Victoria’s Secret website was down due to a ‘security incident’ impacting online and some in-store services. Get the…

Victoria’s Secret website was down due to a ‘security incident’ impacting online and some in-store services. Get the latest on the lingerie giant’s efforts to restore operations and what customers need to know.

Lingerie giant Victoria’s Secret shut down its US website and some in-store services for three days due to an unspecified security incident. Customers attempting to access the Victoria’s Secret website were met with a message explaining the service disruption.

“Valued customer, we identified and are taking steps to address a security incident. We have taken down our website and some in-store services as a precaution. Our team is working around the clock to fully restore operations. We appreciate your patience during this process.”

****Impact and Timeline****

The company announced the measure on Thursday, May 29, 2025, stating it was a precaution and that their team is “working around the clock to fully restore operations.”

While the company has not provided a specific timeline for when services will be fully restored, a FAQ page suggests the issue may have begun on or after Monday, May 26.

Some customers on online forums like Reddit reported experiencing problems as early as Sunday night. The company also confirmed that it is working to fulfil orders placed before Monday. Although online operations are affected, physical Victoria’s Secret and PINK brand stores remain open.

However, some in-store services, like processing online returns, were unavailable, as were online customer care services. A note to employees from Victoria’s Secret CEO Hillary Super reveals that “recovery is going to take a while.” This suggests a complex cleanup process is underway.

The company has engaged third-party experts to help resolve the issue. Following this incident, shares of Victoria’s Secret & Co., reportedly, saw a decline of around 10%. The company’s lack of clear communication about the incident, including no updates on social media, has heightened uncertainty, likely led to this decline.

****Another Retailor Hit by Cyber Attack?****

This incident at Victoria’s Secret comes amidst a recent rise in cyberattacks targeting major retailers. As Hackread.com earlier reported, companies such as Marks and Spencer, Harrods, and Co-op have faced similar security challenges this year.

Two weeks ago, Dior reported a cybersecurity incident where unknown attackers accessed data on some of its Fashion and Accessories customers. Last week, the German shoe and clothing giant, Adidas, also reported an unauthorized external party obtaining consumer data, primarily contact information, through a third-party customer service provider.

The methods behind these attacks often involve social engineering, where cybercriminals trick individuals associated with a company into providing access to sensitive systems.

A notorious cybercrime group, Scattered Spider, has been identified as responsible for the VS incident as it has been targeting major retail brands in the UK and the US. These attacks can lead to significant disruptions, as seen with Marks & Spencer halting online orders for weeks due to a cyber incident. Experts advise consumers to be cautious after such incidents, as fraudsters may try to exploit the situation with fake promotions or by using compromised personal data.

At the time of writing, the Victoria’s Secret website for the US was restored and available for customers.

Ben Hutchison, Associate Principal Consultant at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the incident, stating, “Once attackers succeed in a sector, others often follow, making similar targets ‘victims of the moment.’ With rising attacks on retail, these businesses should treat this as a wake-up call to strengthen cybersecurity and digital resilience.”

Victoria’s Secret US Website Restored After Security Incident

A Chinese-language PhaaS platform Haozi is making cybercrime easy with no tech skills needed. Discover how this plug-and-play service facilitated over $280,000 in illicit transactions.

A new report from cybersecurity firm Netcraft reveals a rise in a Chinese-language Phishing-as-a-Service (PhaaS) known as Haozi. This service makes it incredibly easy for criminals, even those without technical skills, to launch sophisticated phishing attacks. Rob Duncan, a security researcher at Netcraft, discovered this surge over the past five months.

According to Netcraft’s blog post, shared with Hackread.com, Haozi stands out for its user-friendliness, marketing itself with a cartoon mouse and emphasizing ease of use and strong support. Unlike older methods that require coding knowledge, Haozi provides a simple web panel.

Haozi phishing administration panel screenshot (Source: Netcraft)

Once a criminal buys a server and puts in the details, the phishing kit sets itself up automatically. This plug-and-play approach even surpasses other modern PhaaS tools that still require some command-line actions. Netcraft has found Haozi control panels on thousands of phishing websites, indicating its widespread use.

****An Attractive Business Model for Bad Actors****

Beyond just offering phishing kits, Haozi operates like a full-fledged business. It sells advertising space to connect phishing kit buyers with other services, such as those that send text messages. Haozi also acts as a middleman in these deals. The digital wallet used for these advertisements and intermediary services, which uses Tether (USDT), has taken in over $280,000.

Recently, withdrawals from this wallet have often been in the thousands of dollars. The service also offers dedicated customer support through Telegram channels, providing tutorials, answering questions, and even allowing users to request custom phishing pages.

