Developed to boost productivity and operational readiness, the AI is now being used to “review” diversity, equity, inclusion, and accessibility policies to align them with President Trump’s orders.

The United States Army is employing a prototype generative artificial intelligence tool to identify references to diversity, equity, inclusion, and accessibility (DEIA) for removal from training materials in line with a recent executive order from President Donald Trump.

Officials at the Army’s Training and Doctrine Command (TRADOC)—the major command responsible for training soldiers, developing leaders, and shaping the service’s guidelines, strategies, and concepts—are currently using the AI tool, dubbed CamoGPT, to “review policies, programs, publications, and initiatives for DEIA and report findings,” according to an internal memo reviewed by WIRED.

The memo followed Trump’s signing of a January 27 executive order titled “Restoring America’s Fighting Force,” which directed Defense Secretary Pete Hegseth to eliminate all Pentagon policies seen as promoting what that the commander in chief declared “un-American, divisive, discriminatory, radical, extremist, and irrational theories” regarding race and gender, a linguistic dragnet that extends as far as past social media posts from official US military accounts.

In an email to WIRED, TRADOC spokesman Army Major Chris Robinson confirmed the use of CamoGPT to review DEIA materials.

TRADOC “will fully execute and implement all directives outlined in the Executive Orders issued by the president. We ensure that these directives are carried out with the utmost professionalism, efficiency, and in alignment with national security objectives,” Robinson says. “Specific details about internal policies and tactics cannot be discussed. However, the use of all tools in our portfolio, including CamoGPT, to increase productivity at all levels can and will be used.”

Developed last summer to boost productivity and operational readiness across the US Army, CamoGPT currently has around 4,000 users who “interact” with it on a daily basis, Captain Aidan Doyle, a CamoGPT data engineer, tells WIRED. The tool is used for everything from developing comprehensive training program materials to producing multilingual translations, with TRADOC providing a “proof of concept and demonstration” at last October’s annual Association of the United States Army conference in Washington, DC, according to Robinson.

While Doyle declined to comment on the specifics on how TRADOC officials were likely using the CamoGPT to scan for DEIA-related policies, he described the process of searching through documents as relatively straightforward.

“I would take all the documentation you want to examine, order it all in a collection on CamoGPT, and then ask questions about the documents,” he says. “The way retrieval-augmented generation works is that the more specific your question is to the concepts inside the document, the more detailed information the model will provide back.”

In practical terms, this means that TRADOC officials are likely inputting a large number of documents into CamoGPT and asking the LLM to scan for targeted keywords like “dignity” or “respect” (which, yes, the Army is currently using to screen past digital content) to identify materials for subsequent alteration and bring them in line with Trump’s executive order.

By using CamoGPT, the work of eliminating DEIA-related content will likely result in a rapid change to the US Army’s documentation. “We’re competing with ‘control+F’ in Adobe Acrobat,” Doyle says.

CamoGPT isn’t the only AI chatbot in the Pentagon’s arsenal: The US Air Force’s NIPRGPT has seen extensive use among airmen since its launch in June for “summarization of documents, drafting of documents and coding assistance,” according to DefenseScoop.

The AI-assisted assessment of US military training materials comes amid a government-wide effort to root out DEIA initiated the day Trump returned to the Oval Office in January to start his second term. Detailed in Trump’s January 27 executive order, the Defense Department’s purge has taken the form of the closure of service-specific DEIA offices and program, a department-wide review of past DEI initiatives, and even the removal of historical content related to the famed all-Black Tuskegee Airmen from Air Force basic training materials, the latter of which was swiftly reversed amid public outcry.

Originally inspired by the public release of OpenAI’s ChatGPT in November 2022, CamoGPT is a product of the Army’s Artificial Intelligence Integration Center (AI2C), the organization formed in 2018 as part of Army Future Command to spearhead AI research and development efforts by “leveraging a soldier workforce to build experimental prototypes,” as Eric Schmitz, AI2C’s operations and intelligence portfolio lead, tells WIRED.

“The mission is to make AI accessible to the Army through experimentation, and we have an ethos and culture that is very much a start-up ethos.” Schmitz says. “We are product-centric and believe AI is inherently software-driven: You can do all the research you like in academia, but if you don't have software to deliver it to somebody and find out if it's useful software, then you’ll never know if your AI is useful in the real world.”

