eSentire TRU analyses the new DarkCloud V4.2 infostealer, rewritten in VB6. Find out how the malware steals browser data, crypto, and contacts via targeted phishing.

A recent security research from eSentire’s Threat Response Unit (TRU) has revealed the sudden rise of a dangerous information-stealing malware (Infostealer) known as DarkCloud, which cybercriminals are using to grab private data.

TRU Researchers discovered the latest version of DarkCloud Infostealer, version 4.2, during an attempted attack in September 2025 against their customer in the manufacturing industry.

DarkCloud is not new, but it has been completely rewritten using a programming language called VB6. It used to be sold on the Russian cybercrime forum XSS.is, which was shut down by law enforcement back in July 2025.

As Hackread.com reported at the time, the site was seized on July 23, 2025, after authorities arrested a suspected administrator in Ukraine. However, by July 24, the XSS forum was confirmed to be back online using its mirror and .onion domains.

Today, the malware is sold on its own website, darkcloud(.)onlinewebshop(.)net, and is also offered through the messaging app Telegram by a user known as @BluCoder.

DarkCloud website (Source: eSentire)

****Phishing Lure****

eSentire TRU explained that the attack began with a phishing email that looked like it was about financial information and had a malicious compressed file attached. The email was sent by “procure@bmuxitq(.)shop” and was themed with the subject “Swift Message MT103 Addiko Bank ad: FT2521935SVT.” The malicious compressed file attached was named “Swift Message MT103 FT2521935SVT.zip.”

Malicious email (Source: eSentire)

This shows that “phishing emails continue to remain a key vector for malware distribution,” researchers noted in the blog post shared with Hackread.com. This means that these fake emails are still one of the main ways this software gets onto a system. Researchers caught the spam emails and stopped the DarkCloud Infostealer delivery for their client in September 2025.

****What Does DarkCloud Infostealer Steal?****

This malware is designed to steal various kinds of sensitive information. This includes browser passwords, credit card numbers, website cookies, login details for FTP, what you type (keystrokes), and even content from your clipboard.

It also targets files such as documents and spreadsheets (including extensions like .txt, .pdf, .doc, and .xls), cryptocurrency wallets, and extracts contact information from email clients, including Thunderbird, MailMaster, and eM Client. All of this stolen data is then sent to the criminals using channels like Telegram, FTP, email, or even a Web Panel using PHP scripts.

****Fight DarkCloud Infostealer****

eSentire TRU has not only analysed the threat but also released two helpful programs to help other security researchers. One tool can pull out the setup details of the malware, and the other is a Python-based script that can unjumble its secret code. To protect yourself from threats like this, researchers recommend using email protection that blocks suspicious files like compressed folders with executable programs inside.

DarkCloud Infostealer Relaunched to Grab Credentials, Crypto and Contacts

As the digital asset market matures and regulators worldwide work to set clear standards, one fact has become…

As the digital asset market matures and regulators worldwide work to set clear standards, one fact has become obvious: Compliance is not a burden; it is a business advantage. For cryptocurrency entrepreneurs, the choice of jurisdiction can determine how quickly you scale, how confidently you attract capital, and how much trust you earn. Increasingly, many find that the smart move is Canada.

****Why Canada Stands Out****

Launching a crypto venture often feels like navigating an obstacle course. In some regions, rules are unclear, regulators remain distant, and even basic tasks like opening a bank account can be a struggle. Canada offers a different experience.

*   **Clear but adaptable rules** – Its licensing framework is rigorous enough to inspire confidence while remaining flexible enough to adjust as technology evolves.

*   **Constructive regulator dialogue** – Authorities are known to engage with businesses, shaping policy around operational realities rather than imposing outdated rules.

This balanced approach has earned Canada a reputation as one of the most credible and forward-looking jurisdictions for digital assets. Entrepreneurs spend less time guessing what regulators expect and more time building.

****Turning Compliance Into an Edge****

Scepticism around crypto is still widespread. Investors hesitate, banks remain cautious, and potential partners demand reassurance. A Canadian crypto license cuts through that hesitation and demonstrates trustworthiness.

That credibility brings tangible benefits:

*   **Banking access** – Licensed operators are more likely to secure accounts and relationships that remain out of reach for unlicensed startups.

