eSentire TRU analyses the new DarkCloud V4.2 infostealer, rewritten in VB6. Find out how the malware steals browser data, crypto, and contacts via targeted phishing.

A recent security research from eSentire’s Threat Response Unit (TRU) has revealed the sudden rise of a dangerous information-stealing malware (Infostealer) known as DarkCloud, which cybercriminals are using to grab private data.

TRU Researchers discovered the latest version of DarkCloud Infostealer, version 4.2, during an attempted attack in September 2025 against their customer in the manufacturing industry.

DarkCloud is not new, but it has been completely rewritten using a programming language called VB6. It used to be sold on the Russian cybercrime forum XSS.is, which was shut down by law enforcement back in July 2025.

As Hackread.com reported at the time, the site was seized on July 23, 2025, after authorities arrested a suspected administrator in Ukraine. However, by July 24, the XSS forum was confirmed to be back online using its mirror and .onion domains.

Today, the malware is sold on its own website, darkcloud(.)onlinewebshop(.)net, and is also offered through the messaging app Telegram by a user known as @BluCoder.

DarkCloud website (Source: eSentire)

****Phishing Lure****

eSentire TRU explained that the attack began with a phishing email that looked like it was about financial information and had a malicious compressed file attached. The email was sent by “procure@bmuxitq(.)shop” and was themed with the subject “Swift Message MT103 Addiko Bank ad: FT2521935SVT.” The malicious compressed file attached was named “Swift Message MT103 FT2521935SVT.zip.”

Malicious email (Source: eSentire)

This shows that “phishing emails continue to remain a key vector for malware distribution,” researchers noted in the blog post shared with Hackread.com. This means that these fake emails are still one of the main ways this software gets onto a system. Researchers caught the spam emails and stopped the DarkCloud Infostealer delivery for their client in September 2025.

****What Does DarkCloud Infostealer Steal?****

This malware is designed to steal various kinds of sensitive information. This includes browser passwords, credit card numbers, website cookies, login details for FTP, what you type (keystrokes), and even content from your clipboard.

It also targets files such as documents and spreadsheets (including extensions like .txt, .pdf, .doc, and .xls), cryptocurrency wallets, and extracts contact information from email clients, including Thunderbird, MailMaster, and eM Client. All of this stolen data is then sent to the criminals using channels like Telegram, FTP, email, or even a Web Panel using PHP scripts.

****Fight DarkCloud Infostealer****

eSentire TRU has not only analysed the threat but also released two helpful programs to help other security researchers. One tool can pull out the setup details of the malware, and the other is a Python-based script that can unjumble its secret code. To protect yourself from threats like this, researchers recommend using email protection that blocks suspicious files like compressed folders with executable programs inside.

DarkCloud Infostealer Relaunched to Grab Credentials, Crypto and Contacts

As the digital asset market matures and regulators worldwide work to set clear standards, one fact has become…

As the digital asset market matures and regulators worldwide work to set clear standards, one fact has become obvious: Compliance is not a burden; it is a business advantage. For cryptocurrency entrepreneurs, the choice of jurisdiction can determine how quickly you scale, how confidently you attract capital, and how much trust you earn. Increasingly, many find that the smart move is Canada.

****Why Canada Stands Out****

Launching a crypto venture often feels like navigating an obstacle course. In some regions, rules are unclear, regulators remain distant, and even basic tasks like opening a bank account can be a struggle. Canada offers a different experience.

*   **Clear but adaptable rules** – Its licensing framework is rigorous enough to inspire confidence while remaining flexible enough to adjust as technology evolves.

*   **Constructive regulator dialogue** – Authorities are known to engage with businesses, shaping policy around operational realities rather than imposing outdated rules.

This balanced approach has earned Canada a reputation as one of the most credible and forward-looking jurisdictions for digital assets. Entrepreneurs spend less time guessing what regulators expect and more time building.

****Turning Compliance Into an Edge****

Scepticism around crypto is still widespread. Investors hesitate, banks remain cautious, and potential partners demand reassurance. A Canadian crypto license cuts through that hesitation and demonstrates trustworthiness.

That credibility brings tangible benefits:

*   **Banking access** – Licensed operators are more likely to secure accounts and relationships that remain out of reach for unlicensed startups.

