UAC-0006, a financially motivated threat actor, targets PrivatBank customers with advanced phishing attacks. CloudSEK’s research reveals malicious emails…

UAC-0006, a financially motivated threat actor, targets PrivatBank customers with advanced phishing attacks. CloudSEK’s research reveals malicious emails containing password-protected archives to deploy SmokeLoader malware, enabling data theft and unauthorized access.  

A **phishing campaign** is underway, targeting customers of PrivatBank, Ukraine’s largest state-owned bank. Cybersecurity researchers at CloudSEK have linked this activity to the financially motivated threat actor group UAC-0006.

The campaign, active since at least November 2024, utilizes deceptive emails containing password-protected archives (such as invoice-related PDFs) disguised as legitimate documents like payment instructions or scanned copies of personal identification. 

For example, one phishing lure contains a JavaScript file named Плaтiжнa iнcтpyкцiя №187-ФГ вiд 19.12.2024p.pdf.js (translated as “Payment instruction No. 187-FY dated 19.12.2024p.pdf.js”), appearing as a legitimate payment document. Their purpose is to deliver malicious payloads designed to compromise victims’ systems and around 2 dozen unique instances have been detected in the wild so far.  

According to CloudSEK’s **blog post**, shared with Hackread.com, in this campaign, the attackers have employed versatile techniques to evade detection, including password-protecting the archives and using legitimate system binaries in the infection chain.

Malicious PDF used in the campaign (Via CloudSEC)

The attack typically starts with a phishing email containing an attached password-protected ZIP or RAR file.  Upon opening the attachment and entering the password, a malicious JavaScript file is extracted and executed, and this file then injects code into a legitimate Windows process. In turn, it runs an encoded PowerShell command.  

The PowerShell script performs two key functions: it displays a **decoy PDF document** to the victim, masking the malicious activity, and it contacts the attacker’s command-and-control (C2) server to download and execute the SmokeLoader malware. Researchers assessed that the threat actors have begun using LNK files as lures as well, which directly execute PowerShell scripts to retrieve and run the malware hosted on their C2 servers.

UAC-0006 displays a clear preference for phishing lures with malicious capabilities and extensive use of PowerShell in their attacks with the use of JavaScript, VBScript, and LNK files.  Their persistent targeting of PrivatBank customers strongly suggests a focus on financial gain.  

Also, researchers observed overlaps in their TTPs with EmpireMonkey and the infamous Russia-linked FIN7 group, indicating a connection with Russian APT activity.  For your information, FIN7 **has links to** the Black Basta ransomware operation.

It is also worth noting that SmokeLoader, has been actively used in campaigns targeting Ukraine, often attributed to Russian threat actors for espionage and financial gain. 

Hackread.com previously **reported** Fortinet discovering a campaign delivering SmokeLoader malware targeting Taiwanese companies in manufacturing, healthcare, and IT sectors, using phishing emails with malicious attachments. According to Trend Micro’s **recent research**, Russian threat actors exploited a zero-day vulnerability in the 7-Zip archiving utility to execute malicious code and deploy SmokeLoader. These instances indicate the seriousness of the threat posed by **SmokeLoader**.

The recent campaign is crucial as it can result in compromising sensitive personal and financial data, credential harvesting and espionage, and reputational damage to the organization. It also introduces the risk of supply chain attacks, potentially affecting various associated organizations.

Ukraine’s largest bank PrivatBank Targeted with SmokeLoader malware

The gaming industry has grown into a massive global market, with millions of players engaging in online multiplayer…

The gaming industry has grown into a massive global market, with millions of players engaging in online multiplayer games, digital transactions, and virtual economies. However, as gaming technology evolves, so do the cybersecurity risks.

Cybercriminals are constantly looking for ways to exploit vulnerabilities, targeting both players and developers. From data breaches and hacking to in-game fraud and cheating, cybersecurity is now a critical part of game development.

This article explores the major cybersecurity threats in gaming and the steps developers can take to protect their games and players.

****Why Cybersecurity Matters in Gaming********1\. The Rise of Online Gaming and Cyber Threats****

Online multiplayer games have transformed the gaming experience, allowing players to interact, trade, and compete in real time. However, this connectivity also creates security risks. Hackers often target game servers, looking for ways to steal accounts, manipulate in-game economies, or gain access to sensitive user data.

One of the most well-known cases was the Fortnite account hacking scandal, where cybercriminals stole login credentials and sold them on the black market, leading to unauthorized transactions and financial losses for players. This highlights why strong cybersecurity measures must be a priority for game developers.

