Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

A new phishing campaign is targeting users across **Latin America**, and at the center of it is Grandoreiro, a banking trojan known for stealing sensitive financial data. With geofencing and stealthy evasion tactics, this malware is proving difficult to catch with standard defenses.

Let’s take a closer look at the campaign, how the attack unfolds, and what makes it so effective.

****Grandoreiro Attack Overview****

Between February 19 and March 14, researchers noticed a surge in phishing activity tied to Grandoreiro, and signs show the campaign is still ongoing.

A spike of Grandoreiro was detected

Grandoreiro has been around for years, constantly evolving to stay ahead of detection. It’s designed to steal banking credentials, monitor user activity, and grant remote access to attackers.

One of the standout techniques in this campaign is geofencing. Before running, the malware checks the victim’s IP address to determine their location. If the user isn’t in a targeted Latin American country, the malware simply stops executing. This makes the campaign more focused, reduces unnecessary exposure, and helps it slip past global security monitoring.

****Grandoreiro Attack Chain****

Grandoreiro is known for slipping past traditional security tools, making it tough to detect using automated solutions alone. However, with the help of interactive sandboxes, it’s possible to observe the malware’s full behavior in real time.

Here’s a complete look at the execution chain inside a secure sandbox: 

**View sandbox analysis session**

The full execution chain of Grandoreiro is displayed inside ANY.RUN sandbox

Understanding the who, when, and how behind this campaign will help security teams proactively strengthen their defenses. Real-time threat analysis platforms not only uncover these details but also make them immediately actionable.

****Initial Access: Phishing Email****

The infection begins with a phishing page that lures the victim into clicking a link or downloading a fake PDF document. Instead of a PDF, the file is actually a compressed archive (.ZIP or .RAR) containing the Grandoreiro loader.

Phishing link with a fake PDF document displayed inside ANY.RUN sandbox

**Execution & Geofencing**

Once the file is extracted and opened, the malware sends a request to ip-apicom to determine the user’s geolocation.

If the IP address falls outside the targeted LATAM countries, the malware halts execution, but if it matches a targeted region, the attack proceeds.

Suricata rule triggered inside ANY.RUN sandbox

**DNS Evasion: Google DNS**

Grandoreiro avoids local DNS queries by sending a request to dns.google. It provides the domain name of its command-and-control (C2) server, which Google resolves to an IP address.

This step helps it bypass DNS-based blocking mechanisms and improves its chances of successful communication.

Traditional solutions often miss these evasion tricks, but ANY.RUN captures them in real time, helping teams build effective detection logic that actually reflects how modern malware behaves.

**Connection to C2**

After resolving the C2 domain, the malware sends a GET request to the retrieved IP address to establish a connection. This opens the door for the attacker to deliver additional payloads, steal credentials, or take remote control of the infected machine.

**Grandoreiro in Action: Tactics & Techniques**

Establishing a connection to the C2 server is just the beginning. Once communication is successful, Grandoreiro kicks off a series of actions designed to stay hidden, gather data, and prepare for further exploitation.

In this specific attack, ANY.RUN’s sandbox reveals a wide range of techniques triggered across multiple MITRE ATT&CK categories. You can see all of them mapped in the ATT&CK tab of the analysis session:

MITRE ATT&CK tactics and techniques used by adversaries

****Detection & Response Tips****

Detecting Grandoreiro isn’t easy; it blends in well and uses clever tricks. But here’s how you can stay one step ahead:

*   **Watch for phishing lures** posing as PDF downloads (often .ZIP or .RAR archives).

*   **Monitor external DNS requests**, especially to dns.google, right after execution.

*   **Flag geolocation lookups** to services like ip-apicom; it’s a key part of Grandoreiro’s filtering tactic.

*   **Use behavior-based analysis** to catch post-execution tactics like file deletion, credential access, or system discovery.

****Catch the Attack Before It Spreads****

The Grandoreiro campaign shows how modern threats evolve and why visibility into behavior matters more than ever.

With ANY.RUN sandbox, security teams can interact with malware in real time, uncover hidden tactics, and respond with confidence. From phishing to post-exploitation, everything is mapped, visualized, and ready for action.

Grandoreiro Strikes Again: Geofenced Phishing Attacks Target LATAM

Medusa ransomware hits NASCAR, demands $4M ransom, leaks internal files. Group also claims Bridgebank, McFarland, and Pulse Urgent Care.

The Medusa ransomware gang has added another high-profile name to its growing list of victims. Earlier today, the group listed NASCAR (National Association for Stock Car Auto Racing) on its dark web leak site, demanding a $4 million ransom and threatening to release internal data if payment isn’t made. Alongside NASCAR, the group is also claiming McFarland Commercial Insurance Services, Bridgebank Ltd, and Pulse Urgent Care as new victims.

Medusa Ransomware’s dark web leak site (Credit: Hackread.com)

As seen by Hackread.com, the hackers have already posted 37 document images related to NASCAR as proof. A review of one of the blurred images shows a mix of corporate branding materials, facility maps, spreadsheets with employee contact details, and what looks like internal notes and photographs.

A quick analysis of the leaked documents suggests some of the content includes detailed maps of raceway grounds, email addresses, names and titles of staff, and credential-related info, which suggests a real compromise of operational and logistical data.

Screenshot from the leaked sample data from the Medusa ransomware gang’s dark web leak site (Credit: Hackread.com)

The Medusa group was first spotted in the wild back in 2021, but its activity has picked up speed over the past couple of years. One of its better-known attacks was against the Minneapolis Public Schools district **in 2023**, where the group leaked sensitive student and employee data after a $1 million ransom demand went unmet. They’ve also targeted hospitals, telecom firms, and municipalities, often dumping large amounts of internal files when ransoms aren’t paid.

More recently, Medusa made the news **just a couple of weeks ago** for using stolen digital certificates to disable anti-malware tools on infected systems. That tactic, which was flagged in a March 25 report, allowed them to operate within networks and avoid detection.

