Paris, France, 24th October 2025, CyberNewsWire

**Paris, France, October 24th, 2025, CyberNewsWire**

Arsen, the cybersecurity company dedicated to helping organizations defend against social engineering, today introduced its new **Smishing Simulation** module: a feature designed to let companies run realistic, large-scale SMS phishing simulations across their teams.

Designed to address the growing wave of mobile-based attacks, the new module gives CISOs, MSSPs, and risk officers a practical way to assess exposure and train employees to spot and respond to malicious SMS messages.

**Realistic Training for a Rising Threat Vector**

Smishing (phishing attacks delivered via text messages) is rapidly becoming one of the most common social engineering tactics, targeting users on both professional and personal devices. Arsen’s Smishing Simulation allows organizations to:

*   Deploy SMS-based attacks at scale using pre-built or customized scenarios
*   Track behavior and response rates across different employee groups
*   Train users in a controlled, safe, and realistic environment

> “We’re happy to give our clients the opportunity to know what their attack surface looks like on the mobile side. This pairs very well with our recent vishing developments,” said **Thomas Le Coz, CEO at Arsen**.

**Smishing Simulation: Built on Arsen’s Battle-Tested Platform**

Clients benefit from Arsen’s cutting-edge infrastructure, already trusted for advanced phishing and vishing simulations.

Arsen’s new Smishing Simulation gives security teams a practical way to test how employees react to SMS-based phishing attempts. Rather than relying on theory, it lets companies create and send their own text-message campaigns safely, at scale.

The tool includes:

*   Customizable scenarios with control over content, domains, and link shorteners
*   Optional AI features to make messages feel authentic and context-aware
*   A straightforward interface that speeds up setup and simplifies reporting
*   Secure landing pages protected by an integrated web application firewall

The module runs on the same infrastructure that already powers Arsen’s phishing and vishing simulations. In practice, that means the same campaign logic, reporting accuracy, and reliability; now applied to the mobile environment.

**Raising the Standard for Mobile Threat Awareness**

After months of testing with early adopters, Arsen’s Smishing Simulation is now open to all customers. First rolled out in the summer of 2025, the tool can be used on its own or paired with the rest of Arsen’s social engineering defense suite.

With this addition, Arsen’s clients can measure their true exposure to mobile phishing, replacing guesswork with concrete insights.

Additional information about **Smishing Simulation** is available at https://arsen.co/en/platform/smishing-simulation.

**About Arsen**

Arsen is a cybersecurity startup helping organizations build resilience against social engineering threats. Its SaaS platform provides phishing, vishing, and smishing simulations that help organizations evaluate risk and train their teams to recognize real-world attacks. Trusted by security teams across multiple sectors, Arsen’s technology reinforces the human layer of defense against ever-changing cyber threats.

For media inquiries, users can contact: **\[email protected\]**

**Contact**

**CEO**  
**Thomas Le Coz**  
**Arsen**  
**\[email protected\]**

Arsen Launches Smishing Simulation to Help Companies Defend Against Mobile Phishing Threats

New Android malware Baohuo hijacks Telegram X accounts, stealing data and controlling chats. Over 58,000 devices infected, mainly in India and Brazil.

A new Android threat is spreading fast through fake versions of Telegram X, giving attackers complete control over users’ accounts. Security researchers at Doctor Web have named it Android.Backdoor.Baohuo.1.origin, describing it as one of the most advanced Android backdoors seen this year.

It starts out looking like a normal Telegram X app, a real Android app developed by Telegram, offering a faster and more experimental version of the main Telegram client. The app is available on the Google Play Store.

Original Telegram X App and Fake Version – The fake app is misusing the name Telegram FZ-LLC.

In the Baohuo malware scam, victims usually come across the fake Telegram X app through online ads that claim to offer an improved or dating-focused version of the messenger. After installation, the app appears to work normally, but in the background, it connects to remote servers and takes control of the user’s Telegram account.

Baohuo can hide unauthorised logins and erase traces of any new or deleted chats or channels. This lets attackers join, leave, or change channels without the user noticing. In effect, they gain full access to messages, contacts, and sessions, and can manage chats as if they owned the account.

