Hacker claims breach of Israeli cybersecurity firm Check Point, offering network access and sensitive data for sale; company denies any recent incident.

A hacker operating under the alias “CoreInjection” is claiming responsibility for the breach of Israeli cybersecurity company **Check Point**, alleging access to sensitive internal data and network systems.

The hacker published their claims on Breach Forums on Sunday, March 30, 2025, and announced the sale of the stolen content for a price of 5 Bitcoin ($434,570). The hacker emphasized that the price is “firm and non-negotiable,” with cryptocurrency being the only accepted form of payment. Interested parties were directed to make contact via the TOX messaging platform.

In the forum listing, CoreInjection said the data for sale includes:

*   **Internal project documentation**

*   **User credentials, both hashed and in plaintext**

*   **Internal network maps and architecture diagrams**

*   **Source code and compiled binaries of proprietary software**

*   **Employee contact details, including phone numbers and email addresses**

The screenshot shows what the hacker (CoreInjection) is offering. (Screenshot credit: Hackread.com)

**Check Point Responds**

Shortly after the post gained attention, Check Point issued a statement denying any recent breach of this scale. According to the company, the claim relates to an “old, known and very pinpointed event” that affected a limited number of organizations and did not touch any core systems.

“This was handled months ago and didn’t include the description detailed on the dark forum message,” Check Point said in a statement. “These organisations were updated and handled at that time, and this is not more than the regular recycling of old information.”

The company insists there was no security threat to its customers, infrastructure, or internal operations. They clarified that the affected portal did not involve production environments or systems containing sensitive architecture.

Screenshots shared by the hacker show what they are offering and what can be accessed (Screenshot credit: Hackread.com)

**Who is CoreInjection?**

CoreInjection is a relatively new player in cybercrime but has quickly made a name for itself by targeting critical infrastructure and high-profile networks, particularly in Israel. The hacker’s first appearance on Breach Forums was on March 15, 2025, and since then, they’ve posted five listings offering network access to various companies.

Their earliest post was for access to an industrial machinery and equipment admin panel for a U.S.-based company, priced at $100,000. But the pattern that emerged shortly after points to a specific geographic focus: Israel.

On March 16, CoreInjection claimed to be selling access to the network and management emails of an Israel-based international car company. According to the listing, the access includes “full control over the company’s Israeli network infrastructure,” with a price tag of $50,000.

Two days later, on March 18, another listing surfaced, this time offering “Full System Access to a Prominent Digital Screen Company” based in Israel. Priced at $100,000, the listing described access to a central server responsible for managing a large inventory of digital displays across shopping malls. The post highlighted that the access allowed “instantaneous content and propagation,” effectively enabling real-time control over public display systems.

That detail alone raises flags for cybersecurity experts. Groups linked to Iran, Hezbollah, and Palestinian hacktivists have a **history** of targeting **CCTV cameras**, **television feeds** and public-facing screens, often defacing them with political messages. If CoreInjection’s claim is accurate, the sale of such access could open the door to similar high-visibility attacks.

On March 20, another listing followed; this time for an Israeli company in the electrical products sector. CoreInjection claimed to have an “exclusive and up-to-date customer and order database” from the firm, with the asking price set at $30,000.

Other posts from the hacker show what they are offering to interested parties.  
(Screenshot credit: Hackread.com)

Altogether, CoreInjection’s listings suggest a focused campaign with a clear pattern: high-value access, **critical systems**, and a strong interest in Israeli infrastructure. Whether operating independently or as part of a broader effort, the hacker’s activities have drawn attention in both underground forums and the cybersecurity community.

****Questions Remain****

Despite the company’s reassurance, the hacker’s detailed description of the alleged stolen materials has raised concerns. The mention of internal network diagrams, plaintext credentials, and proprietary software could point to deeper access than Check Point admits if the data is genuine.

Several questions are still unanswered. If this is indeed an old event, why was it never publicly disclosed at the time it happened? Transparency is expected, especially from a cybersecurity vendor of Check Point’s size. The lack of details about how the incident occurred also leaves a gap in understanding **the nature of the breach**. Was it a misconfigured portal, a credential compromise, an insider threat, or something else entirely?

Furthermore, Check Point hasn’t addressed whether they’ve identified the method of breach or if they have any suspects linked to the event. Without that information, it’s difficult to assess whether the threat has been fully contained or if there’s an ongoing threat.

This incident comes at a time when cybercriminals are increasingly **targeting cybersecurity vendors** themselves, often exploiting smaller missteps to escalate into bigger breaches. Whether CoreInjection’s claims hold weight or not, the situation shows that even firms specializing in defense aren’t safe from threat actors.

