Hazel discusses Interpol’s push to rename pig butchering scams as ‘romance baiting’. Plus, catch up on the latest vulnerability research from Talos, and why a recent discovery is a “rare industry win”.

Thursday, February 13, 2025 14:05

Welcome to this week’s edition of the Threat Source Newsletter.

Love is in the air this week. Wait, is that love? Or is it some tech bro with a housing development company (that would totally love to meet in person but can’t this week) emailing you about an investment opportunity in his cryptocurrency scheme?

You may be seeing a lot of ‘Beware of romance/ pig butchering scams’ articles around Valentines Day. This isn’t really one of those. Although, if said tech bro initiates a course of love bombing mixed in with wire transfer requests, report that dude quicker than the roadrunner declares “meep meep”. 

I recently came across an article on The Hacker News that talked about how Interpol is pushing for a “linguistic shift” when it comes to pig butchering scams. They’re advocating for the term to be replaced by ‘romance baiting’.

In a statement, Interpol explained their reasoning:

_"The term 'pig butchering' dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities,"_

Pig butchering originates from a Chinese phrase. Its meaning is derived from “fattening a pig before the slaughter”. When we put that in the context of online scams, the emphasis is on the victim, with some not so nice connotations (and a certain sense of inevitability attached to it). 

By flipping the script and renaming pig butchering as romance baiting, Interpol suggests this could have a positive effect on the psychological nature of being targeted:

_"Words matter. We've seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognize that our words also matter to the victims of fraud," INTERPOL Acting Executive Director of Police Services Cyril Gout said._

_"It's time to change our language to prioritize respect and empathy for the victims, and to hold fraudsters accountable for their crimes."_

I wholeheartedly agree. Victim blaming only causes more harm. The more we can do to encourage people to report perpetrators, without feeling a sense of shame, the better. 

What do you think? Will you be changing the narrative the next time you talk about romance scams? Are there any other terms in our industry that potentially put more focus on the victim than the adversary?

**The one big thing**

In the latest Talos Vulnerability Deep Dive, the team picked out something that had caught their attention during an earlier investigation of the macOS printing subsystem: IPP over USB specification, which defines how printers that are available over USB can only still support network printing via Internet Printing Protocol (IPP). During this new investigation, Talos decided to look at how other operating systems handle the same functionality. 

The result? Some pretty good news actually. Although the potential vulnerability Talos discusses in this article is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this as a rare win.

**Why do I care?**

We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY\_SOURCE, saved the day.

**So now what?**

The modern compiler features detailed above should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. Check out this excellent write up of the vulnerability, and the proof of concept.

**Top security headlines of the week**

Lawmakers unite to push forward Cyber Force: “A group of House lawmakers are working to keep the idea of creating a Cyber Force at the Pentagon a top cyber policy topic on Capitol Hill this year.” (Politico).

Authorities Disrupt 8Base Ransomware: “The 8Base ransomware group’s infrastructure has been disrupted and leaders have been arrested in an international law enforcement operation, Europol announced.” (Security Week)

Magecart Attackers Abuse Google Ad Tool to Steal Data: “Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.” (Dark Reading).

Update to iOS 18.3.1 Right Now. There’s a ‘Sophisticated Attack’ Risk, Apple Says: “A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.” (Vice).

**Can't get enough Talos?**

Google Cloud Platform Data Destruction via Cloud Build

Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 

Catch up on the latest Talos Takes podcast:

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025) San Francisco, CA

TIPS 2025 (May 14-15, 2025) Arlington, VA

**Most prevalent malware files from Talos telemetry over the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 MD5: 7bdbd180c081fa63ca94f9c22c457376 VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 

Typical Filename: c0dwjdi6a.dll 

Claimed Product: N/A 

Detection Name: Trojan.GenericKD.33515991

SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA-256: 6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1

MD5: 35f8db3dde368c6d25239d27fd79a4a7

VirusTotal: https://www.virustotal.com/gui/file/6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1/details

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: easysmartpdf.msi

Changing the narrative on pig butchering scams

New Astaroth Phishing Kit bypasses 2FA (two-factor authentication) to steal Gmail, Yahoo and Microsoft login credentials using a…

New Astaroth Phishing Kit bypasses 2FA (two-factor authentication) to steal Gmail, Yahoo and Microsoft login credentials using a reverse proxy, real-time credential capture, and session hijacking.

An advanced new phishing kit, dubbed Astaroth, has emerged on cybercrime networks, discovered by SlashNext Threat Researchers. According to SlashNext’s research, shared with Hackread.com ahead of its publishing, Astaroth is designed to bypass two-factor authentication (2FA) through a combination of session hijacking and real-time credential interception. 

