Plus: Secret IRS data-sharing with ICE, a 20-year-old hackable vulnerability in train brakes, and more.

After reporting last week that the “raw” Jeffrey Epstein prison video posted by the FBI was likely modified in at least some ways (though there is no evidence that the footage was deceptively manipulated), WIRED reported on Tuesday that metadata analysis of the video shows approximately 2 minutes and 53 seconds were removed from one of two stitched-together clips.

The United States Department of Homeland Security is facing controversy over DNA samples taken from approximately 133,000 migrant children and teens that the department added to a criminal database. Meanwhile, researcher Jeremiah Fowler published findings this week that more than 2 GB of extremely sensitive adoption-related data—including information about biological parents, children, and adoptive parents—was exposed and publicly accessible on the open internet.

Roblox’s new Trusted Connections feature includes age verification that uses AI to scan teens’ video selfies and determine whether they can be granted access to unfiltered chatting with people they know. And as video deepfake capabilities mature—including AI tools that can even manipulate live video footage—AI “nudify” platforms are drawing millions of users and generating millions of dollars in revenue using tech from US companies.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**China’s Salt Typhoon Hackers Breached the US National Guard for Nearly a Year**

The Chinese state-sponsored hacking group known as Salt Typhoon has already shocked the US once with the revelation last year that it had deeply penetrated American telecom systems, even targeting the text messages and phone conversations of citizens including then-candidates Donald Trump and JD Vance in real time. Now it appears the group’s espionage has included the US military, and it spent much of the last year inside the network of the US National Guard in at least one state. NBC News this week reported on a DHS memo, obtained by the national security transparency nonprofit Property of the People, that warned the Chinese hacker group had breached that state-level National Guard network from March to December of last year. It didn’t identify which state had been targeted. According to the memo, Salt Typhoon’s access “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners.”

**IRS Blueprint Reveals Secret Plan to Let ICE Pull Taxpayer Data in Real Time**

The Trump administration is developing a new digital system designed to grant Immigration and Customs Enforcement near-real-time access to sensitive data of taxpayers, including their home addresses. Internal blueprints, revealed by ProPublica on Tuesday, show that the system is designed to automate and expedite data exchanges “on demand,” bypassing traditional IRS safeguards that normally require case-by-case review and legal justification. The system represents a major shift in how IRS data is accessed, and it is already raising concerns among civil liberties experts who say the process may violate privacy laws and further accelerate ICE's ability to obtain tax data for deportation purposes.

**US Trains’ Brakes Can Be Hacked With a 20-Year-Old Security Vulnerability**

A zero-day vulnerability that allows a trains’ brakes to be triggered by malicious hackers is a troubling notion. A 7,300-plus-day vulnerability that leaves trains exposed to that brake hack is a shocking level of negligence for a piece of critical US infrastructure. The Cybersecurity and Infrastructure Security Agency last week released an advisory about a lack of authentication in a protocol that allows a device in the head of a train (HOT) to send a braking signal to another device in the end of a train (EOT) for coordinated braking across long trains such as freight trains. That meant that hackers could send their own unauthenticated commands to disrupt trains, shut down rail networks, or even cause derailments, one of the researchers credited in the advisory told SecurityWeek. The issue is made all the more egregious by the fact that the researchers discovered the vulnerability had first been reported in 2005 but was never taken seriously or fixed. Tens of thousands of the vulnerable HOT and EOT devices are set to be replaced in a process that will begin next year.

**Google Sues Creators of a 10-Million-Device TV-Based Botnet**

Hackers who want to build a botnet of malware-controlled internet-of-things devices can scour those devices for vulnerabilities—which are plentiful enough—and remotely exploit them. Or better yet, they can infect them before they’re even shipped. Google announced this week it would be filing a lawsuit against the administrators of the so-called BadBox 2.0 botnet, which consisted of 10 million Android-powered TVs that were somehow infected with malware before being sold to consumers. The botnet operators, which Google describes as Chinese cybercriminals, then sold access to those devices to be used as proxy machines or to fake advertising views in a vast click-fraud scheme. BadBox 2.0 “is already the largest known botnet of internet-connected TV devices, and it grows each day. It has harmed millions of victims in the United States and around the world and threatens many more,” Google’s complaint reads.