Hacker Claims Breach of Check Point Cybersecurity Firm, Sells Access

Massive Twitter (X) data breach exposes details of 2.8 billion users; alleged insider leak surfaces with no official response from the company.

A data leak involving a whopping 2.87 billion **Twitter (X)** users has surfaced on the infamous Breach Forums. According to a post by a user named ThinkingOne, the leak is the result of a disgruntled X employee who allegedly stole the data during a period of **mass layoffs**. If true, this would be the largest social media data breach in history, but surprisingly, neither X nor the broader public appears to be aware of it.

****What We Know About the Breach****

The original post by ThinkingOne states that the data, around 400GB worth, was likely exfiltrated during messy layoffs at X. The poster claims that they tried contacting X through multiple methods but received no response.

Frustrated with the lack of acknowledgment from X and the general public, they took matters into their own hands and decided to merge the newly leaked data with another infamous **breach from January 2023**.

Screenshot from Breach Forums shows what ThinkingOne has posted about the alleged breach (Credit: Waqas/Hackread.com)

****The 2023 Breach Recap****

To understand the full scope of what was leaked, looking at the 2023 X data breach that affected around 209 million users is important. That breach exposed:

*   **Email addresses**

*   **Display names and usernames (handles)**

*   **Followers count and account creation dates**

At the time, **X downplayed the leak**, stating that it consisted of publicly available data. Despite the massive exposure of email addresses, they insisted that no sensitive or private information was involved. However, security experts warned that the combination of emails and public data could enable phishing and identity theft on a large scale.

****What’s Inside the Alleged 2025 Breach?****

The 2025 breach, however, is a completely different beast. Unlike the 2023 leak, it doesn’t contain email addresses, but it does hold a goldmine of profile metadata, including:

*   **Account creation dates**.

*   **User IDs and screen names**.

*   **Profile descriptions and URLs**.

*   **Location and time zone settings**.

*   **Display names (current and from 2021).**

*   **Followers count from both 2021 and 2025**.

*   **Tweet count and timestamps of the last tweet**.

*   **Friends count, listed count, and favorites count**.

*   **Source of the last tweet (such as TweetDeck or X Web App).**

*   **Status settings (like whether the profile is verified or protected)**.

The data gives a detailed snapshot of users’ profiles and activity over time, including bios, follower counts from different years, tweet history, and even the app used for the last tweet. But the one thing it doesn’t include is the most sensitive bit: email addresses.

Data analyzed by the Hackread.com research team (Credit: Waqas/Hackread.com)

****The Data Mashup****

ThinkingOne, a well-known figure on Breach Forums for their skill in analyzing data leaks, decided to combine the 2025 leak with the 2023 one, producing a single 34GB CSV file (9GB compressed) containing 201 million merged entries. To be clear, the merged data only includes users that appeared in both breaches, creating a confusion of public and semi-public data.

This messy combination led many to believe that the 2025 leak also contained email addresses, but that’s not the case. The emails shown in the merged file are from the 2023 breach. The presence of emails in the merged dataset has given the wrong impression that the contents of the 2025 leak also include email addresses.

****Why 2.8 Billion Doesn’t Add Up****

As of Jan 2025, X (formerly Twitter) had around **335.7 million users**, so how is it possible that data from 2.8 billion users has been leaked? One possible explanation is that the dataset includes aggregated or historical data, such as bot accounts that were created and later banned, inactive or deleted accounts that still lingered in historical records, or old data that was merged with newer data, increasing the total number of records.

Additionally, some entries might not even represent real users but could include non-user entities like API accounts, developer bots, deleted or banned profiles that remained logged somewhere, or organization and brand accounts that aren’t tied to individual users.

Another possibility is that the leaked data wasn’t exclusively obtained from Twitter itself but rather scraped from multiple public sources and merged together, including archived data from older leaks or information from third-party services linked to Twitter accounts.

****Who Is ThinkingOne, and How Did They Get the Data?****

One of the biggest mysteries is how ThinkingOne managed to obtain the 2025 breach data in the first place. Unlike typical hackers, they are not known for breaching systems themselves but are highly regarded for analyzing and interpreting leaked datasets. Whether they received the data from another source or conducted some sophisticated data aggregation is still unclear.

Their theory that a disgruntled employee leaked the data during the layoffs remains unconfirmed, and there’s no concrete evidence to support it; it is only a plausible hypothesis given the timing and internal mess at X.

****Why the Silence from X?****

If the claims are true, this is not just a massive breach in size but also a blow to user privacy and corporate security practices. Yet, X remains silent, and the general public remains largely unaware.

Whether it’s due to a lack of awareness on their part or an intentional attempt to downplay the incident, the absence of any official response raises serious questions about corporate transparency and accountability.

