digital forensics | Breaking Cybersecurity News | The Hacker News

The U.S. Department of Justice (DoJ) said it has filed a civil forfeiture complaint in federal court that targets over $7.74 million in cryptocurrency, non-fungible tokens (NFTs), and other digital assets allegedly linked to a global IT worker scheme orchestrated by North Korea. "For years, North Korea has exploited global remote IT contracting and cryptocurrency ecosystems to evade U.S. sanctions and bankroll its weapons programs," said Sue J. Bai, Head of the Justice Department's National Security Division. The Justice Department said the funds were originally restrained in connection with an April 2023 indictment against Sim Hyon-Sop, a North Korean Foreign Trade Bank (FTB) representative who is believed to have conspired with the IT workers. The IT workers, the department added, gained employment at U.S. cryptocurrency companies using fake identities and then laundered their ill-gotten gains through Sim to further Pyongyang's strategic objectives in violati...

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of cryptocurrency funds and about 145 clearnet and dark web domains associated with an illicit carding marketplace called BidenCash. "The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information," the DoJ said . "BidenCash administrators charged a fee for every transaction conducted on the website." BidenCash launched in March 2022 to fill the void left by the shutdown of Joker's Stash a year earlier and several other carding forums like UniCC . Since the time it went operational, the illegal bazaar ("bidencash[.]asia," "bidencash[.]bd," and "bidencash[.]ws") is estimated to have supported more than 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated no less than $17 mi...

As part of the latest "season" of Operation Endgame , a coalition of law enforcement agencies have taken down about 300 servers worldwide, neutralized 650 domains, and issued arrest warrants against 20 targets. Operation Endgame, first launched in May 2024, is an ongoing law enforcement operation targeting services and infrastructures assisting in or directly providing initial or consolidating access for ransomware. The previous edition focused on dismantling the initial access malware families that have been used to deliver ransomware. The latest iteration, per Europol, targeted new malware variants and successor groups that re-emerged after last year's takedowns such as Bumblebee, Lactrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE . The interaction action was carried out between May 19 and 22, 2025. "In addition, €3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during the Operation Endgame to...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

A joint law enforcement operation undertaken by Dutch and U.S. authorities has dismantled a criminal proxy network that's powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors. In conjunction with the domain seizure, Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani national, have been charged by the U.S. Department of Justice (DoJ) for operating, maintaining, and profiting from the proxy services. The DoJ noted that users paid a monthly subscription fee, ranging from $9.95 to $110 per month, netting the threat actors more than $46 million by selling access to the infected routers. The service is believed to have been available since 2004.

AI is changing cybersecurity faster than many defenders realize. Attackers are already using AI to automate reconnaissance, generate sophisticated phishing lures, and exploit vulnerabilities before security teams can react. Meanwhile, defenders are overwhelmed by massive amounts of data and alerts, struggling to process information quickly enough to identify real threats. AI offers a way to level the playing field, but only if security professionals learn to apply it effectively. Organizations are beginning to integrate AI into security workflows, from digital forensics to vulnerability assessments and endpoint detection. AI allows security teams to ingest and analyze more data than ever before, transforming traditional security tools into powerful intelligence engines. AI has already demonstrated its ability to accelerate investigations and uncover unknown attack paths, but many companies are hesitant to fully embrace it. Many AI models are implemented with such velocity that they r...

Law enforcement authorities have announced that they tracked down the customers of the SmokeLoader malware and detained at least five individuals. "In a coordinated series of actions , customers of the Smokeloader pay-per-install botnet, operated by the actor known as 'Superstar,' faced consequences such as arrests, house searches, arrest warrants or 'knock and talks,'" Europol said in a statement. Superstar is alleged to have run a pay-per-install service that enabled its customers to gain unauthorized access to victim machines, using the loader as a conduit to deploy next-stage payloads of their choice. According to the European law enforcement agency, the access afforded by the botnet was used for various purposes such as keylogging, webcam access, ransomware deployment, and cryptocurrency mining. The latest action, part of an ongoing coordinated exercise called Operation Endgame , which led to the dismantling of online infrastructure associated with...

In one of the largest coordinated law enforcement operations, authorities have dismantled Kidflix, a streaming platform that offered child sexual abuse material (CSAM). "A total of 1.8 million users worldwide logged on to the platform between April 2022 and March 2025," Europol said in a statement. "On March 11, 2025, the server, which contained around 72,000 videos at the time, was seized by German and Dutch authorities." The European law enforcement agency described it as the largest operation undertaken to combat child sexual exploitation. It has been codenamed Operation Stream. The multi-year probe , which commenced in 2022 and involved 38 countries across the world, saw 1,393 identified globally through an analysis of payment transactions, with 79 of them arrested to date for distributing CSAM. Some of the apprehended individuals have also been accused of not only uploading and watching such content but also abused children. In addition, more than 3,000...

