Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This…

Cybersecurity firm ESET uncovers PlushDaemon, a previously unknown APT group targeting South Korea, deploying a SlowStepper backdoor. This article analyses the attack techniques, the capabilities of the SlowStepper malware, and the growing threat posed by this sophisticated APT group. 

Cybersecurity firm ESET has identified a new China-aligned Advanced Persistent Threat (APT) group, dubbed “PlushDaemon,” behind a cyber espionage operation targeting South Korea.

The attack camaign nvolved a **supply chain compromise**, where attackers infiltrated the legitimate update channels of IPany, a popular South Korean VPN software. PlushDaemon then replaced genuine installers with trojanized versions, which upon download and execution, deployed both the legitimate IPany VPN software and a custom backdoor named SlowStepper.

This means, by replacing the genuine installer with a trojanized version, PlushDaemon successfully embedded a malicious backdoor within the software. As per ESET’s **research**, SlowStepper is a feature-rich backdoor boasting over 30 modules. It is designed for extensive surveillance and data collection.

Written in C++, Python, and Go, the malware possesses a wide range of capabilities, including stealing sensitive data such as system information, user credentials, and network configurations, recording audio and video, enabling attackers to monitor their targets’ activities, and gathering detailed information about the victim’s network environment.

Webpage on the IPany site where the malicious installer was available for download (Via ESET)

In addition, the backdoor features advanced persistence mechanisms, such as deploying files that ensure the continued presence of SlowStepper on infected systems and utilizing legitimate tools to sideload malicious code. The trojanized installer utilize advanced communication methods to connect with command-and-control (C&C) servers.

Instead of embedding IP addresses directly within the malware, SlowStepper crafts DNS queries to retrieve TXT records containing base64-encoded, AES-encrypted C&C server addresses. This multi-layered approach makes detection more challenging.

While ESET telemetry revealed manual downloads of the compromised software, suggesting a broad targeting strategy, the attack specifically focused on entities within South Korea’s critical semiconductor and software industries. The timely intervention of ESET, which alerted IPany to the compromised installer, prevented further widespread infection. 

Although only recently discovered, researchers believe the PlushDaemon APT has been active since 2019, consistently building a diverse and powerful arsenal of tools. The sophistication of SlowStepper and the successful execution of this supply chain attack highlight the growing threat posed by this actor. 

To stay safe from these cyber espionage groups there is an urgent need for continuous monitoring. Organizations must prioritize software update channel security and implement stringent verification procedures to ensure the integrity of all updates. Additionally, proactive **threat intelligence** sharing are vital for identifying and mitigating such attacks before they inflict damage.

1.  **Hackers cloned NordVPN website to drop banking trojan**
2.  **Hackers clone ProtonVPN website with password stealer**
3.  **Fake VPN website delivering password-stealing malware**
4.  **N. Korean APT37 Unleashes Dolphin Backdoor on S. Korea**
5.  **Dark web hackers selling S. Korean, US payment card data**

Chinese PlushDaemon APT Targets S. Korean IPany VPN with Backdoor

The Iranian nation-state hacking group known as Charming Kitten has been observed deploying a C++ variant of a known malware called BellaCiao.
Russian cybersecurity company Kaspersky, which dubbed the new version BellaCPP, said it discovered the artifact as part of a "recent" investigation into a compromised machine in Asia that was also infected with the BellaCiao malware.
BellaCiao was first

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT.
"The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint

Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware

A novel backdoor malware and a loader that customizes payload names for each victim have been added to the threat group's cybercriminal tool set.

Source: Photo Spirit via Shutterstock

A known threat actor in the malware-as-a-service (MaaS) business known as "Venom Spider" continues to expand capabilities for cybercriminals who use its platform, with a novel backdoor and loader detected in two separate attacks in a recent two-month period.

Researchers at Zscaler ThreatLabz uncovered campaigns between August and October of this year that leveraged a backdoor called called RevC2, as well as a loader called Venom Loader, in attacks that use known MaaS tools from Venom Spider (aka Golden Chickens), according to a blog post published Dec. 2.

