An SSL.com vulnerability allowed attackers to issue valid SSL certificates for major domains by exploiting a bug in…

An SSL.com vulnerability allowed attackers to issue valid SSL certificates for major domains by exploiting a bug in its email-based domain verification method.

Internet security relies on trust, and the Certificate Authority (CA) is a key player in this system as it verifies website identities, and issues SSL/TLS certificates, which encrypt communication between a computer and the website.

However, recently, a serious problem was found with one of these trusted CAs, SSL.com. Researchers discovered a flaw in how SSL.com was checking if someone requesting a certificate actually controlled the domain name, a process called Domain Control Validation (DCV).

SSL.com enables users to verify domain control and obtain a TLS certificate for encrypted HTTPS connections by creating a _validation-contactemail DNS TXT record with the contact email address as the value. SSL.com sends a code and URL to confirm the user’s control of the domain. However, due to this bug, SSL.com now considers the user as the owner of the domain used for the contact email.

This flaw stems from the way email is used to verify control, particularly with MX records, which indicate which servers receive email for that domain. It allowed anyone to receive email at any email address associated with a domain, potentially obtaining a valid SSL certificate for the entire domain. It is specifically related to the BR 3.2.2.4.14 DCV method aka ‘Email to DNS TXT Contact’.

This is a big deal because an attacker wouldn’t need to have complete control over a website e.g., google.com, to get a legitimate-looking certificate as just the email address of an employee or even a free email address that’s somehow linked to the domain is enough.

Malicious actors can use valid SSL certificates to create fake versions of legitimate websites, steal credentials, intercept user communication, and potentially steal sensitive information through a man-in-the-middle attack. A security researcher using the alias _Sec Reporter_ demonstrated this by using an @aliyun.com email address (a webmail service run by Alibaba) to get certificates for aliyun.com and www.aliyun.com.  

This vulnerability affects organizations with publicly accessible email addresses, particularly large companies, domains without strict email control, and domains using CAA (Certification Authority Authorization) DNS records.

SSL.com has acknowledged the issue and explained that besides the test certificate the researcher obtained, they had mistakenly issued ten other certificates in the same way. These certificates, starting as early as June 2024, were for the following domains:

*. medinet.ca, help.gurusoft.com.sg (issued twice), banners.betvictor.com, production-boomi.3day.com, kisales.com (issued four times), and medc.kisales.com (issued four times).

The company also disabled the ‘Email to DNS TXT Contact’ validation method and clarified that “this did not affect the systems and APIs used by Entrust.”

Even though SSL.com’s issue has been resolved, it shows the important steps to maintain website safety. CAA records should be used to tell browsers which companies can issue certificates, public logs should be monitored to catch unauthorised certificates, and email accounts linked to websites should be secure.

SSL.com Vulnerability Allowed Fraudulent SSL Certificates for Major Domains

Terrance, United States / California, 22nd April 2025, CyberNewsWire

**Terrance, United States / California, April 22nd, 2025, CyberNewsWire**

**Joining Criminal IP at Booth S-634 | South Expo, Moscone Center | April 28 – May 1, 2025**

Criminal IP, the global cybersecurity platform specializing in AI-powered threat intelligence and OSINT-based data analytics, will exhibit at RSAC 2025 Conference, held from April 28 to May 1 at the Moscone Center in San Francisco. The company will welcome attendees at Booth S-634 in the South Expo Hall.

**Strengthening Its Global Presence Through Proven Success**

Following its impactful debut at RSAC 2023, Criminal IP has continued to expand its international footprint, establishing partnerships with over 40 global cybersecurity leaders, including Cisco, Tenable, Fortinet, VirusTotal, and Snowflake. Returning to RSAC 2025, the company will further strengthen its position in the global security market by showcasing its latest innovations in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI).

**Elevating Threat Intelligence with ASM at RSAC**

With a presence in over 150 countries, Criminal IP has positioned itself as a trusted leader in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI). At RSAC 2025, the company will highlight how its platform empowers security teams with real-time, actionable insights to proactively detect and respond to today’s most advanced cyber threats.

**Live Demonstrations & Strategic Dialogues**

Throughout the event, Criminal IP will host live demos and interactive sessions led by the CEO, senior developers, and global product experts. Visitors will gain exclusive insights into:

*   Real-world applications of ASM for enterprise security
*   Emerging threat trends and response tactics
*   Enhancing CTI workflows with AI and automation

Attendees will experience firsthand how Criminal IP uncovers exposed assets, detects abnormal behaviors, and delivers complete visibility across digital infrastructures.