China’s Salt Typhoon Hackers Breached the US National Guard for Nearly a Year

Google on Thursday revealed it's pursuing legal action in New York federal court against 25 unnamed individuals or entities in China for allegedly operating BADBOX 2.0 botnet and residential proxy infrastructure.
"The BADBOX 2.0 botnet compromised over 10 million uncertified devices running Android's open-source software (Android Open Source Project), which lacks Google's security protections,"

Google Sues 25 Chinese Entities Over BADBOX 2.0 Botnet Affecting 10M Android Devices

Hackers abused fake GitHub accounts to spread Emmenhtal, Amadey, Lumma and Redline infoStealers in attacks linked to a phishing campaign targeting Ukraine in early 2025.

A newly identified Malware-as-a-Service (MaaS) operation is using GitHub repositories to spread a mix of infostealer families. This campaign was spotted by cybersecurity researchers at Cisco Talos, who published their findings earlier today, detailing how the threat actors behind this activity are using the Amadey bot to pull malware directly from public GitHub pages onto infected systems.

This operation surfaced in April 2025, but its activity traces back to at least February, around the same time Ukrainian organizations were being hit with SmokeLoader phishing emails. Talos analysts noticed a notable overlap in tactics and infrastructure between that campaign and the new Amadey-driven one, suggesting the same hands may be behind both.

What stood out in this case was the abuse of GitHub. The attackers created fake accounts and used them like open directories, hosting payloads, tools, and Amadey plug-ins. By leveraging GitHub’s widespread use and trust in corporate environments, the attackers likely sidestepped many standard web filters that might have otherwise blocked malicious domains.

One GitHub account in particular, as per Cisco Talos’ technical blog post, named “Legendary99999,” was used heavily. It hosted more than 160 repositories, each containing just a single malicious file ready to be downloaded via a direct GitHub URL.

The malicious Legendary99999 account (Image via Cisco Talos)

Two other accounts, “Milidmdds” and “DFfe9ewf,” followed a similar approach, though “DFfe9ewf” appeared to be more experimental. In total, these accounts hosted scripts, loaders and binaries from several infostealer families including Amadey, Lumma, Redline and AsyncRAT.

Amadey isn’t new. It first appeared in 2018 on Russian-speaking forums, sold for around $500, and has since been used by various groups to create botnets and drop additional malware.

The malware can harvest system info, download more tools, and expand its functionality with plug-ins. Despite being commonly used as a downloader, its flexible design means it can pose a larger threat depending on how it’s configured.

The technical link between this campaign and the earlier SmokeLoader operation centers on a loader known as “Emmenhtal.” First documented in 2024 by Orange Cyberdefense, Emmenhtal is a multi-layer downloader that wraps its final payload in layers of obfuscation. Talos found that variants of Emmenhtal were not only used in the phishing campaign that targeted Ukrainian entities but also embedded in scripts hosted on the fake GitHub accounts.

What’s additionally noteworthy is that several scripts from the “Milidmdds” account, such as “Work.js” and “Putikatest.js,” were nearly identical to those seen in the earlier campaign. The only differences were minor changes in function names and final download targets. Instead of SmokeLoader, these versions fetched Amadey, PuTTY executables and remote access tools like AsyncRAT.

The use of GitHub wasn’t limited to JavaScript droppers. Talos also found a Python script named “checkbalance.py” masquerading as a crypto tool. In reality, it decoded and ran a PowerShell script that downloaded Amadey from a known command and control address. Even more, it showed an error message in broken Cyrillic, hinting at its origins or intended audience.

While GitHub acted quickly to shut down the identified accounts after being alerted, this incident highlights how everyday platforms can be exploited for malicious purposes. In environments where GitHub access is required, spotting this kind of misuse isn’t easy.

Talos researchers are continuing to monitor the infrastructure and believe the operators are distributing payloads on behalf of multiple clients. The variety of infoStealers seen in these repositories supports that theory, and with GitHub’s accessibility, it offers an efficient delivery method for MaaS operations looking to stay undetected.

GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine

Cisco Talos uncovered a stealthy Malware-as-a-Service (MaaS) operation that used fake GitHub accounts to distribute a variety of dangerous payloads and evade security defenses.

Thursday, July 17, 2025 06:00

*   In April 2025 Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads. 
*   The MaaS operators used fake GitHub accounts to host payloads, tools and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use.  
*   Several operator tactics, techniques and procedures (TTPs) overlap with a SmokeLoader phishing campaign, identified in early 2025, that targeted Ukrainian entities. 
*   The same variant of Emmenhtal identified in the SmokeLoader campaign was used by the MaaS operation to download Amadey payloads and other tooling.

