FBI and Cisco warn Russian hackers are exploiting a 7-year-old Cisco Smart Install vulnerability on outdated routers and…

FBI and Cisco warn Russian hackers are exploiting a 7-year-old Cisco Smart Install vulnerability on outdated routers and switches worldwide.

Thousands of outdated Cisco devices that no longer receive security updates are now being exploited in a cyber espionage campaign, according to joint warnings from the FBI and Cisco Talos.

A Russian state-sponsored group known as Static Tundra, also tracked as Dragonfly, Energetic Bear and Berserk Bear, is taking advantage of a seven-year-old vulnerability that many organizations never patched.

The flaw, CVE-2018-0171, affects Cisco’s Smart Install feature and allows attackers to execute code or crash a device. Cisco addressed it back in 2018, but many systems remain unprotected either because they were never updated or have reached end-of-life (EOL) and no longer receive patches. Those devices, widely used in telecommunications, manufacturing and higher education, have become an easy entry point for one of Russia’s most persistent intelligence units.

Back in April 2018, Hackread.com reported that attackers exploited CVE-2018-0171 to target Cisco switches in data centers in Iran and Russia. By abusing the Smart Install feature, they hijacked the devices and replaced the IOS image with one displaying the US flag.

Screenshot from April 2018 showing an exploited Cisco switch displaying an ASCII US flag with the message “Don’t mess with our elections” after attackers replaced its IOS image. (Credit: Hackread.com)

Static Tundra is linked to Russia’s Federal Security Service (FSB) Center 16 and has been active for more than a decade. Researchers say the group has developed automation tools to scan the internet, often using services like Shodan and Censys, to identify targets still running Smart Install.

Once breached, they pull device configurations that often contain administrator credentials and details about wider network infrastructure, providing a launchpad for deeper compromises.

The FBI says it has already seen configuration data exfiltrated from thousands of US. devices across critical infrastructure sectors. In some cases, the attackers changed device settings to keep their access to the networks, showing particular interest in systems that help run industrial equipment and operations.

Static Tundra has a history of deploying SYNful Knock, a malicious implant for Cisco routers, first documented in 2015. This implant survives reboots and allows remote access through specially developed packets. In addition, the group abuses insecure SNMP community strings, sometimes even default ones like “public,” to extract more data or push new commands onto devices.

Cisco Talos researchers describe the operation as “highly sophisticated,” with evidence that compromised devices remain under the attackers’ control for years. They warn that Russia is not the only country running such operations, meaning any organization with unpatched or outdated networking gear could be at risk from multiple state actors.

“This FBI Alert underscores the importance of both maintaining a current inventory (knowing what’s available to attackers), and how important continued vigilance of patching currency and configuration management remains until the device is taken offline,” said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity.

“The impacted CVE (CVE-2018-0171) is a high scoring RCE (remote code execution) exploit – while some environments (like manufacturing, telecommunications, and other critical infrastructure) may face production delays for planned patching cycles – seeing a seven year delay for this kind of vulnerability to be widely exploited is a bit surprising,” he added.

****PATCH, PATCH, PATCH****

Both the FBI and Cisco have issued strong recommendations. Organizations should immediately patch devices still running Smart Install or disable the feature if patching is no longer an option.

For older, unsupported hardware, Cisco advises planning for replacement, since these devices will never receive fixes. Cybersecurity administrators should monitor for suspicious configuration changes, unusual SNMP traffic, and unexplained TFTP activity, which are common signs of this campaign.

The FBI is also encouraging anyone who suspects their systems may have been targeted to report findings through the Internet Crime Complaint Center.

Russian State Hackers Exploit 7-Year-Old Cisco Router Vulnerability

Doctor Web warns of Android.Backdoor.916.origin, a fake antivirus app that spies on Russian users by stealing data, streaming…

Doctor Web warns of Android.Backdoor.916.origin, a fake antivirus app that spies on Russian users by stealing data, streaming audio and video.

Cybersecurity researchers at Doctor Web are warning about a new strain of Android malware called Android.Backdoor.916.origin. The malware has been operational since January 2025 and is capable of listening to conversations, stealing messages, streaming video, and logging keystrokes.

