Microsoft Threat Intelligence detected a new AI-powered phishing campaign using LLMs to hide malicious code inside SVG files disguised as business dashboards.

Forget the old, error-filled emails you could spot easily. Cybercriminals have completely upgraded their methods, using AI (Artificial Intelligence) to create a new type of phishing scam that can be hard to detect.

Microsoft Threat Intelligence recently detected and blocked a credential phishing campaign on August 18. Their analysis indicated that hackers are likely using Large Language Models (LLMs), which refer to the AI that powers common chatbots, to write complex code that dodges traditional security measures. This limited, yet significant, campaign primarily targeted US-based organisations.

****How The Attack Hides In Plain Sight****

The attack began with a fraudulent file-sharing email, sent from an already compromised small business email account. The message looked legitimate, but the attached file (23mb – PDF- 6 pages.svg) was the real trick.

While it looked like a PDF, the .svg extension means it was actually a Scalable Vector Graphic (SVG) file. Attackers possibly favour SVG files for such scams because they can easily embed dynamic, interactive code that appears harmless to users and many security tools.

Phishing email sample (Source: Microsoft)

The malicious code inside the file was uniquely disguised. Instead of using standard scrambling techniques (like encryption or random character substitution), the SVG file was structured to look like a legitimate business analytics dashboard, complete with fake elements for chart bars.

The actual, harmful payload was hidden within this trap by encoding it using a long sequence of regular business terms like “revenue,” “operations,” and “risk,” to make the file appear as standard data, disguising its true intent to redirect users to a fake sign-in page to steal their credentials.

Sequence of business-related terms (Fig. 1) and its conversion into malicious code (Fig.2) – (source: Microsoft)

****The AI vs. AI Defence****

To figure out how the attackers made the code so tricky, Microsoft used its own AI analysis tool, Security Copilot. The tool assessed that the code was “not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility,” researchers noted in the blog post. This meant the over-engineered, systematic code structure was most likely a product of an AI model, not a human programmer.

While the rise of AI-assisted attacks is worrying, this case proves they are not unbeatable. The campaign was successfully blocked by Microsoft Defender for Office 365’s own AI protection systems.

These systems look for behavioural red flags that AI cannot easily hide, such as the use of self-addressed emails with recipients hidden in the BCC field, the suspicious combination of file type and name, and the eventual redirect to a known malicious website.

The lesson here is that as attackers increasingly rely on AI to make their scams sneakier and more effective, security teams must constantly adapt and find new ways to stay ahead.

****Expert Insights****

Following Microsoft’s findings, several security experts shared their perspectives exclusively with Hackread.com. Anders Askasen, VP of Product Marketing at Radiant Logic, stated that AI-driven phishing shows that “the frontline isn’t the payload, it’s the person behind the login.”

He added that to counter this “AI-scaled deception,” organizations must focus on identity observability, unifying identity data to “see when an account behaves out of character.”

Similarly, Andrew Obadiaru, CISO at Cobalt, noted that AI is fundamentally changing the game by creating code that is “camouflage that blends seamlessly into enterprise workflows.”

He concluded that security teams must shift their focus to behavioral detection, red-teaming against AI-assisted tactics, and shortening remediation cycles. The core lesson here is that as attackers increasingly rely on AI to make their scams more secret and effective, security teams must constantly adapt and find new ways to stay ahead.

Microsoft Flags AI Phishing Attack Hiding in SVG Files

As more businesses rely on digital documents today, effective large file management has also become necessary. PDFs are…

As more businesses rely on digital documents today, effective large file management has also become necessary. PDFs are a ubiquitous file format that maintains formatting. The problem with having many PDFs is that they can become a little clunky. Combining these files online is a reasonable approach. This guide discusses how to combine large PDF files and the best tips for combining seamlessly.

****Why Merge PDFs?****

When you merge PDF online, it makes arranging the documents easy. It declutters everything and makes it more convenient to access. With the combine option, users can merge various files into one seamless document. This technique works great for reports, presentations, and portfolios.

