New investigation exposes a China-based ring that sold over 6,500 fake United States and Canadian IDs using well-planned covert packaging. Learn how this operation threatens national security and enables financial crime.

A recent investigation by cybersecurity firm CloudSEK has exposed a major operation based in China that is selling high-quality, counterfeit US and Canadian driver’s licenses and Social Security cards. The company has dubbed the operation “ForgeCraft.”

According to the research white paper, which was shared with Hackread.com, the extensive network has already sold over 6,500 fake IDs to more than 4,500 buyers across North America, generating over $785,000 in revenue.

****Tactics and Consequences****

The investigation, led by CloudSEK’s STRIKE team, exposed a sophisticated operation. The group used a large network of over 83 websites to sell its products. The fake IDs were designed to look just like real documents, complete with scannable barcodes, holograms, and special UV markings.

Nearly 60% (3,800) of buyers were over the age of 25. A specific case study revealed a buyer who purchased 42 counterfeit commercial driver’s licenses linked to two trucking companies with a history of regulatory issues.

These fake IDs can now be used to put unauthorised drivers on the road, engage in illicit activities, pass banking verification, create social media accounts, and even bypass age verification measures to access restricted adult sites.

Currently, according to World Population Review’s data, several US states have either implemented or are in the process of implementing a UK-style online age verification system, and these fake ID cards can enable teens to bypass those restrictions.

The fake IDs also threaten national security by bypassing border and law enforcement checks, may enable financial fraud, including SIM swaps and account takeovers, and can be used to exploit election integrity through voter fraud.

Credit: CloudSEK

****Covert Delivery and Global Reach****

To avoid detection, the group used a clever method of “covert packaging” when shipping the fake IDs through major couriers like FedEx and USPS. The licenses were concealed inside everyday items like purses, toys, or within the layers of cardboard shipping boxes. CloudSEK researchers even obtained a tracking number for a package sent from China to Canada, confirming that the fake IDs were successfully delivered to customers.

To help buyers find the hidden documents, the group also provided tutorial videos on how to tear open the packaging and retrieve the cards. One such video led to an exact match with a customer’s details found in the group’s database, proving the network was active and fulfilling orders.

Social media platforms like TikTok, Facebook, Telegram, and YouTube were used to promote these services with ads that openly boasted about illegal uses like bypassing age restrictions or police checks. The counterfeit IDs were sold for as low as $65 each in bulk. The money was collected through various payment channels, including PayPal, LianLian Pay, and cryptocurrencies like Bitcoin and Ethereum.

Using a combination of human intelligence and online research, CloudSEK could pinpoint the main operator’s location in Xiamen, Fujian, China. Researchers even captured a facial image of the individual through their webcam.

Credit: CloudSEK

This detailed evidence has been shared with authorities in the hopes of disrupting the operation. The firm is urging law enforcement to seize the domains and encouraging courier services like FedEx and DHL to be more watchful in detecting the covert packaging methods.

Ibrahim Saify, a security analyst at CloudSEK, commented on the findings, stating, “This case demonstrates the critical importance of comprehensive threat intelligence in combating sophisticated criminal operations. Without visibility across social media, dark web, and infrastructure channels, investigations of this depth would be nearly impossible.”

Chinese Network Selling Thousands of Fake US and Canadian IDs

New York, New York, 19th September 2025, CyberNewsWire

**New York, New York, September 19th, 2025, CyberNewsWire**

**BreachLock**, the global leader in offensive security, has been recognized as a Sample Vendor for Penetration Testing as a Service (PTaaS) in the 2025 Gartner Hype Cycle for Application Security. The company was also recognized as a sample vendor for Adversarial Exposure Validation (AEV) in the Gartner report, “From Defense to Offense: How to Champion Proactive Cybersecurity.”

This recognition from Gartner, following BreachLock’s designation as a Sample Vendor in multiple other 2025 Hype Cycle reports earlier this year, underscores BreachLock’s commitment to delivering more scalable, flexible, and efficient penetration testing and offensive security solutions for modern security teams.

> Commenting on the recognition, BreachLock Founder & CEO, Seemant Sehgal, expressed, “It’s an honor to be recognized by Gartner so consistently over the years as BreachLock continues to innovate and raise the bar not only in penetration testing, but now in adversarial exposure validation.” He added, “Our growing impact and leadership in the market is a direct reflection of our team’s genuine passion for listening and adapting to our clients’ needs, whether it’s more flexibility, scalability, better vulnerability prioritization, support, or innovative new solutions.” 