This is the second time in the last four months that researchers have spotted malware targeting Russian infrastructure. **In April 2022**, Doctor Web exposed a fake Alpine Quest mapping app that was spying on the Russian military.

****Fake Anti-Virus Android App with Fake Results****

Doctor Web’s team believes it is not a mass infection attempt aimed at everyday Android owners, but a tool created to target Russian business representatives. The distribution method backs this theory as attackers are pushing the malware through direct messages in messengers, disguising it as an anti-virus called GuardCB.

The fake app uses a disguise to trick victims. Its icon resembles the emblem of the Russian Central Bank placed on a shield, making it look trustworthy. Once installed, it runs what looks like an antivirus scan, complete with fake detection results that are randomly generated to appear convincing.

_“_This is confirmed by other detected modifications with names like “SECURITY\_FSB”, “ФСБ” (FSB), and others, which cybercriminals are trying to pass off as security-related programs that are supposedly related to Russian law enforcement agencies,_“_ noted Dr Web researchers in their **blog post**.

Once installed, the backdoor requests a list of permissions, from geolocation and audio recording to camera access and SMS data. It also demands device administrator rights and access to Android’s Accessibility Service, which lets it act like a keylogger and intercept content from popular apps, including the following:

*   Gmail
*   Telegram
*   WhatsApp
*   Yandex Browser
*   Google Chrome

Malware asking for permissions in the Russian language (Via Doctor Web)

****Livestreaming Audio and Broadcast Video****

Doctor Web researchers explain that the malware is designed for persistence. It launches its own background services, checks if they are running every minute, and restarts them if needed. It also communicates with multiple command-and-control servers, capable of switching between as many as 15 hosting providers if attackers want to keep the infrastructure alive.

The list of available commands, available in Doctor Web’s report, shows the extent of its spying capabilities. It can livestream audio from a microphone, broadcast video from the camera, steal text as users type it, and upload contacts, SMS, images, and call history. Additionally, it even has the ability to stream a device’s screen in real time.

****Exploiting Android’s Accessibility Service****

The malware also takes advantage of Android’s Accessibility Service as a way to protect itself. This feature is abused not only to steal keystrokes but also to block attempts to remove the malware if attackers issue such a command. That self-protection capability means even if victims realize their device is compromised, removal can be difficult without dedicated security software.

Doctor Web notes that while the malware is advanced, it is also highly localized. Its interface is available only in Russian, supporting the view that it was built with a specific group of targets in mind.

If you are an Android user in Russia, only download apps from trusted sources and avoid letting Android’s open-source nature become an open invitation for hackers.

Fake Antivirus App Spreads Android Malware to Spy on Russian Users

Frankfurt am Main, Germany, 20th August 2025, CyberNewsWire

**Frankfurt am Main, Germany, August 20th, 2025, CyberNewsWire**

Link11, a Germany-based global IT security provider, has released insights into the evolving cybersecurity threat landscape and announced the capabilities of its Web Application and API Protection (WAAP) platform, designed to provide multi-layered defenses against modern digital threats.

The rapid pace of digital transformation has expanded the opportunities for organizations across industries. However, every new web application and API also broadens the attack surface, leaving businesses increasingly exposed. Cybercriminals are employing sophisticated tactics that target all levels of application infrastructure, rendering traditional point solutions insufficient.

**Key Threats Facing Digital Platforms:**

**DDoS attacks at the application layer**

Distributed denial-of-service (DDoS) attacks have traditionally been associated with overwhelming data floods. Increasingly, attackers use more subtle methods at the application level (Layer 7), simulating legitimate traffic to disrupt resource-intensive services such as login pages, search functions, or APIs. A recent example occurred when the website of an Israeli city council was hit by approximately 18 million HTTP requests in just minutes, temporarily disrupting operations.

**Malicious bots**

Automated traffic continues to account for a significant share of web activity, with malicious bots responsible for credential stuffing, content scraping, inventory theft, and fraud. Reseller bots, for example, often purchase large volumes of limited products such as concert tickets or designer items, leaving genuine customers unable to access them.

