A new variant of the hello pervert emails claims that the target's system is infected with njRAT and spoofs the victims email address

In a new version of the old “Hello pervert”  emails, scammers are relying on classic email spoofing techniques to try and convince victims that they have lost control of their email account and computer systems.

Email spoofing basically comes down to sending emails with a false sender address, a method in use in various ways by scammers. Obviously, pretending to be someone else can have its advantages, especially if that someone else holds a position of power or trust with regards to the receiver.

But sending a message to the victim’s from their _own_ email address might convince the victim that they have lost access over their own account.

The text of the email roughly looks like this:

> “As you may have noticed, I sent you an email from your email account
> 
> This means I have full access to your account
> 
> I’ve been watching you for a few months
> 
> The thing is, you got infected with a njrat through an adult site you visited
> 
> If you don’t know about this, let me explain
> 
> The njrat gives me full access and control over your device.
> 
> This means I can see everything on your screen, turn on the camera and microphone, but you don’t know it
> 
> I also have access to all your contacts and all your correspondence.
> 
> On the left half of the screen, I made a video showing how you satisfied yourself, on the right half you see the video you watched.
> 
> With a click of a mouse I can send this video to all your emails and contacts on social networks
> 
> I can also see access to all your communications and messaging programs that you use.
> 
> If you want to avoid this,
> 
> Transfer the amount of 1200 USD to my bitcoin address (“write buy bitcoin or find for bitcoin exchange if you don’t know”)
> 
> My Bitcoin address (BTC wallet): 1FJg6nuRLLv4iQLNFPTpGwZfKjHJQnmwFs
> 
> After payment is received, I will delete the video and you will not hear from me again
> 
> I’m giving you 48 hours to pay
> 
> Do not forget that I will see you when you open the message, the counter will start
> 
> If I see you’ve shared this message with someone else, the video will be posted immediately”

If the victim decides to search for “njrat” they’ll find that it’s a remote access trojan (RAT) has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, upload/download files, view the victim’s desktop, and more.

Scary stuff, and it supports the claims the scammer makes.

But, as with all sextortion scams, this threat is an entirely empty one. There is more than likely no lurid video, no “njrat,” no list of contacts. Instead, there is just a threat which is meant to drive panic which is meant to drive payment.

When we checked, we were happy to see that the scammers’ Bitcoin wallet is empty, although they could have set up a separate one for each victim.

**How to recognize sextortion emails**

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

*   The emails often look as if they came from one of your own email addresses.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email, the scammer claims to have used “Pegasus” or some Trojan to spy on you through your own computer.
*   The scammer says they know “your password” or compromised your account.
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**What to do when you receive an email like this**

First of all, even if it’s only to reassure yourself, scan your computer with an anti-malware solution that can detect and remove njRAT (if present).

Second, if your computer is clean, check if your email account has not been compromised. Change the password and enable 2FA if possible.

Don’t respond to the scammer, since that will confirm that the email address is in use and the mail is read. This could invoke more emails from scammers.

Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.

Do not open unsolicited attachments. Especially when the sender address is suspicious or even your own.

For your ease of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

 “I sent you an email from your email account,” sextortion scam claims 

Hertz confirms data breach linked to Cleo software flaw; Cl0p ransomware group leaked stolen data, exposing names, driver’s…

Hertz confirms data breach linked to Cleo software flaw; Cl0p ransomware group leaked stolen data, exposing names, driver’s licenses, and credit card details.

Car rental company Hertz has announced that some of its customers’ private details were accessed without permission. This happened because of vulnerabilities in Cleo Communications US, LLC (Cleo), a company that provides software services to Hertz.  

It is worth noting that in December 2024, the Cl0p ransomware group claimed responsibility for exploiting vulnerabilities in Cleo’s managed file transfer software, leading to the theft of large amounts of corporate data. A few days later, the group published the stolen Hertz data archive on its dark web leak site.

Cl0p ransomware gang on its dark web leak site (Image credit: Hackread.com)

In its official press release (PDF), Hertz, which also owns Dollar and Thrifty car rental brands, explained that Cleo runs a system that Hertz uses to send files for specific tasks. On February 10, 2025, Hertz found out that some of its data was taken by an unauthorised individual, who Hertz believes took advantage of weaknesses, called zero-day vulnerabilities, in its software and were exploited in October 2024 and December 2024.

Right after detecting suspicious activity, Hertz launched an investigation to understand what happened and what information could be exposed. This investigation concluded on April 2, 2025, revealing that accessed data may include names, contact details, birth dates, credit card numbers, and driver’s license information.

“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims,” may also be impacted, the company explained.

Hertz confirmed that Cleo is investigating the issue and fixing the software problems, and that they have already reported this data breach to the police and other government agencies. To be extra careful, Hertz is offering two years of free identity monitoring or dark web monitoring services to people who might be affected, through a company called Kroll.  

Notably, a data breach notification filed with the Maine Attorney General reveals that 3,409 residents of Maine were affected by this data breach. Because this number exceeds 1,000, Hertz has notified consumer reporting agencies, as required by law in Maine. The breach is categorised as an “External system breach (hacking),” according to the Maine Attorney General’s filing, providing a clearer understanding of the nature of the security incident.