**Connecting with the Criminal IP Team**

Attendees can arrange 1:1 meetings directly at Booth S-634 or pre-book sessions in advance through the Knowledge Hub > Conference section of the Criminal IP website. The team will be available to discuss how the platform can be tailored to support diverse cybersecurity goals.

The booth will also feature exclusive giveaways and a roulette-style prize draw for all on-site attendees.

> “RSAC continues to be a vital platform for exchanging ideas around proactive security,” said Byungtak Kang, CEO of AI SPERA. “We look forward to showcasing how our ASM-powered threat intelligence helps global organizations safeguard their external attack surfaces.”

**About Criminal IP**

Criminal IP is an all-in-one AI-driven threat intelligence platform that enables organizations to detect, assess, and respond to cyber threats in real time. Powered by massive-scale OSINT data and machine learning, the platform provides complete visibility into exposed assets, suspicious behaviors, and indicators of compromise.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP to Showcase Advanced Threat Intelligence at RSAC™ 2025

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android…

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution via hacked WordPress, targeted attacks using XWorm and Strela Stealer, and potential connections to Chang Way Technologies.

Cybersecurity experts at Trustwave’s SpiderLabs have discovered an increase in malicious online activities originating from a Russian “bulletproof” hosting provider known as Proton66. These services, often favoured by cybercriminals due to their relaxed policies, have been linked to a wave of attacks targeting organizations worldwide since January 8, 2025.

Researchers have detailed their findings in a two-part series. The first part highlights a major increase in “mass scanning, credential brute-forcing, and exploitation attempts” coming from Proton66’s network (ASN 198953). This means attackers were actively probing for weaknesses in systems and trying to guess login details on a large scale.

SpiderLabs has also noticed an increase in scanning and exploiting traffic from Proton66’s network from January 8, 2025, with a sharp decline in February. The attacks targeted specific network blocks, the most active being 45.135.232.0/24 and 45.140.17.0/24, while some had been inactive for a significant period, with the last reported malicious activity dating back to July and November 2021.

Traffic Volume Analysis (Source: SpiderLabs)

Notably, the address 193.143.1.65, was observed connected to the operators of a new ransomware strain called SuperBlack, and its operators were distributing “some of the latest critical priority exploits,” researchers noted in the blog post.

The second part discusses malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android users to fake Google Play Store pages likely to steal their information or install malicious apps.

The domain naming conventions used suggest targets speaking English (“us-playmarket.com“), French (“playstors-france.com“), Spanish (“updatestore-spain.com“), and Greek (“playstors-gr.com“).

SpiderLabs also discovered operators deploying Strela Stealer, an information-stealing tool that extracts email login credentials from targeted systems, between January and February 2025.

Another campaign involved XWorm malware targeting users of Korean-speaking chat rooms. Additionally, connections to WeaXor ransomware, a modified version of Mallox that encrypts files and demands a ransom for recovery, were detected. At the time of the report, the WeaXor group was asking for “$2,000, transferred in BTC or USDT.”

Sample Ransom Note (Source: SpiderLabs)

Interestingly, SpiderLabs’ investigation reveals a potential rebranding or connection between Proton66 and Hong Kong-based company, Chang Way Technologies Co. Limited. In November 2024, security firm Intrinsec linked Proton66 and PROSPERO to bulletproof hosting services advertised on underground forums as UNDERGROUND and BEARHOST.

SpiderLabs’s investigation revealed that while the Russian control panel for UNDERGROUND/BEARHOST customers remained at my.31337.ru, the my.31337.hk page was updated with a “CHANGWAY / HOSTWAY” theme. Still, technical connections between the infrastructures remained, suggesting an underlying link.

Technology and financial organizations are the prime targets of this campaign. However, the SuperBlack ransomware group preferred targeting non-profit, engineering, and financial sectors. Research by Forescout linked this IP address to the Mora\_001 threat actor who exploited vulnerabilities in Fortinet FortiOS devices, leading to the deployment of the SuperBlack ransomware.

It is worth noting that hackers have exploited vulnerabilities in Palo Alto Networks’ PAN-OS software (CVE-2025-0108), Mitel MiCollab (CVE-2024-41713), and D-Link NAS devices (CVE-2024-10914). D-Link has announced that the affected devices have reached their end-of-life, therefore, no security updates will be provided.

