Crypto-tracing firm Chainalysis says the mysterious 300-bitcoin donation to the pardoned Silk Road creator appears to have come from someone associated with a different defunct black market: AlphaBay.

When Ross Ulbricht received a $31 million bitcoin donation last weekend from an unknown source, many observers saw it as more than a very nice welcome-home gift. Rumors swirled that the creator of the Silk Road, less than five months after receiving a pardon from Donald Trump that saved him from a lifetime in prison, was sending himself a trove of his stashed criminal proceeds from his days running the dark web's first black market more than a decade prior.

Now cryptocurrency tracing investigators say they've arrived at a stranger explanation: The money wasn't originally Ulbricht's, and didn't come from the Silk Road. Instead, they suspect it came from a _different_ long-defunct dark-web black market: AlphaBay.

The crypto tracing firm Chainalysis tells WIRED that, based on blockchain analysis, it has tied the origin of the 300 bitcoins sent to Ulbricht on Sunday to someone involved in AlphaBay, a dark web market that sold a wide variety of drugs and cybercriminal contraband from 2014 to 2017 and eventually grew to be 10 times the size of the Silk Road, according to the FBI.

Chainalysis says the funds appear to have emerged from AlphaBay around 2016 and 2017. Given the amount of the donation, Chainalysis suggests it might have come from someone who acted as a large-scale seller on the market. “We have reasonable grounds to suspect that these funds originated in AlphaBay,” says Phil Larratt, Chainalysis's director of investigations and a former official at the UK's National Crime Agency. “Looking at the amount, that would suggest they came from someone who was possibly a vendor on AlphaBay back in the early days.”

WIRED reached out to Ulbricht for comment about the donation's origin via contacts at the Free Ross campaign that lobbied for his pardon, but didn't immediately receive a response.

Prior to Chainalysis’ finding that the $31 million donation appears to have originated at AlphaBay, the independent crypto-tracing investigator known as ZachXBT had already posted to his account on X his own findings that the money didn't appear to have come from the Silk Road. ZachXBT found that, despite the donor's use of multiple Bitcoin “mixers” that take in users' coins and return others to obfuscate their trail on the blockchain, he was able to trace the funds to an address that had been flagged in Chainalysis’ software tool Reactor as tied to illicit activity. That analysis suggested that the money was a “legitimate donation but not legitimate funds,” ZachXBT wrote in a text message to WIRED.

ZachXBT also found that the same individual who controlled the funds had cashed out other cryptocurrency at an exchange in small, distributed quantities rather than in a single sum, suggesting he or she may have been trying to prevent them being seized or flagged—another sign that the money may have come from criminal origins. “Usage of multiple mixers, spreading out CEX deposits, etc,” ZachXBT writes to WIRED, using the term CEX to mean a centralized exchange, “that is done typically if you are trying to avoid getting illicit funds frozen.”

Chainalysis declined to offer more information on how exactly it identified the funds as originating at AlphaBay. But the company has built a business around identifying illicit services like digital black markets out of the morass of billions of cryptocurrency addresses. Chainalysis’ identification of the AlphaBay cluster of bitcoin addresses, in fact, played a key role in the takedown of the market in a law enforcement investigation known as Operation Bayonet that spanned 2016 and 2017.

AlphaBay certainly produced plenty of crypto kingpins who would have the kind of eight-figure sum donated to Ulbricht. Before it was torn offline in an elaborate sting operation in July 2017, the site was facilitating $2 million a day in sales, largely of illegal drugs although it also offered malware, stolen data, and other cybercriminal wares. AlphaBay's creator and administrator, Alexandre Cazes, died in a Bangkok jail cell under mysterious circumstances following his arrest, but the site's second-in-command, who went by the handle Desnake, appears to have remained at large. Any bitcoins an AlphaBay seller or administrator managed to hold onto since the site’s closure would have since appreciated more than 40-fold.

Exactly why one of AlphaBay's crypto moguls would donate $31 million to Ulbricht, however, remains a mystery. Speculation on social media has ranged from a fellow black marketeer repaying a favor to a more principled gift intended to thank Ulbricht for blazing a trail with his invention of the Silk Road's crypto-enabled anonymous transactions.