****How Baohuo Works and Its Global Impact: 58,000 Devices Infected****

Baohuo uses the Xposed framework to alter app behaviour at runtime. That lets it hide chats, devices, and notifications, or display fake update popups that send users to malicious pages. It also creates “mirrors”, copies of legitimate Telegram methods, to mimic normal app actions while carrying out its own malicious tasks.

One of the malicious sites used in the scam to spread Baohuo Android malware (Image via Dr Web)

In their blog post, Doctor Web analysts say the operation began in mid-2024 and has already affected more than 58,000 Android devices, including smartphones, tablets, TV boxes, and even car systems. Most of the infections are found in India, Brazil and Indonesia, where users are targeted with localised ad templates written in Portuguese and Indonesian.

1.  India – 22.8%
2.  Brazil – 20.5%
3.  Indonesia – 9.6%
4.  Egypt – 5.5%
5.  Algeria – 4.0%
6.  Colombia – 3.1%
7.  Bangladesh – 2.2%
8.  Russia – 2.3%
9.  Iraq – 1.7%
10.  Pakistan – 1.7%
11.  Philippines – 1.7%

****A New Way of Command and Control****

The way Baohuo is controlled is another major concern. Earlier Android malware usually communicated through standard command-and-control (C2) servers. Baohuo, on the other hand, takes commands directly from a Redis database, making it the first known Android malware to use Redis for control.

This allows attackers to issue commands easily and continue operating if their main C2 server goes offline. These commands include uploading SMS messages, contacts, fetching encryption keys, pushing ads, downloading updates, or collecting detailed information about the infected device.

Worse, Baohuo can copy clipboard data. Anything copied on the phone, such as passwords or cryptocurrency wallet recovery phrases, can be intercepted and sent straight to the attacker’s server. The malware also checks in every few minutes, sending details about the user’s activity, such as whether the screen is on and what permissions the app has.

****Found in Popular Third-Party App Stores****

According to researchers, the malware has also been found in popular third-party app stores such as APKPure, ApkSum, and AndroidP. In some cases, it was listed as being uploaded by Telegram’s actual developer, even though the digital signatures didn’t match. Doctor Web says it has alerted these platforms to remove the trojanized files.

The company says its mobile antivirus products detect and remove all known versions of Baohuo, but the spread of modified Telegram apps on unofficial platforms remains a major issue. Users are advised to download Telegram only from the official Google Play Store or Telegram’s official website and to avoid installing APKs from links in ads or unverified catalogues.

Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X

Medusa ransomware leaks 186 GB of Comcast data, claiming 834 GB stolen after a $1.2M ransom demand apparently went unpaid.

The Medusa ransomware group has leaked 186.36 GB of compressed data it claimed to have stolen from Comcast Corporation, a global media and technology company. According to Hackread.com’s earlier report, the group stated that it breached Comcast in late September 2025 and obtained a total of 834 GB of data.

The leaked 186 GB archive, once decompressed, should amount to around 834 GB of data, based on the group’s claims.

The data trove was released on Sunday, October 19. The ransomware group had initially demanded $1.2 million from potential buyers to download it, the same amount it asked Comcast to pay for the data to be deleted instead of leaked or sold.

Medusa Ransomware group’s dark web leak site, where it claimed Comcast as its victim – These claims were published on Friday, September 26, 2025 (Image credit: Hackread.com)

The sample data analysed by Hackread.com during its coverage of the group’s initial claims included numerous records, such as files named Esur_rerating_verification.xlsx, Claim Data Specifications.xlsm, and various Python and SQL scripts related to auto premium impact analysis.

Hackread.com reached out to Comcast regarding the incident but did not receive a response, acknowledgement, or denial from the company. The leaked data is now available for download in 47 split files titled Comcast_FS, with 45 files sized at 4 GB each and one file measuring 2 GB.

Screenshot from the Medusa ransomware group’s dark web leak site (Credit: Hackread.com)

The Medusa ransomware group is known for targeting major organisations. On April 8, 2025, it announced an attack on NASCAR with a $4 million ransom demand. The incident was later confirmed as a data breach in July 2025, showing that the group carried out its threats when negotiations failed.

Earlier this month, Microsoft issued a security advisory warning organisations that the Medusa ransomware group was actively exploiting the GoAnywhere MFT vulnerability (CVE-2025-10035, CVSS 10.0) for unauthenticated remote code execution.

