Cybercriminals use malicious AI models to write malware and phishing scams Cisco Talos warns of rising threats from uncensored and custom AI tools.

New research from Cisco Talos reveals a rise in cybercriminals abusing Large Language Models (LLMs) to enhance their illicit activities. These powerful AI tools, known for generating text, solving problems, and writing code, are, reportedly, being manipulated to launch more sophisticated and widespread attacks.

For your information, LLMs are designed with built-in safety features, including alignment (training to minimize bias) and guardrails (real-time mechanisms to prevent harmful outputs). For instance, a legitimate LLM like ChatGPT would refuse to generate a phishing email. However, cybercriminals are actively seeking ways around these protections.

Talos’s investigation, shared with Hackread.com highlights three primary methods used by adversaries:

**Uncensored LLMs**: These models, lacking safety constraints, readily produce sensitive or harmful content. Examples include OnionGPT and WhiteRabbitNeo, which can generate offensive security tools or phishing emails. Frameworks like Ollama allow users to run uncensored models, such as Llama 2 Uncensored, on their own machines.

**Custom-Built Criminal LLMs**: Some enterprising cybercriminals are developing their own LLMs specifically designed for malicious purposes. Names like GhostGPT, WormGPT, DarkGPT, DarkestGPT, and FraudGPT are advertised on the dark web, boasting features like creating malware, phishing pages, and hacking tools.

**Jailbreaking Legitimate LLMs**: This involves tricking existing LLMs into ignoring their safety protocols through clever prompt injection techniques. Methods observed include using encoded language (like Base64), appending random text (adversarial suffixes), role-playing scenarios (e.g., DAN or Grandma jailbreak), and even exploiting the model’s self-awareness (meta prompting).

The dark web has become a marketplace for these malicious LLMs. FraudGPT, for example, advertised features ranging from writing malicious code and creating undetectable malware to finding vulnerable websites and generating phishing content.

However, the market isn’t without its risks for criminals themselves; Talos researchers found that the alleged developer of FraudGPT, CanadianKingpin12, was scamming potential buyers out of cryptocurrency by promising a non-existent product.

Image via Cisco Talos

Beyond direct illicit content generation, cybercriminals are leveraging LLMs for tasks similar to legitimate users, but with a malicious twist. In December 2024, Anthropic, developers of Claude LLM, noted programming, content creation, and research as top uses for their model. Similarly, criminal LLMs are used for:

*   Programming: Crafting ransomware, remote access Trojans, wipers, and code obfuscation.

*   Content Creation: Generating convincing phishing emails, landing pages, and configuration files.

*   Research: Verifying stolen credit card numbers, scanning for vulnerabilities, and even brainstorming new criminal schemes.

LLMs are also becoming targets themselves. Attackers are distributing backdoored models on platforms like Hugging Face, embedding malicious code that runs when downloaded. Furthermore, LLMs that use external data sources (Retrieval Augmented Generation or RAG) can be vulnerable to data poisoning, where attackers manipulate the data to influence the LLM’s responses.

Cisco Talos anticipates that as AI technology continues to advance, cybercriminals will increasingly adopt LLMs to streamline their operations, effectively acting as a “force multiplier” for existing attack methods rather than creating entirely new “cyber weapons.”

Malicious AI Models Are Behind a New Wave of Cybercrime, Cisco Talos

Forcepoint’s X-Labs reveals Remcos malware using new tricky phishing emails from compromised accounts and advanced evasion techniques like…

Forcepoint’s X-Labs reveals Remcos malware using new tricky phishing emails from compromised accounts and advanced evasion techniques like path bypass to infiltrate systems, steal credentials, and maintain long-term control. Learn how to spot the signs.

Cybersecurity experts at Forcepoint’s X-Labs are warning about the continued activity of Remcos malware, a sophisticated threat that consistently adapts to bypass security measures and maintain a hidden presence on infected computers. This malware, often delivered through convincing phishing attacks, allows attackers to establish long-term access.

Reportedly, campaigns observed between 2024-2025 show Remcos malware remains highly active, continually adapting to stay hidden, researchers noted in the blog post shared with Hackread.com.

The initial infection typically begins with a deceptive email originating from compromised accounts of small businesses or schools. These are legitimate accounts that have been hacked, making the emails appear trustworthy and less likely to be flagged as suspicious.

Malicious Email (Source: Forcepoint)

These emails carry malicious Windows shortcut (.LNK) files, disguised and hidden inside compressed archive attachments. Once a user falls for the trick and opens the malicious file, Remcos quietly installs itself, creating hidden folders on the victim’s computer.

What makes these folders particularly tricky is that they are “spoofed Windows directories by exploiting path-parsing bypass techniques like prefixing paths with \\\\?.” This technique, which involves using a special NT Object Manager path prefix, allows the malware to mimic legitimate system directories like C:\Windows\SysWOW64, making it incredibly difficult for security tools to spot.

