### Impact
Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP response (401) is returned, the message will be ingested nonetheless.

### Patches

### Workarounds
Disabling http-based inputs and allow only authenticated pull-based inputs.

### References

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-30373

**Graylog's Authenticated HTTP inputs ingest message even if Authorization header is missing or has wrong value**

Moderate severity GitHub Reviewed Published Apr 7, 2025 in Graylog2/graylog2-server • Updated Apr 7, 2025

**Package**

maven org.graylog2:graylog2-server (Maven)

**Affected versions**

\>= 6.1.0, < 6.1.9

**Description**

**Impact**

Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP response (401) is returned, the message will be ingested nonetheless.

**Patches****Workarounds**

Disabling http-based inputs and allow only authenticated pull-based inputs.

**References****References**

*   GHSA-q7g5-jq6p-6wvx
*   https://nvd.nist.gov/vuln/detail/CVE-2025-30373
*   Graylog2/graylog2-server@31bc13d

Published to the GitHub Advisory Database

Apr 7, 2025

**EPSS score**

GHSA-q7g5-jq6p-6wvx: Graylog's Authenticated HTTP inputs ingest message even if Authorization header is missing or has wrong value

USA secures extradition of criminals from 9 countries, including two brothers behind Rydox, a dark web market for stolen data and hacking tools.

The United States has successfully extradited a group of fugitives from nine countries to face charges ranging from murder and child abuse to running dark web cybercrime marketplaces and drug trafficking rings. The extradited fugitives came from the following countries:

1.  Israel
2.  Spain
3.  Mexico
4.  Kosovo
5.  Canada
6.  Thailand
7.  Colombia
8.  Germany
9.  Honduras

The extradited individuals include fugitives who’d evaded capture for over a decade, as well as newer suspects accused of exploiting the anonymity of the dark web. Here’s a breakdown of the most notable cases:

**Ardit and Jetmir Kutleshi, 26 and 28** (Kosovo → Pennsylvania): The brothers are accused of running Rydox, a dark web marketplace that sold stolen credit cards, hacked social media accounts, and tools for identity theft. Their platform allegedly fueled millions in fraud losses before law enforcement shut it down.

**Roberto Avina-Casillas, 30** (Mexico → Ohio): After 11 years on the run, Avina-Casillas now faces murder charges.

**Justin David Lanoue, 44** (Canada → Utah): A Canadian fugitive wanted since 2015 for child abuse charges in Utah.

**Dominik Rydz, 24** (Germany → Michigan): A Polish national accused of sexually assaulting a woman at a party in Michigan in 2023 and imprisoning her against her will. Rydz initially fled to Poland, then Germany, where he was nabbed via an Interpol Red Notice.

**Olof Kyros Gustafsson, 31** (Spain → California): Dubbed “El Silencio,” this Swedish entrepreneur allegedly ran a bizarre online scam: selling fake Pablo Escobar-branded flamethrowers, cellphones, and other nonexistent products to investors worldwide. Prosecutors say he pocketed millions by exploiting the late drug lord’s notorious reputation.

**Tien Vy Tai Truong, 46** (Thailand → California): A suspected kingpin in a methamphetamine trafficking ring, Truong allegedly tried to broker a deal with an undercover DEA agent to ship 200 pounds of meth to Australia. His arrest in Thailand marks a rare win in disrupting Asia-Pacific drug pipelines.

****Rydox Dark Web Marketplace****

Rydox was a cybercrime marketplace operating on the dark web from approximately February 2016 until its seizure in December 2024. It functioned as a platform for the sale of stolen personal information, access devices, and various cybercrime tools.

Over its operational period, Rydox facilitated more than 7,600 transactions, generating at least $230,000 in revenue. The marketplace offered over 321,000 products to a user base exceeding 18,000 individuals.

Items available for purchase included personally identifiable information (PII) such as names, addresses, and Social Security numbers; stolen credit card details; login credentials; and cybercrime tools like scam pages and spamming tutorials.

In December 2024, an international law enforcement operation led by the U.S. Department of Justice, in collaboration with authorities from Kosovo, Albania, and Malaysia, resulted in the seizure of Rydox’s domain and the arrest of its administrators. Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, were apprehended in Kosovo and faced extradition to the United States to face charges, including identity theft and money laundering.