**How Astorath Works?**

Astaroth operates by employing an evilginx-style reverse proxy (where a malicious server acts as an intermediary between the victim and a legitimate website). This technique allows the attackers can position themselves as a man-in-the-middle between the victim and legitimate authentication services, such as Gmail, Yahoo, and Microsoft. 

The centralized controlled panel of the Astaroth Phishing Kit – Source: SlashNext

The level of detail available to the attacker is mind-blowing.  There are columns for ‘Phishlet’, ‘Username’, ‘Password’, ‘User Agent’, ‘Remote Addr’, and ‘Tokens.’ The interface logs each phishing attempt, capturing usernames, passwords, user agent information, and crucially, 2FA tokens.  Attackers can filter and sort these logs, mark entries for follow-up, and even download captured tokens for later use.  

Unlike traditional phishing kits that rely on static fake login pages, Astaroth dynamically intercepts all authentication data. This means that even if a user has 2FA enabled, Astaroth can capture the second factor (such as a code from an authenticator app or SMS message) as it is entered. The reverse proxy intercepts and manipulates traffic, capturing login credentials, authentication tokens, and session cookies in real-time.  This real-time capture of all authentication data is what makes Astaroth so effective at bypassing 2FA.

****Attack Details****

According to SlashNext’s report, the attack involves a victim clicking on a link, which redirects them to a malicious server posing as a legitimate website. This server mirrors the target domain’s appearance and functionality, including SSL certificates, making it difficult for victims to detect.

When the victim enters login credentials, Astaroth captures them and forwards the request to the real server, obtaining username, password, user agent string, and IP address to replicate the victim’s session environment. The attacker is instantly alerted through the web panel interface and Telegram notifications when the token is entered.

The kit is sold through Telegram and promoted on cybercrime forums and marketplaces.

Source: SlashNext

The image shows the seller “черная магия” claim Astaroth can bypass headless detection, and capture full cookies, usernames, and passwords for Google, Microsoft (including Office 365), AOL, and Yahoo mail providers.

Furthermore, the seller emphasizes it’s a combination of Evilginx with added functionalities and bypass methods and comes with custom hosting options, including bulletproof hosting, for $2,000, which includes six months of updates and support. The seller also offers testing before purchase, demonstrating the kit’s capabilities and sharing techniques for bypassing reCAPTCHA and BotGuard protections.

These added functionalities are “aimed at improving its durability and attractiveness to threat actors,” researchers concluded.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions commented on the emergence of the Astaroth phishing kit warning about its alarming amount of sophistication.

_“_This phishing kit shows an alarming amount of sophistication. All the usual defences and things to look out for that we train users on are harder to spot with this attack. Having the infrastructure running on providers who don’t cooperate with law enforcement will make it more difficult to take down these malicious actors,_“_ said Thomas.

_“_Recently, the US and European countries placed sanctions on countries harbouring these bullet-proof hosting providers. Users should be extra cautious when receiving an email purporting to be from an organization they know and demanding immediate action. If such an email is received, users should visit the website directly and not click the link to see if there are any alerts or problems with their account,_“_ he warned.

Astaroth Phishing Kit Bypasses 2FA to Hijack Gmail and Microsoft Accounts

Romance scams cost victims hundreds of millions of dollars a year. As people grow increasingly isolated, and generative AI helps scammers scale their crimes, the problem could get worse.

Loneliness has never been more urgent. On top of the significant mental health concerns, the idea that people are now lonelier and having fewer social interactions is fueling very real threats to security. Foremost among these is one of today’s most pernicious digital frauds: romance scams, which exploit targets’ feelings of isolation and net fraudsters hundreds of millions of dollars per year. As scammers increasingly organize their workflows and incorporate new AI technologies, it’s becoming possible for them to deploy these scams at an even more vast scale.

Romance scams, also known as confidence scams, are extremely communication-intensive. They require attackers to build relationships with their targets via dating apps and social media. So while generative AI chatbots are already being used to write scripts and converse in multiple languages for other types of fraud, they can’t quite pull off these romance scams on their own. But with the vulnerable population growing, researchers believe there is real potential for automation to provide a boon to scammers.

“These frauds are growing into a more organized form,” says Fangzhou Wang, an assistant professor researching cybercrime at the University of Texas at Arlington. “They are hiring individuals from all over the world, meaning that they can target all different kinds of victims. Everybody is using dating apps and social media. There are all these opportunities that give fraudsters fertile ground.”

Romance fraud is already big business for scammers. People in the US have reported losses of nearly $4.5 billion to romance and confidence fraud over the past decade, according to an analysis of the last 10 years of data from the FBI’s annual internet crime reports. (The most recent data available encompasses up to the end of 2023.) According to the FBI’s figures, romance and confidence scams have led to losses of around $600 million for each of the past five years—except for 2021, when losses peaked at almost $1 billion. Some estimates are even higher. And while there has been some decrease in the amount of money lost to romance scammers in recent years, there has been a rise in so-called pig butchering fraud, which often contains elements of confidence scams.

