A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach…

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach enterprise environments: picking up the phone and pretending to be IT support, simply called voice phishing (Vishing).

According to a new report from Google’s Threat Intelligence Group (GTIG), this actor has been impersonating internal tech staff in phone-based social engineering attacks. Their goal is to trick employees, mostly in English-speaking branches of multinational companies, into granting access to sensitive systems, particularly Salesforce, a widely used customer relationship management (CRM) platform.

****How the Scam Works****

UNC6040 doesn’t rely on exploits or security vulnerabilities. Instead, it counts on human error. The attackers call employees and walk them through approving a connected app inside Salesforce. But this isn’t just any app, it’s often a modified version of Salesforce’s legitimate Data Loader tool.

With this access, attackers can query and extract vast amounts of data from the targeted organization. In some cases, they disguise the tool as “My Ticket Portal,” a name aligned with the IT support theme of the scam.

Once access is granted, UNC6040 pulls data in stages. Sometimes, they start small to avoid detection, using test queries and limited batch sizes. If the initial probing goes unnoticed, they scale up the operation and begin large-volume exfiltration.

****Extortion Comes Later****

Interestingly, data theft doesn’t always lead to immediate demands. In several incidents, months passed before victims received extortion messages. During those messages, attackers claimed to be associated with the well-known hacking group ShinyHunters, a move likely aimed at increasing pressure on victims to pay up.

This delayed approach hints that UNC6040 might be working with other actors who specialize in monetizing stolen data. Whether they’re selling access or handing off the data for follow-up attacks, the long pause makes incident detection and response more complicated for security teams.

While the primary target is Salesforce, the group’s ambitions don’t end there. Once they gain credentials, UNC6040 has been observed moving laterally through corporate systems, targeting platforms like Okta and Microsoft 365. This broader access allows them to collect additional valuable data, deepen their presence, and build leverage for future extortion attempts.

Attack flow (Google)

****Protecting Against These Attacks****

GTIG advises taking a few clear steps to make these types of breaches less likely. First, limit who has access to powerful tools like Data Loader, only users who genuinely need it should have permissions, and those should be reviewed regularly. It’s also important to manage which connected apps can access your Salesforce setup; any new app should go through a formal approval process.

To prevent unauthorized access, especially from attackers using VPNs, logins and app authorizations should be restricted to trusted IP ranges. Monitoring is another key piece, platforms like Salesforce Shield can flag and react to large-scale data exports in real time. While multi-factor authentication (MFA) isn’t perfect, it still plays a major role in protecting accounts, especially when users are trained to spot tricks like phishing calls that try to get around it.

Hackers Using Fake IT Support Calls to Breach Corporate Systems, Google

Over 20 malicious apps on Google Play are stealing crypto seed phrases by posing as trusted wallets and exchanges, putting users' funds at risk.

A recent investigation by threat intelligence firm Cyble has spotted a campaign targeting cryptocurrency users through the Google Play Store with more than 20 malicious Android applications.

These apps, disguised as trusted crypto wallets like SushiSwap, PancakeSwap, Hyperliquid, and Raydium, have been found harvesting users’ 12-word mnemonic phrases, the keys that unlock their crypto funds.

These apps mimic legitimate wallet interfaces, luring users into entering sensitive recovery phrases. Once entered, the attackers can access the real wallets and empty them. While Google has removed many of these fake apps following Cyble’s report, a handful remain live on the store and have been flagged for removal.

****How the Scam Works****

According to Cyble’s report shared with Hackread.com, the fraudulent apps carry names and icons of well-known crypto platforms and appear under developer accounts that previously hosted genuine apps, including games, video downloaders, and streaming tools. These accounts, some with more than 100,000 downloads, appear to have been hijacked and repurposed to distribute the malicious apps.

Screenshot showing a developer account that previously published legitimate apps, now used for malicious activity (Credit: Cyble)

In several cases, the apps use a development tool known as the “Median framework” to quickly turn phishing websites into Android apps. The apps load these phishing pages directly inside a WebView, an embedded browser window, that asks users for their mnemonic phrase under the guise of wallet access.