The seized Rydox dark web marketplace

A third individual, Shpend Sokoli, was arrested in Albania and was expected to be prosecuted there. Additionally, servers hosting the Rydox marketplace were seized in Kuala Lumpur, Malaysia, and approximately $225,000 in cryptocurrency linked to the defendants was confiscated.

The extradition of the Kutleshi brothers signals that law enforcement is stepping up its game in targeting the administrators of these illegal marketplaces, not just the end users. Additionally, the Gustafsson case shows how cybercriminals can exploit trust and celebrity culture (in this case, the Pablo Escobar brand) to deceive victims. This goes on to show why users must verify the legitimacy of online investments and products, especially when they seem too good to be true.

Brothers Behind Rydox Dark Web Market Extradited to US

Langflow versions prior to 1.3.0 are susceptible to code injection in the `/api/v1/validate/code` endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-c995-4fw3-j39m: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint

This week on the Lock and Code podcast, we speak with Lena Cohen about whether our phones are really listening to us to deliver ads.

_This week on the Lock and Code podcast…_

It has probably happened to you before.

You and a friend are _talking_—not texting, not DMing, not FaceTiming—but _talking_, physically face-to-face, about, say, an upcoming vacation, a new music festival, or a job offer you just got.

And then, that same week, you start noticing some eerily specific ads. There’s the Instagram ad about carry-on luggage, the TikTok ad about earplugs, and the countless ads you encounter simply scrolling through the internet about laptop bags.

And so you think, “Is my phone listening to me?”

This question has been around for years and, today, it’s far from a conspiracy theory. Modern smartphones can and do listen to users for voice searches, smart assistant integration, and, obviously, phone calls. It’s not too outlandish to believe, then, that the microphones on smartphones could be used to listen to other conversations without users knowing about it.

Recent news stories don’t help, either.

In January, Apple agreed to pay $95 million to settle a lawsuit alleging that the company had eavesdropped on users’ conversations through its smart assistant Siri, and that it shared the recorded conversations with marketers for ad targeting. The lead plaintiff in the case specifically claimed that she and her daughter were recorded without their consent, which resulted in them receiving multiple ads for Air Jordans.

In agreeing to pay the settlement, though, Apple denied any wrongdoing, with a spokesperson telling the BBC:

“Siri data has never been used to build marketing profiles and it has never been sold to anyone for any purpose.”

But statements like this have done little to ease public anxiety. Tech companies have been caught in multiple lies in the past, privacy invasions happen thousands of times a day, and ad targeting feels extreme entirely because it is.

Where, then, does the truth lie?

Today, on the Lock and Code podcast with David Ruiz, we speak with Electronic Frontier Foundation Staff Technologist Lena Cohen about the most mind-boggling forms of corporate surveillance—including an experimental ad-tracking technology that emitted ultrasonic sound waves—specific audience segments that marketing companies make when targeting people with ads, and, of course, whether our phones are really listening to us.

> “Companies are collecting so much information about us and in such covert ways that it really feels like they’re listening to us.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Is your phone listening to you? (Lock and Code S06E07) 

Want to know the most notable findings in Talos' Year in Review directly from our report's authors? Watch our two part video series.

Monday, April 7, 2025 09:51

**🎥 Talos Year in Review 2024: Part 1 & 2 – Watch Now!**

Another year, another mountain of malicious telemetry to sift through. I spoke with a few of Talos' Year in Review authors, freshly out of the sandbox, to discuss the how's and why's of our biggest findings.

👉 **Part 1:** The major theme of 2024, top vulnerabilities, email threats and adversary tooling

  
👉 **Part 2:** Ransomware groups, and why we're seeing more identity attacks

Whether you’re here for the hard data or the dry humor, we’ve got you covered. We break down what mattered most in 2024 — and what’s on the radar for 2025.

Download Talos' full 2024 Year in Review today.

Year in Review: In conversation with the report's authors

Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel.
"'Fast flux' is a technique used to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS)

CISA and FBI Warn Fast Flux is Powering Resilient Malware, C2, and Phishing Networks

Austin, TX, USA, 7th April 2025, CyberNewsWire

**Austin, TX, USA, April 7th, 2025, CyberNewsWire**

Deep visibility into malware-siphoned data can help close gaps in traditional defenses before they evolve into major cyber threats like ransomware and account takeover

SpyCloud, the leading identity threat protection company, today released new analysis of its recaptured darknet data repository that shows threat actors are increasingly bypassing endpoint protection solutions: 66% of malware infections occur on devices with endpoint security solutions installed. SpyCloud offers integrations with leading endpoint detection and response (EDR) products, such as Crowdstrike Falcon and Microsoft Defender, that close this detection gap.