(Source: Netcraft)

This strong support system, combined with the automated setup, makes Haozi highly attractive to those new to cybercrime. The original Haozi Telegram community had almost 7,000 members before it was shut down, but since April 28, 2025, a new community has quickly gained over 1,700 followers. Haozi charges around $2,000 for a yearly subscription, with options for shorter terms.

****Understanding Phishing-as-a-Service (PhaaS)****

Phishing-as-a-Service (PhaaS) refers to online platforms that provide all the tools and support needed to carry out phishing attacks, often through a subscription model. Phishing itself is a type of cyberattack where criminals try to trick individuals into giving up sensitive information, like passwords or credit card details, by pretending to be a trustworthy entity.

Hackread.com has also highlighted this growing threat of PhaaS networks. In January 2025, we reported on Sneaky 2FA, a PhaaS targeting Microsoft 365 through a Telegram bot. In March 2025 Morphing Meerkat, a sophisticated operation using DNS vulnerabilities for years, was discovered and in April 2025, Netcraft warned about the Darcula-Suite upgrade, which now uses AI to create multilingual scam pages.

The rise of PhaaS like Haozi shows how easy it has become to commit cybercrime. While companies are improving their security, attackers are increasingly using social engineering and phishing because these methods don’t require breaking through protected infrastructure. All it requires is a human error, which shows the urgent need for employee cybersecurity training.

Chinese Phishing Service Haozi Resurfaces, Fueling Criminal Profits

Cisco Talos uncovers CyberLock ransomware, Lucky_Gh0$t, and Numero malware masquerading as legitimate software and AI tool installers. Learn…

Cisco Talos uncovers CyberLock ransomware, Lucky\_Gh0$t, and Numero malware masquerading as legitimate software and AI tool installers. Learn how these fake installers exploit businesses in sales, tech, and marketing.

Cybersecurity researchers at Cisco Talos have revealed that the increasing presence of Artificial Intelligence (AI) in the business world has opened new opportunities for cybercriminals. Threat actors are hiding malicious software within fake installers for AI tools, tricking businesses into downloading malware. This new wave includes ransomware like CyberLock and Lucky\_Gh0$t, and destructive malware called Numero.

According to researchers, these fake AI tool installers are distributed via various online channels, through SEO poisoning (manipulating search engine rankings) so that the fake websites appear at the top of search results. Additionally, social media and messaging platforms like Telegram are used to spread their malicious links.

Businesses, especially those in sales, technology, and marketing, are prime targets because they frequently use legitimate AI tools for automation, data analysis, and customer engagement.

As detailed by Cisco Talos’ report shared with Hackread.com ahead of its publishing on Thursday, May 29, when unsuspecting users download seemingly harmless installers, they unknowingly invite malware onto their systems, putting sensitive business data and financial assets at risk, and eroding trust in genuine AI solutions.

****Cisco Talos Exposes Several Threats********CyberLock Ransomware****

This ransomware, observed as early as February 2025, poses as a lead monetization AI platform called NovaLeadsAI. Its operators have created a fake website, ‘novaleadsaicom,’ to mimic the real ‘novaleads.app.’ They even offered deceptive “free access” for the first year to lure victims.

Fake Website Offering the AI Tool (Source: Cisco Talos)

Once downloaded, a file named ‘NovaLeadsAI.exe’ deploys the CyberLock ransomware. This ransomware, written in PowerShell and embedded with CSharp code, encrypts various file types, including documents, spreadsheets, images, and videos, and demands a $50,000 ransom in Monero (XMR) cryptocurrency.

As a manipulative tactic, cybercriminals falsely claim the ransom will support humanitarian aid in regions like Palestine, Ukraine, Africa, and Asia. CyberLock also attempts to wipe free space on the hard drive via a built-in Windows tool ‘cipher.exe’., making it harder to recover deleted files.

****Lucky\_Gh0$t Ransomware****

This Yashma ransomware variant (part of the Chaos ransomware series) is distributed through fake ChatGPT installers, usually as ‘ChatGPT 4.0 full version – Premium.exe’. This malicious installer includes a file called ‘dwn.exe’ which is the ransomware, along with legitimate Microsoft AI tools, likely to avoid detection.

Lucky\_Gh0$t encrypts files smaller than 1.2GB and also has destructive behaviour for larger files, overwriting them with a single character. Victims are given a personal ID and instructed to use a secure messenger platform for communication.

****Numero Malware****

This newly discovered destructive malware imitates the installer for InVideo AI, a popular online video creation tool. Compiled in January 2025, it is a window manipulator malware that continuously runs on a victim’s machine, making Windows systems unusable by interfering with their graphical interface. It avoids being detected by checking for common malware analysis tools like IDA, x64 debugger, and OllyDbg.