The campaign isn’t only widespread in scale but also coordinated in its infrastructure. One phishing domain found by Cyble was linked to over 50 similar domains, all part of the same broader effort to compromise wallet security.

Cyble’s researchers also noticed a pattern in how these fake apps operate. Many of them include links in their privacy policies that actually lead to phishing websites designed to steal users’ wallet recovery phrases. The apps also tend to follow similar naming styles, which points to the use of automated tools to quickly create and publish them.

On top of that, several apps are connected to the same servers or websites, showing they’re part of a larger, organized effort. Some of the fake domains linked to these apps include:

*   bullxnisbs
*   hyperliqwsbs
*   raydifloydcz
*   sushijamessbs
*   pancakefentfloydcz

These domains impersonate various wallet providers and serve pages meant to trick users into handing over their seed phrases. Meanwhile, the partial list of malicious apps, courtesy of Cyble, is available below:

1.  Raydium
2.  SushiSwap
3.  Suiet Wallet
4.  Hyperliquid
5.  BullX Crypto
6.  Pancake Swap
7.  Meteora Exchange
8.  OpenOcean Exchange
9.  Harvest Finance Blog

Despite efforts to remove the apps, the campaign is ongoing. As of this report, a few remain active on the Play Store. The quick replication of these apps using off-the-shelf frameworks suggests the attackers could easily spin up more fake apps if not quickly blocked.

This poses a serious risk. Unlike traditional banking, there is no safety net for crypto theft. Once a wallet is drained, the funds are nearly impossible to recover.

Cyble has shared detailed indicators of compromise (IOCs) including app names, package identifiers, and phishing domains, which security professionals can use to block or investigate further.

This campaign goes on to show how attackers continue to target the already vulnerable crypto space through official channels like app stores. While app platforms are working to catch malicious uploads, users remain on the receiving end of these cybersecurity threats. Therefore, users are urged to watch out and follow these steps to protect themselves:

Watch for red flags like low review counts, recently republished apps, or links to strange domains in privacy policies.

*   Avoid downloading and installing unnecessary apps.

*   Enable Google Play Protect to help identify potentially harmful apps.

*   Use biometric security and two-factor authentication where available.

*   Always watch out while downloading apps from third-party as well as official stores.

*   Never enter your 12-word phrase into any app or website unless you’re certain it’s legitimate.

Over 20 Malicious Apps on Google Play Target Users for Seed Phrases

Plus: A 22-year-old former intern gets put in charge of a key anti-terrorism program, threat intelligence firms finally wrangle their confusing names for hacker groups, and more.

Since it’s already chaos out there, this week, we thought we’d lean into the madness by envisioning the future threats that you’re not ready for. From cyberattacks on the US grid to GPS blackouts, rampant deepfake scams, AI-powered super hackers, and widespread communication system collapse, there’s a whole spectrum of scenarios that could take things from bad to worse.

All is not lost, however—at least if you’re Ross Ulbricht. The creator of the Silk Road dark web market, who was pardoned by President Donald Trump earlier this year, received a mysterious $31 million bitcoin donation last weekend. Crypto-tracing firm Chainalysis now suspects the lavish gift may have come from a vendor at another now-defunct black market, AlphaBay.

A trove of public records reviewed by WIRED this week reveal a years-long effort by a farming industry group to get the FBI to treat animal rights activists as a “bioterrorist” threat. The Animal Agriculture Alliance (AAA) was repeatedly in contact with the bureau’s Weapons of Mass Destruction Directorate about the activities of groups like Direct Action Everywhere, or DxE. The records show that AAA fed intelligence about DxE to the FBI and used corporate spies to infiltrate the group’s activities.