Nevertheless, researchers strongly recommend that organizations block all the internet address ranges associated with both Proton66 and Chang Way Technologies to protect themselves from potential compromise.

Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, commented on the development, stating that while IPs aren’t reliable indicators of threat actors, since changing scan sources is cheap, patterns like consistent brute-force attempts still matter. “It’s a reminder to monitor login velocity, harden exposed services, and make attacks costly for low-effort actors,” he said.

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

Artificial intelligence is transforming industries, but its adoption also raises ethical and cybersecurity concerns, especially in the regulated…

Artificial intelligence is transforming industries, but its adoption also raises ethical and cybersecurity concerns, especially in the regulated financial sector. Balancing innovation with responsibility is important as organizations harness AI’s potential while protecting data, ensuring fairness, and mitigating risks. 

Navigating this intersection of AI ethics, cybersecurity, and finance requires careful strategy.

****AI in Financial Systems****

AI has revolutionized financial systems by enhancing decision-making processes, optimizing resource allocation, and improving fraud detection capabilities. One prominent area where AI thrives is in trading and market analysis. Algorithms powered by AI can analyze massive datasets in real time, identifying trends and making predictions with remarkable accuracy. 

For example, traders often ask, Can you short futures effectively use AI? The answer lies in leveraging sophisticated machine learning models that evaluate market conditions, predict price movements, and execute trades with precision. 

However, employing AI in such high-stakes environments also brings ethical considerations, such as ensuring transparency in algorithmic decisions and addressing the potential for systemic risks caused by automation. Balancing these advancements with robust governance is essential to maintaining trust and stability in the financial sector.

****Why AI Ethics Matters****

AI Ethics emphasizes fairness, accountability, and transparency in developing and using artificial intelligence systems. It prompts questions like, “Is this decision fair?” or “What are the risks if this algorithm fails?” 

These issues are especially critical in finance, where AI-driven decisions can directly impact people’s financial well-being. Financial tools affect nearly every part of life from securing loans to managing investments making ethical practices essential. 

Financial platforms must ensure their AI systems don’t discriminate based on factors like ethnicity, gender, or socioeconomic status. For instance, algorithms used to determine creditworthiness or loan approvals should be carefully designed and tested to prevent bias. Accountability is just as important; companies need systems to evaluate their AI’s impact and correct mistakes. 

Transparency is another cornerstone of AI Ethics. Consumers should know how their data is collected, used, and analyzed. They also deserve clarity on AI-driven decisions and the reasoning behind them. By prioritizing fairness, accountability, and transparency, companies can build trust and ensure their tools serve users responsibly and equitably.

****The Financial Costs of Cyber Threats****

AI doesn’t just create opportunities; it generates risks too. Cybersecurity is a constant challenge. It’s already critical in finance, but AI raises the stakes further. Imagine someone hacking an AI-driven trading system. This could cause widespread market turmoil in minutes.

The costs don’t stop at financial losses. A data breach can damage a company’s reputation. People lose trust, and rebuilding that trust can take years. Businesses need strong security measures to protect against breaches and ensure their AI systems are strengthened.

****Finding Balance Between Tech and Security****

Innovation and security can often feel at odds. New technologies drive progress but can also create vulnerabilities, as cyber threats evolve just as quickly. Cybersecurity teams must not only respond to threats but also anticipate and address issues before they escalate. 

This challenge becomes even greater with AI-powered systems. While transformative, their complexity makes them prime targets for attacks like data poisoning, adversarial manipulation, or algorithm flaws any of which can have serious consequences. 

To secure these systems, organizations should take a layered approach: regular audits to find vulnerabilities, secure coding to reduce risks, and employee training on handling sensitive data. By acting proactively, businesses can innovate without compromising security.

****The Future of AI Responsibility****

The future of AI is tied to how well we manage its capabilities and risks. Industries must keep asking tough questions. How much control should AI have? How do we hold businesses accountable when things go wrong?

This future depends on a collaborative effort. Governments, businesses, and researchers need to work together. Clear regulations should guide how AI is developed and used. Companies should prioritize ethical practices without cutting corners in pursuit of profits. Transparency, fairness, and strong cybersecurity protocols must remain non-negotiable.

The future of AI is both exciting and daunting. While it holds immense potential to improve our lives, it also poses significant challenges that must be addressed. As we continue to integrate AI into our society, we must do so with caution and responsibility.