EDRs play a vital role in detecting, protecting against, and responding to threats on enterprise devices. Despite advanced AI detection and telemetry analysis offered in today’s EDR solutions, modern infostealer malware is designed to evade even the most sophisticated defenses, using tactics like polymorphic malware, memory-only execution, and exploitation of zero-day vulnerabilities or outdated software. The data speaks for itself: nearly one in two corporate users were already the victim of a malware infection in 2024, and in the year prior, malware was the cause of 61% of all breaches. 

SpyCloud’s findings underscore that while EDR and antivirus (AV) tools are essential and block a wide range of security threats, no security solution can block 100% of attacks. Organizations need to take a layered approach to close the gaps before attacks progress deeper into their environments, resulting in events like ransomware and account takeover.  

> “When a malware infection goes undetected, the consequences can be catastrophic,” said Damon Fleury, Chief Product Officer at SpyCloud. “We are in an arms race at the endpoint, where attackers are constantly evolving their tactics to skirt detection. SpyCloud provides a critical line of defense – uncovering infostealer infections that evade EDRs and AVs, detecting when stolen data begins circulating in the criminal underground, and automatically feeding that intelligence back to the EDR to quarantine the device and begin the post-infection remediation process.”

By closing this visibility gap, SpyCloud EDR integrations provide a new and powerful protection mechanism. Once malware exfiltrates credentials, personally identifiable information (PII), or session cookies, that stolen data becomes a launchpad for further entrenchment and compromise. SpyCloud helps stop cybercrime before it happens by identifying these identity risks early, mapping them back to impacted users, devices, and applications, and sending actionable intelligence to an organization’s EDR for response and remediation.  

> “As identity becomes the security perimeter, organizations need more than device-level protection; they need insight into what their endpoint solutions are missing,” added Fleury. “SpyCloud’s expertise in accessing malware logs before they’re broadly circulated among criminals enables faster, more targeted responses needed to address infections, prevent lateral movement, and block disruptive follow-on activities like admin lockout and ransomware deployment.”

To learn more about how SpyCloud can augment endpoint security strategy and remediate malware infections that EDRs and AVs may miss, users can **register to join SpyCloud’s upcoming virtual event on April 10**, where experts will walk through the data, explain the attack chain in detail, and demo how SpyCloud’s EDR integrations work in real-world scenarios. 

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections

Heavy incoming traffic: A new wave of toll fee scams are sweeping America.

Back in August 2024, we warned about a relatively new type of SMS phishing (or smishing) scam that was doing the rounds.

Now a new wave of toll fee scams are working their way round the US. These attempts come as an unexpected text message linking to a website pretending to belong to one of the US toll authorities, like E-ZPass, The Toll Roads, SunPass, or TxTag.

The texts usually create a sense of urgency—a common tactic of scammers, by telling you there is only a limited time left to act or there will be dire consequences.

The phishing sites are typically out to steal personal information and/or payment details. Reportedly, some users get up to 7 such messages in a day.

Many state departments are issuing warnings. For example, the Wisconsin Department of Transportation (WisDOT) Division of Motor Vehicles (DMV) recently warned consumers of reported phishing attempts via text, and the Arizona Department of Transportation even published a reminder that the state highway system doesn’t have toll roads, because of these scams.

A typical text message might look like this:

> “Your toll payment for E-ZPass Lane must be settled by {a date in the very near future}. To avoid fines and the suspension of your driving privileges, kindly pay by the due date.
> 
> Pay here: {malicious link}
> 
> (Please reply with “Y”, then exit the text message. Open it again, click the link, or copy it into your browser and open it.)”

 The malicious links are often fabricated to look legitimate by including an existing domain name before the actual domain name. E.g. e-zpass.com- roadioe\[.\]cc.

**How to avoid falling for toll fee scams**

*   Check the phone number that the text message comes from. Some of the scams we saw were easy to dismiss because they came from telephone numbers outside the US.
*   Look for the actual site that handles the alleged toll fees and compare the domain name. Sometimes there is only a small difference, so inspect it carefully.
*   If you decided to pay, make sure you receive confirmation of payment. Official toll agencies will send confirmation after collecting payments. If you don’t receive that, call the toll service to check.
*   Never interact with the scammer in any way. Every reaction provides them with information, even if it’s only that the phone number is in use.
*   If you think the toll fee is feasible because you have indeed travelled in that area, check on the official toll service’s website or call their customer service number.
*   The FBI asks that if you receive a suspicious message, contact the FBI Internet Crime Complaint Center at ic3.gov. Be sure to include the phone number from where the text originated, and the website listed within the text.

