Frankfurt am Main, Germany, 20th August 2025, CyberNewsWire

**Frankfurt am Main, Germany, August 20th, 2025, CyberNewsWire**

Link11, a Germany-based global IT security provider, has released insights into the evolving cybersecurity threat landscape and announced the capabilities of its Web Application and API Protection (WAAP) platform, designed to provide multi-layered defenses against modern digital threats.

The rapid pace of digital transformation has expanded the opportunities for organizations across industries. However, every new web application and API also broadens the attack surface, leaving businesses increasingly exposed. Cybercriminals are employing sophisticated tactics that target all levels of application infrastructure, rendering traditional point solutions insufficient.

**Key Threats Facing Digital Platforms:**

**DDoS attacks at the application layer**

Distributed denial-of-service (DDoS) attacks have traditionally been associated with overwhelming data floods. Increasingly, attackers use more subtle methods at the application level (Layer 7), simulating legitimate traffic to disrupt resource-intensive services such as login pages, search functions, or APIs. A recent example occurred when the website of an Israeli city council was hit by approximately 18 million HTTP requests in just minutes, temporarily disrupting operations.

**Malicious bots**

Automated traffic continues to account for a significant share of web activity, with malicious bots responsible for credential stuffing, content scraping, inventory theft, and fraud. Reseller bots, for example, often purchase large volumes of limited products such as concert tickets or designer items, leaving genuine customers unable to access them.

**Limitations of traditional WAFs**

Web Application Firewalls (WAFs) remain widely used but often rely on signature-based rules, which can fail to detect newer attack methods while generating false positives. Such gaps leave applications vulnerable to modern “low-and-slow” attacks and zero-day exploits, as well as to familiar threats like SQL injection or cross-site scripting (XSS).

**API vulnerabilities**

APIs are central to digital ecosystems, yet frequently underprotected. Unmonitored “shadow APIs” can unintentionally expand the attack surface. Attacks on API endpoints can lead to service disruptions, data theft, and account takeovers, underscoring the need for more advanced defenses.

**The Link11 WAAP Platform**

Link11’s WAAP platform has been developed to address these challenges through an integrated, real-time security framework.

*   **Unified all-in-one platform**: Consolidates multiple protection functions into a single interface to simplify management.
*   **Real-time multi-layered protection**: Detects and mitigates malicious traffic while ensuring seamless access for legitimate users.
*   **Flexible deployment**: Compatible with diverse infrastructures, protecting web applications and APIs regardless of hosting environment.
*   **24/7 managed support**: Backed by round-the-clock monitoring from Link11’s global Security Operations Centers (SOCs).
*   **Data security and compliance**: Operates on a wholly Link11-owned cloud platform, ensuring GDPR compliance and eliminating non-EU access risks.

**About Link11**

Link11 is a specialized IT security provider headquartered in Germany with offices worldwide. The company delivers enterprise-grade cybersecurity solutions, including protection for critical infrastructures. Link11 is ISO 27001 certified and recognized by the German Federal Office for Information Security (BSI) as a qualified provider for critical infrastructure protection.

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 Highlights Growing Cybersecurity Risks and Introduces Integrated WAAP Protection Platform

A new report from Red Canary reveals a clever Linux malware called DripDropper that exploits a flaw and…

A new report from Red Canary reveals a clever Linux malware called DripDropper that exploits a flaw and then patches it to prevent other hackers from getting in. Learn how this tactic works.

A new report by cybersecurity firm Red Canary reveals that hackers are exploiting a critical vulnerability and then patching it to lock out other attackers. The research from the Red Canary Threat Intelligence team, provided to Hackread.com, exposes a new piece of Linux malware, which the company named DripDropper, and details how adversaries are using it to gain and maintain hidden access on cloud servers.

The attack starts with exploiting a well-known security flaw, CVE-2023-46604, in a widely used piece of software called Apache ActiveMQ. This program is a “message broker,” which is a fancy term for a tool that helps different computer systems talk to each other. Although a patch has been available for some time, many systems are still vulnerable, and hackers are taking advantage of this weakness to get initial access.

“Even though the critical vulnerability exploited in ActiveMQ here is nearly three years old, adversaries are still exploiting the vulnerability to execute payloads such as Godzilla Webshell, and Ransomhub ransomware, resulting in a 94.44% likelihood of being exploited in the next 30 days, according to its EPSS score,” researchers noted.