Immigration and Customs Enforcement recently updated its guidance for agents who carry out courthouse raids and other “enforcement actions” in and nearby court houses, according to an agency document reviewed by WIRED. The updated policy removes language that explicitly instructed agents to ensure they followed local and state laws.

Anyone who was trying to play a new video game on Christmas Day in 2014 likely remembers the infamous Lizardsquad hack of Xbox Live and Playstation Network. Now, more than a decade later, we finally have the full story.

But that’s not all! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Mysterious iPhone Crashes Hint at a Chinese Hacks. Apple Denies It**

The security firm iVerify this week brought to light a series of suspicious iPhone crashes that researchers say might just indicate a stealthy, unprecedented Chinese zero-click hacking campaign victimizing American phones, including even those of staffers for the Harris-Walz presidential campaign. Or it’s a random, not-particularly-dangerous bug that Apple has already squashed.

In a report released Thursday, iVerify assessed with “moderate confidence” that China-linked hackers may have targeted a series of iPhones with a sophisticated exploit, going after activists and dissidents critical of China, an EU government official, tech executives at AI firms competing with Chinese ones, and US political staffers—revealed by NBC News to be employees of the Harris-Walz campaign. iVerify didn’t have a sample of the malware that might have infected those phones or other definitive proof that any hacking occurred. But it pointed to signs that seem like more than coincidences: The staffers whose phones had experienced the crashes had also been warned by the FBI that they’d already been targeted in China’s Salt Typhoon hacking campaign against US telecoms. Another owner of the devices that crashed in the same way was later warned by Apple itself that he or she had been targeted by sophisticated hackers.

All of that would represent a serious threat to national security. Except that, strangely, Apple flatly denies it happened. “We strongly disagree with the claims of a targeted attack against our users,” Apple’s head of security engineering, Ivan Krstić, wrote in a statement to WIRED. Apple has patched the issue that iVerify highlighted in its report, which caused iPhones to crash in certain cases when a message sender changed their own nickname and avatar. But it calls those crashes the result of a “conventional software bug,” not evidence of a targeted exploitation. (That blanket denial certainly isn’t Apple’s usual response to confirmed iPhone hacking. The company has, for instance, sued hacking firm NSO group for its targeting of Apple customers.)

The result is that what might have been a four-alarm fire in the counterintelligence world is reduced—for now—to a very troubling enigma.

**A 22-Year-Old Is Running a Key US Anti-Terrorism Program**

A 22-year-old former intern at the Heritage Foundation with no national security experience has reportedly been appointed to a key Department of Homeland Security role overseeing a major program designed to combat domestic terrorism.

According to Propublica, Thomas Fugate last month assumed leadership of the Center for Programs and Partnerships (CP3), a DHS office tasked with funding nationwide efforts to prevent politically motivated violence—including school shootings and other forms of domestic terrorism.

Fugate, a 2024 graduate of the University of Texas at San Antonio, replaced the former CP3 director, Bill Braniff, an Army veteran with 20 years of national security experience who resigned in March following staff cuts ordered by the Trump administration.

According to CP3’s most recent report to Congress, the office has funded more than 1,100 initiatives aimed at disrupting violent extremism. In recent months, the US has seen a string of high-profile targeted attacks, including a car bombing in California and the shooting of two Israeli Embassy aids in Washington, DC. Its $18 million grant program, designed to support local prevention efforts, is reportedly now under Fugate’s supervision.

**Threat Intelligence Firms (Finally) Agree to a Glossary of Hacker Group Names**

Hacker group names have long been an unavoidable absurdity in the cybersecurity industry. Every threat intelligence company, in a scientifically defensible attempt to not make any assumption that they’re tracking the same hackers as another firm, comes up with their own code name for any group they observe. The result is a somewhat silly profusion of overlapping naming systems based on elements, weather, and zoology: “Fancy Bear” is “Forest Blizzard” is “APT28” is “Strontium.” Now, several major threat intelligence players, including Google, Microsoft, CrowdStrike, and Palo Alto Networks, have finally shared enough of their internal research to agree to a glossary that confirms that they’re referring to the same entities. The companies did _not,_ however, agree to consolidate their naming systems into a single taxonomy. So this agreement doesn’t mean the end of sentences in security reporting such as “the hacker group Sandworm, also known as Telebots, Voodoo Bear, Hades, Iron Viking, Electrum, or Seashell Blizzard.” It just means we cybersecurity reporters can write that sentence with a little more confidence.