****Choosing the Right Tool****

One of them is to choose the right tool, which is vital. There are many websites available that allow you to merge PDF files. You also want to consider UI, security, and file size limits. Here are a few tools that focus on ease of use, which makes them perfect for beginners. Some provide advanced options for more complex tasks. One can make the right choice if they evaluate these aspects.

****Ensuring File Security****

Security is an essential concern when using any online service. Find providers that encrypt both the upload and download stages. This guarantees that sensitive information stays secure. Furthermore, several services also delete files once they finish processing them, increasing your security. Always read the Privacy Policy to understand how data is managed.

****Understanding File Size Limitations****

Most online PDF merging tools limit the size of PDF files that can be uploaded and used. First, find out the maximum file size limit. If the files are larger than this, please zip them first. Many platforms provide compression features, and they can also reduce the size of the file while maintaining the quality. This step ensures smooth merging.

****Organizing Files Before Merging****

At the same time, a good arrangement of files is important for a uniform document. Have the PDFs already been put in the order you want to upload them? Renaming the files will help you to see the order. They give you an idea of how the final document should flow and save time when preparing the final document. This eliminates ordering post-merging, making the process more efficient as well.

****Previewing the Merged Document****

Preview the Document After Merging. This lets a user confirm that all pages are in order and no pages are missing from the files. Most tools have a preview option so that you can make changes before the final submission. This step ascertains that the document aligns with your expectations, and the possibility of errors dropping into your basket shrinks.

****Download and Save the Combined File****

Download the document and save it as soon as the merged document is to your liking. Place the file somewhere safe. Do a backup on some cloud service or external drive. This practice ensures that the document remains intact and free of data loss. Regular backups are essential to keeping a tidy digital archive and managing digital history.

****Troubleshooting Common Issues****

At times, users face obstacles while merging the process. It could be formatting, or some pages are missing. When such issues do occur, it helps to check back with the original files for inconsistencies. Re-uploading the files or using a different tool might resolve these issues. It takes time and commitment to follow through, but it gets you where you need to be.

****Exploring Additional Features****

There are plenty of other tools, like merging, available to help you manage PDFs. These may include splitting, editing, and converting PDFs. Getting familiar with these options can improve your skills in managing documents. Being experienced with so many features can help you save time and offer you flexibility while dealing with documents online.

****Conclusion****

In this age of digital documentation, merging large PDF files online is one of the most practical solutions. If users choose the correct, secure, well-structured, and organized tool, they can create seamless documents. Those are essential steps in this process, such as previewing, downloading, and troubleshooting. By following the tips outlined above, anyone can seamlessly merge PDFs and take their document management skills to the next level.

Tips for Merging Large PDF Files Online

Dutch authorities arrest two teens recruited by pro-Russian hackers for spying missions. Learn how Russia is using disposable agents for sabotage across Europe.

Two 17-year-old boys from the Netherlands have been arrested on suspicion of spying for pro-Russian hackers, Dutch authorities recently confirmed. The arrests came after a tip from the AIVD, the Dutch intelligence and security service, in what is believed to be the first case of minors being recruited by a foreign state actor in the country.

Prosecution spokesperson Brechtje van de Moosdijk  confirmed the arrests, stating the teens are suspected of links to “government-sponsored interference.”

****Recruited via Messaging App****

The teenagers were allegedly contacted by pro-Russian hackers through the messaging application Telegram. Telegram is a widely popular platform, especially among youth, making it frequently exploited by cybercriminals and state-affiliated threat actors to lure or scam unsuspecting users.

The spying activity allegedly involved one teen who was seen carrying a device known as a Wi-Fi sniffer while walking past key locations in The Hague last August 16th. For your information, a Wi-Fi sniffer is simply a device or app that can intercept nearby wireless data. This particular route covered the Canadian embassy, the Europol police service, and Eurojust.