****2\. Securing In-Game Economies****

Many modern games now have digital economies where virtual items hold real-world value. Games like Counter-Strike: Global Offensive (CS:GO) allow players to trade skins and weapons, making in-game assets attractive targets for cybercriminals.

Hackers often use phishing scams and unauthorized access to steal valuable in-game items. In response, developers have implemented security measures like multi-factor authentication (MFA) and encryption technologies to protect transactions and player accounts.

****Major Cybersecurity Threats in Game Development********1\. DDoS Attacks on Game Servers****

Distributed Denial-of-Service (DDoS) attacks overwhelm game servers with excessive traffic, causing lag, downtime, and crashes. Competitive online games like League of Legends and Overwatch have suffered major DDoS attacks, disrupting esports tournaments and frustrating players.

To combat these attacks, game developers are implementing traffic monitoring systems, automatic response mechanisms, and improved server security to handle unexpected traffic spikes.

****2\. Game Code Vulnerabilities****

Security flaws in game code can lead to cheating exploits, hacking tools, and unauthorized system access. Games like PUBG and Valorant have struggled with players using aimbots, wallhacks, and other cheats, often exploiting weaknesses in game files.

To reduce these risks, developers must regularly update their code, conduct security audits, and use advanced anti-cheat systems to detect suspicious behavior.

****3\. Phishing Scams Targeting Players****

Cybercriminals frequently pose as game companies, tricking players into entering their login credentials on fake websites. Fake Steam login pages have scammed thousands of players, resulting in lost accounts and stolen in-game items.

Game developers are now educating players on how to identify phishing scams, while also implementing secure authentication technologies to prevent unauthorized access.

****4\. Data Breaches and Privacy Risks****

Gaming companies store massive amounts of user data, from personal details to payment information. A single security breach can put millions of players at risk of identity theft and financial fraud.

One of the biggest breaches was the 2011 Sony PlayStation Network (PSN) hack, where over 77 million accounts were compromised. This incident exposed the urgent need for strong encryption, secure storage practices, and strict data protection policies in the gaming industry.

****How Game Developers Can Strengthen Cybersecurity********1\. Secure Coding Practices****

Developers must follow **secure coding guidelines** to minimize vulnerabilities, including:

*   Conducting **regular security audits** of game code.
*   Using **trusted libraries and frameworks** for secure development.
*   Encrypting **sensitive player data** to prevent unauthorized access.
*   Running extensive security testing before game releases.

****2\. Strengthening Authentication and User Security****

To protect player accounts, developers should integrate:

*   **Multi-factor authentication (MFA)** – Adds an extra layer of security beyond passwords.
*   **Biometric authentication** – Fingerprint or facial recognition for secure logins.
*   **Re-authentication mechanisms** – Verifies user identity during critical actions.

****3\. Anti-Cheat Systems for Fair Play****

Cheating ruins the gaming experience and can lead to financial losses in esports competitions. Developers are fighting back with:

*   **Server-side cheat detection** – Monitors player behavior for irregularities.
*   **Behavioral analytics** – Uses AI to detect unusual in-game activities.
*   **Machine learning algorithms** – Analyzes historical data to improve cheat detection.

****4\. Secure Payment and Transaction Systems****

In-game purchases and microtransactions are major revenue streams, but they must be secured. Developers should:

*   Use **SSL/TLS encryption** for secure transactions.
*   Partner with **trusted payment processors** to handle financial data.
*   Explore **blockchain technology** for fraud-resistant transactions.

****The Future of Cybersecurity in Game Development****

As the gaming industry continues to grow, cybersecurity will evolve to counter new threats. Some emerging trends include:

*   **AI-Powered Security Solutions** – Machine learning will enhance fraud prevention and cheat detection.
*   **Blockchain for Secure Transactions** – Decentralized ledgers can improve security in virtual economies.
*   **Cloud Gaming Security Enhancements** – As cloud gaming rises, data protection in cloud platforms will become more critical.
*   **Stronger Cybersecurity Regulations** – Governments are enforcing stricter online security laws for gaming companies.

****Conclusion****

Cybersecurity is no longer optional in game development, it’s a necessity. From protecting player data and securing in-game economies to preventing cheating and DDoS attacks, developers must stay ahead of cyber threats. By implementing strong security measures, educating players, and continuously updating game protection strategies, the gaming industry can create a safer and more trustworthy experience for everyone.

The Impact of Cybersecurity on Game Development

A banking malware campaign using live phone numbers to redirect SMS messages has been identified by the zLabs research team, uncovering 1,000+ malicious apps and 2.5GB of exposed data.