Comcast now joins the growing list of companies targeted by ransomware groups. In 2023, its Xfinity brand suffered a major breach caused by a critical vulnerability in Citrix software, which affected more than 35.9 million user accounts.

Medusa Ransomware Leaks 834 GB of Comcast Data After $1.2M Demand

Operant AI reveals Shadow Escape, a zero-click attack using the MCP flaw in ChatGPT, Gemini, and Claude to secretly steal trillions of SSNs and financial data. Traditional security is blind to this new AI threat.

A new security, dubbed Shadow Escape, is creating major concerns after a report from the research firm Operant AI revealed an unseen risk to consumer privacy.

This new type of attack can steal massive amounts of private information like Social Security Numbers (SSNs), medical records, and financial details from businesses that use popular AI assistants, all without the user ever clicking a suspicious link or making a mistake.

****The Danger Hiding in Plain Sight****

The issue lies within a technical standard called the Model Context Protocol (MCP), which companies use to connect large language models (LLMs) like ChatGPT, Claude, and Gemini to their internal databases and tools. The Shadow Escape attack exploits this connection.

For your information, previous attacks often needed a user to be tricked, usually through a phishing email. However, this zero-click attack is much more dangerous because it uses instructions hidden inside harmless-looking documents, such as an employee onboarding manual or a PDF downloaded from the internet. When an employee uploads this file to their work AI assistant for convenience, the hidden instructions tell the AI to quietly start gathering and sending out private customer data.

_“_Because Shadow Escape is easily perpetrated through standard MCP setups and default MCP permissioning, the scale of private consumer and user records being exfiltrated to the dark web via Shadow Escape MCP exfiltration right now could easily be in the trillions,_“_ researchers noted in the blog post shared with Hackread.com.

The system is designed to be helpful, and it will automatically cross-reference multiple databases, exposing everything from full names and addresses to credit card numbers and medical identifiers.

Operant AI even released a video demonstration that shows how a simple chat prompt about customer details quickly escalates to the AI revealing and secretly sending the entirety of sensitive records to a malicious server without being caught.

****Why Standard Security Can’t Stop It****

Operant AI’s research estimates that trillions of private records are now at risk because of this flaw. It must be noted that this isn’t a problem with just one AI provider; any system that uses MCP can be exploited with the same technique.

“The common thread isn’t the specific AI Agent, but rather the Model Context Protocol (MCP) that grants these agents unprecedented access to organisational systems. Any AI assistant using MCP to connect to databases, file systems, or external APIs can be exploited through Shadow Escape,” wrote Priyanka Tembey, Co-founder and CTO of Operant AI.

The main problem is that the data theft happens inside the company’s secure network and firewall. The AI assistant has legitimate access to the data, so when it starts sending records out, it looks like normal traffic, making it invisible to traditional security tools.

Further probing revealed that the malicious data is transferred to an external server by the AI, which masks the activity as routine performance tracking. The employee or the IT department never sees it happen.

The research team is urging all organisations that rely on AI agents to immediately audit their systems, as the next major data breach might not come from a hacker, but from a trusted AI assistant.

Shadow Escape 0-Click Attack in AI Assistants Puts Trillions of Records at Risk

Palo Alto, California, 23rd October 2025, CyberNewsWire

**Palo Alto, California, October 23rd, 2025, CyberNewsWire**

SquareX released critical research exposing a new class of attack targeting AI browsers. The AI Sidebar Spoofing attack leverages malicious browser extensions to impersonate trusted AI sidebar interfaces, which is used to trick users into executing dangerous commands that can lead to credential theft, device hijacking, and password exfiltration.

The research demonstrates how attackers can exploit users’ trust in AI browser sidebars – the primary interface through which users interact with AI browsers like Comet, as well as consumer browsers with AI features like Brave and Edge. By creating pixel-perfect replicas of legitimate AI sidebars, malicious extensions return AI-generated responses that include harmful instructions that unsuspecting users follow.

> “AI has become an essential tool for millions of users to learn new skills and complete tasks. Unfortunately, this has created a dangerous dynamic where people blindly follow AI-generated instructions without the expertise to identify security risks,” explains Vivek Ramachandran, Founder and CEO of SquareX. “With no visual or workflow difference, the AI Sidebar Spoofing attack exploits the trust users place on these AI interfaces, tricking them into performing malicious tasks that they may not fully understand or are aware of.”