RevC2 uses WebSockets to communicate with its command-and-control (C2) server and can steal cookies and passwords, proxy network traffic, and enable remote code execution (RCE). Venom Loader meanwhile uses the victim's computer name to encode payloads, thus customizing them for each victim as an extra personalization tactic.

Venom Spider is a threat actor known for offering various MaaS tools such as VenomLNK, TerraLoader, TerraStealer, and TerraCryptor that are widely used by groups such as FIN6 and Cobalt for cyberattacks. In fact, FIN6 was seen leveraging Venom Spider's MaaS platform in October, in a spear-phishing campaign spreading a novel backdoor dubbed "more\_eggs" capable of executing secondary malware payloads.

Related:Ransomware's Grip on Healthcare

**Even "More\_Eggs"**

That platform apparently has been enhanced yet again, this time with two new malware families observed in recent phishing campaigns. RevC2, observed by researchers in a campaign that occurred from August to September, used an API documentation lure to deliver the novel payload.

The attack began with with a VenomLNK file that contains an obfuscated batch (BAT) script that when executed downloads a PNG image from the website hxxp://gdrive\[.\]rest:8080/api/API.png. The PNG image aims to lure the victim with a document that is titled "APFX Media API Documentation."

Upon execution, RevC2 used two checks for specific system criteria and then executed only if they both pass, to ensure it's launched as part of an attack chain, and not in analysis environments such as sandboxes.

Once launched, the backdoor's capabilities include the ability to: communicate with the C2 using a C++ library called "websocketpp"; steal passwords and cookies from Chromium browsers; take screenshots of the victim's system; proxy network data using the SOCK5 protocol; and execute commands as a different user using the stolen credentials.

A second campaign occurring between September and October used a cryptocurrency lure to deliver Venom Loader, which in turn spread a JavaScript backdoor providing RCE capabilities that the researchers dubbed "More\_eggs lite." The malware is so-named because it has fewer capabilities than the previously discovered "more\_eggs," ThreatLabz security researcher Muhammed Irfan V A noted in the post.

Related:2 UK Hospitals Targeted in Separate Cyberattacks

"Although it is a JS backdoor delivered via VenomLNK, the variant only includes the capability to perform RCE," he wrote.

One notable feature of Venom Loader is that the DLL file it used in the observed campaign is custom built for each victim and is used to load the next stage, according to ThreatLabz.

The loader is downloaded from :hxxp://170.75.168\[.\]151/%computername%/aaa, "where the  %computername% value is an environment variable which contains the computer name of the system," Irfan V A wrote.

Venom Loader then uses %computername% as the hardcoded XOR key to encode its stages of attack, which in this case executes the More\_eggs lite backdoor for attackers to carry out RCE.

**MaaS Capabilities Expected to Expand**

ThreatLabz believes that the new malware included in Venom Spider's MaaS platform "are early versions, and expect more features and anti-analysis techniques to be added in the future," Irfan V A wrote.

Zscaler detected the malware using both a sandbox and its cloud security platform, which detected the following threat-name indictors related to the campaign: LNK.Downloader.VenomLNK; Win32.Backdoor.RevC2; and Win32.Downloader.VenomLoader.

Related:Incident Response Playbooks: Are You Prepared?

Zscaler also is providing a Python script that emulates RevC2's WebSocket server on its GitHub repository as well as included a long list of indicators of compromise (IoCs) in the blog post so defenders can check their respective organization's systems for evidence of the malware.         

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Venom Spider Spins Web of New Malware for MaaS Platform

This paper provides an in-depth technical explanation, illustration, and verification of discovered attacks affecting PlayReady on Windows 10 / 11 x64 that pertain to Warbird deficiencies, content key sniffer operation, magic XOR keys discovery, white-box crypto attack, and complete client identity compromise attacks.

Microsoft Warbird and PMP Security Research

Microsoft is readying a new release of Windows in 2025 that will have significant security controls, such as more resilient drivers and a "self-defending" operating system kernel.

Source: mundissima via Shutterstock

Microsoft is making sweeping changes to its Windows operating system (OS) in the wake of this past summer's flawed CrowdStrike update, which caused millions of commercial devices to crash and cost customers billions of dollars in downtime.