Mobile devices have become a prime target for financial fraud, as the availability of digital payments and interception of OTPs (one-time passwords) for authentication make them vulnerable. Threat actors’ latest targets are Indian bank users, forced to reveal sensitive financial/personal data in a sophisticated mobile malware campaign, uncovered by the Zimperium zLabs research team. 

According to the company, banking trojans are targeting Indian banks and government institutions, and live phone numbers are used to intercept and redirect SMS messages, putting sensitive data at risk. This campaign is believed to be the work of a single threat actor and targets mobile devices running the Android OS. The researchers have dubbed the actor as “FatBoyPanel.”

This “coordinated effort” utilizes over 1,000 malicious Android applications designed to steal financial and personal data, researchers noted in the blog post shared with Hackread.com ahead of publishing on Wednesday. 

These apps, disguised as legitimate banking and government tools, are distributed primarily through WhatsApp. Victims are tricked into revealing Aadhaar and PAN card details, ATM PINs, and mobile banking credentials.

The most frequently impersonated banks are:

*   ICICI: 15.2%
*   SBI: 10.5%
*   RBL: 11.9%
*   PNB: 12.9%

Unlike traditional malware campaigns, this one employs a more innovative approach towards OTP theft. As observed by Zimperium researchers, instead of relying solely on command-and-control servers, the malware intercepts and redirects SMS messages in real-time using live phone numbers.  This method, however, leaves a traceable digital trail and may aid law enforcement in identifying the perpetrators.  

ZLas researchers have identified around 900 malware samples and approximately 1,000 phone numbers involved in this operation. Around 63% of these numbers were registered in West Bengal, Bihar, and Jharkhand.

*   Bihar: 22.6% of victims
*   Jharkhand: 10.0% of victims
*   West Bengal: 30.2% of victims

The scope of this campaign is substantial.  Analysis of the malicious apps reveals shared code, user interface elements, and app logos, indicating a centralized operation.  Furthermore, researchers discovered over 222 unprotected Firebase storage buckets containing 2.5 gigabytes of stolen data.  This exposed information, including bank details, card information, government IDs, and SMS messages, affects an estimated 50,000 victims.

The phishing UI used within the app to steal sensitive information, along with the admin dashboard view of the C&C servers managed by the threat actors (Via Zimperium zLabs)

The malware operates in three distinct variants: SMS Forwarding, Firebase-Exfiltration, and a Hybrid approach.  All variants intercept and exfiltrate SMS messages, including OTPs, enabling unauthorized transactions.  Evasion techniques include hiding its icon, resisting uninstallation, and using code obfuscation and packing.  

The top sources of distribution of SMS messages based on their sender are:

*   Jio Payments: 47.4%
*   Airtel Payments Bank: 18.5%

Hardcoded phone numbers within the malware and the Firebase endpoints act as exfiltration points for stolen data. The administrative dashboard for this platform even contained a “WhatsApp Admin” button, suggesting a multi-user environment and facilitating direct communication among the threat actors.

To protect yourself from mobile malware, download apps from official app stores and avoid downloading APK files from websites, messaging apps or untrusted sources. Verify app details before installing and avoid apps that request excessive permissions for a secure mobile experience.

Banking Malware Uses Live Numbers to Hijack OTPs, Targeting 50,000 Victims

Silver Spring, Maryland, 5th February 2025, CyberNewsWire

**Silver Spring, Maryland, February 5th, 2025, CyberNewsWire**

Aembit, the non-human identity and access management (IAM) company, today announced that Michael Trites has joined the company as senior vice president of global sales. In this role, Trites will lead Aembit’s global sales strategy, driving adoption of its industry-first Workload IAM Platform.

Trites brings over two decades of experience scaling sales organizations at high-growth security companies. He previously served as executive vice president of global sales at Dig Security, a provider of data security posture management, where he helped drive the company’s expansion and go-to-market strategy, leading to its acquisition by Palo Alto Networks.

> “Michael’s track record spearheading adoption in emerging cybersecurity markets makes him the ideal leader to accelerate Aembit’s growth,” said David Goldschlag, co-founder and CEO of Aembit. “His expertise will be essential as we help organizations recognize the importance of securing and managing their rapidly growing mix of client workloads, AI agents, and service accounts.”

Prior to Dig, Trites held sales executive roles at CyCognito, BigID (recognized by Deloitte as one of North America’s fastest-growing companies from 2020 to 2024), and Zimperium, where he helped expand market reach and drive revenue growth. He also spent more than a decade at Riverbed Technology, where he advanced through multiple sales leadership roles, ultimately overseeing sales for the Americas East region. Most recently, he led global sales at MineOS, focusing on data privacy and compliance solutions.

