Palo Alto, USA, 30th January 2025, CyberNewsWire

**Palo Alto, USA, January 30th, 2025, CyberNewsWire**

SquareX discloses a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device.

**PALO ALTO, Calif., Jan. 30, 2025** — Browser extensions have been under the spotlight in enterprise security news recently due to the wave of OAuth attacks on Chrome extension developers and data exfiltration attacks. However, until now, due to the limitations browser vendors place on the extension subsystem and extensions, it was thought to be impossible for extensions to gain full control of the browser, much less the device.

SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma debunked this belief by demonstrating how attackers can use malicious extensions to escalate privileges to conduct a full browser and device takeover, all with minimal user interaction. Critically, the malicious extension only requires read/write capabilities present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom, desensitizing users from granting these permissions. This revelation suggests that virtually any browser extension could potentially serve as an attack vector if created or taken over by an attacker. To the best of our understanding, extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny at the time of this writing.

The browser syncjacking attack can be broken up into three parts: how the extension silently adds a profile managed by the attacker, hijacks the browser and eventually gains full control of the device.

**Profile Hijacking**

The attack begins with an employee installing any browser extension – this could involve publishing one that masquerades as an AI tool or taking over existing popular extensions that may have up to millions of installations in aggregate. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace. This is all done in an automated manner in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the newly managed profile in the victim’s browser, allowing them to push automated policies such as disabling safe browsing and other security features.

Using a very clever social engineering attack that exploits trusted domains, the adversary can then further escalate the profile hijacking attack to steal passwords from the victim’s browser. For example, the malicious extension can open and modify Google’s official support page on how to sync user accounts to prompt the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and has no visible sign that it has been modified by the extension, it will not trigger any alarm bells in any security solutions monitoring the network traffic.

**Browser Takeover**

To achieve a full browser takeover, the attacker essentially needs to convert the victim’s Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and registry entry to turn the victim’s Chrome browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which ends up installing a registry entry that instructs the browser to become managed by the attacker’s Google Workspace. This allows the attacker to gain full control over the victim’s browser to disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and unmanaged browser. For a regular user, there is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account.

**Device Hijacking**

With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software – essentially providing full access to all applications and confidential data on the device.

The browser syncjacking attack exposes a fundamental flaw in the way remote-managed profiles and browsers are managed. Today, anyone can create a managed workspace account tied to a new domain and a browser extension without any form of identity verification, making it impossible to attribute these attacks. Unfortunately, most enterprises currently have zero visibility into the browser – most do not have managed browsers or profiles, nor any visibility to the extensions employees are installing often based on trending tools and social media recommendations.

What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites – making it almost impossible for employees to detect. While recent incidents like the Cyberhaven breach have already compromised hundreds, if not thousands of organizations, those attacks required relatively complex social engineering to operate. The devastatingly subtle nature of this attack – with an extremely low threshold of user interaction – not only makes this attack extremely potent, but also sheds light on the terrifying possibility that adversaries are already using this technique to compromise enterprises today.

Unless an organization chooses to completely block browser extensions via managed browsers, the browser syncjacking attack will completely bypass existing blacklists and permissions-based policies. SquareX’s founder Vivek Ramachandran says “This research exposes a critical blind spot in enterprise security. Traditional security tools simply can’t see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn’t just an option anymore – it’s a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to ‘shift up’ to where the threats are actually happening: in the browser itself.”

SquareX has been conducting pioneering security research on browser extensions, including the DEF CON 32 talk Sneaky Extensions: The MV3 Escape Artists that revealed multiple MV3 compliant malicious extensions. This research team was also the first to discover and disclose the OAuth attack on Chrome extension developers one week before the Cyberhaven breach. SquareX was also responsible for the discovery of Last Mile Reassembly attacks, a new class of client-side attacks that exploits architectural flaws and completely bypasses all Secure Web Gateway solutions. Based on this research, SquareX’s industry-first Browser Detection and Response solution protects enterprises against advanced extension-based attacks including device hijacking attempts by conducting dynamic analysis on all browser extension activity at runtime, providing a risk score to all active extensions across the enterprise and further identifying any attacks that they may be vulnerable to.

For more information about the browser syncjacking attack, additional findings from this research are available at **sqrx.com/research**.

**About SquareX**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Discloses “Browser Syncjacking” , a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk

**SquareX discloses a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device.**

**PALO ALTO, Calif., Jan. 30, 2025** — Browser extensions have been under the spotlight in enterprise security news recently due to the wave of OAuth attacks on Chrome extension developers and data exfiltration attacks. However, until now, due to the limitations browser vendors place on the extension subsystem and extensions, it was thought to be impossible for extensions to gain full control of the browser, much less the device.

SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma debunked this belief by demonstrating how attackers can use malicious extensions to escalate privileges to conduct a full browser and device takeover, all with minimal user interaction. Critically, the malicious extension only requires read/write capabilities present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom, desensitizing users from granting these permissions. This revelation suggests that virtually any browser extension could potentially serve as an attack vector if created or taken over by an attacker. To the best of our understanding, extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny at the time of this writing.

The browser syncjacking attack can be broken up into three parts: how the extension silently adds a profile managed by the attacker, hijacks the browser and eventually gains full control of the device.

**Profile Hijacking**

The attack begins with an employee installing any browser extension – this could involve publishing one that masquerades as an AI tool or taking over existing popular extensions that may have up to millions of installations in aggregate. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace. This is all done in an automated manner in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the newly managed profile in the victim’s browser, allowing them to push automated policies such as disabling safe browsing and other security features.

Using a very clever social engineering attack that exploits trusted domains, the adversary can then further escalate the profile hijacking attack to steal passwords from the victim’s browser. For example, the malicious extension can open and modify Google’s official support page on how to sync user accounts to prompt the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and has no visible sign that it has been modified by the extension, it will not trigger any alarm bells in any security solutions monitoring the network traffic.

**Browser Takeover**

To achieve a full browser takeover, the attacker essentially needs to convert the victim’s Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and registry entry to turn the victim’s Chrome browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which ends up installing a registry entry that instructs the browser to become managed by the attacker’s Google Workspace. This allows the attacker to gain full control over the victim’s browser to disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and unmanaged browser. For a regular user, there is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account.

**Device Hijacking**

With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software – essentially providing full access to all applications and confidential data on the device.

The browser syncjacking attack exposes a fundamental flaw in the way remote-managed profiles and browsers are managed. Today, anyone can create a managed workspace account tied to a new domain and a browser extension without any form of identity verification, making it impossible to attribute these attacks. Unfortunately, most enterprises currently have zero visibility into the browser – most do not have managed browsers or profiles, nor any visibility to the extensions employees are installing often based on trending tools and social media recommendations.

What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites – making it almost impossible for employees to detect. While recent incidents like the Cyberhaven breach have already compromised hundreds, if not thousands of organizations, those attacks required relatively complex social engineering to operate. The devastatingly subtle nature of this attack – with an extremely low threshold of user interaction – not only makes this attack extremely potent, but also sheds light on the terrifying possibility that adversaries are already using this technique to compromise enterprises today.

Unless an organization chooses to completely block browser extensions via managed browsers, the browser syncjacking attack will completely bypass existing blacklists and permissions-based policies. SquareX’s founder Vivek Ramachandran says “This research exposes a critical blind spot in enterprise security. Traditional security tools simply can’t see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn’t just an option anymore – it’s a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to ‘shift up’ to where the threats are actually happening: in the browser itself.”

SquareX has been conducting pioneering security research on browser extensions, including the DEF CON 32 talk Sneaky Extensions: The MV3 Escape Artists that revealed multiple MV3 compliant malicious extensions. This research team was also the first to discover and disclose the OAuth attack on Chrome extension developers one week before the Cyberhaven breach. SquareX was also responsible for the discovery of Last Mile Reassembly attacks, a new class of client-side attacks that exploits architectural flaws and completely bypasses all Secure Web Gateway solutions. Based on this research, SquareX’s industry-first Browser Detection and Response solution protects enterprises against advanced extension-based attacks including device hijacking attempts by conducting dynamic analysis on all browser extension activity at runtime, providing a risk score to all active extensions across the enterprise and further identifying any attacks that they may be vulnerable to.

For more information about the browser syncjacking attack, additional findings from this research are available at **sqrx.com/research**.

**About SquareX**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Unveils “Browser Syncjacking” Attack Granting Full Browser and Device Control

The FBI has seized Nulled.to, Cracked.to, Sellix.io, and StarkRDP.io in Operation Talent, targeting cybercrime forums and illicit marketplaces.…

The FBI has seized Nulled.to, Cracked.to, Sellix.io, and StarkRDP.io in Operation Talent, targeting cybercrime forums and illicit marketplaces. No arrests confirmed yet.

On January 29, 2025, **reports emerged that** the FBI had seized three major cybercrime and hacking forums: Nulled.to, Cracked.to, and Cracked.io as part of an ongoing operation targeting cybercrime facilitators. Authorities also took down three other domains: StarkRDP.io, Sellix.io, and MySellix.io and pointed their DNS records to FBI servers.

At the time, there was no official confirmation from the FBI about the seizure, nor were there any seizure notices on the affected sites. However, Hackread.com can now confirm that some of these sites are now displaying seizure notices, indicating that they were taken down as part of an operation called Operation Talent.

Those visiting these websites can see a banner displaying the _“_This website has been seized_“_ message.