It is worth noting that targeting Eurojust is particularly sensitive, as the agency hosts the joint investigation team that probes alleged Russian war crimes following the 2022 invasion of Ukraine.

The arrest of one of the boys was particularly dramatic, occurring while he was doing his homework. According to his father, at least eight men wearing balaclavas (face coverings) entered their home with a search warrant, seized electronic equipment, and took the boy away.

Following their court appearance, one suspect was placed under house arrest with an ankle monitor, while the other remains in custody.

****The Wider Network of Proxy Agents****

This Dutch case is part of a growing, disturbing trend where individuals are lured by Russian threat actors for mild vandalism or the filming of critical government infrastructure. In Germany, for instance, security authorities recently issued a public warning against getting recruited as “disposable agents,” and the Federal Criminal Police Office voiced concern over the increasing use of these “low-level agents” recruited via social media for espionage/sabotage.

The recruitment network gets more sinister as The Guardian reported that Russian actors on Telegram have recruited teenagers and vulnerable individuals with offers of easy ‘odd jobs’ (like delivering a package) for cash. The packages contained improvised explosive devices, making the recruits unwitting suicide bombers targeting military or police infrastructure.

Commander Dominic Murphy, head of the London police’s Counter Terrorism Command, confirmed that authorities are seeing an increasing number of “proxies” being recruited by foreign intelligence services. This follows recent arrests in Britain for alleged spying on behalf of Russia and the conviction of a team of Bulgarians for running a spy unit for the Kremlin.

It is worth noting that the Kremlin has denied all these accusations, stating that the British and other Western governments always blame Russia for anything “bad” that happens.

Dutch Teens Arrested Over Alleged Spying for Pro-Russian Hackers

Luxury retailer Harrods confirms 430,000 customer records (names, contacts) were stolen from a third-party provider in the latest UK retail cyberattack wave.

Luxury department store Harrods has confirmed that cybercriminals have claimed to steal data from up to 430,000 customer records following a third-party IT breach. The store was contacted by the “threat actor” but has firmly stated it will not engage with the hackers, suggesting a possible ransom demand was made.

The breach, described in an email to customers on Friday, September 26, 2025, compromised basic personal information but did not include any payment details or account passwords.

****Connection to Previous Cyberattack****

This latest incident comes just months after the retailer was already on high alert from a coordinated wave of cyberattacks on the UK retail sector observed this year. As Hackread.com reported, Harrods was among the many high-profile UK retailers targeted, others including M&S and Co-op (with the notorious hacking group Scattered Spider suspected to be behind the campaign).

On May 1st, 2025, the luxury retailer confirmed it faced attempts to gain unauthorised access to its internal systems. This prompted a successful, proactive response as Harrods restricted internet access across its sites to contain the threat and stated no customer data was compromised at that time.

****The September 2025 Data Breach****

Despite their earlier successful defence, a new breach has now compromised customer data. The information was stolen from a system belonging to one of Harrods’ third-party providers, which the company chose not to name, indicating that hackers shifted their focus to a weaker link in the supply chain. The company has reiterated that this latest incident is officially unconnected to the attempts to gain unauthorised access to their internal systems in May.

“The third party has confirmed this is an isolated incident which has been contained, and we are working closely with them to ensure that all appropriate actions are being taken. We have notified all relevant authorities,” Harrods’ spokesperson stated.

****What Was Taken?****

The stolen data is limited to basic identifiers such as names and contact details, which are provided by customers. Further probing revealed that some information related to loyalty cards, marketing preferences, and tie-ins to other companies (like co-branded cards) was also taken. Harrods stressed that its own systems were not compromised.

****How to Stay Safe****

The most straightforward way to protect yourself is to monitor your accounts. Customers who have received notification that they are affected should monitor bank statements and transactions. Also, be wary of any unexpected texts, calls, or emails, which could be attempts by scammers to trick you into giving away more personal information.

The store has informed all relevant authorities and continues to cooperate with them, along with supporting its customers.

