CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how…

CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how this scam works and how to protect yourself.

Cybersecurity researchers at CloudSEK have a new campaign exploiting the popularity of PDFCandy.com, an online file conversion tool used by over two and a half million people, including over half a million from India alone.

As per their research, shared with Hackread.com, attackers are distributing ArechClient2 malware to steal private information like browser usernames and passwords. It is a SectopRAT family malware active since 2019 and is spread through deceptive online advertising via Google Ads or fake software updates.

Reportedly, attackers have created a fake PDF to DOCX converter that is similar to the legitimate pdfcandy.com. They have gone to great lengths to copy the look and feel of the real website. Such as they use similar web addresses to trick unsuspecting users and have “meticulously replicated the user interface of the genuine platform and registered similar-looking domain names to deceive users,” CloudSEK’s researchers noted in the blog post.

Once a user lands on one of these fake sites, they are immediately asked to upload a PDF file for conversion, playing on a common need of many internet users. It even shows a fake loading animation as if a real conversion is happening, probably to build trust.

Then, unexpectedly, it presents a CAPTCHA verification, similar to what legitimate websites use for security. This marks a critical step in the attack where “social engineering transitions to system compromise,’ the report reads. This means the attack relies on manipulating how users typically interact with websites.

The Malicious Trap (Source: CloudSEK)

Introducing CAPTCHA serves two purposes: making the fake site appear more real and allowing users to click without thinking. Next, the website instructs users to run a command using Windows’ built-in tool PowerShell, leading to a system compromise. The command analysis reveals a series of redirects, starting with an innocent link and leading to a file named “adobe.zip,” hosted on 1728611543, which has been flagged as malicious by multiple security services.

The file contains a folder called “SoundBAND” with a dangerous executable file called “audiobitexe.” The attacker launches a multi-stage attack using a legitimate Windows program and a Windows tool, launching ArechClient2 information-stealing malware.

Fake PDFCandy websites involved in the scam (Screenshot: CloudSEK)

It is worth noting that the FBI warned on March 17, 2025, about malicious online file converters being used to distribute harmful software, so this threat is not new.

“Cybercriminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool,” the agency explained.

To protect against such threats, you should be cautious when using online file conversion services, verify website legitimacy before uploading files, pay attention to URLs, and be wary of unexpected prompts.

Fake PDFCandy File Converter Websites Spread Malware

Cheap Android phones with preinstalled malware use fake apps like WhatsApp to hijack crypto transactions and steal wallet recovery phrases.

A new wave of smartphone-based attacks is draining crypto wallets without victims ever realizing it. According to researchers at Doctor Web, a surge in malware-laced Android phones has exposed a coordinated operation where attackers are embedding spyware directly into the software of newly sold devices. The goal is to intercept cryptocurrency transactions through a hijacked version of WhatsApp.

****Cheap Phones, Expensive Consequences****

The phones in question look familiar. Models like the “S23 Ultra,” “Note 13 Pro,” and “P70 Ultra” imitate premium brands with sleek branding and tempting specs. But beneath the surface, they’re running older software despite claiming to have the latest Android version, and they come with malicious software within.

The infected devices ship with preinstalled, modified versions of WhatsApp that operate as clippers, which are malicious programs designed to replace copied cryptocurrency wallet addresses with the attacker’s own. Once installed, this fake WhatsApp quietly swaps out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat.

Even more worrying, victims never see anything suspicious. The malware shows the correct wallet address on the sender’s screen but delivers the wrong one to the receiver and vice versa. Everything looks normal until the money disappears.

****Not Just WhatsApp****

The attackers didn’t stop at one app. According to Dr. Web’s report, researchers found nearly 40 fake applications, including Telegram, crypto wallets like Trust Wallet and MathWallet, QR code readers, and others. The technique behind the infection relies on a tool called LSPatch, which allows modifications without altering the core app code. This method not only evades detection but also lets the malicious code survive updates.

What makes this campaign particularly dangerous is the supply chain angle. Researchers believe the infection occurred at the manufacturing stage, meaning these phones were compromised before reaching store shelves. Many devices originate from smaller Chinese brands, with some models linked to a label called “SHOWJI.” Others remain untraceable.

SHOWJI S19 Pro

Note 30i

Camon 20

SHOWJI Note 13 Pro

S23 Ultra

P70 Ultra

SHOWJI X100S Pro

S18 Pro

M14 Ultra

SHOWJI Reno12 Pro

6 Pro

S24 Ultra

Smartphone models identified by Dr. Web to be malicious

****Beyond Message Hijacking****

The spyware doesn’t just swap out wallet addresses; it digs through targeted devices’ image folders like DCIM, Downloads, and Screenshots, looking for pictures of recovery phrases. A lot of people snap screenshots of these for convenience, but those phrases are the master keys to their crypto wallets. If attackers get their hands on them, they can drain the account in minutes.