That gratitude may also take into account that, while many got rich on the dark-web markets that Ulbricht pioneered, he instead spent over a decade in prison, speculates Taylor Monahan, a crypto tracer and security researcher at crypto firm MetaMask. “People donate when they’re deeply inspired by someone and/or grateful and/or have some sort of remorse for the situation,” says Monahan. “Survivor's guilt is wild.”

Ross Ulbricht Got a $31 Million Donation From a Dark Web Dealer, Crypto Tracers Suspect

Sophos researchers found this operation has similarities or connections to many other campaigns targeting GitHub repositories dating back to August 2022.

Backdoored Malware Reels in Newbie Cybercriminals

In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.

Thursday, June 5, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve discovered that being a rent guarantor for someone is an involved experience. While I’m glad that I can help out a loved one secure a better rental property, the process of verifying my identity and ability to cover any missed payments required handing over far more personal and financial data than I was comfortable with. 

I asked the agent about their information security policies and cybersecurity posture. I was relieved to hear that they delete all the personal data within two weeks of processing, but I was concerned that the person dealing with my dossier didn’t think that they were at risk of a cyber attack. They believed that because they had a low online profile and their organisation was small, they didn’t present as a target. 

Not wanting to jeopardise my position as a guarantor, I didn’t argue further beyond offering a few words of advice. The truth is that everyone is a target. Many criminals do not discriminate; they seek to compromise anyone and see how they can make money from a compromise once access is achieved. Sophisticated criminals research their targets and their wider ecosystem of suppliers and partners in depth to identify potential weak points. It only takes a moment’s inattention for anyone to fall for a phishing or social engineering scam. 

Cybersecurity training needs to reinforce the fact that anyone can be a victim of a cyber attack. No matter how careful you might be, how insignificant you think that you might be, an attack can still catch you off guard. The good news is that by ensuring basic cyber hygiene, we can make a lot of progress towards preventing harm. 

Impressing on users the need to install updates promptly, the importance of having end-point protection and using multi-factor authentication is not a panacea, but it is a basic foundation upon which more advanced protection can be built. 

Good cybersecurity begins with an awareness of the threat, an acknowledgement that we are all at risk, and knowing the potential consequences. Nobody is too insignificant, too small or too well hidden to escape the risk of cyber attack. Suitable protection follows from reflecting on what is at risk and what could possibly go wrong.

**The one big thing **

Talos has uncovered a destructive attack on Ukrainian critical infrastructure involving a new wiper malware, "PathWiper," deployed through a legitimate endpoint administration framework. Talos attributes this attack to a Russia-linked APT actor, underscoring the persistent threat to Ukraine's infrastructure amid the ongoing war. 

**Why do I care? **

This attack highlights the sophisticated tactics of state-sponsored threat actors and the risks critical infrastructure entities face, which could have global implications for cybersecurity and geopolitical stability. 

**So now what? **

Organizations, particularly those managing critical infrastructure, should strengthen their endpoint security, monitor for unusual administrative activity, and stay informed on evolving threats to mitigate potential risks.

**Top security headlines of the week**

**New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch**   
The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. (The Hacker News) 

**Vanta bug exposed customers’ data to other customers**   
Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion. (TechCrunch) 

**Data Breach Affects 38K UChicago Medicine Patients**   
UChicago Medicine released a statement that the data of 38K patients may have been exposed by a third-party debt collector's system breach. The exposed data may include SSNs, addresses, dates of birth, medical information, and financial account information. (UPI)

**Can’t get enough Talos? **

**Fake AI installers target businesses.** Catch up on the ransomware and malware threats Talos discovered circulating in the wild and masquerading as legit AI tool installers. Read the blog or listen to our most recent Talos Takes to hear Hazel and Chetan, the author, discuss the blog more in-depth.

**Talos at Cisco Live 2025**. From sessions featuring a live IR tabletop session to learning how to outsmart identity attacks, there’s plenty of Talos to keep you going in San Diego next week. Browse sessions Talos is participating in, and we'll see you there!

**Upcoming events where you can find Talos **

*   Cisco Live U.S. (June 8 – 12) San Diego, CA 
*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2–  7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection 

**SHA 256:**   
**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Detection Name: Simple\_Custom\_Detection 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201

Everyone's on the cyber target list

Major porn sites have blocked access in France in response to age verification demands.