*   **Investor confidence** – Institutional capital flows more easily toward regulated businesses, from venture firms to corporate treasuries.

*   **Market trust** – A license signals to partners and users alike that the business is built for the long term.

****Scaling in a Sophisticated Market****

Canada is not just regulation-friendly, it is also a prime market in its own right. As the world’s tenth-largest economy, with a digitally savvy population and a thriving fintech ecosystem, it provides a strong base of engaged users.

For many companies, a Canadian license becomes a springboard into North America and other global markets. The process is often more streamlined and cost-effective than in competing jurisdictions, which means faster entry and fewer delays. In an industry where every month of waiting is a lost chance for growth, speed matters.

****Staying Ahead of Global Regulation****

From Europe to Asia to the Americas, new digital asset rules are being introduced, many of them echoing Canada’s measured approach. By getting licensed in Canada, businesses align early with the direction global regulation is heading.

Advantages include:

*   **Established regulator relationships** – Channels of communication that make adapting to new frameworks smoother.

*   **Defined boundaries** – Clear compliance standards reduce the risk of sudden, disruptive enforcement.

While competitors scramble to interpret shifting rules, licensed operators in Canada move forward with certainty.

****The Real Risk: Inaction****

For crypto entrepreneurs, the greatest risk is not regulation but waiting too long to engage with it. Without a license, obstacles multiply: banks decline accounts, investors hesitate, and partners gravitate toward more credible competitors.

A Canadian crypto license offers what businesses need most today: trust, access, and a platform for sustainable growth.

****Final Word****

Compliance has moved from a checkbox to a competitive advantage. Canada has built one of the world’s most supportive regulatory environments for cryptocurrency, giving entrepreneurs the clarity, credibility, and reach to succeed on a global stage.

For those serious about building ventures that last, Canada is more than a safe choice; it is a strategic one. Now is the time to act and secure the foundation that separates businesses that scale from those that stall.

(Image by WorldSpectrum from Pixabay)

Accelerate Crypto Success: Why a Canadian Crypto License Is Your Launchpad to Growth

Harry Jackson went into Kathmandu as a tourist. He ended up being one of the main international sources of news on Nepal’s Gen Z protests.

When Harry Jackson pulled his small motorcycle into Kathmandu on September 8, he had no idea the city was exploding in protests. He didn’t even know there was a curfew. People in Nepal, largely driven by Gen Z youth, had taken to the streets, and that day riots broke out when nearly two dozen people were shot and killed by authorities. In the middle of it all was Jackson, a travel vlogger riding from Thailand to the United Kingdom on his bike.

Within a day, the mass demonstrations that filled the capital would do the seemingly impossible: defy trigger-happy law enforcement, storm the grounds of parliament and set fire to the building, and oust a prime minister. Jackson, who had been documenting his journey for months on YouTube, Instagram, and other social media under the @wehatethecold channel, became one of the main ways people around the world saw what was happening in Nepal as youth-led protests toppled the government.

Anger had been simmering in Nepal for months, much of it driven by widespread corruption among politicians. Many of those politicians’ children also flaunted their wealth, often on social media. They in turn were called out online by Nepali people, and on September 4, the government banned 26 social media platforms. Protests started, and large demonstrations broke out on September 8, with police using tear gas, rubber bullets, and live ammunition on crowds of largely young demonstrators. That’s when Jackson arrived, filming his way through marches and capturing the sounds of gunshots.

Video still courtesy of @wehatethecold

Jackson had been in Nepal earlier in June but returned due to other geopolitical issues. He had planned to be in Kathmandu for a short, easy stop to get his Honda CT125 shipped for the next leg of his journey. He had been in India, trying to cross into Pakistan. But the border was closed, so he headed north to Nepal. After getting a hotel and catching up on events, he decided to tag along with some people and see the protests the next day. He’d been told it wasn’t safe for tourists but said he was willing to roll the dice, especially after having ridden his bike through some unsafe roads for weeks. On September 9 he was out among the protests for several hours, and by midafternoon decided to get back to his hotel to quickly edit the footage and get it published.

