Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to…

Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to healthcare security and patient data.

Forescout’s Vedere Labs’ latest investigation, shared with Hackread.com, reveals that the notorious Chinese advanced persistent threat (APT) group, Silver Fox, has launched a sophisticated new campaign in which the group is exploiting DICOM (Digital Imaging and Communications in Medicine), commonly used for patient medical imaging, to distribute malicious software. 

The Silver Fox group has been active since at least 2024 and Hackread.com has followed its activities ever since. Initially, it focused on Chinese-speaking victims, distributing malware through various channels like SEO poisoning and social media usually disguised as AI applications or VPN software.

Over time, their targets broadened to include government institutions, cybersecurity companies, e-commerce, finance, and even gaming applications. Recent research suggests the group’s expansion into the healthcare sector, with malware samples originating from the US and Canada.

The current campaign uses trojanised versions of the Philips DICOM viewer‘s (PDF) executable file, which acts as a first-stage payload, checks connectivity to its command and control (C2) server using standard Windows commands, and uses PowerShell scripts to weaken Windows Defender’s defences. It then downloads encrypted payloads disguised as image files from an Alibaba Cloud storage bucket, which includes tools to disable antivirus software, auxiliary files, and shellcode.

The downloaded components are decrypted and a second-stage malicious executable is created, designed to persist on the system through scheduled tasks. This second stage disables security software and downloads another encrypted file, which after decryption reveals the core payload: the ValleyRAT backdoor.  

“During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT, a backdoor remote access tool (RAT) used to gain control of victim computers,” researchers noted in the blog post.

ValleyRAT provides attackers with extensive control over the compromised machine, potentially allowing access to sensitive hospital networks.  In addition to the backdoor, the malware also installs a keylogger to capture user input and a cryptominer to generate digital currency for the attackers. All these components are designed to persist on the system, ensuring continued operation even after reboot.

The Multi-Stage Infection Process (Source: Forescout)

The malware uses various techniques to evade detection and analysis, including obfuscation methods like API hashing and indirect retrieval, long sleep intervals, system fingerprinting, and masked DLL loading. The addition of random bytes complicates detection. Researchers found Alibaba Cloud storage buckets accessible during analysis, despite the C2 server being offline.

Researchers warn that compromised DICOM viewers pose a grave risk to healthcare delivery organizations (HDOs), as infected devices could provide an entry point into hospital networks. To mitigate these risks, HDOs should avoid downloading software from untrusted sources, restrict file loading from patient devices, implement robust network segmentation, maintain up-to-date endpoint protection, monitor network traffic, and actively search for malicious activity.

Malware Alert Icon Via Flaticon/Kliwir Art

Silver Fox APT Hides ValleyRAT in Trojanized Medical Imaging Software

Cary, NC, 25th February 2025, CyberNewsWire

**Cary, NC, February 25th, 2025, CyberNewsWire**

 INE, the leading provider of networking and cybersecurity training and certifications, today announced its recognition as an enterprise and small business leader in online course providers and cybersecurity professional development, along with its designation as the recipient of G2’s 2025 Best Software Awards for Education Products. This category of awards ranks the world’s top 50 software education products based on authentic reviews from more than 100 million G2 users. 

> “We are thrilled to be recognized for a second consecutive year by G2’s Best Software Awards,” said Dara Warn, CEO of INE. “This is not only a testament to INE’s robust educational offerings but also underscores our dedication to empowering enterprise teams and professionals with the skills they need to thrive in a challenging digital landscape. We are proud to set the standard for quality and effectiveness in cybersecurity and technical education, as evidenced by the success of our students.”

G2’s Best Software Awards rank the world’s best software companies and products based on verified user reviews and publicly available market presence data. Fewer than 1% of vendors listed on G2 are named to the list. 

> “The 2025 Best Software Award winners represent the very best in the industry, standing out for their exceptional performance and customer satisfaction. The stakes for choosing the right business software are higher than ever,” said Godard Abel, co-founder & CEO at G2. “With over 180,000 software products and services listings and 2.8 million verified user reviews in the G2 marketplace, we’re proud to help companies navigate these critical choices with insights rooted in authentic customer feedback. Congratulations to this year’s honorees!”

G2 badges, released quarterly, recognize INE’s strong performance compared to competitors in specific areas, including its enterprise cybersecurity training and certification offerings, the depth and breadth of its online learning library, and global impact. INE earned the following G2 badges for Winter 2025:

*   **Fastest Implementation, Online Course Providers**
*   **Leader, Cybersecurity Professional Development**
*   **Leader, Online Course Providers**
*   **Leader, Technical Skills Development**
*   **Enterprise Leader, Online Course Providers**
*   **Small Business Leader, Online Course Providers**
*   **Leader, Asia Online Course Providers**
*   **Leader, Asia Pacific Online Course Providers**
*   **Momentum Leader, Technical Skills Development**
*   **Momentum Leader, Online Course Providers**
*   **Small Business High Performer, Technical Skills Development**
*   **High Performer, India Online Course Providers**
*   **High Performer, Europe Online Course Providers**
*   **High Performer, Asia Technical Skills Development**

INE was recently named to Security Boulevard’s list of the Top 10 Hacking Certifications for both the Certified Professional Penetration Tester (eCPPT) and Web Application Penetration Tester eXtreme (eWPTX) certifications. The list showcases some of the best ethical hacking certifications for cybersecurity professionals. 