SquareX illustrates the AI Sidebar Spoofing attacks with three main case studies, but warns that we will likely see many variants of the attack develop. In one example, the user asks the AI sidebar how to withdraw cryptocurrency from their account. The fake AI Sidebar returns what looks like legitimate instructions but replaces the Binance login page URL with a phishing link. Thinking it was instructions generated by Comet, the user enters their credentials in the phishing site, which the attacker then uses to login to the victim’s account to access their cryptocurrency. In other examples, users were given false instructions to execute malicious commands that allowed attackers to exfiltrate passwords and hijack their device and execute ransomware attacks remotely.

The researchers also showed that other AI browsers and consumer browsers implementing AI sidebars like Edge, Firefox and Safari are equally vulnerable to the AI Sidebar Spoofing Attack. This means that even if organizations restrict the use of AI browsers, users are still subject to these attacks as it can be operated on any browser with an AI sidebar. 

Surprisingly, these attacks require only basic browser extension permissions, commonly found in popular extensions like Grammarly and password managers, making them difficult to detect by simply looking at permission analysis. In fact, the AI Sidebar Spoofing extension can remain dormant, providing legitimate responses, until they see an opportunity to trick users into doing something malicious based on their prompt. Thus, it is absolutely critical that enterprises have both the ability to perform dynamic analysis on extension behavior at run time, as well as granular browser-native guardrails to warn and block users from following malicious instructions. 

For more information, users can refer to the technical blog.

**About SquareX**

SquareX‘s browser extension turns any browser on any device into an enterprise-grade secure browser, including AI Browsers. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience. More information about SquareX’s research-led innovation at www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

AI Sidebar Spoofing Attack: SquareX Uncovers Malicious Extensions that Impersonate AI Browser Sidebars

Massive Synthient Stealer Log leak adds 183 million stolen usernames and passwords to Have I Been Pwned, exposing new victims worldwide.

A huge collection of stolen usernames and passwords, totalling over 183 million, has been added to a website called Have I Been Pwned (HIBP). This big pile of data, named the “Synthient Stealer Log Threat Data,” is not a regular leak from just one company but a massive collection of information stolen directly from people’s computers over time using malicious software commonly known as infostealers.

****Who Found the Data?****

The stolen data was gathered by a college student named Benjamin Brundage (Ben), who works with a cybersecurity company called Synthient LLC in Seattle. Ben and Synthient spent about a year building a system to monitor and collect this data from the places where cybercriminals trade it.

According to Ben’s own blog post, the team had to process massive amounts of information to create this clean, usable data set for victims. At its peak, their system recorded as many as 600 million stolen credentials in a single day, and they indexed a total of 30 billion Telegram messages from channels where logs were shared.

The project’s initial prototype (Source: Synthient)

****What Was Stolen?****

The threat actors used an infostealer malware, which secretly copied information as people used their infected computers. This malware is very dangerous because it steals more than just your login information. When the data was checked on October 21, 2025, it confirmed 183 million unique accounts.

For people who check HIBP, the leak lists the email address, the website they were logging into, and the actual password they used. Most importantly, the data set included 16.4 million email addresses that had never shown up in any security leak before.

Because the information was stolen from your own computer, the cybercriminals might also have: Active Session Cookies (which let them log in without a password), Credit Card Details (any bank or credit card numbers you saved in your web browser), and Cryptocurrency Wallet Info (logins and keys for digital currency wallets).

Email sent by Have I Been Pwned (Image credit: Hackread.com)

The widespread concern about stolen passwords is clear. Just days before this new data was added, on October 18, 2025, HIBP founder Troy Hunt shared on social media that his Pwned Passwords service had processed a massive 17.45 billion requests in just 30 days. This shows how many people are checking if their passwords have been exposed, with the service handling an average of 6,733 requests per second and hitting peaks of 42,000 requests per second.

****Your To-Do List Right Now****

If your email address is in this leak, act fast. Cybercriminals likely have your password and may even have the keys to your accounts. You must immediately change your passwords on all exposed websites and turn on 2-Step Verification for important accounts (like email and banking). This stops a threat actor from logging in, even with your old password.

Also, stop saving passwords in your browser; use a secure password manager app instead. Finally, run a full scan with a good antivirus program to check your computer for any leftover malware.