After initial installation, Remcos sets up ways to stay on the system for a long time without being detected. It achieves this by creating scheduled tasks and other stealthy methods, ensuring it can keep a backdoor open for attackers. The malware even tries to weaken Windows’ User Account Control (UAC) by changing a registry setting, allowing it to run with higher privileges without the usual secure prompts.

Remcos attack chain (Source: Forcepoint)

The malicious LNK files themselves contain hidden PowerShell code, which downloads a .dat file containing an executable program in Base64 format – a method of encoding data to make it look like regular text, often used by malware to bypass detection.

This file then decodes into an executable program, typically disguised with a PDF icon but using a .pif extension, an unusual and rarely used shortcut file type. This executable then creates copies of itself, a .URL shortcut file, and four heavily disguised batch files with special symbols and meaningless foreign text, all designed to bypass antivirus detection.

Once fully operational, Remcos gives attackers complete control, enabling them to steal passwords, capture screenshots, copy files, and monitor user activity, including checking internet connection, system language, and country codes to refine their targeting.

Organizations and individuals are urged to be alert, looking out for unusual shortcuts, strange file paths, and changes in folder names, as these can be indicators of a Remcos infection.

New Stealthy Remcos Malware Campaigns Target Businesses and Schools

Tech Transparency Project warns Chinese-owned VPNs like Turbo VPN and X-VPN remain on Apple and Google app stores, raising national security concerns.

A recent report by the Washington, D.C.-based Tech Transparency Project (TTP) reveals that numerous free Virtual Private Network (VPN) apps, despite earlier warnings, continue to be available on both Apple’s App Store and Google’s Play Store, posing major privacy and national security risks.

According to the organisation’s claims, these apps, many with hidden ties to Chinese companies, could be exposing sensitive user data to the Chinese government. For your information, VPNs are tools designed to create a secure, encrypted connection over the internet, masking a user’s identity and online activity.

However, some users express concern about VPN services owned by Chinese companies due to privacy and data security considerations. Under Chinese national security laws (PDF), companies can be compelled to hand over user data to the government. This is particularly concerning because VPNs have access to a user’s entire web activity, making the data highly sensitive.

TTP’s initial report from April 1, 2025, revealed that over 20 of the top 100 free VPNs on the US Apple App Store in 2024 were linked to Chinese ownership. Many of these apps intentionally concealed their origins through shell companies.

It is worth noting that several apps were connected to Qihoo 360, a Chinese cybersecurity firm that the US has sanctioned due to its alleged links with China’s People’s Liberation Army.

One notable instance involves Autumn Breeze Pte. Ltd., listed as Snap VPN developer on Google Play Store. It asserts “no affiliation with Qihoo 360,” emphasizing a strict “no-log policy.” However, TTP’s research reveals Qihoo 360 acquired Autumn Breeze Pte. Ltd in 2020, and sold it to undisclosed parties after US sanctions. Corporate records for Autumn Breeze continue to list a Chinese director, whose name matches a Chinese national who’d led Qihoo 360’s mobile security unit.

Despite some apps, like Thunder VPN and Snap VPN, being removed from Apple’s App Store after media inquiries, TTP’s follow-up check in early May 2025 confirmed that many Chinese-owned VPNs remain available.

For instance, Turbo VPN and VPN Proxy Master, both linked to Qihoo 360, continue to be offered on Apple’s platform. The Google Play Store also hosts several Qihoo 360-connected apps, including Snap VPN and Signal Secure VPN, alongside other Chinese-owned VPNs like X-VPN and VPNify.

The report further suggests that Apple and Google may be financially benefiting from these potentially risky applications. Many of these free VPNs offer in-app purchases or display advertisements, from which both tech giants take a percentage of revenue (Apple typically charges 30% or 15%, while Google charges 15% up to $1 million in sales and 30% thereafter).

This suggests a financial incentive for the platforms to continue hosting these apps, despite the privacy implications for American users, researchers noted in their blog post shared with Hackread.com.

Screenshot via TTP

Neither Apple nor Google have responded to TTP’s requests for comment on these findings or their policies regarding data sharing by VPNs. Users are advised to exercise caution and thoroughly research the ownership and privacy policies of any VPN service they intend to use.

_“_Let’s think about how TikTok’s story unfolded: massive reach, secret ownership, and extensive data collection, which may have left U.S. soil but these VPN apps are even more concerning as they don’t just track your preferences; they monitor everything you do online,_“_ said Chad Cragle, Chief Information Security Officer at Deepwatch.

_“_When owned by Chinese companies and hidden behind layers of shell companies, it becomes a serious concern. Apple advocates for protecting our privacy, yet these apps are still accessible. Google? They often allow nearly any app on their store,_“_ claimed Chad.

_“_It’s time for the platforms to take responsibility and set the example. You can’t claim to prioritize privacy if you’re letting other parties control the playbook. If they don’t properly scrutinize these apps, they’re not just passively allowing it, they’re helping to create the problem. And let’s be honest, this isn’t just about privacy; it’s about national security, too,_“_ he emphasised.