VPNs (Virtual Private Networks) are suddenly popular in France. Not because France has suddenly become super privacy conscious, but because Pornhub, RedTube, and YouPorn, have blocked access in France.

But why? Last year, France enacted a law mandating that pornographic sites implement stricter age-verification technology.

Since March 1, 1994, French law has prohibited exposing minors to pornographic content. To strengthen this, a 2020 law empowered the French Regulatory Authority for Audiovisual and Digital Communication (ARCOM) to issue warnings to non-compliant online services and seek judicial orders to block access if necessary.

In 2024, the French law on securing and regulating the digital environment (SREN) further enhanced ARCOM’s authority, allowing it to administratively block platforms that fail to prevent minors from accessing pornographic content.

On October 9, 2024, ARCOM adopted a technical framework, approved by the French Data Protection Agency (CNIL), outlining minimum requirements for age verification systems.

The requirements consisted of three major pillars:

*   Reliability
*   Third party implementation
*   Mandatory on each access

Services had until January 9, 2025, to comply with a transitional period until April 9, 2025, during which credit card-based verification was temporarily accepted under specific conditions.

In response to these regulations, the major adult websites like Pornhub, YouPorn, and RedTube have now suspended access in France, citing concerns over user privacy and data security associated with the mandated age verification methods.

This is a major decision for Pornhub because France is its second biggest market behind the US. Alex Kekesi, VP of president of brand and community of Aylo Holdings (Pornhub’s owner) said that:

> “French citizens deserve a government and a regulator who are serious about preventing children from accessing adult content. They also deserve laws which protect their privacy and safeguard their sensitive data.”

In the United States, 19 states have passed laws requiring pornographic sites to confirm a user’s age by checking a government-issued ID, scanning their face, or other methods. The laws have led some of the largest adult sites, including Pornhub, to block users from those states, rather than paying millions for ID-checking services.

Naturally, everywhere where people want to View Porn Normally, the use of VPNs has increased because VPNs can be used to circumvent access restrictions imposed by such regulations. While specific figures for France are not publicly available, similar scenarios in other regions provide insight into user behavior:

*   Florida: Following Pornhub’s decision to block access in response to new age verification laws, VPN demand in Florida surged by an astonishing 1,150% within the first few hours.
*   Texas: After the implementation of comparable laws, VPN usage increased by approximately 234.8%.

**Malwarebytes Privacy VPN**

Malwarebytes Privacy VPN can help adults to decide for themselves what they want to see or not. By choosing a location where no age verification block is in place, you will be able to access your coveted websites while also enjoying:

*   **No-log policy**: Your activity is neither tracked nor stored.
*   **WireGuard** **protocol**: Ensures fast and secure connections, good for streaming.
*   **Server coverage**: Plenty of servers near you to cover countries that are not blocked.
*   **Strong encryption:** To keep your web activity safe from prying eyes.

 Pornhub, RedTube, and YouPorn block access in France, VPN use set to soar 

Cybersecurity experts warn of widespread data exposure as a recent investigation reveals a staggering number of internet cookies…

Cybersecurity experts warn of widespread data exposure as a recent investigation reveals a staggering number of internet cookies circulating on the dark web.

A new report from NordVPN highlights the severe privacy risks associated with web cookies, which are small files websites store on your device to remember your browsing activity. The research, conducted in partnership with threat exposure management platform, NordStellar, uncovered approximately 93.7 billion stolen cookies available for sale in underground online marketplaces.

Researchers analyzed data from Telegram channels between April 23 and April 30, 2025, resulting in a dataset of around 94 billion cookies. The researchers analyzed the cookies’ active or inactive status, malware used, country of origin, data content, the company, the user’s OS, and keyword categories assigned to users. NordVPN did not buy stolen cookies or access their contents, but only examined the data within them.

****What’s Inside the Digital Cookie Jar?****

The analysis of these stolen cookies revealed a treasure trove of personal data. When analyzing these stolen cookies, ‘ID’ (Assigned ID was associated with 18 billion cookies) and ‘session’ (associated with 1.2 billion cookies) were identified as the most common keywords, indicating the type of data they held.

These are crucial for maintaining active user sessions on websites, meaning a stolen session ID could grant an attacker direct access to an account without needing a password. Alarmingly, out of the total 93.7 billion stolen cookies analysed, 15.6 billion were still active, posing an immediate threat to users.