“This footage just has to go online. I was watching it back and reliving the time and thinking, wow, this is insane,” he tells WIRED. “They’re burning parliament, this is huge!”

Jackson was with crowds as they moved through narrow streets, eventually descending on the large area around the parliament building. The footage Jackson captured that day shows a mix of chaos—including hundreds fleeing gunshots—and mutual aid, with people stopping to hand out water, check in on each other, and help those hurt by tear gas. In the video, Jackson, 28, moves through the protesters, asking what the latest is, following the crowds as they get closer to the seat of power. His video took off, racking up millions of views in just hours, and it has more than 30 million views on YouTube alone.

Video still courtesy of @wehatethecold

“I have truly witnessed history, on a stupid trip from Thailand to England on a fucking moped!” Jackson shouts into the camera over the sound of chants, drums, fire, and upheaval.

Over the course of those two days, more than 70 people were killed and more than 21,000 injured. Several buildings were burned, including the parliament building and the homes of several politicians—busy shopping areas and popular neighborhood spots were left untouched, however, as Jackson’s videos show. The protests got results fast. K.P. Sharma Oli stepped down as prime minister after retaking office last summer. Nepal’s president dissolved the government and set new elections for March. Sushila Karki, a former chief justice, was named interim prime minister, in part following heavy debate and votes on the Discord messaging app, which activists had turned to regularly to communicate ahead of and during the protests.

After he started filming the protests, Jackson said in his videos and on social media that he does not consider himself a journalist, just a tourist filming what’s around him. “I don’t know what constitutes journalism and what doesn’t. I could be filming temples and asking people about temples; is that journalism? I went into this with the intention of being a YouTuber. I don’t have a journalist visa. I don’t have a journalism degree.”

Video still courtesy of @wehatethecold

As for why his videos took off, he admits that being a foreigner—specifically, a white, British one—probably played a small element in the international attention. But he put it more on him being a foreigner who was able to get up close to the events and capture dramatic footage. Jackson notes that there were plenty of local Nepali media and foreign news outlets there, but especially on September 9, many seemed to be hanging back, filming from a distance as fires raged. Jackson says that he asked many of his new Nepali friends about that dynamic. He said he was told it was in part because he showed up genuinely out of the loop, so he came into the protests without any bias or political lens, just filming the protests raw.

Since that day at parliament and after Oli was ousted, the protests have gotten attention in international media, but Jackson is surprised it hasn’t become a bigger story. He notes that other protests around the world had gotten some larger attention, but not the successful ones in Nepal. “It didn’t spread as much as it should—that was the literal collapse of a government,” he says.

Video still courtesy of @wehatethecold

The coverage that did come out, Jackson says, seemed to boil it down to singular causes, like the social media ban. “Trust Gen Z to protest—they’re without dopamine for a day,” he says sarcastically. Jackson says he had no intention of trying to speak for the people of Nepal, but from the conversations he’d had since arriving in Kathmandu, people told him that it was more about long-simmering issues over corruption that drove the organizing. He pointed to the nearly 20 people killed on September 8 as a catalyst for the escalation on the streets that led to the major government upheaval. “You know, ‘You shot 20 people, so we’re going to go harder,’” he says.

The massive surge in viewers also turned Jackson into a “weird local celebrity,” he says, bemused. In his videos since September 9, he says, people keep coming up to say hi, grab a selfie, or ask if he’s the guy from @wehatethecold. And there are the memes, both in Nepal and elsewhere. Edits of his protest videos, with Jackson running around the chaos, have spread, often with captions like “Guy goes on a holiday and ends up at a revolution.”

Video still courtesy of @wehatethecold

In the aftermath of the protest, Nepal’s new government is looking to investigate what led to the police violence earlier in September. The new prime minister set up a commission to investigate the assaults, deaths, and arsons.

Since those two chaotic days, Jackson has continued filming, using the new attention to his channels to show the people he met in Kathmandu and parts of the city that aren’t burning or surrounded by armed security forces. Shops are reopening, people are going out, and there is a positivity around the city, he says. After initially intending to get in and out of Nepal quickly for his journey, Jackson now says he’s going to stick around a little longer. He wants to show what’s going on in Nepal after the chaos from his first videos in the country, and some of the connections he has made since coming back have opened up new opportunities for what kind of places he can visit.