The incident was a major impetus for the new Windows Resiliency Initiative, introduced and outlined during a session at last week's Microsoft Ignite conference. Microsoft officials said the changes are being made based on what they learned from the July 19 event, resulting in what they promised to be a more reliable and secure OS in 2025.

David Weston, Microsoft's vice president of enterprise and OS security, identified three objectives intended to make Windows more secure: faster and simpler recovery times, more resilient drivers, and tools and changes to how the OS kernel is secured to make it "more effective and self-defending."

The changes will also affect software developers and third-party security tool providers.

"We're working together across the industry and will improve reliability, based on lessons from July, with new changes and standards in the OS," said Pavan Davuluri, corporate VP for Windows and devices at Microsoft.

The new Windows release is being designed to resist malware and script attacks with stronger controls for applications and drivers, while improved identity protection aims to prevent phishing attacks. Microsoft is also establishing a new approach to privilege access management, Davuluri said.

Microsoft will release a preview of the new release to Windows Insiders next July. It will include tighter controls over what applications and software drivers are permitted to run, stronger identity management, quick machine recovery, personal data encryption for folders, and improved OS management and configuration capabilities.

The release is poised to arrive just as Microsoft ends support for Windows 10 on Oct. 14, 2025. Although Microsoft has been encouraging customers to upgrade to Windows 11, which was released in 2021, on an ongoing basis, nearly 61% of all PCs worldwide still have Windows 10, according to Statcounter.

**Enabling Security Partners to Build Outside the Kernel**

Further, tied to its long-term Secure Future Initiative announced a year ago, Microsoft is moving to safer programming languages by incrementally shifting from C++ to Rust. A new Windows Resilient Security Platform will enable third-party security product developers to build their products outside of the kernel, Weston explained.

"We're ensuring this platform will enable security solution providers to have the access they need to detect and respond to threats without introducing complexity into the kernel," he said. "This change will help end-user protection and antivirus products provide a high level of security and easier recovery."

While the moves should make Windows more resilient to attacks, Forrester senior analyst Paddy Harrington would like to see Microsoft tighten access even further.

"I would much prefer it if Microsoft bit the bullet and put the walls back up. That would mean recoding for everyone who messes in the kernel driver world, including Microsoft, but it's a safer method of operation," says Harrington, who first opined on that point in a July blog post.

**Post-Incident Security Summit in Redmond**

Two months after the CrowdStrike incident, Microsoft hosted its Windows Endpoint Security Ecosystem Summit, in Redmond, Wash., with security vendors and representatives of the US Cybersecurity and Infrastructure Security Agency (CISA) on hand to discuss how to make the OS more resilient.

Leading into the meeting, Weston indicated that an examination of Windows crash reports signaled the need to change how kernel drivers are deployed.

"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are, by nature, constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," Weston wrote in a July 27 post.

Following the summit, CISA last month published its Safe Software Deployment white paper, co-authored by the FBI, the Australian Signals Directorate's Australian Cyber Security Centre, and the Joint Cyber Defense Collaborative.

Omdia principal analyst Andrew Braunberg says that Microsoft is one of numerous vendors that have issued statements of support for CISA's Secure by Design pledge. However, it remains to be seen if it will follow through.

"It will be interesting to see if there is any change in behavior from Microsoft and other large software companies because of \[Donald\] Trump's win \[of the U.S. presidential election\]," Braunberg says. "These companies may reassess the external benefits of this support given a reduced, or eliminated, CISA under the new administration. There are international drivers for embracing Secure by Design principles, such as the EU Cyber Resiliency Act, but CISA has been the primary advocate in the US."

Nevertheless, Weston described CISA as playing an essential role in determining Microsoft's revamped security and resiliency standards for Windows endpoints.

"They are providing a framework for the whole IT industry to ensure that all partners, customers, and organizations are able to stay ahead of evolving security threats," he said.

Among the vendors at Microsoft's summit was CrowdStrike, which signaled it is endorsing Microsoft's Windows Resiliency Initiative.

"Microsoft's initiatives build on the discussions CrowdStrike participated in at the Windows Endpoint Security Summit in September, and we welcome innovations that enhance resiliency for our shared customers," a CrowdStrike spokesperson said. "The entire industry benefits when we collaborate to create a more resilient and open ecosystem that strengthens security for all."