In response to the arrival of ChatGPT, AI2C quickly spun up a CamoGPT prototype based on an open-source LLM in June 2024. The center’s approach to CamoGPT is “model agnostic,” according to Schmitz: While the system currently relies on tech giant Meta’s open-source Llama 3.3 70B LLM, the underlying model is “expendable” should a better version hit the market. What really matters is building software that the average soldier will actually use in their day-to-day operations, an achievement that might influence its long-term adoption across the force.

“When you talk about how the Army doesn’t build software well, it’s because user adoption is not a priority, but it’s a massive priority to us,” Schmitz says.

Whether CamoGPT proliferates more broadly across the Army remains to be seen, and Schmitz and Doyle emphasized that AI2C’s role is laser-focused on experimental prototyping rather than building products ready for immediate fielding. But with the entire federal government reorienting itself in the name of “efficiency,” the success of CamoGPT’s application to Trump’s DEIA overhaul may end up cementing its utility for military planners.

“You need to be ruthlessly critical of what you have built and what you plan to build and hyper focused on driving user adoption,” Schmitz says. “The core question is, how do you build something that’s so valuable that people say they can't live without it?”

The US Army Is Using ‘CamoGPT’ to Purge DEI From Training Materials

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot…

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot the red flags, and how to protect your account from credential theft.

A new sophisticated phishing operation, leveraging artificial intelligence, has recently targeted YouTube content creators. Scammers have utilized deepfake technology to create a convincing video of YouTube’s CEO, Neal Mohan, delivering a fabricated announcement about changes to the platform’s monetization policies.

This video is privately shared with targeted users to steal their login credentials and install malware on their devices. The fraudulent scheme begins with an email, seemingly originating from an official YouTube address, notifying creators that a private video has been shared with them. The video itself features a remarkably realistic deepfake of Neal Mohan, mimicking his appearance, voice, and mannerisms to an alarming degree.

In the video, the AI-generated Mohan discusses alleged alterations to YouTube’s monetization, urging viewers to take specific actions. These actions typically involve clicking on links, entering login credentials on fake websites, or downloading software from untrusted sources.

The Fraudulent Video (Source: Reddit)

Upon compromising a user’s account, the attackers gain access to their YouTube channel. This access can then be exploited for various malicious purposes, including spreading misinformation, conducting further phishing attacks, or engaging in fraudulent activities.

YouTube has responded to this threat with an urgent warning to its creator community. The company has explicitly stated that it will never share important information or contact users through private videos. Furthermore, they emphasized that any private video claiming to be from YouTube, particularly those featuring its CEO, should be treated as a phishing scam.

“We’re aware that phishers have been sharing private videos to send false videos, including an AI-generated video of YouTube’s CEO Neal Mohan announcing changes in monetization. YouTube and its employees will never attempt to contact you or share information through a private video,” Google’s official announcement read.

“If a video is shared privately with you claiming to be from YouTube, the video is a phishing scam. Do not click these links as the videos will likely lead to phishing sites that can install malware or steal your credentials,” Rob from YouTube warned users.

AI deepfakes are a dangerous illusion created by sophisticated AI models trained on real footage and voice samples, exploiting people’s trust in public figures. Even tech-savvy individuals would struggle to distinguish them from real footage. This incident highlights that the sophistication of phishing attacks has increased, with deepfake technology being used to impersonate high-profile figures like YouTube’s CEO.

Cybercriminals exploit creators’ trust in official platform communications, creating believable deceptions. Content creators are encouraged to exercise caution and avoid downloading files from untrusted sources. If you receive the video, Google recommends following these steps to report it.

Max Gannon, Intelligence Manager at Cofense commented on the latest development stating, _“_Given that deepfakes have typically only been used in high-value targeted scams, it’s a surprise that threat actors are using it for such a broad attack. It’s concerning and potentially indicates a shift in the threat landscape where we can expect to see more deepfakes and other targeted attack methods being broadly applied to larger audiences._“_

_“_However, according to affected users posting about these fake YouTube emails on various social media platforms, the emails deliver malicious executables to steal session cookies and hijack YouTube accounts. Ultimately, the initial phishing hook may be shifting, but the best defence remains the same: training and awareness to detect suspect emails and not click on their links.”

