Cybercriminals pose as IT support, using fake calls and Microsoft Teams messages to trick users into installing ransomware through email floods and remote access.

Cybersecurity researchers at Trend Micro are warning about a new scam where cybercriminals pose as tech support to gain access to victims’ computers. But this isn’t just another spam email scheme; attackers are flooding inboxes and even reaching out through Microsoft Teams to trick people into letting them in. Once inside, they deploy ransomware from groups like Black Basta and Cactus.

****Here’s how it works:****

Victims first get bombarded with a flood of emails. Shortly after, someone claiming to be from the IT department contacts them through Microsoft Teams or even a phone call. This “helper” then convinces the user to grant them remote access to their computer, often using a legitimate program called Quick Assist, which is built into Windows to allow remote tech support.

Once inside, the scammer downloads files that seem harmless at first but are secretly combined and unpacked to install a backdoor called BackConnect. Hidden in OneDrive, this backdoor gives attackers full control over the infected system.

It’s worth noting that the Black Basta gang was previously flagged in December 2024 for a similar modus operandi, using email bombing to target Microsoft Teams users. However, at that time, the group was deploying Zbot and DarkGate malware instead.

According to Trend Micro’s latest technical report, recent incidents analyzed by the company show a strong connection between this BackConnect malware and the notorious Black Basta ransomware group, which reportedly made over $100 million from victims in 2023. There’s even evidence suggesting some members of Black Basta have moved over to another ransomware gang called Cactus, as the methods used in recent Cactus attacks are strikingly similar.

These attacks have been particularly active since October 2024, primarily hitting organizations in North America, with the United States suffering the most. The manufacturing sector, followed by finance, investment consulting, and real estate, have been frequent targets for Black Basta.

Screenshot of the email address used by the attacker (Via Trend Micro)

In some cases, after establishing their backdoor, attackers have been seen using more advanced methods to spread through a network, even targeting specialized systems like ESXi hosts used for running virtual machines. They use tools like WinSCP to move files around and have been caught preparing to encrypt files before being stopped. Leaked internal chats from Black Basta reveal the group sees security tools like Trend Micro as a significant hurdle, showing they are actively trying to find ways around them.

> BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind. 😉 pic.twitter.com/6So7dl7xXn
> 
> — PRODAFT (@PRODAFT) February 20, 2025

What makes these attacks effective is not necessarily the complexity of the software used, but the way attackers manipulate people. By mixing social engineering with the abuse of genuine software and cloud services, they make their malicious actions look like normal computer activity. It highlights that cybersecurity isn’t just about having the right software, but also about being aware of how criminals try to deceive people.

****What You Should and Should NOT Do!****

If you’re a Microsoft Teams user, don’t panic if you suddenly get flooded with emails. Instead, contact your system administrator to ensure these emails are blocked immediately and your device is scanned regularly. Report any suspicious emails or calls from unknown third parties posing as “helpers” to your cybersecurity team.

Remember, you don’t need a helper if you never asked for one; especially when the ‘helper’ is the one who caused the problem in the first place.

Fake IT Support Calls Trick Microsoft Teams Users into Installing Ransomware

Auto-color: New Linux backdoor malware targeting the US and Asia. Learn about its advanced evasion, persistence, and detection…

Auto-color: New Linux backdoor malware targeting the US and Asia. Learn about its advanced evasion, persistence, and detection methods.

A newly discovered Linux malware, dubbed Auto-color, is targeting educational institutions and government entities in North America and Asia, employing advanced stealth techniques to avoid detection and removal.

Researchers at Palo Alto Networks Unit 42 identified this malware. Their investigation reveals that this malware was active between November and December 2024. Auto-color distinguishes itself by using innocuous file names, such as common words like “door” or “egg,” to disguise its initial executable.

“Although the file sizes are always the same, the hashes are different. This is because the malware author statically compiled the encrypted C2 configuration payload into each malware sample,” Unit 42’s blog post, authored by Alex Armstrong, revealed.

Upon execution, it checks its file name and, if it doesn’t match a designated name, initiates an installation phase. This phase involves embedding a malicious library implant, mimicking a legitimate system library, within the system. The malware’s behaviour varies depending on whether the user has root privileges. If root access is available, it installs a library designed to override core system functions.