Endpoint protection provider ESET is offering conditional support for Microsoft's initiative.

"In general, we support this evolution if it demonstrates measurable improvements to stability and strongly stress this must be on condition that any change must not weaken security, affect performance, or limit the choice and differentiation between cybersecurity solutions for customers," says ESET CTO Juraj Malcho.

**Shifting to Trusted Apps and Drivers**

Because many attacks result from users who download malicious or unsafe apps and drivers, Microsoft is adding Smart App Control and App Control for Business to Windows. These features use artificial intelligence to let administrators employ policies that require verified applications, according to Weston. He noted that Microsoft already offers this through App Locker, but it is complicated to manage.

A feature called "robust app control" will ensure that only verified apps can run, eliminating attacks from malicious attachments and socially engineered malware, he added.

**Thwarting Identity-Based Attacks and Overprivileged Accounts**

According to Microsoft's Entra ID data, more than 600 million identity attacks occur every day, 99% of which are password-based. In response, Microsoft has hardened its Windows Hello multifactor authentication capability, which uses biometrics. Microsoft has extended Windows Hello support for passkeys.

As part of its latest Windows Insider build, last week Microsoft released a preview of updates to its implementation of the WebAuthn APIs that will enable plug-in support for passkeys. In the coming months, Microsoft said third-party password managers will work with the native Windows passkey provider using Windows Hello. 

The new Windows release will also aim to reduce attacks resulting from users who have too many privileges and organizations that have insufficient privilege controls, which, according to Microsoft's Digital Defense report, are the cause of 93% of ransomware attacks.

A new feature called "administrator protection" will give employees standard user permissions by default "so they can still make Windows system changes, including app installation, but only when necessary and only after authorizing the change using Windows Hello," Weston said. "Admin protection will be incredibly disruptive to attackers, as they no longer have elevated privileges by default, and it will help ensure that employees do not use malware and remain in control of Windows."

According to Forrester's Harrington, the new app control approach should help organizations lock down their endpoints.

"I think there will be plenty of businesses who still go to third parties because of the flexibility those solutions bring," he says. "But this is a good move by Microsoft to breathe life back into the app control solution. For all those functions, I would have liked to see these moves earlier in the Windows 11 releases, but with Windows 10 going end-of-service next year, the timing works to give more enterprises reasons to move to Windows 11."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Microsoft Boosts Device Security With Windows Resiliency Initiative

Python has emerged as a powerful ally in combating rising cybersecurity threats and tracking cybercrime through tools leveraging…

Python has emerged as a powerful ally in combating rising cybersecurity threats and tracking cybercrime through tools leveraging **threat intelligence**. With its versatility and powerful libraries, experts today can create solutions that run large algorithms and enhance searchability and scalability.

****Unmatched Versatility in Threat Detection****

Cyber threats are evolving rapidly, and tools must stay ahead to counter them effectively. Python stands out with its versatility and a wide range of libraries tailored for cybersecurity. For instance, Scapy allows developers to analyze network packets, identifying suspicious behaviours before they can cause harm. Additionally, Python can be used to create predictive models to detect and mitigate threats using frameworks like TensorFlow.

****Real-life use cases highlight Python’s potential****

Python is incredibly useful in real-world cybersecurity. For network monitoring, tools like **Pyshark** leverage Python to decode and analyze network traffic for anomalies. Automated penetration testing benefits from Python scripts that streamline server and application vulnerability scans. In malware analysis, the Python-based **YARA** library plays a crucial role in identifying patterns of malicious code, making it an invaluable tool for threat detection.

Beyond technical strength, Python’s simplicity makes it easy for cybersecurity teams of different levels of expertise to work together. **Python software development services** are used by developers and analysts alike to easily integrate threat detection into existing systems.   

****Why Python Outshines Other Languages in Cybersecurity**  **

Python isn’t the only programming language out there—so what sets it apart? Its rich ecosystem, ability to quickly prototype, and cross-platform compatibility make it stand out from languages like Java or C++. Python enables rapid development of tools that can respond to threats in real-time, a critical factor in combating modern cyber risks.