Video still courtesy of @wehatethecold

“I haven't had any bad experiences,” he says. “And it was kind of my duty to do that, to keep filing. They’ve helped me so much.”

How a Travel YouTuber Captured Nepal’s Revolution for the World

Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be exeucted.

This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).

**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-529q-4j3p-7c5r: algoliasearch-helper is vulnerable to Prototype Pollution in _merge()

Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out of range".

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-fmjh-f678-cv3x: github.com/nyaruka/phonenumbers Vulnerable to Improper Validation of Syntactic Correctness of Input

PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user s browser.

GHSA-456v-f425-8mcv: PiranhaCMS stored XSS

By inflating numbers and narrowing definitions, Heritage promotes a false link between transgender identity and violence in its push for the FBI to create a new terrorism category.

In the wake of Charlie Kirk’s killing, the Republican policy apparatus went immediately to work. The Heritage Foundation, which published Project 2025, and its spinoff, the Oversight Project, issued a call for the Federal Bureau of Investigation to designate “Transgender Ideology-Inspired Violent Extremism,” or TIVE, as a domestic terrorism threat category. The push comes as President Donald Trump just signed an executive order that seeks to mobilize federal law enforcement against vaguely defined domestic terror networks.

The Heritage Foundation and Oversight Project document, which defines “transgender ideology” as “a belief that wholly or partially rejects fundamental science about human sex being biologically determined before birth, binary, and immutable," grounds its policy recommendations in a startling claim: “Experts estimate that 50% of all major (non-gang related) school shootings since 2015 have involved or likely involved transgender ideology.”

When WIRED asked for the data behind this claim, the Oversight Project did not respond; the Heritage Foundation pointed to a tweet from one of its vice presidents, Roger Severino, claiming that “50% of major (non-gang) school shootings since 2015” involve a transgender shooter or trans-related motive. Severino also lays out what appears to be his entire dataset: eight shootings, four of which, he claims, involve “a trans-identifying shooter and/or a likely trans-ideology related motivation.”

The data tell a different story.

Since 2015, at least four dozen shootings have taken place on school grounds, according to data from the K-12 School Shooting Database, which has tracked every incident involving a gun on school grounds since 1966. Only three perpetrators in the database—the 2019 shooter at STEM School Highlands Ranch in Colorado and the Covenant School shooter in Nashville in 2023 among them—have been credibly identified in public reporting as transgender or undergoing gender-affirming care. Nashville police concluded the shooter there was not motivated by a clear political or ideological agenda, but prioritized notoriety and infamy. In Colorado, investigators say one of the shooters, a transgender boy, cited bullying and long-standing mental health struggles as motivations.

In an August shooting, a 23-year-old individual opened fire outside Annunciation Catholic Church in Minneapolis. The shooter had legally changed their name and written about conflict over gender identity, but there is no public evidence they consistently identified as transgender, making classification uncertain. Police say the attack was fueled by hostility toward Jews, Christians, and minorities, along with a quest for notoriety. Prosecutors added the animus was sweeping, saying the shooter “expressed hate towards almost every group imaginable.”

The K-12 database, the most comprehensive of its kind, does not include gender data for about 12.5 percent of school shooters since 2015, which only makes it more difficult to draw firm conclusions about broader patterns.

Other mass shootings at schools, including Parkland in 2018 and Uvalde in 2022, were carried out by young men with histories of grievance, misogyny, or violent ideation. None were tied to “transgender ideology.”

The larger pattern, researchers say, points in the opposite direction: White supremacist, anti-government, and misogynist beliefs account for the lion’s share of ideologically motivated gun violence. Targeting “transgender ideology” as a terrorism category, they warn, confuses identity with ideology, risks licensing violence against anyone who defies gender norms, and shifts attention away from the real drivers of schoolyard violence.

“There are no legitimate studies that suggest that a majority of school shootings since 2015 involve trangender people,” said Rachel Carroll Rivas and R. G. Cravens of the Southern Poverty Law Center’s Intelligence Project in an email. “Trans people are far more likely to be victimized by gun violence than to perpetrate it.”