*   **Investor confidence** – Institutional capital flows more easily toward regulated businesses, from venture firms to corporate treasuries.

*   **Market trust** – A license signals to partners and users alike that the business is built for the long term.

****Scaling in a Sophisticated Market****

Canada is not just regulation-friendly, it is also a prime market in its own right. As the world’s tenth-largest economy, with a digitally savvy population and a thriving fintech ecosystem, it provides a strong base of engaged users.

For many companies, a Canadian license becomes a springboard into North America and other global markets. The process is often more streamlined and cost-effective than in competing jurisdictions, which means faster entry and fewer delays. In an industry where every month of waiting is a lost chance for growth, speed matters.

****Staying Ahead of Global Regulation****

From Europe to Asia to the Americas, new digital asset rules are being introduced, many of them echoing Canada’s measured approach. By getting licensed in Canada, businesses align early with the direction global regulation is heading.

Advantages include:

*   **Established regulator relationships** – Channels of communication that make adapting to new frameworks smoother.

*   **Defined boundaries** – Clear compliance standards reduce the risk of sudden, disruptive enforcement.

While competitors scramble to interpret shifting rules, licensed operators in Canada move forward with certainty.

****The Real Risk: Inaction****

For crypto entrepreneurs, the greatest risk is not regulation but waiting too long to engage with it. Without a license, obstacles multiply: banks decline accounts, investors hesitate, and partners gravitate toward more credible competitors.

A Canadian crypto license offers what businesses need most today: trust, access, and a platform for sustainable growth.

****Final Word****

Compliance has moved from a checkbox to a competitive advantage. Canada has built one of the world’s most supportive regulatory environments for cryptocurrency, giving entrepreneurs the clarity, credibility, and reach to succeed on a global stage.

For those serious about building ventures that last, Canada is more than a safe choice; it is a strategic one. Now is the time to act and secure the foundation that separates businesses that scale from those that stall.

(Image by WorldSpectrum from Pixabay)

Accelerate Crypto Success: Why a Canadian Crypto License Is Your Launchpad to Growth

Singapore, Singapore, 29th September 2025, CyberNewsWire

**Singapore, Singapore, September 29th, 2025, CyberNewsWire**

*   Analyzing over 14 billion cyber-attack records daily, ThreatBook ATI is a global solution enriched with granular, local insights; and can offer organizations a truly APAC perspective.
*   Boasting low false positive rates, the solution is highly compatible with existing security stacks.
*   ThreatBook ATI provides actionable insights for threat detection and response, enabling organizations to accelerate their intelligence analysis, and make more informed decisions. 

ThreatBook, a global leader in cyber threat intelligence, detection and response, today announced the worldwide launch of ThreatBook Advanced Threat Intelligence (“ThreatBook ATI”). Spearheaded from its offices in Singapore and Hong Kong, the new service offers unique industry insights for threat intelligence platforms (TIPs), security operation centers (SOCs) and cybersecurity analysts globally.

Of note, ThreatBook ATI is able to capture new, difficult-to-detect threats emanating from within Asia, where coverage from many global vendors remains limited. It is also able to better identify Western attackers targeting Asian organizations as well. ThreatBook ATI’s capabilities are particularly timely, with 34% of cyber-attacks worldwide taking place within the Asia Pacific (APAC).

A further noteworthy feature of ThreatBook ATI are its low false positive rates. ThreatBook’s proprietary intelligence collection systems, which operate globally and in real time, employs dozens of analysis engines to deeply mine enormous raw datasets. False positives are filtered through AI-based models, followed by cross-verification by professional security analysts. ATI also applies AI to classify and label threat reports, transforming unstructured intelligence into structured insights, and features a built-in assistant that can rapidly correlate data to answer analysts’ questions. This layered process ensures the intelligence remains highly accurate and reliable. Over 14 billion attack records are identified daily, including over 80 million malicious inbound internet protocols (IPs), more than six billion malware files, over 7,000 high risk vulnerabilities, and more than 600 zero-day vulnerabilities. 

> “With several billion attack records from all corners of the world analyzed daily, ThreatBook ATI is a truly global solution enriched with granular, local insights,” said Mr. Feng XUE, Chief Executive Officer of ThreatBook.