Fake Installer Running Numero Payload (Source: Cisco Talos)

Given these evolving threats, organizations and individuals must be extremely careful. Always verify the source of AI tools and only download software from trusted vendors.

Fake ChatGPT and InVideo AI Downloads Deliver Ransomware

PALO ALTO, California, 29th May 2025, CyberNewsWire

**PALO ALTO, California, May 29th, 2025, CyberNewsWire**

Today, SquareX released new threat research on an advanced Browser-in-the-Middle (BitM) attack targeting Safari users. As highlighted by Mandiant, adversaries have been increasingly using BitM attacks to steal credentials and gain unauthorized access to enterprise SaaS apps. BitM attacks work by using a remote browser to trick victims into interacting with an attacker-controlled browser via a pop-up window in the victim’s browser. A common BitM attack involves displaying the legitimate login page of an enterprise SaaS app, deceiving victims into divulging credentials and other sensitive information thinking that they are conducting work on a regular browser window.

Despite this, one flaw that BitM attacks always had was the fact that the parent window would still display the malicious URL, making the attack less convincing to a security-aware user. However, as part of the Year of Browser Bugs (YOBB) project, SquareX’s research team highlights a major Safari-specific implementation flaw using the Fullscreen API. When combined with BitM, this vulnerability can be exploited to create an extremely convincing Fullscreen BitM attack, where the BitM window opens up in fullscreen mode such that no suspicious URLs from the parent window is seen. Safari users are especially vulnerable to this attack as there is no clear visual indicator of users entering fullscreen. We have disclosed this vulnerability to Safari and were regrettably informed that there is no plan to address the issue.

The current Fullscreen API specifies that “the user has to interact with the page or a UI element in order for this feature to work.” However, what the API does not specify is what kind of interaction is required to trigger fullscreen mode. Consequently, attackers can easily embed any button – such as a fake login button – in the pop-up that calls the Fullscreen API when clicked. This triggers a fullscreen BitM window that perfectly mimics a legitimate login page, including the URL displayed on the address bar.

> “The Fullscreen BitM attack highlights architectural and design flaws in browser APIs, specifically the Fullscreen API,” says the researchers at SquareX, “Users can unknowingly click on a fake button and trigger a fullscreen BitM window, especially in Safari where there is no notification when the user enters fullscreen mode. Users that typically rely on URLs to verify the legitimacy of a site will have zero visual cues that they are on an attacker-controlled site. With how advanced BitM is becoming, it is critical for enterprises to have browser-native security measures to stop attacks that can no longer be visually identified by even the most security aware individuals.”

While BitM attacks have primarily been used to steal credentials, session tokens and SaaS application data, the fullscreen variant has the potential to lead to even more damage by making the attack imperceptible for most ordinary enterprise users. For instance, the landing site may have a button that claims to link to a government resource and opens up to a fake government advisory page to spread misinformation and even gather sensitive company and personally identifiable information (PII). The victim can even subsequently open additional tabs in the attacker-controlled window, allowing adversaries to fully monitor the victim’s browsing activity.

Fullscreen BitM window displaying legitimate Figma login page and URL in the address bar (Disclaimer: Figma is used as an illustrative example)

**Are other browsers vulnerable to Fullscreen BitM attacks too?**

Unlike Safari, Firefox, Chrome, Edge and other Chromium-based browsers display a user message whenever the full-screen mode is toggled. However, this notification is extremely subtle and momentary in nature – most employees may not notice or register this as a suspicious sign. Additionally, the attacker can also use dark modes and colors to make the notification even less noticeable. By contrast, Safari does not have a messaging requirement – the only visual sign of entering fullscreen mode is a “swipe” animation. Thus, while the attack shows no clear visual cues in Safari browsers, other browsers are also exposed to the same Fullscreen API vulnerability that makes the Fullscreen BitM attack possible.

**Existing security solutions fail to detect Fullscreen BitM attacks**

Unfortunately, EDRs have zero visibility into the browser and are proven to be obsolete when it comes to detecting any BitM attack, much less its more advanced fullscreen variant. Additionally, orchestrating the attack with technologies such as remote browser and pixel pushing will also allow it to bypass SASE/SSE detection by eliminating any suspicious local traffic. As a result, without access to rich browser metrics, it is impossible for security tools to detect and mitigate Fullscreen BitM attacks. Thus, as phishing attacks become more sophisticated to exploit architectural limitations of browser APIs that are either unfixable or will take significant time to fix by browser providers, it is critical for enterprises to rethink their defense strategy to include advanced attacks like Fullscreen BitM in the browser.

