom workflows, decide when certain actions should happen using automation and adjust processes as needed. 

It also provides tools to keep track of what decisions were made, when they were made and who made them which is important for teams that need to follow strict rules or reporting standards, or are pursuing optimization. 

The platform is based on open industry standards, which makes it easier to connect with other systems that a company already uses. This helps businesses avoid building from scratch or relying on multiple tools that don’t work well together. 

Forrester’s digital process automation landscape report offers a clear view of enterprise automation options out there today. And insights into the key business value that automation leaders are achieving with digital process automation right now.  

Flowable’s strengths in helping automation leaders today include: 

*   Providing tools to log decisions and track changes 
*   Coordinating tasks across teams, software, and digital systems 
*   Supporting both structured routines and flexible work processes 
*   Connecting smoothly with existing technology using open standards 

****Supporting a Wide Range of Teams** **

Flowable is used by different teams across an organization, each with their own goals: 

*   **Operations teams** use it to reduce delays and eliminate repetitive tasks 
*   **Compliance and audit teams** rely on it to keep records and follow policies 
*   **IT and digital teams** use it to automate processes launch new tools faster, and keep systems connected 
*   **Customer support and finance teams** improve service by speeding up common processes like account setup, claims, and approvals 

Because Flowable lets both technical and non-technical users build and update workflows, it’s a useful tool for businesses that want to move quickly without depending only on developers. 

Flowable also helps companies stay flexible. As rules, markets or technologies change, teams can adjust how their processes work without needing to rebuild everything from the ground up. 

****A Strong Option for Long-Term Automation Goals** **

Forrester’s Digital Process Automation Landscape report is a solid resource for companies that are choosing tools to support their growth and digital strategy. The 2025 report outlines how platforms like Flowable are helping businesses stay on track by making their operations faster, clearer, and more consistent. The report arrives at a transformational moment when organizations increase focus on AI agent innovation and the eventuating possibilities within end-to-end business automation.  

Flowable believes its recognition in Forrester’s 2025 DPA Landscape shows its commitment to supporting the evolving needs and expectations of today’s enterprises. Organizations interested in learning more about how Flowable supports business automation, case management, and digital operations.

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change.

****About Flowable** **

Flowable is a leading provider of business process automation and case management software. Its flexible, low-code platform enables organizations to design, manage, and optimize workflows that connect teams, systems, and data. Flowable serves enterprises across industries such as finance, healthcare, insurance, and the public sector. 

****Media Contact** **

Violet Diamanti-Race 

Senior Product Marketing Manager 

\[email protected\] 

+41 31 329 09 00 

**Website**: flowable.com

Flowable’s Smart Automation Tools Are Reshaping How Enterprises Operate in 2025

Quorum Cyber identifies two new NodeSnake RAT variants, strongly attributed to Interlock ransomware, impacting UK higher education and local government.

Cybersecurity firm Quorum Cyber has uncovered two new versions of malicious software known as NodeSnake. This discovery highlights a possible shift in targets for the Interlock ransomware group, which is believed to be behind these attacks.

Quorum Cyber’s Threat Intelligence team has been tracking NodeSnake and strongly believes it is connected to Interlock ransomware. This connection is based on the shared online infrastructure used by the attackers.

The team noticed similar malicious code used in attacks on two universities in the United Kingdom within two months. The same attackers likely placed both NodeSnake RATs at these universities. Furthermore, the two NodeSnake variants are from the same family, with the newer one showing significant improvements.

A screenshot from Interlock ransomware gang’s dark web leak site shows a UK country being listed as a victim (Image credit: Hackread.com)

According to Quorum Cyber’s research, shared with Hackread.com, NodeSnake is a type of Remote Access Trojan (RAT). RATs are dangerous because they allow attackers to take control of infected computers from afar. This means attackers can access files, watch what users are doing, change computer settings, and even steal or delete important information remotely while the RATs stay hidden in the system and even introduce other harmful programs.

Interlock ransomware, first seen in September 2024, has typically focused on large or valuable organizations across North America and Europe. This group is known for double-extortion tactics, where they encrypt data and threaten to release it unless a ransom is paid.

Interlock Ransomware gang’s ransom note (Image credit: Quorum Cyber)

Unlike many other ransomware groups, Interlock doesn’t operate as a service for others and has no known partners. It can attack both Linux and Windows computer systems, giving it a wide range of targets.

However, recent activity suggests Interlock is now also targeting local government bodies and higher education institutions. In April 2025, Hackread.com reported Interlock stole a staggering 20 terabytes (TB) of sensitive patient data from DaVita Healthcare, a major healthcare provider specializing in kidney dialysis treatment.