Now at Aembit, he is focused on helping organizations secure non-human identities by authenticating client workloads, enforcing access rights, and issuing short-lived credentials – eliminating static secrets and reducing an attack surface increasingly implicated in high-profile data breaches.

> “Aembit’s approach to non-human identity management fills a major gap in modern security,” Trites said. “Many solutions highlight the risk, but almost none actually solve it. Unlike tools that only provide visibility into service accounts, Aembit enforces policy-based, secretless access and removes the need for developers to build authentication into applications. That lets companies move faster and build with confidence. I’m excited to help bring this model to more organizations.”

For more information about Aembit, users can visit www.aembit.io.

**About Aembit**

Aembit is the leading provider of workload identity and access management solutions, designed to secure non-human identities like applications, AI agents, and service accounts across on-premises, SaaS, cloud, and partner environments. Aembit’s no-code platform enables organizations to enforce access policies in real time, ensuring the security and integrity of critical infrastructure. Users can visit the official website aembit.io and LinkedIn.

**Contact**

Apurva Davé

\[email protected\]

Aembit on LinkedIn

Website 

**Contact**

**CMO**  
**Apurva Davé**  
**Aembit**  
**\[email protected\]**

Michael Trites Joins Aembit as Senior Vice President of Global Sales

Canadian man charged in $65 million DeFi hack. Exploited KyberSwap, Indexed Finance smart contracts, laundered funds, and attempted extortion. Faces 20 years.

A 22-year-old Canadian man, Andean Medjedovic, is facing federal charges in the U.S. for allegedly exploiting **smart contract vulnerabilities** in two decentralized finance (DeFi) protocols, KyberSwap and Indexed Finance, fraudulently obtaining around $65 million from investors between 2021 and 2023.

The **indictment** (PDF), unsealed in a New York federal court accuses Medjedovic of taking advantage of the vulnerabilities and allegedly borrowing massive amounts of digital tokens, then using them to carry out “deceptive trades.”

These trades manipulated the smart contracts into incorrectly calculating key financial metrics. As a result, Medjedovic was able to withdraw millions of dollars in investor funds at inflated prices, effectively wiping out the value of their investments.

Prosecutors further Medjedovic of attempting to cover his tracks through a sophisticated money laundering operation. He allegedly used various techniques, including swap transactions, “bridging transactions,” and a **digital currency “mixer”** to obscure the origin and ownership of the stolen funds. He is also accused of using fake and borrowed identities to open accounts on cryptocurrency exchanges.

According to the DoJ’s **press release**, Following the KyberSwap exploit in November 2023, Medjedovic allegedly attempted to extort the victims. He proposed a bogus settlement, demanding complete control of the KyberSwap platform and its governing decentralized autonomous organization (DAO) in return for half of the stolen digital assets.

Medjedovic now faces a five-count indictment including wire fraud, unauthorized damage to a protected computer, attempted extortion, money laundering conspiracy, and money laundering. If found guilty on all counts, he could face up to 20 years in prison for each charge except the computer damage charge, which carries a maximum 10-year sentence.

The final sentence will be determined by a federal judge. The investigation involved multiple agencies including the IRS, Homeland Security Investigations, and the FBI, with international cooperation from authorities in the Netherlands.

This case goes on to show the ongoing **risks associated with DeFi platforms** and the vulnerabilities that can be exploited by malicious actors. It also underlines the increasing focus of law enforcement on cryptocurrency-related crimes and their commitment to pursuing those who attempt to profit from these schemes.

Canadian Charged in $65M KyberSwap, Indexed Finance DeFi Hack

A global phishing campaign is actively exploiting a legacy Microsoft authentication system to steal user credentials and bypass multi-factor authentication (MFA), targeting over 150 organizations.

A global phishing campaign is underway, exploiting a legacy Microsoft authentication system to steal user credentials and bypass multi-factor authentication (MFA), targeting over 150 organizations.

A sophisticated phishing campaign is exploiting vulnerabilities in Microsoft’s Active Directory Federation Services (ADFS) to compromise user accounts and bypass multi-factor authentication (MFA), as revealed in research by Abnormal Security.

The attackers employ a combination of social engineering and technical manipulation. Phishing emails, mimicking legitimate notifications, lure victims to spoofed ADFS login pages. These emails often use urgent tones, warn of supposed updates or policy changes, and incorporate legitimate branding, logos, and even contact information to appear genuine. 