On March 13 2025, the FBI and CISA **issued a joint advisory** urging organizations to strengthen their defenses. The advisory specifically recommended enabling two-factor authentication and monitoring systems for signs of unauthorized certificate use, clearly concerned about the direction Medusa’s attacks were heading.

NASCAR **pulls** in hundreds of millions of dollars in revenue each year, so it’s not surprising that the Medusa ransomware gang would go after them. But what this really highlights is that no matter how much money a company makes, strong cybersecurity still often takes a backseat.

Nevertheless, for now, it’s unclear if NASCAR plans to negotiate or pay the ransom. But given Medusa’s track record, more data leaks are likely if the ransom isn’t paid within the timeframe set by the attackers.

Medusa Ransomware Claims NASCAR Breach in Latest Attack

If you use WhatsApp Desktop on Windows, listen up! A flaw in WhatsApp for Windows (CVE-2025-30401) let attackers disguise malicious files as safe ones. Update to version 2.2450.6 or later to stay secure.

A recent security advisory from Facebook Security highlights a spoofing vulnerability tracked as CVE-2025-30401 affecting WhatsApp for Windows. The flaw could have allowed hackers to send malicious attachments to unsuspecting users. These files would appear harmless at first but could run malicious code if opened within the WhatsApp app.

This vulnerability impacts all versions before 2.2450.6 and poses a major risk to users who frequently interact with file attachments through WhatsApp for Windows. For users not interested in technical details, the issue started with a weird mismatch in how WhatsApp for Windows worked.

WhatsApp would show users the attachment based on what it claimed to be, like a picture or a document, using its MIME type. But when they clicked to open it inside WhatsApp, the app would choose what program to launch based on the file’s extension (like .jpg or .exe), not what it said it was.

Imagine someone sends you a file named “image.jpg.exe.” WhatsApp might show it as a picture because the MIME type says it’s an image. But if you clicked to open it inside the app, WhatsApp would notice the “.exe” ending and open it like an actual program. That means a harmless-looking file could end up running malicious code without the user realizing anything was wrong.

Nico Chiaraviglio, Chief Scientist at Zimperium, a mobile security solutions provider, pointed out that this vulnerability highlights a bigger problem: attachments are still a super common way for bad guys to deliver viruses, spyware and other malicious content.

Chiaraviglio recommends a layered defense strategy to mitigate such risks. This includes attachment scanning to detect potentially harmful files, behavioral analysis to identify suspicious activities, and user education to raise awareness about the dangers of opening unsolicited file attachments.

“This vulnerability highlights a broader issue that applies across all platforms: attachments remain one of the most common vectors for delivering malicious content. While this specific case involves WhatsApp for Windows, mobile platforms are not exempt,” explained Chiaraviglio.

“Attackers regularly leverage file attachments to bypass user trust and deliver malware, phishing payloads, or exploit vulnerabilities. Security teams should adopt a layered defense strategy, including attachment scanning, behavioral analysis, and user education across both desktop and mobile environments,” he advised.

The good news is that WhatsApp has fixed this issue. If you’re using WhatsApp Desktop on Windows, make sure you’re on version 2.2450.6 or later. If not, update it pronto!

WhatsApp for Windows Flaw Could Let Hackers Sneak In Malicious Files

HellCat ransomware hits 4 companies by exploiting Jira credentials stolen through infostealer malware, continuing their global attack spree.

Cybersecurity researchers at Hudson Rock have identified a new wave of cyber attacks by the HellCat ransomware group, this time targeting four companies across the United States and Europe. The common thread? Stolen Jira credentials, extracted by **infostealer malware** long before the actual breaches took place.

****Who Got Hit****

On April 5, 2025, HellCat posted proof of the breaches to their leak site, complete with countdown timers and their signature **“Jiraware < < 3!!”** tagline. According to their posts, they’ve stolen internal files, emails, and financial records, and they’re threatening to leak or sell the data if the companies don’t meet their demands.

The new victims include:

*   **Asseco Poland (Poland)** – a major IT solutions provider
*   **HighWire Press (USA)** – a platform serving scholarly publishers
*   **Racami (USA)** – a firm focused on customer communications tech
*   **LeoVegas Group (Sweden)** – an online gaming and betting company

****How They Got In****

According to Hudson Rock’s **report** shared with Hackread.com, the company traced every one of these breaches back to the same root cause: Jira credentials stolen by infostealer malware. These malware variants, **StealC**, **Raccoon, Redline**, and **Lumma Stealer**, harvested login info from infected employee machines months (sometimes years) before the actual attacks.

Once HellCat got their hands on those credentials, they logged into each company’s **Atlassian Jira environment**. From there, they moved through internal systems, grabbed sensitive data, and kicked off their typical ransomware process.

This isn’t a new tactic for them. HellCat has previously used the same method to breach Jaguar Land Rover, Telefonica, Schneider Electric, and Orange, among others. It’s a pattern: find credentials in infostealer logs, access Jira, exfiltrate data, and demand ransom.

Compromised infrastructure of US-based firm Racami (Screenshot: Hudson Rock)

It’s also worth pointing out that a **recent report** from Hudson Rock also revealed how infostealers, some sold for as little as $10, have compromised critical infrastructure worldwide. Even more concerning, the affected systems include employee machines at the FBI, Lockheed Martin, Honeywell, and branches of the US military.

****Why Jira?****

Jira is more than just a project management tool. In many companies, it’s the main system connected to development workflows, customer data, internal documentation, and system access controls. If attackers can get into Jira, they can often get into just about everything else.

That’s exactly what makes it such a high-value target for ransomware groups like HellCat. And because many organizations don’t treat Jira accounts with the same level of security as, say, email or VPN access, it becomes an easy win for attackers.

