ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…

ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail vulnerabilities and SpyPress malware.

Cybersecurity researchers at ESET have revealed a sophisticated cyber espionage campaign, codenamed RoundPress, assessing with “medium confidence” that it is orchestrated by the Russian-backed Sednit group (aka APT28, Fancy Bear). This operation is actively targeting organizations linked with the ongoing conflict in Ukraine, aiming to exfiltrate confidential data from vulnerable webmail servers like RoundCube.

The Sednit group, linked by the US Department of Justice to the 2016 Democratic National Committee (DNC) hack and tracked by Hackread.com in attacks on TV5Monde and WADA, has been employing targeted spearphishing emails in the RoundPress campaign.

These emails exploit Cross-Site Scripting (XSS) vulnerabilities in various webmail platforms to inject malicious JavaScript code, dubbed SpyPress, into the victim’s browser.

****Exploiting Known and Zero-Day Vulnerabilities in Webmail Systems****

In ESET’s blog post, shared with Hackread.com, researchers noted that over the past two years, espionage groups have targeted webmail servers like Roundcube and Zimbra for email theft due to their outdated nature and remote vulnerability triggers making targeting easier.

In 2023, researchers observed Sednit exploiting CVE-2020-35730 in Roundcube. However, in 2024, the campaign expanded to target vulnerabilities in:

*   Horde (an older XSS flaw)

*   Roundcube (CVE-2023-43770, patched on September 14, 2023)

*   Zimbra (CVE-2024-27443, also known as ZBUG-3730, patched on March 1, 2024)

*   MDaemon (CVE-2024-11182, a zero-day reported by researchers on November 1, 2024, and patched in version 24.5.1 on November 14, 2024)

Compromise Chain (Source: ESET)

ESET noted a specific spearphishing email sent on September 29, 2023, from katecohen1984@portugalmailpt exploiting CVE‑2023‑43770 in Roundcube. The emails often mimic news content to entice victims to open them, such as an email to a Ukrainian target on September 11, 2024, from kyivinfo24@ukrnet about an alleged arrest in Kharkiv, and another to a Bulgarian target on November 8, 2024, from office@terembgcom regarding Putin and Trump.

The primary targets of Operation RoundPress in 2024, as identified through ESET telemetry and VirusTotal submissions, are predominantly Ukrainian governmental entities and defence companies in Bulgaria and Romania, some of which are producing Soviet-era weapons for Ukraine.

Researchers also observed targeting of national governments in Greece, Cameroon, Ecuador, Serbia, and Cyprus (an academic in environmental studies), a telecommunications firm for the defence sector in Bulgaria and a civil air transport company and transportation state company in Ukraine.

The SpyPress malware variants (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA) share obfuscation techniques and communicate with C2 servers via HTTP POST requests. However, their capabilities vary.

For instance, SpyPress.ROUNDCUBE has been observed creating Sieve rules to forward all incoming emails to an attacker-controlled address, such as srezoska@skiffcom (Skiff being a privacy-oriented email service). SpyPress.MDAEMON demonstrated the ability to create App Passwords, granting persistent access.

Researchers concluded that the ongoing exploitation of webmail vulnerabilities by groups like Sednit underscores the importance of timely patching and strong security measures to protect sensitive information from such targeted spying campaigns.

J Stephen Kowski, Field CTO at SlashNext Email Security+ commented on the latest development, stating, _“_Attacks like Operation RoundPress show how quickly hackers can shift targets, especially when they find weaknesses in popular email platforms._“_

_“_Whether you’re using paid commercial email systems or free, self-hosted open-source options like RoundCube, no solution is completely safe – self-hosted systems often give a false sense of security since they still need regular updates and expert maintenance,_“_ he warned.

_“_The best way to stay ahead is by making sure email systems are always updated and patched, using strong protections like multi-factor authentication, and having tools that can spot and block phishing emails before they reach users_,”_ Kowski advised.

Russia-Linked SpyPress Malware Exploits Webmails to Spy on Ukraine

FBI has warned about a sophisticated vishing and smishing campaign using AI-generated voice memos to impersonate senior US…

FBI has warned about a sophisticated vishing and smishing campaign using AI-generated voice memos to impersonate senior US officials and target their contacts.

The Federal Bureau of Investigation (FBI) has issued a warning regarding a growing threat where malicious individuals are using artificial intelligence (AI) to mimic the voices of high-ranking United States officials. These AI-generated voice memos, combined with deceptive text messages, are being used in attempts to target current/former government officials, and individuals in their contact lists.

According to the FBI’s announcement, since April 2025, these “malicious actors” have employed techniques known as “smishing” (using SMS or text messages) and “vishing” (using voice messages) to create memos that appear as if they originate from senior US officials. The goal is to build trust and establish a connection with the targeted individuals. The FBI explicitly stated, “If you receive a message claiming to be from a senior US official, do not assume it is authentic.”

****Tactics Used to Gain Access****

According to the FBI, once contact is made, the perpetrators try to access the personal accounts of their targets. One method involves sending malicious links within these messages, which when victims click, will move the conversation to a different, supposedly more secure messaging platform. However, in reality, these links likely lead to malicious websites designed to steal login credentials or install malware.