One of the phishing pages was sent to a targeted company (Via Abnormal Security)

URL obfuscation and shortened links further conceal the malicious destination.  It is worth noting that the attackers personalize the phishing pages to match the target organization’s specific MFA setup, such as tailoring prompts for push notifications, and mechanisms like Microsoft Authenticator, Duo Security, and SMS verification. 

The phishing landing page replicates the organization’s ADFS portal, dynamically pulling logos and design elements, creating a convincing counterfeit. While some client-side validation might exist, the page does not verify credentials against the organization’s systems since any username and password combination is accepted.  

The next step involves capturing the user’s second-factor authentication. Phishing templates are designed to collect various MFA factors, including codes from authenticator apps, SMS messages, or even push notifications. This information, coupled with the stolen credentials, is relayed to the attackers.

To complete the deception, the victim is redirected to the genuine ADFS login page after submitting their information, reinforcing the illusion of a successful login. With the stolen credentials and MFA details, the attackers proceed with account takeover (ATO), often using VPNs to mask their location.  Post-compromise activity typically includes internal reconnaissance, setting up mail filter rules to conceal their presence, and launching lateral phishing attacks.

Lateral phishing, sent from the compromised account, leverages established trust relationships within the organization. These emails often mimic legitimate communication patterns, targeting colleagues and associates. The mail filter rules, often with deceptive names and obfuscated keywords (e.g., “Hish” for “Phish”), help the attackers remain undetected.

“This approach leverages nuanced psychological tactics to exploit human vulnerabilities and reinforce a false sense of legitimacy,” Abnormal Security’s report read.

A fake Microsoft ADFS used in the campaign (Via Abnormal Security)

Research reveals that this campaign has targeted over 150 organizations in various sectors. The education sector is most impacted with 50% of attacks followed by healthcare (14.8%), government (12.5%), technology (6.3%), and transportation (3.4%).  Geographically, the attacks are largely focused on the United States, but incidents have also been reported in Canada, Australia, and Europe.

The report suggests that attackers are exploiting the fact that many organizations have not switched to Microsoft’s modern identity platform, Entra. ADF reliance is particularly prevalent in sectors with slower technology adoption, emphasizing the need for prioritizing migration to modern solutions and employing a multi-layered security approach.

Roger Grimes, a data-driven defence evangelist at KnowBe4, commented on the issue, telling Hackread.com that this is the first time they have heard about fake ADFS login pages hinting at the sophistication of this campaign.

_“_I’m a 36-year cybersecurity expert and author of 15 books (one on hacking MFA and over 1,500 articles. This is the first time I’ve read about fake ADFS login pages, but ADFS has been involved in bypassing MFA authentication before, so it’s not completely new to use in the hacker scene._“_

_“_All users should use phishing-resistant MFA whenever they can,_“_ Roger warned. _“_Unfortunately, most of today’s most popular MFA solutions, including Microsoft Authenticator, Google Authenticator, Duo, push-based MFA, OTP, and SMS-based MFA are very phishable and subject to the exact type of attack reported here._“_

Hackers Using Fake Microsoft ADFS Login Pages to Steal Credentials

Morphisec uncovers a new ValleyRAT malware variant with advanced evasion tactics, multi-stage infection chains, and novel delivery methods…

Morphisec uncovers a new ValleyRAT malware variant with advanced evasion tactics, multi-stage infection chains, and novel delivery methods targeting systems.

Cybersecurity researchers at Morphisec Threat Lab have discovered a new version of the sophisticated ValleyRAT malware distributed through various channels including phishing emails, instant messaging platforms and compromised websites. ValleyRAT is a multi-stage malware, linked to the notorious **Silver Fox APT** group.

According to Morphisec’s investigation, shared with Hackread.com, the key targets of this campaign are high-value individuals within organizations, especially those in finance, accounting, and sales, and the objective is to steal sensitive data.

Infection Chain (Via Morphisec)

Earlier ValleyRAT versions utilized PowerShell scripts disguised as legitimate software installers, which often employed DLL hijacking to inject their payload into signed executables from programs like WPS Office and even Firefox. In August 2024, Hackread.com **reported** about a ValleyRAT version using shellcode to inject malware components directly into the memory. 

Conversely, the current version uses a fake Chinese telecom company “Karlos” website (karlostclub/) to distribute the malware, which downloads a series of files, including a .NET executable that checks for administrator privileges and downloads additional components, including a DLL file.

“Interestingly, the actor reused the same URL for both the older and newer versions of their attack,” researchers wrote in the **blog post**.