****The Bigger Problem: Infostealers****

Researchers believe that HellCat’s modus operandi only works because infostealer malware infect user devices and steal saved logins, cookies, session tokens, and more. The data is either **sold on dark web markets** or used directly by groups like HellCat.

Hudson Rock’s own data, based on over 30 million infected systems, shows that thousands of companies have Jira-related credentials stored in infostealer logs. In these latest cases, the stolen credentials were just sitting there, unmonitored and unchanged, giving HellCat all the time it needed to prepare the breach.

****What Companies Should Be Doing****

There are some steps companies can take to reduce the risk of attacks like these. First, it’s important to monitor for infostealer infections using tools that can flag stolen credentials before they’re used. If any signs of malware show up, compromised logins should be reset immediately, access reviewed, and suspicious activity tracked closely.

Jira, in particular, needs to be locked down with multi-factor authentication, restricted access, and proper network segmentation to limit how far an attacker can get if they break in. And since many of these infections start with phishing or bad downloads, regular employee training goes a long way in preventing them in the first place.

Nevertheless, HellCat isn’t doing anything out of the box because they don’t have to. As long as organizations leave stolen credentials unchecked and keep using single-layer authentication for tools like Jira, groups like HellCat will keep taking over.

HellCat Ransomware Hits 4 Firms using Infostealer-Stolen Jira Credentials

Online gaming has become an integral part of modern entertainment, with millions of players connecting from all over…

Online gaming has become an integral part of modern entertainment, with millions of players connecting from all over the world to immerse themselves in **virtual worlds**, participate in competitive matches, or simply relax with friends.

However, while gaming offers exciting experiences, it also exposes players to a range of cybersecurity threats and privacy risks. The risks are real, from data breaches and identity theft to malware infections and in-game scams.

This article will explore the common cybersecurity risks in online gaming and provide practical strategies to avoid them.

****Why Online Gaming Is a Target for Cybercriminals****

The online gaming industry has grown exponentially in recent years, with global revenues expected to reach $200 billion by 2025. This massive audience makes it an attractive target for cybercriminals.

Hackers and scammers exploit **vulnerabilities in gaming platforms**, user accounts, and in-game assets to make illicit gains. Gamers often store sensitive information, such as credit card details, addresses, and personal identifiers, which can be used for malicious purposes if compromised.

Furthermore, the popularity of multiplayer games and the constant online interaction provide ample opportunities for social engineering attacks and the spread of malware.

****Common Cybersecurity Risks in Online Gaming********Phishing Scams****

Phishing is one of the most common types of attacks targeting online gamers. Cybercriminals often impersonate game developers, customer support teams, or even fellow players to trick individuals into revealing sensitive information, such as login credentials or financial details.

****How to Avoid Phishing Scams:****

*   **Be cautious with emails and messages**: Always verify the sender’s email address or message source before clicking on any links or attachments. Legitimate gaming companies rarely ask for sensitive information via email.

*   **Check website URLs**: Before logging into any gaming platform, ensure that the website’s URL is correct and starts with “https://” to confirm it’s secure.

*   **Enable two-factor authentication (2FA)**: Most major gaming platforms offer 2FA, which provides an extra layer of security by requiring a second form of verification (such as a code sent to your phone) when logging in.

****Account Hacking and Credential Stuffing****

Many gamers use the same login credentials across multiple sites, making them easy targets for hackers who can obtain this information in a breach.

Credential stuffing attacks occur when hackers use previously leaked usernames and passwords from one breach to access accounts on other platforms.

****How to Avoid Account Hacking:****

*   **Use unique passwords**: Create strong, unique passwords for each gaming account to make it harder for hackers to gain access.

*   **Utilize password managers**: Password managers can generate and store complex passwords for all your accounts, reducing the risk of password reuse.

*   **Enable two-factor authentication (2FA)**: As mentioned earlier, 2FA is essential for protecting your accounts from unauthorized access.

****Malware and Ransomware****

Malware can be introduced into gaming systems in several ways, such as through malicious links, downloads, or third-party applications. Cybercriminals can **disguise malware as a legitimate game** or cheat tool to gain control of a gamer’s device, steal information, or lock it until a ransom is paid.

****How to Avoid Malware:****

*   **Download games from trusted sources**: Always download games and updates from official sources like the game developer’s website or recognized gaming platforms (e.g., Steam, PlayStation Store, Xbox Live).

*   **Use antivirus software**: Install reliable antivirus software that can detect and block harmful files and applications before they infect your system.

*   **Avoid third-party tools**: Be cautious when using third-party mods, cheat tools, or unofficial game servers, as they can often contain malware.

****In-Game Scams and Fraud****

Online gaming environments are ripe for scams, especially in multiplayer games with virtual economies. Scammers often target players by promising rare **in-game items**, currency, or cheats in exchange for real money, but once the transaction is made, the scammer disappears.

****How to Avoid In-Game Scams:****

*   **Stick to official transaction platforms**: Only buy in-game items or currency through trusted, official sources such as the game’s marketplace.

*   **Beware of “too good to be true” offers**: If someone promises rare items for an unreasonably low price, it’s likely a scam.

*   **Report suspicious behavior**: Many games have built-in reporting systems for fraudulent players. Always report suspicious activity to the developers or moderators.

****Social Engineering and Doxxing****

Social engineering attacks exploit a player’s trust, often through manipulation and deceit, to gain access to private information.

One of the more alarming risks is doxxing, where cybercriminals gather personal details about a gamer (such as real names, addresses, and phone numbers) and publish them online with malicious intent.

****How to Avoid Social Engineering and Doxxing:****

*   **Limit personal information sharing**: Avoid sharing personal details (like full name, address, or phone number) in online gaming communities, forums, or chat rooms.

*   **Review privacy settings**: Adjust privacy settings on gaming platforms and social media accounts to restrict who can access your information.

*   **Be cautious of friend requests**: Only accept friend requests or direct messages from people you know or trust in the game.