_“_Operation Talent – This website, as well as the information on the customers and victims of the website, has been seized by international law enforcement partners,_“_ says the seizure notice on Nulled.to and Cracked.to.

Seizure notice on the seized sites (Screenshot credit: Hackread.com)

****What is Operation Talent?****

Operation Talent is an international law enforcement initiative led by the FBI targeting cybercrime forums and associated websites. On January 29, 2025, the operation resulted in the seizure of several domains, including Cracked.io, Nulled.to, StarkRDP.io, Sellix.io, and MySellix.io. These platforms were known for facilitating various cybercriminal activities, such as the distribution of cracked software, stolen credentials, and hacking tools.

The operation was conducted by the FBI along with its international partners including the European Union Agency for Law Enforcement Cooperation (Europol), the Australian Federal Police, Germany’s Federal Criminal Police Office, and others, highlighting the collaborative nature of this operation.

****Seizure of StarkRDP.io, Sellix.io, and MySellix.io********StarkRDP.io****

StarkRDP.io was a virtual hosting provider specializing in Windows and Linux virtual servers, offering various hosting packages with features like instant deployment and dedicated IP addresses. Their services were marketed for automatic deployment within five minutes of payment confirmation. However, the platform was also misused by malicious actors to host scams and facilitate cybercrime activities, ultimately leading to its seizure.

****Sellix.io and MySellix.io****

Sellix SRL is a gateway system that brands itself as a “Cross-Border Finance” service, operating **out of** Bologna, Italy. Hackread.com’s research reveals that the Cracked.to forum **utilized** MySellix.io’s payment services for invoicing and other payment-related transactions, indicating a connection between the two platforms in facilitating financial operations.

DNS records on Sellix.io and MySellix.io have been changed to the ones owned by the FBI (Screenshot credit: Hackread.com)

****Cracked.to’s Statement****

Cracked.to’s administrators have confirmed the seizure on their Telegram channel, calling the event “A sad day indeed for our community.”

“Now that everyone has more clarity on the situation, Cracked.io has been seized under Operation Talent with specific reasons being undisclosed. We are still waiting for the official court documentation from the data centre and the domain host. We will inform you guys further on those details once we have it,” the **announcement** said.

At the time of writing, it remains unclear whether any arrests have been made. However, since Cracked.to’s administrators are still active, it suggests that the forum may resurface under a different domain in the near future.

As of now, neither the FBI nor any U.S. law enforcement agency has issued an official press release regarding the seizures. Hackread.com has reached out to authorities for comment and will provide updates as soon as a response is received. Stay tuned.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Nulled.IO Hacking Forum Hacked, Trove of Data Stolen**
3.  **NetWire Malware Site and Server Seized, Admin Arrested**
4.  **Genesis Market’s Clearnet domain seized; Dark Web site online**
5.  **WT1SHOP Cybercrime Market Seized by US, Portuguese Authorities**

Operation Talent: FBI Seizes Nulled.to, Cracked.to, Sellix.io and more

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data…

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data exfiltration, and advanced malware.

Bitdefender has shared its latest research with Hackread.com ahead of its release, revealing an active espionage campaign by Russia APT28-linked threat actor UAC-0063. According to Bitdefender’s investigation, the actor is specifically targeting high-value entities in Central Asia and European countries like Germany, the UK, Romania, and the Netherlands in a multi-stage attack process involving various malware components and techniques.

UAC-0063 has been active since at least 2021 and has targeted a variety of organizations, including government entities, diplomatic missions, and private companies. In this campaign, the actor employs malicious Microsoft Word documents, a HATVIBE malware loader, and custom-built malware to infiltrate networks. Their operations are characterized by persistence, focusing on maintaining long-term access to compromised systems.

The attack starts with compromised Microsoft Word documents containing malicious macros that, when enabled by the user, deliver the initial malware payload (HATVIBE loader). HATVIBE is an HTA (HTML Application) script that downloads and executes further malicious code from the attacker’s command-and-control (C2) server.

A blurred malicious MS Word document used in the attack prompts users to enable macros to reveal its contents. However, once enabled, it also allows attackers to deploy a malicious payload. (Via Bitdefender)

DownExPyer is used extensively throughout the UAC-0063 attack chain. It is deployed after the initial infection stage, likely by the HATVIBE loader or other malware components. This Python-based malware establishes persistent communication with the C2 server, receives commands, and executes malicious actions on the infected system. 

PyPlunderPlug is a separate script designed to collect files from removable drives connected to the infected system. It focuses on specific file types and copies them to a staging location for potential exfiltration.

The attackers also deploy keyloggers to capture keystrokes entered by the victim, potentially revealing sensitive information like passwords and login credentials. The stolen data is then compressed into smaller archives to facilitate exfiltration and evade detection.