> “We are of the opinion that Asia Pacific-centric threat intelligence matters, as tactics, techniques, and procedures (TTPs), tooling, language, command and control (C&C) infrastructure, and targeting patterns differ by region – and ATI can offer organizations a truly APAC perspective. We have a track record of exclusive discovery when it comes to cybercriminals, including advanced persistent threat (APT) groups; and at the end of the day, local context quickens threat detection and reduces dwell time.”

Integration with existing security stacks is key. Studies repeatedly find that a single unified platform, which provides a centralized view of cyber risks across the entire organization, is a priority for cybersecurity teams around the world. ThreatBook ATI is highly compatible with existing security stacks. Its output is available in both machine-readable and human-readable formats, making integration straight-forward.

Customer access is hassle-free. For TIPs, ThreatBook ATI can be purchased through platform marketplaces, or can be integrated through feeds or application programming interfaces (APIs). For SOCs, ThreatBook ATI feeds integrate easily with security information and event management (SIEM) solutions, firewalls and other security tools. While for cybersecurity analysts, ThreatBook ATI is accessible globally via a web portal.

> “High quality threat intelligence enhances existing security tools, which often rely on vulnerable rule-based signals, making them more reliable and accurate, and leading to less false positives across the stack,” added Mr. Xue. “By providing actionable insights for threat detection and response, organizations are able to accelerate their intelligence analysis, and make more informed decisions to better manage today’s myriad of cyber risks.”

ThreatBook ATI is a timely addition to the company’s acclaimed suite of cybersecurity solutions. Since 2015, thousands of enterprise organizations globally have placed their trust in Threatbook across the entire threat lifecycle — from detection to analysis, response and protection; all powered by the company’s proprietary intelligence core.

In 2025 alone, leading analyst firms have recognized ThreatBook, featuring the company in Forrester’s Network Analysis And Visibility Solutions Landscape, Q2 2025 report, and the inaugural Gartner Magic Quadrant for Network Detection and Response (NDR). In both instances, ThreatBook was one of a limited number of vendors recognized.

**About ThreatBook**

ThreatBook is a global cybersecurity company specializing in advanced threat intelligence, detection, and response. Founded in 2015, ThreatBook equips enterprises, governments, and service providers with the clarity and context needed to defend against evolving digital risks.

By combining artificial intelligence with deep threat intelligence, ThreatBook delivers real-time visibility, hyper-accurate detections, and early-warning insights against nation-state actors, cybercriminal groups, and emerging attack campaigns. With unique vantage points from across the Asia Pacific region and beyond, ThreatBook provides intelligence coverage that bridges Eastern and Western threat landscapes, offering an unmatched perspective for global defenders.

ThreatBook: Act with Intelligence that Matters. To learn more, users can visit www.threatbook.io or follow them on LinkedIn.

ThreatBook ATI is not available in mainland China.

https://www.ibm.com/thought-leadership/institute-business-value/report/2025-threat-intelligence-index

https://www.msspalert.com/native/the-strategic-shift-toward-unified-cybersecurity-platforms

**Contact**

**Belmont Communications on behalf of ThreatBook**  
**\[email protected\]**

ThreatBook Launches Best-of-Breed Advanced Threat Intelligence Solution

Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings.

The **Medusa** ransomware group is claiming responsibility for a ransomware attack on Comcast Corporation, a global media and technology company best known for its broadband, television, and film businesses.

According to the group’s dark web leak site, they exfiltrated 834.4 gigabytes of data and are demanding $1.2 million for interested buyers to download it. The same sum has been set as ransom for Comcast if the company wants the data deleted rather than leaked or sold.

To back its claims, Medusa has posted around 20 screenshots allegedly showing internal Comcast files. The group also shared a massive file listing of 167,121 entries, suggesting access to actuarial reports, product management data, insurance modelling scripts, and claim analytics.

The sample paths include files such as Esur_rerating_verification.xlsx, Claim Data Specifications.xlsm, and Python, as well as SQL scripts related to auto premium impact analysis.