The FBI warns of a potential cascading effect where one successful compromise could lead to multiple others. These “bad actors” can use compromised accounts to target other US officials or their associates, and the stolen information can be used to craft convincing impersonations or launch further social engineering attacks. The FBI also cautioned that “contact information acquired through social engineering schemes could also be used to impersonate contacts to elicit information or funds.”

****Growing Trend of AI-Powered Deception****

While the FBI did not disclose the specific US officials being impersonated, their announcement indicated that most of the targets are “current or former senior US federal or state government officials and their contacts.” This suggests a widespread campaign targeting individuals with potentially sensitive information or access.

In December 2024, the FBI had concerns about the increasing use of generative AI by criminals to conduct various financial fraud schemes on a larger scale. This technology allows for the creation of realistic text, images, audio, and video, making it easier to deceive unsuspecting victims into sending money or falling prey to other scams. Moreover, experts have noted a significant rise in the use of AI-based voice cloning. According to a report by CrowdStrike, the weaponization of this technology saw a dramatic increase of 442% between the first and second halves of 2024.

Now this latest warning from the FBI highlights the continuous rise in sophisticated AI tools being weaponized for social engineering attacks, posing a significant risk to high-profile individuals and possibly national security. The agency urges vigilance when receiving unsolicited messages, especially those claiming to be from senior officials.

**Max Gannon, Intelligence Manager at Cofense** commented on the latest announcement stating, “While the IC3 alert does say ‘malicious actors typically use software to generate phone numbers that are not attributed to a specific mobile phone or subscriber,’ it is important to note that threat actors can also spoof known phone numbers of trusted organizations or people, adding an extra layer of deception to the attack._“_

“Additionally, phone filtering does not typically detect when the number is being spoofed, giving a false sense of security to users who rely on their phones to tell them when something is a scam call_,”_ Max explained.

FBI Warns of AI Voice Scams Impersonating US Govt Officials

You’ve got an important choice to make: HubSpot or Salesforce?

On the surface, both of these leading CRM platforms have a lot to offer, from AI to end-to-end tools covering every customer-facing task. But choosing the right CRM isn’t just about sorting through a checklist of features. Before you invest in Salesforce or HubSpot implementation services, you need to think about how well the system fits with your business. 

By 2032, the CRM software market will be worth more than $262.74 billion. Businesses are doubling down on customer relationships, and for good reason. Acquiring a new customer can cost five times more than keeping an existing one. With buyer journeys now stretching across multiple channels and platforms, keeping track of everything manually is impossible. 

That’s why the right CRM is a crucial catalyst for growth. All you need to decide is whether you should be investing in HubSpot’s intuitive, marketing-first system, or Salesforce’s power-packed, flexible architecture.  

****HubSpot vs Salesforce: A Quick Overview** **

Sometimes, you don’t have the time or energy to sort through endless CRM feature lists. If you want to know quickly how HubSpot and Salesforce stack up against each other, here are the basics: 

**Feature** 

**HubSpot** 

**Salesforce**  

Best for 

Startups, small-to-midsize teams 

Mid-size to large enterprises 

Ease of Use 

Incredibly user-friendly, visual 

Steeper learning curve 

Marketing Features 

Built-in, strong native tools 

Requires add-ons or integrations 

Sales Features 

Pipeline management, sales automation, email tracking, etc 

Enhanced sales forecasting, AI insights, sales automation and lead scoring.  

Customization 

Limited without coding 

Extremely flexible, developer-friendly 

Integrations 

Native integrations + app marketplace 

Extensive AppExchange ecosystem 

AI Capabilities 

AI capabilities with advanced Breeze Agent features  

Einstein AI for deep analytics and Agentforce 

Pricing Model 

Freemium base, scales with needs 

Higher upfront cost, modular pricing 

Support & Resources 

Solid, fast-growing knowledge base 

Comprehensive but sometimes slower 

****What is HubSpot? Key Features & Who It’s For**  **

HubSpot is one of the most user-friendly CRM solutions out there. It’s sleek, focused, and ideal for businesses who want to hit the ground running without spending weeks on training. 

The CRM itself is completely free to start. That alone draws a ton of startups. But that’s just the tip of the iceberg. What makes HubSpot special is its comprehensive approach.  

It has “Hubs” for everything, like the Marketing Hub, Sales Hub, Service Hub, and the very underrated CMS Hub. It’s one of the few platforms where marketing automation, blogging, SEO tools, email campaigns, and lead scoring all live under the same roof. 

You’ll get customizable sales pipelines, email templates, chatbot builders, help desk tools, and even social media scheduling options. The interface is refreshingly visual and straightforward, and most of the time, you won’t need a developer to take advantage of core features.  

Salesforce is ideal for small and mid-sized businesses, scrappy startups, and B2B or SaaS companies that want to unify sales, marketing, and customer support without the stress.  

****What is Salesforce? Core Features & Who It’s For** **

Salesforce is the grand champion of CRM providers, with the biggest market share by far. Salesforce is big. Not just in market share, but in capability. It’s the enterprise-grade CRM juggernaut for teams that want to build exactly what they need, even if that means pulling in developers, consultants, or an entire internal operations team.  

It’s modular, customizable, and endlessly extendable, especially with products like Sales Cloud, Service Cloud, Marketing Cloud, and AppExchange. Features are extensive, ranging from lead tracking to opportunity management, AI-based forecasting with Einstein, automated workflows, case resolution, analytics dashboards and so much more. 