**Phone-Hacking Firm Corellium Acquired for $200 Million—After Trump Pardons Its Founder**

Chris Wade, the founder and CTO of mobile device reverse-engineering company Corellium, has had a wild last few decades: In 2005, he was convicted on criminal charges of enabling spammers by providing them proxy servers, and agreed to work undercover for law enforcement while avoiding prison. Then in 2020, he mysteriously received a pardon from President Donald Trump. He also settled a major copyright lawsuit from Apple. Now his company, which creates virtual images of Android and iOS devices so that customers can find ways to break into them, is being acquired by phone-hacking firm Cellebrite, a major law enforcement contractor, for $200 million—a significant payday for a hacker who has found himself on both sides of the law.

The Mystery of iPhone Crashes That Apple Denies Are Linked to Chinese Hacking

In an effort to evade detection, cybercriminals are increasingly turning to “residential proxy” services that cover their tracks by making it look like everyday online activity.

For years, gray-market services known as “bulletproof” hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, they have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in in Arlington, Virginia, today, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and criminal customers toward an alternative approach.

Rather than relying on web hosts to find ways of operating outside law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses and offering infrastructure that either intentionally doesn't log traffic or mixes traffic from many sources together. And while the technology isn't new, Seret and other researchers emphasized to WIRED that the transition to using proxies among cybercrminals over the last couple of years is significant.

“The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a researcher at the threat intelligence firm Team Cymru, told WIRED ahead of his talk. “That's the magic of a proxy service—you cannot tell who’s who. It's good in terms of internet freedom, but it's super, super tough to analyze what’s happening and identify bad activity.”

The core challenge of addressing cybercriminal activity hidden by proxies is that the services may also, even primarily, be facilitating legitimate, benign traffic. Criminals and companies that don't want to lose them as clients have particularly been leaning on what are known as “residential proxies,” an array of decentralized nodes that can run on consumer devices—even old Android phones or low-end laptops—offering real, rotating IP addresses assigned to homes and offices. Such services offer anonymity and privacy, but can also shield malicious traffic.

By making malicious traffic look like it comes from trusted consumer IP addresses, attackers make it much more difficult for organizations' scanners and other threat detection tools to spot suspicious activity. And, crucially, residential proxies and other decentralized platforms that run on disparate consumer hardware reduce a service provider's insight and control, making it more difficult for law enforcement to get anything useful from them.

“Attackers have been ramping up their use of residential networks for attacks over the last two to three years,” says Ronnie Tokazowski, a longtime digital scams researcher and cofounder of the nonprofit Intelligence for Good. “If attackers are coming from the same residential ranges as, say, employees of a target organization, it's harder to track.”

Criminal use of proxies isn't new. In 2016, for example, the US Department of Justice said that one of the obstacles in a years-long investigation of the notorious “Avalanche” cybercriminal platform was the service's use of a “fast-flux” hosting method that concealed the platform's malicious activity using constantly changing proxy IP addresses. But the rise of proxies as a gray-market service rather than something attackers must develop in-house is an important shift.

“I don’t know yet how we can improve the proxy issue,” Team Cymru's Seret told WIRED. “I guess law enforcement could target known malicious proxy providers like they did with bulletproof hosts. But in general, proxies are whole internet services used by everyone. Even if you take down one malicious service, that doesn't solve the larger challenge.”