Researchers noted that the actor leverages previously compromised victims to spread the infection. This means the weaponised documents exfiltrated from one victim are used to attack other targets. Moreover, they create scheduled tasks to ensure the persistence of their malware on the compromised system. These tasks automatically execute the malicious code at regular intervals.

Researchers hinted at the involvement of the Russian government in this campaign.

UAC-0063’s arsenal “featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with _potential Russian strategic interests_,” Bitdefender researchers wrote in the blog post.

To mitigate the risks posed by UAC-0063, organizations should enhance their threat intelligence by continuously monitoring feeds from reputable sources, tracking C2 domains and implementing DNS-based blocking mechanisms to prevent network traffic from reaching these malicious domains. Implementing application whitelisting policies and deploying Intrusion Detection and Prevention Systems (IDPS) are crucial for strengthening endpoint and network security. 

1.  **Ukrainian Hackers Breach Email of APT28 Leader**
2.  **Russian Hackers Exploit Firefox 0-Days to Deploy Backdoor**
3.  **Russian Hackers Hit Mail Servers in Europe for Military Intel**
4.  **Russian APT28 Exploiting Windows Flaw with GooseEgg Tool**
5.  **Russian Hackers Shift Tactics, Target Victims with Paid Malware**

Russian UAC-0063 Targets Europe and Central Asia with Advanced Malware

Nulled.to and Cracked.to, major hacking forums, appear seized by the FBI as DNS records point to FBI servers.…

Nulled.to and Cracked.to, major hacking forums, appear seized by the FBI as DNS records point to FBI servers. No official confirmation yet. Cybersecurity experts await updates.

Today, two of the most prominent hacking and cybercrime forums, Nulled.to and Cracked.to, appear to have been seized by the FBI, as indicated by recent changes in their DNS records. However, no official press release or announcement has been made by the agency, leaving both cybercrime and the cybersecurity community speculating about the situation.

****DNS Records Indicate FBI Takeover****

According to publicly available WHOIS and DNS records, both **Nulled.to** and **Cracked.to** have had their **name servers changed to FBI-controlled domains** earlier today, specifically:

****DNS Records for Nulled.to****

*   **Domain Created:** March 5, 2022
*   **Last Edited:** January 30, 2025
*   **Expires:** March 5, 2026
*   **Primary Name Server:** ns1.fbi.seized.gov
*   **Secondary Name Server:** ns2.fbi.seized.gov

****DNS Records for Cracked.to****

*   **Domain Created:** July 27, 2020
*   **Last Edited:** January 30, 2025
*   **Expires:** March 17, 2028
*   **Primary Name Server:** ns1.fbi.seized.gov
*   **Secondary Name Server:** ns2.fbi.seized.gov

These changes indicate a government seizure. However, as of now, no seizure banner is displayed on the websites, and no official press release has been issued by the FBI or any U.S. law enforcement agency.

Screenshot: Hackread.com

****What Were Nulled.to and Cracked.to?****

Both forums were widely known for facilitating various cybercrime activities, including account breaches, where leaked credentials for platforms like Netflix, Steam, and banking accounts were bought and sold. They also served as hubs for cracked software, offering pirated programs and game cheats.

Additionally, discussions on fraud and carding were prevalent, covering illegal financial activities such as credit card fraud and identity theft. Furthermore, users exchanged information and tools related to hacking and exploits, including malware, botnets, and ransomware, making these platforms a major threat to cybersecurity.

****Lack of Official Statement Echos Breach Forums Take Down****

While the DNS changes suggest law enforcement action, the lack of an official announcement brings to mind the failed seizure of BreachForums. On May 15, 2024, the FBI took control of its domain and placed a seizure notice on the homepage but never officially confirmed the action or issued a press release.

On May 17, 2024, the admin and owner of the forum, linked to the ShinyHunters hacker group, boasted about reclaiming the seized domain right under the FBI’s nose. To make things worse for the agency, by May 22, 2024, the forum was fully restored using its original domains. To this day, the FBI has not issued any statement or acknowledged its failure to retain control of the domain.

Nevertheless, historically, when the FBI seizes a website, it displays a seizure notice, as seen in the takedowns of RaidForums, BreachForums (V1), and WeLeakInfo. The absence of such a banner suggests that further action may be in progress.

Hackread.com has reached out to authorities for comment. We will provide updates as soon as we receive a response. Stay tuned.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Nulled.IO Hacking Forum Hacked, Trove of Data Stolen**
3.  **NetWire Malware Site and Server Seized, Admin Arrested**
4.  **Genesis Market’s Clearnet domain seized; Dark Web site online**
5.  **WT1SHOP Cybercrime Market Seized by US, Portuguese Authorities**

FBI Seizes Leading Hacking Forums Cracked.to and Nulled.to

IntelBroker targets Hewlett-Packard Enterprise (HPE) again, claiming to have access to the company’s internal infrastructure and the possibility…

IntelBroker targets Hewlett-Packard Enterprise (HPE) again, claiming to have access to the company’s internal infrastructure and the possibility of selling to access rather than selling data.