****Threat to Cybersecurity****

The massive Synthient Stealer Log data set shows that the trade in stolen passwords is still going strong. Every exposed login adds to the problem, fueling more attacks, eroding digital trust, and stretching out the impact of each breach.

Commenting on this, Darren Guccione, CEO and Co-Founder at Keeper Security, told Hackread.com that the underground market for stolen credentials has evolved from isolated leaks into a complex network where billions of usernames and passwords are traded and reused across platforms.

He explained that this system endures because passwords remain one of the most common yet weakest forms of authentication. According to him, a mix of human mistakes, password reuse and AI-driven automation enables attackers to compromise accounts faster than traditional defences can respond.

Guccione added that modern security now requires identity to be the foundation of every cybersecurity strategy. He emphasised the need for zero-trust and zero-knowledge frameworks that verify every access request and secure credentials through end-to-end encryption.

He also pointed to passwordless authentication methods such as passkeys, biometrics and hardware security keys as effective ways to reduce exposure by replacing static passwords with cryptographic verification.

Where passwords still must be used, Guccione recommended automation to manage and rotate them regularly, reducing long-term risks. He further noted that password management and dark web monitoring play a vital role in detecting compromised credentials early, allowing users or organisations to act before attackers can exploit them.

In addition, he said, enabling multi-factor authentication ensures that even if one credential is stolen, it cannot be used to gain unauthorised access. He concluded by stressing that reducing dependence on passwords, strengthening authentication, and protecting identities through zero-knowledge encryption are key steps toward closing one of the most persistent security gaps. Doing so, he said, will help restore trust and safety across the digital space.

183 Million Synthient Stealer Credentials Added to Have I Been Pwned

SentinelLABS’ research reveals PhantomCaptcha, a highly coordinated, one-day cyber operation on Oct 8, 2025, targeting the International Red Cross, UNICEF, and Ukraine government groups using fake emails and a Remote Access Trojan (RAT) linked to Russian infrastructure.

A recent, highly coordinated cyberattack, codenamed “PhantomCaptcha,” targeted several major humanitarian and government groups supporting war relief efforts in Ukraine, according to new research from SentinelLABS.

The organisations targeted in this cyber attack included the International Red Cross, UNICEF, the Norwegian Refugee Council, and Ukrainian government administrations in regions like Donetsk and Dnipropetrovsk, among others.

The research, conducted in collaboration with the Digital Security Lab of Ukraine, reveals a clever operation launched on October 8th, 2025. The attackers spent six months preparing infrastructure for an attack that was only active for a single day.

Such rapid setup and shutdown suggest very skilled operators trying hard to avoid detection. Researchers noted the attack chain has similarities with the activity of COLDRIVER, a threat group linked to Russia’s FSB intelligence agency.

****Fake Emails and a Tricky Trap****

The attack began with official-looking emails from the Ukrainian President’s Office, which included a malicious PDF. Clicking a link in the PDF directed victims to zoomconference.app, a domain appearing as a legitimate Zoom site. This domain, hosted on a Russian-provider-owned server in Finland, presented a fake Cloudflare captcha page. This was a trap to trick people into downloading a secret spying tool.

PDF Document and Infection Path (Via SentinelLABS)

Further probing revealed that users were instructed in Ukrainian to copy a “token” and paste it into the Windows Run box to execute a hidden command. This technique, sometimes called Paste and Run or ClickFix, is dangerous because it makes the user unknowingly run the malicious code, often bypassing regular security software.

The spying tool is a multi-stage WebSocket-based remote Access Trojan (RAT) hosted on infrastructure linked to Russia, capable of giving attackers remote control over the victim’s computer to steal data.

****Long Planning, Short Operation****

The attackers’ planning was quite meticulous, showing a “high level of operational planning,” as SentinelLABS researchers explained in the blog post shared exclusively with Hackread.com. The main attack lasted only 24 hours, with user-facing websites quickly taken down. However, the command-and-control (C2) servers remained active to maintain control of any compromised systems.

Such “highly targeted, short-lived” campaigns, the researchers note, show that cyber operations against relief groups are persistent and constantly growing, aiming to collect sensitive information. The preparation and swift takedown point to an operator who understands both attack and evasion techniques.