In reviewing the eCPPT, reviewers noted: 

*   The realistic experience
*   A robust training program
*   Its credentials to boost employability in Europe (specifically noted as “remarkable”). 

In reviewing the eWPTX, reviewers applaud: 

*   The challenging nature of the exam
*   Requiring advanced methodologies and skills in creating exploits that “modern tools couldn’t fathom.” 

With a suite of the best cybersecurity certifications and training programs designed for teams and individuals, INE continues to lead in developing cybersecurity professionals equipped with real-time, hands-on experience to manage cyber threats and security incidents. Our award-winning cybersecurity software and comprehensive training in network security, cloud security, and risk management, prepare learners to become certified ethical hackers (CEH), certified information systems security professionals (CISSP), and more, solidifying our reputation as the trusted partner in cybersecurity excellence and threat intelligence.

**About INE:** 

INE is the premier provider of online technical training for the IT industry. Harnessing the world’s most powerful hands-on lab platform, cutting-edge technology, global video distribution network, and world-class instructors, INE is the top training choice for Fortune 500 companies worldwide, and for IT professionals looking to advance their careers. INE’s suite of learning paths offers an incomparable depth of expertise across cybersecurity, cloud, networking, and data science. INE is committed to delivering the most advanced technical training on the planet, while also lowering the barriers worldwide for those looking to enter and excel in an IT career. 

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Secures Spot in G2’s 2025 Top 50 Education Software Rankings

A botnet of 130,000 devices is launching a Password-Spraying attack on Microsoft 365, bypassing MFA and exploiting legacy authentication to access accounts.

A new botnet-powered cyber attack is putting Microsoft 365 users at risk. Security researchers at SecurityScorecard have reported that over 130,000 compromised devices are being used to launch coordinated password-spraying attacks against Microsoft 365 accounts.

****What’s Happening?****

Instead of relying on the usual login mechanisms that trigger alerts through repeated failed attempts, the attackers are using non-interactive sign-ins for their campaigns. This method is normally meant for automated processes or background services and does not invoke the usual MFA checks. As a result, suspicious activities may go unnoticed by security monitoring systems that focus on standard user log-ins.

What’s more, attackers are making systematic attempts using stolen credentials from infostealer logs. Their approach targets a wide range of Microsoft 365 tenants, affecting organizations from financial services, healthcare, government, technology firms, and educational institutions.

****How the Attack Works****

*   **Non-Interactive Sign-Ins:** The attackers perform sign-in attempts that do not trigger immediate account lockouts or alerts. Since these log-ins are not interactive, they often escape the notice of standard monitoring tools.

*   **Basic Authentication Abuse:** By exploiting legacy Basic Authentication protocols, attackers send user credentials without encryption. This leaves accounts more exposed compared to modern authentication methods.

*   **Command and Control Coordination:** Evidence shows that attackers are coordinating their efforts through six command-and-control (C2) servers. These servers communicate with thousands of infected devices and are supported by proxy services from well-known cloud providers with ties to China. Analysis of the network traffic has revealed several open ports on these servers, which are likely used for tasks such as managing the botnet and sending instructions to the compromised devices.

According to SecurityScorecard’s report, this is concerning for organizations relying on Microsoft 365, as they face multiple risks. Unauthorized account access can expose sensitive emails, documents, and collaboration tools to attackers. Service disruptions may occur due to repeated login attempts, leading to account lockouts that interrupt daily operations.

Additionally, once in control, cybercriminals can misuse compromised accounts for phishing campaigns or move laterally within the organization, further escalating security threats. Because the attack exploits non-interactive sign-ins, teams that monitor just the usual interactive log-in events might miss these suspicious activities. Updating security monitoring to include non-interactive log events is an important step for organizations using Microsoft 365.

Security teams are encouraged to review sign-in logs carefully. Paying attention to non-interactive log entries and suspicious login attempts can help spot this kind of unwanted activity.

Organizations should audit background service accounts by identifying those using Basic Authentication and updating any exposed credentials found in non-interactive sign-in logs. It’s also crucial to review authentication methods and transition from legacy protocols to modern authentication practices that fully support MFA.

Additionally, monitoring for unusual traffic, such as abnormal login patterns or connections from IP addresses associated with command and control servers, can help detect and mitigate potential security threats.