Cybercriminals Are Hiding Malicious Web Traffic in Plain Sight

iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU high-value individuals…

iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU high-value individuals including political figures, media pros and executives from AI companies.

iVerify, a leading mobile EDR security platform, has revealed the discovery of a previously unknown zero-click vulnerability in Apple’s iMessage service. Dubbed NICKNAME, this flaw can compromise an iPhone without any user interaction, and it appears to be part of a sophisticated mobile spyware campaign, potentially backed by China, targeting important individuals in the US and Europe.

According to iVerify’s report, shared with Hackread.com, they observed unusual activity on iPhones of prominent entities in the US and the European Union in late 2024 and early 2025. This included rare crashes that made up only 0.0001% of crash logs from a sample of 50,000 iPhones, typical of advanced zero-click iMessage attacks.

Through forensic analysis, the NICKNAME vulnerability was detected on devices belonging to high-value individuals of interest to the Chinese Communist Party (CCP). These targets include political figures, media professionals, and executives from artificial intelligence companies. Notably, some affected individuals had previously been targeted by Salt Typhoon, a known cyber operation

The exploit leverages a weakness in the imagent process on iPhones, believed to be triggered by a rapid series of nickname updates sent through iMessage. This action results in a use-after-free memory corruption, creating an opening for attackers to gain control.

iVerify’s highly in-depth technical investigation has identified six devices believed to be targeted, with four showing clear NICKNAME signatures and two indicating successful exploitation. These victims consistently had connections to activities of interest to the CCP, such as prior targeting by Salt Typhoon, business dealings contrary to CCP interests, or activism against the regime.

While Apple released a patch for this vulnerability in iOS 18.3.1, iVerify cautions that NICKNAME may be just one component of a larger, active exploit chain. The company stresses the critical need for organizations, including government bodies, to adapt their mobile security models to counter these advanced modern threats.

The CCP’s direct attribution is not definitively proven, but circumstantial is compelling. Furthermore, as per iVerify, evidence from independent iOS security experts, including Patrick Wardle from the Objective-By-The-Sea foundation, supports mobile compromise as a real threat in the US.

This discovery is important as it could be the first systematic detection of iMessage zero-click exploitation in the United States. Such attacks are particularly dangerous because they bypass even highly secure messaging applications like Signal.

Once a device is compromised, all private conversations and data, regardless of the application used, become accessible to attackers. This is particularly important given events like SignalGate, which show that no communication channel is truly private if compromised.

NICKNAME: Zero-Click iMessage Exploit Targeted Key Figures in US, EU

Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of proxy and anonymity services nested at some of America's largest Internet service providers (ISPs).

Image: Mark Rademaker, via Shutterstock.

Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America’s largest Internet service providers (ISPs).

The findings come in a report examining how the Russian invasion has affected Ukraine’s domestic supply of **Internet Protocol Version 4** (IPv4) addresses. Researchers at **Kentik**, a company that measures the performance of Internet networks, found that while a majority of ISPs in Ukraine haven’t changed their infrastructure much since the war began in 2022, others have resorted to selling swathes of their valuable IPv4 address space just to keep the lights on.

For example, Ukraine’s incumbent ISP **Ukrtelecom** is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war, Kentik found. Although much of that former IP space remains dormant, Ukrtelecom told Kentik’s **Doug Madory** they were forced to sell many of their address blocks “to secure financial stability and continue delivering essential services.”

“Leasing out a portion of our IPv4 resources allowed us to mitigate some of the extraordinary challenges we have been facing since the full-scale invasion began,” Ukrtelecom told Madory.

Madory found much of the IPv4 space previously allocated to Ukrtelecom is now scattered to more than 100 providers globally, particularly at three large American ISPs — **Amazon** (AS16509), **AT&T** (AS7018), and **Cogent** (AS174).

Another Ukrainian Internet provider — **LVS** (AS43310) — in 2022 was routing approximately 6,000 IPv4 addresses across the nation. Kentik learned that by November 2022, much of that address space had been parceled out to over a dozen different locations, with the bulk of it being announced at AT&T.