BreachLock’s flexible PTaaS delivery model empowers enterprises to test their full-stack attack surface as broadly and frequently as needed, whether that’s periodically or continuously, by combining the power of human expertise, AI efficiency, and automated scalability into a single solution. With BreachLock PTaaS, security teams can identify their vulnerabilities in real-time, visualize attack paths, and easily prioritize remediation based on actual risk so they can be remediated faster and more effectively. 

BreachLock Adversarial Exposure Validation, its Gen AI-powered autonomous red teaming engine, enables enterprises to launch their own unlimited, multi-step attack scenarios in just a few clicks on demand or continuously. AEV thinks and moves like a real attacker, leveraging live threat intelligence, pivoting, and moving laterally to reveal where defenses succeed or fail. With BreachLock AEV, security teams can scale coverage without adding headcount and focus remediation efforts on validated risks that could lead to high-impact breaches. 

Gartner highlights in the Hype Cycle for Application Security that “PTaaS overlaps with adversarial exposure validation (AEV), which is an adjacent market, yet they are different in terms of adoption and operation. AEV focuses on continuous, real-world attack simulations, while PTaaS emphasizes human expertise and integration with development processes for on-demand or continuous testing,” citing this as an obstacle. While PTaaS and AEV are at different stages and do have some overlap, BreachLock offers both solutions in a single platform, simplifying adoption and implementation for customers. 

Looking ahead to the coming years, BreachLock will continue innovating in the offensive security space to help organizations take control of their attack surface, reduce operational complexity, and strengthen defenses as threats evolve. BreachLock remains committed to delivering forward-thinking solutions that empower security teams to safeguard their organizations with confidence. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

**About BreachLock**

BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered Attack Surface Management, Penetration Testing as a Service (PTaaS), Red Teaming, and Adversarial Exposure Validation (AEV) solutions that help security teams stay ahead of adversaries.

With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution.

**Contact**

**Senior Marketing Executive**  
**Megan Charrois**  
**BreachLock**  
**\[email protected\]**

BreachLock Named Sample Vendor for PTaaS and AEV in Two New 2025 Gartner® Reports

WatchGuard has issued a critical security alert for its Firebox firewalls due to a serious vulnerability, CVE-2025-9242. Learn what this 'out-of-bounds write' flaw means, which Fireware OS versions are affected, and the urgent steps to take to protect your network from remote attacks.

WatchGuard has released security updates to fix a high-risk vulnerability in its Firebox firewalls. This issue, CVE-2025-9242, could allow a remote attacker to take control of a device. The company is urging all users to update their systems right away to avoid potential attacks.

****What Is the Problem?****

This vulnerability is what’s known as an ‘out-of-bounds write’ weakness. Think of a computer’s memory as a series of boxes. An out-of-bounds write happens when a program tries to put data into a box it’s not supposed to, which can mess up the system.

In Firebox’s case, it could let a hacker run their own malicious code on the firewall without needing to be an authenticated user. This type of flaw is very serious because firewalls are meant to protect networks from outside threats. That’s why the issue has been given a high-risk score of 9.3 out of 10.

The problem affects a wide range of devices. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4\_Update1, 12.0 up to and including 12.11.3 and 2025.1. While the vulnerability is only present if a user had previously set up a certain type of VPN (Virtual Private Network) called IKEv2, WatchGuard says even if those settings were deleted, the device could still be at risk.

As WatchGuard stated in its advisory, “An Out-of-bounds Write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code.”

The affected products include the Firebox T15 and T35 models running Fireware OS 12.5.x, as well as numerous other models in the T, M, and Firebox Cloud series that run Fireware OS 12.x and 2025.1.x.

****What to Do Now****

Although there have been no known attacks using this weakness, the risk is real. Attackers often target firewalls because they are a key entry point to a network.

WatchGuard has already released fixes for this problem in several software updates, including versions 12.3.1\_Update3, 12.5.13, 12.11.4, and 2025.1.1. If you own a WatchGuard Firebox, you should check your device’s software version and install the latest update immediately. For users who can’t update right away, WatchGuard recommends a temporary fix by limiting how traffic can get to the VPN.

The company recognised a researcher named “btaol” for finding and reporting this issue.

Several cybersecurity experts weighed in on the seriousness of the issue and shared their thoughts with Hackread.com.

David Matalon, CEO at Venn, called the flaw a “reminder of just how much trust organisations place in perimeter defences.” He added that a layered approach is “critical to limiting the blast radius when vulnerabilities inevitably emerge.”

Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, highlighted the vulnerability’s persistence, noting that “even if vulnerable VPN configurations have been deleted, systems remain at risk.”

He also pointed out that, according to threat reports, many exploited vulnerabilities in 2025 affected “edge security and gateway products” because they offer an easy way for attackers to get into an organisation.

Frankie Sclafani, Director of Cybersecurity Enablement at Deepwatch, described the CVSS 9.3 score as “the cyber equivalent of a five-alarm fire.” He stressed that for an attacker, “compromising the firewall is the ultimate tactical win,” as it offers a perfect entry point into a network.

WatchGuard Issues Fix for 9.3-Rated Firebox Firewall Vulnerability

Now, especially in a very competitive environment, it is essential to make your name shine. Enterprise SEO solutions…

Now, especially in a very competitive environment, it is essential to make your name shine. Enterprise SEO solutions are crucial for boosting brand authority. Search engine optimisation (SEO) helps to attract more traffic to your content and build your business’s credibility to establish a strong foothold. In this post, we will discuss how these solutions help build brand authority and why you need them.

****The Fundamentals of Enterprise SEO****

Enterprise SEO is the process of optimising websites for complex organisations (depending on size or structure). It aims to rank multiple pages higher on search engines. However, enterprise SEO solutions consider the individual needs of larger organisations, whereas traditional SEO often focuses on smaller businesses. It comprises working in multiple domains or millions of pages and being in sync with your corporation’s objectives.

****Enhancing Online Visibility****

One of the biggest advantages of enterprise SEO is that it improves your business’s visibility online. Proper content optimisation with relevant keywords will ensure that a business website is ranked mostly at the top of the search results. This creates exposure and trust with potential customers. A brand appearing frequently in user searches creates a positive association and strengthens brand recognition.

****Building Trust and Credibility****

A brand’s content authority depends on trust and credibility. Enterprise SEO solutions assist in establishing this with relevant, valuable, and authoritative content. Posting high-quality content that answers users’ queries positions your brand as a reputable source. Search engines prioritise content like this, pushing it even higher in the rankings and visibility.

****Optimising User Experience****

Providing a high-quality user experience is vital for brand authority. Enterprise SEO improves website speed, mobile friendliness, and user navigation. A seamless experience encourages users to stay focused on the site and lessens bounce rates. Happy visitors are more likely to become repeat customers, enhancing brand credibility.

****Content Strategy and Creation****

Content lies at the centre of any SEO strategy. Enterprise search engine optimisation focuses on creating a content strategy aligned with business goals. This strategy involves researching topics that interest the audience and enjoyably providing quality content. Regularly putting out new updates/content ensures the audience keeps coming back for more.

****Leveraging Analytics for Improvement****

Analytics are a key component of enterprise SEO. With proper data analysis, businesses can find the room for improvement and change their strategies accordingly. By knowing what users like and dislike, how they behave, and what trending topics are in their world, content created can be much more focused. Continuously iterating and improving, thus keeping the brand on top of the game via a data-backed approach.

****Local SEO for Global Brands****

Many organisations are considered big and operate in more than one region. Enterprise SEO also includes local SEO, and you want potential customers to see you in specific areas. Optimised content for local audiences can help businesses connect with different customer bases. It enhances brand authority by showing that the company understands regional needs and preferences.

****Adapting to Algorithm Changes****

Search engines regularly update their algorithms, influencing rankings. Enterprise SEO solutions require keeping up with this and adjusting strategies. By being proactive, Businesses can retain their positions while continuing to build authority. This flexibility is vital for long-term success and staying relevant in the competition.

****Collaboration Across Departments****

This means enterprise SEO is not just a one- or two-person job; you must coordinate across departments. It also requires the collective efforts of marketing, IT, and content teams for overall strategic orientation. Such collaboration encourages innovation and efficiency and brings better results. Having an all-in-one strategy not only improves the brand’s authority but also ensures that every element of the business is in accordance with the goals of SEO.

Enterprise SEO Solutions are needed to enhance brand authority. Businesses leveraging visibility, credibility, and convenience through local SEO will strengthen their market share. This can be amplified even further with strategic content, analytics, and local SEO. Partnership and flexibility are the key factors for organisations to maintain their success and authenticity. Accepting enterprise SEO is more than a method; it is a pledge to excellence and market leadership.

(Image by Werner Moser from Pixabay)

How Enterprise SEO Solutions Improve Brand Authority

Two UK teens have been charged in connection with the TfL hack, as investigators link them to Scattered Spider cyberattacks and data breaches.