With Agentforce, companies can even tap into the benefits of customizable agentic AI solutions. The issue with Salesforce it isn’t plug-and-play. It takes a lot of effort and expertise to use properly. 

That’s why Salesforce is best suited to larger enterprises and corporations that want real customization opportunities, flexible features, and scale.  

****Salesforce vs HubSpot: Key Feature Showdown** **

Comparing Salesforce and HubSpot can be tricky. While there’s a lot of overlap between them on the surface – they’re still very different. One’s streamlined, agile, and great for beginners. The other is a powerhouse that can crush anything if you’ve got the right people running it. 

Here’s a look at some of the biggest factors side-by-side: 

****Ease of Use** **

HubSpot is cleaner, friendlier, and doesn’t make you feel like you need an IT degree to get going. The menus make sense, the UX is smooth, and the setup is fast. For smaller teams or non-technical users, it’s an ideal choice that leaves unnecessary complexity behind. 

Salesforce is powerful but dense. The interface can be a lot harder to navigate, and getting everything set up and aligned takes a lot of work. For teams with dedicated admins or consultants, that complexity is an asset, allowing for more customization, but for smaller teams, it’s a challenge.  

****Marketing Features** **

HubSpot shines from a marketing perspective. It’s one of the initial inbound marketing pioneers and offers companies tools for email workflows, landing page builders, form tracking, blog hosting, and SEO. The Marketing Hub gives you a full toolkit, with no plugins required. 

Salesforce has its Marketing Cloud, which offers a brilliant selection of tools for companies running multichannel, data-driven campaigns. You get built-in AI to help you personalize strategies and intuitive automation solutions, but there is an extra cost. 

****Sales Features**  **

Both platforms handle sales well but in different ways. HubSpot makes tasks visual and straightforward with drag-and-drop pipelines, activity timelines, call tracking, and email logging. It feels modern and human. 

Salesforce offers more heavyweight tools like opportunity scoring, advanced forecasting, territory management, and role-based access. If your team handles hundreds of leads across multiple regions, Salesforce might be the stronger option.  

****Reporting & Dashboards** **

Salesforce dominates on the data front. You can create insanely detailed reports, cross-object dashboards, and predictive forecasting. But it comes with a steep learning curve, and building reports sometimes requires custom logic or developer support. 

HubSpot offers a solid middle ground. Their dashboards are visual, pre-built templates help non-technical folks a lot, and the custom report builder is intuitive. For most teams, it’s more than enough, unless you’re in data analytics deep-dive mode 24/7. 

****AI and Automation Capabilities** **

HubSpot has strong automation for email workflows, lead nurturing, internal tasks, and custom triggers. You can build smart sequences in minutes. From an AI perspective, you get AI content writers, AI reporting assistants, and Breeze AI agents.  

Salesforce goes deeper with Process Builder and Flow, which let you automate practically anything. But it’s not plug-and-play. It requires someone who knows what they’re doing, or you’ll be staring at a flowchart in confusion. For AI, Salesforce offers a range of Einstein tools, as well as the new Agentforce system for agentic AI.  

****Integration Ecosystem and Customization**  **

HubSpot has a rapidly growing App Marketplace with 1,000+ integrations with tools like Slack, Zoom, Stripe, Shopify, you name it. Most connect in a few clicks, and HubSpot implementation can take minutes, particularly when working with a company like Routine Automation. However, you will be limited when it comes to custom integrations and configurations.  

Salesforce has an incredible AppExchange. If it exists, it probably plugs into Salesforce. But setup isn’t always seamless, and some third-party apps require development work to get humming. You do get exceptional customization options though, without limitations.  

****Pricing & Total Cost of Ownership** **

HubSpot starts with a strong freemium model, so you can grow into it. Pricing scales as you unlock features or add contacts, but it’s transparent and easy to follow.  

Salesforce, on the other hand, has a more complex pricing model. Per-user fees, product-specific costs, and potential integration fees all add up. But if you’re using the full feature set, the value is there. 

****Choosing the Right CRM For You** **

Examining the features of both platforms is just the first step. Before you can make the right decision, you need to ask a few crucial questions:  

1.  **Simplicity vs scalability, which matters most?** If you’re looking for simplicity, HubSpot is the obvious winner. However, if you want more advanced features, customization options, and scalability, Salesforce is the better choice. You’ll just need help managing the learning curve. 
2.  **What do your workflows look like?** If your reps live in their inbox and need a fast way to log calls and deals, choose HubSpot. If they’re juggling accounts across regions, reporting up to five different people, pick Salesforce. 
3.  **How much do you need to integrate?** Salesforce is virtually limitless when it comes to integration options. HubSpot offers fewer options, so if you’ve got a complicated tech stack already, you might want to consider Salesforce. 
4.  **How much support do you need?** Are you looking for end-to-end documentation, training, and a large consultant network? Salesforce could be the better bet. HubSpot has great self-help resources too, but they’re not always as in-depth. 
5.  **What’s your Budget?** HubSpot grows with you, cost-wise. Salesforce can be a heavy initial investment, but might pay off fast if you’re scaling rapidly and need those deep analytics. 

Beyond all that, remember to think about your specific needs. What kind of security and compliance standards do you need to adhere to? Should your tools be mobile-accessible? Are there any industry-specific features that matter to you? 