With Microsoft planning to fully retire certain Basic Authentication protocols later this year, now is a good time for organizations to strengthen their protection against these kinds of covert attacks.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), offers valuable insights into securing non-interactive logins in Microsoft 365.

“Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations,” Soroko explains. “They often represent a significant portion of overall authentication events, as background processes routinely access resources without direct user input.”

Unlike interactive user authentication, Multi-Factor Authentication (MFA) isn’t typically applicable to non-interactive logins. “Instead, these automated logins should use alternative secure mechanisms such as certificates, or other forms of non-shared managed identities,” Soroko advises. “Organizations should better secure non-interactive access with conditional access policies, strict credential management, and continuous monitoring.”

Microsoft 365 offers configurations to restrict non-interactive logins. “Administrators can enforce stronger authentication via conditional access policies and block legacy protocols that facilitate these silent sign-ins,” Soroko notes. “However, such restrictions must be applied thoughtfully to avoid disrupting legitimate automated processes.”

Botnet of 130K Devices Targets Microsoft 365 in Password-Spraying Attack

A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its…

A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its attacks, according to research from the AhnLab Security Intelligence Center (ASEC). This malware, which initially appeared in mid-2024 as a beta version, has seen a significant increase in distribution since 2025, with February’s volume mirroring January’s and indicating a potential surge.

It is worth noting that, according to Hudson Rock’s report, infostealers have become the biggest threat to critical infrastructure. The report reveals that computers belonging to the US Army, Navy, and even the FBI have been compromised, with stolen data available on the dark web for as little as $10.

In the ongoing campaign, ASEC’s monitoring confirms that ACRStealer is spread through software cracks and key generators, commonly used for software piracy, and the malware is frequently disguised as these illegal programs. 

While Lumma Stealer and Vidar have been dominant infostealers distributed this way, researchers observed that ACRStealer’s presence is growing rapidly. According to their report, the distribution trend of ACRStealer from June 2024 to February 2025 indicates a dramatic rise in 2025.

Platforms used to distribute the infostealer disguised as a crack (Screenshot via AhnLab).

ACRStealer boasts a range of malicious capabilities. It can detect installed antivirus solutions, steal cryptocurrency wallets and login credentials, extract browser data, harvest FTP credentials, and read all text files. This stolen information allows cybercriminals to target financial assets and personal accounts. Stolen credentials grant access to email, social media, and banking services. This data can also be used for identity theft or sold on dark web markets.

A key feature is ACRStealer’s C2 server communication. Instead of embedding the server’s IP, it uses a Dead Drop Resolver (DDR). This method involves the malware contacting a legitimate service, such as Google Docs or Steam, to retrieve the C2 server’s domain. ASEC has identified several platforms used as intermediary C2s, including Steam, telegra.ph, and various forms of Google Docs (Forms and Presentations).

This approach allows attackers to easily change the C2 domain if it is compromised without needing to update the malware itself. They simply modify the information within the intermediary C2. 

The actual C2 domain, retrieved from the intermediary C2, is combined with a hardcoded UUID (Universally Unique Identifier) to create the URL for downloading encrypted configuration data. This data contains crucial information like target programs, additional malware URLs, file extensions, and target extension IDs.

The configuration file specifies a wide range of data to be stolen, including browser data, text files, cryptocurrency wallets, FTP information, chat program information, email client information, remote program information, terminal program information, VPN information, password manager information, database (DB) information, and browser extension plugin information. 

Also, it targets numerous programs, from browsers like Chrome and Firefox to cryptocurrency wallets like Binance and Electrum, chat programs like Telegram and Signal, and various browser plugins. Collected files are often compressed before transmission.   

AhnLab’s research highlights ACRStealer’s adaptable approach, constantly changing platforms and the locations of C2 information within them. It operates as Malware-as-a-Service (MaaS), making infection tracking difficult. 

However, preventative measures can be taken. This involves avoiding websites distributing cracks and key generators, and downloading software only from official sources. Additionally, be cautious with links and attachments in unsolicited communications, enable multi-factor authentication (MFA) for added security, and maintain an active anti-malware solution.

Hackers Use Google Docs and Steam to Spread ACRStealer Infostealer

Payment Orchestration Platforms streamline transactions by routing payments through multiple providers, reducing costs, boosting approval rates, and enhancing…

Payment Orchestration Platforms streamline transactions by routing payments through multiple providers, reducing costs, boosting approval rates, and enhancing security.

****How Does Payment Orchestration Work?****

A Payment Orchestration Platform (POP) functions as an intelligent intermediary between merchants and multiple payment service providers (PSPs). It facilitates seamless payment transactions by dynamically selecting the best route for each payment, optimizing approval rates, reducing costs, and enhancing security.

By leveraging real-time analytics and machine learning, POPs improve transaction efficiency by identifying the most reliable and cost-effective payment pathway. Additionally, advanced security protocols, such as tokenization and AI-driven fraud detection, protect customer data. With payment orchestration, businesses can scale efficiently while maintaining high-security standards and minimizing transaction failures.