To learn more about this security research, users can visit https://sqrx.com/fullscreen-bitm.

SquareX’s research team is also holding a webinar on June 5th, 10am PT/1pm ET to dive deeper into the full attack chain. To register, users can click here.

**About SquareX**

SquareX is a pioneering Browser Detection and Response (BDR) that empowers organizations to proactively detect, mitigate, and effectively threat-hunt client-side web attacks. SquareX provides critical protection against a wide range of browser security threats, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Users can find out more on www.sqrx.com.

The Fullscreen BitM Attack disclosure is part of the Year of Browser Bugs project. Every month, SquareX’s research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking, Polymorphic Extensions and Browser-Native Ransomware.

To learn more about SquareX’s BDR, users can contact SquareX at \[email protected\]. For press enquiries on this disclosure or the Year of Browser Bugs, users can email at \[email protected\]. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Fullscreen BitM Attack Discovered by SquareX Exploits Browser Fullscreen APIs to Steal Credentials in Safari

Fortinet spots new malware that corrupts its own headers to block forensic analysis, hide behavior, and communicate with its C2 server.

The FortiGuard Incident Response Team has released a detailed investigation into a newly discovered malware that managed to quietly operate on a compromised Windows machine for several weeks. What makes this malware different from others is its deliberate corruption of its own DOS and PE headers, a method designed to obstruct forensic analysis and reconstruction efforts by security researchers.

Despite this challenge, Fortinet’s team successfully obtained a memory dump of the live malware process, housed in a dllhost.exe process (PID 8200), along with a complete 33GB memory dump of the compromised system.

By carefully replicating the compromised environment, Fortinet’s researchers were able to bring the dumped malware back to life in a controlled setting, allowing them to observe its operations and communication patterns.

****Bringing Corrupted Malware Back Online****

Without its DOS and PE headers, the malware could not be simply loaded and executed like a normal Windows binary. The research team had to manually identify the malware’s entry point, allocate memory, and resolve API addresses that differed between the compromised system and the test environment. Through repeated debugging, address relocation, and parameter adjustments, they were finally able to emulate the malware’s behaviour in a lab setting.

The image shows the DOS and PE headers have been corrupted, which makes it challenging to fully reconstruct the executable from memory (Credit: FortiGuard)

According to Fortinet’s blog post shared with Hackread.com ahead of its publishing on Thursday, once operational, the malware revealed its communication with a command-and-control (C2) server at rushpaperscom over port 443, using TLS encryption.

Fortinet analysts traced the malware’s use of Windows API functions like SealMessage() and DecryptMessage() to handle encrypted traffic. They also identified an additional layer of custom encryption that wrapped specific data packets before applying TLS, further complicating traffic inspection.

****What the Malware Can Do****

Fortinet’s analysis confirms that the malware operates as a Remote Access Trojan (RAT), providing the attacker with several powerful features:

*   **Screen capture**: The malware takes periodic screenshots, compresses them as JPEGs, and sends them to the C2 server along with the titles of active windows.

*   **Remote server functionality**: The malware sets up a listening TCP port, allowing attackers to connect directly and issue commands or deploy additional attacks.

*   **System service control**: By interfacing with the Windows Service Control Manager, the malware can enumerate, manipulate, and potentially disrupt critical system services on the infected machine.

****How the Attack Works****

The initial infection relied on batch scripts and PowerShell to launch the malware, embedding it into a Windows process. Once running, the malware fetched the C2 server’s domain information from encrypted memory, established a secure connection, and began exfiltrating system details.

Full memory dump of the compromised machine. The image shows detailed file information for the “fullout” dump, used to recreate a local test environment for malware analysis. (Credit: FortiGuard)

During traffic analysis, Fortinet captured decrypted WebSocket requests and responses, uncovering how the malware collects and reports system information, including OS version and architecture.

Interestingly, the malware’s encryption scheme uses a randomly generated key for XOR-based scrambling of packet data before it is handed off for TLS encryption. This extra layer adds protection against simple network-based detection, forcing researchers to rely on endpoint inspection or memory-level analysis to catch malicious activity.

New Malware Spotted Corrupts Its Own Headers to Block Analysis

A recent investigation by cybersecurity researchers at Oasis Security has revealed a data overreach in how Microsoft’s OneDrive…

A recent investigation by cybersecurity researchers at Oasis Security has revealed a data overreach in how Microsoft’s OneDrive File Picker handles permissions, opening the door for hundreds of popular web applications, including ChatGPT, Slack, Trello, and ClickUp, to access far more user data than most people realize.

