Hackers release 9GB of stolen files from the computer of an alleged North Korean hacker, revealing tools, logs,…

Hackers release 9GB of stolen files from the computer of an alleged North Korean hacker, revealing tools, logs, sensitive data and much more. The data is now available for download via DDoSecrets.

It is not often that the inner workings of a cyber-espionage operator are exposed, but that is exactly what happened when two hackers decided to publish a trove of stolen files during one of the world’s biggest hacking conferences.

The material did not surface on a cybercrime forum or through a misconfigured database. Instead, it was shared through **Phrack**, the legendary hacker publication, during its 40th anniversary issue at DEF CON in Las Vegas.

The people behind the **leak**, who go by the names Saber and cyb0rg, say they gained access to a virtual workstation and a virtual private server used by someone they call “KIM.” This individual was believed by the leakers to be linked to **Kimsuky**, a group long associated with North Korean state-backed cyber activity. Yet even with that claim, questions remain, and some security experts think it is just as possible that the operator could be based in China.

What they took and later shared offers a rare look into the operational tools and records of an advanced threat actor. The first batch of data included attack logs showing attempts to compromise South Korea’s government and its Defense Counterintelligence Command through the VPS. The second release was even more revealing, containing internal documentation, source code, stolen credentials, and command scripts from the operator’s workstation.

Independent analysts like Distributed Denial of Secrets (DDoSecrets), who reviewed the files and **indexed** the entire 8.90 GB archive on its website for free download, found that the materials appeared authentic and consistent with a real-world espionage toolkit.

Screenshot of the archive available on DDoSecrets (Image credit: Hackread.com)

However, figuring out who actually ran these systems can still be difficult. Hackers sometimes leave trails that point to the wrong country, and skilled operators can mimic another nation’s methods closely enough to mislead investigators.

For now, the leak sits as both a technical goldmine for researchers and a mystery for intelligence analysts. Phrack has said it plans to release additional download links on its site, which means more details could surface.

Nevertheless, this is not the first time that such sensitive data has gotten into the hands of a third party. Back in 2020, IBM’s X‑Force team stumbled across over **40 gigabytes of video recordings** showing Iranian cyber‑espionage operators teaching others how to hijack email accounts.

The footage, which included real-time steps, like linking Gmail accounts to Zimbra software to download inboxes, was exposed by mistake when the hackers uploaded it to an unsecured cloud server.

Hackers Leak 9GB of Data from Alleged North Korean Hacker’s Computer

North Korean hackers ScarCruft shift from spying to ransomware, using VCD malware in phishing attacks, targeting South Korea…

North Korean hackers ScarCruft shift from spying to ransomware, using VCD malware in phishing attacks, targeting South Korea with advanced tools. Discover how this new malware marks a shift from espionage to financially motivated cyberattacks.

A well-known North Korean hacking group, ScarCruft, is changing its methods, adding a new type of attack to its usual playbook of spying. Cybersecurity experts from the South Korean firm S2W recently released a report revealing that ScarCruft is now using a new ransomware called VCD.

This is a critical shift, as the group has traditionally focused on stealing information from high-profile people and government agencies in countries like South Korea, Japan, and Russia.

The group’s recent campaign, carried out by a subgroup called ChinopuNK, occurred in July and used phishing emails to target people in South Korea. These emails contained a tricky file disguised as an update for postal codes.

Once opened, this file infected the victim’s computer with more than nine different kinds of malware, including a new variant of a known malware called ChillyChino, and a backdoor that was written in the Rust programming language. Among these were information-stealing programs like LightPeek and FadeStealer, as well as a backdoor called NubSpy that let the hackers secretly control the computer.

ScarCruft Subgroup Classification (Source: S2W)

This backdoor is especially clever because it uses a real-time messaging service called PubNub to hide its malicious traffic within normal network activity. This campaign is also notable because it included the new VCD ransomware, which locks up a person’s files and demands a ransom. The ransom note is even available in both English and Korean.