Medusa Ransomware group’s dark web leak site claiming Comcast as its victim – These claims were published on Friday, September 26, 2025 (Image credit: Hackread.com)

****Comcast and Cybersecurity****

For your information, Comcast owns NBCUniversal, which operates NBC, Telemundo, Universal Pictures, Sky (in Europe), and a wide range of TV networks, film studios, and streaming platforms like Peacock.

Although the company has not been in news over large-scale cyber attacks, a 2015 report published by Hackread.com revealed that over 200,000 Comcast user credentials were leaked on the dark web.

At the time, Comcast stated the data likely came from credential aggregation rather than a direct breach of its systems. The case underscored how previously exposed information can resurface years later, complicating efforts to separate legacy leaks from fresh intrusions.

Medusa ransomware is known for publishing file listings and partial screenshots as proof of compromise while holding back the bulk of the data to increase ransom pressure. In this case, the nature of the files points toward actuarial and financial datasets, some of which appear to involve insurance calculations, customer data processing, and claim management systems.

****Medusa Aims At Top American Firms****

Past Medusa incidents have shown that the group tends to release portions of data if demands are not met, increasing the pressure on victims to negotiate. The cyber criminal group has also been behind several high-profile attacks this year.

On April 8, 2025, the group announced it had **targeted NASCAR** with a $4 million ransom demand. That incident was later **confirmed** as a data breach in July 2025, showing the group had followed through on previous threats when negotiations failed.

At the time of writing, Comcast has not publicly confirmed or denied the breach. The company may face regulatory scrutiny if sensitive customer or financial data is involved, particularly given the sheer size of the alleged leak.

Hackread.com has reached out to Comcast for comment and will continue monitoring the situation for updates on the company’s response and any further releases from Medusa.

Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M

Hackers are sending fake invoice emails with malicious Office files that install the XWorm RAT on Windows systems, allowing full remote access and data theft. Learn how the shellcode and process injection are used to steal data, and how to stay safe from this persistent threat.

A new wave of email attacks is on the rise, tricking people with fake invoice documents to install the dangerous **XWorm RAT** (Remote Access Trojan), capable of quietly stealing sensitive information from your computer, reveals the latest research from Forcepoint X-Labs.

The scam starts with an email, often pretending to be about “Facturas pendientes de pago” (Pending Invoices for Payment) from someone named Brezo Sánchez. The email includes an attached Office file that has the extension .xlam.

X-Labs researchers mention that when you open the file, it may look blank or corrupted, but the damage has already started.

Malicious Email (Source: Forcepoint)

****Understanding the Attack Chain****

As we know it, cyberattacks generally follow a chain of steps, and this one is highly detailed. Inside the attached Office file is a hidden component called oleObject1.bin, which contains an encrypted code, called shellcode. This shellcode is a small program that immediately downloads the next part of the attack.

The shellcode reaches out to a specific web address, hxxp://alpinreisan1com/UXOexe, to download the main malicious program, an executable file named UXO.exe. This program then starts the second stage- loading another harmful DLL file into the computer’s memory (DriverFixPro.dll).

This loading happens using reflective DLL injection (a sneaky way to load a harmful program directly into the computer’s memory without saving it as a regular file first). This DLL ultimately performs a process injection, which involves forcing the malicious code to run inside a normal, harmless program on your computer. This final injected code belongs to the XWorm **RAT** family.

****XWorm: A Persistent Threat****

Forcepoint’s senior researcher, Prashant Kumar, explains in the **blog post** that XWorm’s capabilities allow it to take full **remote control** over an infected system, from stealing files to logging keystrokes.

Through process injection, the malware runs secretly within a trusted application and successfully maintains persistence while avoiding detection. Lastly, the XWorm program connects to a Command & Control (C2) server, specifically 158.94.209180, to send all the victim’s stolen data to the attackers.

This important research on the multi-stage attack was shared exclusively with Hackread.com. However, it is worth noting that this is not the first time the XWorm threat has been seen this year.

In January 2025, Hackread.com **reported** an XWorm campaign that compromised over 18,459 devices globally, stealing browser passwords and Discord tokens. Then, in March 2025, Veriti’s **research** revealed that XWorm was using trusted platforms like Amazon Web Services (AWS) S3 storage to distribute its harmful files.