****DDoS Attacks****

Distributed Denial-of-Service (**DDoS**) attacks involve overwhelming a gaming server or player’s network with massive amounts of traffic, causing disruptions, lag, or crashes.

These attacks can also be used as a form of extortion, with hackers threatening to shut down a server unless a ransom is paid.

****How to Avoid DDoS Attacks:****

*   **Use VPN services**: A VPN can help mask your IP address and prevent attackers from targeting your network.

*   **Play on secure servers**: Opt for gaming platforms and servers that implement strong anti-DDoS measures.

*   **Monitor traffic patterns**: If you manage a gaming server, regularly monitor traffic and set up intrusion detection systems (IDS) to detect unusual activities.  
    

****How to Protect Yourself and Your Data in Online Gaming****

To safeguard your data and protect your gaming experience, here are some additional proactive measures you can take:

****Stay Updated****

Game developers frequently release patches and security updates to address vulnerabilities. Always keep your game software, gaming platforms, and operating systems up to date.

****Use a VPN for Gaming****

A **VPN for gaming** can significantly enhance your online security by masking your IP address and encrypting your internet connection. This helps prevent DDoS attacks and protects your personal information from being exposed to malicious players.

Additionally, a VPN allows you to bypass geo-restrictions, ensuring that you can access games and content from around the world securely.

****Use Secure Payment Methods****

When making in-game purchases, consider using secure payment methods like credit cards, PayPal, or trusted digital wallets instead of debit cards or direct bank transfers. These methods often provide better fraud protection.

****Educate Yourself on Cyber Hygiene****

Good cyber hygiene habits go a long way in securing your online presence. Regularly change passwords, check for unusual account activity, and avoid reusing passwords across different platforms.

****Practice Good Online Behavior****

Always exercise caution when interacting with other players online. Avoid clicking on suspicious links, be careful when downloading files, and never share personal information during gameplay.

****Protecting Yourself****

The thrill of online gaming should not come at the expense of your privacy and security. Cybersecurity risks, such as phishing, malware, account hacking, and in-game scams, are prevalent in the gaming world.

However, you can reduce your exposure to these threats by following best practices like enabling two-factor authentication, using strong passwords, avoiding suspicious links, and exercising caution when interacting with others.

Top/Featured Image by Tyler Lagalo on Unsplash!

Online Gaming Risks and How to Avoid Them

A new Neptune RAT variant is being shared via YouTube and Telegram, targeting Windows users to steal passwords and deliver additional malware components.

Cybersecurity researchers from CYFIRMA have revealed a new version of Neptune RAT, a remote administration tool targeting Windows devices. Marketed on platforms like GitHub, Telegram, and YouTube with claims of being the “Most Advanced RAT,” the malware is attracting both newcomers to cybercrime and seasoned hackers looking for a ready-made tool.

****What Is Neptune RAT?****

Neptune RAT is written in Visual Basic .NET and is designed to take control of a victim’s Windows computer. Although its creator says the software is provided for “educational and ethical purposes,” the tool’s capabilities suggest otherwise.

Designed to steal user credentials, replace cryptocurrency wallet addresses, and even lock files with ransomware features, Neptune RAT gives attackers comprehensive control over an infected system.

****How It Spreads****

The malware is distributed freely on social platforms. Rather than releasing the source code, the developer hides the executable file, making the analysis more complicated. Some of the malicious code even replaces parts of its strings with Arabic characters and emojis, which complicates reversing efforts by researchers. In its free version, Neptune RAT automatically generates PowerShell commands to download and run additional components hosted on file hosting service such as catbox.moe.

****Dangerous Capabilities****

Neptune RAT comes with a mix of modules that work together to compromise Windows computers, including the following:

*   **Credential Theft and Clipboard Hijacking:** The malware includes a password grabber that extracts login details from applications and popular web browsers. It also monitors the clipboard to detect cryptocurrency wallet addresses, replacing them with the attacker’s own.

Screenshot from NaptuneRAT’s official website (Credit: Hackread.com)

*   **Ransomware and System Damage:** Once activated, the RAT can encrypt files on the victim’s computer, extending their extensions to “.ENC, ”and drop an HTML file with ransom information. It may even corrupt system components like the Master Boot Record if an attacker wishes to render the system unusable.

*   **Evasion and Persistence:** To avoid being removed, the malware modifies registry values and adds itself to the Windows Task Scheduler. It also checks if it’s running in a virtual environment and stops execution if a virtual machine is detected. This combination of techniques helps it maintain a persistent foothold on the system.

*   **Additional Modules:** Separate DLL files add further capabilities, including bypassing user account controls, stealing data from various email and browser applications, and even enabling live screen monitoring.

Screenshot from NaptuneRAT’s official website shows the full list of its capabilities (Credit: Hackread.com)

****Protecting Your System****

Since Neptune RAT uses different strategies, both individuals and organizations need to act quickly to protect themselves. The best approach starts with some simple practices: only download software from sources you trust, make sure Windows and all your programs, especially security tools, are kept up to date, and regularly back up any important data.

It’s also a good idea to use anti-virus software that can keep an eye on both file changes and network activity, giving you better protection against anything suspicious.

****Expert Insight****

Satish Swargam, Principal Security Consultant at Black Duck in Burlington, Massachusetts, offered his perspective on Neptune RAT’s evolution. He explained that the malware uses advanced techniques to extract sensitive data from users, spreading through platforms like GitHub, Telegram, and YouTube in ways that slip past standard security tools.

“This tool is especially concerning because it can deploy ransomware to lock your files, leading to major interruptions for businesses until the ransom is paid. It also lets hackers spy on screens in real time and even swap clipboard contents with their own cryptocurrency wallet addresses,” Swargam noted.

He added that as the malware continues to add new features, similar to those shared online under the banner of educational software, organizations need to maintain constant monitoring, deploy strong endpoint defenses, and implement active threat detection measures to reduce the risk of compromise.