****Core Functions of Payment Orchestration Services****

According to Akurateco, a payment orchestration service, core functions of payment orchestration services offer several functions:

*   **Multi-Provider Connectivity**: Payment orchestration platforms seamlessly integrate with multiple PSPs, acquirers, and alternative payment methods. Instead of requiring businesses to establish individual connections, the platform offers a single integration point that enables access to various payment providers. This flexibility ensures firms can easily expand into new markets without undergoing extensive technical adjustments.

*   **Intelligent Transaction Routing**: Dynamic payment routing directs each transaction to the optimal payment provider based on predefined parameters such as transaction amount, geographical region, historical approval rates, and real-time risk assessment. Businesses can enhance approval rates and reduce unnecessary payment processing fees by routing transactions through the most reliable and cost-effective channels.

*   **Security & Compliance**: Security remains a top priority in digital transactions. Payment orchestration platforms employ multiple layers of protection, including:
    *   **Tokenization and encryption** to safeguard sensitive payment information.
    *   **AI-powered fraud detection** to identify and mitigate suspicious transactions in real-time.
    *   **Multi-factor authentication (MFA)** for added security.
    *   **Compliance with global regulations,** such as PCI DSS 3.2 and GDPR, ensures businesses meet legal and industry standards.

*   **Automated Retry & Failover Mechanisms**: If a transaction fails due to provider issues, a Payment Orchestration Platform automatically retries the transaction with an alternative acquirer or PSP. This ensures continuity in payment processing, minimizes failed transactions and improves overall revenue retention. The automated failover mechanism is particularly beneficial for subscription-based businesses and eCommerce merchants, where transaction reliability directly impacts customer experience and retention rates.

*   **Real-Time Analytics & Reporting**: Payment orchestration platforms provide businesses with actionable insights through advanced analytics dashboards. Companies can track approval rates, monitor payment trends, and identify cost-saving opportunities in real time. This level of transparency allows merchants to optimize their financial strategies and make data-driven decisions to improve profitability.

****Business Benefits of Payment Orchestration****

*   **Increased Approval Rates**: By leveraging intelligent transaction routing and failover mechanisms, payment orchestration platforms significantly improve approval rates. Payments are directed to providers with the highest probability of success, reducing declines and enhancing customer satisfaction.

*   **Lower Payment Processing Costs**: Businesses can minimize transaction fees by selecting the most cost-effective payment service providers for each transaction. Competitive acquirer selection helps reduce unnecessary expenses, ultimately increasing profitability.

*   **Faster Market Expansion**: Supporting multiple payment providers and localized payment methods allows businesses to enter new markets without the technical challenges of integrating with multiple PSPs. This accelerates global expansion and ensures a seamless payment experience for international customers.

*   **Enhanced Customer Experience**: A smooth, frictionless payment process improves the overall customer journey. Businesses can foster trust and long-term customer relationships with reduced transaction failures, secure payments, and support for various payment options.

****Akurateco: A Leader in Payment Orchestration****

Akurateco is a cutting-edge white-label Payment Orchestration Platform designed to simplify and optimize payment processing. Offering strong fraud prevention, multi-acquirer support, and advanced analytics, Akurateco helps businesses manage their transactions efficiently and securely.

****Why Businesses Trust Akurateco****

*   **Smart Routing & AI Optimization** – Advanced algorithms analyze transaction patterns and direct payments to the most successful processing routes, improving approval rates and minimizing costs.

*   **Global Payment Method Support** – Seamless integration with leading international and local PSPs ensures businesses can accept payments across diverse markets without additional complexity.

*   **Advanced Fraud Prevention** – AI-powered fraud detection and risk assessment tools minimize fraudulent activities, protecting both businesses and customers.

*   **Scalable & Customizable Solutions** – Whether a startup or an enterprise, Akurateco offers tailored solutions that adapt to unique business needs, ensuring maximum flexibility and scalability.

*   **Seamless Integration & Real-Time Reporting** – The platform provides a single integration point, reducing technical overhead while offering comprehensive transaction insights to drive informed business decisions.

****Final Thoughts****

Adopting a Payment Orchestration Platform is crucial for businesses looking to simplify payment processing, reduce costs, and increase revenue. By consolidating payment providers, automating transaction routing, and enhancing security, payment orchestration platforms empower businesses to achieve seamless financial operations.

A leading provider like Akurateco offers innovative and secure payment solutions that enable companies to unlock new growth opportunities while ensuring reliable and secure transactions. Businesses that invest in payment orchestration today will be well-positioned to succeed in the competitive digital market of tomorrow.

Featured Image via Pixabay/Megan RX

How Payment Orchestration Enhances Business Efficiency

A VPN enhances online privacy, encrypts data, and secures devices. Essential for remote work, it protects against cyber threats and ensures safer internet use.