We must continue having open discussions about the ethical implications of AI and actively work towards creating regulations and guidelines that prioritize human well-being. We must also hold businesses accountable for their actions and ensure that they uphold ethical practices in the development and use of AI.

(Image by Gerd Altmann from Pixabay)

AI Ethics, Cybersecurity and Finance: Navigating the Intersection

Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new…

Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new MACE Credential Revocation app and a Microsoft error in handling user refresh tokens.

Recently, many companies experienced a problem where their employees suddenly couldn’t log into their Microsoft Entra accounts and expressed concern in a Reddit thread. Microsoft, the company behind Entra ID (previously called Azure Active Directory), has explained what happened.

It seems that a newly introduced component of Microsoft Entra ID called the MACE Credential Revocation app, which is designed to enhance security by identifying compromised credentials, mistakenly flagged many regular users as high risk. This led to widespread account lockouts.

Microsoft has traced the root cause to an internal logging issue with a feature called refresh tokens (how users stay logged), which were being logged within Microsoft’s own systems. Specifically, the standard process is to only log metadata about these short-lived tokens, and the problem arose when a subset of these tokens themselves were being logged internally “for a small percentage of users,” beginning on Friday, April 18th, 2025.

As soon as they realized this mistake on Friday, April 18th, 2025, Microsoft took action to fix it. To keep their customers safe, they decided to make these specific tokens invalid, meaning they would no longer work.

However, this process of making the tokens invalid mistakenly triggered alerts in Entra ID Protection. These alerts, sent out on Sunday, April 20th, 2025, between 4 AM and 9 AM UTC, made it seem like users’ login details might have been stolen.

Microsoft has stated that they don’t have any proof that anyone gained unauthorized access to these tokens. “We have no indication of unauthorized access to these tokens – and if we determine there were any unauthorized access, we will invoke our standard security incident response and communication processes,” the tech giant noted.  

For companies whose users were locked out because they were wrongly marked as high-risk, Microsoft suggests a solution. Administrators can use a feature called Confirm User Safe within Entra ID. This tells the system that even though an alert was raised, the user’s account is actually okay. Microsoft has provided a link to their help documentation that explains how to use this feature and understand the risk alerts. 

Microsoft is still looking into exactly what went wrong and will share a detailed report, called a Post Incident Review (PIR), with all the affected customers and anyone who opened a support ticket.

To be notified when this report is available or to stay updated on any future problems with Azure services, Microsoft recommends setting up Azure Service Health alerts. These alerts can send notifications through email, text messages, and other methods. 

Jim Routh, Chief Trust Officer Saviynt, shared his thoughts on the situation with Hackread.com. He pointed out that even though this caused problems for some Microsoft business customers over the weekend, there were some positive aspects.

“The positive news is that the disruption occurred over the weekend, and today (Monday), customers have the facts along with the fix (corrective actions) necessary for recovery,” he said. ”The vulnerability and the action taken (token invalidation) were ultimately shared by Microsoft in an advisory relatively quickly. This is a sign of health or resilience despite the inconvenience to some enterprise customers over the weekend,” Routh added.

Microsoft Entra ID Lockouts After MACE App Flags Legit Users

Fake Booking.com emails trick hotel staff into running AsyncRAT malware via fake CAPTCHA, targeting systems with remote access…

Fake Booking.com emails trick hotel staff into running AsyncRAT malware via fake CAPTCHA, targeting systems with remote access trojan.

A new phishing campaign is targeting hotel staff with fake Booking.com emails, tricking victims into executing malicious commands on their own systems. The scam appears well-planned, combining social engineering with the end aim to infect and compromise hotel networks with AsyncRAT.

****It Starts with a Convincing Email****

The attack begins with a message that appears to come from Booking.com. The email claims a guest has left behind important personal belongings and urges the hotel manager to click a button labelled “View guest information.”

The email is polite, urgent and designed to look legitimate, typical of social engineering attempts designed to trick people into clicking without thinking.

The phishing email

****A Fake CAPTCHA Hides the Real Threat****

Clicking the link takes the user to a lookalike Booking.com site hosted at: booking.partlet-id739847.com. The page initially presents a CAPTCHA asking the visitor to confirm they’re not a robot.

After checking the box, users are presented with something far more suspicious — a set of instructions that tell them to press **WIN + R** (to open the Windows Run dialogue), followed by **CTRL + V** and **Enter**. This trick uses the clipboard to deliver and execute a hidden command.