Romance scams begin all over the internet, from criminals blasting out messages on Facebook to hundreds of victims at a time, to others matching with every profile they see on dating apps. A variety of criminals run romance scams, from “Yahoo Boys” in West Africa to giant scam compounds in Southeast Asia. However, once a criminal has made contact with a potential victim, they all follow an eerily similar playbook to build emotional attachment with those they are attempting to defraud.

“Romance fraud is the most devastating fraud to be a victim of, bar none,” says Elisabeth Carter, an associate professor of criminology at Kingston University London, who has extensively studied these scams and their impacts on people.

Online dating has taken years to integrate into mainstream conceptions of relationships and love, but it is now the norm. As generative AI chatbots have found their way onto scores of smartphones, they have quickly become yet another digital avenue for romance and connection. While it would be difficult with current technology to farm out a romance scam to a chatbot entirely, the potential is clearly there for attackers to use generative AI for creating scam scripts and helping fill in content for more and more chats that are all running simultaneously, even in multiple languages.

UTA’s Wang notes that while she hasn’t assessed whether scammers are using generative AI to produce romance scam scripts, she is seeing evidence that they are using it to produce content for online dating profiles. “I think it is something that has already happened, unfortunately,” she says. “Scammers right now are just using AI-generated profiles.”

Some criminals in Southeast Asia are already building AI tools into their scamming operations, with a United Nations report in October saying organized crime efforts have been “generating personalized scripts to deceive victims while engaging in real-time conversations in hundreds of languages.” Google says scam emails to businesses are being generated with AI. And separately, the FBI has noted, AI allows criminals to more quickly message victims.

Criminals will use a range of manipulation tactics to entrap their victims and build up their perceived romantic relationships. This includes asking intimate questions of their potential victims that only a trusted confidant would ask—for example, questions about relationships or dating history. Attackers also build intimacy through a technique known as “love bombing,” in which they use terms of endearment to try to rapidly advance a feeling of connection and closeness. As romance scams progress, it is very common for attackers to start saying that victims are their girlfriend or boyfriend, or even call them “husband” or “wife” as a way of signaling their devotion.

Carter emphasizes that a core tactic used by romance scammers is to make their heartthrob personas seem hapless and vulnerable. Criminals lurking on dating apps, for example, will sometimes even claim that they were previously scammed and are wary of trusting anyone new. This names the elephant in the room right away and makes it seem less likely that the person the victim is chatting with could be a scammer.

When it comes to extorting money from their victims, this vulnerability is crucial. “They will do things like explain that they have some kind of cash-flow problem in their business, not ask for money, drop it, then maybe a few weeks later bring it back up again,” Carter says. At which point, she explains, the person being manipulated may want to help and proactively offer to send money. Attackers may even go so far, at first, as to argue with victims and attempt to dissuade them from sending funds, all to manipulate targets into believing that it is not only safe but also important to take a stand and assist someone they care about.

“It's never framed as the perpetrator wanting money for themselves,” Carter says. “There is a real link between the language of fraud criminals and the language of domestic abusers and coercive controllers.”

In a lot of cases, criminals find romance scam success with people who are struggling with feelings of loneliness, says Brian Mason, a constable with the Edmonton Police Service in Alberta, Canada, who works with the victims of scams. “Especially with romance scams, it’s very difficult to convince the person that the person they’re speaking with is not in love,” he says.

Mason says that in one instance he spent two years working with a victim of a romance scam and found out, when updating them on the case, that they had been back in touch with their scammer. “He looped her back in and got her to start sending money again, and she was doing it just so she could see his photos, because she was lonely,” Mason explains. At the end of 2023, the World Health Organization declared high levels of loneliness to be an ongoing threat to people’s health.

Stigma and embarrassment are major reasons that it can be difficult for victims to accept the reality of their situation. And Kingston’s Carter notes that attackers exploit this from the start by telling victims that their conversations should stay between them, because the relationship is too special and no one will understand. Keeping the relationship secret, combined with tactics to trick the victim into offering money rather than asking for it, can make it difficult for even the most careful, thoughtful person to grasp the manipulation that’s happening.

Scammers “dull down red flags and alarm bells; they hide them,” Carter says. “The victim not only has a lot of money taken from them, but it’s taken from them by the person that they love and trust the most in that moment. Just because it's online, just because it was completely fake, doesn't mean it wasn't real to them.”

The Loneliness Epidemic Is a Security Crisis

The open technology, which tackles disinformation, has gained steam in the past year, surpassing 500 corporate members and continuing to evolve.