Despite the large scale of the alleged breach, the lack of public acknowledgment from X is worrisome. Whether this was an **inside job** or not, users are left with more questions than answers: How much of their data has been compromised? Who was behind the leak? And why hasn’t X issued any statements about it?

Twitter (X) Hit by Data Leak of 2.8 Billion Users; Allegedly an Insider Job

Palo Alto, USA, 29th March 2025, CyberNewsWire

**Palo Alto, USA, March 28th, 2025, CyberNewsWire**

From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging cyberthreats to plague enterprises. Chainalysis estimates that corporations spend nearly $1 billion dollars on ransom each year, but the greater cost often comes from the reputational damage and operational disruption caused by the attack.

Ransomware attacks typically involve tricking victims into downloading and installing the ransomware, which copies, encrypts, and/or deletes critical data on the device, only to be restored upon the ransom payment. Traditionally, the primary target of ransomware has been the victim’s device. However, thanks to the proliferation of the cloud and SaaS services, the device no longer holds the keys to the kingdom. Instead, the browser has become the primary way through which employees conduct work and interact with the internet. In other words, the browser is becoming the new endpoint.

SquareX has been disclosing major browser vulnerabilities like Polymorphic Extensions and Browser Syncjacking, and is now issuing a strong warning on the emergence of browser-native ransomware. 

> SquareX’s founder, Vivek Ramachandran cautions, “With the recent surge in browser-based identity attacks like the one we saw with the Chrome Store OAuth attack, we are beginning to see evidence of the ‘ingredients’ of browser-native ransomwares being used by adversaries. It is only a matter of time before one smart attacker figures out how to put all the pieces together. While EDRs and Anti-Viruses have played an unquestionably vital role in defending against traditional ransomware, the future of ransomware will no longer involve file downloads, making a browser-native solution a necessity to combat browser-native ransomwares.”

Unlike traditional ransomware, browser-native ransomware requires no file download, rendering them completely undetectable by endpoint security solutions. Rather, this attack targets the victim’s digital identity, taking advantage of the widespread shift toward cloud-based enterprise storage and the fact that browser-based authentication is the primary gateway to accessing these resources. In the case studies demonstrated by SquareX, these attacks leverage AI agents to automate the majority of the attack sequence, requiring minimal social engineering and interference from the attacker.

One potential scenario involves social engineering a user into granting a fake productivity tool access to their email, through which it can identify all the SaaS applications the victim is registered with. It can then systematically reset the password of these apps with AI agents, logging the users out on their own and holding enterprise data stored on these applications hostage. 

Similarly, the attacker can also target file-sharing services like Google Drive, Dropbox and OneDrive, using the victim’s identity to copy out and delete all files stored under their account. Critically, attackers can also gain access to all shared drives, including those shared by colleagues, customers and other third parties. This significantly expands the attack surface of browser-native ransomware – where the impact of most traditional ransomware is confined to a single device, all it takes is one employee’s mistake for attackers to gain full access to enterprise-wide resources.

As fewer and fewer files are being downloaded, it is inevitable for attackers to follow where work and valuable data are being created and stored. As browsers become the new endpoint, it is crucial for enterprises to reconsider their browser security strategy – just as EDRs were critical to defend against file-based ransomware, a browser-native solution with a deep understanding of client-side application layer identity attacks will become essential in combating the next generation of ransomware attacks.

To learn more about this security research, users can visit https://sqrx.com/browser-native-ransomware

**About SquareX**

SquareX’s industry-first Browser Detection and Response (BDR) solution helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time. In addition to browser ransomware, SquareX also protects against various browser threats including identity attacks, malicious extensions, advanced spearphishing, GenAI DLP, and insider threats.

The browser-native ransomware disclosure is part of the Year of Browser Bugs project. Every month, SquareX’s research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking and Polymorphic Extensions. 

To learn more about SquareX’s BDR, users can contact \[email protected\].

For press inquiries on this disclosure or the Year of Browser Bugs, users can email \[email protected\]. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk

A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities…

A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities for years to conduct highly effective phishing campaigns.

According to researchers, this operation utilizes a phishing-as-a-service (**PhaaS**) platform, enabling both technical and non-technical cybercriminals to launch targeted attacks.

The platform is equipped with tools to bypass security systems, including the exploitation of open redirects on adtech servers, redirection through **compromised WordPress websites**, and the use of DNS MX records to identify victim email service providers. Also, they use mass spam delivery and dynamic content tailoring to evade traditional security measures.

“We have discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored, login pages, spoofing over 100 brands,” researchers noted in the **blog pos**t, shared with Hackread.com ahead of its release.