Attack Flow (Source: S2W)

According to S2W’s Threat Analysis and Intelligence Center (TALON), this new approach suggests that ScarCruft might be adding financially motivated goals to its spying activities. The group is part of a larger network of North Korean hackers who are known to generate money for the country’s government, which is facing many economic sanctions.

A United Nations report from last year (PDF) even stated that North Korean hackers, including groups like Lazarus and Kimsuky, had stolen around $3 billion over six years.

Mayank Kumar, founding AI engineer at the firm DeepTempo, commented on this evolution, highlighting how these attacks are becoming more complex. Sharing his comment with Hackread.com, Kumar said that ScarCruft’s use of ransomware alongside its usual spying tools shows a new trend where nation-backed hacking and criminal tactics are merging.

“Advanced persistent threat groups must expand their toolsets and blur the line between espionage and cybercrime. Defenders must prepare for campaigns where ransomware is one element in a multi-stage operation. Adaptive, deep learning–driven anomaly detection across network traffic, system events, and security logs, paired with strong segmentation, rapid containment, and visibility into both human and automated adversary activity, is essential to counter such blended threats,” Kumar suggested.

North Korean Group ScarCruft Expands From Spying to Ransomware Attacks

London, United Kingdom, 11th August 2025, CyberNewsWire

**London, United Kingdom, August 11th, 2025, CyberNewsWire**

**New** **Heimdal** **study reveals how tool sprawl creates blind spots, with over half of providers experiencing daily or weekly burnout** 

Survey of 80 North American MSPs shows fragmented security stacks drive fatigue, missed threats, and business inefficiency 

Security tools meant to protect managed service providers are instead overwhelming them. 

A new study from Heimdal and FutureSafe reveals that 89% of MSPs struggle with tool integration while 56% experience alert fatigue daily or weekly. 

The research exposes a dangerous paradox. MSPs experiencing high alert fatigue are significantly more likely to miss real threats.

The very tools deployed to enhance security are creating blind spots through exhaustion. 

**The Scale of the Problem** 

The average MSP now runs five security tools, with 20% juggling seven to ten and 12% managing more than ten. 

Only 11% report seamless integration. The remaining 89% must flip between separate dashboards and waste time on manual workflows. 

One in four security alerts prove meaningless, with some MSPs reporting that 70% of their alerts are false alarms. 

Among MSPs managing 1,000+ clients, 100% report daily fatigue. 

> “MSPs are drowning in complexity, not from threats, but from the tools meant to stop them,” said Jesper Frederiksen, CEO at Heimdal. “Every new point solution adds another agent, console, and alert stream. That noise exhausts people and quietly degrades protection.” 

**Beyond Security Operations** 

Agent fatigue extends beyond alert management. Disconnected platforms slow billing processes, complicate client onboarding, and create compliance reporting headaches. 

> “Agent fatigue isn’t just a tech issue. It’s a business risk,” said Jason Whitehurst, CEO at FutureSafe. “MSPs are juggling tool after tool, but they don’t work together.” 

**The Solution Hiding in Plain Sight** 

Despite widespread recognition of the problem, only 20% of MSPs have consolidated their security solutions. Those who have reported fewer alerts, faster response times, and happier staff. 

**Key Survey Findings** 

*   56% experience alert fatigue daily or weekly, 75% at least monthly 
*   Only 11% enjoy seamless tool connectivity 
*   MSPs using 7+ tools report nearly double the fatigue levels 
*   High false positive rates triple the chance of missing genuine incidents 
*   The 20% who consolidate report better outcomes across all metrics 

**Research Methodology** 

The State of MSP Agent Fatigue 2025 surveyed 80 North American MSPs in H1 2025, combining quantitative analysis with thematic coding of over 300 free-text responses. 