A VPN has become an essential tool for those looking to enhance their online privacy and improve the security of their devices. In today’s age, it’s incredibly rare not to use our devices to connect to the internet. The web provides us with the ability to do almost anything, whether it be obtaining forms of entertainment, shopping online, or for educational purposes.

It’s also become a way in which many work, allowing many to work from home as they can connect to a network and do the roles their job description requires of them. However, as we continue to use the web, the need to remain secure has been emphasized.

Cybersecurity has become extremely important, especially for those handling sensitive data. Hackers will look to exploit vulnerabilities within security networks because of the information or funds that could be acquired. They may use it for their gains, whether financially or for other reasons. As a result, it has become a requirement for some firms to ensure their employees (remote or on their networks) use the best proxy server and VPN tools to protect themselves at all times.

****What benefits does using a VPN provide remote workers and promote safety?****

A VPN can be extremely useful for employees using the internet for their work, whether in an office on a network connection or when working remotely. Sometimes, they may have to connect to an intranet, which may require a VPN to access and ensure they have a secure network connection that can’t be penetrated.

Most will recognize or understand what a VPN can accomplish. At a basic level, many will associate it with being able to hide/mask the IP address being used, thus allowing them to access content being blocked in a certain location.

However, they offer so much, such as encryption technologies. In addition to masking the IP address, it will encrypt all of the data being used and traveling to and from your device when using the internet, creating an additional layer of security on top. Among the many advantages available, a VPN can:

*   **Encrypt all data**: As noted, all data transferred from a used device to the internet (and vice versa) is encrypted. This makes the tool extremely secure.

*   **The device is protected fully**: A VPN will provide overall protection across the entire device. This can be better as it will leave any potential security vulnerabilities that may be unknown unbreachable.

*   **Anonymity**: VPNs hide your IP address, making it harder to track your online activities. This can add a level of security to an individual who is looking to keep their information private.

****How should a VPN be used safely?****

Using a VPN today is a very simple task. Almost anyone can do so without guidance. Those who do need a little guidance (perhaps because they aren’t familiar with the tool) can also use them effectively with a helping hand.

Several key points should be thought of and followed to ensure the best and maximum protections are in place:

*   **Using a reliable and reputable service:** Many VPNs are available. As security is a priority, it can be a very good idea to take a look at each one’s security features and compare them. Reading reviews and using those that have a positive reputation with other users should be considered. These can be trusted more so than other options that might be available.

*   **Installing it correctly:** To ensure security, it’s important to install the tool correctly and ensure it works as designed. It is highly advisable to connect to a location as soon as you start web browsing, and it is also beneficial to connect the application to every device on the network; this can eliminate any potential vulnerabilities that skilled hackers may be able to exploit.

*   **Update regularly:** As technology continues to evolve, it’s important to try to stay ahead at all times. Security firms can often provide updates as they tackle cybersecurity threats. VPNs may occasionally require updating, as hackers often look to bypass or expose weak links within the connections. By updating regularly, you can keep them at bay.

Companies that deal with sensitive data and have a team of remote workers may already have VPN policies because of the nature of the information they handle. If they don’t already, they should look to introduce them to give themselves the best chance of ensuring everyone is on the same page and can reduce any possible threat that may exist. At the same time, offering training and guidance on using one can also limit the potential chances of misuse or incorrect use.

Staying safe is of the utmost importance, and with cybercrime continuing to rise as technology becomes more advanced, VPNs can be a company’s best friend.

Featured Image Via: Rawpixel/Freepik

1.  Proxy or VPN?
2.  Tools for Testing Your Proxy Servers
3.  Can You Secure Your Smartphone with a Proxy?
4.  Everything you need to know about VPN tracking
5.  What Is a Personal VPN? Features, Benefits and How It Works

How to utilize VPN for safe work and remote work environments

Crypto wallets are essential in keeping your cryptocurrency safe. There are different types of wallets available and choosing…

Crypto wallets are essential in keeping your cryptocurrency safe. There are different types of wallets available and choosing one can be confusing for so many investors. The three commonly used are mobile, desktop, and hardware wallets. 

Mobile and desktop wallets are called hot wallets, which means they are connected to the internet. Hardware wallets, on the other hand, are cold and thus don’t require Wi-Fi. However, all these wallets are non-custodial. You have the full responsibility of protecting your keys.

In this article, we will look at mobile, desktop, and hardware wallets to help you determine the best option for your investment. 

****Hardware Wallet****

Hardware crypto wallets offer offline protection. These are physical devices used to store your private keys. Since they are not connected to the internet or any other devices, hardware wallets are typically considered more secure, but they can be a little complicated to use. 

Modern hardware wallets are more refined. For example, if we look at the Tangem wallet review, you will learn that these devices are designed similarly to modern credit cards and use smartphone displays, making them convenient to carry around. 