To protect yourself from such attacks, be cautious with attachments, especially those ending in .xlam or .bin, verify unexpected invoices by calling the sender, and regularly update your operating system and security software.

Hackers Use Fake Invoices to Spread XWorm RAT via Office Files

Bitdefender warns that the TradingView Premium ad scam now targets Google ads and YouTube, hijacking verified channels to spread spyware.

A malicious advertising campaign that has been tricking content creators and unsuspecting users into downloading harmful software by offering “free access” to TradingView Premium has dramatically expanded its operations, security researchers warn.

This ongoing campaign, tracked by Bitdefender Labs for the past year, has reportedly moved from Meta’s Facebook Ads to appear across both Google Ads and YouTube, putting many more users at risk.

This campaign was previously reported by Hackread.com for exploiting Facebook Ads using fake crypto sites and celebrity images to spread malware, but has now evolved its tactics.

****How the Scam Works****

Research reveals that the cyber criminals behind this attack are highly organised, using over 500 different website addresses and publishing thousands of malicious ads every day in different languages (mostly English, Vietnamese and Thai).

They run their ads by taking control of legitimate, verified business accounts on Google and YouTube, including the hijacked Google advertiser account of a design agency in Norway. For your information, TradingView Premium is a paid service that offers advanced tools and features for financial trading analysis.

Fake ad and the hijacked accounts used in the attack (Via Bitdefender Labs)

To appear real, the scammers hijack a verified YouTube channel, delete all its original content, and rebrand it to look exactly like the official TradingView page, including the correct logos and banner art. They even copy playlists from the real channel so that the fake one appears active, abusing the verified badge to trick users into assuming authenticity.

They then use paid ads to push special videos that are hidden from public view, called unlisted videos, to avoid detection. One such video, titled “Free TradingView Premium – Secret Method They Don’t Want You to Know,” gathered over 182,000 views in just a few days through this aggressive advertising.

However, close inspection reveals red flags, such as a different channel handle (not @TradingView) and a low overall registered view count, which would be impossible for the popular trading platform.

Attack Flow (Image Credit: Bitdefender Labs)

****The Threat****

This campaign’s core objective seems to be to get users to download a dangerous file disguised as the free premium app. This file is actually a type of spyware called Trojan.Agent.GOSL, which can remotely control a victim’s computer. This program is designed to steal highly sensitive information, including passwords, personal data, and cryptocurrency wallet details.

Shared with Hackread.com, this research warns content creators that having their business accounts compromised not only damages their reputation but also allows scammers to take over the connected, verified YouTube channel and use it as a weapon.

That’s why you should always download software from official websites. Bitdefender advises users to carefully check the channel handle and subscriber count, and consider any ad promising free premium access to an app that is normally paid a major red flag.

Google Ads Used to Spread Trojan Disguised as TradingView Premium

FortiGuard Labs exposes a high-severity phishing campaign impersonating the National Police of Ukraine to deliver Amatera Stealer (data theft) and PureMiner (cryptojacking) to Windows PCs.

Hackers are distributing malicious emails that imitate official notices from the National Police of Ukraine. This phishing campaign, identified by FortiGuard Labs, targets any organisation running **Microsoft Windows** to compromise their systems with at least two new malware strains, including Amatera Stealer and PureMiner.

The attacks start with an email that includes a malicious Scalable Vector Graphics (**SVG**) file. For your information, an SVG is a simple image format, but attackers exploit its text-based code to embed harmful content.

The messages pressure the recipient using formal, legal language, falsely claiming an appeal is under review and warning that ignoring the notice could lead to “further legal action.”

Phishing email (source: FortiGuard)

****How the Infection Spreads****

When a victim opens the SVG attachment, the file tricks them by displaying a fake screen that says, “Please wait, your document is loading…” It then immediately forces the computer to download one of several password-protected ZIP archives, including ergosystem.zip or smtpB.zip, with the password displayed to make the process seem trustworthy.

Inside the archive is a Compiled HTML Help (CHM) file, which acts as the main trigger, launching a malicious script called the CountLoader. This loader, which _Hackread.com_ previously **reported** on, is a known entry point designed to deliver multiple harmful programs.