Harrods Data Breach: 430,000 Customer Records Stolen Via Third-Party Attack

eSentire TRU analyses the new DarkCloud V4.2 infostealer, rewritten in VB6. Find out how the malware steals browser data, crypto, and contacts via targeted phishing.

A recent security research from eSentire’s Threat Response Unit (TRU) has revealed the sudden rise of a dangerous information-stealing malware (Infostealer) known as DarkCloud, which cybercriminals are using to grab private data.

TRU Researchers discovered the latest version of DarkCloud Infostealer, version 4.2, during an attempted attack in September 2025 against their customer in the manufacturing industry.

DarkCloud is not new, but it has been completely rewritten using a programming language called VB6. It used to be sold on the Russian cybercrime forum XSS.is, which was shut down by law enforcement back in July 2025.

As Hackread.com reported at the time, the site was seized on July 23, 2025, after authorities arrested a suspected administrator in Ukraine. However, by July 24, the XSS forum was confirmed to be back online using its mirror and .onion domains.

Today, the malware is sold on its own website, darkcloud(.)onlinewebshop(.)net, and is also offered through the messaging app Telegram by a user known as @BluCoder.

DarkCloud website (Source: eSentire)

****Phishing Lure****

eSentire TRU explained that the attack began with a phishing email that looked like it was about financial information and had a malicious compressed file attached. The email was sent by “procure@bmuxitq(.)shop” and was themed with the subject “Swift Message MT103 Addiko Bank ad: FT2521935SVT.” The malicious compressed file attached was named “Swift Message MT103 FT2521935SVT.zip.”

Malicious email (Source: eSentire)

This shows that “phishing emails continue to remain a key vector for malware distribution,” researchers noted in the blog post shared with Hackread.com. This means that these fake emails are still one of the main ways this software gets onto a system. Researchers caught the spam emails and stopped the DarkCloud Infostealer delivery for their client in September 2025.

****What Does DarkCloud Infostealer Steal?****

This malware is designed to steal various kinds of sensitive information. This includes browser passwords, credit card numbers, website cookies, login details for FTP, what you type (keystrokes), and even content from your clipboard.

It also targets files such as documents and spreadsheets (including extensions like .txt, .pdf, .doc, and .xls), cryptocurrency wallets, and extracts contact information from email clients, including Thunderbird, MailMaster, and eM Client. All of this stolen data is then sent to the criminals using channels like Telegram, FTP, email, or even a Web Panel using PHP scripts.

****Fight DarkCloud Infostealer****

eSentire TRU has not only analysed the threat but also released two helpful programs to help other security researchers. One tool can pull out the setup details of the malware, and the other is a Python-based script that can unjumble its secret code. To protect yourself from threats like this, researchers recommend using email protection that blocks suspicious files like compressed folders with executable programs inside.

DarkCloud Infostealer Relaunched to Grab Credentials, Crypto and Contacts

As the digital asset market matures and regulators worldwide work to set clear standards, one fact has become…

As the digital asset market matures and regulators worldwide work to set clear standards, one fact has become obvious: Compliance is not a burden; it is a business advantage. For cryptocurrency entrepreneurs, the choice of jurisdiction can determine how quickly you scale, how confidently you attract capital, and how much trust you earn. Increasingly, many find that the smart move is Canada.

****Why Canada Stands Out****

Launching a crypto venture often feels like navigating an obstacle course. In some regions, rules are unclear, regulators remain distant, and even basic tasks like opening a bank account can be a struggle. Canada offers a different experience.

*   **Clear but adaptable rules** – Its licensing framework is rigorous enough to inspire confidence while remaining flexible enough to adjust as technology evolves.

*   **Constructive regulator dialogue** – Authorities are known to engage with businesses, shaping policy around operational realities rather than imposing outdated rules.

This balanced approach has earned Canada a reputation as one of the most credible and forward-looking jurisdictions for digital assets. Entrepreneurs spend less time guessing what regulators expect and more time building.