Auto-color Flow diagram (Source Palo Alto Networks)

A key aspect of Auto-color’s stealth is its manipulation of the Linux system’s ld.preload file. This allows the malware to ensure its malicious library is loaded before other system libraries, enabling it to intercept and modify system functions. This technique grants the malware significant control over the system’s behaviour, including the ability to hide its network activity.  

Auto-color employs sophisticated methods to conceal its network connections. It hooks into functions within the C standard library, allowing it to filter and manipulate the system’s network connection information. By altering the contents of the /proc/net/tcp file, it effectively hides its communication with command-and-control servers, making it difficult for security analysts to detect. This manipulation is more advanced than similar techniques used by previously discovered malware, researchers observed.

The malware uses a proprietary encryption mechanism to connect to remote servers, retrieving target server details from a dynamically generated configuration file or an embedded encrypted payload. It uses a custom stream cipher for secure communication with the attackers’ infrastructure.

“A stream cipher is an encryption scheme in which the key interacts with each byte of the ciphertext,” the blog post read.

Once established, the malware exchanges encrypted messages with the server, enabling the execution of commands on the compromised system.

Auto-color discovery highlights the growing sophistication of Linux-based malware as it can manipulate core system processes and its advanced evasion techniques pose a significant threat to targeted sectors. Organizations should strengthen their security measures, including stringent privilege controls, behavioural threat detection, and continuous monitoring of Linux systems, to mitigate the risk of infection.

New Backdoor Auto-color Linux Targets Systems in US and Asia

Joe has some advice for anyone experiencing self doubt or wondering about their next career move. Plus, catch up on the latest Talos research on scams targeting sellers, and the Lotus Blossom espionage group.

Thursday, February 27, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter. 

Hello again my friends! Geez, it’s been a year am I right? Lemons its February you say?! Oof.  

Imposter syndrome. You’ve heard the term I’m sure, but what is it? Basically: imposter syndrome is the persistent feeling of self-doubt and fear of being exposed as a fraud despite clear evidence of competence and success. In cybersecurity, and in _especially_ in Talos, you will find imposter syndrome in abundance.

In Talos you’re in rooms of incredibly bright and smart people. They are paragons of what it is to be hackers, and you cannot help but often admire the amazing quality of their work. It is truly an amazing team that does important work to help save the world from the bad guys.  

The downside? _You’re in a room of bright and smart people._ Some can reverse malware binaries while juggling chainsaws. Some are polyglots who can at length tell you the linguistic nuances of Mesopotamian verbs and loanwords and have eidetic memory of every ransomware cartel ever. I personally know one is an amazing, accredited musician and actually hacked a prison to open its jail cells on a pentest. 

How do you not compare yourself to the talents, skills, and achievements of wonderfully smart and talented people? It’s tough not to. Comparison is truly the thief of joy.  

The truth is – in cybersecurity and in places like Talos and elsewhere, you will be constantly assailing yourself with self-doubt of achievement and belonging. The anxiety, stress, and burnout from imposter syndrome are a real thig.  

So what do we do? First, look at your achievements. You are where you are because others saw value in your work. Second, challenge those negative self-thoughts. Easier said than done, I know, but hear me out. Use mentors and peer group support to help challenge those negative self-thoughts.

And lastly, _be kind to yourself._ Cybersecurity is a hard gig. It’s a gigantic amount of technical and non-technical information and we all feel the pressure to absorb, understand, and master it and all its nuances. That’s not possible of course, but we cyber folks are wired differently. If you can walk away with 1% more information than you had yesterday, that’s a win. Take it. Just be kind to yourself, ok? 

I want to take a moment to address a specific audience of readers. All the U.S.  federal workers who have been affected by reduction in force (RIFs), my heart goes out to you. This is an unearned hardship. I wish I had a magic wand to wave to alleviate the stress and trauma of a sudden event like this. I know it’s truly awful. If I can offer any guidance or mentorship for private sector cybersecurity, reach out. I may not have all the answers, but I will do what I can. Stay strong.  

**The one big thing**

Boy howdy is this a big one – scams! Look, the average person isn’t going to get smoked by Salt/Volt Typhoon, or wrestle with a financial threat actor like a ransomware cartel. But you absolutely have bought and sold things online.  We break down seller abuse – that is, ways to trick sellers into be defrauded out of money. We always picture scams as the seller doing the defrauding, but the reverse is just as true.  