1.  YouTube Channels Hacked to in Fake CS2 Giveaways Scam
2.  Malware in Fake Business Proposals Hits YouTube Creators
3.  Ukrainian News Channel Hacked to Run Zelensky’s Deepfake
4.  Scam Uses AI-Generated Images to Represent Fake Law Firm
5.  “Get Paid to Like Videos” YouTube Scam Leads to Empty Wallets

Hackers Deploy AI Deepfake of YouTube CEO in Credential Theft Scam

Microsoft warns that Chinese espionage group Silk Typhoon now exploits IT tools like remote management apps and cloud services to breach networks.

Cybersecurity researchers at Microsoft Threat Intelligence have observed that Silk Typhoon aka HAFNIUM, a Chinese espionage group known for its technical skill, is now using common IT solutions as a gateway into networks. Instead of solely relying on highly critical security vulnerabilities in major systems, the group is turning its attention to everyday tools like remote management applications and cloud services.

The shift in tactics aligns with changes adopted by other sophisticated espionage groups worldwide. This trend was first reported in May 2024, highlighting how Russian hackers are moving away from custom payloads in favour of readily available malware. A similar shift was observed in Iran, as reported in August 2024, where Iranian hackers were found collaborating with ransomware gangs in attacks against the United States.

**Exploiting Vulnerabilities**

Traditionally, Silk Typhoon took advantage of rare zero-day vulnerabilities by scanning for weak public-facing devices such as firewalls and VPNs. Some of its known exploitation includes CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. However, recent activity indicates that the group is now also targeting widely used solutions that many organizations rely on, including remote management tools and cloud applications.

While Microsoft confirms its own cloud services haven’t been directly targeted _yet_, Silk Typhoon is taking advantage of unpatched applications to breach systems. The group is known for misusing stolen keys and login details to compromise a targeted system and then using the access to reach into other systems, including those used by Microsoft particularly looking for information related to US government policy and legal matters.

****Changing Tactics****

The group’s change in tactics affects several sectors starting from government and healthcare to IT services and education. By attacking common IT tools, Silk Typhoon will take advantage of the fact that many organizations, including those with updated security measures, may overlook these everyday applications. Once inside, they will make use of various techniques to move across networks, access sensitive data, and even tamper with email and data storage services.

Therefore, Microsoft recommends a few key steps to secure yourself from the Silk Typhoon. First, keep all systems and software updated, as unpatched vulnerabilities are often the easiest entry points for attackers. Strong authentication practices, such as multi-factor authentication (MFA) and unique passwords, add an extra layer of security against unauthorized access.

For system administrators; monitoring network activity can also help detect unusual behaviour, like unexpected administrative changes, which could signal a breach. Additionally, organizations should carefully manage API keys and service credentials, restricting access wherever possible to prevent attackers from exploiting them.

Chinese Silk Typhoon Group Targets IT Tools for Network Breaches

The China-lined threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics to target the information technology (IT) supply chain as a means to obtain initial access to corporate networks.
That's according to new findings from the Microsoft Threat Intelligence team, which said the Silk Typhoon (formerly Hafnium) hacking

China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access

London, United Kingdom, 5th March 2025, CyberNewsWire

**London, United Kingdom, March 5th, 2025, CyberNewsWire**

AI Soft has announced the upcoming public release of **Alli AI**, an advanced artificial intelligence-powered platform designed for content creation. Following the conclusion of a closed beta phase, the platform will soon be available with a free trial version, allowing users to explore its capabilities. Alli AI offers a range of tools for image enhancement, background modification, photo animation, video generation, and voice synthesis, catering to designers, photographers, marketers, and digital creators.

**Expanding AI Applications in Content Creation**

Alli AI functions as both an editor and a content generator, with applications spanning social media, digital marketing, and creative design. The technology has reportedly contributed to a growing volume of AI-generated content across platforms such as TikTok, Instagram, and X. Users have leveraged the tool for various applications, from animated imagery to advertising campaigns.

**Insights from Beta Testing**

The beta testing phase highlighted the platform’s appeal across multiple industries. Designers have used Alli AI to accelerate creative workflows and experiment with different artistic styles, while photographers have explored its animation and enhancement tools. Marketers have utilized the platform to streamline content production, and early adopters in other fields have experimented with its capabilities.