Here, its job is to connect with a remote server, steal some basic system details, and then deliver the final malware. Researchers refer to this as a “**fileless**” threat because the payload is loaded directly into the computer’s memory, making it hard to detect.

****Double Threat of Data Theft and Hijacking****

According to FortiGuard Labs’ **blog post**, CountLoader delivers two dangerous payloads: Amatera Stealer and PureMiner. Researchers explained in a report shared exclusively with Hackread.com that the PureMiner cryptominer is delivered using DLL sideloading from ergosystem.zip, while the Amatera Stealer is deployed via a malicious **Python** script found in smtpB.zip.

Attack Chain (Source: FortiGuard)

Amatera Stealer is an information-gathering tool that first gathers basic system information (like computer name, OS details, and username) and current clipboard contents. It then aggressively targets saved information, including credentials and files, from Firefox and Chrome browsers, chat apps like Telegram and Discord, and programs like Steam, FileZilla, and AnyDesk. It also targets files from major desktop crypto wallets, including BitcoinCore, Exodus, Atomic, and Electrum, and can search up to five folders deep for these files.

On the other hand, PureMiner is a **cryptominer** that collects detailed hardware information, like video card specifications. Once installed, PureMiner allows the criminals to secretly use the victim’s own computer power (both the CPU and GPU) for their financial benefit, a process called cryptocurrency mining.

The overall impact of this attack is rated as High severity as it allows remote control, data theft, and resource hijacking. Given this threat, users are urged to maintain strong security awareness. Avoid opening unexpected attachments, and always verify urgent, unsolicited requests through a separate trusted channel before clicking links.

Fake Ukraine Police Notices Spread New Amatera Stealer and PureMiner

California-based Archer Health exposed 23GB of patient records, including SSNs, IDs, and medical files, after an unprotected database was found online.

A large cache of medical and personal information belonging to patients of Archer Health Inc. was left publicly accessible after a database was found online without encryption or password protection. Archer Health Inc., also known as Archer Home Health, is a California-based provider of in-home healthcare and palliative care services.

The exposure, first identified by cybersecurity researcher Jeremiah Fowler and reported to Website Planet, included highly sensitive files that could have put thousands of individuals at risk.

The database held more than 145,000 files, sized up to 23 gigabytes. Among the documents were patient assessments, home health certifications, care plans, discharge forms, and internal communications.

Many of these contained personal details such as names, Social Security numbers (SSN), addresses, phone numbers, patient ID numbers, and medical information. Some folders were even labelled with patient names, while others contained categories like “faxed orders” or “referrals,” further confirming the sensitive nature of the data.

The files also included screenshots of healthcare management software dashboards, showing scheduling details, provider information, and patient records. Such exposures can carry significant risks, including identity theft, fraud, and violations of medical privacy regulations like HIPAA.

One of the screenshots showing the type of data involved in the leak (Credit: Jeremiah Fowler via Website Planet)

Fowler reported the exposure directly to the company, and access to the database was restricted within hours. Archer Health acknowledged the notification, stating that it takes patient privacy seriously and that its team is investigating the issue.

It remains unclear how long the database was exposed or whether any unauthorised parties accessed the records before it was secured. However, incidents like this show the constant risks when healthcare data is stored without proper security authentication.

****Possible Legal Consequences****

While Archer Health acted quickly once informed, patients whose records were included in the exposure may face long-term consequences if their identifiers or medical histories were accessed by malicious threat actors or copied during the time the database was online.

Additionally, when a healthcare provider or related service fails to protect sensitive data, it may face serious legal exposure. In a related example, a misconfigured Amazon Web Services (AWS) bucket belonging to Florida-based **IMDataCenter was publicly exposed**, letting a hacker known as “ThinkingOne” download tens of gigabytes of records, including names, emails, addresses and even Social Security numbers.

In response, IMDataCenter is now the target of a lawsuit over the data leak. If Archer Health faces similar scrutiny, it could confront claims under privacy and data protection laws, especially laws governing health and personal information.

Archer Health Data Leak Exposes 23GB of Medical Records

Austin / TX, United States, 25th September 2025, CyberNewsWire

**Austin / TX, United States, September 25th, 2025, CyberNewsWire**

Living Security, a global leader in Human Risk Management (HRM), today announced the full speaker lineup for the Human Risk Management Conference (HRMCon 2025), taking place October 20, 2025, at Austin’s Q2 Stadium and virtually worldwide.