****Implementing HubSpot or Salesforce the Right Way** **

HubSpot or Salesforce? The right answer depends less on which has the flashiest features and more on which one fits your team. One’s built for speed, simplicity, and marketing-driven growth. The other is a customizable powerhouse for complex workflows and big-picture visibility. 

The truth is, the results you get from either CRM, Salesforce or HubSpot, depend on how you set your technology up. Implementation matters. And doing it right doesn’t just mean turning things on. You’ll need to configure pipelines to match your sales processes, automate the right tasks, set up dashboards, and make sure everything is aligned.  

This is where a partner steps in. Someone who understands not just the tools, but how to make them work for your team. Don’t just pick a CRM platform and hope for the best. Make sure your technology works for you, with the right implementation partner.  

(Image by TyliJura from Pixabay)

HubSpot vs Salesforce: Which CRM Fits Your Business? 

The beginning of Pwn2Own Berlin 2025, hosted at the OffensiveCon conference, has concluded its first two days with…

The beginning of Pwn2Own Berlin 2025, hosted at the OffensiveCon conference, has concluded its first two days with notable achievements in cybersecurity research. A total of $695,000 has been awarded for 39 unique **zero-day vulnerabilities**, with the final day scheduled for Saturday, May 17.

****Day One: Major Exploits and AI Category Debut****

On May 15, the competition commenced with 11 exploit attempts, including the first-ever AI category. Researchers earned $260,000 for successful demonstrations across various platforms.

****Key Highlights:****

*   **Windows 11:** Chen Le Qi of STAR Labs SG combined a use-after-free and integer overflow to escalate privileges to SYSTEM, earning $30,000 and 3 Master of Pwn points.

*   **Red Hat Linux**: Pumpkin from the DEVCORE Research Team exploited an integer overflow for privilege escalation, securing $20,000 and 2 points.

*   **Oracle VirtualBox:** Team Prison Break achieved a virtual machine escape via an integer overflow, receiving $40,000 and 4 points.

*   **Docker Desktop:** Billy and Ramdhan of STAR Labs demonstrated a container escape using a Linux kernel vulnerability, earning $60,000 and 6 points.

*   **AI Category:** Sina Kheirkhah of Summoning Team exploited the Chroma AI application database, marking the first success in this category and earning $20,000 and 2 points.

Additional awards were given for other successful exploits, including a type confusion bug in Windows 11 by Hyeonjin Choi of Out Of Bounds, who earned $15,000 and 3 points.

****Day Two: Continued Success and High-Value Exploits****

The second day, May 16, saw researchers uncovering 20 unique zero-day vulnerabilities, resulting in $435,000 in awards.

*   **Microsoft SharePoint:** Dinh Ho Anh Khoa of Viettel Cyber Security combined an authentication bypass and insecure deserialization to exploit SharePoint, earning $100,000 and 10 points.

*   **VMware ESXi:** Synacktiv demonstrated a successful exploit, securing $80,000 and 8 points.

*   **NVIDIA Triton Inference Server:** Mohand Acherir and Patrick Ventuzelo of FuzzingLabs earned $15,000 and 1.5 points for their exploit, which was a known but unpatched vulnerability.

Other successful exploits included attacks on Firefox, Redis, and additional AI systems.  
SecurityWeek

> Wrapping up Day Two of #Pwn2Own Berlin 2025. We’ve awarded $695,000 for 20 unique 0-days, with one more day to go! pic.twitter.com/x2oBfaSfKS
> 
> — Trend Zero Day Initiative (@thezdi) May 16, 2025

****Day Three: Anticipated Final Challenges****

The final day, Saturday, May 17, is expected to feature remaining scheduled attempts, including further AI category exploits and other high-profile targets. With $695,000 already awarded, the total prize pool is projected to surpass $1,000,000.

****Master of Pwn Standings****

As of the end of Day Two, STAR Labs SG leads the Master of Pwn standings, having demonstrated multiple successful exploits across various categories. The final standings will be determined after the conclusion of Day Three.

Pwn2Own Berlin 2025 has showcased the growing **challenges in cybersecurity**, highlighting the importance of proactive vulnerability research. The introduction of the AI category reflects the growing focus on securing emerging technologies.

_Note: The above information is based on the latest available data from the Pwn2Own Berlin 2025 event. For detailed results and updates, refer to the Zero Day Initiative’s **official blog**._

Pwn2Own Berlin 2025: Windows 11, VMware, Firefox and Others Hacked

Ivanti EPMM users urgently need to patch against actively exploited 0day vulnerabilities (CVE-2025-4427, CVE-2025-4428) that enable pre-authenticated remote…

Ivanti EPMM users urgently need to patch against actively exploited 0day vulnerabilities (CVE-2025-4427, CVE-2025-4428) that enable pre-authenticated remote code execution, warns watchTowr.

Cybersecurity researchers at watchTowr have shared details of two security vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, identified as CVE-2025-4427 and CVE-2025-4428 that can be combined to gain complete control over affected systems and are actively exploited by attackers.

Ivanti EPMM is a Mobile Device Management (MDM) solution system, crucial for enterprise security, acting as a central point to control software deployment and enforce policies on employee devices. However, the abovementioned flaws are turning this management tool into a potential entry point for malicious actors. watchTowr’s analysis, shared with Hackread.com, indicates that exploiting these vulnerabilities is surprisingly straightforward.