**Upcoming Public Launch**

Alli AI’s developers have announced plans for an upcoming public release, which will include a trial version. The platform is positioned as a tool for content creators seeking AI-driven enhancements for branding, digital media, and other projects.

**About Alli AI**

Alli AI is an AI-powered content creation platform developed by **AI Soft**. It offers tools for image enhancement, animation, background modification, video generation, and voice synthesis. Designed for professionals and casual users alike, Alli AI aims to streamline creative workflows across multiple industries, including marketing, photography, and design.

For more information, users can visit Alli AI’s official website or follow updates on X.

**Contact**

**AI Soft**  
**XS Trade**  
**\[email protected\]**  
**+447458196484**

Alli AI Announces Upcoming Public Launch of AI-Powered Content Creation Platform

Google has announced the rollout of artificial intelligence (AI)-powered scam detection features to secure Android device users and their personal information.
"These features specifically target conversational scams, which can often appear initially harmless before evolving into harmful situations," Google said. "And more phone calling scammers are using spoofing techniques to hide their real

Google Rolls Out AI Scam Detection for Android to Combat Conversational Fraud

New research shows at least a million inexpensive Android devices—from TV streaming boxes to car infotainment systems—are compromised to allow bad actors to commit ad fraud and other cybercrime.

Cheap TV streaming boxes seem like one of the most straightforward gadgets out there, but they can come with hidden costs. In 2023, researchers revealed that tens of thousands of Android TV boxes being used in homes, schools, and businesses were equipped with secret backdoors that allowed them to be used in a host of cybercrime and online fraud. Now, the same researchers have found that the China-based ecosystem behind the compromised devices and the illicit activities they’re used for—collectively dubbed Badbox 2.0—is fueling a next-generation campaign that’s broader in scope and even more sneaky.

At least 1 million Android-based TV streaming boxes, tablets, projectors, and after-sale car infotainment systems are infected with malware that conscripts them into a scammer-controlled botnet, according to new research shared exclusively with WIRED by the cybersecurity firm Human Security. The compromised devices are used for a range of advertising fraud and in so-called residential proxy services, which allow their operators to use victim internet connections for routing and masking web traffic. And all of this activity happens behind the scenes without the owners of compromised devices having any idea of how their streaming boxes are being used.

“This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,” Gavin Reid, Human’s chief information security officer, tells WIRED. “Ad fraud including click fraud is all happening behind the scenes, but the main way they are monetizing the million devices is reselling this proxy service. Victims don't know that they're a proxy, they never agreed to be a proxy service, but they're being used for that. Any bad thing you want to do, scraping, whatever it is, these proxy services are an enabler for that.”

The researchers found that the majority of infected devices are in South America, particularly Brazil. The impacted devices often use generic names and aren’t produced by known brands. For example, there are dozens of impacted streaming boxes, but the majority of Badbox 2.0 targets are in the “TV98” and “X96” device families. Virtually all of the targeted devices are designed using Android’s open source operating system code, meaning they run versions of Android but aren’t part of Google’s ecosystem of protected devices.

Google collaborated with the researchers to address the ad fraud component of the activity, though. The company says it worked to terminate publisher accounts associated with the scams and block the ability of those accounts to generate revenue through Google’s advertising ecosystem.

“Malicious attacks like the one described in this report are expressly prohibited on our platforms,” Google spokesperson Nate Funkhouser told WIRED in a statement. “Bad actors’ tactics are constantly evolving. Partnering with organizations like HUMAN helps us share threat intelligence and expands our collective ability to identify and take swift action against bad actors, as we did here.”

In the original Badbox campaign, scammers focused on installing backdoored firmware in streaming boxes before they arrived in the hands of consumers. The Badbox 2.0 campaign is significant, the researchers say, because it reflects a major change in tactics. Rather than focusing on low-level firmware infections, Badbox 2.0 involves more traditional software-level malware distributed through common tactics like drive-by downloads, in which victims accidentally download malware without realizing it.

Researchers from multiple firms say that the campaign seems to come from a loosely connected ecosystem of fraud groups rather than one single actor. Each group has its own versions of the Badbox 2.0 backdoor and malware modules and distributes the software in a variety of ways. In some cases, malicious apps come preinstalled on compromised devices, but in many examples that the researchers tracked, attackers are tricking users into unknowingly installing compromised apps.