**Why do I care?**

You want to keep money in your pocket, and not be the victim of a scam. They adversaries here know the systems they are manipulating quite well here and have fine tuned the art of fraud. It’s important to understand the seller experience as much as the buyer experience in order understand these kinds of frauds and thefts.

**So now what?**

Understand the threat landscape for seller/buyer fraud, and hopefully this work can help keep money in your pocket and not a victim of theft. Pay attention to URL’s you’re asked to click, and clever re-directs to scamming websites. Now you know. And as G.I. Joe said – knowing is half the battle.  

**Top security headlines of the week**

Sensitive financial and health data belonging to millions of veterans and stored on a benefits website is at risk of being stolen or otherwise compromised, according to a federal employee tasked with cybersecurity who was recently fired as part of massive government-wide cuts. (AP News) 

Attackers are wielding a novel Linux backdoor against the education and public sectors in the US and Asia that demonstrates particularly stealthy ways to avoid both detection and as well as deletion from a system. (Dark Reading) 

Hackers claim to have published a trove of sensitive data belonging to IVF patients after a cyberattack on Genea, one of Australia’s largest fertility providers. (Tech Crunch) 

****Can't get enough Talos?****

The Beers with Talos B-team comes in swinging hard on cyber security careers. I get a little spicy, and you want to hear it. Now that I know we bleep certain words, I anticipate a 50% uptake in more spicy content. You can all blame Hazel for this.

New research: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

A blueprint for protecting major events - Yuri Kramarz joins Talos Takes to discuss his experience in cybersecurity and threat hunting for some of the world's biggest sporting events.

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025)  San Francisco, CA  

CTA TIPS 2025 (May 14-15, 2025) Arlington, VA 

Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA 

**Most prevalent malware files from Talos over the past week**

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  

MD5: 2915b3f8b703eb744fc54c81f4a9c67f  

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  

Typical Filename: VID001.exe  

Detection Name: Simple\_Custom\_Detection

Sellers can get scammed too, and Joe goes off on a rant about  imposter syndrome

While countries and companies are fighting over access to encrypted files and chats, our data privacy may get crushed.

Data privacy issues are a hot topic in a world where we apparently don’t know who to trust anymore.

A few weeks ago, we reported how the UK had secretly ordered Apple to provide blanket access to protected cloud backups around the world. This week, Apple decided to pull the plug on Advanced Data Protection (ADP) for UK users.

ADP is an opt-in data security tool designed to provide Apple users a more secure way to protect data stored in their iCloud accounts. Enabling ADP would ensure that even Apple could not access the data, which would mean that Apple was unable to hand over any information to law enforcement.

Something similar happened when Sweden’s law enforcement and security agencies started to push legislation which would force Signal and WhatsApp to create technical backdoors, allowing them to access communications sent over the encrypted messaging apps. The proposed bill prescribes that companies like Signal and WhatsApp need to store all messages sent using the apps.

President of the Signal Foundation, Meredith Whittaker, told Swedish SVT News that the company will leave Sweden if the bill becomes a reality.

So basically, by seeking to obtain encryption backdoors, which are not likely to remain exclusive, these governments are undermining the data privacy options of their citizens. A backdoor can and will eventually be found by those that we absolutely didn’t want to snoop around in our backups and chat logs.

It doesn’t just affect the countries at the heart of the request. The US director of national intelligence is reportedly going to investigate whether the UK broke a bilateral agreement by issuing the order that would allow the British to access backups of data in the company’s encrypted cloud storage systems,

The bilateral agreement in question is the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) Agreement, which—among other things—bars the UK from issuing demands for the data of US citizens and vice versa. The CLOUD Act primarily allows federal law enforcement to compel US-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data is stored in the US or on foreign soil. Provisions in the act state that the United Kingdom may not issue demands for data of US citizens, nationals, or lawful permanent residents, nor is it authorized to demand the data of persons located inside the US.

Globally, governments and law enforcement agencies continue to seek more control over data through new legislations and rules. States regulate data to protect national security and provide domestic firms access to user (and anonymous) data to boost competitiveness, ease law enforcement’s qualms when accessing data, and ward off foreign surveillance.

But at the end of the day, the criminals that law enforcement agencies are after, will end up using expensive private phone networks, and the general population will be left with tools that have been broken on purpose. Backdoors that have been created will be waiting for cybercriminals to find the cracks and access our “encrypted” data.