**IntelBroker**, a notorious hacker linked to prior high-profile cyberattacks, has announced an alleged new data breach of Hewlett-Packard Enterprise (HPE). The hacker claims to have accessed and cloned new data from HPE’s repositories.

Although the claimed data is 500 MB in size, a relatively smaller size than usual, screenshots shared exclusively with Hackread.com provide insights into what looks like the compromised infrastructure, revealing exposed credentials, internal configurations, and proprietary source code.

This latest breach is the second time IntelBroker has targeted Hewlett Packard Enterprise. In January 2025, as **reported by Hackread.com**, IntelBroker publicly claimed responsibility for compromising HPE’s infrastructure in an earlier attack. That breach, disclosed via Breach Forums and in an exclusive conversation with Hackread.com, involved a substantial exfiltration of sensitive data.

****Latest Claims****

A quick analysis of the data tree and internal screenshots seen by Hackread.com points out at possible extraction of some sensitive data including private keys and certificates, proprietary source code for HPE products, including iLO and Zerto systems, Internal Git repositories and Docker builds.

Additionally, the data tree shows that hackers also allegedly managed to access exposed infrastructure configurations including internal services and endpoints, such as SignonService and Salesforce integrations, Internal DNS and deployment pipelines for microservices, MongoDB credentials, QIDs integrations and more.

Screenshots provided to Hackread.com by IntelBroker

****Plans to Sell Access****

In the first alleged HPE breach, IntelBroker offered the stolen data for sale, demanding payment in Monero cryptocurrency to stay anonymous. This time, however, the hacker claims they plan to release the entire data set for free and sell the access.

> _“I am not sure about selling the data, maybe I will just leak it for free this time, I don’t know yet but my team could be selling the access we have to HPE infrastructure, to interested parties.”_
> 
> IntelBroker told Hackread.com.

Nevertheless, the claims of the new HPE data breach show the urgency for organizations to secure their infrastructure, regularly audit access controls, and monitor for suspicious activity. If validated, this breach represents a major incident for HPE, with long-term implications for their operations and customer trust.

****HPE is NOT HP Inc.****

Hewlett-Packard Enterprise (HPE) and HP Inc. are two separate entities that originated from the **split** of Hewlett-Packard in 2015. HPE focuses on enterprise-level IT solutions, including servers, storage, networking, cloud computing, and software services tailored for businesses.

In contrast, HP Inc. specializes in personal computing devices and printers, targeting consumers and small businesses. While they share a common origin, their operations and focus areas are entirely different.

Hackread.com has reached out to HPE for a statement. Any response from the company will be added to this article as soon as it is received. Stay tuned for updates!

1.  **Hacker Leak Over 10,000 DELL Employee Details**
2.  **Acer Data Breach: Hacker Sells 160GB of Stolen Data**
3.  **Dell Discloses Data Breach As Hacker Sells 49M User Data**
4.  **3 Billion National Public Data Records with SSNs Dumped Online**
5.  **Trello Data Breach: Hacker Dumps Personal Info of Millions of Users**

Hackers Claim 2nd Breach at HP Enterprise, Plan to Sell Access

Advanced phishing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly identified TorNet backdoor via…

Advanced phishing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly identified TorNet backdoor via .tgz attachments. All by leveraging PureCrypter and TOR network for stealthy C2.

A malicious campaign, discovered by Cisco Talos in July 2024, targeted users primarily in Poland and Germany through phishing emails containing malicious attachments disguised as.tgz files. These emails impersonate financial institutions and businesses, often with themes like money transfer confirmations or order receipts. They are primarily written in Polish and German and contain compressed.tgz files.

According to Cisco Talos’ research, shared with Hackread.com ahead of its publishing on Tuesday 28, the actor has deployed other payloads as well, including “Agent Tesla, Snake Keylogger and a new undocumented backdoor, which researchers dubbed TorNet. 

Phishing email in Polish and German language (Via: Cisco Talos)

When a user extracts an attachment from a file, a.NET executable file appears, which downloads the next stage of the attack, the PureCrypter malware, from a remote server or within the loader itself (decrypted using the AES algorithm and loaded into the targeted device’s memory). 

The PureCrypter malware is a Windows dynamic-link library obfuscated with Eziriz’s.NET Reactor obfuscator. It contains encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL, and the TorNet backdoor.

PureCrypter employs various evasion techniques, including disconnecting the victim’s machine from the network before dropping payloads, checking for a virtual machine, sandbox environment, or debugger status, and modifying Windows Defender settings. It ensures persistence by creating a scheduled task that runs every few minutes, even on low battery, and adding entries to the Windows registry to ensure the loader runs on startup. 