Regarding the distribution of spam emails, the platform’s primary attack vector, researchers observed a distinct centralization pattern, with a considerable portion originating from servers hosted by iomart (United Kingdom) and HostPapa (United States), indicating a unified network rather than dispersed activity from multiple independent entities.

Top 10 Popular ISPs (Source: Infoblox)

Morphing Meerkat uses a dynamic serving of fake login pages customized to the victim’s email service provider by querying **DNS MX records** using Cloudflare DoH or Google Public DNS. The platform maps these records to corresponding phishing HTML files, featuring over 114 unique brand designs, ensuring a personalized phishing experience and increasing the likelihood of successful credential theft.

The operation has evolved significantly since its detection in January 2020. Initially, it targeted only five email brands (Gmail, Outlook, AOL, Office 365, and Yahoo) and lacked translation capabilities. By July 2023, it had integrated DNS MX records-based dynamic loading of phishing pages and now supports dynamic translation into over a dozen languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese.

To harvest stolen credentials, they utilize several methods, including email delivery via EmailJS, **PHP scripts**, **AJAX** requests, and communication with Telegram channels using web API hooks. The platform also implements anti-analysis measures, such as disabling keyboard shortcuts and mouse right-clicks and obfuscating code to hinder security researchers.

 As Infoblox points out, “moderately advanced internet users and security researchers often verify the malicious state of a phishing webpage by examining its HTML code.” Morphing Meerkat counters this by actively blocking such inspection.

Morphing Meerkat Attack Chain (Source: Infoblox)

The use of **open redirect vulnerabilities** on adtech platforms, particularly DoubleClick, allows the threat actors to bypass email security systems by leveraging the domain’s high reputation. The platform also employs cloaking techniques, redirecting users to legitimate login pages and inflating code with non-functional elements, complicating threat analysis.

Considering the platform’s potential to exploit security blind spots through open redirects, DoH communication, and file-sharing services, it is essential that organizations strengthen DNS security, restrict DoH communication, and limit access to non-essential infrastructure to prevent exploitation.

New Morphing Meerkat Phishing Kit Exploits DNS to Spoof 100+ Brands

Let’s face it: Rolling out new software across an entire organization can feel like herding cats. Between data…

Let’s face it: Rolling out new software across an entire organization can feel like herding cats. Between data migration, staff training, and system integration, it’s easy to hit roadblocks before you even get started. But when it comes to computerized maintenance management software, the payoff is worth it and then some.

In fact, a report from McKinsey & Company found that digitizing maintenance operations can reduce equipment downtime by up to 30% and cut maintenance costs by 20%, a serious win for any organization. The key? Start with a solid plan. In this guide, we’ll walk through every step of the process, from evaluating your needs to tracking long-term success so your team can hit the ground running and get real results faster.

****Understanding CMMS Software****

To implement this, understanding computerized maintenance management software should be in place. It is used to manage maintenance, track work orders, and organize asset information. Digitizing these processes helps companies work efficiently and minimize downtime. Understanding the value makes it easier to win over stakeholders.

****Assess the Needs of the Organization****

Since there are specific needs unique to every organization, analyzing your exact requirements is the key. Internal audit helps you understand how maintenance is conducted every day, spot potential developments, and prioritize them. This evaluation assists in choosing a CMMS that meets the needs of the organization.

****Selecting the Right CMMS****

There are many variables to consider when selecting the right software. Prioritize features based on the organization’s needs identified earlier. This includes important features such as being easy to use, the ability to scale with your business, and the ability to integrate with the rest of the system that already exists. Getting feedback from other users or expert opinions can help you figure it out, too.

****Building a Dedicated Team****

Teamwork is needed to make the software integration successful. The team should include a mixture of people across departments, such as IT and maintenance. Their expertise will make for a smooth implementation. Clearly defined roles and responsibilities should help maintain focus and test ownership during each step in the process.

****Scheduling the Relevancy Phases****

You also need to have a realistic timeline for when you think things should happen. That way, each phase gets proper care and attention. Organize it around major milestones, software installation, data migration, and training sessions, leaving room for the unexpected. It is important to review progress regularly to keep the project on track.

****Data Migration and Data Integration****

Moving data from current systems to your new CMMS needs to be planned out well. Without correct and complete data migration, it will not be effective. Take into account the complexity and amount of data to decide how this transfer will be done to guarantee easy functionality with other systems of the organization.

****Training and Support****

To successfully adopt these tools, offices must ensure that staff is trained with all the required skills. Conduct extensive training sessions on every aspect of the software. You can enhance confidence with practicals done through hands-on practice experiences. When users have access to ongoing support, which is made available through various support channels, they can transition to the new tool or system while receiving assistance whenever they require it.