****Chained Exploits Lead to Full System Compromise****

The first vulnerability, CVE-2025-4427, is an authentication bypass flaw, which allows attackers to access protected parts of the Ivanti EPMM system without needing proper login credentials. The second vulnerability, CVE-2025-4428, is a remote code execution (RCE) flaw, which, if exploited, can let attackers run their own malicious code on the server.

Ivanti itself has acknowledged the severity when these issues are combined, stating that “successful exploitation could lead to unauthenticated remote code execution.” They have also reported awareness of a “very limited number of customers who have been exploited” since the vulnerabilities were disclosed.

This suggests that while the attacks might be targeted currently, they could become more widespread. watchTowr notes that once such targeted attacks become public, it’s common for attackers to start mass exploitation to find any remaining vulnerable systems.

Interestingly, Ivanti stated that the vulnerabilities are not in their own code but are “associated with two open-source libraries integrated into EPMM.” They emphasized that using open-source code is a standard practice in the tech industry.

****Technical Details and Exploitation****

watchTowr discovered an RCE vulnerability (CVE-2025-4428) in the hibernate-validator library, allowing attackers to inject malicious code through a parameter called “format” in API requests. watchtower successfully demonstrated this vulnerability by sending a simple web request that executed a calculation, proving code injection was possible. Moreover, they could execute system commands, like creating a file on the server.

The authentication bypass (CVE-2025-4427) is an “order of operations” issue rather than a traditional bypass. A crafted “format” parameter in a request to the /api/v2/featureusage_history endpoint triggers the vulnerable validation process before the authentication check, allowing an unauthenticated attacker to trigger the code execution vulnerability. The presence of the parameter changes the processing order, eliminating the need to log in first.

watchTowr successfully chained these two vulnerabilities in the Ivanti EPMM server by sending a crafted web request to the /rs/api/v2/featureusage endpoint with a malicious “format” parameter, allowing them to execute system commands without logging in, thus, creating a pre-authenticated RCE scenario.

These vulnerabilities pose a critical risk to organizations using affected versions. Patches are available for versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0 and organizations using older unpatched versions are advised to update immediately

Ivanti EPMM Hit by Two Actively Exploited 0day Vulnerabilities

ReversingLabs discovers dbgpkg, a fake Python debugger that secretly backdoors systems to steal data. Researchers suspect a pro-Ukraine…

ReversingLabs discovers dbgpkg, a fake Python debugger that secretly backdoors systems to steal data. Researchers suspect a pro-Ukraine hacktivist group is behind the attack on the PyPI repository especially those used by Russian developers.

Cybersecurity researchers at ReversingLabs (RL) have discovered a new malicious Python package, named dbgpkg, that masquerades as a debugging tool but instead installs a backdoor on developers’ systems. This backdoor allows attackers to run malicious code and steal sensitive information. By analysing the techniques used, RL suspects a hacktivist group known for targeting Russian interests in support of Ukraine may be involved.

****Sophisticated Backdoor Uses Sneaky Python Tricks****

Reportedly, the dbgpkg package, detected on Tuesday by the RL threat research team, contained no actual debugging features. Instead, it was designed to trick developers into installing a backdoor, effectively turning their development machines into compromised assets.

What made “dbgpkg” particularly noteworthy was its sophisticated method of implanting the backdoor. Upon installation, the package’s code cleverly modifies the behaviour of standard Python networking tools (_requests_ and _socket_ modules) using a technique called “function wrapping” or “decorators.” This allows the malicious code to remain hidden until these networking functions are used by the developer.

Source: ReversingLabs

As per RL’s investigation, shared with Hackread.com, the malicious wrapper code first checks for a specific file, likely to see if the backdoor is already present. If not, it executes three commands. The first downloads a public key from the online Pastebin service.

The second installs a tool called Global Socket Toolkit, designed to bypass firewalls, and uses the downloaded key to encrypt a secret needed to connect to the backdoor. The third command then sends this encrypted secret to a private online location. This multi-stage process, along with using function wrappers on trusted modules, makes the malicious activity harder to detect.

****Links to Previous Pro-Ukraine Activity****

RL researchers found similarities between the dbgpkg backdoor and malware previously employed by the Phoenix Hyena hacktivist group, which has been active since 2022 and is known for targeting Russian entities.

This group typically steals and leaks confidential information on their Telegram channel “DumpForums.” One notable incident linked to this group was the alleged breach of the Russian cybersecurity firm Dr. Web in September 2024.

Another similarity was an earlier malicious package involved in the same campaign, discordpydebug (discovered in early May by Socket), which had the same backdoor as an earlier version of dbgpkg. Discordpydebug, posing as a debugging tool for Discord bot developers, was uploaded shortly after Russia invaded Ukraine in March 2022. Another package, requestsdev, also part of this campaign and uploaded by the same likely impersonated author (\[email protected\], mimicking popular developer Cory Benfield), contained the same malicious payload.

However, RL researchers couldn’t definitively attribute this campaign to Phoenix Hyena based on backdooring techniques as it could be a copycat’s work too. Nevertheless, the timeline of related malicious packages suggests a politically motivated operation by a persistent threat actor.

“And, with a campaign driven by geopolitical tensions and the continuing hostility between Russia and Ukraine, RL researchers believe that more malicious packages are almost certain to be created as part of this campaign,” researchers concluded.