The researchers highlight a technique in which the scammers create a benign app—say, a game—post it in Google's Play Store to show that it’s been vetted, but then trick users into downloading nearly identical versions of the app that are not hosted in official app stores and are malicious. Such “evil twin” apps showed up at least 24 times, the researchers say, allowing the attackers to run ad fraud in the Google Play versions of their apps, and distribute malware in their imposter apps. Human also found that the scammers distributed over 200 compromised, re-bundled versions of popular, mainstream apps as yet another way of spreading their backdoors.

“We saw four different types of fraud modules—two ad fraud ones, one fake click one, and then the residential proxy network one—but it's extensible,” says Lindsay Kaye, Human’s vice president of threat intelligence. “So you can imagine how, if time had gone on and they were able to develop more modules, maybe forge more relationships, there is the opportunity to have additional ones.”

Researchers from the security firm Trend Micro collaborated with Human on the Badbox 2.0 investigation, particularly focusing on the actors behind the activity.

“The scale of the operation is huge,” says Fyodor Yarochkin, a Trend Micro senior threat researcher. He added that while there are “easily up to a million devices online” for any of the groups, “This is only a number of devices that are currently connected to their platform. If you count all the devices that would probably have their payload, it probably would be exceeding a few millions.”

Yarochkin adds that many of the groups involved in the campaigns seem to have some connection to Chinese gray market advertising and marketing firms. More than a decade ago, Yarochkin explains, there were multiple legal cases in China in which companies had installed “silent” plugins on devices and used them for a diverse array of seemingly fraudulent activity.

“The companies that basically survived that age of 2015 were the companies who adapted,” Yarochkin says. He notes that his investigations have now identified multiple “business entities” in China which appear to be linked back to some of the groups involved in Badbox 2. The connections include both economic and technical links. “We identified their addresses, we’ve seen some pictures of their offices, they have accounts of some employees on LinkedIn,” he says.

Human, Trend Micro, and Google also collaborated with the internet security group Shadow Server to neuter as much Badbox 2.0 infrastructure as possible by sinkholing the botnet so it essentially sends its traffic and requests for instructions into a void. But the researchers caution that after scammers pivoted following revelations about the original Badbox scheme, it’s unlikely that exposing Badbox 2.0 will permanently end the activity.

“As a consumer, you should keep in mind that if the device is too cheap to be true, you should be prepared that there might be some additional surprises hidden in the device,” Trend Micro’s Yarochkin says. “There is no free cheese unless the cheese is in a mousetrap.”

1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers

Cofense uncovers new LinkedIn phishing scam delivering ConnectWise RAT. Learn how attackers bypass security with fake InMail emails…

Cofense uncovers new LinkedIn phishing scam delivering ConnectWise RAT. Learn how attackers bypass security with fake InMail emails and how to protect against this sophisticated phishing tactic.

Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. This operation, detected by their Phishing Defense Center and Intelligence teams, diverges from typical LinkedIn-themed phishing attacks, which usually aim to steal user credentials or facilitate business email compromise. Instead, this campaign delivers a remote access trojan called ConnectWise RAT.

The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact individuals outside of their immediate network. The email effectively leverages LinkedIn’s branding, convincingly creating legitimacy. However, careful examination reveals that the email uses an outdated template, reminiscent of LinkedIn’s design prior to its 2020 user interface and branding overhaul.

LinkedIn’s 2020 Branding (Source: Cofense)

The email’s narrative centres around a supposed sales director from a company requesting a product or service quote. This strategy aims to create a sense of urgency, prompting the recipient to respond quickly. However, the sender’s identity and the company mentioned are fabricated.

The profile picture used in the email belongs to a real individual, Cho So-young, who is the president of a Korean civil engineering organization, whereas the company name (DONGJIN Weidmüller Korea Ind) combines elements of two legitimate corporations, but this company does not exist.

Clicking the “Read More” or “Reply To” buttons embedded within the email triggers the download of the ConnectWise RAT installer. Interestingly, the email avoids the common tactic of directly prompting users to download or run a file. This subtle approach might be designed to bypass the suspicions of users who are trained to be wary of such direct requests.

Analysis of the email’s security headers reveals that it fails Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication checks, indicating that the email was not sent from a legitimate LinkedIn server and was not digitally signed.