Stay tuned as we explore how Python accelerates incident response and powers proactive defence systems, helping organizations stay ahead of security threats worldwide.

****Python’s Role in Accelerating Incident Response**  **

Quick action is necessary for incident response to limit the damage. The automation of repetitive tasks and real-time analysis make Python an ideal tool for this. Its simple syntax enables teams to write scripts that respond to threats quickly and resolve the issues faster.  

****Key ways Python aids incident response****

Python plays a vital role in incident response by streamlining critical tasks. Libraries like Loguru help parse server logs to identify irregularities, while Python scripts enable real-time alerts when threats are detected.

Tools like **Beautiful Soup** automate data extraction from compromised systems, and custom scripts can isolate infected systems to prevent the spread of malicious activity. These capabilities make Python an invaluable asset in managing and mitigating cyber threats effectively.

Python software development service helps organizations improve their incident response, reducing downtime and protecting their critical assets. Thanks to Python’s robust capabilities, teams can accelerate risk mitigation and manage what was once a potential crisis as an ordinary event.    

****Proactive Defense Through Python Development**  **

Python isn’t just reactive—it’s also a proactive tool for combating threats right from the start. With its extensive libraries and frameworks, cybersecurity teams can build predictive analytics tools to identify potential vulnerabilities and detect unusual patterns, keeping organizations one step ahead of attackers.

For instance, Python integrates seamlessly with AI tools for real-time anomaly detection. Developers can create algorithms to monitor network behavior and trigger instant alerts when deviations occur. Additionally, Python’s flexibility allows it to integrate easily with existing security infrastructures without stretching budgets.

By leveraging Python, businesses can reduce the risk of breaches, maintain stakeholder trust, and strengthen their overall security posture. Its proactive capabilities transform cybersecurity from a reactive necessity into a strategic advantage, enhancing digital protection at every level.

****Key Advantages of Python in Cyber Defense**  **

Python is a powerhouse in cybersecurity, offering developers and organizations unmatched efficiency in tackling complex security challenges. With extensive libraries like Cryptography and Hashlib for secure encryption and hashing, Python ensures data protection is seamless.

Furthermore, its cross-platform support allows it to work effortlessly across Windows, Linux, and macOS without compromising security. Python’s user-friendly syntax accelerates tool development and reduces deployment time, while its vast and active community continuously updates resources to address evolving threats. This combination of features makes Python a key factor for cybersecurity solutions.

1.  **Top Software Development Outsourcing Trends**
2.  **Why is learning Python important in Data Science?**
3.  **A Step-by-Step Guide to How Threat Hunting Works**
4.  **Power of Cloud App Development, DevOps for Businesses**
5.  **The Essential Tools and Plugins for WordPress Development**

How Python Software Development Enhances Cyber Defense

Group-IB has discovered that cybercriminals are using fake betting apps and ads with AI-generated voices to steal personal information and money. Discover the tactics used by scammers and how to avoid falling victim to these fraudulent schemes.

**SUMMARY**

*   **Scammers Use Fake Ads**: Cybercriminals are creating fake betting app ads to lure users and steal money and personal information.

*   **AI-Generated Voices**: Scammers use AI-generated voices in multiple languages to make their schemes seem more credible.

*   **Massive Reach**: Over 500 fake ads and 1,377 malicious sites have been identified, targeting users in regions like Egypt, the Middle East, Europe, and Asia.

*   **Serious Losses**: Victims have reported losing significant amounts, with some losing over $10,000 to these scams.

*   **Stay Safe**: Avoid downloading apps from unofficial sources, be wary of too-good-to-be-true offers, and always use strong security measures.

Cybersecurity firm Group-IB has observed a surge in **fake betting** game advertisements across various social media platforms. In its detailed investigation, shared with Hackread.com, Group-IB’s CERT team discovered deceptive ads designed to lure unsuspecting users by promising easy money, ultimately leading to financial loss and personal data compromise. The ads typically target users in regions like Egypt, the Middle East, Europe, and Asia.

One of the fake apps used in the scam (Source: Group-IB)

Researchers, reportedly, discovered over 500 deceptive ads and 1,377 malicious websites targeting users to download fraudulent applications. Further probing revealed that cybercriminals are employing advanced techniques to make these fraudulent ads appear legitimate.