According to the report, the problem comes from how the OneDrive File Picker requests OAuth permissions. Instead of limiting access to just the files a user selects for upload or download, the system grants connected applications broad read or write permissions across the user’s entire OneDrive. This means that when you click to upload a single file, the app may be able to see or modify everything in your cloud storage and maintain that access for extended periods.

****A Hidden Access Problem****

OAuth is the widely used industry standard that allows apps to request access to user data on another platform, with user consent. But as Oasis explains in their blog post shared with Hackread.com ahead of its publication on Wednesday, the OneDrive File Picker lacks “fine-grained” OAuth scopes that could better restrict what connected apps can see or do.

Microsoft’s current setup presents the user with a consent screen that suggests only the selected files will be accessed, but in reality, the application gains sweeping permissions over the entire drive.

This works quite differently compared to how services like Google Drive and Dropbox handle similar integrations. Both offer more precise permission models, allowing apps to interact only with specific files or folders without handing over the keys to the whole storage account.

Adding to the concern, older versions of the OneDrive File Picker (versions 6.0 through 7.2) used outdated authentication flows that exposed sensitive access tokens in insecure places, like browser localStorage or URL fragments. Even the latest version (8.0), while more modern, still stores these tokens in browser session storage in plain text, leaving them vulnerable if an attacker gains local access.

****Millions of Users at Risk****

Oasis Security estimates that hundreds of apps use the OneDrive File Picker to facilitate file uploads, putting millions of users at risk. For example, ChatGPT users can upload files directly from OneDrive, and with over 400 million users reported each month, the scale of possible over-permissioning is massive.

Oasis contacted both Microsoft and several app vendors ahead of releasing its findings. Microsoft acknowledged the report and indicated it may explore improvements in the future, but as of now, the system works as designed.

****An Expert View on the API Security Challenge****

Eric Schwake, Director of Cybersecurity Strategy at Salt Security, commented on the research, stating, “Oasis Security’s research points to a major privacy risk in how Microsoft OneDrive connects with popular apps like ChatGPT, Slack, and Trello. Because the OAuth scopes in the OneDrive File Picker are too broad, apps can gain access to an entire drive, not just selected files.”

He warned that “Combined with insecure storage of access tokens, this creates a serious API security challenge. As more tools rely on APIs to handle sensitive data, it’s essential to apply strict governance, limit permissions, and secure tokens to avoid exposing user information.”

****What Users and Companies Should Do****

For users, it’s worth checking which third-party apps have access to your Microsoft account. This can be done through the account’s privacy settings, where you can view app permissions and revoke any you no longer trust.

****How to Check Which Third-Party Apps Have Access to Your Microsoft Account****

*   **Go to your Microsoft Account page** – Visit account.microsoft.com and sign in if you aren’t already.

*   **Click on “Privacy”** – In the top or left menu, find and click the **Privacy** section.

*   **Find “Apps and Services”** – Scroll down or look under account settings for Apps **and Services** you’ve given access to.

*   **View app details** – You’ll see a list of apps that have permission to access your Microsoft account. Click Details on each app to see what data or scopes they can access.

*   **Revoke access if needed** – If you no longer trust or use an app, click Remove these permissions or Stop sharing to revoke its access.

For companies, Oasis recommends reviewing enterprise applications in the Entra Admin Center and monitoring service principal permissions to see which apps may have broader access than intended. Using tools like the Azure CLI can help automate parts of this review.

For developers, the best immediate steps include avoiding the use of long-lived refresh tokens, securely storing access tokens, and disposing of them when no longer needed. Until Microsoft offers more precise OAuth scopes for OneDrive integrations, developers are encouraged to explore safer workarounds, like supporting “view-only” shared file links instead of direct picker integrations.

OneDrive File Picker Flaw Gives Apps Full Access to User Drives

Researchers reveal how guest accounts with billing roles can create Azure subscriptions inside external tenants, gaining unexpected Owner access and opening hidden privilege risks.

Cybersecurity researchers at BeyondTrust are warning about a little-known but dangerous issue within Microsoft’s Entra identity platform. The issue isn’t some hidden bug or overlooked vulnerability; it’s a feature, built into the system by design, that attackers can exploit.

The issue is that guest users invited into an organization’s Azure tenant can create and transfer subscriptions inside that tenant without having any direct admin privileges there. Once they do, they gain “Owner” rights over that subscription, opening up a surprising set of attack opportunities that many Azure administrators might never have considered.