****Turning Compliance Into an Edge****

Scepticism around crypto is still widespread. Investors hesitate, banks remain cautious, and potential partners demand reassurance. A Canadian crypto license cuts through that hesitation and demonstrates trustworthiness.

That credibility brings tangible benefits:

*   **Banking access** – Licensed operators are more likely to secure accounts and relationships that remain out of reach for unlicensed startups.

*   **Investor confidence** – Institutional capital flows more easily toward regulated businesses, from venture firms to corporate treasuries.

*   **Market trust** – A license signals to partners and users alike that the business is built for the long term.

****Scaling in a Sophisticated Market****

Canada is not just regulation-friendly, it is also a prime market in its own right. As the world’s tenth-largest economy, with a digitally savvy population and a thriving fintech ecosystem, it provides a strong base of engaged users.

For many companies, a Canadian license becomes a springboard into North America and other global markets. The process is often more streamlined and cost-effective than in competing jurisdictions, which means faster entry and fewer delays. In an industry where every month of waiting is a lost chance for growth, speed matters.

****Staying Ahead of Global Regulation****

From Europe to Asia to the Americas, new digital asset rules are being introduced, many of them echoing Canada’s measured approach. By getting licensed in Canada, businesses align early with the direction global regulation is heading.

Advantages include:

*   **Established regulator relationships** – Channels of communication that make adapting to new frameworks smoother.

*   **Defined boundaries** – Clear compliance standards reduce the risk of sudden, disruptive enforcement.

While competitors scramble to interpret shifting rules, licensed operators in Canada move forward with certainty.

****The Real Risk: Inaction****

For crypto entrepreneurs, the greatest risk is not regulation but waiting too long to engage with it. Without a license, obstacles multiply: banks decline accounts, investors hesitate, and partners gravitate toward more credible competitors.

A Canadian crypto license offers what businesses need most today: trust, access, and a platform for sustainable growth.

****Final Word****

Compliance has moved from a checkbox to a competitive advantage. Canada has built one of the world’s most supportive regulatory environments for cryptocurrency, giving entrepreneurs the clarity, credibility, and reach to succeed on a global stage.

For those serious about building ventures that last, Canada is more than a safe choice; it is a strategic one. Now is the time to act and secure the foundation that separates businesses that scale from those that stall.

(Image by WorldSpectrum from Pixabay)

Accelerate Crypto Success: Why a Canadian Crypto License Is Your Launchpad to Growth

Singapore, Singapore, 29th September 2025, CyberNewsWire

**Singapore, Singapore, September 29th, 2025, CyberNewsWire**

*   Analyzing over 14 billion cyber-attack records daily, ThreatBook ATI is a global solution enriched with granular, local insights; and can offer organizations a truly APAC perspective.
*   Boasting low false positive rates, the solution is highly compatible with existing security stacks.
*   ThreatBook ATI provides actionable insights for threat detection and response, enabling organizations to accelerate their intelligence analysis, and make more informed decisions. 

ThreatBook, a global leader in cyber threat intelligence, detection and response, today announced the worldwide launch of ThreatBook Advanced Threat Intelligence (“ThreatBook ATI”). Spearheaded from its offices in Singapore and Hong Kong, the new service offers unique industry insights for threat intelligence platforms (TIPs), security operation centers (SOCs) and cybersecurity analysts globally.

Of note, ThreatBook ATI is able to capture new, difficult-to-detect threats emanating from within Asia, where coverage from many global vendors remains limited. It is also able to better identify Western attackers targeting Asian organizations as well. ThreatBook ATI’s capabilities are particularly timely, with 34% of cyber-attacks worldwide taking place within the Asia Pacific (APAC).