The cyberattack that disrupted Transport for London (TFL) websites and services in September 2024 has led to charges against two teenagers accused of working with the Scattered Spider hacking group.

Nineteen-year-old Thalha Jubair of East London and eighteen-year-old Owen Flowers of Walsall were arrested by the National Crime Agency on 16 September 2025 and brought before Westminster Magistrates’ Court. Prosecutors allege the pair conspired to breach TfL systems under the Computer Misuse Act, causing millions in damage and impacting parts of London’s critical infrastructure.

The incident did not stop the Underground from running, but it disrupted important services around it. Customers struggled to log into Oyster and contactless payment accounts, and third-party transit apps that rely on TfL’s APIs were knocked offline. Investigators estimate more than £30 million in costs so far, covering remediation, lost revenue, and security upgrades.

Roughly 5,000 Oyster users also had their personal information exposed, including bank details and contact records. TfL confirmed the data leak in its own disclosures, adding further weight to the charges against the accused.

TFL notification that was sent in September 2024

In its press release published today, the NCA described the probe as a “lengthy and complex investigation” in recent years. Paul Foster, deputy director of the agency’s National Cyber Crime Unit, said the attack “caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”

****Charges Against Jubair Detail Major Cybercrime Allegations****

According to a press release from the US Department of Justice, Jubair faces charges of conspiracy to commit computer fraud, wire fraud, and money laundering, linked to more than 120 network breaches and extortion schemes against 47 U.S. organisations. Prosecutors say the victims handed over at least $115 million in ransom payments.,

He also faces an additional charge for refusing to provide passwords or PINs to devices seized by investigators. That falls under the Regulation of Investigatory Powers Act, which compels suspects to disclose encryption keys or face prosecution.

Flowers is facing more than the London charges. Court documents also link him to cyberattacks on US healthcare providers SSM Health Care Corporation and Sutter Health. Those cases highlight the cross-border nature of Scattered Spider, a group already associated with high-profile ransomware and extortion campaigns in both North America and Europe.

****One More Arrest****

This is not the first arrest linked to the September 2024 TfL cyberattack. On September 12, 2024, the NCA announced the arrest of a teenager in Walsall, England, connected to the incident. However, the suspect’s name was not disclosed.

As for the latest arrests, the Crown Prosecution Service has said the evidence was strong enough to bring both men to court, stressing that it is in the public interest to pursue the case, given the damage to TfL and the risk to wider critical services.

Scattered Spider has gained a reputation over the past two years for sophisticated social engineering attacks, often targeting corporate IT staff through phishing and voice calls. Security analysts believe the group is made up largely of young hackers who collaborate loosely online, sometimes overlapping with other cybercriminal groups.

Nevertheless, these arrests and the age of alleged hackers align with the NCA’s February 2024 findings, which revealed that 1 in 5 youths in the United Kingdom engage in cybercrime. The agency disclosed that one in five children aged 10-16 in the UK have participated in online activities that violate the Computer Misuse Act.

Two UK Teenagers Charged Over TfL Hack Linked to Scattered Spider

Palo Alto, California, 18th September 2025, CyberNewsWire

**Palo Alto, California, September 18th, 2025, CyberNewsWire**

SquareX first discovered and disclosed Last Mile Reassembly attacks at DEF CON 32 last year, warning the security community of 20+ attacks that allow attackers to bypass all major SASE/SSE solutions and smuggle malware through the browser. Despite responsible disclosures to all major SASE/SSE providers, no vendor has made an official statement to warn its customers about the vulnerability in the past 13 months – until two weeks ago. 

As more attackers are leveraging Last Mile Reassembly techniques to exploit enterprises, SASE/SSE vendors are beginning to recognize that proxy solutions are no longer sufficient to protect against browser based attacks, with Palo Alto Networks being the first to publicly acknowledge that Secure Web Gateways are architecturally unable to defend against Last Mile Reassembly attacks. In the press release, Palo Alto Networks recognized the attack as “encrypted, evasive attacks that assemble inside the browser and bypass traditional secure web gateways.” The release also recognized that “the browser is becoming the new operating system for the enterprise, the primary interface for AI and cloud applications. Securing it is not optional.”

This marks a watershed moment in cybersecurity where a major incumbent SASE/SSE vendor publicly admits the fundamental limitations of Secure Web Gateways (SWGs) and acknowledges the critical importance of browser-native security solutions – exactly what SquareX has been advocating since pioneering this research.