Source: Tero Vesalainen via Shutterstock

When armed gangs raided a Haitian prison and released 4,700 prisoners last March, images and videos showing the violence and gunfire saturated social media around the world. Determining which graphic media was authentic — and marking those instances in a way that future viewers could verify for themselves what was real and what was modified — was a significant challenge.

Showcasing a solution to exactly that problem, the British Broadcasting Corporation (BBC) launched its adoption of Content Credentials, a technology for attesting to the authenticity and provenance of digital content, by using the technology to verify a TikTok video of the attack. The BBC verified the location of the video and its likely veracity, but it determined that audio of gunfire had been added after the fact. The company then digitally signed the video so that future viewers would know the BBC had verified it.

Content Credentials — an open technology that aims to solve disinformation and media integrity issues — is being developed by the Coalition for Content Provenance and Authenticity (C2PA), a group of more than 500 media, software, and hardware companies working to create an ecosystem for verified media.

The BBC's adoption of Content Credentials is just one use case but an important one, says Andy Parsons, senior director of the Content Authenticity Initiative (CAI) at Adobe and a steering committee member of the C2PA.

"The BBC \[is\] declaring that — regardless of whether this is a photo or whether AI was used to do a photo illustration — you can be guaranteed that it came from BBC, and even that simple proof-of-date or proof-of-origin is something we don't have in media right now," Parsons says.

In 2019, technology and media companies created the CAI to find solutions to disinformation and ways for news organizations to authenticate photos and video. Two years later, six companies — Adobe, Arm, BBC, Intel, Microsoft, and Truepic — founded the C2PA to pursue an open standard for establishing the provenance of various types of media files. The two efforts eventually combined forces to advance Content Credentials, a digital-signature technology and infrastructure for verifying and authenticating media.

In the past year, Content Credentials and the C2PA gained significant steam, with the addition of Amazon, Google, Meta, and OpenAI to the steering committee and the adoption of the technology by several camera makers — including Canon, Leica, and Sony — and smartphone makers, such as Samsung.

Yet the ecosystem is still in its infancy, Christian Paquin, a principal research software engineer at Microsoft, told attendees at last month's ShmooCon 2025.

"You can imagine the situation in five to 10 years when this technology is baked in a lot of the trusted news and a hardware ecosystem that can produce these signatures and can be validated by the social media themselves or the browsers, so that we can really have trust signals to differentiate what's real and what's not," he said.

**Manifest Destiny**

Content Credentials have three main components: the media data, a manifest describing the data and any actions transforming the data, and a digital signature binding the two pieces of information together in a tamper-evident way. The manifest includes typical metadata, as well as some additional C2PA-accepted fields — attestations — that can describe additional attributes of the photo, its source, and the software actions used to process the data.

Based on public-key encryption and digital signatures, Content Credentials act as an audit log of every action performed on a piece of media. A photo could be captured with a smartphone, cropped and lightened with photo-editing software, and then compressed by a content delivery network. Each of those steps would be an attestation in the manifest of the signed content credential.

A video signed with a Content Credential shows that it originated with the BBC News Lab. Source: https://contentcredentials.org/verify

The result is providing an audit trail with each piece of authenticated content, which could help citizens and users better know what is fake and what is arguably real, Adobe's Parsons says.

"All the companies involved — and I would lump in civil society and some governments as well — have a real urgency to solve this problem," he says. "And while C2PA is not a silver bullet at solving misinformation, it does put in place a fundamental foundational layer that the Internet probably should always have had around trust, and this is a really nice clean way to do it."

Already, most makers of foundational artificial intelligence (AI) models — such as Open AI, Meta, and Microsoft — digitally sign all images created by their image-generation models with a Content Credential, indicating that it was AI generated or manipulated.

**An Evolving Standard**

The technology is not done, either. The C2PA specification has quickly evolved over the past three years, reaching version 2.1 in September. Among the new features are efforts to make the credentials more "durable" — in other words, adopting techniques, such as digital fingerprinting and watermarking, to indicate the provenance of images, even if they are manipulated after publication or captured from a screenshot.

The combination of signed metadata with fingerprinting and watermarking is powerful, Adobe's Purdy wrote in a 2024 analysis of the techniques.

"\[N\]one of these techniques is durable enough in isolation to be effective on its own," he said. "But combined into a single approach, the three form a unified solution that is robust and secure enough to ensure that reliable provenance information is available no matter where a piece of content goes."

Watermarks, fingerprinting, and Content Credentials can be a powerful combination. Source: "Durable Content Credentials," CAI blog

A number of technical problems remain to be solved. Journalists reporting on an authoritarian regime, for example, may want to remain anonymous and mask their location. Zero-knowledge proofs can help, allowing a name to be redacted and only the organization — BBC News, for example — to be shown or to generalize the location. ZK proofs allow an attribute to be signed, so a photo's GPS coordinates could instead be reduced to New York City or Kiev to provide a general location that hides the photographer's identity, and verified with a digital signature.