**Limitations of traditional WAFs**

Web Application Firewalls (WAFs) remain widely used but often rely on signature-based rules, which can fail to detect newer attack methods while generating false positives. Such gaps leave applications vulnerable to modern “low-and-slow” attacks and zero-day exploits, as well as to familiar threats like SQL injection or cross-site scripting (XSS).

**API vulnerabilities**

APIs are central to digital ecosystems, yet frequently underprotected. Unmonitored “shadow APIs” can unintentionally expand the attack surface. Attacks on API endpoints can lead to service disruptions, data theft, and account takeovers, underscoring the need for more advanced defenses.

**The Link11 WAAP Platform**

Link11’s WAAP platform has been developed to address these challenges through an integrated, real-time security framework.

*   **Unified all-in-one platform**: Consolidates multiple protection functions into a single interface to simplify management.
*   **Real-time multi-layered protection**: Detects and mitigates malicious traffic while ensuring seamless access for legitimate users.
*   **Flexible deployment**: Compatible with diverse infrastructures, protecting web applications and APIs regardless of hosting environment.
*   **24/7 managed support**: Backed by round-the-clock monitoring from Link11’s global Security Operations Centers (SOCs).
*   **Data security and compliance**: Operates on a wholly Link11-owned cloud platform, ensuring GDPR compliance and eliminating non-EU access risks.

**About Link11**

Link11 is a specialized IT security provider headquartered in Germany with offices worldwide. The company delivers enterprise-grade cybersecurity solutions, including protection for critical infrastructures. Link11 is ISO 27001 certified and recognized by the German Federal Office for Information Security (BSI) as a qualified provider for critical infrastructure protection.

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 Highlights Growing Cybersecurity Risks and Introduces Integrated WAAP Protection Platform

A new report from Red Canary reveals a clever Linux malware called DripDropper that exploits a flaw and…

A new report from Red Canary reveals a clever Linux malware called DripDropper that exploits a flaw and then patches it to prevent other hackers from getting in. Learn how this tactic works.

A new report by cybersecurity firm Red Canary reveals that hackers are exploiting a critical vulnerability and then patching it to lock out other attackers. The research from the Red Canary Threat Intelligence team, provided to Hackread.com, exposes a new piece of Linux malware, which the company named DripDropper, and details how adversaries are using it to gain and maintain hidden access on cloud servers.

The attack starts with exploiting a well-known security flaw, CVE-2023-46604, in a widely used piece of software called Apache ActiveMQ. This program is a “message broker,” which is a fancy term for a tool that helps different computer systems talk to each other. Although a patch has been available for some time, many systems are still vulnerable, and hackers are taking advantage of this weakness to get initial access.

“Even though the critical vulnerability exploited in ActiveMQ here is nearly three years old, adversaries are still exploiting the vulnerability to execute payloads such as Godzilla Webshell, and Ransomhub ransomware, resulting in a 94.44% likelihood of being exploited in the next 30 days, according to its EPSS score,” researchers noted.

****Strategy for Persistence****

After gaining a foothold, the hackers install two main tools. The first is a malicious software called Sliver, a tool that gives them secret, unrestricted control over the compromised computer.

They then use a downloader (DripDropper) that connects to a Dropbox account controlled by the attacker. This malware is an encrypted file that requires a password to run, making it tough for security analysts to examine.

But the most surprising part of the attack comes next. After establishing their control, the hackers use a common internet command to download a legitimate patch for the very vulnerability they just exploited.

By patching the system, they essentially close the door they used to get in, preventing other criminals from exploiting the same weakness. This clever move ensures their grip remains exclusive and makes it harder for defenders to trace the attack back to the original entry point.

To ensure long-term access, the DripDropper malware modifies system files to allow root logins and keep itself running. The malware also drops a second file with a random, eight-character name, which also contacts the attackers’ Dropbox for further instructions.

Researchers noted that using public platforms like Dropbox is a common tactic also used by other malware families such as CHIMNEYSWEEP, Mustang Panda, and WhisperGate.