A further noteworthy feature of ThreatBook ATI are its low false positive rates. ThreatBook’s proprietary intelligence collection systems, which operate globally and in real time, employs dozens of analysis engines to deeply mine enormous raw datasets. False positives are filtered through AI-based models, followed by cross-verification by professional security analysts. ATI also applies AI to classify and label threat reports, transforming unstructured intelligence into structured insights, and features a built-in assistant that can rapidly correlate data to answer analysts’ questions. This layered process ensures the intelligence remains highly accurate and reliable. Over 14 billion attack records are identified daily, including over 80 million malicious inbound internet protocols (IPs), more than six billion malware files, over 7,000 high risk vulnerabilities, and more than 600 zero-day vulnerabilities. 

> “With several billion attack records from all corners of the world analyzed daily, ThreatBook ATI is a truly global solution enriched with granular, local insights,” said Mr. Feng XUE, Chief Executive Officer of ThreatBook.

> “We are of the opinion that Asia Pacific-centric threat intelligence matters, as tactics, techniques, and procedures (TTPs), tooling, language, command and control (C&C) infrastructure, and targeting patterns differ by region – and ATI can offer organizations a truly APAC perspective. We have a track record of exclusive discovery when it comes to cybercriminals, including advanced persistent threat (APT) groups; and at the end of the day, local context quickens threat detection and reduces dwell time.”

Integration with existing security stacks is key. Studies repeatedly find that a single unified platform, which provides a centralized view of cyber risks across the entire organization, is a priority for cybersecurity teams around the world. ThreatBook ATI is highly compatible with existing security stacks. Its output is available in both machine-readable and human-readable formats, making integration straight-forward.

Customer access is hassle-free. For TIPs, ThreatBook ATI can be purchased through platform marketplaces, or can be integrated through feeds or application programming interfaces (APIs). For SOCs, ThreatBook ATI feeds integrate easily with security information and event management (SIEM) solutions, firewalls and other security tools. While for cybersecurity analysts, ThreatBook ATI is accessible globally via a web portal.

> “High quality threat intelligence enhances existing security tools, which often rely on vulnerable rule-based signals, making them more reliable and accurate, and leading to less false positives across the stack,” added Mr. Xue. “By providing actionable insights for threat detection and response, organizations are able to accelerate their intelligence analysis, and make more informed decisions to better manage today’s myriad of cyber risks.”

ThreatBook ATI is a timely addition to the company’s acclaimed suite of cybersecurity solutions. Since 2015, thousands of enterprise organizations globally have placed their trust in Threatbook across the entire threat lifecycle — from detection to analysis, response and protection; all powered by the company’s proprietary intelligence core.

In 2025 alone, leading analyst firms have recognized ThreatBook, featuring the company in Forrester’s Network Analysis And Visibility Solutions Landscape, Q2 2025 report, and the inaugural Gartner Magic Quadrant for Network Detection and Response (NDR). In both instances, ThreatBook was one of a limited number of vendors recognized.

**About ThreatBook**

ThreatBook is a global cybersecurity company specializing in advanced threat intelligence, detection, and response. Founded in 2015, ThreatBook equips enterprises, governments, and service providers with the clarity and context needed to defend against evolving digital risks.

By combining artificial intelligence with deep threat intelligence, ThreatBook delivers real-time visibility, hyper-accurate detections, and early-warning insights against nation-state actors, cybercriminal groups, and emerging attack campaigns. With unique vantage points from across the Asia Pacific region and beyond, ThreatBook provides intelligence coverage that bridges Eastern and Western threat landscapes, offering an unmatched perspective for global defenders.

ThreatBook: Act with Intelligence that Matters. To learn more, users can visit www.threatbook.io or follow them on LinkedIn.

ThreatBook ATI is not available in mainland China.

https://www.ibm.com/thought-leadership/institute-business-value/report/2025-threat-intelligence-index

https://www.msspalert.com/native/the-strategic-shift-toward-unified-cybersecurity-platforms

**Contact**

**Belmont Communications on behalf of ThreatBook**  
**\[email protected\]**

ThreatBook Launches Best-of-Breed Advanced Threat Intelligence Solution

Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings.