**What are Last Mile Reassembly Attacks?**

Last Mile Reassembly attacks are a class of techniques that exploit architectural limitations of SWGs to smuggle malicious files through the proxy layer, only to be reassembled as functional malware in the victim’s browser. In one technique, attackers break the malware into different chunks. Individually, none of these chunks trigger a detection by SWGs. Once they bypass proxy inspection, the malware is then reassembled in the browser. 

In another example, attackers smuggle these malicious files via binary channels like WebRTC, gRPC and WebSockets. These are common communication channels used by web apps like video conferencing and streaming tools, but are completely unmonitored by SWGs. In fact, many SWGs publicly admit this on their website and recommend their customers disable these channels.

In total, there are over 20 such techniques that completely bypass SWGs. While Palo Alto Networks is the first to publicly admit this limitation, SquareX has demonstrated that all major SASE/SSE vendors are vulnerable and have been in touch with multiple solutions as part of responsible disclosures and to discuss alternative protection mechanisms. 

**Data Splicing Attacks: Exfiltrating Data with Last Mile Reassembly Techniques**

Since the discovery of Last Mile Reassembly Attacks, SquareX’s research team conducted further research to see how attackers can leverage these techniques to steal sensitive data. At BSides San Francisco this year, SquareX’s talk on Data Splicing Attacks demonstrated how similar techniques can be used by insider threats and attackers to share confidential files and copy-paste sensitive data in the browser, completely bypassing both endpoint DLP and cloud SASE/SSE DLP solutions. In fact, there has been an emergence of P2P file sharing sites that allow users to send any file with no DLP inspection.

**The Year of Browser Bugs: Pioneering Critical Browser Security Research**

As the browser becomes one of the most common initial access points for attackers, browser security research plays a critical role in understanding and defending against bleeding edge browser-based attacks. Inspired by the impact of Last Mile Reassembly, SquareX launched a research project called The Year of Browser Bugs, disclosing a major architectural vulnerability every month since January. Some seminal research include Polymorphic Extensions, a malicious extension that can silently impersonate password managers and crypto wallets to steal credentials/crypto and Passkeys Pwned, a major passkey implementation flaw disclosed at DEF CON 33 this year. 

> “Research has always been a core part of SquareX’s DNA. We believe that the only way to defend against bleeding edge attacks is to be one step ahead of attackers. In the past year alone, we’ve discovered over 10 zero day vulnerabilities in the browser, many of which we disclosed at major conferences like DEF CON and Black Hat due to the major threat it poses to organizations,” says Vivek Ramachandran, the Founder of SquareX, “Palo Alto Networks’ recognition of Last Mile Reassembly attacks represents a major shift in incumbent perspectives on browser security. At SquareX, research has continued to inform how we build browser-native defenses, allowing us to protect our customers against Last Mile Reassembly attacks and other novel browser-native attacks even before we disclosed the attack last year.”

As part of their mission to further browser security education, SquareX collaborated with CISOs from major enterprises like Campbell’s and Arista Networks to write The Browser Security Field Manual. Launched at Black Hat this year, the book serves as a technical guide for the cybersecurity practitioners to learn about bleeding edge attacks and mitigation techniques. 

**Fair Use Disclaimer**

This site may contain copyrighted materials (including but not limited to the recent press release by Palo Alto Networks dated September 4, 2025), the use of which has not always been specifically authorised by the copyright owner. Such materials are made available to advance understanding of issues related to Last Mile Reassembly attacks which shall constitute a “fair use” of any such copyrighted material as provided for under the applicable laws. If you wish to use copyrighted material from this site for purposes of your own that go beyond fair use, you must obtain permission from the respective copyright owner.

**About SquareX**

SquareX‘s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including Last Mile Reassembly Attacks, rogue AI agents, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience. Users can find out more about SquareX’s research-led innovation at www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Palo Alto Networks Acknowledges SquareX Research on Limitations of SWGs Against Last Mile Reassembly Attacks

Hackers are posing as Empire podcast hosts, tricking crypto influencers and developers with fake interview invites to deliver macOS AMOS Stealer malware.

A new phishing campaign is targeting developers and influencers in the crypto industry with fake interview requests that impersonate a popular Web3 podcast. The attackers pose as hosts, luring unsuspecting victims to websites mimicking platforms such as Streamyard and Huddle to distribute AMOS Stealer malware against macOS devices.

The latest scam surfaced only weeks after another scheme, reported in August 2025, where fraudsters posed as CoinMarketCap journalists to target crypto executives in a spear-phishing campaign.