These findings highlight that a clean vulnerability scan doesn’t always mean a system is secure. A scan might show a system is patched, but it won’t reveal how or by whom. This means, a multi-layered security approach is needed, including consistent patching and careful monitoring of cloud logs. The report also recommends using resources like CISA’s Known Exploited Vulnerabilities (KEV) catalogue to help prioritize which flaws to fix first.

_“_I’m not sure I’ve heard of automated malware that patched the vulnerability it used to break in, except maybe once before back in the 1990s, when two computer virus groups were battling it out for global control using the same software vulnerability. I have, however, been involved in a few consulting engagements over the years where human hackers broke in and patched the exploits,_“_ said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

“Once, when I was with Microsoft, I was hired to help consult with a customer who was mad that Microsoft was applying a patch that they had configured NOT to apply. It was a controversial patch at the time (it disabled the otherwise default autorun feature in Microsoft Windows when mobile media was inserted into a computer),” he explained.

_“_A lot of customers were mad that Microsoft was disabling autoruns, so Microsoft configured the patch to not automatically deploy if a particular related registry entry was enabled. Well, for this particular customer, the patch kept applying. They would then uninstall the patch, make sure the related registry entry was made, and then come back the next day to find the patch re-applied. Boy, they were mad_.”_

“When I showed up, I quickly discovered that a hacker group had broken in using the vulnerability, and they were trying to apply the patch to disable the autoruns feature to prevent other groups. Boy, was that client feeling mea culpa.”

“I said it then, and I’ll say it now, “If hackers are doing your patching faster than you are, you aren’t doing it right!” This is yet another argument for default auto-patching without admin involvement. We’ve yet again seen serious vulnerabilities that have not been patched years later. It’s all too common,” Roger added.

New DripDropper Malware Exploits Linux Flaw Then Patches It Lock Rivals Out

Scammers have been spotted abusing AI site builder Lovable to mimic trusted brands, steal credentials, drain crypto wallets,…

Scammers have been spotted abusing AI site builder Lovable to mimic trusted brands, steal credentials, drain crypto wallets, and spread malware.

Cybersecurity researchers at Proofpoint report that cybercriminals are abusing Lovable, an AI-powered website builder, to spin up fraudulent sites in minutes that mimic trusted brands and distribute malware.

Lovable was designed as a user-friendly tool for anyone with limited web development experience. Users simply type a description of the website they want, and the service generates a working site, hosted under the lovable.app domain.

The site offers creating free accounts that come with hosting and a visible “Edit with Lovable” badge, while paid users can hide the badge and attach custom domains. For legitimate users, it is a shortcut to publishing websites quickly. For threat actors, it has become an opportunity to scam unsuspecting people.

Proofpoint has tracked campaigns where Lovable-hosted sites distribute credential phishing kits such as Tycoon, payment data harvesters, and even cryptocurrency wallet drainers.

To test it in detail, researchers found no restrictions when attempting to build their own phishing site using Lovable, including functionality to mimic enterprise login portals. They reported hundreds of thousands of malicious Lovable URLs detected in email data each month since February 2025, with campaigns increasing gradually.

In one campaign from February 2025, attackers used lovable.app URLs to direct victims through a CAPTCHA page before loading a fake Microsoft login. The setup was powered by Tycoon, a Phishing-as-a-Service platform capable of stealing credentials, tokens, and session cookies. Later campaigns imitated HR messages about employee benefits to trick recipients into entering their corporate login details.

Via Proofpoint

According to Proofpoint’s report shared with Hackread.com ahead of publishing on Wednesday, 20, 2025, cybercriminals are also using Lovable to mimic logistics firms and payment services.

In June 2025, Proofpoint spotted a campaign impersonating UPS, with nearly 3,500 messages leading to a fake UPS website that harvested credit card details and personal information, then sent them directly to Telegram. The project template used for this scam was publicly “remixable” on Lovable, meaning anyone could adapt it for new attacks with little effort.

One campaign impersonated DeFi service Aave, tricking victims into connecting their wallets to fraudulent sites created through Lovable. Researchers also identified other cryptocurrency-themed apps built with the tool that appeared designed to steal credit card details or siphon funds from connected wallets.