Herts claims that at the moment, there is no evidence that anyone’s information has been used to commit fraud. The company also recommends checking account statements and credit reports regularly and has provided a phone number, 866-408-8964, to call if you have more questions.

You can also put a fraud alert on their credit file for free, the company notes. An initial alert lasts for one year. To set up a fraud alert, you need to contact Equifax, Experian, or TransUnion. 

Another option is to put a “credit freeze” on your credit report. This stops credit bureaus from sharing information without the person’s permission. This can help prevent new credit accounts from being opened in someone’s name without their knowledge. However, Hertz warns that a credit freeze might delay or prevent the approval of new loans or credit if you need them quickly.

Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development, stating:

“It’s incredibly unfortunate that customers had their sensitive information compromised in such an attack. Data is a form of currency for cybercriminals, and therefore, it is essential that all organisations harbouring sensitive information manage their software risk by taking measures to improve their cybersecurity posture to prevent a compromise like this from happening again.”

Hertz Confirms Data Breach After Hackers Stole Customer PII

CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how…

CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how this scam works and how to protect yourself.

Cybersecurity researchers at CloudSEK have a new campaign exploiting the popularity of PDFCandy.com, an online file conversion tool used by over two and a half million people, including over half a million from India alone.

As per their research, shared with Hackread.com, attackers are distributing ArechClient2 malware to steal private information like browser usernames and passwords. It is a SectopRAT family malware active since 2019 and is spread through deceptive online advertising via Google Ads or fake software updates.

Reportedly, attackers have created a fake PDF to DOCX converter that is similar to the legitimate pdfcandy.com. They have gone to great lengths to copy the look and feel of the real website. Such as they use similar web addresses to trick unsuspecting users and have “meticulously replicated the user interface of the genuine platform and registered similar-looking domain names to deceive users,” CloudSEK’s researchers noted in the blog post.

Once a user lands on one of these fake sites, they are immediately asked to upload a PDF file for conversion, playing on a common need of many internet users. It even shows a fake loading animation as if a real conversion is happening, probably to build trust.

Then, unexpectedly, it presents a CAPTCHA verification, similar to what legitimate websites use for security. This marks a critical step in the attack where “social engineering transitions to system compromise,’ the report reads. This means the attack relies on manipulating how users typically interact with websites.

The Malicious Trap (Source: CloudSEK)

Introducing CAPTCHA serves two purposes: making the fake site appear more real and allowing users to click without thinking. Next, the website instructs users to run a command using Windows’ built-in tool PowerShell, leading to a system compromise. The command analysis reveals a series of redirects, starting with an innocent link and leading to a file named “adobe.zip,” hosted on 1728611543, which has been flagged as malicious by multiple security services.

The file contains a folder called “SoundBAND” with a dangerous executable file called “audiobitexe.” The attacker launches a multi-stage attack using a legitimate Windows program and a Windows tool, launching ArechClient2 information-stealing malware.

Fake PDFCandy websites involved in the scam (Screenshot: CloudSEK)

It is worth noting that the FBI warned on March 17, 2025, about malicious online file converters being used to distribute harmful software, so this threat is not new.

“Cybercriminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool,” the agency explained.

To protect against such threats, you should be cautious when using online file conversion services, verify website legitimacy before uploading files, pay attention to URLs, and be wary of unexpected prompts.

Fake PDFCandy File Converter Websites Spread Malware

AI code tools often hallucinate fake packages, creating a new threat called slopsquatting that attackers can exploit in…

AI code tools often hallucinate fake packages, creating a new threat called slopsquatting that attackers can exploit in public code repositories, a new study finds.

A new study by researchers from the University of Texas at San Antonio, the University of Oklahoma, and Virginia Tech has shown that AI tools designed to write computer code frequently make up software package names, a problem called “package hallucinations.”

It leads to recommendations for convincing-sounding but non-existent software package names, which can mislead developers into believing they are real and potentially push them to search for the non-existent packages on public code repositories.

This could allow attackers to upload malicious packages with those same hallucinated names to popular code repositories, where unsuspecting developers will assume they’re legitimate and incorporate them into their projects.

This new attack vector, called slopsquatting, is similar to traditional **typosquatting attacks**, with the only difference being that instead of subtle misspellings, it uses AI-generated hallucinations to trick developers.

Researchers systematically examined package hallucinations in code-generating Large Language Models (**LLMs**), including both commercial and open-source models and found that a significant percentage of generated packages are fictitious. For your information, LLMs are a type of artificial intelligence that can generate human-like text and code.

The universities analysed around 16 widely used code-generating LLMs and two prompt datasets to understand the scope of the package hallucination problem. Some 576,000 code samples were generated in Python and JavaScript. According to the research, shared exclusively with Hackread.com, “package hallucinations were found to be a pervasive phenomenon across all 16 models tested.”

Also, this issue was prevalent across both commercial and open-source models, and commercial LLMs like GPT-4 hallucinate less often than open-source models. “GPT series models were found to be 4 times less likely to generate hallucinated packages compared to open-source models,” researchers **noted** (PDF).

Another observation was that the way LLMs are configured can influence the rate of hallucinations. Specifically, lower temperature settings in LLMs reduce hallucination rates, while higher temperatures dramatically increase them.

What’s even more concerning is that LLMs tend to repeat the same invented package names because “58% of the time, a hallucinated package is repeated more than once in 10 iterations,” the research indicates. This means the problem isn’t just random errors but a consistent behaviour, making it easier for hackers to exploit.