Users can download the complete report free at: heimdalsecurity.com/msp-agent-fatigue-report  

**About Heimdal** 

Established in Copenhagen in 2014, Heimdal empowers security teams and MSPs through unified cybersecurity solutions spanning endpoint to network security, including vulnerability management, threat prevention, and ransomware mitigation. 

**About FutureSafe** 

FutureSafe is the exclusive provider of Heimdal in the United States, helping MSPs cut through tool sprawl and deliver consolidated cybersecurity.

**Contact**

**Head of Content & PR**  
**Danny Mitchell**  
**Heimdal Security**  
**\[email protected\]**

Report Reveals Tool Overload Driving Fatigue and Missed Threats in MSPs

Cary, United States, 11th August 2025, CyberNewsWire

**Cary, United States, August 11th, 2025, CyberNewsWire**

**Hands-on cybersecurity and IT training leader recognized for innovation in practical, work-ready education**

INE has been selected for Training Industry’s 2025 Top 20 Online Learning Library Companies list, recognizing the company’s leadership in cybersecurity training, cybersecurity certifications, and IT training that emphasizes hands-on, practical learning experiences.

Training Industry evaluated companies based on course quality and scope, market presence and innovation, client relationships, and business growth. INE’s selection underscores the company’s commitment to cybersecurity education that bridges the gap between theoretical knowledge and real-world application.

> “This year’s Top 20 Online Learning Library companies stood out for their expansive content libraries and the depth of features built into their platforms,” said Jalen Banks, market research analyst at Training Industry, Inc. “These providers offer timely, on-demand content supported by reinforcement tools and assessments. Their advanced technology and data capabilities enable dynamic, adaptive learning experiences that foster learner engagement, build critical skills, and ultimately drive meaningful outcomes for the organizations they serve.”

> “This recognition validates our longstanding commitment to delivering training that truly prepares professionals for the challenges they face in their roles,” said Dara Warn, CEO of INE. “We focus on creating learning experiences that go beyond traditional coursework to provide practical skills that professionals can immediately apply in their organizations. When teams complete our programs, they’re equipped to strengthen their organization’s security posture and address complex infrastructure challenges with confidence.”

INE distinguishes itself through its emphasis on the practical application of cybersecurity and IT training for organizations and individuals. The training platform features more than 700 expert-led courses, 50+ learning paths, and thousands of hands-on labs that replicate actual network environments and security scenarios. Professionals and teams engage with industry-standard tools and tackle the same challenges they encounter in enterprise environments, whether pursuing cybersecurity certifications, network security certifications, or advancing their expertise through comprehensive network certification prep.

**Building on Recent Industry Recognition**

This Training Industry honor follows a series of notable recognitions for INE in recent months. This year, G2 awarded the company more than three dozen badges, including Grid Leader designations for Cybersecurity Professional Development, Online Course Providers, and Technical Skills Development.

INE also earned placement on Training Industry’s 2023 Top 20 Online Learning Libraries list, as well as on Training Industry’s 2023 Watch Lists for Experiential Learning Capabilities and IT and Technical Training, which recognized organizations’ visibility, innovation, and impact in the IT and technical training market. Combined with multiple Global Infosec Awards, SC Media Excellence Awards, and consistent recognition as a G2 Top Training Provider, these honors reflect INE’s sustained excellence in the technical training sector.

**Addressing Industry Needs Through Practical Education**

Since its founding in 2003, INE has partnered with Fortune 500 companies to address a critical challenge in the industry: the gap between traditional training methodologies and job-ready competencies. Organizations across industries rely on INE to develop their cybersecurity and networking teams, while individual professionals leverage INE as a training partner to advance their careers. INE’s approach connects theoretical concepts with practical application, providing learners with context for when and how to apply their knowledge effectively in real-world business environments.

> “Our methodology centers on experiential learning because we believe that hands-on practice is essential for developing true expertise,” Warn explained. “Our lab environments place learners in realistic scenarios where they must identify, analyze, and remediate security issues. This approach develops the kind of practical competency that translates directly to workplace effectiveness and organizational resilience.”