In early February 2025, Talos observed a cluster of invoice payment and billing-themed phishing emails that appeared to target Ukrainian entities. These emails included compressed archive attachments (e.g., ZIP, 7Zip or RAR) containing at least one JavaScript file that used several layers of obfuscation to disguise a PowerShell downloader. The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system. Talos assessed the JavaScript downloaders to be the Emmenthal loader, based on notable similarities between the obfuscation methods observed in the collected samples and those described by Orange Cyberdefense.  

During analysis of the Emmenhtal loaders collected from this phishing campaign, Talos identified additional samples on VirusTotal that were highly similar in structure, but did not appear to be part of the original activity cluster. Most notably, these samples were not delivered via email but were instead found in several public GitHub repositories. They also did not deliver SmokeLoader as a next-stage payload. Instead, the Emmenhtal samples were being used to deliver Amadey, which in turn downloaded a variety of custom payloads from certain public GitHub repositories.

Further review of the associated GitHub accounts and the files hosted within related repositories showed that they may be part of a larger MaaS operation that uses public GitHub repositories as open directories for staging custom payloads.

**MaaS operation leverages GitHub public repositories **

MaaS is a business model in which the operators of the service sell access to malware or pre-existing infrastructure. In the operation Talos identified, the operators utilized Amadey to download a variety of malware families from fake GitHub repositories onto infected hosts. Initial activity appeared in February 2025, around the same time as the SmokeLoader campaign. 

This distribution of several disparate malware families from a single infrastructure suggests that the threat actors behind the instances of Amadey are distributing payloads for other individuals or groups. In addition, the command and control (C2) infrastructures for the secondary payloads do not overlap with that of Amadey. 

**Emmenhtal and Amadey **

The Emmenhtal loader is a multistage downloader that has been reported by Kroll and Orange Cyberdefense. It was given the name “Emmenhtal” by Orange Cyberdefense in August 2024, though it is sometimes referred to as “PEAKLIGHT”, which is how Mandiant refers to the final stage PowerShell downloader. Orange and Talos have observed activity that appears to involve elements of the Emmenhtal loader dating back to April 2024.  

Emmenhtal variants have been found embedded in other files and deployed in a standalone format. Each loader typically includes four layers — three that act as obfuscation and the final PowerShell downloader script. These layers are described in the “Emmenhtal similarities between activity clusters” section below.  

Amadey (or Amadey bot) originally appeared in late 2018 on Russian-speaking hacking forums with a $500 price tag. It was initially used by various threat actors to establish botnets. Amadey has also been observed dropping other malware including Redline, Lumma, StealC and SmokeLoader. 

Amadey’s primary functions are to collect system information and download secondary payloads on an infected host. However, Amadey is modular and its functionality can be expanded with an assortment of plugins. These plugins come in the form of dynamic link libraries (DLLs) that can be selected based on desired functionality, such as screenshot capabilities or credential harvesting. Despite its common use as a downloader, Amadey can pose a serious threat. 

**GitHub as an open directory **

During Talos’ research into the MaaS operation, we uncovered three GitHub accounts being used as open directories for hosting tools, secondary payloads and Amadey plugins: 

*   Legendary99999 
*   DFfe9ewf 
*   Milidmdds 

In addition to being an easy means of file hosting, downloading files from a GitHub repository may bypass web filtering that is not configured to block the GitHub domain. While some organizations can block GitHub in their environment to curb the use of open-source offensive tooling and other malware, many organizations with software development teams require GitHub access in some capacity. In these environments, a malicious GitHub download may be difficult to differentiate from regular web traffic. 

Talos reported the accounts listed above to GitHub, who quickly took them down. Talos would like to thank the GitHub team for their cooperation and quick response time.

****Legendary999999** **

“Legendary99999” appears to have been the most utilized account, containing over 160 repositories with randomized names. Each of these repositories contained a single file in the “Releases” section:

Figure 1. Legendary99999 GitHub account overview.

The files hosted on “Legendary99999” are a collection of payloads from numerous different malware families. By hosting these files in a GitHub repository, they can easily be downloaded via a URL to the “Releases” section of the repository:

https://github.com/\[account\_name\]/\[repository\_name\]/releases/download/\[release\_name\]/\[file\_name\]

Once a host was infected with Amadey, the operators of this service could choose the payload to be delivered by simply downloading the file from the URL above. 