Researchers Warn Free VPNs Could Leak US Data to China

FBI tracked IntelBroker as UK’s Kai West using an email address, crypto trails, YouTube activity and forum posts after dozens of high-profile data breaches and darknet activity.

Authorities in the United States have charged a British national, Kai Logan West, widely known online as “**IntelBroker**“, with a series of high-profile data breaches that collectively caused at least $25 million in damages to companies worldwide. The 23-year-old was arrested in France in February 2025 and now faces extradition to the United States to stand trial in the Southern District of New York.

As **reported** by Hackread.com, IntelBroker’s arrest was followed by several others, including four individuals linked to the ShinyHunters hacker group. Both IntelBroker and members of ShinyHunters were **involved** in administering and moderating the cybercrime and data breach forum BreachForums.

The **unsealed complaint** (PDF), dated February 2025, lays bare the FBI’s two-year investigation into West’s cybercrime operations, connecting him to dozens of data breaches, sales of stolen data, and the leadership of a hacking collective operating on clear and dark web forums.

****Who Is IntelBroker?****

Using aliases like “IntelBroker” and “Kyle Northern”, West built a reputation on a clear and dark web forum known in the indictment as “Forum‑1” ( BreachForums). Operating under the banner of a hacking crew called CyberN (formerly “The Boys”), IntelBroker offered hacked databases from government agencies, healthcare providers, telecommunications firms, and internet service providers.

Between 2023 and early 2025, West authored at least 158 threads offering stolen data on Forum‑1, with 41 of them involving US companies. The FBI notes that at least $2 million worth of **Monero cryptocurrency** was solicited for the stolen information.

In 2024, IntelBroker was listed as the “owner” of Forum‑1, and his fame skyrocketed as he gave away some data leaks for free to boost credibility, gather a following, and attract buyers.

****How the FBI Tracked Down IntelBroker****

What West didn’t know was that FBI agents were watching closely. The bureau deployed undercover officers posing as buyers on Forum‑1. On at least two occasions, agents purchased stolen data directly from IntelBroker.

In January 2023, one agent bought an API key and login credentials for a company dubbed “Victim‑7.” Although the credentials were limited in value, the transaction became a key element in tracking his identity when IntelBroker asked for payment in Bitcoin (instead of Monero) and provided a wallet address that could be traced on the blockchain.

FBI blockchain analysts followed the money and found that:

*   The Bitcoin wallet used for the transaction had been seeded from another wallet linked to an account on a financial platform called Ramp.
*   That Ramp account was registered using a UK provisional driving license issued to Kai Logan West.
*   The same identity, Kai West, also owned a Coinbase account under the alias Kyle Northern, but with KYC verification; confirming it was the same individual.

Provisional driving licence of Kai West (Image via US Justice Department complaint)

Further connecting the dots, both accounts were linked to a Gmail address used by West for personal matters, including:

*   Cloud-stored selfies
*   Receipts and ID documents
*   UK University Housing and Tuition communications
*   Videos showcasing networking tools like “GPRS Smash”

The email also included a student certificate showing West was enrolled in a Cyber Security program.

****Online Footprints and Forum Activity****

West didn’t just transact carelessly, he also exposed himself by linking his online activity to personal behaviour. His IntelBroker posts on Forum‑1 often referenced YouTube videos that he had just viewed from his personal email account, and he regularly updated his signature block to list members of his hacking group, which made it easier to trace his involvement across multiple threads.

When Forum‑1 was **seized and shut down in 2024** and relaunched, all old posts inherited the updated signature, creating a consistent trail of West’s activity and affiliations dating back to early 2023.

One of the YouTube videos posted by IntelBroker on BreachForums (Image via US Justice Department complaint)

****The Victim List: Telecoms, Healthcare, ISPs****

The indictment outlines at least six victims, referred to only as Victim‑1 through Victim‑6. Victim‑1, a telecom provider, had data exfiltrated and deleted from a hosting server in Manhattan, resulting in damage estimated in the hundreds of thousands.

Victim‑3, a municipal healthcare provider, had the personal and health data of over 56,000 individuals stolen, which West later sold to an undercover FBI agent for $1,000 in Monero. Victim‑6, an internet service provider, was compromised using information from previous leaks to breach an internal server.

In each case, West publicly offered proof samples, negotiated sales via private messages, and accepted only Monero to maintain anonymity, though the paper trail caught up.

However, since Hackread.com exclusively reported on IntelBroker’s data breaches, here is a comprehensive list of data breaches and leaks claimed by the hacker:

Here is the list sorted from shortest to longest by character count:

1.  **AMD**
2.  **Apple**
3.  **Cisco**
4.  **Nokia**
5.  **US DoD**
6.  **Europol**
7.  **T-Mobile**
8.  **Robert Half**
9.  **Space Eyes**
10.  **Home Depot**
11.  **Tech in Asia**
12.  **General Electric**
13.  **LA Intl. Airport**
14.  **HSBC & Barclays Bank**
15.  **Facebook Marketplace**
16.  **Weee! Grocery Service**
17.  **UAE’s Lulu Hypermarket**
18.  **US Federal Contractor Acuity**
19.  **Hewlett Packard Enterprise (HPE)**
20.  **MIT Technology Review Magazine**
21.  **An unnamed but “Top” Cybersecurity Firm**

****Criminal Charges****

West has been charged with four federal offences:

1.  Wire fraud
2.  Conspiracy to commit wire fraud
3.  Conspiracy to commit computer intrusions
4.  Accessing a protected computer to defraud and obtain value

Each carries the potential for several years in prison, particularly when involving health data or affecting critical infrastructure.