INE’s comprehensive IT training programs serve both organizations seeking to develop their teams and individual professionals advancing their careers. Companies use INE’s enterprise solutions to upskill existing teams, mitigate cybersecurity risk, and build more resilient IT operations. Recent program additions include the Mobile Application Penetration Testing certification (eMAPT) and the Certified Threat Hunting Professional certification (eCTHP), both designed around authentic scenarios that reflect current industry challenges and organizational needs.

**About INE**

INE is an award-winning, premier provider of online networking and cybersecurity education, including cybersecurity training and certification. INE is trusted by Fortune 500 companies and IT professionals around the globe. Leveraging a state-of-the-art hands-on lab platform, advanced technologies, a global video distribution network, and instruction from world-class experts, INE sets the standard for high-impact, career-advancing technical education.

**Contact**

**Director of Global Strategic Communications and Events**  
**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Named to Training Industry’s 2025 Top 20 Online Learning Library List

A cyberattack on Bouygues Telecom exposed data for 6.4 million customers. Find out what information was compromised and…

A cyberattack on Bouygues Telecom exposed data for 6.4 million customers. Find out what information was compromised and what you need to do to protect yourself from scams, as the company warns customers to be on high alert.

French telecommunications giant Bouygues Telecom has confirmed a cyberattack that resulted in the personal information of 6.4 million customers being exposed. The company, which serves nearly 27 million mobile users across France, discovered the security breach on August 4th.

****What Was Compromised?****

An investigation by the company revealed that hackers gained access to a variety of customer details. This includes contact information, contract details, and, for many, their International Bank Account Number (IBAN). An IBAN is a unique number that identifies a bank account and is used to process transactions like direct deposits or transfers.

Bouygues has confirmed that more sensitive data, like passwords and credit card numbers, were not affected in this breach. Both individual and business customers were impacted by the attack. The company promptly reported the incident to French authorities and is alerting all affected customers via email or text message.

Hackers planning to leak Bouygues Telecom data soon (Image credit: Hackread.com)

****What Should Customers Do?****

In response to the breach, Bouygues is urging its customers to be extremely cautious of potential scams. Customers should watch for any suspicious emails or phone calls from people pretending to be from Bouygues or another company, as scammers might use the stolen data to try and trick them into revealing more information, such as credit card numbers or passwords.

Bouygues also advised customers whose IBANs were exposed to monitor their bank accounts closely and contact their bank if they notice any unusual activity. The company has filed a complaint with judicial authorities, noting that the perpetrator could face up to five years in prison and a €150,000 fine.

The attack on Bouygues is part of a broader trend of major telecommunication firms being targeted globally. As reported by Hackread.com, in May 2025, South Korean firm SK Telecom revealed a malware intrusion that had gone undetected for nearly two years, leaking vast amounts of customer data.

Furthermore, an advisory from the FBI and Canada’s Cyber Centre in June 2025 warned of an ongoing cyber espionage campaign by a China-linked group called Salt Typhoon, which is actively targeting telecom networks worldwide to steal sensitive data. These incidents highlight why telecommunications companies, due to the valuable data they hold, are frequent targets for both cybercriminals and state-sponsored groups.

Bouygues Telecom Hit by Cyberattack, 6.4 Million Customers Affected

AgentFlayer is a critical vulnerability in ChatGPT Connectors. Learn how this zero-click attack uses indirect prompt injection to…

AgentFlayer is a critical vulnerability in ChatGPT Connectors. Learn how this zero-click attack uses indirect prompt injection to secretly steal sensitive data from your connected Google Drive, SharePoint, and other apps without you knowing.

A new security flaw, dubbed AgentFlayer, has been revealed that demonstrates how attackers can secretly steal personal information from users’ connected accounts, like Google Drive, without the user ever clicking anything. The vulnerability was discovered by cybersecurity researchers at Zenity and presented at the recent Black Hat conference.