This, according to Group-IB’s **blog post**, includes using AI-generated voices in multiple languages to create a sense of authenticity, even when the scam originates from a different country. Victims have suffered significant financial losses, with some reporting losses exceeding US$10,000.

As soon as a user clicks on a deceptive ad, they are directed to download a fraudulent app. These apps are typically distributed through third-party websites or APK files and are capable of bypassing security measures on official app stores. Upon installation, the app requests various personal and financial information, which is then harvested by the scammers.

> _“Group-IB CERT discovered these scams across multiple regions, with more than 200 ads targeting Egypt, 160 ads in the GCC, and another 140 in Europe and Asia. The momentum of such scams has rapidly increased, with scammers continually expanding into new markets.”_
> 
> Group-IB

Fake reviews and testimonials are a key facilitating factor in these scams, as these enhance the legitimacy of the fake apps. These reviews feature detailed narratives, screenshots, and photos of “successful” players, creating the illusion of a highly profitable and trustworthy game, and generating attraction for the scam.

Fake reviews on one of the fraud apps (Source: Group-IB)

Fake betting apps can lead to severe consequences for users, such as financial loss through “bait and switch” tactics, identity theft due to the collection of personal information, and device compromise. Malicious apps can compromise device security, allowing attackers to access sensitive data and install additional malware, posing a significant risk to users’ personal information.

We have been witnessing a gradual rise in fake gaming apps compromising users’ devices. Recently, Hackread **reported** Fortinet’s FortiGuard Labs discovery of a new malicious campaign targeting Microsoft Windows users using game-related applications to deliver Winos4.0, an advanced malware framework similar to Cobalt Strike and Sliver. Earlier this week, Indian authorities **busted** an international gang of cybercriminals who used fake gaming apps to mint over 190cr from unsuspecting users.

Hence, it is essential to be cautious of quick money offers to avoid falling victim to such scams. Always download apps from official stores, avoid suspicious links, use strong security measures like passwords and two-factor authentication, and stay updated on the latest online scams and **phishing techniques** to stay safe.

1.  **Crooks Exploit Satellite Live Feed Delay for Betting Advantage**
2.  **Fake GlobalProtect VPN Downloads Spread WikiLoader Malware**
3.  **Chinese Scammers Exploit Cloned Sites in Vast Gambling Network**
4.  **Facebook Malvertising Campaign Drops Malware via Fake Bitwarden**
5.  **Dude Finds Flaw in World’s Biggest Gambling Site, Steals $1M in BTC**

Fake Betting Apps Using AI-Generated Voices to Sensitive Data

Qualified applicants must be able to test ransomware encryption and find bugs that might enable defenders to jailbreak the malware.

Source: TippaPatt via Shutterstock

Businesses are not the only organizations looking for skilled cybersecurity professionals; cybercriminals are also advertising for individuals capable of creating dark AI models and penetration-testing products — that is, ransomware — to reduce the chance of defenders finding ways to circumvent the scheme.

In advertisements on Telegram chats and forums — such as the Russian Anonymous Marketplace, or RAMP — ransomware affiliate groups and initial access providers are seeking cybersecurity professionals to help find and close holes in their malware and other attack tools, security firm Cato Networks stated in its "Q3 SASE Threat Report." In the past, the firm's threat researchers have noted advertisements seeking developers capable of creating a malicious version of ChatGPT.

The search for more technical talent highlights the recent success of law enforcement and private companies in taking down botnets and helping defenders recover their data, says Etay Maor, chief security strategist at Cato Networks.

"They definitely want to make sure that all the effort they're putting into their software is not going to be turned over when somebody finds a vulnerability," he says. "They're really stepping up their game in terms of approaching software development, making it closer to what an enterprise would do than what is typically seen today from other development groups."

The search for better software security is the latest sign of technical evolution among cybercriminal groups. In Southeast Asia, cybercriminal syndicates have grown from illegal gambling and drug cartels into enterprises that rake in more than $27 billion a year, fueling improvements in money laundering, technical development, and forced labor.