The FBI’s Special Agent Carson Hughes and US Attorney Jay Clayton emphasized the global reach and danger of IntelBroker’s operations. The FBI called the case “a warning” to cybercriminals who believe online anonymity shields them from consequences.

****Did IntelBroker Work for the UK’s National Crime Agency?****

Kai West presented himself professionally as a cybersecurity researcher and operated under two separate identities on LinkedIn, one as Kyle Northern and the other as K West. This was first flagged by **Nathaniel Fried**, Co-founder and CEO at 0xbowio, who shared details of West’s dual profiles with Hackread.com.

Notably, the Kyle Northern profile claimed he worked as a Security Researcher Trainee at the UK’s National Crime Agency (NCA) from September to October 2019. If accurate, this role could have involved access to classified systems, as the NCA deals with serious organized crime and national security. While the NCA affiliation remains unverified, West’s claimed background in cybersecurity and his academic path suggest the possibility shouldn’t be dismissed outright.

Kai Logan West on LinkedIn (Screenshot credit: Hackread.com)

West remains in French custody, and US officials are actively **seeking** extradition. If convicted, he could face decades behind bars. Meanwhile, Forum‑1 has been offline since April 2025, **reportedly** due to a MyBB zero-day vulnerability. Many of its members have since migrated to other platforms, including DarkForums and the Russian-language cybercrime forum XSS.

The exposure of IntelBroker stands out as a major cybercrime takedown. What made it possible was a mix of undercover FBI work, cryptocurrency tracking, and even old-school email evidence, all of which helped track one of the most well-known figures on cybercrime forums.

How an Email, Crypto Wallet and YouTube Activity Led the FBI to IntelBroker

ZURICH, Switzerland – Zurich-based automation platform Flowable has been recognized as a Representative Vendor in the Gartner newly released…

**ZURICH, Switzerland** – Zurich-based automation platform Flowable has been recognized as a Representative Vendor in the Gartner newly released Market Guide for Business Process Automation (BPA), which we feel reinforces its role in delivering AI-enhanced, standards-driven workflow solutions for complex enterprise environments.

As enterprise environments become increasingly dynamic, automation platforms must support varied use cases across departments and systems. Modern BPA solutions now integrate intelligent agents, rule engines, and human-led decisions to improve speed, consistency, and adaptability. Our key takeaway from this report is that it recommends evaluating platforms that integrate these inputs into a single system governed for visibility and accountability.

We feel that Flowable meets this guidance by offering an open framework that supports regulatory needs while enabling fast, process-driven outcomes.

****Flowable’s Role in Intelligent Automation****

In our view, Flowable’s inclusion in the Market Guide acknowledges its unified platform’s ability to coordinate AI models, people, and business logic through a low-code, open-standards framework.

This approach directly supports enterprise teams managing high-stakes processes like claims handling, customer onboarding, and risk management.

The platform allows users to manage both predictable tasks and unstructured work in the same environment. Insurance claims, loan origination, and service escalations, for instance, can all be addressed without jumping between tools or sacrificing oversight.

****Championing Agentic AI for Adaptive Business Processes****

Flowable is a front-runner in “agentic” automation, a method of embedding AI agents, systems, and people into a single operational layer. Businesses today require platforms that connect diverse endpoints, AI models, RPA bots, and human input, into coordinated, auditable flows.

Flowable’s approach is grounded in dynamic case management, allowing organizations to manage both routine operations and irregular scenarios in the same interface, driving operational clarity and flexibility.

****Focused Governance and Built-in Transparency****

Flowable integrates oversight directly into process design. Its system includes model tracking, rule enforcement, version control, and auditing features that are vital for industries like banking and healthcare.

Every decision can be traced and evaluated, allowing organizations to meet stringent internal standards and regulatory demands without slowing down operations. This is in direct response to industry demand for transparent, governed automation, where oversight cannot be compromised.

****Integration Without Vendor Lock-in****

By supporting global automation standards of BPMN, CMMN, and DMN, Flowable aligns with open enterprise connectivity and avoids proprietary constraints. Its architecture is designed to connect with existing infrastructure, allowing organizations to expand automation without overhauling what already works. This approach ensures that companies can scale automation projects while maintaining flexibility in technology decisions.

****Delivering Business Value to Key Decision Makers****

Choosing the right enterprise automation platform impacts every area of an organization. Flowable reflects practical benefits for operations, transformation, risk, and finance leaders across large enterprises.

