Cybercriminals are injecting fake support phone numbers onto official sites like Bank of America and Netflix. Learn how 'search parameter injection' scams work and protect yourself now.

Cybercriminals are finding clever new ways to trick people, even on the official websites of major companies. Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands.

This trick has been seen affecting companies like:

1.  HP
2.  Apple
3.  Netflix
4.  PayPal
5.  Microsoft
6.  Facebook
7.  Bank of America

****How the Search Parameter Injection Works****

The scam typically starts with a sponsored advertisement on Google, which directs users to the real company website. It is worth noting that instead of creating a fake website, these scammers use a clever technique called a search parameter injection attack.

This means they create a special, malicious web address that embeds their scam phone number into the real website’s search function. When a user clicks on a poisoned search result, they land on the brand’s actual support page. The web address in their browser will show the legitimate site, giving no cause for alarm.

However, the scammer’s fake phone number appears prominently within what looks like an official search result on the page itself. For instance, on Netflix, the site’s search function “blindly reflects whatever users put in the search query parameter without proper sanitization or validation,” creating a weakness the scammers exploit, Malwarebytes’ Pieter Arntz explained in the report shared with Hackread.com.

Source: Malwarebytes

Once a victim calls the fake number, the scammers pretend to be company representatives. Their goal is to get personal details, credit card information, or even gain remote access to the victim’s computer. If it’s a financial company like Bank of America or PayPal, the scammers aim to empty bank accounts.

Malwarebytes Browser Guard proved effective in catching these scams, displaying a warning about Search Hijacking Detected and explaining that unauthorized changes have occurred. However, some instances are harder to spot such as, on Apple’s support page, the fake number appears alongside a message stating no search matches were found, urging users to call the displayed number.

Source: Malwarebytes

****Stay Safe: Spotting the Red Flags****

To avoid falling victim, always be suspicious if a phone number appears directly in the web address bar, or if search terms like Call Now or Emergency Support are visible there. Watch out for many strange characters (like %20 or %2B) mixed with phone numbers in the URL. If a website shows a search result before you even type anything, that’s another warning sign. Any urgent language like Account suspended should also raise an alarm.

Moreover, before calling any support number, always look up the official contact details from a trusted source, like their social media pages, and compare it to the number you found. If they don’t match, investigate further. Finally, if during a call, you’re asked for personal or banking details unrelated to your issue, hang up immediately.

Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages

### Impact
_What kind of vulnerability is it? Who is impacted?_
In certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack.
This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system.
The vulnerable class is `com.powsybl.commons.xml.XmlReader` which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels.

#### Am I impacted?
You are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files.

### Patches
com.powsybl:powsybl-commons:6.7.2 and higher

### References
[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-47293

**PowSyBl Core XML Reader allows XXE and SSRF**

Low severity GitHub Reviewed Published Jun 19, 2025 in powsybl/powsybl-core • Updated Jun 19, 2025

**Package**

maven com.powsybl:powsybl-commons (Maven)

**Affected versions**

<= 6.7.1

**Impact**

_What kind of vulnerability is it? Who is impacted?_  
In certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack.  
This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system.  
The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels.

**Am I impacted?**

You are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files.

**Patches**

com.powsybl:powsybl-commons:6.7.2 and higher

**References**

powsybl-core v6.7.2

**References**

*   GHSA-qpj9-qcwx-8jv2
*   powsybl/powsybl-core@e6c7c49
*   https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2

Published to the GitHub Advisory Database

Jun 19, 2025

Last updated

Jun 19, 2025

GHSA-qpj9-qcwx-8jv2: PowSyBl Core XML Reader allows XXE and SSRF

Researchers have uncovered 30 exposed data sets containing over 16 billion login credentials which were likely harvested by infostealers.

When organizations, good or bad, start hoarding collections of login credentials the numbers quickly add up. Take the 184 million logins for social media accounts we reported about recently. Now try to imagine 16 billion!

Researchers at Cybernews have discovered 30 exposed datasets containing from several millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records.