Meanwhile, privacy is recognized as a universal human right while data protection is not. And it should be. Even if we think we “have nothing to hide” cybercriminals will find a way to use that data against us, if only to make their phishing attempts more credible. Let alone, trade and economic secrets that could fall into the hands of competitors or “unfriendly” nations.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Countries and companies are fighting at the expense of our data privacy 

Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

Sweden’s proposal to mandate encryption backdoors faces backlash from Signal, cybersecurity experts, and even its military over privacy and security risks.

Swedish law enforcement and security agencies are advocating for legislation that would compel encrypted messaging services, such as Signal and WhatsApp, to implement backdoors.

This measure aims to grant authorities access to users’ communications for criminal investigations. However, this proposal has met with strong resistance from both the service providers and Sweden’s own military.

Meredith Whittaker, President of the Signal Foundation, has unequivocally stated that Signal would withdraw from the Swedish market rather than compromise its encryption standards. In an interview with SVT Nyheter, Whittaker emphasized that introducing a backdoor would undermine the app’s entire security architecture, stating, “If you create a vulnerability based on Swedish wishes, it would create a way to undermine our entire network.”

She further stated that Signal’s commitment to user privacy and data protection is paramount, and the organization would not acquiesce to demands that jeopardize this principle.

> Signal has announced that it will “leave Sweden” if the Swedish government mandates encryption backdoors. Many are celebrating this as a bold act of resistance. But what does it actually mean?
> 
> Signal has no offices or legal presence in Sweden. Will they block Swedish IP… https://t.co/ffkD1pyz9n
> 
> — Nadim Kobeissi (@kaepora) February 25, 2025

Interestingly, the Swedish Armed Forces, which have recently adopted Signal for secure, non-classified communications, have also expressed concerns regarding the proposed legislation. In a letter to the government, military officials cautioned that mandating backdoors could introduce vulnerabilities exploitable by malicious actors, thereby compromising national security. This stance highlights a discord between Sweden’s defence priorities and the objectives of its law enforcement agencies.

Justice Minister Gunnar Strömmer has defended the proposal, arguing that it is essential for law enforcement to effectively access electronic communications in the fight against serious crimes. The bill, which could be presented to the Riksdag (Swedish Parliament) as early as March next year, seeks to balance the needs of national security with individual privacy rights, a balance that is proving contentious.

William Wright, CEO of Closed Door Security, criticized the move, stating:

_“Building backdoors into software is akin to deliberately creating vulnerabilities. Once embedded, threat actors will focus on finding and exploiting them, putting millions at risk. History has shown that even government-backed backdoors, like those exploited in the Salt Typhoon attack, can be turned against the very institutions that created them. The long-term risks far outweigh any short-term benefits for law enforcement.”_

This development in Sweden is similar to debates in other countries. Notably, the United Kingdom recently demanded that Apple provide access to encrypted iCloud accounts. In response, Apple chose to remove the option for British users to protect their accounts with end-to-end encryption rather than compromise its security protocols.

These situations highlight the constant struggle between governments wanting access to private data for security reasons and the need to protect people’s privacy. As Sweden debates this proposal, the final decision could have a major impact, not just on encrypted messaging within the country but also on global conversations about privacy and digital security.

Signal Threatens to Exit Sweden Over Government’s Backdoor Proposal

Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to…

Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to healthcare security and patient data.

Forescout’s Vedere Labs’ latest investigation, shared with Hackread.com, reveals that the notorious Chinese advanced persistent threat (APT) group, Silver Fox, has launched a sophisticated new campaign in which the group is exploiting DICOM (Digital Imaging and Communications in Medicine), commonly used for patient medical imaging, to distribute malicious software. 

The Silver Fox group has been active since at least 2024 and Hackread.com has followed its activities ever since. Initially, it focused on Chinese-speaking victims, distributing malware through various channels like SEO poisoning and social media usually disguised as AI applications or VPN software.

Over time, their targets broadened to include government institutions, cybersecurity companies, e-commerce, finance, and even gaming applications. Recent research suggests the group’s expansion into the healthcare sector, with malware samples originating from the US and Canada.

The current campaign uses trojanised versions of the Philips DICOM viewer‘s (PDF) executable file, which acts as a first-stage payload, checks connectivity to its command and control (C2) server using standard Windows commands, and uses PowerShell scripts to weaken Windows Defender’s defences. It then downloads encrypted payloads disguised as image files from an Alibaba Cloud storage bucket, which includes tools to disable antivirus software, auxiliary files, and shellcode.