Fake CAPTCHA

****Behind the Scenes: AsyncRAT****

Security analysis of the malware delivered in this scam shows it’s AsyncRAT, a remote access trojan. This malware has been active since the second half of 2019 and has gained popularity among cybercriminals because of its open-source and highly customizable features.

AsyncRAT is capable of:

*   Keystroke logging
*   Remote desktop viewing
*   File access and data theft
*   Installing additional payloads
*   Persistent control over infected systems

AsyncRAT has been actively used in cyberattacks over the past few years. In May 2021, Microsoft observed AsyncRAT targeting aerospace and travel organizations. By November 2021, security researchers found it being delivered alongside other malware families to infect systems and steal cryptocurrencies.

In June 2023, cybersecurity firm eSentire reported a new variant called DcRAT, which was embedded in OnlyFans-related content a rebranded version of AsyncRAT. Then in January 2024, the malware was spotted targeting critical infrastructure in the United States, this time using malicious GIF and SVG files to deliver the payload.

The malware runs via MSBuild.exe, a legitimate Windows utility, helping it evade some antivirus tools. It installs itself in the %AppData% directory and communicates with a command-and-control server at 185.39.17.70 over port 8848.

****Why this Phishing Scam is Tricky****

Unlike basic phishing campaigns that aim to steal passwords, this one goes much further. It guides the user into executing malware manually, a clever way to bypass security restrictions and avoid triggering downloads.

If successful, attackers could gain full remote access to hotel systems, putting customer data, reservation info, and payment records at risk.

**Tips for Hotels and Staff**

*   Never click links in unsolicited emails, even if they look official.

*   Don’t run commands based on instructions from emails or websites, especially anything involving the Windows Run dialogue.

*   Check the domain, real Booking.com links don’t contain extra subdomains like partlet-id739847.

*   Report suspicious messages directly to Booking.com via their official partner support channels.

This campaign is just another example of how phishing has become a threat by combining realistic branding with malware execution tactics. Hotel managers and staff should stay alert and treat any unexpected email involving guest data with caution.

Booking.com Phishing Scam Uses Fake CAPTCHA to Install AsyncRAT

There’s nothing like the freedom of the open road when you’re on a motorcycle. But staying connected while…

There’s nothing like the freedom of the open road when you’re on a motorcycle. But staying connected while you ride can be tough. Whether it’s for safety, directions, or just talking to a passenger or riding group, a Bluetooth motorcycle intercom can make a huge difference. It adds convenience, safety, and a lot more enjoyment to the ride.

Whether you prefer solo rides through winding backroads or cruising with a group, a Bluetooth intercom in your helmet can change the experience completely. Here’s a look at what these systems do, how they work, and what to look for when choosing one.

****What is a Bluetooth motorcycle intercom?****

It’s a wireless device that lets motorcyclists talk to each other or connect to things like their phone or GPS while riding. The system is usually mounted on a helmet and uses Bluetooth to make the connections.

With one of these, you can:

*   Take phone calls hands-free

*   Listen to music or podcasts

*   Hear turn-by-turn GPS directions

*   Talk to a passenger or fellow riders

*   Use voice commands to keep your hands on the handlebars

So it’s not just about staying in touch it’s also about staying safe and focused.

****Types of intercoms to choose from****

According to MomanX, an online store specializing in technology gadgets, the Bluetooth motorcycle intercom comes in various designs to meet the needs of different riders. Here are three popular types to consider:

**Bluetooth intercoms for full-face or modular helmets**: This is the most common type. It fits securely and offers good sound, decent noise filtering, and usually holds up well in the weather.

**Intercoms for half helmets**: If you wear a half helmet, you’ll need a different design. These usually include clip-on mics and speakers that sit outside the helmet, and they’re built to handle wind and road noise.

**Bluetooth intercoms for cyclists**: These are similar but built for bicycle helmets. They’re lighter, have long battery life, and work well for team rides or coaching.

****How do they work?****

Most of them pair using Bluetooth, so you can link your helmet to other riders or to devices like your phone or GPS. Basic ones connect a couple of helmets, while advanced models can handle larger groups with mesh tech or chain-style connections.

They also use full-duplex communication, which means you can talk and listen at the same time, just like a phone call.

Once everything’s paired, the intercom can stream audio from your phone, play GPS directions, or let you answer calls. Some systems let you do all of these at once, so you don’t have to switch between tasks.