IP addresses routed over time by Ukrainian provider LVS (AS43310) shows a large chunk of it being routed by AT&T (AS7018). Image: Kentik.

Ditto for the Ukrainian ISP **TVCOM**, which currently routes nearly 15,000 fewer IPv4 addresses than it did at the start of the war. Madory said most of those addresses have been scattered to 37 other networks outside of Eastern Europe, including Amazon, AT&T, and **Microsoft**.

The Ukrainian ISP **Trinity** (AS43554) went offline in early March 2022 during the bloody siege of Mariupol, but its address space eventually began showing up in more than 50 different networks worldwide. Madory found more than 1,000 of Trinity’s IPv4 addresses suddenly appeared on AT&T’s network.

Why are all these former Ukrainian IP addresses being routed by U.S.-based networks like AT&T? According to **spur.us**, a company that tracks VPN and proxy services, nearly all of the address ranges identified by Kentik now map to commercial proxy services that allow customers to anonymously route their Internet traffic through someone else’s computer.

From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer. These services can be used for several business purposes, such as price comparisons, sales intelligence, web crawlers and content-scraping bots. However, proxy services also are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

IPv4 address ranges are always in high demand, which means they are also quite valuable. There are now multiple companies that will pay ISPs to lease out their unwanted or unused IPv4 address space. Madory said these IPv4 brokers will pay between $100-$500 per month to lease a block of 256 IPv4 addresses, and very often the entities most willing to pay those rental rates are proxy and VPN providers.

A cursory review of all Internet address blocks currently routed through AT&T — as seen in public records maintained by the Internet backbone provider **Hurricane Electric** — shows a preponderance of country flags other than the United States, including networks originating in Hungary, Lithuania, Moldova, Mauritius, Palestine, Seychelles, Slovenia, and Ukraine.

AT&T’s IPv4 address space seems to be routing a great deal of proxy traffic, including a large number of IP address ranges that were until recently routed by ISPs in Ukraine.

Asked about the apparent high incidence of proxy services routing foreign address blocks through AT&T, the telecommunications giant said it recently changed its policy about originating routes for network blocks that are not owned and managed by AT&T. That new policy, spelled out in a February 2025 update to AT&T’s terms of service, gives those customers until Sept. 1, 2025 to originate their own IP space from their own autonomous system number (ASN), a unique number assigned to each ISP (AT&T’s is AS7018).

“To ensure our customers receive the best quality of service, we changed our terms for dedicated internet in February 2025,” an AT&T spokesperson said in an emailed reply. “We no longer permit static routes with IP addresses that we have not provided. We have been in the process of identifying and notifying affected customers that they have 90 days to transition to Border Gateway Protocol routing using their own autonomous system number.”

Ironically, the co-mingling of Ukrainian IP address space with proxy providers has resulted in many of these addresses being used in cyberattacks against Ukraine and other enemies of Russia. Earlier this month, the European Union sanctioned **Stark Industries Solutions Inc.**, an ISP that surfaced two weeks before the Russian invasion and quickly became the source of large-scale DDoS attacks and spear-phishing attempts by Russian state-sponsored hacking groups. A deep dive into Stark’s considerable address space showed some of it was sourced from Ukrainian ISPs, and most of it was connected to Russia-based proxy and anonymity services.

According to Spur, the proxy service IPRoyal is the current beneficiary of IP address blocks from several Ukrainian ISPs profiled in Kentik’s report. Customers can chose proxies by specifying the city and country they would to proxy their traffic through. Image: Trend Micro.

Spur’s Chief Technology Officer **Riley Kilmer** said AT&T’s policy change will likely force many proxy services to migrate to other U.S. providers that have less stringent policies.

“AT&T is the first one of the big ISPs that seems to be actually doing something about this,” Kilmer said. “We track several services that explicitly sell AT&T IP addresses, and it will be very interesting to see what happens to those services come September.”