*   **Operational Efficiency**: Flowable automates entire departmental processes, reducing manual hand-offs and errors. Operations leaders gain a unified view of workflows, improve productivity, and enable teams to focus on high-value work while the platform manages routine and exception-driven tasks.
*   **Agility and Continuous Improvement**: Transformation directors and CXOs benefit from the platform’s flexibility. New AI tools or policy changes can be incorporated quickly, allowing rapid response to evolving business needs without extensive retraining or redevelopment.
*   **Governance and Compliance**: Every automated decision is fully traceable, auditable, and governed, meeting the rising need for “new forms of management and governance” recently identified by Forrester. Audit trails, policy enforcement, and approval checkpoints are embedded into workflows to meet internal and regulatory standards.
*   **Customer Experience and Financial ROI**: Coordinated automation helps deliver better outcomes at lower operating costs. Tasks like customer onboarding, account updates, and claims can be resolved faster through consistent, AI-personalized processes that operate 24/7 across omnichannel touchpoints.

Flowable empowers enterprises to move faster, operate smarter, and maintain governance at scale. Its enterprise automation platform focuses its design on transparency, adaptability, and real-world value.

****Gartner disclaimers****

Gartner, Market Guide for Business Process Automation Tools, 20 May 2025, Tushar Srivastava, et. Al. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation.

Gartner’s research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

****About:****

Flowable is a global provider of enterprise automation software, headquartered in Zurich, Switzerland. Since 2010, it has helped organizations coordinate business automation, people, and processes through a unified platform built on open standards. It serves leading enterprises across sectors where adaptability and accountability are essential. 

****Media Contact****

Violet Diamanti-Race  
Senior Product Marketing Manager  
\[email protected\]  
+41 31 329 09 00  
Website: flowable.com

Flowable Named in the latest Gartner® Market Guide for BPA Tools

Four alleged ShinyHunters members arrested, IntelBroker exposed as British national Kai West in global crackdown linked to BreachForums and major data breaches.

In a major development against global cybercrime, French authorities have apprehended several key individuals believed to be instrumental in operating BreachForums, a notorious online marketplace where stolen data is bought and sold.

The arrests, executed by France’s Cybercrime Brigade (BL2C) earlier this week, target figures deeply entrenched in high-profile data breaches and persistent attempts to revive the illicit forum after previous takedowns.

A press release from the Paris Public Prosecutor’s Office confirms that four individuals, identified by their online handles ShinyHunters, Hollow, Noct, and Depressed, all in their twenties, were detained on Monday.

These apprehensions are a follow-up to an earlier operation in February 2025, which saw the arrest of another prominent suspect known as IntelBroker, a British national, and are particularly significant as the individuals are suspected of pulling off major data breaches against prominent French entities, including the retail giant Boulanger, telecom provider SFR, the employment agency France Travail, and the French Football Federation.

The breach targeting France Travail alone is estimated to have compromised the sensitive personal details of a staggering 43 million individuals.

The names ShinyHunters and IntelBroker have been linked to numerous major cybercrime incidents. ShinyHunters has been associated with large-scale data breaches, including those affecting Salesforce, PowerSchool, and the Snowflake attacks which impacted companies like Santander, Ticketmaster, and AT&T. This alias is believed to represent a group of threat actors rather than a single individual.

AT&T database on BreachForums (Screenshot: Hackread.com)

IntelBroker rose to prominence through highly publicized breaches targeting organizations such as Facebook Marketplace, Europol, General Electric, AMD, Apple HSBC & Barclays Bank, Space Eyes, Home Depot, UAE’s Lulu Hypermarket and US Contractor Acuity, and T-Mobile data breach among others.

****IntelBroker Unmasked: Kai West Faces US Charges****

IntelBroker alias has now been formally identified as Kai West. As per the US Department of Justice’s unsealed four-count criminal Indictment and Complaint against West, he is accused of orchestrating a years-long hacking scheme that involved infiltrating numerous computer networks, stealing sensitive data, and then selling it.

These activities are alleged to have caused over $25 million in damages to dozens of victims across the globe. Prosecutors allege that West conspired with an online group named “CyberN\*\*\*\*\*\*” to steal data from a wide array of entities, including a telecommunications company and a municipal healthcare provider, subsequently putting the data for sale for over $2 million.

****BreachForums: A Tumultuous History****

BreachForums, a central platform for trading/selling hacked data and tools for illicit digital activities faced disruption in 2023 following the arrest of its original founder, Conor Fitzpatrick, who operated under the alias “pompompurin,” in the United States. Fitzpatrick was subsequently convicted of multiple criminal offences and is awaiting resentencing on July 8 in a Virginia federal court.  

In May 2024, ShinyHunters regained control of BreachForums’ domains after an administrator’s arrest, removing an FBI seizure notice. More recently, in April 2025, the forum unexpectedly went offline, with administrators attributing the shutdown to a MyBB 0day vulnerability. These latest arrests highlight ongoing international efforts to combat organized cybercrime.