The announcement follows findings from the newly published **2025 State of Human Cyber Risk Report**, produced by the **Cyentia Institute in collaboration with Living Security**, which reveals that on average, organizations detect only **19% of all human risk activity**. That means the majority of risky behaviors — from credential misuse to insider threats — go unseen, leaving enterprises exposed to risks that technology or traditional awareness programs alone can’t solve.

HRMCon is a one-day event focused on the people side of cybersecurity, offered this year both in-person in Austin and virtually worldwide. The program is designed for CISOs, security leaders, risk managers, and HR professionals who are responsible for building security culture and reducing human-driven risk. Sessions will explore how to extend risk ownership beyond traditional awareness programs and the security operations center, empowering managers and employees across the business to take accountability. Attendees will gain practical strategies they can apply immediately from executives, global analysts, and peers. Participants with confirmed attendance may also request a completion certificate for Continuing Professional Education (CPE) credits for the full conference.

> “Most organizations remain blind to the majority of human-driven risk, leaving gaps that technology or traditional awareness programs alone can’t solve,” said Ashley Rose, CEO and Co-Founder of Living Security. “Closing that visibility gap requires new strategies, proven frameworks, and collaboration across functions — which is exactly what HRMCon is designed to deliver. No matter where you are in your HRM journey, you’ll walk away with practical playbooks, proven strategies, and inspiring stories you can apply immediately. This isn’t just another security event—it’s a launchpad for making human risk a managed business function, all without pulling you away from your day-to-day responsibilities.”

HRMCon 2025 will feature enterprise CISOs, Fortune 500 veterans, and leading analysts sharing research-backed strategies and real-world lessons on operationalizing human risk management.

**Speaker Highlights**

**Opening Keynote – Brett Wahlin, CISO, Aurora –** From Counterintelligence to Cybersecurity: Rethinking the Human Factor Across Industries.

Risk frameworks have shaped enterprise security for decades but often overlook the human element. Drawing on his path from counterintelligence to the CISO seat, Brett Wahlin will show where traditional frameworks succeed, where they fall short, and how Human Risk Management can integrate people into the same disciplined approach that governs technology.

**Tim Taylor, VP of Security Education and Awareness, Mastercard –** Creating Human Risk Visibility: Where to Start and How to Scale.

Tim offers a step-by-step play for creating measurable human risk visibility in 90 days. Attendees will learn how to define goals, connect data sources, and build momentum toward sustainable risk reduction.

**Ashley Atiles, Director of Identity Risk, & Alfonso Mancuso, Director of Information Security, Labcorp –** The Access Equation: Identity Meets Human Risk.

Ashley and Alfonso will explore how identity and behavior intersect as the earliest line of defense. Attendees will learn how integrating IAM signals with human risk data creates a powerful new lever for stopping threats before they escalate.

**Kelly Harward, VP of Product & Mike Siegel, President, Living Security –** Operationalizing HRM: From Frameworks and Playbooks to Goals for Adaptive Defense.

Living Security leaders show how to translate frameworks into measurable outcomes. Attendees will see real-world playbooks and a preview of the new Goals feature, which ties behavior change directly to risk reduction.

**Jinan Budge, VP & Principal Analyst, Forrester –** The Future of Human Risk Management: Market Landscape and the Role of Agentic AI.

A market-level view of how Human Risk Management is evolving from compliance to strategy. Attendees will learn about the current state of the market, where it’s headed, and how autonomous AI agents are set to reshape HRM strategies in the years ahead.

**Closing Keynote – Larry Whiteside Jr., CISO Advisor & Co-Founder, Confide –** Evolving the Role of the CISO: From Defense to Business Enabler.

A concise look at how the CISO role is shifting from technical defense to strategic business leadership. Attendees will hear how Human Risk Management can help CISOs align security with culture, accountability, and measurable business outcomes.