****Strategy for Persistence****

After gaining a foothold, the hackers install two main tools. The first is a malicious software called Sliver, a tool that gives them secret, unrestricted control over the compromised computer.

They then use a downloader (DripDropper) that connects to a Dropbox account controlled by the attacker. This malware is an encrypted file that requires a password to run, making it tough for security analysts to examine.

But the most surprising part of the attack comes next. After establishing their control, the hackers use a common internet command to download a legitimate patch for the very vulnerability they just exploited.

By patching the system, they essentially close the door they used to get in, preventing other criminals from exploiting the same weakness. This clever move ensures their grip remains exclusive and makes it harder for defenders to trace the attack back to the original entry point.

To ensure long-term access, the DripDropper malware modifies system files to allow root logins and keep itself running. The malware also drops a second file with a random, eight-character name, which also contacts the attackers’ Dropbox for further instructions.

Researchers noted that using public platforms like Dropbox is a common tactic also used by other malware families such as CHIMNEYSWEEP, Mustang Panda, and WhisperGate.

These findings highlight that a clean vulnerability scan doesn’t always mean a system is secure. A scan might show a system is patched, but it won’t reveal how or by whom. This means, a multi-layered security approach is needed, including consistent patching and careful monitoring of cloud logs. The report also recommends using resources like CISA’s Known Exploited Vulnerabilities (KEV) catalogue to help prioritize which flaws to fix first.

_“_I’m not sure I’ve heard of automated malware that patched the vulnerability it used to break in, except maybe once before back in the 1990s, when two computer virus groups were battling it out for global control using the same software vulnerability. I have, however, been involved in a few consulting engagements over the years where human hackers broke in and patched the exploits,_“_ said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

“Once, when I was with Microsoft, I was hired to help consult with a customer who was mad that Microsoft was applying a patch that they had configured NOT to apply. It was a controversial patch at the time (it disabled the otherwise default autorun feature in Microsoft Windows when mobile media was inserted into a computer),” he explained.

_“_A lot of customers were mad that Microsoft was disabling autoruns, so Microsoft configured the patch to not automatically deploy if a particular related registry entry was enabled. Well, for this particular customer, the patch kept applying. They would then uninstall the patch, make sure the related registry entry was made, and then come back the next day to find the patch re-applied. Boy, they were mad_.”_

“When I showed up, I quickly discovered that a hacker group had broken in using the vulnerability, and they were trying to apply the patch to disable the autoruns feature to prevent other groups. Boy, was that client feeling mea culpa.”

“I said it then, and I’ll say it now, “If hackers are doing your patching faster than you are, you aren’t doing it right!” This is yet another argument for default auto-patching without admin involvement. We’ve yet again seen serious vulnerabilities that have not been patched years later. It’s all too common,” Roger added.

New DripDropper Malware Exploits Linux Flaw Then Patches It Lock Rivals Out

Scammers have been spotted abusing AI site builder Lovable to mimic trusted brands, steal credentials, drain crypto wallets,…

Scammers have been spotted abusing AI site builder Lovable to mimic trusted brands, steal credentials, drain crypto wallets, and spread malware.

Cybersecurity researchers at Proofpoint report that cybercriminals are abusing Lovable, an AI-powered website builder, to spin up fraudulent sites in minutes that mimic trusted brands and distribute malware.

Lovable was designed as a user-friendly tool for anyone with limited web development experience. Users simply type a description of the website they want, and the service generates a working site, hosted under the lovable.app domain.

The site offers creating free accounts that come with hosting and a visible “Edit with Lovable” badge, while paid users can hide the badge and attach custom domains. For legitimate users, it is a shortcut to publishing websites quickly. For threat actors, it has become an opportunity to scam unsuspecting people.

Proofpoint has tracked campaigns where Lovable-hosted sites distribute credential phishing kits such as Tycoon, payment data harvesters, and even cryptocurrency wallet drainers.

To test it in detail, researchers found no restrictions when attempting to build their own phishing site using Lovable, including functionality to mimic enterprise login portals. They reported hundreds of thousands of malicious Lovable URLs detected in email data each month since February 2025, with campaigns increasing gradually.

In one campaign from February 2025, attackers used lovable.app URLs to direct victims through a CAPTCHA page before loading a fake Microsoft login. The setup was powered by Tycoon, a Phishing-as-a-Service platform capable of stealing credentials, tokens, and session cookies. Later campaigns imitated HR messages about employee benefits to trick recipients into entering their corporate login details.