A major telecommunications company located in Asia was allegedly breached by Chinese state-sponsored hackers who spent over four years inside its systems, according to a new report from incident response firm Sygnia. The cybersecurity company is tracking the activity under the name Weaver Ant , describing the threat actor as stealthy and highly persistent. The name of the telecom provider was not disclosed. "Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage," Sygnia said . "The group behind this intrusion [...] aimed to gain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting sensitive information." Oren Biderman, Incident Response and Digital Forensic Team Leader at Sygnia, told The Hacker News that Weaver Ant exploited a misconfiguration in a public-facing application to obtain an initial foothold into the target environment. The attack chain is said to h...

Inside the most innocent-looking image, a breathtaking landscape, or a funny meme, something dangerous could be hiding, waiting for its moment to strike. No strange file names. No antivirus warnings. Just a harmless picture, secretly concealing a payload that can steal data, execute malware, and take over your system without a trace. This is steganography, a cybercriminal's secret weapon for concealing malicious code inside harmless-looking files. By embedding data within images, attackers evade detection, relying on separate scripts or processes to extract and execute the hidden payload. Let's break down how this works, why it's so dangerous, and most importantly, how to stop it before it's too late. What is Steganography in Cybersecurity? Steganography is the practice of concealing data within another file or medium. Unlike encryption, which scrambles data to make it unreadable, steganography disguises malicious code inside harmless-looking images, videos, or audio files, makin...

This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a sneaky zero-day exploit turned their Android device into a target. Meanwhile, Microsoft pulled back the curtain on a scheme where cybercriminals used AI tools for harmful pranks, and a massive trove of live secrets was discovered, reminding us that even the tools we rely on can hide risky surprises. We've sifted through a storm of cyber threats—from phishing scams to malware attacks—and broken down what it means for you in clear, everyday language. Get ready to dive into the details, understand the risks, and learn how to protect yourself in an increasingly unpredictable online world. ⚡ Threat of the Week Serbian Youth Activist Targeted by Android 0-Day Exploit Chain — A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit chain developed by Cellebrite to unlock the device and likely deploy an Android spyware called NoviSpy. The flaws combined ...

A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International. "The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite," the international non-governmental organization said , adding traces of the exploit were discovered in a separate case in mid-2024. The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. A patch for the flaw was released for the Linux kernel in December 2024. It was subsequently addressed in Android earlier this month. It's believed that CVE-2024-53104 was combined with two other flaws – CVE-2024-53197 and CVE-2024-50302 – both of which have been resolved in the Linux kernel. They are yet to be included i...

The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared a "war against Lazarus." The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster it tracks as TraderTraitor, which is also referred to as Jade Sleet, Slow Pisces, and UNC4899. "TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains," the FBI said . "It is expected these assets will be further laundered and eventually converted to fiat currency." It's worth noting that the TraderTraitor cluster was previously implicated by Japanese and U.S. authorities in the theft of cryptocurrency worth $308 mil...

More than a year's worth of internal chat logs from a ransomware gang known as Black Basta have been published online in a leak that provides unprecedented visibility into their tactics and internal conflicts among its members. The Russian-language chats on the Matrix messaging platform between September 18, 2023, and September 28, 2024, were initially leaked on February 11, 2025, by an individual who goes by the handle ExploitWhispers , who claimed that they released the data because the group was targeting Russian banks. The identity of the leaker remains a mystery. Black Basta first came under the spotlight in April 2022, using the now-largely-defunct QakBot (aka QBot) as a delivery vehicle. According to an advisory published by the U.S. government in May 2024, the double extortion crew is estimated to have targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia. Per Elliptic and Corvus Insurance, the prolific r...

The first quarter of 2025 has been a battlefield in the world of cybersecurity. Cybercriminals continued launching aggressive new campaigns and refining their attack methods. Below is an overview of five notable malware families, accompanied by analyses conducted in controlled environments. NetSupport RAT Exploiting the ClickFix Technique In early 2025, threat actors began exploiting a technique known as ClickFix to distribute the NetSupport Remote Access Trojan (RAT).  This method involves injecting fake CAPTCHA pages into compromised websites, prompting users to execute malicious PowerShell commands that download and run the NetSupport RAT.  Once installed, this RAT grants attackers full control over the victim's system, allowing activities such as real-time screen monitoring, file manipulation, and execution of arbitrary commands. Main technical characteristics of NetSupport RAT Attackers can view and control the victim's screen in real time. Uploads, downloads, m...