To make things worse, the malicious WhatsApp update system doesn’t point to official servers. Instead, it fetches updates from domains controlled by the hackers, ensuring the spyware stays functional and up to date.

So far, Doctor Web has identified over 60 servers and 30 domains used in the campaign. Some attacker wallets linked to the operation have already received more than $1 million, with others holding six-figure balances. And because many addresses are generated dynamically, the full financial scope remains unclear.

One of the attacker-controlled wallets has already stolen a substantial amount of cryptocurrency from victims (Screenshot via Dr. Web).

****How to Stay Safe****

Cybersecurity experts at Dr. Web warned users to be extra cautious, especially when it comes to mobile devices and crypto security. They recommend avoiding Android phones from unverified sellers, particularly if the price feels too good to be true. To make sure a device is legit, tools like DevCheck can help verify hardware specs since fake models often manipulate system details, even in well-known apps like CPU-Z or AIDA64.

Experts also advise against storing recovery phrases, passwords, or private keys as unencrypted images or text files, which can be easy targets for spyware. Installing reliable security software can help catch deeper system-level threats. And when it comes to downloading apps, it’s safest to stick with official sources like Google Play.

Although the campaign is currently targeting Russian-speaking users, pre-installed malware on cheap Android devices, including smartphones and TV boxes, has already been used to target unsuspecting users worldwide. Therefore, regardless of your location, if your Android phone isn’t what it claimed to be or if you’ve recently bought one off-brand device, it might be worth checking what’s running under the hood.

Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp

Though less well-known than groups like Volt Typhoon and Salt Typhoon, Brass Typhoon, or APT 41, is an infamous, longtime espionage actor that foreshadowed recent telecom hacks.

As China continues its digital gambit around the world, researchers are warning that hacking activity from long-tracked groups is evolving and blending together. On top of that, attackers are hiding their campaigns more effectively and blurring the lines between cybercriminals and state-backed hacking.

Last year, revelations rocked the United States federal government that the Chinese hacking group known as “Salt Typhoon” had breached at least nine major US telecoms. And the group’s rampage even continued into this year in the US and other countries around the world. Meanwhile, the Beijing-linked hacking group “Volt Typhoon” has continued to lurk in US critical infrastructure and utilities around the world. Meanwhile, the notoriously versatile syndicate known as Brass Typhoon—also called APT 41 or Barium—has been operating in the shadows.

The group, which researchers have been tracking since about 2012, has quietly continued its broad targeting around the world over the past year. Brass Typhoon has cast a wide net, leading researchers to view it as a sort of broad coalition that has attacked everything from a US livestock app to source code and chip designs from Taiwan’s semiconductor industry and even power grids. And over the last year, the group has compromised international institutions in the tech and automotive sectors, materials, shipping and logistics, media, and more, using new and refined malware in an array of sustained campaigns.

“They’re absolutely still active and still evolving,” says John Hultquist, who leads threat intelligence at the Google-owned cybersecurity firm Mandiant. “But it’s harder to attribute some of this activity than it was in the past, because it’s all part of a much bigger ecosystem of China’s activity which has been deliberately built to create a tremendous amount of capability.”

Brass Typhoon is known for having carried out a notable string of software supply chain attacks in the late 2010s and for brazen attacks on telecoms around the same time in which the group specifically targeted call record data. The gang is also known for its hybrid activity, carrying out hacks that align with Chinese state-sponsored espionage by the Chinese Ministry of State Security, but also moonlighting on seemingly cybercriminal projects, particularly focused on the video game industry and in-game currency scams.

Research indicates that Brass Typhoon has continued to be active in recent months with financial crimes targeting online gambling platforms as well as espionage targeting manufacturing and energy firms. Its sustained activity has run in parallel to Salt and Volt Typhoon’s recent, attention-grabbing campaigns, and analysis increasingly shows that China’s state-backed hacking operations must be viewed comprehensively, not just in terms of individual actors.

“I think we should not get too down the rabbit hole of is it Salt? Is it Flax? Is it Volt?” former US Cybersecurity and Infrastructure Security Agency director Jen Easterly told WIRED during her last days in that role in January, referring to an array of Beijing-linked hacking groups. “At the end of the day, China, as we've seen in assessments from the Intelligence Community, is the most formidable, persistent cyber threat that we are dealing with.”

Hultquist agrees, emphasizing that while tracking the activity of individual groups is still vital, it is increasingly important for defenders to factor in the advantages that state espionage and offensive hacking operations gain from broad collaboration.

“There was a time when there were very simple indicators that told us who each actor was, and they were operating incredibly loudly, so it was easy to spot the smash-and-grab nature of the activity,” he says. “APT 41 is still doing some loud activity, but so much of its activity now has gotten better and they’ve made an effort to really avoid our controls.”