The likely source: information stealers, or infostealers for short. Infostealers are malicious software designed specifically to gather sensitive information from infected devices. These malware variants silently extract credentials stored in browsers, email clients, messaging apps, and even crypto wallets, and send the data to cybercriminals.

And for those who are about to shrug it of as “probably old data,” it’s not. According to the researchers these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale.

Once again, an unfortunate demonstration on how effective and widespread infostealers are.

The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data.

But that doesn’t take away from the fact that these credentials are in the hands of cybercriminals who can use them for:

*   **Account takeovers**: Cybercriminals can use stolen credentials to hijack social media, banking, or corporate accounts.
*   **Identity theft**: Personal details enable fraud, loan applications, or impersonation.
*   **Targeted phishing**: Combining leaked data allows cybercriminals to engage in very convincing and personalized scams.
*   **Ransomware/business email compromise (BEC) attacks**: Compromised business credentials facilitate network intrusions or fraudulent wire transfers.

The leak includes credentials for virtually every large online service. Apple, Google, Facebook, Telegram, developer platforms, VPNs, and more.

And the number is so massive it exceeds our imagination. If you printed each credential (16 billion usernames + passwords) on a single line, using standard paper, and stacked the pages, the pile would reach far beyond the edge of the stratosphere (roughly 35 miles).

**How to protect against infostealers**

There are a few things you can do to limit the dangers of infostealers:

*   **Use an up-to-date and active anti-malware solution** that can detect and remove infostealers.
*   **Do not reuse passwords across different sites and services.** A password manager can be very helpful to create safe passwords and remember them for you.
*   **Enable two-factor authentication (2FA) for every account you can.** 2FA makes it much more difficult for an attacker to access your account with your login credentials. If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

Data stolen by infostealers is often sold or posted online. If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll give you a free report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Billions of logins for Apple, Google, Facebook, Telegram, and more found exposed online 

Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution.

Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution.

In a press release last week, the owner of the Barbie brand signed a “strategic collaboration” with the AI company, which owns ChatGPT. “By using OpenAI’s technology, Mattel will bring the magic of AI to age-appropriate play experiences with an emphasis on innovation, privacy, and safety,” it said.

Details on what might emerge were scarce, but Mattel said that it only integrates new technologies into its products in “a safe, thoughtful, and responsible way”.

Advocacy groups were quick to denounce the move. Robert Weissman, co-president of public rights advocacy group Public Citizen, commented:

> “Mattel should announce immediately that it will not incorporate AI technology into children’s toys. Children do not have the cognitive capacity to distinguish fully between reality and play.
> 
> Endowing toys with human-seeming voices that are able to engage in human-like conversations risks inflicting real damage on children. It may undermine social development, interfere with children’s ability to form peer relationships, pull children away from playtime with peers, and possibly inflict long-term harm.”

**The kids aren’t alright**

Some are concerned about the effect of AI on young developing minds. Researchers from universities including Harvard and Carnegie Mellon have warned about negative social effects, along with a tendency for children to attribute human-like properties to AI.

One such child, 14 year-old Sewell Seltzer III, took his own life after repeatedly talking to chatbots from Character.AI, which allows users to create their own AI characters.

In a lawsuit against the company, his mother Megan Garcia described how he began losing sleep and growing more depressed after using the service, to the point where he fell asleep in class. A therapist diagnosed him with anxiety and disruptive mood disorder. It emerged that he had become obsessed with an AI representing an adult character from Game of Thrones that purported to be in a real romantic relationship with him.

**Past mistakes**

We’re not suggesting Mattel would condone such activities. It cites “more than 80 years of earned trust from parents and families”, but that statement glosses over previous missteps.

These include Hello Barbie. Mattel launched this Wi-Fi connected doll in 2015 and encouraged kids to talk with it. It asked personal questions about children and their families, sending that audio to a third-party company that used AI to generate a response. Non-profit group Fairplay, which advocates for protecting children from inappropriate technology and brand marketing, launched a campaign protesting child surveillance. Subsequently, investigators found vulnerabilities that would allow intruders to eavesdrop on that audio. Mattel pulled the toy from shelves in 2017.