Furthermore, it was discovered that LLMs are more likely to hallucinate when prompted with recent topics or packages and generally struggle to identify their own hallucinations.

The screenshot shows the exploitation of package hallucination (Credit: arxiv)

Researchers agree that package hallucinations are a novel form of package confusion attack, asserting that code-generating LLMs should adopt a more “conservative” approach in suggesting packages, sticking to a smaller set of well-known and reliable ones.

These findings highlight the importance of addressing package hallucinations to enhance the reliability and security of AI-assisted software development. Researchers have developed several strategies to reduce package hallucinations in code-generating LLMs.

These include Retrieval Augmented Generation (RAG), self-refinement, and fine-tuning. They also emphasize showing commitment to open science by making their source code, datasets, and generated code publicly available, except for the master list of hallucinated package names and detailed test results.

**Casey Ellis**, Founder of Bugcrowd, commented on the rise of AI-assisted development, noting that while it boosts speed, it often lacks the matching rise in quality and security. He warned that over-trusting LLM outputs and rushing development can lead to issues like slopsquatting, where speed trumps caution. “Developers aim to make things work, not necessarily to prevent what shouldn’t happen,” Ellis said, adding that this misalignment, amplified by AI, naturally leads to these types of vulnerabilities.

New “Slopsquatting” Threat Emerges from AI-Generated Code Hallucinations

This week, our Year in Review spotlight is on ransomware—where low-profile tactics led to high-impact consequences. Download our 2 page ransomware summary, or watch our 55 second video.

Tuesday, April 15, 2025 05:50

This week, our _Year in Review_ spotlight is on **ransomware**—where low-profile tactics led to high-impact consequences.

Ransomware operators often prioritized stealth over complexity for initial access. They also focused on slipping past defenses with minimal noise—uninstalling security tools, creating new firewall rules for remote access, and using common, freely available tools.

The ransomware-as-a-service landscape also paints an interesting picture. A new player quickly rose through the ranks, becoming the second most prolific operator by targeting large payouts.

Something that hasn't really changed over the years is the sectors that ransomware actors target most heavily - favouring industries that typically have lower security budgets, irregular monitoring, but highly sensitive data.

We’ve pulled together the most significant insights in a **quick, 2-page PDF**:

If you only have 55 seconds? Watch this video:

For the full analysis, download Talos' 2024 Year in Review.

Year in Review: The biggest trends in ransomware

President Trump last week revoked security clearances for Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history. The White House memo, which also suspended clearances for other security professionals at Krebs's employer SentinelOne, comes as CISA is facing huge funding and staffing cuts.

**President Trump** last week revoked security clearances for **Chris Krebs**, the former director of the **Cybersecurity and Infrastructure Security Agency** (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history. The White House memo, which also suspended clearances for other security professionals at Krebs’s employer **SentinelOne**, comes as CISA is facing huge funding and staffing cuts.

Chris Krebs. Image: Getty Images.

The extraordinary April 9 memo directs the attorney general to investigate Chris Krebs (no relation), calling him “a significant bad-faith actor who weaponized and abused his government authority.”

The memo said the inquiry will include “a comprehensive evaluation of all of CISA’s activities over the last 6 years and will identify any instances where Krebs’ or CISA’s conduct appears to be contrary to the administration’s commitment to free speech and ending federal censorship, including whether Krebs’ conduct was contrary to suitability standards for federal employees or involved the unauthorized dissemination of classified information.”

CISA was created in 2018 during Trump’s first term, with Krebs installed as its first director. In 2020, CISA launched Rumor Control, a website that sought to rebut disinformation swirling around the 2020 election.

That effort ran directly counter to Trump’s claims that he lost the election because it was somehow hacked and stolen. The Trump campaign and its supporters filed at least 62 lawsuits contesting the election, vote counting, and vote certification in nine states, and nearly all of those cases were dismissed or dropped for lack of evidence or standing.

When the Justice Department began prosecuting people who violently attacked the U.S. Capitol on January 6, 2021, President Trump and Republican leaders shifted the narrative, claiming that Trump lost the election because the previous administration had censored conservative voices on social media.

Incredibly, the president’s memo seeking to ostracize Krebs stands reality on its head, accusing Krebs of promoting the censorship of election information, “including known risks associated with certain voting practices.” Trump also alleged that Krebs “_falsely and baselessly denied that the 2020 election was rigged and stolen_, including by inappropriately and categorically dismissing widespread election malfeasance and serious vulnerabilities with voting machines” \[emphasis added\].

Krebs did not respond to a request for comment. SentinelOne issued a statement saying it would cooperate in any review of security clearances held by its personnel, which is currently fewer than 10 employees.

Krebs’s former agency is now facing steep budget and staff reductions. **The Record** reports that CISA is looking to remove some 1,300 people by cutting about half its full-time staff and another 40% of its contractors.

“The agency’s National Risk Management Center, which serves as a hub analyzing risks to cyber and critical infrastructure, is expected to see significant cuts, said two sources familiar with the plans,” The Record’s **Suzanne Smalley** wrote. “Some of the office’s systematic risk responsibilities will potentially be moved to the agency’s Cybersecurity Division, according to one of the sources.”

