#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

Cybercriminal | Breaking Cybersecurity News | The Hacker News

Category — Cybercriminal
TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer

TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer

Apr 11, 2024 Endpoint Security / Ransomware
A threat actor tracked as  TA547  has targeted dozens of German organizations with an information stealer called  Rhadamanthys  as part of an invoice-themed phishing campaign. "This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors," Proofpoint  said . "Additionally, the actor appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM)." TA547 is a prolific, financially motivated threat actor that's known to be active since at least November 2017, using email phishing lures to deliver a variety of Android and Windows malware such as ZLoader, Gootkit, DanaBot, Ursnif, and even Adhubllka ransomware. In recent years, the group has  evolved  into an initial access broker (IAB) for ransomware attacks. It has also been observed employing geofencing tricks to restrict payloads to specific regions. The email messages obs...
How Cybercriminals are Exploiting India's UPI for Money Laundering Operations

How Cybercriminals are Exploiting India's UPI for Money Laundering Operations

Mar 04, 2024 Cybercrime / Mobile Security
Cybercriminals are using a network of hired money mules in India using an Android-based application to orchestrate a massive money laundering scheme. The malicious application, called  XHelper , is a "key tool for onboarding and managing these money mules," CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel  said  in a report. Details about the scam  first emerged  in late October 2023, when Chinese cyber criminals were found to take advantage of the fact that Indian Unified Payments Interface ( UPI ) service providers operate without coverage under the Prevention of Money Laundering Act (PMLA) to initiate illegal transactions under the guise of offering an instant loan. The ill-gotten proceeds from the operation are transferred to other accounts belonging to hired mules, who are recruited from Telegram in return for commissions ranging from 1-2% of the total transaction amounts. "Central to this operation are Chinese payment ga...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
New 'VietCredCare' Stealer Targeting Facebook Advertisers in Vietnam

New 'VietCredCare' Stealer Targeting Facebook Advertisers in Vietnam

Feb 21, 2024 Malware / Cyber Threat
Facebook advertisers in Vietnam are the target of a previously unknown information stealer dubbed  VietCredCare  at least since August 2022. The malware is "notable for its ability to automatically filter out Facebook session cookies and credentials stolen from compromised devices, and assess whether these accounts manage business profiles and if they maintain a positive Meta ad credit balance," Singapore-headquartered Group-IB  said  in a new report shared with The Hacker News. The end goal of the large-scale malware distribution scheme is to facilitate the takeover of corporate Facebook accounts by targeting Vietnamese individuals who manage the Facebook profiles of prominent businesses and organizations. Facebook accounts that have been successfully seized are then used by the threat actors behind the operation to post political content or to propagate phishing and affiliate scams for financial gain. VietCredCare is offered to other aspiring cybercriminals u...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

Feb 16, 2024 Endpoint Security / Cryptocurrency
Multiple companies operating in the cryptocurrency sector are the target of an ongoing malware campaign that involves a newly discovered Apple macOS backdoor codenamed RustDoor. RustDoor was  first documented  by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It's distributed by masquerading itself as a Visual Studio update. While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown. That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor. "Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that downl...
U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators

U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators

Feb 11, 2024 Malware / Cybercrime
The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called  Warzone RAT . The domains –  www.warzone[.]ws  and three others – were "used to sell computer malware used by cybercriminals to secretly access and steal data from victims' computers," the DoJ  said . Alongside the takedown, the international law enforcement effort has arrested and indicted two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and helping other cybercriminals use the RAT for malicious purposes. The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31) have been charged with unauthorized damage to protected computers, with the former also accused of "illegally selling and advertising an electronic interception device and participating in a conspiracy to commit several computer intrusion offenses." Meli is alleged to have offered malware se...
DoJ Charges 19 Worldwide in $68 Million xDedic Dark Web Marketplace Fraud

DoJ Charges 19 Worldwide in $68 Million xDedic Dark Web Marketplace Fraud

Jan 08, 2024 Financial Fraud / Cybercrime
The U.S. Department of Justice (DoJ) said it charged 19 individuals worldwide in connection with the now-defunct xDedic Marketplace , which is estimated to have facilitated more than $68 million in fraud. In  wrapping up its investigation  into the dark web portal, the agency said the transnational operation was the result of close cooperation with law enforcement authorities from Belgium, Germany, the Netherlands, Ukraine, and Europol. Of the 19 defendants, three have been sentenced to 6.5 years in prison, eight have been awarded jail terms ranging from one year to five years, and one individual has been ordered to serve five years' probation. One among them includes Glib Oleksandr Ivanov-Tolpintsev, a Ukrainian national who was  sentenced to four years in prison  in May 2022 for selling compromised credentials on xDedic and making $82,648 in illegal profits. Dariy Pankov, described by the DoJ as one of the highest sellers by volume, offered credentials of no ...
New JinxLoader Targeting Users with Formbook and XLoader Malware