****A fake podcast, real consequences**  **

José A. Gómez Ledesma, a threat intelligence analyst from Quetzal Team, originally identified a phishing campaign targeting influencers and developers in the crypto industry.  

The attackers impersonate hosts and producers of the popular Empire podcast,  approaching victims via social media DMs under the pretext of interviewing them about recent projects and market forecasts. Once engaged, they suggest interviewing Streamyard or Huddle, sharing links to phishing sites that mimic the chosen platform. 

When visiting the website, an error message is displayed saying something went wrong (either the browser is incompatible or it cannot connect to the platform) and that a desktop client should be downloaded and installed. A DMG (a macOS application installation disk) is then downloaded, posing as either Huddle or StreamYard. 

A fake Streamyard DMG Installer for Mac

****The Setup**  **

By installing the contents of the DMG, victims are actually infecting themselves with  AMOS (Atomic macOS) Stealer, a trending threat creatively distributed and previously seen posing as popular apps such as DeepSeek.  

The infection chain is quite elaborate, starting with the DMG installer, which invokes a Bash script heavily obfuscated with Base64. The encoded contents are deobfuscated, then XORed via Perl, and once again deobfuscated from Base64,  generating an AppleScript that is subsequently executed.  

A fake Huddle DMG Installer for Mac

This AppleScript simply looks for a hidden binary inside the volume named .Huddle or .Streamyard (Note the leading period, which denotes a hidden file in Unix systems.) This file is, in fact, the AMOS Stealer sample. 

****The Afermath**  **

By becoming infected with AMOS (or with virtually any information-stealer), victims place their digital lives in the hands of organised criminals. From banking apps to gaming accounts, login artefacts such as credentials and cookies are sold to the highest bidder, often for a surprisingly low price. 

Some old advice still holds true when browsing the internet: do not download anything you see, and be cautious when dealing with strangers. You could end up with an unpleasant surprise. 

Malicious Apple Script Loader

****IOCs and Summary**  **

    URL: streamyard.ai 
    
    SHA256:69b859db7397a04bb1f1c2ff9d987686b5ce0c64ec8fc716c783ed6dd755e291 SHA256:c275252592228b51b3934a9b3932d269c2f9132caad5f51ae54216ec147a8834     
    
    URL: https://x.com/BillyBitcoins 
    
    Domain: streamyard.ai 
    
    Domain: huddle01.com 
    
    URL: huddle01.com 
    
    SHA256:f7d138a4fa15215c4e747449f31b2b6b6726aed00a9cc9e3ec830df366c1437f     SHA256:af4ba47f760ae08bce49c7b7c16e9dcff7df7eff53f27abc0c2a1eee1cea6085       
    
    FilePath: Huddle.Iwv 
    
    FilePath: Streamyard.ZTz 
    
    SHA256:9665dac619c7d17a2fafd32f2df77f27dc39135d31235a748bd95ac137005e9b       SHA256:f7fe593806aa2b2486e2052c582b1b8423b2455bf9392fa42b1d2cb6d98ca897
    
    

****References**  **

Original Intelligence Pulse: https://otx.alienvault.com/pulse/68c99d5ca31f8adcc38d0637

Fake Empire Podcast Invites Target Crypto Industry with macOS AMOS Stealer

In the current cycle, Bitcoin has anchored most of the capital inflow. In 2025, 66% of investors selected…

In the current cycle, Bitcoin has anchored most of the capital inflow. In 2025, 66% of investors selected Bitcoin as their first digital purchase, driven by more global regulatory clarity and ease of access. With the cycle progressing and Bitcoin dominance falling below 58%, altcoins have gained momentum, with 73% of institutional investors now holding or allocating capital into them. This shift signals a growing trend among investors as they view altcoins as a diversifying strategy.

****Capital seeks higher returns****

Interest rate fluctuations are a primary driver for how institutions allocate capital towards risk on assets. Lower interest rates trigger higher investor risk appetite, as patterns indicate stronger inflows into digital assets. Notably, TOTAL3 has increased by 109.43% YoY, highlighting how altcoins often outperform Bitcoin as higher-beta assets during easing cycles.

Bitcoin dominance is showing signs of reversal as the altcoins market jumped from below 35% to 41% in early September, while Bitcoin’s dominance slid below 58% for the first time in 2025. Institutional inflows are reinforcing the trend as Ethereum ETFs attracted $3 billion in net flows in a single week.

The global M2 liquidity has expanded by $5.6 trillion in 2025, indicating a notable increase in global liquidity. Consequently, more capital is available for investment following monetary policy easing, with capital historically rotating into altcoins that can outperform Bitcoin up to 200%.