BreachForums: ShinyHunters Members Arrested, IntelBroker Identified as Kai West

Your business operates in an online environment where unauthorized encryption of data isn’t just possible, it’s probable. The…

Your business operates in an online environment where unauthorized encryption of data isn’t just possible, it’s probable. The financial impact can be devastating, with ransomware attacks costing organizations an average of $4.54 million per incident. While traditional security measures provide a foundation, they fall short against today’s sophisticated threats.

Let’s explore how zero-trust architectures and AI-driven solutions can transform your security posture before the next attack occurs.

Cybersecurity threats continue evolving, and the cost of unauthorized data encryption has reached alarming levels. Effective ransomware protection strategies have become essential as your business now faces average breach costs of $4.88 million in 2024, a 10% annual increase showing no signs of slowing.

Risk exposure varies dramatically by industry:

*   Healthcare and finance face double the risk
*   Healthcare entities see breach costs approaching $10 million
*   60% of SMBs close within six months after a serious incident

The UnitedHealth Group ransomware attack in early 2024 illustrated this vulnerability when hackers demanded $22 million after successfully exploiting security weaknesses.

Your organization is battling against a wave of cybercrime projected to exceed $10.5 trillion annually by 2025. These financial implications aren’t just budget concerns, they determine your business’s survival in an increasingly hostile digital environment.

****Zero Trust Policies: Your Strongest Defense****

Zero Trust policies offer powerful protection against the staggering breach costs mentioned above. By implementing strategic security layers, you’ll build formidable defences:

1.  Multi-factor authentication with contextual verification
2.  Phased implementation protecting high-value assets first
3.  Continuous identity monitoring to prevent session hijacking

Start with a strategic approach: secure your most valuable assets, create pilots in specific business units, and maximize existing tools to extend protection capabilities. This implementation minimizes disruption while maximizing effectiveness.

Strengthen your infrastructure through network micro-segmentation to limit lateral movement within your systems. Deploy end-to-end encryption and real-time traffic analysis to identify unusual patterns before they become costly breaches. Financial services firms can expect savings of approximately $4.88 million by avoiding data breaches through Zero Trust security adoption.

Support these technical measures with executive buy-in and cross-departmental collaboration. Regular security awareness training turns your team into active participants in your protection system rather than potential vulnerability points.

****Access Control Best Practices for Financial Services****

Financial institutions face exceptional scrutiny when securing data, breaches can destroy client trust and trigger severe regulatory penalties. To protect your financial organization:

*   Enforce MFA across all critical systems
*   Automate user provisioning following the least privilege principles
*   Maintain strict de-provisioning protocols for role changes or departures
*   Conduct regular risk assessments identifying authentication vulnerabilities

Perform quarterly access reviews to eliminate permission creep and maintain detailed audit logs for compliance and investigations. Layer your defences with network segmentation and advanced monitoring to detect unusual authentication patterns.

Remember that sophisticated access controls aren’t just regulatory requirements, they’re essential shields against evolving threats targeting financial data. Incorporating an effective Incident Response Plan ensures business continuity following attacks while supporting compliance with financial regulations.

****Healthcare Information Protection Against Ransomware****

Healthcare organizations face an unprecedented ransomware crisis evolving beyond traditional encryption attacks. With 69% of compromised patient records stemming from ransomware (despite representing only 11% of breaches), the threat landscape demands immediate action.

To strengthen your protection strategy:

*   Establish continuous monitoring for network anomalies
*   Train staff to recognize sophisticated phishing attempts
*   Implement multifactor authentication for all VPN connections
*   Enforce phishing-resistant MFA to significantly reduce unauthorized access

Patient data protection requires multiple defensive layers: prioritize patch management for legacy systems, develop robust incident response protocols, and scrutinize third-party vendor security practices.

The industry now faces double extortion methods and direct patient extortion, making prevention more critical than ever, especially as attackers increasingly target critical care systems directly impacting patient outcomes.

****AI-Driven Security Solutions for SMBs****

While large enterprises historically dominated advanced cybersecurity adoption, small and medium businesses now have unprecedented access to AI-driven security that levels the playing field. Currently, 47% of SMBs are upgrading their security posture, with 38% already leveraging AI tools.

Cloud-based AI security platforms offer your business enterprise-grade protection without costly infrastructure investments. These systems:

*   Process millions of data points in milliseconds
*   Identify patterns human analysts might miss
*   Provide continuous monitoring across your digital footprint
*   Detect threats from AI-generated phishing to deepfake scams

Consider implementing consolidated solutions that combine firewall capabilities, threat detection, and network controls in streamlined dashboards. Select AI automation tools aligned with your specific needs while training staff to effectively interpret security alerts.

About 25% of forward-thinking businesses already enhance their cybersecurity with AI-powered tools, so joining this group positions your organization to stay ahead of emerging threats.