Via Proofpoint

According to Proofpoint’s report shared with Hackread.com ahead of publishing on Wednesday, 20, 2025, cybercriminals are also using Lovable to mimic logistics firms and payment services.

In June 2025, Proofpoint spotted a campaign impersonating UPS, with nearly 3,500 messages leading to a fake UPS website that harvested credit card details and personal information, then sent them directly to Telegram. The project template used for this scam was publicly “remixable” on Lovable, meaning anyone could adapt it for new attacks with little effort.

One campaign impersonated DeFi service Aave, tricking victims into connecting their wallets to fraudulent sites created through Lovable. Researchers also identified other cryptocurrency-themed apps built with the tool that appeared designed to steal credit card details or siphon funds from connected wallets.

****Not Just Phishing****

In July 2025, Proofpoint discovered a campaign in German that used Lovable to host a fake invoice download page. Victims who clicked the link were served a trojanized file loader that ultimately delivered the remote access trojan zgRAT. Similar campaigns were later observed in English with minor adjustments to target different organizations.

****Lovable Alerted****

Proofpoint disclosed its findings to Lovable, which responded by correlating the data with its own investigations. According to the company, one phishing cluster with hundreds of domains was taken down in the same week.

Lovable also said it has rolled out AI-driven safeguards, including real-time detection of malicious prompts and daily scanning of published projects, with additional protections for account abuse planned for later this year.

AI Website Builder Lovable Abused for Phishing and Malware Scams

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Phishing is no longer about badly written emails asking you to “click here.” Today’s attacks are business-grade, powered by AI and packaged in ready-to-use phishing kits. That means cybercriminals can now launch believable spearphishing campaigns in hours.

For companies, this raises the stakes. A single successful phishing email can expose confidential data, disrupt operations, and damage reputation. The question for managers is no longer whether phishing will target your organization, but how fast your team can detect and stop it.

****Why Modern Phishing is Harder to Catch****

Attackers have leveled up, and traditional filters struggle to keep up.

*   **AI-driven precision**: Attackers now generate flawless, personalized messages with no spelling or grammar mistakes, making them harder to spot by humans and machines.
*   **Phishkits for everyone**: These pre-built toolkits allow even inexperienced criminals to create convincing campaigns quickly.
*   **Advanced evasion**: Links hidden in QR codes, fake CAPTCHAs, and multi-step **redirect chains** slip past email filters and secure gateways.

Even well-equipped SOC teams find it challenging to separate real threats from the noise. And delays in detection create costly risks: longer investigation times, higher chances of compromise, and increased business impact.

****The Solution to Stopping Modern Phishing****

The most effective way companies are preventing data theft today is through interactive analysis. Unlike traditional tools that only scan for known indicators, interactive analysis simulates the entire attack journey as if a real user were engaging with the email or file.

This means hidden tricks, whether they involve layered redirects, fake login pages, or other evasive steps, are exposed in full. Security teams gain clear visibility into the entire execution chain, from the initial lure to the final payload.

Spearphishing attack caught inside ANY.RUN sandbox

That’s why more and more organizations are turning to interactive sandboxes like ANY.RUN. They provide teams with the insight needed to understand exactly how an attack unfolds, making it possible to block threats before they lead to data loss.

Visibility is powerful, but what makes the difference for modern teams is **automation**. This is where sandboxes like ANY.RUN excel, turning interactive analysis into a fully automated process that integrates seamlessly with existing SOC stacks. 

Let’s look at how this works in practice with a real-world phishing attempt aimed at Hitachi Energy employees.

Real Case: A Multi-Stage Phishing Attack Against Hitachi

The attack began with what looked like a normal HR email from “Hitachi Energy”, asking employees to review a new company policy. Polished design, urgent tone, even a security reminder; everything about it was convincing enough to slip past traditional filters and catch employees off guard.

With the help of automation, ANY.RUN was able to fully unravel this attack in a safe environment.

Fast verdict of malicious behaviour with relevant tags exposed inside ANY.RUN sandbox

**Malicious PDF Detected**

The attachment appeared harmless but contained a QR code instead of a clickable link; a tactic specifically designed to evade email security systems. ANY.RUN’s sandbox automatically flagged the suspicious behavior.

QR code with a hidden malicious URL detected by ANY.RUN

This early detection helps prevent employees from unknowingly scanning QR codes that lead to hidden threats.