****Testing and Feedback****

Tests help identify potential issues before rolling out on a full scale. They allow the team to check on the software’s performance and identify any hiccups for the pilot run. You can use this stage to refine your app with user feedback. By practicing this way, you lower the risk of disruption during the actual launch itself.

****Monitoring and Evaluation****

Following implementation, regular monitoring is critical. Assess system performance periodically to determine if it continues to align with organizational requirements. Decide how you are going to measure success; in other words, create KPIs. Reviewing these metrics allows the identification of areas for improvement and guides future strategic decision-making.

****Continuous Improvement****

Your work doesn’t end after the implementation is done. Your commitment to continuous improvement must remain unchanging. Solicit user feedback to track any changing requirements. Keeping the software updated helps keep it aligned with organizational objectives. Your action-minded strategy is the recipe for success.

****Conclusion****

CMMS signals a substantial improvement in the operation of maintenance throughout an organization. Businesses can transition into the software smoothly by learning the software, identifying needs, and using a process to migrate. The software’s effectiveness is also ensured through continuous evaluation and improvement. Those organizations that embrace this change set themselves up for quicker and more productive changes.

Image by EstudioWebDoce from Pixabay.

How to Implement CMMS Software in Your Organization

While inundated with ideas, you also need to consider how to present them effectively and structure the course…

While inundated with ideas, you also need to consider how to present them effectively and structure the course to engage your learners. One challenge educators face is capturing students’ attention while ensuring they learn something. When course material is in methodical order, students tend to stay more focused and energized, which instructors can achieve through course outlining.

****Understand the Audience****

Understanding your audience is essential when using an AI course creator to develop digital courses. Before diving into content creation, consider who your learners are, what they need, and what prior knowledge they bring. Conducting surveys or interviews can offer valuable insights into their preferences and learning styles, ensuring a more engaging and effective course.

****Clear Learning Objectives****

Course objectives have been clearly defined and are a guiding light for the course path. These objectives should describe what the students can achieve by the end of the course. Learners with clear goals can easily avoid distractions due to purpose and direction. Learning objectives also aid in tracking progress and changing course or pedagogical strategies when needed.

****Organizing Content****

Well-organized content helps to create better transitions between topics. Chunking the material into smaller pieces avoids overloading the learners. Again, each section should leverage prior knowledge, reinforcing learning while keeping the reader engaged. Using multimedia, such as videos, quizzes, and infographics, can facilitate understanding and hold students’ attention.

****Interactive Elements****

These interactive elements are key to keeping the students engaged. Discussion boards, group work, and peer-review assignments promote engagement. Such activities encourage cooperation and critical thinking, ensuring course materials create a dynamic learning experience. Students can also use interactive elements as opportunities to apply knowledge, reinforcing concepts within a real context.

****Flexible Learning Pace****

Different learners require varying learning paces, and providing them with a flexible option can significantly enhance their engagement. Students also rarely have the exact schedules or are committed to other activities, so allowing them to move at their own pace encourages them to be more engaged. Asynchronous or pre-recorded modules enable students to study when their schedule allows. This method also relieves stress and allows for a more positive learning atmosphere.

****Feedback and Assessment****

An engaging course has regular feedback and assessment. Students can identify their strengths and areas for improvement only when teachers provide them with constructive feedback. Use more quizzes or assignments, as your feedback keeps you going and allows you to self-evaluate. Course assessments must be based on course objectives so learners can measure their current position and enjoy success.

A strong sense of community fosters student engagement. Promoting engagement using forums for discussions, live sessions, or group projects creates a collaborative atmosphere. When a learning environment is supportive, the learner has the opportunity to share experiences that will help others learn, ask questions, and seek guidance from both peers and instructors. A sense of belonging helps students stay on track with their learning.

****Real-world Examples****

One of the best ways to apply abstract concepts is through real-world example explanations. The research will show you that when course content takes on an applied nature by integrating case studies, current events, or actual industry scenarios, it reflects the practical application of dry theoretical knowledge. Understanding the real-life applications of the course material adds value to students’ learning experiences, making the course intriguing and fun.

****Adapting to Feedback****

This responsiveness to student needs is crucial. Consistent feedback helps instructors improve and adjust course material. When students feel like you listen to their suggestions, it gives them a feeling of ownership and creates a conducive atmosphere for learning. Incorporating feedback shows a commitment to creating a high-quality learning experience.

****Conclusion****

Creating a course involves more than transferring content from your brain to your students. Tips to deliver the best presentation include knowing your audience, setting appropriate goals, and using an interactive approach. Flexibility, community building, and responsiveness to feedback promote student engagement. These can help teachers develop breakthrough courses that can prove to be unforgettable learning experiences for the learners.