Fairplay executive Josh Golin slammed the OpenAI partnership announcement.

> “Apparently, Mattel learned nothing from the failure of its creepy surveillance doll Hello Barbie a decade ago and is now escalating its threats to children’s privacy, safety and well-being.
> 
> Children’s creativity thrives when their toys and play are powered by their own imagination, not AI. And given how often AI ‘hallucinates’ or gives harmful advice, there is no reason to believe Mattel and OpenAI’s ‘guardrails’ will actually keep kids safe.”

Another incident where Mattel lost parents’ trust was back in November 2024 when a packaging mistake sent owners of its ‘Wicked’ doll to an adult movie website (Wicked Pictures) instead of a promotional landing page for the Wicked movie.

Incidents like these show that even with the best intentions in the world, companies can make mistakes.

Ultimately, it’s up to parents to make decisions about whether they’ll expose their children to AI-powered toys. It’s perhaps inevitable that AI will reach every corner of our lives, but is it ready and polished enough to be used on our children?

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Mattel&#8217;s going to make AI-powered toys, kids’ rights advocates are worried 

In a new wrinkle on the tech support scam front, these search parameter injection attacks dupe victims into believing they are receiving technical help when they are actually speaking to fraudsters.

Scammers Spread False Support Info Using Legitimate Websites

North Korean hackers deploy PylangGhost malware through fake crypto job interviews targeting blockchain professionals with phishing and remote access tools.

A new series of cyber attacks is targeting professionals in the crypto and blockchain industries using fake recruitment scams, according to new research by Cisco Talos. The attackers, linked to a North Korea-aligned group known as Famous Chollima, are impersonating legitimate companies to trick victims into installing malware disguised as video drivers.

The group has been active since at least mid-2024, previously known for tactics like fake developer job postings and fraudulent interview processes. This latest development shows the operation evolving in sophistication, now with a new Python-based malware called PylangGhost, a variant of the previously identified GolangGhost trojan.

****Real Jobseekers, Fake Companies****

Victims are approached by fake recruiters offering positions at companies that appear to be in the crypto sector. Targets are often software developers, marketers and designers with cryptocurrency experience.

Once contact is made, the victim is directed to a fake skill-assessment page designed to look like it belongs to a real company, including well-known names like Coinbase, Robinhood, Uniswap and others.

These pages use the React framework and closely mimic real corporate interfaces. After filling out personal information and completing the test, applicants are told they must record a video introduction for the hiring team. To do so, they’re asked to install “video drivers” by copying and pasting commands into their terminal.

That step downloads the malware.

****How the Malware Works****

According to Cicso Talos’ blog post, if the victim follows instructions on a Windows or MacOS system, a malicious ZIP file is pulled down. It contains the Python-based PylangGhost trojan and related scripts. The malware then unpacks itself, runs in the background and gives attackers remote access to the victim’s machine.

Screenshot of MacOS instructions prompting the user to copy, paste and run a malicious command line script (Image via Cisco Talos)

The Python version functions almost identically to its Go-based counterpart. It installs itself to run every time the system starts, collects system info, and connects to a command and control server. Once active, it can receive and execute remote commands, harvest credentials, and steal browser data, including passwords and crypto wallet keys.

According to Talos, it targets more than 80 different browser extensions, including widely used password managers and digital wallets like MetaMask, 1Password, NordPass and Phantom.

The malware uses RC4 encryption for communication with its server. Though the data stream is encrypted, the encryption key is sent along with the data, limiting the security of that method. Still, the setup helps it blend in with regular traffic and makes detection harder.

The goal of this operation is twofold. First, it allows attackers to gather sensitive personal data from real jobseekers. Second, it opens the door for fake employees to be placed inside real companies, which could lead to long-term infiltration and access to valuable financial data or software infrastructure.