Neptune RAT Variant Spreads via YouTube to Steal Windows Passwords

USA secures extradition of criminals from 9 countries, including two brothers behind Rydox, a dark web market for stolen data and hacking tools.

The United States has successfully extradited a group of fugitives from nine countries to face charges ranging from murder and child abuse to running dark web cybercrime marketplaces and drug trafficking rings. The extradited fugitives came from the following countries:

1.  Israel
2.  Spain
3.  Mexico
4.  Kosovo
5.  Canada
6.  Thailand
7.  Colombia
8.  Germany
9.  Honduras

The extradited individuals include fugitives who’d evaded capture for over a decade, as well as newer suspects accused of exploiting the anonymity of the dark web. Here’s a breakdown of the most notable cases:

**Ardit and Jetmir Kutleshi, 26 and 28** (Kosovo → Pennsylvania): The brothers are accused of running Rydox, a dark web marketplace that sold stolen credit cards, hacked social media accounts, and tools for identity theft. Their platform allegedly fueled millions in fraud losses before law enforcement shut it down.

**Roberto Avina-Casillas, 30** (Mexico → Ohio): After 11 years on the run, Avina-Casillas now faces murder charges.

**Justin David Lanoue, 44** (Canada → Utah): A Canadian fugitive wanted since 2015 for child abuse charges in Utah.

**Dominik Rydz, 24** (Germany → Michigan): A Polish national accused of sexually assaulting a woman at a party in Michigan in 2023 and imprisoning her against her will. Rydz initially fled to Poland, then Germany, where he was nabbed via an Interpol Red Notice.

**Olof Kyros Gustafsson, 31** (Spain → California): Dubbed “El Silencio,” this Swedish entrepreneur allegedly ran a bizarre online scam: selling fake Pablo Escobar-branded flamethrowers, cellphones, and other nonexistent products to investors worldwide. Prosecutors say he pocketed millions by exploiting the late drug lord’s notorious reputation.

**Tien Vy Tai Truong, 46** (Thailand → California): A suspected kingpin in a methamphetamine trafficking ring, Truong allegedly tried to broker a deal with an undercover DEA agent to ship 200 pounds of meth to Australia. His arrest in Thailand marks a rare win in disrupting Asia-Pacific drug pipelines.

****Rydox Dark Web Marketplace****

Rydox was a cybercrime marketplace operating on the dark web from approximately February 2016 until its seizure in December 2024. It functioned as a platform for the sale of stolen personal information, access devices, and various cybercrime tools.

Over its operational period, Rydox facilitated more than 7,600 transactions, generating at least $230,000 in revenue. The marketplace offered over 321,000 products to a user base exceeding 18,000 individuals.

Items available for purchase included personally identifiable information (PII) such as names, addresses, and Social Security numbers; stolen credit card details; login credentials; and cybercrime tools like scam pages and spamming tutorials.

In December 2024, an international law enforcement operation led by the U.S. Department of Justice, in collaboration with authorities from Kosovo, Albania, and Malaysia, resulted in the seizure of Rydox’s domain and the arrest of its administrators. Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, were apprehended in Kosovo and faced extradition to the United States to face charges, including identity theft and money laundering.

The seized Rydox dark web marketplace

A third individual, Shpend Sokoli, was arrested in Albania and was expected to be prosecuted there. Additionally, servers hosting the Rydox marketplace were seized in Kuala Lumpur, Malaysia, and approximately $225,000 in cryptocurrency linked to the defendants was confiscated.

The extradition of the Kutleshi brothers signals that law enforcement is stepping up its game in targeting the administrators of these illegal marketplaces, not just the end users. Additionally, the Gustafsson case shows how cybercriminals can exploit trust and celebrity culture (in this case, the Pablo Escobar brand) to deceive victims. This goes on to show why users must verify the legitimacy of online investments and products, especially when they seem too good to be true.

Brothers Behind Rydox Dark Web Market Extradited to US

Austin, TX, USA, 7th April 2025, CyberNewsWire

**Austin, TX, USA, April 7th, 2025, CyberNewsWire**

Deep visibility into malware-siphoned data can help close gaps in traditional defenses before they evolve into major cyber threats like ransomware and account takeover

SpyCloud, the leading identity threat protection company, today released new analysis of its recaptured darknet data repository that shows threat actors are increasingly bypassing endpoint protection solutions: 66% of malware infections occur on devices with endpoint security solutions installed. SpyCloud offers integrations with leading endpoint detection and response (EDR) products, such as Crowdstrike Falcon and Microsoft Defender, that close this detection gap.

EDRs play a vital role in detecting, protecting against, and responding to threats on enterprise devices. Despite advanced AI detection and telemetry analysis offered in today’s EDR solutions, modern infostealer malware is designed to evade even the most sophisticated defenses, using tactics like polymorphic malware, memory-only execution, and exploitation of zero-day vulnerabilities or outdated software. The data speaks for itself: nearly one in two corporate users were already the victim of a malware infection in 2024, and in the year prior, malware was the cause of 61% of all breaches. 

SpyCloud’s findings underscore that while EDR and antivirus (AV) tools are essential and block a wide range of security threats, no security solution can block 100% of attacks. Organizations need to take a layered approach to close the gaps before attacks progress deeper into their environments, resulting in events like ransomware and account takeover.  

> “When a malware infection goes undetected, the consequences can be catastrophic,” said Damon Fleury, Chief Product Officer at SpyCloud. “We are in an arms race at the endpoint, where attackers are constantly evolving their tactics to skirt detection. SpyCloud provides a critical line of defense – uncovering infostealer infections that evade EDRs and AVs, detecting when stolen data begins circulating in the criminal underground, and automatically feeding that intelligence back to the EDR to quarantine the device and begin the post-infection remediation process.”