CNN reports the Trump administration is also advancing plans to strip civil service protections from 80% of the remaining CISA employees, potentially allowing them to be fired for political reasons.

The **Electronic Frontier Foundation** (EFF) urged professionals in the cybersecurity community to defend Krebs and SentinelOne, noting that other security companies and professionals could be the next victims of Trump’s efforts to politicize cybersecurity.

“The White House must not be given free reign to turn cybersecurity professionals into political scapegoats,” the EFF wrote. “It is critical that the cybersecurity community now join together to denounce this chilling attack on free speech and rally behind Krebs and SentinelOne rather than cowering because they fear they will be next.”

However, **Reuters** said it found little sign of industry support for Krebs or SentinelOne, and that many security professionals are concerned about potentially being targeted if they speak out.

“Reuters contacted 33 of the largest U.S. cybersecurity companies, including tech companies and professional services firms with large cybersecurity practices, and three industry groups, for comment on Trump’s action against SentinelOne,” wrote **Raphael Satter** and **A.J. Vicens**. “Only one offered comment on Trump’s action. The rest declined, did not respond or did not answer questions.”

**CYBERCOM-PLICATIONS**

On April 3, President Trump fired **Gen. Timothy Haugh**, the head of the **National Security Agency** (NSA) and the **U.S. Cyber Command**, as well as Haugh’s deputy, **Wendy Noble**. The president did so immediately after meeting in the Oval Office with far-right conspiracy theorist Laura Loomer, who reportedly urged their dismissal. Speaking to reporters on Air Force One after news of the firings broke, Trump questioned Haugh’s loyalty.

Gen. Timothy Haugh. Image: C-SPAN.

Virginia **Senator Mark Warner**, the top Democrat on the Senate Intelligence Committee, called it inexplicable that the administration would remove the senior leaders of NSA-CYBERCOM without cause or warning, and risk disrupting critical ongoing intelligence operations.

“It is astonishing, too, that President Trump would fire the nonpartisan, experienced leader of the National Security Agency while still failing to hold any member of his team accountable for leaking classified information on a commercial messaging app – even as he apparently takes staffing direction on national security from a discredited conspiracy theorist in the Oval Office,” Warner said in a statement.

On Feb. 28, The Record’s **Martin Matishak** cited three sources saying Defense Secretary **Pete Hegseth** ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions. The following day, **The Guardian** reported that analysts at CISA were verbally informed that they were not to follow or report on Russian threats, even though this had previously been a main focus for the agency.

A follow-up story from **The Washington Post** cited officials saying Cyber Command had received an order to halt active operations against Russia, but that the pause was intended to last only as long as negotiations with Russia continue.

The Department of Defense responded on Twitter/X that Hegseth had “neither canceled nor delayed any cyber operations directed against malicious Russian targets and there has been no stand-down order whatsoever from that priority.”

But on March 19, Reuters reported several U.S. national security agencies have halted work on a coordinated effort to counter Russian sabotage, disinformation and cyberattacks.

“Regular meetings between the National Security Council and European national security officials have gone unscheduled, and the NSC has also stopped formally coordinating efforts across U.S. agencies, including with the FBI, the Department of Homeland Security and the State Department,” Reuters reported, citing current and former officials.

**TARIFFS VS TYPHOONS**

President’s Trump’s institution of 125% tariffs on goods from China has seen Beijing strike back with 84 percent tariffs on U.S. imports. Now, some security experts are warning that the trade war could spill over into a cyber conflict, given China’s successful efforts to burrow into America’s critical infrastructure networks.

Over the past year, a number of Chinese government-backed digital intrusions have come into focus, including a sprawling espionage campaign involving the compromise of at least nine U.S. telecommunications providers. Dubbed “Salt Typhoon” by Microsoft, these telecom intrusions were pervasive enough that CISA and the FBI in December 2024 warned Americans against communicating sensitive information over phone networks, urging people instead to use encrypted messaging apps (like Signal).

The other broad ranging China-backed campaign is known as “Volt Typhoon,” which CISA described as “state-sponsored cyber actors seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

Responsibility for determining the root causes of the Salt Typhoon security debacle fell to the Cyber Safety Review Board (CSRB), a nonpartisan government entity established in February 2022 with a mandate to investigate the security failures behind major cybersecurity events. But on his first full day back in the White House, President Trump dismissed all 15 CSRB advisory committee members — likely because those advisers included Chris Krebs.

Last week, **Sen. Ron Wyden** (D-Ore.) placed a hold on Trump’s nominee to lead CISA, saying the hold would continue unless the agency published a report on the telecom industry hacks, as promised.

“CISA’s multi-year cover up of the phone companies’ negligent cybersecurity has real consequences,” Wyden said in a statement. “Congress and the American people have a right to read this report.”

**The Wall Street Journal** reported last week Chinese officials acknowledged in a secret December meeting that Beijing was behind the widespread telecom industry compromises.

“The Chinese official’s remarks at the December meeting were indirect and somewhat ambiguous, but most of the American delegation in the room interpreted it as a tacit admission and a warning to the U.S. about Taiwan,” The Journal’s **Dustin Volz** wrote, citing a former U.S. official familiar with the meeting.