****Not Just Phishing****

In July 2025, Proofpoint discovered a campaign in German that used Lovable to host a fake invoice download page. Victims who clicked the link were served a trojanized file loader that ultimately delivered the remote access trojan zgRAT. Similar campaigns were later observed in English with minor adjustments to target different organizations.

****Lovable Alerted****

Proofpoint disclosed its findings to Lovable, which responded by correlating the data with its own investigations. According to the company, one phishing cluster with hundreds of domains was taken down in the same week.

Lovable also said it has rolled out AI-driven safeguards, including real-time detection of malicious prompts and daily scanning of published projects, with additional protections for account abuse planned for later this year.

AI Website Builder Lovable Abused for Phishing and Malware Scams

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Phishing is no longer about badly written emails asking you to “click here.” Today’s attacks are business-grade, powered by AI and packaged in ready-to-use phishing kits. That means cybercriminals can now launch believable spearphishing campaigns in hours.

For companies, this raises the stakes. A single successful phishing email can expose confidential data, disrupt operations, and damage reputation. The question for managers is no longer whether phishing will target your organization, but how fast your team can detect and stop it.

****Why Modern Phishing is Harder to Catch****

Attackers have leveled up, and traditional filters struggle to keep up.

*   **AI-driven precision**: Attackers now generate flawless, personalized messages with no spelling or grammar mistakes, making them harder to spot by humans and machines.
*   **Phishkits for everyone**: These pre-built toolkits allow even inexperienced criminals to create convincing campaigns quickly.
*   **Advanced evasion**: Links hidden in QR codes, fake CAPTCHAs, and multi-step **redirect chains** slip past email filters and secure gateways.

Even well-equipped SOC teams find it challenging to separate real threats from the noise. And delays in detection create costly risks: longer investigation times, higher chances of compromise, and increased business impact.

****The Solution to Stopping Modern Phishing****

The most effective way companies are preventing data theft today is through interactive analysis. Unlike traditional tools that only scan for known indicators, interactive analysis simulates the entire attack journey as if a real user were engaging with the email or file.

This means hidden tricks, whether they involve layered redirects, fake login pages, or other evasive steps, are exposed in full. Security teams gain clear visibility into the entire execution chain, from the initial lure to the final payload.

Spearphishing attack caught inside ANY.RUN sandbox

That’s why more and more organizations are turning to interactive sandboxes like ANY.RUN. They provide teams with the insight needed to understand exactly how an attack unfolds, making it possible to block threats before they lead to data loss.

Visibility is powerful, but what makes the difference for modern teams is **automation**. This is where sandboxes like ANY.RUN excel, turning interactive analysis into a fully automated process that integrates seamlessly with existing SOC stacks. 

Let’s look at how this works in practice with a real-world phishing attempt aimed at Hitachi Energy employees.

Real Case: A Multi-Stage Phishing Attack Against Hitachi

The attack began with what looked like a normal HR email from “Hitachi Energy”, asking employees to review a new company policy. Polished design, urgent tone, even a security reminder; everything about it was convincing enough to slip past traditional filters and catch employees off guard.

With the help of automation, ANY.RUN was able to fully unravel this attack in a safe environment.

Fast verdict of malicious behaviour with relevant tags exposed inside ANY.RUN sandbox

**Malicious PDF Detected**

The attachment appeared harmless but contained a QR code instead of a clickable link; a tactic specifically designed to evade email security systems. ANY.RUN’s sandbox automatically flagged the suspicious behavior.

QR code with a hidden malicious URL detected by ANY.RUN

This early detection helps prevent employees from unknowingly scanning QR codes that lead to hidden threats.

**Hidden Link Extraction**

Once automated interactivity was enabled, the sandbox scanned the QR code, extracted the hidden URL, and opened it inside a browser, continuing the attack chain without analyst involvement.

  
**Bypassing CAPTCHA**

The attackers added another layer of defense: a Cloudflare CAPTCHA, meant to stop automated tools. ANY.RUN solved it automatically, just like a human would, and continued the investigation.

CAPTCHA verified automatically, saving time and effort

As a result, security teams don’t get stuck at roadblocks, saving hours of manual testing and guaranteeing deeper visibility.