Talos also discovered other GitHub accounts that may be linked to this operator by commonality of account name, file name, repository structure and type of hosted malware (i.e., information stealers delivered via Amadey). The earliest “first seen” date on VirusTotal for files related to these repositories was Jan. 3, 2025. None of the accounts were active at the time of Talos’ review.

Malware Types Hosted in Repositories 

****DFfe9ewf****

“DFfe9ewf” appears to have been a test account. The repositories all contained “test” within the names and no new commits have been made since February 2025, the same month as the first commit to “Legendary99999”.

Figure 2. DFfe9ewf GitHub account overview.

While this GitHub account does not bear similarities to the other two accounts detailed in this section, files associated with the MaaS operation interacted with at least one repository associated with this account.

“DFfe9ewf” only contained six repositories, one of which was a fork of DInvoke, a tool used to invoke arbitrary unmanaged code from managed code. Attackers frequently use DInvoke to perform process injection and avoid Windows API hooks to evade detection.

The repository “test3” contains a legitimate Selenium WebDriver file, as well as versions for Microsoft Edge and Google Chrome (ChromeDriver). A WebDriver is a powerful development tool that is intended for automating the testing of web-based applications by remotely and programmatically controlling the target browser. However, they can be used in a malicious context on a victim's machine to remotely perform a variety of tasks, such as retrieving payloads from malicious URLs or accessing local browser data. 

While WebDrivers are helpful for many developers, they can pose a serious security risk when abused. Security considerations for using WebDriver can be found here, in the documentation for ChromeDriver.

****Milidmdds****

The third repository, named “Milidmdds”, contained 10 repositories with similar random names to those in “Legendary99999”. This account contained several malicious scripts that ultimately download a payload to the infected host.

Figure 3. Milidmdds GitHub account overview.

**Emmenhtal similarities between activity clusters **

Our research revealed similarities in TTPs and indicators between the SmokeLoader campaign and the Amadey MaaS activity. Three of the JavaScript files hosted by the “Milidmdds” GitHub account are nearly identical to the Emmenthal scripts used in the SmokeLoader campaign. Aside from randomized variable and function names, and different download targets in the final PowerShell script, much of the code is the same between all samples. These loader files found in the various “Milidmdds” repositories were called: 

*   Work.js 
*   Workhmv.js 
*   Putikatest.js 

Although we did not observe the use of these scripts in the wild, it is likely they were intended for delivery through phishing emails or for embedding in malicious files in a manner similar to the SmokeLoader activity. 

The similarities between the Emmenhtal loaders used in the phishing campaign targeting Ukrainian entities (noted as Sample 1) and those in the “Milidmdds” repositories (noted as Sample 2, Sample 3 and Sample 4) are shown below. 

The first obfuscation layer used by the Emmenhtal samples defines a series of two-letter variables mapped to a two- or three-digit numeric value. These variables apply to a long string of comma-separated values defined in a variable with a random name, such as “qiXSF”.

Figure 4. First layer of obfuscation, Sample 1 (left) vs, Sample 2 (right).

Once this initial script has been executed, a second script is revealed that uses the ActiveXObject function to execute an encoded PowerShell command with WScript.Shell:

Figure 5. Second layer of obfuscation, Sample 1 (left) vs. Sample 2 (right).

The third layer is a PowerShell command that contains an AES-encrypted binary large object (blob).

Figure 6. Initial PowerShell command, Sample 1 (left) vs. Sample 2 (right).

The blob contains an additional AES-encrypted PowerShell script that is decrypted and executed by the initial script. This final script initiates the download of the next stage from a hard-coded IP address. In the phishing campaign targeting Ukrainian entities, this final payload would be SmokeLoader and a decoy PDF. The Emmenhtal loader files found in the public GitHub repositories noted previously were found to download a variety of files, including: 

*   Amadey 
*   A legitimate copy of PuTTY.exe 
*   AsyncRAT 

The presence of a legitimate copy of PuTTY in the list of files delivered by the Emmenhtal loaders found in the public GitHub repositories demonstrates the adaptability of the MaaS operation to deliver whatever tooling is required by its customers.

Examples of the final decrypted PowerShell downloader are shown below.

Figure 7. Final PowerShell script, Sample 1 (left, SmokeLoader download) vs. Sample 2 (right, Amadey download).

Figure 8. Final PowerShell script, PuTTY download (left) vs. AsyncRAT download (right).