New JinxLoader Targeting Users with Formbook and XLoader Malware

Jan 01, 2024 Malware / Dark Web
A new Go-based malware loader called  JinxLoader  is being used by threat actors to deliver next-stage payloads such as  Formbook and its successor XLoader . The  disclosure  comes from cybersecurity firms Palo Alto Networks Unit 42 and Symantec, both of which highlighted multi-step attack sequences that led to the deployment of JinxLoader through phishing attacks. "The malware pays homage to League of Legends character  Jinx , featuring the character on its ad poster and [command-and-control] login panel," Symantec  said . "JinxLoader's primary function is straightforward – loading malware." Unit 42  revealed  in late November 2023 that the malware service was  first advertised  on hackforums[.]net on April 30, 2023, for $60 a month, $120 a year, or for a lifetime fee of $200. The attacks begin with phishing emails impersonating Abu Dhabi National Oil Company (ADNOC), urging recipients to open password-protected RAR archive a...
Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks

Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks

Dec 29, 2023 Malware / Endpoint Security
Microsoft on Thursday said it's once again disabling the  ms-appinstaller protocol handler  by default following its abuse by multiple threat actors to distribute malware. "The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team  said . It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The  changes  have gone into effect in App Installer version 1.21.3421.0 or higher. The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google. At least four different financially motivated hacking groups have been observed taking advantage of the App I...
New Rugmi Malware Loader Surges with Hundreds of Daily Detections

New Rugmi Malware Loader Surges with Hundreds of Daily Detections

Dec 28, 2023 Malware / Cyber Threat
A new malware loader is being used by threat actors to deliver a wide range of  information stealers  such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and  Rescoms . Cybersecurity firm ESET is tracking the trojan under the name  Win/TrojanDownloader.Rugmi . "This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk," the company  said  in its Threat Report H2 2023. Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single digit daily numbers to hundreds per day. Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a mo...
Behind the Scenes of Matveev's Ransomware Empire: Tactics and Team

Behind the Scenes of Matveev's Ransomware Empire: Tactics and Team

Dec 19, 2023 Ransomware / Russian Hackers
Cybersecurity researchers have shed light on the inner workings of the ransomware operation led by Mikhail Pavlovich Matveev, a Russian national who was  indicted by the U.S. government  earlier this year for his alleged role in launching thousands of attacks across the world. Matveev, who resides in Saint Petersburg and is known by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza, is alleged to have played a crucial part in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020. "Wazawaka and his team members prominently exhibit an insatiable greed for ransom payments, demonstrating a significant disregard for ethical values in their cyber operations," Swiss cybersecurity firm PRODAFT  said  in a comprehensive analysis shared with The Hacker News. "Employing tactics that involve intimidation through threats to leak sensitive files, engaging in dishonest practices, and persisting in retaining...
Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide

Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide

Dec 19, 2023 Ransomware / Threat Intelligence
The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia," authorities  said . Also called Balloonfly and PlayCrypt, Play emerged in 2022, exploiting security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet appliances (CVE-2018-13379 and CVE-2020-12812) to breach enterprises and deploy file-encrypting malware. It's worth pointing out that ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as initial infection vectors, jumping from nearly zero in the second half of 2022 to almost a third in the first half of 20...
New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam

New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam

Dec 12, 2023 Cryptocurrency / Cyber Attack
A phishing campaign has been observed delivering an information stealer malware called  MrAnon Stealer  to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin  said . "MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions." There is evidence to suggest that Germany is the primary target of the attack as of November 2023, owing to the number of times the downloader URL hosting the payload has been queried. Masquerading as a company looking to book hotel rooms, the phishing email bears a PDF file that, upon opening, activates the infection by prompting the recipient to download an updated version of Adobe Flash. Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a pernicious Python script, which i...
U.S. Treasury Sanctions Sinbad Cryptocurrency Mixer Used by North Korean Hackers