By closing this visibility gap, SpyCloud EDR integrations provide a new and powerful protection mechanism. Once malware exfiltrates credentials, personally identifiable information (PII), or session cookies, that stolen data becomes a launchpad for further entrenchment and compromise. SpyCloud helps stop cybercrime before it happens by identifying these identity risks early, mapping them back to impacted users, devices, and applications, and sending actionable intelligence to an organization’s EDR for response and remediation.  

> “As identity becomes the security perimeter, organizations need more than device-level protection; they need insight into what their endpoint solutions are missing,” added Fleury. “SpyCloud’s expertise in accessing malware logs before they’re broadly circulated among criminals enables faster, more targeted responses needed to address infections, prevent lateral movement, and block disruptive follow-on activities like admin lockout and ransomware deployment.”

To learn more about how SpyCloud can augment endpoint security strategy and remediate malware infections that EDRs and AVs may miss, users can **register to join SpyCloud’s upcoming virtual event on April 10**, where experts will walk through the data, explain the attack chain in detail, and demo how SpyCloud’s EDR integrations work in real-world scenarios. 

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Research Shows that Endpoint Detection and Antivirus Solutions Miss Two-Thirds (66%) of Malware Infections

New Xanthorox AI hacking platform spotted on dark web with modular tools, offline mode, and advanced voice, image, and code-based cyberattack features.

A sophisticated new artificial intelligence (AI) platform tailored for offensive cyber operations, named Xanthorox AI, has been identified by cybersecurity firm SlashNext. First appearing in late Q1 2025, Xanthorox AI is reportedly circulating within cybercrime communities on darknet forums and encrypted channels.

According to SlashNext’s investigation, shared with Hackread.com ahead of its publishing on Monday, Xanthorox stands out from previous malicious AI tools like WormGPT, FraudGPT and EvilGPT due to its independent, multi-model framework. The system is based on five distinct AI models optimized for specific cyber operations.

These models are hosted on private servers under the seller’s control rather than public cloud infrastructure or openly accessible APIs. This unique setup sets Xanthorox AI apart from previous malicious tools that often relied on existing large language models (LLMs).

Xanthorox AI is a fully custom-built platform that uses “fully custom-built language models” instead of established models like LLaMA or Claude. It is promoted as a modular system capable of code generation, vulnerability exploitation, data analysis, and integrated voice and image processing, enabling automated and interactive attacks.

Its modular design allows for future updates or the replacement of specific functionalities. Xanthorox AI also has built-in voice and image handling modules. It can perform live internet search scraping using over 50 engines, offering up-to-date information. It also offers offline functionality, allowing users to use it without a constant network connection. The platform also emphasizes data containment to eliminate third-party AI data collection risks.

The toolkit includes the Xanthorox Coder, which automates tasks such as code creation and script development, while Xanthorox Vision adds visual intelligence by allowing users to upload images or screenshots for analysis. Reasoner Advanced aims to replicate human-like decision-making, supporting tasks requiring logical consistency and persuasive communication.

The platform also facilitates voice-based interaction through real-time voice calls and asynchronous voice messaging, allowing hands-free command and control. Overall, Xanthorox AI offers a versatile hacking assistant representing a significant advancement in cyberattack capabilities, enabling more precise and scalable phishing campaigns and malware creation.

Screenshot: SlashNext

“Xanthorox AI presents itself as a comprehensive, all-in-one hacking tool, powered by a modular architecture designed to support a wide range of cybercrime operations. From an attacker’s perspective, Xanthorox AI hits most of the marks needed for a versatile hacking assistant,” researchers wrote in their blog post.

Its emergence highlights the importance of adopting advanced AI-powered detection technologies, including AI-powered threat detection platforms capable of behavioural anomaly analysis and signature-less malware identification, email security solutions employing AI-based content and intent analysis, and network security measures incorporating AI-driven intrusion detection and prevention systems.

Casey Ellis, Founder at Bugcrowd, a San Francisco-based leader in crowdsourced cybersecurity, called it “a fascinating development,” noting that the cybercriminal ecosystem works like any service industry, with specialized groups and “startups” creating competitive advantages. He highlighted the thought and R&D behind the toolkit, the local model tuning that avoids reliance on major vendors, and praised the expert mix as the most effective way to build a flexible AI-powered attack platform.

Xanthorox AI Surfaces on Dark Web as Full Spectrum Hacking Assistant

Crypto software wallets are invincible in the micro range. If you own multiple crypto assets, you need safe and reliable wallets, too.

Crypto wallets offer an extra layer of security against **malicious attacks** targeting everyday users. It’s not always easy to open your online crypto account every time you want to make a payment, and many merchants still don’t support direct crypto transactions. That’s where digital wallets step in. They make payments easier, but in 2025, the biggest concern around crypto wallets is safety.

That’s why it makes sense to focus on wallets that are both cost-effective and secure. Before choosing one, it’s important to understand how its security system works. At the same time, the wallet should be flexible enough to let you buy, sell, or stake crypto without hassle.

There are over a hundred crypto wallets available this year, but we’re going to focus on 10 that stand out as some of the safest options.

****1: Zengo****

The wallet has more than 380 coins. As you can do frequent transactions, we would categorize it as a hot wallet. Meanwhile, it is not a hardware-compatible wallet. The cost of maintaining the wallet is 19.99 every month. However, the annual subscription is only $129. 

They claim that they have been providing services to over 1.5 million customers and “0 wallets” have been hacked.

****Special features** **

It is the best wallet for security-conscious users. The strong and integrated security design can stop any kind of phishing crimes or bad entry gates. 

The company says that there are 1.5 billion customers who have had zero wallet attacks to date. 

****Benefits** **

Firstly, you get a secure infrastructure with this wallet. Moreover, you will get weekly software updates. You can easily buy or sell Crypto from the wallet. Therefore, it is a good option to keep your fiat currency in it. 

****Limitations** **

The price of the wallet is slightly on the higher side. Moreover, no hardware devices are compatible with it. Lastly, it allows only third-party access for withdrawals. 