Despite these red flags, the email bypassed existing security measures, likely due to the Domain-based Message Authentication, Reporting & Conformance (DMARC) policy being configured to mark the email as spam rather than outright rejecting it.

This campaign has been active since at least May 2024, with the email template remaining consistent. However, whether earlier iterations of this campaign also delivered the ConnectWise RAT remains unconfirmed.

“This campaign was found to exist in the wild as far back as May 2024. While the email template has not changed since then, Cofense Intelligence was unable to confirm whether this campaign was used to deliver ConnectWise RAT in prior samples that were found via open-source intelligence,” researchers noted in the blog post.

Nevertheless, this campaign highlights the evolving tactics of cybercriminals and the persistent threat of sophisticated phishing attacks involving LinkedIn. Protection against such threats requires educating employees to carefully scrutinize email senders especially those requesting urgent actions, appropriately configuring email authentication protocols (SPF, DKIM, and DMARC), and ensuring your Secure Email Gateway (SEG) is configured to effectively filter and block suspicious emails.

LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan

Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. Learn the red flags and how…

Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. Learn the red flags and how to protect against this extortion scam.

GuidePoint Security’s Senior Threat Intelligence Analyst, Grayson North, has discovered a peculiar trend in the corporate sector in which executives at various organizations began receiving physical letters delivered via the US Postal Service.

In March 2025, the GuidePoint Research and Intelligence Team (GRIT) received reports of suspicious physical letters from the BianLian ransomware group, claiming that the recipient’s corporate IT network had been compromised and sensitive data had been stolen. The letters were delivered via mail from US addresses.

These senders demanded substantial ransom payments, ranging from $250,000 to $350,000, to a Bitcoin wallet address provided, with a threat of data leakage if payment was not received within ten days. The letter arrived with the following text:

“We no longer negotiate with victims: You have 10 days from the receipt of this letter to pay. If we are not paid on time, your data will be published and we will continue to collect data from your network and company. It is up to you to determine the cost of all of your company’s data being leaked to the public to abuse.”

The letters mimicked the format of traditional digital ransomware notes, including QR codes for easy Bitcoin transfers and Tor links to BianLian’s data leak site on the Dark Web. However, cybersecurity analysts at GuidePoint Security quickly identified numerous inconsistencies that cast doubt on the legitimacy of these claims.

Such as, the letters’ language was notably different from BianLian’s past ransom notes, displaying a level of polished English that was uncharacteristic. Though the provided Tor links did lead to BianLian’s legitimate data leak sites, these links are publicly known and easily accessible. The most glaring anomaly was the method of delivery since ransomware groups typically communicate digitally, and generally avoid using physical mail mediums.

Moreover, according to GRIT’s report, instead of standard threat actors’ practices, the senders refused to negotiate. The Bitcoin wallet addresses were newly generated and showed no previous association with any ransomware activity. Crucially, investigations revealed no evidence of network intrusions or data breaches in the organizations that received these letters.

The research team, hence, concluded that given the unusual delivery method, the language inconsistencies, the lack of intrusion evidence, and the fresh Bitcoin wallets all pointed to an attempt to impersonate BianLian for financial gain. The letters were marked “TIME SENSITIVE READ IMMEDIATELY” and had a return address in Boston.

The fake ransom letter used in the campaign (Via GRIT)

These aspects indicate that the letters were designed to create a sense of urgency and fear, exploiting the reputation of a known ransomware group. GRIT recommends organizations should educate employees on handling such threats and ensure network defences are up to date and no active alerts are present.

1.  Fake CrowdStrike Recruiters Distribute Malware
2.  Journalist Targeted in USB Drive Bombing Attack
3.  Hackers Call Employees to Steal VPN Data from US Firms
4.  Volcano Demon Ransomware Makes Phones Victim of Ransom
5.  Fake IT Calls Scam MS Teams Users into Installing Ransomware

Scammers Mailing Ransom Letters While Posing as BianLian Ransomware

Boston and Tel Aviv, United States, 4th March 2025, CyberNewsWire

**Boston and Tel Aviv, United States, March 4th, 2025, CyberNewsWire**

Pathfinder AI expands Hunters’ vision for AI-driven SOCs, introducing Agentic AI for autonomous investigation and response.