Ultimately, though, researchers say that the most significant takeaway about Brass Typhoon’s current activity is that it continues apace.

Brass Typhoon: The Chinese Hacking Group Lurking in the Shadows

For the past decade, this group of FSB hackers—including “traitor” Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.

Russian state hackers, perhaps more than those of any other nation, tend to show off. The notorious Sandworm unit within Russia's GRU military intelligence agency, for instance, has triggered unprecedented blackouts and released destructive, self-replicating code. The FSB's ingenious Turla group has hijacked satellite internet connections to steal victims' data from space. But one team of less-flashy cyberspies working on behalf of the Kremlin rarely earns the same notice: Armageddon, or Gamaredon.

The hackers, believed to work in the service of Russia's FSB intelligence agency, aren't known for their sophistication. Yet they have strung together a decade-plus record of nearly constant espionage-focused breaches, grinding away with simple, repetitive intrusion methods, year after year. Thanks to that sheer overwhelming quantity of hacking attempts, they represent by some measures the top espionage threat facing Ukraine in the midst of its war with Russia, according to cybersecurity defenders who track the group.

“They are the most active state-aligned hacker group attacking Ukrainian organizations, by far,” says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET.

ESET has tracked Gamaredon as it's breached the networks of hundreds of victims in Ukraine, stealing thousands of files on a daily basis, Lipovsky says. “Their operation is highly effective," says Robert Lipovsky, a malware researcher at ESEThe adds. "Volume is their big differentiator, and that's what makes them dangerous.”

If Gamaredon doesn't behave like other Russian hacking groups, that's in part because some of them aren't Russian nationals—or weren't, technically, until 2014.

According to the Ukrainian government, Gamaredon's hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine's Maidan revolution. Some of them previously worked on behalf of Ukraine's own security services before switching sides when Russia's Crimean occupation began.

“They are officers of the ‘Crimean’ FSB and traitors who defected to the enemy,” reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems including critical infrastructure like “power plants, heat and water supply systems.”

The group's initial access techniques, ESET’s Lipovsky says, consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine. Those relatively basic tactics have hardly evolved since the group first appeared as a threat aimed at Ukraine in late 2013. Yet by tirelessly cranking away at those simple forms of hacking and targeting practically every Ukrainian government and military organization—as well as Ukrainian allies in Eastern Europe—on a daily basis, Gamaredon has proven to be a serious and often underestimated adversary.

“People sometimes don’t realize how big a part ‘persistence’ plays in the phrase APT,” says John Hultquist, chief analyst for Google's Threat Intelligence Group. "They’re just relentless. And that itself can be kind of a superpower.”

In October 2024, the Ukrainian government went as far as to sentence two of Gamaredon's hackers in absentia for not only hacking crimes but treason. A statement from the SBU at the time accused the two men—neither of whom are named—of having “betrayed their oath” by voluntarily joining the FSB.

For Gamaredon's former SBU hackers, turning on their former countrymen may not have resulted in the perks they hoped. Aside from the apparent slog of their nonstop phishing campaigns, intercepted phone communications between members of the group published by the SBU appear to show them complaining about their low pay and lack of recognition. “They should have given you a medal,” one team member says to another in the Russian-language conversation. “Screwed one more time.”

Given how mind-numbingly workaday their hacking campaigns are, it's no wonder they complained about their working conditions, says Google's Hultquist.

"Drudgery is so core to their operations,” he says. "This group grinds out wins."

As disgruntled as Gamaredon's hackers may be, defending against their constant barrage of spying attempts is at least as difficult and boring, say some of the defenders tasked with tracking them. The group writes its malware in relatively unsophisticated scripting languages like VBScript and Powershell rather than the C++ used by savvier hackers. But Gamaredon tweaks its humdrum code constantly, sometimes with automated changes to create endlessly differentiated versions designed to defy antivirus, according to ESET, whose anti-malware products are used widely across Ukraine.

In some cases, the hackers infect the same machine with numerous malware specimens, and hit so many targets that ESET hasn't even been able to identify all of the group's victims, despite closely tracking Gamaredon's campaigns.

“It's exhausting work,” says Anton Cherepanov, an ESET malware researcher. “People overdose and get burnt out.”

Since the start of Russia's full-scale war in Ukraine in 2022, Gamaredon has evolved to broaden its intelligence collection to messaging tools like Signal, WhatsApp, and Telegram, as well as the Delta software used by the Ukrainian military on tablet computers. A 2023 report by CERT-UA, the Computer Emergency Response Team of Ukraine, warned that Gamaredon has on at least one occasion launched a data-destroying attack against a victim facility, though it usually confines itself to mere intelligence gathering on behalf of the Russian military effort.