Understandably, this measure is important from a security point of view. But it is stunted from the utility point of view. 

****2: Coinbase** **

This wallet can support more than 5500 cryptocurrencies. It is a hot wallet for sure. Like the previous one, it has no hardware wallet compatibility. But the best part is that it is a free wallet. This is the reason why it is more popular among users. Moreover, Coinbase has over **90 govt crypto assets** too. 

****Why should beginners use it?****

Beginners can use it for practice. It has easy navigation. You can use it on the website as well. Meanwhile, you can easily download it from various platforms and start using it without any concern. But it is the best option for the low-cost beginners. 

The company charges 0 network fees either. Plus, you can customize and minimize the wallet anytime. If you check the **BTC heatmap, you’ll see that Bitcoin has most of the investors’ shares**. Hence, you need a free wallet source for Bitcoin investors. 

****Benefits** **

It is the best option for beginners. Moreover, it is a low-cost platform with various amenities. You can trade more than 5500 coins over it. 

****Limitations** **

The wallet code is not an open-source code. You cannot generateay new address for every single transaction. It is not comfortable with the hardware assets. However, you can connect your ledger wallet to transfer assets. 

****3: Exodus****

The coin supports more than 281 currencies. It is a hot wallet for sure. However, the best part is that it is hardware-compatible. It is free of cost, too. 

****Why choose it?****

You can choose it as it makes slots to manage individual digital currencies on your mobile platform itself. The fiat payment methods are also separate. You can find them easily in your wallet. 

Lastly, you can use it to purchase or sell your coins. At the same time, you can swap or stake the coins easily. But the best part is that you can do all of these directly from your mobile phone. 

****Benefits** **

The platform offers intuitive integration across mobile and desktop. It also offers the same to and from any browser platform. The software wallet is compatible with hardware wallets like Trezor.

So, it is an exceptional quality which premium wallets also don’t offer often. 

****Limitations** **

Customer support is very limited. It is available through email only. There is no in-house exchange policy with this wallet. Lastly, it is not an open-source option.

****4: Electrum****

It is a bitcoin-only wallet. On that note, it is one of the major downsides of this wallet. However, you can treat it as a hot as well as a cold wallet. Moreover, it is hardware-compatible. But the best part is that it is free of cost.

****Why Should You Choose It?****

You should choose a wallet that’s tailored to secure your Bitcoin. And that’s Electrum for you. Moreover, the Electrum app is available over a range of platforms. 

****Benefits****

Firstly, it is a free and downloadable wallet option. At the same time, it is well compatible with all the hardware wallets. Lastly, its source code is auditable. You may also peer review the codes and send suggestions. 

****Limitations** **

The biggest drawback of the platform is that it does not have the best trading features. So, buying, selling, and staking are not options you can pursue on this platform. You may simply keep your Bitcoin safe here. 

Moreover, there are no customer support options here. You will get community support at best. Lastly, you need genuine technical expertise to develop your wallet. 

This wallet is widely used for managing Ethereum and ERC-20 tokens. It is a hot wallet and works as a browser extension or mobile app. While it doesn’t support hardware wallet integration by default, it can be connected to devices like Ledger. One major reason for its popularity is its simple interface and easy access to decentralized apps.

****Why Should You Choose It?****

If you’re working mostly with Ethereum and related tokens, MetaMask is a smart choice. It’s user-friendly, supports quick access to decentralized apps, and works smoothly across both mobile and browser platforms.

****Benefits****

MetaMask is free to use and easy to install on both desktop and mobile devices. It offers seamless access to Ethereum-based dApps, supports custom tokens, and can be connected to hardware wallets like Ledger for added security. It’s also open-source, so developers can review and contribute to its code.

****Limitations****

MetaMask is limited to Ethereum and ERC-20 tokens, so it’s not ideal if you deal with a wide range of cryptocurrencies. It doesn’t offer built-in options for staking or advanced trading. Customer support is minimal, and new users might find the interface a bit technical at first.

****6: Trust Wallet****

The wallet supports more than 10,000 cryptocurrencies, including all major tokens and coins. It is a hot wallet designed for frequent on-the-go transactions. Trust Wallet is not tied to any specific hardware wallet by default, but it does support hardware integration through third-party connections. The wallet is free to download and use, with no monthly subscription costs.

It’s owned by Binance, which adds a layer of credibility. The wallet has been downloaded over 60 million times and has maintained a strong track record with no major security breaches reported.

****Special features****

Trust Wallet is known for its built-in Web3 browser that lets users interact with decentralized apps (dApps) directly from within the wallet. It also supports staking of various coins and offers a secure backup feature using a single recovery phrase.

The wallet runs with a strong emphasis on user privacy. No personal data or KYC is needed to set up or use it.

****Benefits****

Trust Wallet is a beginner-friendly wallet that supports a huge range of assets. It includes built-in staking, token swapping, and direct access to dApps. It’s available on both Android and iOS platforms, and it also supports NFTs across multiple blockchains.

Since it’s backed by Binance, there’s strong ongoing development, regular security updates, and integration with popular tools.

****Limitations****

The wallet doesn’t come with its own in-house customer support; users rely on community forums or Binance channels for help. Although it can connect with Ledger, it’s not fully optimized for hardware wallet security. Also, as a mobile-only wallet, it may not suit users looking for a full desktop experience.

Lastly, being owned by Binance may raise concerns for users looking for more decentralized control.

The Crypto.com DeFi Wallet supports over 1000 cryptocurrencies and is designed as a hot wallet, allowing users to make frequent transactions with ease. It’s non-custodial, meaning users have full control over their private keys. While it isn’t tied directly to a hardware wallet, it can integrate with Ledger devices for added security. The wallet is completely free to use with no subscription or maintenance costs.