****What’s Happening Behind the Scenes****

Organizations frequently invite external partners or collaborators into their Azure environments as “guest users.” Typically, these guests are assigned limited access to prevent damage if their accounts are compromised. But BeyondTrust’s findings shared with Hackread.com, reveal that under certain conditions, these guests can spin up entire Azure subscriptions inside the host tenant, even without explicit permissions in that environment.

How? It all comes down to Microsoft’s billing permissions. If the guest holds specific billing roles in their home tenant (for example, they created a free trial account), they can use that authority to create subscriptions and then move them into any other tenant they are invited to. By doing so, they effectively become “Owners” of those subscriptions, gaining broad control over resources inside the targeted tenant.

Microsoft has confirmed that this is intended behaviour, pointing out that these subscriptions stay on the guest’s bill and that there are existing (but non-default) controls to prevent such transfers. Still, the security implications are substantial.

****The Privilege You Didn’t See Coming****

Once a guest becomes a subscription Owner inside your Azure tenant, they unlock several advanced capabilities including Identifying who’s really in charge, disabling security monitoring, creating persistent backdoors and abusing device trust

These attack paths exist because billing roles and resource permissions operate on separate tracks, creating an overlap that isn’t covered by typical role-based access control (RBAC) models.

**Real-World Attack Steps**

BeyondTrust researchers demonstrated how an attacker could exploit this issue in practice. An attacker could start by setting up their own Azure tenant using a free trial, which automatically gives them billing authority.

Once they are invited as a guest into a target tenant, they can log into the Azure portal and create a new subscription using advanced settings, selecting the target tenant as the destination. Without ever needing admin approval in that tenant, the attacker gains full Owner access over the new subscription, opening the door to privilege abuse techniques.

> _“The feature Microsoft has created here makes sense: some organizations have many tenants, and there are use cases where users with one home directory need to create subscriptions in others they are simply a guest in. The problem lies in the default behavior: if this capability were opt-in, meaning guests were blocked from creating subscriptions by default, the risk would be significantly reduced, and this wouldn’t pose a security concern.”_
> 
> Simon Maxwell-Stewart, Sr Data Engineer – BeyondTrust

****Microsoft’s Position****

Microsoft has stated that this is intended behaviour, meant to support complex multi-tenant setups where guests sometimes need to create resources. They provide subscription policies that can block these transfers, but these controls are off by default.

For cybersecurity teams, this means the risk remains active until they take clear action. BeyondTrust recommends several key steps to reduce exposure including enabling subscription policies that block guest-led transfers, regularly auditing guest accounts and removing any that are unused or unnecessary.

To prevent attackers from using virtual machines or devices for further attacks, closely monitor subscriptions for unusual or unexpected guest-created resources, and carefully review dynamic group rules and device trust policies.

Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say

Mandiant Threat Defense uncovers a campaign where Vietnam-based group UNC6032 tricks users with malicious social media ads for…

Mandiant Threat Defense uncovers a campaign where Vietnam-based group UNC6032 tricks users with malicious social media ads for fake AI video tools, leading to stolen credentials and credit card information.

Mandiant Threat Defense has uncovered a widespread cybercrime operation preying on the public’s excitement for new AI tools. A group known as UNC6032, believed to be based in Vietnam, is tricking people with fake social media ads that look like they’re promoting popular AI video generators such as Luma AI and Canva Dream Lab.

According to Mandiant’s research, shared with Hackread.com, UNC6032 has been running misleading ads on platforms like Facebook and LinkedIn since mid-2024. These ads direct users to fake websites that appear to offer AI video generation services.

However, these sites secretly download harmful software, including infostealers and backdoors, which steal sensitive information like login details and personal data. The stolen data is likely sold on illegal online markets.

This type of attack is a major concern for everyone, from individuals to large companies. In fact, according to Mandiant’s M-Trends 2025 report, stolen credentials are the second-highest initial way cybercriminals get into systems. Mandiant has found thousands of these ads, reaching millions of users, and believes similar campaigns are active on other social media sites.

For instance, one specific attack that Mandiant investigated started with a Facebook ad for Luma Dream AI Machine. When a user clicked on “Start Free Now,” they were led through a series of steps mimicking a real AI video creation process.

After a loading bar, a Download button appeared, which then installed the malicious software instead of a video. The files used a trick with hidden characters and a fake .mp4 icon to appear harmless, but they were actually dangerous executable files.

Malicious Facebook ads on Facebook and LinkedIn (Image credit: Mandiant)

The malicious software used in these attacks, which Mandiant tracks as STARKVEIL, is a complex program written in Rust. It may display fake error messages to trick users into reopening the program. The software then drops other dangerous tools like XWORM, FROSTRIFT backdoors, and the GRIMPULL downloader.