The **Medusa** ransomware group is claiming responsibility for a ransomware attack on Comcast Corporation, a global media and technology company best known for its broadband, television, and film businesses.

According to the group’s dark web leak site, they exfiltrated 834.4 gigabytes of data and are demanding $1.2 million for interested buyers to download it. The same sum has been set as ransom for Comcast if the company wants the data deleted rather than leaked or sold.

To back its claims, Medusa has posted around 20 screenshots allegedly showing internal Comcast files. The group also shared a massive file listing of 167,121 entries, suggesting access to actuarial reports, product management data, insurance modelling scripts, and claim analytics.

The sample paths include files such as Esur_rerating_verification.xlsx, Claim Data Specifications.xlsm, and Python, as well as SQL scripts related to auto premium impact analysis.

Medusa Ransomware group’s dark web leak site claiming Comcast as its victim – These claims were published on Friday, September 26, 2025 (Image credit: Hackread.com)

****Comcast and Cybersecurity****

For your information, Comcast owns NBCUniversal, which operates NBC, Telemundo, Universal Pictures, Sky (in Europe), and a wide range of TV networks, film studios, and streaming platforms like Peacock.

Although the company has not been in news over large-scale cyber attacks, a 2015 report published by Hackread.com revealed that over 200,000 Comcast user credentials were leaked on the dark web.

At the time, Comcast stated the data likely came from credential aggregation rather than a direct breach of its systems. The case underscored how previously exposed information can resurface years later, complicating efforts to separate legacy leaks from fresh intrusions.

Medusa ransomware is known for publishing file listings and partial screenshots as proof of compromise while holding back the bulk of the data to increase ransom pressure. In this case, the nature of the files points toward actuarial and financial datasets, some of which appear to involve insurance calculations, customer data processing, and claim management systems.

****Medusa Aims At Top American Firms****

Past Medusa incidents have shown that the group tends to release portions of data if demands are not met, increasing the pressure on victims to negotiate. The cyber criminal group has also been behind several high-profile attacks this year.

On April 8, 2025, the group announced it had **targeted NASCAR** with a $4 million ransom demand. That incident was later **confirmed** as a data breach in July 2025, showing the group had followed through on previous threats when negotiations failed.

At the time of writing, Comcast has not publicly confirmed or denied the breach. The company may face regulatory scrutiny if sensitive customer or financial data is involved, particularly given the sheer size of the alleged leak.

Hackread.com has reached out to Comcast for comment and will continue monitoring the situation for updates on the company’s response and any further releases from Medusa.

Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M

Hackers are sending fake invoice emails with malicious Office files that install the XWorm RAT on Windows systems, allowing full remote access and data theft. Learn how the shellcode and process injection are used to steal data, and how to stay safe from this persistent threat.

A new wave of email attacks is on the rise, tricking people with fake invoice documents to install the dangerous **XWorm RAT** (Remote Access Trojan), capable of quietly stealing sensitive information from your computer, reveals the latest research from Forcepoint X-Labs.

The scam starts with an email, often pretending to be about “Facturas pendientes de pago” (Pending Invoices for Payment) from someone named Brezo Sánchez. The email includes an attached Office file that has the extension .xlam.

X-Labs researchers mention that when you open the file, it may look blank or corrupted, but the damage has already started.

Malicious Email (Source: Forcepoint)

****Understanding the Attack Chain****

As we know it, cyberattacks generally follow a chain of steps, and this one is highly detailed. Inside the attached Office file is a hidden component called oleObject1.bin, which contains an encrypted code, called shellcode. This shellcode is a small program that immediately downloads the next part of the attack.

The shellcode reaches out to a specific web address, hxxp://alpinreisan1com/UXOexe, to download the main malicious program, an executable file named UXO.exe. This program then starts the second stage- loading another harmful DLL file into the computer’s memory (DriverFixPro.dll).