U.S. Treasury Sanctions Sinbad Cryptocurrency Mixer Used by North Korean Hackers

Nov 30, 2023 Hacking / Cryptocurrency
The U.S. Treasury Department on Wednesday imposed sanctions against  Sinbad , a virtual currency mixer that has been put to use by the North Korea-linked  Lazarus Group  to launder ill-gotten proceeds. "Sinbad has processed millions of dollars' worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists," the department said . "Sinbad is also used by cybercriminals to obfuscate transactions linked to malign activities such as sanctions evasion, drug trafficking, the purchase of child sexual abuse materials, and additional illicit sales on darknet marketplaces." In addition to the sanctions, Sinbad had its website seized as part of a coordinated law enforcement action between agencies in the U.S., Finland, and the Netherlands. The development builds on prior actions undertaken by governments in Europe and the U.S. to blockade mixers such as  Blender ,  Tornado Cash , and  ChipMixer , all of which have been...
Go Beyond the Headlines for Deeper Dives into the Cybercriminal Underground

Go Beyond the Headlines for Deeper Dives into the Cybercriminal Underground

Jul 18, 2023 Cybersecurity / Cyber Attacks
Discover stories about threat actors' latest tactics, techniques, and procedures from Cybersixgill's threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT credentials flood dark web markets Over the past year, 100,000 stolen credentials for ChatGPT were advertised on underground sites, being sold for as little as $5 on dark web marketplaces in addition to being offered for free. Stolen ChatGPT credentials include usernames, passwords, and other personal information associated with accounts. This is problematic because ChatGPT accounts may store sensitive information from queries, including confidential data and intellectual property. Specifically, companies increasingly incorporate ChatGPT into daily workflows, which means employees may disclose ...
Interpol Seized $130 Million from Cybercriminals in Global "HAECHI-III" Crackdown Operation

Interpol Seized $130 Million from Cybercriminals in Global "HAECHI-III" Crackdown Operation

Nov 25, 2022
Interpol on Thursday  announced  the seizure of $130 million worth of virtual assets in connection with a global crackdown on cyber-enabled financial crimes and money laundering. The international police operation, dubbed  HAECHI-III , transpired between June 28 and November 23, 2022, resulting in the arrests of 975 individuals and the closure of more than 1,600 cases. This comprised two fugitives wanted by South Korea for their supposed involvement in a Ponzi scheme to embezzle €28 million from 2,000 victims. Another instance pertained to a call center scam based out of India, wherein a group of criminals impersonated Interpol and Europol officers to trick victims in Austria into transferring funds. The call centers operated from New Delhi and Noida. The illegal activity informed the victims that their "identities were stolen and crime pertaining to narcotics drugs were committed in their names," forcing them to make a money transfer. "In order to clear themselve...
FBI-Wanted Leader of the Notorious Zeus Botnet Gang Arrested in Geneva

FBI-Wanted Leader of the Notorious Zeus Botnet Gang Arrested in Geneva

Nov 17, 2022
A Ukrainian national who has been wanted by the U.S for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called Zeus . Vyacheslav Igorevich Penchukov, who went by online pseu­do­nyms "tank" and "father," is alleged to have been involved in the day-to-day operations of the group. He was apprehended in Geneva on October 23, 2022, and is pending extradition to the U.S. Details of the arrest were  first reported  by independent security journalist Brian Krebs. Penchukov, along with Ivan Viktorovich Klepikov (aka "petrovich" and "nowhere") and Alexey Dmitrievich Bron (aka "thehead"), was originally charged in the District of Nebraska in August 2012. According to court documents released by the U.S. Department of Justice (DoJ) in 2014, Penchukov and eight other members of the cybercriminal group  infected  ...
Suspected REvil Ransomware Affiliates Arrested in Global Takedown

Suspected REvil Ransomware Affiliates Arrested in Global Takedown

Nov 09, 2021
Romanian law enforcement authorities have  announced  the arrest of two individuals for their roles as affiliates of the REvil ransomware family, dealing a severe blow to one of the most prolific cybercrime gangs in history. The suspects are believed to have  orchestrated  more than 5,000 ransomware attacks and extorted close to $600,000 from victims, according to Europol. The arrests, which happened on November 4, are part of a coordinated operation called GoldDust , which has resulted in the arrest of three other REvil affiliates and two suspects connected to GandCrab in Kuwait and South Korea since February 2021. This also includes a 22-year-old Ukrainian national, Yaroslav Vasinskyi, who was arrested in early October and has been accused of perpetrating the  devastating attack  on Florida-based software firm Kaseya in July 2021, affecting up to 1,500 downstream businesses. In all, the seven suspects linked to the two ransomware families are said to ...
Expert Insights / Articles Videos
Cybersecurity Resources