"This is an evolving set of certifications," Microsoft's Paquin told the audience at ShmooCon. "The main challenge is establishing who can sign certificates ... establishing PKI that is worldwide is a big problem."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Content Credentials Technology Verifies Image, Video Authenticity

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

**Microsoft** today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and no requirements for user interaction.

**Tenable** senior staff research engineer **Satnam Narang** noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).

“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang said. “At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.”

The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.

**Adam Barnett**, lead software engineer at **Rapid7**, said although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.

“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,”Barnett wrote.

One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes — essentially allowing an attacker to authenticate as the targeted user without having to log in.

According to Microsoft, minimal user interaction with a malicious file is needed to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”

“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,'” Barnett said. “Accordingly, Microsoft assesses exploitation as more likely.”

The SANS Internet Storm Center has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the scoop on any patches causing problems.

It’s getting harder to buy Windows software that isn’t also bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft started bundling Copilot with **Microsoft Office 365**, which Redmond has since rebranded as “**Microsoft 365 Copilot**.” Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.

Office-watch.com writes that existing Office 365 users who are paying an annual cloud license do have the option of “Microsoft 365 Classic,” an AI-free subscription at a lower price, but that many customers are not offered the option until they attempt to cancel their existing Office subscription.

In other security patch news, **Apple** has shipped iOS 18.3.1, which fixes a zero day vulnerability (CVE-2025-24200) that is showing up in attacks.

**Adobe** has issued security updates that fix a total of 45 vulnerabilities across **InDesign**, **Commerce**, **Substance 3D** **Stager**, **InCopy**, **Illustrator**, **Substance 3D Designer** and **Photoshop Elements**.

**Chris Goettl** at **Ivanti** notes that **Google Chrome** is shipping an update today which will trigger updates for Chromium based browsers including **Microsoft Edge**, so be on the lookout for Chrome and Edge updates as we proceed through the week.

Microsoft Patch Tuesday, February 2025 Edition

In a letter to a US senator, a Florida-based data broker says it obtained sensitive data on US military members in Germany from a Lithuanian firm, revealing the global nature of online ad surveillance.

Last year, a media investigation revealed that a Florida-based data broker, Datastream Group, was selling highly sensitive location data that tracked United States military and intelligence personnel overseas. At the time, the origin of that data was unknown.

Now, a letter sent to US senator Ron Wyden’s office that was obtained by an international collective of media outlets—including WIRED and 404 Media—reveals that the ultimate source of that data was Eskimi, a little-known Lithuanian ad-tech company.

Eskimi’s role highlights the opaque and interconnected nature of the location data industry: A Lithuanian company provided data on US military personnel in Germany to a data broker in Florida, which could then theoretically sell that data to essentially anyone.

“There’s a global insider threat risk, from some unknown advertising companies, and those companies are essentially breaking all these systems by abusing their access and selling this extremely sensitive data to brokers who further sell it to government and private interests,” says Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, referring to the ad-tech ecosystem broadly.

In December, the joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org analyzed a free sample of location data provided by Datastream. The investigation revealed that Datastream was offering access to precise location data from devices likely belonging to American military and intelligence personnel overseas—including at German airbases believed to store US nuclear weapons. Datastream is a data broker in the location data history, sourcing data from other providers and then selling it to customers. Its website previously said it offered “internet advertising data coupled with hashed emails, cookies, and mobile location data.”

That dataset contained 3.6 billion location coordinates, some logged at millisecond intervals, from up to 11 million mobile advertising IDs in Germany over a one-month period. The data was likely collected through SDKs (software development kits) embedded in mobile apps by developers who knowingly integrate tracking tools in exchange for revenue-sharing agreements with data brokers.

Following this reporting, Wyden’s office demanded answers from Datastream Group about its role in trafficking the location data of US military personnel. In response, Datastream identified Eskimi as its source, stating it obtained the data “legitimately from a respected third-party provider, Eskimi.com.” Vytautas Paukstys, CEO of Eskimi, says that “Eskimi does not have or have ever had any commercial relationship with Datasys/Datastream Group,” referring to another name that Datastream has used, and that Eskimi “is not a data broker.”

In an email responding to detailed questions from the reporting collective, M. Seth Lubin, an attorney representing Datastream Group, described the data as lawfully sourced from a third party. While Lubin acknowledged to Wyden that the data was intended for use in digital advertising, he stressed to the reporting collective that it was never intended for resale. Lubin declined to disclose the source of the data, citing a nondisclosure agreement, and dismissed the reporting collective’s analysis as reckless and misleading.

The Department of Defense (DOD) declined to answer specific questions related to our investigation. However, in December, DOD spokesperson Javan Rasnake said that the Pentagon is aware that geolocation services could put personnel at risk and urged service members to remember their training and adhere strictly to operational security protocols.