**Indicators of Compromise (IoCs)**

Domains involved in toll fee scams:

com-roadioe\[.\]cc

uoshxkdhkz\[.\]top

com-zgoupbb\[.\]top

forfeitzm\[.\]top

sunpass-verification\[.\]top

com-tollbilljhy\[.\]top

com-etc-bbzj\[.\]vip

com-tollbilltid\[.\]vip

com-tollbilltwd\[.\]vip

paytollrbzx\[.\]vip

com-ticketvb\[.\]xin

com-emzwepr\[.\]xin

com-ustolls\[.\]xin

com-tollbilaz\[.\]xin

etc-tollad\[.\]xin

roadetctre\[.\]xin

Did you know that Malwarebytes for mobile scans your texts for scams and blocks known malicious sites?

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Toll fee scams are back and heading your way 

New Xanthorox AI hacking platform spotted on dark web with modular tools, offline mode, and advanced voice, image, and code-based cyberattack features.

A sophisticated new artificial intelligence (AI) platform tailored for offensive cyber operations, named Xanthorox AI, has been identified by cybersecurity firm SlashNext. First appearing in late Q1 2025, Xanthorox AI is reportedly circulating within cybercrime communities on darknet forums and encrypted channels.

According to SlashNext’s investigation, shared with Hackread.com ahead of its publishing on Monday, Xanthorox stands out from previous malicious AI tools like WormGPT, FraudGPT and EvilGPT due to its independent, multi-model framework. The system is based on five distinct AI models optimized for specific cyber operations.

These models are hosted on private servers under the seller’s control rather than public cloud infrastructure or openly accessible APIs. This unique setup sets Xanthorox AI apart from previous malicious tools that often relied on existing large language models (LLMs).

Xanthorox AI is a fully custom-built platform that uses “fully custom-built language models” instead of established models like LLaMA or Claude. It is promoted as a modular system capable of code generation, vulnerability exploitation, data analysis, and integrated voice and image processing, enabling automated and interactive attacks.

Its modular design allows for future updates or the replacement of specific functionalities. Xanthorox AI also has built-in voice and image handling modules. It can perform live internet search scraping using over 50 engines, offering up-to-date information. It also offers offline functionality, allowing users to use it without a constant network connection. The platform also emphasizes data containment to eliminate third-party AI data collection risks.

The toolkit includes the Xanthorox Coder, which automates tasks such as code creation and script development, while Xanthorox Vision adds visual intelligence by allowing users to upload images or screenshots for analysis. Reasoner Advanced aims to replicate human-like decision-making, supporting tasks requiring logical consistency and persuasive communication.

The platform also facilitates voice-based interaction through real-time voice calls and asynchronous voice messaging, allowing hands-free command and control. Overall, Xanthorox AI offers a versatile hacking assistant representing a significant advancement in cyberattack capabilities, enabling more precise and scalable phishing campaigns and malware creation.

Screenshot: SlashNext

“Xanthorox AI presents itself as a comprehensive, all-in-one hacking tool, powered by a modular architecture designed to support a wide range of cybercrime operations. From an attacker’s perspective, Xanthorox AI hits most of the marks needed for a versatile hacking assistant,” researchers wrote in their blog post.

Its emergence highlights the importance of adopting advanced AI-powered detection technologies, including AI-powered threat detection platforms capable of behavioural anomaly analysis and signature-less malware identification, email security solutions employing AI-based content and intent analysis, and network security measures incorporating AI-driven intrusion detection and prevention systems.

Casey Ellis, Founder at Bugcrowd, a San Francisco-based leader in crowdsourced cybersecurity, called it “a fascinating development,” noting that the cybercriminal ecosystem works like any service industry, with specialized groups and “startups” creating competitive advantages. He highlighted the thought and R&D behind the toolkit, the local model tuning that avoids reliance on major vendors, and praised the expert mix as the most effective way to build a flexible AI-powered attack platform.

Xanthorox AI Surfaces on Dark Web as Full Spectrum Hacking Assistant

Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day.
Hackers don’t need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough.
This week,

Latest News