Image by Mohamed Hassan from Pixabay.

Engaging Online Learning: Strategies to Keep Students Focused and Motivated

The phishing campaign is highly sophisticated!

Silent Push uncovers an alleged Russian intelligence phishing campaign impersonating the CIA, targeting Ukraine supporters, anti-war activists and informants.

Cybersecurity researchers at Silent Push have discovered a complex and extensive phishing operation, allegedly launched by Russian Intelligence Services or a similarly motivated entity, targeting individuals who support Ukraine and oppose the Russian government.

The campaign, which surfaced in early 2025, employed fake website lures to gather personal information from Russian citizens and informants. This was a particularly sensitive endeavour given the illegality of anti-war activities within the Russian Federation.

The phishing sites collected user input using a combination of static HTML and JavaScript. Data exfiltration was often facilitated through simple POST requests to threat-actor-controlled servers or through the abuse of Google Forms.

Researchers identified four distinct phishing clusters, each impersonating a prominent organization: the US Central Intelligence Agency (CIA), the Russian Volunteer Corps (RVC), Legion Liberty, and Hochuzhit, an appeals hotline for Russian service members operated by Ukrainian intelligence.

It is worth noting that the CIA has also been actively encouraging Russian citizens to share secret information with the agency through its official darknet site, offering a secure and anonymous way to communicate.

As for the latest campaign, despite their well-planned impersonations, these clusters share a common objective: the illicit collection of personal data. As noted by the legitimate Liberty of Russia Legion in a March 14, 2024, X post, “We remind you that the only official telegram channel of the Legion is listed on our website: hxxps://legionlibertyarmy. Do not be fooled by fakes. Do not fall into the traps of the security forces of the Putin regime!”

The threat actors utilized a bulletproof hosting provider, Nybula LLC (ASN 401116), to host phishing pages designed to mimic the official websites of these organizations. This tactic, along with the use of Google Forms and website forms to gather data, reveals a sophisticated attempt to deceive and extract sensitive information from unsuspecting victims.

The campaign’s infrastructure analysis revealed interconnectedness across the four clusters, with shared technicalities such as the WHOIS organization name “Semen Gerda,” similar metadata, and common registration through the NiceNIC registrar.

The phishing pages employed various tactics to lure victims. For instance, the rusvolcorpsnet domain lured users with a “Join Here” button, leading to a Google Form requesting detailed personal information. Similarly, the legionlibertytop domain used a blue “Join” button to direct users to a legitimate Google Form, while a green button led to a form controlled by the threat actors.

CIA impersonation involved the creation of domains like ciagovicu and jagotovoffcom, which featured suspicious web forms and embedded illegitimate .onion links. The threat actors even manipulated YouTube content, replacing official CIA links with their phishing domains.

Conversely, the Hochuzhit cluster, targeting Russian service members seeking to surrender, utilized domains like hochuzhitlifecom and hochuzhitlife. Silent Push Threat Analysts, in collaboration with security researcher Artem Tamoian, uncovered additional domains and infrastructure, including legionllbertyarmy, which was hosted on Cloudflare.

Silent Push’s attribution to Russian intelligence services is based on several factors, including the campaign’s focus on targets of strategic interest to the Russian government, the observed TTPs that align with known Russian state-sponsored actor behaviour, and the persistent impersonation of the CIA for intelligence gathering purposes.

Researchers concluded that all domains associated with this Russian Intelligence Agency campaign pose massive privacy and security risks, highlighting the importance of caution and stronger cybersecurity measures.

Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters

Disney’s latest Snow White movie, with a 1.6/10 IMDb rating, isn’t just the biggest flop the company has…

Disney’s latest Snow White movie, with a 1.6/10 IMDb rating, isn’t just the biggest flop the company has ever released. It’s such an embarrassment that the movie isn’t even available on Disney’s own streaming platform, Disney+.

According to cybersecurity researchers at Veriti, scammers are exploiting the situation by offering pirated versions of Snow White, specifically targeting torrent users and tricking them into downloading malware.

Screenshot credit: Hackread.com via IMDb

****The Lure of a Pirated Download****

On March 20th, what initially appeared to be a legitimate blog post on the website “TeamEsteem” (teamesteemmethodcom) offered a pirated version of the 2025 Snow White movie. The post provided a magnet torrent link that appeared safe but was actually a trap. Researchers identified the torrent file as a malicious campaign designed to compromise users’ devices.

According to the company’s blog post shared with Hackread.com, the torrent link led to a package of three files. While it might have seemed like a standard movie download, it was anything but. Veriti found that 45 people were already sharing or “seeding” the file, which could include both unsuspecting victims and attackers working to spread the trap faster.