The wallet is part of the broader Crypto.com ecosystem, which has tens of millions of users globally. It is separate from the centralized Crypto.com app, giving users the option to keep their assets fully decentralized.

****Special features****

One of the standout features is the ability to stake and earn rewards on various assets directly from the wallet. It also includes token swapping, DeFi access, and NFT storage. Users get full control over their keys, with backup options via a recovery phrase.

The wallet is also open-source, which means its code is publicly auditable, a major plus for transparency and community trust.

****Benefits****

The wallet provides access to decentralized finance without sacrificing usability. You can connect it easily with the Crypto.com exchange or app for seamless transfers. There’s a built-in swap function that supports multiple chains, and the app is available on both iOS and Android.

Another benefit is the ability to stake coins directly from the wallet and earn passive income. The user interface is clean and intuitive, especially for users already familiar with Crypto.com’s services.

****Limitations****

Although the wallet offers Ledger integration, it’s not natively built for hardware security, so users must go through extra steps to sync. There’s no desktop version of the wallet; it’s mobile only, which might not suit all users.

Also, as with most DeFi wallets, there’s no way to recover your funds if you lose your recovery phrase. And while support exists, it may not be as responsive as that of fully centralized platforms.

****8: BitBox02****

BitBox02 is a hardware wallet that supports major cryptocurrencies like Bitcoin, Ethereum, and Litecoin, along with ERC-20 tokens. It’s a cold wallet, which means it stores your assets offline for maximum protection. Unlike hot wallets, it’s not meant for frequent daily transactions. It is a paid device, with a one-time cost of around $129, depending on where you buy it.

Developed by Shift Crypto, a Swiss company, BitBox02 is known for its strong focus on privacy, security, and open-source principles. It’s available in two versions: Bitcoin-only and multi-coin, giving users the option to choose based on their needs.

****Special features****

BitBox02 comes with a built-in screen and touch sensors for transaction confirmation, and it uses a microSD card for backup instead of the traditional 12 or 24-word recovery phrase. This makes backup and restoration more straightforward and secure for some users.

The wallet’s firmware and companion app are open-source, which allows for public audits and community contributions, a solid trust factor for security-focused users.

****Benefits****

As a cold wallet, BitBox02 offers high-end security. Your private keys never touch an internet-connected device. The use of a microSD card for encrypted backups is a unique feature that enhances safety and user convenience.

The device is lightweight, portable, and works with Windows, macOS, and Linux. It also supports Tor for added privacy, and users can verify all addresses on the device screen before sending transactions.

****Limitations****

BitBox02 isn’t ideal for those looking for a wallet for everyday use; it’s designed for long-term holding and security, not frequent trading. The supported coins list is more limited compared to some multi-coin software wallets.

It also doesn’t support mobile use; it must be connected to a computer. Finally, while the microSD backup system is secure, it’s a less familiar method that could confuse users accustomed to seed phrases.

****9: SafePal S1****

The SafePal S1 is a hardware wallet supporting over 10,000 cryptocurrencies, including Bitcoin (BTC), Ethereum (ETH), Binance Coin (BNB), and various ERC-20 tokens. As a cold storage device, it keeps assets offline, enhancing security. The wallet operates independently without direct integration with other hardware wallets. Priced at $49.99, it offers a cost-effective solution for secure crypto storage.

****Special Features****

The SafePal S1 employs a 100% air-gapped signing mechanism, ensuring complete offline operation without Bluetooth, Wi-Fi, NFC, or USB connections. It features an EAL 5+ independent secure element, a true random number generator, multiple layers of security sensors, and an anti-tampering self-destruct mechanism. Additionally, its compact design, comparable to a credit card, enhances portability.

****Benefits****

Users benefit from managing unlimited tokens within a single device, with support for over 100 blockchains and continuous additions. The wallet integrates seamlessly with the SafePal App, providing access to decentralized applications (DApps) and facilitating cross-chain swaps and trades. Its user-friendly interface supports 15 languages, catering to a global audience.

****Limitations****

While the SafePal S1 offers robust security features, it lacks direct USB connectivity, relying solely on QR code scanning for transactions, which may be less convenient for some users. Additionally, as a hardware wallet, it requires physical possession for access, which might not suit users who prefer software-based solutions. Furthermore, being a relatively newer entrant in the hardware wallet market, it may not have the same extensive track record as some established competitors.

****10: Ledger Nano X****

The Ledger Nano X is a hardware wallet that supports over 5,500 cryptocurrencies, including major assets like Bitcoin (BTC), Ethereum (ETH), and Binance Coin (BNB). As a cold storage device, it keeps your private keys offline, providing enhanced security. The Nano X is compatible with both desktop and mobile devices via Bluetooth connectivity. Priced at $149, it offers a comprehensive solution for managing a diverse crypto portfolio.

****Special Features****

The Nano X features Bluetooth Low Energy (BLE) connectivity, allowing users to manage their crypto assets on the go through the Ledger Live app on smartphones. It incorporates a Secure Element (SE) chip, ensuring that private keys remain isolated and protected from potential threats. The device can install up to 100 apps simultaneously, accommodating a wide range of cryptocurrencies.

****Benefits****

The Ledger Nano X offers extensive support for a vast array of cryptocurrencies, making it suitable for users with diverse portfolios. Its Bluetooth functionality enhances user experience by enabling wireless management of assets via mobile devices. The integration with the Ledger Live app provides a unified platform for buying, selling, swapping, and staking various cryptocurrencies. Additionally, the device’s robust security features, including the Secure Element chip and custom operating system, offer peace of mind to users.

****Limitations****

While Bluetooth connectivity adds convenience, some users may have concerns about potential security risks associated with wireless connections. However, Ledger emphasizes that only non-sensitive data is transmitted via Bluetooth, and private keys never leave the device. The device’s price point of $149 may be considered high compared to other hardware wallets. Additionally, the battery is not replaceable, which could affect the device’s longevity.

Source

HackRead