The same report notes that once Gamaredon infects a machine, it often starts stealing files in as little as 30 minutes. By the end of a week, if the machine remains infected, the hackers will have installed 80 to 120 variants of its malware on the computer. If defenders fail to delete even one, the hackers keep their foothold and can maintain access to that device.

All of that means Gamaredon represents a challenge that's painfully dull for cybersecurity defenders, but with dauntingly high stakes in the context of a war where stolen secrets can mean the difference between life and death.

“They're not interesting,” ESET malware researcher Zoltán Rusnák says. “Just dangerous.”

Gamaredon: The Turncoat Spies Relentlessly Hacking Ukraine

From crypto kingpins to sophisticated scammers, these are the lesser-known hacking groups that should be on your radar.

Read More

_The Last of Us_ Creator Didn’t Want to Sweep ‘Upsetting’ Moments Under the Rug

During _The Last of Us_’ second-season premiere, Ellie gets called a homophobic slur. Craig Mazin tells WIRED it highlights what happens when humanity stops moving forward.

FTC v. Meta Trial: The Future of Instagram and WhatsApp Is at Stake

The blockbuster antitrust case begins Monday. Its outcome could impact how Big Tech companies grow—but the government has a long way to go to prove its case.

The Best Laptops to Work and Play Wherever You Are

These are our favorite Windows laptops, MacBooks, Chromebooks, and Linux portables.

The Best Backpacking Water Filters

We’ve tested filter from Sawyer, Katadyn, LifeStraw, MSR and more to find the best option for every adventure.

The Best Way to Roast a Chicken Is on a Stick

This simple gadget is a fun and inexpensive way to tinker.

Small Language Models Are the New Rage, Researchers Say

Larger models can pull off a wider variety of feats, but the reduced footprint of smaller models makes them attractive tools.

Homeland Security Email Tells a US Citizen to 'Immediately' Self-Deport

An email sent by the Department of Homeland Security instructs people in the US on a temporary legal status to leave the country. But who the email actually applies to—and who actually received it—is far from clear.

The Best Google Pixel 9 Cases and Accessories

Whether you saved some cash with the Pixel 9a or went big with the Pixel 9 Pro XL, we’ve got a selection of cases—MagSafe included—to kit out your new Android phone.

Am I the Asshole if I Don’t Put My Phone on Airplane Mode?

If you don’t, your flight won’t crash, but ignoring airplane mode uses up your battery and annoys the pilot.

The 24 Best Shows on Amazon Prime Right Now

_The Wheel of Time, Reacher_, and _The Bondsman_ are just a few of the shows you should be watching on Amazon Prime Video this week.

China Secretly (and Weirdly) Admits It Hacked US Infrastructure

Plus: The Department of Homeland Security begins surveilling immigrants' social media, President Donald Trump targets former CISA director who refuted his claims of 2020 election fraud, and more.

The Most Dangerous Hackers You’ve Never Heard Of

Millions of scam text messages are sent every month. The Chinese cybercriminals behind many of them are expanding their operations—and quickly innovating.

The scam text messages follow a similar pattern: You need to pay an outstanding toll road fee, or a parcel can’t be properly delivered, they say. “The USPS package arrived at the warehouse but could not be delivered due to incomplete address information,” reads one typical message.

A link in the message points to a realistic website where you are asked to enter more details and make a small payment—while behind the scenes, cybercriminals hoover up your information and credit card digits in real time.

These messages originate from one prolific collection of loosely linked cybercriminals: “smishing” syndicates.

Over the past three years, these Chinese-speaking fraudsters have developed and operated the world’s foremost smishing operation, spamming millions of people with text messages and likely stealing millions of dollars in the process. The term “smishing” is a mashup of SMS and phishing emails, which try to trick people into handing over personal details. Text messages, though, add a layer of urgency and may catch people off-guard as they go about their busy day.

Now, these groups are quickly adapting their methods and expanding their scamming, security experts say.

“They operate very similar to a \[legitimate\] business in a lot of ways,” says Grant Smith, the founder of offensive cybersecurity firm Phantom Security who last year hacked one Chinese-language group and uncovered how its internal phishing kits function.

“The vast majority of the kits I see nowadays are surprisingly well put together,” Smith says. “They are constantly developing these, constantly updating them, making them look better, making them more secure.”

Multiple Chinese-speaking smishing groups and individual actors are involved in the ongoing development of new techniques and running the large-scale fraud. Often, groups will even sell the kits they develop to less sophisticated cybercriminals to easily operate.

Ford Merrill, a security researcher at SecAlliance, part of the CSIS Security Group, has been tracking the syndicates for two years and says there are now seven “major” Chinese “phishing-as-a-service” actors. “They have been enabling global SMS-based phishing campaigns at a massive scale since early 2023 onwards,” he tells WIRED.