The downloaded components are decrypted and a second-stage malicious executable is created, designed to persist on the system through scheduled tasks. This second stage disables security software and downloads another encrypted file, which after decryption reveals the core payload: the ValleyRAT backdoor.  

“During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT, a backdoor remote access tool (RAT) used to gain control of victim computers,” researchers noted in the blog post.

ValleyRAT provides attackers with extensive control over the compromised machine, potentially allowing access to sensitive hospital networks.  In addition to the backdoor, the malware also installs a keylogger to capture user input and a cryptominer to generate digital currency for the attackers. All these components are designed to persist on the system, ensuring continued operation even after reboot.

The Multi-Stage Infection Process (Source: Forescout)

The malware uses various techniques to evade detection and analysis, including obfuscation methods like API hashing and indirect retrieval, long sleep intervals, system fingerprinting, and masked DLL loading. The addition of random bytes complicates detection. Researchers found Alibaba Cloud storage buckets accessible during analysis, despite the C2 server being offline.

Researchers warn that compromised DICOM viewers pose a grave risk to healthcare delivery organizations (HDOs), as infected devices could provide an entry point into hospital networks. To mitigate these risks, HDOs should avoid downloading software from untrusted sources, restrict file loading from patient devices, implement robust network segmentation, maintain up-to-date endpoint protection, monitor network traffic, and actively search for malicious activity.

Malware Alert Icon Via Flaticon/Kliwir Art

Silver Fox APT Hides ValleyRAT in Trojanized Medical Imaging Software

Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering.

Bybit, the world’s second-largest cryptocurrency exchange, suffered a devastating $1.4 billion Ethereum (ETH) hack from a cold wallet breach on February 21, 2025. In the days following the attack, independent blockchain investigator ZachXBT traced the stolen funds directly to North Korea’s Lazarus Group, a notorious state-backed hacking organization. His findings were confirmed by Arkham Intelligence, a blockchain analysis firm, and shared with the Bybit team for further investigation.

****ZachXBT Uncovers Lazarus Group’s Crypto Trail****

On February 21 at 19:09 UTC, Arkham tweeted that ZachXBT had submitted definitive proof linking the attack to the Lazarus Group. His submission included detailed test transactions, connected wallet addresses, forensic graphs, and timing analyses; all of which suggested the hack was premeditated.

The next day, February 22, ZachXBT posted further evidence revealing that Lazarus had not only executed the Bybit hack but had also directly connected the stolen funds on-chain to the recent Phemex hack, which occurred on February 20. He identified a key overlapping address **(**0x33d057af74779925c4b2e720a820387cb89f8f65**)** where funds from both hacks had been commingled, effectively proving the same entity was responsible.

****On-Chain Evidence of Lazarus Group’s Activity********Bybit Hack Transactions (Feb 22, 2025):****

*   0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0
*   0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00

****Phemex Hack Transactions (Feb 20, 2025):****

*   0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3

ZachXBT later tweeted that, before these transactions surfaced, he and another blockchain investigator, Josh from CF (Cryptoforensic Investigators), had already traced Bybit-related testing addresses that were involved in laundering funds from the Phemex hack via Tron. Their findings helped them secure a bounty from Arkham, which had launched a reward for anyone who could identify the Bybit hackers.

> Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft address for both incidents.
> 
> Overlap address:  
> 0x33d057af74779925c4b2e720a820387cb89f8f65
> 
> Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
> 
> — ZachXBT (@zachxbt) February 22, 2025

****New Findings Connect Bybit Hack to BingX Hack****

Later on February 22, ZachXBT made another major revelation: Lazarus Group had also linked an address used in the September 2024 BingX hack to the same cluster of addresses responsible for the Bybit and Phemex hacks. This means that the three hacks: Bybit, BingX, and Phemex, are all connected through on-chain transactions.

****Overlap Address:****

*   0xd555789b146256253cd4540da28dcff6e44f6e50

****Bybit Hack Transaction:****

*   0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e

****BingX Hack Transaction:****

*   0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c

> Lazarus Group just linked an address tied to the BingX hack to this same cluster a few minutes ago which now connects the Bybit, BingX, & Phemex hacks on-chain.
> 
> Overlap  
> 0xd555789b146256253cd4540da28dcff6e44f6e50
> 
> Bybit hack txn:… pic.twitter.com/CGh7pB31Xa
> 
> — ZachXBT (@zachxbt) February 22, 2025

****Investigators Publish 920+ Addresses Linked to the Hack****

On February 22 at 9:05 PM UTC, ZachXBT tweeted that he had spent the entire day graphing the laundering movements of the stolen Bybit funds. He also made 920+ theft-linked wallet addresses publicly available to help exchanges and security teams block illicit transactions.