****Institutional Momentum Extends Beyond Bitcoin****

Institutional capital is no longer solely concentrated on Bitcoin. The existing cycle shows a growing institutional interest across multiple crypto verticals. Binance Research (PDF) has highlighted stronger performance in sectors such as DeFi, stablecoins, and RWA. At the same time, research on institutional adoption of DeFi emphasises that 24% of institutions currently engage with crypto products, and this number is expected to triple in the next two years.

DeFi recorded a 44.5% year-to-date gain, while stablecoin had a 38.6% increase. Both sectors outperformed Bitcoin’s YTD increase of 19.8% is illustrating why capital is shifting from Bitcoin towards altcoins and infrastructure. As Bitcoin dominance falls below 57%, institutions are diversifying by capitalising on the regulatory tailwind, indicating that institutional interest is no longer confined to a single asset.

Binance France President David Princay recently commented on a potential altcoin season, “If or when BTC prices plateau, institutions and corporations may look to diversify their crypto holdings further. It will be interesting to observe how an altcoin season unfolds in a more mature and regulated crypto market.”

Rising DEX volumes are an early indicator of investors pivoting their strategy to increase altcoin exposure. With many new tokens initially unavailable on centralised exchanges, DEXs capture dislocated liquidity by offering listings ahead of traditional platforms. DEX volumes doubled over the past year, with spot reaching 23.1% and futures climbing to 9.3%.

Additionally, DEX trading volumes reached a combined total of over $1.15 trillion in 2025. Similarly, Ethereum has reached an all-time high monthly DEX volume of $139.63 billion in August 2025, emphasising how investors seek DEXs as alternative trading infrastructures to access new assets.

Fee reductions on Ethereum have supported increased activity and reduced costs for DeFi users. The network has also enabled higher on-chain trading volumes, which more than doubled in 2025 while centralised exchange activity declined. Growing on-chain metrics emphasise the structural shift toward decentralised infrastructure as a driver of market activity.

****On-Chain Lending Moves From Growth to Utilisation****

On-chain data illustrate that DeFi protocols are continuing to grow in value. Total value locked (TVL) on lending increased by 65% to $79.8B for the first time, with investors identifying new opportunities to deploy capital towards on-chain lending.

Larger protocols such as AAVE are capturing the growth with half of the on-chain lending market –  $39.9 billion. Ethereum’s DeFi TVL has expanded from $54 billion to over $97 billion while total staked ETH neared 35.8 million ETH. The Paceta accelerated this trend by increasing the validators’ stake from 32 ETH to 2,048 ETH, prompting entities to allocate capital and capitalise on the opportunities.

Regulatory clarity helped drive demand for DeFi products. The SEC’s announcement not to classify liquid staking as a security prompted positive institutional momentum. According to DeFi Llama, total liquid staking increased by 103% year-over-year, reflecting growing institutional demand for deploying altcoins to generate reliable yields.

Such developments underline DeFi’s role in evolving beyond deposit and towards active use cases. Stablecoin deposits on exchanges climbed to an all-time high of $68 billion, indicating available capital for potential deployment from retail and institutional investors towards digital assets.

****Wrap Up****

As Bitcoin’s dominance continues to ease, the rise of altcoins underscores a broader maturation of the digital asset market. What was once seen as a speculative corner of crypto is now attracting serious institutional attention, reshaping portfolio strategies in the process.

If the trend continues, altcoins may move beyond being seen as just “alternatives” to Bitcoin. Instead, they could become core pieces of diversified crypto strategies, signalling a shift in how investors approach the next phase of the digital economy.

(Image by Igor Schubin from Pixabay)

Shifting Tides: Investors Pivot Toward Altcoins Amid Bitcoin Slowdown

Infoblox links Vane Viper to PropellerAds, exposing a global malvertising network posing as adtech while spreading malware and running online scams.

Cybersecurity firm Infoblox says it has discovered “Vane Viper,” a massive online ad network that posed as a legitimate business while running global scams and spreading malware.

Linked to **previously reported** PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date.

Infoblox Threat Intel tracked Vane Viper for more than three years and found that domains linked to the operation appeared in about half of its customer networks. Some of those domains ranked among the world’s top 10,000 websites, with one tracking domain even breaking into the top 1,000.

According to Infoblox’s investigation shared with Hackread.com, PropellerAds was not simply a victim of abuse by bad actors but was actively delivering malware itself. During testing, Infoblox researchers followed links from Vane Viper’s traffic distribution system and received direct malware payloads from PropellerAds. That evidence, Infoblox argues, proves complicity rather than negligence.