**Hidden Link Extraction**

Once automated interactivity was enabled, the sandbox scanned the QR code, extracted the hidden URL, and opened it inside a browser, continuing the attack chain without analyst involvement.

  
**Bypassing CAPTCHA**

The attackers added another layer of defense: a Cloudflare CAPTCHA, meant to stop automated tools. ANY.RUN solved it automatically, just like a human would, and continued the investigation.

CAPTCHA verified automatically, saving time and effort

As a result, security teams don’t get stuck at roadblocks, saving hours of manual testing and guaranteeing deeper visibility.

**Credential Harvesting Page Exposed**

The final stop was a fake Microsoft login page, designed to steal employee credentials. A well-crafted replica that many people would likely trust. By exposing the fake login page safely, the sandbox provided teams with a clear malicious verdict before any real credentials could be compromised.

Fake Microsoft page designed to steal credentials

**IOC Collection and Reporting**

Along the way, ANY.RUN gathered all IOCs (indicators of compromise), mapped the attacker’s processes, and generated a detailed report ready for sharing across the SOC.

Well-structured report for sharing between team members

These IOCs can be fed directly into SIEM/SOAR systems to strengthen detection rules, train employees, and build a strategy that prevents similar data theft attempts in the future.

****How Automation Strengthens Phishing Response****

Modern phishing campaigns aren’t just technical challenges but also operational ones. Attacks like the Hitachi case are designed to drain time, mislead staff, and slip through traditional defenses. Automation changes the equation, giving organizations the ability to handle phishing with speed and confidence.

*   **Faster, Reliable Decisions:** Move from a suspicious email to a clear, evidence-backed verdict in minutes. Faster decisions mean less downtime, lower risk of data theft, and reduced financial exposure.
*   **Reduced Operational Costs:** With automation handling phishing detection end-to-end, fewer staff hours are wasted on repetitive checks. Your team can cover more ground without increasing headcount.
*   **Optimized Talent Use:** Junior staff can confidently handle phishing triage with automated support, while senior analysts dedicate their time to higher-value activities like threat hunting and strategy.
*   **Lower Business Risk:** By exposing full attack chains, including hidden redirects and fake login pages, managers get assurance that threats are caught before credentials or sensitive data are stolen.
*   **Proven Efficiency Gains:** Organizations using ANY.RUN have reported up to **3x faster phishing detection and response times**, translating to fewer escalations, stronger compliance, and lower incident costs.

****Expose Phishing Tricks Before Data is Stolen****

  
Phishing attacks are becoming harder to spot, but with ANY.RUN, organizations don’t have to rely on guesswork or slow manual checks. By automating interactive analysis, the sandbox reveals every hidden step, so teams can act before data is compromised. 

With clear reports, ready-to-use IOCs, and seamless SOC integration, ANY.RUN helps businesses cut investigation time, reduce analyst workload, and strengthen defenses where it matters most.

How to Automate Phishing Detection to Prevent Data Theft

Australian ISP iiNet confirms data breach as hackers stole 280,000 email accounts, phone numbers and user data using…

Australian ISP iiNet confirms data breach as hackers stole 280,000 email accounts, phone numbers and user data using stolen employee credentials, TPG says.

Australian internet provider iiNet has confirmed a data breach in its order management system, with parent company TPG Telecom reporting that customer information was accessed using stolen employee credentials.

The breach was detected on Saturday, 16 August 2025, after attackers used stolen employee credentials to gain access to the system. According to TPG, the information exposed was limited in scope compared with other recent corporate breaches, but the details are still sensitive enough to cause problems for customers.

Initial investigations show that around 280,000 active iiNet email addresses were exposed, along with 20,000 landline numbers and about 10,000 usernames, street addresses, and phone numbers. A smaller but significant set of roughly 1,700 modem setup passwords was also compromised.

While the company says that no financial records, identity documents, or payment details were included, cybersecurity experts warn that personal contact information is often valuable to criminals who launch phishing and social engineering attacks.

TPG Telecom said it acted quickly once the breach was confirmed. The company disabled the compromised accounts, brought in external security specialists, and informed the Australian Cyber Security Centre, the National Office of Cyber Security, and the Office of the Australian Information Commissioner. This shows the seriousness of the case, since coordination with government agencies is only triggered in incidents considered significant.