Criminals will create websites impersonating companies or brands—such as postal services, tax authorities, telecoms, utilities companies, and increasingly payment providers—and then send texts (either SMS, encrypted iMessage, or RCS) that entice people to enter their personal information and bank cards on the fraudulent websites. This process requires the fraudsters to register thousands of domains and use Apple iCloud accounts.

One of the most prominent of the smishing actors is often referred to as the Smishing Triad—although security researchers group Chinese-speaking threat actors and affiliates in different ways—which has impersonated organizations and brands in at least 121 countries, according to recent research by security company Silent Push.

Around 200,000 domains have been used by the group in recent years, the research says, with around 187 top-level domains—such as .top, .world, and .vip—being used. Across one recent 20-day period, there were more than 1 million page visits to scam websites used by the Smishing Triad, according to Silent Push.

Besides collecting names, emails, addresses, and bank card details, the websites also prompt people to enter one-time passwords or authentication codes that allow the criminals to add bank cards to Apple Pay or Google Wallet, allowing them to use the cards while on the other side of the world.

“They have effectively turned the modern digital wallet, like Apple Pay or Google Wallet, into the best card-cloning device we’ve ever invented,” Merrill says.

In Telegram groups linked to the cybercriminal organizations, some members share photos and videos of bank cards being added to digital wallets on iPhones and Androids. For instance, in one video, scammers allegedly show off dozens of virtual cards that they have added to phones they are using.

Merrill says the criminals may not make payments using the cards they’ve added to digital wallets straightaway, but it probably won’t take long.

“When we first started seeing this, they would wait between 60 and 90 days before actually stealing money from the cards,” he explains, adding that at first the criminals would let the cards “age” on a device in an attempt to look legitimate. “Nowadays you would be lucky if they wait seven days or even a couple days. Once they hit the card, they hit it hard and fast.”

“Security is core to the Google Wallet experience, and we work closely with card issuers to prevent fraud,” says Google communications manager Olivia O'Brien. “For example, banks notify customers when their card has been added to a new Wallet, and we provide signals to help issuers detect fraudulent behavior so they can decide whether to approve added cards.”

Apple did not respond to WIRED’s request for comment.

The giant scam ecosystem is powered in part by commercial underground scamming services. Findings from security firm Resecurity, which has tracked the Smishing Triad for more than two years, says the group has been using “bulk” SMS and message-sending services as it has expanded the number of messages it sends.

Meanwhile, as multiple security researchers have noted, the Smishing Triad group also uses its own software, called Lighthouse, to collect, manage, and store people's personal information and card details. A video of the Lighthouse software originally shared on Telegram and republished by Silent Push shows how the system collects card details.

The latest version of the software, which was updated in March this year, “targets dozens of financial brands” including PayPal, Mastercard, Visa, and Stripe, Silent Push says. In addition, the research says, Australian banking brands appear to be impersonated, indicating a potential further expansion of targets.

The smishing groups are constantly improving their own scamming software. Smith, the researcher who hacked a smishing gang, says he has seen groups operating their own development pipelines for their software and systems.

“Recently they were using some custom-made software that they had to basically replicate Jira and have tickets open for any issues with the platform and any customer complaints,” Smith says. “They would assign them to team members.”

Chinese smishing groups do not appear to be slowing down. The cybercriminals are behind huge waves of toll road text scams sweeping across the United States this year, says Shawn Loveland, the chief operating officer at Resecurity. “They’re increasing in their scale and their volume of attacks,” he says.

Loveland says there may be multiple ways to limit the effectiveness of smishing operations. Domain registrars could get better at detecting fraudulent websites, for example, and improved spam filtering on messages would help potential victims. Plus, law enforcement could target the platforms and systems they use to create accounts and send messages.

Making it harder for smishing groups to successfully operate could reduce profits and have a cooling effect on the surging criminal ecosystem, Loveland says.

“Criminals have a supply chain, and you don't have to go after all the components in the supply chain,” he says. “You can go after choke points in the supply chain.”

Smishing Triad: The Scam Group Stealing the World’s Riches

Allegedly responsible for the theft of $1.5 billion in cryptocurrency from a single exchange, North Korea’s TraderTraitor is one of the most sophisticated cybercrime groups in the world.

On February 21, the largest crypto heist ever started to unfold. Hackers gained control of a crypto wallet belonging to the world’s second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds out.

The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea’s elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a bounty scheme to track down the stolen funds, the FBI quickly pinned the blame on the North Korean hackers known as TraderTraitor.

Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software.

“We were waiting for the next big thing,” says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. “They didn't go away. They didn’t try to stop. They were clearly plotting and planning—and they’re doing that now,” he says.

North Korea’s hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea’s cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom’s nuclear programs. Increasingly, that means stealing cryptocurrency.

Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed technically skilled IT workers to infiltrate companies around the world and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella Lazarus Group, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up one part of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency.

TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 by security companies—is primarily interested in cryptocurrency.

“They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,” says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. “The Jade Sleet group \[TraderTraitor\] is one of the most sophisticated groups within that echelon,” she says.

TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and attempted to steal $1 billion from the Central Bank of Bangladesh at the start of 2016. “They walked off with very little money,” says DTEX Systems’s Barnhart. “In that moment you had a real, significant shift.”

Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. “TraderTraitor is the most sophisticated of all,” he says. “And why? Because APT38 was the A team.”

Since then, TraderTraitor has been linked to multiple large-scale cryptocurrency thefts in recent years. For instance, the March 2024 theft of $308 million from Japan-based cryptocurrency company DMM has been linked to TraderTraitor by the FBI, Department of Defense, and police in Japan.

TraderTraitor typically targets people working at Web3 firms using spear-phishing messages—most often, people working on software development. “They know the individuals that work at these companies, they track them, they have profiles on them, they know which trading platforms are doing the most volume. They’re focused on that entire industry, understanding it backwards and forwards,” says Microsoft’s DeGrippo.

GitHub, which is owned by Microsoft, highlighted in July 2023 how TraderTraitor created fake accounts on the coding platform, plus LinkedIn, Slack, and Telegram. The TraderTraitor criminals can create fake personas that they use to message their targets or use real accounts that have been hacked, GitHub’s research says. In that instance, TraderTraitor invited developers to collaborate on GitHub, before ultimately infecting them with malware using malicious code. Recently, security researchers at Palo Alto Networks’ Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and linked them back to TraderTraitor.

The group has been seen using “custom backdoors,” such as PLOTTWIST and TIEDYE, that target macOS, says Adrian Hernandez, a senior threat analyst at Google’s Threat Intelligence Group. “These are typically heavily obfuscated to prevent detection and thwart analysis,” Hernandez says. “Once UNC4899 \[TraderTraitor\] has gained access to valid credentials, we’ve observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.”

Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering often follows a similar pattern, as cryptocurrency tracing firm Elliptic outlined in a blog post breaking down the Bybit hack. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens—which are often issued by centralized entities and can have restrictions placed upon them—for more mainstream cryptocurrency assets like ether and bitcoin that are harder to limit.

“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied in the coming days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through crypto mixers that aim to obscure crypto transactions.

“North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic says in its blog post.

In addition to cryptocurrency heists, TraderTraitor has been linked to hacks at software supply chain companies, most prominently JumpCloud in June 2023. Compromising software used by multiple companies may provide the hackers a stealthier way into their intended targets. “That could impact any tech industry, any organization that uses that software,” says Andy Piazza, senior director for threat research at Unit 42.

As TraderTraitor has increasingly garnered attention over the past couple of years, Piazza says he has seen the group improve their operations and attempt to evade detection. For example, Unit 42’s recent research noted that TraderTraitor had been using malware the researchers called RN Loader that installs an information stealer and then deletes itself, making it harder to detect.

“You can definitely tell that they’re stepping up,” Piazza says.

Piazza says that unlike haphazard Russian hacking groups—which were both in the networks of the DNC simultaneously around 2016—there appears to be more organization with the North Korean groups. “It seems more coordinated that they're not bumping into each other out in the battle space,” Piazza says. “They’re really showing that they have the capability to be focused on that OPSEC, to be focused on that persistence capability.”

North Korea’s hacking operations may be even more complex than many realize. According to Piazza and other experts WIRED spoke to, the crypto hackers and the undercover IT workers may even coordinate. Their tactics show some “overlap,” Piazza says.

“If you right now went out onto some type of freelance website and said that you are a brand-new crypto startup and you’re looking for developers before the day is out, you would have North Koreans in your inbox,” Barnhart, the DTEX Systems researcher, says. He says some North Korean hackers can bounce between the country’s different groups, and there’s the possibility that they could also work with or alongside its IT workers. There may be more overlap than people thought, Barnhart says.

“Whenever we attribute this \[hacking\] back to TraderTraitor, was nobody else involved? Did somebody else have a hand in there?”

TraderTraitor: The Kings of the Crypto Heist

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2025-2783
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
https://issues.chromium.org/issues/405143032

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-f87w-3j5w-v58p

**CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows**

High severity GitHub Reviewed Published Apr 11, 2025 in cefsharp/CefSharp • Updated Apr 12, 2025

**Package**

nuget CefSharp.OffScreen (NuGet)

**Affected versions**

< 134.3.90

**Patched versions**

134.3.90

nuget CefSharp.OffScreen.NetCore (NuGet)

nuget CefSharp.WinForms (NuGet)

nuget CefSharp.WinForms.NetCore (NuGet)

nuget CefSharp.Wpf (NuGet)

nuget CefSharp.Wpf.HwndHost (NuGet)

nuget CefSharp.Wpf.NetCore (NuGet)

**Description**

Published to the GitHub Advisory Database

Apr 12, 2025

Last updated

Apr 12, 2025

**EPSS score**

GHSA-f87w-3j5w-v58p: CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without…

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without strong protection, sensitive data, user access, and cloud infrastructure are left vulnerable to breaches. SaaS security is not a single-layer fix; it demands multiple approaches to address cybersecurity threats across identity, data, and applications.