**MP4 file variants **

During research of both activity clusters noted in this article, Talos identified Emmenhtal samples masquerading as MP4 files. Two URLs link to .mp4 files hosted on pivqmane\[.\]com: 

*   pivqmane\[.\]com/testonload\[.\]mp4/ 
*   pivqmane\[.\]com/doc/fb\[.\]mp4 

Although the two .mp4 files hosted here had been removed, the abuse of this file format highlights another similarity between the MaaS operation and the SmokeLoader campaign. This observation also aligns with a statement made by Orange Cyberdefense that certain Emmenhtal variants masquerade as MP3 or MP4 files.

**Purpose-built variant: “Checkbalance.py” **

Talos discovered another unique file on the “Milidmdds” GitHub account during this research — a malicious Python script named “checkbalance.py”. While this sample did not use initial obfuscation layers like the samples previously discussed, the later PowerShell stages were nearly identical to those shown above. This variant could represent an evolution of the Emmenhtal loader or, more likely, was a purpose-built variant developed for a specific campaign. 

In its initial state, the script masquerades as a simple tool that enumerates the contents of Zerion cryptocurrency accounts. However, the script also includes a large lambda function containing a Base64-encoded and compressed blob that executes at runtime. The user is then presented with an error message in Cyrillic, “Аккаунт кончились”. Curiously, this message isn’t grammatically correct since “Аккаунт” is singular and “кончились” is plural. However, given the context of the message, the author may have meant “no more accounts” or “end of accounts,” approximately.

Figure 9. Checkbalance.py.

The lambda function then runs a second Python script, which uses the subprocess.run method to execute an encoded PowerShell command. The resulting PowerShell is nearly identical to the JavaScript variants discussed previously.

Figure 10. Initial PowerShell command, Checkbalance.py.

The final PowerShell command downloads the Amadey payload from the IP address “185\[.\]215\[.\]113\[.\]16” as a file labeled “amnew.exe”.  The resulting PowerShell script found in “checkbalance.py” is identical to the one derived from the Sample 2 (“work.js”) file, which was also found in the “Milidmdds” repository. 

After execution, this payload contacts “hxxp://185\[.\]215\[.\]113\[.\]43/Zu7JuNko/index.php”, a known Amadey C2 address.

Figure 11. Final PowerShell script, Checkbalance.py.

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

**Indicators of compromise (IOCs) **

IOCs for this threat can be found on our GitHub repository here. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private applications no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protection measures with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities

BADBOX variant BADBOX 2.0 found preinstalled on Android IoT devices in 222 countries, turning them into proxy nodes used in fraud and large-scale malicious activity.

A new series of Android-based malware, BADBOX 2.0, is turning everyday smart devices into a botnet, often before they even reach users’ homes. The FBI has now flagged this malware as a global threat, and recent analysis from Point Wild’s Lat61 Threat Intelligence Team reveals over 1 million devices across 222 countries and territories have already been compromised.

Led by Dr. Zulfikar Ramzan, the Lat61 team traced the infection chain to its core: a native backdoor library named libanl.so, embedded deep within device firmware. The malware is designed to survive factory resets, carry out stealthy operations, and generate profit through hidden ad-click activity.

****Malware Hidden in Plain Sight****

What makes BADBOX 2.0 especially dangerous is how it spreads. It’s not just pushed through malicious downloads or fake apps. Many of the infected devices come preloaded or pre-installed with the malware straight from the factory. This means users are exposed from the moment they power on a new device.

BADBOX was first identified in October 2023, found in low-cost Android TV boxes that were compromising home networks. In the latest attack as well, most victims are users of low-cost Android-based IoT devices like generic-brand smart TVs, streaming boxes, digital projectors, or tablets, often purchased from online marketplaces and in some cases also available on Amazon. These devices are typically manufactured through unregulated supply chains and shipped worldwide without proper security checks.

Malicious T95 TV Boxes ready to be shipped through Amazon back in 2023 (Screenshot: Hackread.com)

****What the Malware Actually Does****

Once active, BADBOX 2.0 turns the device into a node in a residential proxy network. These nodes are then sold to criminal groups who use them to hide their tracks during click fraud, credential stuffing, and other types of cyberattacks.

According to Point Wild’s blog post shared with Hackread.com, the key components identified by analysts include:

*   **libanl.so**: A native backdoor that triggers malware modules on boot
*   **p.jar and q.jar**: Java modules responsible for downloading new payloads and maintaining persistence
*   **com.hs.app**: A system-level Android app that loads the backdoor
*   **catmore88(.)com and ipmoyu(.)com**: Command and control (C2) domains used to communicate with infected devices

The malware is capable of operating silently in the background. Victims may only notice symptoms like high CPU usage, overheating, sluggish performance, or unusual internet traffic when the device is idle.