It is worth noting that the researchers also found a potential link to a separate mobile campaign involving fake Android apps. Some were disguised as adult entertainment (like the “Princess Men’s Club” theme) or cloud storage, designed to steal a wide range of personal information, including users’ location, SIM card details, contacts, photos, and a list of installed apps.

zoomconference(.)click HTTPS response data matching princess-mens(.)click (Source: SentinelLABS)

Attacks like this show relief organisations are direct targets. Staff should treat unexpected messages as malicious. Never paste unknown tokens into the Run box. If a machine behaves oddly, take it offline and have it examined.

Report incidents to your national CERT and partners, rotate any exposed credentials, and run full scans and forensic checks. Tighten basic controls such as multi-factor authentication and limited admin rights. These steps stop many attacks before they can spread.

PhantomCaptcha RAT Attack Targets Aid Groups Supporting Ukraine

GlassWorm, a self-propagating malware, infects VS Code extensions through the OpenVSX marketplace, stealing credentials and using blockchain for control.

A new malware campaign named GlassWorm has been uncovered, targeting developers who use Visual Studio Code extensions through the OpenVSX marketplace. The threat, identified by Koi Security, spreads automatically across developer environments by hijacking trusted extensions and using stolen credentials to infect others.

This worm hides inside everyday development tools, not in end-user software. Instead of attacking applications directly, it works by taking over the extensions that developers depend on.

Once active, the malware steals credentials from NPM, GitHub, and Git, drains funds from 49 different cryptocurrency wallets, and deploys hidden VNC and SOCKS proxies to maintain access and control.

One of the malicious extensions of the marketplace (Image via Koi)

Researchers found that GlassWorm hides its malicious payload using invisible Unicode variation selectors, which make the harmful code practically invisible to human reviewers and even many automated security scanners. This trick lets the malware pass regular code reviews without raising suspicion, giving attackers more time to spread it to other extensions.

Its command-and-control operations are also highly unconventional. Instead of using a standard remote server, GlassWorm communicates through the Solana blockchain, making it difficult to track or shut down. If Solana stops working, the attackers can use Google Calendar as an alternate command channel, giving them another way to keep control.

Malicious Google Calendar invite (Image via Koi)

Koi Security reported that over 35,800 installations have already been affected, and at least ten compromised extensions remain active on the OpenVSX marketplace as of this week. The investigation continues as teams work to identify and remove all infected components.

Dale Hoak, Chief Information Security Officer at RegScale, said the incident highlights deeper compliance challenges across the open-source ecosystem. “Software supply chain attacks no longer target only the end product; they exploit the very tools and dependencies developers trust most,” he explained. Hoak emphasised that organisations must move toward continuous monitoring and automation across their build pipelines to detect unauthorised changes in real time.

He added that compliance cannot be treated as a one-time checkbox exercise. “Controls governing software supply chain integrity should be built into CI/CD pipelines, with continuous validation and provenance tracking as standard practice,” Hoak said. “When threats like GlassWorm appear, teams should already have evidence of ongoing compliance and the ability to respond immediately.”

GlassWorm’s spread through OpenVSX shows developers have become a prime target for attackers. Therefore, they must verify every extension, audit dependencies regularly, and watch for unusual network or credential activity.

GlassWorm Malware Targets Developers Through OpenVSX Marketplace

South Asian hacking group Bitter (APT-Q-37) is deploying a C# backdoor using two new methods: a WinRAR flaw and malicious Office XLAM files, targeting government and military sectors.

A cyber-espionage group known as Bitter (APT-Q-37), widely thought to operate from South Asia, is using new, sneaky methods to install a malicious backdoor program on computers belonging to high-value targets.

This group has a long history of stealing sensitive information from organisations, especially those in the government, electric power, and military industries in countries like China and Pakistan.

The Qi’anxin Threat Intelligence Centre recently exposed these new attacks, which aim to deploy a single C# backdoor that can remotely download and run other harmful software (EXE files) on the victim’s machine.

****Two New Ways to Sneak In****

According to researchers, Bitter APT is using at least two different methods to deploy this backdoor, including a fake conference file and an archive file.

****Fake Conference File (Mode 1)****

The first method uses a special Microsoft Office file, in this case named Nominated Officials for the Conference.xlam. When the victim enables the built-in instructions (macros), a fake error message saying “File parsing failed, content corrupted,” is displayed to fool the user.