**Credential Harvesting Page Exposed**

The final stop was a fake Microsoft login page, designed to steal employee credentials. A well-crafted replica that many people would likely trust. By exposing the fake login page safely, the sandbox provided teams with a clear malicious verdict before any real credentials could be compromised.

Fake Microsoft page designed to steal credentials

**IOC Collection and Reporting**

Along the way, ANY.RUN gathered all IOCs (indicators of compromise), mapped the attacker’s processes, and generated a detailed report ready for sharing across the SOC.

Well-structured report for sharing between team members

These IOCs can be fed directly into SIEM/SOAR systems to strengthen detection rules, train employees, and build a strategy that prevents similar data theft attempts in the future.

****How Automation Strengthens Phishing Response****

Modern phishing campaigns aren’t just technical challenges but also operational ones. Attacks like the Hitachi case are designed to drain time, mislead staff, and slip through traditional defenses. Automation changes the equation, giving organizations the ability to handle phishing with speed and confidence.

*   **Faster, Reliable Decisions:** Move from a suspicious email to a clear, evidence-backed verdict in minutes. Faster decisions mean less downtime, lower risk of data theft, and reduced financial exposure.
*   **Reduced Operational Costs:** With automation handling phishing detection end-to-end, fewer staff hours are wasted on repetitive checks. Your team can cover more ground without increasing headcount.
*   **Optimized Talent Use:** Junior staff can confidently handle phishing triage with automated support, while senior analysts dedicate their time to higher-value activities like threat hunting and strategy.
*   **Lower Business Risk:** By exposing full attack chains, including hidden redirects and fake login pages, managers get assurance that threats are caught before credentials or sensitive data are stolen.
*   **Proven Efficiency Gains:** Organizations using ANY.RUN have reported up to **3x faster phishing detection and response times**, translating to fewer escalations, stronger compliance, and lower incident costs.

****Expose Phishing Tricks Before Data is Stolen****

  
Phishing attacks are becoming harder to spot, but with ANY.RUN, organizations don’t have to rely on guesswork or slow manual checks. By automating interactive analysis, the sandbox reveals every hidden step, so teams can act before data is compromised. 

With clear reports, ready-to-use IOCs, and seamless SOC integration, ANY.RUN helps businesses cut investigation time, reduce analyst workload, and strengthen defenses where it matters most.

How to Automate Phishing Detection to Prevent Data Theft

Australian ISP iiNet confirms data breach as hackers stole 280,000 email accounts, phone numbers and user data using…

Australian ISP iiNet confirms data breach as hackers stole 280,000 email accounts, phone numbers and user data using stolen employee credentials, TPG says.

Australian internet provider iiNet has confirmed a data breach in its order management system, with parent company TPG Telecom reporting that customer information was accessed using stolen employee credentials.

The breach was detected on Saturday, 16 August 2025, after attackers used stolen employee credentials to gain access to the system. According to TPG, the information exposed was limited in scope compared with other recent corporate breaches, but the details are still sensitive enough to cause problems for customers.

Initial investigations show that around 280,000 active iiNet email addresses were exposed, along with 20,000 landline numbers and about 10,000 usernames, street addresses, and phone numbers. A smaller but significant set of roughly 1,700 modem setup passwords was also compromised.

While the company says that no financial records, identity documents, or payment details were included, cybersecurity experts warn that personal contact information is often valuable to criminals who launch phishing and social engineering attacks.

TPG Telecom said it acted quickly once the breach was confirmed. The company disabled the compromised accounts, brought in external security specialists, and informed the Australian Cyber Security Centre, the National Office of Cyber Security, and the Office of the Australian Information Commissioner. This shows the seriousness of the case, since coordination with government agencies is only triggered in incidents considered significant.

If you are an iiNet customer, change any passwords linked to iiNet services, especially if the same credentials are used across multiple platforms. Remain alert for suspicious emails or calls that may try to exploit the exposed information.

****Second TGP Data Breach Since 2022****

This is not the first time TPG and iiNet have faced cybersecurity incidents. In December 2022, as reported by Hackread.com, hackers breached TPG Telecom’s email service and accessed client data.