Meanwhile, China continues to take advantage of the mass firings of federal workers. On April 9, the **National Counterintelligence and Security Center** warned (PDF) that Chinese intelligence entities are pursuing an online effort to recruit recently laid-off U.S. employees.

“Foreign intelligence entities, particularly those in China, are targeting current and former U.S. government (USG) employees for recruitment by posing as consulting firms, corporate headhunters, think tanks, and other entities on social and professional networking sites,” the alert warns. “Their deceptive online job offers, and other virtual approaches, have become more sophisticated in targeting unwitting individuals with USG backgrounds seeking new employment.”

Image: Dni.gov

**ELECTION THREATS**

As Reuters notes, the FBI last month ended an effort to counter interference in U.S. elections by foreign adversaries including Russia, and put on leave staff working on the issue at the Department of Homeland Security.

Meanwhile, the U.S. Senate is now considering a House-passed bill dubbed the “**Safeguard American Voter Eligibility (SAVE) Act**,” which would order states to obtain proof of citizenship, such as a passport or a birth certificate, in person from those seeking to register to vote.

Critics say the SAVE Act could disenfranchise millions of voters and discourage eligible voters from registering to vote. What’s more, documented cases of voter fraud are few and far between, as is voting by non-citizens. Even the conservative **Heritage Foundation** acknowledges as much: An interactive “election fraud map” published by Heritage lists just 1,576 convictions or findings of voter fraud between 1982 and the present day.

Nevertheless, the GOP-led House passed the SAVE Act with the help of four Democrats. Its passage in the Senate will require support from at least seven Democrats, Newsweek writes.

In February, CISA cut roughly 130 employees, including its election security advisors. The agency also was forced to freeze all election security activities pending an internal review. The review was reportedly completed in March, but the Trump administration has said the findings would not be made public, and there is no indication of whether any cybersecurity support has been restored.

Many state leaders have voiced anxiety over the administration’s cuts to CISA programs that provide assistance and threat intelligence to election security efforts. **Iowa Secretary of State Paul Pate** last week told the **PBS** show I**owa Press** he would not want to see those programs dissolve.

“If those (systems) were to go away, it would be pretty serious,” Pate said. “We do count on a lot those cyber protections.”

Pennsylvania’s **Secretary of the Commonwealth Al Schmidt** recently warned the CISA election security cuts would make elections less secure, and said no state on its own can replace federal election cybersecurity resources.

The **Pennsylvania Capital-Star** reports that several local election offices received bomb threats around the time polls closed on Nov. 5, and that in the week before the election a fake video showing mail-in ballots cast for Trump and Sen. Dave McCormick (R-Pa.) being destroyed and thrown away was linked to a Russian disinformation campaign.

“CISA was able to quickly identify not only that it was fraudulent, but also the source of it, so that we could share with our counties and we could share with the public so confidence in the election wasn’t undermined,” Schmidt said.

According to CNN, the administration’s actions have deeply alarmed state officials, who warn the next round of national elections will be seriously imperiled by the cuts. A bipartisan association representing 46 secretaries of state, and several individual top state election officials, have pressed the White House about how critical functions of protecting election security will perform going forward. However, CNN reports they have yet to receive clear answers.

Nevada and 18 other states are suing Trump over an executive order he issued on March 25 that asserts the executive branch has broad authority over state election procedures.

“None of the president’s powers allow him to change the rules of elections,” Nevada Secretary of State **Cisco Aguilar** wrote in an April 11 op-ed. “That is an intentional feature of our Constitution, which the Framers built in to ensure election integrity. Despite that, Trump is seeking to upend the voter registration process; impose arbitrary deadlines on vote counting; allow an unelected and unaccountable billionaire to invade state voter rolls; and withhold congressionally approved funding for election security.”

The order instructs the **U.S. Election Assistance Commission** to abruptly amend the voluntary federal guidelines for voting machines without going through the processes mandated by federal law. And it calls for allowing the administrator of the so-called **Department of Government Efficiency** (DOGE), along with DHS, to review state voter registration lists and other records to identify non-citizens.

The Atlantic’s **Paul Rosenzweig** notes that the chief executive of the country — whose unilateral authority the Founding Fathers most feared — has literally no role in the federal election system.

“Trump’s executive order on elections ignores that design entirely,” Rosenzweig wrote. “He is asserting an executive-branch role in governing the mechanics of a federal election that has never before been claimed by a president. The legal theory undergirding this assertion — that the president’s authority to enforce federal law enables him to control state election activity — is as capacious as it is frightening.”

Trump Revenge Tour Targets Cyber Leaders, Elections

ReversingLabs reveals a malicious npm package targeting Atomic and Exodus wallets, silently hijacking crypto transfers via software patching.

**TL;DR – ReversingLabs has identified a malicious npm package, “pdf-to-office,” that targets Atomic and Exodus crypto wallet users by silently patching local software to hijack transactions. The malware swaps recipient wallet addresses and remains persistent even after removal.**

Cybersecurity firm ReversingLabs (RL) has uncovered a new tactic threat actors are employing to target cryptocurrency users. Their latest research, shared with Hackread.com, reveals that cybercriminals are leveraging the **npm** (Node Package Manager) network to inject malicious code into locally installed cryptocurrency wallet software, specifically targeting Atomic Wallet and Exodus.

This attack involves the malicious patching of legitimate software files, allowing attackers to intercept cryptocurrency transfers by silently swapping recipient wallet addresses.