Moreover, it drops the TorNet backdoor, which is a relatively new .NET backdoor used in this attack to connect to a C2 server over the TOR network for stealthy communication. It anonymizes the communication with the C2 server, making detection harder. After establishing a connection, it sends identifying information and allows attackers to carry out remote code execution by sending arbitrary.NET assemblies to the C2 server, hence, expanding the attack surface substantially.

Attack flow (Via Cisco Talos)

The campaign uses advanced techniques like network disconnections, Tor network exploitation, and multi-stage payloads. The use of the Tor network further hinders tracking/disruption. This campaign highlights the need for continuous caution and network monitoring to address attackers’ growing threat tactics.

1.  **New WarmCookie Malware in Espionage Campaign**
2.  **23% of Tor browser relays found to be stealing Bitcoin**
3.  **Kronos Variant banking trojan spotted using Tor network**
4.  **Fake Tor Browser Installer Spreading Malware Via YouTube**
5.  **BlackByte Ransomware Exploits VMware Flaw in VPN Attacks**

New TorNet Backdoor Exploits TOR Network in Advanced Phishing Attack

McAfee Labs uncovers malicious GitHub repositories distributing Lumma Stealer malware disguised as game hacks and cracked software. Learn…

McAfee Labs uncovers malicious GitHub repositories distributing Lumma Stealer malware disguised as game hacks and cracked software. Learn how to protect yourself.

McAfee Labs, the threat research arm of cybersecurity giant McAfee, has recently uncovered a disturbing trend: the exploitation of popular platforms like GitHub to distribute malware. Their research reveals a network of malicious repositories offering seemingly legitimate content such as game hacks, cracked software, and free cryptocurrency tools, all designed to lure unsuspecting users into downloading and executing harmful code.

These repositories, often disguised with professional-looking features like distribution licenses and screenshots, leverage the trust and accessibility of GitHub to deceive users. Attackers strategically target individuals seeking an edge in popular games like Minecraft, Roblox, and Call of Duty, or those looking for free access to premium software like Spotify and Adobe Express.

Attack vector (Via McAfee)

The Lumma Stealer is the primary type of malware being distributed through these repositories. Promises of game hacks, cracked software, or free cryptocurrency tools lure users. Once on the repository, they are instructed to download and execute a file disguised as the promised software.

The downloaded file is typically a variant of the Lumma Stealer malware, which then collects sensitive information, including login credentials, cryptocurrency wallet information, browser history, cookies, and personally identifiable information, and extracts the stolen data to command-and-control servers controlled by the attackers.

“Every week, a new set of repositories with a new malware variant is released, as the older repositories are detected and removed by GitHub. These repositories also include distribution licenses and software screenshots to enhance their appearance of legitimacy,” McAfee’s Aayush Tyagi explained in a blog post.

To further lure users, these repositories often instruct victims to disable their antivirus software, claiming it will interfere with the downloaded program. This crucial step effectively disarms the user’s primary line of defence, allowing the malware to operate undetected and steal sensitive information such as login credentials, cryptocurrency wallet data, and browsing history.

Children and young adults, particularly avid gamers, are prime targets for these attacks. The allure of game hacks, offering advantages like aimbots and speed hacks, and that the package includes an advanced Anti-Ban system to prevent account suspension, are highly appealing, making them more susceptible to falling victim to these deceptive tactics.

Google search shows the malicious GitHub repository and a YouTube video where scammers are using descriptions to spread the repository (Via McAfee)

****McAfee’s Response and Recommendations:****

McAfee Labs is actively mitigating this threat by blocking malicious URLs, detecting and blocking downloaded malware, and providing comprehensive security solutions to protect users. The company recommends enhancing your security posture, such as keeping antivirus and anti-malware software up-to-date and practising cautious online behaviour. Regular system updates with the latest security patches are also crucial.

1.  **Fake League of Legends Download Ads Spread Lumma Stealer**
2.  **Banshee Stealer Hits macOS Users via Fake GitHub Repositories**
3.  **Hackers Use Excel Files to Drop Remcos RAT Variant on Windows**
4.  **Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer**
5.  **YouTube Channels Hacked, Drop Lumma Stealer via Cracked Software**

Lumma Stealer Found in Fake Crypto Tools and Game Mods on GitHub

Subaru STARLINK flaw exposed a critical security vulnerability, enabling unauthorized access to vehicle tracking, remote control, and sensitive…

Subaru STARLINK flaw exposed a critical security vulnerability, enabling unauthorized access to vehicle tracking, remote control, and sensitive customer data.