The FBI defines a “mass shooting” as an incident in which four or more victims are killed by gunfire, not including the shooter or shooters. However, other less restrictive definitions are more widely accepted. The Gun Violence Archive, which has tracked gun violence in the US since 2013, includes incidents in which four or more victims are killed or injured in its “mass shooting” definition. There is no consensus on the definition of a “major” shooting, as described by the Heritage Foundation’s Severino.

Severino did not immediately respond to a request for comment.

According to a WIRED analysis of data provided by data scientist David Riedman, creator of the K-12 School Shooting Database, there have been 48 school shootings with four or more victims—injured or killed—since the start of 2015. (Just six of those meet the FBI’s definition of a mass shooting.) Of the 48 shootings, 45 have no known connection to gang activity. Three were by shooters identified in public reporting as being or having been transgender or having undergone gender-affirming care. Six of the 48 shootings since 2015 do not list the gender of the shooter, primarily because their identity was unknown to authorities.

There have been 74 total active school shooter incidents since 2015; of those, three of the perpetrators have identified as transgender, according to Riedman’s data. Data collected by the Gun Violence Archive shows that there were 5,748 mass shootings at any location in the US between January 1, 2013, and September 15, 2025; of those, five of the shooters identified as transgender people, nonbinary, or having undergone gender-affirming care—less than 0.087 percent.

In other words, Heritage’s “50 percent” claim is not just unsupported, it appears misleading by design, arbitrary in scope, and unscientific at its core.

“A methodology that limits the pool of potential observations in this way suggests researchers have a predetermined outcome in mind,” Cravens and Carroll Rivas say. “It's a method that suggests the researchers are committing an error called selecting on the dependent variable—choosing a sample that ensures the study will produce the desired outcome. In combination with the use of ‘trans ideology,’ this suggests that the desired outcome is the further scapegoating and demonization of transgender people.”

Heritage reaches its 50 percent figure by shrinking the universe of school shootings to a hand-picked few. Severino first rules out incidents rooted in crime, personal disputes, or workplace grievances. He then defines “major” school shootings as those he says are intended to “send a public message.” Applying those filters, Heritage crops down decades’ worth of incidents into fewer than 10 cases—a sample small enough that even a few shooters with one or two shared traits can be made to look like half. Broader databases, which count school shootings by more consistent criteria, show dozens of incidents each year and make clear that Heritage’s figures rest on a frame built to exaggerate, not measure—to reflect a narrative, not reality.

The Heritage Foundation did not respond to questions about the discrepancies between Severino’s conclusions and those of other researchers.

Experts say Heritage's push not only distorts the data but also diverts attention from the extremist movements actually driving violence: nihilistic violent extremist networks, accelerationist neo-fascist movements, and lone actors motivated by any number of far-right culture war grievances. Jonathan Lewis, a researcher at George Washington University’s Program on Extremism, tells WIRED: “There is no academic publication I am aware of which has found any causal relationship between an individual’s gender identity and their radicalization or mobilization, nor which establishes any basis for such an argument.”

“Any definitional framework that only includes eight of the hundreds of school shootings in the last decade,” he adds, “is certainly of questionable analytic value.”

Civil rights advocates see the proposal and Trump’s executive order as working hand in hand—moves that redefine political opposition as extremism and open the door to targeting marginalized communities. “Today we saw this administration’s latest attempt to divide, scare, and intimidate those who work to advance freedom and equality,” says Kelley Robinson, president of the Human Rights Campaign. She called the effort to label opponents as extremists “dangerous, unconstitutional, and un-American,” and part of a broader escalation by the administration to turn people’s identity into suspicious characteristics and grounds for targeting.

The timing is also notable, as federal resources for countering domestic terrorism are being steadily cut back.

The FBI has consistently diverted resources away from domestic terrorism investigations this year, pulling staff from specialized units and discounting tools long used to track extremist cases. By May, agents in field offices had been ordered to devote at least a third of their time to immigration enforcement instead, moving national security specialists into work far outside the bureau’s traditional role. Some counterterrorism agents were abruptly recalled to their posts after a US strike on Iranian nuclear facilities—a reversal that only underscored the chaos created by constant shifts in priorities.