****Why use one?****

**Easier communication** – Whether you’re warning someone about a pothole or just chatting, being able to talk without pulling over makes the ride smoother and safer.

**Better navigation** – You can keep your eyes on the road and still hear directions clearly without needing to check your screen.

**Entertainment** – Long rides can get tiring. Having music, a podcast, or even an audiobook can keep you alert and in the zone.

****What features should you look for?****

**Audio multitasking** – Some intercoms let you listen to music while still being connected to your intercom. That way, nothing gets interrupted and everything flows naturally.

**Range and group size** – Different models have different ranges. Some only reach a few hundred meters, while others can stretch several miles. If you often ride in a group, go for one that supports more riders and has solid connectivity.

**Sound quality and noise control** – Road noise is no joke. A good intercom will have solid speakers, noise cancellation, and adjustable volume so you can hear clearly even at highway speeds.

**Battery life** – If you’re doing longer rides, you’ll want a system that lasts. Most good ones run for 8 to 15 hours. Quick charging is a bonus if you’re stopping for fuel or food.

**Weather resistance** – You never know what the weather will do. Look for something waterproof or at least resistant to rain and dust.

**Voice control** – Being able to use your voice for commands helps you keep your hands on the bars and your eyes on the road.

****Solo rides vs group rides****

**If you ride solo** – Even if you’re riding alone, an intercom is still useful. You can make calls, follow directions, and listen to your music or podcast without having to stop and mess with your phone.

**If you ride in a group** – Communication becomes a big deal when you’re riding with others. You can share updates about traffic, keep formation, and plan stops without needing hand signals or guesswork.

**Setup and helmet fit** – Most intercoms come with mounting gear and install pretty easily. They’re compatible with most helmets, but it’s always good to check how the system fits with your helmet’s shape and padding.

Whether you’re out on a quiet solo ride or leading a group down a scenic route, a Bluetooth motorcycle intercom can really improve the experience. It keeps you connected without being distracting and gives you better control over your ride. It’s not just a gadget anymore it’s something that can seriously level up how you ride.

Riding Smarter: A Guide to Bluetooth Motorcycle Intercoms

Morphisec discovers a new malware threat ResolverRAT, that combines advanced methods for running code directly in computer memory,…

Morphisec discovers a new malware threat ResolverRAT, that combines advanced methods for running code directly in computer memory, figuring out necessary system functions and resources as it runs, and employing multiple layers of techniques to avoid detection by security software.

A new and sophisticated piece of malware, dubbed ResolverRAT by Morphisec researchers, has been discovered actively targeting organisations within the healthcare and pharmaceutical sectors, with the most recent wave of attacks occurring around March 10, 2025.

Morphisec’s Threat Labs researchers dubbed it Resolver because of the malware’s high reliance on figuring things out and handling resources dynamically while running, making it much harder for traditional methods to detect it.

According to researchers, ResolverRAT is distributed via phishing emails designed to create a sense of urgency or fear, pressuring recipients to click on a malicious link. Once clicked, the link leads to a file that starts the ResolverRAT infection process.

This is a highly localised phishing attack as the emails are written in the native language of the targeted country and consistently use alarming subjects, such as legal investigations or copyright violations. This multi-language approach suggests a global operation aimed at maximising successful infections through personalised targeting.

Use of native language subject lines (Source: Morphisec)

ResolverRAT infections begin with DLL side-loading, a technique that involves placing a malicious DLL file alongside a legitimate, signed program, identified as ‘hpreader.exe‘ in this case. When ‘hpreader.exe’ is executed, it unknowingly loads the malicious DLL, triggering the malware’s execution.

Interestingly, the same executable was identified by CPR in a recent campaign distributing the Rhadamanthys malware, and Cisco Talos documented similar phishing techniques used to deliver Lumma information-stealing malware. This could suggest that the groups are reusing tools, sharing resources, or part of a coordinated effort or shared network of cybercriminal affiliates.

ResolverRAT employs multiple layers of evasion to avoid detection, including extensive code obfuscation and a custom protocol over standard ports to blend network traffic. It executes malicious code directly in the computer’s memory (in-memory execution) and dynamically identifies and uses necessary system functions as it runs (API resolution).

To stay on an infected system even after a reboot, ResolverRAT creates up to 20 entries in the Windows Registry, spread across various locations, and installs copies of itself in various locations.

Moreover, the malware uses a unique method of certificate validation and ‘.NET Resource Resolver Hijacking’ technique is a key element of its stealth. Additionally, it attempts to fingerprint analysis environments and can alter its behaviour when it detects it’s being examined.