This shift in targets is concerning. As Paul Caiazzo, Chief Threat Officer at Quorum Cyber, explained, “We have observed threat actors increasingly targeting universities this year to exfiltrate valuable intellectual property, including research data, and possibly to test and hone new tactics, techniques, and procedures before potentially applying them in other sectors.”

Caiazzo added that the theft of research data points to a motivation related to espionage. Quorum Cyber continues to monitor Interlock and NodeSnake to help organizations protect their important information. The company is offering a detailed technical analysis and recommendations to lessen the impact of the malware in its NodeSnake report available here.

Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks

Alleged TikTok Breach: Threat actor “Often9” claims to sell 428M user records, including emails, phones, and account details on dark web forum.

A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”

The seller’s post, which appeared on the forum yesterday (May 29, 2025), promises a dataset containing detailed user information such as:

*   Email addresses
*   Mobile phone numbers
*   Biography, avatar URLs, and profile links
*   TikTok user IDs, usernames, and nicknames
*   Account flags like private\_account, secret, verified, and ttSeller status.
*   Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts.

Screenshot of the Often9’s post (Image credit: Hackread.com)

****Why This Might Be Serious****

The inclusion of non-public fields such as email addresses, mobile phone numbers, and internal account flags is not something that can be casually scraped from TikTok’s public-facing website or mobile app. If these details are verified by TikTok to be accurate and recent, it suggests access to either internal TikTok systems or an exposed **third-party database**.

Adding to the weight of the claim, the threat actor is willing to work through a middleman, a common approach on criminal forums when large-scale data sales require third-party verification to build buyer trust.

Sample data screenshot (Image credit: Hackread.com)

****But Here’s Why Skepticism Is Warranted****

Despite the attention-grabbing sales pitch from the threat actor, several red flags cast doubt on the validity of the claim. Importantly, a significant number of sample entries show empty or generic fields for emails and phone numbers, raising the possibility that this dataset was put together from **scraped public profiles** and organised using old breach data or guesswork.

The threat actor is a new account on the forum, having joined only days ago, with no reputation, neither positive nor negative. In the cybercrime world, reputation is currency; major breach sellers typically have years of verified history or past successful sales.

The forum itself has a recent history of inflated or false breach claims. Notably, the same platform was used last week to promote a so-called “1.2 billion Facebook user” data sale, which was later exposed as fake in an **exclusive Hackread.com investigation**, leading to the seller’s ban.

A closer look at the sample data reveals that many fields, user IDs, usernames, profile links, and follower metrics, are publicly accessible and could be obtained through large-scale scraping operations. While scraping at scale can still pose risks (like phishing or spam campaigns), it does not equate to a breach of internal systems.

****Cross-Checking Email Addresses with HaveIBeenPwned****

Hackread.com also cross-checked the email addresses in the sample data against records on HaveIBeenPwned, and most were found in fewer than two previous data breaches. This is alarming and adds some legitimacy to the uniqueness of the data. However, a 1,200-line sample from a supposedly 428 million record breach is not enough to establish legitimacy.

For now, this claim should be treated with caution. As tempting as the sales numbers may be, reputationless sellers on cybercrime forums often exaggerate or fabricate to make a quick profit or attract attention.

****Not The First Time****

This is not the first time a threat actor has claimed to breach TikTok’s data. In September 2022, a hacker claimed to have **acquired 2 billion TikTok records**, including internal statistics, source code, 790 GB of user data, and more, a claim that was later denied by the company.

Nevertheless, Hackread.com has reached out to TikTok for comment. This article will be updated accordingly.

Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale

Victoria’s Secret website was down due to a ‘security incident’ impacting online and some in-store services. Get the…

Victoria’s Secret website was down due to a ‘security incident’ impacting online and some in-store services. Get the latest on the lingerie giant’s efforts to restore operations and what customers need to know.

Lingerie giant Victoria’s Secret shut down its US website and some in-store services for three days due to an unspecified security incident. Customers attempting to access the Victoria’s Secret website were met with a message explaining the service disruption.

“Valued customer, we identified and are taking steps to address a security incident. We have taken down our website and some in-store services as a precaution. Our team is working around the clock to fully restore operations. We appreciate your patience during this process.”

****Impact and Timeline****

The company announced the measure on Thursday, May 29, 2025, stating it was a precaution and that their team is “working around the clock to fully restore operations.”

While the company has not provided a specific timeline for when services will be fully restored, a FAQ page suggests the issue may have begun on or after Monday, May 26.