Hardware wallets are ideal for large investments since they are highly secure and less susceptible to online attacks. It is best to buy these wallets from authorized dealers or the main company to avoid getting a counterfeit one. 

****Mobile Wallets****

Mobile crypto wallets are apps you can download on your phone to manage your cryptocurrency. It can be on your main phone or another mobile device. These wallets are very portable, enabling you to make transactions on the go. Most mobile wallets have a PIN and a recovery phrase to increase security. 

The major downside is walking around with your wallet is risky. You can easily lose your phone, which makes your wallet vulnerable to hacking. However, some people are adopting to use of a second phone as their mobile wallet which is more secure. The phone is often disconnected from WiFi and may even not include a plan. You only switch it on when making a transaction. 

Generally, mobile wallets are ideal for people who use crypto often, especially in small transactions. It is also a good option for beginners who don’t have a large investment. 

****Desktop Crypto Wallets****

Desktop wallets are software or programs you can install on your computer. Most wallets are compatible with common operating systems like Windows, Linux, and Mac. These are very similar to desktop wallets but some providers offer extra advantages. 

For example, some software wallets allow you to keep your keys offline on a USB drive, essentially functioning like hybrid crypto wallets. Desktop wallets are more secure than mobile ones but are not portable since it is not quite convenient to carry your desktops everywhere. 

The main risk is that if your device gets infected by a virus or malware, your crypto could be jeopardized. Desktop wallets are a good alternative for anyone looking for a secure wallet that is not for everyday use.

****Conclusion****

Choosing the best crypto wallet depends on your use and the size of the investment. For those who use crypto daily, mobile wallets are the best choice. If you want a foolproof, secure wallet, opt for hardware. However, if you are using browser-generated wallets watch out for security vulnerabilities like Randstorm which is currently impacting billions in crypto assets worldwide.

1.  Benefits of Using an Anonymous Bitcoin Wallet
2.  Biggest Crypto Scam Tactics and How to Avoid Them
3.  Power Plants to eWallets: ZTNA’s Role in the Gig Economy
4.  Study Finds AI Guesses Crypto Seed Phrases in 0.02 Seconds
5.  The Growing Importance of Secure Crypto Payment Gateways

Hardware Crypto Wallets vs. Mobile vs. Desktop: Which Should You Choose?

Bitdefender warns CS2 fans of scams using hijacked YouTube channels, fake giveaways, and crypto fraud. Protect your Steam account and avoid phishing traps.

Bitdefender Labs has uncovered a series of scams targeting the Counter-Strike 2 (CS2) community, exploiting major esports events like IEM Katowice 2025 and PGL Cluj-Napoca 2025.

According to Bitdefender’s investigation, shared with Hackread.com, cybercriminals are hijacking YouTube channels and impersonating popular professional players such as s1mple, NiKo, and donk to trick fans into fraudulent giveaways. These scams have several stages and aim to steal Steam accounts, cryptocurrency, and valuable in-game items.

First, scammers hack YouTube accounts, often those with established subscriber bases.  They then rebrand these channels to mimic well-known CS2 pros, removing original content.  

Next, they broadcast fake livestreams, using looped gameplay footage to create the illusion of a live event. These fake streams promote fake giveaways of CS2 skins, cases, or cryptocurrency, often using QR codes or malicious links to direct viewers to malicious websites. 

Fake CS2 impersonations, fraudulent skin giveaways, and hacked YouTube channels streaming deceptive livestreams (Source: Bitdefender).

These websites prompt victims to either log in with their Steam accounts, leading to inventory theft, or send cryptocurrency with promises of doubled returns, resulting in direct theft of digital assets. To appear more legitimate, scammers often post about the fake giveaways in the community section of the hijacked channel, disabling comments except for their own deceptive messages.

Bitdefender’s report found that scammers are also running cryptocurrency-doubling schemes. In these scams, they entice victims to send Bitcoin or Ethereum with the promise of doubling their investment. These schemes often use fake endorsements from CS.MONEY or professional players, falsely advertising substantial prize pools.

Some red flags include promises of doubling deposits, requests to send cryptocurrency up front, and a lack of verifiable association with legitimate esports organizations. These scams are strategically timed to coincide with major esports events like IEM Katowice and PGL Cluj-Napoca to maximize their reach.

“Scammers, tactics are evolving to exploit the hype surrounding major esports events. Whether they are stealing Steam inventories or cryptocurrency deposits, their goal is always financial gain at the expense of unsuspecting players. If there’s one thing gamers should remember is that in the world of CS2 and esports, nothing valuable comes for free!” they concluded.

Therefore, gamers should verify YouTube channels’ legitimacy by checking for content beyond livestreams and recent uploads and avoid clicking on suspicious links and QR codes. They also advise against CS2 giveaways, as legitimate ones are rare and typically hosted by official esports organizations.