As per Zenity’s research, the flaw takes advantage of a feature in ChatGPT called Connectors, which allows the AI to link to outside applications such as Google Drive and SharePoint. While this feature is designed to be helpful, for example, by letting ChatGPT summarise documents from your company’s files, Zenity found that it can also create a new path for hackers.

****The Attack in Action****

The AgentFlayer attack works through a clever method called an indirect prompt injection. Instead of directly typing in a malicious command, an attacker embeds a hidden instruction into a harmless-looking document. This could even be done with text in a tiny, invisible font.

Invisible prompt injection embedded in a document. 1px white font (Source: Zenity)

The attacker then waits for a user to upload this poisoned document to ChatGPT. When the user asks the AI to summarise the document, the hidden instructions tell ChatGPT to ignore the user’s request and instead perform a different action. Such as, the hidden instructions could tell ChatGPT to search the user’s Google Drive for sensitive information like API keys.

Victim’s API Keys (Source: Zenity)

The stolen information is then sent to the attacker in an incredibly subtle way. The attacker’s instructions tell ChatGPT to create an image with a special link. When the AI displays this image, the link secretly sends the stolen data to a server controlled by the attacker. All of this happens without the user’s knowledge and without them needing to click on anything.

****A Growing Risk for AI****

Zenity’s research points out that while OpenAI has some security measures in place, they aren’t enough to stop this type of attack. Researchers were able to bypass these safeguards by using specific image URLs that ChatGPT trusted.

This vulnerability is part of a larger class of threats that show the risks of connecting AI models to third-party apps. Itay Ravia, the Head of Aim Labs, confirmed this, stating that such vulnerabilities are not isolated and that more of them will likely appear in popular AI products.

“As we warned with our original research, EchoLeak (CVE-2025-32711) that Aim Labs publicly disclosed on June 11th, this class of vulnerability is not isolated, with other agent platforms also susceptible,_“_ Ravia explained.

“The AgentFlayer zero-click attack is a subset of the same EchoLeak primitives. These vulnerabilities are intrinsic, and we will see more of them in popular agents due to a poor understanding of dependencies and the need for guardrails,” Ravia commented, emphasising that advanced security measures are needed to defend against these kinds of sophisticated manipulations.

AgentFlayer 0-click exploit abuses ChatGPT Connectors to Steal 3rd-party app data

A Nigerian man has been extradited from France to face hacking, identity theft, and fraud charges in the…

A Nigerian man has been extradited from France to face hacking, identity theft, and fraud charges in the US. He and his co-conspirators allegedly used spearphishing to steal customer data, filing fraudulent tax returns and disaster relief claims worth millions of dollars.

In a much-awaited legal move, Nigerian man Chukwuemeka Victor Amachukwu, a/k/a “Chukwuemeka Victor Eletuo” and “So Kwan Leung,” was recently extradited from France to the United States to face charges related to hacking, fraud, and identity theft.

The extradition, announced by the FBI and the Department of Justice, marks the culmination of extensive teamwork between US and French law enforcement agencies and is a major step in the ongoing case.

According to statements from US Attorney Jay Clayton and FBI Assistant Director Christopher G. Raia, Amachukwu is a key figure in a scheme that has allegedly stolen millions of dollars. The charges against him and his co-conspirators include a sophisticated plan to hack into tax businesses across the US, including locations in New York and Texas.

The alleged fraud began around 2019, when Amachukwu and his partners, including a person named Kinglsey Uchelue Utulu, used deceptive emails to gain access to the computer systems of tax preparation businesses. These types of emails, known as spearphishing, are highly targeted messages designed to trick specific individuals into revealing sensitive information or granting system access. Once inside, the group stole personal and tax information from thousands of customers.

They then used this stolen data to file fraudulent tax returns with the IRS and state tax authorities, seeking approximately $8.4 million and successfully obtaining around $2.5 million. The scheme didn’t stop there. The group also reportedly used the stolen identities to file fake claims with the Small Business Administration’s Economic Injury Disaster Loan program, securing an additional $819,000 in fraudulent payouts. This program is designed to provide financial relief to businesses affected by disasters.