Meanwhile, the macro silently builds the C# backdoor code using local computer tools (like those from the .NET framework) to turn it into a working program (vlcplayer.dll). Furthermore, the attackers set up a scheduled task using a script to ensure the backdoor stays active on the computer, connecting to a web address associated with the group to retrieve more commands.

****Tricky Archive File (Mode 2)****

This is the sneakier method of the two, involving a compressed file (RAR archive) that exploits an older, unpatched flaw in the WinRAR software, the exact vulnerability of which remains unclear at the time of writing.

This malicious RAR file (titled Provision of Information for Sectoral for AJK.rar) contains a harmless-looking Word file along with a hidden, malicious template file called Normal.dotm.

If a user extracts this archive, the flaw allows Normal.dotm to replace the real template file in their system. When the victim opens any Word document, the program loads the tampered template, which then connects to a remote server to run the final backdoor program (winnsc.exe), which performs the same harmful actions as the one in Mode 1.

Attack Chain (Source: Qi’anxin Threat Intelligence)

****Common Goal: Stealing Data****

It is worth noting that both attacks ultimately install the same C# backdoor to collect basic device information. Researchers note that the infrastructure used in these two separate attacks, including domain names registered in April this year, strongly points to the Bitter group.

“The above two attacks ultimately use the same C# backdoor, and the C&C server of the backdoor communication points to the sub-domain of esanojinjasvc.com, which was registered in April this year, so we can assume that these samples come from the same attack group,” researchers noted in the blog post.

To stay safe, the Centre urges users to be very careful with unknown email attachments, keep software like WinRAR up to date, disable macros, monitor network traffic for suspicious activity, and use specialised tools like a sandbox to safely inspect untrusted files.

Bitter APT Exploiting Old WinRAR Vulnerability in New Backdoor Attacks

Rival hackers expose the alleged operators behind Lumma Stealer, a major data-theft malware, causing leaks and internal chaos that have slowed its growth.

A major gang that sells a secret data-stealing tool called Lumma Stealer, a highly adaptable Malware-as-a-Service (MaaS) marketed since 2022 to steal everything from passwords and credit card numbers to crypto wallets, is now in deep trouble.

According to a recent report by the research firm Trend Micro, which tracked the group as Water Kurita, rival criminals launched a campaign to expose its members. This internal fight among cybercriminals has caused a huge, sudden drop in Lumma Stealer’s observed activity since September 2025.

****Identities Exposed****

The trouble started between late August and early October 2025 when a “doxxing” campaign began publishing sensitive personal and operational details of five people, allegedly the masterminds of the Lumma Stealer operation.

The exposed details, which were shared on a website called “Lumma Rats,” reportedly included sensitive data like passport numbers, financial records, and emails of those involved in both the administrative and technical sides, such as those responsible for ‘crypter development,’ which means hiding the malware code to avoid detection.

Alleged Lumma Stealer threat actors doxed on the “Lumma Rats” website (Image credit: Trend Micro)

Trend Micro’s research revealed that this was likely driven by competitors, especially after a coordinated law enforcement attempt to shut down Lumma Stealer in May 2025 failed to stop it completely.

This disruption, which was reported by Hackread.com, followed reports of Lumma’s global infection patterns in North America, Europe, and Asia, and involved Microsoft and global partners seizing over 2,300 domains.

The intensity of the recent leaks suggests either insider knowledge or access to compromised accounts. The situation worsened on September 17, 2025, when the group’s official Telegram accounts were also compromised, severely hurting their ability to talk to their clients.

Lumma Stealer representative posting about their Telegram accounts being stolen (Image credit: Trend Micro)

****Customers Shift to New Options****

As Lumma Stealer’s command-and-control (C2) infrastructure (the network that tells the malware what to do) began to fail, its customers started looking for new places to get their malware.

This sudden instability has triggered aggressive competition, as other malware developers try to capture the market. The primary replacement choices gaining popularity are MaaS platforms called Vidar and StealC.

In fact, other related services, like the pay-per-install (PPI) service Amadey, which criminals use to deliver infostealer malware to victims’ computers, have also seen reduced demand. This shows just how much this internal fight has shaken up the entire cybercrime community, proving that even the most dominant players can fall victim to the very unpredictable nature of the underground market.

Source

HackRead