Pro-Ukraine Group Targets Russian Developers with Python Backdoor

Hackers from the Scattered Spider group, known for UK retail attacks, are now targeting US retailers, Google cybersecurity…

Hackers from the Scattered Spider group, known for UK retail attacks, are now targeting US retailers, Google cybersecurity experts have warned.

The notorious cybercriminal group Scattered Spider is now actively targeting retail companies in the United States, following a string of disruptive attacks against similar businesses in the United Kingdom.

This warning comes directly from cybersecurity experts at Google Threat Intelligence Group (GTIG) and Google subsidiary Mandiant, who highlight the group’s effectiveness at bypassing even strong security measures.

“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” John Hultquist, Google’s cybersecurity analyst, stated. 

It is worth noting that Scattered Spider (aka UNC3944) is the primary suspect in the recent attacks on UK retain giants Harrods, Co-op, and M&S, but UK’s National Cyber Security Centre (NCSC), Mandiant and Google have not formally attributed them to any specific actor as yet. However, GTIG researchers suggest that the hackers targeting US retailers share similar techniques and procedures as the culprits behind the British incidents.

Researchers noted a _possible_ link between DragonForce ransomware operators and Scattered Spider. The former took responsibility for attempted recent attacks on several UK retailers, using tactics similar to Scattered Spider. Moreover, both were associated with the now\-defunct RaaS platform RansomHub.

However, GTIG could not confirm the link between UNC3944/DragonForce and rising retail data leaks. Still, the increasing presence of retail victims on data leak sites (11% in 2025, up from previous years) suggests that threat actors find this sector attractive due to large PII/financial data holdings and their willingness to pay ransom to maintain transaction processing.

As per Hackread.com’s past reporting, Scattered Spider is a financially motivated threat actor known for using social engineering techniques. They gained notoriety for hacking casino giants MGM Resorts International and Caesars Entertainment in 2023. They initially targeted telecommunications companies for SIM swapping and later started deploying ransomware to extort victims.

They are also known for phishing attempts and MFA bombing, where they bombard targets with multi-factor authentication requests. Typically, UNC3944 goes after established enterprises, specifically organizations with large help desks and outsourced IT departments, as these are more vulnerable to their sophisticated social engineering techniques.

GTIG’s analysis reveals that since early 2023 UNC3944 has targeted a diverse range of sectors, including Technology, Telecommunications, Financial Services, Business Process Outsourcing (BPO), Gaming, Hospitality, Retail, and Media & Entertainment organizations. Geographically, their primary targets have been even more diverse, including the US, Canada, the UK, Australia, Singapore and India.

Image: Google

The Retail & Hospitality ISAC, an information-sharing group that includes major players like Albertsons, Costco, McDonald’s, and Lowe’s, has acknowledged the threat and is working with Google to provide its members with detailed briefings and guidance on how to strengthen their defences against this evolving threat. The warning from Google serves as a clear signal for US retailers to be on high alert and to review their security protocols.

Chad Cragle, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform:

_“_Scattered Spider (UNC3944) uses sophisticated social engineering to infiltrate and deploy ransomware. To defend against this group, secure privileged accounts, implement phishing-resistant MFA, and verify every help-desk identity request._“_

_“_Retailers are particularly vulnerable, as they handle large amounts of payment data, manage intricate supply chains, and operate under significant uptime pressure that often encourages ransom payments,_“_ Chad warned. _“_However, organizations with valuable data and critical availability needs are equally at risk._“_

Hackers Now Targeting US Retailers After UK Attacks, Google

Coinbase insider breach: Bribed overseas agents stole user data; company rejects ransom, offers $20M reward, boosts security, and…

Coinbase insider breach: Bribed overseas agents stole user data; company rejects ransom, offers $20M reward, boosts security, and cooperates with law enforcement.

Coinbase, the largest US-based cryptocurrency exchange, has disclosed a major data breach involving bribed overseas customer support agents who stole sensitive customer information. The attackers demanded a $20 million ransom, which Coinbase refused to pay. Instead, the company has offered a $20 million reward for information leading to the arrest and conviction of the perpetrators.

****What Happened****

Cybercriminals targeted Coinbase’s external customer support agents, bribing a small group to access internal systems. These insiders extracted data from less than 1% of Coinbase’s monthly transacting users, including the following:

*   Masked bank account info
*   Some internal Coinbase documents
*   Last 4 digits of Social Security numbers
*   Government ID images (like driver’s licenses)
*   Names, addresses, phone numbers, and emails
*   Account balance snapshots and transaction history

According to Coinbase’s blog, the attackers used the information to impersonate Coinbase support and deceive customers into transferring their cryptocurrency. They then attempted to extort Coinbase for $20 million to prevent the release of the stolen data.

The good news is that the attackers could not get their hands on the following critical information:

*   Login info
*   2FA codes
*   Private keys
*   Coinbase Prime account data
*   Access to any crypto wallets or customer funds

****Coinbase’s Response****

In response to the breach, Coinbase has taken a series of actions aimed at minimizing damage and preventing future incidents. The company refused to pay the $20 million ransom demanded by the attackers and instead set up a $20 million reward fund for information leading to their arrest.

Customers who were deceived into transferring funds as a result of the attack will be reimbursed. To strengthen internal security, Coinbase is opening a new support center in the United States, rolling out enhanced security protocols, and increasing investment in insider threat detection and automated response systems.