This incident adds iiNet to the growing list of Australian companies that have been hit by cyberattacks in recent years. In September 2022, Optus, the country’s second-largest telecom firm, suffered a data breach that exposed the personal details of millions of customers. The incident also led the company to issue a public apology.

TPG has begun notifying both impacted and non-impacted customers as a precaution, offering resources to help them secure their accounts.

Australian ISP iiNet Reports Data Breach, Customer Accounts Stolen

Citizen Lab’s new report, Hidden Links, uncovers a network of VPN providers like Turbo VPN and VPN Monster…

Citizen Lab’s new report, Hidden Links, uncovers a network of VPN providers like Turbo VPN and VPN Monster that are controlled by a single company and use dangerous security practices, including hard-coded passwords and weak encryption.

A new research paper titled “Hidden Links: Analyzing Secret Families of VPN Apps” has exposed how some popular Virtual Private Network (VPN) providers intentionally hide their true ownership and share security flaws.

The paper was co-authored by Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah Crandall and published by Citizen Lab. Their study involved a deep analysis of apps from the Google Play Store, looking at everything from code similarities and network communications to business filings.

Researchers identified three families of VPNs that are secretly operated by the same entity. The most notable group includes Innovative Connecting, Autumn Breeze, and Lemon Clove, which have over 700 million downloads combined.

These companies distribute apps such as Turbo VPN, VPN Monster, and Snap VPN, and are linked to a Chinese national security firm, Qihoo 360, which has been sanctioned by the US government.

It is worth noting that Turbo VPN and Snap VPN were also named in the Tech Transparency Project’s June 2025 report, which cited national security concerns related to the possibility of these VPNs transferring US data to China.

A second family of providers, with over 380 million downloads, included MATRIX MOBILE PTE LTD and ForeRaya Technology Limited. A third family included Fast Potato Pte. Ltd and Free Connected Limited.

Further probing revealed that many of these VPNs use a specific technology called Shadowsocks, which was originally created to bypass internet censorship in China, not to provide privacy. The apps used outdated and unsafe methods for encryption, making them easier to hack. Some apps were also caught collecting a user’s location and sending it to a server, even though their privacy policies promised they wouldn’t.

Another key finding (PDF)was that these apps share not only code but also serious security vulnerabilities. For example, two of the families used a single, hard-coded password for their VPN apps. For your information, a hard-coded password is a secret key permanently built into an app, which means it’s the same for every single user. This allows anyone who discovers the password to decrypt the traffic of all users of that app, making their private information visible to eavesdroppers.

Researchers were able to use these shared passwords to confirm that different-looking VPN services were actually sharing the same servers. They also noted three other apps from VPN Super Inc., Miczon LLC, and Secure Signal Inc. that did not appear to have these hidden links.

Nonetheless, the shared security flaws mean that if one app in a family is vulnerable, so are all the others. These findings highlight that what appear to be distinct VPN apps are often part of a single, malicious network, putting millions of users at risk.

This is why it’s so important for users to know who is really behind their VPN service. The study emphasizes the critical need for transparency from VPN providers and calls on app stores like Google Play to improve how they verify the identity of app developers and audit app security.

Citizen Lab Reports Hidden VPN Networks Sharing Ownership and Security Flaws

The UK’s South Yorkshire Police lost 96,000 bodycam videos in a data transfer mishap, impacting 126 cases. Poor…

The UK’s South Yorkshire Police lost 96,000 bodycam videos in a data transfer mishap, impacting 126 cases. Poor backups and IT failures led to the deletion.

South Yorkshire Police (SYP) has been officially reprimanded by the Information Commissioner’s Office (ICO) after an investigation revealed the force deleted over 96,000 pieces of body-worn video (BWV) evidence. The incident, which happened on July 26, 2023, was a result of serious failures in the force’s IT systems and record-keeping.

In its official statement, the ICO, the UK’s data protection regulator, announced it had reprimanded SYP because the force “did not have the appropriate technical and organisational measures in place to keep the evidence secure.”

The investigation highlighted several key issues, including a delay in creating IT backup policies and poor record-keeping, which made it impossible for SYP to confirm exactly how many videos were permanently lost.