> _“Although PropellerAds has been implicated in malvertising campaigns by others in the past, proving that they have crossed the line from abused service to complicit enabler has been challenging. We didn’t come to our conclusions lightly.”_
> 
> _“We found compelling evidence that not only has PropellerAds turned a “blind eye” to criminal abuse of their platform, but indicators described below suggest – with moderate-to-high confidence – that several ad-fraud campaigns originated from infrastructure attributed to PropellerAds.”_
> 
> Infoblox Threat Intel

Infoblox ALSO observed more than one trillion DNS queries linked to its infrastructure in the past year, spread across more than 60,000 domains. Many of these domains are short-lived, active for only days, while others remain live for years to support ongoing campaigns. The group uses bulk domain registrations, **push notification abuse and cloaking** to keep operations alive while evading takedowns.

The investigation also connects Vane Viper to Webzilla and XBT Holdings, companies previously cited in **Russia’s Methbot (aka Boaxxe and Miuref) ad fraud**, disinformation efforts, and piracy platforms.

Additionally, corporate records show layers of offshore registrations and opaque ownership, with links to Russian nationals, gambling enterprises, and adult content businesses. These overlapping connections, Infoblox says, create “plausible deniability” that shields the operation from accountability.

A look at the main companies and individuals connected to the Vane Viper network, and the roles they play in the operation (Image credit: Infoblox)

This isn’t the first large-scale adtech-linked threat group Infoblox has reported on. Last month, the company profiled **VexTrio**, another operation that surfaced in 2015 under similar circumstances. Like Vane Viper, it operates as a cluster of adtech companies run by Russian speakers and has built traffic distribution systems that double as malware delivery engines.

“Cybercriminals aren’t just exploiting adtech platforms,” said Dr. **Renée Burton**, VP of Threat Intel at Infoblox. “Sometimes, they are the adtech platforms.”

Advertisers and publishers should take Infoblox’s findings as a warning to carefully vet the ad networks they work with. For everyday users, the advice is simpler but just as important: be cautious about clicking links or ads on unfamiliar or untrusted sites.

Infoblox’s **full report**, including technical details and domain data, is available through its threat intel team.

Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams

New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it's a growing risk for everyday users.

A new sneaky type of malware, known as Raven Stealer, has been identified by the Lat61 Threat Intelligence Team at Point Wild. The research team, led by Onkar R. Sonawane, have found that this simple-looking program is surprisingly good at staying hidden while it steals your personal information. The research, which was shared with Hackread.com, shows that the malware is primarily spread through underground forums and bundled with pirated software.

Built using the programming languages Delphi and C++, Raven Stealer is designed to be small and quick. It works by quietly getting into your computer, where its payload (the part of the malware that does the actual harm) goes to work.

The payload targets popular web browsers like Chrome and Edge to grab things like your passwords, cookies, payment details, and other information you’ve saved. What makes it particularly tricky is that it can send this stolen information directly to a cybercriminal using a Telegram messaging bot. This means the bad guys get your data in real-time.

Attack flow, the UI of the file and the generated payload (Image Credit: Point Wild)

****How It Works****

Point Wild’s report explains that Raven Stealer uses a clever trick called process hollowing to avoid being caught by traditional antivirus programs. This means, instead of leaving a file on your computer’s hard drive, it works entirely within your computer’s memory, pretending to be a regular browser program. It’s like a car thief hollowing out a car and putting a different engine in it, so it looks normal from the outside but is used for something else entirely. This technique makes it tough for security software to spot it.

The malware’s creator used a simple builder program to create the attack file, which hides an encrypted “payload” inside and gives it a unique name to avoid detection. Once on an infected computer, it gathers a screenshot and stolen data into a ZIP file, then tries to send it to the attacker via Telegram. Although this transmission failed in testing due to a Telegram bot token problem, the threat of data theft remains.

****Protecting Yourself****

To keep your personal information safe from threats like this, always use up-to-date antivirus software with real-time protection and avoid downloading pirated programs. It’s also wise to be careful about clicking on suspicious links or attachments.

As Dr. Zulfikar Ramzan, CTO of Point Wild and Head of the Lat61 Threat Intelligence Team, explains, “Raven Stealer shows how commodity malware is evolving – stealing credentials, cookies, and payment data while hiding its tracks through in-memory execution and Telegram exfiltration. It’s a reminder that attackers are packaging advanced techniques into tools that even low-skilled actors can use.”

Source

HackRead