A vulnerability was recently discovered by cybersecurity researchers Shubham Shah and Sam Curry in Subaru’s STARLINK-connected vehicle system, enabling them to remotely start, stop, and track vehicles. The vulnerability in Subaru’s Starlink in-vehicle service, allowed attackers to remotely control and track connected vehicles. 

The vulnerability, an arbitrary account takeover flaw in the Starlink admin portal, enabled the duo to compromise a Subaru employee account. This flaw could let them target vehicles and customer accounts across the United States, Canada, and Japan.

Exploiting this flaw, Curry and Shah could gain unauthorized access to sensitive customer and vehicle data, and even remotely control targeted vehicles. According to a blog post published by researchers, the issue originated from a flaw in the Subaru STARLINK admin portal, a system intended for employee use.

This portal had a critical vulnerability that allowed attackers to reset employee passwords without requiring any confirmation. This meant that by simply knowing an employee’s email address, an attacker could gain access to their account.

> _“It appeared that there was a “resetPassword.json” endpoint that would reset employees’ accounts without a confirmation token. If this worked how it was written in the JavaScript, then an attacker could simply enter any valid employee email and take over their account.”_
> 
> Sam Curry

Researchers further bypassed two-factor authentication (2FA) by manipulating the website’s code, effectively disabling the security measure. With unauthorized access to the admin portal, the researchers demonstrated the ability to, start, stop, lock, and unlock any Subaru vehicle, and access a year’s worth of detailed location history for any vehicle, including stops and engine starts, providing precise locations with updates every time the engine started. 

Furthermore, they could retrieve the personal information of any customer, including contact details, addresses, billing information (partially masked), and vehicle PINs. They could also add themselves as authorized users to other vehicles, effectively taking control of them without the owner’s knowledge.

Researchers reported this vulnerability to Subaru on November 20, 2024, and the company in response promptly addressed the issue, patching it within 24 hours. The findings were publicly disclosed on January 23, 2025.

****Previous Hacks by the Duo****

Sam Curry and Shubham Shah are well-known for their creative and innovative methods of uncovering security vulnerabilities and responsibly disclosing them to companies.

One of their notable discoveries involved exploiting vulnerabilities in the globally used Points.com loyalty system. This flaw allowed unauthorized access to sensitive user data, including names, addresses, email addresses, phone numbers, and transaction details.

In December 2022, Sam Curry identified a critical app flaw that compromised Honda and Nissan vehicles through their VINs. Attackers could exploit this vulnerability to unlock doors, honk horns, and flashlights, and even start the vehicle remotely.

In September 2024, Sam Curry and three other security researchers found a way to control Kia vehicles by exploiting vulnerabilities linked to their license plates.

1.  **How Hackers Can Remotely Unlock/Start Honda Cars**
2.  **Cybercriminals Exploit CAN Injection Hack to Steal Cars**
3.  **Critical Intel chip flaw left cars and IoT devices vulnerable**
4.  **Self-driving cars can be fooled by displaying virtual objects**
5.  **Tesla cars can be remotely hacked using drone, WIFI dongle**

Subaru STARLINK Flaw Enabled Remote Tracking and Control of Vehicles

The popularity of the TF2 gaming and trading scene attracts scammers with phishing, fake trades, and malicious tools.…

The popularity of the TF2 gaming and trading scene attracts scammers with phishing, fake trades, and malicious tools. Stay safe with verified trades, Steam Guard, 2FA, and market price checks.

Team Fortress 2 (TF2) has appealed to millions of players worldwide. It features a dynamic society and an exclusive trading ecosystem. Regarding TF2, from collectable hats to rare weapons, the in-game economy often functions similarly to real markets, so fraudsters are drawn to it as the scamming locale.

TF2 is a community infested with hackers and scammers who use extremely advanced methods to steal valuable items and accounts. In fact, security experts have seen the emergence of counterfeit gaming accessories embedded with malware and phishing links as additional risks.

This article concisely explains TF2 item scams, their operation, and users’ insights into staying safe.

****Tips for Safe Buying and Trading in TF2****

As a buyer, implementing good security practices and being watchful is the key to evading such scams. You can use the actionable tips:

****1\. Always Verify The Trading System****

According to TF2 Trading, fake seller profiles are the biggest scam these days. That’s why, when buying items, the buyer should see the seller’s profile. You should mainly look for a high number of positive reviews, a stable trading history, and community members’ support. Be ready to spurn new profiles or those with fewer activities.

The buyer should see the seller’s profile. You should mainly look for a high number of positive reviews, a stable trading history, and community members’ support. Be ready to spurn new profiles or those with fewer activities.

****2\. Avoid Links from Unverified Sources****

If the permission to a trade attaches to a link, operate under the feel of dread. Let the URL be in line with the official Steam site or any other trustable site. Linking drives to phishing pages mostly.