****How the Data Was Lost****

The issue started in May 2023 after an IT system upgrade. The main system, which officers used to upload their BWV footage, began to struggle with the data. To fix this, a temporary solution was put in place where the videos were stored on a local drive.

However, a few months later, on August 7, 2023, an SYP IT manager noticed a huge number of files were missing. A deeper inspection found that the mass deletion of 96,174 original video files had happened on July 26, 2023.

The deletion was part of a data transfer being done by a third-party company. While some of the footage had been copied to a new system (95,033 pieces), the police force’s poor record-keeping meant they couldn’t confirm exactly how many files were permanently lost.

An example of a South Yorkshire bodycam video

****Impact and Recommendations****

The lost data was connected to 126 criminal cases, but only three of those cases were directly affected. SYP stated that one case might have gone to court if the video evidence had been available.

The Information Commissioner’s Office has given SYP several recommendations to prevent this from happening again, including making sure they have a good backup solution and improving how they handle data with outside companies. SYP has since stated that they have implemented all of the recommendations.

According to Sally Anne Poole, the Head of Investigations at the ICO, this incident is a major lesson for all police forces using this type of technology. She emphasized that the public expects police forces to protect the personal information they handle. As Poole stated, “This incident highlights the importance of having detailed policies and procedures in place to mitigate against the loss of evidence.”

The full reprimand can be read here (PDF).

96,000 UK Police Bodycam Videos Lost After Data Transfer Mishap

Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks…

Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks exploiting a Windows zero-day.

Cybersecurity researchers at Microsoft discovered a new backdoor called PipeMagic while investigating attacks that abused a zero-day flaw in Windows CLFS (CVE-2025-29824). What makes this backdoor dangerous is how it poses as a legitimate open-source ChatGPT desktop application while delivering a framework for running ransomware operations.

PipeMagic relies on a modular design that loads different components as needed. These modules handle everything from command-and-control communication to payload execution, all while staying hidden through encrypted named pipes and in-memory operations. By separating its functions this way, the backdoor makes it far more difficult for defenders to detect or analyze.

It is worth noting that the ChatGPT Desktop project on GitHub mentioned by Microsoft (available here) is not malicious. What happened is that attackers used a trojanized copy of this app, since it’s open source, modified with hidden code, to deliver the PipeMagic backdoor. The legitimate version remains safe, but downloading from unofficial or compromised sites carries the risk of infection.

> _“The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.”_
> 
> Microsoft

****PipeMagic Attributed to Storm-2460****

Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. In recent campaigns, the group used it alongside CVE-2025-29824, a privilege escalation vulnerability, to move from initial access to ransomware deployment.

The attacks have not been limited to one industry or geography, with victims identified targeting financial and real estate organizations in the United States, Europe, South America, and the Middle East.

Researchers examining PipeMagic found that it manages payloads through a set of linked lists that act like internal queues. Some lists hold modules waiting to be executed, others manage network communication, while one list remains unexplained but appears to be used dynamically by loaded payloads. This structure allows Storm-2460 to update or replace components on the fly, giving them flexibility without having to redeploy the entire backdoor.

According to Microsoft’s long technical blog post, the communication layer of PipeMagic is equally sophisticated. Instead of connecting directly to its command server, the backdoor loads a dedicated networking module that establishes a WebSocket-style connection with its operators.

This design keeps network traffic isolated from the rest of the backdoor, limiting detection opportunities. Once a secure channel is active, PipeMagic sends detailed system information, including bot ID, domain details, process integrity, and user context, before receiving instructions on what modules to run or which data to exfiltrate.

Storm-2460 can also insert new modules, update existing ones, gather hashes, enumerate processes, and even rename the backdoor executable for self-deletion. Therefore, Microsoft has released detections across Microsoft Defender products and is urging organizations to review their security.

PipeMagic shows just how far backdoors have evolved. By using a zero-day exploit with a modular backdoor, Storm-2460 built a tool that easily bypasses detection. The full Microsoft analysis goes deep into its internal structures and also offers mitigation guidance.

Source

HackRead