****Fake Package and Malicious Injection****

RL researchers discovered a malicious npm package named “pdf-to-office” that falsely appeared as a utility for converting PDF files to **Microsoft Office documents**. However, upon execution, it deployed a malicious payload to modify key files within Atomic Wallet and Exodus installation directories.

Malicious Package (Source: RevesingLabs)

The malware overwrites legitimate files with trojanised versions, secretly altering the destination address for outgoing cryptocurrency transactions. This allows attackers to remain undetected for an extended period, as the wallet’s core functionality appears unchanged to the user.

ReversingLabs’ automated Spectra Assure platform flagged this package as suspicious because it exhibited behaviours consistent with previous npm-based malware campaigns. An obfuscated Javascript file was also found within the package, revealing malicious intent.

The payload targeted the "atomic/resources/app.asar" archive in **Atomic Wallet**‘s directory and the "src/app/ui/index.js" file in **Exodus**.

“Atomic Wallets weren’t the only target of this malicious package, either. RL also detected a malicious payload that tried to inject a trojanised file inside a legitimate, locally-installed Exodus wallet as well,” wrote ReversingLabs’ Software Threat Researcher Lucija Valentić in a **blog post**.

The attackers targeted specific Atomic Wallet versions (2.91.5 and 2.90.6), indicating sophistication in their targeting. The malicious files were named accordingly, overwriting the correct file regardless of the installed version.

“We also observed what appears to be an effort by the malicious actors to cover their tracks and thwart incident response efforts, or simply to exfiltrate even more information,” the researcher explained.

****Persistence and Impact****

A particularly problematic part of this campaign is its persistence. Research indicates that even if the malicious “pdf-to-office” package is removed from the victim’s system, the compromised cryptocurrency wallet software remains infected.

Moreover, the trojanised files within Atomic Wallet and Exodus continue to operate, silently redirecting funds to the attackers’ Web3 wallet. The only effective way to eliminate the threat is a complete removal and re-installation of the affected wallet software.

The good news is that the official Atomic Wallet and Exodus Wallet installers remain unaffected, but the compromise occurs after the malicious “pdf-to-office” package is installed and executed.

It is worth noting that this campaign is similar to a previous one RL **reported in late March**, which used two malicious npm packages, "ethers-provider2" and "ethers-providerz" to deliver a payload that patched the legitimate “ethers” package to serve a reverse shell.

The cryptocurrency sector is, therefore, facing increasing risks from software supply chain attacks. These attacks are becoming more sophisticated and frequency-driven, requiring increased vigilance from software producers and end-user organizations.

npm Malware Targets Atomic and Exodus Wallets to Hijack Crypto Transfers

Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries to execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack.
The newly discovered package, named pdf-to-office, masquerades as a utility for converting PDF files to Microsoft Word documents. But, in

Malicious npm Package Targets Atomic Wallet, Exodus Users by Swapping Crypto Addresses

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

A new phishing campaign is targeting users across **Latin America**, and at the center of it is Grandoreiro, a banking trojan known for stealing sensitive financial data. With geofencing and stealthy evasion tactics, this malware is proving difficult to catch with standard defenses.

Let’s take a closer look at the campaign, how the attack unfolds, and what makes it so effective.

****Grandoreiro Attack Overview****

Between February 19 and March 14, researchers noticed a surge in phishing activity tied to Grandoreiro, and signs show the campaign is still ongoing.

A spike of Grandoreiro was detected

Grandoreiro has been around for years, constantly evolving to stay ahead of detection. It’s designed to steal banking credentials, monitor user activity, and grant remote access to attackers.

One of the standout techniques in this campaign is geofencing. Before running, the malware checks the victim’s IP address to determine their location. If the user isn’t in a targeted Latin American country, the malware simply stops executing. This makes the campaign more focused, reduces unnecessary exposure, and helps it slip past global security monitoring.

****Grandoreiro Attack Chain****

Grandoreiro is known for slipping past traditional security tools, making it tough to detect using automated solutions alone. However, with the help of interactive sandboxes, it’s possible to observe the malware’s full behavior in real time.

Here’s a complete look at the execution chain inside a secure sandbox: 

**View sandbox analysis session**

The full execution chain of Grandoreiro is displayed inside ANY.RUN sandbox

Understanding the who, when, and how behind this campaign will help security teams proactively strengthen their defenses. Real-time threat analysis platforms not only uncover these details but also make them immediately actionable.

****Initial Access: Phishing Email****

The infection begins with a phishing page that lures the victim into clicking a link or downloading a fake PDF document. Instead of a PDF, the file is actually a compressed archive (.ZIP or .RAR) containing the Grandoreiro loader.

Phishing link with a fake PDF document displayed inside ANY.RUN sandbox

**Execution & Geofencing**

Once the file is extracted and opened, the malware sends a request to ip-apicom to determine the user’s geolocation.

If the IP address falls outside the targeted LATAM countries, the malware halts execution, but if it matches a targeted region, the attack proceeds.

Suricata rule triggered inside ANY.RUN sandbox

**DNS Evasion: Google DNS**

Grandoreiro avoids local DNS queries by sending a request to dns.google. It provides the domain name of its command-and-control (C2) server, which Google resolves to an IP address.