Bybit responded to his findings with a tweet on February 23 at 9:17 AM, thanking ZachXBT for his work, stating: “Big shoutout to @ZachXBT for always keeping the space sharp. 👀🔍 Your work didn’t go unnoticed—much respect.”

****Bybit Resumes Operations and Warns of Scammers****

Despite the massive theft, Bybit announced that deposits and withdrawals on the platform had returned to normal. However, the exchange warned users of scammers impersonating Bybit employees, urging them to verify all communications and avoid sharing personal information.

“Scammers are out there pretending to be Bybit employees. Stay sharp! Bybit will never ask for your personal info, deposits, or passwords,” Bybit tweeted.

****Coordinated Effort Freezes $42.89M in Stolen Funds****

A coordinated global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a single day. According to ByBit’s tweet, several key players in the industry, including stablecoin issuers and exchanges, helped track and block the movement of the hacked funds.

****Funds Frozen by Various Entities:****

*   **ChangeNOW:** Froze 34 ETH
*   **Circle:** Assisted with crucial clues
*   **THORChain:** Blocked the blacklist
*   **FixedFloat:** Froze 120K USDC + USDT
*   **Avalanche (AVAX):** Froze 0.38755 BTC
*   **Bitget:** Blocked the blacklist and froze 84 USDT
*   **Tether:** Flagged an address and froze 181K USDT
*   **CoinEx:** Blocked the blacklist and provided key insights

Bybit acknowledged and praised these companies for their swift response, stating that their efforts were essential in tracking and freezing the hacked funds.

****Who is the Lazarus Group?****

The Lazarus Group is a state-sponsored North Korean hacking organization responsible for some of the biggest cyber heists in history. First identified in the early 2010s, the group has been linked to multiple high-profile financial and cyber attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and a long list of crypto exchange breaches.

Their primary objective is stealing funds to support North Korea’s heavily sanctioned economy, which struggles under international financial restrictions. According to intelligence agencies and blockchain analytics firms, Lazarus has stolen over $3 billion in cryptocurrency since 2018, with much of the funds being funnelled into North Korea’s nuclear weapons program and military operations.

The group typically executes attacks through social engineering, phishing, and exploiting security vulnerabilities in crypto platforms. Their laundering methods often involve mixing services, decentralized exchanges, and cross-chain swaps to cover transaction trails before cashing out.

Nevertheless, the ByBit incident is one of the largest crypto hacks in history, backing concerns about security vulnerabilities in centralized exchanges. The rapid response from blockchain investigators like ZachXBT, exchanges, and security teams has helped mitigate the impact, but the attack further highlights the sophisticated tactics of hacking groups like Lazarus.

With Bybit now operational again, the industry remains on high alert as investigations continue into the laundering of the stolen funds.

1.  **North Korean Hackers Team Up with Play Ransomware**
2.  **Lazarus Group Exploits Chrome 0-Day for Crypto Theft**
3.  **KnowBe4 Tricked into Hiring North Korean Hacker as IT Pro**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **North Korean APT37 Unleashes Dolphin Backdoor on South Korea**

Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group

Plus: Apple turns off end-to-end encrypted iCloud backups in the UK after pressure to install a backdoor, and two spyware apps expose victim data—and the identities of people who installed the apps.

As the so-called Department of Government Efficiency continues to rampage through the United States government by making sweeping cuts to the federal workforce, numerous ongoing lawsuits allege that the group’s access to sensitive data violates the Watergate-inspired Privacy Act of 1974 and that it needs to halt its activity. Meanwhile, DOGE cut staff this week at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and gained access to CISA’s digital systems after the agency had already frozen its eight-year-old election security initiatives late last week.

The National Institute of Standards and Technology was also bracing this week for roughly 500 staffers to be fired, which could have serious impacts on NIST’s cybersecurity standards and software vulnerability tracking work. And cuts last week at the US Digital Service included the cybersecurity lead for the central Veterans Affairs portal, VA.gov, potentially leaving VA systems and data more vulnerable without someone in his role.