The administration previously gutted tens of millions of dollars from federal terrorism-prevention grants at the same time, shuttering key programs at the Department of Homeland Security’s Center for Prevention Programs and Partnerships. Senator Dick Durbin, the ranking member of the Senate Judiciary Committee, called it a “broad institutional pullback” from investigating domestic terrorism, even as, he noted, “experts continue to warn about intensifying danger.”

Other experts say the retreat amounts to abandoning the fight against homegrown extremism altogether—at one of the worst possible moments.

The Heritage Foundation, whose Project 2025 policy recommendations have been widely adopted by the Trump administration, is urging the FBI to create the “TIVE” terrorism designation amid increasingly fervent anti-trans propaganda from right-wing groups.

A super PAC associated with the American Principles Project, a socially conservative group often aligned with Heritage on cultural and transgender policy, has rolled out aggressive campaign ads this week targeting, for example, US representative Mikie Sherrill, a Democrat of New Jersey, over her support for transgender rights. The spot portrays Sherrill’s positions, and trans people, in lurid, grotesque terms—a hallmark of APP’s approach in recent years as it seeks to turn transgender issues into a wedge in congressional races.

The group, led by Terry Schilling, has made opposition to trans rights central to its political strategy, running provocative ads in multiple states with the aim of stirring backlash among voters who reject transgender people’s right to exist. It did not immediately respond to a request for comment.

Heritage Foundation Uses Bogus Stat to Push a Trans Terrorism Classification

A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner.
"The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments," Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The

A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver **CountLoader**, which is then used to drop **Amatera Stealer** and **PureMiner**.

"The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments," Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The Hacker News.

In the attack chains documented by the cybersecurity company, the SVG files are used to initiate the download of a password-protected ZIP archive, which contains a Compiled HTML Help (CHM) file. The CHM file, when launched, activates a chain of events that culminate in the deployment of CountLoader. The email messages claim to be a notice from the National Police of Ukraine.

CountLoader, which was the subject of a recent analysis by Silent Push, has been found to drop various payloads like Cobalt Strike, AdaptixC2, and PureHVNC RAT. In this attack chain, however, it serves as a distribution vector for Amatera Stealer, a variant of ACRStealer, and PureMiner, a stealthy .NET cryptocurrency miner.

It's worth pointing out that both PureHVNC RAT and PureMiner are part of a broader malware suite developed by a threat actor known as PureCoder. Some of the other products from the same author include -

*   PureCrypter, a crypter for Native and .NET
*   PureRAT (aka ResolverRAT), a successor to PureHVNC RAT
*   PureLogs, an information stealer and logger
*   BlueLoader, a malware that can act as a botnet by downloading and executing payloads remotely
*   PureClipper, a clipper malware that substitutes cryptocurrency addresses copied into the clipboard with attacker-controlled wallet addresses to redirect transactions and steal funds

According to Fortinet, Amatera Stealer and PureMiner are both deployed as fileless threats, with the malware "executed via .NET Ahead-of-Time (AOT) compilation with process hollowing or loaded directly into memory using PythonMemoryModule."

Amatera Stealer, once launched, gathers system information, collects files matching a predefined list of extensions, and harvests data from Chromium- and Gecko-based browsers, as well as applications like Steam, Telegram, FileZilla, and various cryptocurrency wallets.

"This phishing campaign demonstrates how a malicious SVG file can act as an HTML substitute to initiate an infection chain," Fortinet said. In this case, attackers targeted Ukrainian government entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a download site."

The development comes as Huntress uncovered a likely Vietnamese-speaking threat group using phishing emails bearing copyright infringement notice themes to trick recipients into launching ZIP archives that lead to the deployment of PXA Stealer, which then evolves into a multi-layered infection sequence dropping PureRAT.

"This campaign demonstrates a clear and deliberate progression, starting with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft," security researcher James Northey said. "The final payload, PureRAT, represents the culmination of this effort: a modular, professionally developed backdoor that gives the attacker complete control over a compromised host."

"Their progression from amateurish obfuscation of their Python payloads to abusing commodity malware like PureRAT shows not just persistence, but also hallmarks of a serious and maturing operator."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Researchers Expose SVG and PureRAT Phishing Threats Targeting Ukraine and Vietnam

Hackers stole data on 8,000 nursery children, then called the children's parents, hoping to increase leverage for their ransom demand.