This step helps it bypass DNS-based blocking mechanisms and improves its chances of successful communication.

Traditional solutions often miss these evasion tricks, but ANY.RUN captures them in real time, helping teams build effective detection logic that actually reflects how modern malware behaves.

**Connection to C2**

After resolving the C2 domain, the malware sends a GET request to the retrieved IP address to establish a connection. This opens the door for the attacker to deliver additional payloads, steal credentials, or take remote control of the infected machine.

**Grandoreiro in Action: Tactics & Techniques**

Establishing a connection to the C2 server is just the beginning. Once communication is successful, Grandoreiro kicks off a series of actions designed to stay hidden, gather data, and prepare for further exploitation.

In this specific attack, ANY.RUN’s sandbox reveals a wide range of techniques triggered across multiple MITRE ATT&CK categories. You can see all of them mapped in the ATT&CK tab of the analysis session:

MITRE ATT&CK tactics and techniques used by adversaries

****Detection & Response Tips****

Detecting Grandoreiro isn’t easy; it blends in well and uses clever tricks. But here’s how you can stay one step ahead:

*   **Watch for phishing lures** posing as PDF downloads (often .ZIP or .RAR archives).

*   **Monitor external DNS requests**, especially to dns.google, right after execution.

*   **Flag geolocation lookups** to services like ip-apicom; it’s a key part of Grandoreiro’s filtering tactic.

*   **Use behavior-based analysis** to catch post-execution tactics like file deletion, credential access, or system discovery.

****Catch the Attack Before It Spreads****

The Grandoreiro campaign shows how modern threats evolve and why visibility into behavior matters more than ever.

With ANY.RUN sandbox, security teams can interact with malware in real time, uncover hidden tactics, and respond with confidence. From phishing to post-exploitation, everything is mapped, visualized, and ready for action.

Grandoreiro Strikes Again: Geofenced Phishing Attacks Target LATAM

A Minnesota cybersecurity and computer forensics expert whose testimony has featured in thousands of courtroom trials over the past 30 years is facing questions about his credentials and an inquiry from the Federal Bureau of Investigation (FBI). Legal experts say the inquiry could be grounds to reopen a number of adjudicated cases in which the expert's testimony may have been pivotal.

A Minnesota cybersecurity and computer forensics expert whose testimony has featured in thousands of courtroom trials over the past 30 years is facing questions about his credentials and an inquiry from the **Federal Bureau of Investigation** (FBI). Legal experts say the inquiry could be grounds to reopen a number of adjudicated cases in which the expert’s testimony may have been pivotal.

One might conclude from reading Mr. Lanterman’s LinkedIn profile that has a degree from Harvard University.

**Mark Lanterman** is a former investigator for the U.S. Secret Service Electronics Crimes Task Force who founded the Minneapolis consulting firm **Computer Forensic Services** (CFS). The CFS website says Lanterman’s 30-year career has seen him testify as an expert in more than 2,000 cases, with experience in cases involving sexual harassment and workplace claims, theft of intellectual property and trade secrets, white-collar crime, and class action lawsuits.

Or at least it did until last month, when Lanterman’s profile and work history were quietly removed from the CFS website. The removal came after **Hennepin County Attorney’s Office** said it was notifying parties to ten pending cases that they were unable to verify Lanterman’s educational and employment background. The county attorney also said the FBI is now investigating the allegations.

Those allegations were raised by **Sean Harrington**, an attorney and forensics examiner based in Prescott, Wisconsin. Harrington alleged that Lanterman lied under oath in court on multiple occasions when he testified that he has a Bachelor of Science and a Master’s degree in computer science from the now-defunct **Upsala College**, and that he completed his postgraduate work in cybersecurity at **Harvard University**.

Harrington’s claims gained steam thanks to digging by the law firm **Perkins Coie LLP**, which is defending a case wherein a client’s laptop was forensically reviewed by Lanterman. On March 14, Perkins Coie attorneys asked the judge (PDF) to strike Lanterman’s testimony because neither he nor they could substantiate claims about his educational background.

Upsala College, located in East Orange, N.J., operated for 102 years until it closed in 1995 after a period of declining enrollment and financial difficulties. Perkins Coie told the court that they’d visited **Felician University**, which holds the transcripts for Upsala College during the years Lanterman claimed to have earned undergraduate and graduate degrees. The law firm said Felician had no record of transcripts for Lanterman (PDF), and that his name was absent from all of the Upsala College student yearbooks and commencement programs during that period.

Reached for comment, Lanterman acknowledged he had no way to prove he attended Upsala College, and that his “postgraduate work” at Harvard was in fact an eight-week online cybersecurity class called **HarvardX**, which cautions that its certificates should not be considered equivalent to a Harvard degree or a certificate earned through traditional, in-person programs at Harvard University.

Lanterman has testified that his first job after college was serving as a police officer in Springfield Township, Pennsylvania, although the Perkins Coie attorneys noted that this role was omitted from his resume. The attorneys said when they tried to verify Lanterman’s work history, “the police department responded with a story that would be almost impossible to believe if it was not corroborated by Lanterman’s own email communications.”