In a separate scheme, Amachukwu is also accused of running a fake investment program. He allegedly promised victims valuable standby letters of credit that didn’t actually exist, and instead, “pocketed millions of dollars of his victims’ money,” according to US Attorney Clayton.

Amachukwu, 39, faces several serious charges, including conspiracy to commit computer intrusions, multiple counts of wire fraud, and aggravated identity theft (PDF). If convicted, these charges could lead to a lengthy prison sentence. He was presented before US Magistrate Judge Robert W. Lehrburger, with the case now assigned to US District Judge Paul G. Gardephe.

The FBI praised the work of its international partners, including the Justice Department’s Office of International Affairs and the French National Gendarmerie, for their help in the arrest and extradition. As is customary, the defendant is presumed innocent until proven guilty in a court of law.

Nigerian man extradited from France to US over hacking and fraud allegations

Critical WinRAR flaw CVE-2025-8088 exploited by Russia-linked hackers to spread RomCom malware, update to version 7.13 now to…

Critical WinRAR flaw CVE-2025-8088 exploited by Russia-linked hackers to spread RomCom malware, update to version 7.13 now to stay protected. Learn how a Russia-linked group is using this vulnerability and why you must manually update to WinRAR 7.13 now to stay safe.

WinRAR, a popular tool used by millions to manage compressed files, has been found to have a serious security weakness that was being actively exploited by hackers. The flaw, officially named CVE-2025-8088, allowed attackers to trick the program into installing malware on users’ computers without their knowledge. Security researchers at the firm ESET discovered and disclosed the issue, which has since been patched by WinRAR in a new update.

****How the Attack Worked****

The vulnerability is a type of _path traversal_ bug. This means a malicious file could be designed to make WinRAR save a file in a different location than where the user intended, such as the computer’s Startup folder. This enabled attackers to execute their own code.

According to a tweet from CVE (@CVEnew), this vulnerability was exploited to run what’s known as arbitrary code on a victim’s computer. The hackers’ goal was to deliver a malicious software called RomCom backdoor through specially crafted archive files sent in phishing emails.

These deceptive emails tricked people into opening the harmful attachments. For your information, RomCom malware is known for its ability to steal sensitive data and install other harmful programs, creating a serious security risk for anyone affected.

CVE on X

****The Russian Link****

Researchers from ESET, including Anton Cherepanov, Peter Košinár, and Peter Strýček, identified that the group behind this attack is a cyberespionage team suspected of being linked to Russia. This group has been known to carry out similar attacks in the past, targeting users in Europe and North America with different types of malware.

In late 2024, as reported by Hackread.com, they were exposed for exploiting a vulnerability in popular browsers like Mozilla Firefox and Tor Browser, which allowed them to run malicious code just by a user visiting a specific webpage.

Fortunately, there is a simple fix. WinRAR has released an update, version 7.13, which closes this dangerous security loophole. However, WinRAR does not automatically update itself, so it is up to each individual user to take action. To protect yourself from this threat, you must manually download and install the new version of WinRAR. Users who do not update will remain vulnerable to this specific attack.

WinRAR Zero-Day CVE-2025-8088 Exploited to Spread RomCom Malware

A new report by VulnCheck exposes a critical command injection flaw (CVE-2025-53652) in the Jenkins Git Parameter plugin.…

A new report by VulnCheck exposes a critical command injection flaw (CVE-2025-53652) in the Jenkins Git Parameter plugin. Find out how this vulnerability, initially rated as medium, could allow hackers to achieve remote code execution and compromise thousands of unauthenticated Jenkins servers.

A new security analysis from the firm VulnCheck has revealed that a vulnerability in the popular Jenkins automation server is more dangerous than previously thought. The flaw, officially identified as CVE-2025-53652, was initially rated as a medium-level threat but has been found to allow for a severe type of attack known as command injection. This could potentially let hackers take complete control of a server.