If you are an iiNet customer, change any passwords linked to iiNet services, especially if the same credentials are used across multiple platforms. Remain alert for suspicious emails or calls that may try to exploit the exposed information.

****Second TGP Data Breach Since 2022****

This is not the first time TPG and iiNet have faced cybersecurity incidents. In December 2022, as reported by Hackread.com, hackers breached TPG Telecom’s email service and accessed client data.

This incident adds iiNet to the growing list of Australian companies that have been hit by cyberattacks in recent years. In September 2022, Optus, the country’s second-largest telecom firm, suffered a data breach that exposed the personal details of millions of customers. The incident also led the company to issue a public apology.

TPG has begun notifying both impacted and non-impacted customers as a precaution, offering resources to help them secure their accounts.

Australian ISP iiNet Reports Data Breach, Customer Accounts Stolen

Citizen Lab’s new report, Hidden Links, uncovers a network of VPN providers like Turbo VPN and VPN Monster…

Citizen Lab’s new report, Hidden Links, uncovers a network of VPN providers like Turbo VPN and VPN Monster that are controlled by a single company and use dangerous security practices, including hard-coded passwords and weak encryption.

A new research paper titled “Hidden Links: Analyzing Secret Families of VPN Apps” has exposed how some popular Virtual Private Network (VPN) providers intentionally hide their true ownership and share security flaws.

The paper was co-authored by Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah Crandall and published by Citizen Lab. Their study involved a deep analysis of apps from the Google Play Store, looking at everything from code similarities and network communications to business filings.

Researchers identified three families of VPNs that are secretly operated by the same entity. The most notable group includes Innovative Connecting, Autumn Breeze, and Lemon Clove, which have over 700 million downloads combined.

These companies distribute apps such as Turbo VPN, VPN Monster, and Snap VPN, and are linked to a Chinese national security firm, Qihoo 360, which has been sanctioned by the US government.

It is worth noting that Turbo VPN and Snap VPN were also named in the Tech Transparency Project’s June 2025 report, which cited national security concerns related to the possibility of these VPNs transferring US data to China.

A second family of providers, with over 380 million downloads, included MATRIX MOBILE PTE LTD and ForeRaya Technology Limited. A third family included Fast Potato Pte. Ltd and Free Connected Limited.

Further probing revealed that many of these VPNs use a specific technology called Shadowsocks, which was originally created to bypass internet censorship in China, not to provide privacy. The apps used outdated and unsafe methods for encryption, making them easier to hack. Some apps were also caught collecting a user’s location and sending it to a server, even though their privacy policies promised they wouldn’t.

Another key finding (PDF)was that these apps share not only code but also serious security vulnerabilities. For example, two of the families used a single, hard-coded password for their VPN apps. For your information, a hard-coded password is a secret key permanently built into an app, which means it’s the same for every single user. This allows anyone who discovers the password to decrypt the traffic of all users of that app, making their private information visible to eavesdroppers.

Researchers were able to use these shared passwords to confirm that different-looking VPN services were actually sharing the same servers. They also noted three other apps from VPN Super Inc., Miczon LLC, and Secure Signal Inc. that did not appear to have these hidden links.

Nonetheless, the shared security flaws mean that if one app in a family is vulnerable, so are all the others. These findings highlight that what appear to be distinct VPN apps are often part of a single, malicious network, putting millions of users at risk.

This is why it’s so important for users to know who is really behind their VPN service. The study emphasizes the critical need for transparency from VPN providers and calls on app stores like Google Play to improve how they verify the identity of app developers and audit app security.

Citizen Lab Reports Hidden VPN Networks Sharing Ownership and Security Flaws

The UK’s South Yorkshire Police lost 96,000 bodycam videos in a data transfer mishap, impacting 126 cases. Poor…

The UK’s South Yorkshire Police lost 96,000 bodycam videos in a data transfer mishap, impacting 126 cases. Poor backups and IT failures led to the deletion.

South Yorkshire Police (SYP) has been officially reprimanded by the Information Commissioner’s Office (ICO) after an investigation revealed the force deleted over 96,000 pieces of body-worn video (BWV) evidence. The incident, which happened on July 26, 2023, was a result of serious failures in the force’s IT systems and record-keeping.

In its official statement, the ICO, the UK’s data protection regulator, announced it had reprimanded SYP because the force “did not have the appropriate technical and organisational measures in place to keep the evidence secure.”