****Practical Steps to Implement Today****

Begin strengthening your defences with these actionable measures:

1.  Conduct a security assessment identifying your most vulnerable data assets
2.  Implement MFA across all critical systems, starting with financial applications
3.  Train employees monthly on recognizing sophisticated phishing attempts
4.  Develop an incident response plan with clear recovery procedures
5.  Evaluate AI-driven security solutions appropriate for your organization’s size

Each step builds upon the previous one, creating layers of protection against unauthorized encryption threats.

****Securing Your Digital Future****

Your business data’s security isn’t something you can afford to leave to chance. By implementing multi-factor authentication, zero trust policies, and AI-driven monitoring, you’ll build resilient defences against unauthorized encryption threats.

Remember that proactive security investments consistently cost less than breach recovery. Continuously assess your security posture and adapt your strategies to stay ahead of emerging vulnerabilities, before they compromise your most valuable digital assets.

(Image by Pete Linforth from Pixabay)

Protecting Business Data From Unauthorized Encryption Threats

Wordfence exposes a sophisticated WordPress malware campaign using a rogue WordPress Core plugin. Active since 2023, it steals credit cards and credentials with advanced anti-detection.

Cybersecurity researchers have discovered a highly advanced malware campaign targeting WordPress websites, capable of stealing credit card details, user logins, and even profiling victims.

Discovered on May 16, 2025, by the Wordfence Threat Intelligence Team, this malware is packaged as a deceptive WordPress plugin and uses never-before-seen anti-detection methods. A particularly innovative tactic involves hosting a live management system directly on the infected websites, making it harder to spot.

****A Long-Running and Growing Threat****

This sophisticated operation has been active since at least September 2023, reveals Wordfence’s official blog post. Researchers analyzed over 20 samples of the malware, revealing shared traits across all versions, including code scrambling, techniques to avoid analysis, and ways to detect developer tools.

For example, the malware cleverly avoids running on administrator pages to stay hidden and only activates on checkout screens. Newer versions even create fake payment forms and imitate Cloudflare security checks to trick users. Stolen information is often sent out disguised as image web addresses.

Cloudflare brand impersonation (Image via Wordfence)

Beyond just stealing payment information, researchers found three other versions of this malware, each with different goals. One version tampered with Google Ads to show fake advertisements to mobile users. Another was designed to steal WordPress login details.

A third version spreads more malware by changing legitimate links on websites to malicious ones. Despite these varied functions, the core software framework remained consistent, adapting its features for each specific attack. Some versions even used the messaging app Telegram to send stolen data in real-time and track user actions.

> _“One sample inspected also included a surprisingly complete fake human verification challenge, dynamically injected as a fullscreen and multi-language screen, intended to serve both as a user deception device and as an anti-bot filter. This includes incredibly advanced features for malware, like text localized in multiple languages, CSS support for RTL languages and dark mode, interactive elements like animations and spinning SVGs, and a definite Cloudflare brand impersonation, revealing a complexity rarely encountered before.”_
> 
> Paolo Tresso – Wordfence

****The Rogue WordPress Core Plugin****

A key discovery was a fake WordPress plugin named _WordPress Core_. While appearing harmless, it contained hidden JavaScript code for skimming and PHP scripts that allowed attackers to manage stolen data directly from the compromised website.

This rogue plugin also used specific features of WooCommerce, a popular e-commerce platform, to mark fraudulent orders as complete, helping delay detection. Its hidden management system stores stolen payment data directly within WordPress, categorized under a custom “messages” section.

To protect against this threat, website administrators should look for signs of compromise, including specific domain names linked to the attackers such as api-service-188910982.website and graphiccloudcontent.com. Wordfence has already released detection signatures for this malware between May 17 and June 15, 2025, to its premium users, with free users receiving them after a standard 30-day delay.

New WordPress Malware Hides on Checkout Pages and Imitates Cloudflare

Kaspersky uncovers SparkKitty, new spyware in Apple App Store & Google Play. Steals photos, targets crypto info, active since early 2024 via malicious apps.

Cybersecurity researchers at Kaspersky have reported a new spyware operation, dubbed SparkKitty, that has infected apps available on both the official Apple App Store and Google Play.

This spyware aims to steal all images from users’ mobile devices, with a suspected focus on finding cryptocurrency information. The campaign has been active since early 2024, mainly targeting users in Southeast Asia and China.

SparkKitty spyware infiltrates devices through applications that look harmless, often disguised as modified versions of popular apps like **TikTok**. In the case of the malicious TikTok versions, they even included a fake TikToki Mall online store within the app that accepted cryptocurrency for consumer goods, often requiring an invitation code for access.

Installation process on iPhone showing how the malicious TikTok app uses a configuration profile (Source: Kaspersky)

****Targeting iOS Devices****

According to Kaspersky’s **report**, for iOS devices, the attackers use a special Enterprise provisioning profile from Apple’s Developer Program. This allows them to install certificates on iPhones that make the malicious apps appear trustworthy, bypassing the usual App Store review process for direct distribution.

Furthermore, threat actors embedded their malicious code by modifying open-source networking libraries like AFNetworking.framework and Alamofire.framework, and also disguised it as libswiftDarwin.dylib.