Still, Kilmer said, there are several other large U.S. ISPs that continue to make it easy for proxy services to bring their own IP addresses and host them in ranges that give the appearance of residential customers. For example, Kentik’s report identified former Ukrainian IP ranges showing up as proxy services routed by **Cogent** **Communications** (AS174), a tier-one Internet backbone provider based in Washington, D.C.

Kilmer said Cogent has become an attractive home base for proxy services because it is relatively easy to get Cogent to route an address block.

“In fairness, they transit a lot of traffic,” Kilmer said of Cogent. “But there’s a reason a lot of this proxy stuff shows up as Cogent: Because it’s super easy to get something routed there.”

Cogent declined a request to comment on Kentik’s findings.

Proxy Services Feast on Ukraine’s IP Address Exodus

The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government.
That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis.
"Their diverse toolset shows consistent coding patterns across malware families, particularly in

Researchers Detail Bitter APT’s Evolving Tactics as Its Geographic Scope Expands

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these…

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these sophisticated attacks trick users into running malware and what to watch out for.

Cybersecurity experts at Cofense Intelligence are warning hotel chains and other businesses in the food and accommodation sector about an email scam that mimics Booking.com. These deceptive emails are part of attack campaigns known as ClickFix, which aims to trick users into running malicious software.

The ClickFix campaign has been steadily gaining traction since November 2024, with a notable acceleration in recent months. According to Cofense’s analysis, a staggering 47% of the total campaign volume was observed in March 2025 alone.

The firm’s active threat reports (ATRs) indicate that 75% of all incidents involving fake CAPTCHAs utilized Booking.com-themed ClickFix templates. While Booking.com impersonations are most common, Cofense also noted less frequent variations, including those spoofing Cloudflare Turnstile and cookie consent banners.

****How the Scam Works****

The scam begins with an email containing a link to a fake CAPTCHA website. A CAPTCHA is usually a test designed to tell humans and computers apart, like typing distorted letters. In this case, however, the fake CAPTCHA is a trick. Instead of a real verification code, clicking on it delivers a harmful script to the user’s computer.

These ClickFix websites then instruct users to press specific keyboard shortcuts, typically Windows key + R, followed by Ctrl + V, and then Enter. This sequence opens the Run command in Windows, pastes the hidden malicious script, and then executes it. The malicious script often includes extra characters that look like a _verification code_ to hide the real harmful commands.

These sites are cleverly designed to look like legitimate pages from well-known brands such as Booking.com and Cloudflare. Interestingly, the scam only targets Windows computers, and if accessed on other devices, the fake CAPTCHA sites will display a message indicating they only work on Windows.

****What Malware is Being Delivered?****

Once the malicious script is run, it can install various types of dangerous software. The most common payload seen in these attacks is XWorm RAT, a type of Remote Access Trojan (RAT). For your information, RATs allow attackers to secretly control a victim’s computer from a distance.

Other frequently observed malware include Pure Logs Stealer and DanaBot, which are information stealers designed to swipe sensitive data. In some instances, both RATs and information stealers have been delivered in a single attack.

Sample Attack Chain (Source: Cofense)

This ClickFix method is a concerning new tactic because it manipulates users into activating the malware themselves, without needing to download any files directly. It highlights the importance of being cautious about suspicious emails, even those that appear to be from trusted sources like Booking.com, and to always double-check the legitimacy of any verification steps or prompts that ask you to run commands on your computer.

For more detailed information on how to spot these ClickFix attacks, refer to Hackread.com’s guide on the techniques used to trick users and how to stay safe.

ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware

Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.

Artificial intelligence (AI) and small business tools are being abused as smokescreens to hit unsuspecting victims with ransomware.

In the masquerade campaigns discovered by Cisco Talos, cybercriminals hid malware behind software and install packages that mimicked the websites or names of the lead monetization service Nova Leads, the enormously popular Chat GPT, and an AI-empowered video tool called InVideo AI.