The investigation highlighted several key issues, including a delay in creating IT backup policies and poor record-keeping, which made it impossible for SYP to confirm exactly how many videos were permanently lost.

****How the Data Was Lost****

The issue started in May 2023 after an IT system upgrade. The main system, which officers used to upload their BWV footage, began to struggle with the data. To fix this, a temporary solution was put in place where the videos were stored on a local drive.

However, a few months later, on August 7, 2023, an SYP IT manager noticed a huge number of files were missing. A deeper inspection found that the mass deletion of 96,174 original video files had happened on July 26, 2023.

The deletion was part of a data transfer being done by a third-party company. While some of the footage had been copied to a new system (95,033 pieces), the police force’s poor record-keeping meant they couldn’t confirm exactly how many files were permanently lost.

An example of a South Yorkshire bodycam video

****Impact and Recommendations****

The lost data was connected to 126 criminal cases, but only three of those cases were directly affected. SYP stated that one case might have gone to court if the video evidence had been available.

The Information Commissioner’s Office has given SYP several recommendations to prevent this from happening again, including making sure they have a good backup solution and improving how they handle data with outside companies. SYP has since stated that they have implemented all of the recommendations.

According to Sally Anne Poole, the Head of Investigations at the ICO, this incident is a major lesson for all police forces using this type of technology. She emphasized that the public expects police forces to protect the personal information they handle. As Poole stated, “This incident highlights the importance of having detailed policies and procedures in place to mitigate against the loss of evidence.”

The full reprimand can be read here (PDF).

96,000 UK Police Bodycam Videos Lost After Data Transfer Mishap

Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks…

Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks exploiting a Windows zero-day.

Cybersecurity researchers at Microsoft discovered a new backdoor called PipeMagic while investigating attacks that abused a zero-day flaw in Windows CLFS (CVE-2025-29824). What makes this backdoor dangerous is how it poses as a legitimate open-source ChatGPT desktop application while delivering a framework for running ransomware operations.

PipeMagic relies on a modular design that loads different components as needed. These modules handle everything from command-and-control communication to payload execution, all while staying hidden through encrypted named pipes and in-memory operations. By separating its functions this way, the backdoor makes it far more difficult for defenders to detect or analyze.

It is worth noting that the ChatGPT Desktop project on GitHub mentioned by Microsoft (available here) is not malicious. What happened is that attackers used a trojanized copy of this app, since it’s open source, modified with hidden code, to deliver the PipeMagic backdoor. The legitimate version remains safe, but downloading from unofficial or compromised sites carries the risk of infection.

> _“The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.”_
> 
> Microsoft

****PipeMagic Attributed to Storm-2460****

Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. In recent campaigns, the group used it alongside CVE-2025-29824, a privilege escalation vulnerability, to move from initial access to ransomware deployment.

The attacks have not been limited to one industry or geography, with victims identified targeting financial and real estate organizations in the United States, Europe, South America, and the Middle East.

Researchers examining PipeMagic found that it manages payloads through a set of linked lists that act like internal queues. Some lists hold modules waiting to be executed, others manage network communication, while one list remains unexplained but appears to be used dynamically by loaded payloads. This structure allows Storm-2460 to update or replace components on the fly, giving them flexibility without having to redeploy the entire backdoor.

According to Microsoft’s long technical blog post, the communication layer of PipeMagic is equally sophisticated. Instead of connecting directly to its command server, the backdoor loads a dedicated networking module that establishes a WebSocket-style connection with its operators.

This design keeps network traffic isolated from the rest of the backdoor, limiting detection opportunities. Once a secure channel is active, PipeMagic sends detailed system information, including bot ID, domain details, process integrity, and user context, before receiving instructions on what modules to run or which data to exfiltrate.

Storm-2460 can also insert new modules, update existing ones, gather hashes, enumerate processes, and even rename the backdoor executable for self-deletion. Therefore, Microsoft has released detections across Microsoft Defender products and is urging organizations to review their security.

PipeMagic shows just how far backdoors have evolved. By using a zero-day exploit with a modular backdoor, Storm-2460 built a tool that easily bypasses detection. The full Microsoft analysis goes deep into its internal structures and also offers mitigation guidance.

Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft

Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links and…

Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links and DLL side-loading to steal data.

A new, highly advanced cyber threat is on the rise, using fake copyright claims to trick businesses into downloading dangerous software. According to a new report from cybersecurity firm Morphisec, this malware is an upgraded version of the Noodlophile Stealer, which is now targeting companies in the US, Europe, Baltic countries, and the Asia-Pacific region.