**Hunters**, the leader in next-generation SIEM, today announced **Pathfinder AI**, a major step toward a more AI-driven SOC. Building on Copilot AI, which is already transforming SOC workflows with LLM-powered investigation guidance, Hunters is introducing its Agentic AI vision, designed to autonomously enhance detection, investigation, and response. Agentic AI will launch soon, with ongoing innovations to further streamline security operations.

> “Hunters has already made a significant impact on our security operations by reducing manual investigations, streamlining data ingestion, and improving threat visibility. With Pathfinder AI, we’re enhancing efficiency and response times through AI-driven detection explanations and automated investigative guidance. This innovation continues to strengthen Emburse’s security posture with cutting-edge AI-powered threat intelligence.” — Casey Sword, Endpoint Security Architect, Emburse

**How AI is Shaping the Future of Security Operations**

Security investigations are complex and unpredictable—each alert triggers multiple investigative steps, creating an overwhelming number of possible paths. Traditional automation follows rigid workflows, often leaving analysts stuck chasing false leads while real threats slip through.

AI changes the equation. Unlike static rule-based automation, Agentic AI dynamically adapts, prioritizing critical threats, filtering out noise, and continuously refining investigations to keep security teams focused and efficient.

To stay ahead of evolving threats, SOCs need two key AI-driven capabilities:

*   **Copilot AI** – Enhances analyst workflows with automated data analysis, report generation, and guided investigations.
*   **Agentic AI** – Delivers autonomous threat detection, investigation, and response, reducing manual workloads and accelerating decision-making.

By leveraging specialized AI agents that collaborate in real time, security teams can move beyond manual triage and fragmented investigations—operating faster, smarter, and with greater precision.

**Hunters Pathfinder AI**

From day one, Hunters was founded with the vision of embedding analyst intelligence into the SIEM—automating triage and investigation to maximize efficiency and accuracy. With years of experience refining AI-driven security operations, they are uniquely positioned to lead the AI-driven SOC transformation, leveraging the deep expertise to deliver automation at scale.

As Hunters Pathfinder AI continues to evolve, they are expanding its capabilities in two key areas: AI-Assisted SOC and AI-Driven SOC. These advancements will further reduce manual workloads while enhancing detection, investigation, and response.

**AI-Assisted SOC with Copilot AI**

*   Lead Summarization – AI-generated summaries that provide analysts with immediate and comprehensive context on security events.
*   Guided Investigation Workflows – Suggests next steps across the entire attack surface.
*   Natural Language Querying – Enables SOC analysts to interact with the system using conversational AI to retrieve insights efficiently.
*   Custom Detection Authoring – Helps analysts refine detections with guided logic and iterative fine-tuning.
*   Threat Classification – AI evaluates signals and context to determine whether a threat is benign or malicious, reducing manual triage time.

**AI-Driven SOC with Agentic AI**

*   Autonomous Triage and Classification – AI-driven agents investigate every threat, classifying incidents and providing full investigation reports.
*   Self-Optimizing Detections – Machine learning models continuously refine detection accuracy based on real-world attack data.
*   Automated Root Cause Analysis – AI correlates attack signals across multiple sources to provide full attack narratives.

> “Pathfinder AI is a game-changer for SOC teams, allowing us to deliver on our promise of making security operations more effective in the fight against cyber threats. By combining Copilot AI and Agentic AI, we are not just automating tasks but enabling security teams to focus on what truly matters—stopping real threats before they cause harm.” — Ian Forrest, VP of Product, Hunters

**The Road Ahead**

Hunters remains committed to pushing the boundaries of SOC automation with AI-driven investigations, automated response mechanisms, and deeper AI capabilities. Pathfinder AI represents the next advancement toward a faster, smarter, and more effective security operations center and will be delivered in the upcoming months.

For more details, users can explore Hunters’ **blog post** and **join the webinar** about this announcement on March 5th, 2025.

**About Hunters**

Hunters empowers SOC teams with AI-driven automation, maximizing efficiency without large security budgets. As a next-gen SIEM, the Hunters SOC Platform integrates Agentic AI, Copilot AI, machine learning, and graph-based correlation to automate detection, investigation, and response. Trusted by Cimpress, OpenLane, and The RealReal, Hunters delivers built-in detections, AI-driven investigations, and security expert support from Team Axon.

For more information, users can visit **Hunters Security**.

**Contact**

**Ada Filipek**  
**Hunters**  
**\[email protected\]**

Tag

#intel