****Stealth and Scale****

Point Wild’s telemetry shows infections spread across more than 222 countries, with many occurring out of the box. Users don’t need to download anything or click a malicious link. Just plugging in the device is enough to become part of a botnet.

What’s worse, the design allows for persistent access, encrypted communication with remote servers, and revenue generation through invisible ad-click modules, all without the user’s knowledge.

****Signs You Might Be Infected****

If your device feels sluggish, heats up unexpectedly, or shows signs of unusual internet activity even when idle, it might be infected. Other red flags include Google Play Protect being disabled or missing entirely, unfamiliar apps appearing on their own, or the device being from an off-brand manufacturer without verified firmware. These signs could point to malware like BADBOX 2.0 running silently in the background.

Users should also avoid buying unbranded or ultra-cheap devices from unknown sellers. Stick to manufacturers that offer ongoing firmware support and publish clear security documentation.

Remember, BADBOX 2.0 isn’t just some run-of-the-mill malware. It’s part of a large, coordinated operation that’s quietly turning cheap consumer devices into tools for cybercriminals, renting them out for fraud and other attacks.

The groups behind it are likely based in China, and what makes it especially dangerous is how deeply it’s embedded. Since the malware is often pre-installed during manufacturing, spotting or removing it is far more difficult than dealing with typical infections.

BADBOX 2.0 Found Preinstalled on Android IoT Devices Worldwide

Cybersecurity researchers are calling attention to a malware campaign that's targeting security flaws in TBK digital video recorders (DVRs) and Four-Faith routers to rope the devices into a new botnet called RondoDox.
The vulnerabilities in question include CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 DVRs, and CVE-2024-12856, an operating

RondoDox Botnet Exploits Flaws in TBK DVRs and Four-Faith Routers to Launch DDoS Attacks

Blind Eagle hackers linked to Russian host Proton66 to target banks in Latin America using phishing and RATs. Trustwave urges stronger security.

Trustwave SpiderLabs, a leading cybersecurity research team, has confidently connected the cyber threat group known as Blind Eagle (also called APT-C-36) with Proton66, a Russian company that provides bulletproof hosting services.

Blind Eagle is an active threat actor notorious for targeting organizations across Latin America, with a particular focus on financial institutions in Colombia. Reportedly, this link results from SpiderLabs’ continuous monitoring of Proton66’s infrastructure for several months.

****The Attack Infrastructure****

According to SpiderLabs’ investigation, shared with Hackread.com, their analysts made this connection by examining assets tied to Proton66, which led them to an interconnected network of domains and IP addresses. This infrastructure, which became notably active in the summer of 2024 (with specific domain registrations observed starting August 12, 2024), relies heavily on free Dynamic DNS (DDNS) services.

Image via Trustwave SpiderLabs

Its initial attack method exclusively uses Visual Basic Script (VBS) files. These scripts act as loaders for commonly available Remote Access Trojans (RATs), which are malicious software that allows attackers to control a compromised computer remotely.

Further analysis showed that some VBS code samples overlapped with previously identified samples generated by a service called Vbs-Crypter, used to hide and package malicious VBS payloads.

Despite the potential high value of their targets, the threat actors behind Blind Eagle showed surprisingly little effort to conceal their operational infrastructure. Researchers found numerous open directories containing identical malicious files, and in some cases, even complete phishing pages designed to impersonate well-known Colombian banks like Bancolombia, BBVA, Banco Caja Social, and Davivienda. These fake websites were crafted to steal user login details and other sensitive financial information.

Davivienda’s phishing page ( Image via Trustwave SpiderLabs)

****Targeting and Protection****

The phishing sites replicated legitimate banking login portals using standard web components. Alongside these fake pages, the infrastructure also hosted VBS scripts that served as the first stage of malware delivery. These scripts included code designed to gain administrative privileges on a victim’s computer and then download further payloads, typically commodity RATs such as Remcos or AsyncRATs.

Once a system is infected, these RATs establish a connection back to a C2 server, allowing the attackers to manage compromised hosts, steal data, and execute further commands. Trustwave even observed a botnet management panel with a Portuguese-language interface, showing a dashboard of infected machines, primarily in Argentina.

Trustwave previously confirmed that Proton66’s infrastructure is being exploited for malicious activities, including campaigns from SuperBlack ransomware operators and Android malware distribution.