This loading happens using reflective DLL injection (a sneaky way to load a harmful program directly into the computer’s memory without saving it as a regular file first). This DLL ultimately performs a process injection, which involves forcing the malicious code to run inside a normal, harmless program on your computer. This final injected code belongs to the XWorm **RAT** family.

****XWorm: A Persistent Threat****

Forcepoint’s senior researcher, Prashant Kumar, explains in the **blog post** that XWorm’s capabilities allow it to take full **remote control** over an infected system, from stealing files to logging keystrokes.

Through process injection, the malware runs secretly within a trusted application and successfully maintains persistence while avoiding detection. Lastly, the XWorm program connects to a Command & Control (C2) server, specifically 158.94.209180, to send all the victim’s stolen data to the attackers.

This important research on the multi-stage attack was shared exclusively with Hackread.com. However, it is worth noting that this is not the first time the XWorm threat has been seen this year.

In January 2025, Hackread.com **reported** an XWorm campaign that compromised over 18,459 devices globally, stealing browser passwords and Discord tokens. Then, in March 2025, Veriti’s **research** revealed that XWorm was using trusted platforms like Amazon Web Services (AWS) S3 storage to distribute its harmful files.

To protect yourself from such attacks, be cautious with attachments, especially those ending in .xlam or .bin, verify unexpected invoices by calling the sender, and regularly update your operating system and security software.

Hackers Use Fake Invoices to Spread XWorm RAT via Office Files

Bitdefender warns that the TradingView Premium ad scam now targets Google ads and YouTube, hijacking verified channels to spread spyware.

A malicious advertising campaign that has been tricking content creators and unsuspecting users into downloading harmful software by offering “free access” to TradingView Premium has dramatically expanded its operations, security researchers warn.

This ongoing campaign, tracked by Bitdefender Labs for the past year, has reportedly moved from Meta’s Facebook Ads to appear across both Google Ads and YouTube, putting many more users at risk.

This campaign was previously reported by Hackread.com for exploiting Facebook Ads using fake crypto sites and celebrity images to spread malware, but has now evolved its tactics.

****How the Scam Works****

Research reveals that the cyber criminals behind this attack are highly organised, using over 500 different website addresses and publishing thousands of malicious ads every day in different languages (mostly English, Vietnamese and Thai).

They run their ads by taking control of legitimate, verified business accounts on Google and YouTube, including the hijacked Google advertiser account of a design agency in Norway. For your information, TradingView Premium is a paid service that offers advanced tools and features for financial trading analysis.

Fake ad and the hijacked accounts used in the attack (Via Bitdefender Labs)

To appear real, the scammers hijack a verified YouTube channel, delete all its original content, and rebrand it to look exactly like the official TradingView page, including the correct logos and banner art. They even copy playlists from the real channel so that the fake one appears active, abusing the verified badge to trick users into assuming authenticity.

They then use paid ads to push special videos that are hidden from public view, called unlisted videos, to avoid detection. One such video, titled “Free TradingView Premium – Secret Method They Don’t Want You to Know,” gathered over 182,000 views in just a few days through this aggressive advertising.

However, close inspection reveals red flags, such as a different channel handle (not @TradingView) and a low overall registered view count, which would be impossible for the popular trading platform.

Attack Flow (Image Credit: Bitdefender Labs)

****The Threat****

This campaign’s core objective seems to be to get users to download a dangerous file disguised as the free premium app. This file is actually a type of spyware called Trojan.Agent.GOSL, which can remotely control a victim’s computer. This program is designed to steal highly sensitive information, including passwords, personal data, and cryptocurrency wallet details.

Shared with Hackread.com, this research warns content creators that having their business accounts compromised not only damages their reputation but also allows scammers to take over the connected, verified YouTube channel and use it as a weapon.

That’s why you should always download software from official websites. Bitdefender advises users to carefully check the channel handle and subscriber count, and consider any ad promising free premium access to an app that is normally paid a major red flag.

Source

HackRead