Bitdefender also warns content creators, including those streaming esports and CS2, about potential phishing threats. Moreover, to protect your Steam account, enable Steam Guard Mobile Authenticator and Steam’s Multi-Factor Authentication. Regularly review login activity for unauthorized access, report suspicious activity or livestreams to YouTube and warn other gaming communities. 

1.  **Hackers Using Fake YouTube Links to Steal Login Data**
2.  **Malware in Fake Business Proposals Hits YouTube Creators**
3.  **New YouTube phishing scam using authentic email address**
4.  **“Get Paid to Like Videos” YouTube Scam Leads to Empty Wallets**
5.  **Hacked YouTube Channels Use Trump Assassination for Crypto Scam**

Hackers Hijack YouTube Channels to Target CS2 Fans with Fake Giveaways

Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering.

Bybit, the world’s second-largest cryptocurrency exchange, suffered a devastating $1.4 billion Ethereum (ETH) hack from a cold wallet breach on February 21, 2025. In the days following the attack, independent blockchain investigator ZachXBT traced the stolen funds directly to North Korea’s Lazarus Group, a notorious state-backed hacking organization. His findings were confirmed by Arkham Intelligence, a blockchain analysis firm, and shared with the Bybit team for further investigation.

****ZachXBT Uncovers Lazarus Group’s Crypto Trail****

On February 21 at 19:09 UTC, Arkham tweeted that ZachXBT had submitted definitive proof linking the attack to the Lazarus Group. His submission included detailed test transactions, connected wallet addresses, forensic graphs, and timing analyses; all of which suggested the hack was premeditated.

The next day, February 22, ZachXBT posted further evidence revealing that Lazarus had not only executed the Bybit hack but had also directly connected the stolen funds on-chain to the recent Phemex hack, which occurred on February 20. He identified a key overlapping address **(**0x33d057af74779925c4b2e720a820387cb89f8f65**)** where funds from both hacks had been commingled, effectively proving the same entity was responsible.

****On-Chain Evidence of Lazarus Group’s Activity********Bybit Hack Transactions (Feb 22, 2025):****

*   0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0
*   0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00

****Phemex Hack Transactions (Feb 20, 2025):****

*   0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3

ZachXBT later tweeted that, before these transactions surfaced, he and another blockchain investigator, Josh from CF (Cryptoforensic Investigators), had already traced Bybit-related testing addresses that were involved in laundering funds from the Phemex hack via Tron. Their findings helped them secure a bounty from Arkham, which had launched a reward for anyone who could identify the Bybit hackers.

> Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft address for both incidents.
> 
> Overlap address:  
> 0x33d057af74779925c4b2e720a820387cb89f8f65
> 
> Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
> 
> — ZachXBT (@zachxbt) February 22, 2025

****New Findings Connect Bybit Hack to BingX Hack****

Later on February 22, ZachXBT made another major revelation: Lazarus Group had also linked an address used in the September 2024 BingX hack to the same cluster of addresses responsible for the Bybit and Phemex hacks. This means that the three hacks: Bybit, BingX, and Phemex, are all connected through on-chain transactions.

****Overlap Address:****

*   0xd555789b146256253cd4540da28dcff6e44f6e50

****Bybit Hack Transaction:****

*   0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e

****BingX Hack Transaction:****

*   0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c

> Lazarus Group just linked an address tied to the BingX hack to this same cluster a few minutes ago which now connects the Bybit, BingX, & Phemex hacks on-chain.
> 
> Overlap  
> 0xd555789b146256253cd4540da28dcff6e44f6e50
> 
> Bybit hack txn:… pic.twitter.com/CGh7pB31Xa
> 
> — ZachXBT (@zachxbt) February 22, 2025

****Investigators Publish 920+ Addresses Linked to the Hack****

On February 22 at 9:05 PM UTC, ZachXBT tweeted that he had spent the entire day graphing the laundering movements of the stolen Bybit funds. He also made 920+ theft-linked wallet addresses publicly available to help exchanges and security teams block illicit transactions.

Bybit responded to his findings with a tweet on February 23 at 9:17 AM, thanking ZachXBT for his work, stating: “Big shoutout to @ZachXBT for always keeping the space sharp. 👀🔍 Your work didn’t go unnoticed—much respect.”

****Bybit Resumes Operations and Warns of Scammers****

Despite the massive theft, Bybit announced that deposits and withdrawals on the platform had returned to normal. However, the exchange warned users of scammers impersonating Bybit employees, urging them to verify all communications and avoid sharing personal information.

“Scammers are out there pretending to be Bybit employees. Stay sharp! Bybit will never ask for your personal info, deposits, or passwords,” Bybit tweeted.

****Coordinated Effort Freezes $42.89M in Stolen Funds****

A coordinated global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a single day. According to ByBit’s tweet, several key players in the industry, including stablecoin issuers and exchanges, helped track and block the movement of the hacked funds.