**Penetration Testing Just the Latest**

As cybercriminal groups grow, specialization is a necessity. In fact, as cybercriminal gangs grow, their business structures increasingly resemble a corporation, with full-time staff, software development groups, and finance teams. By creating more structure around roles, cybercriminals can boost economies of scale and increase profits.

Currently, the top ransomware groups are LockBit, RansomHub, PLAY, Hunters International, and Akira — all likely using more structured roles and cybercriminal services to operate efficiently, according to a 2024 review of the top ransomware groups by threat intelligence firm Recorded Future, now part of Mastercard International.

"These emerging groups and platforms bring new and interesting ways to attack so organizations need to be on their toes and adjust their cybersecurity accordingly," the company stated in a blog post. "As they evolve, understanding their modus operandi and targets will be key to mitigating the impact."

New cybercriminals groups are always appearing, and that also means new opportunities for skilled cybercriminals. The first half of 2024 saw 21 new ransomware groups appear in underground forums, although many of those new groups are likely rebranded versions of previous groups that had splintered. Overall, 68 groups posted more than 2,600 claimed breaches to leak sites in the first six months of the year, a 23% increase over the same period in 2023, according to cybersecurity firm Rapid7.

Most malware and tools created by the groups use C or C++ — the programming language used in 58 samples — but the use of more modern, memory-safe languages is growing, with Rust used in 10 samples and Go used in six samples, according to a report released by Rapid7, which noted "the complexity of the ransomware business model, with groups coming and going, extortion tactics intensifying, builders and code 'leaking' — and all the while, the overall scope of the threat only expanding."

**More Aggressive Defense**

Finally, some groups required specialization in roles based on geographical need — one of the earliest forms of contract work for cybercriminals is for those who can physically move cash, a way to break the paper trail. "Of course, there's recruitment for roles across the entire attack life cycle," Maor says. "When you're talking about financial fraud, mule recruitment ... has always been a key part of the business, and of course, development of the software, of malware, and end of services."

Cybercriminals' concerns over software security boil down to self-preservation. In the first half of 2024, law enforcement agencies in the US, Australia, and the UK — among other nations — arrested prominent members of several groups, including the ALPHV/BlackCat ransomware group and seized control of BreachForums. The FBI was able to offer a decryption tool for victims of the BlackCat group — another reason why ransomware groups want to shore up their security.

Current geopolitical disruptions, which can lead to highly skilled people unemployed, are making it more likely that cybercriminals groups will be able to convince legitimate cybersecurity professionals to take a risk and do illegal work, Cato Networks' Maor says.

"There's people ... losing jobs in Eastern Europe because of the current war situation, so unfortunately you see that in the underground forums, where you have smart people there, who — at the end of the day — need to put food on the table," he says. "If that means they have to resort to jobs that are not necessarily super legal, if that's what they need to do to pay the bills, then they'll pop up on these forums and be like, 'Hey, I worked for this company. I have this knowledge ... and I can offer access.'"

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Gangs Seek Pen Testers to Boost Quality

Ubuntu Security Notice 7125-1 - It was discovered that RapidJSON incorrectly parsed numbers written in scientific notation, leading to an integer underflow. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-7125-1  
November 25, 2024

rapidjson vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10  
- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

RapidJSON could be made to crash or run programs as your login if it  
opened a specially crafted file.

Software Description:  
- rapidjson: A fast JSON parser/generator for C++

Details:

It was discovered that RapidJSON incorrectly parsed numbers written in  
scientific notation, leading to an integer underflow. An attacker could  
possibly use this issue to cause a denial of service, or execute arbitrary  
code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.10  
  rapidjson-dev                   1.1.0+dfsg2-7.3ubuntu0.1

Ubuntu 24.04 LTS  
  rapidjson-dev                   1.1.0+dfsg2-7.2ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS  
  rapidjson-dev                   1.1.0+dfsg2-7ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS  
  rapidjson-dev                   1.1.0+dfsg2-5ubuntu1+esm1  
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS  
  rapidjson-dev                   1.1.0+dfsg2-3ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  rapidjson-dev                   0.12~git20141031-3ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7125-1  
  CVE-2024-38517

Package Information:

https://launchpad.net/ubuntu/+source/rapidjson/1.1.0+dfsg2-7.3ubuntu0.1

Tag

#c++