As small businesses quickly adopt AI tools—a recent survey from the US Chamber of Commerce and the strategy firm Teneo revealed that 98% of small businesses already use at least one AI-powered product and 40% use generative AI—these cybercriminal lures pose the next, big threat to sole proprietors and boutique shops.

According to the researchers at Cisco Talos, the threat is twofold.

“Unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” Talos said. “This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions.”

In the first potential online attack, Talos found that cybercriminals created a fake website that closely resembled that of the legitimate company Nova Leads. The company helps businesses with lead monetization through acquisition, conversion, and content creation. But rather than simply copying the look and feel of Nova’s website, the cybercriminals also offered a completely fake, AI-powered product called “Nova Leads AI.”

On the malicious website, users were prompted to download Nova Leads AI for ”free access” for 12 months. If users downloaded and installed the fake software, the ransomware CyberLock was instead deployed. Researchers at Talos analyzed how CyberLock moved throughout a network and retrieved the ransom note left behind by the cybercriminals. In it, the ransomware gang claimed, falsely, that their attacks were altruistic.

“We want to assure you that your payment does not go to us,” the ransomware gang said in its note. “It will instead go to support affected women and children in Palestine, Ukraine, Africa, Asia, and other regions where injustices are a daily reality.”

In the note, victims are directed to pay $50,000 in cryptocurrency. The ransomware campaign is particularly dangerous as cybercriminals managed to manipulate SEO practices to rank their malicious website near the top of relevant online searches. This method, called “SEO poisoning,” is deployed by scammers, hackers, and shady websites.

In a second potential attack, Talos found that a software installer labeled “ChatGPT 4.0 full version – Premium.exe” was actually hiding the ransomware Lucky\_Gh0$t. Interestingly, the files contained within the installer also contained legitimate open-source AI tools from Microsoft, likely as an evasion technique to ward off any antivirus tools inspecting the package for malware.

Though the Lucky\_Gh0$t ransom note did not include a specific dollar amount, the cybercriminals displayed a starkly different attitude from CyberLock’s alleged humanitarianism:

> “We are not a politically motivated group and we do not need anything other than your money.”

In the last potential attack, Talos found a new malware that the team dubbed “Numero.” Though it is not officially a form of ransomware, Talos found that, once deployed, it effectively renders systems “completely unusable.”

Talos discovered that the malware’s internal data co-opted the product and organizations names of the service InVideo AI, an AI-powered video generation service that can be used for marketing, content, and more.

While cybercriminals have long disguised their malware under popular brands, the emergence of AI—and its popularity for small businesses—highlight the dangers that small shops face simply for trying to do business online. But there is help at hand.

****How to protect your small business from ransomware****

As is true with all malware infections, the best defense to a ransomware attack is to never allow an attack to occur in the first place. Take on the following steps to secure your business from this existential threat:

*   **Block common forms of entry.** Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
*   **Prevent intrusions and stop malicious encryption.** Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 Ransomware hiding in fake AI, business tools 

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.

Title: ABB Cylon Aspect 3.08.04 (DeploySource) Unauthenticated Remote Code Execution  
Advisory ID: ZSL-2025-5954  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS  
Risk: (5/5)  
Release Date: 04.06.2025

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the AuthenticatedHttpServlet within its application server, enabling remote attackers to bypass authentication by setting the Host: 127.0.0.1 header. This deceives the server into processing requests as if they originate from localhost, granting unauthorized access to privileged operations. This bypass grants access to privileged functionality, including the DeploymentServlet, which is vulnerable to directory traversal. By leveraging this, an attacker can write arbitrary PHP files outside the intended directory scope. When combined, these issues allow remote attackers to upload a malicious PHP shell and execute system commands with the privileges of the web server, leading to full system compromise.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.04

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[21.05.2025\] No response from the vendor.  
\[04.06.2025\] Public security advisory released.

**PoC**

abb\_aspect\_rce28.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <\[email protected\]\>

**References**

N/A

**Changelog**

\[04.06.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: \[email protected\]

Tag

#intel