****Key Components of a Secure SaaS Architecture****

Creating a secure SaaS architecture involves prioritizing the most important security factors. Each factor serves to mitigate certain threats that may endanger your application or customer information.

****Identity and Access Management (IAM)****

A strong IAM solution enforces secure access using multi-factor authentication (MFA), single sign-on (SSO), and user provisioning to minimize identity-based threats. Integrate identity providers like Azure AD, Okta, or Google Workspace to gain centralized control over user authentication and authorization.

****Data Protection****

Encrypt sensitive data, implement data loss prevention (DLP) policies, and control data sharing to prevent leaks or breaches. Implement encryption at rest and in transit to protect data at multiple levels.

****Secure Development Practices****

Adopt secure coding principles, perform code reviews, and implement automated security scanning tools to identify vulnerabilities in the initial phases of the development life cycle. Use tools like SonarQube, Snyk, or Checkmarx to scan code and identify vulnerabilities.

****Network Security****

You must implement firewalls, Virtual Private Clouds (VPCs), and network segmentation so that sensitive workloads are placed within secure boundaries. It will also minimize the attack surface. Implement IP whitelisting, VPN access, and network-level monitoring to secure data flow.

****Incident Response Plan****

Establish a good incident response plan that provides detection, containment, and recovery procedures in the case of security incidents. Regular practice drills are necessary to educate your staff to respond to an incident properly.

Bridging these building blocks contributes to developing a good foundation for your SaaS architecture.

****Essential SaaS Security Practices****

Effective SaaS security requires a layered approach. These essential strategies help protect your SaaS applications from unauthorized access, misconfigurations, and third-party vulnerabilities:

1.  **Data Encryption**: You must encrypt data at rest and in transit to prevent unauthorized access. Ensure encryption keys are managed securely to prevent compromise.
2.  **Access Controls**: Use role-based access controls (RBAC) and implement the principle of least privilege. It is necessary to regularly review and audit permissions to minimize over-privileged accounts.
3.  **Secure Configuration**: Regularly review and harden cloud configurations to minimize exposure. Tools like AWS Config, Azure Security Center, and GCP Security Command Center help maintain consistent security configurations.
4.  **Monitoring and Logging**: Enable detailed logs and use tools to detect suspicious behavior. Solutions like AWS CloudTrail, Azure Monitor, and Google Cloud Operations provide insights for incident response.
5.  **Third-Party Risk Management**: Assess the security posture of third-party integrations. Regularly conduct vendor assessments to evaluate risks posed by external services.

Combining these strategies ensures a stronger security posture for your SaaS applications.

****Implementing Identity First Security for Stronger Access Control****

Identity-first security shifts the security focus from the network perimeter to individual user identities. This approach strengthens access control by ensuring that identity is the core factor in securing resources.

****1\. Centralized Identity Management****

You must use centralized identity providers (IdPs) like Azure AD, Okta, or Google Workspace to simplify user management and ensure consistent security policies. Centralized identity management reduces identity sprawl and makes it easier to enforce MFA, password policies, and session control.

****2\. Multi-Factor Authentication (MFA)****

MFA across critical applications is important so you can prevent unauthorized access even if credentials are compromised. Enable adaptive MFA to assess risk signals, such as user behavior or device location, before prompting additional verification.

****3\. Role-Based Access Control (RBAC)****

Implement RBAC to ensure users only have access to resources relevant to their roles, reducing excessive permissions. Continuously review and audit roles to prevent privilege creep.

****4\. Just-in-Time (JIT) Access****

Grant temporary elevated access only when required, minimizing the risk of long-term privileged accounts. This reduces the risk of attackers exploiting excessive or dormant privileges.

By focusing on identity as the foundation for security, organizations can better control access and reduce exposure to breaches.

****Building Secure SaaS Workflows****

Implementing secure workflows helps reduce the risk of human errors and potential security gaps. Structured workflows ensure consistent handling of data, identity, and application behavior.

*   **Secure Onboarding and Offboarding**: Create well-defined onboarding and offboarding processes to manage user access efficiently. Automated provisioning and deprovisioning tools help ensure that no orphaned accounts remain active. Integrate these processes with your IAM provider to streamline access management.