The company is also working with law enforcement to press criminal charges against both the internal and external individuals involved. Financially, the breach may cost Coinbase between $180 million and $400 million, and the company’s stock fell 6% following the announcement, reflecting investor concerns.

****Customer Guidance****

Coinbase advises customers to remain alert against phishing attempts and social engineering scams. The company emphasizes that it will never ask for passwords, two-factor authentication codes, or request fund transfers to new addresses. Customers are encouraged to enable withdrawal allow-listing and use hardware-based two-factor authentication for added security.

****Experts Weigh In****

Ishpreet Singh, Chief Information Officer at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the incident stating, _“_While it’s promising to see that Coinbase isn’t currently planning to pay the $20M ransom, there are steps they can take to ensure further scenarios such as this don’t transpire._“_

_“_I’d recommend implementing just-in-time access controls such as device fingerprinting and session auditing,_“_ he added. _“_Additionally, conducting regular risk reviews and strengthening vendor risk management and oversight can reduce third-party access to personally identifiable information._“_

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), also commented on the insider job, stating, _“_Coinbase’s decision to publicly counter-extort with a $20 million bounty is an interesting reversal of the usual playbook, transforming breach response into what could turn into a global manhunt._“_

_“_This move shifts the narrative from victimhood to proactive offence weaponizing transparency and financial incentives against cybercriminals. It also signals to users and adversaries alike that extortion will not quietly succeed, potentially reframing how future attacks may be responded to. Perhaps risk is escalation,_“_ Jasin added. _“_Adversaries may double down or target exchanges with even greater aggression._“_

This story is developing, stay tuned!

Coinbase Customer Info Stolen by Bribed Overseas Agents

Reddit Struggles After Google's New Focus on Expertise

A wave of Google algorithm changes in 2025 has hit Reddit hard, cutting deep into its organic traffic. Although Reddit’s core user base remains stable, the loss of search-driven visitors is affecting the platform’s reach, engagement, and even its financial results.

The search giant’s focus on Expertise, Authoritativeness, and Trustworthiness (E-A-T) standards is fundamentally reshaping who wins and loses in the digital space and Reddit is now feeling the consequences.

****What We Know About the Traffic Drop****

The traffic impact stems from a series of Google updates rolled out throughout early 2025. The updates specifically target low-authority, community-driven content that doesn’t meet newly enforced quality thresholds.

While Reddit has historically been a powerhouse for long-tail search queries, especially for user advice, discussions, and opinions, the latest changes sharply reduced Reddit’s visibility in Google search results.

Threads and subreddits that used to dominate the SERPs for countless queries have seen their rankings plunge, especially when competing against official websites, expert blogs, and high-authority publications.

****Stable Core Users, But Shrinking External Reach****

Despite the drop in organic search traffic, Reddit’s registered users, those who are logged in, have remained active. Internal engagement metrics such as posts, comments, and community participation have not shown a significant decline.

However, the real problem lies with external search visitors, users who find Reddit posts through Google searches without being logged in. This audience is critical because they represent new users, new sessions, and fresh ad impressions that drive advertising revenue.

Without this continuous influx of external traffic, Reddit’s growth engine slows down, and its overall business performance risks stagnation.

****Financial Impact: Fewer Eyes, Lower Revenue****

Reddit’s advertising model heavily relies on page views and session length. With the decline in search-driven visits, the number of ad impressions served across the platform has dropped noticeably.

This is especially concerning at a time when Reddit has been attempting to scale its ad business aggressively and position itself as a major player in digital advertising against giants like Google, Meta, and TikTok.

The bottom line: less traffic from Google means less revenue, fewer opportunities for monetization, and increased financial pressure.

****Google’s E-A-T Standards Are Reshaping the Internet****

At the heart of Reddit’s struggles is Google’s renewed emphasis on E-A-T. The algorithm now systematically prefers content produced by recognizable experts or trustworthy institutions.

Here’s why Reddit was vulnerable:

1.  Moderation standards vary across subreddits.
2.  User-generated content is inherently diverse and unpredictable.
3.  Authority and expertise are not consistently verifiable across posts.

While Reddit excels in community knowledge and crowd-sourced advice, it doesn’t consistently guarantee factual accuracy or expert credibility — two critical factors in Google’s revamped ranking system.

In Google’s new search model, structured, curated, expert-authored content wins.

Anonymous forum discussions lose.

****Why Did This Happen?********User-Generated Content Faces Tougher Scrutiny****

UGC platforms like Reddit depend on quantity and variety, not necessarily structured expertise. However, Google’s 2025 updates elevate quality, not quantity.

Even if a Reddit thread has thousands of comments, it won’t outrank a single authoritative page from a trusted source anymore unless it demonstrates clear expertise and reliability.

****Low-Quality Content and Spam Detection****

Google’s AI-driven systems are now better at detecting low-value discussions, spammy posts, and duplicate advice.

On a platform as large as Reddit, even a small percentage of low-quality content being indexed can damage overall domain-level trust signals, pulling down entire sections of the site in rankings.

In short: Google no longer trusts platforms purely because of volume.

Trust must be earned through consistent quality and verifiable authority.

****What This Means for Reddit****

Reddit’s leadership now faces a strategic crossroads:

1.  Improve content moderation across key subreddits.
2.  Highlight authoritative voices within communities.
3.  Foster partnerships with verified experts and institutions.
4.  Rethink SEO strategies to align with Google’s E-A-T criteria.