Some customers on online forums like Reddit reported experiencing problems as early as Sunday night. The company also confirmed that it is working to fulfil orders placed before Monday. Although online operations are affected, physical Victoria’s Secret and PINK brand stores remain open.

However, some in-store services, like processing online returns, were unavailable, as were online customer care services. A note to employees from Victoria’s Secret CEO Hillary Super reveals that “recovery is going to take a while.” This suggests a complex cleanup process is underway.

The company has engaged third-party experts to help resolve the issue. Following this incident, shares of Victoria’s Secret & Co., reportedly, saw a decline of around 10%. The company’s lack of clear communication about the incident, including no updates on social media, has heightened uncertainty, likely led to this decline.

****Another Retailor Hit by Cyber Attack?****

This incident at Victoria’s Secret comes amidst a recent rise in cyberattacks targeting major retailers. As Hackread.com earlier reported, companies such as Marks and Spencer, Harrods, and Co-op have faced similar security challenges this year.

Two weeks ago, Dior reported a cybersecurity incident where unknown attackers accessed data on some of its Fashion and Accessories customers. Last week, the German shoe and clothing giant, Adidas, also reported an unauthorized external party obtaining consumer data, primarily contact information, through a third-party customer service provider.

The methods behind these attacks often involve social engineering, where cybercriminals trick individuals associated with a company into providing access to sensitive systems.

A notorious cybercrime group, Scattered Spider, has been identified as responsible for the VS incident as it has been targeting major retail brands in the UK and the US. These attacks can lead to significant disruptions, as seen with Marks & Spencer halting online orders for weeks due to a cyber incident. Experts advise consumers to be cautious after such incidents, as fraudsters may try to exploit the situation with fake promotions or by using compromised personal data.

At the time of writing, the Victoria’s Secret website for the US was restored and available for customers.

Ben Hutchison, Associate Principal Consultant at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the incident, stating, “Once attackers succeed in a sector, others often follow, making similar targets ‘victims of the moment.’ With rising attacks on retail, these businesses should treat this as a wake-up call to strengthen cybersecurity and digital resilience.”

Victoria’s Secret US Website Restored After Security Incident

A Chinese-language PhaaS platform Haozi is making cybercrime easy with no tech skills needed. Discover how this plug-and-play service facilitated over $280,000 in illicit transactions.

A new report from cybersecurity firm Netcraft reveals a rise in a Chinese-language Phishing-as-a-Service (PhaaS) known as Haozi. This service makes it incredibly easy for criminals, even those without technical skills, to launch sophisticated phishing attacks. Rob Duncan, a security researcher at Netcraft, discovered this surge over the past five months.

According to Netcraft’s blog post, shared with Hackread.com, Haozi stands out for its user-friendliness, marketing itself with a cartoon mouse and emphasizing ease of use and strong support. Unlike older methods that require coding knowledge, Haozi provides a simple web panel.

Haozi phishing administration panel screenshot (Source: Netcraft)

Once a criminal buys a server and puts in the details, the phishing kit sets itself up automatically. This plug-and-play approach even surpasses other modern PhaaS tools that still require some command-line actions. Netcraft has found Haozi control panels on thousands of phishing websites, indicating its widespread use.

****An Attractive Business Model for Bad Actors****

Beyond just offering phishing kits, Haozi operates like a full-fledged business. It sells advertising space to connect phishing kit buyers with other services, such as those that send text messages. Haozi also acts as a middleman in these deals. The digital wallet used for these advertisements and intermediary services, which uses Tether (USDT), has taken in over $280,000.

Recently, withdrawals from this wallet have often been in the thousands of dollars. The service also offers dedicated customer support through Telegram channels, providing tutorials, answering questions, and even allowing users to request custom phishing pages.

(Source: Netcraft)

This strong support system, combined with the automated setup, makes Haozi highly attractive to those new to cybercrime. The original Haozi Telegram community had almost 7,000 members before it was shut down, but since April 28, 2025, a new community has quickly gained over 1,700 followers. Haozi charges around $2,000 for a yearly subscription, with options for shorter terms.

****Understanding Phishing-as-a-Service (PhaaS)****

Phishing-as-a-Service (PhaaS) refers to online platforms that provide all the tools and support needed to carry out phishing attacks, often through a subscription model. Phishing itself is a type of cyberattack where criminals try to trick individuals into giving up sensitive information, like passwords or credit card details, by pretending to be a trustworthy entity.

Hackread.com has also highlighted this growing threat of PhaaS networks. In January 2025, we reported on Sneaky 2FA, a PhaaS targeting Microsoft 365 through a Telegram bot. In March 2025 Morphing Meerkat, a sophisticated operation using DNS vulnerabilities for years, was discovered and in April 2025, Netcraft warned about the Darcula-Suite upgrade, which now uses AI to create multilingual scam pages.