These tools allow attackers to control the computer, steal more information, record keystrokes, and check for security software. GRIMPULL, for example, can download and run the Tor browser to connect to criminals’ hidden servers. XWORM even sends the stolen information to the attackers via Telegram.

According to Mandiant Threat Defense’s blog post, the company is collaborating with Meta and LinkedIn to fight this campaign. Although Meta has removed many of these ads, new ones are appearing daily. This ongoing threat necessitates constant collaboration across the tech industry to protect users.

Yash Gupta, Senior Manager at Mandiant Threat Defense, warns that “well-crafted websites masquerading as legitimate AI tools can pose a threat to anyone… Users should exercise caution when engaging with seemingly harmless ads.”

It is a fact that AI tools are becoming popular, and cybercriminals will continue to exploit this interest. Users are advised to be cautious when trying out new AI tools and verify the website’s address before interacting.

Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers

ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users. Learn how attackers…

ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users. Learn how attackers exploit Pickle files and the growing threat to the software supply chain.

Cybersecurity experts from ReversingLabs (RL) have discovered a new trick used by cybercriminals to spread harmful software, this time by hiding it within artificial intelligence (AI) and machine learning (ML) models. 

Researchers discovered three dangerous packages on the Python Package Index (PyPI), a popular platform for Python developers to find and share code, which resembled a Python SDK for Aliyun AI Labs services and targeted users of Alibaba AI labs.

Alibaba AI labs is a significant investment and research initiative within Alibaba Group and a part of Alibaba Cloud’s AI and Data Intelligence services, or Alibaba DAMO Academy.

****New Software Threat Hides in AI Tools****

These malicious packages, named aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk, and aliyun-ai-labs-sdk, had no real AI functionality, explained ReversingLabs reverse engineer Karlo Zanki in the research shared with Hackread.com.

“The ai-labs-snippets-sdk package accounted for the majority of downloads, due to it being available for download longer than the other two packages,” the blog post revealed.

A Package’s Readme Page (Source: ReversingLabs)

Instead, once installed, they secretly dropped an infostealer (malware designed to steal information). This harmful code was hidden inside a PyTorch model. For your information, PyTorch models are often used in ML and are essentially zipped Pickle files. Pickle is a common Python format for saving and loading data, but it can be risky because malicious code can be hidden inside. This particular infostealer collected basic details about the infected computer and its .gitconfig file, which often contains sensitive user information for developers.

The packages were available on PyPI starting May 19th for less than 24 hours but were downloaded about 1,600 times. RL researchers believe the attack might have started with phishing emails or other social engineering tactics to trick users into downloading the fake software. The fact that the malware looked for details from the popular Chinese app AliMeeting, and .gitconfig files suggests developers in China might be the main targets.

****Why ML Models are being Targeted?****

The rapid rise in the use of AI and ML in everyday software makes them a part of the software supply chain, creating new opportunities for attackers. ReversingLabs has been tracking this trend, previously warning about the dangers of the Pickle file format.

ReversingLabs product management director Dhaval Shah had noted earlier that Pickle files could be used to inject harmful code. This was proven true in February with the nullifAI campaign, where malicious ML models were found on Hugging Face, another platform for ML projects.

This latest discovery on PyPI shows that attackers are increasingly using ML models, specifically the Pickle format, to hide their malware. Security tools are only just beginning to catch up to this new threat, as ML models were traditionally seen as just data carriers, not places for executable code. This highlights the urgent need for better security measures for all types of files in software development.

Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.

What makes this campaign particularly dangerous is its use of built-in Windows tools and trusted system processes to blend in with normal activity, making it much harder to catch through signatures alone.

Let’s walk through the full infection chain and see how you can safely detect these techniques in seconds with the help of the right analysis solutions.

****See the Full Attack Chain Unfold in Real Time****

To understand how this phishing campaign works end-to-end, let’s take a look at how it unfolds inside ANY.RUN’s interactive sandbox, where every step is visual, traceable, and recorded in real time.

View the full analysis session

Full attack chain of the new phishing danger inside ANY.RUN’s sandbox

From initial delivery to post-exploitation behaviour, the sandbox reveals the full picture, giving SOC teams the visibility they need to respond faster and helping businesses reduce the risk of silent, long-term compromise.

Full attack chain of the latest phishing threat inside ANY.RUN’s sandbox:

**Phishing Email → Malicious Archive → DBatLoader Execution → Obfuscated CMD Scripts → Remcos Injected into .exe**

Inside the sandbox, you can visually trace each stage of the attack as it happens, such as:

Watch how the archive triggers DBatLoader, and how obfuscated .cmd scripts begin executing suspicious commands.