Only a small number of victims have been confirmed so far, mostly in India. Linux users are not affected in this particular campaign. No Cisco customers appear to have been impacted at this time.

Talos notes that the malware’s development does not seem to involve AI code generation, and the structure of both the Python and Go versions suggests the same developers created both.

****Stay Safe****

If you’re applying for roles in crypto or tech, be cautious with job listings that ask you to install software or run terminal commands as part of an interview. Legitimate companies will not require this.

Cybersecurity teams should review employee onboarding processes, especially for remote hires, and educate staff about these types of social engineering attacks. Monitoring for unexpected outbound connections or strange ZIP downloads can also help catch early signs of compromise.

N. Korean Hackers Use PylangGhost Malware in Fake Crypto Job Scam

Zimperium zLabs reveals GodFather malware’s advanced virtualization that hijacks mobile banking and crypto apps. Learn how it steals data on your phone.

Cybersecurity researchers at Zimperium zLabs, led by Fernando Ortega and Vishnu Pratapagiri, have uncovered a dangerous new version of the GodFather Android malware using an advanced technique called on-device virtualization to take over legitimate mobile apps. It especially targets banking and cryptocurrency apps, effectively turning your own device into a spy.

****The Virtualization Trick****

Instead of just showing a fake image, the malware installs a hidden host app, which then downloads and runs a real copy of your banking or crypto app inside its own controlled space, a sandbox. When you try to open your actual app, the malware redirects you to this virtual version.

The malware then monitors and controls every action, tap, and word you type in real time, making it nearly impossible for you to notice anything wrong, since you are interacting with the real app, just in a manipulated environment. This sophisticated technique allows attackers to obtain usernames, passwords, and device PINs, obtaining complete control of your accounts.

This method gives attackers a huge advantage. They can steal sensitive data as you enter it, and even change how the app works, bypassing security checks including those that detect rooting a phone. Notably, the GodFather banking malware is built by repurposing several legitimate open-source tools, such as VirtualApp and XposedBridge, to execute its deceptive attacks and evade detection.

****Global Targets and Evasive Manoeuvres****

While GodFather employs its advanced virtualization, it also continues to use traditional overlay attacks, placing deceptive screens directly over legitimate applications. This dual approach shows the threat actors’ remarkable ability to adapt their methods.

According to the company’s blog post, the GodFather Android malware campaign is widespread, targeting 484 applications globally, though the highly advanced virtualization attack currently focuses on 12 specific Turkish financial institutions. This broad reach includes not just banking and cryptocurrency platforms, but also major global services for payments, e-commerce, social media, and communication.

The malware also uses clever tricks to avoid being found by security tools. It changes the way APK files (Android app packages) are put together, tampering with their structure to make them look encrypted or adding misleading information like $JADXBLOCK. It also moves much of its harmful code to the Java part of the app and makes its Android manifest file harder to read with irrelevant information.

Further probing revealed that GodFather still uses Android’s accessibility services (designed to help users with disabilities) to trick users into installing hidden parts of its application. It uses deceptive messages like “You need permission to use all the features of the application,” and once it gains accessibility permissions, it can secretly grant itself more permissions without user knowledge.

Also, the malware hides its important information, like where it connects to its control server (C2), in encoded form, making it harder to track. Once active, it sends details of your screen to the attackers, giving them a real-time view of your device. This discovery, hence, highlights the ongoing challenge in mobile security as threats become more complex and harder to spot.

_“_This is definitely a novel technique and I can see its potential,_“_ said Casey Ellis, Founder at Bugcrowd. _“_It will be interesting to see how effectively it actually is in the wild, whether or not the threat actors decide to deploy it outside of Turkiye, and if other threat actors attempt to replicate a similar approach._“_

GodFather Android Malware Runs Real Apps in a Sandbox to Steal Data

The Android malware is targeting Turkish financial institutions, completely taking over legitimate banking and crypto apps by creating an isolated virtualized environment on a device.