According to researchers, a fake Chrome browser download from anizomcom/ is the initial infection vector in the attack chain, tricking the victim into downloading and executing the malware. The sscronet.dll file, deliberately named with a legitimate-sounding identifier to avoid suspicion, injects code into the legitimate svchost.exe process, acting as a monitor, terminating any processes on a predefined exclusion list to prevent interference with the malware’s operation. 

Fake Chrome browser download (Via Morphisec)

Next, the malware utilizes a modified version of the Douyin (Chinese TikTok) executable for DLL side-loading and a legitimate Tier0.dll from Valve games (specifically Left 4 Dead 2 and Killing Floor 2) to execute code hidden within the nslookup.exe process. This process retrieves and decrypts the main ValleyRAT payload from mpclient.dat. 

The decrypted payload uses the **Donut shellcode** to execute the malware in memory, bypassing traditional disk-based detection methods. It also tries to disable security mechanisms like AMSI and ETW.

For your information, ValleyRAT is a C++-based remote access trojan with basic **RAT functionalities** such as accessing the WinSta0 window station for screen, keyboard, and mouse interaction and monitoring the victim’s screen. It incorporates extensive anti-VMware checks to evade detection in virtualized environments and connects with its C2 server using IP addresses and ports that are initialized within its code during installation.

“If the malware does not detect that it is running inside a virtual machine (VM), it attempts to establish a connection to baidu.com as part of its network communication check,” researchers noted.

The Silver Fox APT group’s changing tactics/evasion techniques show the growing sophistication of new attacks. Organizations should adopt a proper security strategy, including stricter endpoint protection, **employee training**, and continuous monitoring, to mitigate risks.

New ValleyRAT Malware Variant Spreading via Fake Chrome Downloads

Austin, TX, USA, 4th February 2025, CyberNewsWire

**Austin, TX, USA, February 4th, 2025, CyberNewsWire**

SpyCloud’s Identity Threat Protection solutions spearhead a holistic identity approach to security, illuminating correlated hidden identity exposures and facilitating fast, automated remediation.

SpyCloud, a leading identity threat protection company, announced key innovations in its portfolio, pioneering the shift to holistic identity threat protection. By operationalizing its vast collection of darknet data with automated identity analytics that correlate malware, phishing, and breach exposures across individuals’ past and present work and personal personas, SpyCloud enables security and fraud prevention teams to comprehensively uncover hidden identity assets, rapidly remediate exposures, and better protect their businesses from previously unseen threats.  

Identity security vendors have focused narrowly on securing corporate accounts, leaving organizations vulnerable to cybercriminals exploiting the broader identity exposures of employees, consumers, and suppliers. A shift to an identity-centric perspective is needed, particularly as the scope of identity exposures continues to grow. SpyCloud research reveals that the average individual has as many as 52 unique usernames/emails and 221 passwords exposed on the darknet across their online personal and professional identities. 

The impact of these exposures is evident: nearly a quarter of data breaches resulted from compromised identity data. Credential attacks led to $4.81 million in related costs per breach and took the longest to identify and contain. 

SpyCloud’s holistic identity threat protection addresses these challenges by encompassing the full spectrum of an individual’s online presence. This innovative approach empowers security teams to proactively protect against previously unseen risks, including the darknet exposures of identity and authentication data stolen about employees, consumers, and suppliers that have been beyond their visibility to date. 

> “The cybersecurity industry has spent years and billions of dollars securing accounts, but criminals have moved far beyond account-level access,” said **Ted Ross, SpyCloud’s CEO and Co-Founder**. “The dirty secret of the identity security industry is that efforts to lock down the perimeter fail because they focus on accounts, while bad actors target the full scope of users’ holistic identities. These sprawling identities, exposed through breaches, infostealer infections, and phishing attacks, create shadow data that traditional tools simply can’t address. ”

> Ross continued, “SpyCloud changes the dynamic by providing unmatched visibility into the same data criminals are exploiting, enabling organizations to remediate exposures across the entirety of users’ online personas. This shifts the advantage back to security leaders, empowering them to act on threats that were previously beyond their reach.”