**HRMCon 2025 Features**

*   **Grounded in Research:** Learning real-world strategies to close the 19% human risk visibility gap.
*   **Professional Development:** Earning verifiable CPE credits with a completion certificate (confirmed attendance and upon request).
*   **Free and Flexible:** Registering at no cost and choose to attending live in Austin or virtually from anywhere.
*   **Expert-Led:** Hearing from leading CISOs, analysts, and security practitioners shaping the HRM market.
*   **Peer Insights:** Seeing how organizations are operationalizing HRM through case studies and playbooks.
*   **Immediate Takeaways:** Leaving with frameworks, tools, and strategies you can implement right away.

HRMCon 2025, hosted by Living Security, comes at a pivotal time for organizations looking to transform security culture, reduce human-driven risk, and lead in an AI-enabled world.

**Users can register today at www.livingsecurity.com/hrmcon-2025**

**About Living Security**

Living Security is the global leader in Human Risk Management (HRM), providing a risk-informed approach that meets organizations where they are—whether that’s starting with AI-based phishing simulations, intelligent behavior-based training, or implementing a full HRM strategy that correlates behavior, identity, and threat data streams.

Living Security’s Unify platform delivers 3X more visibility into human risk than traditional, compliance-based training platforms by eliminating siloed data and integrating across the security ecosystem. The platform pinpoints the 8–12% of users who pose the greatest risk and automates targeted interventions in real time—reducing exposure to human risk by over 90%. Powered by AI, human analysis, and industry-wide threat telemetry, Unify transforms fragmented signals into intelligent, adaptive defense.

Named a Global Leader in Human Risk Management by Forrester and trusted by enterprises like Unilever, Mastercard, Merck, and Abbott Labs, Living Security helps security teams move from awareness to action—driving measurable behavior change and proving impact at every stage of the journey.

**Contact**

**Living Security Media**  
**\[email protected\]**

Living Security Unveils HRMCon 2025 Speakers as Report Finds Firms Detect Just 19% of Human Risk

New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam.

A Vietnamese hacking group known as Lone None is running an online scam campaign that has been active since at least November 2024. The campaign focuses on stealing personal and financial information, especially cryptocurrency.

Cybersecurity research firm Cofense Intelligence has been tracking this threat actor’s movements and shared their analysis with Hackread.com.

****The Face Copyright Notice****

The attacks begin with a fake email of an official legal notice from different law firms across the world, telling the recipient to take down copyrighted content from their website or social media, sometimes even naming the recipient’s real Facebook account.

Fake Take Down notice (Image credit: Cofense Intelligence)

These messages are sent in around ten different languages, including English, French, German, and Chinese, suggesting the criminals’ aim to expand their reach. The emails contain a link that, when clicked, leads to a downloaded archive (like a ZIP file). This archive contains the malware, which is cleverly disguised as evidence documents such as PDFs or PNGs.

To execute the malware, the attackers use DLL side-loading, which allows them to abuse a legitimate, signed program (like a trusted Microsoft Word or PDF reader executable) to secretly run their malicious code and bypass standard security checks.

Attack Flow (Image credit: Cofense Intelligence)

****Malware Deployment****

The campaign delivers two types of information stealers: Pure Logs Stealer and the newer Lone None Stealer (aka PXA Stealer).  Pure Logs steals a wide range of sensitive data, including passwords, credit card numbers, session cookies, and local crypto wallet files saved in a victim’s browsers and computers.

The Lone None Stealer, however, focuses on stealing cryptocurrency. It monitors the victim’s clipboard (the place where copied text is temporarily stored) and, if a crypto-wallet address is copied, the malware quietly replaces it with the criminal’s address. This means if a victim tries to send money by copying and pasting a wallet address, the funds go straight to the hacker instead.

In its blog post, Cofense Intelligence noted that Lone None Stealer has been found in nearly a third (29%) of all recent reports involving the older Pure Logs Stealer since June 2025, indicating its growing use.

****Evasive C2****

This scam involves a unique staging technique where the actor hides the address for the next step of the attack within a Telegram bot profile page. Moreover, Lone None Stealer uses the Telegram network as its primary Command and Control (C2) channel, rapidly sending back all the collected data to the hackers.

Since this scam plays directly on the fear of an urgent legal dispute, it is important to recognise the signs of a fake email. Never click links or download files from unexpected sources, as this simple precaution remains the best security against such scams.

Source

HackRead