This vast collection of compromised data poses a significant threat to personal security, potentially allowing malicious actors to access sensitive information and online accounts. Beyond session data, the report reveals that compromised cookies frequently contained personal details such as names, email addresses, countries, cities, and even passwords.

This information can be exploited for targeted phishing attacks or, in more severe cases, identity theft. Here’s a breakdown of the data attackers can steal via cookies.

Source: NordVPN

****Where Did These Cookies Come From?****

The majority of these stolen cookies were traced back to several major online platforms and originated from a diverse set of countries. Google services alone accounted for over 4.5 billion cookies, with YouTube and Microsoft each contributing more than 1 billion. This indicates that widely used platforms are prime targets for cybercriminals due to the sheer volume of user data they handle.

The primary method of theft involved various types of malware, including infostealers, trojans, and keyloggers. Redline emerged as the most prolific, responsible for stealing almost 42 billion cookies. Check out the list of malicious software used to steal these cookies:

Source: NordVPN

****Protecting Your Digital Crumbs****

Given the widespread threat, cybersecurity experts advise users to take proactive steps to safeguard their online presence.

> _“Cookies may seem harmless, but in the wrong hands, they’re digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide.”_
> 
> Adrianus Warmenhoven, Cybersecurity Expert – NordVPN

Therefore, to stay safe, always be careful when accepting cookies on websites, opting to reject unnecessary ones, especially third-party trackers. Also, regularly clear cookies from your browser to limit the window of opportunity for attackers.

Furthermore, using security tools like anti-malware software and Virtual Private Networks (VPNs) can significantly enhance protection. It helps block malicious websites, scan downloads for threats, and encrypt internet traffic, making it harder for cybercriminals to snatch your digital cookies.

Nearly 94 Billion Stolen Cookies Found on Dark Web

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these…

Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these sophisticated attacks trick users into running malware and what to watch out for.

Cybersecurity experts at Cofense Intelligence are warning hotel chains and other businesses in the food and accommodation sector about an email scam that mimics Booking.com. These deceptive emails are part of attack campaigns known as ClickFix, which aims to trick users into running malicious software.

The ClickFix campaign has been steadily gaining traction since November 2024, with a notable acceleration in recent months. According to Cofense’s analysis, a staggering 47% of the total campaign volume was observed in March 2025 alone.

The firm’s active threat reports (ATRs) indicate that 75% of all incidents involving fake CAPTCHAs utilized Booking.com-themed ClickFix templates. While Booking.com impersonations are most common, Cofense also noted less frequent variations, including those spoofing Cloudflare Turnstile and cookie consent banners.

****How the Scam Works****

The scam begins with an email containing a link to a fake CAPTCHA website. A CAPTCHA is usually a test designed to tell humans and computers apart, like typing distorted letters. In this case, however, the fake CAPTCHA is a trick. Instead of a real verification code, clicking on it delivers a harmful script to the user’s computer.

These ClickFix websites then instruct users to press specific keyboard shortcuts, typically Windows key + R, followed by Ctrl + V, and then Enter. This sequence opens the Run command in Windows, pastes the hidden malicious script, and then executes it. The malicious script often includes extra characters that look like a _verification code_ to hide the real harmful commands.

These sites are cleverly designed to look like legitimate pages from well-known brands such as Booking.com and Cloudflare. Interestingly, the scam only targets Windows computers, and if accessed on other devices, the fake CAPTCHA sites will display a message indicating they only work on Windows.

****What Malware is Being Delivered?****

Once the malicious script is run, it can install various types of dangerous software. The most common payload seen in these attacks is XWorm RAT, a type of Remote Access Trojan (RAT). For your information, RATs allow attackers to secretly control a victim’s computer from a distance.

Other frequently observed malware include Pure Logs Stealer and DanaBot, which are information stealers designed to swipe sensitive data. In some instances, both RATs and information stealers have been delivered in a single attack.

Sample Attack Chain (Source: Cofense)

This ClickFix method is a concerning new tactic because it manipulates users into activating the malware themselves, without needing to download any files directly. It highlights the importance of being cautious about suspicious emails, even those that appear to be from trusted sources like Booking.com, and to always double-check the legitimacy of any verification steps or prompts that ask you to run commands on your computer.