In an email, Keith Chu, chief communications adviser and deputy policy director for Wyden, explained how their office has tried to engage with Eskimi and Lithuania’s Data Protection Authority (DPA) for months. The office contacted Eskimi on November 21 and has not received a response, Chu says. Staff then contacted the DPA multiple times, “raising concerns about the national security impact of a Lithuanian company selling location data of US military personnel serving overseas.” After receiving no response, Wyden staff contacted the defense attaché at the Lithuanian embassy in Washington, DC.

It was only after that, and on January 13, that the DPA responded, asking for more information. “Once additional information is received, we will assess the situation within the scope of our competence and determine the appropriate course of action,” the DPA said, according to Chu.

The Lithuanian DPA told reporters in an email that it “currently is not investigating this company” and it “is gathering information and assessing the situation in order to be prepared to take well-informed actions, if needed.” If the Lithuanian DPA does decide to investigate and finds Eskimi in violation of GDPR provisions, the company could face significant consequences—including fines up to €20 million.

Wyden’s office also contacted Google in November, to alert them to Datastream saying that Eskimi, a Google advertising partner, was selling the location data of DOD personnel overseas, Chu says.

Jacel Booth, Google spokesperson, wrote in an email that “Eskimi is currently part of Google’s Authorized Buyer program and must abide by our policies.”

“Google regularly audits its Authorized Buyers program participants, and reviews allegations of potential misconduct,” the spokesperson adds.

Even if Google does act against Eskimi, there may be plenty more advertising companies ready to sell harvested location data.

“Advertising companies are merely surveillance companies with better business models,” Edwards says.

_This story was produced as part of an ongoing reporting project from an international coalition of media outlets, including Netzpolitik.org and Bayerischer Rundfunk (Germany), Schweizer Radio und Fernsehen (Switzerland), BNR Nieuwsradio (Netherlands), NRK (Norway), Dagens Nyheter (Sweden), Le Monde (France), and WIRED and 404 Media (US)._

This Ad-Tech Company Is Powering Surveillance of US Military Personnel

Hacker claims to have breached OmniGPT, leaking over 30,000 user email address, phone  numbers, and 34 million lines of chat messages. Data includes API keys, credentials, and file links.

A hacker claims to have breached **OmniGPT**, a popular AI-powered chatbot and productivity platform, exposing 30,000 user emails, phone numbers, and more than 34 million (34,270,455) lines of user conversations. The data was published on **Breach Forums** on Sunday at 10:04 AM by a hacker using the alias “Gloomer.”

The leak, as analysed by the Hackread.com research team, includes messages exchanged between users and the chatbot, as well as links to uploaded files, some of which contain credentials, billing information, and API keys. In a post accompanying the download link, Gloomer stated:

> _“This leak contains all messages between the users and the chatbot of this site, as well as all links to the files uploaded by users and also 30k user emails. You can find a lot of useful information in the messages, such as API keys and credentials. Many of the files uploaded to this site are very interesting because sometimes they contain credentials/billing information.”_

If confirmed, this breach would be one of the largest leaks of AI-generated conversation data, exposing users to identity theft, phishing scams, and financial fraud.

The hacker claiming OmniGPT breach on Breach Forums (Screenshot credit: Hackread.com)

****Sample Data: Messages, Files, and User Information****

A sample from the leaked dataset includes chat messages from users discussing technical and development topics, such as:

📌 **User: Kamil**  
_“The cut duration is not displayed correctly.”_

📌 **User: Marcus**  
_“Right now, I’m seeing it be accurate for a cut. How is it displaying incorrectly?”_

📌 **User: Javier**  
_“This comes from review.display\_data (edited).”_

Along with message logs, the leak includes file upload links to documents stored on OmniGPT’s servers, which may contain sensitive information in PDF and Document format. Some of the leaked files include:

*   **Office projects**
*   **University assignments**
*   **Market Analysis Reports**
*   **WhatsApp chat screenshots**
*   **Police verification certificates**
*   **Multiple personal and business-related documents**

_and a lot more._

Screenshot from the leaked data (Screenshot credit: Hackread.com)

****How Does OmniGPT Work****

OmniGPT integrates various advanced language models, including ChatGPT-4, Claude 3.5, Perplexity, Google Gemini, and Midjourney, into a single interface. Designed to enhance efficiency, it offers features such as data encryption, team collaboration tools, document management, image analysis, and WhatsApp integration. Pricing plans start from a free tier with basic features to a Plus plan at $16 per month, providing access to more advanced models and functionalities.

****Data Breach and GDPR****

While the hacker’s modus operandi behind the alleged breach remains unclear, the leaked data suggests that OmniGPT has a global user base, with a major portion of the exposed information belonging to users from South America, particularly Brazil; Europe, especially Italy; and Asia, including India, Pakistan, China, and Saudi Arabia.