****Funds Frozen by Various Entities:****

*   **ChangeNOW:** Froze 34 ETH
*   **Circle:** Assisted with crucial clues
*   **THORChain:** Blocked the blacklist
*   **FixedFloat:** Froze 120K USDC + USDT
*   **Avalanche (AVAX):** Froze 0.38755 BTC
*   **Bitget:** Blocked the blacklist and froze 84 USDT
*   **Tether:** Flagged an address and froze 181K USDT
*   **CoinEx:** Blocked the blacklist and provided key insights

Bybit acknowledged and praised these companies for their swift response, stating that their efforts were essential in tracking and freezing the hacked funds.

****Who is the Lazarus Group?****

The Lazarus Group is a state-sponsored North Korean hacking organization responsible for some of the biggest cyber heists in history. First identified in the early 2010s, the group has been linked to multiple high-profile financial and cyber attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and a long list of crypto exchange breaches.

Their primary objective is stealing funds to support North Korea’s heavily sanctioned economy, which struggles under international financial restrictions. According to intelligence agencies and blockchain analytics firms, Lazarus has stolen over $3 billion in cryptocurrency since 2018, with much of the funds being funnelled into North Korea’s nuclear weapons program and military operations.

The group typically executes attacks through social engineering, phishing, and exploiting security vulnerabilities in crypto platforms. Their laundering methods often involve mixing services, decentralized exchanges, and cross-chain swaps to cover transaction trails before cashing out.

Nevertheless, the ByBit incident is one of the largest crypto hacks in history, backing concerns about security vulnerabilities in centralized exchanges. The rapid response from blockchain investigators like ZachXBT, exchanges, and security teams has helped mitigate the impact, but the attack further highlights the sophisticated tactics of hacking groups like Lazarus.

With Bybit now operational again, the industry remains on high alert as investigations continue into the laundering of the stolen funds.

1.  **North Korean Hackers Team Up with Play Ransomware**
2.  **Lazarus Group Exploits Chrome 0-Day for Crypto Theft**
3.  **KnowBe4 Tricked into Hiring North Korean Hacker as IT Pro**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **North Korean APT37 Unleashes Dolphin Backdoor on South Korea**

Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group

In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from…

In a major cybersecurity incident, Bybit, the world’s 2nd-largest crypto exchange suffered a $1.4 billion ETH hack from a cold wallet breach.

Bybit, the world’s second-largest cryptocurrency exchange, has confirmed today that it suffered a major security breach resulting in the theft of approximately $1.4 billion worth of Ethereum. The stolen funds were taken from one of the exchange’s cold wallets, which are designed to store cryptocurrency offline and are generally considered highly secure.

Bybit CEO Ben Zhou addressed the situation in a statement, acknowledging the incident and confirming that the company is currently conducting a thorough investigation to determine the exact cause of the breach and the extent of the damage.

While the details of the attack remain undisclosed pending the investigation, Zhou reassured users that Bybit has the financial capacity to cover the losses and that customer funds remain safe. He emphasized that trading and other platform operations are continuing as normal.

> Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss.
> 
> — Ben Zhou (@benbybit) February 21, 2025

The scale of the theft has, understandably, triggered widespread anxiety among Bybit users and the cryptocurrency market. Questions are being raised about how such a massive amount of cryptocurrency could be stolen from a cold wallet, which is typically isolated from the internet to protect against online attacks.

Questions are being raised regarding the potential involvement of sophisticated hacking techniques, insider threats, or a combination of both. The incident underscores the persistent security challenges facing the cryptocurrency industry, despite advancements in technology and security measures.

This massive hack comes at a time when the cryptocurrency market is already grappling with volatility and uncertainty. The news of the Bybit breach has further eroded investor confidence and has the potential to trigger a broader market downturn. The timing couldn’t be worse for Bybit, which has been striving to establish itself as a leading player in the competitive cryptocurrency exchange market.

****Involvement of the Lazarus Group****

According to ZachXBT, a crypto scam investigator, the hack has been linked to the notorious North Korean Lazarus Group, known for stealing Bitcoin on behalf of the government.  

> BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT
> 
> At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP.
> 
> His submission included a detailed analysis of test transactions and connected wallets used ahead of… https://t.co/O43qD2CM2U pic.twitter.com/jtQPtXl0C5
> 
> — Arkham (@arkham) February 21, 2025

Nevertheless, Bybit offers a vast selection of over 753 cryptocurrencies, including major ones like Bitcoin (BTC), Ethereum (ETH), Solana (SOL), and XRP. On top, over 40 million people use the exchange. Therefore, the investigation into the hack is expected to be complex and lengthy, involving cybersecurity experts and potentially law enforcement agencies.

The outcome of this investigation will not only impact Bybit’s reputation but also have significant implications for the future of cryptocurrency security and investor trust in the digital asset space. This incident clearly shows the risks of investing in cryptocurrency and why crypto exchanges require strong security measures.

Source

HackRead