GodFather Banking Trojan Debuts Virtualization Tactic

Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information.

For years, the Iranian regime has been building the technology and infrastructure needed for it to control, censor, and shut down internet access for more than 80 million Iranians. In 2019, the country shut off internet access as police sought to silence protesters, while in 2022 WhatsApp and Instagram connections were severed following protests after the death of 22-year-old Mahsa Amini in police custody. Each shutdown deprives people of information and has huge economic costs. Now as the conflict between Israel and Iran approaches the end of its first week, internet connections within Iran have been restricted again, limiting people’s access to information and stopping them connecting with loved ones who may be in peril.

Hours after Israel’s Air Force bombed targets in Iran on June 13, escalating the shadow conflict between the two countries, the first reports of self-imposed internet disruptions inside Iran emerged. Iran’s Ministry of Communication, according to semi-official state news agency Tasnim, said “temporary restrictions” had been imposed due to the “special conditions” the country was facing. Since then, Israel and Iran have traded fire, continually raising the stakes in the conflict. US president Donald Trump has indicated, but not confirmed, that the United States could support further Israeli efforts to destroy Iranian nuclear facilities.

Internet connectivity in Iran saw a 54 percent drop on June 13, says Doug Madory, director of internet analysis at monitoring firm Kentik. Then, days later on June 17, there was an additional 49 percent drop from the already lower level of connectivity. After internet connections were briefly restored back to where they were earlier on Tuesday, it dropped again on Wednesday by another 90 percent, Madory says. “Numerous Iranian service providers \[are\] now offline in second national Internet blackout in as many days,” Madory posted on BlueSky on Wednesday. Multiple internet companies in Iran have been impacted by the restrictions, including cell providers.

“Things went to overdrive since yesterday,” says a researcher with internet freedom effort Project Ainita, who asked not to be named for safety reasons. “For a second day in a row, they have cut international connectivity, and this time it's even more severe than yesterday, affecting all domestic news sites as well.” Other internet monitoring efforts such as Cloudflare Radar and Netblocks have also observed the multiple internet shutdowns in recent days, with Netblocks calling the most recent a “near-total” blackout. Iranian news agency Khabar posted on its Telegram channel that international internet access in the country had been “temporarily restricted to prevent enemy abuse,” citing the Ministry of Communications.

Iran has reportedly also told officials to stop using internet-connected devices and claimed citizens should delete WhatsApp, which has previously introduced ways to circumvent censorship. Government officials have also said the shutdowns are to try to prevent potential cyberattacks. However, the widespread measures to control and restrict connectivity have left people in Iran struggling to communicate and find out vital information about the state of the conflict. The shutdowns come at a time when Trump has said the almost 10 million people living in the Iranian capital, Tehran, should “immediately evacuate” the area.

“This extensive censorship and internet disruption primarily serve the regime’s goal of maintaining control, especially over information,” says Mahsa Alimardani, a digital rights analyst of Iranian origin and the associate director of technology, threats, and opportunities at international human rights nonprofit Witness. “These internet blocks are jeopardizing people’s safety mainly in Tehran.”

Alimardani says that it appears mobile data services are patchy, and for many people virtual private networks, which can be used to avoid censorship, have stopped working. This means it has been difficult to reach people in the country and potentially for information to get out, Alimardani says. “Some family that left Tehran today were offline and disconnected from the internet and finally found some connectivity when they were 200 kilometers outside of Tehran in another province,” Alimardani explains. “My connections are primarily with people using home broadband Wi-Fi, but even that has been unstable.”

Over the last decade, countries have increasingly taken the draconian step of fully or partially shutting down internet connectivity for citizens in times of perceived crisis. There were 296 shutdowns last year, according to Access Now, an internet rights nonprofit that tracks the actions—the highest number of any on record. Shutdowns are often linked to repressive governments trying to restrict protests that could damage them, to limit people’s ability to gather and communicate freely, as part of conflicts, and even to try and stop cheating in exams.