*   **Secure API Management**: Ensure all SaaS APIs are authenticated, encrypted, and properly documented. Implement API gateways and limit exposure to only essential endpoints. Use OAuth 2.0, OpenID Connect, and API rate limiting to enhance API security.

*   **Data Backup and Recovery**: Establish backup routines with strict data recovery objectives. Regularly test recovery processes to minimize downtime in case of an incident. Adopt services like AWS Backup, Azure Backup, or Google Cloud Backup for automated backup management.

By following these practices, organizations can maintain secure and efficient workflows.

****Why Identity Security is the Backbone of Modern Cybersecurity****

Identity security plays an important role in protecting cloud applications, services, and data. Since compromised identities are often the starting point for cyberattacks, securing identities is key to preventing major security incidents.

****Preventing Credential-Based Attacks****

Attackers frequently exploit weak passwords or stolen credentials. Strong identity security with MFA, password policies, and behavior-based monitoring can reduce this risk. Use tools like Microsoft Defender for Identity, Google Cloud Identity Protection, or Okta ThreatInsight to detect suspicious identity-related behavior.

****Enabling Zero Trust Architecture****

Identity security aligns with Zero Trust principles, ensuring that no user or device is trusted by default. Every access request is verified based on identity, device health, and location before access is granted.

****Enhancing User Accountability****

With proper identity tracking and auditing, organizations can monitor user actions and quickly detect suspicious behavior. Solutions like AWS CloudTrail, Azure AD Logs, and Google Cloud Audit Logs provide visibility into identity-related events.

****Improving Compliance****

Identity security helps meet compliance standards by enforcing access controls, maintaining audit trails, and ensuring data protection. Frameworks such as ISO 27001, SOC 2, and HIPAA emphasize strong identity security as part of compliance best practices.

Organizations can build a resilient defense against evolving cyber threats by prioritising identity security.

****Conclusion****

SaaS security is not a one-time effort but a continuous strategy combining proactive threat defense, identity-centric access control, and scalable automation. By implementing strong data encryption, enforcing least-privilege access, and managing identities with precision, businesses can significantly reduce their exposure to threats.

Prioritizing identity security lays the groundwork for Zero Trust and helps meet growing compliance demands. Investing in these security measures not only protects your SaaS stack but also builds long-term customer trust and operational resilience as your business scales.

Top/Featured Image by Vicki Hamilton from Pixabay

SaaS Security Essentials: Reducing Risks in Cloud Applications

The US indicated they will sign the Pall Mall Pact, an international treaty to regulate commercial spyware and surveillance tools.

The US State Department reportedly plans to sign an international agreement designed to govern the use of commercial spyware known as the Pall Mall Pact.

The Pall Mall Pact, formally known as the Pall Mall Process, was initiated by France and the United Kingdom in February 2024. The goal of the Pall Mall Pact is to regulate Commercial Cyber Intrusion Capabilities (CCICs), or what we usually refer to as spyware and surveillance tools.

Signed by France, the UK, Japan, and 18 other EU member states, the Code of Practice is a voluntary non-binding agreement establishing “best practices” among governments in relation to the development, facilitation, purchase, transfer, and use of commercial cyber intrusion tools and services.

Primarily, it aims to tackle the misuse of powerful cybertools sold on the open market. These tools, often developed by private companies like the NSO Group and Paragon Solutions, have been exploited by state and non-state actors to surveil journalists, human rights defenders, activists, and even government officials. The misuse of spyware has raised concerns about its impact on democracy, human rights, and national security.

By promoting international collaboration among governments, combined with industry players like Google and Microsoft, civil society organizations, and academics, the pact represents a collective effort to regulate an industry that has operated almost without reins.

The ongoing proliferation of spyware poses existential risks to privacy and civil liberties. Commercial hacking tools have enabled intrusive surveillance practices that undermine fundamental freedom and human rights. For example, spyware can infiltrate smartphones and computers, granting unauthorized access to sensitive data such as messages, emails, and location information.

Initially, countries like the United States opted not to sign the Pall Mall Pact but to pursue similar initiatives independently. However, this fragmentation could dilute global efforts to regulate spyware effectively. Not ideal, since its voluntary nature already raises questions about its effectiveness.

While not legally binding, the Code offers building blocks for the future and builds momentum for further development. It also offers the participating states a framework for further discussion and national implementation into laws.

In an increasingly digital world, privacy is a growing concern. As our recent research showed, a majority of people feel isolated in securing their sensitive information from companies, governments, AI models, and scammers.

Privacy is more than a personal concern. It’s a cornerstone of democracy and human rights. The Pall Mall Pact offers a roadmap for protecting these values against the misuse of powerful surveillance technologies. No one should be subject to arbitrary or unlawful interference with their privacy, as set out in the International Covenant on Civil and Political Rights and other applicable international and regional treaties.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Tag

#google