****A Fake Codec That “Spells” Trouble****

When users downloaded the torrent, they didn’t get a movie. Instead, they got a bundle of files, including a README document and a suspicious file named “xmph_codec.exe.” The README claimed the codec file was necessary to play the movie, a common trick used in the early days of online piracy to fool users into installing malicious software.

However, in this case, running the “codec” file triggered a chain of malicious actions on the user’s device, including the following:

*   **Disables Security:** It shuts down Windows Defender and other built-in protections, leaving the device wide open to more attacks.

*   **Installs Malware:** The file was flagged as malicious by 50 out of 73 security tools on VirusTotal, a popular platform for analyzing suspicious files.

*   **Drops More Threats:** It quietly adds additional harmful files to the system, setting the stage for further damage.

*   **Installs TOR Browser:** It downloads and installs the TOR browser, a tool often used to access the Dark Web, without the user’s knowledge.

*   **Connects to the Dark Web:** The malware communicates with a hidden server on the Dark Web (using a .onion address), making it hard for security tools to track or block it.

In short, what looked like a free movie exposes users to data theft or possibly ransomware.

The malicious post on TeamEsteem blog and File breakdown inside the torrent package (Screenshots via: Veriti)

****What’s The Connection with TeamEsteem?****

TeamEsteemMethod.com is the official website of Team Esteem, LLC, a US-based organization founded by Jamie Levine, dedicated to assisting parents, schools, and educators in addressing various childhood challenges.

Veriti’s team believes the attackers behind this campaign managed to get their malicious blog post onto the TeamEsteem website in one of two ways: either by exploiting a vulnerability in the outdated version of the Yoast SEO plugin or by using stolen admin credentials to access the website.

The vulnerability in question is CVE-2023-40680, found in the outdated version of the Yoast SEO plugin, a popular SEO tool used by over 10 million WordPress websites. Alternatively, the attackers may have logged into the site using stolen admin credentials to post the fake blog entry themselves.

Either way, the attackers used the site as a medium to trick users into downloading their malware, banking on the hype around Snow White to draw in victims.

****Not The First Time****

This isn’t the first time cybercriminals have used pirated movies as bait, and it won’t be the last. High-profile releases like Snow White are prime targets because they attract huge interest, especially when legal options are limited. With no streaming release on platforms like Disney+, many fans turn to torrent sites, hoping to save money or time. But as this campaign shows, there’s no such thing as a “free lunch.”

In the past, attackers have exploited the popularity of movies like John Wick 3, Contagion, Black Widow, Joker, Ford v Ferrari, Pirates of the Caribbean, and many others to distribute malware and ransomware.

The good news? You can still avoid falling into traps by avoiding piracy, being cautious with malicious torrents, keeping your anti-malware updated to detect the latest threats, and using common sense.

Fake Snow White Movie Torrent Infects Devices with Malware

OpenAI Bug Bounty program boosts max reward to $100,000, expanding scope and offering new incentives to enhance AI security and reliability.

OpenAI is prioritizing security with a major bug bounty program increase and new AI security research grants. Find out how they’re collaborating with researchers and experts to protect their AI platforms from emerging threats

OpenAI is enhancing its security infrastructure, focusing on a forward-looking approach towards AI, by expanding security initiatives across grant programs, bug bounties, and internal defences.

In its latest **blog post**, OpenAI has unveiled a suite of new cybersecurity initiatives, signalling a bold push towards artificial general intelligence (AGI). A key element of this strategic move is a substantial increase in the maximum reward offered through its bug bounty program, now reaching $100,000 for critical findings.

As previously **reported** by HackRead.com, OpenAI launched its bug bounty program in April 2023 in partnership with Bugcrowd. This program initially focused on **finding flaws** in ChatGPT AI chatbot to enhance its security and reliability, with rewards starting at $200 for low-severity findings and reaching $20,000 for exceptional discoveries.

Now, OpenAI has confirmed that this program is seeing a significant overhaul with the maximum pay-out increased from $20,000 to $100,000 and the scope of program being broadened substantially, a move OpenAI states reflects its commitment to ensuring users’ trust in its systems.

“This increase reflects our commitment to rewarding meaningful, high-impact security research that helps us protect users and maintain trust in our systems,” the company noted in the announcement.

To further incentivize participation, OpenAI is introducing limited-time bonus promotions, with the first focusing on IDOR access control vulnerabilities. This promotion, running from March 26th to April 30th, 2025, also increases the baseline bounty range for these types of vulnerabilities.