“The internet is a lifeline, we have seen this in many places under conflict,” says Hanna Kreitem, director of internet technology and development at the Internet Society, which has been tracking the blackouts in Iran. Kreitem says that when the connectivity in Iran first started to drop on June 13, he heard from people with relatives in Iran that their services had significantly slowed down. “People under fire use it to get news, request help, learn of safer areas, and communicate with loved ones. And for people outside to learn about what is going on and know about their loved ones.”

To limit connectivity, countries use multiple different technical approaches. Iran has been developing its own internet alternative, an intranet system called the National Information Network, known as the NIN, for years. The NIN, according to analysis by Freedom House, allows “tiers” of internet access and lets the government censor content and push people towards home-grown Iran apps, such as alternatives messaging apps, that may have “weak privacy and security features.” (Freedom House rates Iran as “not free” in its most recent measures of internet freedom, highlighting persistent shutdowns, increasing costs, and efforts to push people to the domestic internet.)

Amir Rashidi, the director of digital rights and security at the Iran-focused human rights organization Miaan Group, says that amid the recent shutdowns, there have been increased efforts to push people towards Iranian apps. “In a climate of fear, where people are simply trying to stay connected with loved ones, many are turning to these insecure platforms out of desperation,” he posted online, telling WIRED that a messaging app called Bale appears to be getting attention. “Since they are hosted on NIN, they will work even during shutdown,” he says.

Iran is not the first country to restrict people’s access to the internet—and uncensored information—with the potential justification of protecting cybersecurity or security more broadly, says Lukasz Olejnik, an independent consultant and visiting senior research fellow at the Kings’ College London’s Department of War Studies. As global internet shutdowns have soared over the last decade, Olejnik says, officials in Myanmar, India, Russia, and Belarus have all cited security reasons for implementing blackouts.

“Internet shutdowns are largely ineffective against real-world state-level cyberattacks,” Olejnik says. He explains that military and critical infrastructure systems, like energy networks or transport systems, will typically operate on separate networks and not be accessible from the open internet. “Professional cyber operations could use other means of access, albeit it could indeed make it difficult to command and control some of the deployed malware (if this was the case),” Olejnik says. “What it would block primarily would be access to information for the society.”

Witness’ Alimardani says the technical details supporting any claims that the internet restrictions are meant to protect cybersecurity are “unclear,” and ultimately, the goal of these efforts may be to control people within Iran. “The official narrative from state news channels portrays a strong war against Israel and a path to victory,” Alimardani says. “Free and open access to media would undermine this narrative, and at worst, could incite Iranians to revolt, further eroding the regime's power.”

Iran’s Internet Blackout Adds New Dangers for Civilians Amid Israeli Bombings

In this edition, Thor shares how a week off with a new car turned into a crash course in modern vehicle tech. Surprisingly, it offers many parallels to cybersecurity usability.

Wednesday, June 18, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

June 9 was Whit Monday — a bank holiday here in Germany — so I decided to take the whole week off. It turned out to be the perfect opportunity to try out a brand new car. Little did I know, I was about to get a crash course in modern vehicle technology (and a few unexpected life lessons).

There’s an EU regulation that requires new cars to come equipped with “Advanced Vehicle Systems,” which include features like driver drowsiness and attention warnings, lane-keeping systems and intelligent speed assistance. I hadn’t swapped cars in over a decade, so I was blissfully unaware of just how intrusive these systems could be. 

While I generally appreciate technology that makes our life safer, these features gave me a tough time. The car seemed to beep at me constantly, so much so that the beeping itself became a distraction. Instead of focusing on the road, I found myself trying to decipher what each alert meant. After a few kilometers, I had to pull over and consult the manual just to figure out how to disable these “helpful” assistants. 

Problem solved? Not quite. Every time I turned off and restarted the car, the systems re-enabled themselves. Disabling the lane-keeping assistant was just a button press, but turning off the “intelligent” speed assistant required a convoluted sequence: six menu clicks, a long press then a short click. I had to dig out the manual every time. 