If confirmed, this breach could present serious legal and regulatory challenges, particularly concerning **GDPR compliance in Europe**, where strict data protection laws require companies to safeguard user information and report breaches promptly. Failure to address these issues could lead to heavy fines and legal repercussions, further complicating OmniGPT’s position in the global market.

****Consequences: Identity Theft, Phishing, and API Key Exploitation****

If the hacker’s claims are accurate, this leak could pose significant cybersecurity and privacy risks for OmniGPT users. Exposed email addresses and phone numbers may lead to targeted phishing attacks or increase the risk of identity theft.

Additionally, if users shared sensitive API keys or credentials in chatbot conversations, attackers could exploit this information to gain unauthorized access to third-party services or personal accounts. Furthermore, some of the leaked files may contain billing information or confidential business data, exposing companies to financial fraud, data theft, or corporate espionage.

****OmniGPT’s Response: Silence So Far****

As of now, OmniGPT has not issued an official response regarding the alleged breach. Hackead.com has contacted OmniGPT for a response, and this article will be updated as new information becomes available.

If you have an OmniGPT account, it is important to take immediate precautions to protect your data. Start by changing your passwords, especially if you have shared any credentials or sensitive information on the platform. Enabling two-factor authentication (2FA) adds an extra layer of security against unauthorized access.

Stay alert by monitoring your emails and financial accounts for any unusual activity, such as unauthorized logins or fraudulent transactions. Be cautious of phishing attempts, as cybercriminals may use leaked email addresses to send fake messages pretending to be from OmniGPT or other trusted sources. Also, if you have used OmniGPT to process API keys, consider revoking old tokens and generating new ones to prevent unauthorized access.

This is a developing story, and we will update it as more information becomes available.

OmniGPT AI Chatbot Alleged Breach: Hacker Leaks User Data, 34M Messages

Cisco denies recent data breach claims by the Kraken ransomware group, stating leaked credentials are from a resolved 2022 incident. Learn more about Cisco's response and the details of the original attack.

Cisco has refuted claims of a recent data breach after the Kraken ransomware group published sensitive information, allegedly stolen from the company’s internal network, on its dark web leak site. Cyber Press reported on the ransomware group’s claims, which included the exposure of credentials linked to Cisco’s Windows Active Directory environment. 

According to the report, the leaked dataset contained usernames and their associated domains, unique relative identifiers (RIDs) for each user account, and hashed representations of passwords (NTLM hashes). The compromised accounts include privileged administrator accounts, regular user accounts, service and machine accounts linked to domain controllers, and the crucial Kerberos Ticket Granting Ticket (krbtgt) account.

The report further revealed that credential-dumping tools like Mimikatz, pwdump, or hashdump were likely used to extract this information. These tools are commonly employed by cybercriminals and advanced persistent threat (APT) groups to harvest credentials stored within system memory. Alongside the leaked data, the attackers left a threatening message, hinting at their intent to inflict further damage.  

“You lied to us and play for time to kick us out. We will meet you soon, again. Next time you’ll have no chance,” attackers stated.

Files published by the Kraken ransomware group (Image via: CyberPress)

However, Cisco has issued an official statement contradicting the ransomware group’s claims, revealing that the exposed credentials stem from a previously disclosed security incident that occurred back in May 2022.  

“Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation there was no impact to our customers,” the company stated.

Hackread.com reported a breach where attackers gained control of a Cisco employee’s personal Google account containing company credentials. Through sophisticated voice phishing (vishing) attacks, the attackers bypassed multi-factor authentication (MFA) and gained access to the target user’s VPN. Cisco confirmed it successfully removed the intruder, who made several unsuccessful attempts to regain access in the following weeks.

Cisco’s CSRIT and Talos teams found no evidence suggesting the attacker accessed critical internal systems, such as the production environment or code signing architecture.  

At the time of the 2022 incident, Cisco believed the perpetrator was an initial access broker (IAB) linked to the group tracked by Mandiant as UNC2447, known for its use of the FiveHands malware, as well as the Lapsus$ threat collective and the Yanluowang ransomware operation.  

While the current claims by the Kraken ransomware group involve data from an older incident, the re-emergence of this information highlights the increasing prevalence of credential-based cyberattacks and the need to implement advanced yet reliable security measures.

Organizations should adopt proactive defences, such as forced password resets, disabling NTLM authentication, implementing multi-factor authentication, monitoring access logs for unauthorized activity, and enhancing network monitoring to detect intrusion attempts.