Multiple US government departments are now considering bans on China-made TP-Link routers following recent aggressive Chinese digital espionage campaigns. (The company denies any connection to cyberattacks.) A WIRED investigation found that users of Google’s ad tech can target categories that shouldn’t be available under the company’s policies, including people with chronic diseases or those in debt. Advertisers could also target national security “decision makers” and people involved in the development of classified defense technology.

Google researchers warned this week that hackers tied to Russia have been tricking Ukrainian soldiers with fake QR codes for Signal group invites that exploited a flaw to allow the attackers to spy on target messages. Signal has rolled out updates to stop exploitation. And a WIRED deep dive examines how difficult it can be for even the most connected web users to have nonconsensual intimate images and videos of themselves removed from the web.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Running a cryptocurrency exchange is a risky business, as hacking victims like Mt. Gox, Bitfinex, FTX, and plenty of others can attest. But never before has a platform for buying and selling crypto lost a 10-figure dollar sum in a single heist. That new record belongs to ByBit, which on Friday revealed that thieves hacked its Ethereum-based holdings. The hackers made off with a sum that totals to $1.4 billion, according to an estimate by cryptocurrency tracing firm Elliptic—the largest crypto theft of all time by some measures.

ByBit CEO Ben Zhou wrote on X that the hackers had used a “musked transaction”—likely a misspelling of “masked transaction”—to trick the exchange into cryptographically signing a change in the code of the smart contract controlling a wallet holding its stockpile of Ethereum. “Please rest assured that all other cold wallets are secure,” Zhou wrote, suggesting that the exchange remained solvent. “All withdraws are NORMAL.” Zhou later added in another note on X that the exchange would be able to cover the loss, which if true suggests that no users will lose their funds.

The theft dwarfs other historic hacks of crypto exchanges like Mt. Gox and FTX, each of which lost sums of cryptocurrency that were worth hundreds of millions of dollars at the time the thefts were discovered. Even the stolen loot from the 2016 Bitfinex heist, which was worth close to $4.5 billion at the time the thieves were identified and the majority of the funds recovered in 2022, was only worth $72 million at the time of the theft. ByBit’s $1.4 billion is by that measure a far bigger loss and, considering that all crypto thefts in 2024 totaled to $2.2 billion, according to blockchain analysis firm Chainalysis, a stunning new benchmark in crypto crime.

**Bowing to a Government Demand, Apple Disables iCloud End-to-End Encryption in the UK**

The British government earlier this month raised privacy alarms worldwide when it demanded that Apple give it access to users’ end-to-end encrypted iCloud data. That data had been protected with Apple’s Advanced Data Protection feature, which encrypts stored user information such that no one other than the user can decrypt it—not even Apple. Now Apple has caved to the UK’s pressure, disabling that end-to-end encryption feature for iCloud across the country. Even as it turned off that protection, Apple expressed its reluctance in a statement: "Enhancing the security of cloud storage with end-to-end-encryption is more urgent than ever before," the company said. "Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in future in the UK." Privacy advocates worldwide have argued that the move—and the UK’s push for it—will weaken the security and privacy of British citizens and leave tech companies vulnerable to similar surveillance demands from other governments around the world.

**Cocospy and Spyic Stalkerware Apps Expose Millions of Victims’ Data Online**

The only thing worse than the scourge of stalkerware apps—malware installed on phones by snooping spouses or other hands-on spies to surveil virtually all of the victim’s movements and communications—is when those apps are so badly secured that they also leak victims’ information onto the internet. Stalkerware apps Cocospy and Spyic, which appear to have been developed by someone in China and largely share the same source code, left data stolen from millions of victims exposed, thanks to a security vulnerability in both apps, according to a security researcher who discovered the flaw and shared information about it with TechCrunch. The exposed data included messages, call logs, and photos, TechCrunch found. In a karmic twist, it also included millions of email addresses of the stalkerware’s registered users, who had themselves installed the apps to spy on victims.

$1.4 Billion Stolen From ByBit in Biggest Crypto Theft Ever

Apple is removing its Advanced Data Protection (ADP) feature for iCloud from the United Kingdom with immediate effect following government demands for backdoor access to encrypted user data.
The development was first reported by Bloomberg.
ADP for iCloud is an optional setting that ensures that users' trusted devices retain sole access to the encryption keys used to unlock data stored in its

Tag

#backdoor