You might think I’m just cutting corners, or that I should pay better attention to speed limits. But here’s the thing: Technology fails, and these systems are no exception. Sometimes the cameras miss speed signs, or worse, pick up the wrong ones. I’ve read about people putting stickers on their windshields to block the camera, only to discover the system then falls back to GPS data, which can be outdated or just plain wrong. On one occasion, it thought a car was on a 50 km/h road when the person was actually on the Autobahn directly next and parallel to the road, which famously has no speed limit. 

Some drivers try to muffle the alerts by gluing the speaker, but in modern cars, the system also lowers the radio volume to make sure you hear the alarm. Pulling the fuse would disable the emergency brake, too — not something I’m willing to risk, regardless of how insurance would feel about it.

I ended up learning two important lessons that week. The first was technical: I dove into the world of Controller Area Network (CAN) bus wiring, protocols, network gateways and tools like SavvyCAN to understand how these systems work... and maybe how to disable a few, purely for educational purposes. 

The second lesson hit me later, and it was more personal. In my job, I often preach about deploying multi-factor authentication (MFA) everywhere. My focus has always been on keeping out the bad guys, not on the user experience. I never understood why anyone would use apps to automatically accept authentication pushes — it seemed crazy to me. But after a a few days with the car, I finally saw things from the user’s perspective. Security tools can’t just be effective; they also have to be easy to use. Reducing friction, like using single sign-on or minimizing unnecessary clicks, matters just as much. Users also need to understand why these barriers are in place. 

Tomorrow is another holiday. Maybe I’ll spend it exploring Kali Linux 2025.2 and the latest CARsenal tools (formerly CAN Arsenal). Who knows? I might just tap a wire or two — for educational purposes only, of course.

**The one big thing **

Cisco Talos has discovered that the North Korean-aligned threat actor Famous Chollima has been actively targeting cryptocurrency and blockchain professionals (primarily in India) through sophisticated phishing campaigns. Previously known for using the GolangGhost trojan, they've now introduced a Python-based variant called PylangGhost, which retains the same capabilities. Recent campaigns have targeted Windows users with the Python version, while MacOS users are still being hit with the Golang-based variant.

**Why do I care? **

Even if you're not in the cryptocurrency or blockchain space, this campaign highlights how threat actors are constantly evolving their tools. It's a reminder that no matter how niche or localized an attack might seem, the techniques could easily be adapted to broader campaigns. Plus, if attackers succeed in these targeted efforts, stolen credentials could ripple across networks and platforms globally.

**So now what?**

Take this as your cue to double-check your defenses. Ensure your organization's security tools can detect Python and Golang-based malware, and educate your teams on recognizing phishing attempts, especially fake job offers. Stay proactive by monitoring emerging threats like PylangGhost, because even if you're not the target today, tomorrow isn’t a guarantee.

**Top security headlines of the week **

**AI Scraping Bots Are Breaking Open Libraries, Archives, and Museums**  
AI bots that scrape the internet for training data are hammering the servers of libraries, archives, museums and galleries, and are in some cases knocking their collections offline. (404 Media)

**Paraguay Suffered Data Breach: 7.4 Million Citizen Records Leaked on Dark Web**  
Hackers leaked the personal data of 7.4 million people in Paraguay on the dark web. A cybercriminal group called "Cyber PMC" demanded $7.4 million, blaming government corruption and poor security. (Security Affairs)

**Trend Micro fixes critical vulnerabilities in multiple products**  
Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities. (Bleeping Computer)

**Can’t get enough Talos? **

**When legitimate tools go rogue**  
From LOLBins to open-source utilities like DonPAPI, threat actors are leveraging legitimate tools to evade detection and carry out attacks. Read the blog here.

**Microsoft Patch Tuesday for June 2025**   
Microsoft released its monthly security update last week, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” Read the blog here.

**Upcoming events where you can find Talos **

*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe  
Claimed Product: N/A  
Detection Name: Simple\_Custom\_Detection

Tag

#git