For more detailed information on how to spot these ClickFix attacks, refer to Hackread.com’s guide on the techniques used to trick users and how to stay safe.

ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware

Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.

Artificial intelligence (AI) and small business tools are being abused as smokescreens to hit unsuspecting victims with ransomware.

In the masquerade campaigns discovered by Cisco Talos, cybercriminals hid malware behind software and install packages that mimicked the websites or names of the lead monetization service Nova Leads, the enormously popular Chat GPT, and an AI-empowered video tool called InVideo AI.

As small businesses quickly adopt AI tools—a recent survey from the US Chamber of Commerce and the strategy firm Teneo revealed that 98% of small businesses already use at least one AI-powered product and 40% use generative AI—these cybercriminal lures pose the next, big threat to sole proprietors and boutique shops.

According to the researchers at Cisco Talos, the threat is twofold.

“Unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” Talos said. “This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions.”

In the first potential online attack, Talos found that cybercriminals created a fake website that closely resembled that of the legitimate company Nova Leads. The company helps businesses with lead monetization through acquisition, conversion, and content creation. But rather than simply copying the look and feel of Nova’s website, the cybercriminals also offered a completely fake, AI-powered product called “Nova Leads AI.”

On the malicious website, users were prompted to download Nova Leads AI for ”free access” for 12 months. If users downloaded and installed the fake software, the ransomware CyberLock was instead deployed. Researchers at Talos analyzed how CyberLock moved throughout a network and retrieved the ransom note left behind by the cybercriminals. In it, the ransomware gang claimed, falsely, that their attacks were altruistic.

“We want to assure you that your payment does not go to us,” the ransomware gang said in its note. “It will instead go to support affected women and children in Palestine, Ukraine, Africa, Asia, and other regions where injustices are a daily reality.”

In the note, victims are directed to pay $50,000 in cryptocurrency. The ransomware campaign is particularly dangerous as cybercriminals managed to manipulate SEO practices to rank their malicious website near the top of relevant online searches. This method, called “SEO poisoning,” is deployed by scammers, hackers, and shady websites.

In a second potential attack, Talos found that a software installer labeled “ChatGPT 4.0 full version – Premium.exe” was actually hiding the ransomware Lucky\_Gh0$t. Interestingly, the files contained within the installer also contained legitimate open-source AI tools from Microsoft, likely as an evasion technique to ward off any antivirus tools inspecting the package for malware.

Though the Lucky\_Gh0$t ransom note did not include a specific dollar amount, the cybercriminals displayed a starkly different attitude from CyberLock’s alleged humanitarianism:

> “We are not a politically motivated group and we do not need anything other than your money.”

In the last potential attack, Talos found a new malware that the team dubbed “Numero.” Though it is not officially a form of ransomware, Talos found that, once deployed, it effectively renders systems “completely unusable.”

Talos discovered that the malware’s internal data co-opted the product and organizations names of the service InVideo AI, an AI-powered video generation service that can be used for marketing, content, and more.

While cybercriminals have long disguised their malware under popular brands, the emergence of AI—and its popularity for small businesses—highlight the dangers that small shops face simply for trying to do business online. But there is help at hand.

****How to protect your small business from ransomware****

As is true with all malware infections, the best defense to a ransomware attack is to never allow an attack to occur in the first place. Take on the following steps to secure your business from this existential threat:

*   **Block common forms of entry.** Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
*   **Prevent intrusions and stop malicious encryption.** Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

 Ransomware hiding in fake AI, business tools 

Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.”

Thursday, June 5, 2025 06:00

*   Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper”. 
*   The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints. 
*   Talos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat (APT) actor. Our assessment is made with high confidence based on tactics, techniques and procedures (TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian entities.  
*   The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war. 

**Proliferation of PathWiper **

Any commands issued by the administrative tool’s console were received by its client running on the endpoints. The client then executed the command as a batch (BAT) file, with the command line partially resembling that of Impacket command executions, though such commands do not necessarily indicate the presence of Impacket in an environment.