It allows attackers to steal sensitive information like credentials and patient data, breaking large datasets into smaller chunks for easier transmission. ResolverRAT also has remote access capabilities, allowing attackers to execute commands, upload files, take screenshots, capture keystrokes, and potentially deploy further malware.

This sophisticated blend of in-memory execution, advanced evasion techniques, and resilient C2 infrastructure poses a substantial threat to sensitive sectors like healthcare and pharmaceuticals, highlighting the need for organisations to adopt proactive defence strategies to effectively counter these threats.

Native Language Phishing Spreads ResolverRAT to Healthcare

Government-backed hacking groups from North Korea (TA427), Iran (TA450), and Russia (UNK_RemoteRogue, TA422) are now using the ClickFix…

Government-backed hacking groups from North Korea (TA427), Iran (TA450), and Russia (UNK\_RemoteRogue, TA422) are now using the ClickFix technique in their espionage campaigns. Learn about Proofpoint’s insights into this new wave of attacks.

Proofpoint has recently discovered a concerning development related to the ClickFix attack, a dangerous social engineering method. Reportedly, government-backed hacking groups are now using this technique, exploiting users’ trust by presenting fake error messages or security alerts from the operating system or familiar applications.

Users are tricked into downloading and running a code in their computer’s command line interface, believing it is a solution to their problem. However, when run, this code executes malicious commands on the victim’s machine.

Last year, Hackread.com raised an alarm about the rising popularity of the ClickFix attack among cybercriminals starting in March 2024, after groups like TA571 and ClearFake used it. In October 2024, Sekoia observed a rise in ClickFix attacks involving fake Google Meet, Chrome, and Facebook pages tricking users into downloading malware.

The latest wave of ClickFix attacks was observed between July 2024 and early 2025, with North Korea, Iran, and Russia-backed hackers incorporating ClickFix into their usual operations.

Attacks Timeline (Source: Proofpoint)

****North Korea (TA427)****

In early 2025, TA427 (Kimsuky, Emerald Sleet) targeted individuals from 5 organisations in the think tank sector working on North Korea affairs. They used deceptive meeting requests and fake websites to trick them into running PowerShell commands. One successful attack involved impersonating a Japanese diplomat (Ambassador Shigeo Yamada) and led to the installation of QuasarRAT malware.

Malicious email (Source: Proofpoint)

****Iran (TA450)****

In November 2024, TA450 (MuddyWater, Mango Sandstorm) targeted 39 organisations, mainly finance and government sectors, in the Middle East with fake Microsoft security update emails. They used ClickFix to persuade users to run PowerShell commands that installed the Level RMM tool, which the attackers intended to use for espionage and data theft. No further use of ClickFix by this group was observed afterwards.

****Russia (UNK\_RemoteRogue and TA422)****

UNK\_RemoteRogue used ClickFix once in December 2024, targeting individuals in two prominent arms manufacturing firms in the defence industry, sending emails with a link to a fake Microsoft Office page with Russian instructions to copy/paste code that executed JavaScript and then PowerShell linked to the Empire framework.

TA422 (Sofacy, APT28) employed ClickFix in October 2024, targeting Ukrainian entities, sending phishing emails with a link mimicking a Google spreadsheet sent out by CERT-UA that led to a reCAPTCHA, which, upon clicking, provided a PowerShell command to create an SSH tunnel and run Metasploit.

These groups, however, are not completely changing their attack methods. Instead, they are using ClickFix to replace certain steps in how they initially infect a target’s computer and run malicious software. Also, according to Proofpoint’s blog post, they have not observed any Chinese government-backed groups using ClickFix, possibly due to limited visibility into their activities.

Even though ClickFix is not yet a standard tool for state-sponsored actors, its increasing popularity suggests that this technique could become more common in government-backed cyber espionage campaigns in the coming months, researchers conclude.

North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks

Dallas, United States, TX, 21st April 2025, CyberNewsWire

**Dallas, United States, TX, April 21st, 2025, CyberNewsWire**

Brings Automated Response to Your Assets, Identity, Vulnerabilities, Alerts, and More to Redefine Risk Prioritization.

For years, security teams have operated in reactive mode, contending with siloed tools, fragmented intelligence, and a never-ending backlog of alerts. Traditional Security Operations platforms were supposed to unify data and streamline response—but they often introduced their own complexity, requiring heavy customization and manual oversight. “Hyper automation” delivered much of the same empty promises, leaving most security teams firefighting today’s incidents with limited bandwidth to proactively manage tomorrow’s risks.