For your information, Jenkins is a powerful open-source tool companies use for automating tasks in software development. The vulnerability specifically affects a feature called the Git Parameter plugin, which is used to allow developers to easily select and use different versions or branches of code directly within their automated tasks.

According to VulnCheck’s report, shared with Hackread.com, around 15,000 Jenkins servers on the internet currently have their security settings turned off, making them easy targets for this kind of attack.

Of the more than 100,000 internet-facing Jenkins servers, 15,000 have authentication turned off- FOFA (Source: VulnCheck)

The problem lies in how the Git Parameter plugin handles information given to it by users. When a user enters a value, the plugin uses it directly in a command without properly checking if it’s safe. This allows a skilled attacker to inject malicious commands into the system.

VulnCheck’s team confirmed that they could use this flaw to run their own code on the server, a dangerous type of attack called remote code execution (RCE). They were able to use this method to gain control of a test server and even access sensitive information, such as a master key.

Even though the official fix for the vulnerability has been released, VulnCheck warns that the patch can be manually disabled by a system administrator. This means that a server could still be vulnerable even if it has been updated. As a result, the security firm has created a special rule to help companies detect any attempts to exploit this weakness.

While the firm doesn’t believe the flaw will be widely exploited, they note that it’s the kind of weakness that skilled attackers value for specific, targeted attacks or for moving deeper into a company’s network.

15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652)

A new, coordinated cybercrime campaign called "GreedyBear" has stolen over $1 million from crypto users. Learn how the group uses malicious extensions, malware, and fake websites in an industrial-scale attack uncovered by Koi Security.

A sophisticated and large-scale cybercrime campaign, named GreedyBear, has been exposed for stealing at least a million dollars from cryptocurrency users. The research, carried out by cybersecurity firm Koi Security and shared with Hackread.com, reveals a highly organised operation that goes far beyond typical online scams.

Instead of focusing on a single type of attack, the criminals behind GreedyBear are using a coordinated mix of malicious browser extensions, malicious software, and fake websites. This strategy allows them to attack from multiple angles at the same time, making their operation incredibly effective.

****How They Do It: Three Attack Methods****

One of the main ways GreedyBear operates is through malicious browser extensions. The group has created over 150 fake extensions for the Firefox marketplace, pretending to be popular crypto wallets like MetaMask, TronLink, Exodus, and Rabby Wallet.

Exodus Wallet risk report from Koidex risk engine (Source: Koi Security)

The attackers use a clever trick called “Extension Hollowing” to evade security checks. They first upload harmless extensions and, after building credibility with fake positive reviews, they hollow out the extensions by changing their names and icons and injecting malicious code, all while keeping the positive review history.

The second method involves almost 500 malicious programs, or executables, found on sites offering pirated software. These harmful programs include credential stealers, which are designed to steal your login information, and ransomware, which locks your files and demands a payment. The variety of these tools shows the group is not just a one-trick pony but has a wide range of methods to target victims.

Thirdly, the group has set up dozens of fake websites that look like legitimate crypto services or wallet repair tools. These sites are designed to trick users into entering personal information and wallet details.

****The Core Finding****

A key detail Koi Security’s research has revealed is that all of these attacks, the fake extensions, the malware, and the scam websites, are all connected to a single central server (185.208.156.66). This central hub allows the attackers to manage their large-scale operation with great efficiency.

Researchers note that this campaign, which started as a smaller effort known as Foxy Wallet, has now grown into a major multi-platform threat, with signs that it could soon expand to other browsers like Chrome and Edge.

Connection graph for 185.208.156.66 (Source: Koi Security)

Researchers also noted that this type of large-scale, automated crime is likely made possible by new AI tools, making it faster and easier than ever for criminals to launch attacks. This new reality means that relying on old security methods is no longer enough to stay safe online.

Source

HackRead