The rise of PhaaS like Haozi shows how easy it has become to commit cybercrime. While companies are improving their security, attackers are increasingly using social engineering and phishing because these methods don’t require breaking through protected infrastructure. All it requires is a human error, which shows the urgent need for employee cybersecurity training.

Chinese Phishing Service Haozi Resurfaces, Fueling Criminal Profits

Cisco Talos uncovers CyberLock ransomware, Lucky_Gh0$t, and Numero malware masquerading as legitimate software and AI tool installers. Learn…

Cisco Talos uncovers CyberLock ransomware, Lucky\_Gh0$t, and Numero malware masquerading as legitimate software and AI tool installers. Learn how these fake installers exploit businesses in sales, tech, and marketing.

Cybersecurity researchers at Cisco Talos have revealed that the increasing presence of Artificial Intelligence (AI) in the business world has opened new opportunities for cybercriminals. Threat actors are hiding malicious software within fake installers for AI tools, tricking businesses into downloading malware. This new wave includes ransomware like CyberLock and Lucky\_Gh0$t, and destructive malware called Numero.

According to researchers, these fake AI tool installers are distributed via various online channels, through SEO poisoning (manipulating search engine rankings) so that the fake websites appear at the top of search results. Additionally, social media and messaging platforms like Telegram are used to spread their malicious links.

Businesses, especially those in sales, technology, and marketing, are prime targets because they frequently use legitimate AI tools for automation, data analysis, and customer engagement.

As detailed by Cisco Talos’ report shared with Hackread.com ahead of its publishing on Thursday, May 29, when unsuspecting users download seemingly harmless installers, they unknowingly invite malware onto their systems, putting sensitive business data and financial assets at risk, and eroding trust in genuine AI solutions.

****Cisco Talos Exposes Several Threats********CyberLock Ransomware****

This ransomware, observed as early as February 2025, poses as a lead monetization AI platform called NovaLeadsAI. Its operators have created a fake website, ‘novaleadsaicom,’ to mimic the real ‘novaleads.app.’ They even offered deceptive “free access” for the first year to lure victims.

Fake Website Offering the AI Tool (Source: Cisco Talos)

Once downloaded, a file named ‘NovaLeadsAI.exe’ deploys the CyberLock ransomware. This ransomware, written in PowerShell and embedded with CSharp code, encrypts various file types, including documents, spreadsheets, images, and videos, and demands a $50,000 ransom in Monero (XMR) cryptocurrency.

As a manipulative tactic, cybercriminals falsely claim the ransom will support humanitarian aid in regions like Palestine, Ukraine, Africa, and Asia. CyberLock also attempts to wipe free space on the hard drive via a built-in Windows tool ‘cipher.exe’., making it harder to recover deleted files.

****Lucky\_Gh0$t Ransomware****

This Yashma ransomware variant (part of the Chaos ransomware series) is distributed through fake ChatGPT installers, usually as ‘ChatGPT 4.0 full version – Premium.exe’. This malicious installer includes a file called ‘dwn.exe’ which is the ransomware, along with legitimate Microsoft AI tools, likely to avoid detection.

Lucky\_Gh0$t encrypts files smaller than 1.2GB and also has destructive behaviour for larger files, overwriting them with a single character. Victims are given a personal ID and instructed to use a secure messenger platform for communication.

****Numero Malware****

This newly discovered destructive malware imitates the installer for InVideo AI, a popular online video creation tool. Compiled in January 2025, it is a window manipulator malware that continuously runs on a victim’s machine, making Windows systems unusable by interfering with their graphical interface. It avoids being detected by checking for common malware analysis tools like IDA, x64 debugger, and OllyDbg.

Fake Installer Running Numero Payload (Source: Cisco Talos)

Given these evolving threats, organizations and individuals must be extremely careful. Always verify the source of AI tools and only download software from trusted vendors.

Fake ChatGPT and InVideo AI Downloads Deliver Ransomware

PALO ALTO, California, 29th May 2025, CyberNewsWire

**PALO ALTO, California, May 29th, 2025, CyberNewsWire**

Today, SquareX released new threat research on an advanced Browser-in-the-Middle (BitM) attack targeting Safari users. As highlighted by Mandiant, adversaries have been increasingly using BitM attacks to steal credentials and gain unauthorized access to enterprise SaaS apps. BitM attacks work by using a remote browser to trick victims into interacting with an attacker-controlled browser via a pop-up window in the victim’s browser. A common BitM attack involves displaying the legitimate login page of an enterprise SaaS app, deceiving victims into divulging credentials and other sensitive information thinking that they are conducting work on a regular browser window.