Cisco Rejects Kraken Ransomware’s Data Breach Claims

Google has stepped in to clarify that a newly introduced Android System SafetyCore app does not perform any client-side scanning of content.
"Android provides many on-device protections that safeguard users against threats like malware, messaging spam and abuse protections, and phone scam protections, while preserving user privacy and keeping users in control of their data," a spokesperson for

Google Confirms Android SafetyCore Enables AI-Powered On-Device Content Classification

Android phishing apps are the latest, critical threat for Android users, putting their passwords in danger of new, sneaky tricks of theft.

There are plenty of phish in the sea, and the latest ones have little interest in your email inbox.

In 2024, Malwarebytes detected more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. Of those malicious apps, 5,200 could subvert one of the strongest security practices available today, called “multifactor authentication,” by prying into basic text messages sent to a device. Another 4,800 could even read information from an Android device’s “Notifications” bar to obtain the same info.

These “Android phishing apps” may sound high-tech, but they are not. They don’t crack into password managers or spy on passwords entered for separate apps. Instead, they present a modern wrapper on a classic form of theft: Phishing.

By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals. If enough victims unwittingly send their passwords, the cyber thieves may even bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.

The volume of these apps and their capabilities underscore the importance of securing yourself and your devices. With vigilance, safe behavior, and some extra support, you can avoid Android phishing apps and protect your accounts from cybercriminals.

****Same trick, new delivery****

For more than a decade, phishing was often understood as an email threat. Cybercriminals would send emails disguised as legitimate communications from major businesses, such as Netflix, Uber, Instagram, Google, and more. These emails would frequently warn recipients about a problem with their accounts—a password needed to be updated, or a policy change required a login.

But when victims followed the links within these malicious emails, they’d be brought to a website that, while appearing genuine, would actually be in complete control of cybercriminals. Fooled by similar color schemes, company logos, and familiar layouts, victims would “log in” to their account by entering their username and password. In reality, those usernames and passwords would just be delivered to cybercriminals on the other side of the website.

There never was a problem with a user’s account, and there never was a real request for information from the company. Instead, the entire back-and-forth was a charade.

Over time, phishing emails have advanced—cybercriminals have stolen credit card details by posing as charities—but so, too, have phishing protections from major email providers, sending many cybercriminal efforts into people’s “spam” inboxes, where the emails are, thankfully, never retrieved.

But last year, cybercriminals focused on a new avenue for phishing. They started developing entire mobile apps on Android that could provide the same level of theft.

The lure that convinces people to download these apps varies.

Some Android phishing apps are disguised as regular videogames or utilities which may ask users to connect with a separate social media account for the primary app to function. The requests are bogus and simply a method for harvesting passwords. Other Android phishing apps pose as popular apps, including TikTok, WhatsApp, and Spotify. These decoy apps are often hosted on less popular mobile app stores, as the protections of the Google Play store often flag and remove these apps, should they ever sneak onto the marketplace.

Here, cybercriminals have again found loopholes.

Malwarebytes discovered Android phishing apps last year that do not contain any code—or programmatic “instructions”—to steal passwords. Instead, the apps merely serve ads that, if clicked, send victims to external websites that do all the cybercriminal work outside of the app. These “benign” apps have a better chance of being hosted on legitimate mobile app stores, which gives them greater visibility amongst everyday people, and thus, more chances to steal information.

Most concerning, though, is the recent development from Android phishing apps that pierces one of the strongest security practices in use today: multifactor authentication.

Multifactor authentication is a security measure offered by most major online platforms including banks, retirement systems, social media companies, email providers, and more. With multifactor authentication, a username and password are no longer enough to sign into an account. Instead, the platform will send a separate “code,” typically a six-digit number, that the user must also enter to complete the login process. This code is often sent as a text message directly to the user, who has registered their phone number with the platform.

But now, multifactor authentication codes can also be stolen by Android phishing apps.

Last year, Malwarebytes found 5,200 apps that could steal these codes either by cracking directly into certain text messages or by stealing information from a device’s “Notifications” bar, which can deliver timely summaries or prompts for many apps.

This does not make multifactor authentication useless. Instead, it emphasized a more holistic approach to cybersecurity that, at the very least, includes multifactor authentication.

****Staying safe from Android phishing apps****

Android phishing apps are simple, effective, and hard to spot to the naked eye. But there are behaviors and tools that can help keep you and your accounts safe.

To protect yourself from Android phishing apps:

*   Use mobile security software that detects and stops Android phishing apps from ever being installed on your Android device.
*   Before downloading any apps, you should look at the number of reviews. A low number of reviews may signal a decoy app.
*   Most people will only ever need to download Android apps directly from the Google Play Store. Be wary of other app stores or marketplaces, and never download a mobile app directly from a website.
*   Use a password manager to create and manage unique passwords for every single account. That way, if one password is stolen, it cannot be abused to open other online accounts.
*   Use multifactor authentication on your most sensitive accounts, including your financial, email, social media, healthcare, and government platforms (such as any accounts you use to file taxes).

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#google