As Hackread.com reported, the infrastructure is a hub for cyber threats, including the distribution of Android malware via hacked WordPress sites and targeted attacks deploying specific malware like XWorm and Strela Stealer. Trustwave also noted potential connections to Chang Way Technologies, indicating Proton66’s role as a key enabler for cybercriminal operations.

The company warns that organizations in Latin America, particularly those in the financial sector, must increase their protection. This includes strengthening email filtering systems, educating staff to recognize localized phishing attempts, and proactively monitoring for threat indicators and infrastructure specific to the region.

Blind Eagle Linked to Russian Host Proton66 in Latin America Attacks

What happens in the privacy of your own home stays there. Or does it?

If you have internet-connected cameras in or around your home, be sure to check their settings. Researchers just discovered 40,000 of them serving up images of homes and businesses to the internet.

Bitsight’s TRACE research team revealed the issue in a report released this month. The cameras were providing the images without any kind of password or authentication, it said. While some of them were connected to businesses, showing images of offices, retail stores, and factories, many were likely connected in private residences.

Many cameras contain their own web servers that people can access remotely using a browser or app so that they can monitor their premises while away. These are often completely exposed to the internet, according to the report. That means anyone could access the video feed by typing in the right IP address.

The highest number of exposed cameras by far was in the US, at around 14,000. Breaking down the states there showed the highest concentrations in California and Texas.

Japan, the second highest country, had just half that, at 7,000. After that came Austria, Czechia, South Korea, Germany, Italy, Russia, and Taiwan.

The big threat for such users is privacy. People put these cameras everywhere, including extra-private spaces in their homes like kids’ and adults’ bedrooms. Attackers might spy on people or even set them up for extortion if the images are compromising.

Aside from the obvious privacy implications, there are other security worries, the report said. Cameras could be used to gather surveillance data by someone planning a physical intrusion, it pointed out.

But access to admin interfaces is just one threat; getting SSH access (which allows someone to log into the device via a terminal and control it as they would a regular computer) could give an attacker total control over the camera’s hardware and software if they’re able to exploit vulnerabilities left there by the manufacturer.

If this happens, a camera (which is, after all, just a computer with a lens) could become a jumping-off point for the attacker to compromise other computers on the network. Or it could be joined to a botnet to do the attacker’s bidding.

Botnets made of up connected devices are common. One of the most famous such botnets, Mirai, co-opted cameras and other internet-connected systems to launch denial of service attacks, in which thousands of devices would try to connect with a target, flooding it with traffic and rendering it inoperable.

Bitsight’s report also cites one case where attackers used vulnerabilities in a camera to install ransomware on it.

**A long history of camera compromise**

Internet-enabled camera issues are nothing new. Finding exposed feeds, whether via Bitsight’s own scanning engine or via publicly accessible ones like Shodan.io, is like shooting fish in a barrel. Indeed, Bitsight did something similar in 2023. In the past, we’ve seen sites like Insecam (now offline), which streamed images from 40,000 unsecured video cameras around the world. Some of those cameras were doubtless there for public consumption, just as many were not.

Finding unsecured feeds is so easy because people tend to just plug these things in and turn them on, much as you might use a portable air conditioner. Vendors should force some basic cybersecurity hygiene, but they don’t, because they don’t want to introduce any costly friction. Regulation for connected smart devices like IP cameras has emerged in the US and the UK, but enforcement is another issue.

Some might advise you to only choose a respectable brand of IP camera, but you can’t always trust big-name vendors who claim to act responsibly. Last year, Amazon settled with the Federal Trade Commission, paying $5.6m over charges that its employees and contractors spied on users of its Ring cameras.

Ring allowed everyone working for it to see any customer’s feeds, the FTC said, which led to some employees repeatedly accessing feeds of young women in sensitive areas of the home. Ring also failed to protect its cameras adequately against intruders that compromised them, the FTC said. That led to intruders taking control of the cameras. They would use camera microphones to hurl racial slurs at children, and swear at women lying in bed, the complaint alleged.

Other vendor missteps have included Wyze accidentally showing customers each others’ video feeds, and Eufy sending camera images to the cloud when it said it wouldn’t.