**Key Innovations Underpinning SpyCloud’s Holistic Identity Threat Protection** 

*   **Refined analytics driving actionability on exposed identities:** SpyCloud applies advanced data science and proprietary technology to dynamically correlate billions of recaptured darknet data points, providing a broader and more accurate view of identities. By connecting authentication data, financial data, and personally identifiable information (PII), SpyCloud uncovers hidden relationships across seemingly unrelated accounts, continuously and at scale.
*   **Automated remediation in <15 minutes:** SpyCloud’s holistic identity portfolio now enables rapid, automated remediation within enterprise security ecosystems, including EDR, IdP, SOAR, and SIEM tools. This allows security teams to neutralize threats in less than 15 minutes of discovery, reducing risk without straining resources or operational bandwidth.
*   **Malware reverse engineering to combat ransomware:** SpyCloud specializes in the tracking and analyzing of malware – with deep insights into pervasive infostealers such as Lumma C2, Redline Stealer, Vidar, and more – as they are often a precursor to ransomware. Through its advanced malware reverse analysis, SpyCloud provides comprehensive visibility into malware-exposed data, helping organizations identify compromised devices, users, and applications and closes critical security gaps, including those stemming from unmanaged or under-managed devices used by employees, contractors, and vendors.
*   **Accelerated cybercrime investigations:** SpyCloud’s Investigations solution, used by cyber threat intelligence (CTI) teams, security operations, fraud and risk prevention analysts, and law enforcement globally, includes automated identity analytics to uncover the full scope of digital identity exposures, accelerating complex cybercrime investigations into threat actor attribution, insider risk (including potential hiring fraud), and supply chain risk analysis from days or hours to minutes.

**SpyCloud’s Capabilities Set a New Standard for Identity Security**

SpyCloud champions the transition to holistic identity security, backed by nearly a decade of experience and the industry’s largest repository of recaptured breach, malware-exfiltrated, and successfully phished data. Its holistic identity lens reveals a comprehensive view of exposed identity information – from credentials and PII to financial data and sensitive digital artifacts.

> “SpyCloud’s innovative identity threat protection is about as important as it gets in cyber; identity is **everything**,” said **John N. Stewart, SpyCloud Board Member and former Chief Security and Trust Officer of Cisco.** “By making it possible to view and act on the world’s best source for identity exposures, SpyCloud raised the bar to the top for proactive defense against all types of identity-driven cyber exploitation.”

> “We are redefining identity security by making holistic protection practical and achievable for our customers,” added **Damon Fleury, SpyCloud’s Chief Product Officer.** “SpyCloud has a long history of leading the way in understanding the cybercrime ecosystem, from our early days in world-class ATO prevention to continuing to build solutions that empower organizations to proactively protect against threats stemming from infostealer malware, phished and breach data.” 

> Fleury continued, “This evolution to make holistic identity threat protection a reality for enterprises is critical to our mission of disrupting cybercrime. We aim to stop identity-based threats once and for all.”

To learn more, users can contact SpyCloud or view the following resources:

*   The Holistic Identity Frontier: Why Shift from account-centric Security to holistic identity threat protection
*   Stop identity-based cybercrimes once and for all

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated holistic identity threat protection solutions leverage advanced analytics to proactively prevent ransomware and account takeover, safeguard employee and consumer accounts, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights, users can visit spycloud.com.

**Contact**

**Public Relations**  
**Emily Brown**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Pioneers the Shift to Holistic Identity Threat Protection

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users…

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users into installation.

A new version of North Korean malware called ‘FlexibleFerret’ is making rounds, specifically targeting macOS devices and developers. This malware, linked to the ‘Contagious Interview’ campaign, uses tricky methods to infect systems, even disguising itself as legitimate software.

****The ‘Contagious Interview’ Trick****

The campaign begins with a **social engineering tactic**. Hackers lure their targets, often job seekers, into downloading malware through fake job interview processes. They send a link that appears to require a software update, like a fake virtual meeting application.

It is worth noting that the ‘Ferret’ malware family was originally discovered in September 2024 targeting Blockchain professionals with fake video conferencing and job scams. The latest variant, ‘FlexibleFerret,’ was discovered by SentinelLabs, and shows that hackers constantly change their methods to avoid detection.

Interestingly, Apple recently strengthened its XProtect security tool to deal with threats like “Ferret,” and other macOS malware. However, despite new security protocols, according to SentinelLabs’ **blog post** shared with Hackread.com, FlexibleFerret remained undetected, at least initially.

****How FlexibleFerret Works****

‘FlexibleFerret’ uses a dropper, which is essentially a package that installs the malware onto the system. This particular dropper contains several components, including fake applications and scripts.

After installation, the malware begins executing several malicious actions. It places and runs hidden components in the computer’s temporary folders, ensuring its presence remains unnoticed. At the same time, it creates a **fake Zoom application** that secretly connects to a suspicious domain.

To further trick victims, it displays a fake error message, making it seem like the installation failed while actually continuing to install itself in the background. Once embedded, it establishes persistence, allowing it to automatically run even after the system is restarted.