****3\. Enable Steam Guard and Two-Factor Authentication (2FA)****

Turning on two-factor authentication will significantly enhance the security of your Steam account. Even if someone finds out your password, 2FA weakens their access by a lot.

****4\. Research Market Prices****

Those who do not know the price of an item are the ones usually cheated by scammers. Verify the market prices at the moment by using reliable platforms to prevent going over the top and being fooled by “deals” that are too good to be true.

****5\. Inspect Trade Offers Carefully****

Scammers may offer you a trade deal with a few underhanded methods. Always re-read the item descriptions, the prospects, and the values before you accept a trade. Spot for details like fancy names or absent items.

****The Anatomy of a TF2 Scam****

It is crucial to know how scams are executed to be able to prevent them. The following are the most frequent scams that TF2 players are exposed to:

****1\. Phishing Scams****

Even though phishing is still the number one strategy, it is also one of the methods that dominate worldwide. Scammers may send links that display from the links that spam the item. 

The terrible things that are causing mayhem in the trade are the fake Steam login pages the scammer sent players to, and on these malicious pages, the players’ credentials are stolen.

****2\. Fake Trades****

To be fair, almost everyone has been fooled, as sellers have also been faked innumerable times. The tricksters can access your account when you click on the link or type in your credentials on a fake web page.

**3\. Duplication Promises**

The “item duplication” scam has been around for years. Scammers claim they can duplicate rare items and ask buyers to send their valuable items first. Of course, the items are never returned.

****4\. Counterfeit Marketplaces****

Larcenous third-party marketplaces are professional in looking like genuine ones. These sites may offer unbeatable deals at the cost of user data or just take your money and run.

****5\. Malicious Tools and Software****

Our partner’s researchers noticed a profound surge in counterfeited tools and/or software, which falsely suggests a heightened gaming experience and increased performance in trades. Many of these have harmful software comprising personal and financial information.

****6\. Overpayment Scams****

On their heads, these are scams where the buyer says: “I am going to overpay for an item. Therefore, can I get a refund, or should I get something else as a bonus?” Then, they are gone getting you out of your money or they have just canceled the transaction.

****Advanced Strategies****

False reviews made by scammers are a widespread fraud method. Make sure that the reviews are from real users and match the profiles to ensure that they are not imitations.

Scammers very often mislead potential buyers with trade offers that sound too impressive to refuse. It is requested that trades are where the other party offers an additional amount of money that is not the value of the item.

Refrain from sharing your Steam account information, email, or payment details with other gamers. Fraudsters may manipulate you psychologically using social engineering techniques to further their cause.

****Broader Security Practices for Gamers****

It must be noted that the TF2 scams form only a tiny dot under a larger cyberattack direction of fraudsters toward gamers. With the constant increase in online gaming communities, there is an equally roaring nature of cyber risks that come with them. Here are general security tips for staying safe across all gaming platforms:

*   **Keep Your Software Updated:** Frequently, updates of your operating system, antivirus software, and Steam client can fix vulnerabilities that scammers and hackers exploit.
*   **Use Strong and Unique Passwords:** The golden rule is to avoid copying the same password across all accounts. Instead, consider using a password manager, which generates and saves complex, unique passwords for each platform.
*   **Install Anti-Malware Protection:** One way to prevent the device from being infected with the virus is to use reliable anti-malware software, which will block malicious downloads, phishing attempts, and spyware.
*   **Regularly Check Account Activity:** Check your Steam account for unauthorized logins or grim trade activity. Review the issues you find with Steam Support.
*   **Educate Yourself and Others:** Along with fellow players, share tips and resources to form a more informed and resilient group. Scam awareness and common sense are the most powerful defense tools.

****Signs of a Scam to Watch Out For****

*   Pushy salesmen that force you into making quick decisions.
*   Errors in grammar in the messages that are sent to you.
*   Transactions off Steam’s built-in mechanisms only.
*   Sellers are not committed to verifying their identity or reputation
*   They may falsely claim an item’s value is higher even though the only right price is listed on the most trustful marketplaces.

****What to Do If You’re Scammed****

*   Report the Scammer: Using Steam’s reporting tools, flag the scammer account that way.
*   Change Your Passwords: Make your Steam and email accounts safe by changing the passwords immediately.
*   Enable Account Recovery: Contact the Steam support center to restore control of compromised accounts.
*   Warn the Community: Share your experience to stop others from becoming victims of the same scam.

1.  **Secure Gaming During the Holidays**
2.  **Guntech 2.5 to Launch in Upland’s Gaming Ecosystem**
3.  **Exploring Data Privacy and Security in B2B Gaming Data**
4.  **The Rise of Blockchain Gaming and Secure Marketplaces**
5.  **Gaming Firms + Community Members Hit by Dark Frost Botnet**

Source

HackRead