Despite this, one flaw that BitM attacks always had was the fact that the parent window would still display the malicious URL, making the attack less convincing to a security-aware user. However, as part of the Year of Browser Bugs (YOBB) project, SquareX’s research team highlights a major Safari-specific implementation flaw using the Fullscreen API. When combined with BitM, this vulnerability can be exploited to create an extremely convincing Fullscreen BitM attack, where the BitM window opens up in fullscreen mode such that no suspicious URLs from the parent window is seen. Safari users are especially vulnerable to this attack as there is no clear visual indicator of users entering fullscreen. We have disclosed this vulnerability to Safari and were regrettably informed that there is no plan to address the issue.

The current Fullscreen API specifies that “the user has to interact with the page or a UI element in order for this feature to work.” However, what the API does not specify is what kind of interaction is required to trigger fullscreen mode. Consequently, attackers can easily embed any button – such as a fake login button – in the pop-up that calls the Fullscreen API when clicked. This triggers a fullscreen BitM window that perfectly mimics a legitimate login page, including the URL displayed on the address bar.

> “The Fullscreen BitM attack highlights architectural and design flaws in browser APIs, specifically the Fullscreen API,” says the researchers at SquareX, “Users can unknowingly click on a fake button and trigger a fullscreen BitM window, especially in Safari where there is no notification when the user enters fullscreen mode. Users that typically rely on URLs to verify the legitimacy of a site will have zero visual cues that they are on an attacker-controlled site. With how advanced BitM is becoming, it is critical for enterprises to have browser-native security measures to stop attacks that can no longer be visually identified by even the most security aware individuals.”

While BitM attacks have primarily been used to steal credentials, session tokens and SaaS application data, the fullscreen variant has the potential to lead to even more damage by making the attack imperceptible for most ordinary enterprise users. For instance, the landing site may have a button that claims to link to a government resource and opens up to a fake government advisory page to spread misinformation and even gather sensitive company and personally identifiable information (PII). The victim can even subsequently open additional tabs in the attacker-controlled window, allowing adversaries to fully monitor the victim’s browsing activity.

Fullscreen BitM window displaying legitimate Figma login page and URL in the address bar (Disclaimer: Figma is used as an illustrative example)

**Are other browsers vulnerable to Fullscreen BitM attacks too?**

Unlike Safari, Firefox, Chrome, Edge and other Chromium-based browsers display a user message whenever the full-screen mode is toggled. However, this notification is extremely subtle and momentary in nature – most employees may not notice or register this as a suspicious sign. Additionally, the attacker can also use dark modes and colors to make the notification even less noticeable. By contrast, Safari does not have a messaging requirement – the only visual sign of entering fullscreen mode is a “swipe” animation. Thus, while the attack shows no clear visual cues in Safari browsers, other browsers are also exposed to the same Fullscreen API vulnerability that makes the Fullscreen BitM attack possible.

**Existing security solutions fail to detect Fullscreen BitM attacks**

Unfortunately, EDRs have zero visibility into the browser and are proven to be obsolete when it comes to detecting any BitM attack, much less its more advanced fullscreen variant. Additionally, orchestrating the attack with technologies such as remote browser and pixel pushing will also allow it to bypass SASE/SSE detection by eliminating any suspicious local traffic. As a result, without access to rich browser metrics, it is impossible for security tools to detect and mitigate Fullscreen BitM attacks. Thus, as phishing attacks become more sophisticated to exploit architectural limitations of browser APIs that are either unfixable or will take significant time to fix by browser providers, it is critical for enterprises to rethink their defense strategy to include advanced attacks like Fullscreen BitM in the browser.

To learn more about this security research, users can visit https://sqrx.com/fullscreen-bitm.

SquareX’s research team is also holding a webinar on June 5th, 10am PT/1pm ET to dive deeper into the full attack chain. To register, users can click here.

**About SquareX**

SquareX is a pioneering Browser Detection and Response (BDR) that empowers organizations to proactively detect, mitigate, and effectively threat-hunt client-side web attacks. SquareX provides critical protection against a wide range of browser security threats, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Users can find out more on www.sqrx.com.

The Fullscreen BitM Attack disclosure is part of the Year of Browser Bugs project. Every month, SquareX’s research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking, Polymorphic Extensions and Browser-Native Ransomware.

To learn more about SquareX’s BDR, users can contact SquareX at \[email protected\]. For press enquiries on this disclosure or the Year of Browser Bugs, users can email at \[email protected\]. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Source

HackRead