ANY.RUN sandbox detected the commands execution of cmd.exe

See exactly when and where Remcos is injected into legitimate system processes, with process trees and memory indicators updated in real-time.

Remcos RAT exposed inside the interactive sandbox

Observe persistence techniques in action, such as the creation of scheduled tasks, registry changes, and the use of .url and .pif files, clearly highlighted in the system activity log.

To better understand the tactics behind this phishing attack, you can use the built-in MITRE ATT&CK mapping in ANY.RUN. Just click the “ATT&CK” button in the top-right corner of the sandbox interface.

This view instantly highlights the techniques used during the analysis, grouped by tactics like execution, persistence, privilege escalation, and more. It’s a fast, analyst-friendly way to connect behaviour to real-world threat intelligence, no manual mapping is needed.

MITRE ATT&CK techniques and tactics used by the new phishing campaign

Whether you’re performing triage or writing reports, this feature helps security teams act faster and gives managers clear evidence of how threats operate and where defences might be bypassed.

****Techniques Used in This Phishing Attack (Visible Inside Sandbox)****

Here are some of the key tactics observed in the session and how you can spot them easily inside the sandbox:

1.  **Faktura.exe: The Lure File**

Victims receive a phishing email containing an archive with Faktura.exe, posing as a legitimate invoice. When opened, it kicks off the attack.

Most email security tools won’t flag this file if it’s not known or doesn’t match known IOCs. In ANY.RUN, you can immediately see Faktura.exe in the process tree and watch how it spawns malicious activity, giving analysts clarity from the very first click.

FAKTURA.exe displayed inside ANY.RUN sandbox

2.  **DBatLoader: The Initial Loader**

Once the victim opens the phishing archive, **DBatLoader** is executed. It’s responsible for starting the infection chain by launching obfuscated scripts.

In the Process tree, DBatLoader appears as a dropped .exe, immediately spawning cmd.exe. You can inspect the command lines, and file system activity, and see exactly how the script execution begins.

YARA rule triggered by DBatLoader

3.  **Obfuscated Execution with BatCloak-Wrapped CMD Files**

We see inside this analysis session that .cmd scripts obfuscated with BatCloak are used to download and execute the malicious payload.

Obfuscation hides intent from static scanners. In sandboxes like ANY.RUN, you can open the command-line view and see every decoded instruction and suspicious pattern as it executes, no manual decoding is needed.

4.  **LOLBAS Abuse with Esentutl.exe**

The legitimate utility esentutl.exe is abused to copy cmd.exe into alpha.pif, a renamed dropper meant to look harmless.

File copy operations using esentutl.exe show up in the ANY.RUN Process tree and File system activity, including full paths and command context.

LOLBAS Abuse with Esentutl.exe detected inside ANY.RUN sandbox

5.  **Scheduled Tasks Trigger .url → .pif Execution**

A scheduled task is created to run Cmwdnsyn.url, which launches the .pif file on boot or at regular intervals. 

Scheduled task technique in detail

Scheduled tasks are a common persistence mechanism, but in complex environments, they often go unnoticed. With ANY.RUN, you can instantly see when and how the task is created, track its execution chain in the process tree, and inspect related file and registry changes.

This gives SOC teams a clear view of how the malware stays active over time, making it easier to build detection rules, document the persistence method, and ensure it’s fully removed.

6.  **UAC Bypass with Fake “C:\\Windows ” Directory**

A mock directory (C:\\Windows with a space) is used to bypass UAC prompts by exploiting Windows path handling quirks.

Bypass UAC with mock directories (note trailing space)

****Why Sandbox Analysis Is Critical Against Evasive Threats****

This phishing campaign highlights just how far attackers go to stay hidden, using built-in Windows tools, crafted persistence, and subtle privilege escalation tricks that easily bypass traditional defences.

With sandbox analysis, especially through the one like ANY.RUN, security teams gain the clarity and speed needed to stay ahead of these threats. You can observe every step of the infection, uncover techniques that static tools miss, and act with confidence.

*   Faster incident response thanks to real-time behavioural insight
*   Reduced dwell time by identifying threats before they spread
*   Better-informed security decisions through visibility into attacker tactics
*   Improved compliance and audit readiness with shareable, in-depth reports

****Take Advantage of ANY.RUN’s Birthday Offers****

To celebrate its 9th anniversary, ANY.RUN is offering a limited-time promotion:

Get bonus Interactive Sandbox licenses or double your TI Lookup quota, available only until May 31, 2025.

Don’t miss your chance to upgrade your threat detection and response workflow with solutions trusted by over 15,000 organizations worldwide.

Source

HackRead