****Targeting Android Devices****

On the Android side, Kaspersky found SparkKitty spyware hidden in various cryptocurrency and casino applications. One such app, a messaging tool with crypto features, was downloaded over 10,000 times from **Google Play** before being removed.

Another infected Android app spread outside official stores had a similar version that slipped into the App Store. Both directly included the malicious code within the app itself, not just as a separate component.

Once installed, SparkKitty spyware’s main goal is to access and steal all photos from a device’s gallery. While it broadly collects images, it appears linked to older spyware called SparkCat, which used Optical Character Recognition (**OCR**), a technology that _reads_ text from images – to specifically find and steal details like cryptocurrency wallet recovery phrases from screenshots.

Some versions of SparkKitty also use OCR for this purpose, leveraging the Google **ML Kit library** for this function, particularly in apps distributed via shady web pages resembling scams and **Ponzi schemes**.

SparkKitty spyware apps on Google Play (left) and App Store (right)

****Connected Campaigns and Targets****

Kaspersky believes SparkKitty spyware is directly connected to the earlier SparkCat campaign, **discovered** in January 2025, sharing similar distribution methods through both official and unofficial app marketplaces. Both threats also seem focused on cryptocurrency theft. The attackers behind SparkKitty spyware specifically targeted users in Southeast Asia and China, often through modified gambling and adult games, as well as the **fake TikTok apps**.

While downloading apps from third-party stores is always risky, this discovery shows that even trusted sources like official app stores can no longer be considered fully reliable. Users in the affected regions, and indeed globally, should remain cautious about app permissions and consider the legitimacy of any app asking for unusual access, especially to photo galleries.

SparkKitty Spyware on App Store and Play Store, Steals Photos for Crypto Data

New CloudSEK findings show Androxgh0st botnet evolving. Academic institutions, including UC San Diego, hit. Discover how this sophisticated…

New CloudSEK findings show Androxgh0st botnet evolving. Academic institutions, including UC San Diego, hit. Discover how this sophisticated threat uses RCE and web shells, and steps to protect against it.

A recent investigation by CloudSEK shared with Hackread.com, reveals a major evolution in the Androxgh0st botnet’s operations, demonstrating a sharp increase in its ability to compromise systems. The botnet, first observed in early 2023, is now leveraging a wider array of initial access methods, including the exploitation of misconfigured servers belonging to academic institutions.

Notably, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued a security advisory in January 2024, raising awareness about Androxgh0st’s expansion.

****Key Targets and Tactics****

CloudSEK’s findings indicate that the botnet has expanded its arsenal of attack vectors by approximately 50% since an earlier report in 2024. A concerning discovery was a command-and-control (C2) logger panel hosted on a subdomain of the University of California, San Diego (“USArhythms”). It is associated with content for the USA Basketball Men’s U19 National Team.

Androxgh0st botnet’s (C&C) (Via CloudSEK)

This shows a trend where botnet operators utilize legitimate, yet vulnerable, public domains to host their malicious infrastructure, making detection more challenging. Previously, CloudSEK also reported the botnet hosting its logger on a Jamaican events aggregator platform.

The Androxgh0st botnet exploits well-known vulnerabilities in popular software frameworks such as Apache Shiro and Spring Framework, along with issues in WordPress plugins and Lantronix IoT devices. These exploits have serious consequences, including the ability to run unauthorized code, steal sensitive information, and even initiate cryptocurrency mining on compromised systems.

CloudSEK had predicted in its first report that Androxgh0st operators would introduce new malicious programs into their toolkit by mid-2025, a prediction that now appears to be unfolding.

****Understanding the Threat****

According to the company’s report, the Androxgh0st botnet gains initial access through various Initial Access Vectors (IAVs), which are the pathways into a system. Once inside, attackers communicate with compromised devices via Command-and-control (C2) servers. A key goal is Remote Code Execution (RCE), enabling them to run their own code on distant computers.

This is often achieved using complex methods like JNDI Injection and OGNL Injection, particularly effective against Java-based applications. These advanced techniques allow Androxgh0st to bypass security and maintain persistent control, frequently by installing webshells.

****Protecting Against Androxgh0st****

In light of these developments, organizations, especially academic institutions and those using the affected software are urged to take immediate action. CloudSEK recommends patching all systems vulnerable to the identified CVEs, such as those affecting Spring4Shell and Apache Shiro.

Restricting outbound network traffic for certain protocols like RMI, LDAP, and JNDI is also crucial. Regularly auditing website plugins, like _Popup Maker_ in WordPress, and monitoring for unusual file activity are also vital steps in preventing and detecting Androxgh0st compromises.

“Shifting from its earlier focus on Chinese-linked mass surveillance campaigns to a much broader exploitation strategy, we now observe the botnet aggressively incorporating a wider array of high-impact vulnerabilities including JNDI injection, OGNL exploitation, including CVEs tied to frameworks like Apache Shiro, Spring, and Fastjson,” said Koushik Pal, Threat Research, CloudSEK.

Source

HackRead