The company also plans to expand its Cybersecurity Grant Program, which has already funded 28 research projects focused on both offensive and defensive security strategies. These projects have explored areas such as autonomous cybersecurity defenses, secure code generation, and prompt injection. The grant program is now seeking proposals for five new research areas: software patching, model privacy, detection and response, security integration, and agentic AI security.

OpenAI is also introducing microgrants in the form of API credits to facilitate rapid prototyping of innovative cybersecurity ideas. Furthermore, it plans to engage in open-source security research, collaborating with experts from academic, government, and commercial labs to identify vulnerabilities in open-source software code.

This shift is aimed at improving the ability of OpenAI’s AI models to find and patch security flaws. The company plans to release security disclosures to relevant open-source parties as vulnerabilities are discovered.

In addition, OpenAI is integrating its own AI models into its security infrastructure to enhance real-time threat detection and response. To strengthen its defences, the company has established a new red team partnership with SpecterOps, a cybersecurity firm. This collaboration will involve laborious, simulated attacks across **OpenAI’s infrastructure**, including corporate, cloud, and production environments.

As OpenAI’s user base expands, now serving over 400 million weekly active users, the company acknowledges its growing responsibility to safeguard user data and systems. While it focuses on developing advanced AI agents, the company is also addressing the unique security challenges associated with these technologies. This includes defending against prompt injection attacks, implementing advanced access controls, comprehensive security monitoring, and cryptographic protections, reinforcing their dedication to building secure and trustworthy AI.

OpenAI Bug Bounty Program Increases Top Reward to $100,000

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including…

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including DLL sideloading and LOTL abuse, and explores the group’s evolving cybercriminal activities.

Bitdefender Labs has revealed a shift in the operational tactics of the long-standing cyber threat group known as **RedCurl**. This group, also known as Earth Kapre or Red Wolf, has historically maintained a low profile, relying heavily on covert data exfiltration. It has now been linked to a novel ransomware campaign, marking a dramatic change in their activities. This new ransomware strain, dubbed QWCrypt, targets hypervisors, effectively crippling infrastructure while maintaining a stealthy presence.

“This new ransomware…is previously undocumented and distinct from known ransomware families,” the **report** states.

This discovery prompts a reevaluation of RedCurl’s operational model, which has remained largely puzzling since their emergence in 2018. The group’s targeting patterns further complicates their classification.

While telemetry data points to victims primarily in the United States, with additional targets in Germany, Spain, and Mexico, other researchers have reported targets in Russia, a broad geographical scope atypical for state-sponsored actors. The absence of any historical evidence of RedCurl selling stolen data, a common practice in ransomware operations, adds to the mystery.

****Living-off-the-Land (LOTL)****

The group uses sophisticated techniques, including DLL sideloading and the abuse of **Living-off-the-Land** (LOTL) strategies, all while avoiding the use of public leak sites, a critical shift from typical ransomware operations.

The initial access vector used by RedCurl in their ransomware deployment remains consistent with their previous campaigns: phishing emails containing IMG files disguised as CV documents. These files, when opened, execute a malicious screensaver file, which in turn loads a malicious DLL. This DLL then downloads the final payload, using encrypted strings and legitimate Windows tools to evade detection. 

Once inside the network, RedCurl employs lateral movement techniques, utilizing WMI and other built-in Windows tools to gather intelligence and escalate access. The group’s use of a modified wmiexec tool, which bypasses SMB connections, and Chisel, a TCP/UDP tunneling tool, highlights their sophisticated approach.

The ransomware deployment itself is highly targeted. RedCurl uses batch files to disable endpoint security and launch the ransomware’s GO executable, rbcw.exe, which encrypts virtual machines using **XChaCha20-Poly1305** encryption and excludes network gateways.

The file also includes a hardcoded personal ID for victim identification.  The ransom note, researchers claim, is not original, but rather a compilation of sections from other ransomware groups. Additionally, the absence of a dedicated data leak site further complicates the understanding of RedCurl’s motives.Bitdefender

****Bitdefender’s Hypotheses****

Bitdefender proposes two potential hypotheses to explain RedCurl’s unconventional behaviour. The first suggests they may operate as “gun-for-hire” cyber mercenaries, explaining their diverse victimology and inconsistent operational patterns.

The second hypothesis posits that RedCurl prioritizes discreet, direct negotiations with victims, avoiding public attention to maintain extended, low-profile operations. This theory is supported by the group’s targeting of hypervisors while maintaining network gateways, suggesting an attempt to limit disruption and confine the attack to IT departments.

In conclusion, Bitdefender recommends a multilayered defense strategy, enhanced detection and response capabilities, and a focus on preventing LOTL attacks to mitigate the risks posed by groups like RedCurl. They also emphasize the importance of data protection, resilience, and advanced threat intelligence.