As recounted in the March 14 filing, Lanterman was deposed on Feb. 11, and the following day he emailed the Springfield Township Police Department to see if he could have a peek at his old personnel file. On Feb. 14, Lanterman visited the Springfield Township PD and asked to borrow his employment record. He told the officer he spoke with on the phone that he’d recently been instructed to “get his affairs in order” after being diagnosed with a grave heart condition, and that he wanted his old file to show his family about his early career.

According to Perkins Coie, Lanterman left the Springfield Township PD with his personnel file, and has not returned it as promised.

“It is shocking that an expert from Minnesota would travel to suburban Philadelphia and abscond with his decades-old personnel file to obscure his background,” the law firm wrote. “That appears to be the worst and most egregious form of spoliation, and the deception alone is reason enough to exclude Lanterman and consider sanctions.”

Harrington initially contacted KrebsOnSecurity about his concerns in late 2023, fuming after sitting through a conference speech in which Lanterman shared documents from a ransomware victim and told attendees it was because they’d refused to hire his company to perform a forensic investigation on a recent breach.

“He claims he was involved in the Martha Stewart investigation, the Bernie Madoff trial, Paul McCartney’s divorce, the Tom Petters investigation, the Denny Hecker investigation, and many others,” Harrington said. “He claims to have been invited to speak to the Supreme Court, claims to train the ‘entire federal judiciary’ on cybersecurity annually, and is a faculty member of the United States Judicial Conference and the Judicial College — positions which he obtained, in part, on a house of fraudulent cards.”

In an interview this week, Harrington said court documents reveal that at least two of Lanterman’s previous clients complained CFS had held their data for ransom over billing disputes. In a declaration (PDF) dated August 2022, the co-founder of the law firm **MoreLaw Minneapolis LLC** said she hired Lanterman in 2014 to examine several electronic devices after learning that one of their paralegals had a criminal fraud history.

But the law firm said when it pushed back on a consulting bill that was far higher than expected, Lanterman told them CFS would “escalate” its collection efforts if they didn’t pay, including “a claim and lien against the data which will result in a public auction of your data.”

“All of us were flabbergasted by Mr. Lanterman’s email,” wrote MoreLaw co-founder **Kimberly Hanlon**. “I had never heard of any legitimate forensic company threatening to ‘auction’ off an attorney’s data, particularly knowing that the data is comprised of confidential client data, much of which is sensitive in nature.”

In 2009, a Wisconsin-based manufacturing company that had hired Lanterman for computer forensics balked at paying an $86,000 invoice from CFS, calling it “excessive and unsubstantiated.” The company told a Hennepin County court that on April 15, 2009, CFS conducted an auction of its trade secret information in violation of their confidentiality agreement.

“CFS noticed and conducted a Public Sale of electronic information that was entrusted to them pursuant to the terms of the engagement agreement,” the company wrote. “CFS submitted the highest bid at the Public Sale in the amount of $10,000.”

Lanterman briefly responded to a list of questions about his background (and recent heart diagnosis) on March 24, saying he would send detailed replies the following day. Those replies never materialized. Instead, Lanterman forwarded a recent memo he wrote to the court that attacked Harrington and said his accuser was only trying to take out a competitor. He has not responded to further requests for comment.

“When I attended Upsala, I was a commuter student who lived with my grandparents in Morristown, New Jersey approximately 30 minutes away from Upsala College,” Lanterman explained to the judge (PDF) overseeing a separate ongoing case (PDF) in which he has testified. “With limited resources, I did not participate in campus social events, nor did I attend graduation ceremonies. In 2023, I confirmed with Felician University — which maintains Upsala College’s records — that they could not locate my transcripts or diploma, a situation that they indicated was possibly due to unresolved money-related issues.”

Lanterman was ordered to appear in court on April 3 in the case defended by Perkins Coie, but he did not show up. Instead, he sent a message to the judge withdrawing from the case.

“I am 60 years old,” Lanterman told the judge. “I created my business from nothing. I am done dealing with the likes of individuals like Sean Harrington. And quite frankly, I have been planning at turning over my business to my children for years. That time has arrived.”

Lanterman’s letter leaves the impression that it was his decision to retire. But according to an affidavit (PDF) filed in a Florida case on March 28, Mark Lanterman’s son Sean said he’d made the difficult decision to ask his dad to step down given all the negative media attention.

**Mark Rasch**, a former federal cybercrime prosecutor who now serves as counsel to the New York cybersecurity intelligence firm Unit 221B, said that if an expert witness is discredited, any defendants who lost cases that were strongly influenced by that expert’s conclusions at trial could have grounds for appeal.

Rasch said law firms who propose an expert witness have a duty in good faith to vet that expert’s qualifications, knowing that those credentials will be subject to cross-examination.

“Federal rules of civil procedure and evidence both require experts to list every case they have testified in as an expert for the past few years,” Rasch said. “Part of that due diligence is pulling up the results of those cases and seeing what the nature of their testimony has been.”

Perhaps the most well-publicized case involving significant forensic findings from Lanterman was the 2018 conviction of **Stephen Allwine**, who was found guilty of killing his wife two years earlier after attempts at hiring a hitman on the dark net fell through. Allwine is serving a sentence of life in prison, and continues to maintain that he was framed, casting doubt on computer forensic evidence found on 64 electronic devices taken from his home.

On March 24, Allwine petitioned a Minnesota court (PDF) to revisit his case, citing the accusations against Lanterman and his role as a key witness for the prosecution.

Tag

#pdf