The BAT file consisted of a command to execute a malicious VBScript file called ‘uacinstall.vbs’, also pushed to the endpoint by the administrative console: 

C:\\WINDOWS\\System32\\WScript.exe C:\\WINDOWS\\TEMP\\uacinstall.vbs

Upon execution, the VBScript wrote the PathWiper executable, named ‘sha256sum.exe’, to disk and executed it: 

C:\\WINDOWS\\TEMP\\sha256sum.exe 

Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment.

**PathWiper capabilities **

On execution, PathWiper replaces the contents of artifacts related to the file system with random data generated on the fly. It first gathers a list of connected storage media on the endpoint, including: 

*   Physical drive names 
*   Volume names and paths 
*   Network shared and unshared (removed) drive paths 

Although most storage devices and volumes are discovered programmatically (via APIs), the wiper also queries ‘HKEY\_USERS\\Network\\<drive\_letter>| RemovePath’ to obtain the path of shared network drives for destruction. 

Once all the storage media information has been collected, PathWiper creates one thread per drive and volume for every path recorded and overwrites artifacts with randomly generated bytes. The wiper reads multiple file systems attributes, such as the following from New Technology File System (NTFS). PathWiper then overwrites the contents/data related to these artifacts directly on disk with random data: 

*   MBR 
*   $MFT 
*   $MFTMirr 
*   $LogFile 
*   $Boot 
*   $Bitmap 
*   $TxfLog 
*   $Tops 
*   $AttrDef 

Before overwriting the contents of the artifacts, the wiper also attempts to dismount volumes using the ‘FSCTL\_DISMOUNT\_VOLUME IOCTL’ to the MountPointManager device object. PathWiper also destroys files on disk by overwriting them with randomized bytes. 

PathWiper’s mechanisms are somewhat semantically similar to another wiper family, HermeticWiper, previously seen targeting Ukrainian entities in 2022. HermeticWiper, also known as FoxBlade or NEARMISS, is attributed to Russia’s Sandworm group in third-party reporting with medium to high confidence. Both wipers attempt to corrupt the master boot record (MBR) and NTFS-related artifacts.  

 A significant difference between HermeticWiper and PathWiper is the corruption mechanisms used against recorded drives and volumes. PathWiper programmatically identifies all connected (including dismounted) drives and volumes on the system, identifies volume labels for verification and documents valid records. This differs from HermeticWiper's simple process of enumerating physical drives from 0 to 100 and attempting to corrupt them. 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort 2 rules: 64742, 64743 

Snort 3 rules: 301174

**Indicators of compromise (IOCs) **

7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3

Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine

**Overview**
The Auth0 Wordpress plugin contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.

**Am I Affected?**
You are affected by this vulnerability if you meet the following preconditions:

1. Applications using the Auth0 WordPress plugin, versions between 5.0.0 BETA-0 to 5.0.1. 
2. Auth0 WordPress plugin uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.

**Fix**
Upgrade the Auth0 WordPress plugin to the latest version (v5.3.0).

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-862m-5253-832r

**Auth0 Wordpress Plugin vulnerable to Deserialization of Untrusted Data**

Critical severity GitHub Reviewed Published Jun 3, 2025 in auth0/wordpress • Updated Jun 5, 2025

**Package**

composer auth0/wordpress (Composer)

**Affected versions**

\>= 5.0.0-BETA0, <= 5.0.1

**Overview**  
The Auth0 Wordpress plugin contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.

**Am I Affected?**  
You are affected by this vulnerability if you meet the following preconditions:

1.  Applications using the Auth0 WordPress plugin, versions between 5.0.0 BETA-0 to 5.0.1.
2.  Auth0 WordPress plugin uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.

**Fix**  
Upgrade the Auth0 WordPress plugin to the latest version (v5.3.0).

**References**

*   GHSA-v9m8-9xxp-q492
*   GHSA-c42h-56wx-h85q
*   GHSA-98j6-67v3-mw34
*   GHSA-862m-5253-832r
*   https://nvd.nist.gov/vuln/detail/CVE-2025-48951

Published to the GitHub Advisory Database

Jun 5, 2025

GHSA-862m-5253-832r: Auth0 Wordpress Plugin vulnerable to Deserialization of Untrusted Data

### Impact

A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.

### Patches

Users should upgrade to `2.0.1`

### Workarounds

None

### References

https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9
https://github.com/expressjs/multer/issues/1233
https://github.com/expressjs/multer/pull/1256

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

Tag

#git