At the 2025 RSA Conference, StrikeReady is introducing its next-generation Security Command Center v2. This AI-powered platform is engineered to go beyond basic alert processing, offering integrated asset and identity visibility, comprehensive vulnerability management, and coordinated automated response capabilities—enabling organizations to address threats with a focus on effective risk resolution.

> “We built StrikeReady to help security teams escape the cycle of perpetual reactivity,” said Alex Lanstein, CTO at StrikeReady. “With our platform, you don’t just see threats faster—you control and reduce risk in real time, closing gaps before they’re exploited. It’s a complete shift from dousing fires to preventing them from igniting.”

**v2 Key Business Outcomes and Metrics**

**1\. Proactive Risk Visibility**

A consolidated risk view across your identities, assets, and vulnerabilities, validated in a single unified interface/command center. Enable informed, strategic planning, rather than being in constant firefighting mode.

**2\. Radical Time Reduction**

Validating risk with threat intelligence, like threat intelligence reports, is cut from four to six hours to four to six minutes.

Alert processing drops from one hour to one minute, freeing analysts to focus on hunting.

All alerts, from any source—high, medium, and low severity—are all processed without differentiation, and at machine speed and accuracy.

**3\. Better, Faster, and More Cost-Effective Deployments**

Automated workflows and capabilities can be live in as little as 60 minutes, unlike traditional automation systems that often require six to 18 months of customization and cost upwards of $1 million.

**4\. Lower Operational Expenses**

One of many examples is phishing alert backlogs cleared in minutes, reducing manual efforts and saving over $180,000 annually.

Analysts spend less time on foundational work, false positives, and repetitive tasks, slashing overhead and burnout.

**5\. Native Case Management, Collaboration, and Real-Time Validation**

Built-in case management means no external ticketing, and zero trust collaboration with any internal or external team, with auto-documentation as standard (auditable).

**6\. Validate Your Security Controls** 

Use prepackaged or custom live attack content across your endpoints, cloud, and network to assess your security posture, resolve risk, and report improvements to your business.

**7\. Moving from Alerts to Strategic Defense**

While many AI-based security solutions focus on short-term alert handling, StrikeReady frames cybersecurity as an end-to-end risk management process. The platform’s proprietary Large Action Model (LAM) goes beyond mere analysis—directly executing defensive actions across the environment based on user prompts. This proactive approach helps organizations:

**Optimize** existing security investments by centralizing management.

**Preemptively** counter sophisticated threats, rather than reacting after the fact.

**Continuously** improve security efficiency through automation and instant control validation.

> “Success in cybersecurity today isn’t about chasing the latest threat—it’s about operationalizing intelligence, standardizing incident resolution, and eliminating friction at every step,” said Adil Mufti, CISO at StrikeReady. “StrikeReady makes this shift possible by consolidating the entire security lifecycle under one roof.”

**Experience StrikeReady at RSA Conference**

At **RSA Conference 2025**, StrikeReady will demonstrate live how the platform unifies risk visibility, orchestrates proactive actions, and frees analysts to make strategic decisions. Attendees can learn how to lower mean time to respond (MTTR), reduce false positives, and transform their SOC from a reactive entity into a proactive defense powerhouse.

**About StrikeReady**

Founded in 2019, StrikeReady introduced the first unified, vendor-agnostic, AI-powered Security Command Center delivering full-spectrum risk visibility, intelligent threat management, and automated response from a single, integrated platform.

By unifying identities, assets, vulnerabilities, and advanced simulations in one place, StrikeReady empowers organizations to proactively defend against modern threats and stay ahead of an ever-shifting cyber landscape. Moving beyond conventional AI, StrikeReady leverages its Large Action Model (LAM) to automate actions across the tech stack, creating a force multiplier for security teams seeking truly proactive risk management.

Recognized by Gartner as the only Virtual Security Assistant in its Emerging Technologies report, StrikeReady is dedicated to reshaping the future of cybersecurity.

**For more information users can visit**: https://strikeready.com/

**To schedule a demo at RSA, users can contact:** 

Lee Weyers | \[email protected\] | +1 (702) 588-1131

**Contact**

**Director, Public Relations**  
**Cara Harbor**  
**StrikeReady**  
**\[email protected\]**

Source

HackRead