**How to protect your internet-enabled camera**

We can’t think of a worse privacy scenario than having someone snoop on you and your loved ones in what is supposed to be your safest space. Letting any connected device into your home is always risky, especially when it has video capabilities. Here is some advice to minimize that risk:

*   **Use unique credentials.** Make sure that you set unique logins and passwords for your cameras so that people can’t just stroll in and view them. That means taking some time to configure the camera through its admin interface and making sure to change the default password.
*   **Restrict IP camera use to non-sensitive places as much as possible.** While some Ring customers apparently needed cameras in the bathroom and bedroom, we urge you to think twice.
*   **Research the camera for vulnerabilities.** Check to see whether the brand you’re considering has had any security issues in the past, and how quickly the issues have been fixed.
*   **Try accessing your camera insecurely.** Try accessing your camera remotely without using your login credentials. If you can, then so can everyone else.
*   **Patch regularly.** Find out how to update your device with the latest security patches and check for updates regularly, or preferably set it to update automatically if you can.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Thousands of private camera feeds found online. Make sure yours isn&#8217;t one of them 

New CloudSEK findings show Androxgh0st botnet evolving. Academic institutions, including UC San Diego, hit. Discover how this sophisticated…

New CloudSEK findings show Androxgh0st botnet evolving. Academic institutions, including UC San Diego, hit. Discover how this sophisticated threat uses RCE and web shells, and steps to protect against it.

A recent investigation by CloudSEK shared with Hackread.com, reveals a major evolution in the Androxgh0st botnet’s operations, demonstrating a sharp increase in its ability to compromise systems. The botnet, first observed in early 2023, is now leveraging a wider array of initial access methods, including the exploitation of misconfigured servers belonging to academic institutions.

Notably, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued a security advisory in January 2024, raising awareness about Androxgh0st’s expansion.

****Key Targets and Tactics****

CloudSEK’s findings indicate that the botnet has expanded its arsenal of attack vectors by approximately 50% since an earlier report in 2024. A concerning discovery was a command-and-control (C2) logger panel hosted on a subdomain of the University of California, San Diego (“USArhythms”). It is associated with content for the USA Basketball Men’s U19 National Team.

Androxgh0st botnet’s (C&C) (Via CloudSEK)

This shows a trend where botnet operators utilize legitimate, yet vulnerable, public domains to host their malicious infrastructure, making detection more challenging. Previously, CloudSEK also reported the botnet hosting its logger on a Jamaican events aggregator platform.

The Androxgh0st botnet exploits well-known vulnerabilities in popular software frameworks such as Apache Shiro and Spring Framework, along with issues in WordPress plugins and Lantronix IoT devices. These exploits have serious consequences, including the ability to run unauthorized code, steal sensitive information, and even initiate cryptocurrency mining on compromised systems.

CloudSEK had predicted in its first report that Androxgh0st operators would introduce new malicious programs into their toolkit by mid-2025, a prediction that now appears to be unfolding.

****Understanding the Threat****

According to the company’s report, the Androxgh0st botnet gains initial access through various Initial Access Vectors (IAVs), which are the pathways into a system. Once inside, attackers communicate with compromised devices via Command-and-control (C2) servers. A key goal is Remote Code Execution (RCE), enabling them to run their own code on distant computers.

This is often achieved using complex methods like JNDI Injection and OGNL Injection, particularly effective against Java-based applications. These advanced techniques allow Androxgh0st to bypass security and maintain persistent control, frequently by installing webshells.

****Protecting Against Androxgh0st****

In light of these developments, organizations, especially academic institutions and those using the affected software are urged to take immediate action. CloudSEK recommends patching all systems vulnerable to the identified CVEs, such as those affecting Spring4Shell and Apache Shiro.

Restricting outbound network traffic for certain protocols like RMI, LDAP, and JNDI is also crucial. Regularly auditing website plugins, like _Popup Maker_ in WordPress, and monitoring for unusual file activity are also vital steps in preventing and detecting Androxgh0st compromises.

“Shifting from its earlier focus on Chinese-linked mass surveillance campaigns to a much broader exploitation strategy, we now observe the botnet aggressively incorporating a wider array of high-impact vulnerabilities including JNDI injection, OGNL exploitation, including CVEs tied to frameworks like Apache Shiro, Spring, and Fastjson,” said Koushik Pal, Threat Research, CloudSEK.

Androxgh0st Botnet Expands Reach, Exploiting US University Servers

Cybersecurity researchers have detailed two novel methods that can be used to disrupt cryptocurrency mining botnets.
The methods take advantage of the design of various common mining topologies in order to shut down the mining process, Akamai said in a new report published today.
"We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a

Tag

#botnet