Without serious internal changes, Reddit risks continuing to lose search visibility, meaning fewer users, slower growth, and intensified competition from newer platforms that better fit Google’s evolving definition of value.

****Lessons for Other UGC Platforms****

If you operate a platform built on user-generated content, Reddit’s struggle is your warning sign.

Key lessons:

1.  Encourage verified, expert participation in discussions.
2.  Invest in moderation systems to ensure consistent content quality.
3.  Build trust signals into your website architecture (author bios, fact-checking, transparent sourcing).
4.  Diversify traffic sources beyond search engines to protect long-term growth.

The old era of “any content ranks” is over.

Only authentic, high-quality, verifiable content will survive.

“The recent algorithm changes from Google are a clear indication that the digital landscape is evolving, and platforms like Reddit must adapt.

In my experience, user-generated content alone is no longer enough to maintain high search visibility. The algorithm increasingly favours content that is authentic, well-structured, and authoritative.

For platforms that thrive on UGC, like Reddit, the future lies in implementing better content moderation and incorporating expert-driven insights into discussions.

This is not just about adapting to Google’s algorithms, it’s about future-proofing your platform by creating real value for your users.

At Serpzilla, we are advising our clients to focus on building trust and improving content quality to stay competitive in an increasingly demanding digital environment.”

****Conclusion****

Reddit’s situation is a case study of how dramatically Google’s search priorities have shifted. If community-driven platforms fail to evolve, they risk becoming invisible in the modern search prospect.

Trust, authority, and structured expertise are the new keys to visibility.

Those who adapt will grow.

Those who don’t will fade away.

Google Algorithm Slashes Reddit Traffic: What It Means for UGC Platforms

A new wave of attacks uses PowerShell and LNK files to secretly install Remcos RAT, enabling full remote…

A new wave of attacks uses PowerShell and LNK files to secretly install Remcos RAT, enabling full remote control and surveillance of infected systems.

Cybersecurity experts at the Qualys Threat Research Unit (TRU) have recently uncovered a sophisticated cyberattack that utilizes the scripting language PowerShell to secretly install Remcos RAT (Remote Access Trojan).

This method allows attackers to operate undetected by many traditional antivirus programs because the malicious code runs directly in the computer’s memory, leaving very few traces on the hard drive. 

For your information, Remcos RAT is a powerful tool that cybercriminals use to gain complete control over infected computers. Once installed, it allows them to spy on victims, steal data, and perform other harmful actions.

According to the Qualys TRU analysis, the attack begins when a user opens a harmful file inside a ZIP archive, new-tax311.ZIP, which contains a shortcut file ‘new-tax311.lnk.’ Clicking this .LNK file doesn’t open a normal program. Instead, it uses a Windows tool called ‘mshta.exe’ to run a confusing (obfuscated) PowerShell script.

This script prepares the computer to get infected with Remcos RAT. First, it tries to weaken Windows Defender by telling it to ignore the “C:/Users/Public/” folder. It also changes PowerShell settings to allow unsafe scripts to run without warning and tries to run secretly. To make sure the Remcos RAT starts every time the computer is turned on, the script adds information to the Windows Registry.

Attack Flow (Source: Qualys TRU)

The script also downloads several files to the "C:/Users/Public/" folder. One might be a fake harmless file like pp1.pdf. It also downloads two key files: 311.hta (set to run at start-up and similar to ‘xlab22.hta’) and ‘24.ps1.’ The ‘24.ps1 file is the main, hidden PowerShell script that contains the Remcos RAT. This script uses special Windows functions (Win32 APIs) to load and run Remcos RAT directly in the computer’s memory, avoiding detection by file-based security.

The Remcos RAT TRU researchers analysed is a 32-bit V6.0.0 program designed to be stealthy and give attackers control over infected computers. It is a modular design, which means it has different parts that can perform different tasks. The program also stores encrypted data, which it decrypts when needed. 

This encrypted data contains the remote server’s address that it connects to (readysteaurantscom on port 2025 using a secure connection called TLS), the malware’s name (Remcos), and a special code (Rmc-7SY4AX) it uses to identify if the computer is already infected.

Remcos can perform various harmful actions, including keylogging, copying clipboard content, taking screenshots, recording from microphones and webcams, and stealing user information. It also tries to prevent security programs from analysing it.

In their research, Qualys TRU team emphasized that users should activate PowerShell logging and AMSI monitoring (a Windows feature that helps detect malicious scripts) to be turned on, and to use a strong EDR (Endpoint Detection and Response) solution for better protection.

In a comment to Hackread.com, Xiaopeng Zhang, IPS Analyst and Security Researcher with Fortinet’s FortiGuard Labs, stated _“_The attackers behind Remcos are evolving their tactics. Instead of exploiting the CVE-2017-0199 vulnerability through malicious Excel attachments, they now use deceptive LNK files disguised with PDF icons to lure victims into executing a malicious HTA file._“_

Xiaopeng warned that _“_PowerShell continues to play a role in the campaign. However, the latest variant adopts a fileless approach, using PowerShell to parse and execute Remcos directly in memory via the CallWindowProc() API. This marks a shift from previous methods, where Remcos was downloaded as a file before execution._“_

Source

HackRead