Morphisec’s latest threat analysis, exclusively shared with Hackread.com, describes how the threat has evolved from its earlier method of using fake AI platforms to a more sophisticated approach. The diagram illustrates the step-by-step process of the attack, from the initial lure to the final data theft.

Attack Flow (Source: Morphisec)

Researchers found that this new attack uses highly personalized phishing emails disguised as official copyright infringement notices. The messages, which can be in multiple languages, are sent to key employees or the general company inboxes and often contain specific details about the company’s Facebook page, such as its unique ID.

This makes the emails appear genuine and creates a sense of urgency. The goal is to pressure a recipient into clicking a link to “view evidence” of the supposed violation, which is actually a download link for the malicious software.

One of the phishing emails disguising itself as a legal notice (Image via Morphisec)

****Delivery Method****

According to Morphisec’s blog post shared with Hackread.com, published ahead of publishing on Monday, 18, 2025, instead of fake websites, the malware is delivered via a Dropbox link that downloads a compressed archive like a ZIP file. This archive contains a legitimate application that has been tampered with to load a hidden malicious file, a technique known as DLL side-loading.

This method tricks trusted software (like PDF readers) into unknowingly running the malware. The final malicious code is disguised and uses the messaging app Telegram to evade detection by security tools.

****Stolen Data and Future Threat****

Once executed, the malware focuses on stealing a wide range of sensitive data from web browsers, including login credentials, credit card numbers, and autofill information. It also collects computer details like usernames and operating system versions.

Researchers note that the malware’s code contains placeholder functions, indicating that its creators plan to add more dangerous capabilities in the future, such as keylogging and capturing screenshots.

A key part of the process is bypassing security features in browsers like Chrome, allowing it to steal saved login data. The process of getting the final malware onto the computer is also heavily disguised, with files renamed to look like documents or images.

Considering the evolving nature of this threat, businesses must carefully monitor suspicious emails and inspect even those that appear to be from a trusted source to protect their valuable data.

Fake Copyright Notices Drop New Noodlophile Stealer Variant

A cyberattack on Manpower’s Michigan office compromised data for 144,000 people. Meanwhile, Workday reveals a data breach in…

A cyberattack on Manpower’s Michigan office compromised data for 144,000 people. Meanwhile, Workday reveals a data breach in a widespread scam. Read about these incidents and the growing threat of social engineering.

Two major companies, global staffing agency Manpower and business software provider Workday, have recently disclosed that they were victims of cyberattacks. These separate incidents affected the personal information of thousands of individuals and highlight the growing threat of data breaches to both businesses and their customers.

****Manpower Breach****

Manpower, a leading staffing firm, announced that a cyberattack on one of its franchise offices in Lansing, Michigan, exposed the personal data of 144,189 people. The company discovered the unauthorized access on January 20th, 2025, after an IT outage.

A subsequent investigation found that a hacker had been in their network from late December 2024 to mid-January 2025. Although the company did not name the attackers, a group called RansomHub claimed responsibility for the breach.

While Manpower is a part of ManpowerGroup, a spokesperson confirmed that the franchise operates on its own data platform, making the incident isolated and not affecting the larger corporate network.

To help those affected, Manpower is providing free credit monitoring and identity theft protection for one year. The company has also informed the FBI and plans to cooperate fully in holding the culprits responsible.

****Workday Breach****

Separately, business software giant Workday revealed a data breach related to a third-party Customer Relationship Management (CRM) platform, a software used to manage customer interactions. The company stated that the breach was part of a “social engineering campaign” targeting many large organizations.

For your information, social engineering is a way of tricking people into giving up information, often by pretending to be someone trustworthy, like an IT person. In this case, hackers got access to basic business contact details like names, emails, and phone numbers. Workday says there’s no sign that customer data was accessed.

“There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future,” Workday’s statement reads.

The attack is similar to a wider series of breaches linked to the notorious ShinyHunters group. Hackread.com has previously covered this group’s activities, which have been targeting employees with fake calls, impersonating IT support to access corporate databases.

Its recent targets include well-known firms like Google, LVMH, Chanel, and Adidas. Google’s threat intelligence group, which had been investigating ShinyHunters, recently confirmed that their own Salesforce database was breached by the group.

Source

HackRead