****A Signed Threat Against Job Seekers and Developers****

Unlike some older versions, ‘FlexibleFerret’ was initially signed with a valid Apple Developer signature. This helped it bypass some security checks, making it appear more legitimate. Security experts used this signature to discover even more related malware samples. That certificate has since been revoked, but a trail of other signed files has turned up.

The hackers behind ‘FlexibleFerret’ aren’t just focusing on job seekers anymore. They’re also targeting developers directly, using **fake bug reports or comments** on websites like GitHub to trick them into downloading the malware.

A threat actor tricking users into installing FlexibleFerret malware (Via SentinelLabs)

****Links to ChromeUpdate Malware****

FlexibleFerret includes a binary labeled “Mac-Installer.InstallerAlert,” which strongly matches code previously spotted in “**ChromeUpdate**,” an older piece of malware involved in these job interview lures. While Apple’s updated rules catch ChromeUpdate, they currently overlook this newer malware, indicating that attackers have changed minor elements to sneak past protections.

> _“The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required.”_
> 
>   
> SentinelLabs

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Hackers used fake job website to scam jobless US veterans**
3.  **KnowBe4 Tricked into Hiring a North Korean Hacker as IT Pro**
4.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
5.  **Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!**
6.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**
7.  **Fake PoC Script Tricked Researchers into Downloading VenomRAT**

N. Korean ‘FlexibleFerret’ Malware Hits macOS with Fake Zoom, Job Scams

Malicious DeepSeek packages on PyPI spread malware, stealing sensitive data like API keys. Learn how this attack targeted developers and how to protect yourself.

Cybersecurity researchers at the Positive Technologies Expert Security Center (PT ESC) have found a sneaky malware campaign targeting the Python Package Index (PyPI), a popular online repository for **Python software**. The attack focused on developers, machine learning engineers, and AI enthusiasts who might integrate DeepSeek AI into their projects.

It all began on January 29, 2025, when a suspicious user named “bvk,” whose account had been inactive since its creation in June 2023, uploaded two malicious packages: deepseeek or deepseekai. These packages were designed to mimic legitimate integrations with DeepSeek but contained malicious code aimed at stealing sensitive information from users’ systems.

Malicious DeepSeek packages (Via PT ESC)

Once installed, the harmful packages executed commands that collected system information and stole environment variables. These variables often contain critical data, such as credentials for cloud storage, database access, or other infrastructure resources. The stolen information was then sent to a command-and-control (C2) server hosted on Pipedream, a developer integration platform.

Interestingly, according to PT ESC’s **blog post** shared with Hackread.com, the attackers appeared to use an AI-powered assistant to write their malicious script, as evidenced by the code’s comments explaining its functionality. **AI-generated content** and codes have become a significant cybersecurity threat, with experts warning that the risk is only growing.

****Quick Action****

After discovering the malicious packages, Positive Technologies immediately alerted PyPI administrators, who quarantined and deleted the packages within an hour. However, during that short window, the packages had already been downloaded 222 times across various tools and methods in the following countries:

*   **US**: 117 downloads

*   **China**: 36 downloads

*   **Russia**: 12 downloads

*   Other countries, including Germany, Canada, and Hong Kong, also reported downloads.

****Exploiting DeepSeek’s Popularity****

Although the attack was contained before causing large-scale harm, it presents important questions about the security of open-source repositories. Cybercriminals frequently monitor emerging trends and exploit them to trick unsuspecting users. In this example, the **popularity of DeepSeek** likely attracted malicious actors seeking to exploit its growing user base.

In a comment to Hackread.com, **Jason Soroko**, Senior Fellow at Sectigo, emphasized the impact of this incident stating, “This report underscores how attackers exploit trusted naming conventions and the reliance on authentic package sources within the open-source ecosystem. While the threat was neutralized quickly, it serves as a reminder of the growing risks associated with software supply chains.”

****Protecting Yourself from Similar Threats****

This incident is a good sign to be careful when downloading and installing software, especially from public repositories like PyPI. Here are a few quick tips to help you stay safe:

*   **Security Tools**: Use services like Positive Technologies’ PyAnalysis, which monitors PyPI for malicious activity in real-time.

*   **Verify Package Sources**: Only download well-established packages with a strong reputation. Be cautious of newly uploaded tools, especially those with names similar to popular projects.

*   **Scan Dependencies**: Use tools to analyze the code of packages before installing them.

*   **Monitor Environment Variables**: Keep an eye on sensitive data stored in your system and limit its exposure where possible.

Source

HackRead