Just when you think extortionists can’t sink any lower, along comes a lowlife that manages to surprise you.

The BBC reported that a group calling itself “Radiant” claims to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India.

The data the group says it stole includes names, photos, addresses, dates of birth, and details about their parents or carers. The hack also reportedly exposed safeguarding notes and medical information.

To prove their possession of the data, the criminals posted samples, including pictures and profiles of ten children on their darknet website. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid.

When contacted by the BBC about their extortion attempt, the group defended their actions, claiming to:

> “… deserve some compensation for our pentest.”

They should educate themselves before continuing. In most jurisdictions, to carry out this type of “penetration testing” legally, they need to get explicit permission from the company first (or choose a company that runs a bug bounty program).

As if stealing children’s data and publishing them on the dark web isn’t bad enough, Joe Tidy at the BBC reported that the group also called some of the children’s parents—telling them to put pressure on the nursery chain to pay the ransom demand, or they’ll leak their child’s data.

If history has taught us anything, the next step is that they will try to extort the parents individually, as happened in the case of the Finnish psychotherapy practice Vastaamo. Trust me, these things never end well. In Vastaamo’s case, the clinic went bankrupt, at least one suicide has been linked to the case, and the attackers have been sentenced to jail time.

Kido has not issued a public statement. Although the investigation is ongoing, it has contacted parents to confirm the incident and offer reassurance.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication **(****2FA)**.** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Hackers threaten parents: Get nursery to pay ransom or we leak your child&#8217;s data 

Bitdefender warns that the TradingView Premium ad scam now targets Google ads and YouTube, hijacking verified channels to spread spyware.

A malicious advertising campaign that has been tricking content creators and unsuspecting users into downloading harmful software by offering “free access” to TradingView Premium has dramatically expanded its operations, security researchers warn.

This ongoing campaign, tracked by Bitdefender Labs for the past year, has reportedly moved from Meta’s Facebook Ads to appear across both Google Ads and YouTube, putting many more users at risk.

This campaign was previously reported by Hackread.com for exploiting Facebook Ads using fake crypto sites and celebrity images to spread malware, but has now evolved its tactics.

****How the Scam Works****

Research reveals that the cyber criminals behind this attack are highly organised, using over 500 different website addresses and publishing thousands of malicious ads every day in different languages (mostly English, Vietnamese and Thai).

They run their ads by taking control of legitimate, verified business accounts on Google and YouTube, including the hijacked Google advertiser account of a design agency in Norway. For your information, TradingView Premium is a paid service that offers advanced tools and features for financial trading analysis.

Fake ad and the hijacked accounts used in the attack (Via Bitdefender Labs)

To appear real, the scammers hijack a verified YouTube channel, delete all its original content, and rebrand it to look exactly like the official TradingView page, including the correct logos and banner art. They even copy playlists from the real channel so that the fake one appears active, abusing the verified badge to trick users into assuming authenticity.

They then use paid ads to push special videos that are hidden from public view, called unlisted videos, to avoid detection. One such video, titled “Free TradingView Premium – Secret Method They Don’t Want You to Know,” gathered over 182,000 views in just a few days through this aggressive advertising.

However, close inspection reveals red flags, such as a different channel handle (not @TradingView) and a low overall registered view count, which would be impossible for the popular trading platform.

Attack Flow (Image Credit: Bitdefender Labs)

****The Threat****

This campaign’s core objective seems to be to get users to download a dangerous file disguised as the free premium app. This file is actually a type of spyware called Trojan.Agent.GOSL, which can remotely control a victim’s computer. This program is designed to steal highly sensitive information, including passwords, personal data, and cryptocurrency wallet details.

Shared with Hackread.com, this research warns content creators that having their business accounts compromised not only damages their reputation but also allows scammers to take over the connected, verified YouTube channel and use it as a weapon.

That’s why you should always download software from official websites. Bitdefender advises users to carefully check the channel handle and subscriber count, and consider any ad promising free premium access to an app that is normally paid a major red flag.

Tag

#auth